TL;DR: Data compromises rose 79% over five years and 86% of cyber incidents caused business disruption in 2025, according to Zero Networks, underscoring that containment speed now matters more than detection volume alone. Traditional response models leave organizations with conditional resilience because lateral movement can unfold in seconds while containment still takes days.
NHIMG editorial — based on content published by Zero Networks: How to Build Cyber Resilience via Automated Containment: An Architectural Framework
By the numbers:
- Data compromises reached an all-time high in 2025, jumping 79% in the span of five years.
- 86% of cyber incidents lead to business disruptions.
- Attackers begin moving laterally in as little as 27 seconds after gaining initial access.
Questions worth separating out
Q: What breaks when organisations rely on detection instead of containment for cyber resilience?
A: Detection-first programmes fail when attackers can move faster than human response.
Q: Why do identity and access controls matter so much for cyber resilience?
A: Because identity determines reachability.
Q: How should security teams implement microsegmentation without breaking operations?
A: Start with the highest-value systems and the most dangerous internal routes, then define explicit communication pairs based on actual business need.
Practitioner guidance
- Measure identity blast radius first Inventory which identities can reach critical systems, then rank them by how much of the environment each one can traverse before containment triggers.
- Replace inherited internal trust with explicit segmentation Remove flat east-west reachability between user zones, service tiers, and production systems.
- Convert standing privilege into task-scoped elevation Limit elevated permissions to the specific maintenance or recovery task, require identity verification before grant, and revoke access automatically when the task completes.
What's in the full article
Zero Networks' full article covers the operational detail this post intentionally leaves for the source:
- A step-by-step architectural framework for automated containment across network zones and identity-controlled reachability.
- Practical examples of how identity-based access controls, microsegmentation, and JIT privilege work together in production.
- The vendor’s view of how containment supports Zero Trust implementation across infrastructure, workflows, controls, and policies.
- A closer look at the four containment pillars and how they are applied to operational environments.
👉 Read Zero Networks' architectural framework for automated containment →
Automated containment and blast radius reduction: are your controls keeping up?
Explore further
Blast radius, not breach count, is the real resilience metric: A programme can record fewer alerts and still fail if one compromise can still reach critical systems. The decisive question is how much of the environment remains reachable after the first foothold. Organisations that measure resilience by incident volume rather than spread are measuring the wrong thing, and the practical conclusion is to treat reachability as an identity governance issue.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: Who is accountable when a resilience architecture still allows lateral movement during an incident?
A: Accountability sits across security architecture, IAM, network engineering, and the business owners of critical services. If the design still allows broad internal reachability, the issue is not only response performance. It is a governance failure in how access, segmentation, and continuity requirements were defined.
👉 Read our full editorial: Automated containment is changing cyber resilience architecture