
The problem was never detection
For the last decade, the security industry has focused on detection. The emphasis has been on generating more alerts, improving signal quality and expanding coverage. These efforts have been meaningful, but we are approaching a saturation point. Despite continued progress in detection, defenders are still falling behind while attackers retain the advantage.
According to CrowdStrike, lateral movement can now occur in an average of just 29 minutes. Within that window, the difference between understanding and uncertainty determines whether an incident is contained or escalates. Visibility remains important, but the ability to move through the OODA loop (observe, orient, decide and act) within an increasingly compressed time window matters more.
Security teams are not constrained by a lack of alerts or data; they are constrained by a lack of answers. Each alert initiates a process that requires analysts to pivot across tools, assemble fragmented context, reconstruct events and determine impact. This process is fundamentally time-bound, and in most environments it still takes hours.
Attackers operate on a much shorter timeline, creating a structural asymmetry that human-driven investigation cannot match. The industry has not failed to improve detection; it has misidentified the primary constraint. Investigation speed is the limiting factor.
