CyberDefenseMagazine

Why forensics falls short without security readiness


As we move into 2026, a familiar pattern continues to emerge across the security landscape. Many organisations still lean heavily on post-incident investigation to explain why a breach occurred and what can be done to prevent a repeat. While these investigations are valuable, the reality is that they are often compensating for a lack of preparation and weak early detection.

Forensics remains a critical component of a mature incident response capability, but it is not a silver bullet. Tracing the root cause of a cyber incident is frequently complex, expensive, and time-consuming, and in a significant number of cases, it simply does not yield definitive answers. Foundry’s latest Security Priorities study found that 57% of security leaders say their organisation has struggled to find the root cause of security incidents they have experienced over the past 12 months. That finding is alarmingly accurate and mirrors what I see in practice.

Our own incident response figures show that unless organisations are prepared to conduct extensive additional forensic work, there’s only a 50/50 chance they’ll identify the origin of a security breach.

The issue is rarely a lack of effort during the investigation itself; it is far more often a symptom of environments that were not designed to preserve evidence or surface meaningful signals in the first place.

When organisations engage a third party to conduct incident response or forensic investigations, the expectation is that specialists will be able to work backwards, test theories, and identify exactly how the environment was compromised. In reality, even with significant time and investment, investigations can hit a hard stop. There are several recurring reasons for this.

It remains difficult for many organisations to spot precursor events to an attack. As a result, there can be weeks or even months between initial compromise indicators and the point at which a major detection alert is triggered. This lag causes real challenges once an investigation begins, which is why the earlier incident response experts are involved, the better the outcome tends to be.

The problem is not always technology. Independent research conducted for our Cyber Security Whitepaper showed that a third of UK SMEs admit they are unable to fully utilise the cyber security tools they already have. That limits early detection and dramatically reduces the volume and quality of evidence available when an incident finally comes to light.

There is also a persistent skills shortage, particularly in mid-sized organisations that do not have round-the-clock SOC teams and in-house forensic investigation expertise. Sometimes the detection capability exists, but there are not enough people to fight the fires, or they lack the experience to recognise the seriousness of an alert until it escalates. The alarm is sounding, but the response is slow or uncertain.

Cost pressures often compound the problem. Many organisations try to remediate security incidents internally before engaging specialist support. By the time external help is brought in, systems may have been powered down, volatile evidence lost, and critical log files overwritten during well-intentioned but ill-planned firefighting.

Cloud adoption adds another layer of complexity. Organisations no longer maintain on-premises storage or retain extensive logs by default. With cloud storage, decisions about forensic logging, EDR data, and retention periods are driven by budget as much as security needs. Automated policies can also inadvertently delete evidence-containing files, and once that data is gone, there is only so far an investigation can go.

The challenge arises when tracing the incident back to the initial point of compromise. Too often, the evidence simply ceases to exist.

The common thread running through all of this is preparation. The right preparation will rebalance reliance on incident response and will give forensic investigations the best chance of success. These are the crucial steps organisations must take:

Tabletop exercises are crucial both for rehearsing incident response and for surfacing new ideas that improve readiness. They expose weaknesses in backup policies or recovery assumptions and uncover communication or decision-making bottlenecks. They also help organisations understand what evidence must be protected during an incident and what can safely be overwritten to restore services.

Despite their value, many organisations still struggle to make time for them. That is a mistake. Calm, repeatable practice is what enables clear-headed decision-making when a real incident occurs. There are no shortcuts.

There also needs to be sustained investment in skills development, particularly around recognising and investigating the early stages of a compromise. This capability is often lacking in organisations without dedicated SOC resources, and even where tooling exists, the human element is missing.

For smaller businesses, managed cyber security services can provide a practical alternative to building in-house capability. Either way, the ability to act on detection rules and understand their significance in real time is critical.

Successful forensics may close one gap in an organisation’s defences, but it does not compensate for weak detection, poor preparation, or lost evidence. When breaches occur, too much emphasis is often placed on fighting the fire and restoring services, while the opportunity to understand how the fire started is lost.

To break that cycle, organisations must treat preparation as a strategic security investment. Being truly incident-ready means having the processes, skills, and mindset in place to support both rapid response and meaningful investigation. Prevention, detection, and readiness are what give forensics a fighting chance and what ultimately reduce the likelihood of history repeating itself.
