Why the Containment Gap Is a Zero Trust Problem

Trevor Dearing
Director of Critical Infrastructure Solutions

According to our new research, The Containment Gap: Exploring the Distance Between Detection and Resilience, 95% of security leaders say they’re confident they can detect unauthorized lateral movement inside their environments.

At first glance, that sounds like progress. Detection tools are everywhere, and visibility dashboards are improving. Security teams are investing heavily in analytics and monitoring.

But another statistic in the research tells a much more troubling story.

Nearly half of organizations say they still struggle to stop attackers from moving once they are inside their environment.

That gap between seeing an attack and stopping it is what this report calls the containment gap. And it exposes a deeper issue in modern security architecture.

For years, the industry has optimized for detection. But Zero Trust was never about detection. It was about limiting trust and stopping attackers from moving once they gain access.  

If organizations want real cyber resilience, they must adopt a Zero Trust mindset and shift their focus from simply seeing breaches to actively containing them.

Detection became the scoreboard

Over the last decade, security investment has focused heavily on visibility and detection.

EDR platforms monitor endpoint activity. SIEM tools aggregate and analyze logs. NDR platforms inspect network traffic. Threat intelligence feeds provide constant updates on emerging attacks.

All of this has improved our ability to see what’s happening inside our environments. In fact, organizations rate their visibility into communication paths at roughly 4 out of 5 on average.  

That’s incredibly valuable insight. But the fact is that detection doesn’t contain an attack. It simply tells you there’s an attack.

Modern breaches exploit this gap. Most begin with something simple — a stolen credential, exposed application, compromised supplier, or phishing email. Once inside, attackers slow down, map the environment, escalate privileges, and move between workloads.

That movement is what turns a foothold into a breach.

Detection tools may eventually surface the activity. But by then, the attack may already have spread uncontained through your environment.

The research reflects this reality. As we highlighted at the start, 95% of teams believe they can detect unauthorized lateral movement. But nearly half still struggle to stop it.  

Attackers aren’t winning because defenders can’t see them, but because defenders can’t contain them fast enough.

Zero Trust shifts the metric from detection to containment

Zero Trust is often framed as an identity strategy, but that misses the point.

At its core, Zero Trust removes implicit trust from the environment, so attackers can’t move freely once they gain access.  

Segmentation plays a central role. When workloads are isolated from each other, communication must be explicitly allowed and lateral movement becomes far harder.

The breach may still happen, but the blast radius becomes dramatically smaller. That’s the real goal of cyber resilience.

The research suggests organizations recognize this shift. In fact, 93% report using at least one form of microsegmentation today.  

But adoption alone doesn’t guarantee results.

Security dashboards still emphasize metrics like mean time to detect, alert volume, and threat intelligence coverage. Those numbers may look impressive, but they don’t answer the question that matters most during a breach: how quickly can we stop an attacker from moving?

Containment speed is what determines whether an incident becomes a minor disruption or a major crisis. Yet only 17% of organizations can isolate a compromised asset in near real time.  

That means most organizations still give attackers minutes or hours to move through their environment after detection.

In cyber terms, that’s a long time, and it’s something a Zero Trust strategy can reduce.
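The two ideas above, an explicit allow-list between workloads that shrinks the blast radius and near-real-time isolation of a compromised asset, can be made concrete with a small model. This is an added example, not code from the report or from Illumio; the workloads and the allow-list are constructed sample data, and the reachability computation is a plain breadth-first search over permitted paths.

```python
from collections import deque

# Constructed sample environment (not from the report): workloads and the
# explicit allow-list of permitted communication paths (source, destination).
WORKLOADS = ["web", "app", "db", "hr", "backup", "jump"]

# Segmented policy: a flow is possible only if it is explicitly allowed.
ALLOW = {
    ("web", "app"), ("app", "db"), ("jump", "app"),
    ("db", "backup"), ("hr", "db"),
}

def flat_network(workloads):
    """Implicit trust: every workload can reach every other workload."""
    return {(a, b) for a in workloads for b in workloads if a != b}

def blast_radius(start, allowed):
    """Workloads an attacker holding `start` can reach by lateral movement
    along permitted paths (BFS over the allow-list as a directed graph)."""
    seen, queue = {start}, deque([start])
    while queue:
        src = queue.popleft()
        for a, b in allowed:
            if a == src and b not in seen:
                seen.add(b)
                queue.append(b)
    return seen - {start}

def quarantine(asset, allowed):
    """Containment step: drop every rule that lets `asset` talk or be talked to,
    leaving the rest of the policy untouched."""
    return {(a, b) for a, b in allowed if asset not in (a, b)}

if __name__ == "__main__":
    flat = flat_network(WORKLOADS)
    print("flat network, attacker on web:", sorted(blast_radius("web", flat)))
    print("segmented, attacker on web:  ", sorted(blast_radius("web", ALLOW)))
    contained = quarantine("web", ALLOW)
    print("after quarantining web:      ", sorted(blast_radius("web", contained)))
    print("app still reaches:           ", sorted(blast_radius("app", contained)))
```

In the flat model a foothold on `web` reaches every other workload; under the allow-list it reaches only the `web -> app -> db -> backup` chain, and after quarantine it reaches nothing while the remaining workloads keep their permitted paths.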

Closing the containment gap

If there is one lesson CISOs should take from this research, it’s that detection is no longer the hardest, most critical problem in cybersecurity. It’s containment.

Security programs that continue optimizing only for visibility will remain stuck in a cycle of detection, investigation, and recovery.

The organizations that break that cycle will design their environments differently. They’ll assume attackers will eventually gain access, remove implicit trust between systems, and enforce strict communication paths across workloads.

In other words, they’ll build security architectures grounded in Zero Trust principles.

Until containment becomes the primary design goal of cybersecurity programs, the containment gap will remain exactly where attackers want it: wide open.
