Why Traditional Threat Detection Is No Longer Enough: A Call to Action for CISOs & Cyber Risk Leaders 

November 8, 2025

By Jane Frankland

Would you trust a security guard using a 1990s mugshot book to identify criminals in an era of deepfakes and face-changing AI?

Of course you wouldn’t!

Yet many organisations are still relying on traditional threat detection approaches to counter modern cyberattacks. Systems once fit for purpose are now dangerously outdated in a world where the average cost of a data breach has reached $4.45 million (IBM, 2025) and hackers are using AI, machine learning, and automation to move faster, smarter, and with greater precision than ever before.

This is no longer a technical issue; it’s a core business risk.

Consider the fact that 61% of organisations still depend on legacy, signature-based Web Application Firewalls (WAFs) as their main line of cloud defence. With AI-driven polymorphic malware now evading static controls, working exploits for published CVEs ready in 10-15 minutes and costing $1, and detection windows shrinking to seconds, the latest research from Elastic shows how untenable this approach has become.

Here are some key findings:

  1. Hackers are retooling for speed, prioritising immediate execution over stealth.
  2. AI is lowering the barrier to entry for cybercrime, allowing hackers to generate new attack tools at scale.
  3. Cloud attacks are increasingly identity-based.
  4. Browser credential theft has industrialised, fuelling the access broker economy.
  5. Source code leaks now create permanent, distributed exposure that extends far beyond the traditional perimeter.

The uncomfortable truth?

Relying on traditional threat detection is no longer a security posture — it’s a liability.

In this blog, I’m digging deeper into why traditional threat detection is failing, how attackers are exploiting the gaps, and what CISOs and risk leaders can do to modernise threat detection strategies. I’m partnering with Elastic, and drawing on insights from their latest Global Threat Report for 2025, and a recent interview with their CISO, @MandyAndress.

When you tune into my interview with Elastic’s CISO, Mandy Andress, you’ll hear her view on the threat landscape, the key challenges, and how Elastic is tackling advanced global threat detection.

The Business Risk

Cyber risk isn’t just technical — it’s existential.

Consider a recent large-scale cyberattack on a major manufacturer which brought production to a halt, costing tens of millions per week. Within a month, estimated revenue losses had climbed into the billions, forcing the organisation to seek emergency financial support to stabilise operations.

The lesson was clear: modern threat detection failure has real-world business consequences.

  • Employees and suppliers can’t work, triggering lost wages across the supply chain.
  • Smaller partners may face insolvency without assistance.
  • Governments are socialising the cost of corporate cyber failures as part of the fallout.

This is the new face of cyber risk. Hackers don’t just steal data — they paralyse operations, disrupt economies, erode trust, and threaten national resilience.

The Shortcomings of Traditional Threat Detection

Traditional threat detection tools were built for a world that no longer exists — one of static environments and predictable threats. Today’s hackers exploit those gaps relentlessly.

Signature-Based Detection Can’t Keep Up

Traditional threat detection tools depend on matching known threat signatures. But with AI-driven polymorphic malware reshaping its code thousands of times per hour to avoid detection, static signatures are obsolete. Zero-day exploits, by definition unknown to defenders, simply slip past.

Volume and Velocity Overload Analysts

Modern enterprises generate vast telemetry across endpoints, networks, and cloud environments, but traditional threat detection tools struggle to correlate that data at the required speed. Overwhelmed and desensitised by alert floods, SOC teams either chase false positives or disable alerts to reduce noise – allowing genuine compromises to slip through unnoticed. Today, approximately 40% of alerts are ignored or left uninvestigated due to resource constraints. A stark example is the 3CX supply-chain attack, where legitimate alerts were initially dismissed as false positives – a delay linked directly to alert fatigue.

Lack of Contextual Awareness

Traditional threat detection tools flag suspicious activity but lack context – the who, what, where, and why. Without correlating signals across endpoints, cloud, and identity systems, security teams can misclassify critical events, allowing attackers to blend in with normal activity.

Disconnected Systems and Silos

Traditional threat detection tools often operate in silos, failing to integrate across the full security stack. This fragmented approach hampers visibility and delays incident response. For example, one enterprise fell victim to a phishing-led intrusion because its email gateway and endpoint systems couldn’t communicate in real time – creating a critical gap that hackers swiftly exploited.
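The two gaps above, missing context and siloed sources, come down to the same engineering task: joining weak signals from different systems by user and time. The following is an added illustration (my own, not Elastic’s code or product logic) that fuses constructed email-gateway, endpoint and identity events into one incident; the event schema, field names and the 15-minute window are assumptions.

```python
# Added illustration, not Elastic's code: correlate siloed email, endpoint and
# identity events per user. Schema, field names and window are assumptions.
from collections import defaultdict
from datetime import datetime, timedelta

# Order in which a phishing-led intrusion typically surfaces across sources.
STAGES = ["email", "endpoint", "identity"]

# Constructed sample events. Only alice's three line up; bob's and carol's
# are isolated low-severity signals that, alone, drown in alert noise.
EVENTS = [
    {"ts": "2025-11-03T09:02:10", "source": "email", "user": "alice",
     "event": "attachment_delivered", "detail": "invoice.html"},
    {"ts": "2025-11-03T09:04:41", "source": "endpoint", "user": "alice",
     "event": "suspicious_child_process", "detail": "parent=browser"},
    {"ts": "2025-11-03T09:06:03", "source": "identity", "user": "alice",
     "event": "login", "detail": "new_country=true"},
    {"ts": "2025-11-03T09:10:00", "source": "endpoint", "user": "bob",
     "event": "suspicious_child_process", "detail": "parent=browser"},
    {"ts": "2025-11-03T14:20:00", "source": "identity", "user": "carol",
     "event": "login", "detail": "new_country=true"},
]


def correlate(events, window_minutes=15):
    """Return incidents: per user, a time-ordered chain of >= 2 stages that
    starts at the email gateway and completes within window_minutes."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append((datetime.fromisoformat(e["ts"]), e))
    incidents = []
    for user, evs in by_user.items():
        evs.sort(key=lambda pair: pair[0])
        for i, (t0, first) in enumerate(evs):
            if first["source"] != STAGES[0]:
                continue
            chain, stage = [first], 0
            for t, e in evs[i + 1:]:
                if t - t0 > window:
                    break
                nxt = STAGES.index(e["source"]) if e["source"] in STAGES else -1
                if nxt > stage:  # only advance along the stage order
                    chain.append(e)
                    stage = nxt
            if len(chain) >= 2:
                incidents.append({"user": user, "window_start": first["ts"],
                                  "stages": [e["source"] for e in chain],
                                  "severity": "high" if stage == len(STAGES) - 1 else "medium"})
    return incidents
```

Each source on its own would have produced three separate low-priority alerts (or none); joined, they describe one intrusion for one user, which is the context the siloed gateway and endpoint in the example above could not provide.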

The Industrialisation of Modern Threats

Browser-Based Credential Theft

The browser is now a major weak point in cybersecurity, with over 1 in 8 malware programs designed to steal sensitive browser data. For example, attackers are using tactics like “ClickFix” campaigns, where employees are tricked into following seemingly harmless instructions – such as copying and pasting a command – only to unknowingly install malware. This malware then harvests browser-stored passwords, cookies, and autofill information, and the stolen credentials fuel the access broker economy, giving attackers the keys to corporate accounts — a threat traditional network-based defences were never designed to counter.

Insider Risks and Social Engineering

Traditional threat detection tools were built to defend against external attacks, not the growing risks posed by insiders or human-driven exploits. Recent attacks on UK retailers and manufacturing companies began with social engineering tactics. Employees were tricked into handing over access credentials, which hackers then used to move laterally through systems, escalating their access unnoticed.

In another example, BBC correspondent Joe Tidy revealed how he was approached by a cybercriminal offering him 15% of any ransom payment if he gave them access to his work laptop. Similarly, an IT worker in Brazil was arrested for selling his login credentials to hackers, leading to a $100m loss for a banking victim.

Emerging Attack Surfaces

The rapid expansion of remote work, IoT, and multi-cloud environments has created an attack surface far beyond what traditional tools were built to protect.

Traditional threat detection tools, designed for static, perimeter-based environments, struggle to provide visibility into hybrid infrastructures. This leaves critical blind spots, such as unsecured IoT devices, misconfigured cloud services, and vulnerabilities in remote work setups.

These gaps create opportunities for attackers to exploit modern environments, exposing organisations to risks that traditional defences were never designed to counter.

The New Attack Surface: Cloud, Code, and AI

Cloud Under Siege: Today, over 60% of cloud security events stem from just three adversary goals: Initial Access, Persistence, and Credential Access. Hardening identity and authentication flows is now the most effective way to protect cloud workloads.

Source Code Leaks: A single accidental commit can create lasting exposure in distributed repositories. Elastic’s internal investigations revealed how sensitive data — such as API keys and even a passport photo — was unintentionally committed to GitHub. Once embedded in the repository’s immutable history, this information became nearly impossible to fully remove, as copies could persist in forks, clones, or cached versions.
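Why deleting the key from the current file is not enough is easiest to see in code. The following is an added illustration (mine, not Elastic’s internal tooling) that scans every commit rather than only the working tree; the in-memory history, the secret patterns and the file names are constructed and hypothetical.

```python
# Added illustration, not Elastic's tooling: scan every commit, not just HEAD,
# for committed secrets. The history is a constructed in-memory list of commits
# (each mapping the files it changed to their new content) so it runs offline;
# the secret formats and file names are hypothetical.
import re

# Hypothetical detector patterns; production scanners carry hundreds of these.
PATTERNS = {
    "example_api_key": re.compile(r"\bsk_live_[0-9a-f]{32}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}

# Constructed history: c1 commits a key, c2 'removes' it, c3 is unrelated.
# The blob introduced in c1 remains reachable from every clone and fork.
HISTORY = [
    {"id": "c1", "files": {"config.py": 'API_KEY = "sk_live_0123456789abcdef0123456789abcdef"\n'}},
    {"id": "c2", "files": {"config.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\n'}},
    {"id": "c3", "files": {"README.md": "Rotate keys quarterly.\n"}},
]

def mask(secret):
    """Never echo a full secret into findings or logs."""
    return secret[:6] + "..." + secret[-4:]

def scan_blobs(files, commit_id):
    """Match every pattern against every file in one commit's changed set."""
    findings = []
    for path, content in files.items():
        for name, rx in PATTERNS.items():
            for m in rx.finditer(content):
                findings.append({"commit": commit_id, "path": path,
                                 "type": name, "value": mask(m.group(0))})
    return findings

def tree_at_head(history):
    """Fold the commits into the current working tree (what a HEAD-only scan sees)."""
    tree = {}
    for c in history:
        tree.update(c["files"])
    return tree

def scan_head(history):
    return scan_blobs(tree_at_head(history), history[-1]["id"])

def scan_history(history):
    """Scan each commit's changed files: anything found here is still
    recoverable from any clone, fork or cached copy of the repository."""
    return [f for c in history for f in scan_blobs(c["files"], c["id"])]
```

A HEAD-only scan of this history reports nothing, while the full-history scan still surfaces the key in c1; the practical response is to rotate the credential, since rewriting history cannot recall copies already cloned.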

AI as an Adversary Weapon: Elastic Security Labs observed a 15.5% rise in “generic” threats, likely driven by hackers using LLMs to mass-produce simple but effective malware loaders. AI has democratised hacking, giving even low-skilled threat actors access to powerful tools.

A Strategic Roadmap for CISOs

To build resilience in this new landscape, CISOs and cyber risk owners must lead the shift from traditional threat detection to modern, intelligence-driven security.

  • Prioritise Identity and Browser Security: Strengthen authentication with robust, phishing-resistant MFA and harden browser defences against credential theft.
  • Bolster Cloud and Endpoint Visibility: Invest in platforms offering unified visibility, behavioural analytics, memory protection, and anomaly detection to counter stealthy, fileless threats.
  • Embrace Human-in-the-Loop Automation: Leverage AI by combining AI-assisted detection with human oversight to accelerate response without sacrificing judgment.
  • Secure the Development and Supply Chain Ecosystem: Extend monitoring into developer environments, IDEs, and third-party libraries to secure every link in the chain.

To End

The threat landscape is evolving fast – and so must threat detection. Traditional threat detection tools aren’t just underperforming; they’re actively increasing risk exposure.

For today’s CISOs and cyber risk leaders, the choice is clear: modernise threat detection or accept preventable risk. The future belongs to organisations that can detect, contextualise, and respond at machine speed.

There’s no better time than the present to ask yourself: is your detection strategy built for yesterday’s attacks, or for today’s and tomorrow’s?

To understand how threat behaviours are evolving – and how your organisation can stay ahead – download the 2025 Elastic Global Threat Report.

Now I Want to Hear from You

Tell me, where are the biggest gaps in threat detection today, and what do you think we, as a community, need to do better? Join me on LinkedIn for a conversation where you can let me know your thoughts, and if I’ve missed anything!

Finally, in the spirit of full disclosure, please be aware that I’ve received compensation for promoting this thought leadership blog for Elastic. Because your success is important to me, I only align myself with brands I believe in, and Elastic is one of them.

Jane Frankland

Jane Frankland MBE is an author, board advisor, and cybersecurity thought leader, working with top brands and governments. A trailblazer in the field, she founded a global hacking firm in the 90s and served as Managing Director at Accenture. Jane's contributions over two decades have been pivotal in launching key security initiatives such as CREST, Cyber Essentials and Women4Cyber. Renowned for her commitment to gender diversity, she authored the bestselling book "IN Security" and has provided $800,000 in scholarships to hundreds of women. Through her company KnewStart, and other initiatives she leads, she is committed to making the world safer, happier, and more prosperous.