Today’s Security Is Not About Stopping Breaches. It Is About Containing Them.
- Kostas Tsiolas
- Apr 27
The dangerous lie in many security programs is not prevention itself.
It is the belief that prevention is enough.

Firewalls, Web Application Firewalls (WAFs), endpoint controls, phishing protection, and detection platforms all matter. They reduce risk. They stop known attacks. They make exploitation harder.
But they do not eliminate compromise.
One stolen credential.
One leaked access key.
One over-permissive service account.
One poisoned pipeline.
One misconfigured storage bucket.
That is often enough to turn a contained weakness into an enterprise-wide incident.
In modern cloud environments, the question is not only:
“Can we stop the attacker?”
The harder question is:
“How much can they reach when prevention fails?”
That is the real test of cloud security maturity.
Not breach prevention alone.
Blast Radius control.

The Fallacy of the Perimeter
Traditional security thinking was built around a perimeter.
Protect the edge.
Inspect the traffic.
Block the known bad.
Keep the attacker outside.
That model made more sense when infrastructure was mostly on-premises. You owned the network. You controlled the wires. Systems lived inside a relatively defined boundary.
Cloud changed that boundary.
In cloud environments, the dominant perimeter is no longer the network edge. It is the combination of Identity, control-plane permissions, workload boundaries, data access, and software supply chain trust.
This shift is still underestimated.
Many organizations continue to invest heavily in front-door controls: firewalls, Web Application Firewalls (WAFs), edge filtering, and endpoint prevention.
These controls are necessary.
But they are insufficient.
They assume the attacker is outside, trying to break in.
In many real-world incidents, cloud or not, the attacker does not break in. They log in.
They use a valid credential.
They abuse a legitimate token.
They assume an over-permissive role.
They exploit a trusted automation account.
They move through paths that were already allowed by design.
You cannot rely on prevention to stop an attacker who is using access your environment already trusts.

From “If” to “How Much”
The Assume Breach mindset is often misunderstood.
It is not pessimism.
It is engineering realism.
Assume Breach does not mean you stop investing in prevention. It means you stop designing your environment as if prevention will succeed every time.
That shift changes the security conversation.
You stop asking only:
“How do we keep them out?”
You start asking:
“How much can they take when they get in?”
“How far can they move?”
“Which systems can they reach?”
“Which permissions can they escalate?”
“Which backups can they delete?”
“Which data can they exfiltrate?”
The metric of success changes.
It is not just Mean Time to Detect (MTTD).
It is not just Mean Time to Respond (MTTR).
It is not the illusion of zero incidents.
Success becomes:
Limited access.
Limited lateral movement.
Limited privilege escalation.
Limited data exposure.
Limited operational impact.
Fast recovery.
A breach is bad.
An unconstrained breach is catastrophic.
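
The "how much can they reach" questions above can be answered mechanically once identities and their permissions are modeled as a graph. The following is an added example, not part of the original article; every identity, resource and permission in it is constructed for illustration.

```python
from collections import deque

# Constructed sample environment; every name below is hypothetical.
# ASSUME: identity -> identities it is allowed to assume or impersonate.
ASSUME = {
    "dev-access-key": ["ci-runner"],
    "ci-runner": ["deploy-role"],
    "deploy-role": ["org-admin"],  # over-permissive trust relationship
}
# GRANTS: identity -> resource -> actions it holds directly.
GRANTS = {
    "dev-access-key": {"source-repo": {"read"}},
    "ci-runner": {"artifact-bucket": {"read", "write"}},
    "deploy-role": {"prod-cluster": {"deploy"}},
    "org-admin": {"customer-db": {"read"}, "backups": {"read", "delete"}},
}

def blast_radius(start, assume, grants):
    """Walk every assumable identity from `start` and collect its permissions."""
    seen, queue, reach = {start}, deque([start]), {}
    while queue:
        identity = queue.popleft()
        for resource, actions in grants.get(identity, {}).items():
            reach.setdefault(resource, set()).update(actions)
        for nxt in assume.get(identity, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen, reach

def report(start, assume, grants):
    """Answer the article's questions for one compromised identity."""
    identities, reach = blast_radius(start, assume, grants)
    return {
        "identities_reached": sorted(identities),  # how far can they move
        "systems_reached": sorted(reach),          # which systems can they reach
        "deletable": sorted(r for r, a in reach.items() if "delete" in a),
        "readable": sorted(r for r, a in reach.items() if "read" in a),
    }

# Containment: same stolen key, but the deploy role can no longer assume admin.
CONTAINED = {**ASSUME, "deploy-role": []}

if __name__ == "__main__":
    for label, trust in (("before", ASSUME), ("after", CONTAINED)):
        print(label, report("dev-access-key", trust, GRANTS))
```

The stolen key is identical in both runs; only the trust relationship behind it changes, and with it what the same compromise can reach.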


