Yet for many organisations, this abundance of detection capability has not translated into a meaningful reduction in exposure. The reason is architectural: most security operations are built to generate and correlate alerts, not to answer the question that actually matters: where are we genuinely exposed right now, and what does that mean for the business?
Key Takeaways
- Correlation is not prioritisation. Most security operations centres can aggregate and link events across multiple data sources, but they lack the contextual layer needed to distinguish which correlated signals represent genuine business risk from those that do not.
- A vulnerability and an exposure are not the same thing. A weakness that exists in isolation is categorically different from a weakness that is reachable, exploitable, and consequential in a specific environment. Treating them as equivalent is a primary driver of wasted remediation effort.
- Most SOCs are reactive by design. They are built to answer “what happened?” and “what is happening?” but not “where are we exposed right now, and how long have we been exposed?” This is a design constraint, not a skills failure.
- The cost of reactive security is measurable and significant. Globally, it takes organisations an average of 194 days to identify a breach and a further 64 days to contain it: nearly nine months of attacker access before the exposure is even resolved.
- Continuous exposure validation is an operational discipline, not a product. Organisations that begin building toward it, moving from point-in-time assessment to ongoing validation of their actual exposure state, will be better positioned to connect telemetry to risk-informed decisions.
Correlation Is Not Prioritisation
Modern security tooling has made significant advances in detection and correlation. A well-configured security operations centre can aggregate events from endpoint, network, cloud, and identity layers, correlate those events into incidents, and surface them for analyst review within minutes. That capability is genuinely valuable. The problem is what happens next.
Correlation produces incidents. Prioritisation requires context. Knowing that three events are related does not, by itself, tell you whether those events represent a material risk to business operations or an artefact of normal network behaviour. Yet in most SOCs, the step between correlation and action is left largely to analyst judgement, applied at pace, under volume pressure, without the environmental context needed to make reliable distinctions.
The consequence is predictable. When everything looks potentially urgent, teams default to handling volume rather than risk. Analysts investigate alerts by arrival order, severity score, or tool classification: proxies for risk that frequently do not reflect the actual business impact of the underlying exposure. The result is a prioritisation process that is, in practice, not prioritisation at all. It is triage under noise.
Orro works with security teams that have invested heavily in detection tooling and still find themselves unable to answer a basic question with confidence: of the exposures we are aware of right now, which ones genuinely matter to this organisation? The inability to answer that question consistently is not a resourcing problem. It is a design problem.
The Difference Between a Vulnerability and an Exposure
There is a distinction that most security operations frameworks handle poorly: the difference between a vulnerability that exists and an exposure that is real.
A vulnerability is a technical weakness: a misconfiguration, an unpatched CVE, an overprivileged account. It can be catalogued, scored, and tracked. An exposure is something more specific: a vulnerability that is reachable from an attacker’s current or probable position, exploitable given the actual configuration of the environment, and consequential in the context of what that system does and what it connects to.
A critical CVE on an isolated, non-internet-facing development system in a test environment is very different from the same CVE on an internet-facing system that processes customer payments and sits adjacent to operational infrastructure. The CVSS score may be identical. The business risk is not.
Most security operations treat these as functionally equivalent. Vulnerability scanners produce findings; findings are scored; high-severity findings are handed to patching teams. The question of whether a given vulnerability is genuinely reachable and exploitable in the specific environment rarely enters the process systematically. The result is remediation effort spread across findings ordered by severity score rather than by actual exposure, with the most dangerous gaps often sitting quietly in the middle of the list, indistinguishable from lower-risk items without deeper contextual analysis.
Over a third of all serious incidents responded to by ASD’s ACSC in FY2024–25 were discovered only because the agency proactively notified the affected organisation of suspicious activity (ACSC Annual Cyber Threat Report 2024–25). The organisation’s own security operations did not surface them. The exposure existed; it simply was not visible as a genuine risk within the organisation’s security process.
Why Most SOCs Are Reactive by Design
Security operations centres were developed and matured primarily as detection-and-response functions, and they perform that function well. Their tooling, processes, metrics, and staffing models reflect that design intent. The dominant KPIs — mean time to detect (MTTD), mean time to respond (MTTR), alert volume, incidents closed — are measures of activity after something has been observed, and they are the right measures for what a SOC is built to do. The problem is not that the SOC performs this function poorly. The problem is that detection and response, however well-executed, do not by themselves answer a different and equally important question: where is the organisation genuinely exposed right now, before an incident surfaces that exposure?
There is no standard operational metric for continuous exposure validation. The SOC answers “what happened?” and “what is happening?” with considerable sophistication. Answering “where are we at risk right now, and how long have we been at risk?” requires a different layer entirely: one that sits upstream of incident response, connecting vulnerability data to environmental context and validating that the organisation’s actual exposure state reflects the risks it believes it is carrying. That layer is not part of the traditional detection-and-response architecture. It is not a gap in capability; it is a gap in scope.
The volume problem that most SOCs now face reinforces this constraint. A 2024 survey by MSSP Alert and CyberRisk Alliance found that 62% of security alerts are entirely ignored (MSSP Alert/CyberRisk Alliance, 2024). IBM’s research found that security teams could resolve only 49% of the alerts assigned to them in a given workday. The Tines Voice of the SOC report found that 71% of SOC analysts experience burnout (Tines, 2024), with alert volume consistently cited as a primary driver. When analysts are working through thousands of alerts a day, the capacity for the kind of contextual judgement needed to distinguish a genuine exposure from a false positive is systematically constrained — not because analysts lack skill, but because the volume-to-context ratio makes deep assessment structurally difficult.
The result is a function optimised for throughput operating in an environment that also requires depth. Both are legitimate operational needs. The challenge is that most organisations have invested heavily in the former without yet building the architecture to deliver the latter.
The Cost of the Reactive Posture
The financial and operational costs of reactive security are well-documented, but they are often discussed as a cost-of-breach problem rather than a cost-of-architecture problem. The distinction matters.
The IBM Cost of a Data Breach Report 2024 found that the global average cost of a data breach reached USD 4.88 million — a 10% increase on the prior year and the largest single-year jump since the pandemic (IBM, 2024). But the figure that most directly reflects the cost of reactive security design is the lifecycle data: on average, organisations took 194 days to identify a breach and a further 64 days to contain it — a combined window of nearly nine months during which an attacker had active access to the environment. For breaches involving stolen credentials, that window stretched to nearly 10 months (IBM, 2024).
For Australian critical infrastructure operators specifically, the risk profile is sharper. Attacks on critical infrastructure sectors increased by 111% in FY2024–25, with critical infrastructure now accounting for 13% of all incidents responded to by ASD’s ACSC (ACSC, 2025). In industrial and operational environments, attacker dwell time is particularly consequential: a persistent actor operating undetected within an OT-adjacent network is not simply a data risk — it is a safety and continuity risk.
The broader pattern across the data is consistent. Organisations that detect breaches through their own security teams and tools close those breaches faster and at lower cost than organisations that are notified by an external party. IBM found that internal detection shortened the breach lifecycle by 61 days on average and saved organisations nearly USD 1 million compared to attacker-disclosed incidents (IBM, 2024). The implication is direct: the ability to understand genuine exposure state — not just alert volume — is measurably linked to better outcomes.
Evidence Snapshot: What the Data Shows About SOC Effectiveness and Detection Gaps
Alert volume and analyst capacity
- IBM research found that security teams could resolve only 49% of alerts assigned to them in a workday. Trend Micro/IBM via ACM Computing Surveys, 2024
- 62% of security alerts are entirely ignored, with analyst accuracy declining by 40% after extended shifts. MSSP Alert/CyberRisk Alliance, 2024, cited in Elastic
- 71% of SOC analysts report burnout, with alert fatigue consistently identified as a primary contributor. Tines Voice of the SOC, 2024
Breach detection timelines and dwell time
- Globally, organisations took an average of 194 days to identify a breach and 64 days to contain it in 2024 — a combined window of nearly nine months. IBM Cost of a Data Breach 2024
- Breaches involving stolen credentials extended that window to nearly 10 months to identify and contain. IBM Cost of a Data Breach 2024
- For industrial sector organisations, mean time to identify a breach was 199 days — above the global average. IBM Cost of a Data Breach: Industrial Sector, 2024
Australian-specific detection gaps
- Over a third (37%) of all serious incidents (C3 and above) handled by ASD’s ACSC in FY2024–25 were discovered only after the agency proactively notified the affected organisation — meaning those organisations’ own security operations did not detect the compromise. ACSC Annual Cyber Threat Report 2024–25
- 39% of ransomware incidents in FY2024–25 were identified by ACSC before the affected organisation became aware. ACSC, 2025
- Attacks on critical infrastructure increased 111% year-on-year in FY2024–25. ACSC, 2025
Toward Continuous Exposure Validation
The missing layer in most security operations is not more tooling. It is not more headcount. It is a discipline: the continuous validation of actual exposure state, applied with enough environmental context to distinguish risks that are genuine, reachable, and business-relevant from those that are theoretical.
Point-in-time assessments, whether penetration tests, vulnerability scans, or periodic risk reviews, have genuine value. They do not, however, reflect the reality of how environments change. Networks evolve. Configurations drift. New assets appear and existing ones change context. An exposure that did not exist six weeks ago may be present today. An exposure that was remediated on paper may still be reachable in practice, because the patch was applied to one instance and not another, or because the compensating control assumed to be in place is not configured correctly.
Continuous exposure validation as a discipline means building operations around the ongoing question: what is our actual exposure state right now, and does that state reflect the risks we believe we are carrying? It requires connecting vulnerability data to network topology, understanding which assets are genuinely reachable, and validating that remediation actions have actually reduced exposure, not simply closed tickets.
This is a meaningful shift in how security operations are designed and measured. It asks different questions of the existing technology stack. It requires processes that sit between detection (which most organisations do reasonably well) and risk reporting (which is often backward-looking and periodic). It demands that the gap between “we found this” and “this has been reduced” is treated as an operational problem requiring active management, not an administrative step in a workflow.
For organisations operating across complex environments, utilities with converged IT/OT infrastructure, resources sector operators with geographically distributed assets, financial services firms carrying critical customer data, that gap is not a theoretical concern. It is the space in which attackers operate.
Building toward continuous exposure validation does not require abandoning existing operations. It requires extending them, adding the contextual layer that transforms correlation into genuine prioritisation, and transforming prioritisation into validated risk reduction. That architectural shift is the subject of the next article in this series.
If your security operations are generating more data than they can act on, Orro works with organisations to identify the gap between what is being detected and what is being reduced. Explore how modern security operations are closing the loop between exposure and action.
Sources & Further Reading
Cited sources
- ASD’s ACSC. Annual Cyber Threat Report 2024–25. Australian Signals Directorate, October 2025. https://www.cyber.gov.au/about-us/view-all-content/reports-and-statistics/annual-cyber-threat-report-2024-2025
- IBM Security / Ponemon Institute. Cost of a Data Breach Report 2024. IBM, July 2024. https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs
- IBM Security. Cost of a Data Breach 2024: Industrial Sector. IBM, 2024. https://www.ibm.com/think/insights/cost-of-a-data-breach-industrial-sector
- Tines. Voice of the SOC Analyst Report. Tines, 2024. https://www.tines.com/reports/voice-of-the-soc-analyst/
- MSSP Alert / CyberRisk Alliance. Survey: 62% of SOC Alerts Are Ignored. 2024. Cited in Elastic, 2025. https://www.elastic.co/blog/reduce-alert-fatigue-with-ai-defence-soc
- Trend Micro / ACM Computing Surveys. Alert Fatigue in Security Operations Centres: Research Challenges and Opportunities. ACM, 2025. https://dl.acm.org/doi/10.1145/3723158
- Verizon. 2024 Data Breach Investigations Report. Verizon Business, 2024. https://www.verizon.com/business/resources/reports/dbir/
Further reading
- ASD’s ACSC. Best Practices for Event Logging and Threat Detection. August 2024. https://www.cyber.gov.au
- APRA. CPG 234 — Information Security. Australian Prudential Regulation Authority. https://www.apra.gov.au
- Netenrich. SOC Analyst Burnout: Is It Putting Your Organisation at Risk? November 2025. https://netenrich.com/blog/soc-analyst-burnout
- Orro. The Illusion of Control: Why Visibility Alone Isn’t Reducing Cyber Risk. Orro Insights, March 2026. https://orro.group/service/cyber-security/visibility-alone-isnt-reducing-cyber-risk/
- Orro. Cyber Security Services. Orro Group.
- Orro. Visibility & Response. Orro Group.
- Orro. National Cyber Defence Centre. Orro Group.
