
Cybersecurity news headlines like “The Growing Threat of AI-powered Cyberattacks in 2025” and “Over 190 million hit in UnitedHealth data breach — confirmed largest in history” are upsetting and discouraging. Sometimes it seems like the bad guys are always a step ahead.
However, IBM Security’s Cost of a Data Breach Report 2025 contains some encouraging news: “The global average breach cost dropped to USD 4.44 million from USD 4.88 million in 2024, a 9% decrease and a return to 2023 cost levels.” The report states this decline reflects faster breach detection and containment, driven mainly by in-house security teams, external service providers, and the growing use of AI and automation.
Translation: organizations are evolving beyond their longtime prevention-only cybersecurity mindsets toward approaches that assume breaches will happen. They’re not trying to stop all attacks at their figurative gates. Instead, they focus on limiting their impact.
By containing threats quickly, organizations will be better able to protect their most critical operations, reduce downtime, and maintain business continuity.
The Diminishing Returns of Prevention
Preventive tools and policies still play a role in a holistic cybersecurity approach. Early tools such as firewalls and antivirus software were revolutionary, blocking the vast majority of attacks before they could cause damage. But over time, adversaries found ways around these defenses. Today’s attackers often exploit trusted identities, compromised credentials, or legitimate processes to move undetected through networks.
This evolution has eroded the returns on prevention. Security teams can continue to layer on more preventive tools, but each new investment delivers smaller gains. Even the most advanced preventive systems can’t stop every intrusion. Phishing emails still bypass filters. Bad actors can exploit vulnerabilities in third-party software before the defenders can apply patches. Misconfigurations and human error create openings that technology alone cannot close.
Prevention remains essential, but it is no longer sufficient on its own. Stopping everything is not realistic. Improving resilience begins with the realization that some breaches will succeed. But it is possible to ensure that one breach does not become a full-scale incident that halts operations and creates long-term financial and reputational damage.
The Case for Containment-First Thinking
A containment-first strategy focuses on restricting an attacker’s ability to move laterally once inside the network. The primary goal is to confine the incident’s scope to minimize disruption and safeguard critical systems first.
This mindset aligns closely with zero trust principles, which treat every connection and request as potentially hostile until verified. Segmenting networks, applying identity-based access controls, and continuously validating permissions together make it difficult for adversaries to reach sensitive assets even after they have gained a foothold in the network.
Embracing a Containment-First Approach
Shifting to containment-first thinking requires changing how organizations design and operate their security programs. This involves rearchitecting defenses so that any breach is confined and its impact minimized.
Taking the following four steps will create multiple choke points for attackers, reducing the blast radius of any compromise and giving defenders the time they need to respond.
1. Prioritize critical assets. Start by identifying the “crown jewels”—the systems, applications, and data that are essential to operations or carry the highest business value. This inventory should also include vulnerable legacy systems that, if compromised, could serve as gateways to more critical assets.
2. Segment environments. Use microsegmentation and identity-based access controls to divide networks into smaller, isolated zones. This prevents attackers from moving freely once inside and forces them to overcome multiple barriers before reaching sensitive systems.
3. Evaluate at every layer. Containment isn’t just a network issue. Apply segmentation and access restrictions across user, application, and workload layers to ensure that security gaps in one area don’t undermine the rest of the environment.
4. Continuously validate defenses. Be sure to regularly update threat models, access controls, and segmentation policies to account for new vulnerabilities and how attackers are changing their tactics. Containment is only effective if it reflects the current state of the organization’s systems and risks.
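The four steps above, and the zero trust segmentation described earlier, can be made concrete by treating the segmentation policy as data and computing the blast radius an attacker would have from a given foothold. The following is an added example, not code from the original article or from any vendor's product: it models zones and an allow-list of flows (default deny), then asks which zones a compromised host can reach with the credentials it holds, and lints the policy for rules that would let a foothold reach the crown jewels. All zone names, identities, services and rules are constructed for illustration.

```python
"""Blast-radius check for a segmentation policy (added example, hypothetical data).

Steps modelled:
  1. CROWN_JEWELS  - the assets whose compromise halts operations
  2. SEGMENTED_RULES - an allow-list of flows between zones (default deny)
  3. identity gates on flows, so that segmentation spans the user, app and
     workload layers rather than only the network layer
  4. lint_policy() - a validation pass to run whenever the policy changes
"""
from collections import deque

# Hypothetical zones; every user or workload belongs to exactly one zone.
ZONES = {"internet", "user-laptops", "web-tier", "app-tier",
         "db-tier", "legacy-erp", "jump-host"}

# Step 1: crown jewels, including the legacy system that fronts them.
CROWN_JEWELS = {"db-tier", "legacy-erp"}

# The "before": a flat network expressed as one wildcard rule.
FLAT_RULES = [("any", "any", "any", None)]

# Step 2/3: the segmented policy. Each rule is
# (source zone, destination zone, service, identity required or None).
# Any pair not listed is blocked.
SEGMENTED_RULES = [
    ("internet", "web-tier", "https", None),
    ("user-laptops", "web-tier", "https", None),
    ("web-tier", "app-tier", "grpc", "svc-web"),
    ("app-tier", "db-tier", "postgres", "svc-app"),
    ("user-laptops", "jump-host", "ssh", "role-dba"),
    ("jump-host", "db-tier", "ssh", "role-dba"),
    ("jump-host", "legacy-erp", "rdp", "role-erp-admin"),
]


def _zone_matches(rule_zone, zone):
    return rule_zone == "any" or rule_zone == zone


def reachable_zones(rules, foothold, held_identities=frozenset()):
    """Zones an attacker can reach from `foothold` with the identities they hold.

    Breadth-first search over allowed flows. A rule that requires an identity
    is only traversable if that identity is among the compromised credentials.
    """
    seen = {foothold}
    queue = deque([foothold])
    while queue:
        current = queue.popleft()
        for src, dst, _service, identity in rules:
            if not _zone_matches(src, current):
                continue
            if identity is not None and identity not in held_identities:
                continue
            targets = ZONES if dst == "any" else {dst}
            for target in targets:
                if target not in seen:
                    seen.add(target)
                    queue.append(target)
    return seen


def exposed_crown_jewels(rules, foothold, held_identities=frozenset()):
    """Crown-jewel zones inside the blast radius of `foothold`."""
    return reachable_zones(rules, foothold, held_identities) & CROWN_JEWELS


def lint_policy(rules):
    """Step 4: flag rules that would undermine containment if they drifted in."""
    findings = []
    for src, dst, service, identity in rules:
        if src == "any" or dst == "any":
            findings.append(f"wildcard zone in rule {src}->{dst}:{service}")
        if dst in CROWN_JEWELS and identity is None:
            findings.append(f"{dst} reachable from {src} without an identity gate")
    return findings


if __name__ == "__main__":
    laptop = "user-laptops"
    print("flat network, laptop compromised:",
          sorted(exposed_crown_jewels(FLAT_RULES, laptop)))
    print("segmented, laptop compromised, no credentials:",
          sorted(exposed_crown_jewels(SEGMENTED_RULES, laptop)))
    print("segmented, laptop + stolen role-dba credential:",
          sorted(exposed_crown_jewels(SEGMENTED_RULES, laptop, {"role-dba"})))
    print("lint of flat policy:", lint_policy(FLAT_RULES))
```

Under the flat policy a compromised laptop reaches both crown jewels immediately; under the segmented policy it reaches nothing critical, and even a stolen `role-dba` credential exposes only `db-tier`, not `legacy-erp`. Running `lint_policy` in CI on every policy change is one way to implement the continuous validation in step 4: the check fails as soon as someone adds a wildcard rule or an ungated path to a crown-jewel zone.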
Changing Corporate Culture
The Chief Information Security Officer plays a key role in securing organization-wide support, including at the senior executive and board levels, for making this shift from prevention to containment. Executives and board members must understand that containment is a resilience-improvement strategy, not a retreat from prevention. Framing the approach in business terms, such as reduced downtime, lower recovery costs, and faster return to operations, will help secure the endorsement of decision-makers.
Then, the technical execution falls on the shoulders of the security architects and engineering teams responsible for defining segmentation boundaries, establishing access policies, and implementing validation processes. Their work will ensure that even if (or, more likely, when) a breach occurs, the organization continues operating with minimal disruption.
The Pressure to Demonstrate ROI
Security leaders are constantly under pressure to justify their budgets. A containment-first approach offers them a clear value proposition. Limiting the blast radius of an attack reduces downtime, contains recovery costs, and safeguards the systems most critical to revenue and operations. Measure and communicate these outcomes in terms executives understand, such as hours of business interruption avoided or percentage reductions in incident response costs. That’s how they will show a quantifiable impact on the organization’s bottom line.
As cyber threats evolve, so must the strategies used to defend against them. Prevention will always have a place, but its limits are increasingly evident. A containment-first approach accepts the reality that some attacks will succeed and focuses on ensuring those incidents remain isolated, controlled, and non-disruptive to critical operations.
Organizations that embrace this mindset build resilience. They become better equipped to maintain business continuity during an incident, recover more quickly, and adapt as both technology and the threat landscape change.
The faster an organization contains a breach, the smaller its impact. Containment-first thinking delivers a measurable defensive advantage and positions organizations to operate with confidence, even when facing determined adversaries.