
Hybrid cloud security was built before the current era of automated, machine-based cyberattacks that take milliseconds to execute and minutes to deliver devastating impact on infrastructure.
The architectures and tech stacks every enterprise depends on, from batch-based detection to siloed tools to 15-minute response windows, stood a reasonable chance of defending against attackers moving at human speed. In a world of weaponized AI, those approaches to analyzing threat data no longer make sense.
The latest survey numbers tell the story. More than half (55%) of organizations suffered a cloud breach in the past 12 months, a 17-point jump, according to Gigamon's 2025 Hybrid Cloud Security Survey. Nearly half of the enterprises polled said their security tools missed the attack entirely. While 82% of enterprises now run hybrid or multi-cloud environments, only 36% express confidence in detecting threats in real time, per Fortinet's 2025 State of Cloud Security Report.
Adversaries aren't wasting any time weaponizing AI against hybrid cloud vulnerabilities. Organizations now face 1,925 cyberattacks a week, a 47% rise year over year. Ransomware surged 126% in the first quarter of 2025 alone. The visibility gaps everyone talks about in hybrid environments are where breaches originate. The bottom line is that security architectures designed for the pre-AI era can't keep pace.
But the industry is finally starting to respond. CrowdStrike, for its part, is offering one vision of cybersecurity reinvention. Today at AWS re:Invent, the company is rolling out real-time Cloud Detection and Response, a platform designed to compress 15-minute response windows down to seconds.
The bigger story is why the entire approach to hybrid cloud security must change, and what that means for CISOs planning their 2026 strategies.
Why the old model for hybrid cloud security is failing
Initially, hybrid cloud promised the best of both worlds: public cloud agility with on-prem control. The security model that took shape reflected the best practices of the time. The trouble is that those best practices are now introducing vulnerabilities.
How bad is it? The vast majority of security teams struggle to keep up with the threats and the workloads. According to recent research:
- 91% of security leaders admit to making security compromises in their hybrid cloud environments, often trading visibility for speed, accepting siloed tools and living with degraded data quality.
- 76% report a shortage of cloud security expertise, limiting their ability to deploy and manage comprehensive solutions.
- Only 17% of organizations can see attackers moving laterally inside their network. That is one of several blind spots attackers exploit to stretch dwell time, conduct reconnaissance, stage ransomware and lurk until the time is right to launch an attack.
- 70% now view the public cloud as the riskiest environment in their infrastructure, and half are considering moving workloads back on-prem.
"You can't secure what you can't see," says Mandy Andress, CISO at Elastic. "That's the heart of the two big challenges we see as security practitioners: the complexity and sprawl of an organization's infrastructure, coupled with the rapid pace of technological change."
CrowdStrike CTO Elia Zaitsev diagnosed the root cause: "Everyone assumed this was a one-way trip, lift and shift everything to the cloud. That's not what happened. We're seeing firms pull workloads back on-prem when the economics make sense. The reality? Everyone's going to be hybrid. Five years from now. Ten years. Maybe forever. Security has to deal with that."
Weaponized AI is changing the threat calculus fast
The weaponized AI era isn't just accelerating attacks. It's breaking the fundamental assumptions on which hybrid cloud security was built. The window between patch release and weaponized exploit has collapsed from weeks to hours. Most adversaries aren't typing commands anymore; they're automating machine-based campaigns that orchestrate agentic AI at a scale and speed that current hybrid cloud tools and human SOC teams can't keep up with.
Zaitsev shared threat data from CrowdStrike's mid-year threat hunting report, which found that cloud intrusions spiked 136% in a year, with roughly 40% of all cloud actor activity coming from China-nexus adversaries. That is how quickly the threat landscape can change, and why hybrid cloud security must be reinvented for the AI era now.
Mike Riemer, SVP and field CISO at Ivanti, has watched the timeline collapse. Threat actors now reverse-engineer patches within 72 hours using AI assistance. If enterprises don't patch within that window, "they're open to exploit," Riemer told VentureBeat. "That's the new reality."
Relying on previous-generation tools to protect today's cloud control plane is a dangerous bet. All it takes is a single compromised virtual machine (VM) that nobody knows exists. Compromise the control plane, meaning the APIs that manage cloud resources, and the attacker holds the keys to spin up, modify or delete thousands of assets across an organization's hybrid environment.
The seams between hybrid cloud environments are attack highways, and millisecond-long attacks crossing them seldom leave any digital exhaust or trace. Many organizations never see weaponized AI attacks coming.
VentureBeat hears that the worst hybrid cloud attacks can only be diagnosed long after the fact, when forensics and analysis are finally complete. Adversaries are that good at covering their tracks, often relying on living-off-the-land (LotL) tools to evade detection for months, even years in extreme cases.
"Enterprises training AI models are concentrating sensitive data in cloud environments, which is gold for adversaries," CrowdStrike's Zaitsev said. "Attackers are using agentic AI to run their campaigns. The standard SOC workflow — see the alert, triage, investigate for 15 or 20 minutes, take action an hour or a day later — is totally insufficient. You're bringing a knife to a gunfight."
The human toll of relying on outdated architecture
The human toll of the hybrid cloud crisis shows up in SOC metrics and burnout. The AI SOC Market Landscape 2025 report found that the average security operations center processes 960 alerts a day, and each takes roughly 70 minutes to investigate properly. That works out to about 1,120 analyst-hours a day, or 140 eight-hour shifts; at standard SOC staffing levels there aren't enough hours in the day to get to every alert.
Further, at least 40% of alerts, on average, never get touched. The human cost is staggering. A Tines survey of SOC analysts found that 71% are experiencing burnout. Two-thirds say manual grunt work consumes more than half of their day. The same percentage are eyeing the exit from their jobs and, in many extreme cases, as some confide to VentureBeat, from the industry.
Hybrid environments make everything more complicated. Enterprises have different tools for AWS, Azure and on-prem architectures. They have different consoles and often different teams. As for alert correlation across environments? It's manual and usually delegated to the most senior SOC team members, if it happens at all.
Batch-based detection can't survive the weaponized AI era
Here's what most legacy vendors of hybrid cloud security tools won't openly admit: their tools were never designed for real-time defense. The majority are batch-based, collecting logs every five, ten or fifteen minutes, processing them through correlation engines, then generating alerts. In a world where adversaries increasingly execute machine-based attacks in milliseconds, a 15-minute detection delay isn't a minor setback; it's the difference between stopping an attack and investigating a breach.
As adversaries weaponize AI to speed up cloud attacks and move laterally across systems, traditional cloud detection and response (CDR) tools that rely on batch log processing are too slow to keep up. These systems can take 15 minutes or more to surface a single detection.
CrowdStrike's Zaitsev didn't hedge. Before the company's new tools released today, there was no such thing as real-time cloud detection and prevention, he claimed. "Everyone else is batch-based. Suck down logs every five or 10 minutes, wait for data, import it, correlate it. We've seen competitors take 10 to 15 minutes minimum. That's not detection—that's archaeology."
He continued: "It's carrier pigeon versus 5G. The gap between 15 minutes and 15 seconds isn't just about alert quality. It's the difference between getting a notification that something has already happened; now you're doing cleanup, versus actually stopping the attack before the adversary achieves anything. One is incident response. The other is prevention."
Reinventing hybrid cloud security must begin with speed
CrowdStrike's new real-time Cloud Detection and Response, part of Falcon Cloud Security's unified cloud-native application protection platform (CNAPP), is intended to secure every layer of hybrid cloud risk. It's built on three key pieces:
- Real-time detection engine: Built on the event streaming technology pioneered and battle-tested by Falcon Adversary OverWatch, this engine analyzes cloud logs as they stream in and applies detections on the fly, cutting latency and false positives.
- New cloud-specific indicators of attack (IOAs) out of the box: AI and machine learning (ML) correlate what's happening in real time against cloud asset and identity data. That's how the system catches stealthy moves like privilege escalation and CloudShell abuse before attackers can capitalize on them.
- Automated cloud response actions and workflows: There's a gap in traditional cloud security. Cloud workload protection (CWP) stops at the workload. Cloud security posture management (CSPM) shows what could go wrong. Neither protects the control plane at runtime. New workflows built on Falcon Fusion SOAR close that gap, triggering immediately to disrupt adversaries without waiting for SOC analysts to intervene.
CrowdStrike's Cloud Detection and Response integrates with Amazon EventBridge, AWS's serverless event bus. Instead of polling for logs on a schedule, the system taps directly into the event stream as API calls occur.
"Anything that calls itself CNAPP that doesn't have real-time cloud detection and response is now obsolete," CrowdStrike CTO Elia Zaitsev said in an exclusive interview with VentureBeat.
By contrast, EventBridge gives the platform asynchronous, microservice-based, just-in-time event processing. "We're not waiting five minutes for a bucket of data," he said.
But tapping into the stream is only half the problem. "Can you actually keep up with that firehose? Can you process it fast enough to matter?" Zaitsev asked rhetorically. CrowdStrike claims it can handle 60 million events per second. "This isn't duct tape and a demo."
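To make the batch-versus-stream argument above concrete, here is an added example (not CrowdStrike's or AWS's code) that runs one stateful detection rule over the same CloudTrail-style events two ways: evaluated per event as EventBridge would deliver them (`detail-type` of `AWS API Call via CloudTrail`), and evaluated only when a 15-minute collection cycle closes. The rule flags a principal that creates an IAM user and, within minutes, attaches `AdministratorAccess` or mints an access key for it. The event shape is trimmed to the fields the rule reads, the sample events are constructed, and the role and account values are placeholders.

```python
"""Added illustration of detection latency: same rule, streaming vs batched evaluation."""
from datetime import datetime, timedelta, timezone


def ct_event(t, principal, name, params=None):
    """Minimal CloudTrail management event in the EventBridge envelope.
    Assumed, trimmed shape: only the fields the rule below reads are kept."""
    return {"detail-type": "AWS API Call via CloudTrail", "time": t,
            "detail": {"eventName": name, "userIdentity": {"arn": principal},
                       "requestParameters": params or {}}}


ADMIN_POLICY = "arn:aws:iam::aws:policy/AdministratorAccess"
WINDOW = timedelta(minutes=10)  # how long after CreateUser a follow-up still counts


class EscalationDetector:
    """Per-principal state: CreateUser followed within WINDOW by
    AttachUserPolicy(AdministratorAccess) or CreateAccessKey on that new user
    is flagged. Keeping state across events is what lets a streaming engine
    fire on the second event instead of waiting for a batch to correlate."""

    def __init__(self):
        self.created = {}  # (actor arn, new user name) -> time of CreateUser

    def ingest(self, ev):
        d = ev["detail"]
        actor, name, params = d["userIdentity"]["arn"], d["eventName"], d["requestParameters"]
        target = params.get("userName")
        if name == "CreateUser":
            self.created[(actor, target)] = ev["time"]
            return None
        if name not in ("AttachUserPolicy", "CreateAccessKey"):
            return None
        t0 = self.created.get((actor, target))
        if t0 is None or ev["time"] - t0 > WINDOW:
            return None
        if name == "AttachUserPolicy" and params.get("policyArn") != ADMIN_POLICY:
            return None
        return {"rule": "iam-privilege-escalation", "actor": actor,
                "target": target, "trigger": name, "at": ev["time"]}


def detect_streaming(events):
    """Evaluate on every event as it arrives; detection time is the event's
    own timestamp (transport delay ignored)."""
    det = EscalationDetector()
    for ev in sorted(events, key=lambda e: e["time"]):
        hit = det.ingest(ev)
        if hit is not None:
            return hit["at"], hit
    return None, None


def detect_batched(events, interval=timedelta(minutes=15)):
    """Same rule, but events are only evaluated when the collection cycle
    closes, so the earliest detection is the end of the cycle holding the
    triggering event. Cycles are aligned to the first event for simplicity."""
    det = EscalationDetector()
    evs = sorted(events, key=lambda e: e["time"])
    cycle_end, i = evs[0]["time"] + interval, 0
    while i < len(evs):
        batch = []
        while i < len(evs) and evs[i]["time"] < cycle_end:
            batch.append(evs[i])
            i += 1
        for ev in batch:  # the rule runs only now, when the cycle fires
            hit = det.ingest(ev)
            if hit is not None:
                return cycle_end, hit
        cycle_end += interval
    return None, None


# Constructed sample stream: a CI role creates a user, makes it admin and
# mints a key for it within 20 seconds; an unrelated read call is noise.
T0 = datetime(2025, 12, 2, 14, 0, 0, tzinfo=timezone.utc)
CI_ROLE = "arn:aws:sts::111122223333:assumed-role/ci-deploy/build-42"  # placeholder
SAMPLE_EVENTS = [
    ct_event(T0, CI_ROLE, "CreateUser", {"userName": "svc-backup"}),
    ct_event(T0 + timedelta(seconds=12), CI_ROLE, "AttachUserPolicy",
             {"userName": "svc-backup", "policyArn": ADMIN_POLICY}),
    ct_event(T0 + timedelta(seconds=20), CI_ROLE, "CreateAccessKey",
             {"userName": "svc-backup"}),
    ct_event(T0 + timedelta(minutes=5),
             "arn:aws:sts::111122223333:assumed-role/readonly/ops", "DescribeInstances"),
]


def latency_seconds(events, interval=timedelta(minutes=15)):
    """Seconds from the first event until each mode surfaces the detection."""
    start = min(e["time"] for e in events)
    t_stream, _ = detect_streaming(events)
    t_batch, _ = detect_batched(events, interval)
    return {"streaming": (t_stream - start).total_seconds(),
            "batched": (t_batch - start).total_seconds()}


if __name__ == "__main__":
    print(latency_seconds(SAMPLE_EVENTS))  # {'streaming': 12.0, 'batched': 900.0}
```

The rule fires on the `AttachUserPolicy` call 12 seconds into the sequence in streaming mode; in batched mode the same rule cannot fire until the 15-minute cycle closes, by which point the attacker has already minted a working admin key. The question to put to a vendor is which of these two loops their engine actually runs.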
The underlying streaming technology isn't new to CrowdStrike. Falcon Adversary OverWatch has been running stream processing for 15 years to hunt across CrowdStrike's customer base, processing logs in real time rather than waiting for batch cycles to finish.
The platform integrates Charlotte AI for automated triage; CrowdStrike says it matches expert managed detection and response (MDR) analysts at 98% accuracy and cuts more than 40 hours of manual work a week. When the system detects a control plane compromise, it doesn't wait for human approval. It revokes tokens, kills sessions, boots the attacker and deletes malicious CloudFormation templates, all before the adversary can act.
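As an added example of what one of those response actions comes down to in AWS terms (not CrowdStrike's workflow), the "kill sessions" step for a compromised role is an inline IAM deny policy whose condition rejects any request made with credentials issued before the moment of detection. This is the mechanism behind the IAM console's "Revoke active sessions" action and the `aws:TokenIssueTime` condition key; the timestamps and role name below are constructed, and `apply_to_role` takes an injected boto3 client so the file runs offline.

```python
"""Added illustration: revoke every existing session of a role at detection time."""
import json
from datetime import datetime, timezone

STAMP = "%Y-%m-%dT%H:%M:%SZ"  # ISO 8601 UTC, the form IAM date conditions accept


def revoke_sessions_policy(not_before):
    """Deny everything for sessions whose aws:TokenIssueTime is earlier than
    not_before. Sessions assumed after that instant are unaffected, so the
    role keeps working for legitimate callers that re-assume it."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": ["*"],
            "Resource": ["*"],
            "Condition": {"DateLessThan": {
                "aws:TokenIssueTime": not_before.astimezone(timezone.utc).strftime(STAMP)}},
        }],
    }


def is_denied(policy, token_issue_time):
    """Evaluate the policy's DateLessThan conditions the way IAM does for one
    request. token_issue_time is None for a long-term IAM user access key:
    the condition key is absent, the condition does not match, and the Deny
    does NOT apply. Revoking sessions therefore does nothing against a stolen
    access key; that needs iam:UpdateAccessKey (Status=Inactive) as well."""
    if token_issue_time is None:
        return False
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        cutoff = datetime.strptime(
            st["Condition"]["DateLessThan"]["aws:TokenIssueTime"], STAMP
        ).replace(tzinfo=timezone.utc)
        if token_issue_time < cutoff:
            return True
    return False


def apply_to_role(iam_client, role_name, policy):
    """Attach the deny policy inline. iam_client is an injected boto3 IAM client
    (boto3.client('iam')); not called here so the example runs offline. The
    policy name mirrors the one the console uses."""
    iam_client.put_role_policy(
        RoleName=role_name,
        PolicyName="AWSRevokeOlderSessions",
        PolicyDocument=json.dumps(policy),
    )


# Constructed scenario: detection fired at 14:00:12Z; the attacker assumed the
# role at 13:58:00Z, and an analyst re-assumes it at 14:00:30Z.
DETECTED_AT = datetime(2025, 12, 2, 14, 0, 12, tzinfo=timezone.utc)
ATTACKER_SESSION = datetime(2025, 12, 2, 13, 58, 0, tzinfo=timezone.utc)
ANALYST_SESSION = datetime(2025, 12, 2, 14, 0, 30, tzinfo=timezone.utc)
POLICY = revoke_sessions_policy(DETECTED_AT)

if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))
    print(is_denied(POLICY, ATTACKER_SESSION))  # True
    print(is_denied(POLICY, ANALYST_SESSION))   # False
    print(is_denied(POLICY, None))              # False: long-term key, not a session
```

The caveat in `is_denied` is the one worth remembering when building automated response: session revocation closes the attacker's current STS credentials but leaves a compromised user's long-term access key valid, so a real playbook deactivates keys and rotates them as separate actions.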
What this implies for the CNAPP market
Cloud security is the fastest-growing segment in Gartner's latest forecast, expanding at a 25.9% CAGR through 2028. Precedence Research projects the market will grow from $36 billion in 2024 to $121 billion by 2034. And it's crowded: Palo Alto Networks, Wiz (now part of Google following a $32 billion acquisition), Microsoft, Orca and SentinelOne, to name a few.
CrowdStrike already had a seat at the table as a Leader in the 2025 IDC MarketScape for CNAPP for the third consecutive year. Gartner predicts that by 2029, 40% of enterprises that successfully implement zero trust in cloud environments will rely on CNAPP platforms for their visibility and control.
But Zaitsev is making a bigger claim, stating that today's announcement redefines what "complete" means for CNAPP in hybrid environments. "CSPM isn't going away. Cloud workload protection isn't going away. What becomes obsolete is calling something a CNAPP when it lacks real-time cloud detection and response. You're missing the safety net, the thing that catches what gets through proactive defenses. And in hybrid, something always gets through."
"The unified platform angle matters specifically for hybrid," he said. "Adversaries deliberately hop between environments because they know defenders run different tools, often different teams, for cloud versus on-prem versus identity. Jumping domains is how you shake your tail. Attackers know most organizations can't follow them across the seams. With us, they can't do that anymore."
Building hybrid security for the AI era
Reinventing hybrid cloud security won't happen overnight. Here's where CISOs should focus:
- Map your hybrid visibility gaps: Every cloud workload, every on-prem system, every identity traversing between them. If 82% of breaches trace to blind spots, know where yours are before attackers find them.
- Pressure vendors on detection latency: Ask hard questions about architecture. If they're running batch-based processing, understand what a 15-minute window means when adversaries move in seconds.
- Deploy AI triage now: With 40% of alerts going uninvestigated and 71% of analysts burned out, automation isn't a roadmap item; it's a must-have for a successful defense. Look for measurable accuracy rates and measurable time savings.
- Compress patch cycles to 72 hours: AI-assisted reverse engineering has collapsed the exploit window. Monthly patch cycles don't cut it anymore.
- Architect for permanent hybrid: Stop waiting for cloud migration to simplify security. It won't. Design for complexity as the baseline, not a temporary state. The 54% of enterprises running hybrid models today will still be hybrid tomorrow.
The bottom line
Hybrid cloud security must be reinvented for the AI era. Previous-generation hybrid cloud security solutions are quickly being eclipsed by weaponized AI attacks, often launched as machine-on-machine intrusion attempts. The evidence is clear: 55% breach rates, 91% of security leaders making compromises they know are dangerous and AI-accelerated attacks that move faster than batch-based detection can respond. Architectures designed for human-speed threats can't protect against machine-speed adversaries.
"Modern cybersecurity is about differentiating between acceptable and unacceptable risk," says Chaim Mazal, CSO at Gigamon. "Our research shows where CISOs are drawing that line, highlighting the critical importance of visibility into all data-in-motion to secure complex hybrid cloud infrastructure against today's emerging threats. It's clear that current approaches aren't keeping pace, which is why CISOs must reevaluate tool stacks and reprioritize investments and resources to more confidently secure their infrastructure."
VentureBeat will be tracking which approaches to hybrid cloud reinvention actually deliver, and which don't, in the months ahead.
