Cloud Complexity & Skills Gaps Are Colliding - Insights from the 2025 SANS Detection & Response Survey

Cloud adoption continues to grow, but so do the challenges security teams face in detecting and responding to threats across hybrid and multicloud environments. The 2025 SANS Detection & Response Survey highlights a widening gap between cloud complexity and the operational readiness of security teams - and it’s a gap that attackers are exploiting.

Here’s what the data tell us about why cloud visibility remains difficult in 2025, and how organizations can strengthen their approach.

1. Cloud expertise remains one of the biggest resource gaps

More than 58% of respondents cite limited cloud security expertise as a key challenge in detecting cloud-based threats. Even organizations with mature on-prem security practices are struggling to keep pace with new cloud architectures, APIs, and services.

What this means: Cloud detection requires more specialized knowledge than many teams can hire or train quickly enough.

2. Multicloud environments are making detection harder

According to the survey, 53% of teams struggle with the complexity of managing multicloud setups. As organizations expand into AWS, Azure, GCP, and SaaS ecosystems, visibility becomes fragmented, especially when each provider uses different telemetry formats and security controls.

What this means: Security teams must piece together visibility across multiple providers, often resulting in blind spots.

3. Integration issues create even more blind spots

53% of respondents also report difficulty integrating cloud security tools with existing detection stacks. Tool sprawl increases operational overhead, while incomplete integrations reduce the reliability of detections.

What this means: Teams can’t effectively correlate activity or maintain consistent visibility across cloud and on-prem environments.

4. High alert volume makes cloud visibility even harder

Cloud environments generate enormous amounts of telemetry. According to the survey, 35% of teams say the volume of cloud alerts is a major challenge. Combined with limited expertise and integration gaps, that volume becomes overwhelming.

What this means: Teams are missing subtle signs of compromise because they’re buried under alerts.

5. Cloud-native tools aren’t enough on their own

The survey shows a mixed picture in terms of cloud detection effectiveness:

  • Cloud-native tools: 20% extremely effective, 57% effective
  • Third-party solutions: 20% extremely effective, 56% effective
  • In-house tools: steep drop in effectiveness vs. last year

What this means: Cloud-native tools provide coverage, but often lack context, making it harder to understand how cloud events connect to network activity, lateral movement, or exfiltration.

The takeaway: Visibility must extend beyond the cloud control plane

The SANS data reinforces what many teams have already discovered:

  • Cloud-native security isn’t enough.
  • Tools must correlate cloud, network, and hybrid activity to reveal unseen threats.

NDR plays a critical role here by:

  • Providing deep visibility into all TCP/IP network traffic, in the cloud and on-prem
  • Detecting behavioral anomalies that cloud-native tools miss
  • Exposing broader threats that span hybrid and multicloud environments
  • Reducing alert noise with high-confidence, context-rich detections
  • Helping teams without deep cloud expertise quickly understand what’s happening

NDR helps simplify complexity without requiring teams to become cloud-forensics experts overnight.

Cloud Complexity Demands a Broader Detection Lens

Cloud environments are becoming more distributed, intricate, and deeply interwoven with everyday business operations. The 2025 SANS Detection & Response Survey makes one thing clear: while organizations can’t control the pace of cloud adoption or the complexity that comes with it, they can control how well they see what’s happening inside those environments.

Many traditional detection approaches, while still essential, were built for a world with fewer moving parts, fewer cloud services, and more predictable traffic patterns. As the SANS findings highlight, these tools often struggle to offer the level of visibility required across multicloud architectures, ephemeral workloads, encrypted traffic flows, and cloud-native services that generate limited or inconsistent telemetry. The result is an incomplete picture that makes it difficult for defenders to confidently identify, validate, and respond to emerging threats.

This is where Network Detection and Response (NDR) plays an increasingly important role. NDR provides a network-based perspective that spans cloud and on-prem environments, helping teams observe lateral movement, behavioral anomalies, and cross-environment activity that can be difficult to see through logs or endpoint data alone. By filling gaps between fragmented telemetry sources, NDR adds context to signals that might otherwise go unnoticed or remain.

In short, cloud complexity isn’t going away, but the visibility challenges it creates don’t have to remain. By adding NDR to the security stack, organizations gain the unified visibility and behavioral insight needed to navigate cloud environments with confidence. Instead of chasing isolated alerts or stitching together incomplete data sources, security teams can finally see the full story of what’s happening across their hybrid infrastructure.

As cloud architectures continue to evolve, the organizations that invest in broad, transparent visibility will be the ones best positioned to stay ahead of attackers. NDR isn’t a luxury in this landscape; it’s the essential network intelligence layer that modern detection and response simply cannot function without.

If you're interested in reading the full 2025 SANS Detection and Response Survey, you can download it here. For more information on our Clear NDR solution, visit our product page or click the demo link, listed below the author bio.

D. Mark Durrett

Mark is the chief marketing officer (CMO) at Stamus Networks, where he has responsibility for go-to-market strategy and execution. Mark started his career as an electrical engineer and worked in digital circuit design of networking and telecom hardware for over a decade. He has over 25 years of experience leading marketing, product management and engineering for technology companies. Mark has served as the senior product and marketing executive at Netsertive, Emerging Threats, Overture Networks, Bell and Howell, Covelight Systems and Hatteras Networks. Mark resides in North Carolina, USA.
