Cybersecurity Spends Billions Spotting Attacks. It Should Be Stopping Them.
Detection tools now dominate the security market, but faster alerts have not cut breach rates. A growing chorus of security professionals says the industry has the balance badly wrong.

Key points
- More than 70 percent of the 500-plus companies that entered the RSAC Conference startup competition over the past three years sell detection tools, not prevention tools.
- IBM's Cost of a Data Breach Report shows that faster detection reduces financial damage, but the average global breach still costs millions of dollars because detection does not stop the first intrusion.
- Common causes of breaches remain unchanged: known software flaws, stolen passwords, and misconfigured systems.
- AI tools are now generating phishing emails, which are fake messages designed to trick people into handing over passwords, at a scale no human team can match.
The cybersecurity industry has a spending problem. Not a shortage of money, a mislabelling of what that money buys.
Most new security products are built around detection: software that watches for signs of an intrusion after criminals are already inside a network. The tools are good at what they do. But they activate only after something has already gone wrong.
Writing for CSO Online, security professionals argue this has tipped the balance too far. The original point of security was to stop attacks before they landed, not to document them afterwards.
How did the industry end up here?
It happened gradually. Early computer networks were simple enough that firewalls, which act like locked doors between a company's systems and the outside world, and antivirus software could block most threats at the boundary. Then networks grew larger and more tangled. Criminals found ways around the perimeter. So security vendors built tools to watch what was happening inside networks instead: intrusion detection systems and, later, Security Information and Event Management platforms, known as SIEM, which collect and analyse logs from across an organisation to flag suspicious activity.
Detection was always meant to complement prevention. Somewhere along the way it became the main event.
Today, security teams measure success by how quickly they spot a problem and contain it. Executives track metrics like mean-time-to-detect, the average gap between an intrusion starting and a team noticing it. The unspoken assumption baked into those metrics is that a breach is inevitable. You just have to limit the damage.
That assumption is expensive. IBM's data shows faster detection cuts costs, but breaches still cost millions on average, because a criminal who is already inside has already won the first round.
The structural causes of breaches have barely shifted. Known vulnerabilities that companies have not patched, passwords stolen through phishing, and systems left open by configuration errors account for most incidents. All three are preventable before an attacker ever arrives.
Detection tools also produce a relentless stream of alerts, many of them false alarms. Security staff spend hours filtering noise to find genuine threats. Alert fatigue is real. Talented analysts are scarce. As AI lowers the cost and skill required to run large-scale attacks, the volume of alerts will only grow.
Prevention changes the maths in a different way. Requiring staff to use phish-resistant multi-factor authentication, which means a login that requires a second proof of identity beyond just a password, blocks most stolen-credential attacks outright. Patching known flaws before criminals exploit them removes entire categories of risk. Splitting networks into segments, so that a criminal who breaks into one part cannot roam freely, limits damage if something does get through.
Organisations that do these things well have fewer serious breaches and lower long-term costs, according to available research. The alerts that remain are easier to investigate because the background noise is lower.
What should organisations do? Audit which security budget lines prevent problems and which only report them. Prioritise patching, strong authentication, and staff awareness training. Detection is still essential, but it works best when prevention has already shrunk the field of threats it needs to cover.



