Our team just wrapped up the 2025 Glilot Nexus Roadshow and GDS Security Summit, meeting with CISOs and security leaders across industries in four cities in the US.

The interest we’ve received has been overwhelming, reinforcing that security teams recognize they cannot solve the challenges of detection and response with a run-time agent bolted onto a static CSPM tool. The cloud threat landscape moves too quickly for security teams to lag behind. Today’s organizations are actively looking for solutions that provide real-time cloud detection and response (CDR), not just more alerts.  

Here are five key insights that stood out in our conversations—each underscoring why CDR is gaining momentum as a must-have in cloud security:

1. Bolting run-time agents onto CSPM isn’t working.

The recent push by vendors to integrate real-time agent-based detection with Cloud Security Posture Management (CSPM) is fundamentally flawed. CSPM was designed for static posture management, not real-time threat detection. Trying to bolt detection and response onto a scan-based tool creates dangerous blind spots. Security leaders are starting to see through this marketing attempt—true CDR requires event-driven detection, not a periodic snapshot.

2. Cloud attacks move faster than periodic scans can detect.

Attackers don’t operate on a scan schedule.They exploit misconfigurations, escalate privileges, and move laterally within minutes. In fact, over 60% of cloud attacks originate from identity-based threats, misconfigurations, and API exposures. But CSPM solutions only update periodically, meaning security teams are always reacting to outdated information. Real-time CDR solutions like Stream Security’s CloudTwin™are designed to track posture changes as they happen, ensuring security teams aren’t left chasing ghosts.

3. Static CSPM models fail to capture attack paths.

CSPM tools were built to identify misconfigurations—not active attack paths. When an attacker pivots within a cloud environment using identity modifications or network reachability changes,CSPM can’t track it. Over 80% of cloud breaches involve lateral movement, which means real-time attack path detection is critical in stopping attackers before they cause major damage. CDR solutions that continuously model cloud activity allow security teams to visualize the real-time impact of an attack and respond before damage is done.

4. Mean Time to Respond (MTTR) is the SOC’s battleground.

SOC leaders are being measured on how quickly they can neutralize threats, but CSPM-based security models slow them down. If security teams need to manually investigate logs and correlate changes, response times suffer. The ability to reduce MTTR is a key performance metric for security operations, and real-time CDR eliminates bottlenecks by providing instant attack storylines and contextualized alerts – removing hurdles for the SOC.

5. Security Teams Need Actionable Context, Not Just More Logs.

Many vendors promise visibility but fail to provide clarity. CSPM-driven security stacks flood teams with findings but don’t answer critical questions: What changed? What’s at risk? What should we do next? Without dynamic attack path modeling, security teams are left guessing. CDR solutions like Stream’s CloudTwin™ensure every alert is actionable and response-ready.

The market’s response to CDR has been overwhelming. At every stop on the roadshow, CISOs and security teams are telling us the same thing: they’re ready for a new approach.

The old tools—SIEMs drowning in logs, static CSPM platforms, and agent-dependent EDR—aren’t solving the real challenges of cloud security.

The momentum behind CDR isn’t just hype—it’s necessity. Cloud threats are evolving in real time, and security teams need tools that can keep up.

‍