From Cloud migration to incident management maturity

October 7, 2025

Cloud migration has increased exposure to cyberattacks, requiring companies to strengthen their incident management and response strategies to protect their infrastructures and services. This process demands comprehensive preparation, advanced detection, effective containment, complete eradication, and secure recovery, all adapted to the specific characteristics of cloud environments.

______

In recent years, studies have confirmed that attacks on cloud infrastructures have grown significantly. When combined with the fact that many organisations have migrated their entire infrastructure to the cloud, we find ourselves with the perfect storm.

Cloud migration has brought multiple benefits for businesses — enhanced computing capacity, improved services for employees and customers, better upgrade capabilities, and greater opportunities to optimise their systems. However, many migrations have been carried out without proper Cyber Security measures or without the necessary analysis of the specific security requirements of application developments.

Threats have intensified due to the constant exposure of infrastructure, lack of control and monitoring over these services, deployment of solutions without proper security validation, and the use of advanced attack techniques and AI-driven technologies to enhance the impact of attacks.

Therefore, it is essential for organisations to understand the importance of securing both cloud migration and cloud service deployment. Security implementations must be aligned with the characteristics and services of the Cloud; implementing Cyber Security for a SaaS model is not the same as for a PaaS or IaaS model, because each model moves the line between what the provider controls and what the customer controls, and with it the evidence the customer will be able to collect during an incident.

Incident response plans must be reviewed and adapted to address the new service architecture and the risks inherent to these environments.

We know how crucial it is to have clearly defined steps in an incident response, including playbooks for every potential situation, and a master incident response plan that encompasses both physical network infrastructure and cloud-based services.

Let’s start with preparation

Preparation is the first step in any incident response. In this phase, the goal is to establish the capabilities, resources, policies, and tools required to respond effectively to security incidents, taking into account a variable attack surface and components shared with third parties that are not fully under our control.

  • As always in Cyber Security, it’s critical to start with a clear inventory and asset criticality classification. In cloud environments, this means a deep analysis of components (VMs, containers, buckets, APIs, identities), and a multidimensional classification based on data sensitivity and operational dependency — supported by a standardised tagging system that provides clear information about region, tenant, and provider, among others.

    To achieve this, highly granular visibility tools and specialised cloud security solutions such as CSPM (Cloud Security Posture Management) are essential. These technologies keep the inventory current as resources are created and destroyed and, when integrated with SIEM (Security Information and Event Management), provide timely alerts related to critical assets.
  • In addition to this inventory, it’s crucial to create an attack surface map that documents every entry point into the cloud environment — including public interfaces, APIs, credentials, and third-party integrations. This enables Blue Teams to identify configuration errors, analyse permissions and identity management, and pinpoint commonly exposed services.

    Technology offers several solutions to support this, such as CWPP (Cloud Workload Protection Platforms) and continuous penetration testing services, which enable both the detection of exposed misconfigurations and proactive anticipation of threats.
  • When responding to a cyber incident, it’s essential to have clearly defined roles and responsibilities for everyone involved, supported by RACI matrices for each type of incident. IT, security, legal, communications, and development teams must all collaborate under an appointed incident manager.
  • In Cyber Security, everything should be backed by documented procedures and policies that define data and event retention, encryption, backup strategies, and restoration tests.

    This documentation forms the foundation for establishing the investigation window available to the incident response team: how far back logs, snapshots, and backups are still available determines how much of an intrusion can be reconstructed.
  • No skill is learned without practice. Preparation must include training exercises involving people, technology, and processes.

    Simulation platforms or tabletop exercises based on real scenarios help validate every point mentioned above.

Requirements for detecting cloud-based threats

Threat detection in the cloud has its own particularities. What we traditionally consider a “perimeter” no longer exists — identity becomes the new perimeter that must be secured. Therefore, detection strategies must include the following technical capabilities:

  • A unified and comprehensive telemetry across all architecture components that covers both security and performance requirements.

    Multi-cloud telemetry collection is essential here, with agents or sidecars that reach into containers as well as hosts, so that no component is left unobserved.
  • As identity is now the boundary, detection must align with user and device behaviour, triggering alerts based on anomalies or deviations from normal patterns.

    Technologies such as UEBA (User and Entity Behavior Analytics) leverage Machine Learning to perform this type of analysis.
  • Alerts must be contextualised with identity and risk data, allowing accurate risk scoring to determine whether a preconfigured playbook in the SOAR should be executed or if DFIR activation is required.

For advanced detection, the monitoring system should receive the highest volume and quality of data — including access events, network activity, configuration changes, and API calls — from sources like CWPP, CSPM, cloud firewalls, and IAM tools.
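The identity-centric detection loop described in this section, as an added example written for this article rather than code from the original page: historical audit events build a per-identity baseline (regions, source IPs, API calls), each new event is scored on its deviation from that baseline, the score is enriched with identity privilege and asset criticality from the inventory, and the result is routed to a SOAR playbook, to DFIR, or simply logged. The event fields, identities, IP addresses, weights and thresholds are all constructed assumptions chosen to resemble a CloudTrail-style audit log.

```python
"""Identity-centric detection: score cloud audit events against a per-identity
baseline, add identity and asset context, and route to SOAR or DFIR.

Added example for this article, not code from the original page. Event fields,
identities, IPs, weights and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed 30-day baseline: what each identity normally does, and from where.
BASELINE_EVENTS = [
    {"principal": "deploy-bot", "region": "eu-west-1", "src_ip": "10.0.1.5", "api": "ecs:UpdateService"},
    {"principal": "deploy-bot", "region": "eu-west-1", "src_ip": "10.0.1.5", "api": "ecr:PutImage"},
    {"principal": "alice", "region": "eu-west-1", "src_ip": "203.0.113.10", "api": "s3:GetObject"},
    {"principal": "alice", "region": "eu-west-1", "src_ip": "203.0.113.10", "api": "s3:ListBucket"},
]

# Context pulled from the asset inventory / IAM (assumed values for the example).
IDENTITY_CONTEXT = {
    "deploy-bot": {"privileged": True, "human": False},
    "alice": {"privileged": False, "human": True},
}
ASSET_CRITICALITY = {"customer-db-backups": 3, "static-site": 1}  # 0..3

# APIs that create persistence or widen access; scored even when already "normal".
SENSITIVE_APIS = {"iam:CreateAccessKey", "iam:AttachUserPolicy",
                  "s3:PutBucketPolicy", "sts:AssumeRole"}

DFIR_THRESHOLD = 9   # hand the alert to the DFIR team
SOAR_THRESHOLD = 5   # run an automated playbook

# Constructed events to triage: a service account suddenly creating keys from a
# new region and IP, a normal read of a critical bucket, and a user from a new origin.
NEW_EVENTS = [
    {"principal": "deploy-bot", "region": "us-east-1", "src_ip": "198.51.100.7",
     "api": "iam:CreateAccessKey", "asset": None},
    {"principal": "alice", "region": "eu-west-1", "src_ip": "203.0.113.10",
     "api": "s3:GetObject", "asset": "customer-db-backups"},
    {"principal": "alice", "region": "us-east-1", "src_ip": "198.51.100.9",
     "api": "s3:ListBucket", "asset": "customer-db-backups"},
]


def build_baseline(events):
    """Collapse historical events into the regions, IPs and APIs seen per identity."""
    baseline = defaultdict(lambda: {"regions": set(), "src_ips": set(), "apis": set()})
    for e in events:
        b = baseline[e["principal"]]
        b["regions"].add(e["region"])
        b["src_ips"].add(e["src_ip"])
        b["apis"].add(e["api"])
    return baseline


def score_event(event, baseline):
    """Return (score, reasons): behavioural deviation plus identity/asset context."""
    score, reasons = 0, []
    known = baseline.get(event["principal"])
    ctx = IDENTITY_CONTEXT.get(event["principal"], {})
    if known is None:
        score += 3; reasons.append("unknown principal")
    else:
        if event["region"] not in known["regions"]:
            score += 2; reasons.append("new region")
        if event["src_ip"] not in known["src_ips"]:
            score += 2; reasons.append("new source IP")
            # Machine identities have very stable origins, so a new IP weighs more.
            if ctx.get("human") is False:
                score += 2; reasons.append("machine identity from new origin")
        if event["api"] not in known["apis"]:
            score += 1; reasons.append("new API")
    if event["api"] in SENSITIVE_APIS:
        score += 3; reasons.append("sensitive API")
    if ctx.get("privileged"):
        score += 2; reasons.append("privileged identity")
    crit = ASSET_CRITICALITY.get(event.get("asset"), 0)
    if crit:
        score += crit; reasons.append(f"asset criticality {crit}")
    return score, reasons


def route(score, reasons):
    """Decide what happens to the alert: DFIR, a SOAR playbook, or just a log entry."""
    if score >= DFIR_THRESHOLD:
        return "dfir"
    if score >= SOAR_THRESHOLD:
        # Identity-related deviations go straight to the containment playbook;
        # anything else is confirmed with the user before acting.
        if "sensitive API" in reasons or "privileged identity" in reasons:
            return "soar:contain-identity"
        return "soar:verify-with-user"
    return "log"


def triage(events, baseline):
    out = []
    for e in events:
        score, reasons = score_event(e, baseline)
        out.append({**e, "score": score, "reasons": reasons, "action": route(score, reasons)})
    return out


if __name__ == "__main__":
    for r in triage(NEW_EVENTS, build_baseline(BASELINE_EVENTS)):
        print(r["principal"], r["api"], r["score"], r["action"], r["reasons"])
```

With the constructed data, the service account creating an IAM key from a new region and IP scores 12 and goes to DFIR, the routine read of the critical bucket scores only on asset criticality and is logged, and the user appearing from a new origin lands on the verification playbook. The weights are deliberately simple; a UEBA product replaces the set-membership checks with learned distributions, but the enrichment and routing stages look the same.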

We’re in the incident: time to contain

Containing the spread of an attack is one of the primary capabilities of incident management, but it depends directly on the organisation’s preparation and team training. However, certain technologies can significantly help meet expectations in this phase, especially in cloud architectures.

  • The ability to modify network architecture in real time is a major advantage of the cloud and is critical during incident response — being able to reconfigure networks, adjust security groups, and modify access policies instantly can make the difference between losing services and halting an attack.
  • As mentioned, identity is the new frontier in the cloud. Ensuring proper identity management during containment allows compromised accounts to be limited within seconds — by rotating API keys, revoking tokens, or disabling active sessions.
  • CWPP workload management and reporting enable rapid suspension or isolation of compromised services or instances, cutting them off from the rest of the fleet so the attack cannot spread while healthy capacity keeps the service running and the affected workload is preserved for analysis.

Each cloud provider offers services to address these needs through different solutions, or they can be managed via a multi-cloud system that also incorporates evidence collection capabilities, essential for forensic and malware analysis teams during incidents.
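The identity and workload containment steps listed above, as an added example for this article (not code from the original page): it produces an ordered plan of AWS IAM and EC2 operations for a compromised IAM user and the instances it touched. The operation names are the genuine AWS API operations; the user name, access key ids, instance and volume ids and the quarantine security group are constructed. The plan is plain data so it can be reviewed, run in dry-run, or handed to a SOAR playbook; executing it requires an SDK client, which is outside this example.

```python
"""Containment plan for a compromised cloud identity and the workloads it touched.

Added example for this article, not code from the original page. API operation
names are real AWS IAM/EC2 operations; all identifiers are constructed.
"""
import json
from datetime import datetime, timezone


def revoke_older_sessions_policy(revoked_at: datetime) -> dict:
    """Inline deny policy that invalidates every session issued before revoked_at.

    Temporary credentials carry aws:TokenIssueTime, so a Deny conditioned on
    DateLessThan hits the sessions an attacker already holds while sessions
    minted after the timestamp are unaffected. This is the same shape AWS uses
    for its "revoke active sessions" action.
    """
    stamp = revoked_at.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Deny",
            "Action": "*",
            "Resource": "*",
            "Condition": {"DateLessThan": {"aws:TokenIssueTime": stamp}},
        }],
    }


def containment_plan(user, access_keys, instances, quarantine_sg, now):
    """Ordered containment steps for an IAM user and the instances it touched.

    Order matters: a long-lived access key can mint a fresh session at any
    moment, so denying old sessions is only useful together with deactivating
    the key. Keys are deactivated rather than deleted so they remain available
    to the investigation. For an IAM role the equivalent call is iam:PutRolePolicy.
    """
    steps = [
        {"api": "iam:PutUserPolicy",
         "params": {"UserName": user, "PolicyName": "IR-RevokeOlderSessions",
                    "PolicyDocument": json.dumps(revoke_older_sessions_policy(now))}},
    ]
    for key_id in access_keys:
        steps.append({"api": "iam:UpdateAccessKey",
                      "params": {"UserName": user, "AccessKeyId": key_id, "Status": "Inactive"}})
    steps.append({"api": "iam:DeleteLoginProfile", "params": {"UserName": user}})
    for inst in instances:
        # Preserve disk evidence first, then isolate. Isolation (not termination)
        # keeps memory and running state for the forensic team.
        for vol in inst["volumes"]:
            steps.append({"api": "ec2:CreateSnapshot",
                          "params": {"VolumeId": vol,
                                     "Description": f"IR evidence {inst['id']}"}})
        steps.append({"api": "ec2:ModifyInstanceAttribute",
                      "params": {"InstanceId": inst["id"], "Groups": [quarantine_sg]}})
    return steps


# Constructed incident data for a stand-alone run.
COMPROMISED_USER = "alice"
COMPROMISED_KEYS = ["AKIAIOSFODNN7EXAMPLE", "AKIAI44QH8DHBEXAMPLE"]
TOUCHED_INSTANCES = [{"id": "i-0abc123def456789a", "volumes": ["vol-0123456789abcdef0"]}]
QUARANTINE_SG = "sg-0quarantine000000"
REVOKED_AT = datetime(2025, 10, 7, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for step in containment_plan(COMPROMISED_USER, COMPROMISED_KEYS,
                                 TOUCHED_INSTANCES, QUARANTINE_SG, REVOKED_AT):
        print(step["api"], json.dumps(step["params"]))
```

Two caveats a practitioner should check before running such a plan: the quarantine security group must have no ingress rules and must have the default allow-all egress rule removed, otherwise the isolated instance can still reach out; and the revocation timestamp must be the moment the policy is attached, since any session issued after it is still honoured.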

Now secure, let’s eradicate

This is undoubtedly one of the most critical phases of incident management — it must ensure the removal of all malicious artefacts, the remediation of every exploited vulnerability or misconfiguration, and the elimination of any residual threat that could lead to a reactivation.

The eradication process requires collaboration across multiple teams — forensic analysts, threat hunters, and monitoring and network administrators — using both technological and procedural tools such as:

  • Verifying that threat detection covered all elements of the cloud architecture, ensuring that the artefact triggering the DFIR activation is no longer present in any system.
  • The threat hunting team should run deep scan campaigns using XDR, CWPP, and other tools to identify the attack’s characteristics and prevent reinfection. Enhanced monitoring for the indicators identified should begin at this stage and continue for months after closure.
  • A thorough analysis must be conducted on any elements scheduled for restoration (checking images, snapshots, disks, and backups) to ensure no remnants of the attack remain that could restore attacker access.

Eradication is only effective when every artefact used by the attacker has been identified, no malware variants or persistence mechanisms remain, and all components that could enable reinfection have been removed.

Let’s begin recovery

The sole objective of this phase is to restore normal service operations, ensuring the environment is free of threats and data integrity is maintained. This is not always easy, either due to the attack’s impact or poor backup practices.

Major cloud providers offer automated restoration tools and snapshot capabilities. Therefore, in this phase, any element verified as clean should be restored using these tools, choosing restore points that predate the compromise rather than the most recent ones, and rotating any credentials baked into restored images before reconnecting them to the environment.
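The check that ties the eradication bullet on images, snapshots and backups to this recovery step, as an added example for this article (not code from the original page): restore candidates are filtered to those created before the earliest evidence of compromise minus a dwell-time margin, and each remaining candidate's file manifest is scanned for the artefacts the forensic team identified and for persistence files that differ from a known-good copy. The snapshot ids, dates, file paths and hashes are constructed; in a real run the manifest comes from mounting each snapshot and hashing the files of interest.

```python
"""Vet restore candidates before recovery: keep only snapshots that predate the
earliest evidence of compromise (minus a dwell-time margin) and that contain no
known artefacts or tampered persistence files.

Added example for this article, not code from the original page. Snapshot ids,
timestamps, manifests and hashes are constructed.
"""
from datetime import datetime, timedelta, timezone


def ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Hashes of artefacts identified during the investigation (constructed).
IOC_HASHES = {"sha256:4f1a9c02": "cron dropper", "sha256:9be37d11": "reverse shell binary"}

# Known-good hashes of files attackers commonly edit for persistence (constructed).
GOLDEN = {
    "/root/.ssh/authorized_keys": "sha256:7a0c5e21",
    "/etc/crontab": "sha256:3e9d44b0",
}

# Earliest evidence of the intrusion found so far; dwell time before that is unknown.
FIRST_EVIDENCE = ts("2025-10-05T09:00:00")

# Constructed snapshots, each with a manifest of path -> hash.
SNAPSHOTS = [
    {"id": "snap-004", "created": ts("2025-10-07T02:00:00"), "manifest": {
        "/root/.ssh/authorized_keys": "sha256:7a0c5e21", "/etc/crontab": "sha256:3e9d44b0"}},
    {"id": "snap-003", "created": ts("2025-10-04T02:00:00"), "manifest": {
        "/root/.ssh/authorized_keys": "sha256:7a0c5e21", "/etc/crontab": "sha256:3e9d44b0",
        "/etc/cron.d/backup": "sha256:4f1a9c02"}},
    {"id": "snap-002", "created": ts("2025-10-03T02:00:00"), "manifest": {
        "/root/.ssh/authorized_keys": "sha256:c0ffee00", "/etc/crontab": "sha256:3e9d44b0"}},
    {"id": "snap-001", "created": ts("2025-10-01T02:00:00"), "manifest": {
        "/root/.ssh/authorized_keys": "sha256:7a0c5e21", "/etc/crontab": "sha256:3e9d44b0"}},
]


def scan_manifest(manifest):
    """Return findings for known artefacts and persistence files that differ from golden."""
    findings = []
    for path, digest in manifest.items():
        if digest in IOC_HASHES:
            findings.append(f"{path}: known artefact ({IOC_HASHES[digest]})")
        elif path in GOLDEN and digest != GOLDEN[path]:
            findings.append(f"{path}: differs from known-good copy")
    return findings


def vet_restore_points(snapshots, first_evidence, margin=timedelta(hours=24)):
    """Classify every snapshot, newest first, as 'clean' or 'rejected' with reasons.

    Snapshots created after the cutoff are rejected without scanning; the ones
    before it are still scanned, because the first evidence is only a lower
    bound on how long the attacker had access.
    """
    cutoff = first_evidence - margin
    report = []
    for snap in sorted(snapshots, key=lambda s: s["created"], reverse=True):
        if snap["created"] >= cutoff:
            report.append((snap["id"], "rejected", [f"created after cutoff {cutoff.isoformat()}"]))
            continue
        findings = scan_manifest(snap["manifest"])
        report.append((snap["id"], "rejected" if findings else "clean", findings))
    return report


def choose_restore_point(snapshots, first_evidence, margin=timedelta(hours=24)):
    """Newest snapshot that passed every check, or None if no clean restore point exists."""
    for snap_id, status, _ in vet_restore_points(snapshots, first_evidence, margin):
        if status == "clean":
            return snap_id
    return None


if __name__ == "__main__":
    for snap_id, status, findings in vet_restore_points(SNAPSHOTS, FIRST_EVIDENCE):
        print(snap_id, status, findings)
    print("restore from:", choose_restore_point(SNAPSHOTS, FIRST_EVIDENCE))
```

With the constructed data the newest snapshot is rejected on date alone, the next one carries the cron dropper, the one after it has a modified authorized_keys file even though it predates the first evidence, and only the oldest snapshot is selected. That middle case is the point: restoring the most recent pre-detection backup would have restored the attacker's SSH access along with the service.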

Time to analyse

Cloud migration or the native development of cloud services demands a redefinition of incident response strategies, prioritising the cloud’s dynamics of sharing, automation, and scalability, all of which require specific DFIR capabilities at every stage.

The main takeaway is that companies migrating to the cloud must prioritise secure-by-design mechanisms to avoid structural vulnerabilities and weaknesses in incident management. For cloud-native companies, demonstrating a high level of maturity in incident management becomes a true competitive advantage.

A robust incident response plan not only reduces the operational and financial impact of a breach but also strengthens customer, partner, and regulator trust in the company’s digital resilience.
