Sysdig introduces new benchmark for cloud detection and response

Sysdig’s 5/5/5 Benchmark emphasises the need to detect, triage, and respond to attacks at cloud speed

Leaders in cloud security Sysdig have released the 5/5/5 Benchmark for Cloud Detection and Response, a new framework that outlines how quickly organisations should detect, triage, and respond to attacks in the cloud.

Operating securely in the cloud requires a mindset shift in regard to time, and with that, cloud security programs need to hold themselves to a modernised benchmark: five seconds to detect, five minutes to correlate insights and understand what’s happening, and five additional minutes to respond. Recent findings by the Sysdig Threat Research Team published in the 2023 Global Cloud Threat Report note that, after discovering an exploitable target, malicious actors require less than 10 minutes to execute an attack.

“People are always looking for security metrics, especially when the industry evolves into new operating models. We have plenty of ‘best practices,’ but no real way to quantify cloud security agility — until now,” said Anna Belak, Director, Office of Cybersecurity Strategy at Sysdig. “The 5/5/5 Benchmark, built in partnership with our customers, industry analysts, and the Sysdig Threat Research Team, sets a new standard for operating securely in the cloud.”

Cloud attacks are swift and sophisticated, requiring robust threat detection and response programs that move at the speed of the cloud. On-premises attacks take 16 days on average and antiquated frameworks challenge security teams to respond to a breach within 60 minutes, which is simply insufficient for the cloud. Bad actors are exploiting the automation and scale of the cloud, along with new techniques, to accelerate all stages of an attack and inflict damage within minutes. The 5/5/5 Benchmark guides organizations to detect and respond to cloud attacks faster than adversaries can complete them.


The Challenge


  • Detect threats within five seconds. Organisations should be able to gather detection signals from their cloud security tools in real time to ensure visibility into ephemeral assets.
  • Correlate and triage within five minutes. Teams should be able to gather full context for all correlated signals within five minutes of receiving the first relevant alert.
  • Initiate a response within five minutes. Organisations should be able to initiate a tactical response within five minutes of confirming that an attack is in progress.

“As organisations move to the cloud, traditional on-premises security standards become outdated and too slow. In the cloud, both innovation and attacks happen quickly – companies need security tools, processes, and standards designed to operate at the speed of cloud-native environments,” said Phil Bues, Research Manager for IDC Cloud Security.

Download the 5/5/5 Benchmark for Cloud Detection and Response.