Almost every security incident ends with "there were signs, but no one saw them." SSH brute force attempts were logged for days but no one watched those logs. Credit card numbers sat unencrypted in S3 but no one opened that bucket. An unpatched EC2 instance carried a known CVE for six months but no one scanned. The essence of a breach is "the time it was detectable but not detected." The security industry measures this with one metric: MTTD (Mean Time To Detect), average detection time. IBM's 2023 Data Breach Cost Report found that identifying and containing breaches took an average of 277 days. Attackers had nine months inside.