The Articulation Gap Is Closing — And Most Cloud Security Teams Aren't Ready
There’s a window closing in cloud security right now, and most organisations don’t know it exists.
Daniel Miessler calls it the Articulation Gap — the distance between what security experts know and what’s been documented.[1] Right now, the majority of cloud incident response expertise sits locked inside the heads of a small number of practitioners. It hasn’t been translated into detection libraries, response playbooks, or policy-as-code. It’s tacit knowledge.
That’s about to change.
Every time an expert documents a detection pattern, writes a containment playbook, or publishes a response procedure, that knowledge gets absorbed into the tools and platforms used by everyone else — permanently. Miessler calls it a ratchet. It only turns one way.
Commodity tooling is racing to capture this expertise. The SIEM vendors, the cloud security platforms, the managed detection providers — all of them are translating what practitioners know into their products. When they succeed, the expertise advantage disappears.
Mandiant’s M-Trends 2026 report puts a number on what this gap costs in the real world: 14-day global median dwell time — 26 days if you’re relying on an external party to tell you you’ve been compromised.[2] In cloud environments, 59% of compromises result in data theft. The gap between what attackers can do and what organisations can detect isn’t a tooling problem. It’s an articulation problem.
At AWS, we’ve spent years translating frontline incident response experience into documented detections, pre-authorised response procedures, and policy baselines that make authorisation decisions machine-enforceable and auditable. That’s the expertise ratchet working in your favour instead of against you.
The window is narrowing. The ratchet is turning.
[1] Daniel Miessler — Exactly Why and How AI Will Replace Knowledge Work
[2] Mandiant M-Trends 2026 — Special Report, based on 500,000+ hours of frontline incident response engagements, 2025 data