
The hidden risks in modern web infrastructure

Written by CDS Marketing | 85 March 2026

In August 2021, an attacker gained unauthorised access to the UK Electoral Commission's systems. Nobody knew. Not for a week. Not for a month. For over a year, the attacker had free rein across systems holding the electoral register data of millions of UK voters, until the breach was finally discovered in October 2022. By then, the question wasn't whether sensitive data had been exposed. It was how much, and for how long.

That more than twelve months passed before anyone noticed is not an anomaly. It is a symptom of a problem that runs through the infrastructure of organisations large and small: the gap between what security teams believe they can see, and what is actually happening across their environment.

This is what makes modern infrastructure risk so dangerous. The threat landscape has fundamentally changed. Hybrid work is the norm, cloud adoption has accelerated beyond what most security strategies anticipated, and the attack surface your organisation needs to defend looks nothing like it did five years ago. Yet many IT and security teams are still operating with tools and architectures that weren't built to provide visibility across all of it. Attackers know this. They find the dark corners - the unmonitored traffic flows, the legacy systems nobody looks at anymore, the third-party connections that fell outside the scope of the last security review. And they wait.

The organisations that get caught aren't always the ones that were complacent. They're often the ones that simply couldn't see what they didn't know to look for. This post is about changing that.

The infrastructure you're running wasn't built for the world you're operating in

Cast your mind back to how enterprise IT looked a decade ago. Applications on-premise. Users in the office. A defined network perimeter with clear boundaries. Security was, relatively speaking, a known quantity — protect the edge, monitor what crosses it, respond accordingly.

That world is gone. What replaced it is something far more complex: a distributed tangle of multi-cloud deployments, SaaS platforms, hybrid workforces, third-party APIs, and legacy systems that were never designed to coexist with any of it. The modern enterprise IT environment doesn't have an edge anymore. It has dozens of them, each one a potential point of failure.

The problem isn't that security teams aren't aware of this shift in theory. Most are. The problem is that the tools and architectures many organisations are still relying on were built for the old model. They've been patched, extended, and bolted together to accommodate the new reality — but patching a model that was never designed for your current environment is not the same as having a model that works.

The gap between those two things is where hidden risk lives.

What "hidden" actually means

When we talk about hidden risks in web infrastructure, we're not talking about obscure zero-day vulnerabilities that only nation-state actors know about. We're talking about structural problems that are hiding in plain sight, often because no single team has full visibility across the environment to see them.

Consider a few scenarios that are far more common than most organisations would like to admit.

The integration gap: Your WAF is configured by one team. Your DDoS mitigation sits with another. Your remote access controls were set up during the pandemic and haven't been reviewed since. Each individual control looks fine in isolation. But between them, there are routing paths, edge cases, and traffic types that none of those tools were specifically configured to handle. Attackers don't respect organisational boundaries. Your security stack shouldn't either.

The third-party blind spot: In April 2025, Marks & Spencer suffered one of the costliest cyberattacks in UK retail history, estimated at over £400 million in losses. Attackers didn't breach M&S directly. They compromised a trusted third-party IT supplier, used social engineering to obtain credentials, and moved laterally through systems that M&S had no direct visibility into. The gap wasn't inside the perimeter. It was in the connection between M&S's environment and a vendor they trusted implicitly. For organisations managing complex supplier ecosystems, this is one of the most underestimated risks in modern web infrastructure.

The legacy exposure problem: Modernisation projects rarely replace everything. They layer new infrastructure on top of old, because ripping out legacy systems entirely is expensive, disruptive, and carries its own risk. The result is that critical data or traffic flows often still pass through systems that were architected before modern threat vectors existed. Nobody thinks of these systems as a risk because they've always been there. That familiarity is precisely what makes them dangerous.

The cloud visibility deficit: According to Cloudflare research, organisations increasingly require secure connectivity across on-premise networks, cloud deployments, SaaS applications, and the public internet simultaneously. But visibility tools haven't kept pace with the environments they're supposed to monitor. Many organisations have excellent visibility into their on-premise environment and significantly less visibility into what's happening at their cloud boundaries, in their SaaS traffic, or across their remote access infrastructure. What you can't see, you can't protect.

The vendor sprawl problem: The average enterprise IT environment now involves dozens of security and networking vendors. Each one promises integration. In reality, many of these so-called integrated platforms run different services on entirely separate infrastructure, requiring manual configuration and ongoing maintenance to function together. Every manual integration is a potential point of misconfiguration. Every misconfiguration is a potential exposure.

Why smart, well-funded teams still get caught out

It would be convenient to frame this as a resourcing problem. If only organisations had bigger budgets, better tools, more headcount. But the evidence doesn't support that narrative.

The organisations that experience serious infrastructure-related incidents aren't typically the ones with small budgets and understaffed teams. They're often large, sophisticated enterprises with mature security functions, significant vendor relationships, and experienced leadership. What they share is not a lack of investment. It's a structural problem with the architecture they've invested in.

More tools don't reduce complexity. In most cases, they increase it. More integration points mean more potential failure modes. More vendors mean more inconsistency in policy enforcement, more alert noise, and more time spent on maintenance rather than on detection and response.

The organisations that are genuinely getting ahead of web infrastructure risk are doing something different. They're not adding to the stack. They're consolidating it, fundamentally rethinking how security and connectivity are delivered across their environment, and moving toward architectures where visibility, policy enforcement, and threat intelligence are unified rather than fragmented.

The metrics that should concern you

If you want a quick indicator of whether your organisation has a hidden infrastructure risk problem, look at these numbers honestly.

How long does it take your team to detect and respond to a security incident? If it's measured in hours rather than minutes, your architecture is working against you. Organisations that have moved to genuinely integrated security platforms are seeing response times improve by up to 75%, not because their people got better, but because the tools stopped getting in the way.

What is your total cost of ownership for security and network infrastructure, and is it going up or down relative to the control you have? Rising costs without rising capability is a reliable sign that complexity is compounding. Organisations consolidating onto unified platforms are reporting TCO reductions of 50% or more, while simultaneously improving their security posture.

How long does it take to extend your security controls to a new cloud environment, a new acquisition, or a new remote workforce? If the answer is weeks or months, the architecture can't keep pace with the business. That lag is not an operational inconvenience. It's a window of exposure every time it happens.

What to actually do about it

Identifying the problem is one thing. Here is where to focus if you want to make meaningful progress.

Start with an honest map of your integration dependencies

Most organisations don't have a clear, current picture of how their security and networking tools connect to each other, where those connections are manual, and what happens when one fails. Before you can consolidate or simplify, you need to know what you're actually working with. This isn't glamorous work, but it's foundational.

Audit your visibility gaps, not just your tool coverage

There's an important distinction between having a tool that nominally covers a domain and actually having visibility into it. Walk through your cloud boundaries, your remote access traffic, your SaaS usage, and your third-party API connections and ask honestly: if something were happening here right now, would we know? The answer will tell you more than any vendor assessment.

Prioritise architectural consolidation over point solution upgrades

When the next renewal cycle comes around, resist the instinct to simply upgrade existing tools. Ask instead whether the function that tool serves could be delivered as part of a more unified platform. The goal is fewer integration points, not better ones. Every time you consolidate a capability onto shared infrastructure, you remove a potential blind spot and reduce the maintenance burden on your team.

Make response time a first-class metric

Detection capability gets a lot of attention. Response time gets less, despite being arguably more operationally important. If your team can't move quickly when something is detected, the detection itself has limited value. Measure how long it actually takes to respond to incidents in your current architecture and use that as a baseline for evaluating any changes you make.

Don't wait for a transformation programme to address your highest-risk exposures

Large-scale consolidation takes time, and that's a reasonable reality. But most environments have specific, identifiable points of elevated risk that can be addressed independently, without waiting for a full architectural overhaul. Find them and deal with them now, even if the broader programme is still in planning.

The question worth asking before something forces you to

Most infrastructure risk audits happen reactively. A near-miss, a regulatory requirement, a change in leadership, or in the worst cases, an actual incident. The organisations that are best positioned right now are the ones that asked the hard questions before any of those triggers arrived.

Where does our visibility actually end? Where are our integration dependencies, and what happens if one of them fails or is compromised? Are our security controls genuinely consistent across every environment we operate in, or do we have dark corners we're simply not looking at?

These aren't comfortable questions. But they're considerably more comfortable than the alternative.

Want to go deeper?

We've curated two resources, produced in partnership with Cloudflare, that address these challenges head on. The first examines how platform consolidation actually works in practice, and why so many consolidation projects fall short of their goals. The second makes the case for a fundamentally different approach to connecting and securing the modern IT environment.

 Download: Driving Down IT Stack Complexity → 


 Download: The Connectivity Cloud — A Way to Take Back IT and Security Control → 

 

CDS is Cloudflare's first authorised service delivery partner in EMEA. We work with organisations operating in critical environments, the kind where a security failure doesn't just cost money, it makes headlines. From implementation and migration to ongoing management, we help IT and security leaders get the full value of Cloudflare's platform without the complexity of going it alone. If your infrastructure can't afford to get it wrong, let's talk.

 
