In a Security Operations Centre, detection is measured by what happens after an alert appears on a screen. Many organisations now have tools that identify suspicious activity across endpoints, email, identity, networks, cloud platforms and applications. Those tools are necessary, but detection is not containment, and an alert sitting in a queue does not reduce risk. A security tool can show that a login looks unusual, a file has moved unexpectedly, a mailbox rule has changed, or an endpoint is behaving differently. It cannot decide whether the activity is a false positive, a policy issue, early compromise, or a confirmed incident.