In cybersecurity, the incident that makes headlines is usually the one that succeeds. The ransomware spreads, the systems go down, the data leaks, and the postmortem begins. But some of the most important warnings arrive earlier, in quieter form. A phishing payload slips through but gets stopped on execution. A compromised credential is detected before it reaches the crown jewels. A vulnerable OT asset is found before it becomes a point of disruption.

These moments are often treated as relief points. They should be treated as evidence. A near miss does not prove the system worked perfectly. It proves the system came close enough to failure to deserve serious scrutiny.

The clean-up is not the lesson

Ashwini Pandey, Group CISO, Punjab National Bank, makes that distinction starkly. In his view, the difference between a near miss and a full breach is often “only a few seconds.” That is what makes the post-incident response so important. The machine may be cleaned, the alert may be closed, and the organization may move on. But the real question is not whether the damage was contained. It is what allowed the path to open in the first place.

Pandey’s point cuts against a common security instinct: to celebrate the block and overlook the weakness that made the block necessary. If a malicious email bypasses filters, a payload executes, and only the final control stops escalation, that is not a story of complete success. It is a sign that defenses held late, not early. In that sense, the near miss is less about relief than about exposure.

AI can fail without looking broken

That warning becomes sharper in AI-led environments, where the system may continue to run while trust quietly erodes underneath it. Pravin Kumar, CMISO, NPCI, points to a near miss involving a poisoned open-source dependency used in an AI-driven fraud and anti-money-laundering environment. The danger in such cases is not dramatic shutdown. It is a silent compromise. The model appears functional, but begins allowing what it was meant to detect.

The deeper issue, in his telling, is the absence of explainability, governance, and integrated oversight between MLOps and security operations. If the model cannot be explained, it cannot be trusted. If AI dependencies are not governed, the enterprise may inherit invisible risk directly into critical workflows. That makes the near miss in AI environments especially dangerous. The system may not scream when it is failing. It may simply start making the wrong decisions quietly.

In OT, delay itself becomes a vulnerability

Amal Krishna, CISO, ONGC, brings the same theme into operational technology, where the meaning of risk changes again. In OT, the problem is not just that vulnerabilities exist. It is that even known vulnerabilities cannot always be treated with the urgency common in IT. A patch that can be applied immediately in enterprise IT may need to wait weeks in a production environment because uptime, safety, and operational continuity come first.

That delay creates a different kind of near miss. The organization knows the weakness exists, but cannot move with the same freedom to eliminate it. Krishna’s answer is not to force IT logic onto OT, but to redesign the response around OT realities: a dedicated OT SOC, tighter vendor access, one-way movement controls, stricter playbooks, and compensating measures that assume the exposure may remain longer than anyone would like.

The real maturity test is what happens after the almost

Taken together, these perspectives reveal something important. The mature organization is not the one that only counts breaches. It is the one that studies the almost-breach with equal seriousness. A near miss is not a smaller story. In many ways, it is the most useful one. It arrives before the disaster, while there is still time to rethink assumptions, redesign controls, and close the gap properly.

That is why the real test of cyber resilience may not be whether an attack was blocked. It may be whether the organization learned enough from the near miss to ensure that next time, it never gets that close at all.

Disclaimer: The views expressed are solely those of the speakers and have been taken from the ETCISO Secufest 2026. ETCISO does not necessarily subscribe to them.

(With inputs from Swati Sengupta).

Join the community of 2M+ industry professionals.

Subscribe to Newsletter to get latest insights & analysis in your inbox.

All about ETCISO industry right on your smartphone!