It is often witnessed that cyber incidents snowball into sensational and dramatic events with massive breaches, systems and sites becoming inoperable, resulting in sudden consumer inconvenience or damage. Large-scale events where millions of account details are stolen, reams of confidential information leaked online, IP stolen and systems damaged are usually under the lens. However, the sudden nature of this chaos is misleading. Most of these attacks started weeks or months before, when the cyber criminals found their entry point and patiently started to explore, locate valuable assets and make their plans. Furthermore, cyber incidents will not be a one-off, no matter how complex or simple, targeted or accidental they may seem. The early subtle signs and the cumulative impact of repeated attacks must be understood and factored into an organization’s planning and risk appetite.