

Ethical Hacking News

The Unseen Threats Lurking in the Shadows of Enterprise Security: A Deep Dive into 25 Million Security Alerts



A new analysis of 25 million security alerts has revealed a startling pattern: nearly one breach per week goes undetected due to low-severity or informational alerts being deprioritized. To combat this, organizations must adopt a full-coverage investigation approach that includes forensic-grade analysis of all alerts regardless of severity.

  • The "1% problem": nearly 1% of confirmed incidents originated from alerts first classified as low-severity or informational, which at enterprise alert volumes amounts to roughly one breach per week.
  • EDR tools report clean on machines that are not clean: nearly 50% of confirmed endpoint compromises had already been marked "mitigated" by the EDR, and only memory-level forensics revealed the true state of the machine.
  • Severity-based triage creates predictable gaps that attackers exploit, so the triage approach itself has to change.
  • Full-coverage investigation, in which every alert receives forensic-grade analysis regardless of severity, uncovers these hidden threats and feeds rule tuning, but requires significant changes to how operations teams work.


    The threat landscape is constantly evolving, and organizations face an overwhelming number of security alerts clamoring for attention. A comprehensive analysis of 25 million security alerts has shed new light on how threats slip through, revealing that nearly 1% of confirmed incidents originated from low-severity or informational alerts.

    According to the findings, compiled from 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations, 180 million analyzed files, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails, threat actors are exploiting predictable gaps created by constrained, severity-based security operations. By systematically targeting those gaps, attackers have stayed one step ahead of defenders.

    The 1% problem that adds up to one missed breach per week

    In this analysis, it was discovered that nearly 1% of confirmed incidents originated from alerts initially classified as low-severity or informational. On endpoints specifically, this figure climbed to nearly 2%. At an enterprise scale, these percentages are not mere noise but rather a significant indicator of the threat landscape. The average organization generates approximately 450,000 alerts per year, with one percent of that equating to roughly 54 real threats annually - about one breach per week.

    These breaches were not theoretical risks on an attacker's wishlist; they were real compromises hiding in plain sight within the category of alerts that operations teams have been trained to deprioritize. That nearly 50% of confirmed endpoint compromises detected through forensic analysis had already been marked as "mitigated" by the source EDR vendor exposes a critical blind spot in programs that treat an EDR verdict as closure.

    EDR "mitigated" does not mean clean

    The Endpoint Detection and Response (EDR) tools most organizations rely on as their safety net are reporting clean on machines that are not clean. In over half of confirmed endpoint compromises, the EDR had closed the ticket and declared the threat resolved; only memory-level forensics revealed the true state of the compromised machine.

    Offensive tooling and malware such as Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer were found running in memory during these scans. These are not obscure proof-of-concept tools but the workhorses of active criminal and nation-state operations. EDR identifies and blocks many threats, but it does not catch every intrusion, and a "mitigated" verdict should not be read as proof that the endpoint is clean.

    A change in approach is needed

    The dataset behind these findings includes 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations including live memory scans, 180 million files analyzed, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails. These numbers underscore the complexity of the threat landscape and highlight the need for a more comprehensive security approach.

    In an effort to address this issue, Intezer AI SOC was used to triage and investigate the alerts in question, with less than 2% of alerts escalated to human analysts, 98% verdict accuracy, and sub-minute median triage time across the full volume. The effects of full-coverage investigation are measurable.

    When every alert receives forensic-grade analysis regardless of severity, triage outcomes are grounded in evidence rather than assumptions about what low-severity labels mean. Early-stage threats that produce only weak initial signals get surfaced before they progress. Detection engineering also benefits directly because every investigation generates feedback that can be looped back into rule tuning at the source.

    A shift in where human analysts spend their time becomes apparent when full-coverage investigation is implemented. Escalations become less frequent and higher confidence, which means analysts engage at the point of decision rather than spending capacity on discovery and initial classification. For the broader organization, this translates into a security posture that improves continuously rather than one that holds steady while the threat landscape moves around it.
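    To make the contrast above concrete, here is an added example (not code from the report, from Intezer, or from the article) that models both triage policies over a constructed alert queue: severity gating closes anything below a threshold or anything the EDR already marked "mitigated", while full coverage sends every alert to the evidence check and feeds low-rated rules that produced real incidents back to detection engineering. Alert ids, rule names and memory-scan findings are assumed sample values.

```python
from collections import Counter
from dataclasses import dataclass

SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Alert:
    alert_id: str
    rule: str         # detection rule that fired
    severity: str     # label the source tool attached to the alert
    edr_status: str   # "mitigated" or "open", as reported by the EDR
    memory_iocs: int  # constructed stand-in for what a live memory scan finds

def gated_skip_reason(alert, min_severity):
    """Severity-gated triage: why a conventional queue closes this alert
    without forensic analysis, or None if it would be investigated."""
    if SEVERITY_RANK[alert.severity] < SEVERITY_RANK[min_severity]:
        return "below_severity_gate"
    if alert.edr_status == "mitigated":
        return "trusted_edr_mitigated"
    return None

def compare_policies(alerts, min_severity="medium"):
    """Full coverage checks every alert; gating checks only what survives the gate."""
    confirmed = [a for a in alerts if a.memory_iocs > 0]  # what full coverage finds
    missed, retune = Counter(), Counter()
    for a in confirmed:
        reason = gated_skip_reason(a, min_severity)
        if reason:
            missed[reason] += 1
        if SEVERITY_RANK[a.severity] < SEVERITY_RANK[min_severity]:
            retune[a.rule] += 1  # low-rated rule that produced a real incident
    return {
        "confirmed": len(confirmed),
        "caught_by_gating": len(confirmed) - sum(missed.values()),
        "missed": dict(missed),
        "retune_candidates": dict(retune),
    }

# Constructed sample queue: ids, rules and findings are made up for illustration.
SAMPLE_ALERTS = [
    Alert("a1", "lsass-access", "low", "open", 1),
    Alert("a2", "ps-encoded-cmd", "informational", "open", 0),
    Alert("a3", "suspicious-dll-load", "high", "mitigated", 1),
    Alert("a4", "credential-dump", "critical", "open", 1),
    Alert("a5", "lsass-access", "low", "mitigated", 1),
    Alert("a6", "new-sched-task", "medium", "open", 0),
    Alert("a7", "beacon-like-dns", "low", "open", 1),
    Alert("a8", "port-scan", "high", "open", 0),
]
```

    Running `compare_policies(SAMPLE_ALERTS)` shows the gated queue catching one of five confirmed incidents, with the rest lost to the severity gate or to trusting the EDR's "mitigated" status, and lists the low-rated rules worth re-rating at the source.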

    Conclusion

    The findings from the analysis of 25 million security alerts paint a sobering picture of the threat landscape. Threat actors are systematically exploiting predictable gaps created by constrained, severity-based security operations. A change in approach is needed, focusing on full-coverage investigation to uncover these hidden threats and improve the overall security posture of organizations.

    By adopting a more comprehensive security strategy that includes investigating all alerts regardless of severity, organizations can move from reacting to breaches to proactively securing their digital assets. This shift in approach requires significant changes but offers the potential for substantial improvements in an ever-evolving threat landscape.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-Unseen-Threats-Lurking-in-the-Shadows-of-Enterprise-Security-A-Deep-Dive-into-25-Million-Security-Alerts-ehn.shtml

  • https://thehackernews.com/2026/05/one-missed-threat-per-week-what-25m.html


  • Published: Fri May 8 06:44:34 2026 by llama3.2 3B Q4_K_M