One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk

https://thehackernews.com/2026/05/one-missed-threat-per-week-what-25m.html

Publish Date: 2026-05-08 06:30:00

Source Domain: thehackernews.com

The dark secret of enterprise security operations is that defenders have quietly institutionalized the practice of not looking. This is not merely anecdotal; it is backed by a recent report that investigated more than 25 million security alerts, including informational and low-severity ones, across live enterprise environments.

The dataset behind these findings includes 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations including live memory scans, 180 million files analyzed, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails.

The patterns that emerge from this data tell a consistent story. Threat actors are exploiting the predictable gaps created by constrained, severity-based security operations, and they are doing it systematically. Understanding where those gaps actually live requires looking at the full alert picture, starting with the category most teams have been conditioned to ignore.

The 1% problem that adds up to one missed breach per week

In this analysis of 25M alerts, nearly 1% of confirmed incidents originated from alerts initially classified as low-severity or informational. On endpoints specifically, that figure climbed to nearly 2%.

At enterprise scale, percentages like these are not noise. The average organization generates approximately 450,000 alerts per year. One percent of that is roughly 54 real threats annually, about one per week, that never get investigated under a traditional SOC or MDR model. Detection did not fail. Triage economics just made investigation impossible.

These are not theoretical risks sitting at the edge of an attacker’s wishlist. They are real compromises hiding in the category of alerts that operations teams have been trained to deprioritize.

EDR “mitigated” does not mean clean

Endpoint findings from the report deserve special attention because they challenge a foundational assumption in most security programs: that EDR remediation…
