One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk
Enterprise Security Misses One Real Threat Per Week Due to Low-Severity Alert Neglect
TL;DR
Analysis of 25 million security alerts across live enterprise environments found that nearly 1% of confirmed incidents originated from alerts initially classified as low-severity or informational—translating to approximately 54 real threats per year, or one per week, that go uninvestigated under traditional SOC and MDR models. On endpoints alone, the figure climbed to 2%, and 51% of confirmed endpoint compromises had already been marked "mitigated" by their source EDR vendors despite active malware infections detected in memory.
What happened
A dataset spanning 25 million security alerts, 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations with live memory scans, and telemetry from over 550,000 phishing emails revealed systematic gaps in how enterprise security operations prioritize alert investigation.
The core finding: nearly 1% of confirmed incidents originated from alerts initially classified as low-severity or informational. At enterprise scale, the average organization generates approximately 450,000 alerts per year, meaning roughly 54 real threats annually—about one per week—never receive investigation under severity-based triage models used by traditional SOCs and MDR providers.
When forensic-grade memory analysis was applied to 82,000 endpoint alerts, 2,600 contained active infections. Of those confirmed compromised endpoints, 51% had already been marked "mitigated" by their source EDR vendor. The malware families found running in active memory during scans included Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer—operational tools used by criminal and nation-state operators, not proof-of-concept exploits.
The report also documented a shift in phishing methodology. Less than 6% of confirmed malicious phishing emails contained attachments; most relied on links and social engineering. Attackers have migrated infrastructure onto trusted platforms including Vercel, CodePen, OneDrive, and PayPal's invoicing system. One documented campaign leveraged PayPal's legitimate payment request infrastructure to send threat emails, embedding callback numbers in payment notes and using Unicode homoglyphs to defeat signature-based detection.
Four new email gateway bypass techniques were identified: Base64 payloads hidden in SVG files, links embedded in PDF annotation metadata, dynamically loaded phishing pages served through OneDrive shares, and DOCX files concealing archived HTML content containing QR codes.
Cloud telemetry showed a pronounced concentration around defense evasion and persistence tactics rather than high-impact behaviors like lateral movement or privilege escalation. AWS S3 accounted for roughly 70% of all cloud control violations, with the most common issues centered on access management, server logging, and cross-account restrictions—findings that rarely trigger alerts and are often classified as low-severity despite repeated exploitation.
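The three S3 control areas named above can be audited offline from configuration snapshots. The Python below is an added example, not code from the report; it takes per-bucket dicts shaped like the boto3 get_public_access_block, get_bucket_logging and get_bucket_policy responses, and treats an incomplete public access block, disabled server access logging, and an unconditional Allow to a foreign account or to anonymous principals as findings (that reading of "cross-account restrictions" is the author's assumption). Bucket names, account ids and the organisation id are placeholders, and the weak and hardened configurations are constructed.

```python
"""Offline audit of the three S3 control areas called out in the report: public
access management, server access logging, and cross-account grants. Added example;
the input dict mirrors the boto3 response shapes and every value is constructed."""
import json
import re

PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")
_ARN_ACCOUNT = re.compile(r"^arn:aws:iam::(\d{12}):")


def principal_accounts(principal) -> list[str]:
    """Normalise a policy Principal into account ids, with '*' for anonymous access."""
    if principal == "*":
        return ["*"]
    values = principal.get("AWS", []) if isinstance(principal, dict) else []
    if isinstance(values, str):
        values = [values]
    accounts = []
    for value in values:
        if value == "*":
            accounts.append("*")
        elif re.fullmatch(r"\d{12}", value):
            accounts.append(value)
        else:
            m = _ARN_ACCOUNT.match(value)
            if m:
                accounts.append(m.group(1))
    return accounts


def audit_bucket(name: str, cfg: dict, own_account: str) -> list[str]:
    """Return one finding per control violation; an empty list means all checks pass."""
    findings = []
    # 1. access management: all four public-access-block flags must be on
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    missing = [k for k in PAB_KEYS if not pab.get(k)]
    if missing:
        findings.append(f"{name}: public access block incomplete ({', '.join(missing)})")
    # 2. server access logging must deliver to a target bucket
    if not cfg.get("LoggingEnabled", {}).get("TargetBucket"):
        findings.append(f"{name}: server access logging disabled")
    # 3. cross-account restrictions: Allow statements to other accounts need a Condition
    policy = json.loads(cfg["Policy"]) if cfg.get("Policy") else {}
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        for account in principal_accounts(stmt.get("Principal", {})):
            if account == "*":
                findings.append(f"{name}: statement {sid} allows anonymous principals")
            elif account != own_account and "Condition" not in stmt:
                findings.append(f"{name}: statement {sid} grants account {account} without a Condition")
    return findings


# ---- constructed configurations (placeholder ids and names) ---------------
OWN_ACCOUNT = "111111111111"
PARTNER_ACCOUNT = "999999999999"

WEAK_BUCKET = {
    "PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                       "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    # no LoggingEnabled key: server access logging is off
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
        {"Sid": "Anyone", "Effect": "Allow", "Principal": "*",
         "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-bucket"}]}),
}

HARDENED_BUCKET = {
    "PublicAccessBlockConfiguration": {k: True for k in PAB_KEYS},
    "LoggingEnabled": {"TargetBucket": "example-bucket-logs", "TargetPrefix": "s3/"},
    "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
        {"Sid": "PartnerRead", "Effect": "Allow",
         "Principal": {"AWS": f"arn:aws:iam::{PARTNER_ACCOUNT}:root"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*",
         # scope the cross-account grant; o-placeholder stands in for a real org id
         "Condition": {"StringEquals": {"aws:PrincipalOrgID": "o-placeholder"}}}]}),
}

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(label, audit_bucket("example-bucket", cfg, OWN_ACCOUNT) or ["clean"])
```

Run against live accounts, the same function can be fed from the three boto3 calls named above per bucket; the point of keeping it a pure function over dicts is that the findings can be stored and diffed run to run, which is what turns a low-severity configuration drift into a tracked item rather than an alert that is closed on sight.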
Why it matters
For developers and infrastructure engineers, this research documents a critical capacity problem: severity-based triage is mathematically insufficient to cover modern alert volumes. The operational constraint is not detection quality but analyst bandwidth. Approximately 60% of alerts go unreviewed in both in-house SOCs and outsourced MDR services due to human capacity limits.
For SOC analysts and threat hunters, the findings highlight a broken feedback loop. When low-severity alerts are never investigated, missed threats never surface. Detection rules that fail to catch real attacks never get corrected. The system does not self-improve because the inputs required for improvement are never examined.
For security architects, the data presents a case for rethinking triage economics entirely. The traditional model—automate most closures, investigate only critical alerts, trust severity labels—fails at scale when attackers deliberately stage attacks to produce weak initial signals and exploit the predictable gaps in coverage.
The specific finding about EDR "mitigation" claims is operationally significant: half of all confirmed endpoint compromises had been declared clean by their EDR vendor. Without memory-level forensic validation, those infections remain invisible.
Affected systems and CVEs
- EDR vendors (unspecified in report)
- Email gateways
- SOC platforms
- MDR services
- AWS S3
- Vercel
- CodePen
- OneDrive
- PayPal invoicing system
- Cloudflare Turnstile
- Google reCAPTCHA
No CVE assigned at the time of publication.
What to do
- Implement alert investigation coverage independent of severity classification; investigate all alerts rather than filtering by initial risk labels
- Conduct forensic-grade analysis at scale to supplement and validate traditional EDR detection claims, particularly live memory scans on flagged endpoints
- Audit AWS S3 access management, server logging configuration, and cross-account restriction policies; prioritize remediation of misconfigured buckets regardless of alert severity
- Deploy alternative email security approaches designed to catch phishing hosted on trusted platforms (Vercel, CodePen, OneDrive, PayPal, etc.)
- Implement additional scanning methods for emails using obfuscation techniques: Base64 in SVG files, links in PDF metadata, QR codes in archived HTML within DOCX files
- Use memory-level forensics to validate EDR remediation decisions before closing incident tickets
- Loop investigation findings back into detection engineering to improve rule tuning and reduce false negatives
- Consider AI-assisted SOC capabilities to increase alert analysis coverage beyond human analyst capacity constraints
Open questions
- Which specific EDR vendors failed to detect active infections on 51% of confirmed compromises? The report does not disclose vendor names.
- Which organization(s) provided the 25 million alert dataset, and over what time period were alerts collected?
- What is the geographic scope of the monitored environments, and does the 1% figure apply uniformly across enterprise types and sizes?
- Do the 54 annual missed threats per organization represent confirmed breaches that progressed to damage, or intrusions that were thwarted at later stages?
- What specific detection rules or methods used by source EDR vendors failed to identify the active malware infections?
- Which nation-states or criminal organizations were behind the observed attacks?
Source
One Missed Threat Per Week: What 25M Alerts Reveal About Low-Severity Risk