
Low-Severity Alerts Expose Hidden Threats in Enterprise Security


Nearly 1% of confirmed incidents in a 25‑million‑alert dataset originated from alerts initially classified as low‑severity or informational, a gap that scales to about one missed breach per week for a typical enterprise.

Low‑severity and informational alerts: a small percentage, big consequence

The report examined more than 25 million alerts across live enterprise environments, drawing on telemetry from 10 million monitored endpoints and identities, 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails. At scale, what looks like a fraction is not benign noise: the average organization generates roughly 450,000 alerts per year, and 1% of that volume equals roughly 54 real threats annually — about one per week — that go unexplored under traditional SOC or MDR triage models. On endpoints specifically, the share of confirmed incidents that began as low‑severity or informational alerts climbed to nearly 2%.

Endpoint forensics: EDR "mitigated" does not mean clean

Endpoint findings in the dataset challenge an operational assumption many security teams hold. Of 82,000 alerts that received live forensic memory scans, 2,600 showed active infections. Crucially, 51% of those confirmed compromised endpoints had already been marked "mitigated" by the source EDR vendor. In other words, more than half of the endpoints found running malware in memory were reported as resolved by the EDR. The malware observed in memory included Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer.

Phishing evolution: PayPal invoices, trusted platforms, CAPTCHAs, and four bypasses

Phishing in the dataset has moved away from loud, attachment‑centric attacks and toward low‑noise, link‑and‑language campaigns hosted on trusted platforms. Less than 6% of confirmed malicious phishing emails contained attachments. Attack infrastructure often sat on services that are trusted by default — Vercel, CodePen, OneDrive — and even PayPal's invoicing system. One documented campaign used PayPal's legitimate payment request flow, embedding callback numbers in payment notes and using Unicode homoglyphs to defeat signature detection; mail passed standard authentication checks because it genuinely originated from PayPal.

  • Cloudflare Turnstile CAPTCHA correlated with a higher likelihood of phishing pages, while Google reCAPTCHA correlated with legitimate infrastructure.
  • Four identified gateway bypass techniques were used at scale: Base64 payloads hidden inside SVG image files; links embedded in PDF annotation metadata invisible to surface scanners; dynamically loaded phishing pages served through OneDrive shares; and DOCX files concealing archived HTML content containing QR codes.
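Three of the four carriers listed above can be checked statically before a message reaches a user. The following is an added example, not code from the report or its authors: it builds constructed sample files (an SVG with a script and a long base64 run, a PDF fragment with a link annotation, and a DOCX-style zip carrying an HTML part) and runs simple detection heuristics over them. Thresholds such as the 40-character base64 run are assumptions and will need tuning against real traffic.

```python
import base64
import io
import re
import zipfile

# Constructed samples standing in for the carriers the article names.
PAYLOAD_B64 = base64.b64encode(b"https://example.test/login/verify?session=1").decode()
SVG_WITH_B64 = (
    '<svg xmlns="http://www.w3.org/2000/svg">'
    f'<script>document.location=atob("{PAYLOAD_B64}")</script></svg>'
)
PDF_WITH_URI = (
    b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link "
    b"/A << /S /URI /URI (https://example.test/verify) >> >> endobj\n%%EOF"
)

def build_docx_with_html() -> bytes:
    """Build a minimal DOCX-like zip that carries an HTML part (constructed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/invoice.htm",
                   "<html><body><img src='qr.png'></body></html>")
    return buf.getvalue()

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # heuristic threshold, assumed
PDF_URI = re.compile(rb"/URI\s*\(([^)]*)\)")

def svg_findings(svg_text: str) -> list[str]:
    """Flag script elements and long base64 runs inside an SVG image."""
    out = []
    if re.search(r"<script\b", svg_text, re.I):
        out.append("svg:script")
    if B64_RUN.search(svg_text):
        out.append("svg:base64-run")
    return out

def pdf_link_targets(pdf_bytes: bytes) -> list[str]:
    """Pull URI targets out of link annotations that surface scanners may skip."""
    return [m.group(1).decode("latin-1") for m in PDF_URI.finditer(pdf_bytes)]

def docx_html_parts(docx_bytes: bytes) -> list[str]:
    """List zip members of a DOCX that carry HTML, by name or by content sniff."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        for name in z.namelist():
            head = z.read(name)[:512].lower()
            if name.lower().endswith((".htm", ".html")) or b"<html" in head:
                hits.append(name)
    return hits
```

Each function returns the indicators it found so the caller can route the message to a full sandbox or forensic check rather than discarding it as low severity.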

Cloud telemetry and AWS S3 misconfigurations: patient attackers, quiet escalation

Cloud alerts concentrated on defense evasion and persistence rather than noisy high‑impact behaviors. Attackers favored long‑term access patterns — token manipulation, abuse of legitimate cloud features, and obfuscation to avoid triggering higher‑severity detections — with the intent to remain present and undetected. Misconfigurations compounded the risk: S3 accounted for roughly 70% of all cloud control violations in the dataset, commonly around access management, server logging, and cross‑account restrictions. Most of these findings were classified as low severity and rarely triggered alerts, yet they materially accelerate adversary capabilities once a foothold exists.
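The three S3 control families named above (access management, server logging, cross-account restrictions) can be evaluated from a bucket's own settings. This added example is not from the report: it uses a constructed, simplified bucket description (the `logging_enabled` and `owner_account` fields and the sample account ids are assumptions) and checks a weak configuration beside its corrected form.

```python
# Constructed sample bucket settings (not from the report): weak and corrected.
WEAK_BUCKET = {
    "name": "finance-exports",
    "owner_account": "111111111111",
    "logging_enabled": False,
    "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::finance-exports/*"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
         "Action": "s3:*", "Resource": "arn:aws:s3:::finance-exports"},
    ]},
}
HARDENED_BUCKET = {
    "name": "finance-exports",
    "owner_account": "111111111111",
    "logging_enabled": True,
    "policy": {"Statement": [
        {"Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::111111111111:role/exporter"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*"},
    ]},
}

def _principal_accounts(principal) -> set[str]:
    """Return the account ids named by a policy Principal ('*' yields {'*'})."""
    if principal == "*":
        return {"*"}
    arns = principal.get("AWS", []) if isinstance(principal, dict) else []
    arns = [arns] if isinstance(arns, str) else arns
    # Account id is the fifth colon-separated field of an IAM ARN.
    return {"*" if a == "*" else a.split(":")[4] for a in arns}

def s3_control_findings(bucket: dict) -> list[str]:
    """Evaluate logging, public access and cross-account grants for one bucket."""
    findings = []
    if not bucket["logging_enabled"]:
        findings.append("server-logging-disabled")
    owner = bucket["owner_account"]
    for stmt in bucket["policy"]["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        accounts = _principal_accounts(stmt.get("Principal", {}))
        if "*" in accounts:
            findings.append("public-access:" + str(stmt["Action"]))
        elif accounts - {owner}:
            findings.append("cross-account:" + ",".join(sorted(accounts - {owner})))
    return findings
```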

What this means for SOCs, MDR providers, and enterprise security leaders

  • SOCs and MDR providers: Human analysts cannot scale with ever‑expanding telemetry. The report notes roughly 60% of alerts still go unreviewed whether handled in‑house or outsourced, forcing aggressive triage that leaves early‑stage compromises invisible.
  • Detection engineers and forensic teams: When low‑severity alerts remain unexplored, the feedback loop that improves detection never closes. Forensic‑grade analysis on all alerts produces direct feedback for rule tuning and detection engineering.
  • Enterprise security leaders and procurement: The dataset shows that tools and labels alone do not eliminate risk; operational design and triage economics determine what gets investigated. Solutions that reduce human escalation while preserving forensic depth can alter where analyst time is spent.

Investigating everything changes the dynamic: the dataset's full‑coverage analysis used Intezer AI SOC to triage and investigate, escalating less than 2% of alerts to human analysts, delivering 98% verdict accuracy and a sub‑minute median triage time across the volume. That model converts low‑severity noise into actionable evidence and produces the corrective feedback detection programs need. The remaining question the data leaves on the table is operational: will organizations accept the costs and architecture changes required to close the triage gap — or will one missed low‑severity alert continue to become one missed breach per week?
