Approximately 60% of security alerts go unreviewed — and, according to an analysis of 25 million alerts, nearly 1% of real threats begin in the low-severity queue where human teams rarely look.
Scale mismatch: alerts, math, and the hidden incidents
Managed detection and response (MDR) was built to fill a staffing gap: provide 24/7 human triage when customers could not. But the model has not kept pace with a changing attack surface. Intezer's analysis of 25 million alerts across global enterprises in 2025 found that nearly 1% of real threats originate in low-severity and informational alerts. The source's example math runs as follows: an enterprise generating 450,000 alerts a year leaves 60% of them, 270,000, uninvestigated; if 2% of those are real incidents (5,400) and 1% of real incidents originate in low-severity alerts, roughly 54 genuine incidents a year sit in the deprioritized queue. The article's blunt question for security leaders: of the 60% of alerts your team isn't reviewing, how confident are you that none are live attacks?
Operational variance and decaying detection
Investigation quality varies with who is on shift, how deep the queue is, and how many analysts are available: a P1 alert at 3 a.m. receives different follow-up than the same alert at 10 a.m. The source describes this variance as inevitable when human teams run around the clock under pressure. The inconsistency contributes to early-stage intrusions being mistaken for routine behavior and to alerts being closed as noise after only a shallow investigation.
Detection engineering often operates as a periodic exercise rather than a continuous feedback loop. In many MDR deployments, rules are tuned reactively — when customers complain or a major CVE appears — while investigation learnings rarely feed back into the detection system. The result: noisy or broken rules persist and coverage can drift away from current attacker techniques, leaving MITRE ATT&CK coverage lower than teams assume.
Adversary tactics and what they are exploiting
The source frames 2026 attackers as operating with AI assistance: “AI-generated phishing campaigns” hitting inboxes at scale and quality; credential stealers such as Agent Tesla and LummaC2 moving quickly; and EDR evasion so effective that research cited in the piece found more than half of confirmed compromised endpoints had already been marked as “mitigated” by the EDR vendor. Those trends, the article argues, put a premium on speed and forensic depth — not just surface-level triage.
What an AI SOC proposes — and the evidence offered
The proposed alternative is an "AI SOC" in which investigative execution is automated and humans supervise decisions. Intezer's own platform data, drawn from the same 25 million-alert corpus, is presented as proof that this can scale: less than 2% of alerts required human escalation; over 98% were resolved autonomously, with a sub-minute median triage time and 98% verdict accuracy. For the 450K-alert example, the article calculates that roughly 441K alerts a year (98% of 450K) would be fully investigated and resolved without human intervention, while the 54 genuine low-severity incidents that traditional MDR would miss are caught and given actionable remediation recommendations. The figures come from Intezer's own platform, not from an independent evaluation.
Critical to that autonomy, the source stresses, is forensic depth (memory forensics, binary analysis, and code-reuse detection), so that AI verdicts are evidence-backed and can be trusted to act without routine human validation. The AI SOC model also promises a closed loop between investigation and detection engineering, so that noisy rules get tuned continuously and new coverage can be deployed in days rather than months.
How technologists, procurement leaders, and end users should respond
- Technologists and security teams: evaluate whether your detection engineering is a closed loop today, and whether investigation evidence (memory dumps, binary analysis, forensic traces) is captured in a reusable form. Consider a pilot in which AI-driven triage runs alongside your existing MDR on the same alert stream, so the two sets of verdicts can be compared directly.
- Procurement leaders and CISOs: watch pricing models. The source contrasts per-alert pricing — which encourages selectivity — with per-endpoint pricing, which removes economic penalties for investigating every alert and stabilizes budgeting around endpoint counts.
- End users and internal auditors: demand auditability. The article warns that many MDR services are “black boxes” where customers can’t inspect investigation logic, evidence trails, or verdict reasoning; ownership of detection rules and case history should reside with the organization if it plans to build internal AI agents.
Intezer's central warning is straightforward: the MDR model was built for human-speed attackers and staffing shortfalls; AI-accelerated adversaries exploit the low-severity space MDR leaves unread. The metrics the article cites present a choice: accept a persistent blind spot, which the article's own example math puts at roughly one real incident per week for a 450K-alert enterprise (54 a year), or move to an operating model that automates forensic-grade investigation for every alert, every hour, and makes coverage continuous rather than sampled.
Source: Rethinking MDR as Attackers and Defenders Embrace AI — The Hacker News