A recent comprehensive report has starkly illuminated a concerning, yet quietly institutionalized, practice within enterprise security operations: the deliberate act of not looking at a significant portion of security alerts. This revelation, far from anecdotal, is substantiated by an extensive investigation into over 25 million security alerts, encompassing both informational and low-severity classifications, observed across live enterprise environments. The findings challenge fundamental assumptions about security posture, EDR efficacy, and the evolving threat landscape, signaling a critical inflection point for Chief Information Security Officers (CISOs) and security teams worldwide.
The dataset underpinning these groundbreaking findings is monumental, offering an unprecedented view into the daily realities of modern cyber defense. It includes telemetry from 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations (including detailed live memory scans), 180 million files analyzed, and network intelligence from 7 million IP addresses, 3 million domains and URLs, alongside analysis of over 550,000 phishing emails. The consistent patterns that emerge from this vast ocean of data paint a clear and unsettling picture: sophisticated threat actors are systematically exploiting the predictable gaps created by resource-constrained, severity-based security operations. Understanding where these critical vulnerabilities reside necessitates a holistic examination of the entire alert spectrum, particularly focusing on the categories that security teams have traditionally been conditioned to deprioritize or outright ignore.
The Pervasive Problem of Alert Fatigue and Resource Constraints
For years, the cybersecurity industry has grappled with the ever-increasing volume of security alerts. As organizations expand their digital footprints across cloud environments, diverse endpoints, and intricate networks, the sheer number of potential security signals generated by various tools—Security Information and Event Management (SIEM) systems, Endpoint Detection and Response (EDR) solutions, Intrusion Detection/Prevention Systems (IDS/IPS), and more—has skyrocketed. This deluge has led to a phenomenon known as "alert fatigue," where human analysts, overwhelmed by the sheer volume, develop a tendency to overlook or dismiss alerts, especially those deemed "low-severity" or "informational."
Traditionally, Security Operations Centers (SOCs) and Managed Detection and Response (MDR) providers have adopted a triage model predicated on alert severity. This approach is rooted in practical economics: human analysts are a finite and expensive resource. To operate within budgetary constraints, security teams are often forced to automate the closure of most low-severity alerts, reserving in-depth investigations for only those flagged as critical. The implicit trust placed in these severity labels, however, has now been empirically challenged, revealing a dangerous disconnect between perceived risk and actual threat. This operational reality, while understandable from a resource management perspective, inadvertently creates exploitable blind spots that adversaries are increasingly leveraging.
The "1% Problem": A Gateway for Persistent Threats
The report’s analysis of 25 million alerts reveals a startling statistic: nearly 1% of all confirmed security incidents originated from alerts initially categorized as low-severity or informational. When focusing specifically on endpoints, this figure nearly doubles, climbing to almost 2%. At first glance, these percentages might seem negligible, easily dismissed as background noise in the vast landscape of enterprise security data. However, at an enterprise scale, these seemingly small percentages translate into significant, tangible risks.
Consider an average organization that generates approximately 450,000 security alerts annually. One percent of this volume equates to roughly 54 genuine threats per year—a staggering average of one missed breach every single week. These are not theoretical risks residing on an attacker’s wishlist; they represent real compromises that remain undetected because the alerts flagging them are systematically deprioritized under traditional SOC or MDR models. The failure here is not in detection; the security tools did generate alerts. The failure lies in triage economics, which rendered comprehensive investigation practically impossible. These incidents remain hidden in plain sight, allowing attackers to establish footholds, exfiltrate data, or deploy further malicious payloads unimpeded, often for extended periods.
EDR’s False Promise: "Mitigated" Does Not Mean Clean
A particularly alarming revelation from the report pertains to Endpoint Detection and Response (EDR) systems, which form the bedrock of many organizations’ endpoint security strategies. The findings directly challenge the foundational assumption that EDR remediation can be trusted at face value. Out of 82,000 alerts that underwent live forensic memory scans, a significant 2,600 were found to have active infections. More critically, of these confirmed compromised endpoints, a staggering 51% had already been marked as "mitigated" by the source EDR vendor.
This means that in over half of the confirmed endpoint compromises detected through rigorous forensic analysis, the EDR system had prematurely closed the ticket, erroneously declaring the threat resolved. Without memory-level forensics, these active infections would have remained completely invisible, allowing advanced persistent threats (APTs) and sophisticated malware to operate stealthily within the network. The very tools organizations rely upon as their primary endpoint safety net are, in many cases, reporting a clean bill of health for machines that are demonstrably compromised.
The malware families identified running in memory during these scans are not obscure proof-of-concept tools. They include Mimikatz (credential dumping), Cobalt Strike (adversary simulation, post-exploitation), Meterpreter (advanced payload for Metasploit), and StrelaStealer (information theft). These are the workhorses of active criminal enterprises and nation-state operations, indicating that serious, well-resourced attackers are exploiting these EDR blind spots. This challenges CISOs to re-evaluate the true efficacy of their current EDR deployments and consider supplementary forensic capabilities to ensure actual, rather than perceived, remediation.
The Evolving Phishing Landscape: Bypassing Traditional Gateways
The report’s phishing data reflects a fundamental and rapid shift in attacker methodology, one that most conventional email security architectures are ill-equipped to counter. Less than 6% of confirmed malicious phishing emails contained traditional attachments, a stark departure from historical norms. Instead, attackers predominantly relied on malicious links and psychologically engineered language to trick recipients.
More significantly, threat actors have strategically migrated their phishing infrastructure to platforms that are trusted by default. Services like Vercel, CodePen, OneDrive, and even PayPal’s own invoicing system are now being weaponized. For instance, one documented campaign leveraged PayPal’s legitimate payment request infrastructure to dispatch threat emails. These emails contained callback numbers embedded within the payment notes and used Unicode homoglyphs to bypass signature-based detection. Crucially, the sending domain passed every standard authentication check (SPF, DKIM, and DMARC) because the mail genuinely originated from PayPal’s servers, which makes such messages extremely difficult for traditional email gateways to flag as malicious.
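Because sender authentication passes in this scenario, the remaining signal lives in the message body. The following added example (not code from the report or from Intezer) shows a defender-side content check on a constructed payment note: it flags words that mix Unicode scripts, folds a small hand-built set of Cyrillic confusables to a Latin skeleton so a spoofed brand name still matches, and extracts phone-number-like callback strings.

```python
import re
import unicodedata

# Constructed sample payment note (not from the report): Latin text with Cyrillic
# "а" (U+0430) substituted into "Paypal" and "account", plus a callback number.
SAMPLE_NOTE = "Your P\u0430ypal \u0430ccount was charged $499. To dispute call +1 (555) 010-0199"

# Hand-built confusable table (assumption: a few common Cyrillic look-alikes,
# not the full Unicode confusables list).
CONFUSABLES = str.maketrans({"\u0430": "a", "\u043e": "o", "\u0435": "e", "\u0440": "p",
                             "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i"})

def script_of(ch: str) -> str:
    """Coarse script name for a letter ('LATIN', 'CYRILLIC', ...) from its Unicode name."""
    try:
        return unicodedata.name(ch).split()[0]
    except ValueError:
        return "UNKNOWN"

def mixed_script_words(text: str) -> list:
    """Words whose letters come from more than one script, e.g. Latin plus Cyrillic."""
    flagged = []
    for word in re.findall(r"\w+", text):
        scripts = {script_of(c) for c in word if c.isalpha()}
        if len(scripts) > 1:
            flagged.append(word)
    return flagged

def skeleton(text: str) -> str:
    """Fold confusables to a Latin skeleton so brand names match after substitution."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES)

def callback_numbers(text: str) -> list:
    """Phone-number-like strings; a number inside a payment note is itself a signal."""
    return re.findall(r"\+?\d[\d\s().-]{8,}\d", text)

def assess_note(text: str, brands=("paypal",)) -> dict:
    """Combine the three checks; 'spoofed_brands' are brands visible only after folding."""
    words = mixed_script_words(text)
    folded = skeleton(text).lower()
    spoofed = [b for b in brands if b in folded and b not in text.lower()]
    numbers = callback_numbers(text)
    return {"mixed_script_words": words, "spoofed_brands": spoofed,
            "callback_numbers": numbers, "suspicious": bool(words or spoofed) and bool(numbers)}
```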
Furthermore, the report highlights an intriguing observation: Cloudflare Turnstile CAPTCHA has emerged as a reliable indicator of malicious intent, as sites that employed it were consistently more likely to be phishing pages. Conversely, Google reCAPTCHA correlated with legitimate infrastructure. This suggests attackers are co-opting mechanisms designed to thwart bots in order to deter automated security scanners, adding another layer of obfuscation.
The study identified four novel techniques used to bypass email gateways at scale: Base64 payloads concealed within SVG image files, malicious links embedded in PDF annotation metadata (rendering them invisible to surface-level scanners), dynamically loaded phishing pages served through legitimate OneDrive shares, and DOCX files containing archived HTML content with QR codes. These are not exotic, theoretical exploits but operational techniques being widely deployed, necessitating a re-evaluation of email security strategies beyond mere attachment and domain-based analysis.
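Two of the four techniques above, a base64 payload hidden in an SVG and HTML archived inside a DOCX, can be surfaced by inspecting the attachment itself rather than trusting the declared file type. The following added example (not code from the report) builds constructed samples of both and runs two small inspectors over them: one parses the SVG, flags active content and data: URIs, and decodes long base64 runs to see whether they contain markup; the other opens the DOCX as the zip it is and lists parts that are HTML, script, or nested archives.

```python
import base64, binascii, io, re, zipfile
import xml.etree.ElementTree as ET

# Constructed samples (not from the report): an SVG carrying a base64-encoded HTML
# page in a data: URI and in a script, and a minimal .docx with a smuggled HTML part.
PAYLOAD_HTML = b"<html><body><a href='https://login.example.invalid'>Sign in</a></body></html>"
B64 = base64.b64encode(PAYLOAD_HTML).decode()
SAMPLE_SVG = (f'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
              f'<image xlink:href="data:text/html;base64,{B64}"/>'
              f'<script>location = atob("{B64}")</script></svg>').encode()

def build_sample_docx() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/media/page.html", PAYLOAD_HTML)  # the smuggled page
    return buf.getvalue()

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{40,}={0,2}")

def decodes_to_markup(run: bytes) -> bool:
    """Decode a base64 run (re-padding it) and check whether it contains HTML or script."""
    run = run.rstrip(b"=")
    try:
        decoded = base64.b64decode(run + b"=" * (-len(run) % 4)).lower()
    except binascii.Error:
        return False
    return b"<html" in decoded or b"<script" in decoded

def svg_findings(data: bytes) -> list:
    """Flag active content, data: URIs, event handlers and base64 runs that decode to markup."""
    findings = []
    for el in ET.fromstring(data).iter():
        tag = el.tag.rsplit("}", 1)[-1]           # strip XML namespace
        if tag in ("script", "foreignObject"):
            findings.append(f"active content: <{tag}>")
        for attr, value in el.attrib.items():
            attr = attr.rsplit("}", 1)[-1]
            if value.startswith("data:") or attr.startswith("on"):
                findings.append(f"suspicious attribute {attr} on <{tag}>")
    findings += ["base64 run decodes to HTML/script" for r in B64_RUN.findall(data) if decodes_to_markup(r)]
    return findings

def docx_findings(data: bytes) -> list:
    """A .docx is a zip; report parts that are HTML, script or nested archives."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [f"non-document part: {n}" for n in zf.namelist()
                if n.lower().endswith((".html", ".htm", ".js", ".zip"))]
```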

Cloud Telemetry: Attackers’ Long Game in the Digital Sky
The report’s analysis of cloud alert data uncovers a pronounced concentration around defense evasion and persistence tactics. Notably, high-impact behaviors such as lateral movement or privilege escalation appeared only rarely in the initial alert signals. This indicates a sophisticated and patient approach by attackers in cloud environments.
The dominant pattern observed is long-term access, achieved through token manipulation, abuse of legitimate cloud features, and obfuscation techniques designed to avoid triggering higher-severity detections. The primary goal is to maintain a persistent and undetected presence within the cloud infrastructure, rather than to execute noisy, high-impact actions that would immediately draw attention.
AWS misconfigurations significantly amplify this risk. S3 storage buckets alone accounted for approximately 70% of all cloud control violations within the dataset. The most common issues revolved around access management, server logging, and cross-account restrictions. Critically, these misconfigurations rarely trigger high-severity alerts; most are classified as low-severity. However, they have been repeatedly exploited once attackers establish even a minimal foothold, dramatically accelerating their ability to move laterally, escalate privileges, and exfiltrate sensitive data. This quiet accumulation of risk in the cloud highlights the need for continuous security posture management and a re-evaluation of how low-severity cloud alerts are prioritized.
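The three S3 issue classes named above (access management, server logging, cross-account restrictions) map directly onto bucket settings that can be evaluated continuously rather than waiting for an alert. The following added example (not code from the report or from Intezer) evaluates constructed bucket configurations, shaped like the responses of the S3 GetBucketLogging, GetPublicAccessBlock and GetBucketPolicy APIs, and returns one violation per control; the account id and bucket names are made up.

```python
import json

# Constructed bucket configurations (not real AWS data); OWN_ACCOUNT is a placeholder id.
OWN_ACCOUNT = "111111111111"
BUCKETS = {
    "finance-exports": {
        "Logging": {},  # no LoggingEnabled block: server access logging is off
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
        "Policy": json.dumps({"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::999999999999:root"},
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::finance-exports/*"}]}),
    },
    "app-assets": {
        "Logging": {"LoggingEnabled": {"TargetBucket": "central-logs", "TargetPrefix": "app-assets/"}},
        "PublicAccessBlock": {k: True for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                                "BlockPublicPolicy", "RestrictPublicBuckets")},
        "Policy": None,
    },
}

def accounts_of(principal) -> set:
    """Account ids named by a policy Principal; '*' means everyone."""
    if principal == "*":
        return {"*"}
    arns = principal.get("AWS", []) if isinstance(principal, dict) else []
    arns = [arns] if isinstance(arns, str) else arns
    return {"*" if a == "*" else a.split(":")[4] for a in arns}

def evaluate_bucket(cfg: dict, own_account: str) -> list:
    """Violations for one bucket across the three control classes the report names."""
    violations = []
    if "LoggingEnabled" not in cfg["Logging"]:
        violations.append("server access logging disabled")
    pab = cfg["PublicAccessBlock"]
    if not all(pab.get(k) for k in ("BlockPublicAcls", "IgnorePublicAcls",
                                    "BlockPublicPolicy", "RestrictPublicBuckets")):
        violations.append("public access block not fully enabled")
    if cfg["Policy"]:
        for stmt in json.loads(cfg["Policy"])["Statement"]:
            if stmt.get("Effect") != "Allow":
                continue
            foreign = accounts_of(stmt.get("Principal", {})) - {own_account}
            if foreign:
                violations.append(f"policy grants {stmt['Action']} to external principal(s) {sorted(foreign)}")
    return violations

def evaluate_all(buckets: dict, own_account: str) -> dict:
    return {name: evaluate_bucket(cfg, own_account) for name, cfg in buckets.items()}
```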
Why Traditional SOCs and MDRs Face an Insurmountable Challenge
The systemic issues brought to light by this report point to an operational and capacity problem that technology alone, until recently, has struggled to solve. The fundamental bottleneck remains human analyst capacity. As telemetry expands exponentially across endpoints, cloud services, identities, networks, and SaaS applications, every SOC eventually encounters the same operational ceiling. The only viable strategy to remain within budget and manageable workloads has been aggressive triage: automate the closure of the majority of alerts, investigate only those deemed critical, and place inherent trust in the accuracy of severity labels. The 2026 data unequivocally demonstrates that this trust is misplaced at scale.
MDR providers, while offering an outsourced solution, face identical constraints. Their human-scaled operating model dictates that approximately 60% of alerts still go unreviewed, whether managed internally or externally. Simply adding more analysts, while raising the operational ceiling, does not eliminate the fundamental challenge of human scalability. SOAR (Security Orchestration, Automation, and Response) platforms offer workflow automation but demand significant upfront investment in designing playbooks and still do not fully replace the nuanced investigative execution that complex threats require.
The deeper, more insidious problem is the broken feedback loop inherent in this traditional model. When low-severity alerts are never investigated, the real threats they represent remain undiscovered. Consequently, detection rules that fail to catch actual attacks are never identified or corrected. The security system cannot self-improve because the vital inputs necessary for its refinement—the insights gained from investigating all alerts—are never examined. This creates a stagnant security posture in a rapidly evolving threat landscape.
The Paradigm Shift: Investigating Everything with AI-Powered SOCs
The capacity to investigate all 25 million alerts cited in the report required fundamentally removing the historical constraint that has made full coverage impossible: human analyst capacity. In this particular dataset, the Intezer AI SOC platform was employed to triage and investigate the vast majority of alerts. The results were transformative: less than 2% of alerts required escalation to a human analyst, achieving a remarkable 98% verdict accuracy with a sub-minute median triage time across the entire volume.
The effects of such a full-coverage investigation approach are profound and measurable. When every alert receives forensic-grade analysis, irrespective of its initial severity classification, triage outcomes are grounded in concrete evidence rather than potentially flawed assumptions about low-severity labels. This capability ensures that early-stage threats, which often produce only weak initial signals, are surfaced and addressed long before they can progress into full-blown breaches. Furthermore, detection engineering benefits directly from this comprehensive analysis; every investigation generates invaluable feedback that can be seamlessly looped back into rule tuning and refinement at the source, leading to continuous improvement of the security posture.
For human analysts, the practical result is a significant shift in how their time is allocated. Escalations become less frequent, but crucially, they are of higher confidence and quality. This empowers analysts to engage at the critical point of decision-making and strategic response, rather than expending precious capacity on laborious initial discovery and classification tasks. The role of the human analyst evolves from a reactive alert processor to a proactive threat hunter and strategic defender.
For the broader organization, this translates into a security posture that is not merely static but continuously adapts and improves, keeping pace with an ever-changing threat landscape. The ability to "look everywhere" and uncover hidden compromises fundamentally changes the game, moving organizations from a reactive stance of damage control to a proactive one of early intervention and resilience. This marks a strategic imperative for CISOs navigating the complexities of modern cyber defense.
Broader Implications and the Future of Enterprise Security
The findings of the 2026 AI SOC Report by Intezer resonate deeply with the broader industry trend towards intelligent automation in cybersecurity. The era of relying solely on human-centric, reactive security models is rapidly drawing to a close. The economic realities of scale, the sophistication of modern adversaries, and the sheer volume of data necessitate a new approach.
CISOs are increasingly grappling with the challenge of securing complex, hybrid environments against persistent and adaptable threats. The report underscores that traditional metrics of security effectiveness, such as the number of alerts generated or mitigated, can be misleading if the underlying investigative processes are flawed or incomplete. The true measure of security lies in the ability to identify and neutralize all genuine threats, regardless of their initial perceived severity.
The adoption of AI-powered security operations platforms is not merely an incremental improvement; it represents a fundamental shift in how enterprises can achieve comprehensive visibility and proactive defense. By offloading the initial, high-volume triage and investigation tasks to AI, human expertise can be directed towards higher-value activities: strategic threat intelligence, proactive hunting, incident response planning, and architectural improvements. This symbiotic relationship between AI and human intelligence is poised to redefine the capabilities of future SOCs, transforming them from overwhelmed alert centers into highly efficient, intelligent threat detection and response hubs. The dark secret of enterprise security, once a quiet acceptance of inherent limitations, is now a mandate for change, driven by the undeniable evidence that looking everywhere is not just possible, but essential.
To explore the full report and research findings, see the 2026 AI SOC Report for CISOs by Intezer.
