25M Alerts Reveal the Risk Hidden in Low-Severity Warnings

The dark secret of enterprise security operations is that defenders have quietly made a practice of not looking. This is not just anecdotal: it is supported by a recent report that investigated more than 25 million security alerts, including informational and low-severity ones, across live enterprise environments.

The data behind these findings includes monitored endpoints and identities, forensic investigation of 82,000 endpoints including live memory scans, 180 million files analyzed, and telemetry from 7 million IP addresses, 3 million domains and URLs, and more than 550,000 phishing emails.

The patterns that emerge from this data tell a consistent story. Threat actors exploit the predictable gaps created by delayed, severity-based security operations, and they do so systematically. Understanding where those gaps lie requires looking at the full picture of monitoring, starting with the category most teams are conditioned to ignore.

A 1% problem that adds up to one breach per week

In this analysis of 25M alerts, about 1% of confirmed incidents originated from alerts initially classified as low severity or informational. In parts of the dataset, that figure rose to about 2%.

At enterprise scale, percentages like these sound small. The average organization generates about 450,000 alerts per year. At those rates, that works out to about 54 real threats per year, roughly one a week, that are never investigated under the traditional SOC or MDR model. Detection was not the failure; triage economics simply made investigating them impossible.

These are not theoretical risks sitting at the edge of an attacker’s wish list. They are real compromises hidden in the alert category that working teams are trained to dismiss.

EDR “remediated” does not mean clean

A final finding from the report deserves special attention because it challenges a basic assumption in many security programs: that EDR remediation can actually be trusted.

Of the 82,000 endpoints that underwent live forensic memory scans, 2,600 had active infections. Of those verified compromised endpoints, 51% had already been marked as “remediated” by the source EDR vendor.

For more than half of the confirmed compromises found through forensic analysis, the EDR had closed the ticket and declared the threat resolved. Without memory-level forensics, those infections would have stayed undiagnosed. The tools many organizations rely on as their endpoint safety net were reporting clean on unclean machines.

Malware families found running in memory during these scans include Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer: not obscure proof-of-concept tools, but the workhorses of criminal and state operations.

Phishing has left your email gateway behind

The phishing data in the report shows a fundamental shift in attacker tradecraft that most email security architectures were not designed to handle.

Less than 6% of verified phishing emails contain attachments. Most rely on links and language. More importantly, attackers have moved their infrastructure onto trusted third-party platforms by default: Vercel, CodePen, OneDrive, and PayPal’s invoicing system.

One campaign documented in the report uses PayPal’s legitimate payment infrastructure to send malicious emails, with phone numbers embedded in the payment notes and Unicode homoglyphs to defeat signature-based detection. The sending domain passes every standard verification check because the mail genuinely originates from PayPal.

Cloudflare Turnstile CAPTCHA has become a reliable signal of malicious intent: sites that use it are more likely to be phishing pages, while Google reCAPTCHA is associated with legitimate infrastructure. Attackers are turning mechanisms designed to stop bots into a way to stop automated security scanners.

Four emerging techniques for bypassing email gateways were identified in the data: Base64-encoded payloads hidden inside SVG image files, links embedded in PDF annotation metadata that most scanners never see, dynamically loaded phishing pages served from legitimate OneDrive shares, and DOCX files concealing HTML content that carries QR codes. None of these are edge cases. They are operational tactics used at scale.
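As an added example (not Intezer's code and not from the report), the following Python triage helper flags three of the four attachment artifacts described above in raw files: long base64 runs inside an SVG that decode to web content, /URI link actions inside PDF annotation objects, and HTML parts inside a DOCX archive. The sample files, file names and domains are constructed for the demonstration.

```python
import base64
import re
import zipfile
from io import BytesIO

B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")      # long base64-looking runs
PDF_URI = re.compile(rb"/URI\s*\(([^)]*)\)")            # /URI (target) inside PDF objects
WEB_MARKERS = (b"<html", b"<script", b"http://", b"https://")

def svg_base64_payloads(data: bytes) -> list[bytes]:
    """Decode long base64 runs inside an SVG and keep those that hide web content."""
    hits = []
    for m in B64_RUN.finditer(data):
        try:
            decoded = base64.b64decode(m.group(0), validate=True)
        except ValueError:          # binascii.Error is a ValueError: not real base64
            continue
        if any(marker in decoded.lower() for marker in WEB_MARKERS):
            hits.append(decoded)
    return hits

def pdf_annotation_uris(data: bytes) -> list[bytes]:
    """Return link targets from /URI actions, which text-only scanners never render."""
    return [m.group(1) for m in PDF_URI.finditer(data)]

def docx_hidden_html(data: bytes) -> list[str]:
    """Return names of parts inside a DOCX (a zip archive) whose content is HTML."""
    with zipfile.ZipFile(BytesIO(data)) as z:
        return [n for n in z.namelist() if b"<html" in z.read(n)[:4096].lower()]

def triage_attachment(name: str, data: bytes) -> list[str]:
    """Run the check matching the file type; an empty list means nothing was flagged."""
    findings, low = [], name.lower()
    if low.endswith(".svg"):
        findings += [f"svg: base64 hides web content: {p[:40]!r}" for p in svg_base64_payloads(data)]
    if low.endswith(".pdf"):
        findings += [f"pdf: link annotation -> {u.decode(errors='replace')}" for u in pdf_annotation_uris(data)]
    if low.endswith(".docx") and zipfile.is_zipfile(BytesIO(data)):
        findings += [f"docx: html content in part {n}" for n in docx_hidden_html(data)]
    return findings
# Constructed samples (hypothetical, not taken from the report) exercising each check.
_INNER = base64.b64encode(b'<html><script>location="https://login.example.test/"</script></html>')
SAMPLE_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><desc>' + _INNER + b'</desc></svg>'
SAMPLE_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Annot /Subtype /Link /Rect [0 0 10 10] "
              b"/A << /S /URI /URI (https://login.example.test/verify) >> >> endobj\n%%EOF")
_buf = BytesIO()
with zipfile.ZipFile(_buf, "w") as _z:
    _z.writestr("word/document.xml", "<w:document/>")
    _z.writestr("word/embeddings/page.htm", '<html><img src="qr.png"></html>')
SAMPLE_DOCX = _buf.getvalue()
```

Call `triage_attachment(filename, raw_bytes)` for each mail attachment; any non-empty result is a candidate for a full investigation rather than an automatic low-severity close.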

Cloud telemetry shows attackers playing long games

Cloud alert data from the report shows a pronounced focus on defense evasion and persistence tactics, with high-impact behaviors such as lateral movement or privilege escalation largely absent from the signal.

Attackers are cautious and patient. The dominant pattern is long-term access: forging tokens, abusing legitimate cloud features, and keeping activity minimal to avoid triggering high-severity detections. The goal is to stay present and out of sight, not to make noise.

AWS misconfiguration silently compounds this risk. S3 accounts for nearly 70% of all cloud compliance violations in the dataset, with the most common issues concerning access control, server logging, and account-level restrictions. These findings rarely trigger alerts. Most are classified as low severity. And they are exploited repeatedly: once attackers have gained any foothold, these gaps determine how far and how fast they can move next.

Why traditional SOCs and MDRs cannot close this gap

This is a capacity and economics problem that technology alone had not solved until recently.

Human analysts cannot scale with alert volume. As telemetry expands across endpoint, cloud, identity, network, and SaaS, every SOC hits the same ceiling. The only way to operate within budget is to make hard choices: tune out most of the volume, investigate only what looks critical, and trust that the severity labels reflect reality. The 2026 data shows that this trust is misplaced at scale.

MDR providers face similar constraints. Human-scale operating models mean that about 60% of alerts are still never reviewed, whether they are handled internally or externally. Adding more analysts raises the ceiling but does not remove it. SOAR platforms give you automated workflows but require your team to design every playbook, and they still do not perform the investigation itself.

The deeper problem is an unclosed feedback loop. If low-severity alerts are never investigated, the threats missed there never surface. Detection rules that fail to catch real attacks are never fixed. The system cannot improve itself because the inputs it would need in order to improve are never examined.

What changes when you investigate everything

Investigating all 25 million alerts in the report cited above required removing the barrier that has made full coverage impossible: human analysis capacity is the bottleneck. In this dataset, the Intezer AI SOC was used for triage and investigation, escalating less than 2% of alerts to a human analyst, with 98% decision accuracy and an average decision time of under a minute at full volume.

The results of investigating everything are measurable. When every alert receives forensic-grade analysis regardless of severity, triage outcomes rest on evidence rather than on guesswork about what a low-severity label means. Early-stage threats that produce only weak initial signals surface before they develop. Detection engineering also benefits directly, because each investigation produces a verdict that can be fed back into the rule at its source.

A practical consequence for human analysts is a shift in where their time goes. Escalations are fewer and confidence is higher, so analysts engage at the decision stage rather than absorbing volume in initial detection and classification.

Across the organization, this translates into a security posture that keeps improving rather than one that stands still while the threat landscape evolves.

To check out the full report and survey results, see Intezer’s 2026 AI SOC Report for CISOs.
