Are you sure your security team isn’t just… not looking?
Because apparently, that’s the dirty little secret of enterprise security operations these days. It’s not just a hunch; a new report crunched numbers on over 25 million security alerts—yes, including all those pesky informational and low-severity ones—from actual, live corporate networks. We’re talking 10 million endpoints, 82,000 live memory scans, 180 million files busted open, and telemetry from millions of IP addresses and domains. The whole nine yards. And what they found? Threat actors aren’t exactly being subtle; they’re exploiting the predictable blind spots created by security teams conditioned to ignore anything that doesn’t scream red alert. They’re doing it deliberately.
The 1% Problem That Adds Up to One Missed Breach Per Week
Here’s the gut punch: out of that pile of 25 million alerts, almost 1% of the confirmed security incidents actually kicked off from something initially slapped with a ‘low-severity’ or ‘informational’ label. On endpoints alone, that number nudged up to nearly 2%. Now, at the scale of a large organization, where you’re drowning in roughly 450,000 alerts a year, 1% isn’t chump change. That’s about 54 real threats annually, one actual breach per week that never even gets a second glance under the typical SOC or MDR playbook. Detection wasn’t the failure here; the economics of triage made investigation a non-starter. These aren’t theoretical boogeymen; they’re active compromises masquerading as background chatter.
EDR ‘Mitigated’ Doesn’t Mean Clean
This endpoint stuff? It needs its own spotlight because it blows up a fundamental belief most security programs are built on: that your Endpoint Detection and Response (EDR) tool telling you something is ‘mitigated’ actually means it’s gone. Of the 82,000 endpoints that got the full forensic memory scan treatment, a whopping 2,600 were found to have active infections. And of those compromised machines, over half—51%—had already been marked as ‘mitigated’ by their EDR vendor. Think about that. The tools you’re relying on to keep your endpoints safe are cheerfully closing tickets on machines that are still very much infected. If you’re not doing deep memory forensics, these threats are just living rent-free, invisible to your automated defenses. The report named names too: Mimikatz, Cobalt Strike, Meterpreter. These aren’t script kiddie toys; they’re the hammers of active criminal and nation-state operations.
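The two sections above describe the same operational gap from two angles: low-severity alerts that never get a second look, and EDR ‘mitigated’ tickets that close cases on still-infected machines. The following is an added example, not code from the report or from any EDR vendor, showing what a severity-agnostic triage pass looks like: alerts are grouped per host regardless of label, several distinct low-severity rules clustering in a short window escalate the host, and a ‘mitigated’ status is overridden whenever a memory scan still shows a resident implant. Every hostname, rule name, timestamp and memory-scan finding is constructed.

```python
"""Severity-agnostic host triage over constructed alert and memory-scan records.

Added example, not code from the report or any EDR vendor. Every hostname,
rule name, timestamp and memory-scan finding below is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed alert feed: (timestamp, host, severity, rule, edr_status)
ALERTS = [
    ("2024-03-01T08:02:00", "ws-041", "informational", "new_scheduled_task", "open"),
    ("2024-03-01T08:05:00", "ws-041", "low", "lsass_handle_opened", "mitigated"),
    ("2024-03-01T08:09:00", "ws-041", "low", "outbound_to_rare_domain", "open"),
    ("2024-03-01T09:30:00", "ws-102", "informational", "usb_device_inserted", "open"),
    ("2024-03-01T10:00:00", "ws-017", "low", "powershell_encoded_command", "mitigated"),
    ("2024-03-01T11:00:00", "ws-099", "high", "ransom_note_written", "open"),
]

# Constructed memory-scan results: host -> implants still resident in memory
MEMORY_FINDINGS = {
    "ws-017": ["cobalt_strike_beacon"],
    "ws-041": [],
}

LOW_SEVERITIES = {"informational", "low"}


def triage(alerts, memory_findings, window=timedelta(hours=1), min_distinct_rules=3):
    """Return {host: [reasons]} for hosts that need an analyst.

    A severity-threshold queue drops everything in LOW_SEVERITIES. Here those
    alerts are kept, grouped per host, and escalated when several distinct
    rules fire inside `window`; an EDR 'mitigated' status is overridden when
    a memory scan still shows an active implant on the same host.
    """
    by_host = defaultdict(list)
    for ts, host, sev, rule, status in alerts:
        by_host[host].append((datetime.fromisoformat(ts), sev, rule, status))

    reasons = defaultdict(list)
    for host, records in by_host.items():
        records.sort()

        # High-severity alerts escalate on their own, as they would today.
        high = [rule for _, sev, rule, _ in records if sev not in LOW_SEVERITIES]
        if high:
            reasons[host].append(f"high-severity alert: {high[0]}")

        # Sliding window over low/informational alerts: distinct rules clustering in time.
        low = [(t, rule) for t, sev, rule, _ in records if sev in LOW_SEVERITIES]
        for i, (t0, _) in enumerate(low):
            rules = {rule for t, rule in low[i:] if t - t0 <= window}
            if len(rules) >= min_distinct_rules:
                reasons[host].append(
                    f"{len(rules)} distinct low-severity rules within {window}")
                break

        # 'mitigated' is not a terminal state: reconcile with memory forensics.
        mitigated = [rule for _, _, rule, status in records if status == "mitigated"]
        active = memory_findings.get(host, [])
        if mitigated and active:
            reasons[host].append(
                f"EDR marked {mitigated[0]} mitigated but memory scan shows {', '.join(active)}")

    return dict(reasons)


if __name__ == "__main__":
    for host, why in triage(ALERTS, MEMORY_FINDINGS).items():
        print(host, "->", "; ".join(why))
```

On the constructed feed, ws-041 is escalated purely on three informational/low rules that would each have been discarded on their own, ws-017 is reopened because the memory scan contradicts the EDR’s ‘mitigated’ verdict, and ws-102 (a single informational alert) is left alone, which is the point: the cost of this pass is a grouping step, not a human looking at every low alert.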
Phishing Has Left Your Email Gateway Behind
And the phishing data? It confirms what many have suspected: attackers have outgrown your email gateway’s capabilities. Less than 6% of the malicious phishing emails actually had attachments. Most relied on links and convincing prose. What’s more telling is where they’re hosting their malicious infrastructure now—on platforms that security systems are trained to trust: Vercel, CodePen, OneDrive, heck, even PayPal’s invoicing system. One campaign detailed in the report used PayPal’s legitimate payment request system, embedding threat details in payment notes and using sneaky Unicode characters to fool basic defenses. The sending domain? Passed all standard checks because the email really came from PayPal. Here’s a darkly amusing footnote: Cloudflare’s Turnstile CAPTCHA is apparently a dead giveaway for phishing sites, while Google reCAPTCHA points to legit infrastructure. Attackers are weaponizing bot-detection tech against security scanners. The report flagged four new ways attackers are slipping past email gateways: Base64 payloads tucked into SVG files, links hidden in PDF metadata, dynamic phishing pages served from legitimate OneDrive shares, and DOCX files with hidden archives containing QR codes. None of this is exotic; it’s just operational, and it’s happening at scale.
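Two of the evasion tricks listed above, Base64 payloads tucked into SVG files and look-alike Unicode characters in message text, can be caught with content inspection that most gateways skip. The code below is an added example, not from the report: it decodes long base64 runs found anywhere in an SVG and flags those that decode to a URL or script, and it flags words that mix scripts (a Cyrillic letter inside a Latin word) or carry invisible format characters. The SVG and message samples are constructed, and the decoded redirect target uses the reserved `.invalid` TLD.

```python
"""Two content checks for the gateway-evasion tricks described above:
Base64 payloads inside SVG attachments and Unicode look-alike or invisible
characters in message text. Added example, not from the report; the SVG
and message samples are constructed.
"""
import base64
import re
import unicodedata
import xml.etree.ElementTree as ET

B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")      # long base64-looking runs
URL = re.compile(r"https?://[^\s'\"<>]+")


def svg_hidden_payloads(svg_bytes):
    """Decode base64 runs found in any SVG attribute or text node and return
    those that decode to something containing a URL or script-like content."""
    root = ET.fromstring(svg_bytes)
    findings = []
    for el in root.iter():
        candidates = list(el.attrib.values()) + [el.text or ""]
        for text in candidates:
            for blob in B64_RUN.findall(text):
                try:
                    decoded = base64.b64decode(blob, validate=True).decode("utf-8", "replace")
                except ValueError:          # binascii.Error is a ValueError subclass
                    continue
                if URL.search(decoded) or "<script" in decoded.lower() or "location" in decoded:
                    findings.append(decoded)
    return findings


def script_of(ch):
    """First word of the Unicode character name, e.g. LATIN, CYRILLIC, GREEK."""
    name = unicodedata.name(ch, "")
    return name.split(" ")[0] if name else "UNKNOWN"


def mixed_script_words(text):
    """Return (word, scripts, invisible_count) for words that mix scripts
    (e.g. a Cyrillic 'о' inside a Latin word) or contain format characters
    such as zero-width spaces that break naive keyword matching."""
    flagged = []
    for word in text.split():
        scripts = {script_of(c) for c in word if unicodedata.category(c).startswith("L")}
        invisible = sum(1 for c in word if unicodedata.category(c) == "Cf")
        if len(scripts) > 1 or invisible:
            flagged.append((word, sorted(scripts), invisible))
    return flagged


# Constructed samples. The redirect target uses the reserved .invalid TLD.
_PAYLOAD = base64.b64encode(b'location.href="https://verify.example.invalid/"').decode()
SAMPLE_SVG = (
    '<svg xmlns="http://www.w3.org/2000/svg"><rect width="1" height="1"/>'
    f'<script>eval(atob("{_PAYLOAD}"))</script></svg>'
).encode()
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
SAMPLE_TEXT = "Your inv\u043eice is ready, confirm at Pay\u200bPal today"

if __name__ == "__main__":
    print(svg_hidden_payloads(SAMPLE_SVG))
    print(mixed_script_words(SAMPLE_TEXT))
```

The mixed-script check is only meaningful for mail you expect to be in one script; a legitimately bilingual message will trip it, so in practice it feeds a score rather than a block decision. The SVG check deliberately ignores where the base64 sits (attribute, `<script>` body, or plain text), because the whole trick is that it is not in the place a signature would look.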
Cloud Telemetry Shows Attackers Playing Long Games
When you look at cloud alerts, the pattern shifts. There’s a heavy focus on defense evasion and persistence tactics, with fewer high-impact moves like lateral movement or privilege escalation showing up. Attackers are playing the long game, being incredibly patient. Their goal is long-term access. They’re messing with tokens, abusing legitimate cloud features, and using obfuscation to avoid tripping those high-severity alarms. The objective isn’t to make noise; it’s to stay present, undetected. AWS misconfigurations just add another quiet layer to this risk. S3 accounts are often…
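The ‘long game’ pattern above (many quiet persistence and defense-evasion calls, few loud ones) is visible in the audit trail if you classify API calls by tactic instead of by per-call severity. The following is an added example, not from the report, over constructed CloudTrail-style events: each `eventName` is a real AWS API name, mapped to the ATT&CK tactic it most commonly serves, and an identity is flagged when it issues several distinct quiet calls and no loud ones; access keys created for a user other than the caller (a classic token-persistence move) are listed separately. Account id, ARNs, IPs and timestamps are constructed.

```python
"""Tactic profiling of constructed CloudTrail-style events.

Added example, not from the report. The eventName values are real AWS API
names; the account id, ARNs, IPs and timestamps are constructed.
"""
import json
from collections import Counter, defaultdict

# A few AWS API calls and the ATT&CK tactic they most commonly serve.
TACTIC_BY_EVENT = {
    "CreateAccessKey": "persistence",
    "CreateLoginProfile": "persistence",
    "UpdateAssumeRolePolicy": "persistence",
    "UpdateFunctionCode": "persistence",
    "StopLogging": "defense_evasion",
    "DeleteTrail": "defense_evasion",
    "PutEventSelectors": "defense_evasion",
    "PutUserPolicy": "privilege_escalation",
    "AttachUserPolicy": "privilege_escalation",
    "GetCallerIdentity": "discovery",
    "ListBuckets": "discovery",
}
QUIET_TACTICS = {"persistence", "defense_evasion"}
LOUD_TACTICS = {"privilege_escalation", "lateral_movement", "impact"}

ACCOUNT = "111122223333"  # constructed account id


def _ev(time, name, user, ip, params=None):
    """Build one constructed CloudTrail-like record as a JSON line."""
    return json.dumps({
        "eventTime": time, "eventName": name, "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "arn": f"arn:aws:iam::{ACCOUNT}:user/{user}"},
        "requestParameters": params or {},
    })


EVENTS = [
    _ev("2024-03-02T01:10:00Z", "GetCallerIdentity", "ci-deploy", "198.51.100.7"),
    _ev("2024-03-02T01:11:00Z", "CreateAccessKey", "ci-deploy", "198.51.100.7", {"userName": "backup-svc"}),
    _ev("2024-03-03T02:40:00Z", "UpdateAssumeRolePolicy", "ci-deploy", "198.51.100.7", {"roleName": "DataExportRole"}),
    _ev("2024-03-05T03:05:00Z", "StopLogging", "ci-deploy", "198.51.100.7", {"name": "org-trail"}),
    _ev("2024-03-05T03:06:00Z", "ListBuckets", "ci-deploy", "198.51.100.7"),
    _ev("2024-03-02T09:00:00Z", "ListBuckets", "alice", "203.0.113.21"),
    _ev("2024-03-02T09:01:00Z", "GetCallerIdentity", "alice", "203.0.113.21"),
    _ev("2024-03-04T14:00:00Z", "CreateAccessKey", "bob", "203.0.113.22", {"userName": "bob"}),
    _ev("2024-03-04T14:02:00Z", "PutUserPolicy", "bob", "203.0.113.22", {"userName": "bob"}),
]


def profile_identities(event_lines, quiet_threshold=3):
    """Return {arn: profile}. 'long_game' is set when an identity issues
    several distinct persistence/evasion calls and no loud ones; access keys
    created for a user other than the caller are listed in cross_user_keys."""
    acc = defaultdict(lambda: {"tactics": Counter(), "quiet": set(), "loud": set(), "cross_user_keys": []})
    for line in event_lines:
        ev = json.loads(line)
        name = ev["eventName"]
        arn = ev["userIdentity"]["arn"]
        caller = arn.rsplit("/", 1)[-1]
        tactic = TACTIC_BY_EVENT.get(name, "other")
        p = acc[arn]
        p["tactics"][tactic] += 1
        if tactic in QUIET_TACTICS:
            p["quiet"].add(name)
        elif tactic in LOUD_TACTICS:
            p["loud"].add(name)
        # CreateAccessKey without userName targets the caller; a different
        # userName means a credential was minted for another principal.
        target = ev.get("requestParameters", {}).get("userName")
        if name == "CreateAccessKey" and target and target != caller:
            p["cross_user_keys"].append(target)
    return {
        arn: {
            "tactics": dict(p["tactics"]),
            "quiet_events": sorted(p["quiet"]),
            "cross_user_keys": p["cross_user_keys"],
            "long_game": len(p["quiet"]) >= quiet_threshold and not p["loud"],
        }
        for arn, p in acc.items()
    }


if __name__ == "__main__":
    for arn, profile in profile_identities(EVENTS).items():
        print(arn, json.dumps(profile))
```

In the constructed trail, `ci-deploy` never does anything that would rate a high-severity alert on its own, yet over four days it mints a key for another user, rewrites a role’s trust policy and stops a trail, which is exactly the quiet, patient profile the cloud telemetry describes; `bob`, who escalates his own privileges, is the noisy case existing playbooks already catch.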
The patterns that emerge from this data tell a consistent story. Threat actors are exploiting the predictable gaps created by constrained, severity-based security operations, and they are doing it systematically.
This isn’t just about having more tools; it’s about having the right processes—and the willingness to investigate the small stuff before it becomes the big stuff. Because as this report chillingly illustrates, the “small stuff” is often where the real damage is done.
So, Why Are Security Teams Ignoring the “Small Stuff”?
It boils down to economics and a deeply ingrained, albeit flawed, process. Security Operations Centers (SOCs) and Managed Detection and Response (MDR) services are often priced and structured around investigating alerts that meet a certain severity threshold. The sheer volume of low-severity or informational alerts makes it impossible for human analysts, or even many automated systems, to sift through them without an overwhelming backlog. The cost-benefit analysis favors focusing on the alerts that have the highest immediate probability of being a catastrophic breach. This creates a gap where attackers can operate with relative impunity, slowly gaining a foothold or exfiltrating data, because the initial signals are too quiet to warrant immediate investigation under the current operational models. It’s a systems problem, not necessarily a failure of individual tools or even most analysts themselves.
What Does This Mean for Your Company’s Security Posture?
This research is a stark reminder that your security stack is only as good as your operational processes. If your EDR flags something as “mitigated,