Overview
A new research report analyzing over 25 million security alerts from live enterprise environments has surfaced an uncomfortable truth about modern security operations: organizations have quietly normalized ignoring low-severity and informational alerts — and genuine threats are slipping through as a result.
The study, which examined alert data across enterprise security operations centers (SOCs), found that the average enterprise experiences at least one genuine missed threat per week that was buried in low-severity noise and never investigated.
The Dark Secret of Enterprise Security Operations
Security teams are drowning in alerts. Modern enterprise environments generate tens of thousands of alerts daily, and SOC analysts — already stretched thin — have developed informal triage hierarchies that systematically deprioritize anything below a certain severity threshold.
The report describes this as "institutionalized non-looking": an organizational behavior where defenders have effectively decided, at a policy level, that certain classes of alerts will not be investigated due to resource constraints and assumed low fidelity.
The consequence is predictable in hindsight: sophisticated attackers have learned to operate below the severity thresholds that trigger human investigation.
Key Findings from the 25M Alert Analysis
The Severity Gap
- High and critical alerts: Investigated promptly, median time to triage under 4 hours
- Medium alerts: Investigated inconsistently, median time to triage exceeds 3 days
- Low and informational alerts: Rarely investigated; median backlog exceeds 30 days with many never reviewed
The Hidden Threat in Low-Severity Noise
When researchers retroactively analyzed low-severity alerts that were never investigated, they found:
- 1 in 52 low-severity alerts corresponded to an event that, in retrospect, was part of a confirmed intrusion or significant incident
- The missed threats included initial access events, credential harvesting, lateral movement on endpoints, and data staging activity — all operating just below the detection thresholds designed to catch them
- In cases where breaches were later confirmed, low-severity alerts had preceded the high-severity compromise alerts by an average of 11 days
Alert Fatigue by the Numbers
- The average enterprise SOC receives 47,000+ alerts per week
- Analysts spend an average of 11 minutes per high-severity alert but less than 90 seconds per medium alert
- Low-severity alerts receive no human attention at all in most environments, being auto-closed or archived after a retention period
Why Low-Severity Alerts Are Goldmines for Attackers
Attackers have adapted to detection-heavy environments by:
- Slowing down: Spreading activity over days or weeks to keep individual events below anomaly detection thresholds
- Living off the land: Using built-in system tools (PowerShell, WMI, certutil, curl) that generate low-severity alerts rather than triggering high-confidence detections
- Staging from trusted systems: Moving laterally through systems that are considered trusted, where security tools are configured with reduced sensitivity to avoid false positives
- Mimicking administrative behavior: Performing actions that look identical to routine IT operations, generating only informational or low-severity events
The Problem with CVSS and Alert Scoring
The report also challenges the heavy reliance on CVSS scores and vendor-assigned severity ratings for alert prioritization. Key issues identified:
- CVSS scores reflect theoretical impact, not real-world exploitability in a specific environment
- A low-CVSS vulnerability exploited against an unpatched internet-facing system in a specific business context may represent far greater real risk than a high-CVSS vulnerability in an isolated lab system
- Alert scoring systems trained on historical data may be blind to novel attack techniques that have not yet been associated with high-severity outcomes
Recommended Approaches
Rethinking Alert Triage
Rather than strict severity-based triage, the report recommends incorporating contextual enrichment:
- Asset criticality: A low-severity alert on a domain controller or developer workstation with code signing keys deserves higher priority than the same alert on a print server
- User behavior baselines: Flag low-severity alerts that deviate from an individual user's or system's established baseline, even if the alert type itself is low severity
- Kill chain correlation: Automatically correlate low-severity alerts across the kill chain — multiple low-severity events that map to reconnaissance, initial access, and persistence together should trigger a high-severity composite alert
Automation for Low-Severity Triage
Full human review of all alerts is not realistic, but automated enrichment can help:
- Auto-enrich low-severity alerts with threat intelligence lookups, asset criticality scores, and user risk scores before routing to analysts
- Cluster related low-severity alerts into unified cases to reduce cognitive load
- Score composites: Use machine learning models trained on confirmed incidents to score alert combinations rather than individual alerts in isolation
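The enrichment and kill-chain correlation described in the two lists above, as an added example that is not part of the report: low and informational alerts are grouped per host, enriched with an assumed asset-criticality table, and promoted to a single composite case when alerts mapping to three distinct kill-chain stages land inside a 14-day window. The alert records, the rule-to-stage mapping and the criticality scores are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: low/informational alerts as a SIEM might export them.
ALERTS = [
    {"ts": "2024-03-01T09:00:00", "host": "dc01", "user": "jdoe", "rule": "ldap_enum", "sev": "low"},
    {"ts": "2024-03-03T14:20:00", "host": "dc01", "user": "jdoe", "rule": "new_scheduled_task", "sev": "info"},
    {"ts": "2024-03-06T08:05:00", "host": "dc01", "user": "jdoe", "rule": "certutil_download", "sev": "low"},
    {"ts": "2024-03-02T10:00:00", "host": "print01", "user": "svc_print", "rule": "ldap_enum", "sev": "low"},
]

# Assumed mapping from detection rule name to kill-chain stage.
RULE_STAGE = {
    "ldap_enum": "reconnaissance",
    "certutil_download": "initial_access",
    "new_scheduled_task": "persistence",
}

# Assumed asset-criticality scores (3 = crown jewel, 1 = low value); unknown hosts default to 2.
ASSET_CRITICALITY = {"dc01": 3, "dev-ws-07": 3, "print01": 1}


def correlate(alerts, window=timedelta(days=14), min_stages=3):
    """Return composite cases: one per host whose low/info alerts cover >= min_stages distinct
    kill-chain stages within `window`. Each composite is rated high severity and carries the
    host's asset criticality so the analyst queue can order crown-jewel hosts first."""
    by_host = defaultdict(list)
    for a in alerts:
        if a["sev"] in ("low", "info"):
            by_host[a["host"]].append(a)

    composites = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, first in enumerate(events):  # slide the window from each alert in turn
            t0 = datetime.fromisoformat(first["ts"])
            in_window = [e for e in events[i:] if datetime.fromisoformat(e["ts"]) - t0 <= window]
            stages = {RULE_STAGE[e["rule"]] for e in in_window if e["rule"] in RULE_STAGE}
            if len(stages) >= min_stages:
                crit = ASSET_CRITICALITY.get(host, 2)
                composites.append({
                    "host": host,
                    "severity": "high",                    # composite outranks its parts
                    "priority": "P1" if crit >= 3 else "P2",
                    "asset_criticality": crit,
                    "stages": sorted(stages),
                    "alerts": in_window,                   # clustered into one case
                })
                break  # one composite per host per run
    return composites
```

On the constructed data only dc01 is promoted; print01's single reconnaissance alert stays in the low-severity queue, which is the intended outcome rather than a gap.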
Metrics and Accountability
- Track mean time to review across all severity levels, not just critical/high
- Set SLAs for low- and medium-severity alert review, even if the review time budget per alert is short
- Measure detection coverage gaps by simulating attacker activity at low-severity thresholds and verifying that the expected detection fires and is actually reviewed
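A way to compute the per-severity review metrics the list above asks for, as an added example rather than tooling from the report: never-reviewed alerts are not dropped from the calculation but aged against the reporting time, so a 30-day backlog shows up as an SLA breach instead of disappearing. The SLA table, reporting time and review records are constructed assumptions.

```python
from datetime import datetime
from statistics import mean, median

# Assumed per-severity review SLAs, in hours.
SLA_HOURS = {"critical": 4, "high": 4, "medium": 24, "low": 72, "info": 168}

# Constructed reporting time and review records: (severity, created, reviewed-or-None).
NOW = datetime.fromisoformat("2024-03-15T00:00:00")
RECORDS = [
    ("critical", "2024-03-14T10:00:00", "2024-03-14T11:00:00"),
    ("high",     "2024-03-13T09:00:00", "2024-03-13T15:00:00"),
    ("medium",   "2024-03-10T09:00:00", "2024-03-14T09:00:00"),
    ("low",      "2024-02-01T09:00:00", None),   # never reviewed: aged against NOW
    ("low",      "2024-03-12T09:00:00", "2024-03-14T09:00:00"),
    ("info",     "2024-01-20T09:00:00", None),
]


def review_metrics(records, now=NOW, sla=SLA_HOURS):
    """Mean/median hours-to-review, unreviewed count and SLA breaches, keyed by severity.
    Unreviewed alerts count their open age so the backlog is visible in the numbers."""
    out = {}
    for sev in sla:
        rows = [r for r in records if r[0] == sev]
        if not rows:
            continue
        hours_list, unreviewed, breaches = [], 0, 0
        for _, created, reviewed in rows:
            start = datetime.fromisoformat(created)
            end = datetime.fromisoformat(reviewed) if reviewed else now
            hours = (end - start).total_seconds() / 3600
            hours_list.append(hours)
            unreviewed += reviewed is None
            breaches += hours > sla[sev]
        out[sev] = {
            "count": len(rows),
            "mean_hours": round(mean(hours_list), 1),
            "median_hours": round(median(hours_list), 1),
            "unreviewed": unreviewed,
            "sla_breaches": breaches,
        }
    return out
```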
Implications for Security Leaders
The findings reinforce a message that security practitioners have long known but rarely quantify: the threats most likely to succeed are the ones designed to avoid triggering the alerts your team actually investigates.
For CISOs and security operations leaders, this report should prompt a hard review of whether current alert management practices are creating predictable blind spots that sophisticated adversaries are already exploiting.