Report: Enterprises Are Still Training Themselves to Miss Real Cyberattacks

For years, security teams have lived with a hard truth: they cannot look at everything. As alert volumes balloon across endpoints, cloud workloads, identity systems, and email gateways, security operations centers have learned to triage aggressively. Low severity and informational alerts are often ignored by design, treated as background noise rather than actionable risk.

New research from Intezer suggests that this tradeoff is quietly failing.

An analysis of more than 25 million real-world security alerts across live enterprise environments shows that a meaningful share of confirmed cyber incidents begin as signals most teams are conditioned to dismiss. Nearly one percent of all verified incidents traced back to alerts originally classified as low severity or informational. On endpoints, the rate was almost double that. For a large organization generating hundreds of thousands of alerts a year, that gap translates into dozens of real threats annually that never receive human investigation.

This pattern exposes a growing mismatch between how modern attacks operate and how security teams prioritize risk. Instead of relying on loud exploits or obvious malware, attackers increasingly move slowly, hide inside legitimate processes, and abuse trusted services. Those behaviors often register as subtle anomalies rather than high confidence alarms.

“Security teams have normalized the idea that some risk must be accepted because it is impossible to investigate everything,” said Itai Tevet, CEO and co-founder of Intezer. “Our research shows that this acceptance is increasingly misaligned with how modern attacks unfold. When genuine threats consistently emerge from alerts we have trained ourselves to ignore, the definition of acceptable risk needs to be reexamined.”

The data reveals uncomfortable blind spots across the security stack. Endpoint tools frequently report that threats have been handled when systems remain compromised. More than half of endpoint alerts were not automatically mitigated, and nearly one in ten of those unresolved alerts turned out to be malicious. In some cases, live forensic scans uncovered active compromise even after security software indicated cleanup had already occurred.

Cloud environments tell a similar story. Rather than triggering noisy alarms, attackers favor defense evasion and persistence techniques that blend into normal operations. The goal is not disruption but durability, maintaining long-term access through legitimate cloud services while avoiding attention.

Email attacks have also evolved past the attachment-heavy phishing campaigns many defenses were built to catch. The vast majority of malicious messages now rely on links, browser-based abuse, and trusted platforms such as cloud storage, code sandboxes, and CAPTCHA flows to slip past filters and social engineering defenses.

Identity systems, meanwhile, generate enormous volumes of alerts with surprisingly little signal. Location anomalies and impossible travel warnings rarely correlate with actual compromise. Routine VPN usage, mobile behavior, and overlapping security controls account for most false positives, leaving teams overwhelmed by noise while genuine threats remain buried.

Underlying infrastructure weaknesses persist as well. Cloud misconfigurations, particularly in object storage services, remain widespread. Missing encryption, weak access controls, and absent logging continue to appear even in mature environments. At the network level, many organizations still implicitly trust internal traffic, transmitting credentials and sensitive data without encryption rather than enforcing zero trust principles.
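The three object-storage misconfigurations the report calls out (missing encryption, weak access controls, absent logging) are all checkable from a bucket's configuration alone. The following is an added example, not code from the report or from Intezer: a small audit that evaluates a bucket configuration record and lists those gaps, run over a constructed weak bucket beside a constructed hardened one. The `BucketConfig` fields are assumptions standing in for the settings a real cloud provider exposes; they are not any provider's API.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BucketConfig:
    """Minimal, provider-neutral view of an object-storage bucket (assumed shape)."""
    name: str
    default_encryption: Optional[str]          # e.g. "AES256" or "kms"; None means off
    public_access_blocked: bool                # provider-level block on public grants
    access_logging_enabled: bool               # server access logs delivered somewhere
    policy_principals: List[str] = field(default_factory=list)  # principals in bucket policy


def audit_bucket(cfg: BucketConfig) -> List[str]:
    """Return a list of misconfiguration findings; an empty list means no gap found."""
    findings = []
    # Encryption at rest: every object written without an explicit setting stays plaintext.
    if not cfg.default_encryption:
        findings.append("default encryption at rest is not configured")
    # Access controls: the provider-level block and the policy itself are checked separately,
    # because a wildcard principal is still a finding even when public access is blocked.
    if not cfg.public_access_blocked:
        findings.append("public access is not blocked at the bucket level")
    if "*" in cfg.policy_principals:
        findings.append("bucket policy grants access to the wildcard principal '*'")
    # Logging: without access logs there is no record to investigate later.
    if not cfg.access_logging_enabled:
        findings.append("access logging is disabled")
    return findings


# Constructed sample buckets (not real environments).
WEAK_BUCKET = BucketConfig(
    name="example-weak-bucket",
    default_encryption=None,
    public_access_blocked=False,
    access_logging_enabled=False,
    policy_principals=["*"],
)

HARDENED_BUCKET = BucketConfig(
    name="example-hardened-bucket",
    default_encryption="kms",
    public_access_blocked=True,
    access_logging_enabled=True,
    policy_principals=["arn:example:iam::000000000000:role/app-reader"],  # placeholder principal
)


def audit_all(buckets: List[BucketConfig]) -> dict:
    """Map bucket name to its findings, so the result can be fed to a report or a ticket."""
    return {b.name: audit_bucket(b) for b in buckets}


if __name__ == "__main__":
    for name, findings in audit_all([WEAK_BUCKET, HARDENED_BUCKET]).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{name}: {status}")
```

The point of keeping the checks independent is that each one maps to a distinct control, so a bucket that passes two of three still surfaces the third rather than being summarized as "mostly fine".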

Taken together, the findings point to a deeper problem than alert fatigue alone. The industry’s long-standing definition of acceptable risk was shaped by human limitations. Analysts could only investigate so much, so low severity alerts became expendable. That assumption is increasingly outdated in an era where AI-driven forensic analysis can operate at enterprise scale.

As attack surfaces expand and adversaries adopt AI-assisted tooling of their own, the cost of ignoring low confidence signals continues to rise. The research suggests that organizations clinging to aggressive triage models may be underestimating their exposure not because they lack data, but because they have learned to look away from it.

The uncomfortable conclusion is that many breaches are not slipping past defenses undetected. They are being flagged, labeled, and quietly ignored.