Analysis of 25M Alerts Reveals Systemic Gaps in Enterprise Threat Detection
A new analysis of 25 million security alerts reveals that enterprise reliance on severity-based triage and automated EDR remediation is leaving organizations vulnerable to one missed breach per week.

A comprehensive analysis of 25 million security alerts across enterprise environments has revealed a systemic failure in how organizations triage low-severity threats, leading to an estimated one missed breach per week for the average company (The Hacker News). By examining telemetry from 10 million endpoints and 180 million files, researchers found that nearly 1% of all confirmed incidents—and up to 2% of endpoint-specific incidents—originate from alerts initially dismissed as low-severity or informational (The Hacker News).
The report highlights a critical breakdown in "triage economics," where the sheer volume of alerts—averaging 450,000 per year per organization—forces security teams to ignore lower-priority signals. Because these alerts are systematically deprioritized, real compromises are hiding in plain sight. These are not theoretical vulnerabilities but active threats that bypass traditional Security Operations Center (SOC) and Managed Detection and Response (MDR) workflows (The Hacker News).
Furthermore, the study challenges the reliability of Endpoint Detection and Response (EDR) platforms. Forensic memory scans conducted on 82,000 alerts revealed that 2,600 endpoints were actively infected, yet 51% of these compromised machines had already been marked as "mitigated" by the EDR vendor (The Hacker News). This indicates that EDR tools are frequently closing tickets and reporting systems as clean while active malware—including well-known tools like Mimikatz, Cobalt Strike, Meterpreter, and StrelaStealer—continues to run in memory (The Hacker News).
The research also details a significant shift in phishing tactics that bypass traditional email gateways. Less than 6% of malicious emails now contain attachments, with attackers instead favoring links and social engineering. Threat actors are increasingly leveraging trusted platforms such as Vercel, CodePen, OneDrive, and PayPal to host their infrastructure (The Hacker News). By using legitimate services like PayPal’s invoicing system, attackers can send emails that pass all standard authentication checks, often employing Unicode homoglyphs to evade signature-based detection (The Hacker News).
Additionally, attackers are weaponizing security mechanisms against scanners. The report notes that Cloudflare Turnstile CAPTCHA is now a strong indicator of malicious intent, as attackers use it to block automated security crawlers, whereas Google reCAPTCHA remains more closely correlated with legitimate infrastructure (The Hacker News).
This data suggests that the current reliance on severity-based triage and automated EDR remediation is creating predictable gaps that threat actors are actively exploiting. As attackers move toward trusted infrastructure and evade automated detection, the findings underscore the necessity of deeper forensic visibility and a reevaluation of how "low-severity" alerts are handled within enterprise security programs (The Hacker News).
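The homoglyph evasion described above is detectable on the receiving side by folding lookalike Unicode characters back to a Latin skeleton before matching brand names. The Python below is an added illustration written for this page, not code from the report or The Hacker News; its confusables table is a small constructed subset of the Unicode confusables data, and the brand watch-list and sample subject lines are constructed.

```python
import unicodedata

# Constructed subset of the Unicode confusables list: non-Latin letters that
# render like Latin ones. A production filter would load the full list.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o r
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s",  # Cyrillic s u h dze
    "\u0456": "i", "\u0458": "j", "\u03b1": "a", "\u03bf": "o",  # Cyrillic i je; Greek alpha omicron
    "\u0131": "i",                                                # Latin dotless i
}
WATCHED_BRANDS = ["PayPal", "OneDrive", "Microsoft"]  # constructed watch-list

def skeleton(text: str) -> str:
    """Fold text to a comparable Latin skeleton: NFKC (fullwidth/ligatures -> ASCII),
    lowercase, map confusables, then drop combining accents."""
    folded = unicodedata.normalize("NFKC", text).lower()
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in folded)
    decomposed = unicodedata.normalize("NFD", folded)
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))

def scripts_used(text: str) -> set:
    """Unicode script names of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    names = set()
    for ch in text:
        if ch.isalpha():
            try:
                names.add(unicodedata.name(ch).split()[0])
            except ValueError:  # unnamed code point
                names.add("UNKNOWN")
    return names

def homoglyph_hits(text: str, brands=WATCHED_BRANDS) -> list:
    """Return (brand, token) pairs where a token folds to a watched brand name
    but is not that brand's plain spelling, i.e. a lookalike."""
    hits = []
    for word in text.split():
        token = word.strip(".,:;!?()[]\"'\u2019")
        if not token:
            continue
        for brand in brands:
            if skeleton(token) == brand.lower() and token.lower() != brand.lower():
                hits.append((brand, token))
    return hits

def assess_subject(subject: str) -> dict:
    """Combine both signals for one email subject line (constructed scoring)."""
    hits = homoglyph_hits(subject)
    mixed = len(scripts_used(subject)) > 1  # Latin mixed with Cyrillic/Greek etc.
    return {"homoglyph_hits": hits, "mixed_script": mixed, "suspicious": bool(hits) or mixed}
```

Both signals are deliberately kept separate: a mixed-script subject is worth flagging even when the lookalike word is not on the brand list.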