thehackernews.com 5/8/2026, 10:58:51 AM

Study reveals hidden threats in low‑severity security alerts

CyberSIXT Evidence Panel
Primary Source intezer.com

A new analysis of more than 25 million security alerts across live enterprise environments shows that defenders have been quietly setting aside low-severity and informational alerts. The dataset covers 10 million monitored endpoints and identities, 82,000 forensic endpoint investigations (including live memory scans), 180 million analyzed files, and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails.

The findings indicate nearly 1% of confirmed incidents originated from alerts initially classified as low‑severity or informational, rising to almost 2% on endpoints. At enterprise scale, the average organisation generates around 450,000 alerts per year, meaning roughly 54 real threats annually—about one per week—that never get investigated under a traditional SOC or MDR model.

The report argues that triage economics, together with the trust placed in severity labels, mask these risks. Its proposed answer is full-coverage investigation: the report cites Intezer's AI SOC triage, which escalates less than 2% of alerts to a human analyst at a claimed 98% verdict accuracy, as a way to surface early-stage threats that would otherwise remain hidden.
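The contrast the report draws is between a severity-threshold queue (only alerts at or above a label are ever looked at) and a full-coverage model (every alert is investigated automatically and only confirmed findings reach a human). The following is an added example, not code from the article or from Intezer, that models both policies over a constructed alert batch and shows where each one loses real incidents. The alert fields, the score-based verdict used as a stand-in for an automated triage engine, and the escalation cut-off of 70 are all assumptions made for the illustration.

```python
from dataclasses import dataclass

# Rank used to compare severity labels; the ordering is a modelling assumption.
SEVERITY_RANK = {"informational": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Alert:
    alert_id: str
    severity: str            # label assigned by the producing tool
    source: str              # e.g. "endpoint", "identity", "email"
    evidence_score: int      # 0-100, stand-in for what a full investigation would find
    is_true_positive: bool   # ground truth, known only after investigation


def build_sample() -> list[Alert]:
    """Constructed alert batch: mostly noise, a few real incidents, two of which
    carry low/informational labels (the pattern the study describes)."""
    return [
        Alert("a1", "critical", "endpoint", 92, True),
        Alert("a2", "high", "identity", 35, False),
        Alert("a3", "medium", "endpoint", 20, False),
        Alert("a4", "medium", "email", 88, True),
        Alert("a5", "low", "endpoint", 81, True),             # real, but labelled low
        Alert("a6", "low", "identity", 12, False),
        Alert("a7", "informational", "endpoint", 79, True),   # real, but informational
        Alert("a8", "informational", "email", 5, False),
    ]


def severity_threshold_triage(alerts: list[Alert], min_severity: str = "medium") -> set[str]:
    """Traditional queue: only alerts at or above the threshold get human attention."""
    floor = SEVERITY_RANK[min_severity]
    return {a.alert_id for a in alerts if SEVERITY_RANK[a.severity] >= floor}


def full_coverage_triage(alerts: list[Alert], escalate_at: int = 70) -> set[str]:
    """Every alert is investigated regardless of label; only those whose evidence
    score clears the bar are escalated. The score-based verdict is a stand-in for
    an automated triage engine (an assumption here, not any vendor's logic)."""
    return {a.alert_id for a in alerts if a.evidence_score >= escalate_at}


def missed_true_positives(alerts: list[Alert], investigated: set[str]) -> list[str]:
    """Real incidents that never reached an analyst under the given policy."""
    return sorted(a.alert_id for a in alerts
                  if a.is_true_positive and a.alert_id not in investigated)


def escalation_rate(alerts: list[Alert], investigated: set[str]) -> float:
    """Fraction of the batch that consumed human analyst time."""
    return len(investigated) / len(alerts)


def compare(alerts: list[Alert]) -> dict:
    """Side-by-side view of both policies on the same batch."""
    threshold = severity_threshold_triage(alerts)
    coverage = full_coverage_triage(alerts)
    return {
        "threshold_missed": missed_true_positives(alerts, threshold),
        "threshold_escalation_rate": escalation_rate(alerts, threshold),
        "coverage_missed": missed_true_positives(alerts, coverage),
        "coverage_escalation_rate": escalation_rate(alerts, coverage),
    }


if __name__ == "__main__":
    for key, value in compare(build_sample()).items():
        print(f"{key}: {value}")
```

On this batch the severity-threshold queue sends the same number of alerts to a human as the full-coverage policy, yet it silently drops the two real incidents that arrived with low and informational labels, which is exactly the gap the study quantifies. The lesson for a detection team is that the severity label is an input to triage, not a substitute for it: coverage of the low end of the queue has to come from somewhere, whether automated investigation, periodic sampling, or correlation rules that re-score low-severity events in context.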


Article by CyberSIXT