Ignored low-priority alerts fuel real enterprise breaches
Intezer has published new research that links a meaningful share of confirmed security incidents to alerts that many enterprise security operations centres treat as low priority.
The company analysed more than 25 million security alerts across live enterprise environments. It said nearly 1% of confirmed incidents originated from alerts that security tools initially labelled as low-severity or informational. The proportion rose to almost 2% for endpoint-related alerts.
Intezer said a typical enterprise generates hundreds of thousands of alerts each year. It estimated that the pattern in its dataset equated to about 50 real threats and potential cyber breaches per organisation per year that may not receive investigation when teams deprioritise low-severity signals.
"Security teams have normalized the idea that some risk must be accepted because it is impossible to investigate everything," said Itai Tevet, CEO and Co-Founder, Intezer. "Our research shows that this acceptance is increasingly misaligned with how modern attacks unfold. When genuine threats consistently emerge from alerts we have trained ourselves to ignore, the definition of acceptable risk needs to be reexamined."
Alert triage
The findings focus on the gap between alert volume and the capacity of security teams to review activity. Intezer framed low-severity and informational alerts as a common casualty of triage when volumes rise faster than staffing and processes.
The dataset included alerts across endpoint, cloud, identity, network and phishing telemetry. Intezer said the results showed threats that surfaced from signals commonly treated as acceptable risk, rather than as evidence demanding follow-up.
The company positioned its research around changing attacker behaviour. It said modern intrusions often rely on quiet techniques and incremental access, rather than single noisy events. That approach can reduce the chance that one high-severity alert triggers an immediate investigation.
Endpoint findings
Intezer reported that more than half of all endpoint alerts in the dataset were not automatically mitigated by the endpoint protection product in place. It said almost 9% of those non-mitigated alerts were confirmed as malicious.
It also reported discrepancies between what endpoint security tools recorded and what forensic checks observed. Intezer said 1.6% of alerts that underwent live forensic endpoint scanning showed active compromise even though tools indicated mitigation.
Intezer said its endpoint work included a large number of forensic investigations, including live memory scans. It described this as part of a broader approach that correlated alerts with forensic evidence across a wide set of enterprise telemetry sources.
Cloud and identity
In cloud environments, Intezer said alerts skewed towards defence evasion and persistence techniques. It linked this pattern to attackers seeking long-term access and the abuse of legitimate services. It contrasted that with activity associated with immediate disruption.
For identity telemetry, Intezer said alert volumes were high and signal quality was often low. It reported that location anomalies and impossible travel alerts were rarely malicious. It said only about 2% indicated real compromise.
Intezer attributed false positives in that category to VPN usage, mobile behaviour and overlap between security tools. It said these factors generated legitimate activity that still triggered detection rules.
Phishing shift
The research also described a shift in phishing tactics. Intezer reported that fewer than 6% of malicious phishing emails in its dataset contained attachments.
It said most relied on links, language and the abuse of legitimate services. It cited code sandboxes, cloud file sharing and CAPTCHA mechanisms as examples of services used for evasion.
The company said this style of phishing aligned with broader attacker preferences for low-friction methods that blend into normal user behaviour. It also said the shift created more dependence on browser activity and user interaction, rather than file-based controls alone.
Configuration gaps
Intezer said cloud misconfigurations remained common across the organisations it observed. It reported that most cloud posture findings involved legacy or default configurations, particularly in Amazon S3.
It listed missing encryption, weak access controls and a lack of logging as recurring issues. Intezer presented these as persistent weaknesses rather than short-lived deployment errors.
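The three recurring S3 weaknesses named above can be checked programmatically. The following is an added example, not code from Intezer or this article: it evaluates constructed bucket configurations shaped like the boto3 responses for GetBucketEncryption, GetPublicAccessBlock and GetBucketLogging, with None standing in for the "no configuration" errors the first two calls raise (the function names and sample buckets are assumptions).

```python
# Added example (not from the Intezer report or this article): posture checks
# for the three S3 weaknesses the report names. Inputs mirror boto3 response
# shapes; None stands in for ServerSideEncryptionConfigurationNotFoundError and
# NoSuchPublicAccessBlockConfiguration. Sample buckets are constructed data.

def check_encryption(cfg):
    """Flag buckets with no default SSE rule (SSE-S3, SSE-KMS or DSSE-KMS)."""
    if cfg is None:
        return "no default server-side encryption configured"
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    algos = {r.get("ApplyServerSideEncryptionByDefault", {}).get("SSEAlgorithm")
             for r in rules}
    if not algos & {"AES256", "aws:kms", "aws:kms:dsse"}:
        return "encryption rule present but no SSE algorithm set"
    return None

def check_public_access(cfg):
    """Flag buckets where any of the four public access block settings is off."""
    if cfg is None:
        return "no public access block configured"
    pab = cfg.get("PublicAccessBlockConfiguration", {})
    off = [k for k in ("BlockPublicAcls", "IgnorePublicAcls",
                       "BlockPublicPolicy", "RestrictPublicBuckets") if not pab.get(k)]
    return f"public access block incomplete: {', '.join(off)}" if off else None

def check_logging(cfg):
    """GetBucketLogging omits LoggingEnabled (no error) when logging is off."""
    if cfg is None or "LoggingEnabled" not in cfg:
        return "server access logging disabled"
    return None

def assess_bucket(name, encryption, public_access, logging):
    """Return the list of posture findings for one bucket."""
    checks = (check_encryption(encryption), check_public_access(public_access),
              check_logging(logging))
    return {"bucket": name, "findings": [f for f in checks if f]}

SAMPLE_BUCKETS = {  # constructed: a legacy/default bucket and a hardened one
    "legacy-reports": dict(encryption=None, public_access=None, logging={}),
    "hardened-data": dict(
        encryption={"ServerSideEncryptionConfiguration": {"Rules": [
            {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms"}}]}},
        public_access={"PublicAccessBlockConfiguration": {
            "BlockPublicAcls": True, "IgnorePublicAcls": True,
            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
        logging={"LoggingEnabled": {"TargetBucket": "central-logs", "TargetPrefix": "s3/"}}),
}

def assess_all(buckets=SAMPLE_BUCKETS):
    return [assess_bucket(n, **c) for n, c in buckets.items()]

if __name__ == "__main__":
    for r in assess_all():
        print(r["bucket"], "->", r["findings"] or ["no findings"])
```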
The research also pointed to continued reliance on perimeter-based assumptions inside corporate networks. Intezer said it observed widespread transmission of credentials and sensitive data over unencrypted internal protocols.
It said that behaviour suggested many organisations still treat internal networks as trusted zones. It contrasted that with zero-trust principles such as encryption in transit and continuous verification.
Scale claims
Intezer said its report drew on security activity observed across its global customer base during 2025. It said the research reviewed alerts associated with 10 million monitored endpoints and identities, 180 million analysed files and telemetry from 7 million IP addresses.
It also said the dataset included 3 million domains and URLs and more than 550,000 phishing emails. Intezer said the dataset covered activity across 206 countries and territories. It said it aggregated and anonymised findings.
Intezer said the findings raised questions for CISOs about current definitions of acceptable risk in alert handling. The company said deeper analysis was necessary for signals that teams historically deprioritised because of volume rather than assessed risk.