Low-Severity Threats: The Hidden Danger Lurking in Plain Sight
In a rapidly evolving cyber threat landscape, a new report has revealed a critical blind spot in enterprise security: low-severity threats. According to an analysis detailed by The Hacker News, organizations are missing an average of one low-severity threat every week, based on data from over 25 million security alerts. These alerts are routinely deprioritized in favor of more urgent incidents, but the report underscores that their cumulative risk, and their potential to escalate, demands attention now. As attackers learn to operate with a footprint that rarely trips a high-severity rule, the failure to address these seemingly minor alerts could be the Achilles' heel of modern cybersecurity defenses.
Dissecting the Data: The Scope and Scale of Missed Threats
The report’s findings are based on an expansive dataset encompassing 10 million monitored endpoints and identities, 82,000 forensic investigations, and telemetry from 7 million IP addresses. This breadth provides an unusually wide view into the operational realities of Security Operations Centers (SOCs) and Managed Detection and Response (MDR) teams. Notably, nearly 1% of confirmed security incidents originated from alerts initially labeled as low-severity or informational, a figure that climbs to almost 2% on endpoints. Applied to a typical organization's alert volume, that is roughly 54 real threats per year, about one per week, that would go uninvestigated under a triage model that only opens alerts above a severity cut-off.
These statistics do not point to a shortfall in detection technology; in every one of these cases the alert was generated. They point to resource allocation and triage practice. With organizations generating around 450,000 alerts annually, security teams are forced to set a severity cut-off, and everything below it goes unreviewed. This operational gap is systemic rather than an isolated oversight, and it exposes the central weakness of severity-based alert management: severity is assigned per alert, so a chain of individually minor behaviors on one host never adds up to anything an analyst sees, which is exactly the shape of a subtle, low-and-slow intrusion.
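The following is an added example, not code from the report or the article, illustrating the triage gap the numbers describe: a queue gated on severity never opens a host that only ever raises low and informational alerts, while a per-entity score that accumulates those alerts (with a bonus for distinct behaviors) surfaces it. The alert records, the severity weights, the threshold and the ATT&CK technique tags on each alert are all constructed for illustration.

```python
"""Severity-only triage versus per-entity risk aggregation.

Added example (not from the report or the article): a toy triage model
showing why a low-severity alert that would never be opened on its own
becomes worth investigating once related low-severity alerts on the same
host are scored together. The alerts, weights and threshold are
constructed for illustration, not taken from any product.
"""
from collections import defaultdict
from dataclasses import dataclass

SEVERITY_WEIGHT = {"informational": 1, "low": 3, "medium": 10, "high": 30, "critical": 60}
ESCALATION_THRESHOLD = 30   # assumption: the score at which an analyst opens a case


@dataclass(frozen=True)
class Alert:
    alert_id: str
    host: str
    severity: str
    technique: str   # ATT&CK technique id, as an EDR or SIEM would tag it


# Constructed sample alert stream. HOST-07 never raises anything above 'low',
# but across one day it shows a credential-access chain; WS-12 has one
# isolated high alert; WS-30 has a single one-off low alert.
ALERTS = [
    Alert("a1", "HOST-07", "informational", "T1059.001"),  # PowerShell launched
    Alert("a2", "HOST-07", "low", "T1003.001"),            # handle opened on LSASS
    Alert("a3", "HOST-07", "low", "T1021.002"),            # outbound SMB to admin share
    Alert("a4", "HOST-07", "informational", "T1071.001"),  # beacon-like periodic HTTP
    Alert("a5", "WS-12", "high", "T1566.001"),             # malicious attachment blocked
    Alert("a6", "WS-30", "low", "T1059.001"),              # one-off script run
]


def severity_triage(alerts, min_severity="high"):
    """Hosts a severity-gated queue would open: only alerts at or above the gate."""
    order = list(SEVERITY_WEIGHT)
    gate = order.index(min_severity)
    return sorted({a.host for a in alerts if order.index(a.severity) >= gate})


def risk_scores(alerts):
    """Sum severity weights per host, plus 10 points for every additional
    distinct technique: several different low-severity behaviours on one
    host are more suspicious than the same alert repeating."""
    weight = defaultdict(int)
    techniques = defaultdict(set)
    for a in alerts:
        weight[a.host] += SEVERITY_WEIGHT[a.severity]
        techniques[a.host].add(a.technique)
    return {h: weight[h] + 10 * (len(techniques[h]) - 1) for h in weight}


def risk_triage(alerts, threshold=ESCALATION_THRESHOLD):
    """Hosts whose accumulated score crosses the escalation threshold."""
    return sorted(h for h, s in risk_scores(alerts).items() if s >= threshold)


if __name__ == "__main__":
    print("severity-only escalates:", severity_triage(ALERTS))
    print("risk scores:", risk_scores(ALERTS))
    print("risk-based escalates:", risk_triage(ALERTS))
```

With these inputs the severity gate opens only WS-12; the aggregated score puts HOST-07 (four low and informational alerts, four distinct techniques) above WS-12's single high alert. The weights are arbitrary; the point is that the score is computed per entity over a window, not per alert.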
Endpoint Detection and Response: A False Sense of Security
The report also exposes a weakness in how endpoint detection and response (EDR) outcomes are trusted. Of the 82,000 alerts subjected to live forensic memory scans, 2,600 (roughly 3%) still had active infections even after the EDR tool had marked them 'mitigated'. A 'mitigated' status records that the tool took an action, such as quarantining a file or killing a process; it does not confirm that nothing malicious remains running in memory. The malware uncovered during these scans included Mimikatz and Cobalt Strike, tools frequently used by advanced persistent threat (APT) actors for credential theft, command and control, and lateral movement.
This finding matters because EDR platforms are a cornerstone of most enterprise security programs. As attackers refine techniques that survive automated response, organizations must recognize that EDR alone is insufficient. Continuous validation, including live memory forensics, has become a critical component of a robust security posture. The report’s data makes the case that an automated 'mitigation' status should be treated as a claim to verify rather than a reason to close the ticket, with a second, independent check confirming that the threat has actually been neutralized.
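As an added example of that second check (not code from the report or from any EDR vendor), the block below takes an EDR ticket and a captured process-memory buffer and refuses to accept 'mitigated' while well-known Mimikatz strings are still present. It makes one point an ASCII grep gets wrong: Mimikatz is a Unicode build, so its command strings sit in memory as UTF-16LE. The memory buffers are constructed; in practice they would come from a live memory acquisition, and the ticket fields are assumed, not any product's schema.

```python
"""Second-opinion check on an EDR 'mitigated' verdict.

Added example, not part of the report or of any EDR product: given an EDR
ticket and a process-memory buffer, look for in-memory indicators that a
'mitigated' status never re-checks. Memory buffers below are constructed;
real input would be a live memory acquisition of the process or host.
"""
from dataclasses import dataclass

# Command and author strings present in a running Mimikatz (well-known
# indicators, also used by public YARA rules). Mimikatz is a Unicode build,
# so these live in memory as UTF-16LE; scanning for ASCII alone misses them.
MIMIKATZ_MARKERS = [
    "sekurlsa::logonpasswords",
    "privilege::debug",
    "gentilkiwi",
]


def encodings(marker: str):
    """Yield the byte forms an indicator can take inside a Windows process."""
    yield "ascii", marker.encode("ascii")
    yield "utf-16-le", marker.encode("utf-16-le")


def scan_memory(buf: bytes):
    """Return a list of '<marker> (<encoding>)' strings found in the buffer."""
    hits = []
    for marker in MIMIKATZ_MARKERS:
        for enc, pattern in encodings(marker):
            if pattern in buf:
                hits.append(f"{marker} ({enc})")
    return hits


@dataclass
class Ticket:
    ticket_id: str
    host: str
    edr_status: str     # as reported by the EDR console (assumed field)


def verify_ticket(ticket: Ticket, memory: bytes):
    """Return (final_status, evidence). A 'mitigated' ticket is downgraded to
    'reopen' whenever the memory scan still finds indicators."""
    hits = scan_memory(memory)
    if ticket.edr_status.lower() == "mitigated" and hits:
        return "reopen", hits
    return ticket.edr_status, hits


# Constructed buffers: a benign one, and one that looks like Mimikatz text
# after the on-disk file was quarantined (wide strings surrounded by junk).
CLEAN = b"\x00" * 64 + b"kernel32.dll\x00LoadLibraryW\x00" + b"\x00" * 64
INFECTED = (b"\x90" * 32
            + "sekurlsa::logonpasswords".encode("utf-16-le") + b"\x00\x00"
            + "gentilkiwi".encode("utf-16-le")
            + b"\x90" * 32)

if __name__ == "__main__":
    for tid, mem in (("T-1", CLEAN), ("T-2", INFECTED)):
        print(tid, verify_ticket(Ticket(tid, "HOST-07", "mitigated"), mem))
```

Ticket T-2 comes back as 'reopen' with two UTF-16LE hits even though the EDR called it mitigated; the ASCII forms of the same strings never match that buffer, which is why a scanner that only handles one encoding gives a false clean result.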
Phishing Attacks: Shifting Tactics and the Limits of Traditional Detection
Phishing remains a persistent and evolving threat, with attackers increasingly bypassing conventional detection methods. The report notes that less than 6% of confirmed malicious phishing emails contained attachments, signaling a shift toward embedded links and social engineering that asks the recipient to act (click, call, pay) rather than open a file. Attackers are also hosting on trusted platforms such as Vercel and abusing PayPal's own services, so the URLs point at reputable domains and the message itself may originate from infrastructure whose reputation and sender authentication are beyond reproach, making it far harder for security tools to distinguish malicious content from legitimate communications.
One notable campaign abused PayPal’s payment request feature to deliver the phishing email from PayPal itself, complete with a callback number for the victim to phone and Unicode obfuscation (for example look-alike or full-width characters in place of ordinary digits and letters) that stops signature- and regex-based filters from matching the number or the brand name. The tactic raises the odds of bypassing technical controls and borrows the trust users place in a well-known brand. The implication is clear: email security that relies on attachment scanning, sender authentication or static signatures is increasingly ineffective against these campaigns. Organizations must invest in behavioral analysis, Unicode-aware content inspection and current threat intelligence to keep pace with these adaptive adversaries.
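The following is an added example, not code from the report, showing why a Unicode-obfuscated callback number slips past an ASCII regex and how to normalize the text before matching: zero-width characters are stripped, NFKC normalization folds full-width digits and letters back to ASCII, and a small homoglyph table (an assumption, deliberately incomplete) maps common Cyrillic look-alikes that NFKC leaves alone. The sample message body is constructed; the phone pattern is a simple North American format used only for illustration.

```python
"""Normalising Unicode-obfuscated phishing text before matching.

Added example (not from the report): callback numbers and brand names are
rendered with look-alike Unicode characters so that ASCII regexes and
static signatures miss them. Zero-width characters are removed, NFKC
normalisation folds full-width and compatibility characters to ASCII,
and a minimal homoglyph map (an assumption, not a complete table) handles
Cyrillic look-alikes. The sample message is constructed.
"""
import re
import unicodedata

ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff", "\u00ad"}

# Minimal homoglyph table: Cyrillic letters commonly swapped for Latin ones.
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x",
    "\u0410": "A", "\u0415": "E", "\u041e": "O", "\u0420": "P", "\u0421": "C",
})

# ASCII-only, as a typical signature or DLP regex would be written.
PHONE_RE = re.compile(
    r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}", re.ASCII)


def normalise(text: str) -> str:
    """Strip zero-width characters, apply NFKC, then map known homoglyphs."""
    text = "".join(ch for ch in text if ch not in ZERO_WIDTH)
    text = unicodedata.normalize("NFKC", text)
    return text.translate(HOMOGLYPHS)


def obfuscation_signals(text: str) -> dict:
    """Cheap indicators worth scoring on their own: zero-width characters,
    non-ASCII digits, and Latin and Cyrillic letters mixed in one message."""
    letters = [ch for ch in text if ch.isalpha()]
    names = [unicodedata.name(ch, "") for ch in letters]
    return {
        "zero_width": sum(ch in ZERO_WIDTH for ch in text),
        "non_ascii_digits": sum(1 for ch in text if ch.isdigit() and not ch.isascii()),
        "mixed_script": any("LATIN" in n for n in names) and any("CYRILLIC" in n for n in names),
    }


def extract_callbacks(text: str):
    """(numbers the raw regex finds, digit-only numbers found after normalising)."""
    raw = PHONE_RE.findall(text)
    norm = PHONE_RE.findall(normalise(text))
    return raw, [re.sub(r"\D", "", n) for n in norm]


# Constructed sample: full-width 'P' plus Cyrillic 'a' and 'P' in 'PayPal',
# full-width digits, and zero-width spaces inside the callback number.
SAMPLE = ("Your \uff30\u0430y\u0420\u0430l payment request of $499.99 is pending. "
          "To cancel call \uff11\u200b-\uff18\uff10\uff10\u200b-\uff15\uff15\uff15"
          "\u200b-\uff10\uff11\uff19\uff19 now.")

if __name__ == "__main__":
    print(obfuscation_signals(SAMPLE))
    print(extract_callbacks(SAMPLE))
    print(normalise(SAMPLE))
```

On the sample the raw regex finds nothing, while the normalized text yields 18005550199 and the brand name reads "PayPal" again. The signal counts (three zero-width characters, eleven non-ASCII digits, mixed Latin and Cyrillic script) are useful on their own as a score feature, since legitimate payment notifications do not contain them.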
Cloud Security: Persistent Threats and the Challenge of Misconfiguration
The migration to cloud infrastructure has introduced new attack surfaces and operational complexities. The report highlights that attackers are increasingly focused on persistence: maintaining long-term access to cloud environments rather than executing immediate, high-impact actions. Techniques such as token manipulation and abuse of legitimate cloud features (the same identity and access APIs administrators use every day) let them evade detection, because each individual action looks like routine administration and, if it is alerted on at all, is logged at low or informational severity.
Amazon Web Services (AWS) misconfigurations, particularly in S3 storage, continue to be a significant source of risk. Weak access management (over-broad bucket policies or ACLs, public access block left off) and disabled logging are frequently overlooked and often classified as low-severity, yet the first gives an attacker a foothold and the second hides the use of it. Misconfigured cloud storage has featured in a number of well-publicized breaches, which is why continuous monitoring and automated remediation of these settings belong in the baseline rather than the backlog.
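The block below is an added example, not from the report, of detecting the kind of low-noise persistence the paragraph describes in AWS CloudTrail: an access key minted for a user other than the caller, a console password added to a key-only user, and a role trust policy widened to a principal outside the account. The records are constructed in CloudTrail's JSON shape and trimmed to the fields used; the account id and the user, role and bucket names are made up, and a real deployment would read the events from the trail's S3 bucket or an EventBridge rule.

```python
"""Flagging low-noise persistence actions in CloudTrail.

Added example, not from the report: three IAM API calls that individually
look like routine administration but are classic ways to keep long-term
access to an AWS account. Records are constructed in CloudTrail's JSON
shape; the account id and every name below are made up.
"""
import json

OUR_ACCOUNT = "111111111111"   # assumption: the account being monitored


def _principals(policy_document):
    """Collect every AWS principal (ARN, account id or '*') from a trust policy."""
    doc = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    stmts = doc.get("Statement", [])
    stmts = stmts if isinstance(stmts, list) else [stmts]
    out = []
    for s in stmts:
        p = s.get("Principal", {})
        aws = p.get("AWS", []) if isinstance(p, dict) else p
        out.extend(aws if isinstance(aws, list) else [aws])
    return out


def _account_of(principal: str) -> str:
    """'arn:aws:iam::123456789012:root' -> '123456789012'; bare ids pass through."""
    return principal.split(":")[4] if ":" in principal else principal


def persistence_findings(event: dict):
    """Return a list of finding strings for one CloudTrail record."""
    findings = []
    if event.get("eventSource") != "iam.amazonaws.com":
        return findings
    name = event.get("eventName")
    actor = event.get("userIdentity", {}).get("userName")
    params = event.get("requestParameters") or {}
    target = params.get("userName")

    # A key created for someone else's identity outlives the actor's own session.
    if name == "CreateAccessKey" and target and target != actor:
        findings.append(f"{actor} created an access key for another user: {target}")
    # A console password on a user that previously had only API keys.
    if name == "CreateLoginProfile":
        findings.append(f"{actor} added a console password to {target}")
    # Trust policy now lets an outside account (or anyone) assume the role.
    if name == "UpdateAssumeRolePolicy":
        for p in _principals(params.get("policyDocument", "{}")):
            if p == "*" or _account_of(p) != OUR_ACCOUNT:
                findings.append(
                    f"{actor} let external principal {p} assume {params.get('roleName')}")
    return findings


def scan(events):
    """Run persistence_findings over a batch of records."""
    return [f for e in events for f in persistence_findings(e)]


# Constructed records, trimmed to the fields used above.
EVENTS = [
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "alice"}},             # rotating own key: benign
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateAccessKey",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"userName": "svc-backup"}},        # key for a dormant service user
    {"eventSource": "iam.amazonaws.com", "eventName": "UpdateAssumeRolePolicy",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"roleName": "AdminRole", "policyDocument": json.dumps({
         "Version": "2012-10-17",
         "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                        "Principal": {"AWS": ["arn:aws:iam::111111111111:root",
                                              "arn:aws:iam::999999999999:root"]}}]})}},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject",
     "userIdentity": {"type": "IAMUser", "userName": "alice"},
     "requestParameters": {"bucketName": "data"}},            # not an IAM event: ignored
]

if __name__ == "__main__":
    for f in scan(EVENTS):
        print("PERSISTENCE:", f)
```

The first CreateAccessKey (a user rotating their own key) produces nothing; the second and the trust-policy change are reported. None of these three events would be a high-severity alert in a default configuration, which is the point of routing them to a per-identity score rather than a severity queue.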
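As an added example (not from the report), the block below audits the S3 settings the paragraph names the way a config-audit job would after calling get_bucket_policy, get_bucket_acl, get_public_access_block and get_bucket_logging: a wildcard principal in the bucket policy, ACL grants to the AllUsers or AuthenticatedUsers groups, an incomplete public access block, and server access logging turned off. The inputs are constructed inline in the shapes those S3 APIs return (the inner PublicAccessBlockConfiguration and LoggingEnabled documents), so it runs offline; the bucket, role and account names are made up.

```python
"""Auditing S3 bucket settings that usually get filed as low severity.

Added example, not from the report: evaluate a bucket's policy, ACL,
public-access-block and logging configuration in the shapes the S3 APIs
return them. The documents are constructed inline so this runs offline;
the bucket names, role ARN and account id are made up.
"""
import json

ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTH_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PAB_KEYS = ("BlockPublicAcls", "IgnorePublicAcls", "BlockPublicPolicy", "RestrictPublicBuckets")


def policy_is_public(policy) -> bool:
    """True if any Allow statement grants to everyone with no Condition."""
    doc = json.loads(policy) if isinstance(policy, str) else policy
    for s in doc.get("Statement", []):
        principal = s.get("Principal")
        aws = principal.get("AWS") if isinstance(principal, dict) else principal
        wildcard = aws == "*" or (isinstance(aws, list) and "*" in aws)
        if s.get("Effect") == "Allow" and wildcard and not s.get("Condition"):
            return True
    return False


def acl_public_grants(acl: dict):
    """Permissions granted to the two public group grantees."""
    return [g["Permission"] for g in acl.get("Grants", [])
            if g.get("Grantee", {}).get("URI") in (ALL_USERS, AUTH_USERS)]


def audit_bucket(name, policy=None, acl=None, public_access_block=None, logging=None):
    """Return a list of findings; an empty list means the bucket passed."""
    findings = []
    pab = public_access_block or {}
    if not all(pab.get(k) for k in PAB_KEYS):
        findings.append("public access block not fully enabled")
    if policy and policy_is_public(policy):
        findings.append("bucket policy grants access to everyone")
    grants = acl_public_grants(acl or {})
    if grants:
        findings.append("ACL grants to public groups: " + ", ".join(grants))
    if not (logging or {}).get("LoggingEnabled"):
        findings.append("server access logging disabled")
    return findings


# Constructed inputs: one bucket configured correctly, one wide open.
LOCKED_DOWN = dict(
    public_access_block={k: True for k in PAB_KEYS},
    policy={"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111111111111:role/App"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::app-data/*"}]},
    acl={"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "abc"},
                     "Permission": "FULL_CONTROL"}]},
    logging={"LoggingEnabled": {"TargetBucket": "audit-logs", "TargetPrefix": "app-data/"}},
)
WIDE_OPEN = dict(
    public_access_block=None,                    # never configured
    policy=json.dumps({"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::backups/*"}]}),   # policy comes back as a JSON string
    acl={"Grants": [{"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"}]},
    logging={},                                  # LoggingEnabled absent when logging is off
)

if __name__ == "__main__":
    for bucket, cfg in (("app-data", LOCKED_DOWN), ("backups", WIDE_OPEN)):
        print(bucket, audit_bucket(bucket, **cfg) or ["ok"])
```

The "backups" bucket produces all four findings. Note the order of consequence: the missing logging finding is the one most often rated informational, yet it is the setting that determines whether the other three can be investigated after the fact.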
Operational Realities: The Human Factor and the Limits of Manual Triage
The sheer volume of alerts generated by modern security tools places an unsustainable burden on human analysts. Traditional SOC and MDR models, which rely heavily on severity-based triage, are proving inadequate. As the report demonstrates, even well-resourced organizations are unable to thoroughly investigate every alert, leading to a persistent detection gap. This reality is compounded by the ongoing cybersecurity talent shortage, which further limits the capacity for manual review and investigation.
Automation and artificial intelligence (AI) are increasingly seen as the way to bridge this gap. The report cites AI-driven analysis reaching 98% verdict accuracy with minimal human intervention. By automating the initial triage and investigation of every alert, regardless of its assigned severity, organizations can cover the part of the queue that analysts never reach. Two caveats follow from the report's own numbers. At 450,000 alerts a year, a 2% error rate is still on the order of 9,000 wrong verdicts, so sampling of automated closures by humans remains necessary. And the value of automation lies as much in the feedback loop as in the verdict: detection rules can be refined from the full alert population rather than from the small fraction a human team managed to review.
Strategic Implications: Rethinking Threat Detection and Response
The findings from this report have far-reaching implications for enterprise security strategy. As attackers continue to innovate, security teams must move beyond traditional models that prioritize only high-severity alerts. A paradigm shift is needed—one that embraces automation, continuous validation, and a holistic approach to threat management. This includes integrating advanced AI-driven solutions into existing security frameworks, investing in behavioral analytics, and fostering a culture of continuous improvement.
Organizations should also prioritize cross-team collaboration, ensuring that insights from incident response, threat intelligence, and cloud operations are shared and acted upon. Regular tabletop exercises and red-teaming can help identify gaps in detection and response processes, while ongoing training ensures that analysts remain equipped to handle emerging threats. Ultimately, the goal is to create a security posture that is both proactive and adaptive, capable of addressing the full spectrum of threats—from the most severe to those that might otherwise slip through the cracks.
Looking Ahead: Closing the Detection Gap
The report’s data-driven analysis serves as a wake-up call for organizations of all sizes. The persistent gap in detecting low-severity threats is not merely a technical issue, but a strategic vulnerability that can be exploited by determined adversaries. As the volume and complexity of cyberattacks continue to grow, the adoption of AI-driven automation, continuous validation, and holistic threat management will be critical to staying ahead of the curve.
Moving forward, enterprises must recognize that every alert—regardless of its initial severity—warrants attention. By leveraging advanced technologies and fostering a culture of vigilance, organizations can better protect themselves against the evolving threat landscape and avoid the potentially devastating consequences of missed low-severity threats.