25M Alerts Expose Hidden Low-Severity Threat Gaps in Enterprise SOC
A recent analysis of more than 25 million security alerts collected from a dozen global security operations centers (SOCs) over a six‑month period reveals that low‑severity events make up roughly 73 percent of total alert volume, yet only about four percent of those alerts receive any meaningful investigation. The study, conducted by the threat‑intelligence firm SecureWatch Labs and cited by The Hacker News, found that, on average, one high‑impact threat slips through the cracks each week, often because analysts dismiss the associated low‑severity indicators as benign or irrelevant.
The suppressed alerts span a wide spectrum of signals that tooling rates as low risk: non‑critical CVE notifications such as CVE‑2023‑28430 in MinIO, heuristic detections from behavioral analytics in platforms like Splunk Enterprise Security and Palo Alto XSIAM, and low‑confidence phishing URLs reported by email gateways. A DNS query to a known sinkhole domain is a telling example: it is a strong sign that the host is running malware whose command‑and‑control domain has been taken over, yet it typically fires only a “medium” severity rule and is routinely filtered out by rule sets that require a confidence score above 85 percent before escalation. The result is a blind spot in which adversaries can hide malicious activity among routine, low‑priority noise.
One documented case illustrates the real‑world consequences. In a mid‑size financial services firm, a low‑severity phishing alert that pointed to a credential‑harvesting page was queued for 48 hours without analyst review. During that window, the attacker used the harvested credentials to authenticate to a misconfigured VPN, move laterally into the internal network, and exfiltrate 200 000 customer records before the SOC finally detected the anomaly. The incident, later attributed to the ransomware group “LockByte,” underscores how ignored low‑severity alerts can become the entry point for more damaging attacks, including ransomware deployments and advanced persistent threat (APT) intrusions.
To close the gap, the researchers recommend a risk‑based triage approach that re‑scores low‑severity alerts in the context of asset criticality, user behavior, and threat‑intel feeds, with AI‑driven scoring applied to that enriched data rather than to the raw alert alone. Automated playbooks that quarantine suspicious endpoints or reset compromised accounts upon a low‑severity trigger can also reduce dwell time without overwhelming analysts, provided the playbook is gated on the enriched score rather than on the raw trigger; otherwise the automation simply inherits the noise. Moreover, integrating continuous threat‑intel updates, such as indicators linked to CVE‑2022‑0185 (a heap buffer overflow in the Linux kernel) or known command‑and‑control domains, into alert enrichment pipelines ensures that even “low‑priority” events are prioritized when they correlate with active exploit activity.
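As an added illustration (not code from the SecureWatch Labs study or The Hacker News article), the following Python runs two triage policies over a handful of constructed alerts: the confidence‑threshold filter that drops the sinkhole query described earlier, and a contextual risk score that weighs asset tier, user context and threat‑intel matches as the recommendations above describe. Every host, user, domain, alert and weight in it is an assumption chosen for the example.

```python
"""Contextual re-scoring of low-severity alerts (added example).

Two triage policies are run over the same alerts: the confidence-threshold
filter described in the article, and a risk-based policy that re-weights each
alert by asset criticality, user risk and threat-intel matches.  All alerts,
hosts, users, indicators and weights below are constructed for the example.
"""
from dataclasses import dataclass

# Severity assigned by the source tool, mapped to a base score (assumed weights).
SEVERITY_BASE = {"low": 10, "medium": 30, "high": 60, "critical": 85}

# Constructed asset inventory: tier 1 = business-critical, tier 4 = throwaway.
ASSET_TIER = {
    "vpn-gw-01": 1,
    "fin-db-02": 1,
    "ws-a.smith": 3,   # ordinary workstation
    "kiosk-07": 4,
}
TIER_MULTIPLIER = {1: 2.0, 2: 1.5, 3: 1.0, 4: 0.8}

# Constructed user context: privileged accounts and recent failed logins.
PRIVILEGED_USERS = {"a.smith"}           # VPN admin
RECENT_FAILED_LOGINS = {"a.smith": 7}    # failed logins in the last hour

# Constructed threat-intel feed: sinkhole and C2 domains, harvesting URLs.
IOC_FEED = {
    "sinkhole.example.net": "sinkhole",
    "update-cdn.example.org": "c2",
    "https://login-verify.example.com/sso": "credential_harvesting",
}

RISK_ESCALATE_AT = 50   # assumed escalation line for the contextual score


@dataclass
class Alert:
    id: str
    severity: str        # as labelled by the source tool
    confidence: int      # 0-100, as labelled by the source tool
    indicator: str       # domain or URL the rule matched on
    host: str
    user: str


# Constructed sample alerts: A1 is the sinkhole query, A2 the low-confidence
# phishing URL hit on a privileged user's workstation.
ALERTS = [
    Alert("A1", "medium", 60, "sinkhole.example.net", "vpn-gw-01", "svc-vpn"),
    Alert("A2", "low", 40, "https://login-verify.example.com/sso", "ws-a.smith", "a.smith"),
    Alert("A3", "low", 30, "cdn.example.com", "kiosk-07", "guest"),
    Alert("A4", "high", 90, "update-cdn.example.org", "fin-db-02", "svc-db"),
]


def confidence_threshold_triage(alert: Alert, threshold: int = 85) -> bool:
    """Policy from the article: escalate only above the confidence threshold.
    High/critical severities are assumed to be escalated regardless."""
    return alert.severity in ("high", "critical") or alert.confidence > threshold


def risk_score(alert: Alert) -> int:
    """Re-score an alert in context. Returns an integer 0-100."""
    score = SEVERITY_BASE[alert.severity]
    # Asset criticality scales the whole score; unknown hosts count as tier 3.
    score *= TIER_MULTIPLIER[ASSET_TIER.get(alert.host, 3)]
    # User context adds fixed increments.
    if alert.user in PRIVILEGED_USERS:
        score += 15
    if RECENT_FAILED_LOGINS.get(alert.user, 0) >= 5:
        score += 10
    # A threat-intel match is the strongest signal: a sinkhole or C2 hit means
    # the host is already talking to infrastructure known to be malicious.
    ioc_type = IOC_FEED.get(alert.indicator)
    if ioc_type in ("sinkhole", "c2"):
        score += 50
    elif ioc_type == "credential_harvesting":
        score += 35
    return min(100, int(round(score)))


def triage(alerts):
    """Return {id: (threshold_escalates, risk_escalates, score)} per alert."""
    result = {}
    for a in alerts:
        score = risk_score(a)
        result[a.id] = (confidence_threshold_triage(a), score >= RISK_ESCALATE_AT, score)
    return result


def missed_by_threshold(alerts):
    """IDs the confidence threshold drops but contextual scoring escalates."""
    return [aid for aid, (thr, risk, _) in triage(alerts).items() if risk and not thr]


if __name__ == "__main__":
    for aid, (thr, risk, score) in triage(ALERTS).items():
        print(f"{aid}: threshold={'escalate' if thr else 'drop':8} "
              f"risk={'escalate' if risk else 'drop':8} score={score}")
    print("missed by threshold:", missed_by_threshold(ALERTS))
```

The sinkhole query (A1) and the low‑confidence phishing URL on a privileged user's workstation (A2) are both dropped by the 85 percent threshold but land above the escalation line once the asset tier, the user's recent failed logins and the threat‑intel match are weighed in, while the unremarkable CDN lookup from a kiosk (A3) stays low under both policies. The weights are illustrative; a real deployment would tune them against the SOC's own false‑positive rate and would gate any automated response on the enriched score, not on the raw trigger.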