The security alerts you ignore are the ones that matter | Tech Radar
Overview
News, deals, reviews, guides and more on the newest computing gadgets
Start exploring exclusive deals, expert advice and more
Details
Unlock and manage exclusive Techradar member rewards.
Unlock instant access to exclusive member features.
Get full access to premium articles, exclusive features and a growing list of member rewards.
The security alerts you ignore are the ones that matter
When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.
With alert volumes running into the hundreds of thousands, security teams have built habits around what to ignore. And attackers have learned to exploit them.
For years, security operations centers (SOCs) have dealt with sorting through the noise of security alerts by prioritizing vulnerabilities based on severity level.
As the enterprise technology stack became more complex with a growing number of endpoints, cloud infrastructure, and multiple identity systems, it became impractical, if not impossible, for SOCs to address every single alert that got flagged.
Field Chief Information Security Officer at Intezer.
As a result, most teams have adopted an approach where they focus their efforts on mitigating the medium- and high-severity alerts and dismissing or deprioritizing those flagged as lower risk.
However, just because a threat is deemed “low risk” doesn’t mean it’s “no risk.” Recent large-scale analysis of enterprise security alerts found that around 1% of all incidents can be traced back to alerts initially categorized as low severity.
Closing the security blind spots that are a prime entry point for attacks
From alert fatigue to autopilot fatigue: How agentic AI shifts cyber risk
Why traditional metrics are giving CISOs a false sense of security
For an average enterprise with 450,000 alerts per year, this translates to approximately one real threat slipping by each week. Although the percentage sounds small, it does represent a number of real threats that are being dismissed instead of being addressed by security teams.
These findings challenge the current best practice of prioritizing alerts based on severity level. They raise a critical question for today’s security teams: how can they realistically consider low-severity alerts while managing the high volume of alerts they’re receiving every day?
Companies get hundreds of thousands of security alerts every year, and that number can rise to over a million for the largest enterprises. At this scale, security teams might be dealing with thousands of alerts every single day, so it’s no surprise that several recent studies have found that over half of alerts are never even reviewed.
Given this volume, triaging alerts by severity has been a necessity to sort through the noise. Instead, SOCs focus their efforts on the threats that appear most impactful and urgent. This makes sense, of course, as it would be unwise (and potentially dangerous) to ignore a critical alert in favor of a low-risk anomaly that likely will never amount to anything.
However, when these low-severity alerts are ignored, they create the opportunity for real threats to persist undetected.
Your tools aren’t catching everything. Here’s why threat hunting matters
Why decades-old attacks still work, and why that should worry you
Threat actors would prefer to sneak in and remain hidden, quietly carrying out their attacks for as long as possible. Instead of launching high-impact attacks that would immediately raise alarm bells, they gain access and try to remain undetected so that they can move laterally throughout a network, escalating privileges and extracting data over time without raising suspicion.
Severity classifications don’t always reflect this reality. Alerts are typically categorized based on a number of factors, including how critical an affected system is, the impact if that system were to go down, known threat actor activity, and how confident the security system is that malicious activity is taking place.
For example, detection of mass file encryption might be categorized as a high-severity alert because it indicates ransomware execution, whereas a suspicious Power Shell command might be low severity because it could just as easily be legitimate activity from an admin. Yet in practice, that Power Shell command could be from an attacker downloading payloads, establishing persistence, or running recon within the environment.
In many cases, major security incidents are the result of a string of multiple low-severity actions that don’t appear malicious individually. This allows the attacker to continue conducting their activities for weeks or even months without being noticed.
The challenge for modern SOCs is not only to work faster but to work with more complete information. Treating alerts as isolated events, each evaluated on its own merits and severity score, is a structural limitation that threat actors have learned to exploit.
This requires two shifts in how security teams operate. The first is contextual. Alerts need to be analyzed against what else is happening in the environment, not just against the criteria that triggered the original detection. The second is coverage. Teams cannot build a complete behavioral picture if a large portion of signals never get examined at all. When low-severity alerts are systematically skipped, the picture has gaps, and those gaps are where attackers persist.
The practical implication is that alert triage can no longer rely solely on human capacity to determine what gets investigated. The volume problem is real, and severity-based prioritization exists for good reason. But the teams best positioned to catch early-stage threats are those that have found ways to extend consistent investigative coverage across the full alert stream, not just the top tier, and correlate what they find into a coherent view of attacker behavior over time.
The question is no longer whether low-severity alerts deserve attention. The data shows they do. The question is how to build an operation that can actually give it to them.
This article was produced as part of Tech Radar Pro Perspectives, our channel to feature the best and brightest minds in the technology industry today.
The views expressed here are those of the author and are not necessarily those of Tech Radar Pro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/pro/perspectives-how-to-submit
Field Chief Information Security Officer at Intezer.
You must confirm your public display name before commenting
1'I wouldn't even be able to afford the speaker stands' — two big-name audiophile brands just went head-to-head to release the best elite hi-fi tower speaker
2 My favorite portable hi-fi accessory is back, but I think it’s missed a key upgrade
3I asked CRT TV experts if we could ever start making the tech again, and the answer surprised me
4 Nvidia RTX 5090 GPUs are so expensive that Intel's Arc Pro B70 is now a genuine bargain for AI
5 This AMD Ryzen AI Max+ 395 mini PC has 128GB RAM, metal feet, and even a vegan leather handle
Tech Radar is part of Future US Inc, an international media group and leading digital publisher. Visit our corporate site.
© Future US, Inc. Full 7th Floor, 130 West 42nd Street, New York, NY 10036.
Key Takeaways
- News, deals, reviews, guides and more on the newest computing gadgets
- Start exploring exclusive deals, expert advice and more
- Unlock and manage exclusive Techradar member rewards
- Unlock instant access to exclusive member features
- Get full access to premium articles, exclusive features and a growing list of member rewards



