A study covering more than 25 million security alerts in real corporate environments revealed a structural issue: almost 1% of confirmed incidents originated from notifications initially classified as low-priority or informational. On endpoints, this figure reached 2%. With an average volume of 450,000 alerts per organization per year, this translates into roughly 54 real threats annually — about one per week — that in the traditional SOC or MDR model are never investigated. The data indicate that the problem is not detection but the economics of triage: analyst capacity runs out long before the stream of notifications does.
Scope of the study
According to the report, the dataset included telemetry from 10 million endpoints and accounts, 82,000 forensic investigations with memory analysis, 180 million analyzed files, as well as data on 7 million IP addresses, 3 million domains and URLs, and more than 550,000 phishing emails. It is important to note that the primary report (the 2026 AI SOC Report by Intezer) was not made available for independent verification, so the specific figures should be treated with a caveat regarding their source.
EDR: a false sense of security
The most troubling finding concerns the reliability of EDR-class solutions. Of the 82,000 alerts that underwent forensic memory analysis, 2,600 corresponded to hosts with an active infection. At the same time, 51% of these confirmed compromised machines are reported to have already been flagged by the EDR vendor as “mitigated”. In practice, more than half of the real infections remained invisible because the protection tool closed the ticket and declared the threat eliminated.
The malware families found in memory during scanning included:
- Mimikatz — a credential extraction tool
- Cobalt Strike — a post-exploitation framework
- Meterpreter — a Metasploit component for remote control
- StrelaStealer — a credential stealer for email clients
These are not experimental samples but operational tools used in criminal and state-sponsored operations.
Phishing: trusted platforms as weapons
Less than 6% of confirmed malicious phishing emails contained attachments. The overwhelming majority relied on links and social engineering. According to the study, attackers have moved their infrastructure to platforms that are trusted by default: Vercel, CodePen, OneDrive, and the PayPal invoicing system.
One documented campaign used PayPal’s legitimate payment request feature to send phishing emails. Callback numbers were placed in the payment notes, and Unicode homoglyphs were used to bypass signature-based detection. The email passed all standard authentication checks because it was in fact sent from PayPal’s servers.
Another observation: sites using Cloudflare Turnstile CAPTCHA in the analyzed dataset consistently correlated with phishing pages, whereas Google reCAPTCHA correlated with legitimate infrastructure. Attackers use anti-bot mechanisms to block automated security scanners.
The four email gateway evasion techniques identified in the data:
- A Base64 payload hidden inside SVG files
- Links embedded in PDF annotation metadata, invisible to superficial scanners
- Dynamically loaded phishing pages via legitimate shared OneDrive folders
- DOCX files containing archived HTML with QR codes
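Two of the four techniques above can be caught by statically inspecting the attachment itself. The following is an added example, not code from the report or its vendor: it decodes long base64 runs inside an SVG and looks for markup in the result, and lists HTML parts or nested archives inside a DOCX zip. The sample files are constructed inline; the 200-character base64 threshold and the finding labels are this example's assumptions.

```python
from __future__ import annotations
import base64
import io
import re
import zipfile

# Base64 runs this long (assumed threshold) are decoded and inspected for markup.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")
PAYLOAD_MARKERS = re.compile(rb"<(html|script|iframe)", re.I)

def svg_findings(svg_bytes: bytes) -> list[str]:
    """Flag an inline script or a decodable base64 blob that contains markup."""
    text = svg_bytes.decode("utf-8", errors="replace")
    findings = []
    if re.search(r"<script\b", text, re.I):
        findings.append("svg:script-element")
    for run in B64_RUN.findall(text):
        try:
            decoded = base64.b64decode(run, validate=True)
        except ValueError:
            continue  # not valid base64 after all
        if PAYLOAD_MARKERS.search(decoded):
            findings.append("svg:base64-markup-payload")
            break
    return findings

def docx_findings(docx_bytes: bytes) -> list[str]:
    """A DOCX is a zip; HTML parts or nested archives do not belong in one."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            if name.lower().endswith((".html", ".htm")):
                findings.append(f"docx:html-part:{name}")
            elif name.lower().endswith((".zip", ".7z", ".rar")):
                findings.append(f"docx:nested-archive:{name}")
    return findings

def build_samples() -> tuple[bytes, bytes]:
    """Constructed inputs: an SVG wrapping a base64 HTML lure, and a DOCX
    carrying an HTML part next to the usual Word XML parts."""
    lure = b"<html><body>Scan the QR code to view the invoice</body></html>" * 8
    svg = (b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject>'
           + base64.b64encode(lure) + b"</foreignObject></svg>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/embeddings/invoice.html", "<html>lure</html>")
    return svg, buf.getvalue()
```

A gateway rule built on these checks should be scored alongside sender and link reputation rather than used alone, since legitimate SVGs can embed base64 image data.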
Cloud infrastructure: silent misconfigurations
Cloud alerts in the study clustered around detection evasion and persistence tactics; lateral movement and privilege escalation were recorded significantly less often. According to the report, attackers act patiently, relying on token manipulation, abuse of legitimate cloud service features, and obfuscation to avoid triggering high-priority detections.
AWS S3 accounted for about 70% of all cloud security policy violations in the dataset. The main issues were access management, server logging, and restrictions on cross-account access. Such findings are generally classified as low priority and rarely generate alerts, but they are repeatedly exploited once initial access has been obtained.
Practical recommendations
- Do not trust an EDR “mitigated” status without verification. Implement periodic memory scanning on critical hosts — especially those where the EDR has detected and “remediated” a threat.
- Revisit the policy of ignoring low-priority alerts. Allocate resources for selective investigation of informational notifications, particularly on endpoints.
- Update phishing filtering rules to reflect the abuse of trusted platforms. Add checks for links to Vercel, CodePen, and OneDrive in the context of inbound email.
- Audit your S3 bucket configurations with a focus on access management, logging, and cross-account policies. Raise the priority of these findings within vulnerability management processes.
- Close the feedback loop: the results of investigations into low-priority alerts must feed back into detection rule tuning. Without this, the system does not self-improve.
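As an added example, not from the report, here is an offline check of a bucket policy document for the three S3 issue classes named in the cloud section above and in the audit recommendation: unconditional public access, cross-account principals, and grantees that can change bucket permissions, plus a logging check on a response shaped like boto3's get_bucket_logging output. The owning account id, the sample policy and the finding labels are this example's assumptions.

```python
from __future__ import annotations
import json

OWN_ACCOUNT = "111111111111"  # assumed owning account id
# Actions that let a grantee change who else can access the bucket or its objects.
PERMISSION_ACTIONS = {"s3:*", "s3:PutBucketPolicy", "s3:PutBucketAcl", "s3:PutObjectAcl"}

def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])

def _principals(stmt: dict) -> list[str]:
    """Flatten the Principal element to a list of strings ('*' means anyone)."""
    p = stmt.get("Principal", {})
    return ["*"] if p == "*" else _as_list(p.get("AWS") if isinstance(p, dict) else None)

def audit_policy(policy_json: str, own_account: str = OWN_ACCOUNT) -> list[str]:
    """Findings for Allow statements that are public or cross-account, and for
    those that additionally hand out permission-changing actions."""
    findings = []
    for stmt in json.loads(policy_json).get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "?")
        for princ in _principals(stmt):
            if princ == "*":
                if not stmt.get("Condition"):  # unconditional public access
                    findings.append(f"public-access:{sid}")
            elif own_account not in princ:
                findings.append(f"cross-account:{sid}:{princ}")
            else:
                continue  # the owning account itself
            if PERMISSION_ACTIONS & set(_as_list(stmt.get("Action"))):
                findings.append(f"permission-change:{sid}")
    return findings

def audit_logging(logging_response: dict) -> list[str]:
    """Shaped like boto3's get_bucket_logging output: no 'LoggingEnabled' key means off."""
    return [] if "LoggingEnabled" in logging_response else ["server-logging-disabled"]

# Constructed bucket policy: one public read, one partner account with ACL rights.
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "PartnerWrite", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::222222222222:root"},
     "Action": ["s3:PutObject", "s3:PutObjectAcl"], "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "OwnerAll", "Effect": "Allow",
     "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
     "Action": "s3:*", "Resource": "arn:aws:s3:::example-bucket"}]})
```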
The key takeaway from these data is not the specific figures (which require independent verification), but the systemic pattern: a triage model based on severity levels creates predictable blind spots, and attackers deliberately exploit them. The first concrete step is to conduct a retrospective review of alerts closed by the EDR as “mitigated” over the last 90 days, using an independent forensic tool to check memory on at least a 5–10% sample of hosts.
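The retrospective review just described, as an added example that is not part of the report: it builds the host worklist from EDR alerts closed as “mitigated” in the last 90 days and draws the 10% sample, always including hosts that were “remediated” more than once. The alert records, field names and the always-include rule are this example's assumptions.

```python
from __future__ import annotations
import random
from collections import Counter
from datetime import datetime, timedelta, timezone

def mitigated_hosts(alerts: list[dict], now: datetime, days: int = 90) -> Counter:
    """Count EDR closures with status 'mitigated' per host inside the review window."""
    cutoff = now - timedelta(days=days)
    return Counter(a["host"] for a in alerts
                   if a["status"] == "mitigated" and a["closed_at"] >= cutoff)

def review_sample(counts: Counter, rate: float = 0.10, seed: int = 1) -> list[str]:
    """Hosts 'remediated' more than once are always reviewed; the remaining hosts
    are sampled at `rate` (at least one) with a fixed seed so the selection can
    be reproduced. The always-include rule is this example's choice."""
    repeat = sorted(h for h, n in counts.items() if n > 1)
    single = sorted(h for h, n in counts.items() if n == 1)
    k = max(1, round(len(single) * rate)) if single else 0
    return repeat + sorted(random.Random(seed).sample(single, k))

NOW = datetime(2026, 1, 15, tzinfo=timezone.utc)  # constructed reference time

def constructed_alerts() -> list[dict]:
    """Constructed EDR alert records: 40 hosts closed as mitigated once in the
    window, one of them closed twice, one closure outside the window, one open alert."""
    rows = [{"host": f"ws-{i:03d}", "status": "mitigated",
             "closed_at": NOW - timedelta(days=i)} for i in range(40)]
    rows.append({"host": "ws-003", "status": "mitigated", "closed_at": NOW - timedelta(days=30)})
    rows.append({"host": "ws-999", "status": "mitigated", "closed_at": NOW - timedelta(days=120)})
    rows.append({"host": "ws-500", "status": "open", "closed_at": None})
    return rows

def worklist(alerts: list[dict], now: datetime = NOW) -> list[str]:
    """Hosts to memory-scan with an independent tool, repeat offenders first."""
    return review_sample(mitigated_hosts(alerts, now))
```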