NEW YORK , Feb. 03, 2026 (GLOBE NEWSWIRE) — Intezer, the AI SOC platform for enterprise powered by ForensicAI™, today released its 2026 AI SOC Report for CISOs, based on the forensic analysis of more than 25 million security alerts across live enterprise environments. The research reveals a critical disconnect between how security teams prioritize alerts and where threats actually originate, with dozens of real threats per organization each year traced back to alerts typically classified as low-severity or informational.
The findings highlight a long-standing challenge in security operations. When alert volume increases faster than enterprise SOC teams can scale, low-severity and informational alerts are deprioritized as part of acceptable risk. Intezer examined alerts across endpoint, cloud, identity, network, and phishing telemetry and found that nearly 1% of confirmed incidents originated from alerts initially labeled as low-severity. At endpoints, that figure rose to almost 2%. For a typical enterprise generating hundreds of thousands of alerts annually, this translates into approximately 50 real threats and potential cyber breaches per year that are likely never investigated.
“Security teams have normalized the idea that some risk must be accepted because it is impossible to investigate everything,” said Itai Tevet, CEO and co-founder of Intezer. “Our research shows that this acceptance is increasingly misaligned with how modern attacks unfold. When genuine threats consistently emerge from alerts we have trained ourselves to ignore, the definition of acceptable risk needs to be reexamined.”
Key Findings from the 2026 AI SOC Report
- Endpoint protection frequently reports success while systems remain compromised — Over half of all endpoint alerts were not automatically mitigated by their endpoint protection solution. Of these non-mitigated alerts, almost 9% were confirmed as malicious. Additionally, 1.6% of alerts that underwent live forensic endpoint scanning were found to have active compromise even though endpoint security tools indicated the threat had been mitigated.
- Attackers favor stealth and persistence over noisy exploitation — Cloud alerts were dominated by defense evasion and persistence techniques, reflecting attackers’ focus on long-term access and abuse of legitimate services rather than immediate disruption.
- Phishing has shifted from attachments to browsers and trusted platforms — Fewer than 6% of malicious phishing emails contained attachments. Most relied on links, language, and abuse of legitimate services such as code sandboxes, cloud file sharing, and CAPTCHA mechanisms to evade detection.
- Identity telemetry produces high volumes of alerts with low signal — Location anomalies and impossible travel alerts were rarely malicious, with only about 2% indicating a real compromise. VPN usage, mobile behavior, and overlapping security tools were the primary drivers of false positives.
- Cloud misconfigurations remain persistent and widespread — The majority of cloud posture findings involve legacy or default configurations, particularly in Amazon S3, including missing encryption, weak access controls, and lack of logging.
- Companies still rely on perimeter security rather than zero-trust security — Intezer observed widespread transmission of credentials and sensitive data over unencrypted internal protocols, indicating that many organizations still assume internal networks are trustworthy rather than enforcing zero-trust principles such as encryption in transit and continuous verification.
Implications for Security Leaders
Intezer’s data shows that what most organizations view as “acceptable risk” is no longer justified in an era in which AI-driven forensic analysis can operate at enterprise scale. As alert volume continues to escalate, driven by the expanding attack surface and AI-orchestrated cyber attacks, organizations need deeper analysis of every signal, particularly those that have historically been deprioritized due to volume rather than true risk. With AI capable of performing high-fidelity forensic analysis across all alerts, organizations that continue to rely on aggressive triage and selective investigation may be underestimating their exposure.
Download the report and register to join the Intezer research team on February 4, at 12 p.m. ET for a webinar providing an in-depth analysis of these findings and what it means for SOC leaders and their teams.
Research Methodology
The 2026 AI SOC Report for CISOs is based on Intezer’s analysis of security activity observed across its global customer base throughout 2025. The research examined more than 25 million security alerts, spanning 10 million monitored endpoints and identities; 180 million analyzed files; 82,000 endpoint forensic investigations, including live memory scans; and telemetry from 7 million IP addresses, 3 million domains and URLs, and over 550,000 phishing emails. The dataset covers activity across 206 countries and territories. All findings were aggregated and anonymized, with no customer-identifying or sensitive information accessed or retained.
About Intezer
Intezer AI SOC delivers 24/7, forensic-grade cyber alert triage across 100% of alerts, with less than 2% escalated for human review, dramatically accelerating incident response. Powered by ForensicAI™, Intezer specializes in deep forensic investigation to deliver unmatched accuracy and speed, significantly reducing cyber risk and enabling security teams to operate effectively without reliance on outsourced services. Intezer is trusted by global enterprises including NVIDIA, MGM Resorts, Equifax, Salesforce, and Ferguson. Learn more at www.intezer.com.
Media Contact
Jennifer Tanner
Look Left Marketing
[email protected]
A photo accompanying this announcement is available at https://www.globenewswire.com/NewsRoom/AttachmentNg/00c434de-bd67-439b-a4c6-71863c4e2a24