AI-led security centres warned over missed threats
Thu, 2nd Jul 2026
Secure.com has published an analysis warning that AI-led security operations centres can miss genuine cyber threats. The paper focuses on false negatives in automated threat detection.
As companies deploy AI tools in security operations, much of the attention has centred on false positives. Secure.com argues that the less visible risk is false negatives: cases in which a system classifies a real attack as harmless, generates no alert, and leaves security teams unaware that an intruder is active.
Yasir Zahid, Cybersecurity Leader and Product Builder at Secure.com, said organisations expanding AI's role in monitoring and triage often underestimate the issue. He described false negatives as the more serious operational risk because they leave analysts with no immediate signal to examine.
"A false negative is not a noisy alert. It is a silent one," Zahid said.
"It happens when the AI processes a real threat, misclassifies it as benign, and takes no action. No escalation. No ticket. Nothing. The threat sits there, and the clock starts running. False positives are annoying and expensive in analyst hours, but false negatives are dangerous - one creates noise and the other creates damage," Zahid said.
According to the analysis, AI detection tools can lose 45 to 50 per cent of their tested accuracy when they move from controlled testing into live operating environments. It links that drop to differences in data, infrastructure, and evolving attack methods.
That gap between laboratory performance and production use is a central theme of the paper. It argues that many security teams still treat AI systems as if they can deliver complete coverage, even though real environments contain far more variables than test conditions.
Missed signals
The paper identifies several reasons for missed detections, including gaps in model training, thresholds tuned too aggressively to suppress alert noise, low-severity events closed without review, and a mismatch between customer environments and the assumptions built into the model.
It also points to the nature of modern attacks, which often unfold in stages. An isolated low-priority event may appear insignificant on its own, yet form part of a wider compromise that becomes obvious only after an attacker has moved further into a network.
In that context, a missed early signal can be costly. Secure.com cites estimates showing that up to 40 per cent of alerts in a standard security operations centre go uninvestigated, giving quiet threats more room to persist.
The volume of alerts compounds the problem. The analysis says enterprise security operations centres may process more than 10,000 alerts a day, while false positive rates can exceed 50 per cent and reach 80 per cent in some environments. Heavy alert loads can push teams to automate the closure of lower-priority signals, creating potential blind spots.
Cost pressure

The paper says delayed detection can increase breach costs because attackers remain in an environment longer before containment begins.
Secure.com cites figures showing the average global cost of a data breach at USD $4.44 million and the average cost in the United States at USD $10.22 million. It also points to detection and containment costs averaging USD $1.47 million per incident, with healthcare listed as the costliest sector at USD $7.42 million per breach.
Beyond direct response spending, the analysis highlights regulatory penalties and longer-term revenue effects. It says 32 per cent of breached organisations paid regulatory fines, while lost business and customer churn can create an exposure of USD $2.1 million over two to five years.
The document argues that the answer is not to abandon AI in the security operations centre, but to design processes on the assumption that some threats will be missed. It outlines a model in which uncertain findings are routed to human analysts, low-severity closures are reviewed, and missed detections are fed back into detection logic.
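The routing model described above, written out as an added illustration (not Secure.com's tooling; thresholds, scores, host names and technique labels are constructed): confident findings are escalated, the uncertain band always goes to an analyst, auto-closures are sampled for secondary review, low-severity events on one host are chained so the staged-attack pattern discussed earlier is not lost, and a confirmed miss tightens the auto-close threshold.

```python
from dataclasses import dataclass, field


@dataclass
class Alert:
    host: str
    technique: str   # attack technique label; values used here are constructed placeholders
    score: float     # model's estimated probability that the event is malicious, 0..1
    severity: str    # "low", "medium" or "high"


@dataclass
class TriagePolicy:
    """Routes model output so that a misclassification is never silent."""
    escalate_at: float = 0.85       # at or above: open a ticket immediately
    auto_close_below: float = 0.20  # below: close, but every Nth closure is re-checked
    review_every: int = 10          # secondary review of auto-closed alerts
    chain_length: int = 3           # distinct low-severity techniques on one host
    closed: int = 0
    for_review: list = field(default_factory=list)
    low_by_host: dict = field(default_factory=dict)

    def route(self, a: Alert) -> str:
        # Staged attacks: individually insignificant low-severity events on one
        # host are correlated, so a chain reaches a human even if every score is low.
        if a.severity == "low":
            chain = self.low_by_host.setdefault(a.host, set())
            chain.add(a.technique)
            if len(chain) >= self.chain_length:
                return "human_review"
        if a.score >= self.escalate_at:
            return "escalate"
        if a.score < self.auto_close_below:
            self.closed += 1
            if self.closed % self.review_every == 0:
                self.for_review.append(a)  # sampled auto-closure gets a second look
            return "auto_close"
        return "human_review"  # uncertain band is routed to an analyst, not dropped

    def feedback(self, missed: Alert) -> None:
        """Confirmed false negative: tighten so that score can no longer auto-close."""
        if missed.score < self.auto_close_below:
            self.auto_close_below = missed.score
```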
Threat hunting is presented as one of the main safeguards. Rather than waiting for an alert, analysts actively test hypotheses about suspicious activity and search for supporting evidence, which can help uncover attacks that automated systems did not flag.
Secondary review and detection quality checks are also described as important controls. These include reviewing low-severity alerts closed automatically, mapping coverage against known attack techniques, and running red team exercises to test whether specific attack paths would be detected.
Zahid said the central mistake is treating AI as infallible rather than as a tool that needs oversight and governance.
"The point isn't that AI is bad at detection. It's that no AI is perfect and designing a SOC as if it were is the actual risk," Zahid said.