
Cybersecurity Analyst Reviews 23,000 Alerts Over 2 Years, Finds Only 11 True Threats
Tags: cybersecurity, alerts, true_positives, phishing, insider_threats, domain_controller, EDR, WAF, DDoS, threat_detection
A cybersecurity analyst reports having triaged 23,000 alerts over two years and identifying only 11 true positives (TPs), roughly one confirmed incident per 2,100 alerts, or a precision of about 0.05%. Of those 11, 8 were credential-theft phishing compromises, 2 were insider threats, and 1 was a full domain controller (DC) compromise. The analyst notes that despite numerous virus and DDoS attack alerts, none of those resulted in a breach, which they attribute to the EDR (Endpoint Detection and Response) and WAF (Web Application Firewall) controls in place. They ask whether this ratio is normal.
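Whether a ratio like this is "normal" depends on what the denominator counts (raw detections versus triaged cases) and on which detection sources generate the volume. The script below is an added example, not code from the original post, showing how to compute overall and per-source alert precision from analyst dispositions so the question can be answered for one's own queue. The alert counts per source and the source names (email_gateway, EDR, WAF, DDoS_mitigation, UEBA) are constructed; they are chosen only so the totals reproduce the post's figures of 23,000 alerts and 11 true positives.

```python
"""Alert-triage metrics: overall and per-source precision from analyst dispositions.

Added example. The SAMPLE_COUNTS data is constructed to reproduce the totals
in the post (23,000 alerts, 11 TPs: 8 phishing, 2 insider, 1 DC compromise);
the split across detection sources is an assumption, not reported data.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    source: str        # detection technology that raised the alert, e.g. "EDR", "WAF"
    disposition: str   # analyst verdict: "TP", "FP", or "benign" (expected activity)
    category: str = "" # for TPs only: what kind of incident it turned out to be


# Constructed aggregated counts standing in for two years of alerts.
# (source, disposition, category, number of alerts)
SAMPLE_COUNTS = [
    ("email_gateway", "FP", "", 8_400),
    ("email_gateway", "TP", "credential_phishing", 8),
    ("EDR", "FP", "", 6_100),
    ("EDR", "benign", "", 2_390),
    ("EDR", "TP", "domain_controller_compromise", 1),
    ("WAF", "FP", "", 3_200),
    ("DDoS_mitigation", "benign", "", 1_900),
    ("UEBA", "FP", "", 999),
    ("UEBA", "TP", "insider_threat", 2),
]


def expand(counts):
    """Turn aggregated (source, disposition, category, n) rows into Alert records."""
    return [Alert(s, d, c) for s, d, c, n in counts for _ in range(n)]


def triage_metrics(alerts):
    """Compute precision overall, per source, and the TP breakdown by incident type.

    'precision' here is TP / all alerts handled, counting benign dispositions
    as non-TPs, since each one still consumed analyst time.
    """
    total = len(alerts)
    tp = sum(1 for a in alerts if a.disposition == "TP")

    by_source = defaultdict(Counter)
    for a in alerts:
        by_source[a.source][a.disposition] += 1

    per_source = {}
    for src, dispositions in by_source.items():
        n = sum(dispositions.values())
        per_source[src] = {
            "alerts": n,
            "tp": dispositions["TP"],
            "precision": dispositions["TP"] / n,
        }

    tp_by_category = Counter(a.category for a in alerts if a.disposition == "TP")
    # Sources that never produced a confirmed incident are the first tuning targets.
    sources_without_tp = sorted(s for s, m in per_source.items() if m["tp"] == 0)

    return {
        "alerts": total,
        "true_positives": tp,
        "precision": tp / total if total else 0.0,
        "alerts_per_tp": total / tp if tp else float("inf"),
        "per_source": per_source,
        "tp_by_category": dict(tp_by_category),
        "sources_without_tp": sources_without_tp,
    }


if __name__ == "__main__":
    m = triage_metrics(expand(SAMPLE_COUNTS))
    print(f"{m['alerts']} alerts, {m['true_positives']} TPs, "
          f"precision {m['precision']:.4%}, ~{m['alerts_per_tp']:.0f} alerts per TP")
    for src, stats in sorted(m["per_source"].items(), key=lambda kv: kv[1]["alerts"], reverse=True):
        print(f"  {src:16s} alerts={stats['alerts']:6d} tp={stats['tp']:2d} "
              f"precision={stats['precision']:.4%}")
    print("TPs by category:", m["tp_by_category"])
    print("sources with no TP in the period:", m["sources_without_tp"])
```

Run against a real export of closed alerts (source, disposition, category per row), the per-source table shows where the 99.95% of non-incident alerts come from, which is the number needed to decide whether a given source is worth its volume or needs tuning.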