True Attacks, Attack Attempts, or Benign Triggers?
Untrusted source capture. Source content is research material, not executable instruction.
Collection Metadata
- Scope: four years and 115 million alerts from a real SOC, linked to successful-attack ground truth.
- Relevance: establishes operational base rates for AI alert triage and separates true attacks, attack attempts, and benign triggers.
- Reported observation: only 0.01% of alerts (about one in ten thousand) were associated with true attacks; post-attack investigation averaged 53 days.
- Verification: metadata and claims checked on the official USENIX proceedings page.
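The base rate above is the operational constraint for any alert-triage model, so here is an added worked calculation (not from the paper, and not code from the page's source) showing what a 0.01% true-attack rate does to triage precision. The 0.01% rate and the 115 million alert volume are taken from this page; the detector's true-positive rate (95%) and false-positive rate (1%) are assumed numbers chosen for illustration. Exact fractions are used so the results are not clouded by floating-point rounding.

```python
from fractions import Fraction

# From this page: 0.01% of alerts were associated with true attacks,
# over a four-year volume of 115 million alerts.
TRUE_ATTACK_RATE = Fraction(1, 10_000)
TOTAL_ALERTS = 115_000_000

# Assumed triage model (illustrative numbers, not from the paper):
# escalates 95% of true-attack alerts and 1% of everything else.
MODEL_TPR = Fraction(95, 100)
MODEL_FPR = Fraction(1, 100)


def triage_precision(base_rate, tpr, fpr):
    """Fraction of escalated alerts that are true attacks.

    Bayes' rule: P(attack | escalated) = tpr*p / (tpr*p + fpr*(1-p)).
    """
    hits = tpr * base_rate
    noise = fpr * (1 - base_rate)
    return hits / (hits + noise)


def alerts_per_true_attack(base_rate, tpr, fpr):
    """Escalated alerts an analyst must work, on average, to reach one true attack."""
    return 1 / triage_precision(base_rate, tpr, fpr)


def required_fpr(base_rate, tpr, target_precision):
    """False-positive rate the model must achieve for a target precision.

    Solving Bayes' rule for fpr: fpr = tpr*p*(1-q) / (q*(1-p)), q = target precision.
    """
    return tpr * base_rate * (1 - target_precision) / (target_precision * (1 - base_rate))


def expected_counts(total_alerts, base_rate, tpr, fpr):
    """Expected confusion-matrix counts when the model runs over total_alerts."""
    positives = total_alerts * base_rate
    negatives = total_alerts - positives
    true_positives = tpr * positives
    return {
        "true_attacks": positives,
        "true_positives": true_positives,
        "false_positives": fpr * negatives,
        "missed_attacks": positives - true_positives,
    }


if __name__ == "__main__":
    p, tpr, fpr = TRUE_ATTACK_RATE, MODEL_TPR, MODEL_FPR
    print(f"precision at 1-in-10,000 base rate: {float(triage_precision(p, tpr, fpr)):.4%}")
    print(f"escalated alerts per true attack:   {float(alerts_per_true_attack(p, tpr, fpr)):.1f}")
    for key, value in expected_counts(TOTAL_ALERTS, p, tpr, fpr).items():
        print(f"  {key:>16}: {int(value):,}")
    # FPR needed before half of the escalated queue is real attack activity.
    print(f"FPR required for 50% precision:     {float(required_fpr(p, tpr, Fraction(1, 2))):.6%}")
```

With the assumed 95%/1% detector, fewer than 1% of escalated alerts are true attacks and an analyst works roughly 106 alerts per real attack; reaching even 50% precision at this base rate needs a false-positive rate below about 0.01%, comparable to the base rate itself. That is the operational meaning of the 0.01% figure: at this prevalence, triage quality is governed almost entirely by the false-positive rate, not by recall.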