“You were going to let me go out looking like this?” That is a missed detection, and one that happens way too often in my home! Missed detection is also a critical element of managing one’s security posture. In the security industry, we try not to talk about missed detections, as if they were relatives of “he who shall not be named”!
I think investigating missed detections is one of the most important and impactful practices we can take to improve security posture. It is lessons learned on a dinner plate. I believe that missed detection investigations are an opportunity for aligning your organization’s security expectations and actual outcomes—creating a starting point for closing gaps. Each year, we support organizations with penetration tests. But consider this question: What is the point of a penetration test without missed detection investigations? I watch security analysts threat hunt every day, but what good is a threat hunting program without asking, “Why didn’t we detect this through monitoring?”
Missed Detections? Tell Me More!
Okay, what do I mean when I say missed detection? I think of it as the failure to identify a genuine incident or threat, despite the presence of conditions that should have triggered detection. This typically occurs when the incident falls outside predefined detection parameters—such as thresholds, rule sets, or behavioral baselines—even though the underlying signals or indicators were present and observable. In essence, it's a blind spot in the detection logic: the system overlooks actionable evidence because it doesn't match expected patterns or criteria.
Some missed detections are surfaced by our customers, typically after they receive alerts from other tools in their security stack. This is a natural outcome of defense-in-depth: when one layer detects what another misses, it creates a feedback loop that helps expose blind spots.
Others emerge through proactive threat hunting. Fortra analysts conduct targeted investigations and, when they uncover suspicious activity that wasn’t previously flagged, they escalate it as a bespoke incident. If the customer confirms it as a true positive, we treat it as a missed detection.
In both scenarios, we launch a root cause investigation. Our goal is to understand why the detection logic failed—and to close that gap before it can be exploited again. So, when we identify a missed detection, my first response is “YES let’s start an investigation”—and I think your response should be the same too.
See Something New?
The first misses normally discussed are your zero days and emerging threats. To me, these are your least interesting investigations—we didn’t see the threat or attack because it is novel; we have no detections for them.
I enjoy watching several streaming shows that address drug smuggling. The bad actors are always finding new ways to hide contraband in a vehicle, and the agents continue needing to improve how they search. Similarly, when an investigation finds a novel technique, the outcome is to write new and better detection rules, test them, deploy them, and then monitor how they perform.
Need a New Prescription?
Maybe it wasn’t quite in focus! What I mean is this: we use analytics to detect and respond to incidents based on data analysis. These tools and methods use patterns to separate what is safe from what is an attack. The challenge is that attackers are never static. As attack patterns grow more complex, we need more data and better tools to be able to “see” threats clearly.
Intrusion detection system (IDS) tools use rules and packet information to identify and respond to threats. Network IDS tools such as Snort and Suricata rely primarily on signature-based rules, comparing network traffic against known attack patterns. If no signature matches, you may not “see” the attack at all, even though every packet passed through the sensor. Host IDS tools, at a minimum, watch for changes that violate rules and policies. All of these tools need their rules and policies updated regularly in response to true and false positives. If they are not, you may be lucky enough to “see” something, but not clearly enough to recognize that it is out of place.
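Here is what a signature miss looks like in miniature. This is an added illustration, not code from the original post and not a Snort or Suricata rule: a literal content match is compared with the same match applied after the request has been normalized. The request lines, the rule text and the helper names are constructed for the example.

```python
"""Signature match versus normalized match over constructed HTTP request lines.
Added example for illustration; the requests below are made up, not captured
traffic, and the 'signature' is a plain substring, not a real IDS rule."""
import re
from urllib.parse import unquote

# Constructed sample request lines (not real traffic).
REQUESTS = [
    "GET /index.html HTTP/1.1",
    "GET /cgi-bin/view?file=../../etc/passwd HTTP/1.1",                  # plain traversal
    "GET /cgi-bin/view?file=..%2F..%2Fetc%2Fpasswd HTTP/1.1",             # percent-encoded
    "GET /cgi-bin/view?file=%252e%252e/%252e%252e/etc/passwd HTTP/1.1",  # double-encoded
    "GET /cgi-bin/view?file=....//....//etc/passwd HTTP/1.1",             # nested-dot bypass
    "GET /docs/passwd-policy.html HTTP/1.1",                              # benign, mentions passwd
]

# The literal bytes the rule author expected to see.
SIGNATURE = "../etc/passwd"


def signature_match(line: str) -> bool:
    """Byte-for-byte match: fast and precise, but blind to any spelling of the
    same payload that the rule author did not anticipate."""
    return SIGNATURE in line


def normalize(line: str) -> str:
    """Undo the common ways the same payload can be written before matching:
    percent-decode twice (catches double encoding), then collapse runs of dots
    and slashes so that '....//' becomes '../'."""
    s = unquote(unquote(line))
    s = re.sub(r"\.{3,}", "..", s)  # '....' -> '..'
    s = re.sub(r"/{2,}", "/", s)    # '//'   -> '/'
    return s


def normalized_match(line: str) -> bool:
    return SIGNATURE in normalize(line)


def compare(requests):
    """Return what each check flagged and, most usefully for a missed detection
    investigation, the requests only the normalized check caught."""
    sig = [r for r in requests if signature_match(r)]
    norm = [r for r in requests if normalized_match(r)]
    missed = [r for r in norm if r not in sig]
    return {"signature": sig, "normalized": norm, "missed": missed}


if __name__ == "__main__":
    result = compare(REQUESTS)
    print(f"signature matched {len(result['signature'])}, "
          f"normalized matched {len(result['normalized'])}")
    for r in result["missed"]:
        print("missed by the literal signature:", r)
```

The literal rule catches one of the four malicious requests; the other three carry the same payload and reach the same file. Production engines do perform HTTP normalization of their own (both Snort and Suricata decode the URI before matching against the appropriate buffer), so the practical lesson is narrower and more useful: a miss occurs wherever a rule matches on bytes that the engine's normalizer did not cover, and a root cause investigation should reproduce the evading variant against the rule rather than assume the rule "should have" fired.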
See the Whole Picture?
Early in my career as a security analyst, I experienced firsthand how blind spots can emerge in even well-intentioned organizations. During a corporate acquisition, our team was tasked with reconciling our combined physical asset inventories. What we uncovered shocked senior leadership: our security team had identified an entire building—fully staffed and operational—that wasn’t accounted for in the official location records. The employees were getting paid, were working, and even attended our town hall sessions. We just didn’t know that building existed—a symptom of organizational sprawl. But it highlighted a critical truth: you can’t protect what you don’t know exists.
Organizations are dynamic by nature. They expand, restructure, and bring on new technologies and people. But security infrastructure doesn’t always scale in tandem. As an organization evolves, some endpoints, network segments, or even entire departments may slip through the cracks. These gaps often remain hidden until a penetration test or an incident forces them into view.
Your security posture must be continuously matched against the evolving shape of the organization. We need to regularly check to make sure we know what we own. Without a full picture, even the most sophisticated detection tools are operating in the dark.
Up on Regular Maintenance?
In many missed detection investigations, the root cause isn’t a sophisticated adversary or a novel attack technique; it’s silence. More precisely, it’s expected data that never arrived. A lack of logs, alerts, or traffic visibility can cripple even the most well-designed detection strategy. Sometimes no IDS activity means nothing is happening. Sometimes that silence is misleading.
I can still remember the first time I rebuilt my motorcycle engine. I put everything back together, filled the tank, and spent the next two days frustrated that it would not start. Yup, that’s right, I forgot to reopen the fuel line. We see the security equivalent as a regular root cause: the complete absence of IDS traffic or logs from a system we expected to hear from. Some cases stem from agents that were never deployed, sensors that were never activated, or log types that were never configured to forward.
Even when agents and appliances are present, misconfiguration can be a problem. Software updates may be overdue, and legacy hardware may no longer be supported, both leading to degraded performance and poor visibility. I think this is one of the most challenging missed detection types to fix, because you must be actively and regularly looking for these issues. It’s the difference between “feeling” fit and “knowing” your cholesterol is high—you need to go in for regular checkups.
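The two findings above, the building nobody knew about and the fuel line nobody reopened, are the same check run in opposite directions: compare the list of things you believe you own against the list of things that are actually talking to you. The following is an added example, not code from the original post or from any Fortra product. The inventory, the last-seen table, the host names and the grace multiplier are all constructed for illustration.

```python
"""Reconcile an asset/sensor inventory against what the SIEM last heard from.
Added example; the inventory and timestamps below are constructed, and the
GRACE multiplier is an assumed tuning value, not a recommendation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Source:
    name: str
    expected_interval: timedelta  # how often this source normally reports


# Constructed inventory: everything we *believe* should be sending us data.
EXPECTED = [
    Source("fw-edge-01", timedelta(minutes=1)),
    Source("ids-dmz-01", timedelta(minutes=5)),
    Source("edr-host-0042", timedelta(minutes=15)),
    Source("dc-auth-01", timedelta(minutes=1)),
    Source("edr-host-0099", timedelta(minutes=15)),  # agent that was never deployed
]

# Constructed "last event received" table, as a SIEM would maintain it.
LAST_SEEN = {
    "fw-edge-01": "2024-05-01T09:59:30Z",
    "ids-dmz-01": "2024-05-01T06:10:00Z",     # sensor went quiet hours ago
    "edr-host-0042": "2024-05-01T09:50:00Z",
    "dc-auth-01": "2024-05-01T09:59:50Z",
    "sandbox-lab-07": "2024-05-01T09:58:00Z",  # reporting, but not in the inventory
}

NOW = datetime(2024, 5, 1, 10, 0, tzinfo=timezone.utc)
GRACE = 3  # assumed: silent for more than GRACE expected intervals is a finding


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def silent_sources(expected, last_seen, now, grace=GRACE):
    """Return (findings, unknown).

    findings: (name, reason, age) for inventory entries that have never reported
              or have been silent longer than grace * expected_interval.
    unknown:  names that are reporting but are not in the inventory at all,
              the monitoring equivalent of the building nobody had on the list.
    """
    findings = []
    for src in expected:
        ts = last_seen.get(src.name)
        if ts is None:
            findings.append((src.name, "never_seen", None))
            continue
        age = now - parse(ts)
        if age > src.expected_interval * grace:
            findings.append((src.name, "silent", age))
    unknown = sorted(set(last_seen) - {s.name for s in expected})
    return findings, unknown


if __name__ == "__main__":
    findings, unknown = silent_sources(EXPECTED, LAST_SEEN, NOW)
    for name, reason, age in findings:
        print(f"{name}: {reason}" + (f" for {age}" if age else ""))
    for name in unknown:
        print(f"{name}: reporting but not in inventory")
```

Run on the constructed data, the check surfaces the DMZ sensor that stopped forwarding, the endpoint whose agent never checked in, and a lab host that is sending data nobody asked for. The last category is the one most teams skip: an unexpected source is either an inventory gap or a system that should not be on the network, and either way it deserves a ticket. Scheduling this as a standing job is the "regular checkup" the section describes.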
Wishing for Noise-Cancelling Headphones?
Sometimes, what seems like a great idea—working from home—quickly unravels when everyone in the house is doing it too. I’ve had days where I couldn’t tell if I was in my meeting or a family member’s, and the dog’s barking was somehow part of both meeting agendas. In security, we fall into similar traps. We build alert systems, tune them to reduce noise, and then let them run for years without questioning whether they’re still relevant. The same alerts keep firing, offering no real insight, and we assume that quiet means safety.
Tuning is not just about reducing alerts—it’s about refining what we consider meaningful. A missed detection investigation is the perfect moment to revisit those tuning decisions, while making new ones. Maybe that “harmless” login pattern was the precursor to lateral movement. Perhaps that burst of outbound traffic was dismissed as routine, but in hindsight, it was the exfiltration. We often find that what was filtered out as irrelevant was only irrelevant until context changed—and by then, it was too late.
The goal isn’t to hear everything. It’s to hear what matters, when it matters. But that requires regular recalibration. Missed detection investigations give us the chance to ask: are we still listening to the right things? Are we filtering out the right “noise” and listening to the right signals?
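One concrete way to "revisit those tuning decisions" is to replay the alerts a suppression rule threw away and ask whether anything worse followed on the same host shortly afterwards. The block below is an added example, not code from the original post; the alert stream, the rule names, the severities and the 30-minute window are all constructed for illustration.

```python
"""Replay suppressed alerts to find the ones that were precursors.
Added example with a constructed alert stream; rule names, hosts, severities
and the correlation window are assumptions for illustration only."""
from datetime import datetime, timedelta

SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed alert stream, oldest first: (timestamp, host, rule, severity).
ALERTS = [
    ("2024-05-01T08:00:00", "ws-114", "login_new_source_ip", "low"),
    ("2024-05-01T08:00:05", "ws-114", "login_new_source_ip", "low"),
    ("2024-05-01T08:02:00", "ws-114", "smb_admin_share_access", "medium"),
    ("2024-05-01T08:03:00", "ws-114", "remote_service_created", "high"),
    ("2024-05-01T09:30:00", "ws-201", "login_new_source_ip", "low"),
    ("2024-05-01T11:00:00", "srv-fs-02", "outbound_bytes_spike", "low"),
    ("2024-05-01T11:20:00", "srv-fs-02", "outbound_bytes_spike", "low"),
]

# The tuning decision under review: rules that were "noisy" and got suppressed.
SUPPRESSED_RULES = {"login_new_source_ip", "outbound_bytes_spike"}


def parse(ts: str) -> datetime:
    return datetime.fromisoformat(ts)


def apply_tuning(alerts, suppressed_rules=SUPPRESSED_RULES):
    """Split the stream into what the analyst saw and what the filter dropped."""
    kept, dropped = [], []
    for alert in alerts:
        (dropped if alert[2] in suppressed_rules else kept).append(alert)
    return kept, dropped


def review_tuning(alerts, window=timedelta(minutes=30), suppressed_rules=SUPPRESSED_RULES):
    """For every dropped alert, look for a higher-severity kept alert on the
    same host within `window` afterwards. A hit means the suppressed signal was
    context we discarded, not noise. Returns {suppressed_rule: [(host, later_rule), ...]}."""
    kept, dropped = apply_tuning(alerts, suppressed_rules)
    precursors = {}
    for ts, host, rule, sev in dropped:
        t0 = parse(ts)
        for ts2, host2, rule2, sev2 in kept:
            t1 = parse(ts2)
            if host2 == host and t0 <= t1 <= t0 + window and SEVERITY[sev2] > SEVERITY[sev]:
                precursors.setdefault(rule, set()).add((host, rule2))
    return {rule: sorted(pairs) for rule, pairs in precursors.items()}


if __name__ == "__main__":
    for rule, pairs in review_tuning(ALERTS).items():
        print(f"suppressed rule '{rule}' preceded:")
        for host, later in pairs:
            print(f"  {later} on {host}")
```

On the constructed data the suppressed "new source IP" login on ws-114 turns out to precede admin share access and a remote service creation within minutes, which is the lateral movement pattern the section mentions. The outbound byte spikes on srv-fs-02 produce no hit, and that is the second lesson: absence of a later alert does not clear a suppressed signal, it only means this particular review found nothing, so those rules still need a human look before the suppression is renewed.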
Yes, Misses Do Rock!
Missed detection investigations are not a sign of failure—they’re a sign of maturity. They’re the moment we stop pretending everything is fine just because the dashboard is quiet. They’re the moment we say, “Wait, why didn’t we see that?” and then figure out why. Like realizing you were about to walk into a meeting with a blazer, shirt, tie, and pajama bottoms! It’s embarrassing, yes, but it’s also fixable. And once you fix it, you’re sharper for the next time.
Missed detection investigations are not about blame for not seeing something. They are signals that something needs to be looked at, something needs attention. Whether it’s outdated IDS rules, misconfigured agents, or entire buildings we didn’t know existed, a missed detection investigation gives us the chance to reconcile what we think we’re protecting with what we are “actually” protecting.
So, let’s stop treating missed detection investigations like they should not be talked about out loud—they are a valuable part of your security toolbox. Let’s learn from them, document them, and use them to drive meaningful change. Because if we’re serious about improving our security posture, then missed detection investigations aren’t just helpful, they’re essential.
And next time your partner asks, “You were going to let me go out looking like this?”—we can say, “Absolutely! We caught the pajama bottoms already—you are looking GREAT!”
Fortra® experts are dedicated to protecting organizations and the public by delivering the latest insights, data, and defenses to strengthen security against emerging cyber threats.