Daylila

Cybersecurity · Friday, 12 June 2026

01 · Briefing · what happened

Security teams are drowning in alerts — and the warning that matters keeps slipping through

Cybersecurity 2 min 62 sources

A growing share of breaches now start not with a missed clue but with a clue that was buried under thousands of others. Alert fatigue is becoming its own threat, and defenders, regulators, and ordinary users are all feeling the same overload.

Key takeaways

  • Security teams face thousands of alerts a day, and the real one keeps getting lost in the noise — alert fatigue is now a threat in its own right.
  • Regulators are responding by switching from "fix everything severe" to "fix what's actually being attacked first" — triage as policy.
  • The same overload reaches ordinary people: the breach notices and security prompts you've learned to ignore are exactly what attackers count on.

The problem in security right now is not that no one is watching. It is that everyone is watching too much.

Security analysts at large organisations face thousands of alerts a day — most of them false alarms or low-stakes noise. A new analysis warns that this flood is becoming a threat in its own right [22]. When every warning looks urgent, the human mind stops treating any of them as urgent. The one alert that signals a real intruder lands in the same crowded inbox as the four thousand that don’t, and it gets the same tired glance.

This is not a story about lazy defenders. It is a story about a limit built into human attention. Teams are already stretched: most security staff say they can’t find the time to train on new threats, because the day is eaten by the alerts already on screen [31]. The work of keeping up never finishes, so the work of getting better rarely starts.

Regulators are quietly admitting the same thing. The US cybersecurity agency CISA this week changed how it tells federal agencies to patch software holes. Instead of “fix everything marked severe,” the new guidance is “fix what is actually being attacked first” [4][13]. For the most exploited flaws, agencies now have three days [8]. It is a triage rule — an acknowledgement that you cannot fix everything at once, so you must decide what to ignore for now. That is alert fatigue, formalised into policy.

There is one bright spot, and it carries the same lesson. The volume of phishing emails — the fake messages that try to trick people into handing over passwords — fell about 20% over the past year [21]. But the risk did not fall with it. Attackers sent fewer messages and made each one sharper, harder to spot, better aimed. Less noise, more signal — on the attacker’s side. The defenders who learned to tune out the obvious junk are now facing fewer, better-disguised lures.

Meanwhile the machinery against the noise keeps grinding. Interpol and partners dismantled SniperDz, a service that let low-skill criminals rent ready-made phishing pages by the month [2]. Taking it down removes one source of the flood. But the flood has many taps, and closing one does not refill anyone’s attention.

The pattern underneath all of this is the same one every reader knows from their own phone. The security-warning emails, the two-factor prompts, the “your password was seen in a breach” notices — there are now so many that most people have learned to dismiss them without reading. That habit of tuning out is exactly what an attacker counts on. The defence and the vulnerability have become the same reflex.

02 · Lesson · why it matters

When everything is urgent, nothing is

Attention is a finite supply. Flood it with warnings and the mind stops spending it — which is exactly the gap the one real warning slips through.

The alert that arrived on time, and was ignored

Almost every big breach, looked at afterward, has the same quiet detail buried in the timeline. The system did see it. An alert fired. A log line lit up. Somewhere, a tool noticed the intruder and said so.

And a human glanced at it, the way you glance at the four thousandth notification of the day, and moved on.

This is the threat a new analysis is naming directly: alert fatigue. Security teams at large organisations face thousands of warnings a day, most of them false alarms or low-stakes noise. The danger is no longer only that defenders miss a hidden clue. It’s that the clue is sitting right there, in plain sight, in an inbox so crowded that “plain sight” has stopped meaning anything.

Why the mind tunes out

This isn’t a story about lazy or careless people. It’s a story about a limit built into attention itself.

Attention is not free and not infinite. Treat every signal as urgent and the body learns, fast, that “urgent” is just the weather — a constant hum, not a call to act. Psychologists have a plain name for it: when a warning fires over and over with no real consequence, you stop responding to it. The brain is doing something sensible. It is refusing to spend a scarce resource on a signal that has, so far, always been noise.

The trouble is that the attacker is counting on exactly that economy of attention. They don’t need to hide the one alert that matters. They only need it to arrive in the same crowded stream as the thousands that don’t.

The shepherd’s problem, at machine scale

There’s an old story about a shepherd who cried wolf — who raised so many false alarms that when the real wolf came, no one looked up. We tell it to children as a lesson about lying. But the deeper mechanism has nothing to do with dishonesty.

The villagers weren’t fools. After enough false alarms, ignoring the shepherd was the rational move. Each cry had, by track record, been worth nothing. The cost of running up the hill again and again came to outweigh the cost of being wrong once. The system trained them to stop listening, and then the one true cry landed in a mind that had already, sensibly, tuned it out.

A security team is a village with millions of shepherds, most of them automated, most of them wrong most of the time. The same training happens, the same way, for the same reasons.

Triage is the honest response — and an admission

You can feel the whole industry quietly accepting this. This week the US cyber-defence agency CISA changed its instructions to federal agencies. The old rule was effectively “fix everything marked severe.” The new rule is “fix what is actually being attacked first” — is the flaw exposed to the open internet, already exploited, easy to automate?

That is triage. It is an admission, written into policy, that you cannot treat every warning as equally urgent — that pretending you can is its own failure. A hospital sorts the bleeding from the bruised because treating everyone at once means treating no one well. CISA is telling agencies the same thing about their alert queue: decide what to ignore for now, on purpose, so attention lands where it counts.

There’s even a cleaner version in the phishing numbers. The volume of fake-login emails fell about 20% over the past year — but the risk didn’t fall with it. Attackers sent fewer messages and made each one sharper. Less noise, more signal, on their side. The defenders who’d learned to tune out the obvious junk now face fewer, better-disguised lures. The flood and the filter are locked in a quiet race, and the filter is the harder thing to keep sharp.

You are already trained to ignore the real one

Here is where this stops being a story about distant security teams and becomes a story about you.

Your phone does the same thing to you that the alert queue does to the analyst. The breach notices. The two-factor prompts. The “your password was seen in a leak” emails. The cookie banners, the app-update nags, the “unusual sign-in” warnings. There are now so many that you’ve learned — sensibly, the way the villagers did — to dismiss them without reading.

And that learned reflex is precisely the vulnerability. The fake “delivery problem” text that knows your real address; the security email that’s actually the scam; the prompt that, this one time, is real — they all arrive in the same numbed stream you’ve trained yourself to swipe away. Your defence (ignore the noise) and your exposure (ignore the one that’s real) have collapsed into the same gesture.

Standing inside the flood

So the whole of it is humbling rather than tidy. Every defender drowning in alerts is also a person at home, ignoring alert number four thousand on their own screen. There is no seat above the flood — the analyst, the regulator, you, are all nodes inside the same overload, each rationally tuning out signals to survive the day, each leaving one gap that something real can slip through.

You can’t fix this with more vigilance, because more vigilance is the resource that’s already exhausted. What you can do is notice the reflex when it fires. The next time a warning arrives and your hand moves to dismiss it before you’ve read it, that motion is worth a half-second of suspicion. Not because you should be afraid of everything — you can’t be, no one can — but because the moment you’ve stopped looking is the exact moment the system, and whoever’s working it, is counting on. Knowing that won’t make you immune. It might make you pause on the one that matters.

03 · Lab · your turn

Buried in the Queue

Triage a rising flood of security alerts with limited attention, sort by the loud labels, and feel the one real intruder — wearing a quiet label — slip past unread.

More from Cybersecurity

Hundreds of trusted software packages were quietly hijacked — the name stayed the same, the recipe didn't Quiet malware copied passwords off 11 million machines — and the thefts left no gap to notice A spyware firm a court told to stop went after WhatsApp users anyway

Across the beats

An investor wants the studio behind Elden Ring to "maximise earnings" — and the dev says that's the threat The Chiefs gave Mahomes a half-billion dollars — and locked themselves in The fertilizer price spike from the Iran war is quietly unwinding — and dragging crops down with it