DirectDefense Reports the Top Threats From 2022 and What's Trending for 2023

Research found that phishing threats were low in 2022, while foreign login activity and application process analysis accounted for nearly 50% of incident alerts.

March 15, 2023

3 Min Read


DENVER  March 15, 2023  DirectDefense, Inc., an information security services company, today released its "Security Operations Threat Report" which identifies the top threats in 2022 and what’s already trending for 2023. Using its proprietary ThreatAdvisor software, DirectDefense evaluated the managed services activities logged for its clients last year.

Of the hundreds of thousands of alerts managed, DirectDefense investigated 100% of them and acted on or dismissed 77% so that only 23% needed client collaboration to close the event, saving over 1.1 million hours in alert investigation time for clients while providing 7x24x365 monitoring. There were seven threat types identified by the DirectDefense team, including custom alerts created by DirectDefense based on our clients’ unique needs and program support. Outside of custom alerts, foreign login activity and process analysis (suspicious application processes) represented almost 50% of the threats identified.

  • Custom Alerting – 30%

  • Foreign Login Activity – 27%

  • Process Analysis – 21%

  • Account Activity – 9%

  • Phishing Attempts – 7%

  • Mailbox Manipulation – 5%

  • Deceptive Technologies – 1%

Surprisingly, phishing accounted for a low number of client alerts. This infrequency could be the result of tighter organizational email security protocols or simply fewer phishing attempts overall due to previous year’s events where threat actors scraped email addresses and personal information from social networking sites and took other approaches, like brute force attacks. It’s worth noting that of the 7% phishing attempt alerts, 859 were positive phishing attempts and three of those escalated to an incident response engagement.

In 2022, DirectDefense spent nearly 30,000 hours on event triage, with approximately 7,600 hours attributed to level 1 / initial analysis and 21,700 to level 2 / secondary analysis and action.

Each DirectDefense SOC analyst spent an average of 1,723 hours on event triage and response.

"The number of hours spent investigating alerts, many of which require no action, can stop productivity in its tracks. Not to mention how alert fatigue often results in simply not investigating alerts, thereby potentially missing a very real threat – and the opportunity to respond quickly," said Jim Broome, President and Chief Technology Officer for DirectDefense. "Even when companies elect to handle certain alerts in-house, the benefit of having 100% of alerts immediately investigated by an MSSP removes a significant strain on organizational resources."

In looking at 2023, the DirectDefense team identified four primary threats that top the list for security concerns.

  • Ransomware: A serious threat facing organizations, the most common infiltration techniques for ransomware include supply chain attacks, data exfiltration to a separate location, Ransomware as a Service (RaaS) / pay-for-use malware platforms, out-of-date system patches, and phishing. Operational disruptions, data compromise and loss, and reputational damages are top concerns in any security breach, especially ransomware.

  • Cloud infrastructure attacks: A high incidence of cloud infrastructure attacks occurred because clients were allowing their developers to run a development cloud environment with little to no production controls oversight. Organizations need to ensure they have configuration requirements and service hardening procedures in place for all cloud environments, not just production.

  • Blind by design applications: There are many applications that don’t offer even the most basic security controls or audit logs. These blind-by-design applications are leaving organizations open to attack, and closing these gaps requires application testing for function and logic vulnerabilities, authentication mechanisms, room for abuse, and logging quality.

  • Emerging AI (ChatGPT): The threat from ChatGPT is far different than headlines suggest. Right now, AI is just a tool that can be used by both malicious actors and well-intentioned individuals. DirectDefense expects to see an increase in social engineering and phishing attacks using information from ChatGPT to execute.

The full report can be found at:

Follow DirectDefense




About DirectDefense, Inc.

DirectDefense provides enterprise risk assessments, penetration testing, ICS/SCADA security services, and 24/7 managed security services for companies of all sizes. Focused on building security resiliency, the firm offers comprehensive security testing services with specialization in application security, vulnerability assessments, penetration testing, and compliance assurance testing. Its team of highly talented consultants has worked with the majority of the Fortune 100 companies, in industries such as power and utility, gaming, retail, financial, media, travel, aerospace, healthcare, and technology. More information can be found at

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights