Security Alert Severity Levels Explained

Security alert severity levels are frequently misunderstood because they appear to summarize importance, certainty, or impact in a single label. In practice, severity reflects how a detection system classifies an alert, not a confirmed outcome or consequence.

What Alert Severity Represents

Alert severity is a classification applied by a detection system to describe how an alert aligns with its internal criteria.

Severity levels are generally intended to communicate factors such as:

  • Detection confidence based on available signals
  • Potential scope or breadth implied by the observed activity
  • How closely activity matches predefined conditions
  • Tool-specific design assumptions and thresholds

Severity does not represent confirmation, intent, or actual impact. It is a descriptor of how the alert was categorized at the time it was generated.

Common Severity Categories

While naming conventions vary, many systems use an ordered set of groupings similar to the following. The boundaries between them are set by each tool's own rules and thresholds, so the same label does not mean the same thing across systems.

Informational

Informational alerts typically represent notable but expected activity. They often document events, state changes, or observations without implying abnormality or risk.

Low

Low-severity alerts generally indicate activity that deviates slightly from a baseline or meets minimal detection criteria. They provide visibility into behavior that may be routine or situational.

Medium

Medium-severity alerts usually reflect activity that more clearly matches a detection pattern. They often indicate conditions that warrant awareness without implying certainty or consequence.

High

High-severity alerts typically represent strong alignment with detection logic or broader potential scope. The label reflects how closely observed signals matched defined conditions, not confirmed outcomes.

Critical

Critical alerts are commonly used for detections that meet the highest internal classification thresholds. This designation reflects how the system categorizes the signal, not a guaranteed level of impact or intent.

Why Severity Varies Between Tools

Different tools may assign different severity levels to the same activity.

This variation can result from:

  • Differences in detection logic and assumptions
  • Variations in data sources and visibility
  • Context available at the time of detection
  • Design goals of the monitoring system

Severity labels are relative to the system that generated them and are not universally standardized.

Why High Severity Does Not Always Mean High Impact

Alerts labeled as “high” or “critical” may still correspond to expected, benign, or low-impact activity.

This can occur when:

  • Detection logic prioritizes sensitivity
  • Activity matches defined patterns without broader consequences
  • Context reduces the significance of the observed behavior

Severity indicates how the alert was classified, not what ultimately occurred.
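The two points above, that severity is relative to the tool that produced it and that a "high" label can sit on routine activity, are easier to see with a concrete rule set. The following is an added example, not code from this site or from any real product: two hypothetical tools (tool_a, tool_b) with invented rules classify the same constructed login events. The event fields, rule names and thresholds are all assumptions chosen to illustrate the mechanism.

```python
"""Added example: severity as a function of a tool's own rules.

Two hypothetical detection tools classify the same constructed events.
Nothing here is a real product's logic; the rules, thresholds, event
fields and names are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional


@dataclass
class Event:
    user: str
    action: str
    src_country: str
    home_country: str
    hour: int          # local hour of day, 0-23
    is_admin: bool


@dataclass
class Rule:
    name: str
    severity: str
    predicate: Callable[[Event], bool]


@dataclass
class Tool:
    name: str
    rules: List[Rule]

    def classify(self, ev: Event) -> Optional[dict]:
        """Return the first matching rule's name and severity, or None.
        Rules are checked in order, most specific first; that ordering is
        itself a design choice that shapes the label an event receives."""
        for r in self.rules:
            if r.predicate(ev):
                return {"tool": self.name, "rule": r.name, "severity": r.severity}
        return None


def _off_hours(e: Event) -> bool:
    return e.hour < 6 or e.hour > 22


def _foreign_login(e: Event) -> bool:
    return e.action == "login" and e.src_country != e.home_country


# Tool A is tuned for sensitivity: any login from outside the user's home
# country is "high", with no further context required.
tool_a = Tool("tool_a", [
    Rule("foreign_login", "high", _foreign_login),
    Rule("offhours_login", "low", lambda e: e.action == "login" and _off_hours(e)),
])

# Tool B wants more signals before it escalates: foreign + admin + off-hours
# is "critical", foreign alone is "medium", off-hours alone is informational.
tool_b = Tool("tool_b", [
    Rule("foreign_admin_offhours", "critical",
         lambda e: _foreign_login(e) and e.is_admin and _off_hours(e)),
    Rule("foreign_login", "medium", _foreign_login),
    Rule("offhours_login", "informational",
         lambda e: e.action == "login" and _off_hours(e)),
])

# Constructed events (not real telemetry).
EVENTS = {
    # Non-admin, 10:00, from a country other than home: a travelling employee
    # produces exactly this. Tool A labels it "high", tool B "medium".
    "travel_login": Event("alice", "login", "FR", "US", 10, False),
    # Admin, 03:00, from abroad: both tools escalate, to different labels.
    "admin_night_foreign": Event("bob", "login", "BR", "US", 3, True),
    # Domestic login at 23:00: "low" for tool A, "informational" for tool B.
    "late_domestic": Event("carol", "login", "US", "US", 23, False),
}


def compare(ev: Event) -> Dict[str, Optional[str]]:
    """Severity each tool assigns to one event, keyed by tool name."""
    out: Dict[str, Optional[str]] = {}
    for t in (tool_a, tool_b):
        res = t.classify(ev)
        out[t.name] = res["severity"] if res else None
    return out


if __name__ == "__main__":
    for label, ev in EVENTS.items():
        print(f"{label:22s} {compare(ev)}")
```

The "travel_login" event is the interesting one: tool_a reports "high" purely because its rule fires on any foreign source, so the label records the rule's sensitivity, not anything that happened as a result of the login. Neither tool is wrong by its own criteria; the labels simply encode different design assumptions.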

Why Low Severity Does Not Mean Irrelevant

Lower-severity alerts can still provide useful information.

They may:

  • Establish baseline behavior
  • Add context to other alerts
  • Reveal patterns when viewed over time
  • Document environmental changes

Severity does not determine whether an alert is meaningful in isolation or in combination with other signals.
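To show what "reveal patterns when viewed over time" looks like in practice, here is an added example that is not part of this page or of any originating tool. It takes a constructed stream of alerts, each carrying the "low" or "informational" label a hypothetical tool gave it, and counts how many failed-login alerts for one user fall inside any five-minute window. The alert fields, the window length and the threshold are assumptions; the original labels are carried through unchanged, and the window summary is a separate derived observation rather than a re-scoring of the alerts.

```python
"""Added example: low-severity alerts viewed over a time window.

Constructed alert stream (not real telemetry). Every 'failed_login' alert
is 'low' on its own; grouping them per user into a sliding window makes a
burst visible without altering any alert's original severity.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# (timestamp, user, source_ip, rule, severity) as the hypothetical tool emitted them.
ALERTS: List[Tuple[str, str, str, str, str]] = [
    ("2024-05-01T08:02:10", "alice", "10.0.0.5", "failed_login", "low"),
    ("2024-05-01T08:41:55", "alice", "10.0.0.5", "failed_login", "low"),
    ("2024-05-01T09:15:00", "carol", "10.0.0.9", "password_changed", "informational"),
]
# Twelve failed logins for 'bob' fifteen seconds apart, cycling over four
# source addresses (RFC 5737 documentation range, constructed for the example).
_BASE = datetime(2024, 5, 1, 8, 10, 0)
ALERTS += [
    ((_BASE + timedelta(seconds=15 * i)).isoformat(), "bob",
     f"203.0.113.{10 + i % 4}", "failed_login", "low")
    for i in range(12)
]


def max_burst(alerts, rule: str = "failed_login",
              window: timedelta = timedelta(minutes=5)) -> Dict[str, dict]:
    """For each user, the largest number of `rule` alerts inside any span of
    length `window`, plus the distinct source IPs and the severity labels
    seen in that span. Labels are reported, never changed."""
    by_user: Dict[str, List[Tuple[datetime, str, str]]] = defaultdict(list)
    for ts, user, ip, r, sev in alerts:
        if r == rule:
            by_user[user].append((datetime.fromisoformat(ts), ip, sev))

    summary: Dict[str, dict] = {}
    for user, items in by_user.items():
        items.sort()
        best = {"count": 0, "ips": set(), "severities": set()}
        left = 0
        for right, (t, _, _) in enumerate(items):
            # Advance the left edge until the span fits inside the window.
            while t - items[left][0] >= window:
                left += 1
            span = items[left:right + 1]
            if len(span) > best["count"]:
                best = {
                    "count": len(span),
                    "ips": {ip for _, ip, _ in span},
                    "severities": {s for _, _, s in span},
                }
        summary[user] = best
    return summary


def noteworthy(summary: Dict[str, dict], threshold: int = 5) -> List[str]:
    """Users whose densest window reached `threshold` alerts (assumed value)."""
    return sorted(u for u, b in summary.items() if b["count"] >= threshold)


if __name__ == "__main__":
    s = max_burst(ALERTS)
    for user, b in s.items():
        print(f"{user:6s} max in 5 min: {b['count']:2d}  "
              f"ips={sorted(b['ips'])}  severities={sorted(b['severities'])}")
    print("noteworthy:", noteworthy(s))
```

Alice's two alerts, forty minutes apart, never share a window and look like ordinary mistyped passwords; Bob's twelve within three minutes from four addresses form a pattern that none of the individual "low" alerts conveys. The severity field is the same on every one of them, which is the point: the label describes each alert's classification, not whether the alerts matter together.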

Common Misunderstandings

  • Treating severity as a verdict rather than a label
  • Assuming severity reflects confirmed damage or outcome
  • Expecting consistent severity classifications across tools
  • Believing severity alone determines importance
  • Ignoring lower-severity alerts entirely
  • Interpreting severity as a measure of intent
  • Assuming severity never changes with context

How This Site Uses Severity Information

This site documents alert severity as presented by the originating system. Severity is described to provide context about how an alert was classified at generation time.

No reinterpretation, re-scoring, or prioritization is applied. Severity information is presented for understanding, not instruction.

Related Explanations