A false negative is harmful activity that should have been detected but was missed by a rule or control.
A false negative is a harmful event or behavior that should have been detected but was missed. In plain language, it is the case where suspicious or malicious activity happens, but the monitoring or detection system does not flag it.
False negatives matter because they create blind spots. A monitoring program can look busy and sophisticated while still missing the incidents that actually matter most.
They also matter because absence of alerts is not proof of safety. Security teams need to measure coverage, investigate gaps, and use practices like Threat Hunting to look beyond what automated detections happen to catch.
| Cause | Why it creates gaps |
|---|---|
| Missing telemetry | The relevant logs are never collected, so there is no data to detect on |
| Poor rule logic | The signal is in the data, but the rule does not match it or scores it too low |
| Coverage gaps | Some systems or accounts are not monitored at all |
False negatives appear in detection engineering, SIEM tuning, EDR coverage review, threat modeling, and post-incident analysis. Teams often learn about them only after Incident Response or Root Cause Analysis shows that the environment had signals that the existing rules did not detect or escalate properly.
Security teams care about false negatives because missing serious activity is often more dangerous than processing extra noise.
| Outcome | What happened | Impact |
|---|---|---|
| False negative | Harmful activity occurred but was missed | Silent exposure or delayed response |
| False positive | Alert fired without a real threat | Wasted time and alert fatigue |
| True positive | Real threat detected accurately | Effective response possible |
An illustrative scenario: a company discovers after the fact that unauthorized administrative actions occurred over several days without a corresponding alert, even though the necessary log sources existed. The missed detection is a false negative, and it prompts a review of both the rules and the workflow around them.
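As an added illustration (not part of the original page), the scenario above and the two tables can be worked through in Python: a deliberately naive detection rule is scored against constructed, labelled admin-activity events, each miss is attributed to one of the cause categories, and recall (1 minus the false negative rate) gives the coverage figure the text says teams should measure. The host names, field names, event format and the rule itself are constructed assumptions.

```python
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Event:
    host: str
    action: str
    malicious: bool                  # ground truth, e.g. from post-incident review
    fields: dict = field(default_factory=dict)

MONITORED_HOSTS = {"web01", "db01"}  # app01 was never onboarded (coverage gap)

def admin_grant_rule(ev: Event) -> bool:
    """Naive rule: exact 'admin_role_grant' from a monitored host that shipped a 'target' field."""
    if ev.host not in MONITORED_HOSTS:
        return False
    if "target" not in ev.fields:           # this source sometimes drops the field (missing telemetry)
        return False
    return ev.action == "admin_role_grant"  # case-sensitive exact match (brittle rule logic)

def explain_miss(ev: Event) -> str:
    """Attribute a missed malicious event to one of the cause categories in the table above."""
    if ev.host not in MONITORED_HOSTS:
        return "coverage gap"
    if "target" not in ev.fields:
        return "missing telemetry"
    return "poor rule logic"

def score(events, rule):
    """Classify every event as TP, FP, FN or TN; return the counts and the false negatives."""
    labels = {(True, True): "TP", (True, False): "FP", (False, True): "FN", (False, False): "TN"}
    counts, false_negatives = Counter(), []
    for ev in events:
        label = labels[(rule(ev), ev.malicious)]
        counts[label] += 1
        if label == "FN":
            false_negatives.append(ev)
    return counts, false_negatives

def recall(counts) -> float:
    return counts["TP"] / (counts["TP"] + counts["FN"])  # 1 - recall is the false negative rate

# Constructed sample events standing in for several days of admin-activity logs.
EVENTS = [
    Event("web01", "admin_role_grant", False, {"target": "bob"}),  # approved change -> FP
    Event("web01", "admin_role_grant", True, {"target": "eve"}),   # caught -> TP
    Event("app01", "admin_role_grant", True, {"target": "eve"}),   # unmonitored host -> FN
    Event("db01", "admin_role_grant", True, {}),                   # field not shipped -> FN
    Event("db01", "Admin_Role_Grant", True, {"target": "eve"}),    # casing differs -> FN
    Event("db01", "login", False, {}),                             # benign -> TN
]
```

Running `score(EVENTS, admin_grant_rule)` shows one true positive against three false negatives, so the rule looks alive in the console while catching only a quarter of the malicious activity; `explain_miss` on each miss maps it to the row of the causes table that needs fixing.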
A false negative is not simply “no alerts today.” It specifically means harmful or relevant activity occurred and the system failed to detect it.
It is also different from a False Positive, which is an alert that fired even though the intended threat was not actually present.
It is also a mistake to assume false negatives can be eliminated completely. The goal is to reduce the risk and shrink the gap between what happens and what gets detected.