Product FAQ: FN/FP Feedback Loop - Abnormal Security

False Positive Rate

Abnormal Security’s current false positive rate is approximately 1:1 million messages, meaning less than 1%. Our technology detects anomalies by analyzing thousands of signals, comparing individual events and sequences of events against behavioral norms to determine the level of risk. Even when our models do make an error in determining the level of risk, a business-critical false positive is extremely rare.

Why do false positives happen?

Our software leverages a myriad of AI techniques to analyze thousands of signals before making a judgment on the threat level of an email. When a false positive does occur, we see exactly why that email was flagged and provide your team with a detailed report explaining why.

False Positive Reporting and Feedback Process

We take both false positives and false negatives very seriously. If either does happen, we have a thorough protocol in place to remediate the situation and use the information to tune the system and models to increase efficacy.

When your team has identified a false positive, this can easily be reported through a 1-click process within the Abnormal Security Portal which moves the message back to the recipient’s inbox while notifying our team of the incident. We will investigate the false positive and provide a report detailing why the message was identified as malicious and how we’ll change to prevent similar future false positives.

False Negative Reporting and Feedback Process

A false negative can be reported within the portal by either uploading the email or manually inputting the following information:

  • Email Subject
  • Recipients
  • Sender
  • Date
  • Open Description

Reporting a False Negative

Below you can see an example of the portal. In the drop-down menu under your name on the top right of the portal, you will see an option to “Report Missed Attack”. Next, you will be asked to provide information on the email, along with the option to upload the message.

Here you can see an example of a remediated false negative report. Once our team reviews the flagged message and investigates why this happened, we will email your team with a report detailing our findings.

This is an example of the process of a report:

Commonly Asked Questions:

What happens after we submit any False Positives (FP) within the Customer Report Portal?

After submitting a false positive, there are several actions that will take place:

  1. We move the message back to the user’s inbox.
  2. We scrub any history of this email from our threat log.
  3. We provide a report to your team acknowledging your submission and the changes we’re making to prevent us from capturing the same message in the future.

Does Abnormal Security have the ability to route suspicious messages where some element of the analysis is inconclusive and not shown within Threat Log?

We’ve incorporated this into the product roadmap and are building a message routing system. This broader system and its controls will allow security teams to:

  • Select the suspicious stream of emails
  • Select emails based on probable attack type — phishing/malware vs. spam
  • Optionally select based on recipient — e.g. messages targeting VIPs
  • Change disposition of email — remediate / quarantine / add a banner
  • Send it to the security team for review — through Demisto or email notifications

What happens when you miss an attack (false negatives)?

  • This can be reported within the Customer Report Portal by uploading the email or specifying the following attributes:
    • Email Subject
    • Recipients
    • Sender
    • Date
    • Open Description
  • Our team would then investigate and provide a report on how we missed this attack and changes we’re making to dete

Want to learn more?

Schedule a personalized product demo to see:

  • Threat analytics, insights and reporting
  • Automated Triage, Investigation and response tools
  • Platform integrations into SIEM, SOAR
  • …and more