Why are whitelist strategies risky for email security?

Whitelist strategies create security vulnerabilities when trusted vendors get compromised. As one security expert shared: 'When we had Proofpoint, we would have companies that we had whitelisted. Then one of them would get hit and start sending stuff out. They would walk right in.' Modern approaches favor real-time threat evaluation instead.

How do you justify email security costs beyond basic SEG protection?

Cost justification comes from quantifiable metrics showing missed threats. As explained by a practitioner: 'You can show them raw numbers of how much stuff gets blocked by IRONSCALES that gets missed by Microsoft. So there's your cost justification right there.'

How many phishing attacks do SEGs miss per month?

Research shows SEGs miss an average of 67.5 phishing attacks per 100 mailboxes monthly, with Barracuda missing 101 attacks, Proofpoint 68.4, Cisco IronPort 51.6, and Mimecast 38.4 per 100 mailboxes.

Why do smaller organizations face more missed email attacks?

Smaller organizations (1-99 mailboxes) face 751 missed attacks per 100 mailboxes from Barracuda alone because they lack dedicated staff to constantly tune rules and manage whitelists, unlike larger organizations with dedicated security teams.

What types of attacks do SEGs miss most often?

SEGs primarily miss credential theft attacks (32.8%) and vendor scams (34.3%), which are the exact threats that bypass traditional rule-based detection methods.

What is the three-quarantine problem with SEGs?

The three-quarantine problem refers to having quarantine locations in your SEG, quarantine in M365/Google, and users asking where emails went, creating operational complexity for IT teams managing multiple email security layers. As one expert noted: 'There's a balance there - Defense in Depth versus having three places to go find something.'

SEG

Three Security Vets Drop Uncomfortable SEG Truths

Audian Paxson July 2, 2025

What happens when you put three seasoned security practitioners in a room with data that shows exactly how many phishing attacks their tools are missing?

You get the kind of honest conversation most vendors don't want you to hear.

I just hosted a webinar that felt more like eavesdropping on a coffee shop conversation between security veterans than your typical vendor pitch-fest.

SEG Webinar Guest Speakers

Jason Phillips (Sensient Technologies), Jeff Rader (Hoosier Energy), and Michael Kobrowski (SMC) joined me to dig into some research that's been making waves... SEGs are missing 67.5 phishing attacks per 100 mailboxes every month.

That number hit different when it came from practitioners who'd lived through the pain.

The "We Had No Idea" Moment

The most telling part? None of these guys knew how bad their visibility gap was until they had a way to measure it.

Jeff's reaction was particularly memorable: "We were getting 10-15 misses a day that...became obvious once we could see them." Jason discovered his SEG was letting through 6,500 phishing emails in a single week. Michael admitted he was initially hesitant about "another tool" but got convinced quickly when he saw what was slipping through.

Before having visibility into what their SEGs missed, they relied on what Jason called "sharp eyes" - that one reliable employee who'd spot the suspicious stuff (we've all worked with that person).

The Maintenance Reality Check

One insight that landed hard: why smaller organizations get hammered worse. The data shows companies with 1-99 mailboxes face 751 missed attacks per 100 mailboxes from Barracuda alone.

That's not a typo.

SEG Gaps Smaller Orgs

Jason nailed the explanation...smaller teams can't babysit their SEGs the way larger organizations can. They don't have dedicated staff constantly tuning rules and managing whitelists. So, while the tools work the same way, the outcomes are dramatically different.

The Three-Quarantine Problem

Jeff dropped what might have been the line of the webinar: dealing with "three quarantine places is a drag."

Anyone who's managed email security knows this pain. You've got quarantine in your SEG, quarantine in M365/Google, and users asking where their emails went. Meanwhile, you're playing detective across multiple systems trying to track down that "urgent" message from the CEO that turned out to be legitimate.

The group wrestled with this exact tension during our discussion. As Jason put it: "There's a balance there...defense in depth versus having three places to go find something." Everyone gets that email filtering is a requirement, but the operational complexity of managing multiple layers can become its own problem.

Jeff's perspective captures it perfectly: you need the protection, but the simpler you can make the investigation process, the better off your team will be.

The Buzzword Winner

When we asked which industry buzzword makes them hit delete fastest, "AI" won decisively. Not because they're anti-technology, but because they're tired of vendors slapping "AI-powered" on everything without explaining what it actually does. And yes, I see the irony too, but TBC, we've been using (home-grown) AI in our email security platform for almost 10-years.

Michael summed it up: vendors need to show, not tell. Real data beats marketing speak every time.

What Actually Triggers Change

The conversation about what finally pushes security teams to look for better solutions got real, quickly. Between breaches, phish clicks, VIP complaints, and increasing time spent on email tickets...it's usually all of the above, plus the realization that you're flying blind.

As one panelist put it: "You find out when something bad happens" isn't a strategy anyone wants to stick with.

The Whitelist Vulnerability That Everyone Knows

Before diving into the numbers, Jason shared a story that'll sound familiar to anyone managing email security. When they used Proofpoint, they'd whitelist trusted vendors and partners. Standard practice, right?

Then one of those whitelisted companies got compromised.

"They would walk right in," Jason explained. "So it's nice to not have that anymore. When people say I need this whitelisted, I say, no. We don't do that. We'll evaluate the threat when it comes because we know it is coming at some point." (watch the video clip below)

That's the allowlist weakness problem in action, and it shows up in the data.

The Numbers Don't Lie

The research covered 1,921 IRONSCALES customers who also use SEGs, so we could measure exactly what traditional gateways miss:

Barracuda: 101 missed attacks per 100 mailboxes monthly
Proofpoint: 68.4 missed attacks per 100 mailboxes monthly
Cisco: 51.6 missed attacks per 100 mailboxes monthly
Mimecast: 38.4 missed attacks per 100 mailboxes monthly

What's getting through? Primarily credential theft (32.8%) and vendor scams (34.3%), the exact threats that bypass traditional rule-based detection.

Jason's whitelist story suddenly makes a lot more sense when you see vendor scams topping the list.

Want to See What You're Missing?

Curious about your own environment? We built a calculator that uses this same research data to estimate what your SEG might be missing. Takes about 8 seconds and uses real numbers from organizations like yours.

Try the SEG Missed Attacks Calculator →

Watch the Full Conversation

The 30-minute recording captures the complete discussion, including the war stories we couldn't fit here. No sales pitch, just practitioners sharing real experiences with real data.

Watch the Hidden Gaps Webinar →

Get the Research Details

The full whitepaper breaks down the methodology, vendor-specific findings, and attack type distributions. It's the kind of data you can actually use in budget discussions.

Download the Hidden Gaps in SEG Protection Report →

Sometimes the most valuable insights come from admitting what you don't know. In this case, most security teams don't know how many attacks their SEGs miss each month. Now you can find out.

Explore More Articles

Say goodbye to Phishing, BEC, and QR code attacks. Our Adaptive AI automatically learns and evolves to keep your employees safe from email attacks.

For Enterprises

For MSPs & MSSPs

Protect Better

Simplify Operations

Empower Your Org

15,000+ Customers and Counting

Case Studies

Reviews

Osterman Research: AI Trends in Cybersecurity

Case Study: Concentrix

Our Awards

HOW IRONSCALES WORKS

Platform Overview

API Integration

Artificial Intelligence

Human Element

TAKE A TOUR

Product Tours

Platform Overview Tour

GenAI Copilot for Outlook

GPT-Powered Spear Phishing Campaigns

Discover the Reality of Deepfake Threats: Stay Ahead With the Latest Insights

BY USE CASE

Business Email Compromise

Advanced Malware & URL Attacks

Credential Harvesting

Account Takeover Attacks

DMARC Management

Generative AI Attacks

Phishing Simulation Testing

Security Awareness Training

BY PLATFORM

BY PROJECT

BY ROLE

LEARN

Blog

Deepfake Insights

Cybersecurity Glossary

Resource Library

Guides

Platform Tours

CONNECT

Events

Newsletter

LinkedIn

The Hidden Gaps in SEG Protection

New Gartner® Email Security Magic Quadrant™

Are Deepfake Emails Phishing 3.0?

Phishing Prevention

Spear Phishing

Voice Phishing

BY TYPE

MSPs and MSSPs

Resellers

Technology Partners

ENGAGE

Become Partner

Partner Portal

Partner with IRONSCALES