Introduction

Tracking cybersecurity incidents is hard for a few reasons. Information about security incidents is highly fragmented across sources, so no single place gives you the full view.

At the same time, the most prominent incidents generate overwhelming coverage. That creates noise when you’re trying to track unique incidents.

You also typically don’t need to know about every incident everywhere. You have a specific set you’re interested in, but narrowing down on things like industry, geography, or specific attack type comes with its own set of challenges.

To make things harder, the majority of cyber security breaches don’t get widely publicized. Mainstream media typically covers the breaches attached to Fortune 500 names. And if you ask a regular search engine, you’ll get a narrow set of authority headlines. That includes using AI search or Deep Research, which summarizes events based on this exact type of search, which uses a ranking-first index.

As a result, if you’re monitoring risk and relying on traditional search, it’s easy to miss the important stories that matter to you. Ideally, your threat intelligence workflow gathers every single incident across all sources that you care about, and understands when multiple reports relate to the same incident. However, most workflows lack the needed recall and coverage to catch the incidents that go beyond the top-ranked results of a search engine.

In this article, we’ll demonstrate CatchAll, a recall-first web search API that can readily be used in your threat intelligence workflows. We’ll use it to surface all relevant security incidents in the US over a short time period.

How Do You Find Every U.S. Security Breach in 3 Days?

To find every U.S. security breach in a 3-day window, you have to search everything and filter down: one enumeration query against the full web, then validation and deduplication. We selected security incidents because they're relevant across industries, the scale is large enough to expose fragmented sources and poor signal-to-noise ratios, and the results clearly demonstrate traditional search's weaknesses.

We asked the CatchAll API about U.S. security incidents between May 10 and May 12, 2026. We asked it to include things like data breaches, ransomware attacks, cyber incidents, and hacks. The search took around 10 minutes to complete, and ran in three steps:

  • Scan: A query like this scans CatchAll’s full index of 2B+ pages, including national and regional news sites, cyber trade publications, disclosures, and a long tail of relevant blogs and aggregators.
  • Deduplicate: CatchAll automatically deduplicated the events in the resulting dataset using an advanced algorithm.
  • Enrich: CatchAll automatically enriched the results with industry classification and incident type categorization.

Deduplication addresses one of the big challenges of monitoring security incidents, namely the disproportionate share of articles about the most prominent incidents. Most security incidents are typically cited by only 1-2 sources, while the most popular ones have hundreds or thousands of articles written about them. This is why deduplication is a crucial aspect, letting you actually see the unique incidents taking place.

Enrichment matters for a similar reason. Teams usually want to focus on their specific industry and might only be interested in certain types of security incidents. This made it easy to filter the data to see which sectors dominated and what categories of incidents happened in the period.

The goal here was the complete picture of real-world security incidents, not just the polished headlines that reach mainstream media. Cyber risk is extremely networked, and a breach at a small third-party vendor could be an entry point for larger attacks. In fact, breaches involving third parties surged by 60% and accounted for nearly half of all data breaches, according to the 2026 Verizon Data Breach Investigations Report (DBIR).

What Do 272 Security Breaches in 3 Days Look Like?

The 3-day search returned 272 security breaches and incidents covered across 1,300 web pages in total.

The top 20 incidents alone accounted for almost three quarters of the coverage. That means 252 other incidents were reported in just one third of the citations. The picture is this skewed because two thirds of incidents only have a single article reporting them.

The reported incidents had a good spread across different types of sources. The biggest news outlets both nationally and regionally, dedicated cyber trade press, and disclosures/filings were all part of the picture. Additionally, niche blogs and aggregators, sources that often report on incidents that go under-the-radar of mainstream media, were well represented. National news alone misses over 80% of all incidents in the period, and the incidents national news does cover are the ones already reported widely elsewhere. To get a complete picture of all the security incidents that happened, diversifying the search across sources, like CatchAll does, is critical.

Most breaches occurred within the technology sector, followed by finance, government, healthcare, education and retail. Data breaches were the most common (40%) incident type across all industries. Infrastructure compromises were the second-most common incident type, notably concentrated within tech and finance. Phishing campaigns were the third-most reported incident type, and half of them occurred in the government.