Introduction
Tracking cybersecurity incidents is hard for a few reasons. Information about security incidents is highly fragmented across sources, so no single place gives you the full view.
At the same time, the most prominent incidents generate overwhelming coverage. That creates noise when you’re trying to track unique incidents.
You also typically don’t need to know about every incident everywhere. You have a specific set you’re interested in, but narrowing down on things like industry, geography, or specific attack type comes with its own set of challenges.
To make things harder, the majority of cyber security breaches don’t get widely publicized. Mainstream media typically covers the breaches attached to Fortune 500 names. And if you ask a regular search engine, you’ll get a narrow set of authority headlines. That includes using AI search or Deep Research, which summarizes events based on this exact type of search, which uses a ranking-first index.
As a result, if you’re monitoring risk and relying on traditional search, it’s easy to miss the important stories that matter to you. Ideally, your threat intelligence workflow gathers every single incident across all sources that you care about, and understands when multiple reports relate to the same incident. However, most workflows lack the needed recall and coverage to catch the incidents that go beyond the top-ranked results of a search engine.
In this article, we’ll demonstrate CatchAll, a recall-first web search API that can readily be used in your threat intelligence workflows. We’ll use it to surface all relevant security incidents in the US over a short time period.
How Do You Find Every U.S. Security Breach in 3 Days?
To find every U.S. security breach in a 3-day window, you have to search everything and filter down: one enumeration query against the full web, then validation and deduplication. We selected security incidents because they're relevant across industries, the scale is large enough to expose fragmented sources and poor signal-to-noise ratios, and the results clearly demonstrate traditional search's weaknesses.
We asked the CatchAll API about U.S. security incidents between May 10 and May 12, 2026. We asked it to include things like data breaches, ransomware attacks, cyber incidents, and hacks. The search took around 10 minutes to complete, and ran in three steps:
- Scan: A query like this scans CatchAll’s full index of 2B+ pages, including national and regional news sites, cyber trade publications, disclosures, and a long tail of relevant blogs and aggregators.
- Deduplicate: CatchAll automatically deduplicated the events in the resulting dataset using an advanced algorithm.
- Enrich: CatchAll automatically enriched the results with industry classification and incident type categorization.
Deduplication addresses one of the big challenges of monitoring security incidents, namely the disproportionate share of articles about the most prominent incidents. Most security incidents are typically cited by only 1-2 sources, while the most popular ones have hundreds or thousands of articles written about them. This is why deduplication is a crucial aspect, letting you actually see the unique incidents taking place.
Enrichment matters for a similar reason. Teams usually want to focus on their specific industry and might only be interested in certain types of security incidents. This made it easy to filter the data to see which sectors dominated and what categories of incidents happened in the period.
The goal here was the complete picture of real-world security incidents, not just the polished headlines that reach mainstream media. Cyber risk is extremely networked, and a breach at a small third-party vendor could be an entry point for larger attacks. In fact, breaches involving third parties surged by 60% and accounted for nearly half of all data breaches, according to the 2026 Verizon Data Breach Investigations Report (DBIR).
What Do 272 Security Breaches in 3 Days Look Like?
The 3-day search returned 272 security breaches and incidents covered across 1,300 web pages in total.
The top 20 incidents alone accounted for almost three quarters of the coverage. That means 252 other incidents were reported in just one third of the citations. The picture is this skewed because two thirds of incidents only have a single article reporting them.
The reported incidents had a good spread across different types of sources. The biggest news outlets both nationally and regionally, dedicated cyber trade press, and disclosures/filings were all part of the picture. Additionally, niche blogs and aggregators, sources that often report on incidents that go under-the-radar of mainstream media, were well represented. National news alone misses over 80% of all incidents in the period, and the incidents national news does cover are the ones already reported widely elsewhere. To get a complete picture of all the security incidents that happened, diversifying the search across sources, like CatchAll does, is critical.
Most breaches occurred within the technology sector, followed by finance, government, healthcare, education and retail. Data breaches were the most common (40%) incident type across all industries. Infrastructure compromises were the second-most common incident type, notably concentrated within tech and finance. Phishing campaigns were the third-most reported incident type, and half of them occurred in the government.
Incidents were reported evenly throughout the 3-day window. However, the most popular stories had a disproportionately large share of the coverage, and kept getting cited by sometimes hundreds of sources.
The chart below shows unique incidents by when they were first reported on the x-axis, while the y-axis shows how many citations they had. The top 7 big headlines eat up all the attention of a ranking-first search engine. The long tail of blue dots at the bottom represent real and important cyber incidents that stay invisible to traditional search approaches.
CatchAll automatically recognized which articles were about the same incident, and clustered these, making it easy to get a clean overview of everything that happened.
A few examples of incidents that only had a single citation include:
- 25M individuals confirmed affected by the 2024 Conduent attack, with Missouri regulators saying the company is withholding info. Cited only in TechTarget.
- 1.4M Medicare beneficiaries reissued new cards + numbers due to breach. Cited only in Cannon Courier, a Tennessee weekly newspaper.
- 700K records confirmed affected in a Telehealth platform breach. Cited only in HIPAA Journal.
These are exactly the incidents with material consequences that bypass mainstream media and would be missed entirely by traditional search.
Why Does Traditional Search Miss Most Security Incidents?
Traditional search would have missed most of the incidents CatchAll found. Google and traditional search engines are based around ranking the most relevant results, and use things like an outlet’s web authority to gauge that relevance. They also index articles from big news outlets faster, so reporting from niche publications, such as dedicated cyber press with potentially unique stories, gets delayed.
If you ask an AI agent (Claude, ChatGPT, Gemini, etc) to find security incidents, they’re relying on exactly these types of search engines to serve you the answer. You’re essentially being served the same answer, taken from the first couple of Google SERP results, in a different wrapper.
The infrastructure traditional search uses is great when you need one answer, but when you’re looking for completeness it’s the wrong form factor. In most cases, traditional search concentrates results to a very small fraction of incidents that happened in the real world. The type of recall-first search that CatchAll offers is built from the ground up to give you a complete picture, which is critical if you’re serious about building a cyber security and risk monitoring workflow.
Why Is Data Breach Monitoring So Hard Today?
A key problem in data breach monitoring is the fragmentation of information. No single source gives you the complete picture, and the majority of incidents have too few sources reporting on them to surface in traditional, ranking-based search. This leaves SOC teams and analysts with two challenges at once: their signal is weak, flooded with noise from the handful of most popular incidents, while the long tail of incidents stays invisible. The distance between what traditional search finds and what actually happened is a real information gap, and closing it requires a different search approach.
The data we got from the search with CatchAll shows the problem. Less than 20% of the 272 incidents found in the 3-day window were reported in national news; this small portion of incidents did, however, have 20+ citations on average. 80%+ of incidents came from sources scattered across regional news, cyber trade press, disclosures and blogs/aggregators, most often cited in a single source.
For teams monitoring security incidents, partial intelligence is a professional liability. The exact incidents you don’t see could be the ones that matter. Case in point: breaches at small, third-party vendors are a fast-rising risk, up 60% year over year, and increasingly someone else's entry point. That’s why surfacing the entire landscape, not just the loudest events, is so important. CatchAll uses a recall-first type of search built exactly for this.
What Is Data Breach Monitoring?
Data breach monitoring is the continuous tracking of disclosed breaches across news, filings, trade press, and blogs. A data breach is any security incident where unauthorized parties access sensitive data, while a data breach monitoring tool is designed to automate the tracking of these incidents. However, most incidents surface in only one or two places, so any tool is only as complete as the search underneath it.
How Does Recall-First Search Change AI Threat Intelligence?
Recall-first search changes AI threat intelligence by fixing the input layer: the model sees every incident, not just the ones that rank. More and more threat intelligence work is being handed to AI. Security teams are building monitoring agents, vendor-risk pipelines and automated intel gathering. But AI agents are only as good as the data they can retrieve. An agent built on a ranking-first index sees only the incidents that rank, while the majority, reported once in a regional or trade publication, never enters its context at all. And there’s a hidden danger compared to doing it manually. A human analyst scrolling through search results can see they’re scratching the surface. An AI returns a confident summary that looks complete, with nothing to tell you it was built from a fraction of what actually happened.
That’s why an automated monitoring workflow should have recall as a core metric. A pipeline built on traditional, ranking-first search will systematically drop the long tail. In our 3-day scan of U.S. security incidents, the long tail was most of the story: two thirds of incidents were only mentioned in one place.
Let’s say you have an agent monitoring a list of suppliers for vendor risk. One of the vendors gets breached and the only coverage is an article in a regional publication which never makes the top-ranked results. The agent simply reports “no incidents found”. A confident absence of data is an error that is both hard to spot and hard to rectify. You can clean data, but you can’t materialize missing data.
CatchAll’s recall-first search fixes the problem at its root. Instead of ranking results, it enumerates them. That means you get every matching incident across the index, clustered as unique events, and returned as a clean, structured JSON your pipeline can use directly. And because completeness is the whole point, we have a benchmark that measures the share of real-world events actually surfaced. In Q1 2026, CatchAll's observable recall was 79.8%. To put that in perspective, the next-best tool in the benchmark (Exa Websets) reached 19.6%, while OpenAI's deep research found under 1% of the observable events. The recall-first architecture clearly shows up in the numbers.
And the case for recall-first search becomes even stronger when looking at costs. The token economics of a recall-first search with built-in deduplication are far better than a pipeline built on ranking-first search that feeds raw search results to an LLM, often with hundreds of similar articles about the same headline breach.
Why Does Recall-First Search Matter Beyond Cybersecurity?
Security incidents are one clear case of the retrieval gap: in any workflow where the goal is to find everything, a search that ranks for relevance instead of completeness will surface only a fraction of what actually happened.
But the same gap also hits market intelligence teams tracking M&A and fundraising, compliance teams tracking regulatory actions, analysts watching financial risk signals, geopolitical and OSINT monitoring. These are crucial workflows where the information landscape is highly fragmented, and where the majority of reporting is concentrated around just a fraction of the incidents that actually happened.
With most real-world events reported once, in places that traditional, ranking-first search typically doesn’t reach, enumeration of these events is the foundation to build on. CatchAll's recall-first API is built to surface every matching event, and finds several times as many as other approaches.
Summary
We queried CatchAll to find US security incidents for a 3-day window in May 2026. It found 272 incidents after scanning 13,000+ candidate pages across more than 600 domains. The incidents were highly scattered across sources, and national news covered fewer than one in five.
This highlights a key challenge of data breach monitoring today: a fragmented information landscape where no fixed set of feeds, or traditional search engine, can give you the whole picture.
The solution is a recall-first search approach. If you want to see what a complete dataset looks like for your own use case, getting started with CatchAll is easy and you can get started for free. You get 2,000 credits when signing up, and you’ll also be able to set up a Monitor to turn on data breach monitoring for your industry, automatically on a schedule.