17%: The figure that changes your risk math

Most organizations deploy a Secure Email Gateway (SEG) assuming it will catch whatever their native email security provider would not be able to. But the data tells a different story. Nearly one in six of the riskiest inbound emails still evade the native + SEG layers on the first pass – 17% is the average SEG miss rate after Microsoft filtering.  

How did we calculate the miss rate? The figure comes from a volume-weighted analysis of real-world enterprise deployments where Darktrace operated alongside a SEG, compared to deployments without a SEG. It’s based on how each security layer treated malicious emails on the first instance – if the SEG missed the email at the initial filtering but caught it minutes or hours later we considered it a miss, because the threat had already been exposed to the user. We computed the mean per category miss count across the top three widely deployed SEGs and divided that by the total number of threats that had already bypassed native filters. The resulting rate is 17.8%, conservatively communicated as “about 17%.”

This result is a powerful directional signal – not a guarantee for every environment – but significant enough to merit a closer look.

What SEGs miss most (and why it matters)

Our analysis shows that SEGs most frequently miss context-driven, low-signal attacks.

These are the kinds of emails that look convincing to recipients and rely on business context, without overtly malicious indicators, including:

Solicitation and fraudulent requests (~21% miss rate)

Deceptive invoices, vendor “updates,” payment term changes, or urgent favors. These messages often lack obvious payloads and exploit business process mimicry, making them nearly indistinguishable from genuine correspondence in the eyes of static, rule-based filters dependent on payload analysis. 22% of breaches stemming from external actors were a result of social engineering in 2025 (Verizon 2025 Data Breach Investigations Report).

Phishing links (~20% miss rate)

Links to credential harvesters or later-weaponized sites using new or compromised domains, redirects, or shorteners. URL rotation and staging evade list-based controls; the linguistic and workflow context looks routine. This also includes threats that leverage legitimate cloud platforms to disguise their intent and avoid reputation analysis.  Phishing remains one of the most expensive cause of breaches, an average cost of $4.8 million (IBM Cost of a Data Breach Report 2025).

User impersonation (~19% miss rate)

Convincing messages that mimic executives, colleagues, or partners, often with subtle display-name or address manipulation. These attacks rely on social engineering and context, bypassing static detection and reputation checks.

Other notable misses: Credential harvesting lures and forged/abused sender addresses, both typically light on static indicators but heavy on contextual clues. 

Why SEGs miss these emails

Let’s look at some of the reasons SEGs fail to catch more advanced, context-driven attacks.

1. Attack-centric bias. SEGs excel at recognizing known-bad indicators (spam, commodity malware). But today’s high-impact threats are supercharged by AI and can be hyper-customized with polymorphic malware or personalized social engineering. They mirror normal business communications and weaponize trust, not binary patterns.  
2. Limited behavioral understanding. Without modeling each user’s “normal” pattern of life, subtle anomalies (timing, tone, counterpart, transaction patterns) can look benign, even if they should be flagged. Some modern solutions have begun to incorporate behavioral analysis into their products, but these are still supplements for additional information rather than integrated into the core threat detection engine.
3. Assumed trust. Account compromise and attacks that abuse legitimate services exploit trust. SEGs weren’t designed to handle these kinds of threats, in fact, they assume trust in order to minimize false positives, leaving them wide open to attackers.  
4. Siloed detection. Email rarely tells the whole story. Attacks pivot across email, identity, and SaaS; single-channel tools can’t connect those dots in real time. This issue is exacerbated when email security vendors are only focused on email activity, ignoring activity beyond the inbox like network or cloud account activity.
5. Adaptive evasion. Fast domain churn, benign-looking links, and clean hosting on trusted platforms routinely outpace static rules and blocklists. No matter how great your threat intelligence or threat research teams may be, there is a reliance on a first victim – which leads to defenders remaining one step behind attackers. 

How Darktrace / EMAIL catches the threats SEGs miss

Everywhere a SEG falters, Darktrace excels. Let’s take a look why.

• Self-Learning AI: Darktrace learns the unique communication patterns of every user, department, and supplier, flagging the subtle deviations that typify social engineering and impersonation. 
• A zero trust approach: According to Gartner, many organizations fail to extend their zero-trust strategy to email, leaving a critical gap. Darktrace assumes no trust, applying the zero trust principle across all aspects of email communication.
• Cross-domain context: Correlates behavior across email, identity, and SaaS, exposing multi-stage campaigns that a siloed SEG can’t piece together. 
• Better together with native providers: Operates alongside your native email security – not against it – so protection is additive. Darktrace ingests native signals and orchestrate unified quarantine without duplicating policy stacks or forcing you to disable built-in protections. 

For example: one of our customers, a global enterprise saw a surge of “document-share” notifications from a trusted collaboration platform. The domain and authentication looked fine; their SEG allowed it. Darktrace / EMAIL flagged it because the supplier’s sharing behavior and permission scope deviated from normal (volume, recipients, and access level). Follow-up confirmed the supplier account was compromised. Behavioral context – not rules or signatures – made the difference. 

Three steps to building a modern email security stack

Let’s end with three strategic takeaways for ensuring your email security is fit-for-purpose.

1. Defense-in-depth = diversity, not duplication

Why it matters: Two security layers with the same detection philosophy (e.g. SEG + native email security) create overlapping blind spots. Both native email security providers and SEGs are attack-centric solutions that rely on past threats and threat intelligence. True defense-in-depth ensures you are asking different questions of every email that comes through.

How to apply: Pair your native email security with behavioral AI that learns how your business communicates. Eliminate redundant layers that only add cost and latency. 

2. Coordinate the layers you keep

Why it matters:  Layers that don’t talk create delays and hand-offs; SEGs often become sole decision-makers by forcing native protections off. 

How to apply:  Favor an ICES approach that ingests native signals and can orchestrate unified quarantine, so detections become actions in one motion. 

3. Quantify your security gap with a POV

Why it matters:  Every environment is different. You need evidence before making changes to your stack.

How to apply:  Run Darktrace / EMAIL in observe mode next to your current stack to surface exactly what’s still getting through. Use those results to plan your transition and measure improvement. 

‍

Ready to claim 17% more protection? Request a demo with Darktrace / EMAIL to quantify what your SEG is missing, then decide how much of that residual risk you’re willing to accept. We’ll help you plan a clean, staged transition that preserves native protections and streamlines operations.  In the meantime, calculate your potential ROI using Darktrace / EMAIL with our handy calculator.

[related-resource]

Darktrace is proud to be named as a Leader in the Gartner® Magic Quadrant™ for Email Security Platforms (ESP). We believe this recognition reflects what our customers already know: our product is exceptional – and so is the way we deliver it.

In July 2025, Darktrace was named a Customers’ Choice in the Gartner® Peer Insights™ Voice of the Customer for Email Security, a distinction given to vendors who have scores that meet or exceed the market average for both axes (User Interest and Adoption, and Overall Experience). To us, both achievements are testament to the customer-first approach that has fueled our rapid growth. We feel this new distinction from Gartner validates the innovation, efficacy, and customer-centric delivery that set Darktrace apart.

A Gartner Magic Quadrant is a culmination of research in a specific market, giving you a wide-angle view of the relative positions of the market’s competitors. CIOs and CISOs can use this research to make informed decisions about which email security platform can best accomplish their goals. We encourage our customers to read the full report to get the complete picture.

This acknowledgement follows the recent recognition of Darktrace / NETWORK, also designated a Leader in the Gartner Magic Quadrant for Network Detection & Response and named the only Customers’ Choice in its category.

Why do we believe Darktrace is leading in the email security market?

Our relentless innovation which drives proven results  

At Darktrace we continue to push the frontier of email security, with industry-first AI-native detection and response capabilities that go beyond traditional SEG approaches. How do we do it?

• With a proven approach that gets results. Darktrace’s unique business-centric anomaly detection catches advanced phishing, supply chain compromises, and BEC attacks – detecting them on average 13 days earlier than attack-centric solutions. That’s why 75% of our customers have removed their SEG and now rely on their native email security provider combined with Darktrace.
• By offering comprehensive protection beyond the inbox. Darktrace / EMAIL goes further than traditional inbound filtering, delivering account and messaging protection, DLP, and DMARC capabilities, ensuring best-in-class security across inbound, outbound, and domain protection scenarios.  
• Continuous innovation. We are ranked second highest in the Gartner Critical Capabilities research for core email security function, likely thanks to our product strategy and rapid pace of innovation. We’ve release major capabilities twice a year for nearly five years, including advanced AI models and expanded coverage for collaboration platforms.

We deliver exceptional customer experiences worldwide

Darktrace’s leadership isn’t just about excelling in technology, it’s about delivering an outstanding experience that customers value. Let’s dig into what makes our customers tick.

• Proven loyalty from our base. Recognition from Gartner Peer Insights as a Customers’ Choice, combined with a 4.8-star rating (based on 340 reviews as of November 2025), demonstrates for us the trust of thousands of organizations worldwide, not just the analysts.  
• Customer-first support. Darktrace goes beyond ticket-only models with dedicated account teams and award-winning service, backed by significant headcount growth in technical support and analytics roles over the past year.
• Local expertise. With offices spanning continents, Darktrace is able to provide regional language support and tailored engagement from teams on the ground, ensuring personalized service and a human-first experience.

Darktrace enhances security stacks with a partner-first architecture

There are plenty of tools out there than encourage a siloed approach. Darktrace / EMAIL plays well with others, enhancing your native security provider and allowing you to slim down your stack. It’s designed to set you up for future growth, with:

• A best-in-breed platform approach. Natively built on Self-Learning AI, Darktrace / EMAIL delivers deep integration with our / NETWORK, / IDENTITY, and / CLOUD products as part of a unified platforms – that enables and enhances comprehensive enterprise-wise security.
• Optimized workflows. Darktrace integrates tightly with an extended ecosystem of security tools – including a strategic partnership with Microsoft enabling unified threat response and quarantine capabilities – bringing constant innovation to all of your SOC workflows.  
• A channel-first strategy. Darktrace is making significant investments in partner-driven architectures, enabling integrated ecosystems that deliver maximum value and future-ready security for our customers.

Analyst recognized. Customer approved.  

Darktrace / EMAIL is not just another inbound email security tool; it’s an advanced email security platform trusted by thousands of users to protect them against advanced phishing, messaging, and account-level attacks.  

As a Leader, we believe we owe our positioning to our customers and partners for supporting our growth. In the upcoming years we will continue to innovate to serve the organizations who depend on Darktrace for threat protection.  

To learn more about Darktrace’s position as a Leader, view a complimentary copy of the Magic Quadrant report, register for the Darktrace Innovation Webinar on 9 December, 2025, or simply request a demo.

‍

Gartner, Gartner® Magic Quadrant™ for Email Security Platforms, Max Taggett, Nikul Patel, 3 December 2025

GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved. Magic Quadrant is a registered trademark of Gartner, Inc. and/or its affiliates and is used herein with permission. All rights reserved.

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Darktrace.

[related-resource]