What Is True positive? Security Definition
This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.
On This Page
Quick Definition
In security operations, a true positive happens when your detection system detects something bad that is actually happening. For example, if an antivirus program correctly flags a virus that is really on your computer, that is a true positive. It means the system is doing its job properly by catching real threats and not giving false alarms.
Commonly Confused With
A false positive is an alert that incorrectly identifies benign activity as malicious. A true positive correctly identifies malicious activity. The difference is whether the underlying activity is actually a threat.
Like a smoke detector going off because of steam from a shower (false positive) versus going off because of actual fire (true positive).
A true negative occurs when a security system correctly identifies benign activity as benign and does not generate an alert. Unlike a true positive, there is no alert. It represents the system correctly ignoring normal behavior.
Your antivirus scanning a harmless document and not flagging it because it is indeed clean. That is a true negative.
A false negative is when malicious activity occurs but the system fails to detect it, producing no alert. This is the most dangerous outcome because an attack goes unnoticed. A true positive catches what a false negative misses.
A virus hiding from your antivirus so the scanner reports your system is clean, but the virus is actually running in the background.
Must Know for Exams
In major IT certification exams like CompTIA Security+, CompTIA CySA+, CISSP, CEH, and the Security Operations domain of the CISA, the concept of true positive appears frequently. These exams test not only the definition but also the ability to distinguish true positives from other alert types and to interpret monitoring scenarios.
For CompTIA Security+ (SY0-601 and SY0-701), the term is part of the "Security Operations" domain, specifically under indicator management and monitoring. Questions often present a scenario where a security analyst reviews logs and must classify an alert as a true or false positive. For example, a question might describe an IDS alert for a known web attack pattern. The candidate must decide whether the traffic is actually malicious or just similar-looking benign traffic. The correct classification depends on understanding that a true positive requires confirmed malicious activity.
In the CompTIA CySA+ (CS0-002 and CS0-003), true positives are central to the "Security Operations and Monitoring" domain. The exam expects you to analyze SIEM alerts, identify true positives among noise, and recommend tuning actions. Multiple-choice questions might present a table of alerts with descriptions and ask which ones are true positives. Scenario-based questions could give a log file with multiple entries and ask the candidate to determine which entries indicate an actual attack.
For the CISSP, true positives appear in the "Security Operations" domain, particularly in the context of monitoring and detection. The exam may test how true positives relate to metrics like recall and precision. Questions might ask about the trade-off between detecting threats and generating high false alarm rates. A candidate who understands that increasing sensitivity yields more true positives but also more false positives will choose the correct answer.
The CEH exam covers true positives in the context of IDS/IPS evasion and detection. A question might describe an attacker using evasion techniques to avoid detection, and the candidate must infer whether a given alert is a true positive or a false negative.
Common exam question types include: - Given an alert description, classify it as true positive, false positive, true negative, or false negative. - From a set of log entries, identify which ones represent actual security incidents versus benign activity. - Determine the impact of adjusting a detection rule's threshold on the number of true positives and false positives. - Interpret metrics from a detection dashboard and calculate the true positive rate or precision.
Mastering these distinctions is essential for scoring well on the monitoring and operations sections.
Simple Meaning
Imagine you have a smoke detector in your kitchen. When there is actual smoke from a burning piece of toast, the alarm goes off. That is a true positive, the detector correctly sensed a real fire and alerted you. Now think of a security system on your computer or network. A true positive is when that system says, "Hey, I found something dangerous," and it is right. This could be a virus, a hacker trying to break in, or someone on the inside stealing data. The key is that the alert matches a real, present threat.
In everyday life, we rely on true positives all the time. When your phone tells you a call is spam and it really is spam, that is a true positive. When a credit card company blocks a purchase because they correctly think someone stole your card, that is a true positive. The opposite would be a false positive, which is like the smoke detector going off when you are just boiling water and there is no fire.
For IT security professionals, true positives are the gold standard. They show that the tools, rules, and configurations you set up are working as intended. Every true positive means a potential attack or policy violation was caught before it could cause serious harm. However, not every alarm is a true positive, and learning to tell the difference is a huge part of working in a Security Operations Center (SOC).
Full Technical Definition
In cybersecurity operations, a true positive refers to an alert generated by a detection system that correctly identifies the presence of malicious activity, an attack, or a policy violation. It is one of the four possible outcomes in a detection matrix, alongside false positive, true negative, and false negative. The term is fundamental to understanding the effectiveness of intrusion detection systems (IDS), intrusion prevention systems (IPS), security information and event management (SIEM) platforms, endpoint detection and response (EDR) solutions, and antivirus software.
The internal process begins when a sensor or agent collects data from a monitored asset. This could be network traffic captured via a packet sniffer, logs from a firewall, or process behavior on an endpoint. The detection system then analyzes this data against a set of rules, signatures, or behavioral models. If the analysis triggers an alert, the system classifies it based on the rules. When the alert corresponds to actual malicious activity that is confirmed by a human analyst or automated context, it is designated a true positive.
From a technical standpoint, true positives are measured using metrics such as detection rate (also called True Positive Rate or recall), which is the number of true positives divided by the sum of true positives and false negatives. This rate is critical for evaluating the sensitivity of a detection system. For example, in a SIEM like Splunk or Microsoft Sentinel, correlation searches produce events. A true positive occurs when a logged event, such as a failed login followed by a successful login from a different country, actually matches a real brute-force attack.
In practice, achieving high numbers of true positives while minimizing false positives requires careful tuning. This involves adjusting thresholds, whitelisting known good behavior, and using more advanced techniques like machine learning anomaly detection. In compliance frameworks such as PCI DSS or SOC 2, the ability to consistently produce true positives is often required to demonstrate effective security monitoring.
True positives also play a role in threat hunting. Analysts use hypotheses and indicators of compromise (IOCs) to search for traces of malware or attacker tactics, techniques, and procedures (TTPs). When they find a match that is indeed malicious, that finding is a true positive. This confirms that the threat hunting methodology and tools are aligned with real attack patterns.
For certification exams, understanding true positives is essential for questions about alert classification, tuning IDS sensors, interpreting SIEM dashboards, and measuring security control effectiveness. Questions often present a log entry or alert description and ask the candidate to identify what type of event occurred.
Real-Life Example
Think of a security guard at a bank. The guard watches a monitor showing all the doors and vaults. One day, the guard sees a person wearing a mask trying to open the vault door with a crowbar. The guard immediately calls the police. This is a true positive, the guard correctly identified a real robbery attempt.
Now relate that to IT security. The security guard is like your intrusion detection system. The monitor is like your SIEM dashboard showing logs and alerts. The mask and crowbar are like malicious code or an attacker's unusual behavior. The guard's call is the alert that gets sent to the security team.
In another example, imagine you have a home security camera that sends you motion alerts. One night you get an alert that shows a person walking up your driveway. You check the footage and it is actually a delivery driver dropping off a package. That is a true positive for motion detection because there was real motion, but it may be less interesting if you set the camera to only alert for strangers. The point is that the system correctly detected motion, which is what it was designed to do.
In the IT world, a true positive might be a firewall blocking a connection from an IP address known to be part of a command-and-control server for ransomware. The firewall correctly identified the threat based on its threat intelligence feed and blocked it. The security team receives a log that says "Connection blocked, threat detected." When they investigate, they confirm the IP is indeed malicious. That is a textbook true positive.
Why This Term Matters
True positives matter because they represent the core purpose of any security system: finding real threats. Without true positives, security tools are useless. If a company invests millions in a SIEM but never gets a true positive, either there are no attacks (unlikely) or the system is failing to detect them. In either case, the organization is at risk.
From a practical standpoint, true positives directly reduce risk. Each true positive means an attack was interrupted, a data breach was prevented, or a policy violation was caught in time. Over time, tracking true positives helps security teams understand which threats are most common, which attack vectors are being exploited, and whether the existing controls are effective. This data drives improvements in security posture.
True positives also build trust. When a detection system consistently produces true positives, incident response teams and management gain confidence that the security operations are working. This trust is critical during audits or after a major incident, where evidence of true positives shows that monitoring was active and effective.
In terms of operations, analyzing true positives helps with tuning. If a system generates many false positives, analysts waste time investigating non-issues. But if the system also has few true positives, it might be missing real attacks. Finding the right balance is known as the sensitivity-specificity trade-off. Security engineers adjust rules, whitelist benign activities, and update signatures to maximize true positives while keeping false positives manageable.
For compliance, regulators often require evidence of effective monitoring. Reports that show a consistent stream of true positives with proper incident response documentation satisfy such requirements. Without true positives, an organization might struggle to prove that its security controls are operational and useful.
How It Appears in Exam Questions
Exam questions about true positives come in several patterns. The most common is the scenario-based classification. For example: "A security analyst receives an alert from the SIEM indicating that a user account attempted to access a restricted file share at 3 AM. The analyst investigates and finds that the user is a legitimate employee who was working late on a project and had been granted temporary access. This alert is a:" The correct answer is false positive because it triggered on benign activity. If instead the user was an attacker who had stolen credentials, the alert would be a true positive.
Another pattern is the configuration tuning question. For instance: "An IDS administrator notices a high number of alerts for FTP traffic. After investigation, most are legitimate file transfers by employees. What should the administrator do to improve detection without increasing risk?" The answer might involve whitelisting those FTP servers or reducing the sensitivity, which would decrease false positives but could also reduce true positives if done incorrectly.
Questions also appear as metrics interpretation. You might see a dashboard showing 200 alerts: 150 true positives, 30 false positives, 20 true negatives, and 0 false negatives. Then a question asks: "What is the true positive rate?" The candidate would calculate 150/(150+0) = 100%, meaning no attacks were missed. Or they might ask for precision: 150/(150+30) = 83.3%.
Troubleshooting-based questions show logs where a rule did not fire. For example: "A rule designed to detect port scans produced no alerts for a week, but the network team confirms port scans occurred. What is the issue?" The candidate must recognize that this means false negatives are occurring, and the rule needs tuning to catch more true positives.
Finally, some questions combine concepts. A question might describe a security team configuring a SIEM to reduce analyst workload. The team decides to increase the threshold for an alert to reduce the volume of false positives. The exam asks: "What is a potential negative consequence of this change?" The correct answer is that true positives for low-level attacks might be missed, leading to false negatives.
Practise True positive Questions
Test your understanding with exam-style practice questions.
Example Scenario
You are a security analyst working for a medium-sized company. You use a security monitoring tool that scans network traffic and emails for malware. One afternoon, you get an alert that says: "Suspicious file attached to email sent from external user to accounting department. File matches known ransomware signature."
You open the alert and see the email came from an unknown sender, and the attachment is named "Invoice_2024.exe." You know that executable files sent via email are often malicious. You check the email headers and see the sender's IP is from a country your company does no business with. You also check the file hash against a threat intelligence database and it matches a newly discovered ransomware variant.
Because you have confirmed the attachment is indeed malicious, this alert is a true positive. The security tool correctly identified a real threat. Your next step is to block the email at the gateway, delete it from the recipient's inbox if it was already delivered, quarantine the attachment, and notify the intended recipient about the attempted attack.
In this scenario, the true positive allowed you to prevent a potential ransomware infection that could have encrypted critical financial records. If the file had been a harmless PDF and the tool flagged it anyway, that would be a false positive. But since the file was real malware, the alert helped protect the company. This simple scenario shows why understanding true positives is vital for effective incident response.
Common Mistakes
Thinking any alert that is confirmed by an analyst is automatically a true positive.
If the analyst confirms the activity is benign, the alert is a false positive, even if the analyst verifies it. Confirmation alone does not make it a true positive; the content must be malicious.
Always verify whether the underlying activity is actually malicious. If it is benign, it is a false positive regardless of how much analysis was done.
Confusing true positive with detection rate or recall.
True positive is a single event. Detection rate is a metric that compares true positives to total actual positives. They are not interchangeable.
Remember: true positive is one alert that is correct. Detection rate is a formula: TP / (TP + FN).
Believing that a true positive always means an attack was stopped.
A true positive only means the threat was detected. It does not guarantee that it was blocked or prevented. The system might detect, but if no action is taken, the attack could succeed.
Understand that detection is different from prevention. A true positive is about detection accuracy, not about the outcome of the incident response.
Assuming that all alerts from a well-tuned system are true positives.
Even the best-tuned systems produce false positives. Security tools generate alerts based on patterns, and benign activity can mimic malicious patterns.
Treat every alert as suspect until proven otherwise. Use contextual information to confirm or reject the alert.
Exam Trap — Don't Get Fooled
{"trap":"The exam describes an alert that matches a known signature but the underlying activity is actually a legitimate penetration test authorized by the company. The question asks if this is a true positive.","why_learners_choose_it":"Learners see the signature match and immediately think of a true positive because the tool did its job.
They overlook the context that the activity is authorized and therefore not malicious.","how_to_avoid_it":"Always consider the full context. A true positive requires that the detected activity is malicious.
If it is authorized testing, it is not malicious. The alert is still a detection, but because the activity is benign, it is actually a false positive from the perspective of actual threat. Some frameworks call this a 'benign true positive,' but for most exams, it is classified as a false positive because it does not represent a real security incident."
Step-by-Step Breakdown
Data collection
A security sensor or agent gathers information from a source, such as network traffic, system logs, or file metadata. This raw data is the foundation for any detection.
Analysis and correlation
The collected data is analyzed against detection rules, signatures, or behavioral baselines. The system looks for patterns that match known threats or anomalies that deviate from normal behavior.
Alert generation
When a match occurs, the system generates an alert. The alert contains key details like timestamp, source IP, destination, event type, and severity. This is the trigger that signals a potential true positive.
Investigation and validation
A human analyst or automated system reviews the alert. They check additional context, such as related logs, threat intelligence feeds, and asset criticality. They determine if the activity is genuinely malicious or benign.
Classification
If the investigation confirms malicious activity, the alert is classified as a true positive. If it is benign, it becomes a false positive. This classification feeds into metrics and tuning decisions.
Incident response
Once confirmed as a true positive, the organization initiates incident response procedures. This may include containment, eradication, recovery, and post-incident analysis. The true positive thus drives actionable security operations.
Practical Mini-Lesson
Understanding true positives is about more than just a definition; it is about how to handle them in daily security operations. Let us walk through a practical scenario.
You are a SOC analyst monitoring a large network with thousands of endpoints. Your SIEM receives millions of events per day. Among them, a correlation rule fires: "Multiple failed logins followed by successful login from unusual location." The alert includes a user account name, the timestamp, and the source IP.
Your first step is to verify the alert context. You pull up the user's last 30 days of activity and see they typically log in from the corporate office in New York. The source IP for the alert is from a different country. You also check the Active Directory logs, the account had session activity that matches the time of the successful login. This strongly suggests that either the user's credentials were compromised or the user is traveling. Since this user has no travel history, you treat this as a likely true positive.
Next, you check for other alerts tied to the same IP. You find additional alerts for the same IP scanning internal ports. This multiplies the evidence. Now you are confident it is a true positive. You escalate to your incident response team, who disable the account and start forensic investigation.
Here is what professionals need to know: Not every true positive leads to a full incident. Some true positives are low severity, for example, an employee accessing a blocked website that contains malware. In that case, you might just block the site and inform the user. The key is to prioritize based on context, not just the label.
What can go wrong? If you misclassify a true positive as a false positive, you ignore a real attack. If you treat every alert as true, you waste resources. Training and experience improve classification accuracy. Many SOCs use a tiered response: Tier 1 analysts triage alerts and pass confirmed true positives to Tier 2 for deeper analysis.
Configuration context: To increase true positives, you can add more detection rules, use threat intelligence feeds, and tune thresholds. But over-tuning can cause false negatives. The goal is to find the sweet spot where true positives are high and false positives are manageable.
mastering true positives means learning to gather evidence, use context, and make decisions that protect the organization while maintaining operational efficiency.
Memory Tip
Think of a 'True positive' as a 'Truthful positive', the alert tells the truth about a real threat.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
CS0-003CompTIA CySA+ →220-1102CompTIA A+ Core 2 →SC-900SC-900 →SOA-C02SOA-C02 →CDLGoogle CDL →ISC2 CCISC2 CC →Legacy Exam Context
Older materials may mention these exam versions, but learners should use the current objectives for their target exam.
SY0-601SY0-701(current version)Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
Can a true positive be ignored if it is low severity?
Generally, no. Even low-severity true positives should be logged and reviewed because they may indicate a pattern. However, organizations may prioritize based on risk. Ignoring any true positive could allow an attack to progress.
How do I increase the number of true positives without increasing false positives?
Use threat intelligence feeds, correlate multiple indicators, and deploy behavioral analysis. Fine-tune detection rules based on your environment's normal behavior. Whitelist known benign sources to reduce false positives.
What is the difference between true positive rate and precision?
True positive rate (recall) is the proportion of actual positives correctly identified: TP/(TP+FN). Precision is the proportion of positive identifications that were correct: TP/(TP+FP). Both are important metrics.
Is a true positive always a security incident?
Not necessarily. A true positive means a real threat was detected, but it may not escalate to a full incident if it is minor or successfully blocked. The threshold for an incident depends on the organization's severity classification.
Can a true positive come from a honeypot?
Yes. A honeypot is designed to attract attackers. Any activity on a honeypot is likely malicious, so alerts from honeypots are typically true positives.
Why do exam questions emphasize classifying alerts?
Because accurate classification is the first step in effective security operations. Misclassifying an alert can lead to missing real attacks or wasting resources on false alarms. Exams test this foundational skill.
Summary
A true positive is a cornerstone concept in security operations. It represents the correct detection of a real threat, and it is one of the four possible outcomes when a security system evaluates an event. Understanding true positives helps security professionals measure their detection systems, tune them for better accuracy, and respond effectively to actual attacks.
In exams, you will be asked to identify true positives from descriptions of logs, alerts, and scenarios. You need to be able to distinguish them from false positives, false negatives, and true negatives. The ability to classify alerts correctly is a core competency tested in certifications like CompTIA Security+, CySA+, CISSP, and CEH.
The key takeaway is this: a true positive is good news for security, it means your tools are working. But it is also a call to action. Every true positive requires validation, investigation, and the appropriate response. By understanding true positives thoroughly, you demonstrate that you grasp the fundamentals of security monitoring and can contribute meaningfully to a security team. Use the memory tip 'Truthful positive' to always remember that a true positive tells the truth about a threat.