Methods, systems, and apparatuses are provided for detecting a missing security alert by receiving an alert sequence generated by a network security provider, applying the received alert sequence to a security incident model, receiving an indication from the security incident model that the received alert sequence corresponds to a security incident defined by a predetermined sequence of alerts that includes at least one alert missing from the received alert sequence, and generating a notification to the network security provider that indicates at least one of the security incident or the missing alert(s). In addition, the security incident model may be generated by providing a set of historical alerts and a set of historical security incidents to a machine learning algorithm to generate the security incident model.