Often, organizations detect malicious activity, but fail to act on the detection.
Consider an attacker who compromises an endpoint running EDR software and triggers several alerts. They have been detected, but with no one around to respond they are able to disable or work around the security software and achieve their objectives. This may happen late Friday night when no one is at work to review the alerts, or over the Thanksgiving holiday while everyone is eating turkey with their families and watching the Cowboys game.
Monday morning, people come in to work and are greeted by a domain-wide ransomware attack.
Security alerts need to be reviewed 24 hours a day, 365 days a year: attackers know when IT staff are likely to be at home asleep and will definitely attack on holidays, late at night, or over the weekend.
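One way to measure this exposure is to check every alert against the hours the console is actually watched. The script below is an added example, not code from the original post: it takes a batch of constructed EDR alert records, an assumed staffing schedule (Monday to Friday, 08:00 to 18:00) and an assumed holiday list, and reports how many hours each alert would have sat unreviewed before the next staffed shift. All timestamps, rule names and schedule values are illustrative assumptions.

```python
"""Audit EDR alerts for time spent in unstaffed review windows.

Added example, not from the original post. The staffing model (weekdays
08:00-18:00), the holiday list and the alert records are all assumptions
chosen to illustrate the Friday-night / holiday gap described in the text.
"""
from datetime import datetime, date, time, timedelta

# Assumed staffing model: the console is watched Mon-Fri, 08:00 to 18:00.
STAFFED_START = time(8, 0)
STAFFED_END = time(18, 0)
# Constructed holiday list: US Thanksgiving 2023 and the Friday after it.
HOLIDAYS = {date(2023, 11, 23), date(2023, 11, 24)}


def parse_ts(s: str) -> datetime:
    """Parse a 'YYYY-MM-DD HH:MM' alert timestamp (local time assumed)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M")


# Constructed sample alerts: (alert id, rule name, time raised).
SAMPLE_ALERTS = [
    ("A-1001", "EDR tamper protection disabled", parse_ts("2023-11-17 23:40")),  # Friday night
    ("A-1002", "Credential dumping (LSASS access)", parse_ts("2023-11-18 02:05")),  # Saturday
    ("A-1003", "Suspicious PowerShell download", parse_ts("2023-11-21 10:15")),  # Tuesday, in hours
    ("A-1004", "Mass file rename (ransomware pattern)", parse_ts("2023-11-23 14:30")),  # Thanksgiving
]


def is_working_day(d: date) -> bool:
    """A day counts as staffed only if it is a weekday and not a holiday."""
    return d.weekday() < 5 and d not in HOLIDAYS


def is_staffed(ts: datetime) -> bool:
    """True if someone is expected to be watching the console at ts."""
    return is_working_day(ts.date()) and STAFFED_START <= ts.time() < STAFFED_END


def next_staffed_time(ts: datetime) -> datetime:
    """Earliest staffed moment at or after ts."""
    if is_staffed(ts):
        return ts
    # Working day, but the alert fired before the shift started: wait for shift start.
    if is_working_day(ts.date()) and ts.time() < STAFFED_START:
        return datetime.combine(ts.date(), STAFFED_START)
    # Otherwise roll forward day by day until a staffed day is found.
    day = ts.date() + timedelta(days=1)
    while not is_working_day(day):
        day += timedelta(days=1)
    return datetime.combine(day, STAFFED_START)


def unattended_hours(ts: datetime) -> float:
    """Hours an alert raised at ts would wait before anyone is on shift."""
    return (next_staffed_time(ts) - ts).total_seconds() / 3600


def coverage_gap_report(alerts, max_unattended_hours: float = 1.0):
    """Return (id, rule, raised_at, hours_unattended) for alerts that would
    sit unreviewed longer than the threshold."""
    gaps = []
    for alert_id, rule, ts in alerts:
        hours = unattended_hours(ts)
        if hours > max_unattended_hours:
            gaps.append((alert_id, rule, ts, round(hours, 1)))
    return gaps


if __name__ == "__main__":
    for alert_id, rule, ts, hours in coverage_gap_report(SAMPLE_ALERTS):
        print(f"{alert_id}  {ts:%a %Y-%m-%d %H:%M}  unattended {hours:>5} h  {rule}")
```

Run against the sample data, the Friday-night tamper alert waits more than 56 hours and the Thanksgiving ransomware alert almost 90 hours; the same logic can be pointed at a real alert export to quantify how much of a year's detections landed in windows nobody was watching.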
Security alerts also need to be tuned: excessive false positives cause alert fatigue, while over-aggressive tuning introduces false negatives, so both must be kept in check.