Alert fatigue and its related effects on SOC efficiency are self-evident problems. Less obvious and more complex are the cause, effect and possible solutions to these problems.
SOC analysts are inundated with a huge and continuous volume of alerts generated by security tools. Each alert is often meaningless absent correlation with other alerts. But finding relationships is time-consuming, and even if found, might be irrelevant to business security. Much of the alert volume is simply noise, but attempting correlation to find true positive alerts (signals) from the huge number of false positives (noise) is difficult, boring, and often pointless.
The reasons are numerous:
Absence of automated prioritization. Security tools are great at detecting alert signals but poor at prioritizing them. Alerts sometimes arrive with a score. “A tool might say, ‘I found a threat. The score is 32 out of 100’,” comments Obbe Knoop, founder and CEO at Lanxit. “What does that mean? What does a score of 100 out of 100 actually mean? Why give it a score of 32? Without context it is meaningless.”
Absence of alert context. Alerts suffer from a paucity if not complete lack of context. An alert might suggest the presence of a vulnerability and appear to be urgent; but full context might indicate that this device in that location has no outgoing connectivity and zero relevance to business continuity. It can be noted and queued behind more genuinely urgent alerts. It all depends on having accurate and full context to understand relevance.
Jeff Reed, CTO at SentinelOne, summarizes: “Alert fatigue isn’t necessarily the volume of alerts, but rather the relevance of the alerts.”
Criminal use of AI is increasing the pace, sophistication, and stealth of attacks. “Attackers are increasingly using AI to scale their operations – analyzing stolen data faster, generating more convincing phishing campaigns and automating parts of the intrusion process,” adds Reed. The result is continuous growth in the volume of alerts.
Defensive use of AI simultaneously increases the attack surface that bad actors can target. “AI systems themselves are also becoming part of the attack surface, introducing new risks around model manipulation, data exposure and misuse – and yet more alerts,” explains Reed.
“In short,” he adds, “human analysts simply cannot triage and investigate every signal at the pace modern environments produce them.”
This has two effects. Firstly, the pressure is continuous, and the stress level is constant and high. Secondly, there is no escape other than moving to a different job, while the analyst’s personal situation (such as ‘family and high mortgage’) may rule this out. This is a seedbed for burnout.
Put simply, the modern SOC analyst is in danger of both alert fatigue (affecting work) and burnout (affecting both work and health); and the business suffers from reduced security.
Effects
Burnout is not an illness. It is not something that can be cured; it can only be prevented or alleviated. One solution is indeed to change jobs – but then the company loses a highly specialized skill. It is easier to prevent burnout than to alleviate it, and preventing it brings the simultaneous benefit of reducing or preventing alert fatigue.
Alert fatigue isn’t caused by occasional long hours and stress – it is caused by continuous long hours and continuous stress with no escape. If it isn’t prevented, the effect on the analyst could begin with a few false negatives (real attacks that go unnoticed) and grow into a full business compromise.
For the analyst, it could start with subconscious, but overly aggressive filtering merely designed to keep up with the volume of fresh alerts. Within this filtering, too many alerts may be assumed to be false positives. Many will be but some may not, and true positive signals may be filtered out as noise.
The solution must be a business solution rather than an analyst reaction. If the business does not keep up with the volume of new alerts, the noise will continue to grow, and both the cause and effect of alert fatigue will worsen.
Alert fatigue can transform an effective security defense into an unseen security threat. It can lead to slower containment, increased dwell time, and a consequent increase in blast radius.
Solutions
There are two obvious approaches to prevent alert fatigue: reduce the number of alerts by formal filtering to improve the signal-to-noise ratio, or improve the speed and efficiency of triaging through AI-assisted automation. The problem with the former is the potential to throw out true positives with the noise bathwater; the problem with the latter is that AI is not yet foolproof.
Ariel Parnes, former colonel at IDF 8200 Cyber Unit, and current co-founder and COO at Mitiga, believes the solution to alert fatigue is to increase rather than decrease the alerts, but to more clearly surface and correlate associated alerts for the analysts.
The goal is to reconstruct every action, log, and signal into a unified attack sequence, so analysts aren’t triaging individual events but reading a complete, decoded story of attacker behavior.
“AI-native automation,” he suggests, “can turn alert floods into clear priorities: automating triage and accelerating investigations so the SOC leads every response rather than chasing it.”
Ismael Valenzuela, VP of threat intelligence at Arctic Wolf, agrees with the principle of using automation to give SOC analysts more time on threat investigation rather than continuous and repetitive alert triaging.
“Organizations are moving toward more operationalized models that combine automation, correlation, and continuous monitoring to reduce noise, improve prioritization, and give analysts the space to work both sides of that equation.”
Reed agrees. “Repetitive tasks such as log analysis, enrichment and early-stage investigation can be handled automatically, allowing analysts to focus on understanding attacker behavior and making strategic decisions. When machines handle the heavy data processing,” he adds, “security teams gain the clarity and time they need to respond effectively.”
His solution is to use artificial intelligence to provide automation. “AI is becoming essential for analyzing large volumes of telemetry, correlating signals across multiple environments and identifying the small number of events that actually represent real risk. Rather than presenting analysts with thousands of disconnected alerts, AI can group related activity, add context and prioritize incidents based on likely impact.”
Michael Brown, Field CISO at Presidio, adds, “Analysts should not be working on any raw alerts, only correlated incidents. This enables much faster investigations and remediations while reducing staff burnout and attrition.”
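The correlation that Parnes, Reed and Brown describe, linking signals from different sources into one incident narrative so the analyst reads an attack chain rather than disconnected events, can be sketched in a few dozen lines. The following is an added illustration, not code from any of the vendors quoted: the alerts are constructed sample data, the field names (`host`, `user`, `source`) and the two-hour linking window are assumptions, and the linking rule (alerts that share a host or user identity within the window belong to the same incident) is one simple choice among many.

```python
"""Group raw alerts from several sources into correlated incidents.

Added illustration with constructed data. Alerts that share a host or a
user identity within a time window are linked into one incident, so the
analyst is handed an attack chain instead of individual events.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry); field names are assumptions.
ALERTS = [
    {"id": 1, "source": "iam",     "time": "2024-05-01T09:00:00", "host": None,     "user": "jdoe",       "title": "Impossible-travel login"},
    {"id": 2, "source": "edr",     "time": "2024-05-01T09:04:00", "host": "ws-17",  "user": "jdoe",       "title": "Encoded PowerShell launched"},
    {"id": 3, "source": "network", "time": "2024-05-01T09:06:00", "host": "ws-17",  "user": None,         "title": "Beacon-like outbound traffic"},
    {"id": 4, "source": "cloud",   "time": "2024-05-01T09:20:00", "host": None,     "user": "jdoe",       "title": "New access key created"},
    {"id": 5, "source": "edr",     "time": "2024-05-01T14:00:00", "host": "srv-02", "user": "svc-backup", "title": "Scheduled task modified"},
    {"id": 6, "source": "network", "time": "2024-05-02T03:00:00", "host": "ws-17",  "user": None,         "title": "Port scan detected"},
]

WINDOW = timedelta(hours=2)  # assumed linking window


def _entities(alert):
    """Identity keys an alert can be linked on: its host and its user."""
    keys = []
    if alert["host"]:
        keys.append(("host", alert["host"]))
    if alert["user"]:
        keys.append(("user", alert["user"]))
    return keys


def correlate(alerts, window=WINDOW):
    """Union-find over alerts: two alerts are linked when they share a host
    or user and the later one falls within `window` of the most recent
    alert on that entity. Returns incidents as chronologically ordered
    alert lists, earliest incident first."""
    alerts = sorted(alerts, key=lambda a: a["time"])  # ISO-8601 sorts lexically
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    def union(a, b):
        ra, rb = find(a), find(b)
        if ra != rb:
            parent[rb] = ra

    last_seen = {}  # entity key -> most recent alert carrying that entity
    for alert in alerts:
        t = datetime.fromisoformat(alert["time"])
        for key in _entities(alert):
            prev = last_seen.get(key)
            if prev is not None and t - datetime.fromisoformat(prev["time"]) <= window:
                union(prev["id"], alert["id"])
            last_seen[key] = alert

    groups = defaultdict(list)
    for alert in alerts:
        groups[find(alert["id"])].append(alert)
    return sorted(groups.values(), key=lambda g: g[0]["time"])


def narrative(incident):
    """Render one incident as a readable attack-chain summary."""
    hosts = sorted({a["host"] for a in incident if a["host"]})
    users = sorted({a["user"] for a in incident if a["user"]})
    lines = [f"Incident: {len(incident)} alerts, hosts={hosts}, users={users}"]
    for a in incident:
        lines.append(f"  {a['time']} [{a['source']}] {a['title']}")
    return "\n".join(lines)


if __name__ == "__main__":
    for inc in correlate(ALERTS):
        print(narrative(inc))
        print()
```

On the constructed input the IAM, EDR, network and cloud alerts around 09:00 collapse into one four-step incident for user `jdoe` and host `ws-17`, the scheduled-task alert on `srv-02` stands alone, and the next-day port scan on `ws-17` is kept separate because it falls outside the window. The window and the choice of linking entities are where real deployments differ; too generous a window merges unrelated activity, too tight a window splits a slow intrusion into fragments.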
The question is, ‘How should this be done?’ Not all AI systems are created equal. AI only knows what it knows. It doesn’t know what it hasn’t learned – but it may still fabricate a wrong response.
Merlin Gillespie, CTO of Cybanetix, offers one approach. He suggests that using known IoCs as the primary indication of compromise is no longer sufficient. “Over the past few years, attacks have become more subtle. Threat actors now obtain access via stolen credentials and maintain persistence using ‘living off the land’ techniques, which makes detection far more difficult.”
So, agreeing with Parnes, he suggests, “This means we need to collect more alerts, not less, to catch and connect those small signs. Capturing more alerts and adopting a paranoid posture means those attacks can be spotted earlier, but it does of course increase the likelihood of alert fatigue and analyst burnout. It’s for this reason we need to let technology do the heavy lifting.”
The technology he recommends is a combination of machine learning (ML) and large language models (LLMs). “Together, they can be used to carry out 90% of alert triage and investigation. ML can analyze vast sets of data and identify patterns, anomalies and potential breaches. Over time, ML can even make inferences to anticipate attacks and improve detection,” he says.
“LLMs, on the other hand, can explain alerts, investigation findings, and provide case summaries, speeding up investigations and producing intelligible outputs.”
But he also warns there are still problems with AI. “The subjective nature means it is also prone to variance. During a recent experiment, we found an agent not only misinterpreted the threat but produced a fictitious killchain. This illustrates,” he says, “that AI doesn’t yet have the maturity needed.”
The key seems to be context. Everybody accepts that alert context is necessary for accurate correlation and prioritization, but there is little agreement on what constitutes the necessary context and what provides it.
Valenzuela links it to divergence from normal. “Effective noise reduction requires… understanding which assets are truly at risk and establishing what normal and abnormal look like in their specific environment,” he explains.
“Simply adding more tools without that context tends to increase complexity and volume rather than improve outcomes, creating what many describe as an ‘all noise, no signal’ problem.”
The priority, he adds, “is to improve signal quality by enriching alerts with context and continuously adapting detection logic to reflect a changing environment, rather than relying on static rules.”
Rob Demain, CEO of e2e-assure, suggests that context can be understood by the analyst after AI has removed the humdrum layer of analysis. “AI removes the repetitive layer of work that consumes so much of an analyst’s day. The result is faster, more consistent first-response times, and a team whose energy is directed where it matters most: understanding context, refining threat intelligence, and making nuanced judgement calls that no automated system can replicate.”
Gillespie believes that context can be surfaced by the LLM part of a dual ML and gen-AI solution. Reed agrees. “AI can group related activity, add context and prioritize incidents based on likely impact.”
Toby Lewis, global head of threat analysis at Darktrace, also concurs. He accepts that extracting context from the noise is humanly difficult. “Building a tech stack that can combine these feeds without a huge amount of human legwork seems like a near impossible task but it’s one that AI makes vastly more plausible. Its ability to combine, correlate and analyze data in real-time creates that single picture.”
Brown provides a more complete description. “Mature SOCs auto-enrich their raw alert data so that analysts start their investigations with the context already assembled. This enrichment might include asset inventory data, asset criticality level, identity privileges, device ownership and physical location, historical behavior analytics, network traffic context, and much more.”
He explains, “Correlation and contextualization is what allows analysts to look at attack chains and not just alerts. Signals from different sources (endpoints, cloud logs, IAM system, network device telemetry, etc.) are linked to create an incident narrative and help analysts understand the bigger picture much faster.”
Full context can help locate the true positive alert within the noise. It can highlight what must be actioned immediately, and what may be queued for later action.
Knoop explains the importance of this context. “You could get an alert indicating a vulnerability on a machine. The vulnerability is scored at 100 out of 100 and is very urgent, so it needs immediate attention. The analyst panics.”
But, adds Knoop, “If you look at the full context, you might find the machine is in a lab somewhere, and isn’t connected to any business information. So, if something does happen to it, the revenue impact – the operational impact – on the business might be zero. But current tool sets don’t reason across context and everything else that’s happening.”
While artificial intelligence is a powerful new tool, it can also be a dangerous tool. AI only knows what it knows. If it doesn’t know the correct answer, it might hallucinate an inaccurate answer to fill the gap. Users of AI, which in our case are overworked and stressed SOC analysts, may not recognize the hallucination.
“AI is used to sift alerts,” warns Knoop, “and is separately used to automate responses. But it does so without full context, and without full context, wrong decisions leading to wrong actions can be made.”
His opinion is that context is vital to understanding and correctly responding to alerts, but that the current approach to context is generally too limited. To get full insight into whether the alert is important or just noise, context needs to be built through knowing everything about the business. He believes context needs to be taken to a new level – or in his own words, a new layer – that he calls ‘the reasoning layer’. For the last five years he has been developing such a reasoning layer – loosely classified in the emerging concept of security decision intelligence (SDI) – at Lanxit.
This reasoning layer must understand the business in its entirety. So, for equipment, it uses the company’s CMDB. It doesn’t simply know each device, it knows what information is handled by that device, which other devices are connected to it and the potential blast radius of an incident affecting that device.
This new reasoning layer also understands the company’s business sector; it understands what an attacker might be seeking; it understands through threat intelligence what current threats are targeting that sector. It has the potential to understand everything about the company – for example, which departments might be understaffed, and even potential attack areas that are not visible to the current security system.
“It’s a system that can reason in context between all the signals that are currently available – a new layer in security that sits on top of all the current security solutions. It takes input from those security solutions, the signals, and reasons between them,” explains Knoop.
“So, very simply, an alert is generated by a security tool. The reasoning layer picks up that alert and says, ‘Okay, this is an alert about this machine.’ It pulls the information about that machine from the CMDB, from the customer’s asset database. It compares it with the device information, then compares it with the business context. What industry is the customer in? Is it in the financial industry? Is it a manufacturer of cars? Is it a chemical manufacturer? So, what kind of threats have I seen in the world?”
Armed with all the information about the alert and full device and business context, the reasoning layer reasons across everything and provides a natural language response to the analyst. It doesn’t simply give a score; it suggests what action needs to be taken.
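Brown’s auto-enrichment and Knoop’s reasoning layer describe the same pipeline at different depths: pull the asset from the CMDB, work out what it touches and what data it exposes, weigh that against the business context and current sector threats, and return advice rather than a score. The following is an added sketch of that pipeline, not Lanxit’s or Presidio’s code. The CMDB, business profile, threat-intelligence list and alerts are all constructed, the schema (`data`, `connects_to`, `location`, `owner`, `threat_class`) and the priority rules are assumptions, and blast radius is approximated as the set of assets reachable over recorded connections.

```python
"""Context-enriched alert prioritisation: an added illustration of the
enrichment / reasoning-layer idea. All data is constructed and the schema,
rules and advice wording are assumptions, not any vendor's implementation."""
from collections import deque

# Constructed CMDB: device -> attributes (assumed schema).
CMDB = {
    "lab-pc-01":  {"data": [],                    "connects_to": [],             "location": "lab",        "owner": "research"},
    "pay-api-03": {"data": ["cardholder"],        "connects_to": ["db-pay-01"],  "location": "datacenter", "owner": "payments"},
    "db-pay-01":  {"data": ["cardholder", "pii"], "connects_to": [],             "location": "datacenter", "owner": "payments"},
    "ws-44":      {"data": [],                    "connects_to": ["pay-api-03"], "location": "office",     "owner": "finance"},
}

# Constructed business context and sector threat intelligence.
BUSINESS = {"sector": "financial", "regulated_data": {"cardholder", "pii"}}
THREAT_INTEL = {"financial": {"credential_theft", "ransomware"}}


def blast_radius(device, cmdb=CMDB):
    """Assets reachable from `device` over recorded connections (BFS)."""
    seen, queue = {device}, deque([device])
    while queue:
        for nxt in cmdb.get(queue.popleft(), {}).get("connects_to", []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {device}


def enrich(alert, cmdb=CMDB):
    """Attach asset context to a raw alert: location, owner, reachable
    assets and the union of data handled along that reach."""
    asset = cmdb.get(alert["device"])
    if asset is None:
        return {**alert, "known_asset": False}
    reach = blast_radius(alert["device"], cmdb)
    exposed = set(asset["data"])
    for d in reach:
        exposed |= set(cmdb[d]["data"])
    return {**alert, "known_asset": True, "location": asset["location"],
            "owner": asset["owner"], "reachable": sorted(reach),
            "exposed_data": sorted(exposed)}


def reason(enriched, business=BUSINESS, intel=THREAT_INTEL):
    """Turn an enriched alert into a priority and plain-language advice.
    The tool's own score is deliberately ignored; context decides."""
    if not enriched["known_asset"]:
        return {"priority": "investigate",
                "advice": "Device is not in the CMDB; confirm ownership before acting."}
    regulated = set(enriched["exposed_data"]) & business["regulated_data"]
    sector_threat = enriched.get("threat_class") in intel.get(business["sector"], set())
    if not enriched["reachable"] and not enriched["exposed_data"]:
        return {"priority": "low",
                "advice": (f"Isolated {enriched['location']} device with no business data; "
                           "monitor it and patch in the next cycle.")}
    if regulated or sector_threat:
        why = []
        if regulated:
            why.append(f"exposes regulated data ({', '.join(sorted(regulated))})")
        if sector_threat:
            why.append(f"matches an active {business['sector']}-sector threat")
        return {"priority": "act now",
                "advice": "Act now: this " + " and ".join(why) + "; financial impact is likely."}
    return {"priority": "medium",
            "advice": "Queue behind urgent work; limited reach and no regulated data."}


# Constructed alerts: ranked by tool_score alone they would come out backwards.
ALERTS = [
    {"id": "a1", "device": "lab-pc-01",   "tool_score": 100, "threat_class": "exploit"},
    {"id": "a2", "device": "ws-44",       "tool_score": 32,  "threat_class": "credential_theft"},
    {"id": "a3", "device": "srv-unknown", "tool_score": 70,  "threat_class": "exploit"},
]


def triage(alerts):
    """Enrich and reason over every alert; returns id -> decision."""
    return {a["id"]: reason(enrich(a)) for a in alerts}


if __name__ == "__main__":
    for aid, decision in triage(ALERTS).items():
        print(aid, decision["priority"], "-", decision["advice"])
```

The two constructed alerts reproduce Knoop’s scenario: the score-100 finding on the isolated lab machine is queued for the next patch cycle, while the score-32 finding on an office workstation is escalated because the workstation reaches the payment API and, through it, a database holding cardholder data, and the threat class matches what intelligence says is active against the sector. The third alert shows the caveat every enrichment pipeline needs: an asset missing from the CMDB cannot be reasoned about and must be flagged for a human rather than silently scored low.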
“It might respond, ‘This thing in your environment is a threat,’” continues Knoop. “‘The device has no access to anything else. Monitor it and patch it in the next cycle.’ Or it might respond, ‘This is a threat. You should act now, because it will have financial impact to your business.’”
Knoop’s reasoning layer for finding the signal in the noise and advising what action should be taken is a work in progress. It is currently in beta test at various sites. But what it promises is a new approach to alert analysis: rather than incremental additions to the traditional approach, a solution could be found in a completely new approach focusing on context and advice.
Whatever route is taken in the future, the need to solve the continuous and growing problem of alert fatigue is only getting more urgent.