The false positive problem is a product problem

01 May 2026 · security, product, soc

When a SOC is drowning in alerts, the instinct is to hire more analysts. More eyes, more throughput. The queue goes down temporarily. Then it comes back.

The real problem isn’t volume. It’s fidelity.

If half your alerts are false positives (and for most managed SOCs, half is roughly right), you’re not running a security operation. You’re running a noise filter staffed by humans. Every analyst who closes a false positive is an analyst who isn’t hunting. Every merge request (MR) filed to tune a detection rule is an engineering burden that compounds.

The product question is: what would it take to make the queue smarter, not just shorter?

Closing tickets is table stakes. Improving fidelity is the job.

The best operators aren’t the ones who close the most alerts. They’re the ones who make the detection logic better over time so that fewer bad alerts reach them in the first place.

That’s a compounding loop. Better detections → fewer false positives → freed analyst capacity → more hunting → better detections.

But the loop only turns if tuning is frictionless. If an analyst has to file an engineering MR to narrow a firing condition, the loop stalls. The cost of tuning exceeds the benefit, and analysts learn to close noise quietly instead of fixing it.

What the product needs to do

The rule of thumb I’ve been working from: tuning should always be one step from triage.

Close a false positive → immediate suggestion to adjust the detection condition, from within the same view. No code. No MR. No separate workflow.

That’s not a feature. It’s a prerequisite for everything else.

Detection quality metrics (false positive rate per rule, per team, over time) need to be visible and unambiguous. Not buried in a dashboard somewhere, but part of the operational picture. The measure of a well-run SOC shouldn’t be tickets closed. It should be whether the queue is getting sharper or noisier quarter over quarter.
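As an added example (not the author's code, and not any product's implementation), here is how the per-rule, per-team, quarter-over-quarter false positive rate described above can be computed from closed-alert dispositions, with a whole-queue trend and a ranked list of rules that deserve tuning. The alert records, rule ids and team names are constructed sample data.

```python
from collections import defaultdict
from datetime import date

# Constructed sample: one tuple per closed alert,
# (rule_id, team, closed_on, disposition) with disposition "fp" or "tp".
ALERTS = [
    ("R-100", "net", date(2025, 11, 3), "fp"), ("R-100", "net", date(2025, 11, 9), "fp"),
    ("R-100", "net", date(2025, 12, 1), "tp"), ("R-100", "net", date(2025, 12, 20), "tp"),
    ("R-100", "net", date(2026, 1, 4), "fp"), ("R-100", "net", date(2026, 1, 11), "fp"),
    ("R-100", "net", date(2026, 2, 2), "fp"), ("R-100", "net", date(2026, 2, 15), "fp"),
    ("R-100", "net", date(2026, 3, 1), "tp"), ("R-300", "net", date(2026, 3, 20), "fp"),
    ("R-200", "endpoint", date(2025, 10, 8), "fp"), ("R-200", "endpoint", date(2025, 11, 8), "fp"),
    ("R-200", "endpoint", date(2025, 12, 8), "tp"), ("R-200", "endpoint", date(2025, 12, 9), "tp"),
    ("R-200", "endpoint", date(2026, 1, 8), "tp"), ("R-200", "endpoint", date(2026, 2, 8), "tp"),
    ("R-200", "endpoint", date(2026, 3, 8), "tp"),
]

def quarter(d):
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"

def fp_stats(alerts, key=lambda a: a[0]):
    """{group: {quarter: (fp_count, total)}}; key picks the grouping (rule id by default, a[1] for team)."""
    counts = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    for alert in alerts:
        cell = counts[key(alert)][quarter(alert[2])]
        cell[1] += 1
        if alert[3] == "fp":
            cell[0] += 1
    return {g: {q: tuple(c) for q, c in qs.items()} for g, qs in counts.items()}

def queue_fp_rate(alerts):
    """Whole-queue FP rate per quarter: is the queue getting sharper or noisier?"""
    qs = fp_stats(alerts, key=lambda a: "queue")["queue"]
    return {q: round(fp / total, 3) for q, (fp, total) in sorted(qs.items())}

def tuning_candidates(alerts, prev_q, cur_q, max_rate=0.5):
    """Rules worth tuning now: FP rate above max_rate in cur_q, or higher than in prev_q.
    Sorted by FP count so the rule wasting the most analyst time comes first."""
    out = []
    for rule, qs in fp_stats(alerts).items():
        fp, total = qs.get(cur_q, (0, 0))
        if total == 0:
            continue  # rule did not fire this quarter; nothing to tune
        rate = fp / total
        prev = qs[prev_q][0] / qs[prev_q][1] if prev_q in qs else None
        rising = prev is not None and rate > prev
        if rate > max_rate or rising:
            out.append({"rule": rule, "fp": fp, "total": total,
                        "rate": round(rate, 2), "prev_rate": prev, "rising": rising})
    return sorted(out, key=lambda r: r["fp"], reverse=True)
```

On this sample the queue as a whole gets noisier from 2025Q4 to 2026Q1 even though one rule improved, and the per-rule view shows exactly where that noise comes from.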

The thing about AI

AI-assisted triage gets a lot of attention. Autonomous agents that pre-enrich alerts, classify them as false or true positives, summarise findings. That’s genuinely useful. But it’s downstream of fidelity.

If the detection logic is bad, AI triage is doing expensive processing on noise. The leverage is at the detection layer, not the triage layer.

Fix the signal first. Then automate the triage.