Alert fatigue is the steady erosion of analyst attention caused by a high volume of noisy or low value alerts. It leads to missed signals, longer dwell times, and inconsistent investigations. In the latest State of AI in Security Operations survey of nearly 300 CISOs, SOC leaders, and practitioners, teams reported a median of about 960 alerts per day and said roughly 40% of alerts are never investigated.
The cost shows up as increased business risk from missed or incomplete investigations as well as increased turnover and low talent retention due to low morale and analyst burnout.
Reducing alert fatigue is a cross discipline effort. You need clean detections, reliable data, a crisp workflow, strong feedback loops, and metrics that guide decisions.
AI is already in the mix: 55% of companies use some AI for alert triage and investigation today, and security leaders expect AI to handle about 60% of SOC workloads within three years. Volume matters, but signal quality and decision speed matter more.
Capture a one week snapshot before making changes. Things to track include dwell time, false positive rate, investigation throughput per analyst, queue age distribution, reopen rate, suppression ratio, and context gap rate.
Create ground truth by sampling alerts across sources. Label true positive, false positive, benign true, and duplicate. Record what context changed the decision.
Collect a standard dataset for every high volume alert so your tuning and fatigue work share the same lens. Capture: alert name, alert source, alert count, total time investigated, median investigation time, and efficacy. These six fields expose cognitive load and poor yield.
Prioritize with a simple chart: plot efficacy on the Y axis, total time investigated on the X axis, and size points by alert count. See the figure below as an example. The lower right quadrant highlights the most impactful false positive tuning targets. Items on the left often suit light automation.
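As an added example (not code from the page or from Prophet Security), this builds the six-field dataset into the chart's quadrants and ranks the lower right quadrant. The sample rows and the efficacy and time cut-offs are constructed assumptions; take your own cut-offs from the baseline distribution.

```python
# Constructed one-week sample of the six-field dataset (not real SOC data).
# Fields: alert name, source, alert count, total minutes investigated, median minutes, true positives.
ALERTS = [
    ("Impossible travel",    "IdP", 420, 2100,  5, 3),
    ("Mass file download",   "DLP", 180, 4140, 23, 0),
    ("Credential dump tool", "EDR",   6,  270, 45, 5),
    ("Port scan from DMZ",   "NDR", 900, 1800,  2, 0),
]

def summarize(rows):
    """Attach efficacy (true positives / alert count) so both chart axes are explicit."""
    out = []
    for name, source, count, total_min, median_min, tps in rows:
        out.append({"name": name, "source": source, "count": count,
                    "total_minutes": total_min, "median_minutes": median_min,
                    "efficacy": tps / count if count else 0.0})
    return out

def quadrant(row, efficacy_cut=0.05, time_cut=1000):
    """Place a point on the efficacy (Y) versus total time investigated (X) chart.
    The cut-offs are assumptions for this example, not values from the page."""
    heavy = row["total_minutes"] >= time_cut
    low_yield = row["efficacy"] < efficacy_cut
    if heavy and low_yield:
        return "lower_right"   # most impactful false positive tuning targets
    if heavy:
        return "upper_right"   # costly but productive: improve workflow, not suppression
    if low_yield:
        return "lower_left"    # cheap and low yield: light automation or suppression
    return "upper_left"        # cheap and productive: leave alone

def tuning_targets(rows):
    """Lower right quadrant ranked by time sunk, with bubble size (alert count) as tiebreak."""
    pts = [r for r in summarize(rows) if quadrant(r) == "lower_right"]
    return sorted(pts, key=lambda r: (r["total_minutes"], r["count"]), reverse=True)
```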
Set target thresholds tied to business risk. Example: a maximum of 30 minutes to first decision for identity alerts on privileged accounts.
Apply detection hygiene. Retire stale rules, consolidate duplicates, normalize severities, and right size thresholds. Map rules to MITRE ATT&CK to clarify intent and coverage.
Suppress and deduplicate correctly. Use time window correlation, asset level and user level aggregation, and guardrails that stop noisy detectors from firing repeatedly when a signal keeps toggling between “bad” and “normal.”
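The time window deduplication and flapping guardrail described above, as an added example that is not code from the page or from Prophet Security. The events, the 15 minute window and the toggle limit are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed detector output (not real telemetry): timestamp, detector, entity (asset or user), state.
EVENTS = [
    ("2024-05-01T09:00:00", "edr_suspicious_proc", "host-17", "bad"),
    ("2024-05-01T09:03:00", "edr_suspicious_proc", "host-17", "bad"),     # repeat inside the window
    ("2024-05-01T09:20:00", "edr_suspicious_proc", "host-17", "bad"),     # outside the window: new alert
    ("2024-05-01T10:00:00", "idp_anomaly", "alice", "bad"),
    ("2024-05-01T10:02:00", "idp_anomaly", "alice", "normal"),
    ("2024-05-01T10:04:00", "idp_anomaly", "alice", "bad"),
    ("2024-05-01T10:06:00", "idp_anomaly", "alice", "normal"),
    ("2024-05-01T10:08:00", "idp_anomaly", "alice", "bad"),               # keeps toggling: flapping
]

def correlate(events, window=timedelta(minutes=15), flap_limit=2):
    """Collapse repeats per (detector, entity) inside a time window and stop emitting
    once a signal has toggled between bad and normal more than flap_limit times.
    Returns (emitted alerts, suppressed events with the reason)."""
    open_alerts = {}            # (detector, entity) -> (first_seen, repeat count)
    last_state = {}
    toggles = defaultdict(int)  # production code should reset this per window
    emitted, suppressed = [], []
    for ts, detector, entity, state in events:
        t = datetime.fromisoformat(ts)
        key = (detector, entity)
        if key in last_state and last_state[key] != state:
            toggles[key] += 1
        last_state[key] = state
        if state != "bad":
            continue                                  # only "bad" states can raise an alert
        if toggles[key] > flap_limit:
            suppressed.append((ts, key, "flapping"))  # guardrail: noisy detector muted
            continue
        first, n = open_alerts.get(key, (None, 0))
        if first is not None and t - first <= window:
            open_alerts[key] = (first, n + 1)         # aggregate onto the open alert
            suppressed.append((ts, key, "duplicate"))
            continue
        open_alerts[key] = (t, 1)
        emitted.append((ts, key))
    return emitted, suppressed
```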
Tune vendor controls with intention. Adjust EDR sensitivity by asset class, refine email security dispositions with sandbox thresholds, and calibrate identity anomaly limits to real user behavior. Document each change and the metric you expect to move.
Before disabling or tuning, ask the same three second order questions: has there ever been a true positive, can a simple logic change remove most of the volume, and does the detection uniquely catch the threat?
Disable if the answer is no across the board. Otherwise tune and review in the next cycle.
Add a six month audit to catch vendor logic shifts or rule decay, then decide whether to re-enable or re-tune.
Pull enrichment that changes decisions: asset criticality, data sensitivity, external exposure, identity risk, known bad indicators, exploitability, and recent change events.
Use a transparent scoring model that anyone can recalculate:

risk_score = base_severity
           + asset_criticality
           + identity_risk
           + exploitability
           + external_exposure
           + recent_change_flag

where recent_change_flag boosts risk if something just changed on the impacted asset or identity.
Normalize to a 0 to 100 scale and route by policy. Scores 80 to 100 go to senior analysts. Scores 50 to 79 go to standard triage.
Scores below 50 are candidates for auto closure after guardrail checks. Only close an alert automatically when enrichment confirms a known low risk pattern and you record an audit trail.
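The scoring, normalization, routing and guardrailed auto closure described above, as an added example (not code from the page or from Prophet Security). The page names the factors but not their scales, so the 0-10 severity, the 0-5 factor ranges, the recent change boost of 5 and the extra auto closure guardrails are assumptions.

```python
from dataclasses import dataclass

MAX_RAW = 10 + 5 * 5   # base_severity (0-10) plus five factors each worth 0-5 (assumed scales)

@dataclass
class Alert:
    alert_id: str
    base_severity: int        # 0-10
    asset_criticality: int    # 0-5
    identity_risk: int        # 0-5
    exploitability: int       # 0-5
    external_exposure: int    # 0-5
    recent_change: bool       # something just changed on the impacted asset or identity
    pattern: str = ""         # enrichment label, e.g. "vuln_scanner_authorized" (constructed)

# Assumed allow-list of enrichment patterns that qualify for auto closure.
KNOWN_LOW_RISK_PATTERNS = {"vuln_scanner_authorized", "backup_agent_expected"}
AUDIT_LOG = []   # every automatic decision is recorded here

def risk_score(a: Alert) -> int:
    """The transparent sum from the page, normalized to 0-100 so anyone can recalculate it."""
    raw = (a.base_severity + a.asset_criticality + a.identity_risk
           + a.exploitability + a.external_exposure + (5 if a.recent_change else 0))
    return round(100 * raw / MAX_RAW)

def auto_close_allowed(a: Alert) -> bool:
    """Guardrails: enrichment must confirm a known low risk pattern; a recent change on the
    asset or identity, or a critical asset, always sends the alert to a human (assumed rules)."""
    return (a.pattern in KNOWN_LOW_RISK_PATTERNS
            and not a.recent_change
            and a.asset_criticality <= 2)

def route(a: Alert) -> str:
    """Route by policy: 80-100 senior analysts, 50-79 standard triage, below 50 auto closure
    candidates that still go to standard triage when the guardrails fail."""
    score = risk_score(a)
    if score >= 80:
        return "senior_analyst"
    if score >= 50:
        return "standard_triage"
    if auto_close_allowed(a):
        AUDIT_LOG.append({"alert": a.alert_id, "score": score, "action": "auto_closed",
                          "reason": f"enrichment matched known low risk pattern {a.pattern}"})
        return "auto_closed"
    return "standard_triage"
```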
Make the first triage view decision ready. Show a compact evidence package with who, what, when, where, why it matters, and the next action. Link raw evidence and give a one line summary.
Define standard intake states: new, in triage, in investigation, waiting on data, resolved. Publish SLOs for time in triage and time in investigation.
Require consistent notes. A good case record includes a decision, the rationale, evidence references, and the follow up action. Short consistent notes beat long inconsistent narratives.
Give analysts a simple template to propose rule changes: rule name, problem, proposed change, expected impact.
Run weekly proposal reviews and a monthly outcome review. Add a quarterly comprehensive tuning cycle so detection tuning and fatigue reduction run on the same cadence. Keep a rollback plan for every change.
Track the effect of each change. Measure false positive rate shifts, dwell time, and coverage against mapped ATT&CK techniques. Publish a monthly summary.
Create governance that scales decisions. At acceptance time for any detection, check three gates:
Log every decision in a standing doc. If you disable a rule, move it to informational severity for auditability.
Automate enrichment, correlation, and safe closures. Fetch context, attach evidence, link related alerts, and tag duplicates.
Use AI to summarize evidence, propose testable hypotheses, and pivot across tools. Require transparency. Show data sources, list reasoning steps, and include confidence.
Baseline captured with the six field dataset. Bubble chart produced. Top ten lower right quadrant alerts tuned or retired using the three second order questions. Enrichment checklist defined. Queue states and SLOs visible.
Risk scoring and routing live. Auto closure policies in production with audit. Weekly proposal review and monthly outcomes review in place. Governance doc live with decision logs.
Quarterly comprehensive tuning executed. Metric review against targets. Regression checks on tuned rules. Short runbook published for continuous tuning and review.
Prophet Security’s Agentic AI SOC Platform lowers alert fatigue by automating evidence gathering, correlation, and safe closures with an audit trail. Prophet AI enriches every alert with asset, identity, and exposure context to determine the severity of each alert. The platform explains its reasoning and links source data so teams can validate decisions and meet audit needs. Teams use it to lower false positives, cut dwell time, and increase investigation throughput by 10x without adding headcount. Request a demo of Prophet AI to see it in action.
Alert fatigue in cybersecurity is the erosion of analyst attention caused by high volumes of noisy or low value alerts. It matters because it drives missed signals, longer dwell times, and inconsistent investigations, which raises business risk and contributes to burnout and turnover.
SOC teams should set a baseline by capturing a one week snapshot before making changes and by sampling alerts across sources to create ground truth. This baseline should track dwell time, false positive rate, investigation throughput per analyst, queue age distribution, reopen rate, suppression ratio, and context gap rate.
The metrics that best measure alert fatigue and SOC performance include alert dwell time, false positive rate, mean time to investigate, investigation throughput per analyst, backlog size, and reopen rate. Teams should also track total time investigated and median investigation time to surface time sinks and cognitive load.
You can prioritize detections by plotting efficacy versus total time investigated and sizing points by alert count to identify high impact false positive tuning targets. Before disabling anything, ask whether there has ever been a true positive, whether a simple logic change can remove most volume, and whether the detection uniquely catches the threat.
Detection hygiene practices that reduce noisy alerts include retiring stale rules, consolidating duplicates, normalizing severities, and right sizing thresholds mapped to MITRE ATT&CK. You should also implement suppression and deduplication with time window correlation and asset or user aggregation, tune vendor controls intentionally, and add a six month audit to catch drift.
Risk scoring and enrichment should improve triage by pulling context that changes decisions, such as asset criticality, identity risk, external exposure, exploitability, and recent change events. A transparent model that combines base severity with those factors and normalizes to a 0 to 100 scale enables policy based routing, with guardrailed auto closure for low risk patterns and an audit trail.
Automation and AI help with alert fatigue by fetching enrichment, correlating related alerts, tagging duplicates, and safely closing known low risk patterns with auditability. AI also summarizes evidence, proposes testable hypotheses, and pivots across tools with transparent reasoning, and in the latest survey 55 percent of companies use AI for triage and investigation today with leaders expecting AI to handle about 60 percent of SOC workloads within three years.
You can measure the impact of alert fatigue fixes and show ROI by tracking changes in dwell time, false positive rate, investigation throughput, backlog size, and auto closure share against the baseline. For example, with a median of about 960 alerts per day and roughly 40 percent never investigated, improving efficacy and time to first decision yields measurable hours returned to the team and more complete coverage.
Prophet Security reduces alert fatigue by automating evidence gathering, correlation, and safe closures with an audit trail. Prophet AI enriches each alert with asset, identity, and exposure context, applies a transparent risk score, and routes by policy to cut false positives, reduce dwell time, and increase investigation throughput.