Removing Alert Wait Time in the SOC: Bypassing the Human Queue

Jon Hencinski
January 7, 2026

A lot of SOC performance conversations still orbit the same benchmark: “alert to fix in under 30 minutes.” By “alert to fix,” I mean the full clock from the moment an alert is created to the moment remediation actions are taken.

But when you dig in, that number is usually a median (50th percentile) or an average that hides the outliers. It hides the alerts where “30 minutes” quietly turns into hours.

SOC leader to SOC leader, the more useful question is this: How long are alerts waiting before anyone even looks at them, especially when the queue is under real load? Because risk does not live in the median. It lives in the tail, your 95th to 99th percentile. Put simply, if you lined up 100 alerts by how long they waited, the 95th percentile is what alert #95 looked like.
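
If it helps to make that concrete, here’s a minimal sketch of pulling the tail out of wait-time data. The numbers below are synthetic; the only assumption is that you can export per-alert wait times from your SIEM or ticketing system.

```python
import numpy as np

# Hypothetical per-alert wait times in minutes. The exponential draw is
# synthetic stand-in data for whatever your SIEM or ticketing system exports.
wait_times_minutes = np.random.default_rng(7).exponential(scale=20, size=100)

p50 = np.percentile(wait_times_minutes, 50)  # the median most dashboards report
p95 = np.percentile(wait_times_minutes, 95)  # what alert #95 of 100 experienced
p99 = np.percentile(wait_times_minutes, 99)  # the worst of the tail

print(f"p50: {p50:.0f} min | p95: {p95:.0f} min | p99: {p99:.0f} min")
```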

Long response times happen for two reasons: a) some alerts take a long time to investigate, and b) those long-tail investigations back up the queue, so everything behind them waits longer.

Think of your SOC like an ER waiting room. Doctors can be excellent. Triage can be efficient. But when too many patients arrive at once, the waiting room fills up, and the wait becomes the story.

In the SOC, it plays out the same way. Early morning might be under control. Then business hours hit. A burst of activity shows up and capacity gets consumed fast. Many alerts are noisy. All demand attention. Maybe it’s a phishing wave. Maybe you rolled out new detections. Maybe it’s Patch Tuesday fallout.

Your best analysts jump on alerts with a Critical or High severity label. At the same time, you may deliberately push coverage in the other direction, working Low severity alerts, then Medium, just to keep wait time from exploding. Then an escalation lands. The queue keeps growing. By lunch, you’re already behind because alerts are sitting in the queue waiting to be selected, including some labeled Low severity that turn out to be the first breadcrumb of an incident.

Your SOC is a queueing system (whether you call it that or not)

SOCs have gotten faster. The last decade of SOC automation, enrichment, correlation, and SOAR has reduced manual work and improved handling speed. We’ve also increased the share of alerts handled end-to-end by automation. But most SOCs still run on the same underlying model: humans decide what gets looked at next. Automation speeds up parts of the work, but it does not remove the line of alerts waiting to be selected.

Most environments still look like this:

Alert Created → Wait time (alert waits for human action) → Triage and decision (human picks it up) → Action

In this setup, there are two clocks that matter, and most teams only talk about one of them.

Wait time: the time from when an alert is created and enters the queue to when a human picks it up and takes the first real action. This is pure queue time. The alert exists, but nothing is happening yet. It’s worth noting that many MDRs and MSSPs write SLAs against this clock. The performance SLA is often based on when work is started, not when the alert is actually resolved.

Work time: the time from first real action to determination and action. This is the time it takes to work the alert to a conclusion, including quick triage, enrichment, pivots, scoping, and whatever response is needed.

Now, there’s one more fundamental building block.

Cycle time is the end-to-end clock from alert created to determination and action. Put simply, it’s how long an alert takes from entry to exit.

As a formula:

Cycle time = wait time + work time

This is where queueing theory becomes practical. In a human-queued SOC, work time is often fairly stable. Maybe it’s 10 minutes for a quick call. Maybe it’s 30 minutes when you need deeper context. But wait time is the wild card, and it’s the part that explodes when the system runs hot.

That’s the basic queueing dynamic. As utilization approaches capacity, the queue does not grow linearly. It grows non-linearly, and the tail gets ugly fast. A SOC can feel fine in the median while quietly accumulating a long tail.
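
To see how sharply that happens, here’s a minimal sketch using the textbook M/M/1 queueing formula for average time in queue, with an assumed 15-minute average work time per alert. Real SOC queues are messier than a single-server model, but the shape of the curve is the point:

```python
# M/M/1 average time in queue: Wq = rho / (mu * (1 - rho)), where rho is
# utilization and 1/mu is the average work time per alert. This is a deliberate
# simplification; it exists only to show the non-linear blow-up near capacity.
work_time_minutes = 15.0  # assumed average work time per alert

for utilization in (0.50, 0.70, 0.90, 0.95, 0.99):
    avg_wait = work_time_minutes * utilization / (1 - utilization)
    print(f"utilization {utilization:.0%}: average wait ~ {avg_wait:,.0f} min")
```

At 70% utilization the average wait is about 35 minutes. At 95%, it’s closer to five hours. Same analysts, same work time, very different queue.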

In practice, say an alert fires. It waits in the queue for 10 minutes, then it takes 15 minutes to triage and reach a determination. The cycle time for that alert is 25 minutes.

This is why cycle time is so useful: it forces you to see the full system, not just the time spent working.
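
If you want to measure this from your own data, here’s a minimal sketch, assuming you can pull three timestamps per alert. The field names are illustrative, not any particular product’s schema:

```python
from datetime import datetime

# Hypothetical timestamps for the alert above. Field names are assumptions;
# map them to whatever your SIEM, SOAR, or ticketing system records.
created_at      = datetime(2026, 1, 7, 9, 0)   # alert created, enters the queue
first_action_at = datetime(2026, 1, 7, 9, 10)  # a human picks it up
closed_at       = datetime(2026, 1, 7, 9, 25)  # determination and action taken

wait_time  = first_action_at - created_at      # pure queue time (10 min)
work_time  = closed_at - first_action_at       # triage through response (15 min)
cycle_time = closed_at - created_at            # end to end (25 min)

assert cycle_time == wait_time + work_time
print(f"wait: {wait_time}, work: {work_time}, cycle: {cycle_time}")
```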

Severity becomes a routing policy

If wait time exists, it’s because the system has to answer one question all day long: Which alert do we work next?

That decision is usually driven by severity labels: Critical, High, Medium, Low. Severity starts as a signal. In a queue, it becomes something else. It becomes a routing policy. It decides which work gets priority and which work waits.

This is where the long tail shows up in practice.

Say a Critical alert fires. It waits in the queue for 10 minutes, and then it takes 15 minutes to perform quick triage and determine the activity was benign. The cycle time for that alert is 25 minutes.

Now look at the other end of the system.

An alert fires and it’s labeled Low severity because the detection intentionally catches a lot of activity. It sits in the queue for 6 hours before it’s picked up. The work time remains 10 to 15 minutes, but the cycle time for that class of alert is almost 6.5 hours.

And here’s the part that matters: attackers don’t care what severity label we assigned. If that Low severity alert was a true positive, the difference between a 25-minute cycle time and a 6.5-hour cycle time is the difference between containing quickly and giving it time to spread.

This is all to say: in practice, most cycle time problems are really wait time problems. If the end-to-end cycle time is 6+ hours for a Low severity alert, a meaningful chunk of that time was likely spent waiting for someone to even look at the alert.

A lot of SOCs have a queue problem that is more consequential than their investigation speed problem.

Severity is never perfect. Some real incidents start from alerts labeled Medium or Low. That’s why tail wait time for Medium and Low is risk sitting idle in the queue.

AI is the next phase: bypass alert wait time

Here’s the shift an AI SOC enables: immediate alert processing.

This goes beyond “more automation.” It’s a different operating model. In the automation era, the system is split. A subset of alerts are handled automatically, and the rest wait for a human to reach a determination. In the AI era, the point is to eliminate that split by eliminating the wait.

The workflow becomes:

Alert Created → Triage and decision (immediate) → Action

Automation improved the work step. AI changes the operating model by collapsing the queue. And importantly, this isn’t just faster enrichment. It’s reaching a determination immediately, so the queue stops setting the pace.

When you remove wait time, you don’t just go faster. You change what the system is optimized for. The long tail collapses. End-to-end cycle times move from hours, or days in the tail, to minutes. In many environments, you go from 30 minutes, or even 20 minutes, down to 3 to 4 minutes from alert creation to determination and remediation.

And that’s where “alert to fix” changes meaning. It’s no longer a 30-minute target you hit “on average” by tuning severity labels and managing a human queue. It becomes directly tied to the engineering decisions you’ve made to enable autonomous investigation and response.

In other words, it stops being a people-and-routing problem and becomes a systems processing problem. Latency is no longer gated by human capacity. It becomes a reflection of the systems you’ve put in place.

Put this into practice to gauge where you are today

Whether you run your SOC in-house or you outsource to an MDR or MSSP, you can get a quick read on how your alert system really behaves by pulling a few numbers and looking at performance under load.

Here are the questions I’d start with:

  1. What’s the 95th percentile cycle time across all severities?
    If your p95 cycle time is measured in hours, your system isn’t “slow.” It’s queue-bound.

  2. What’s the 95th percentile wait time for a Low severity alert?
    Not the average. Not the SLA. The tail. (A sketch for pulling this per severity follows the list.)

  3. If Scattered Spider triggered a Low severity alert, what’s the longest it could wait before first touch, and is that good enough?
    That’s the real test. Severity labels are never perfect, and real incidents don’t politely arrive as “Critical.”
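
Here’s the sketch referenced in question 2: pulling tail wait time per severity from an alert export. The export format and field names are assumptions; adapt them to whatever your SIEM, SOAR, or ticketing system can produce. Swap cycle time in for wait time and you’ve answered question 1 as well.

```python
from collections import defaultdict
import numpy as np

# Hypothetical alert export: (severity label, wait time in minutes) pairs.
alerts = [
    ("Critical", 8), ("High", 12), ("Medium", 95), ("Low", 240),
    ("Low", 380), ("Medium", 40), ("Low", 15), ("High", 25),
    # ... the rest of your export
]

waits_by_severity = defaultdict(list)
for severity, wait_minutes in alerts:
    waits_by_severity[severity].append(wait_minutes)

for severity, waits in waits_by_severity.items():
    p95 = np.percentile(waits, 95)
    print(f"{severity}: p95 wait = {p95:.0f} min over {len(waits)} alerts")
```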

Want to compare notes?

If you’re a SOC leader wrestling with wait time, tail risk, or capacity, I’m happy to talk. Reach out on LinkedIn or X and let’s compare what you’re seeing. If it’s helpful, I can also walk you through what the no-wait-time model looks like in practice. Or request a demo of Prophet AI to see that model in action.
