Articles·4 min read·By ArmorPoint Team

Three signs your SOC is drowning in alerts

Alert fatigue is not a personality trait; it is a measurable operational problem. Here are three concrete signals that it has set in, and what to do about each.

Every SOC manager has seen the same dashboard slide: critical alerts trending up and to the right, the team looking exhausted by 3pm on a Tuesday. The question is not whether you have alert fatigue. The question is how much of your real risk exposure is buried under it.

1. Mean time to triage is creeping up, even on critical alerts

Watch the percentiles, not the average. If your p50 triage time stays flat (or even drops) while your p95 climbs, your team is getting through the obvious cases as fast as ever but the murky ones are sitting longer. That is the classic signature of analysts triaging what they can pattern-match instantly and deferring everything else, and a single mean blurs the two populations together.

What to do: review every alert from the past 30 days that was deferred before it was closed. How many were closed as true positives? If more than 5% were, real incidents are routinely landing in the "later" pile, and that is a tuning problem, not an analyst problem.

2. Same rule fires the same way every week

If you can predict which rules will be in the top 5 by volume next Tuesday, those rules are not detection rules anymore. They are background hum.

What to do: for the top 10 noisiest rules, ask of each: in the last 12 months has this rule fired on a real incident? If yes, what was the signal that distinguished the real one from the other thousand? Promote that signal into the rule's logic so it fires on the discriminator, not on the common precondition. If no, the rule is dead weight and should be disabled or moved out of the alert queue.
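The two measurements above run over a small constructed set of alert records, as an added example that is not part of the original post: per-week p50/p95 triage time and the deferred-alert hit rate from sign 1, and week-to-week top-N rule stability plus per-rule true-positive history from sign 2. The rule names, severities, timings and the six-field record schema are assumptions for illustration; point the same functions at an alert export from your own SIEM or case system.

```python
from collections import Counter, defaultdict
from math import ceil


def _alert(week, rule, sev, triage_min, deferred=False, tp=False):
    """One alert record. Fields are assumptions for this example:
    week: ISO week it fired; triage_min: minutes from firing to first analyst action;
    deferred: parked past the shift before being closed; tp: closed as a true positive."""
    return {"week": week, "rule": rule, "sev": sev, "triage_min": triage_min,
            "deferred": deferred, "tp": tp}


# Constructed sample data (not from any real SOC).
ALERTS = []
# Critical alerts over two weeks: the obvious ones are triaged in minutes both
# weeks, while the murky (deferred) ones sit much longer in week 2.
for week, murky_minutes in ((1, (30, 35, 40)), (2, (60, 120, 240))):
    for minutes in (5, 6, 7, 8, 9):
        ALERTS.append(_alert(week, "suspicious_login", "critical", minutes))
    for minutes in murky_minutes:
        ALERTS.append(_alert(week, "process_injection", "critical", minutes,
                             deferred=True, tp=(minutes == 240)))
# Four weeks of background hum: two rules that fire constantly and never on a
# real incident, one that fired once on a real incident in week 3, and one
# low-volume rule that only fires on real lateral movement.
for week in (1, 2, 3, 4):
    ALERTS += [_alert(week, "dns_txt_long", "medium", 2) for _ in range(40)]
    ALERTS += [_alert(week, "brute_force_auth", "medium", 3) for _ in range(30)]
    ALERTS += [_alert(week, "new_scheduled_task", "high", 15, tp=(week == 3 and i == 0))
               for i in range(10)]
ALERTS += [_alert(2, "psexec_lateral", "high", 12, tp=True) for _ in range(2)]


def percentile(values, p):
    """Nearest-rank percentile: smallest sample with at least p% of samples at or below it."""
    s = sorted(values)
    if not s:
        raise ValueError("no samples")
    return s[max(0, ceil(p / 100 * len(s)) - 1)]


def triage_percentiles(alerts, sev="critical"):
    """Sign 1: per-week (p50, p95) triage minutes for one severity."""
    by_week = defaultdict(list)
    for a in alerts:
        if a["sev"] == sev:
            by_week[a["week"]].append(a["triage_min"])
    return {w: (percentile(v, 50), percentile(v, 95)) for w, v in sorted(by_week.items())}


def deferred_hit_rate(alerts):
    """Sign 1 check: fraction of deferred-then-closed alerts that were real."""
    deferred = [a for a in alerts if a["deferred"]]
    if not deferred:
        return 0.0
    return sum(a["tp"] for a in deferred) / len(deferred)


def weekly_top_rules(alerts, n=3):
    """Sign 2: the n highest-volume rules in each week."""
    counts = defaultdict(Counter)
    for a in alerts:
        counts[a["week"]][a["rule"]] += 1
    return {w: {r for r, _ in c.most_common(n)} for w, c in sorted(counts.items())}


def top_rule_stability(alerts, n=3):
    """Jaccard overlap of consecutive weeks' top-n sets; 1.0 means fully predictable."""
    tops = list(weekly_top_rules(alerts, n).values())
    return [len(a & b) / len(a | b) for a, b in zip(tops, tops[1:])]


def dead_weight_rules(alerts, n=3):
    """Sign 2 check: among the n noisiest rules, those with no true positive in the window."""
    volume = Counter(a["rule"] for a in alerts)
    true_positives = Counter(a["rule"] for a in alerts if a["tp"])
    return [r for r, _ in volume.most_common(n) if true_positives[r] == 0]


if __name__ == "__main__":
    for week, (p50, p95) in triage_percentiles(ALERTS).items():
        print(f"week {week}: critical triage p50={p50} min, p95={p95} min")
    print(f"deferred-then-closed true-positive rate: {deferred_hit_rate(ALERTS):.1%}")
    print(f"top-3 rule overlap week to week: {top_rule_stability(ALERTS)}")
    print(f"noisy rules with no true positive: {dead_weight_rules(ALERTS)}")
```

On the sample data the p50 holds at 8 minutes in both weeks while the p95 jumps from 40 to 240, one in six deferred alerts was real, the top-3 set is identical every week, and the two highest-volume rules have never produced a true positive. One caveat before acting on the dead-weight list: it only counts true positives that the case system actually linked back to the alert, so a rule that fired on an incident nobody tied to it will look dead. Check case-to-alert linkage before disabling anything.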

3. New hires take more than 90 days to be useful

If onboarding a tier 1 analyst takes a full quarter, the problem is not training. The problem is your environment is so noisy that nobody can build good intuition until they have seen the same false positive 100 times.

What to do: pair onboarding with rule pruning. The new analyst tells you what is confusing. You delete or tune the rules causing the confusion.

The harder truth

None of these are tooling problems. You cannot buy your way out of alert fatigue, but you can tune your way out. The teams that do this well make rule pruning a quarterly ritual, not an annual project.

Tags: SOC, Alert Fatigue, SIEM