Security operations centers face a mathematical impossibility. Recent surveys show alerts require extensive time to investigate fully, often exceeding an hour per alert. Enterprise SOCs receive thousands of alerts daily. The investigation capacity required far exceeds what even large 24/7 teams can provide.
The industry calls this "alert fatigue," implying analysts just need to handle more volume. That misses the real problem. Research from Devo found most analysts spend substantial time gathering and connecting evidence to transform an alert into an actionable security case. The investigation workflow itself consumes most analyst time, not the alert evaluation.
Consider what happens when a SIEM generates an alert: "Suspicious PowerShell execution detected on WORKSTATION-042 by user jsmith." An analyst sees this and begins the investigation tax.
The investigation workflow tax
First, determine if this is actually suspicious. PowerShell runs constantly in Windows environments for legitimate tasks. The analyst pivots to the EDR console to examine the full command line. Several minutes to authenticate, navigate, search by hostname, filter timeframe.
Next, check if jsmith has admin privileges. Pivot to Active Directory. Another authentication, another search. More time spent.
The PowerShell process spawned from Outlook. Pivot to email gateway logs. Different console, different query language, different authentication. More investigation reveals a phishing email arrived shortly before PowerShell execution.
Correlate: did other users receive the same email? Did anyone else execute similar PowerShell? Significant time across multiple systems.
Check threat intelligence: is the sender domain known malicious? Is the PowerShell pattern documented? Additional research required.
Verify impact: did PowerShell connect externally? Pivot to firewall logs. Modify files? Check EDR. Create persistence? Check scheduled tasks, registry, startup locations. Substantial evidence gathering across data sources.
Document findings: update ticket, correlate incidents, determine severity, assign next steps. Administrative overhead.
This workflow assumes the analyst knows exactly which tools to check, in which order, with which queries. Research shows investigations commonly require an hour or more when gathering context manually. Every alert becomes a capture-the-flag challenge for analysts, with new unknowns every time.
Why tool sprawl makes it worse
Security leaders respond to detection gaps by deploying more tools. EDR, NDR, CASB, DLP, email security. Each promises better visibility. The result: research shows many SOC practitioners report their security tools increase rather than lower their workload.
Each tool generates alerts in its own format. A single security event triggers multiple overlapping alerts. Devo's research found most analysts unknowingly investigate the same incidents multiple times because different tools present the same underlying activity differently.
Even with perfect deduplication, alerts arrive with minimal context: "User logged in from unusual location." Analysts must manually gather context the detection system should have included. Where does this user normally log in? What's their role? What resources did they access?
This context gathering requires pivoting through multiple tools, each revealing one piece of the puzzle. The analyst becomes a data plumber, manually connecting information that should arrive correlated.
The false positive cascade
Studies show a substantial portion of security alerts are false positives. But this statistic understates the problem. An alert becomes a false positive only after investigation reveals it's benign. The investigation workflow still happens. The time investment applies equally whether the alert represents a real threat or routine operational activity.
Worse, high false positive rates create institutional learned helplessness. When most investigations lead nowhere, analysts naturally approach new alerts with skepticism. Research documents that this desensitization causes analysts to overlook, dismiss, or inadequately investigate alerts, including genuine threats.
Some organizations respond by tuning detection rules to reduce false positives. But tuning requires knowing which patterns indicate threats versus normal activity. That knowledge comes from... investigation. The same workflow that's unsustainable at scale. Teams suppress noisy detection rules to cope with volume, potentially creating blind spots where real attacks hide.
The architectural problem
The core issue isn't alert volume. It's detection architecture that separates detection from context.
Traditional detection follows this pattern:
1. Tool observes event
2. Tool matches event against rule or baseline
3. Tool generates alert
4. Alert contains minimal information (what triggered, when, where)
5. Analyst must gather context from other systems
6. Analyst determines if activity is malicious
7. Analyst escalates or closes
Steps 5 and 6 consume the bulk of investigation time. The detection system offloaded the hardest part of detection to human analysts.
Compare this to detection that includes behavioral context:
1. System observes behavioral timeline: ordered sequence of flows between an endpoint pair
2. System generates a representation of how the flows in this sequence are structured together
3. System classifies this behavioral timeline's intent based on its structure
4. Alert includes: what activity occurred in this behavioral timeline, why its structure appears malicious, what attacker objective this sequence accomplishes, complete flow context for this endpoint pair
5. Analyst validates with context already present
6. Analyst escalates or closes
The investigation workflow compresses dramatically when the detection includes the context for each behavioral timeline. Instead of gathering evidence across multiple tools, analysts validate evidence the system already assembled for that specific sequence.
What changes with context-rich detection
Foundation models for threat detection learn behavioral representations from network flow data. These systems evaluate behavioral timelines: ordered sequences of flows between a specific pair of endpoints. Each behavioral timeline is classified independently based on its structural patterns.
A reconnaissance behavioral timeline exhibits systematic enumeration structure. Lateral movement shows privilege escalation patterns. Exfiltration demonstrates collection-transfer timing correlation. The detection classifies each behavioral timeline's intent based on what that specific sequence attempts to accomplish, not by connecting it to other behavioral timelines.
When the system alerts on a reconnaissance behavioral timeline, the alert includes:
- Complete sequence of flows between that endpoint pair (not just the triggering event)
- Which structural patterns indicated reconnaissance
- MITRE ATT&CK tactic mapping (reconnaissance, not generic "suspicious activity")
- Behavioral timeline context showing how flows in that sequence related
Analysts still validate. But validation examines provided evidence rather than gathering evidence from scratch. The investigation workflow compresses dramatically because the detection system did the correlation work within each behavioral timeline.
This architectural shift eliminates most tool pivoting. The analyst doesn't need to ask whether other flows occurred from this source IP: the behavioral timeline already shows all flows for this endpoint pair. Did the activity show escalation patterns? Is this routine administration? The structural context distinguishes operational from malicious intent.
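The two patterns above (the traditional "trigger-only" alert versus an alert that carries the whole behavioral timeline) can be made concrete in a few dozen lines. The following is an added example written for this page; it is not DeepTempo's code or model. It assumes a flow record with timestamp, endpoint pair, destination port and byte counts in each direction, groups flows into per-pair timelines, summarizes each timeline's structure (distinct ports, reply ratio, time span), classifies intent from that structure alone, and emits an alert that already contains the evidence. The sample flows and the classification thresholds are constructed for illustration, not tuned values; the tactic label uses MITRE ATT&CK's Reconnaissance tactic ID (TA0043).

```python
"""Added example (not DeepTempo's code): behavioral timelines built from
constructed flow records, a structural summary per timeline, intent
classification from that structure, and a context-rich alert."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int          # seconds since epoch (constructed values)
    src: str
    dst: str
    dport: int
    proto: str
    bytes_out: int   # src -> dst
    bytes_in: int    # dst -> src (0 means the destination never answered)


# Constructed sample data: one host probes twelve ports on 10.0.0.20 within
# eleven seconds (only 22 and 443 answer); another host talks HTTPS to the
# same server every 30 seconds with large responses.
SCAN_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 3389, 8080]
SAMPLE_FLOWS = [
    Flow(1000 + i, "10.0.0.5", "10.0.0.20", p, "tcp", 60, 120 if p in (22, 443) else 0)
    for i, p in enumerate(SCAN_PORTS)
] + [
    Flow(1000 + i * 30, "10.0.0.7", "10.0.0.20", 443, "tcp", 1500, 48000)
    for i in range(6)
]


def build_timelines(flows):
    """Step 1: group flows by (src, dst) endpoint pair, ordered by time."""
    groups = defaultdict(list)
    for f in flows:
        groups[(f.src, f.dst)].append(f)
    return {pair: sorted(fs, key=lambda f: f.ts) for pair, fs in groups.items()}


def structure(timeline):
    """Step 2: a representation of how the flows in one timeline fit together.
    Nothing here looks at any other endpoint pair."""
    n = len(timeline)
    return {
        "flows": n,
        "distinct_ports": len({f.dport for f in timeline}),
        "span_seconds": timeline[-1].ts - timeline[0].ts,
        "unanswered_ratio": sum(1 for f in timeline if f.bytes_in == 0) / n,
        "bytes_in_per_flow": sum(f.bytes_in for f in timeline) / n,
    }


def classify(s):
    """Step 3: map structure to intent, keeping the reasons for the analyst.
    Thresholds are illustrative assumptions for this example."""
    reasons = []
    if s["distinct_ports"] >= 8 and s["distinct_ports"] == s["flows"]:
        reasons.append(f"{s['distinct_ports']} distinct destination ports, one flow each")
    if s["unanswered_ratio"] >= 0.5:
        reasons.append(f"{s['unanswered_ratio']:.0%} of flows received no reply")
    if s["span_seconds"] < 60 and s["flows"] >= 8:
        reasons.append(f"{s['flows']} flows within {s['span_seconds']}s")
    if len(reasons) >= 2:
        return "reconnaissance", "TA0043 Reconnaissance", reasons
    return "routine", None, ["single service, sustained bidirectional traffic"]


def context_poor_alert(timeline):
    """What the traditional pattern emits: the triggering event and nothing else."""
    f = timeline[-1]
    return {"rule": "possible-port-scan", "src": f.src, "dst": f.dst, "ts": f.ts}


def context_rich_alert(pair, timeline):
    """Step 4: the alert carries the full sequence, the structure and the reasons."""
    s = structure(timeline)
    intent, tactic, reasons = classify(s)
    if intent == "routine":
        return None
    return {
        "intent": intent,
        "tactic": tactic,
        "endpoint_pair": pair,
        "why": reasons,
        "structure": s,
        "flows": [(f.ts, f.dport, f.bytes_out, f.bytes_in) for f in timeline],
    }


def analyze(flows):
    """Run every timeline through classification; return alerts keyed by pair."""
    alerts = {}
    for pair, timeline in build_timelines(flows).items():
        alert = context_rich_alert(pair, timeline)
        if alert is not None:
            alerts[pair] = alert
    return alerts


if __name__ == "__main__":
    for pair, alert in analyze(SAMPLE_FLOWS).items():
        print(pair, alert["intent"], alert["tactic"])
        for reason in alert["why"]:
            print("  -", reason)
        print("  flows:", alert["flows"])
```

Run as written, the scanning pair produces one reconnaissance alert whose body lists all twelve flows and the three structural reasons, while the HTTPS pair produces nothing; `context_poor_alert` on the same scan timeline returns only a source, a destination and a timestamp, which is exactly the starting point of the investigation tax described above.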
The human cost
ISC2's 2024 Workforce Study found the majority of cybersecurity professionals report increased stress levels. SANS 2025 surveys reveal most SOC analysts with limited experience leave within a few years.
This isn't just alert overload. It's spending extensive time gathering context only to determine the alert was routine. It's investigating the same incident multiple times because different tools presented it differently. It's knowing that many alerts never get investigated because there aren't enough hours.
One analyst described opening tickets with multiple IT teams, waiting days to conclude an alert was a false positive. Days. For one alert. When thousands arrive daily.
Security tools market themselves on detection capabilities: "catches more threats," "detects zero-day attacks." But detection without context just shifts the burden to analysts who lack time to investigate properly.
What actually matters
The SOC productivity crisis isn't about alert reduction. It's about investigation efficiency. An analyst can validate many context-rich alerts in the time it takes to investigate a few context-poor alerts.
Organizations need detection systems that provide behavioral context, not just event notifications. Systems that classify attacker intent, not just flag anomalies. Systems that present correlated evidence, not pointers to data sources.
With widespread staffing shortages and a global deficit of millions of cybersecurity professionals, hiring more analysts won't bridge the gap between alert volume and investigation capacity.
SOC teams don't need more alerts or better prioritization. They need detection architecture that includes the context required for rapid triage, eliminating the investigation tax that makes current alert volumes impossible to handle.
Get in touch to run a 30-day risk-free assessment in your environment. DeepTempo will analyze your existing data to identify active threats. Catch threats that your existing NDRs and SIEMs might be missing!