Why Your SOC Is Drowning in EDR Alerts (And What Actually Helps)

There is a recognisable conversation that we have at least once a quarter with the CISOs of mid-to-large enterprises. It begins with a description of the SOC team — usually capable, often underfunded, always under-rested — and ends with some variation of: “We have so many alerts that we don’t trust them anymore.”

This is the modern paradox of endpoint detection and response. The technology category was built to solve a real problem — the lack of granular telemetry from endpoints that left organisations unable to detect attacks until well after impact. It solved that problem, comprehensively. And in solving it, it created a different one.

EDR generates alerts in volumes that exceed the cognitive capacity of any human team to investigate. Analysts triage on autopilot. The “noise” alerts get closed. The signal hidden in the noise gets closed with them. And the platform that was supposed to give defenders an edge becomes, at the operational level, a source of fatigue and quiet risk.

How we got here

The mechanics are straightforward. EDR platforms instrument endpoints at the kernel level, collecting process executions, network connections, file modifications, registry changes, and a long tail of other behavioural signals. They run detection logic — increasingly machine-learning-based — over this telemetry, and surface anomalies as alerts.

Every signal that could be malicious produces an alert. The platform’s vendor cannot afford to miss the genuine incident, so the detection thresholds err on the side of inclusion. The result, in a typical 5,000-endpoint environment, is somewhere between 3,000 and 15,000 raw EDR alerts per day. After deduplication and correlation, the volume reaching SOC analysts is typically 200 to 800 per day.

A two-person SOC tier-one team, working an eight-hour shift, has roughly nine seconds per alert if they investigate every one. They don’t investigate every one. Nobody does.

What gets investigated is the alert that looks important — high severity score, unusual host, recognisable indicator. What doesn’t get investigated is the alert that looks routine. Adversaries know this. Modern attack campaigns are designed to look routine.

What “fixing the SOC” actually means

The instinct, when alert volume exceeds capacity, is to add capacity. Hire more analysts. Outsource to a managed detection service. Deploy a SOAR platform to automate the triage. All of these have a place. None of them solve the underlying problem.

The underlying problem is that the alerts themselves are insufficiently informed. They tell the analyst what happened on a single endpoint. They do not tell the analyst whether the activity on that endpoint is part of a broader pattern, whether it is consistent with active threat actor TTPs, whether the destination IP is appearing in current campaigns, or whether the file hash has been flagged in intelligence the organisation already pays for.

Analysts re-derive this context manually, alert by alert, by pivoting between platforms — EDR to SIEM to threat intelligence to network logs and back. The pivot is where the cognitive load lives. Reducing alert volume by 20% does not help if every remaining alert still requires the same multi-platform investigation.

What helps is reducing the investigation effort per alert.

The shift toward operation-centric detection

The architectural shift we have been deploying for clients over the last 18 months is from alert-centric to operation-centric detection. Cybereason XDR, which we deploy in this space, frames the distinction explicitly: rather than presenting analysts with thousands of correlated-but-still-individual alerts, the platform aggregates related telemetry across endpoints, networks, identities, and cloud workloads into a single “operation” — a coherent narrative of an attempted attack that includes every artifact the platform observed.

The shift in analyst experience is significant. Where the alert-centric model surfaces 200 alerts requiring 200 investigations, the operation-centric model surfaces (in the same environment, on the same day) perhaps 8 to 15 operations. Each operation contains the equivalent of dozens of correlated alerts, but the analyst is no longer pivoting between them. The investigation surface has collapsed.

Importantly, this is not a triage compression — it is a detection logic shift. Alerts that would have been individually closed as “low severity” can become elements of a high-severity operation when correlated with other signals. The signal that was previously hidden in the noise is now the headline.
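The correlation step described above, as an added illustration rather than Cybereason's or any vendor's code: alerts that share a process tree, destination IP or file hash are joined into one operation, and the operation is scored on what its members show together. The alert fields, severities, linking attributes and escalation rule are all assumptions for this example.

```python
"""Operation-centric correlation of EDR alerts: an added illustration, not
Cybereason's or any vendor's code. All alert fields and samples are constructed."""
from collections import defaultdict

def alert(aid, host, tree, ip, sha, tech, sev):
    return dict(id=aid, host=host, pid_tree=tree, dst_ip=ip,
                sha256=sha, technique=tech, severity=sev)

# Constructed sample; triaged one by one, every alert is low or medium severity.
SAMPLE_ALERTS = [
    alert("a1", "ws-017", "t-100", None, "h-office", "T1566.001", 2),
    alert("a2", "ws-017", "t-100", "203.0.113.9", "h-script", "T1059.001", 2),
    alert("a3", "ws-042", "t-200", "203.0.113.9", "h-script", "T1059.001", 2),
    alert("a4", "ws-042", "t-200", None, "h-dumper", "T1003.001", 3),
    alert("a5", "ws-099", "t-300", None, "h-updater", "T1105", 1),
]
LINK_KEYS = ("pid_tree", "dst_ip", "sha256")  # attributes that join alerts

def correlate(alerts):
    """Union-find: alerts sharing a process tree, destination IP or hash
    fall into one operation. Returns one scored operation per group."""
    parent = {a["id"]: a["id"] for a in alerts}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    seen = {}  # (key, value) -> first alert id that carried it
    for a in alerts:
        for k in LINK_KEYS:
            if a[k] is None:
                continue
            if (k, a[k]) in seen:
                parent[find(a["id"])] = find(seen[(k, a[k])])
            else:
                seen[(k, a[k])] = a["id"]
    groups = defaultdict(list)
    for a in alerts:
        groups[find(a["id"])].append(a)
    return [score(g) for g in groups.values()]

def score(members):
    """Assumed rule: max member severity, +1 per extra technique, +1 if multi-host, cap 5."""
    techniques = {m["technique"] for m in members}
    hosts = {m["host"] for m in members}
    sev = max(m["severity"] for m in members) + len(techniques) - 1 + (len(hosts) > 1)
    return {"alerts": sorted(m["id"] for m in members), "hosts": sorted(hosts),
            "techniques": sorted(techniques), "severity": min(sev, 5)}
```

Run over the sample, four severity-2 and -3 alerts spanning two hosts collapse into a single severity-5 operation while the unrelated updater alert stays a severity-1 operation of its own.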

Where threat intelligence becomes a force multiplier

The other operational shift that materially reduces SOC fatigue is the integration of threat intelligence into the detection layer itself, rather than as a parallel reference resource analysts consult after the fact.

The mechanics: indicators of compromise from current campaigns — adversary infrastructure, file hashes, behavioural signatures — are pushed into the detection platform’s logic continuously. When an alert fires that matches active threat actor TTPs, it is presented to the analyst already enriched with attribution, campaign context, and confidence scoring. When an alert fires that does not match anything in current intelligence, that is itself a useful signal.

Silent Push, which we deploy for clients in financial services and critical infrastructure, sits at the intelligence-collection end of this pipeline — mapping adversary infrastructure before campaigns launch, so the indicators reaching the SOC’s detection logic are current rather than historical. Threater DNS operationalises this intelligence at the DNS and network layer, blocking traffic to known-malicious destinations before it reaches an endpoint that would have generated an EDR alert.

The compounding effect is what matters. Network-layer blocking removes alert generation. Operation-centric detection consolidates the alerts that remain. Intelligence enrichment reduces the investigation effort per remaining alert. The SOC analyst’s day-to-day cognitive load comes down measurably — not because alert volume dropped 90%, but because each remaining alert reaches them with the context that was previously absent.

Honest expectations

This is not a “fewer alerts” story. Mature deployments often run at similar alert volumes after this shift, but with substantially better signal density. The metric that improves most reliably is mean time to investigate — typically by 60% to 80% in the engagements where we have measured both before and after. That improvement is what frees up analyst capacity to actually pursue the harder investigations and threat hunting work.

The metrics that improve more slowly are the headline ones — mean time to detect, mean time to contain. These depend on the quality of the underlying detection logic and the speed of organisational response, neither of which a tooling change alone resolves. Realistic improvement programmes pair the technology shift with explicit attention to playbook quality, response delegation, and analyst training on the new investigation surface.

What to do this quarter

If your SOC is showing the signs of alert fatigue — analysts closing tickets without investigation, dwell time creeping up, internal threat hunters reluctantly absorbed into tier-one work — the productive question is not “how many more analysts do we need”. It is “how much of our current analyst time is spent re-deriving context that should be in the alert”.

Instrument it for a week. Sample 20 alerts. Measure the number of platforms an analyst touched and the duration spent on each. The result will tell you where the cognitive load lives — and where the actual leverage is.
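One way to turn that week of sampling into the numbers the question asks for, as an added example that is not from the original article: each investigation is recorded as the ordered list of platforms the analyst touched and the seconds spent in each, and the summary reports time per platform, pivots per alert, and the share of time spent outside the console the alert arrived in. The platform names and records below are constructed, not measurements from any engagement.

```python
"""Where does analyst time go? Summarises a sample of investigations by
platform. Added illustration for the sampling exercise above; the records
are constructed, not measurements from any engagement."""
from collections import defaultdict
from statistics import median

# Constructed sample: (alert_id, [(platform, seconds), ...]) in the order the
# analyst worked. "edr" is the console the alert arrived in; every other
# platform is a pivot made to rebuild context the alert did not carry.
SAMPLE = [
    ("a1", [("edr", 90), ("siem", 240), ("ti", 120), ("edr", 60)]),
    ("a2", [("edr", 45)]),
    ("a3", [("edr", 120), ("ti", 300), ("netflow", 180), ("siem", 150)]),
    ("a4", [("edr", 30), ("siem", 90)]),
]
HOME = "edr"

def summarise(sample, home=HOME):
    """Return per-platform time, pivot count and the share of time spent
    outside the home console (the context re-derivation cost)."""
    per_platform = defaultdict(int)
    pivots, durations = [], []
    for _, steps in sample:
        total, hops, prev = 0, 0, None
        for platform, secs in steps:
            per_platform[platform] += secs
            total += secs
            if prev is not None and platform != prev:
                hops += 1  # each platform switch is one pivot
            prev = platform
        pivots.append(hops)
        durations.append(total)
    grand = sum(durations)
    return {
        "alerts": len(sample),
        "median_investigation_s": median(durations),
        "mean_pivots_per_alert": sum(pivots) / len(pivots),
        "seconds_by_platform": dict(per_platform),
        "context_rederivation_share": round(1 - per_platform[home] / grand, 3),
    }
```

On the constructed sample roughly three quarters of investigation time is spent outside the EDR console, which is the figure to compare against the cost of adding analysts.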

Adding capacity to a fundamentally inefficient process is expensive. Re-architecting the process is, in the medium term, considerably less so.


Mellivor works with enterprise SOC teams on detection and response architecture, deploying Cybereason XDR, Gatewatcher NDR, Silent Push threat intelligence, and Lima Charlie SecOps capabilities. To assess your detection effectiveness, book a consultation.


Enterprise cybersecurity solutions across 22 technology partners and 12 security domains.

© 2026 Mellivor Cybersecurity Ltd. All rights reserved.

mellivorsecurity.com