AITech Interview with Mark Wojtasiak, VP of Product Research and Strategy at Vectra AI

Why modern SOCs struggle with signal clarity, identity abuse, and alert overload and what must change to improve response speed and resilience.

Mark, as the VP of Product Research and Strategy at Vectra AI, what initially drew you to focus on the challenges facing Security Operations Centers, and how has that perspective shaped recent research?
We’ve always been fascinated by the disconnect between the volume of alerts SOCs receive and the very small fraction that actually matter. Early on, it became clear that alert fatigue wasn’t just an annoyance—it was a systemic risk. That realization drove our research focus: to quantify the scope of the problem and uncover how AI could separate noise from true attack signals. Over time, our work has evolved from simply measuring alert volume to analyzing detection fidelity, identity-driven threats, and the operational strain on analysts. What shaped our perspective was seeing firsthand how much talent and time gets wasted chasing meaningless alerts. Our research is designed to elevate the discussion from “do we have enough tools?” to “do we have the right signal?” because in today’s world of modern, multi-domain attacks, the SOC’s ability to focus on the right alerts—quickly—is the difference between business as usual and business disruption.

Your latest analysis involved millions of alerts across varied environments. What stood out most to you when reviewing the scale and depth of that data?
The sheer imbalance between detection and true threat stood out. Across more than a million behavioral signals we analyzed, fewer than 300 proved to be malicious. That’s 99.98% filtered out as noise before analysts even saw them.

Another eye-opening insight was how consistently identity misuse surfaced as the highest-risk contributor to escalated threats. In short, it wasn't just the scale of the data; it was the clarity that emerged when correlating a handful of high-fidelity network and identity alerts that was truly eye-opening.

The report shows that less than 0.1% of detections turn out to be genuine threats after triage and analysis. What does that statistic tell us about the current state of SOC workflows?
It shows SOCs are stuck in workflows optimized for quantity, not quality. Teams receive thousands of alerts per day, but only a sliver are real. Yet analysts still spend hours triaging false positives, which drains talent and delays response. The statistic underscores that most current tools create an “attack signal problem” rather than solving it.

The right path forward is entity-centric workflows—shifting from event-by-event triage to focusing on the few hosts and accounts that truly matter. That’s where AI can elevate SOC efficiency by 40% or more.

Identity-based attacks have emerged as a dominant trend. Why do you think these types of threats remain overlooked despite their growing impact?
Because they don’t look like “attacks” in the traditional sense. When an attacker logs in with valid credentials, they appear legitimate to most tools, so SOCs miss the bigger picture of privilege abuse and lateral movement. The result: defenders are blind to the very tactic attackers prefer—logging in instead of hacking in.

Our data shows nearly half of confirmed malicious cases are tied back to identity abuse. Until detection platforms fuse identity with network and cloud signals, this blind spot will remain.

How can security teams refine their approach to filtering out noise while ensuring they don’t miss those rare but high-risk alerts?
It starts with AI-driven triage, stitching, and prioritization. Instead of reviewing every alert, teams should lean on automation to filter out up to 99% of noise. The key is context: correlating signals across hosts and/or accounts to highlight entities under true attack. That ensures the SOC sees the handful of critical alerts with confidence, not the thousands of potential threat events often deemed to be false positives.

What role do custom detections play in strengthening defenses, and why do they often reveal critical threats that standardized tools may overlook?
Behavior-based custom detections are the “secret sauce” for catching what generic models and signatures miss. They account for only about 5% of total detections, but they consistently surface high-priority threats unique to an organization’s environment.

Every enterprise has its own risks—whether that’s a sensitive dataset, a proprietary workflow, or an unusual system. Custom detections allow SOCs to tune for those realities. Think of them as extending the platform’s coverage to the things only you care about.

In terms of operational efficiency, how should SOC teams balance automation with human expertise to achieve both speed and accuracy in response?
The sweet spot is using automation to handle what machines do best—volume reduction, correlation, and prioritization—so analysts can focus on what humans do best: applying judgment, intuition, and creativity in investigations.

Over-automation risks losing context, while over-reliance on humans risks burnout and missed threats. SOCs that combine AI-driven triage, correlation and prioritization with human-led investigation and response see both speed and accuracy improve. It’s about turning analysts into decision-makers, not button-pushers.

From your perspective, what are the most common mistakes organizations make when it comes to prioritizing alerts, and how can they correct course?
The biggest mistake is treating all alerts equally. That creates false urgency and paralyzes teams. Another misstep is relying too heavily on static rules or on the ability to detect a potential threat event, often part of compliance box-checking evaluation criteria, which only floods the SOC without adding value.

The corrective path is entity-based prioritization: focus on the risk to specific hosts and accounts, factoring in privilege, velocity, and attack stage. That lens immediately elevates what matters most.
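
The entity-based prioritization described in the two answers above (correlating signals across hosts and accounts, then weighing privilege, velocity and attack stage) can be made concrete with a small scoring script. This is an added example, not Vectra AI's code and not an account of how its platform scores; the stage taxonomy, the weights, the 60-minute velocity window and the sample alerts are all assumptions constructed for illustration. It groups a mixed batch of identity and network alerts by the entity they concern and ranks entities, so that one account progressing through several stages in minutes outranks a scanner host that produced fifty identical low-stage alerts.

```python
"""Entity-centric alert prioritization (added illustration, not Vectra AI's code).

Alerts are grouped by host or account and each entity is scored on:
  - privilege   : weight of the most privileged role seen for the entity
  - progression : deepest attack stage reached
  - velocity    : most distinct stages observed inside any 60-minute window
  - cross-domain: bonus when identity and network signals both implicate it
All taxonomies, weights and sample data below are assumptions for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed kill-chain ordering; a real platform would use its own taxonomy.
STAGE_RANK = {"recon": 1, "initial_access": 2, "privilege_escalation": 3,
              "lateral_movement": 4, "exfiltration": 5}

# Assumed privilege weights for the entity (host or account).
PRIVILEGE_WEIGHT = {"standard": 1.0, "service": 1.5, "admin": 2.5}


def _alert(entity, domain, stage, privilege, ts):
    """Build one alert record; `domain` is where the signal came from."""
    return {"entity": entity, "domain": domain, "stage": stage,
            "privilege": privilege, "ts": datetime.fromisoformat(ts)}


# Constructed sample alerts: 63 alerts across 5 entities.
SAMPLE_ALERTS = (
    # 50 port-scan detections from one host: high volume, one low stage.
    [_alert("host:scan-01", "network", "recon", "standard",
            f"2024-05-01T09:{m:02d}:00") for m in range(50)]
    # A standard user with two odd-location logins, days apart.
    + [_alert("acct:jdoe", "identity", "initial_access", "standard", "2024-05-01T08:10:00"),
       _alert("acct:jdoe", "identity", "initial_access", "standard", "2024-05-03T22:45:00")]
    # A CI host that fans out to many machines all day: one stage, repeated.
    + [_alert("host:build-07", "network", "lateral_movement", "standard",
              f"2024-05-01T{h:02d}:00:00") for h in (2, 6, 10, 14, 18)]
    # An admin with two flagged logins half an hour apart.
    + [_alert("acct:admin-ops", "identity", "initial_access", "admin", "2024-05-01T08:00:00"),
       _alert("acct:admin-ops", "identity", "initial_access", "admin", "2024-05-01T08:30:00")]
    # A service account: new-device login, role grant, lateral movement and
    # exfiltration within 40 minutes, seen across identity and network signals.
    + [_alert("acct:svc-backup", "identity", "initial_access", "service", "2024-05-02T10:00:00"),
       _alert("acct:svc-backup", "identity", "privilege_escalation", "service", "2024-05-02T10:05:00"),
       _alert("acct:svc-backup", "network", "lateral_movement", "service", "2024-05-02T10:20:00"),
       _alert("acct:svc-backup", "network", "exfiltration", "service", "2024-05-02T10:40:00")]
)


def velocity(alerts, window):
    """Most distinct attack stages seen for one entity inside any `window`."""
    ordered = sorted(alerts, key=lambda a: a["ts"])
    best = 0
    for i, start in enumerate(ordered):
        stages = {a["stage"] for a in ordered[i:] if a["ts"] - start["ts"] <= window}
        best = max(best, len(stages))
    return best


def score_entity(alerts, window=timedelta(minutes=60)):
    """Score one entity's alerts; returns (score, detail dict)."""
    progression = max(STAGE_RANK[a["stage"]] for a in alerts)
    privilege = max(PRIVILEGE_WEIGHT[a["privilege"]] for a in alerts)
    domains = {a["domain"] for a in alerts}
    cross_domain = 1.5 if len(domains) > 1 else 1.0   # identity + network
    v = velocity(alerts, window)
    score = privilege * progression * (1 + 0.5 * (v - 1)) * cross_domain
    detail = {"alerts": len(alerts), "progression": progression,
              "velocity": v, "domains": sorted(domains)}
    return score, detail


def score_entities(alerts, window=timedelta(minutes=60)):
    """Group alerts by entity and return [(entity, score, detail)] ranked high to low."""
    by_entity = defaultdict(list)
    for a in alerts:
        by_entity[a["entity"]].append(a)
    ranked = [(e, *score_entity(group, window)) for e, group in by_entity.items()]
    ranked.sort(key=lambda r: r[1], reverse=True)
    return ranked


def prioritize(alerts, threshold=10.0):
    """Entities whose score crosses the (assumed) analyst-attention threshold."""
    return [e for e, s, _ in score_entities(alerts) if s >= threshold]


if __name__ == "__main__":
    for entity, score, detail in score_entities(SAMPLE_ALERTS):
        print(f"{entity:18} score={score:6.2f} {detail}")
    print("needs an analyst now:", prioritize(SAMPLE_ALERTS))
```

Run as is, the scanner host with fifty alerts lands at the bottom of the ranking while the service account's four alerts, spanning both identity and network domains and four stages in forty minutes, is the only entity over the threshold. Velocity counts distinct stages rather than raw alerts so that repetition of one behaviour never inflates an entity's score; the admin account still ranks above the CI host purely because of privilege, which is the point of weighting by it.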

How does bringing clarity into detection and prioritization ultimately reduce organizational risk and improve resilience against advanced attacks?
Clarity is what turns detection into post-compromise attack resilience. When SOCs can trust their signals, they respond to attacks faster and with greater precision. Our data shows customers gain 40% in efficiency and cut investigation times by 50% when noise is removed.

That speed directly reduces mean time to respond (MTTR), shrinking the attacker’s window of opportunity. In other words: clarity doesn’t just make SOCs more efficient, it makes organizations more resilient by catching attacks early in their progression before they escalate into full-blown incidents.

Looking ahead, how do you expect the evolution of AI-driven detection and analysis to reshape the way SOC teams operate over the next few years?
We’re moving toward an era of AI agents and analysts. Today, AI handles triage, stitching, and prioritization. Next, it will generate narrative reports, visualize attack paths, and operate as tier 1 analysts in the SOC.

Over the next three years, we’ll see AI move from assistive to autonomous with guardrails—filtering noise, confirming attacks, and even taking first-response actions. That doesn’t replace humans; it empowers them. The SOC of the future will be leaner, faster, and more confident because AI manages the alerts and humans manage taking action.

A quote or advice from the author: Our research makes one thing clear: SOCs don’t have an alert volume problem, they have an attack signal problem. With major breaches consistently growing year over year, security leaders must demand and evaluate detection and response people, process and technology based on their ability to efficiently and effectively cut through noise, elevate the real threats, and empower SOC teams to act fast. Building modern attack resilience isn’t about detecting more potential threats—it’s about getting the most accurate attack signal.

Mark Wojtasiak

VP of Product Research and Strategy at Vectra AI

Mark, also known as Woj, is the Vice President of Product Research and Strategy at Vectra AI. Passionate about cybersecurity and dedicated to simplifying the complex, Woj consistently advocates for cyber defenders in his approach to product development, marketing, and leadership.
