4,000 alerts a day: why the math stopped working for human SOCs

By Securaa

May 10, 2026

I want to run some numbers with you. Not the vendor numbers, the ones that show up in slide decks with green arrows and percentage signs. The actual math. The kind you do on the back of a napkin when you’re trying to figure out why your team is drowning and your budget request keeps getting denied.

Start with what you have. A SOC with eight analysts. Three shifts to cover 24/7, which means at most three analysts on at any given time, more like two during nights and weekends. Each analyst works an eight-hour shift. Three on days and three on evenings is 24 analyst-hours per shift, two overnight is 16, so call it 64 analyst-hours in a 24-hour day on paper, before you subtract days off, PTO, sick days, meetings, bathroom breaks, and the mandatory compliance training your CISO scheduled for next Tuesday. In practice about six of the eight are on shift on any given day, so 48 usable analyst-hours is closer to the truth.

Now look at what’s coming in. The enterprise average, depending on whose report you read, is somewhere between 3,000 and 11,000 alerts per day. Forrester says 11,000. Vectra says about 3,000. D3 Security says 4,400. Let’s be conservative and use 4,000, which is probably low for anything over 5,000 employees.

4,000 alerts, and say the day shift, with three analysts, works through them. That’s 1,333 alerts per analyst per eight-hour shift, or about 167 per hour. One alert every 21 seconds.

Twenty-one seconds to open the alert, read the description, check the source IP, look up the asset, cross-reference with recent tickets, decide if it’s real, and either escalate or close. Twenty-one seconds.

You already know this is impossible. Everyone who works in a SOC knows this is impossible. And yet this is the staffing model most organizations run, and this is the alert volume most SIEMs produce, and somehow the expectation persists that humans will keep up.

They don’t keep up. They triage by gut. They start skipping the ones that look familiar. They close tickets without fully investigating because the queue is growing faster than they can work it. Tines surveyed SOC analysts and found that 71% experience burnout, and 64% are considering leaving their roles within a year. Average tenure is 18 to 24 months. Not because the work isn’t interesting, but because the volume is physically impossible and everyone pretends otherwise.

The false positive tax

It gets worse when you look at what’s actually in the queue.

Most industry estimates put the false positive rate somewhere between 50% and 90%, depending on the tools, the tuning, and how honest the person quoting the number is being. Let’s say 80%, which is consistent with what most SOC leaders I’ve talked to describe as roughly accurate for a mid-market environment running three or four security tools feeding into a SIEM.

80% of 4,000 is 3,200 alerts per day that are not real threats. Your team investigated them anyway, or at least clicked through them, because the platform presented them with the same urgency as the 800 that were actually worth looking at. Those 3,200 false positives consumed analyst time, filled up the ticket system, and trained your new hires to assume that most alerts are garbage, which is a true belief that produces terrible investigative habits.

Trend Micro found that 54% of SOC teams feel overwhelmed by alert volume and 55% lack confidence in their ability to prioritize. Security experts spend 27% of their time handling false positives. Not 27% of their time on security. 27% of their time on things that turn out to not be security problems at all.

The math on this is painful. If your average false positive takes 8 minutes to investigate and close (which is fast, most estimates are higher), 3,200 false positives per day consume 426 analyst-hours. You have about 48 analyst-hours of coverage in a day (six analysts across three shifts, with some overlap). You need 426 hours to investigate the noise. You have 48 hours of humans. You are short by a factor of almost nine.

This is not a staffing problem. You cannot hire nine times your current headcount. Nobody can. The global cybersecurity workforce gap is estimated at 3.5 million unfilled positions. The candidates don’t exist, and even if they did, no CFO on earth is approving a 9x headcount increase for the SOC.

What happens when you fall behind

Here’s the part that doesn’t show up in reports but every SOC manager knows.

When the queue is unworkable, analysts develop coping strategies. Not official ones. Not the ones in the playbook. The real ones.

They triage by title. If the alert name looks familiar and they’ve seen it resolve as benign before, they close it without opening it. This works until the day an attacker uses a technique that triggers the same signature as a known false positive, and it gets auto-closed by a burned-out analyst at 2 AM who’s 300 alerts behind and trying to get the number down before shift change.

They batch-close. Select all, mark as reviewed. The ticket system shows 100% coverage. The reality is that maybe 30% of those alerts got a human pair of eyes for more than five seconds.

They focus on the ones that are already escalated and ignore the raw queue entirely. Which means the alerts that are the hardest to triage, the ambiguous ones, the novel ones, the ones that don’t match any known pattern, are exactly the ones that get skipped. These are also, not coincidentally, the alerts most likely to be real.

Devo’s research found that 83% of security professionals admit burnout has led to errors that resulted in actual security breaches. Not hypothetical risk. Actual breaches. The math isn’t just inefficient. It’s actively producing the outcome it’s supposed to prevent.

Why hiring doesn’t fix it

The instinct when the SOC is overwhelmed is to ask for more headcount. More analysts, bigger team, another shift. And sometimes that’s the right move, especially if you’re running a three-person SOC trying to cover 24/7.

But the math breaks down again pretty fast.

Let’s say you double your team from eight to sixteen. Your cost just went up by roughly $800,000 to $1.2 million annually (depending on market, seniority, benefits). Your alert volume didn’t change. You still have 4,000 alerts a day. Now the day shift has six analysts instead of three, so each one sees about 667 alerts during their shift instead of 1,333. That’s one alert every 43 seconds instead of every 21 seconds.

43 seconds is better than 21 seconds. It’s still not enough time to investigate anything properly. And that 4,000 number? It’s going up. Your company added a cloud provider last quarter. The EDR team rolled out a new detection package. Someone connected the identity provider to the SIEM. The number of alert sources only grows. Within a year, your doubled headcount is in the same position the original team was in.

This is the treadmill. You hire to match volume. Volume grows to match the tools you’re adding. You need more tools because the threat surface is expanding. More tools mean more alerts. The denominator never catches the numerator.

Analysts aren’t slow. The queue is impossible. There’s a difference, and confusing the two is how organizations burn through their best people and blame it on the talent market.

Where the time actually goes

I asked a SOC lead to break down how his Tier-1 analysts actually spend a shift. Not the official description. The real one.

About 40% of the shift is alert triage. Open, look, check, close. Most of it is false positives. About 20% is investigating the handful of alerts that look like they might be real, which involves opening four or five different tools, manually correlating data, and trying to build a picture from fragments. About 15% is writing tickets, updating the case management system, and documenting what was found. About 10% is in meetings or on calls. The remaining 15% is split between waiting for tools to load, context-switching between dashboards, and the kind of mental recovery time that nobody accounts for but everybody needs after three hours of staring at a queue.

The part that jumped out at me: the 20% spent investigating potentially real threats. That’s where the actual security work happens. Everything else is overhead. Triage is sorting. Documentation is paperwork. Meetings are meetings. The thing the analyst was hired to do, the thing that requires a trained human with security expertise, gets about a fifth of the shift.

If you could eliminate the 40% spent on false positive triage and redirect even half of it to investigation, you’d roughly double your team’s effective security output without adding a single person. Not by making analysts faster. By removing the work that shouldn’t be on their desk in the first place.

The math that does work

I’m not going to pretend the answer is complicated. It’s not. The answer is that the triage step, the part where a human opens an alert, checks five tools, spends 8 to 20 minutes deciding if it’s real, and closes a ticket, needs to happen at machine speed for the 80% that are false positives and the 15% that are duplicates and the percentage that are fragments of a larger incident that should have been one case instead of twelve.

The human should see what’s left. Not 4,000 alerts. The 200 to 300 cases that survived automated triage and still need a judgment call.
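What that machine-speed step looks like in practice is three reductions applied in order: collapse exact duplicates, suppress known-benign patterns, and correlate what survives into cases. The block below is an added illustration, not Securaa’s code or any product’s logic, run over a constructed batch of eight alerts with hypothetical rule names, hosts and addresses. It also shows the trap from the previous section: a suppression keyed on the rule title alone throws away the external port scan that precedes a brute-force attempt, while one keyed on rule plus source context keeps it.

```python
"""
Added example (not the page's or any vendor's code): a minimal automated
triage pass over a constructed alert batch. Three reductions, in order:
dedup, context-aware suppression, correlation into cases.
All rule names, hosts and IPs are hypothetical.
"""
from datetime import datetime, timedelta

# Constructed sample alerts. 10.0.0.5 plays the authorized vulnerability
# scanner; 203.0.113.7 plays an external host doing recon, then brute force,
# then creating an admin account.
ALERTS = [
    {"id": 1, "ts": "2026-05-10T02:00:00", "rule": "PortScan", "src": "10.0.0.5", "asset": "web-01"},
    {"id": 2, "ts": "2026-05-10T02:00:10", "rule": "PortScan", "src": "10.0.0.5", "asset": "web-01"},  # duplicate
    {"id": 3, "ts": "2026-05-10T02:00:20", "rule": "PortScan", "src": "10.0.0.5", "asset": "web-02"},
    {"id": 4, "ts": "2026-05-10T02:05:00", "rule": "PortScan", "src": "203.0.113.7", "asset": "web-01"},
    {"id": 5, "ts": "2026-05-10T02:06:00", "rule": "BruteForceSSH", "src": "203.0.113.7", "asset": "web-01"},
    {"id": 6, "ts": "2026-05-10T02:07:30", "rule": "NewAdminUser", "src": "203.0.113.7", "asset": "web-01"},
    {"id": 7, "ts": "2026-05-10T09:00:00", "rule": "BruteForceSSH", "src": "10.0.0.5", "asset": "web-03"},
    {"id": 8, "ts": "2026-05-10T09:00:00", "rule": "BruteForceSSH", "src": "10.0.0.5", "asset": "web-03"},  # duplicate
]

# Suppressions are keyed on (rule, source), never on the rule title alone:
# the scanner's port scans are expected, anything else from it is not.
SUPPRESSIONS = {("PortScan", "10.0.0.5")}

DEDUP_WINDOW = timedelta(minutes=10)   # identical alerts inside this window collapse
CASE_WINDOW = timedelta(minutes=30)    # alerts from one source inside this window form a case


def parse(alert):
    return datetime.fromisoformat(alert["ts"])


def dedup(alerts):
    """Keep the first of any (rule, src, asset) triple seen within DEDUP_WINDOW."""
    kept, last_seen = [], {}
    for a in sorted(alerts, key=parse):
        key = (a["rule"], a["src"], a["asset"])
        t = parse(a)
        if key in last_seen and t - last_seen[key] <= DEDUP_WINDOW:
            continue
        last_seen[key] = t
        kept.append(a)
    return kept


def suppress(alerts, title_only=False):
    """Drop known-benign alerts.

    Default: match on (rule, src), so only the scanner's own port scans go.
    title_only=True reproduces the "triage by title" shortcut: any rule that
    has ever been benign is dropped regardless of source, including the
    external PortScan that is the first stage of the intrusion in ALERTS.
    """
    benign_titles = {rule for rule, _ in SUPPRESSIONS}
    if title_only:
        return [a for a in alerts if a["rule"] not in benign_titles]
    return [a for a in alerts if (a["rule"], a["src"]) not in SUPPRESSIONS]


def correlate(alerts):
    """Group alerts sharing a source IP within CASE_WINDOW into one case."""
    cases, open_by_src = [], {}
    for a in sorted(alerts, key=parse):
        t = parse(a)
        case = open_by_src.get(a["src"])
        if case and t - case["last"] <= CASE_WINDOW:
            case["alerts"].append(a)
            case["last"] = t
        else:
            case = {"src": a["src"], "alerts": [a], "last": t}
            cases.append(case)
            open_by_src[a["src"]] = case
    return cases


def triage(alerts, title_only=False):
    """Run the three reductions and report how much survives each stage."""
    deduped = dedup(alerts)
    surviving = suppress(deduped, title_only=title_only)
    cases = correlate(surviving)
    return {
        "raw": len(alerts),
        "after_dedup": len(deduped),
        "after_suppression": len(surviving),
        "cases": len(cases),
        "case_rules": [sorted({x["rule"] for x in c["alerts"]}) for c in cases],
    }


if __name__ == "__main__":
    print("context-aware:", triage(ALERTS))
    print("title-only:   ", triage(ALERTS, title_only=True))
```

Eight alerts become two cases for a human: one with the full recon, brute force, new-admin chain from 203.0.113.7, and one for the scanner host doing something it has no business doing. With title-only suppression the first case still exists but has lost its reconnaissance stage, which is exactly the signal an analyst needs to see that the brute force was targeted rather than background noise.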

An MSSP reported going from 144,000 monthly alerts to about 200 a month requiring human attention after deploying automated triage. That’s not a typo. 144,000 to 200. The analysts on that team didn’t lose their jobs.

They stopped triaging and started investigating, hunting, and tuning. The work got more interesting, not less, because they were finally spending their time on the 20% that matters instead of the 80% that doesn’t.

The napkin math works in the other direction too. Back in the eight-analyst shop, 200 cases a day across three analysts on a shift is about 67 per analyst. That’s one case every 7 minutes. Seven minutes is enough time to review an AI-generated investigation, verify the reasoning, check the verdict, and either approve the containment action or escalate for deeper analysis. That’s a workload a human can sustain for eight hours without burning out, without batch-closing, and without developing the habit of assuming everything is a false positive.

That’s the difference. Not between a good SOC and a bad SOC. Between a SOC where the math works and one where it doesn’t.

The conversation nobody wants to have

Here’s what I think is really going on.

Everyone in this industry knows the alert volume math is broken. The vendors know it, the analysts know it, the SOC managers know it, the CISOs know it. But the organizational conversation keeps happening in the wrong order.

The CISO asks for more headcount. The CFO asks for justification. The CISO says “we have 4,000 alerts a day and we can’t keep up.” The CFO says “you told me that last year and I gave you two more people.” The CISO says “the alert volume grew.” The CFO says “so it’ll grow again next year.” The CISO says “yes.” The CFO says “so what are we actually solving?”

The CFO is right. Hiring doesn’t solve a math problem where the numerator grows faster than the denominator. The answer is to change the equation. Not more people processing the same queue. A different queue. One where the machine handles the volume and the human handles the judgment.

The analysts who’ve made this transition describe it the same way almost every time. The job got harder. The queue is smaller but the cases are real, which means every one of them requires actual thought. There’s no more batch-closing, no more triage by title, no more coasting through the easy half of the shift. The boring part is gone. What’s left is the work they got into security to do in the first place.

The 4,000 alerts aren’t going away. The number of humans who can process them isn’t going up. The math has been broken for years and everyone in a SOC already knows it. The only question is whether your organization fixes the equation or keeps running the same arithmetic and expecting a different result.
