Managed SIEM · Deep dive 02

Tuning out the noise: alerting a small team can live with

Nearly half of SOC alerts are false positives and most analysts are burnt out. Detection engineering is how you fix the signal, not the staffing.

Draft outline · Operations / human factors lens
The anchor

The SANS 2025 SOC Survey named false positives the number-one detection challenge (73% of teams), and industry State-of-the-SOC data put false positives at close to half of all alerts and analyst burnout above 70%. For a small agency team the problem is not too few alerts, it is too many bad ones.

Sources we build on
Primary
SANS 2025 SOC Survey

Neutral industry survey quantifying the false-positive and alert-volume problem across real SOCs.

Academic
ACM Computing Surveys: alert fatigue in SOCs

Peer-reviewed academic survey of alert fatigue causes and mitigations, entirely vendor-free.

Article outline
  1. The scale of the noise. What the 2025 numbers actually say about false positives and burnout.
  2. Detection engineering as a discipline. Rules as code, versioned, tuned against outcomes.
  3. ISM-relevant events first. Prioritising what an assessor and an incident actually care about.
  4. The tuning loop. Every triaged false positive produces a versioned rule change, and the next run measures whether it worked; the loop closes.
  5. Measuring signal quality. The metrics we hold ourselves to.
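Outline items 2, 4 and 5 describe one procedure: a detection kept as versioned code, a tuning pass driven by triage outcomes, and a precision/recall check that tells you whether the change helped. The block below is an added example written for this draft, not code from the original page or from any SIEM product. The process-creation events, the rule name and the (user, parent process) exclusion key are assumptions for illustration; the "truth" field stands in for the analyst's verdict after triage, which is what an outcome-driven loop feeds back.

```python
"""Added example: a detection rule as versioned code, one pass of a
false-positive-driven tuning loop, and the signal-quality metrics that
close the loop. Event shape and rule name are illustrative assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

Event = Dict[str, str]
Predicate = Callable[[Event], bool]


@dataclass(frozen=True)
class Rule:
    """A detection rule as code: a match predicate plus versioned exclusions."""
    rule_id: str
    version: int
    match: Predicate
    exclusions: Tuple[Predicate, ...] = ()

    def fires(self, ev: Event) -> bool:
        return self.match(ev) and not any(ex(ev) for ex in self.exclusions)

    def with_exclusion(self, ex: Predicate) -> "Rule":
        """Every tuning change is a new version, never an in-place edit."""
        return Rule(self.rule_id, self.version + 1, self.match, self.exclusions + (ex,))


# Constructed process-creation events (not real telemetry). A backup agent on
# srv-bk launches encoded PowerShell on a schedule and keeps tripping the rule.
EVENTS: List[Event] = [
    {"host": "ws-01", "user": "jdoe", "image": "powershell.exe", "parent": "outlook.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc SQBFAFgA", "truth": "tp"},
    {"host": "srv-bk", "user": "svc_backup", "image": "powershell.exe", "parent": "backup-agent.exe",
     "cmdline": "powershell.exe -enc UwB0AGEAcgB0", "truth": "fp"},
    {"host": "srv-bk", "user": "svc_backup", "image": "powershell.exe", "parent": "backup-agent.exe",
     "cmdline": "powershell.exe -enc UwB0AGEAcgB0", "truth": "fp"},
    {"host": "srv-bk", "user": "svc_backup", "image": "powershell.exe", "parent": "backup-agent.exe",
     "cmdline": "powershell.exe -enc UwB0AGEAcgB0", "truth": "fp"},
    {"host": "ws-07", "user": "asmith", "image": "powershell.exe", "parent": "winword.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA", "truth": "tp"},
    {"host": "ws-07", "user": "asmith", "image": "powershell.exe", "parent": "explorer.exe",
     "cmdline": "powershell.exe Get-Process", "truth": "benign"},
    # Same service account, but spawned from a mail client: must still alert.
    {"host": "ws-12", "user": "svc_backup", "image": "powershell.exe", "parent": "outlook.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA", "truth": "tp"},
]


def encoded_powershell_v1() -> Rule:
    """Hypothetical rule: PowerShell launched with an encoded command."""
    return Rule(
        rule_id="ps_encoded_command",
        version=1,
        match=lambda e: e["image"].lower() == "powershell.exe" and " -enc" in e["cmdline"].lower(),
    )


def signal_quality(rule: Rule, events: List[Event]) -> Dict[str, float]:
    """Metrics per rule version: alert volume, precision and recall against triage verdicts."""
    fired = [e for e in events if rule.fires(e)]
    tp = sum(e["truth"] == "tp" for e in fired)
    fp = sum(e["truth"] == "fp" for e in fired)
    known_tp = sum(e["truth"] == "tp" for e in events)
    return {
        "version": rule.version,
        "alerts": len(fired),
        "true_positives": tp,
        "false_positives": fp,
        "precision": tp / len(fired) if fired else 0.0,
        "recall": tp / known_tp if known_tp else 0.0,
    }


def tune_from_outcomes(rule: Rule, events: List[Event], min_repeats: int = 2) -> Rule:
    """One pass of the tuning loop: a repeated false-positive pattern becomes an
    exclusion only if that same pattern never produced a true positive, so the
    change can never silently cost recall."""
    verdicts: Dict[Tuple[str, str], List[str]] = defaultdict(list)
    for e in events:
        if rule.fires(e):
            verdicts[(e["user"], e["parent"])].append(e["truth"])
    tuned = rule
    for key, outcomes in verdicts.items():
        if outcomes.count("fp") >= min_repeats and "tp" not in outcomes:
            tuned = tuned.with_exclusion(lambda e, k=key: (e["user"], e["parent"]) == k)
    return tuned


if __name__ == "__main__":
    v1 = encoded_powershell_v1()
    v2 = tune_from_outcomes(v1, EVENTS)
    for metrics in (signal_quality(v1, EVENTS), signal_quality(v2, EVENTS)):
        print(metrics)
```

Run as written, v1 raises six alerts at 50% precision; the tuning pass adds one exclusion for the backup agent's (user, parent) pair and v2 raises three alerts at 100% precision with recall unchanged, while the encoded command from the same service account under outlook.exe still fires. Keying an exclusion on a user and parent image name is the simplest thing that works for the example; in production you would key on something harder for an attacker to imitate, such as the signed parent binary path or the script hash, and keep each version in source control so the change and the metric that justified it are reviewable together.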
How it aligns to what we do

An operations and human-factors piece, not a threat piece. It reframes managed SIEM as signal quality rather than dashboards, which is exactly what a small, time-poor team needs. It also sets up the triage dive.

Points to hit
Control it supports
ISM / E8 Supports ISM event-logging, monitoring and incident-detection guidelines by making detections maintainable and outcome-driven.