Nearly half of SOC alerts are false positives and most analysts are burnt out. Detection engineering is how you fix the signal, not the staffing.
Draft outline · Operations / human factors lens

The SANS 2025 SOC survey named false positives the number-one detection challenge (73% of teams), and industry State-of-the-SOC data put false positives near half of all alerts, with analyst burnout above 70%. For a small agency team the problem is not too few alerts, it is too many bad ones.
Neutral industry survey quantifying the false-positive and alert-volume problem across real SOCs.
Peer-reviewed academic survey of alert fatigue causes and mitigations, entirely vendor-free.
An operations and human-factors piece, not a threat piece. It reframes managed SIEM as signal quality rather than dashboards, which is exactly what a small, time-poor team needs. It also sets up the triage dive.