SOC Metrics

The Real Cost of False Positives in Your SOC

False positives are a signal-to-noise economics problem. See the analyst-hour math, the detection engineering levers, and where agents change the unit cost.
Published on
July 16, 2026
Go Back

Anyone who has spent time in a SOC knows where the hours go. 

The breaches themselves are rare. What fills the day is the stream of alerts that turn out to be nothing, and proving they're nothing is real work, because an analyst still has to pull the context, look at what the user was doing, and rule it out before moving on. When the queue runs to hundreds of alerts a day, that work quietly becomes the bulk of what the team does.

Most teams have already tried the obvious answers. Tightening detection rules cuts the noise, but it cuts real detections with it, and nobody wants to be the person who tuned out the alert that mattered. Suppressing the loudest sources has the same tradeoff. Hiring helps for a while, until alert volume grows past whatever headcount the budget allowed. None of it sticks, because the real issue sits underneath the rules and the staffing. Detections fire without enough context to judge them, and the missing context is usually data the SIEM was too expensive to keep. The same login alert is routine or hostile depending on logs that never made it into the platform.

Strike48 was built around that missing context.

Our agents triage every alert against the complete log record, dismiss the benign ones with the evidence attached so nobody has to take it on faith, and escalate the ones that hold up. The day-to-day difference is that a team stops grinding through hundreds of individual alerts and starts working a short list of investigations that actually deserve attention. This article gets into how that works in practice and what it changes about the job.

Unit-cost model

Want the model run against your own alert volumes?

Strike48 agents compress alert triage from roughly 70 minutes to single-digit minutes. Request a demo and run the math with your own data.

Key Takeaways

  • Every alert costs roughly $70 to $93 in analyst time to investigate, real threat or noise.
    At a 45% false positive rate, a five-analyst team burns around $360K a year confirming nothing was wrong.
  • Detection engineering sets the marginal cost upstream.
    Environment-tuned rules, documented suppressions, and detection-as-code review cycles keep FP rates below 30%.
  • The bigger number is the opportunity cost.
    In healthcare, where the average breach runs $7.42 million, alerts that age out while the queue stays full are the most expensive line in the model.
  • Tuning improves what enters the queue.
    Agentic triage changes what each alert costs to investigate, dropping the denominator from about 70 minutes to single-digit minutes.

What Does a False Positive Actually Cost Your SOC?

The marginal cost of one alert is mostly time. 

Industry analysis puts mean time to investigate a single alert at roughly 70 minutes when context is assembled by hand. At a fully loaded Tier 1 cost of $60 to $80 an hour, each alert runs $70 to $93 before the queue advances. Substitute your real figures. The model holds either way.

  • Total noise cost is the line that matters. Multiply alerts investigated by cost per alert, then apply your false positive rate. At the SANS median of 45%, nearly half of every investigation hour produces nothing but a closed ticket. The worked table in the next section turns that into an annual figure.

  • The number that moves the budget conversation comes later. The harder figure is the value of alerts that aged out because the queue never cleared. The opportunity cost section handles that math. The unit-cost model sets the baseline: noise is a budget allocation with an exact dollar sign.

How to Calculate Your SOC’s Cost of Noise

Four inputs run the whole model.

  • Daily alert volume per analyst
  • Confirmed false positive rate (your own data, or the SANS median of 45% as a starting point)
  • Average minutes per investigation
  • Fully loaded analyst-hour cost

Most SOC managers can reconstruct the first three in an afternoon. The table below runs the model at 70 minutes per investigation and $80 per analyst-hour, capped at what an eight-hour shift can actually work. Substitute your own figures.

Team Size Alerts Investigated/Day FP Rate Daily Hours Lost to FPs Annual Cost of Noise
2 analysts ~14 45% ~7 hrs ~$145K
5 analysts ~34 45% ~18 hrs ~$360K
10 analysts ~68 45% ~36 hrs ~$720K

These numbers are a floor. They exclude the opportunity cost of uninvestigated real threats, the recruiting cost of burnout-driven attrition, and the downstream cost of incidents missed entirely. Those stack on top.

Detection Engineering Sets the Marginal Cost

Detection engineering decides what enters the queue and how often it lies. Four levers do most of the work.

Lever What It Does Working Standard
Environment-tuned rules Rules anchored to environment-specific baselines, such as known imaging and lab subnets, EHR service accounts, and documented after-hours clinical workflows, fire far less on normal activity than generic SIEM content packs applied unchanged. Write to what your environment does. A nurse pulling charts at 2 a.m. is a shift pattern, not an anomaly, if your baselines say so.
Documented suppression Every silenced rule carries a timestamp, an approver, and the specific condition suppressed. Undocumented suppression is invisible debt no one remembers six months on. NIST SP 800-61r3 treats detection decisions as documented IR practice. Hold suppressions to the same standard.
Detection-as-code review cycles Rules are version-controlled, peer-reviewed, tested against a known-FP dataset before deployment, and retired on schedule. Review rules with no true positive in 90 days. Rewrite rules above 80% FP on trailing 30-day data.
FP rate as a tracked KPI FIRST’s metrics framework defines false positive rate as a first-class CSIRT metric, tracked per detection rule. If FP rate is not in the weekly SOC report next to MTTD, it is being tolerated, not managed.
The denominator problem

Tuned everything and the queue still will not clear?

That is the denominator talking, not the rules. See what Strike48 agents do to investigation time in an environment like yours.

What Aged Out While the Queue Was Full

The queue is a finite resource.
When false positives eat 45% of investigation capacity, the team is not investigating 45% of real alerts. Some are low-severity, and aging them out is acceptable risk. Anomalous PHI access at 3 a.m. is not. ISACA’s 2024 research found nearly two-thirds of cybersecurity professionals report growing job stress, with alert fatigue a primary driver. Fatigue produces prioritization errors, which compound the noise.

In healthcare, the benchmark for this line item is the worst in any industry.
IBM’s 2025 Cost of a Data Breach report puts the average healthcare breach at $7.42 million, the highest of any sector for the 14th consecutive year, with 279 days to identify and contain. Multiply that by the probability that a missed alert was the difference between containment and a full breach. Even conservative assumptions produce a number that dwarfs the cost of noise. Detection engineering reduces the cost per alert. Opportunity cost quantifies what happens when the queue still overflows after tuning. Both belong in the same briefing.

Where Agentic Triage Changes the Denominator

Everything in the model is downstream of one number: minutes per investigation. At 70 minutes per alert, the queue has a hard capacity ceiling. Detection engineering raises the quality of what enters the queue. It does not raise the ceiling. Raising the ceiling means changing what does the investigating.

  • Strike48 agents drop that number to single-digit minutes.
    Narrowly scoped Tier 1 agents triage every alert against complete log data, including the sources healthcare SOCs most often leave unmonitored, like EHR audit logs and medical device telemetry, with auto-generated parsers reading semi-structured logs directly when no parser exists yet. The full guide to agentic log management covers what complete data requires architecturally. The short version is that agents reasoning over partial data produce faster wrong answers, not better ones.

  • Agents and detection engineering are not in competition.
    Key actions, including endpoint isolation, account lockout, and Tier 2 escalation, require analyst approval, and every agent action lands on a verifiable audit trail. For a HIPAA-regulated SOC that is not overhead. It is the documentation the Security Rule’s audit controls already expect from monitoring activity. Detection engineers keep the work that decides what should fire. Agents handle investigation volume. The AI-enabled incident triage guide goes deeper on where that handoff belongs.

What a Reduced Unit Cost Means for Capacity Planning

Metric At ~70 Minutes per Alert At Single-Digit Minutes
Alerts a five-analyst team investigates daily ~34 Every alert in the queue
Suppression decisions Economic necessity Tuning choice
FP rate Workaround budget Tracked KPI per rule
Critical alerts aging out Daily occurrence Shrinking line item
  • A five-analyst team running the Strike48 Pre-Built SOC Package across Tier 1 investigates every alert, not a budget-constrained fraction. The security operations solutions page shows what that looks like deployed.
  • MTTD drops because investigations no longer wait on analyst availability to start. The guide on how to reduce MTTR covers the downstream effects on response time.

Run the Unit-Cost Math on Your Own Environment

The teams that compressed mean time to detection from over an hour to single-digit minutes did not suppress their way there. They changed the cost structure that made the queue unmanageable. The math here is replicable: four inputs, one worked table, one line item for whoever owns your security budget, whether that is a CISO or an IT director. Strike48’s search-in-place data foundation queries logs where they live across S3, Splunk, and Elastic, with no rip-and-replace migration, so the architecture is ready once the model is built.

If your alert volumes and analyst-hour costs produce a noise figure that belongs in your next budget cycle, request a demo and run the math against your own data.

Frequently Asked Questions About False Positive Reduction in the SOC

What is a realistic false positive rate for a SOC?

SANS survey data places the median in the 40 to 50% range. Mature detection-as-code programs with environment-specific tuning run below 30%. Anything above 60% means rule maintenance has fallen behind environment changes.

How does false positive rate connect to analyst burnout?

Alert fatigue is a primary driver of SOC analyst attrition. SANS research identifies working a queue that never produces meaningful results as a significant burnout accelerant. High FP rates add recruiting and onboarding cost on top of the direct noise cost.

What does FIRST recommend for tracking false positive rate?

FIRST’s CSIRT metrics framework includes false positive rate as a first-class KPI alongside MTTD, MTTR, and alert-to-incident ratio, tracked per detection rule so engineers can see which rules account for most of the noise.

Can agentic triage make the false positive problem worse?

Only if agents reason over incomplete data. Agents triaging against partial log coverage produce confident wrong answers faster than a human produces uncertain ones. Strike48 agents fire against complete log data, each scoped to a specific investigation task and governed by a GraphRAG knowledge graph that constrains what it reasons over. Narrow scope plus complete data produces determinations that reflect the actual environment.