
Anyone who has spent time in a SOC knows where the hours go.
The breaches themselves are rare. What fills the day is the stream of alerts that turn out to be nothing, and proving they're nothing is real work, because an analyst still has to pull the context, look at what the user was doing, and rule it out before moving on. When the queue runs to hundreds of alerts a day, that work quietly becomes the bulk of what the team does.
Most teams have already tried the obvious answers. Tightening detection rules cuts the noise, but it cuts real detections with it, and nobody wants to be the person who tuned out the alert that mattered. Suppressing the loudest sources has the same tradeoff. Hiring helps for a while, until alert volume grows past whatever headcount the budget allowed. None of it sticks, because the real issue sits underneath the rules and the staffing. Detections fire without enough context to judge them, and the missing context is usually data the SIEM was too expensive to keep. The same login alert is routine or hostile depending on logs that never made it into the platform.
Strike48 was built around that missing context.
Our agents triage every alert against the complete log record, dismiss the benign ones with the evidence attached so nobody has to take it on faith, and escalate the ones that hold up. The day-to-day difference is that a team stops grinding through hundreds of individual alerts and starts working a short list of investigations that actually deserve attention. This article gets into how that works in practice and what it changes about the job.
The marginal cost of one alert is mostly time.
Industry analysis puts mean time to investigate a single alert at roughly 70 minutes when context is assembled by hand. At a fully loaded Tier 1 cost of $60 to $80 an hour, each alert runs $70 to $93 before the queue advances. Substitute your real figures. The model holds either way.
Four inputs run the whole model.
Most SOC managers can reconstruct the first three in an afternoon. The table below runs the model at 70 minutes per investigation and $80 per analyst-hour, capped at what an eight-hour shift can actually work. Substitute your own figures.
These numbers are a floor. They exclude the opportunity cost of uninvestigated real threats, the recruiting cost of burnout-driven attrition, and the downstream cost of incidents missed entirely. Those stack on top.
Detection engineering decides what enters the queue and how often it lies. Four levers do most of the work.
The queue is a finite resource.
When false positives eat 45% of investigation capacity, the team is not investigating 45% of real alerts. Some are low-severity, and aging them out is acceptable risk. Anomalous PHI access at 3 a.m. is not. ISACA’s 2024 research found nearly two-thirds of cybersecurity professionals report growing job stress, with alert fatigue a primary driver. Fatigue produces prioritization errors, which compound the noise.
In healthcare, the benchmark for this line item is the worst in any industry.
IBM’s 2025 Cost of a Data Breach report puts the average healthcare breach at $7.42 million, the highest of any sector for the 14th consecutive year, with 279 days to identify and contain. Multiply that by the probability that a missed alert was the difference between containment and a full breach. Even conservative assumptions produce a number that dwarfs the cost of noise. Detection engineering reduces the cost per alert. Opportunity cost quantifies what happens when the queue still overflows after tuning. Both belong in the same briefing.
Everything in the model is downstream of one number: minutes per investigation. At 70 minutes per alert, the queue has a hard capacity ceiling. Detection engineering raises the quality of what enters the queue. It does not raise the ceiling. Raising the ceiling means changing what does the investigating.
The teams that compressed mean time to detection from over an hour to single-digit minutes did not suppress their way there. They changed the cost structure that made the queue unmanageable. The math here is replicable: four inputs, one worked table, one line item for whoever owns your security budget, whether that is a CISO or an IT director. Strike48’s search-in-place data foundation queries logs where they live across S3, Splunk, and Elastic, with no rip-and-replace migration, so the architecture is ready once the model is built.
If your alert volumes and analyst-hour costs produce a noise figure that belongs in your next budget cycle, request a demo and run the math against your own data.
SANS survey data places the median in the 40 to 50% range. Mature detection-as-code programs with environment-specific tuning run below 30%. Anything above 60% means rule maintenance has fallen behind environment changes.
Alert fatigue is a primary driver of SOC analyst attrition. SANS research identifies working a queue that never produces meaningful results as a significant burnout accelerant. High FP rates add recruiting and onboarding cost on top of the direct noise cost.
FIRST’s CSIRT metrics framework includes false positive rate as a first-class KPI alongside MTTD, MTTR, and alert-to-incident ratio, tracked per detection rule so engineers can see which rules account for most of the noise.
Only if agents reason over incomplete data. Agents triaging against partial log coverage produce confident wrong answers faster than a human produces uncertain ones. Strike48 agents fire against complete log data, each scoped to a specific investigation task and governed by a GraphRAG knowledge graph that constrains what it reasons over. Narrow scope plus complete data produces determinations that reflect the actual environment.