“The post-tiering volume that hits human triage typically lands in the 120 to 150 alerts per day range.” That practical arithmetic, laid out by Rich Perkins of Prophet Security, is the clearest reason hiring more analysts alone won’t close today’s SOC gaps.
The math the industry doesn't want to admit
Perkins places the problem in plain numbers: at 120–150 post-tiering alerts a day and 20 minutes per investigation, SOCs face 40–50 analyst-hours of work daily. That outstrips typical teams of five to ten analysts, leaving many alerts for the next shift or never investigated. Perkins pairs this internal view with external trends: Mandiant’s M-Trends puts global median dwell time at 14 days and reports a collapse in the 2025 “hand-off” window to 22 seconds (from eight hours in 2022). CrowdStrike’s 2026 report finds average breakout time from initial access to exfiltration at 29 minutes. IBM’s Cost of a Data Breach research puts average time to identify and contain a breach at 241 days in 2025, with an average cost of $4.88 million — a modest improvement from 281 days in 2020 that has not matched rising security spend.
Four quick diagnostics every SOC should run
- What percentage of alerts above your investigation threshold did your team actually investigate last quarter? Less than 90% signals a coverage gap.
- How many detection rules did you suppress in the last 12 months without an engineering ticket to replace coverage? Each undocumented suppression is debt and an unmonitored attack surface.
- What was your senior analyst turnover last year, and how long did replacements take to become productive? Turnover above 15% or ramp times over six months create fragility.
- If alert volume doubled tomorrow, what would you stop doing first? That answer points to the program element already running on a thread.
Perkins’ point: if three or more answers are concerning, the conversation must shift from hiring to whether the underlying architecture can sustain the program the organization wants.
What real deployments delivered
Perkins cites two customer examples. JB Poindexter & Co ran 4,407 investigations through Prophet AI in the first 60 days, with a mean time to investigate under four minutes — freeing roughly 1,469 analyst-hours, or about 6.3 analyst-years of capacity. Their CISO John Barrow described the result as “faster, more focused, and able to scale without adding immediate headcount.” Cabinetworks processed 3,200 alerts in 33 days; six escalated to humans, and the company achieved an unexpected 90% reduction in SIEM costs by removing the need to ingest and store raw EDR and identity telemetry used only for analyst pivots.
Perkins adds a practical note: every deployment requires two to four weeks of focused tuning before reaching steady state.
How CISOs are funding AI SOC platforms
Perkins describes three common funding paths, ordered by political difficulty. Path one substitutes unfilled headcount: a Tier 2 analyst fully loaded runs $180K–$300K, setting the baseline for displacement math. Path two is SIEM cost reduction: if the AI does the pivot work, SIEM ingest and storage can be cut; Perkins cites typical SIEM ingest savings of 30–60% of total SIEM spend when investigation telemetry drives costs. Path three is tool displacement — replacing a SOAR, case-management workflow, or managed service — the hardest fight and often a year-two conversation. Many programs combine paths one and two.
Where humans must still lead
Perkins is explicit about limits. Keep humans in the lead for: insider-threat investigations where the decisive signal lives in human context (manager conversations, personnel actions), novel TTPs that have no analog in training data, and highly regulated environments where data residency prevents telemetry from leaving a specific cloud or country. The design he recommends: AI handles telemetry pivots while humans retain the human-context investigations and the true outlier hunts.
Vendor and procurement questions that matter
Buyers should press vendors on three vendor-risk items before signing: data portability (exporting investigation history, Guidance configurations, and detection logic), runbook independence (whether Guidance rules are portable or vendor-specific), and contractual continuity (service obligations and data handling in acquisition or wind-down scenarios). Perkins notes most vendors can answer the first two; few give a clean answer on contractual continuity without significant pre-work. He also advises asking vendors where their tool fails — if a vendor has no clear answer, that is itself an answer.
Perkins’ closing point is straightforward: the operating model under the SOC, not headcount alone, determines whether a program can investigate the volume and depth the business needs. “Pick the conversation you want to be having,” he writes.
Read the original Prophet Security–sponsored piece on BleepingComputer