
SOC analysts face alert overload, duplicate effort, survey finds
New research from Devo indicates widespread inefficiencies in security operations centres (SOCs), as most analysts inadvertently investigate identical incidents multiple times each month.
According to The Evolution Toward an Alertless SOC report, which surveyed 200 security professionals, 84% of organisations stated their SOC analysts unknowingly examine the same incidents several times a month, with 60% noting such duplications occur on a weekly basis.
The findings point to several challenges facing the prevailing alert-centric SOC model, including high alert volumes, frequent false positives, and insufficient context for each alert. These issues contribute to duplicate investigations and substantial time spent manually connecting related evidence.
The survey revealed that 83% of analysts feel overwhelmed by the volume of alerts, false positives, and lack of relevant alert context. Additionally, 85% of analysts confirmed they dedicate significant time collecting and linking evidence to transform an alert into a usable security case.
Devo's report suggests that these inefficiencies mean analysts are spending less time on forward-looking activities such as threat hunting. Instead, a reactive stance persists, with 47% of respondents saying their primary method of discovering security incidents is through alerts, compared to 33% who rely on proactive investigation.
Underperformance of SOC technology tools further hinders effectiveness. Case management capabilities were listed as not meeting expectations by 77% of the organisations surveyed, followed by threat intelligence integration (76%), reporting metrics (75%), investigation workflow automation (75%), and alert prioritisation accuracy (73%).
Rakesh Nair, Chief Technology Officer at Devo, commented: "Even with best-in-class technology and highly-skilled teams, the alert-centric model still leaves SOC analysts overwhelmed. As AI-enhanced threats become more prevalent, it's more important than ever to free analysts' time to focus on proactive investigation to maintain and improve organizations' security posture."
The survey also examined how artificial intelligence is used within SOCs. While the majority report strong adoption rates, current applications are mainly limited to basic functions such as setting alert severity (47%), triggering responses (42%), and detecting anomalies (41%).
Adoption of AI for more advanced tasks remains lower: fewer than one in three organisations use AI for automated alert triage, and just 36% use it for alert enrichment, although both are important functions for reducing manual workloads in security operations.
Despite the current situation, organisations identified clear priorities for change in the coming year. The survey reports that 82% of respondents want to focus more on proactive investigations rather than solely responding to alerts, 81% aim to enhance alert correlation and enrichment capabilities, and 80% are seeking more cost-effective ways to analyse broader data sources.
The concept of an Alertless SOC, as outlined by Devo, presents a different operational model—incorporating intelligent automation and advanced investigation capabilities to allow analysts to dedicate their expertise to precision threat hunting and coordinated response. This approach represents a departure from the traditional Threat Detection, Investigation, and Response (TDIR) model, in favour of more contextual, proactive security workflows.
The Evolution Toward an Alertless SOC survey was conducted by Wakefield Research and gathered responses from 200 US-based security professionals with managerial or director-level roles at organisations of at least 1,000 employees, over a two-week period in early 2025.