Alert Fatigue
What is Alert Fatigue?
Alert Fatigue: The desensitization of analysts caused by excessive, low-value, or repetitive security alerts that erodes attention and slows real incident response.
Alert fatigue arises when a SOC receives more alerts than its team can meaningfully investigate, with a high proportion being false positives or duplicates. Over time, analysts develop reflexes to dismiss or batch-close alerts, increasing the risk that a true positive is missed or handled too late. Causes include noisy detection rules, weak baselines, broad signatures, lack of enrichment, and overlapping tools. Remedies include alert tuning, deduplication, risk-based scoring, automation through SOAR playbooks, removing low-value detections, and tracking signal-to-noise metrics so leadership can prioritize quality over raw volume.
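As an added illustration of the remedies listed above (deduplication, risk-based scoring and signal-to-noise metrics), the following Python triage pipeline is not part of the original glossary entry; the alert records, the per-rule analyst dispositions, the asset weights and the rule names are all constructed for the example. It folds repeated alerts with the same fingerprint into one, collapses a rule that fires on many hosts in a short burst into a single "storm" alert (the software-rollout case), weights each remaining alert by historical rule precision and asset criticality so a lateral-movement detection surfaces above scanner noise, and reports the volume reduction that a SOC would track as a signal-to-noise metric.

```python
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Constructed sample alerts (not real telemetry). Three scanner-driven
# brute-force hits, an EDR storm after a rollout, and one real lateral move.
RAW_ALERTS = [
    {"id": 1, "rule": "ssh_bruteforce", "host": "bastion01", "src": "198.51.100.7", "severity": 3, "ts": "2024-05-01T08:00:00"},
    {"id": 2, "rule": "ssh_bruteforce", "host": "bastion01", "src": "198.51.100.7", "severity": 3, "ts": "2024-05-01T08:01:30"},
    {"id": 3, "rule": "ssh_bruteforce", "host": "bastion01", "src": "198.51.100.7", "severity": 3, "ts": "2024-05-01T08:03:10"},
    {"id": 4, "rule": "edr_new_service", "host": "ws-101", "src": "", "severity": 5, "ts": "2024-05-01T09:00:00"},
    {"id": 5, "rule": "edr_new_service", "host": "ws-102", "src": "", "severity": 5, "ts": "2024-05-01T09:00:05"},
    {"id": 6, "rule": "edr_new_service", "host": "ws-103", "src": "", "severity": 5, "ts": "2024-05-01T09:00:09"},
    {"id": 7, "rule": "psexec_lateral_movement", "host": "dc01", "src": "ws-102", "severity": 8, "ts": "2024-05-01T09:02:00"},
    {"id": 8, "rule": "edr_new_service", "host": "ws-101", "src": "", "severity": 5, "ts": "2024-05-01T09:30:00"},
]

# Constructed historical analyst verdicts per rule: (true positives, false positives).
DISPOSITIONS = {
    "ssh_bruteforce": (2, 198),
    "edr_new_service": (1, 39),
    "psexec_lateral_movement": (5, 2),
}

# Constructed asset criticality weights; anything not listed counts as 1.0.
ASSET_WEIGHT = {"dc01": 3.0, "bastion01": 1.5}


@dataclass
class Alert:
    id: int
    rule: str
    host: str
    src: str
    severity: int            # 1-10 as emitted by the detection
    ts: datetime
    count: int = 1           # raw alerts folded into this one
    merged_ids: list = field(default_factory=list)


def deduplicate(alerts, window=timedelta(minutes=10)):
    """Fold alerts sharing (rule, host, src) that fall within `window` of the group's first alert."""
    groups, out = {}, []
    for a in sorted(alerts, key=lambda x: x.ts):
        key = (a.rule, a.host, a.src)
        g = groups.get(key)
        if g is not None and a.ts - g.ts <= window:
            g.count += 1
            g.merged_ids.append(a.id)
        else:
            g = Alert(a.id, a.rule, a.host, a.src, a.severity, a.ts, 1, [a.id])
            groups[key] = g
            out.append(g)
    return out


def collapse_storms(alerts, window=timedelta(minutes=10), min_hosts=3):
    """Collapse a rule firing on >= min_hosts distinct hosts inside one window into a single storm alert."""
    by_rule = defaultdict(list)
    for a in sorted(alerts, key=lambda x: x.ts):
        by_rule[a.rule].append(a)
    out = []
    for rule, items in by_rule.items():
        i = 0
        while i < len(items):
            j = i
            while j + 1 < len(items) and items[j + 1].ts - items[i].ts <= window:
                j += 1
            burst = items[i:j + 1]
            hosts = {b.host for b in burst}
            if len(hosts) >= min_hosts:
                first = burst[0]
                out.append(Alert(first.id, rule, f"storm:{len(hosts)} hosts", "", first.severity, first.ts,
                                 sum(b.count for b in burst), [x for b in burst for x in b.merged_ids]))
            else:
                out.extend(burst)
            i = j + 1
    return sorted(out, key=lambda x: x.ts)


def rule_precision(rule):
    """Smoothed precision TP/(TP+FP); an unseen rule gets 0.5 rather than 0 or a division error."""
    tp, fp = DISPOSITIONS.get(rule, (0, 0))
    return (tp + 1) / (tp + fp + 2)


def risk_score(a):
    """Risk-based score: detection severity x asset criticality x how often the rule was right before."""
    return round(a.severity * ASSET_WEIGHT.get(a.host, 1.0) * rule_precision(a.rule), 3)


def triage(raw):
    """Return the prioritized queue plus the signal-to-noise metrics a SOC would track over time."""
    alerts = [Alert(r["id"], r["rule"], r["host"], r["src"], r["severity"], datetime.fromisoformat(r["ts"])) for r in raw]
    queue = sorted(collapse_storms(deduplicate(alerts)), key=risk_score, reverse=True)
    metrics = {
        "raw": len(alerts),
        "queued": len(queue),
        "reduction": round(1 - len(queue) / len(alerts), 2),
        "precision_by_rule": {r: round(rule_precision(r), 3) for r in DISPOSITIONS},
    }
    return queue, metrics


if __name__ == "__main__":
    queue, metrics = triage(RAW_ALERTS)
    for a in queue:
        print(f"{risk_score(a):7.3f}  {a.rule:24} {a.host:16} x{a.count}  ids={a.merged_ids}")
    print(metrics)
```

On the constructed input the eight raw alerts become four queued items, and the single lateral-movement detection scores far above the EDR storm and the brute-force noise even though it fired only once. The precision table is the part worth feeding back into detection engineering: a rule that stays near zero precision for weeks is a candidate for tuning or removal rather than for another analyst shift.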
● Examples
- 01 Analysts auto-closing brute-force alerts because 99 percent are scanner noise from the internet.
- 02 A flood of duplicate EDR alerts after a software rollout that buries a real lateral-movement detection.
● Frequently asked questions
What is Alert Fatigue?
The desensitization of analysts caused by excessive, low-value, or repetitive security alerts that erodes attention and slows real incident response. It belongs to the Defense & Operations category of cybersecurity.
How do you defend against Alert Fatigue?
Defences for Alert Fatigue combine technical controls (alert tuning, deduplication, risk-based scoring, SOAR playbook automation) with operational practices (retiring low-value detections and tracking signal-to-noise metrics), as detailed in the full definition above.
What are other names for Alert Fatigue?
Common alternative names include: Notification fatigue, Alarm fatigue.
● Related terms
- False Positive (defense-ops № 406): A security alert that flags benign activity as malicious, costing analyst time and eroding trust in the detection that produced it.
- False Negative (defense-ops № 405): Malicious activity that a detection failed to flag, leaving the threat unnoticed and allowing the attacker to continue without alerting defenders.
- SIEM (defense-ops № 1039): A platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
- SOAR (defense-ops № 1062): A platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.
- Detection Engineering (defense-ops № 307): The discipline of designing, testing, deploying, and maintaining security detections as code, with measurable coverage of adversary techniques.