June 11, 2025 | 4 min read

Breaking the SOC Alert Fatigue Cycle: Why Speed Metrics Are Killing Quality

Security operations centers face a critical crisis: alert fatigue is overwhelming analysts and creating dangerous investigation gaps. Traditional SOC metrics like MTTR and MTTI incentivize speed over thoroughness, forcing analysts into narrow investigation scopes that miss connected threats across enterprise environments. The fundamental challenge lies in systemic operational constraints. Analysts validate alerts, implement basic containment measures, and close cases without investigating broader attack scope—leaving lateral movement and data exfiltration undetected. This assembly-line approach creates a backlog of unresolved threats that eventually culminate in headline-grabbing breaches. Modern AI technology offers a transformative solution by correlating disparate data sources across endpoint logs, identity systems, cloud platforms, and network traffic in minutes rather than hours. Command Zero's platform automatically establishes comprehensive investigation scope, checking for related activity across AWS, Azure, identity providers, and SaaS applications when alerts trigger. The strategic approach acknowledges organizational reality: rather than eliminating established performance metrics, advanced technology empowers analysts to investigate comprehensively within existing time constraints, delivering higher-quality outcomes while maintaining operational efficiency in today's complex threat landscape.

SOC teams are drowning in signal overload. For organizations of any meaningful size, alert fatigue isn't just a buzzword—it's a daily reality that's getting worse. Security operations centers run like assembly lines, churning through massive queues of alerts they can't possibly address in full. The result? A dangerous backlog of unsolved items, any of which could lead to a full-scale breach.

This broken model stems from two fundamental problems:

  1. Overly vocal security products designed to demonstrate value through volume, and
  2. Time-based metrics that incentivize the wrong behavior.

The metrics problem: MTTR and MTTI drive dangerous behavior

Mean Time to Resolution (MTTR) and Mean Time to Investigate (MTTI) have become standard SOC performance measures. These metrics judge analysts on how quickly they can close alerts, creating a perverse incentive structure that prioritizes speed over thoroughness.

When analysts know their compensation and career progression depend on processing alerts quickly, they develop tunnel vision. They investigate the narrowest possible scope of an incident, make the minimum viable decisions to close it out—reset credentials, add firewall rules—and move to the next case.

This approach misses a critical reality: every alert represents a signal connected to other signals. When an analyst discovers a compromised user identity, the right question isn't "How do I close this fastest?" but "What did this user do before I discovered the compromise? What other systems might be affected?"

Unfortunately, most analysts don't have time for that broader investigation. Even when they identify true positives, they focus on immediate containment rather than understanding the full attack scope.

The Cost of Narrow Investigations

Consider a typical endpoint alert scenario. An EDR system flags suspicious activity on a user's workstation. Under current time pressure, an analyst might:

  1. Validate the alert is legitimate
  2. Reset the user's credentials
  3. Add blocking rules to prevent similar activity
  4. Close the case

What they won't do—because they can't afford the time—is investigate whether that same user account accessed AWS EC2 instances, made unusual changes in Okta or Entra ID, or accessed sensitive SharePoint documents. The scope remains artificially narrow, leaving potential lateral movement and data exfiltration undetected.

The pattern is consistent: many of these cases turn out to be noise, but the ones that represent real threats continue unabated, and eventually that incomplete investigation becomes a headline-grabbing breach.

Why this technology must adapt to reality

With transformative technology like AI, the instinct might be to overhaul SOC metrics entirely—eliminate time-based KPIs and focus purely on investigation quality. But this approach ignores organizational reality. Organizations won't abandon 15-20 years of established SOC metrics overnight. Security products will continue generating massive alert volumes, and executives will still want measurable performance indicators.

The pragmatic solution requires technology that lets analysts investigate broadly within existing time constraints. Instead of fighting the system, we need tools that accelerate comprehensive investigations.

How AI changes the investigation game

Modern AI technology can extract data from multiple platforms simultaneously, assess relationships and risk, and present analysts with coherent threat narratives. This capability addresses two critical challenges:

Speed at Scale: AI can correlate disparate data sources—endpoint logs, identity systems, cloud platforms, network traffic—faster than any human analyst. What might take hours of manual investigation can happen in minutes.

Cross-Platform Expertise: Many SOC analysts lack deep expertise across every security tool in their environment. AI can bridge these knowledge gaps, analyzing data patterns across platforms that individual analysts might not fully understand.

The key isn't replacing human judgment but augmenting it. AI can quickly establish investigation scope, identify related activity across the entire environment, and present findings in ways that allow teams of analysts to validate conclusions and move to response.

Command Zero's approach: Immediate scope & impact

Our platform recognizes that when you're dealing with an alert, something is already wrong. Instead of starting with narrow investigation parameters, the system immediately searches for evidence of related activity across the entire environment.

When an endpoint alert triggers, Command Zero automatically checks for corresponding activity in AWS, Azure, identity providers, SaaS applications, and other connected systems. This isn't just correlation—it's comprehensive scope setting that happens in seconds, not hours.

The platform provides clear paths to remediation while working within existing time constraints. Analysts can quickly understand whether an incident is contained to a single system or represents broader compromise, making informed decisions about response priorities.
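The cross-platform scope setting described here, and the narrow endpoint triage it contrasts with under "The Cost of Narrow Investigations", can be sketched as a pivot on the alerted identity and source IP across every connected log source. This is an added illustration, not Command Zero's code; the alert, the three platform event lists and the field names are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one EDR alert plus events
# from three other platforms, all keyed by user and source IP.
EDR_ALERT = {"user": "jdoe", "host": "WS-0142",
             "time": "2025-06-10T09:15:00", "src_ip": "203.0.113.7"}

PLATFORM_EVENTS = {
    "aws_cloudtrail": [
        {"user": "jdoe", "time": "2025-06-10T10:02:00",
         "src_ip": "203.0.113.7", "action": "ec2:RunInstances"},
        {"user": "asmith", "time": "2025-06-10T10:05:00",
         "src_ip": "198.51.100.2", "action": "s3:GetObject"},
    ],
    "okta": [  # activity from BEFORE the endpoint alert fired
        {"user": "jdoe", "time": "2025-06-09T22:40:00",
         "src_ip": "203.0.113.7", "action": "user.mfa.factor.reset"},
    ],
    "sharepoint": [  # outside a 24h window, so not pulled into scope
        {"user": "jdoe", "time": "2025-06-11T12:00:00",
         "src_ip": "203.0.113.7", "action": "FileDownloaded"},
    ],
}


def _ts(s):
    return datetime.fromisoformat(s)


def establish_scope(alert, events_by_platform, window_hours=24):
    """Pivot on the alerted user and source IP across every platform within
    +/- window_hours of the alert. Returns the related activity, the
    platforms touched, the earliest related event (what the identity did
    before the alert) and whether the incident looks contained to one host."""
    anchor = _ts(alert["time"])
    lo, hi = anchor - timedelta(hours=window_hours), anchor + timedelta(hours=window_hours)
    related = {}
    for platform, events in events_by_platform.items():
        hits = [e for e in events
                if lo <= _ts(e["time"]) <= hi
                and (e["user"] == alert["user"] or e["src_ip"] == alert["src_ip"])]
        if hits:
            related[platform] = sorted(hits, key=lambda e: e["time"])
    earliest = min((h["time"] for hs in related.values() for h in hs), default=None)
    return {"contained": not related, "platforms": sorted(related),
            "earliest_related": earliest, "related": related}
```

Running `establish_scope(EDR_ALERT, PLATFORM_EVENTS)` pulls the AWS and Okta activity into scope and shows the MFA reset preceding the endpoint alert; calling it with `window_hours=0` reproduces the narrow triage and reports the incident as contained.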

Building better SOC workflows with AI

The goal isn't to eliminate alerts or abandon performance metrics. It's to give analysts the tools they need to investigate comprehensively within existing operational constraints. When analysts can establish full incident scope quickly and confidently, they make better decisions about resource allocation and response priorities.

This technological approach acknowledges SOC reality while improving outcomes. Analysts still move through cases efficiently, but with complete visibility into threat scope and impact. The assembly line continues running, but with higher-quality output and reduced risk of missing critical attack progression.

The alternative—continuing to operate with narrow investigation scopes and artificial time pressures—guarantees that some percentage of incidents will escalate into full breaches. In today's threat landscape, that's a risk most organizations simply can't afford.

Book a demo today to see how Command Zero can help your analysts move beyond immediate scope and reduce overall risk.  

Alfred Huger
Cofounder & CPO
