November 4, 2025 | 6 min read

Finding Your Way Upstream: Breaking the Burnout Cycle in Security Operations

During my twenty-plus years defending networks—from the Air Force to government contractor work to my current role in security research—I've watched exceptional analysts burn out from a systemic problem we refuse to address. Security Operations Centers face a fundamental challenge: analysts trapped downstream processing endless alert queues while upstream systemic issues multiply unchecked. This post examines the operational reality I've witnessed across countless customer engagements: talented security professionals drowning not from lack of skill, but from structural inefficiencies in our detection systems. What we find in practice is that elite SOC teams differentiate themselves through continuous tuning discipline and strategic pattern analysis. Key operational insights include: implementing systematic feedback loops that reduced alert volumes by 40% while improving detection rates, creating protected time for upstream analysis work, and recognizing that strategic thinking requires cognitive space—not perpetual crisis mode. For security leaders seeking sustainable, high-performance operations beyond reactive firefighting.

Eric Hulse
Director of Security Research

Introduction

I just returned from Playa Del Carmen, where our team wrapped up our company offsite. Between strategy sessions and team discussions, I found myself on the beach at sunrise, coffee in hand, watching the waves roll in as the sky shifted from deep purple to brilliant orange. There's something about being away from your desk—truly away—that gives you perspective on the problems you live with every day.

Lunch and drinks with the team - guess who's rocking the sombrero! 

As I watched the sun climb above the horizon, a thought struck me: this same sun will set tonight and rise again tomorrow. It is an endless, perfect cycle, beautiful in nature, but exhausting when you apply that same cyclical inevitability to security operations.

Because that's exactly what we've created in our SOCs. The alerts will come tomorrow. And the day after. And the day after that. The tech stacks will expand, the data sources will multiply, and the queue will never hit zero. We've built a system where the sun rising means another day of drowning.

The Weight We Carry

During my twenty-plus years in this field—from my early days in the Air Force to contractor work doing offensive security to my current role in security research—I've watched exceptional analysts burn out and leave the field entirely. Not because they weren't good at their jobs. Not because they didn't care. But because the system we've built treats human beings like infinite resources in a finite game.

I've been there myself. There were many days during my time in the industry when I was running on four hours of sleep, drinking coffee like it was water, and genuinely believing that if I just worked harder, I could get ahead of the threats. I was wrong. You can't outwork an alert queue that refills faster than you can empty it. You can't out-caffeine systemic problems.

What finally changed for me wasn't working harder—it was working smarter. But more importantly, it was recognizing that I needed to step back to see the real problem. And that's something we're systematically failing to teach our analysts.

The Downstream Trap

There's a parable in Dan Heath's book "Upstream" that perfectly captures what's happening in security operations today. Two friends are having a picnic by a river when they hear screaming. They look up to see a child drowning in the water. One friend jumps in and pulls the child to safety. But before they can catch their breath, another child appears, struggling in the current. Then another. And another.

The first friend keeps jumping in, exhausting himself pulling kids from the river. The second friend starts running upstream along the riverbank. The first friend shouts, "Where are you going? I need help!" The second friend calls back: "I'm going upstream to tackle the guy who's throwing all these kids in the water!"

In our SOCs, we've trained an entire generation of analysts to be exceptional at jumping in the river. They can triage alerts with incredible speed. They can correlate events across multiple systems. They can write detailed incident reports. But we've never taught them to go upstream.

Going upstream in security operations means asking fundamentally different questions:
- Why are we generating 10,000 alerts per day?
- Which of these detection rules are creating more noise than signal?
- What patterns in our environment are triggering false positives?
- How can we tune our systems so analysts spend time hunting threats instead of drowning in alerts?

These aren't just efficiency questions. They're survival questions. Because every hour spent triaging noise is an hour not spent on genuine threats—and an hour closer to burnout.

What Effective SOCs Do Differently

The best SOCs I've worked with understand that tuning isn't a one-time project—it's an ongoing operational discipline. They recognize that every alert rule represents a hypothesis about what matters, and those hypotheses need continuous testing against reality.

During a customer engagement last year, I watched a tier-3 analyst walk through their tuning process. They weren't just turning off noisy rules. They were asking: "What is this rule actually detecting? What is the true positive rate? What context would make this signal actionable instead of just adding to the queue?"

This analyst had built a feedback loop where tier-2 analysts could flag patterns they were seeing repeatedly—not just individual false positives, but categories of noise. The team would then dedicate time each sprint to addressing the top noise generators. Not occasionally. Not when things got bad. Systematically, as part of their operational rhythm.

The results were dramatic. Over six months, they reduced their daily alert volume by 40% while simultaneously increasing their detection rate for genuine threats. Analysts reported higher job satisfaction. Turnover decreased. And response times improved because analysts weren't constantly context-switching between noise and signal.

But here's what struck me most: the leadership at this organization actively encouraged analysts to take time for tuning work instead of just grinding through the queue. They understood that going upstream required creating space to think, to analyze patterns, and to make changes that would compound over time.

The Strategic Imperative of Rest

Which brings me back to that beach in Playa del Carmen and a harder truth we need to face: you cannot go upstream when you're drowning downstream.

Strategic thinking requires cognitive space. Pattern recognition requires a mind that isn't running in constant crisis mode. Effective tuning requires the ability to step back and see the forest instead of just the individual trees on fire.

I learned this the hard way. After years of grinding, I finally took a proper vacation—two weeks, completely disconnected. When I returned, I looked at my monitoring systems with fresh eyes and immediately spotted patterns I'd been too buried to see. Rules that were triggering on normal behavior. Detection gaps we'd been working around instead of fixing. Processes that had calcified into bureaucracy.

That two-week break gave me back months of productivity. Not because I was "recharged" in some vague motivational sense, but because I could think clearly enough to identify and fix upstream problems.

A Call to Action: Swim Upstream

If you're a security analyst reading this, I want you to do two things. Not because I'm your manager or because it's what's expected of you, but because your career and your health depend on it.

First: Monitor yourself with the same vigilance you apply to your networks.

Notice when you're working late more nights than not. Notice when you're dreading the alert queue before you even open it. Notice when you can't remember the last time you took a day off without checking your phone. These are indicators just as important as any SIEM alert.

Take strategic breaks. Take actual vacations where you disconnect. I know the culture in many SOCs makes this feel impossible. I know you feel like the team can't function without you. But that feeling—that you're indispensable to the daily alert grind—is itself a symptom of a system that needs fixing.

The best leaders I've worked with encourage their employees to take time off specifically because they understand that fresh perspective is a strategic asset. If your organization doesn't support this, that's signal data about whether this is a sustainable place for your career.

Second: Figure out who's throwing those kids in the river, and help stop them.

This means actively working to identify the upstream causes of your alert volume. Block time in your calendar—not "if you have time" but scheduled, protected time—to analyze patterns in your false positives. Document what you find. Propose tuning changes. Build the feedback loops that let you continuously improve your detection environment.
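The tuning loop described in the "What Effective SOCs Do Differently" section and in the step above (per-rule true-positive rate, tier-2 tagging of recurring noise categories rather than individual false positives, and picking the top noise generators to address each sprint) can be made concrete. The following is an added Python example, not code from this post or from Command Zero. The rule names, noise categories and triage records are constructed sample data, and the assumption is that every closed alert carries an analyst disposition plus an optional tier-2 noise tag.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Triage:
    """One closed alert: which rule fired, what the analyst decided, and the
    tier-2 noise category if the false positive belongs to a recurring pattern."""
    rule_id: str
    disposition: str                     # "true_positive" or "false_positive"
    noise_category: Optional[str] = None


def _n(count: int, rule_id: str, disposition: str, category: Optional[str] = None) -> List[Triage]:
    """Build `count` identical triage records (keeps the sample data compact)."""
    return [Triage(rule_id, disposition, category)] * count


# Constructed sample records: hypothetical rule names and categories, not real data.
SAMPLE_TRIAGE: List[Triage] = (
    _n(6, "R001-psexec-lateral", "false_positive", "patch-management")
    + _n(2, "R001-psexec-lateral", "true_positive")
    + _n(7, "R002-dns-long-query", "false_positive", "cdn-telemetry")
    + _n(3, "R002-dns-long-query", "false_positive", "security-scanner")
    + _n(3, "R003-mimikatz-strings", "true_positive")
    + _n(5, "R004-failed-logon-burst", "false_positive", "security-scanner")
    + _n(1, "R004-failed-logon-burst", "true_positive")
)


def rule_stats(records: List[Triage]) -> dict:
    """Per-rule alert count, true/false-positive counts and true-positive rate.
    Each rule is a hypothesis about what matters; this is its test against reality."""
    alerts = Counter(r.rule_id for r in records)
    tps = Counter(r.rule_id for r in records if r.disposition == "true_positive")
    return {
        rule: {
            "alerts": n,
            "true_positives": tps[rule],
            "false_positives": n - tps[rule],
            "tp_rate": tps[rule] / n,
        }
        for rule, n in alerts.items()
    }


def top_noise_generators(records: List[Triage], limit: int = 3) -> list:
    """Rules ranked by false-positive count (ties broken by lowest TP rate)."""
    stats = rule_stats(records)
    ranked = sorted(stats.items(), key=lambda kv: (-kv[1]["false_positives"], kv[1]["tp_rate"]))
    return [(rule, s["false_positives"], round(s["tp_rate"], 3)) for rule, s in ranked[:limit]]


def noise_categories(records: List[Triage]) -> list:
    """Group tier-2-tagged false positives by category across all rules.
    A category that spans several rules is usually one upstream cause."""
    tagged = [r for r in records if r.disposition == "false_positive" and r.noise_category]
    counts = Counter(r.noise_category for r in tagged)
    rules = defaultdict(set)
    for r in tagged:
        rules[r.noise_category].add(r.rule_id)
    return [
        {"category": cat, "alerts": n, "rules": sorted(rules[cat])}
        for cat, n in counts.most_common()
    ]


def projected_reduction(records: List[Triage], categories: List[str]) -> float:
    """Fraction of total alert volume removed if the given categories are fixed
    upstream. Only tagged false positives count, so genuine detections are untouched."""
    wanted = set(categories)
    removed = sum(
        1 for r in records if r.disposition == "false_positive" and r.noise_category in wanted
    )
    return removed / len(records) if records else 0.0


def sprint_backlog(records: List[Triage], limit: int = 2) -> dict:
    """Top noise categories to address this sprint and the volume reduction they buy."""
    names = [c["category"] for c in noise_categories(records)[:limit]]
    return {"categories": names, "projected_reduction": round(projected_reduction(records, names), 3)}


if __name__ == "__main__":
    for rule, fp, rate in top_noise_generators(SAMPLE_TRIAGE):
        print(f"{rule}: {fp} false positives, TP rate {rate}")
    for cat in noise_categories(SAMPLE_TRIAGE):
        print(f"{cat['category']}: {cat['alerts']} alerts across {cat['rules']}")
    print(sprint_backlog(SAMPLE_TRIAGE))
```

Ranking by category rather than by rule is what surfaces the cross-rule cause: in the sample data "security-scanner" is not the noisiest tag on any single rule, yet it is the largest category overall because two rules fire on the same scanner traffic, so one upstream fix (an allowlist or enrichment for the scanner hosts) quiets both rules at once.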

Some of this work can be done with tools like Command Zero, where you can capture investigative knowledge and turn repeated patterns into automated detections that actually work. But the tool matters less than the mindset: you are not just an alert processor. You are someone who can identify and fix systemic problems.

Going upstream is hard work. It requires political capital to change processes. It requires technical depth to tune complex detection systems. It requires patience because the benefits compound over time rather than giving immediate gratification.

But it's the only sustainable path forward. Because the alternative—staying downstream, jumping in the river day after day, watching the sun rise on another queue full of alerts—leads to one inevitable outcome: burnout.

The Sunrise After

That sunrise in Playa del Carmen reminded me why I got into this field in the first place. Not to process alerts. Not to live in a perpetual state of reactive firefighting. But to actually defend networks, to outsmart adversaries, and to build systems that make our organizations more resilient.

That mission is still possible. But it requires us to swim upstream, both in how we approach our work and in how we take care of ourselves in the process.

The alerts will keep coming. The tech stacks will keep expanding. The threats will evolve. That's the reality of our field.

But whether we drown in that reality or transform it—that's still up to us.

Take the break. Go upstream. Build something sustainable.

The sun will rise tomorrow. Make sure you're still around to take on the day.

Eric Hulse
Director of Security Research
