Blog
By: Seth Summersett |
May 20, 2025

Common False Positives (and How AI SOC Helps)

If you’ve spent time reviewing alerts across dozens (or hundreds) of environments, as a consultant, job hopper, MSSP/MDR analyst, or internal security leader, you’ve probably had the same realization we have: every organization is unique, but the false positives? They’re everywhere.

In the SOC, false positives are more than just a nuisance. They’re a tax on your time, your talent, and your team. Vendors don’t want to miss real attacks (and we get it), but the result is a flood of “maybe” alerts that burden the humans meant to make sense of them.

At Embed, we’ve spent decades living in these alert queues. Below are four types of false positives we see again and again; and how an AI SOC (like the one we’re building) helps reduce the noise and surface the real threats.

Impossible Travel

“A user logged in from New York, then 10 minutes later from Tokyo. This is impossible travel. Must be suspicious.”

The reality
Maybe. But also, maybe not.

What’s at play?

  • GeoIP data can be inaccurate or misleading (my IP resolves to a city three hours away)
  • VPNs, proxies, and distributed entry points introduce complexity, was it really “impossible” or just a different corporate VPN gateway?
  • Mobile hotspots, coffee shop Wi-Fi, or failover to a cellular network can all cause unexpected geo shifts.
  • Were the logins failed attempts, not actual sessions?
  • Business travel and shared accounts add even more ambiguity.

How Embed helps
We autonomously evaluate the context. We don’t just look at the raw GeoIP deltas, we check session history, VPN usage, time of day, and account behavior across your network. When there’s noise, we suppress it. When it’s signal, you’ll see it; complete with full orientation and supporting evidence.

Brute Force / Failed Login

“Multiple failed login attempts detected. Possible brute force attack.”

The reality
This one is both ubiquitous and annoying. Anything internet-exposed gets scanned constantly. The challenge is separating real threats from background noise.

Common questions analysts are stuck asking themselves:

  • Was this a valid username for the system?
  • Is the threshold low, and the user was on vacation and simply forgot their password?
  • Was it a script or a human (i.e., speed of attempts)?
  • Was the same account targeted across multiple systems?

How Embed helps
Our agentic security platform autonomously explores failed logins across sources, correlates with known threats, and teases out human behavior from scripted behaviors. We’re not just looking at thresholds (10, 100, 1000 attempts?), it’s about speed, directionality, and context.

Port Probe

“An external host connected to an unprotected port on your EC2 instance. This indicates reconnaissance activity.”

The reality
Port probes often trigger when an IP reaches out to a known service port (like RDP, SSH, or HTTP) that isn’t protected by a firewall or security group. But here’s the challenge, anything exposed to the internet will get hit eventually.

The presence of a port probe doesn’t mean you’re being targeted, it’s most likely just random internet scanning noise. Shodan, masscan, botnets, and opportunistic crawlers generate endless “drive-by” connections to anything that answers in the public IP space.

Still, context is everything:

  • Did this external connection attempt lead to a successful handshake?
  • Was there any follow-up activity from the same IP or ASN?
  • Was the destination workload new, misconfigured, or unexpectedly public?

How Embed helps
Our solution enriches findings like this by correlating activity, access logs, and historical infrastructure data. We ask – was this just noise, or part of an attack?

If it’s just a harmless probe on a hardened system, we suppress it. If it’s a probe followed by more interesting context, we elevate it. This way, your team spends less time triaging port noise and more time stopping real attackers.

Malware – Generic.*

“AV/EDR detected a generic suspicious behavior on an endpoint.”

The reality
These alerts are frustratingly opaque. “Generic” detections don’t tell you what the tool thinks is malicious, simply that it thinks something is. No context. No narrative. Just an analyst staring at a blinking red dot trying to reverse engineer the story.

How Embed helps
Orientation is the first thing you see in our product: Who is involved? When did it happen? What was affected? That clarity is vital. Even when EDRs give you little to work with, we enrich alerts with surrounding context, known patterns, and metadata. We can’t magically make the underlying AV tools more specific, but we can help you deal with the volume by triaging every alert so that what’s left over has meaning.

False Positives Are Expensive

Beyond frustration, false positives come with real costs:

  • Financial: Key personnel may be pulled off-task or systems taken offline while FPs are investigated.
  • Operational: In severe cases, investigation-driven downtime can disrupt critical business functions.
  • Human: Analysts only have so much time. Every false positive distracts from higher-value detection, response, and strategic security work.

That’s why at Embed, we don’t think “alert triage” should be a manual sport. Our agentic platform applies security noise cancellation™ to surface only the most credible threats – so analysts can spend less time sifting through hay, and more time finding the needles.

Why Noisy Alerts Still Matter

It’s important to acknowledge that not all noisy alerts are meaningless. Buried inside the pile of false positives, there are early signals of real, dangerous threats. The challenge is separating the “almost always noise” from the “rare but high-risk” events without burning out your team.

In fact, history has shown us that some of the most damaging security breaches started as alerts that were ignored, misunderstood, or deprioritized:

  • Google (2009 – Operation Aurora): In this sophisticated APT attack linked to China, Google and over 20 other companies were compromised. Reports suggest that early signs of the attack were present in logs and security tools but failed to rise above the noise to actionable status until after significant data exfiltration had occurred.
    https://blog.google/outreach-initiatives/public-policy/transparency-in-the-shadowy-world-of-cyberattacks
  • Target (2013): The breach that exposed 40 million credit card records began with malware on a third-party HVAC vendor’s credentials. According to reports, Target’s security tools (including FireEye) did detect and alert on the intrusion—but the alerts were missed or disregarded due to alert fatigue and process gaps.
    https://www.cardconnect.com/launchpointe/payment-trends/target-data-breach
  • Equifax (2017): The attackers exploited a known vulnerability (Apache Struts) months after a patch had been released. Equifax received alerts about the unpatched systems from their scanning tools, but due to internal breakdowns, the vulnerability remained unremediated and became the initial foothold for attackers.
    https://www.breachsense.com/blog/equifax-data-breach

These aren’t just historical footnotes, they’re reminders of why noise reduction has to be smart. Blunt suppression strategies can be as dangerous as alert overload. That’s why at Embed, our agentic security platform doesn’t just suppress, it autonomously triages with context. Our goal is not to ignore noisy alerts, but to process them intelligently so you only need to focus on the ones that truly matter.

© 2025 embed security All rights reserved.