The Economics of the SOC

Why Alert Fatigue is draining your security budget

and how to flip the math

07:58 AM: Liz, a tier-1 analyst, logs in to find 484 new alerts. By lunch she’s power-closing tickets on little more than a hunch, while the queue keeps growing as each employee logs on to start their day. By 4:00 PM she’s spent the bulk of her day on alerts that never posed any risk. Tomorrow will look the same.

Sound familiar? Yeah, we know, we’ve lived it too.

Alert Triage is Broken!

This one fact means SOC economics don’t pencil out.  When two-thirds of what you pay for never even gets looked at, and most of what is looked at is busy work, the value equation crumbles.  We’ve been the analyst.  We’ve been the data scientist.  We’ve been the manager.  We’ve done the math.  We get it.

You’ve seen the studies, surveys, reports, etc. – honestly, for decades now.  Stats like 83% of companies reporting alert overload, 62% of alerts going unreviewed, 3,000-10K+ alerts per day depending on company size, 52% of alerts being false positives (FPs), and on and on.

If more than half of an analyst’s time is spent chasing alerts that were never a threat, that points to a flawed economic model.  It doesn’t matter whether you’re an MDR, MSSP, or enterprise: that’s wasted analyst time, attention, and resources.

Let’s break down the math clearly. An analyst earning roughly:

$130,000/yr is $65/hr (at about 2,000 working hours a year) – 60% of the day is 5 hrs on FPs a day
That comes to $325/day, or $82,300 annually per analyst
Spent on false positives!


MDR Cost Curve is Breaking

For an MDR/MSSP, if analysts are spending most of their time on false positives, that’s not a workflow problem, that’s a margin problem.  Every hour analysts spend on noisy, low-fidelity alert triage directly adds to Cost of Goods Sold (COGS).

Historically, MDR/MSSP pricing has scaled with volume:

More endpoints, more alerts, more people

But that model doesn’t hold water when AI and automation can triage and disposition the vast majority of benign alerts faster and cheaper than analysts.

We’re entering a new landscape where MDR/MSSP economics are being reshaped by AI-first thinking.  Instead of selling services “with software”, the industry is shifting to “Service as Software”.  This means:

  • Fewer alerts require manual review
  • Outcomes, not effort, become the pricing model
  • Exponential scaling with linear costs

We expect security teams to gain more precision, deal with less noise, and obtain faster time-to-value without needing to increase headcount or spend.  At Embed, we see alert triage evolving to decisions made by a system of models, not manual review.  But this doesn’t mean there are no analysts.  We’ve shared our views on that before.

It’s not just Financial

Analyst burnout and turnover directly impact team effectiveness and morale. Not to mention that a slower Mean Time to Respond (MTTR) can dramatically amplify the damage of real threats.

Tribal knowledge is real.  As an analyst’s tenure grows, so does their familiarity with your detection patterns, customer environments, and internal processes, procedures, and playbooks, making them more efficient over time.  When they leave, though, they’re not just returning their badge; they’re walking out the door with built-up context, intuition, and likely undocumented edge-case knowledge.

Now, when you onboard that new analyst, it’s costly on several fronts.  They’ll likely be shadowed, which means other staff are less efficient, likely for weeks.  It’ll take them at least 90 days to build up institutional knowledge (tooling, context, detections, etc.), but likely much longer to learn the edge cases.

The good news is that there’s a better way, and it doesn’t require burning out your team to scale.

Flip the Script

To flip the script, security teams are adopting an AI SOC: offloading the false positive burden to AI and automation, and prioritizing where humans spend their limited, invaluable time. Today’s AI SOC is very different from what was possible 5 years ago.  Leveraging agentic AI and LLMs, along with other ML advances, in a system-of-models approach lets us do things we couldn’t a few years ago.

Conservatively, let’s assume the AI SOC removes 80% of the false positive triage. That now means:

$130,000/yr is $65/hr @ 1 hr on FPs a day
That’s $65/day, or $16,445 annually per analyst
Reducing false positive review cost by $65,855 per analyst per year

Powering your team with Embed’s AI SOC platform gives you:

  • Precision: Reducing the number of false positives humans need to view
  • Coverage: Visibility across all alerts, reducing risk
  • MTTR: Accelerating accurate response, reducing risk
  • Analyst Satisfaction: Reducing burnout, increasing retention
  • Cost per Incident: Optimizing financial efficiency through faster response


References

  • https://smallbiztechnology.com/archive/2024/10/survey-shows-62-of-soc-alerts-ignored.html
  • https://www.devx.com/daily-news/soc-teams-overwhelmed-ignore-most-alerts/
  • https://www.fortinet.com/content/dam/fortinet/assets/white-papers/wp-information-overload-security-data.pdf
  • https://bufferzonesecurity.com/the-cost-of-false-positive-alerts-and-how-to-avoid-alert-fatigue/
  • https://www.helpnetsecurity.com/2023/07/20/soc-analysts-tools-effectiveness/