In 2022, our SOC processed approximately 8,000 security events per day across our client base. By 2024 that figure had grown to over 40,000. The growth is not because our clients became dramatically less secure — it reflects the explosion in connected endpoints, cloud services and network telemetry, combined with increasingly aggressive attacker activity.

Scaling analyst headcount linearly with event volume is not economically viable. The answer is intelligent automation — and the results have been transformative.

The Triage Problem

The fundamental challenge in any SOC is separating signal from noise. Security tools generate enormous volumes of alerts; the vast majority are false positives or low-priority informational events. An analyst who spends their day investigating false positives is an analyst who is not hunting real threats.

Before we deployed ML-assisted triage, our Level 1 analysts were spending approximately 70% of their time on events that ultimately required no action. That is a significant waste of skilled resource and, more critically, it creates fatigue that leads to genuine threats being missed.

How We Deployed ML Models

Supervised Classification for Alert Triage

We trained a classification model on 18 months of historical SOC data — alerts, analyst dispositions, investigation outcomes. The model now scores incoming alerts by probability of being a genuine threat, assigning each a confidence score. Alerts below a defined threshold are auto-closed with a documented rationale; those above are queued for analyst review with contextual enrichment pre-populated.

Result: Level 1 analysts now spend 78% of their time on confirmed or probable genuine events, up from 30%.

Behavioural Baselines and Anomaly Detection

Rather than relying purely on signature-based rules, we build behavioural baselines for each client environment — normal login times, typical data volumes, standard process execution patterns. Deviations from baseline are scored and fed into the triage pipeline. This approach catches novel attack techniques that have no existing signature.

In one notable case, this detected a compromised service account conducting slow, low-volume data exfiltration that would have evaded every signature rule in our SIEM. The account's data transfer pattern was statistically anomalous relative to its 90-day baseline, triggering investigation at 2am on a Sunday.
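The following is an added example illustrating the baseline approach described above; it is not code from the platform discussed here. It scores an account's daily outbound volume against a 90-day baseline using a robust (median/MAD) z-score and requires several anomalous days in a row, so a steady but modest increase fires where a fixed size threshold would not. The 100 MB static threshold, the 4-MAD cut-off and the account's traffic figures are constructed for the example.

```python
"""Per-entity behavioural baseline for outbound data volume (added example)."""
from statistics import median

MAD_SCALE = 1.4826           # scales MAD to be comparable to a standard deviation
STATIC_RULE_BYTES = 100e6    # an assumed fixed "large transfer" SIEM threshold


def robust_zscore(value: float, baseline: list[float]) -> float:
    """Deviation of value from the baseline median, in scaled-MAD units.
    Median/MAD are used rather than mean/stddev so a few noisy days in the
    baseline do not inflate the spread and mask a genuine shift."""
    med = median(baseline)
    mad = median([abs(x - med) for x in baseline]) or 1e-9  # guard flat baselines
    return (value - med) / (MAD_SCALE * mad)


def assess_account(history: list[float], window: int = 90, recent: int = 7,
                   z_threshold: float = 4.0, min_days: int = 3) -> dict:
    """Score the last `recent` days of an account's daily outbound bytes against
    the `window` days before them. Requiring several anomalous days, not a
    single spike, is what surfaces slow, low-volume exfiltration."""
    if len(history) < window + recent:
        raise ValueError("not enough history to build a baseline")
    baseline = history[-(window + recent):-recent]
    recent_days = history[-recent:]
    zs = [robust_zscore(v, baseline) for v in recent_days]
    flagged = sum(z > z_threshold for z in zs)
    return {
        "max_z": round(max(zs), 2),
        "anomalous_days": flagged,
        "alert": flagged >= min_days,
        "static_rule_fired": max(recent_days) > STATIC_RULE_BYTES,
    }


# Constructed sample: a service account that normally sends 1.7-2.3 MB/day,
# then starts sending a steady 4 MB/day (well under any fixed size threshold).
NORMAL_WEEK = [1.8e6, 2.1e6, 1.9e6, 2.3e6, 2.0e6, 1.7e6, 2.2e6]
BASELINE_90 = (NORMAL_WEEK * 13)[:90]
SLOW_EXFIL = [4.0e6] * 7
SVC_ACCOUNT_HISTORY = BASELINE_90 + SLOW_EXFIL

if __name__ == "__main__":
    print(assess_account(SVC_ACCOUNT_HISTORY))
```

Every recent day sits roughly 6.7 scaled MADs above the account's own median, so the behavioural rule alerts while the static 100 MB rule never fires.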

Automated Playbook Execution

For defined threat categories with high confidence scores, we have built automated response playbooks. A confirmed malware execution on an endpoint triggers automatic isolation, memory dump collection, hash submission to threat intelligence feeds and escalation to Level 2 — all within 45 seconds of initial detection, without analyst intervention for the initial containment.

The Results

  • Mean time to detect (MTTD): reduced from 4.2 hours to 23 minutes
  • Mean time to respond (MTTR) for P1 incidents: reduced from 47 minutes to 11 minutes
  • False positive rate: reduced from 71% to 18%
  • Analyst capacity for proactive threat hunting: increased from effectively zero to 4 hours per analyst per day

What This Means for Our Clients

Faster detection and response directly reduces breach impact. Every minute between initial compromise and containment is an opportunity for lateral movement, data exfiltration and further damage. Our ML-augmented SOC is not a cost-cutting measure — it is a capability multiplier that delivers materially better security outcomes.

If you are evaluating SOC providers, ask them about their detection and response metrics — specifically MTTD and MTTR by severity tier. Talk to our team about how we can apply these capabilities to your environment.