Tier-1 SOC Burnout Is a Detection Engineering Problem, Not a People Problem
When tier-1 analysts quit at 18-month intervals, leadership reaches for retention bonuses and engagement surveys. The actual cause is queue volume driven by noisy detections. Fix the rules and the people stay.
By Arjun Raghavan, Security & Systems Lead, BIPI · January 27, 2024 · 7 min read
A bank CISO told us his tier-1 attrition was at 65% annual and asked what salary band would fix it. We pulled the queue stats first. The average analyst was closing 47 alerts per shift. 89% of those were closed as false positive or benign. Median time per alert was 4.2 minutes, most of which was repetitive enrichment. We told him: 'Pay them what you want, but they will keep leaving until you fix the alert volume'. He did not believe us. Six months later he had given everyone a 15% raise and attrition was 61%. Then he agreed to fix the detection content.
What burnout actually looks like
Tier-1 burnout has consistent symptoms:
- Alert closure rate hits 50+ per shift, mostly as benign or duplicate
- Analysts stop reading alert details and just pattern-match titles to known false positives
- Quality goes down: real incidents get missed because they look like noise
- Mid-shift exhaustion: analysts make mistakes in hours 5-8 of an 8-hour shift
- Voluntary departures spike at 18-24 months of tenure, exactly when they have become useful
The cause is not the alerts being hard. It is the alerts being meaningless. Humans tolerate hard work. They do not tolerate work that has no impact.
Three changes that fix it
1. Cut the queue at the source
Audit your top 20 detection rules by alert volume. For most SOCs, those 20 rules generate 80% of alerts and 5% of true positives. Tune or retire them:
- Identify the top 10 noisiest rules in the last 30 days
- For each, calculate true-positive rate from analyst dispositions
- Anything below 5% TP rate gets either tuned (add suppression conditions, raise threshold) or moved to a quarantine queue (still logged, not pushed to analysts)
- Anything below 1% TP rate gets retired
For the bank we worked with, this single exercise dropped queue volume from 47 alerts per shift to 22. No detections were 'lost' in any meaningful sense, because the retired rules had not produced a true positive in over a year.
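The audit above is mechanical enough to script. The following is an added example, not tooling from the article or from BIPI: it takes analyst dispositions as (rule, closed_at, disposition) rows, computes per-rule volume and true-positive rate over a 30-day window, ranks the noisiest rules, and maps each to the retire / tune-or-quarantine / keep thresholds the text gives. The rule names, the reference time and the disposition counts are constructed sample data.

```python
from collections import Counter
from datetime import datetime, timedelta

NOW = datetime(2024, 1, 27)  # constructed reference time for the 30-day window


def _constructed(rule_id, total, true_positives, days_ago):
    """Expand a count summary into individual disposition rows (constructed data)."""
    closed_at = NOW - timedelta(days=days_ago)
    rows = [(rule_id, closed_at, "true_positive")] * true_positives
    rows += [(rule_id, closed_at, "false_positive")] * (total - true_positives)
    return rows


# Constructed sample dispositions, not real SOC data.
SAMPLE_DISPOSITIONS = (
    _constructed("R-001 Generic port scan", 600, 2, days_ago=3)      # 0.33% TP
    + _constructed("R-002 Failed logon burst", 400, 12, days_ago=10)  # 3% TP
    + _constructed("R-003 New admin added", 40, 15, days_ago=1)       # 37.5% TP
    + _constructed("R-004 Stale rule", 900, 0, days_ago=45)           # outside window
)


def rule_tp_rates(dispositions, now=NOW, window_days=30):
    """Return {rule_id: (alert_volume, tp_rate)} for alerts closed inside the window.
    Only 'true_positive' counts as a hit; false_positive, benign and duplicate do not."""
    cutoff = now - timedelta(days=window_days)
    total, tp = Counter(), Counter()
    for rule_id, closed_at, disposition in dispositions:
        if closed_at < cutoff:
            continue  # older than the audit window: ignored entirely
        total[rule_id] += 1
        if disposition == "true_positive":
            tp[rule_id] += 1
    return {r: (total[r], tp[r] / total[r]) for r in total}


def recommend(tp_rate):
    """Apply the thresholds from the text: <1% retire, <5% tune or quarantine, else keep."""
    if tp_rate < 0.01:
        return "retire"
    if tp_rate < 0.05:
        return "tune_or_quarantine"
    return "keep"


def noisiest_rules(dispositions, now=NOW, top_n=10, window_days=30):
    """Rank rules by alert volume (noisiest first) and attach a recommendation."""
    stats = rule_tp_rates(dispositions, now, window_days)
    ranked = sorted(stats.items(), key=lambda kv: kv[1][0], reverse=True)[:top_n]
    return [(rule, vol, round(rate, 4), recommend(rate)) for rule, (vol, rate) in ranked]


if __name__ == "__main__":
    for row in noisiest_rules(SAMPLE_DISPOSITIONS):
        print(row)
```

Feed it the actual disposition export from your case system and the ranked output is the tuning backlog for step 1; a rule that appears with zero true positives in the window is what the text means by "retire".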
2. Automate enrichment to under 30 seconds
When an analyst opens an alert, they should see the asset owner, the user identity, the recent activity history, the IOC reputation, and the related alerts already populated. If they have to pivot to ServiceNow, then to AD, then to VirusTotal, that is 3 minutes of pure friction per alert. Multiply by 22 alerts and you have a full hour of context-switching tax per shift.
SOAR or even simple Python scripts triggered on alert ingestion can pull enrichment in parallel and append to the case. Time-to-first-judgment drops from 4 minutes to 90 seconds. Analysts feel like they are doing analysis, not data entry.
3. Give analysts ownership of rule tuning
The analyst who closes 200 false positives from a noisy rule knows exactly why it is noisy. They can identify the suppression condition in 5 minutes. But in most SOCs they have no path to fix the rule. Detection engineering is a separate team, behind a Jira queue, with a 6-week SLA. The analyst gives up and lives with the noise.
The fix: train tier-1 analysts on detection rule syntax (Sigma, KQL, SPL), give them a sandbox to test changes, and a fast review path (a senior analyst signs off in under 24 hours). Promote analysts who tune rules effectively. Suddenly fixing noisy detections becomes career-positive instead of impossible.
Measure what matters to humans
Standard SOC metrics (MTTD, MTTR, alerts closed) miss the human factor. Add these:
If your SOC's alert TP rate is below 15%, you are not running a SOC. You are running a noise factory and asking humans to be filters. Humans burn out fast in that role.
After implementing the three changes for the bank: queue dropped 53%, TP rate climbed from 11% to 34%, and 12-month attrition fell from 65% to 23%. Salary bands stayed the same. The fix was always the work, not the wallet.