Security is tired of alert fatigue: Will AI finally let SOCs get some well-earned rest?
Veteran cybersecurity journalist Dan Raywood speaks to Dropzone AI about its new approaches to automating alert investigations.
Alert fatigue remains a persistent problem in today’s security operations centre (SOC). This old, familiar challenge still creates internal friction, contributes to staff turnover, and results in real alerts being missed.
More than 20 years after the term was first used in security, traditional SOCs are bogged down because they were designed for a volume of alerts that is now increasingly unsustainable. As a result, many SOC teams are looking for ways to better prioritise alerts for triage and improve the efficiency of their analysis processes.
One company addressing this problem is Dropzone AI, a US company that has recently expanded to EMEA. Brett Candon, VP of international operations, says the company typically sees organisations reduce manual triage by between 80% and 99% when using its automated service.
Dropzone AI describes its approach as autonomously investigating alerts to reduce mean time to resolution. The company’s platform is designed to analyse security alerts and present relevant information to human analysts for decision-making, and reduce the time analysts spend on repetitive tasks, including investigating false positives.
“It's time that they don't need to be adding to their daily workload. We're shrinking that right down and we're giving them all of the information they need to be able to make a decision within minutes rather than hours,” he says.
The concept is an agentic AI defender that operates autonomously day and night, accelerating investigation times and enabling constant vigilance in a world where most SOCs lack the capacity for true 24/7 coverage.
Candon says: “So rather than thinking about it like an automation technology, it really is a new member of your team: it's an autonomous AI SOC analyst that is already trained to work with your existing technologies, is already trained to an elite level on how to strategise and come up with conclusions to the incidents that are occurring within your SOC.”
Asked whether this represents automated decision-making, Candon stresses that human oversight remains central. Some organisations use the platform to handle level one analysis, while others automate only parts of their workflow.
Technology adoption
Candon says organisations adopt the technology in different ways. Some have automated large portions of their SOC workflows, while others use it selectively for specific types of alerts or for out-of-hours coverage.
“So it really depends on the use case, and we can be flexible. The important thing is that humans remain in control and decide what comes to us. We can pull directly from existing security technologies,” he says.
Despite growing interest in automation, scepticism remains among many security professionals about delegating investigative tasks to AI-based systems. Candon acknowledges this hesitation, noting that AI capabilities have evolved significantly in recent years.
“You've got a lot of organisations that are kind of black box and you don't know what's happening at all; ours is more like a glass box where you're fully in control,” he says.
“Our analyst is an expert on working with your technologies. It's an expert on investigation strategies, but what it doesn't know is details about your specific organisation.”
Additional layer
He adds that automation is increasingly being adopted following earlier deployments of SIEM, UEBA and SOAR tools, as well as low-code and no-code platforms. Dropzone AI is positioned as an additional layer that integrates with existing security technologies.
Candon argues that earlier generations of SOAR tools often failed to meet expectations. “It promised a lot, but it was extremely reactive and all based on something that had already happened, and you needed a team of programmers to know what they needed to write,” he says.
He suggests that this has led organisations to reconsider how automation can be applied more effectively, particularly as analyst workloads continue to increase. In this context, Dropzone’s technology is presented as an automated investigation tool that works alongside existing SOC teams.
“Also more importantly, the manager remains in control,” he says. “Just like with any other analyst that's sat in the ticketing queue, you're in complete control of what tickets go out and investigate. It's not completely autonomous, but it does the investigative work for you.”
Data storage
On the role of language models, Dropzone says its platform does not store customer data for machine learning purposes, and that it does not train large language models on customer environments. Instead, each investigation is handled independently, using historical data, external lookups and threat intelligence sources, both commercial and open source. The platform also includes a URL sandbox for malware analysis.
Candon joins the company during a period of international expansion, as the Houston-based organisation seeks to extend its presence globally. This comes amid wider industry discussion about how SOC teams can adapt to rising alert volumes and increasingly automated attack techniques.