Devo: 84% of organizations’ SOC analysts are unknowingly investigating the same incidents
Devo Technology, a security data analytics company, today unveiled the results of a new survey examining alert management in security operations centers (SOCs) and the growing need for a shift to an Alertless SOC. The Evolution Toward an Alertless SOC report found that the current alert-centric SOC architecture creates numerous pain points for analysts, including duplicated work.
Organizations reported that their analysts spend significant time manually gathering evidence from different tools, enriching data, and cross-checking data to understand if new alerts are connected to already-known incidents. More specifically, the survey found that:
- 83% of analysts are overwhelmed by alert volume, false positives, and lack of alert context.
- 85% of analysts spend substantial time gathering and connecting evidence to transform an alert into an actionable security case.
The alert-centric model also duplicates work, wasting analysts’ already limited time. A staggering 84% of organizations report that SOC analysts unknowingly investigate the same incidents several times a month or more. More specifically, 60% reported discovering duplicated investigations at least once per week.
Under-delivery from tools and a reactive approach hinder SOC efficiency
The study showed that analysts are more likely to take a reactive approach, working in response to alert notifications rather than proactively investigating and threat hunting. In total, 47% say they primarily discover security incidents through alerts, compared with just 33% who say discovery comes primarily through proactive investigation.
The under-delivery of tools in the SOC technology stack exacerbates this reactive approach. When asked to rank the top capabilities that are not meeting expectations, organizations cited case management (77%), threat intelligence integration (76%), reporting metrics (75%), investigation workflow automation (75%), and alert prioritization accuracy (73%).
“Even with best-in-class technology and highly skilled teams, the alert-centric model still leaves SOC analysts overwhelmed,” said Rakesh Nair, chief technology officer at Devo. “As AI-enhanced threats become more prevalent, it’s more important than ever to free analysts’ time to focus on proactive investigation to maintain and improve organizations’ security posture.”
Organizations are ready to level up AI use in the SOC
While AI adoption in the SOC is widespread, current use cases are focused on basic functions like alert severity (47%), response triggers (42%), and anomaly detection (41%). A significant opportunity exists to leverage AI for more impactful, proactive security measures. Despite high demand, fewer than one in three organizations use AI for automated alert triage, and only 36% use it for alert enrichment, both critical for reducing manual labor. However, organizations are eager to advance within the next year:
- 82% want to prioritize proactive investigations instead of reactive alert responses.
- 81% aim to enhance alert correlation and enrichment.
- 80% seek cost-effective methods to analyze broader data sources.
The Alertless SOC charts a path away from the alert-centric SOC model
The Alertless SOC offers a new approach to SOC work by unleashing analysts’ expertise through intelligent automation and investigation capabilities. Devo’s vision for the Alertless SOC goes beyond the traditional Threat Detection, Investigation, and Response (TDIR)—it’s a fundamental reimagining of how SOC teams operate, replacing reactive alert management with precision threat hunting and coordinated response.
Read the full survey results and learn more about the Alertless SOC in Devo’s Evolution Toward an Alertless SOC report.
Methodology
The Evolution Toward an Alertless SOC survey was conducted by Wakefield Research among 200 US security operations professionals with seniority of manager or director who work at companies with a minimum of 1,000 employees between January 28 and February 10, 2025, using an email invitation and online survey.