The most damaging consequence of false positives in a security operations centre is not the burnout everyone talks about. It is something quieter and harder to see: the slow conditioning of a sharp analyst into someone who assumes everything is fine, according to Tim MalcomVetter, general manager at Coalition Security and co-founder of Wirespeed.
"The biggest real-world cost of false positives is actually normalcy bias, not burnout," MalcomVetter said. Burnout is real, he acknowledged, and good people leave for less stressful work. But the deeper harm is what happens to the ones who stay. "Far worse is when a sharp, open security mind is slowly conditioned and corrupted to believe everything is always okay."
The mechanism is repetition. When almost every alert turns out to be nothing, analysts begin to expect nothing, and that expectation reshapes how they work. They start clearing alerts reflexively, MalcomVetter said, and in doing so they lose the ability to catch the one that matters. He described analysts whose "false positive mouse clicks" go "on rapid fire," leading them to over-index on the assumption of a false alarm and miss the genuine threats buried among them.
That reflex has become dangerous in a way it was not a few years ago, because the attackers on the other side have sped up. MalcomVetter said AI is now visibly changing how intruders behave once they are inside a network. "We've observed attackers moving faster and more deliberately, which are indicators of high levels of automation and AI," he said. The result is a mismatch between the speed of the attack and the speed of the defence.
That mismatch is where normalcy bias turns costly. When an intruder can move toward their objective in minutes, an analyst conditioned to assume everything is fine provides exactly the cover the attacker needs. The "this is fine" confidence, MalcomVetter said, "provides camouflage for a large breach to evolve and consume the space allotted to it" before anyone recognises what is happening.
He framed the wider shift as one from human-speed defence to machine-speed defence. Teams are not merely fielding more alerts than before, he said – they are being forced to make higher-stakes decisions far faster than a person can realistically keep pace with. "The teams that don't adjust will not have sufficient time to validate and contain threats," he said, and the AI-enabled phase after an intruder gets in is what is forcing the change.
Leaning on the severity ratings that security vendors attach to their alerts does not fix the problem, MalcomVetter said, and can make it worse. Vendors have an incentive to avoid ever being accused of missing a breach, so they over-alert and tend to inflate how serious a detection looks. That noise becomes something attackers actively exploit. They refine their techniques in lab environments running the same security products, he said, "looking for ways to silently move laterally or under the cover of lower-severity alerts" – precisely the alerts a less experienced team is most likely to wave through as unimportant.
The cost of all that noise is not only missed threats. It is also economic, and it lands on the business. Skilled staff who should be reducing risk or generating revenue instead spend their days cycling through investigation and escalation that leads nowhere. "Noisy alerts erode both service quality and profitability by trapping skilled staff in a repetitive cycle of investigation and escalation instead of revenue-generating or risk-reducing work," MalcomVetter said.
None of this, in his telling, traces back to AI as the origin of the alert problem. Volumes have been climbing for years, he noted, as organisations add endpoints and move to the cloud, both of which generate more telemetry regardless of any attacker. Most honest SOC teams, he said, would not yet attribute their rising alert counts to AI at all. The AI effect shows up later – not in how many alerts arrive, but in how fast the real threat moves once it is inside, and how little margin a desensitised team has left to catch it.
Which is why the psychology, for MalcomVetter, is the part worth watching most closely.
"The psychology in the SOC is fascinating," he said.