
What the 2025 SANS Detection & Response Survey Reveals: False Positives & Alert Fatigue Are Worsening

Written by D. Mark Durrett | Dec 16, 2025 2:00:04 PM

Alert fatigue - the condition that arises from being overwhelmed by a flood of vague alerts and false positives, each requiring lengthy investigation - is an everyday occurrence for SOC teams, and it results in missed threat signals along with delayed incident detection and response. According to the newly released 2025 SANS Detection & Response Survey (sponsored by Stamus Networks), the problem has escalated to crisis levels. False positives aren’t just slowing analysts down; they’re becoming one of the biggest obstacles to modern detection and response.

Here’s what the SANS data tells us and why false positives are now the biggest hidden risk facing defenders.

1. False positives are the top detection challenge in 2025


According to the survey, 73% of organizations list false positives as their number one challenge in threat detection, which is a dramatic rise from last year.

This means that even as detection tools become more sophisticated, they still produce more noise than analysts can manage effectively. The result is SOC teams spending more time dismissing noise than analyzing true threats.

2. Frequency and severity are increasing


More than 60% of respondents encounter false positives frequently or very frequently. Even more alarming: “very frequent” false positives jumped from 13% to 20% year-over-year. Detection engineering can’t keep up, and more alerts do not mean better detection.

3. The hidden cost: real threats slip through the cracks


Every false positive consumes analyst time, and attackers know it. More noise creates more cover for lateral movement, credential abuse, and data exfiltration. High noise environments become high-risk environments.

4. Alert fatigue worsens staffing and retention issues


SOC burnout is real. The survey highlights persistent skill and resource gaps, and alert fatigue is a major contributor. Even well-staffed teams can’t operate effectively if their tooling overwhelms them.

5. A shift is happening: teams want precision, not volume


Teams don’t need another tool generating alerts; they need technology that identifies true threats with confidence and minimizes noise without sacrificing visibility. This is where advanced NDR plays a critical role.

Solutions like Clear NDR use a combination of enriched network visibility, behavioral analysis, and high-confidence threat declarations to surface what matters and suppress what doesn’t.

Instead of adding to alert fatigue, Declarations of Compromise® (DoC) help analysts focus on the risks that require real action.

Why Precision NDR Is Essential for Cutting Through Alert Noise


The SANS 2025 Detection & Response Survey highlights a reality that SOC teams have felt for years: alert volume is no longer the metric that matters. In fact, more alerts often mean more noise, more investigation backlog, and more opportunities for real threats to slip by unnoticed. What defenders truly need is clarity, the ability to quickly distinguish meaningful activity from the constant hum of routine network behavior.

Traditional detection tools remain vital, but they were never designed to shoulder the full weight of today’s hybrid environments, encrypted traffic patterns, and attacker tactics that intentionally evade or overwhelm single-layer detection systems. When these tools operate alone, they often generate incomplete or ambiguous signals, forcing analysts to spend valuable time interpreting alerts rather than acting on them.

This is why Network Detection and Response (NDR) has become an essential counterpart in modern security operations. NDR provides a broader, cross-environment view of activity, helping teams validate or dismiss alerts more confidently by offering the context and behavioral insight other tools cannot. It adds a layer of independent visibility that transforms scattered signals into something understandable and actionable.

And while many NDR platforms help reduce noise, the most effective ones take it a step further by providing precise, transparent, and explainable detections that show analysts why something is considered suspicious or malicious. This kind of visibility isn’t just helpful; it’s foundational. Without transparency, even accurate alerts become another source of uncertainty. With it, security teams gain the confidence to respond faster, tune with precision, and trust the intelligence driving their decisions.

Ultimately, SANS’ findings point to a simple truth: SOC teams don’t need more alerts; they need precise ones, backed by deeper context and greater transparency. NDR delivers that missing layer, ensuring that defenders aren’t just notified, but truly informed. In environments where every second counts, clarity isn’t just a competitive advantage; it’s a critical requirement for modern cyber defense.
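The survey's point that more alerts do not mean better detection, and the call above to tune with precision, become measurable once analyst dispositions are fed back per detection rule. The Python below is an added illustration, not code from the original post or from Stamus Networks: it computes precision (true positives over all alerts) for each rule from a constructed set of analyst verdicts, then ranks the rules that are both voluminous and imprecise by how many false positives they contribute, so tuning effort goes where it removes the most noise. The rule names, alert counts, and the tuning thresholds (at least 10 alerts, precision below 0.5) are all assumptions made for the example.

```python
"""Per-rule precision from analyst dispositions.

Added example (not from the original post or Stamus Networks). All rule
names, counts and thresholds below are constructed for illustration.
"""
from collections import Counter


def _make(rule, tp, fp):
    """Build (rule_id, disposition) records for one rule. Constructed data."""
    return [(rule, "true_positive")] * tp + [(rule, "false_positive")] * fp


# Constructed sample of analyst verdicts for one week of alerts (hypothetical).
SAMPLE_DISPOSITIONS = (
    _make("rule-tls-selfsigned", tp=1, fp=39)          # high volume, almost all noise
    + _make("rule-dns-tunnel-heuristic", tp=5, fp=15)  # moderate volume, mostly noise
    + _make("rule-smb-lateral-movement", tp=5, fp=1)   # low volume, high precision
    + _make("rule-c2-beacon", tp=4, fp=0)              # low volume, perfect precision
)


def summarize_rules(dispositions):
    """Count true/false positives per rule and compute precision = TP / (TP + FP)."""
    tp, fp = Counter(), Counter()
    for rule, verdict in dispositions:
        if verdict == "true_positive":
            tp[rule] += 1
        elif verdict == "false_positive":
            fp[rule] += 1
        else:
            raise ValueError(f"unknown disposition {verdict!r} for {rule}")
    summary = {}
    for rule in sorted(set(tp) | set(fp)):
        total = tp[rule] + fp[rule]
        summary[rule] = {
            "alerts": total,
            "tp": tp[rule],
            "fp": fp[rule],
            "precision": tp[rule] / total,
        }
    return summary


def overall_precision(summary):
    """Precision across all rules: true positives over all alerts raised."""
    total = sum(s["alerts"] for s in summary.values())
    return sum(s["tp"] for s in summary.values()) / total if total else 0.0


def tuning_candidates(summary, min_alerts=10, max_precision=0.5):
    """Rules that are both voluminous and imprecise, ranked by false positives
    contributed, so the first entry is where tuning buys the most relief."""
    noisy = [
        rule for rule, s in summary.items()
        if s["alerts"] >= min_alerts and s["precision"] < max_precision
    ]
    return sorted(noisy, key=lambda r: summary[r]["fp"], reverse=True)


def noise_share(summary, rules):
    """Fraction of all false positives attributable to the given rules."""
    total_fp = sum(s["fp"] for s in summary.values())
    return sum(summary[r]["fp"] for r in rules) / total_fp if total_fp else 0.0


if __name__ == "__main__":
    summary = summarize_rules(SAMPLE_DISPOSITIONS)
    for rule, s in summary.items():
        print(f"{rule:28s} alerts={s['alerts']:3d} tp={s['tp']:2d} "
              f"fp={s['fp']:2d} precision={s['precision']:.2f}")
    candidates = tuning_candidates(summary)
    print(f"overall precision: {overall_precision(summary):.2f}")
    print(f"tune first: {candidates} "
          f"({noise_share(summary, candidates):.0%} of all false positives)")
```

Two thresholds are used on purpose. Ranking by precision alone would put a low-volume rule such as the lateral-movement one on the tuning list after a single false positive, while ranking by raw volume alone would bury a moderately noisy rule behind a precise one that simply fires often. In the constructed sample, two rules out of four account for nearly all false positives, which is the usual shape of the problem: a handful of rules generate most of the noise, and tuning or suppressing them recovers far more analyst time than adding another detection source would.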

If you're interested in reading the full 2025 SANS Detection and Response Survey, it is available for download from Stamus Networks. For more information on the Clear NDR solution, visit the product page or request a demo.