EPS
← All batches·2605.08316

AI-Driven Security Alert Screening and Alert Fatigue Mitigation in Security Operations Centers: A Comprehensive Survey

topic: othertop score: 100released: 2026-05-12first surfaced: 2026-05-12arXivPDFthreats2026-05-12

Authors: Samuel Ndichu, Akira Yamada, Tao Ban et al.

arXiv · PDF

Summary

This is a survey of AI-driven security alert screening in Security Operations Centers (SOCs) from 2015 to 2026. The authors reviewed 119 papers and organized them into a four-stage workflow: filtering (removing noise), triage (prioritizing alerts), correlation (linking related alerts), and generative augmentation (adding context). They identify persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practices, and propose a research agenda for building trustworthy cognitive SOCs.

Main takeaways:

  • Synthesizes 119 records (87 core studies) into a four-stage taxonomy: filtering, triage, correlation, and generative augmentation
  • Identifies gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation standards
  • Alert screening reduces alert fatigue by filtering false positives, prioritizing high-severity incidents, and linking related events
  • The field lacks real-world validation and adversarial testing despite increasing AI adoption in SOCs
  • Proposes a research agenda toward trustworthy Cognitive Security Operations Centers

Relevance

No obvious connection to my persona or midtraining work — this is a survey of security alert triage systems in corporate security operations. Tangentially relevant only if I ever study how LLMs handle uncertainty or adversarial inputs in high-stakes classification tasks.

Threat model

Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses robustness, adversarial, evaluation.

Abstract

arXiv:2605.08316v1 Announce Type: new Abstract: Security alert screening is the downstream task of filtering, prioritizing, correlating, and contextualizing alerts for analyst attention in Security Operations Centers. This survey reviews artificial-intelligence-driven alert screening and alert-fatigue mitigation from 2015 to 2026. We synthesize 119 records, including 87 core studies, into a four-stage workflow taxonomy covering filtering, triage, correlation, and generative augmentation. We find persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practice. The survey concludes with a research agenda toward trustworthy Cognitive Security Operations Centers.