AI-Driven Security Alert Screening and Alert Fatigue Mitigation in Security Operations Centers: A Comprehensive Survey
Authors: Samuel Ndichu, Akira Yamada, Tao Ban et al.
Summary
This is a survey of AI-driven security alert screening in Security Operations Centers (SOCs) from 2015 to 2026. The authors reviewed 119 papers and organized them into a four-stage workflow: filtering (removing noise), triage (prioritizing alerts), correlation (linking related alerts), and generative augmentation (adding context). They identify persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practices, and propose a research agenda for building trustworthy cognitive SOCs.
Main takeaways:
- Synthesizes 119 records (87 core studies) into a four-stage taxonomy: filtering, triage, correlation, and generative augmentation
- Identifies gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation standards
- Alert screening reduces alert fatigue by filtering false positives, prioritizing high-severity incidents, and linking related events
- The field lacks real-world validation and adversarial testing despite increasing AI adoption in SOCs
- Proposes a research agenda toward trustworthy Cognitive Security Operations Centers
Relevance
No obvious connection to my persona or midtraining work — this is a survey of security alert triage systems in corporate security operations. Tangentially relevant only if I ever study how LLMs handle uncertainty or adversarial inputs in high-stakes classification tasks.
Threat model
Potential threat/caveat for clean result "Random obscure Latin 3-grams don't leak Gaperon-1125-1B's hidden pretraining trigger; leakage seen on famous Latin phrases at ~10% doesn't extend to the obscure-vocab neighborhood (MODERATE confidence)": this item discusses robustness, adversarial, evaluation.
Abstract
arXiv:2605.08316v1 Announce Type: new Abstract: Security alert screening is the downstream task of filtering, prioritizing, correlating, and contextualizing alerts for analyst attention in Security Operations Centers. This survey reviews artificial-intelligence-driven alert screening and alert-fatigue mitigation from 2015 to 2026. We synthesize 119 records, including 87 core studies, into a four-stage workflow taxonomy covering filtering, triage, correlation, and generative augmentation. We find persistent gaps in deployment realism, adversarial robustness, cross-environment validation, and evaluation practice. The survey concludes with a research agenda toward trustworthy Cognitive Security Operations Centers.