Talk
Virtual
Reducing alert noise in SOCs with context-driven triage
Stop Drowning in Security Noise - A practical triage model that reduces duplicate alerts and false positives using context, reachability, and exploit-path thinking.
AI-assisted development and growing telemetry volumes are making alerting systems noisier, not safer. The result is that responders spend time on low-impact findings while real exploit paths stay open. This talk introduces a context-driven triage model designed for high-volume environments: prioritize issues that are reachable, privilege-adjacent, and tied to critical services, and deprioritize the rest with clear rationale.
The session covers how to build an "impact lens" on top of existing detections: combine asset criticality, identity exposure, blast radius, and runtime reachability, where applicable, to produce a ranked queue that engineers can trust. The emphasis is on operational adoption: getting buy-in, reducing friction, and tracking metrics that prove improvement, including time to triage, rework, and escalation load.
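As an added illustration of the triage model described above (example code, not material from the talk or its speakers), a small Python ranker over constructed alerts: findings that share a rule and asset are collapsed, context multiplies raw severity, and every queue entry carries its rationale. The field names, weights and sample alerts are assumptions.

```python
from dataclasses import dataclass

@dataclass
class Alert:
    id: str
    rule: str                 # detection rule that fired
    asset: str                # affected asset or service
    severity: float           # raw scanner/detection severity, 0-10
    reachable: bool           # on a path reachable from an exposed entry point
    privilege_adjacent: bool  # affected identity can reach higher privilege
    asset_criticality: int    # 1 (lab box) .. 5 (tier-0 service)
    blast_radius: int         # rough count of downstream dependents

def dedupe(alerts):
    """Collapse alerts sharing (rule, asset); keep the highest raw severity."""
    kept = {}
    for a in alerts:
        key = (a.rule, a.asset)
        if key not in kept or a.severity > kept[key].severity:
            kept[key] = a
    return list(kept.values())

def impact_score(a):
    """Context-driven score: raw severity is scaled by criticality,
    reachability and privilege adjacency, then nudged by blast radius
    (capped so one hub asset cannot dominate the queue)."""
    score = a.severity * a.asset_criticality
    score *= 2.0 if a.reachable else 0.5
    score *= 1.5 if a.privilege_adjacent else 1.0
    score += min(a.blast_radius, 20)
    return round(score, 1)

def rationale(a):
    """Plain-language reason an engineer can check, as the model requires."""
    reasons = []
    reasons.append("reachable from exposed entry point" if a.reachable
                   else "not reachable from any exposed entry point")
    if a.privilege_adjacent:
        reasons.append("adjacent to higher privilege")
    reasons.append(f"asset criticality {a.asset_criticality}/5")
    return "; ".join(reasons)

def ranked_queue(alerts):
    """Deduplicate, score and sort: list of (id, score, rationale), highest first."""
    ordered = sorted(dedupe(alerts), key=impact_score, reverse=True)
    return [(a.id, impact_score(a), rationale(a)) for a in ordered]

# Constructed sample alerts (not real findings).
SAMPLE = [
    Alert("A1", "vuln-dep", "ci-runner", 9.8, False, False, 2, 1),
    Alert("A2", "vuln-dep", "ci-runner", 7.5, False, False, 2, 1),   # duplicate of A1
    Alert("A3", "exposed-admin-ui", "payments-api", 6.5, True, True, 5, 12),
    Alert("A4", "weak-tls", "intranet-wiki", 5.3, True, False, 3, 4),
]
```

Note that A1, a CVSS-style 9.8 on an unreachable, low-criticality host, lands below the 6.5 on the reachable, privilege-adjacent payments service; that inversion is the point of the impact lens.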
