The expanding cyberattack landscape, coupled with the proliferation of cybersecurity tools, is burying security professionals in alerts that are meant to flag potential threats.
Instead, security teams are wading through waves of false positives that make finding actual critical threats difficult, leading many to worry that they’re missing them altogether.
A growing number of studies are putting numbers to the issue. Vectra AI, which offers AI-driven extended detection and response (XDR) capabilities, found that 71% of SOC practitioners
worry they’ll miss a real attack that’s buried in a flood of alerts, while 51% say they can’t keep up with the increasing number of security threats.
In addition, 73% have more than 10 security tools, while 45% have more than 20.
In another study, device firmware security company Finite State outlined the cost of false positives to security teams, with 72% of respondents saying they
damage team productivity and 62% saying they hurt team morale.
Also, 59% said that, on average, false positives take more time to resolve than true positives and 62% said they’d rather immediately reduce false positives than catch more true positives.
'A Significant and Persistent Challenge'
“False positives ... pose a
significant and persistent challenge for organizations,” global professional services firm KPMG wrote. “These misleading alerts, which suggest potential security issues but turn out to be benign, can disrupt daily operations and drain the time of valuable resources. When security teams encounter a barrage of alerts, many of which eventually prove to be false positives, they inadvertently invest substantial time and effort in assessing these alerts for genuine security risks. This well-intentioned but often unproductive task can lead to a sense of frustration among security team members.”
Given this, security vendors are rolling out offerings – most armed with AI – that aim to reduce the number of false positives. One example is Lloyds Banking Group
rolling out its Global Correlation Engine (GCE), which uses intelligent algorithms to analyze security alerts. Another is WatchGuard’s new Total MDR service for MSSPs and MSPs, which the company says reduces detection and response time to an average of six minutes and the
number of false positives to fewer than one per month.
GuidePoint and Observo AI
Added into this mix is a new
partnership between
GuidePoint Security, an MSSP that offers a range of services, and
Observo AI, an AI-native data pipeline company. The companies are integrating GuidePoint’s SOC, incident response, and threat intelligence services with Observo AI’s technology, which uses agentic AI to monitor data patterns and pipeline performance to reduce noise, find anomalies, and cut the number of false positives.
The use of AI and machine learning in data pipelines brings a range of benefits, from cutting the noise and false positives to enriching logs, surfacing anomalies before they become alerts, and routing the right data to the right tools, Ricky Arora, Observo AI co-founder and chief operating officer,
wrote in a blog post.
“Security teams often describe their work as ‘searching for a needle in a haystack,’” Arora wrote. “But the problem isn’t just the search – it’s the haystack itself. The volume of telemetry grows relentlessly, and most of it is irrelevant to actual threat detection. Heartbeat logs, repetitive status updates, verbose debug output, and redundant events routinely consume the majority of a SOC’s attention and infrastructure – without adding meaningful value. Traditional SIEMs were never designed for this scale.”
Sentiment Scoring
Advanced data pipelines use a technique called “sentiment scoring,” which assigns a relevance or risk ranking to each log or alert based on factors like the severity of an event, how similar it is to known threat patterns, the context of the user, asset, or network behavior, and its correlation with threat intelligence and historical baselines, he wrote.
“Rather than dumping all events into a SIEM for post-processing, smart pipelines apply this logic upstream – flagging alerts with a confidence score or priority label that helps guide triage,” Arora wrote. “When every alert looks the same, the real threats get missed – or found too late. ... By surfacing the most likely indicators of compromise first, sentiment scoring gives analysts a clear starting point. Instead of starting from zero and working through a queue, they can focus immediately on the alerts that actually matter.”
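The two ideas above, shrinking the haystack upstream (dropping heartbeat, status and debug events before they reach the SIEM) and then scoring what remains on severity, pattern similarity, user/asset context, threat-intel correlation and baseline deviation, can be shown end to end in a small triage routine. The following is an added illustration, not Observo AI's or GuidePoint's code; the noise categories, factor weights, priority thresholds, indicator lists and sample alerts are all constructed here for the example.

```python
"""Illustrative upstream alert triage: drop noise, then score what survives.

Added example, not vendor code. NOISE_TYPES, WEIGHTS, the indicator sets
and the sample alerts are constructed assumptions for illustration only.
"""
from dataclasses import dataclass

# Event types that carry no detection value on their own (constructed list).
NOISE_TYPES = {"heartbeat", "status", "debug"}

# Weight per scoring factor; each factor is normalised to [0, 1] first.
WEIGHTS = {"severity": 0.30, "pattern": 0.25, "context": 0.20,
           "intel": 0.15, "baseline": 0.10}

SEVERITY_SCALE = {"info": 0.0, "low": 0.25, "medium": 0.5,
                  "high": 0.75, "critical": 1.0}

# Known threat patterns, threat-intel indicators and asset/user context
# (constructed; the IPs are from the RFC 5737 documentation ranges).
KNOWN_PATTERNS = {"credential_dumping", "lateral_movement", "c2_beacon"}
THREAT_INTEL_IPS = {"198.51.100.23"}
CRITICAL_ASSETS = {"dc01", "pay-db01"}
PRIVILEGED_USERS = {"svc_backup", "domain_admin"}


@dataclass
class Alert:
    id: str
    event_type: str
    severity: str = "info"
    technique: str = ""
    user: str = ""
    asset: str = ""
    src_ip: str = ""
    baseline_rate: float = 0.0   # expected events/hour for this user+asset
    observed_rate: float = 0.0   # events/hour seen in the current window
    score: float = 0.0
    priority: str = ""


def is_noise(alert):
    """Upstream filter: events that should never reach the SIEM queue."""
    return alert.event_type in NOISE_TYPES


def factor_scores(alert):
    """Each factor in [0, 1]; these are the inputs to the weighted score."""
    severity = SEVERITY_SCALE.get(alert.severity, 0.0)
    pattern = 1.0 if alert.technique in KNOWN_PATTERNS else 0.0
    context = (0.5 if alert.asset in CRITICAL_ASSETS else 0.0) + \
              (0.5 if alert.user in PRIVILEGED_USERS else 0.0)
    intel = 1.0 if alert.src_ip in THREAT_INTEL_IPS else 0.0
    # Baseline deviation: a never-before-seen event scores 1.0; otherwise
    # the excess over baseline, saturating at ten times the expected rate.
    if alert.baseline_rate <= 0:
        baseline = 1.0 if alert.observed_rate > 0 else 0.0
    else:
        excess = alert.observed_rate - alert.baseline_rate
        baseline = min(1.0, max(0.0, excess / (10 * alert.baseline_rate)))
    return {"severity": severity, "pattern": pattern, "context": context,
            "intel": intel, "baseline": baseline}


def score(alert):
    return round(sum(WEIGHTS[k] * v for k, v in factor_scores(alert).items()), 3)


def priority_label(value):
    """Constructed thresholds mapping a score to a triage label."""
    if value >= 0.6:
        return "P1"
    if value >= 0.3:
        return "P2"
    return "P3"


def triage(alerts):
    """Drop noise, score the rest, return the queue highest-risk first."""
    kept = [a for a in alerts if not is_noise(a)]
    for a in kept:
        a.score = score(a)
        a.priority = priority_label(a.score)
    return sorted(kept, key=lambda a: a.score, reverse=True)


def sample_alerts():
    """Constructed sample input: two noise events and three real candidates."""
    return [
        Alert("a1", "heartbeat", asset="web01"),
        Alert("a2", "debug", asset="web01"),
        Alert("a3", "process_create", "high", "credential_dumping",
              "domain_admin", "dc01", "198.51.100.23", 0.0, 3.0),
        Alert("a4", "login_failure", "low", "", "jdoe", "laptop17",
              "10.0.0.5", 2.0, 4.0),
        Alert("a5", "net_conn", "medium", "c2_beacon", "", "web01",
              "203.0.113.9", 0.0, 60.0),
    ]


if __name__ == "__main__":
    for a in triage(sample_alerts()):
        print(f"{a.priority} {a.id} score={a.score:.3f} {a.event_type}")
```

Running the module prints the three surviving alerts as a ranked queue (the credential-dumping event on the domain controller first, the unmatched login failures last); the heartbeat and debug events never enter the queue at all. The weights and thresholds are the tunable part: in practice they would be calibrated against analyst dispositions of past alerts rather than fixed by hand.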
In its partnership with GuidePoint, Observo AI is showing how MSSPs can get these capabilities into security operations for organizations.
Using AI and Machine Learning
As with most sectors, the trend in cybersecurity is toward incorporating AI and machine learning, with reducing false positives being a key benefit. Endpoint security vendor Emsisoft in March said it was
integrating a machine learning model into its behavior blocker tool to “significantly reduce false positives while maintaining a 0% false negative rate. This ensures fewer false alarms without compromising security.”
That trend is sure to continue, with digital risk protection firm Brandefense writing that “machine learning algorithms can be trained on historical data to recognize the characteristics of false positives, enabling them to filter out irrelevant alerts before they reach human analysts. AI-driven systems can also adapt to new threats over time, continually refining their detection capabilities and reducing the likelihood of false positives.”