False Positives Aren’t the Problem — Bad Process Is
Image courtesy of Brian McGowan https://unsplash.com/@sushioutlaw

I’ve lost count of how many times I’ve seen alerts get dismissed as false positives — not because they were invalid, but because no one had the time, context, or process to deal with them properly.

We don’t have a false positive problem. We have a process problem.


When Everything Looks Noisy, You Tune It Out

Here’s a common scenario: PowerShell kicks off a suspicious child process. The alert fires. It’s closed almost instantly as a false positive.

Why? Not because it was analyzed, contextualized, or correlated — but because someone recognized the pattern, assumed it was benign, and moved on.

That’s not a confident decision — that’s survival mode.

The reality is:

  • A single alert doesn’t tell a story
  • Analysts are working off limited information
  • Most tools don’t make correlation easy — they make it harder


The System Is the Problem

The issue isn’t the alert itself. It’s what we do (or don’t do) once it fires.

If your SOC doesn’t…

  • Enrich alerts automatically with user, asset, and threat context
  • Group related alerts into single cases that tell a complete story
  • Track and learn from past triage decisions
  • Make it dead simple for analysts to leave breadcrumbs

…then yeah — your metrics will show “false positives.” But that’s just what broken process looks like.


What Actually Works

I’ve spent most of my career building repeatable processes — not just because it’s efficient, but because it’s necessary. In security, we don’t scale with headcount — we scale with clarity.

What’s worked:

  • Correlate early. Don’t wait for a human to see the pattern.
  • Automate the boring parts. Enrich alerts, run checks, log decisions.
  • Log the “why.” Even a 3-word note is better than silence.
  • Review often. If you’re closing the same alert every week, ask why it exists at all.
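The two lists above (enrich, group into cases, track decisions, leave breadcrumbs; correlate early, automate, log the “why,” review often) describe a pipeline, so here is a small one in code. This is an added example, not code from the article or from any SOC tool the author uses: the alerts, asset table and user table are constructed sample data, and the field names (host, user, rule, ts), the 30-minute correlation window and the verdict strings are assumptions chosen for the example. It groups same-host alerts that fire close together into a case, attaches asset and user context automatically, refuses to record a decision without a reason, and then reports which rules keep getting closed as false positives so the weekly review has something concrete to look at.

```python
"""Minimal triage pipeline: correlate -> enrich -> decide (with a why) -> review.
Added example with constructed data; not the article's own tooling."""
from collections import Counter
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Alert:
    id: str
    ts: datetime
    host: str
    user: str
    rule: str


@dataclass
class Case:
    id: int
    alerts: list = field(default_factory=list)
    context: dict = field(default_factory=dict)
    decisions: list = field(default_factory=list)  # (alert_id, verdict, why)


# Constructed stand-ins for a CMDB and a directory lookup (assumed shapes).
ASSETS = {"build01": {"role": "ci-runner", "critical": False},
          "fin-ws-07": {"role": "finance workstation", "critical": True}}
USERS = {"svc_build": {"type": "service"},
         "jdoe": {"type": "employee", "dept": "finance"}}


def correlate(alerts, window=timedelta(minutes=30)):
    """Correlate early: alerts on one host within `window` of each other share a case."""
    cases, open_by_host = [], {}
    for a in sorted(alerts, key=lambda x: x.ts):
        case = open_by_host.get(a.host)
        if case is None or a.ts - case.alerts[-1].ts > window:
            case = Case(id=len(cases) + 1)
            cases.append(case)
            open_by_host[a.host] = case
        case.alerts.append(a)
    return cases


def enrich(case):
    """Attach asset and user context so nobody has to look it up by hand."""
    first = case.alerts[0]
    case.context = {
        # Unknown hosts are treated as critical: absence of context is not evidence of safety.
        "asset": ASSETS.get(first.host, {"role": "unknown", "critical": True}),
        "users": {a.user: USERS.get(a.user, {"type": "unknown"}) for a in case.alerts},
        "rules": sorted({a.rule for a in case.alerts}),
    }
    return case


def triage(case, verdict, why):
    """Log the why: a decision with an empty reason is rejected, not silently stored."""
    if not why.strip():
        raise ValueError("a triage decision needs a 'why'")
    for a in case.alerts:
        case.decisions.append((a.id, verdict, why))
    return case


def review(cases, min_closures=2):
    """Review often: rules closed as false positive `min_closures`+ times are tuning candidates."""
    counts = Counter()
    for c in cases:
        rule_of = {a.id: a.rule for a in c.alerts}
        for alert_id, verdict, _ in c.decisions:
            if verdict == "false_positive":
                counts[rule_of[alert_id]] += 1
    return {rule: n for rule, n in counts.items() if n >= min_closures}


def run_demo():
    """Run the pipeline over constructed alerts; returns (cases, review report)."""
    t0 = datetime(2024, 1, 15, 9, 0)
    alerts = [
        Alert("a1", t0, "build01", "svc_build", "powershell_child_process"),
        Alert("a2", t0 + timedelta(minutes=5), "build01", "svc_build", "powershell_child_process"),
        Alert("a3", t0 + timedelta(minutes=10), "build01", "svc_build", "lolbin_execution"),
        Alert("a4", t0 + timedelta(minutes=2), "fin-ws-07", "jdoe", "powershell_child_process"),
        Alert("a5", t0 + timedelta(minutes=4), "fin-ws-07", "jdoe", "new_scheduled_task"),
        Alert("a6", t0 + timedelta(hours=2), "build01", "svc_build", "powershell_child_process"),
    ]
    cases = [enrich(c) for c in correlate(alerts)]
    for c in cases:
        if c.context["asset"]["critical"]:
            triage(c, "escalate", "critical asset; several rules fired in one window")
        else:
            triage(c, "false_positive", "known CI build script on ci-runner")
    return cases, review(cases)


if __name__ == "__main__":
    cases, report = run_demo()
    for c in cases:
        print(f"case {c.id}: {len(c.alerts)} alerts, rules={c.context['rules']}, "
              f"verdict={c.decisions[0][1]!r}, why={c.decisions[0][2]!r}")
    print("rules to revisit:", report)
```

With the sample data, the three PowerShell alerts on the CI runner collapse into one case with one three-word-plus reason attached to every alert, the finance workstation case is escalated because the context says the asset is critical and two different rules fired together, and the review report flags `powershell_child_process` as closed three times, which is the cue to ask whether that rule should be tuned for CI runners rather than closed again next week.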


It’s Not About Fewer Alerts — It’s About Better Decisions

You can’t eliminate noise. But you can design your system to surface the right signals at the right time.

If you’re constantly calling things false positives, take a step back and ask:

Is the alert the problem — or is the process broken?

Let’s Talk Shop

If you’re building a process-driven SOC — one that learns and improves — I’d love to hear how you’re doing it.

What’s working? What’s still messy?
