Glossary
False Positive
A false positive is a security alert that fires for behavior that turns out not to be malicious. Every detection rule trades off detection coverage against false-positive rate. False positives are unavoidable at scale, but excess false positives drive alert fatigue and slow the SOC's response to real threats.
In depth
The cost of a false positive is rarely the alert itself: it is the cumulative friction across every analyst who triages it. A high-volume false-positive detection that takes ten minutes to dismiss costs hundreds of analyst-hours per quarter at most SOCs. Tuning detections at the source, building suppression rules, and quickly dismissing known-benign alerts are the standard mitigations.
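The following is an added example, not part of the original glossary entry and not PocketSOC code. It shows the "suppression rule" mitigation in practice: a constructed day of alerts with analyst verdicts, two suppression rules keyed on the narrowest attribute that explains the benign source, and a summary that reports the false-positive rate before and after, the quarterly analyst-hours saved at the ten-minute dismiss time from the text, and the safety check every suppression needs, namely whether it would have hidden a true positive. The rule names, hosts, processes and the 90-day quarter are assumptions made for the illustration.

```python
"""Added example: measuring what a suppression rule does to false-positive volume.
Every alert, rule name and suppression below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    rule: str       # detection rule that fired (constructed names)
    host: str
    process: str
    parent: str
    verdict: str    # analyst ground truth after triage: "benign" or "malicious"


# Constructed alert stream, standing in for one day of SOC output.
ALERTS = [
    Alert("lsass-handle-open", "ws-01", "MsMpEng.exe", "services.exe", "benign"),
    Alert("lsass-handle-open", "ws-02", "MsMpEng.exe", "services.exe", "benign"),
    Alert("lsass-handle-open", "ws-07", "MsMpEng.exe", "services.exe", "benign"),
    Alert("lsass-handle-open", "ws-03", "dumper.exe", "cmd.exe", "malicious"),
    Alert("encoded-powershell", "srv-01", "powershell.exe", "CcmExec.exe", "benign"),
    Alert("encoded-powershell", "srv-02", "powershell.exe", "CcmExec.exe", "benign"),
    Alert("encoded-powershell", "ws-05", "powershell.exe", "winword.exe", "malicious"),
    Alert("new-scheduled-task", "ws-09", "schtasks.exe", "explorer.exe", "benign"),
]

# Suppression rules: every listed field must match exactly for an alert to be dropped.
# Each is keyed on the rule plus the narrowest attributes that explain the benign source,
# so the same rule still fires for any other process or parent.
SUPPRESSIONS = [
    {"rule": "lsass-handle-open", "process": "MsMpEng.exe", "parent": "services.exe"},
    {"rule": "encoded-powershell", "parent": "CcmExec.exe"},
]


def matches(alert, suppression):
    """True when all fields named in the suppression match the alert."""
    return all(getattr(alert, field) == value for field, value in suppression.items())


def apply_suppressions(alerts, suppressions):
    """Split alerts into those an analyst still sees and those suppressed at the source."""
    kept, suppressed = [], []
    for alert in alerts:
        (suppressed if any(matches(alert, s) for s in suppressions) else kept).append(alert)
    return kept, suppressed


def false_positive_rate(alerts):
    """Share of alerts whose triage verdict was benign; 0.0 for an empty queue."""
    if not alerts:
        return 0.0
    return sum(a.verdict == "benign" for a in alerts) / len(alerts)


def suppressed_true_positives(suppressed):
    """Safety check: a suppression that hides malicious activity is worse than the noise."""
    return [a for a in suppressed if a.verdict == "malicious"]


def triage_hours(alert_count, minutes_per_alert=10, days=90):
    """Analyst hours per quarter if this daily volume repeats (assumed 90-day quarter,
    ten-minute dismiss time as in the text)."""
    return alert_count * days * minutes_per_alert / 60


def summarize(alerts=ALERTS, suppressions=SUPPRESSIONS):
    kept, suppressed = apply_suppressions(alerts, suppressions)
    return {
        "fp_rate_before": false_positive_rate(alerts),
        "fp_rate_after": false_positive_rate(kept),
        "suppressed": len(suppressed),
        "hidden_true_positives": len(suppressed_true_positives(suppressed)),
        "quarterly_hours_saved": triage_hours(len(suppressed)),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The point of the `hidden_true_positives` check is that a suppression is only as safe as its key: matching on the rule alone would also drop the `dumper.exe` and `winword.exe` alerts, which is why the constructed rules pin the process or parent rather than the detection name.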
False Positive and PocketSOC
PocketSOC reduces the time-cost of dismissing a false positive: a push notification on the phone, a 30-second read of the detection details, and a one-tap dismiss. No laptop boot, no console navigation. This is the kind of friction reduction that compounds across the year.
Related terms
Alert Fatigue →
Alert fatigue is the condition where SOC analysts become desensitized to security alerts because the signal-to-noise ratio is too low.
SOC →
A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.
MTTR →
Mean Time to Respond (MTTR) is the average elapsed time between when a security alert is generated and when the SOC takes a meaningful response action.