Alert fatigue
Definition
The condition in which analysts receive more alerts than they can meaningfully review, leading to delayed responses, dismissed true positives, and reduced confidence in the alert system. Alert fatigue is the main operational risk of a poorly tuned detection pipeline and a leading factor in delayed breach detection.
Related terms
- Alert correlation
- The process of grouping multiple related events or alerts into a single higher-level alert representing one attack sequence. A correlation rule might...
- Asset criticality
- A pre-assigned score or label that records how important a system, service, or data set is to the organisation. Used during triage...
- EDR (Endpoint Detection and Response)
- An agent-based security tool deployed on individual endpoints (workstations, servers, mobile devices) that monitors process execution, file changes, network connections, and registry...
- Escalation threshold
- A defined criterion, based on severity level, asset type, or indicator type, that triggers handoff of an alert from a first-tier analyst...
- False positive
- A test result that indicates the presence of a target analyte when it is absent. In forensic serology this may mean incorrectly...
- IDS/IPS (Intrusion Detection/Prevention System)
- Network or host-based systems that inspect traffic or system calls for known attack patterns. An IDS generates alerts without blocking; an IPS...
- Indicator of Compromise (IoC)
- An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
- Severity matrix
- A two-dimensional scoring tool that combines technical impact and business impact to assign a severity level to a confirmed incident. Outputs are...
- SIEM (Security Information and Event Management)
- A platform that aggregates log and event data from systems, networks, and applications across an environment, correlates events against detection rules, generates...
- Triage
- The structured process of evaluating an alert to determine whether it is a genuine security incident and, if so, what severity level...
Explained in these topics
- Detection Sources and Alert Pipelines: The condition in which analysts receive more alerts than they can meaningfully review, leading to delayed responses, dismissed true positives, and reduced conf...
- Triage and Incident Prioritisation: A condition in which analysts are desensitised to alerts because the volume or false positive rate is too high to investigate thoroughly. Alert fatigue is a si...