Share This:

SOC burnout has become a festering issue in the MSP world. Symptoms include analysts cycling through client environments, drowning in alerts, and quietly heading for the door. But the experts working closest to the problem say the conversation has been aimed at the wrong target for years.

“My honest view is that SOC burnout is usually a management failure rather than anything to do with the actual incidents,” says James Mockford, founder of ThreatCluster, a threat intelligence aggregation platform.

“People can cope with a bad day. What wears them down is being short-staffed, underpaid, having nowhere to progress to, and babysitting a queue full of alerts that nobody can explain the point of.”

MSPs feel this acutely, he notes. Analysts are constantly switching between client environments—often more than they should be covering. Once that queue becomes mostly noise, “the client stops trusting it and starts double-checking everything themselves. Now you’ve got two knackered teams instead of one.”

The visibility and alert overload challenge

The data backs up how widespread the dysfunction has become.

Nick Carroll, Manager of Cyber Incident Response at Nightwing, says this isn’t a new problem. It’s a persistent one. “Back in a 2021 SANS survey, 65 percent of respondents noted that limited visibility into attack surfaces was a primary cause of analyst pain. Today, 24 percent of cyber leaders still cite enterprise visibility as their biggest operational challenge, according to the 2026 SANS SOC survey.”

The alert math is brutal.

“Industry data reveals about 62 percent of Security Operations Center alerts and 40 percent of Data Loss Prevention alerts can go entirely unanswered. It is humanly impossible to triage every event when teams rely on manual workflows.”

So where do MSPs actually start?

Mockford emphasizes fixing conditions before tooling. “I’d fix the conditions before I touched the tooling, because that’s where most of the damage is.” Concretely, that means giving analysts a career path. After all, “hardly anyone wants to sit on L1 triage forever.”

It also means protecting real breaks during shifts. Teams also need enough coverage so one person’s vacation doesn’t leave alerts unwatched or force others into 60-hour weeks.

Make every alert earn its place

Once conditions are addressed, both experts point to the same tooling principle: every alert needs to justify its existence.

“Every alert needs a reason to exist,” Mockford says. “If you can’t tell me what it’s catching and what you’d do when it fires, get rid of it.” He recommends reviewing detections regularly because attacker techniques evolve. A six-month-old rule may have quietly stopped catching anything.

He also recommends letting analysts tune or remove noisy rules themselves rather than routing every change up the chain. “Your better people can already see which rules are rubbish, and making them keep clearing the same junk is a quick way to lose them.”

Carroll’s prescription leans into the engineering side. He recommends a threat intelligence-driven approach where “analysts can prioritize high-fidelity alerts that correspond to actual threat actor behaviors rather than chasing generic anomalies.” He also advocates detection-as-code principles. These include version control, continuous integration, and automated testing. The goal is to catch noisy rules before they reach an analyst’s queue.

On AI, he’s careful to separate adoption from integration. “A recent SANS survey noted that while 79 percent of SOCs now use AI tools, only 36 percent have truly integrated them into defined workflows. Simply buying AI tools is not enough.” His recommendation is to deploy AI agents for event enrichment and initial triage. That allows human analysts to focus on complex problem-solving and threat hunting.

Building resilience beyond technology

Beyond process and tooling, there’s a human dimension that’s becoming increasingly measurable.

Peter Coroneos, founder of the nonprofit Cybermindz, points to new research on resilience training for cyber teams. The organization focuses on helping combat burnout. An eight-hour iRest® protocol was delivered across eight one-hour sessions. It produced striking results: a 100 percent elimination of clinical acute burnout cases, a 77 percent reduction in broader at-risk burnout cases, and a 71 percent reduction in attrition risk among participants.

Sleep improved by 16 percent. The percentage of high-stress participants dropped from 14 percent to 4 percent. “As cyber threats continue to escalate globally, it’s essential for organizations to mitigate against the burnout-induced inability of cybersecurity staff to perform at their best,” Coroneos says. “Left unaddressed, the almost inevitable alternative is continuing degradation in the protection of critical systems and assets.”

The financial case is hard to ignore. Coroneos cites data showing that 74 percent of CISOs report attrition driven by stress.

He also notes that replacing lost staff costs roughly 1.5 to 2 times an employee’s salary when lost institutional knowledge and onboarding are factored in.

Almost all experts agree that burnout isn’t solved by wellness perks alone. Those perks can’t fix a broken system. It requires fixing staffing and career-path issues, ruthlessly reducing alert noise, engineering detection logic with discipline, and, increasingly, treating analyst resilience itself as a measurable, trainable skill.

As Mockford puts it bluntly: “None of the wellbeing stuff fixes a team that’s understaffed and drowning in noise.”

Photo: Pixel-Shot / Shutterstock


Share This:
Kevin Williams

Posted by Kevin Williams

Kevin Williams is a journalist based in Ohio. Williams has written for a variety of publications including the Washington Post, New York Times, USA Today, Wall Street Journal, National Geographic and others. He first wrote about the online world in its nascent stages for the now defunct “Online Access” Magazine in the mid-90s.

Leave a reply

Your email address will not be published. Required fields are marked *

 

This site uses Akismet to reduce spam. Learn how your comment data is processed.