Darren LaCasse, Director of Threat Intelligence, Detection, & Response at Elastic, makes a case that most SOC leaders are solving alert fatigue the wrong way. Starting with critical alerts keeps teams treading water. His approach of sorting by volume first, clearing the biggest bucket, then using that momentum to ask why those alerts existed at all separates short-term queue management from the actual tuning work. He also walks through how his team built an in-house AI agent that cross-references threat intelligence against their own vendor lists, software asset inventory, and vulnerability data before it ever reaches a detection engineer, filtering hundreds of daily articles down to what is actually relevant to their environment.
Beyond tooling, Darren challenges how the industry frames the talent shortage. He does not think it is a skills problem. He thinks employers do not want to make the long-term investment in junior analysts, and that avoidance is where burnout compounds. He talks about how he leads that differently: sharing his own mistakes openly, encouraging his team to document every decision so he can back them up, and what he actually looks for when hiring (someone who has solved a real business problem creatively, not a polished resume).
Topics Discussed:
Reframing alert prioritization by sorting queues on volume rather than severity to build analyst momentum and reduce backlog
Using historical alert data to identify chronic tuning problems versus one-time spikes in SOC queue volume
Building in-house AI agents that cross-reference threat intelligence against asset inventory and vulnerability data for environment-specific relevance
Translating threat intelligence deliverables into detection rules by running source reports through AI agents and validating against internal data lakes
Evolving detection engineering from static, hand-built rules toward dynamic, AI-assisted scoring systems that aggregate signals into actionable investigations
Reframing the cybersecurity talent shortage as an employer investment problem rather than a pipeline or skills gap
Building team cultures where analysts feel safe to document decisions, admit mistakes, and take time off without guilt
Predicting the SOC analyst role shifting toward agent management, including tuning, output validation, and QA across AI-assisted workflows
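A small illustration of the volume-first queue ordering and the chronic-versus-spike distinction described above, added here as an example; it is not code from the episode or from Elastic, and the alert data, rule names and classification thresholds are constructed assumptions:

```python
from collections import Counter, defaultdict

# Constructed sample (assumption, not real data): one week of SOC alerts as
# (day, rule, severity). A severity-first queue would start at the three
# critical beacons; the volume-first queue starts at the 210 logon failures.
SAMPLE_ALERTS = (
    [(d, "windows-logon-failure", "low") for d in range(1, 8) for _ in range(30)]
    + [(5, "suspicious-powershell", "medium") for _ in range(60)]
    + [(d, "suspicious-powershell", "medium") for d in (1, 3)]
    + [(d, "critical-c2-beacon", "critical") for d in (2, 4, 6)]
)
TOTAL_DAYS = 7


def rank_by_volume(alerts):
    """Biggest bucket first: (rule, count) pairs sorted by descending volume."""
    counts = Counter(rule for _, rule, _ in alerts)
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def classify_history(daily_counts, total_days, spike_share=0.6, chronic_days=0.5):
    """Label one rule's per-day history: 'spike' when a single day carries most
    of the volume, 'chronic' when the rule fires on most days, else 'sporadic'.
    The two thresholds are assumed values, not from the episode."""
    total = sum(daily_counts.values())
    if total and max(daily_counts.values()) / total >= spike_share:
        return "spike"
    if len(daily_counts) / total_days >= chronic_days:
        return "chronic"
    return "sporadic"


def triage_plan(alerts, total_days):
    """Volume-ranked queue with a history label per rule, so the analyst clears
    the largest bucket first and can see whether it is a tuning problem
    (chronic) or a one-off event (spike)."""
    per_rule_day = defaultdict(Counter)
    for day, rule, _ in alerts:
        per_rule_day[rule][day] += 1
    return [
        {"rule": rule, "count": count,
         "pattern": classify_history(per_rule_day[rule], total_days)}
        for rule, count in rank_by_volume(alerts)
    ]


if __name__ == "__main__":
    for row in triage_plan(SAMPLE_ALERTS, TOTAL_DAYS):
        print(f"{row['count']:4d}  {row['pattern']:8s}  {row['rule']}")
```

The chronic label on the top bucket is the cue to ask why the rule fires every day and tune it, while the spike is queue management rather than tuning work.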
Listen to more episodes:
Apple
Spotify
YouTube
By Dropzone AI