In our latest webinar, From Alert Overload to Automated Triage, D3’s Phil Beck (Director of Sales Engineering) and I (Amy Tom, Community Manager) centered the discussion around a simple question: is alert fatigue overblown? The honest answer was “it depends.”
According to the Software Analyst Cyber Research Group’s 2025 AI SOC Market Landscape report, 40% of all alerts are never investigated. 61% of security teams admit they have ignored alerts that later proved critical. The mean time to investigate sits at 70 minutes, while plenty of breaches succeed in under an hour. Every untouched alert is a head start you hand to the attacker.
So the numbers suggest that fatigue is not hype. But Phil pushed back on the blanket framing. If your detection engineering is tight and your alerts are focused, fatigue stays manageable. Even so, some teams will say that they don’t experience alert fatigue at all, while others are drowning in alerts and burned out.
The teams we talk to range from specialist MSSPs handling a couple hundred alerts a day to some of the world’s largest SOC teams. But one thing remains consistent. As the customer base grows, headcount never grows with it. Something has to give, and it’s usually the low and medium severity alerts… the ones that sit in the queue until nobody remembers to open them.
We asked live attendees what their biggest barrier to full alert coverage was. The industry stats and the virtual room were telling the same story: the ceiling isn’t the alerts, it’s the humans available to work on them.

The real question remains: does AI solve alert fatigue? Let’s dig deeper here.
The answer is “yes” with a catch
Phil’s take: if AI can investigate the 40% of alerts that were never going to get touched, you have already changed the math on alert fatigue.
But there’s a catch because you have to be precise about what “AI for the SOC” actually means; a lot of vendors say something similar but mean very different things. Most of the AI SOC market lives in the triage phase. You ingest an alert, enrich it, correlate the IOCs, and build a coherent picture instead of staring at a raw signal.
The Investigation phase goes deeper, and this is the real dividing line. A summary means an AI reads what your tools have already detected and writes it up cleanly, but an investigation means the AI follows the evidence across your network, email, endpoint, identity, and cloud, reconstructing what happened from many tools at once.
And the Response phase is the action layer: containment, closing the loop, remediating the behavior on the network. Not every tool has response capabilities.
If the AI you’re running only does one of those three, it’s not solving alert fatigue. It just shifts where the work lands.
What happens to analyst work when AI takes over
When AI takes on work that doesn’t require human judgment, like the enrichment, the IOC correlation, the cross-tool pivoting, then two things happen.
Senior analysts get their judgment time back. They spend it on the work they’re actually hired for: edge cases, high-stakes calls, investigations that genuinely need experience, instead of stitching together context a machine could have assembled automatically.
And junior analysts can develop faster. When AI shows its reasoning (which is based on the senior analyst’s workflows), a junior analyst can follow a senior-grade investigation on every alert. The skill gap closes through volume of exposure to good investigative processes, not training programs.
That reclaimed time eases the pressure and reduces alert fatigue.
Advice for adopting AI in the SOC: crawl, walk, run
Phil’s advice for adopting AI in the SOC came down to two things.
First, fix your foundation. AI amplifies whatever architecture sits underneath it. If your alert ingestion, data pipeline, and response logic are messy, AI just gives you garbage out faster. The orchestration layer is still the backbone, and it is what lets AI act on solid logic instead of improvising. Teams that succeed build a real foundation first.
Second, do not flip straight into full autonomy. D3 Morpheus offers four autonomy modes, from deterministic to assisted to led to autonomous, and the right path is crawl, walk, run. Start with an approval-gate model where the AI investigates and proposes actions while the analyst keeps control. As trust builds, dial it up per workflow. You never have to re-platform, and because the system is self-learning, it sharpens as it absorbs more of your environment. Zero to full autonomy overnight would be reckless. Earning your way there is the point..
So, does AI solve alert fatigue?
Phil’s take was a clear yes, and I think he’s right, with one honest qualifier. The market is still shifting and adapting. AI already changed how security teams work, and it’ll likely do it again.
But for now, AI can handle a lot of the repetitive tasks that take up analysts’ time. And because of that, it’s reducing alert fatigue.
The full session, including the live demo and Q&A, is now available on demand. And when you’re ready, see Morpheus investigate a live alert in 30 minutes.

