TL;DR: Security teams are overwhelmed by high volumes of user-reported threats, and this recorded Vision 2023 session with Anthony Coggins of Acrisure and Mick Leach of Abnormal Security focuses on how SOC leaders decide what to prioritise, respond faster, and scale efficiency without adding headcount. The governance lesson is that prioritisation is now a control problem, not just a staffing problem.
NHIMG editorial — here’s why we think this discussion matters
Questions worth separating out
Q: How should security teams prioritise threats when analysts are overwhelmed?
A: They should rank alerts by likely business impact, identity exposure, and containment urgency, not by arrival order or raw volume.
Q: Why does alert volume create governance risk for security operations?
A: High volume creates governance risk when teams can no longer apply consistent decision criteria.
Practitioner guidance
- Define triage rules for identity-linked alerts: create explicit criteria for what qualifies as high-priority when alerts involve user behaviour, access anomalies, or credential abuse, so analysts do not improvise under pressure.
- Automate repetitive enrichment before case assignment: pre-populate cases with identity context, asset ownership, and recent activity, so analysts spend time deciding, not gathering the same evidence repeatedly.
- Separate low-risk reports from high-consequence events: use escalation thresholds that reflect business impact and identity exposure, not just volume, so critical events rise above routine noise.
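As an added illustration (not code from the session, Acrisure, Abnormal Security or NHIMG), here is how the three guidance points above can be expressed as a small triage engine: enrichment runs before case assignment, the score is built from business impact, identity exposure and containment urgency rather than arrival order, and fixed escalation floors separate routine reports from high-consequence events. The asset and identity tables, the weights and the thresholds are all constructed, assumed values a team would replace with its own CMDB, identity inventory and triage rules.

```python
from collections import namedtuple

# Constructed enrichment tables standing in for a CMDB export and an identity inventory.
ASSET_CONTEXT = {
    "fin-db-01": {"owner": "finance-platform", "criticality": "critical"},
    "hr-portal": {"owner": "people-ops", "criticality": "high"},
    "kiosk-07": {"owner": "facilities", "criticality": "low"},
}
IDENTITY_CONTEXT = {
    "svc-payroll": {"kind": "nhi", "privileged": True, "active_24h": True},
    "jdoe": {"kind": "human", "privileged": False, "active_24h": True},
    "visitor-12": {"kind": "human", "privileged": False, "active_24h": False},
}
CRITICALITY_SCORE = {"critical": 3, "high": 2, "medium": 1, "low": 0}
# Containment urgency by alert category (assumed weights): credential abuse must be contained before the next login.
URGENCY_SCORE = {"credential_abuse": 3, "access_anomaly": 2, "user_behaviour": 1, "user_report": 0}
ESCALATION_THRESHOLDS = [(7, "P1-escalate"), (4, "P2-investigate"), (0, "P3-routine")]  # score floors, highest first
Alert = namedtuple("Alert", "alert_id category identity asset")

def enrich(alert):
    """Pre-populate the case with identity and asset context so the analyst decides rather than gathers."""
    asset = ASSET_CONTEXT.get(alert.asset, {"owner": "unknown", "criticality": "medium"})  # unknown != low
    ident = IDENTITY_CONTEXT.get(alert.identity, {"kind": "unknown", "privileged": False, "active_24h": False})
    return {"alert": alert, "asset": asset, "identity": ident}

def score(case):
    """Rank on business impact, identity exposure and containment urgency, never on arrival order or volume."""
    ident, asset, alert = case["identity"], case["asset"], case["alert"]
    impact = CRITICALITY_SCORE[asset["criticality"]]
    exposure = (2 if ident["privileged"] else 0) + (1 if ident["kind"] == "nhi" else 0)  # NHIs get less scrutiny
    urgency = URGENCY_SCORE[alert.category] + (1 if ident["active_24h"] else 0)  # live identity, live exposure
    total = impact + exposure + urgency
    priority = next(label for floor, label in ESCALATION_THRESHOLDS if total >= floor)
    return {**case, "impact": impact, "exposure": exposure, "urgency": urgency, "score": total, "priority": priority}

def triage(alerts):
    """Return the work queue: highest score first, ties broken by alert id so ordering is deterministic."""
    return sorted((score(enrich(a)) for a in alerts), key=lambda c: (-c["score"], c["alert"].alert_id))

# Constructed sample queue; arrival order deliberately puts the noisy user report first.
SAMPLE_ALERTS = [
    Alert("A-1", "user_report", "visitor-12", "kiosk-07"),
    Alert("A-2", "access_anomaly", "jdoe", "hr-portal"),
    Alert("A-3", "credential_abuse", "svc-payroll", "fin-db-01"),
]

if __name__ == "__main__":
    for case in triage(SAMPLE_ALERTS):
        print(case["alert"].alert_id, case["priority"], case["score"], case["asset"]["owner"])
```

Note that an asset missing from the enrichment table scores as medium rather than low, so a gap in inventory cannot quietly demote a real event to routine.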
What to expect at the briefing
Abnormal AI's full session covers the operational detail this post intentionally leaves for the source:
- The live discussion of how Acrisure and Abnormal Security prioritise high-volume security work in practice.
- The specific ways SOC leaders think about scaling efficiency without expanding headcount.
- The questions they use to decide what gets deprioritised when threat volume keeps rising.
- The emerging SOC roles and operating model changes they expect in the next planning cycle.
👉 Watch Abnormal AI's recorded Vision 2023 session on SOC prioritisation and scaling →
Security operations prioritisation: what SOC teams need to change
Explore further
Security operations prioritisation is now an identity governance problem as much as an operations problem. When teams are overwhelmed by volume, the issue becomes which alerts can be trusted to represent real identity risk and which cannot. That makes prioritisation part of the control plane for human identity, NHI, and emerging autonomous workflows. Practitioners should treat triage quality as a governance outcome, not a back-office efficiency metric.
A few things that frame the scale:
- 85% of organisations lack full visibility into third-party vendors connected via OAuth apps, according to The State of Non-Human Identity Security.
- Only 1.5 out of 10 organisations are highly confident in their ability to secure NHIs, compared to nearly 1 in 4 for securing human identities.
A question worth separating out:
Q: What should teams do when new attacks are appearing faster than the SOC can adapt?
A: They should tighten escalation criteria, improve case context, and revisit role design so the team can absorb unfamiliar attack patterns without breaking response quality. If the SOC cannot distinguish signal from noise quickly, the backlog becomes a security exposure rather than an operations issue.
👉 Read our full editorial: Security operations prioritisation is the real SOC scaling problem