Alert fatigue is the condition that develops when a monitoring system generates alerts faster than the team can meaningfully respond to them. It is usually discussed as an operational efficiency problem. It is also a security problem, and the security implications are more serious than the operational ones.
An engineer who receives 200 alerts per day learns, through experience, that most of them do not require urgent action. This is rational adaptation to a broken system. The problem is that this adaptation is not selective. The engineer who has learned to deprioritise alerts does not deprioritise only the low-severity ones. They deprioritise all of them, because the system has not given them a reliable way to distinguish the critical from the routine.
The Security Implication
Security incidents generate alerts. A brute force attack against SSH generates authentication failure alerts. A port scan generates firewall alerts. A web application attack generates WAF alerts. In a well-tuned monitoring environment, these alerts stand out because they are unusual. In an alert-fatigued environment, they are indistinguishable from the background noise.
The documented pattern in several high-profile security breaches is that the monitoring system detected the intrusion and generated alerts. Those alerts were not acted upon because the team had been conditioned by months of alert noise to treat the monitoring system as unreliable. The breach was not a monitoring failure. It was an alert quality failure that produced a response failure.
The Signal-to-Noise Standard
A well-functioning alerting system should have a signal-to-noise ratio above 90%. This means that more than 90% of alerts that reach an engineer require action. Achieving this requires defining alert conditions precisely, tuning thresholds to reflect actual risk rather than default values, and regularly reviewing and retiring alerts that consistently produce false positives.
The process of improving alert quality is not glamorous. It requires reviewing every alert that fires over a period of weeks, classifying each as actionable or noise, and adjusting the system accordingly. It is time-consuming. It is also one of the highest-return investments in operational reliability and security posture available to an engineering team.
Ownership and Accountability
Alert quality degrades without active ownership. Someone needs to be responsible for the signal-to-noise ratio of the monitoring system, with the authority to retire noisy alerts and the accountability for the consequences of missing genuine ones. Without this ownership, alert quality drifts toward noise as the system accumulates alerts that were added for good reasons and never reviewed again.