Automated Alert Classification and Triage (AACT): An Intelligent System for the Prioritisation of Cybersecurity Alerts

📅 2025-05-14
📈 Citations: 0
Influential: 0
🤖 AI Summary
Enterprise network expansion has led to an explosion in security alerts, causing severe alert fatigue among SOC analysts; the problem is worse in managed-SOC models, where analysts lack contextual information and business visibility. To address this, the authors propose AACT, an adaptive alert decision-making system that learns from real-world SOC triage feedback. AACT combines supervised learning with behaviour cloning, augmented by temporal alert aggregation, business-aware feature engineering and uncertainty estimation, to classify alerts, predict their priority and close benign alerts automatically in a closed loop. The system is also designed to generalise across organisations. Deployed in a production SOC for six months, AACT reduced the alerts displayed to analysts by 61% and kept the false negative rate at 1.36% over millions of alerts while maintaining high accuracy in identifying malicious alerts.

📝 Abstract
Enterprise networks are growing ever larger with a rapidly expanding attack surface, increasing the volume of security alerts generated from security controls. Security Operations Centre (SOC) analysts triage these alerts to identify malicious activity, but they struggle with alert fatigue due to the overwhelming number of benign alerts. Organisations are turning to managed SOC providers, where the problem is amplified by context switching and limited visibility into business processes. A novel system, named AACT, is introduced that automates SOC workflows by learning from analysts' triage actions on cybersecurity alerts. It accurately predicts triage decisions in real time, allowing benign alerts to be closed automatically and critical ones prioritised. This reduces the SOC queue, allowing analysts to focus on the most severe, relevant or ambiguous threats. The system has been trained and evaluated on both real SOC data and an open dataset, obtaining high performance in identifying malicious alerts from benign alerts. Additionally, the system has demonstrated high accuracy in a real SOC environment, reducing alerts shown to analysts by 61% over six months, with a low false negative rate of 1.36% over millions of alerts.
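To make the triage loop the abstract describes concrete, the following is an added example (not code from the AACT paper or its authors). It clones analyst verdicts with a small categorical naive Bayes model, adds a temporal-aggregation feature ("burst" when the same host and rule fire repeatedly inside a window), and then applies an uncertainty-gated policy: auto-close only when the model is highly confident the alert is benign, escalate when it is confident the alert is malicious, and otherwise show the alert to an analyst. The alert schema, the window and threshold constants, the sample alerts and the false-negative-rate denominator are all assumptions made for the demo; the page does not give the paper's actual features, model or thresholds.

```python
"""Behaviour-cloning alert triage with an uncertainty-gated auto-close policy.

Added example, not the AACT paper's code. The alert schema, constants and all
alert records below are constructed for the demo.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass, field

WINDOW_MIN = 10      # temporal aggregation window in minutes (assumed)
BURST_COUNT = 2      # same host+rule fires >= this often in window => "burst" (assumed)
AUTO_CLOSE_P = 0.90  # P(benign) required to close without an analyst (assumed)
ESCALATE_P = 0.80    # P(malicious) required to push to the top of the queue (assumed)


@dataclass
class Alert:
    minute: int
    host: str
    rule: str
    asset: str                 # business-aware feature: asset tier (assumed)
    label: str = ""            # analyst verdict; for the live queue used only for scoring
    features: dict = field(default_factory=dict)


def featurize(alerts):
    """Temporal aggregation: an alert is a 'burst' when the same host+rule
    produced BURST_COUNT or more alerts within WINDOW_MIN minutes of it."""
    for a in alerts:
        same = [b for b in alerts if b.host == a.host and b.rule == a.rule
                and abs(b.minute - a.minute) <= WINDOW_MIN]
        a.features = {"rule": a.rule, "asset": a.asset,
                      "burst": "burst" if len(same) >= BURST_COUNT else "single"}
    return alerts


class TriageModel:
    """Categorical naive Bayes with Laplace smoothing, fitted to past verdicts."""

    def __init__(self, alpha=1.0):
        self.alpha = alpha
        self.prior = Counter()                # label -> number of triaged alerts
        self.counts = defaultdict(Counter)    # (label, feature) -> value -> count
        self.values = defaultdict(set)        # feature -> distinct values seen

    def fit(self, history):
        for a in history:
            self.prior[a.label] += 1
            for f, v in a.features.items():
                self.counts[(a.label, f)][v] += 1
                self.values[f].add(v)
        return self

    def p_benign(self, alert):
        """Posterior probability that the analyst would close this alert as benign."""
        total = sum(self.prior.values())
        score = {}
        for label in ("benign", "malicious"):
            p = self.prior[label] / total
            for f, v in alert.features.items():
                c = self.counts[(label, f)]
                p *= (c[v] + self.alpha) / (self.prior[label] + self.alpha * len(self.values[f]))
            score[label] = p
        return score["benign"] / (score["benign"] + score["malicious"])


def decide(p_benign):
    """Closed-loop policy: only confident predictions leave the analyst queue."""
    if p_benign >= AUTO_CLOSE_P:
        return "auto_close"
    if 1 - p_benign >= ESCALATE_P:
        return "escalate"
    return "show"


def triage(model, queue):
    return [decide(model.p_benign(a)) for a in featurize(queue)]


def evaluate(queue, decisions):
    """FN rate here = share of auto-closed alerts the analyst called malicious
    (an assumed definition; the page does not state the paper's denominator)."""
    closed = [a for a, d in zip(queue, decisions) if d == "auto_close"]
    fn = sum(a.label == "malicious" for a in closed)
    return {"displayed": len(queue) - len(closed),
            "reduction": len(closed) / len(queue),
            "false_negatives": fn,
            "fn_rate": fn / len(closed) if closed else 0.0}


# Constructed analyst-triaged history: (minute, host, rule, asset tier, verdict).
HISTORY = featurize([Alert(*r) for r in [
    (0, "ws01", "failed_logon", "standard", "benign"),
    (30, "ws02", "failed_logon", "standard", "benign"),
    (60, "ws03", "failed_logon", "standard", "benign"),
    (90, "ws04", "failed_logon", "standard", "benign"),
    (120, "ws05", "failed_logon", "standard", "benign"),
    (123, "ws05", "failed_logon", "standard", "benign"),
    (150, "ws06", "new_service", "standard", "benign"),
    (180, "ws07", "new_service", "standard", "benign"),
    (210, "db01", "new_service", "crown_jewel", "malicious"),
    (240, "db02", "new_service", "crown_jewel", "malicious"),
    (270, "dc01", "failed_logon", "crown_jewel", "malicious"),
    (275, "dc01", "failed_logon", "crown_jewel", "malicious"),
]])

# Constructed incoming queue; the verdict column is the held-out analyst answer.
QUEUE = [Alert(*r) for r in [
    (300, "ws08", "failed_logon", "standard", "benign"),
    (330, "ws09", "failed_logon", "standard", "malicious"),   # attacker blending in
    (360, "db03", "new_service", "crown_jewel", "malicious"),
    (390, "ws10", "new_service", "standard", "benign"),
    (392, "ws10", "new_service", "standard", "benign"),
    (420, "ws11", "failed_logon", "standard", "benign"),
]]

MODEL = TriageModel().fit(HISTORY)

if __name__ == "__main__":
    decisions = triage(MODEL, QUEUE)
    for a, d in zip(QUEUE, decisions):
        print(f"{a.host:5} {a.rule:13} {a.asset:12} p_benign={MODEL.p_benign(a):.3f} -> {d}")
    print(evaluate(QUEUE, decisions))
```

The point of the run is the ws09 alert: it looks exactly like the benign history, so the model auto-closes it and it becomes a false negative. That is the risk the paper's 1.36% figure quantifies, and it is why the policy keeps a middle band of uncertain alerts (the ws10 burst here) in front of an analyst instead of forcing every alert into close or escalate; raising AUTO_CLOSE_P trades queue reduction for a lower false negative rate.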
Problem

Research questions and friction points this paper is trying to address.

Prioritizing cybersecurity alerts to reduce analyst fatigue
Automating SOC workflows by learning triage actions
Improving alert classification accuracy in large networks
Innovation

Methods, ideas, or system contributions that make the work stand out.

Automates SOC workflows using learned triage actions
Accurately predicts analysts' triage decisions in real time
Reduces alert volume with low false negatives