False Discovery Rate (FDR) and Precision in Detection

Short definition

False Discovery Rate (FDR) and precision describe how often a SOC’s detections are wrong versus useful. They are the most reliable indicators of whether a detection pipeline produces actionable security outcomes or operational noise.

Extended definition

In a production SOC, detection quality matters more than detection volume. False Discovery Rate measures the proportion of alerts that turn out to be false positives, while precision measures how many alerts are actually valid security findings.

Most SOC failures are not caused by a lack of tools or coverage, but by unmanaged false discovery. As FDR increases, analyst trust erodes, triage slows, automation becomes risky, and real incidents are missed inside alert floods.

FDR and precision are not theoretical metrics. They are operational constraints that define how fast, how safely, and how predictably a SOC can function.

Deep technical explanation

In detection systems, every alert represents a probabilistic claim. The system is asserting that observed telemetry corresponds to malicious or policy-violating behavior.

FDR is calculated as:

False positives divided by total positive detections

Precision is the inverse framing:

True positives divided by total detections

In isolation, these metrics are simple. In production, they are deeply entangled with:

Telemetry quality and completeness
Correlation logic and rule scope
Behavioral baselines and seasonality
Asset criticality and identity context
Environmental entropy, such as shared infrastructure and multi-tenant noise

A common failure pattern we see is teams optimizing recall instead of precision. They widen detection logic to avoid missing attacks, but do not account for the compounding effect of weak signals across multiple data sources.

This leads to several systemic breakdowns:

Alert amplification

One weak signal replicated across endpoints, identities, and network flows creates dozens of alerts for a single benign activity.

Automation poisoning

SOAR playbooks triggered by low-precision alerts begin executing unnecessary containment actions, creating outages or trust loss.

Analyst fatigue feedback loop

As analysts learn that most alerts are false, triage quality drops. Real incidents start receiving the same treatment as noise.

Metric distortion

MTTD and MTTR appear acceptable on paper because alerts are closed quickly, but real threats are buried.

Crucially, FDR is not static. It changes with environment scale, user behavior shifts, business growth, cloud adoption, and even calendar events like product launches or marketing campaigns.

This is why static rule tuning fails long-term.

Practical examples

High FDR SIEM deployment

A SIEM flags every failed login across VPN, cloud IAM, and internal systems. During password resets or onboarding spikes, thousands of alerts are generated. Analysts bulk close alerts. A real credential stuffing attack blends into normal operations.

Low precision UEBA rollout

UEBA models flag every new developer accessing unfamiliar systems. Without asset context or role awareness, normal project work is treated as anomalous behavior, overwhelming the SOC.

SOAR without precision gating

An automated response disables accounts after identity alerts that are 70 percent false positives. Business users lose access repeatedly, and security is pressured to turn automation off entirely.