Common blue team antipatterns
Alert fatigue and tuning paralysis
Problem: So many alerts that real threats are missed. Teams spend all their time tuning down false positives rather than hunting threats.
Better: Accept some false positives. Focus on high-fidelity detection of critical threats. Automate investigation of low-confidence alerts.
Prevention-only mindset
Problem: Believing perfect prevention is achievable. Assuming breach won’t happen if defences are good enough.
Better: Assume breach. Build detection and response capabilities as rigorously as prevention. Test incident response regularly.
Tool addiction
Problem: Believing the right tool solves all problems. Deploying expensive technology without skilled people to use it effectively.
Better: People and process before technology. Train analysts, develop procedures, then add tools that amplify human capabilities.
Reactive only
Problem: Only investigating when alerts fire. Never proactively hunting for threats or testing defensive effectiveness.
Better: Balance reactive incident response with proactive threat hunting. Regularly validate that detections still work.
Siloed operations
Problem: Blue team operates independently. No collaboration with red team, threat intel, IT operations, or business stakeholders.
Better: Build relationships across functions. Share intelligence, coordinate on improvements, align defensive priorities with business risk.
No metrics or measurement
Problem: Can’t articulate defensive effectiveness. No visibility into detection coverage, response times, or improvement over time.
Better: Measure what matters: MTTD, MTTR, detection coverage, purple team exercise results. Use data to drive improvements.
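As an added example (not from the original page), the following script computes the three metrics named above from constructed incident records: MTTD as activity start to detection, MTTR taken here as detection to containment, and detection coverage as the share of priority techniques that have at least one detection. The incident records, timestamps and technique identifiers are all constructed placeholders.

```python
"""Blue-team effectiveness metrics over constructed incident records."""
from datetime import datetime
from statistics import mean

# Constructed incidents: when activity began, when it was detected,
# and when it was contained (None means the incident is still open).
INCIDENTS = [
    {"id": "INC-1", "technique": "T-A", "start": "2024-05-01T08:00:00",
     "detected": "2024-05-01T09:30:00", "resolved": "2024-05-01T12:30:00"},
    {"id": "INC-2", "technique": "T-B", "start": "2024-05-03T22:00:00",
     "detected": "2024-05-04T10:00:00", "resolved": "2024-05-04T14:00:00"},
    {"id": "INC-3", "technique": "T-A", "start": "2024-05-07T01:00:00",
     "detected": "2024-05-07T01:30:00", "resolved": None},
]

# Constructed placeholders: techniques the team has decided it must detect,
# and the subset that currently has at least one detection rule.
PRIORITY_TECHNIQUES = ["T-A", "T-B", "T-C", "T-D"]
TECHNIQUES_WITH_DETECTIONS = {"T-A", "T-B"}


def _hours(start, end):
    """Elapsed hours between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 3600


def mttd_hours(incidents):
    """Mean time to detect: activity start -> detection, over all incidents."""
    return mean(_hours(i["start"], i["detected"]) for i in incidents)


def mttr_hours(incidents):
    """Mean time to respond: detection -> containment, closed incidents only.

    Open incidents have no containment time yet, so they are excluded rather
    than silently counted as zero; returns None if nothing is closed.
    """
    closed = [i for i in incidents if i["resolved"] is not None]
    if not closed:
        return None
    return mean(_hours(i["detected"], i["resolved"]) for i in closed)


def detection_coverage(priority, covered):
    """Fraction of priority techniques with a detection, plus the list of gaps."""
    gaps = [t for t in priority if t not in covered]
    return (len(priority) - len(gaps)) / len(priority), gaps


if __name__ == "__main__":
    print(f"MTTD: {mttd_hours(INCIDENTS):.2f} h")
    print(f"MTTR: {mttr_hours(INCIDENTS):.2f} h")
    ratio, gaps = detection_coverage(PRIORITY_TECHNIQUES, TECHNIQUES_WITH_DETECTIONS)
    print(f"Detection coverage: {ratio:.0%}, gaps: {gaps}")
```

Tracking these values per period, rather than once, is what shows improvement over time; the gap list doubles as the backlog for detection engineering.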