
The analyst closed the alert at two in the morning. It was the breach.

A security operations centre sees more signals than any team can chase, so most of the work is deciding what to close. Closing an alert is a decision, and after an incident the question is why this one was closed — answered, usually, from memory, because the tooling logged the action and not the reasoning.

The scale of the problem is no longer something a human can hold. Kenya's National KE-CIRT/CC detected 4.56 billion cyber threat events in the final quarter of 2025, against 842 million the quarter before, and issued nearly twenty million advisories in three months. Filtered down to a single enterprise the numbers are smaller, but the structure is the same: an alert queue in the thousands per day, of which the overwhelming majority are noise. Around nine in ten attacks begin with phishing, which is precisely why the alert that matters is camouflaged among the ones that do not.

The defender is no longer the only side using models. Kenya's authorities attribute part of the surge in detected events to attackers' own use of artificial intelligence — large language models drafting phishing that mimics legitimate correspondence, and deepfakes lending it a voice and a face. The effect on the triage desk is direct and unwelcome: as malicious messages become harder to distinguish from genuine ones, the rate of plausible-looking false positives climbs, and the analyst's margin for a confident close narrows. A faster model on the defending side does not solve this. A more disciplined one — that declines to clear what it cannot justify and says so — does.

Triage is a decision, not a detection. For every alert, an analyst escalates, investigates, suppresses, or closes it, and closing is the consequential one. The detection tooling has already done its job by raising the flag; the human or the automated rule that dispositions it is making the judgement that carries the risk. Over weeks of clearing false positives the analyst's threshold drifts, attention thins, and the team begins to tune out a class of alert entirely. This is alert fatigue, and it is the documented failure mode behind most major breaches: the signal was present, and nobody acted on it.

When the incident finally surfaces, the questions arrive in a fixed order. Was this detected. If so, why was it not acted on. Who saw it, and what did they decide. In Kenya those questions now have a statutory frame: the critical-infrastructure regulations require incident-response planning and breach reporting within twenty-four hours, and a designated operator that cannot account for how a detected threat was handled is exposed beyond the breach itself. The answer that the analyst closed the alert, with no recorded basis, is not a defence. It is an admission that the process had no memory.

Automation has made the gap worse, not better, where it has been deployed without governance. Security orchestration tools auto-triage and auto-close at machine speed, which is the only way to keep pace with the volume — but they log the action taken, not the reasoning behind it. When the closed alert turns out to be the intrusion, there is no record of why the rule decided it was benign, and the analyst who trusted the rule inherits a decision they cannot reconstruct. Speed without a rationale simply moves the undefended decision from the human to the machine.

For most African enterprises there is a further layer: the security operations centre is outsourced to a managed provider, and the disposition is made by an analyst at a third party, often in another time zone and another jurisdiction. The enterprise carries the regulatory and reputational consequence of a decision it did not make and cannot inspect. When the regulator asks why an alert was closed, the answer sits in a contractor's ticketing system, in a form that was never designed to be read by a supervisor or a court.

The operations that come through an incident intact are not the ones with the best detection. They are the ones that can show, for any alert that was closed, what the analyst or the rule was looking at, what cut against escalation, and why the call went the way it did. Detection is a commodity. The defensible disposition is not.

Closing an alert is the most consequential thing the SOC does, and the one thing the tooling does not make it explain.

HOW THE THREE PRODUCTS HANDLE THIS

Where each sits.

AKKI

Akki governs the telemetry that feeds triage — the SIEM, the endpoint detection, the identity and network logs — as one inspectable substrate rather than a set of tools each holding its own fragment. Every input to a disposition is logged, so the basis for a close or an escalation can be reconstructed exactly when it is later questioned. Where the operation is outsourced, Akki is what lets the enterprise inspect the provider's decisions rather than take them on trust.

SOLVA

Solva structures the triage reasoning and refuses to auto-close on thin or ambiguous evidence. Where the signal does not support a confident disposition it surfaces what is missing and holds, rather than forcing the decision the rule would otherwise force silently. Underneath each disposition sits the audit trail — the signals weighed, the reasoning, the confidence the evidence warranted. This is the artefact the incident review reaches for, and the refusal to clear what cannot be cleared is what finally shortens the queue rather than lengthening it.
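One way to make a disposition carry its own basis, as an added illustration of the record described above (example code, not Solva's implementation; the signal weights, thresholds and sample alerts are constructed for the example):

```python
from dataclasses import dataclass, asdict
import json

# Disposition record: constructed for this example, not Solva's data model.
@dataclass
class Disposition:
    alert_id: str
    action: str             # "close", "escalate" or "hold"
    signals: list           # every (name, weight, verdict) the rule looked at
    counter_evidence: list  # the signals that cut against the action taken
    rationale: str
    benign_share: float     # weighted share of the evidence pointing to benign

def triage(alert_id, signals, min_evidence=3.0, threshold=0.8):
    """Disposition one alert. Each signal is (name, weight, verdict) with verdict
    'benign' or 'malicious'. Thin or mixed evidence holds the alert instead of
    forcing a close or an escalation, and every path records its basis."""
    total = sum(w for _, w, _ in signals)
    benign = sum(w for _, w, v in signals if v == "benign") / total if total else 0.0
    benign_sig = [s for s in signals if s[2] == "benign"]
    malicious_sig = [s for s in signals if s[2] == "malicious"]
    if total < min_evidence:
        return Disposition(alert_id, "hold", signals, [],
                           f"evidence too thin to disposition (weight {total:.1f} < "
                           f"{min_evidence:.1f}); needs more telemetry or a human", benign)
    if benign >= threshold:
        return Disposition(alert_id, "close", signals, malicious_sig,
                           "benign evidence reaches the close threshold", benign)
    if benign <= 1 - threshold:
        return Disposition(alert_id, "escalate", signals, benign_sig,
                           "malicious evidence reaches the escalate threshold", benign)
    return Disposition(alert_id, "hold", signals, benign_sig + malicious_sig,
                       "evidence is mixed; auto-close refused, routed to an analyst", benign)

def record(d):
    """Serialise the disposition so the ticket carries the reasoning, not only the action."""
    return json.dumps(asdict(d), sort_keys=True)

# Constructed sample alerts with the signals a phishing rule might weigh (not real telemetry).
SAMPLE_ALERTS = {
    "A-1001": [("sender domain on allowlist", 2.0, "benign"),
               ("attachment hash known clean", 2.0, "benign"),
               ("link shortener in body", 1.0, "malicious")],
    "A-1002": [("display name matches CFO but domain does not", 2.0, "malicious"),
               ("URL registered this week", 2.0, "malicious"),
               ("recipient opened attachment", 1.0, "malicious")],
    "A-1003": [("single user report, no corroborating signal", 1.0, "malicious")],
    "A-1004": [("sender in recipient's address book", 2.0, "benign"),
               ("macro-enabled attachment", 2.0, "malicious")],
}
```

Calling `record(triage(alert_id, SAMPLE_ALERTS[alert_id]))` for each sample yields one JSON line per alert that a reviewer can read later without reconstructing the call from memory.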

SYNISENSE

Here SyniSense does less than in the sharing and sovereignty articles, and that is worth stating. Most triage telemetry is internal. Where it contains personal data, or where the operation is run by an external provider who would otherwise read identifiable detail, SyniSense anonymises at the perimeter so the disposition can be reasoned without exposing customer or employee data beyond where it lawfully belongs. For a purely internal SOC, Akki and Solva carry the weight.

WHAT CHANGES

For the analyst, the close carries its own defence. Dispositioning an alert produces a reasoned record automatically, so the high-volume work no longer accumulates undocumented exposure, and the pressure to clear fast no longer trades directly against the risk of being unable to explain a close later. The list the analyst works is shorter and truer because the ambiguous alerts are held rather than waved through.

For the CISO, the post-incident review finally has artefacts. The question after a breach — was this foreseeable, and if so why was it not acted on — has a documented answer rather than a defensive reconstruction assembled after the fact. The twenty-four-hour reporting obligation can be met with an account that is grounded, not guessed.

For the relationship with a managed provider, the disposition becomes inspectable. The enterprise can see why its outsourced SOC closed an alert, which turns a blind dependency into a governed one and gives the contract something to be measured against beyond response-time service levels.

For the regulator, the operation presents as one that governs its decisions rather than merely its tooling. A SOC that can show why it closed what it closed is a different supervisory conversation from one that can only show that an alert existed and was dismissed.
