Alert Fatigue
By SGT Adrian Morris
| Gray Space, 2026 E-Edition
Read Time: < 6 mins
U.S. military networks are overwhelmed with activity. This comes not just from threat actors, but also from their own infrastructure. In the changing world of cybersecurity, the Department of War (DoW) has adopted a “Defense in Depth” approach, creating multiple layers of tools to enhance security. This strategy had good intentions; however, the very tools designed to protect its networks now undermine its security posture.
In recent missions, our threat analysts have uncovered dozens of old, obsolete security tools by broadcasting traffic or testing network vulnerabilities. While this is not a new phenomenon, our team is increasingly identifying this problem, highlighting a growing issue within DoW networks.
The saturation of security tools creates confusion. Genuine threats are lost among false positives and overlapping alerts. As adversaries evolve, the DoW must face the unintended consequences of its well-meant strategy. It is time to rethink the current cybersecurity approach.
The Problem: Drowning in Defense
During a recent threat hunting operation, our team identified what appeared to be sophisticated lateral movement across DoW infrastructure—suspicious PowerShell executions, unusual network connections, and obvious signs of credential harvesting. After hours of analysis and reporting to local administrators, we received our answer: it was normal behavior from one of the security tools we didn’t know was running.
In theory, the concept of Defense in Depth has driven network stakeholders to implement layers of security through network monitoring, automated penetration testing, and vulnerability scanning. The idea is that by enabling security across all levels of the network rather than a typical firewall, adversaries have a lower chance of success. In practice, however, these decisions have begun to degrade the DoW’s security posture. Many networks have become so saturated with these tools that genuine threats disappear amid a sea of false positives and overlapping alerts.
Across U.S. military infrastructure, several factors have created a security paradox. High personnel turnover, combined with leadership incentives that reward visible action, has led to an abundance of endpoint detection and response (EDR) systems.
Most military networks are inherited, often when an incoming unit starts a new deployment or rotation. The personnel taking over naturally feel obliged to increase the security posture, and almost everyone’s first thought is to install new security software. After a decade or so of this cycle, these tools layer on top of each other without providing any true strategic value. During a recent mission, we observed eight EDRs running simultaneously within a single enclave. Extreme as that may sound, this is not far from the norm.
While there are approved software lists for the U.S. areas of operation, there are few specific guidelines on where to implement particular software. Some administrators prefer Nessus, some Red Seal, while some even love the infamous McAfee. Many DoW-approved devices also include proprietary security tools, like Cisco NetFlow and Palo Alto’s PAN-OS. In total, there are dozens of potential tools that one could encounter on a given DoW network, each running its own scans and generating its own alerts.
The combined EDRs have a profound effect on the analysts tasked with defending these networks. When suspicious activity repeatedly turns out to be a false alarm, pattern recognition becomes corrupted. Analysts begin to assume that anything anomalous is likely another monitoring service. This effect, commonly referred to as “alert fatigue,” degrades a Soldier’s ability to separate malicious activity from noise.
Alert fatigue is an adaptation of a healthcare concept known as “alarm fatigue,” coined by doctors who became numb to the noisy alarms of medical devices, and has been a recognized problem for decades. The core issue is psychology: after an overwhelming number of warnings and alerts, humans become desensitized. As it turns out, enabling every alert on a network only burdens analysts with reading a huge amount of data and burns them out. The result is not only slow mission execution, but also an organization paralyzed in its ability to secure the network.
The Accountability Gap
The most alarming discovery isn’t the fatigue itself, but the accountability gap it reveals. When we request a comprehensive list of third-party security tools deployed on a network, administrators consistently produce an incomplete inventory. Security tools are often forgotten when contracts expire, but the services can continue running without oversight. Devices come out of the box with their own internal scanning tools that blend into the network’s background noise over time.
With the level of access these scanners need to collect data and test vulnerabilities, security vendors become de facto persistent actors that remain untracked. These toolsets often have write permissions and have administrative access, scripting enabled, and remote capabilities. In an environment where defenders can’t distinguish their own tools from potential threats, adversaries don’t need zero-day exploits. All they need is to live off the land and abuse what’s already present.
The Solution: A Call to Action
The path forward requires acknowledging an uncomfortable truth: sometimes, enhancing security is not adding tools but removing them. Administrators across the DoW have an obligation to review the actions being taken on their networks and not take security for granted. If software is not absolutely necessary, it should be flagged for removal—especially if it can communicate across the network.
Furthermore, security analysts need to have realistic discussions with leadership and stakeholders regarding defense. It’s very tempting to avoid discussing the removal of what is technically a safeguard—I’ve personally engaged in these conversations, and it is rarely well received. However, as security professionals, it is our responsibility to give authentic assessments based on our expertise.
Leaders in the cyber field must reconsider the metrics they use to determine an efficient cyber defense strategy. Reporting metrics on the number of false positives, low-severity alerts, and unwanted information generated will go a long way toward “trimming the fat” and boosting defense capabilities. By taking a quality-over-quantity approach and rewarding efficient threat detection, we can facilitate creative problem-solving rather than deploying tools for the sake of optics.
A core contributor to this problem is the overlap in security capabilities in newer devices. Recognizing this problem, emerging technologies such as next-generation firewalls and AI-based EDRs can categorize all the network traffic, identify unnecessary alerts, and bring them to the attention of network operators for potential filtering. With these new developments, the DoW can streamline operations and disable alerts that do not provide defensive value.
Conclusion
The problem is ironic. In the pursuit of total visibility, administrators have created blind spots within their networks. Environments choked with overlapping tools, burnt-out analysts, and adversaries hiding in plain sight aren’t part of the resilient security posture that Defense in Depth was meant to create. It’s a cautionary tale of good intentions weaponized by poor execution.
Adversaries are already exploiting this phenomenon. Private security vendors such as CrowdStrike, ThreatLocker, and Splunk all highlight the increasing prevalence of “living-off-the-land” techniques, where threat actors exploit existing software to steal data rather than installing their own malware. In September 2025, an attack attributed to the group Salt Typhoon exploited CVEs in Cisco, Ivanti, and Palo Alto security tools to exfiltrate sensitive data.
The goal is not a return to minimalism but to rethink what “depth” actually means. Every tool should serve a distinct, documented purpose, providing value to network defenders rather than holding them back. True Defense in Depth requires strategic coordination. It demands accountability for every piece of software touching the network, transparency about what’s running and why, and the foresight to remove what doesn’t serve the mission.
Authors
SGT Adrian Morris is the Non-Commissioned Officer in Charge and Senior Host Analyst on the 03 National Cyber Protection Team. He has served as Crew Lead for over a dozen Defensive Cyber Operations within the CENTCOM and AFRICOM areas of responsibility.