
Reports

SLA performance, AI accuracy indicators, and evidence of human validation.

SLA met (7d): 96% (target: 95%)
  Share of cases triaged within their SLA window over the last 7 days.

AI accept rate: 88% (trending up)
  How often analysts accept the AI's recommended verdict without changes.

Analyst override: 12% (healthy band)
  How often analysts override the AI. 5–20% is healthy: too low means rubber-stamping, too high means low AI quality.

FP rate: -31% vs. raw triage
  Reduction in false-positive workload after correlation, compared with triaging every raw alert individually.

L1 effort saved (7d): 73% (≈ 184 analyst-hours)
  Triage time saved by AI-assisted summarisation and correlation, compared with manual L1 triage of every raw alert.

Avg. triage time: 4m 12s (manual baseline: 16m)
  Median time from case creation to L1 disposition.

L3 escalations (7d): 7 (2 insider-threat)
  Cases escalated past L2 to L3 Insider Threat / IR specialists.

Redaction coverage: 100% of NPI fields
  Share of evidence with sensitive fields (SSN, account/loan #, email) tokenised before AI processing.

QRadar EPS (24h avg): 48.2k (peak 71k, cap 90k)
  Events-per-second ingest from QRadar SIEM. Stays well below the licensed cap; bursts are absorbed by the Redis stream buffer.

False positives vs true positives (7d)
  Daily mix of confirmed-benign vs confirmed-malicious dispositions. Lower FP bars = better signal.
  [Chart: daily dispositions, stacked, last 7 days; series: false positives, true positives]

Analyst accept vs override (weekly)
  Weekly trend of analyst agreement with AI advisories. Watch for sudden jumps in override rate; they may signal model drift.
  [Chart: agreement trend, last 4 weeks; accept 88%, override 12%]

Top DLP departments
  Business units generating the most DLP-driven cases. Helps target awareness training and policy tuning.
  [Chart: hotspots, cases per business unit]

Evidence of human validation
  Audit-ready proof that every case had a human in the loop. AI never closes a case on its own.

  Cases dispositioned by analyst (7d):   412 / 412 (100%)
  AI-only closures:                      0 (policy)
  L2 acceptance of L1 handoffs:          94%
  Audit completeness:                    100% (every action logged)
  Redaction coverage (NPI fields):       100% (SSN, account/loan numbers)

  AI output is advisory. QRadar SIEM, Forcepoint DLP, and Forcepoint Proxy remain authoritative source systems. Every disposition reflects an analyst decision.

Top policies triggered (7d)
  Forcepoint DLP / Proxy policies that fired most often; useful for tuning thresholds and reducing alert noise.

  Policy                        Source   Fires   FP rate   Trend
  NPI-SSN-Block                 DLP      1,842   8%        +12%
  NPI-Loan#-Block               DLP      1,204   11%       +4%
  Egress-PII-Block              DLP        612   6%        -2%
  Personal-Cloud-Upload         PROXY      388   22%       +19%
  Unsanctioned-AI-Upload        PROXY      244   14%       +31%
  Email-Internal-Confidential   DLP        197   9%        -5%

L3 escalations (7d)
  Cases handed off past L2 to L3 Insider Threat / Incident Response. These are the cases that warranted specialist attention.

  Case            Summary                                          Track                SLA / outcome
  CASE-2026-0847  Bulk borrower-NPI egress by departing analyst    Insider Threat       Met · Confirmed TP
  CASE-2026-0812  Off-hours USB mass-write + DLP burst             Insider Threat       Met · Confirmed TP
  CASE-2026-0798  Lateral movement after credential reuse          Incident Response    Met · Confirmed TP
  CASE-2026-0776  Privileged user — anomalous repo access          Insider Threat       At risk · Under review
  CASE-2026-0754  Vendor account — unusual data pull               Incident Response    Met · Closed — benign
  CASE-2026-0741  Exec phishing landing + token theft              Incident Response    Met · Confirmed TP
  CASE-2026-0729  Repeat copy-paste of customer PII                Insider Threat       Met · Policy training

Enrichment egress guardrail (7d)
  Proof that only non-sensitive technical indicators leave the perimeter for external enrichment (VirusTotal, AbuseIPDB).

  External enrichment calls allowed:           1,284
  Blocked — indicator still contained PII:     11
  Blocked — provider circuit-breaker OPEN:     4
  Hash-only lookups (no full payload):         612 / 612 (100%)
  Guardrail uptime:                            100%

  The AI itself runs on local open-weights inference inside the customer perimeter; only non-sensitive technical indicators are sent to external enrichment providers, and PII never leaves.
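The two controls this dashboard reports on, redaction of NPI fields before AI processing (the Redaction coverage metric above) and the enrichment egress guardrail with its PII check and provider circuit-breaker, fit naturally together because both rest on the same "does this text contain PII?" decision. The following Python is an added illustration, not the platform's own code: the NPI regexes, the loan/account number format, the rule that only hashes, public IPs and domains count as technical indicators, and the three-failure breaker threshold are all assumptions, since the page states what the guardrail enforces but not how.

```python
"""Added example: tokenise NPI before AI processing, and gate outbound enrichment
so only non-sensitive technical indicators leave the perimeter."""
import hashlib
import ipaddress
import re
from collections import Counter

# Constructed patterns for the NPI field types the dashboard names
# (SSN, account/loan numbers, email). The LN-/ACCT- loan format is a
# hypothetical placeholder; the real platform's patterns are not on the page.
NPI_PATTERNS = {
    "SSN": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "EMAIL": re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"),
    "LOAN": re.compile(r"\b(?:LN|ACCT)-\d{6,12}\b"),
}


class Redactor:
    """Replaces NPI values with stable tokens so the model sees structure, not data.
    The vault (token -> original value) stays inside the perimeter with the analyst,
    and the same value always maps to the same token so correlation still works."""

    def __init__(self):
        self.vault = {}      # token -> original value
        self._reverse = {}   # original value -> token

    def tokenise(self, text):
        def replacer(kind):
            def repl(match):
                value = match.group(0)
                token = self._reverse.get(value)
                if token is None:
                    token = f"<{kind}_{len(self.vault) + 1}>"
                    self.vault[token] = value
                    self._reverse[value] = token
                return token
            return repl
        for kind, pattern in NPI_PATTERNS.items():
            text = pattern.sub(replacer(kind), text)
        return text


def contains_npi(text):
    """True if any NPI pattern still matches; used as the egress PII check."""
    return any(p.search(text) for p in NPI_PATTERNS.values())


HEX_HASH = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
DOMAIN = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")


def classify_indicator(value):
    """Return 'hash', 'ip' or 'domain' for a non-sensitive technical indicator, else None.
    Private/loopback addresses are rejected: they describe internal topology."""
    v = value.strip().lower()
    if HEX_HASH.match(v):
        return "hash"
    try:
        return "ip" if ipaddress.ip_address(v).is_global else None
    except ValueError:
        pass
    return "domain" if DOMAIN.match(v) else None


def file_hash(payload):
    """Hash-only lookup: only the SHA-256 of a file is ever sent, never the payload."""
    return hashlib.sha256(payload).hexdigest()


class EgressGuardrail:
    """Decides whether an enrichment request may leave the perimeter, and keeps the
    counters the dashboard reports. The breaker is a simplified one (no half-open timer):
    it opens after N consecutive provider failures and closes on the next success."""

    def __init__(self, failure_threshold=3):
        self.failure_threshold = failure_threshold
        self.failures = Counter()   # provider -> consecutive failures
        self.stats = Counter()      # allowed / blocked_pii / blocked_not_indicator / blocked_circuit_open

    def circuit_open(self, provider):
        return self.failures[provider] >= self.failure_threshold

    def record_result(self, provider, ok):
        self.failures[provider] = 0 if ok else self.failures[provider] + 1

    def check(self, provider, indicator):
        if contains_npi(indicator):
            self.stats["blocked_pii"] += 1
            return "BLOCKED_PII"
        if classify_indicator(indicator) is None:   # default-deny anything unrecognised
            self.stats["blocked_not_indicator"] += 1
            return "BLOCKED_NOT_INDICATOR"
        if self.circuit_open(provider):
            self.stats["blocked_circuit_open"] += 1
            return "BLOCKED_CIRCUIT_OPEN"
        self.stats["allowed"] += 1
        return "ALLOWED"
```

The PII check runs before the indicator-type check on purpose: an email address would also fail the type check, but counting it under "indicator still contained PII" is the signal the dashboard wants, because it points at a redaction gap upstream rather than at a malformed lookup. The unrecognised-indicator outcome is a default-deny added here beyond the two block reasons the page lists.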

QRadar ingest health (24h)
  Throughput from the authoritative SIEM. Stays well below the licensed EPS cap; bursts are absorbed by the Redis stream buffer.

  EPS, 24h average:              48,200
  EPS, peak:                     71,400
  EPS, licensed cap:             90,000
  Offenses ingested:             412
  Offenses promoted to cases:    38 (9.2%)
  Buffer headroom:               22% (healthy)

  QRadar remains the authoritative SIEM. This platform consumes offenses from QRadar and never writes back; telemetry stays inside QRadar for retention and audit.