What is a true positive in security?
A true positive is a security alert that correctly identifies real malicious activity: the detection logic fired and the underlying threat actually exists, so a response is required.
Updated 2026-05-19
True positives are what every detection program optimizes for. The challenge is finding them in volume: when 80% of alerts are false positives, even a high true positive rate yields small absolute numbers that are easily missed in the noise. The signal-to-noise ratio determines whether true positives are acted on quickly or buried. Catching every true positive within MTTD targets is the working definition of SOC effectiveness.
How Command Zero handles true positives.
Command Zero's autonomous investigation produces a documented verdict for every alert, with supporting evidence attached. True positives are escalated to analysts with the investigation already complete, so the analyst confirms the findings and acts rather than starting from scratch. False positives are dismissed with documentation, so an audit trail exists if a dismissed case later turns out to be related to an active incident.
Book a Command Zero demo.
Live in under an hour. No migration. Zero training data required.