
You are operating in a high-volume alert environment and need a consistent way to separate false positives from legitimate threats before the team burns time on the wrong incidents or misses a real attack.
How would you differentiate between a false positive and a legitimate security threat in a high-volume alert environment, and how would you structure the decision process so it scales under pressure?