Planned Rollout: June 2026 (begins in June, with ongoing enhancements thereafter)
As part of Cyflare’s continued investment in Enhanced Monitoring capabilities and ongoing improvements to our Managed Security Services, we will be implementing an important operational enhancement to how Endpoint Detection & Response (EDR) threats are evaluated, triaged, and escalated to customers.
This change is designed to improve the overall quality, fidelity, and actionability of security notifications delivered by the Cyflare SOC.
Historically, Cyflare’s SOC approach for EDR platforms, particularly SentinelOne (with additional EDR vendors to follow), has been to escalate nearly all threats where the security tool performed a mitigation action (quarantine, kill, remediation, etc.), regardless of the overall confidence or severity of the threat.
While this process ensured customers had visibility into all mitigation activity occurring within their environment, it also resulted in a higher volume of low-fidelity alerts, benign detections, and false positives being escalated for customer review.
Beginning in June, Cyflare will transition to a more intelligence-driven escalation model focused on identifying and prioritizing legitimate security threats and operational concerns rather than escalating all mitigated activity by default.
Customers should expect to see:
Reduced alert and ticket volume related to benign or low-risk EDR detections
Increased focus on actionable and high-confidence security events
Improved signal-to-noise ratio from Cyflare SOC notifications
Enhanced analyst-driven threat dispositioning within supported EDR platforms
Under the previous process:
If SentinelOne (or another EDR platform) detected and mitigated an event
Cyflare would generally escalate the incident to the customer
This would occur even if analyst review determined the activity was likely benign or a false positive
This often resulted in customer notifications for activity that was:
Already successfully mitigated
Originating from trusted or known-good software
Representative of expected business operations
Under the new process, Cyflare will perform enhanced review and dispositioning of EDR detections before escalation decisions are made.
If activity is determined to be:
A known false positive
Benign operational activity
Previously approved software behavior
Otherwise non-actionable
The case may be internally dispositioned and documented without customer escalation.
Customers will still retain visibility within their EDR platform logs, case history, and Cyflare case closure details where applicable within the ONE platform.
Example scenario: SentinelOne detects a suspicious .vbs script using the On-Write Static AI engine and automatically quarantines the file.
Cyflare reviews the event and determines:
The file originated from a trusted source
The detection was a false positive
No malicious activity occurred
Under the previous process, despite this determination, the alert would still have been escalated to the customer for validation and mitigation guidance.
Under the new process, the Cyflare triage process will:
Validate the activity as benign
Disposition the detection as a false positive
Document findings directly within SentinelOne and Cyflare case records
Close the case without escalation
If a customer later determines the mitigation impacted legitimate operations, the Cyflare SOC can assist with un-mitigation or tuning requests upon engagement.
A second example: some organizations utilize tools such as:
Advanced IP Scanner
Network enumeration utilities
Internal administrative scripts
Remote management tooling
These tools may periodically trigger EDR detections due to their behavior profiles.
Under the previous process, each mitigation would typically generate an escalation ticket to the customer.
Under the new process, if Cyflare has prior knowledge that the activity is expected or approved within the customer environment, analysts may:
Disposition the event internally
Document the activity appropriately
Close the event without customer escalation
While this change is intended to improve alert quality and reduce operational fatigue, there is an important tradeoff customers should understand.
Because some benign or approved activity may now be dispositioned internally rather than escalated, customers may occasionally experience:
Legitimate software quarantines
Interrupted scripts or tooling
Blocked administrative activity
These situations may occur without an immediate Cyflare escalation notification.
To ensure the success of this operational improvement, Cyflare strongly encourages customers and partners to:
Notify the SOC of any unexpected software quarantines or operational disruptions
Communicate known-good tools and administrative workflows commonly used in their environment
Continue collaborating on allow-listing, tuning, exclusions, and policy refinement where appropriate
Cyflare is simultaneously implementing additional internal monitoring and review processes to identify repetitive benign mitigations and proactively surface tuning opportunities over time.
The primary objective of this enhancement is to improve the value and urgency of Cyflare security notifications.
By reducing noise from low-fidelity detections and false positives, customers can have greater confidence that:
Escalated threats have undergone meaningful review
Notifications represent higher-confidence security concerns
SOC engagement is focused on activity requiring legitimate customer awareness or action
We believe this evolution will significantly improve operational efficiency, reduce alert fatigue, and strengthen the overall effectiveness of our Managed Security Services.
If you have questions regarding this upcoming change, tuning requests, or concerns about EDR mitigations within your environment, please contact the Cyflare SOC team at:
socir@cyflare.com
We appreciate your continued partnership as we evolve and enhance our security operations capabilities.