22nd AIAI 2026, 16 - 19 July 2026, Chania, Crete, Greece

AI-Driven Alert Triage in Security Operations Centers: Imbalanced Learning with Human-in-the-Loop Contextual Bias Modeling

Lázaro-Teja Marcelino, Álvarez-Pérez Lorena, González-Serrano Francisco Javier, Gutiérrez-López Aitor, Álvarez-Aldana José-Luis, Gil-López Marta, Izquierdo-Núñez Andrés, Montero-Santos Jairo

Abstract:

Security Operations Centers (SOCs) must triage large volumes of alerts under strict operational constraints. In these environments, false positives, heavy workloads, and severe class imbalance can reduce decision consistency and increase the risk of missed incidents. This paper presents an AI-based decision support framework for the initial triage stage in a managed SOC. The approach models two binary decisions: whether an alert should be escalated and whether it should be reported to the client. The framework combines intrinsic alert information with contextual temporal features that describe recent analyst activity and workload. It also incorporates expertise-aware sample weighting and cost-sensitive learning through a normalized Bayes objective. Experiments on real alerts collected at the GMV CERT/SOC show that contextual workload modeling improves escalation decisions, whereas reporting depends mainly on intrinsic alert attributes. The results also indicate that temporal workload signals can help represent operational pressure during triage. Overall, the proposed approach supports alert triage while keeping the analyst in control and remains aligned with the practical constraints of real SOC environments.

*** Title, author list and abstract as submitted during Camera-Ready version delivery. Small changes that may have occurred during processing by Springer may not appear in this window.