What is True Positive?

A true positive is a security alert that correctly identifies genuine malicious activity or policy violation. It is a real threat that warrants investigation, escalation, and response.

How True Positive Works

True positives are the purpose of the entire detection apparatus. Every rule, behavioral model, and threat intelligence feed exists to surface true positives for analyst action. However, confirmed true positives vary in severity and urgency: a true positive for a blocked low-risk phishing attempt requires different handling than a true positive for active ransomware encryption on a file server.

True positive rate (also called detection rate or recall) measures what percentage of actual attacks the system catches. A high false-negative rate (missing real threats) is often more dangerous than a high false-positive rate, because undetected attacks cause damage while false positives only waste analyst time. Balancing false positives and false negatives requires calibrating detection thresholds: looser thresholds catch more attacks but generate more noise, while tighter thresholds reduce noise but miss more real attacks.

In post-incident analysis, analysts classify alerts as true positive, false positive, true negative (correctly not alerting on benign activity), or false negative (failing to alert on malicious activity). This classification drives detection improvement cycles.
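The following Python snippet is an added illustration (not SOCSimulator's code) of the classification described above: each scored event is compared with its post-incident ground truth, bucketed into TP, FP, FN or TN, and the resulting true positive rate, false positive rate and precision are computed at several detection thresholds. The event scores, event IDs and the `ScoredEvent`, `classify`, `confusion_matrix`, `metrics` and `threshold_sweep` names are all constructed for this example.

```python
"""Added worked example: confusion matrix and threshold calibration for a
detection rule. All event data below is constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ScoredEvent:
    """One event a detection rule scored, plus the ground truth established
    during post-incident review (hypothetical structure for this example)."""
    event_id: str
    score: float      # detection confidence in 0.0..1.0 (constructed)
    malicious: bool   # True if triage confirmed genuine malicious activity


# Constructed sample set: a mix of real attacks and benign activity as a
# hypothetical behavioural rule might score them. Values are invented.
SAMPLE_EVENTS = [
    ScoredEvent("evt-001", 0.95, True),   # ransomware encryption burst
    ScoredEvent("evt-002", 0.82, True),   # credential dumping
    ScoredEvent("evt-003", 0.71, True),   # blocked phishing payload
    ScoredEvent("evt-004", 0.40, True),   # slow beacon the rule scored low
    ScoredEvent("evt-005", 0.88, False),  # admin running a scheduled backup
    ScoredEvent("evt-006", 0.65, False),  # authorised vulnerability scan
    ScoredEvent("evt-007", 0.30, False),  # software update traffic
    ScoredEvent("evt-008", 0.10, False),  # routine user login
    ScoredEvent("evt-009", 0.05, False),  # routine file share access
    ScoredEvent("evt-010", 0.55, False),  # misconfigured log forwarder
]


def classify(alerted: bool, malicious: bool) -> str:
    """Map one (alerted?, actually malicious?) pair to the four outcome classes."""
    if alerted and malicious:
        return "TP"   # true positive: alert on a real threat
    if alerted and not malicious:
        return "FP"   # false positive: alert on benign activity
    if not alerted and malicious:
        return "FN"   # false negative: real threat missed
    return "TN"       # true negative: benign activity correctly ignored


def confusion_matrix(events, threshold: float) -> dict:
    """Count TP/FP/FN/TN when the rule alerts on every score >= threshold."""
    counts = {"TP": 0, "FP": 0, "FN": 0, "TN": 0}
    for ev in events:
        counts[classify(ev.score >= threshold, ev.malicious)] += 1
    return counts


def metrics(counts: dict) -> dict:
    """Derive the rates analysts track from the confusion matrix counts."""
    tp, fp, fn, tn = counts["TP"], counts["FP"], counts["FN"], counts["TN"]
    tpr = tp / (tp + fn) if tp + fn else 0.0        # recall / detection rate
    fpr = fp / (fp + tn) if fp + tn else 0.0        # share of benign events alerted on
    precision = tp / (tp + fp) if tp + fp else 0.0  # share of alerts worth working
    return {"tpr": tpr, "fpr": fpr, "precision": precision}


def threshold_sweep(events, thresholds) -> dict:
    """Evaluate the same rule at several thresholds to expose the trade-off."""
    result = {}
    for t in thresholds:
        counts = confusion_matrix(events, t)
        result[t] = {**counts, **metrics(counts)}
    return result


if __name__ == "__main__":
    for t, row in threshold_sweep(SAMPLE_EVENTS, (0.5, 0.7, 0.9)).items():
        print(f"threshold={t:.2f} TP={row['TP']} FP={row['FP']} "
              f"FN={row['FN']} TN={row['TN']} "
              f"TPR={row['tpr']:.2f} FPR={row['fpr']:.2f} "
              f"precision={row['precision']:.2f}")
```

Running the sweep shows the calibration tension in numbers: at 0.5 the rule catches 3 of 4 attacks but half of its alerts are noise; raising the threshold to 0.7 keeps the same detection rate while cutting false positives to one; pushing it to 0.9 removes all noise but misses 3 of the 4 real attacks, which is the false-negative cost the text warns about. The slow beacon scored 0.40 is missed at every threshold shown, so no threshold change fixes it and the rule itself needs improvement.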

True Positive in SOC Operations

Correctly identifying true positives under time pressure is the primary skill of a SOC analyst. SOCSimulator trains this by mixing genuine attack scenarios with realistic false-positive noise at configurable ratios, forcing you to develop the investigative discipline to distinguish real threats from benign misfires. True positive rate per analyst is a key SOC performance metric reflecting both detection quality and analyst proficiency.

Free forever

Practice True Positive in a Real SOC

SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating true positive scenarios with zero consequences — free forever.
