Two Systems, One Shift
It is the end of a long shift.
Thirty alerts are already closed. The dashboard is calm. You can see the finish line. The handover meeting is twenty minutes away, and for the first time today, the queue is almost empty.
One last incident pops.
You open it. It looks routine. The kind of alert you have seen a hundred times. Same pattern, same source, same shape. You scan the evidence, run two quick checks, and close it. Clean.
You hand over. The incoming analyst sees a green dashboard. You log off, and for the first time in eight hours, your shoulders drop.
It feels good.
The Unease
Three hours later, you are eating dinner, and the thought arrives uninvited.
Did I miss something?
You cannot name what. There is no smoking gun in your memory, no specific detail your mind is flagging. Just a low background hum of unease, sitting under everything else, refusing to leave.
You try to dismiss it. The ticket was routine. You have closed a hundred like it. The dashboard was green.
The hum gets louder overnight.
The next morning, before your first coffee, you pull the ticket up again. You read it properly this time, line by line, not pattern-matching, not skimming. And whether or not you find anything you missed, one thing is now clear.
You closed a ticket yesterday on a verdict you had never actually tested.
Two Systems
What happened in those two moments, the close at the end of shift and the unease three hours later, is the cleanest possible illustration of a framework Daniel Kahneman won a Nobel Prize for naming. In his book Thinking, Fast and Slow, he describes two distinct systems running inside every human mind.
System 1 is fast. It is automatic. It recognises patterns, completes sentences, drives your car on a road you know. It is low-effort and almost always on. It is how you closed the ticket in ninety seconds at the end of shift.
System 2 is slow. It is deliberate. It is the system you use to multiply two three-digit numbers, to read a sentence with care, to reconstruct a chain of reasoning. It is high-effort, and you cannot run it for long without depleting yourself. It is the system that arrived three hours later, after dinner, when the noise of the day had subsided and your mind finally had the bandwidth to revisit what your fast brain had already disposed of.
System 2 did not arrive too slowly because something was wrong with you. It arrived too slowly because the SOC, by design, runs on System 1.
System 1 Is Not the Problem
This is the first thing to get right, because the rest of the article depends on it.
System 1 is not the enemy. It is the only reason you can do this job. If you ran every alert through full deliberate reasoning, you would close four tickets a shift instead of forty. You would burn out by month three. The analysts who have lasted in this work for ten or twenty years are not the ones who suppress their fast brain. They are the ones who have trained it on enough cases that its pattern-matching is sharp.
The problem is not that you used System 1 at the end of shift. The problem is that nothing in the room told you that this particular ticket was one where you needed to switch. Not the tooling. Not the workflow. Not the dashboard going green.
That is the analyst’s job. Not to run on System 2 always. That is impossible. Not to abandon System 1. That is suicidal at SOC volumes. The job is to read the evidence in front of you, including the evidence of your own thinking, and recognise when the fast version of the answer is going to be wrong.
The clearest signal that System 2 needs to take over is the one we covered in the last post. The moment you notice you are running into a bias, your fast brain is producing exactly the kind of cheap answer it evolved to produce, and you are about to commit to it. Confirmation pulls you toward the easy hypothesis. Anchoring fixes your reading to the alert label. Availability nudges you toward last week’s case. Automation hands you a verdict you never checked. Each one is a flag. Each one is the switch.
Five Triggers That Should Force the Switch
You will not catch every System 1 close in real time. Nobody does. But there are five conditions where you can install a small, repeatable habit of pausing before you commit.
One. You notice you are matching the pattern, not reading the evidence. This is the bias signal. The moment you find yourself thinking "I have seen this before" before you have actually looked at the data, you are on confirmation-and-anchoring autopilot. Stop and read the ticket as if you have never seen it.
Two. End of shift, or cognitive depletion. The scenario at the top of this article is not rare. It is the most common single failure mode in SOC work. Your last five tickets of a long shift deserve more scrutiny than your first five, not less. The dopamine of a clean dashboard is not evidence.
Three. An inherited verdict. A handover, a peer, or a previous shift hands you a conclusion. "Looks like a false positive." "We already cleared this." Your System 1 will accept the verdict and start working downstream of it. Rebuild the reasoning from raw evidence, or you are not investigating. You are inheriting.
Four. Conflicting evidence inside the same ticket. When two data points disagree and your brain quietly resolves the conflict in favour of the more familiar one, that resolution is System 1 erasing inconvenient information. Surface the conflict explicitly. Write it down. Do not let it dissolve.
Five. A tool or AI verdict that feels right too easily. Automation bias is System 1 outsourced. When a SIEM rule, an EDR verdict, or an LLM-generated summary lines up with your first instinct, you are receiving two System 1 outputs reinforcing each other. That is not corroboration. That is correlated error. Ask what you would have decided if the tool had said nothing.
Why the Unease Worked: Signal and Noise
Now back to the dinner-table moment.
The unease three hours later was not magic. It was not intuition in the mystical sense. It was a signal.
Somewhere in the ticket you closed, there was a detail that did not fit the pattern your fast brain matched it to. System 1 noticed it. System 1 notices almost everything. But it did not flag it loudly enough to interrupt the close. During the shift, that signal was buried under the noise of thirty other alerts, the rhythm of the queue, and the dopamine of a clean handover.
After the shift, the noise floor dropped. The other thirty tickets were gone. The queue was someone else’s problem. And the signal that had been buried all afternoon finally rose above the noise.
This is the same signal-versus-noise problem you already understand from detection engineering, applied now to your own cognition. The goal of System 2 is not to manufacture suspicion. It is to lower the noise floor of your own thinking enough that the real signal, the detail that did not fit, has a chance to be heard before the close, not three hours after it.
The five triggers are how you do that without burning yourself out trying to be slow all the time. They are not a discipline of constant vigilance. They are a small set of conditions in which you have agreed, in advance, that the fast version of the answer is not good enough.
What Comes Next
If this post has done its job, the next time you reach the end of a long shift and one last ticket lands, you will hear a different question in your head. Not "can I close this and go home?" but "which system is about to close this ticket, and is it the right one for the job?"
This piece is part of the Analyst Framework series on The Analyst Mind. The series builds the cognitive toolkit a SOC analyst actually needs, one principle at a time. The biases that distort fast thinking. The questions that structure an investigation. The competing hypotheses that test your reasoning. The deliberate pause that catches what you almost missed. The moments where AI augmentation quietly becomes correlated error. Stay tuned.