Field

I rewrote the alert pipeline this month

Notes from the systems side. Why the old version drowned us in noise and what we replaced it with.

2026-04-14, by Mateo Reis, 2 min read

Old pipeline: 200+ raw signals per day across all clients.

Most of them noise. Routine domain registrations that turned out not to be typosquats. Data broker entries already on our removal queue. Breach indicators duplicating earlier dumps. The team was spending hours on triage that should have been automated upstream.

New pipeline: model-based triage layer.

I built a small classification model that scores each signal on probability of being member-relevant before it hits the team's queue. Trained on six months of triage decisions. The output: about 35 signals per day across all clients reach a human, down from 200+.

What you'd notice as a member.

Briefs are tighter. Real-time alerts on Cover and Standing tiers are sharper. Fewer of them, higher quality. The team has more time for the 60-second judgement call.