We calculated how much time teams waste triaging security false positives. The number is insane.
Summary: Development teams found that security alert fatigue leads engineers to waste large amounts of time and resources. Through quantitative analysis, a mid-sized team may spend 850 hours per month handling useless alerts, wasting roughly $1M per year. To address this, the team built a calculator to estimate the losses for teams of different sizes and released the tool publicly to help other developers.

2026-3-11 16:57:57 Author: www.reddit.com

When we were building security tooling we started digging into a problem most dev teams complain about:

Security alert fatigue.

Most vulnerability scanners produce huge volumes of alerts, and engineers end up spending a lot of time figuring out which ones actually matter.

So we tried to quantify it.

Based on industry averages:

  • ~10 minutes spent triaging each alert

  • dozens of scans per month

  • multiple engineers involved in the process

For a mid-sized engineering team the numbers start looking pretty wild.

For example:

A team of 30 engineers running ~50 security scans per month could spend roughly:

• 850 hours per month dealing with vulnerability noise
• $85k/month in engineering time
• ~$1M/year in wasted effort
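The post gives the headline figures but not every input behind them. The small estimator below is an added example (not the authors' calculator at kolega.dev) that makes the implied parameters explicit: it takes scans per month, alerts per scan, minutes per alert and an hourly rate, and can also back-solve what alert volume and hourly rate the quoted 850 hours and $85k imply. The alerts-per-scan figure (~102) and the $100/hour rate are assumptions derived from the post's numbers, not values the post states; the "suppressed fraction" input models the payoff of deduplication or reachability filtering and is likewise an assumption.

```python
from dataclasses import dataclass


@dataclass
class NoiseTaxInputs:
    """Inputs to the triage-cost model. Defaults marked 'assumed' are not from the post."""
    scans_per_month: int
    alerts_per_scan: float            # assumed; back-solved from the post's 850 h/month
    engineers: int = 30               # team size quoted in the post
    minutes_per_alert: float = 10.0   # industry-average figure quoted in the post
    hourly_rate_usd: float = 100.0    # assumed; implied by $85k/month for 850 hours


def triage_hours_per_month(i: NoiseTaxInputs) -> float:
    """Total engineering hours spent triaging alerts each month."""
    return i.scans_per_month * i.alerts_per_scan * i.minutes_per_alert / 60.0


def hours_per_engineer(i: NoiseTaxInputs) -> float:
    """Average monthly triage load per engineer, assuming work is spread evenly."""
    return triage_hours_per_month(i) / i.engineers


def noise_tax(i: NoiseTaxInputs) -> dict:
    """Hours and dollar cost of alert triage per month and per year."""
    hours = triage_hours_per_month(i)
    monthly = hours * i.hourly_rate_usd
    return {
        "hours_per_month": hours,
        "usd_per_month": monthly,
        "usd_per_year": monthly * 12,
    }


def hours_saved(i: NoiseTaxInputs, suppressed_fraction: float) -> float:
    """Monthly hours recovered if a fraction of alerts never reach a human
    (e.g. deduplicated or filtered by reachability analysis). Assumes the
    suppressed alerts would otherwise have cost the full per-alert triage time."""
    if not 0.0 <= suppressed_fraction <= 1.0:
        raise ValueError("suppressed_fraction must be between 0 and 1")
    return triage_hours_per_month(i) * suppressed_fraction


def implied_alerts_per_scan(hours_per_month: float, scans_per_month: int,
                            minutes_per_alert: float = 10.0) -> float:
    """Back-solve the alert volume that a stated monthly hour count implies."""
    return hours_per_month * 60.0 / (scans_per_month * minutes_per_alert)


def implied_hourly_rate(usd_per_month: float, hours_per_month: float) -> float:
    """Back-solve the loaded hourly rate behind a stated monthly cost."""
    return usd_per_month / hours_per_month


if __name__ == "__main__":
    # Reproduce the post's scenario: 30 engineers, ~50 scans/month, 850 hours.
    alerts = implied_alerts_per_scan(850, 50)      # 102 alerts per scan (derived)
    rate = implied_hourly_rate(85_000, 850)        # $100/hour (derived)
    team = NoiseTaxInputs(scans_per_month=50, alerts_per_scan=alerts,
                          hourly_rate_usd=rate)
    print("implied alerts/scan:", alerts, " implied $/hour:", rate)
    print("noise tax:", noise_tax(team))
    print("hours per engineer per month: %.1f" % hours_per_engineer(team))
    for frac in (0.25, 0.50, 0.75):
        print("suppress %.0f%% of alerts -> save %.0f h/month"
              % (frac * 100, hours_saved(team, frac)))
```

Running it shows that the post's figures are consistent with roughly 100 alerts per scan at $100/hour, and that each engineer on a 30-person team absorbs about 28 hours of triage a month under those assumptions; the suppression rows give a quick way to express what a filtering improvement is worth in hours before arguing about dollars.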

We ended up building a small calculator to estimate this for different team sizes.

You can try it here if you're curious:
https://kolega.dev/noise-tax-calculator

It was originally something we built internally while working on automated remediation tooling, but the numbers were interesting enough that we decided to publish it.

Curious what people's experience has been with vulnerability alert fatigue.

  • Do your scanners produce lots of false positives?

  • Or has tooling improved recently?


Article source: https://www.reddit.com/r/blackhat/comments/1rqzcwk/we_calculated_how_much_time_teams_waste_triaging/