Detection Duplication Is a Quiet Budget Problem

Duplication rarely arrives as copy-paste. It arrives as overlapping intent—two teams solving similar risk with different syntax. Audits should begin with intent clusters, not string matches. Group rules by scenario, then score operational cost: alert volume, false-positive history, and maintenance owners.

Once grouped, assign a neutral facilitator who has not authored the rules. Facilitators summarize overlaps in plain language and invite authors to propose merges or boundaries. The output is a decision record, not a winner-takes-all debate.

We recommend pairing audits with a temporary freeze on new near-duplicate scenarios unless a gap analysis proves distinct coverage. Freezes sound harsh; they are kinder than unbounded queue growth.

Close the loop with analysts. If merges ship, measure rework for two sprints. If rework drops, celebrate the authors who retired noise. If rework rises, roll back surgically and document why. Activity logs love honest reversals more than silent drift.