Security Teams Are Fighting the Wrong DDoS: The One Happening in Their Heads

Security teams have spent years trying to reduce alert fatigue, but the real bottleneck isn’t tooling; it is the human brain’s inability to process the volume of information being thrown at it.

In this article:

  • Why alert fatigue is a cognitive problem, not just a tooling problem
  • What “critical ignoring” means for SOC operations
  • How Schwartau’s “mental immune system” concept changes security thinking

Security teams have spent years trying to reduce alert fatigue. More tooling. Better correlation. Smarter detection. Now AI. And yet the problem hasn’t gone away, because the real issue was never just the volume of alerts, but the volume of information hitting the human brain.

Winn Schwartau believes we are effectively DDoSing ourselves.

That idea was the focus of a recent webcast and previously surfaced in his BSides London talk, where he argued that our “cognitive infrastructure is under attack” and that the next mandate for cybersecurity is to “strengthen and defend the human mental immune system.”

Security teams are trying to analyze everything. That, Schwartau says, is the failure point.

Watch or listen to the full episode with Winn:

CYBR.HAK.CAST Episode 13: Winn Schwartau
Winn Schwartau argues that the biggest threat facing defenders isn’t just technical, but cognitive: overwhelming information flows that push humans into “mental DDoS.” He has introduced the concept of “critical ignoring” as a prerequisite to critical thinking.

Critical thinking is not the first step

The industry loves to talk about critical thinking: Train analysts. Improve investigations. Think deeper. Schwartau says that’s backwards. Critical thinking is not step one. It’s step two. Step one is critical ignoring.

That aligns directly with his broader MetaWar thesis: humans are overwhelmed by “TMI, algorithms, and digital addiction” that shape perception and behavior.

If everything gets through, the system breaks. That’s not a skills gap. It’s a systems failure.

SOCs already know this, just not explicitly

Security operations have been trying to solve this problem for years:

  • SIEM tuning
  • Detection engineering
  • SOAR workflows
  • AI SOC platforms

All of it is about reducing input. AI is now exposing the truth. It doesn’t just reduce alerts, it pre-processes them, enriches them, and filters them before humans ever see them.

Without that, analysts are operating without a functional “mental immune system,” Schwartau says.

The failure mode is predictable

When cognitive load exceeds capacity, the system breaks:

  • Analysts ignore alerts
  • Important signals get missed
  • Teams default to shortcuts
  • Burnout accelerates

Schwartau’s BSides framing made this clearer: the problem isn’t just technical overload—it’s biological and cognitive limits being exceeded. You cannot “train” your way out of that.

From cyber systems to cognitive systems

This is where Schwartau’s work has evolved.

  • Time-Based Security: defend within time constraints
  • MetaWar: defend perception, identity, and belief

MetaWar, as he defines it, is “the battle for control over one’s belief systems, identity, and sense of reality.”

That battle starts with attention, and attention is finite.

What this means for security leaders

If you’re still treating alert fatigue as a tooling problem, you’re behind.

This is a cognitive systems problem. The goal is not to see everything. The goal is to ignore most things, intentionally and safely. That means:

  • Designing detection with human limits in mind
  • Measuring reduction, not visibility
  • Treating attention as a constrained resource

AI helps—but only if it reduces cognitive load. Otherwise, it just accelerates the overload.
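One way to make “measuring reduction, not visibility” and “attention as a constrained resource” concrete, as an added example that is not from the article or from Schwartau’s work: a small Python triage stage that suppresses known-benign rules, collapses duplicates, caps what reaches humans at an explicit attention budget, and reports how much was kept away from analysts rather than how much was seen. The alert records, rule names, hosts and budget are constructed for illustration; deferred alerts are kept, not discarded, which is what makes the ignoring “safe”.

```python
from collections import OrderedDict

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}

# Constructed sample alerts for illustration only; not real telemetry.
SAMPLE_ALERTS = [
    {"rule": "brute_force_login", "host": "web-01", "severity": "high"},
    {"rule": "brute_force_login", "host": "web-01", "severity": "high"},  # duplicate
    {"rule": "brute_force_login", "host": "web-01", "severity": "high"},  # duplicate
    {"rule": "av_signature_update", "host": "ws-17", "severity": "low"},  # known benign
    {"rule": "new_admin_account", "host": "dc-01", "severity": "critical"},
    {"rule": "port_scan", "host": "fw-edge", "severity": "medium"},
    {"rule": "port_scan", "host": "fw-edge", "severity": "medium"},  # duplicate
    {"rule": "outbound_dns_tunnel", "host": "ws-22", "severity": "high"},
    {"rule": "usb_device_inserted", "host": "ws-05", "severity": "low"},
]

# Rules an analyst has decided to ignore intentionally (constructed list).
SUPPRESSED_RULES = {"av_signature_update"}


def triage(alerts, budget, suppressed=SUPPRESSED_RULES):
    """Return (queue for humans, deferred alerts, reduction stats).

    `budget` is the attention budget: the maximum number of distinct
    alerts handed to people in this window. Everything else is either
    suppressed, folded into a duplicate's count, or deferred (still
    recorded, so nothing is silently lost).
    """
    stats = {"received": len(alerts), "suppressed": 0, "deduplicated": 0}
    unique = OrderedDict()  # (rule, host) -> first alert, with a hit count
    for alert in alerts:
        if alert["rule"] in suppressed:
            stats["suppressed"] += 1
            continue
        key = (alert["rule"], alert["host"])
        if key in unique:
            unique[key]["count"] += 1
            stats["deduplicated"] += 1
            continue
        unique[key] = dict(alert, count=1)
    # Highest severity first; ties keep arrival order (sorted is stable).
    ranked = sorted(unique.values(), key=lambda a: -SEVERITY_RANK[a["severity"]])
    queue, deferred = ranked[:budget], ranked[budget:]
    stats["delivered"] = len(queue)
    stats["deferred"] = len(deferred)
    # The metric leaders should track: share of input that never reached a human.
    stats["reduction"] = 1 - len(queue) / len(alerts) if alerts else 0.0
    return queue, deferred, stats
```

With the sample data and a budget of 3, nine raw alerts become three for humans (a reduction of roughly 67%), with two deferred and the rest suppressed or folded into counts.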

What it means to you

Security teams aren’t failing because they lack visibility but because they have too much of it. The next phase of security isn’t better detection, but building systems that protect the human brain from overload—so it can actually think.
