Reducing False Positives (~55%) for a Security Solutions Provider with a Computer Vision Platform

Discovery and Use Case Prioritization

We began with a structured 4-week discovery sprint to align the CV solution with real incident patterns and operator needs.

• Collaborated with site operations leaders and three representative end customers to document the highest risk security scenarios, current response workflows, and recurring failure points.
• Reviewed 90 days of incident history and monitoring logs to identify where manual observation broke down, such as alert fatigue, blind spots, and inconsistent escalation.
• Defined an initial pilot cohort of 450 cameras across 12 sites to cover varied environments, including corridors, loading bays, parking lots, lobbies, and high-value zones, for training, validation, and operational tuning.

Data Pipeline, Curation, and Annotation

The client had petabytes of archived video, but it was not labeled in a way that supported reliable model training. We set up a scalable data pipeline focused on quality, coverage, and repeatability.

• Curated clips that represented both normal activity and edge cases, including night shifts, rain, glare, and uneven lighting.
• Built balanced datasets with positive and negative samples so models learned fine distinctions, such as escorted visitors versus true tailgating.
• Labeled the dataset with a clear taxonomy to support multiple detection and analytics needs:
  • People, vehicles, and key objects
  • PPE items such as helmets and high-visibility vests
  • Zones of interest, such as restricted areas, exits, fence lines, and parking slots
  • Interaction events such as entry into a secure zone, PPE violation in a PPE zone, abandoned object, and multiple people through a single access event
• Enforced a two-stage quality assurance workflow to keep label consistency high and reach agreement levels above 98 percent on the most critical classes.

CV Model Stack and Use Case Design

Using the curated labels, we implemented a modular computer vision model stack, trained and tuned per use case, so performance stayed consistent across site layouts.

• Object and person detection: Deployed a custom-trained detector based on a modern YOLO family architecture to detect people, vehicles, PPE, and everyday security-relevant objects.
• Multi-camera tracking: Added a tracking layer that combined a YOLOv8-based detector with a DeepSORT-style multi-object tracker to maintain identity across frames and support handoffs across cameras within a site.
• Zone and behavior analytics: Built rule logic and lightweight micro models on top of detection and tracking to interpret behaviors, including:
• Perimeter breach when a person crosses a defined virtual boundary
• Tailgating when detected entry counts exceed authorized limits
• Loitering using dwell time thresholds in sensitive zones
• Abandoned object when an item remains after the linked person leaves the scene
• Anomaly detection for unknown patterns: For complex areas with variable motion flows, we introduced an unsupervised anomaly component that learned normal behavior over time and flagged deviations.

Hybrid Edge and Cloud Architecture

To keep latency low and avoid streaming raw video to the cloud, we processed footage on site and sent only event data upstream.

• Edge inference: Containerized models run on NVIDIA Jetson devices at each site to ingest camera feeds and collect short evidence clips.
• AWS control plane: Central services ran on Amazon EKS, with Amazon RDS/DynamoDB for config and event metadata, and Amazon S3 for secure media storage.
• Resilience + bandwidth: Edge nodes kept running during outages, buffered critical events locally, and used adaptive streaming and event batching to stay within bandwidth limits.

All events and settings were made available through secure APIs and role-based dashboards for SOC teams and admins.

SOC Workflow and Operator Experience Optimization

The goal was not just detection accuracy, but faster, clearer decisions for security teams.

• Scored each event by risk using factors such as zone criticality, time window, and event type so operators could prioritize high-impact alerts first.
• Reduced noise by correlating and merging related detections, such as the same person loitering across adjacent cameras, into a single incident thread.
• Enabled customer-facing reporting through Amazon QuickSight and scheduled exports (PDF/CSV) generated from S3 and the operational databases for audits and compliance.

Continuous Learning, Monitoring, and Governance

To keep performance stable at scale, we operationalized the full lifecycle from monitoring to retraining and controlled rollouts.

• Implemented SageMaker-based MLOps pipelines for retraining and controlled deployments.
• Monitored live metrics using CloudWatch and Prometheus with Grafana dashboards to track drift, false positives, and missed detections.
• Fed exceptions back into a review loop where missed incidents and noisy alerts were selected for reannotation, then included in periodic retraining cycles.