
MTTD and MTTR: Security Metrics Explained

April 9, 2026

Key takeaways:

Mean time to detect (MTTD) and mean time to respond (MTTR) measure how quickly security teams spot and resolve incidents. MTTD tracks the gap between an attack starting and the team identifying it; MTTR measures the window from detection to full containment. IBM's 2025 data shows organizations using AI and automation cut their breach lifecycle by 80 days and saved $1.9 million per incident, making both metrics direct levers for reducing financial and operational damage.

What Are MTTD and MTTR?

Mean time to detect (MTTD) and mean time to respond (MTTR) are incident response metrics that measure how quickly an organization identifies and resolves security threats.

  • MTTD tracks the average time between a security incident starting and the team detecting it.
  • MTTR measures the time from detection to full containment and remediation.

Together, these metrics gauge SOC and overall security effectiveness and directly correlate with breach cost reduction.

Both metrics sit at the center of how security operations teams measure performance. A low MTTD means threats are often spotted before attackers can move laterally, establish persistence, or even encrypt or exfiltrate data. A low MTTR means the window between "we know about it" and "it's contained" stays narrow. The two metrics work in sequence: MTTD covers the time an attacker spends undetected, while MTTR covers the time the security team spends fighting back.

Mean Time to Detect (MTTD)

MTTD measures the average duration between the moment a security incident begins and the moment the organization's monitoring systems or analysts identify it. The clock starts when the attacker gains initial access and takes a malicious action, whether that's malware deployment, credential theft, or lateral movement. The clock stops when a detection system fires an alert that a human analyst confirms as a real threat.

Detection speed depends on several factors:

  1. The quality of monitoring coverage
  2. The signal-to-noise ratio in alert pipelines
  3. Whether detection rules map to actual attacker behavior

Organizations that rely solely on signature-based malware detection tend to have higher MTTD because novel attack techniques bypass predefined rules. Behavioral analytics and AI-powered detection tools bring MTTD down by flagging anomalies that rule-based systems miss.

MTTD and "dwell time" are closely related. Dwell time refers to the total period an attacker remains inside a network without being discovered. Mandiant's M-Trends 2025 report places median dwell time at 11 days globally, though individual incidents range from hours to months depending on the attack type and the organization's detection maturity.

Mean Time to Respond (MTTR)

MTTR measures the average time from when a security team confirms an incident to when the threat is fully contained and remediated. The acronym carries multiple meanings across industries, including mean time to respond, repair, recover, or resolve. In cybersecurity, MTTR most commonly refers to mean time to respond or mean time to remediate, covering the entire response lifecycle from triage through containment and recovery.

Response time depends on a number of factors beyond just detection. Incident response playbook maturity, automation coverage, security and IT team staffing, and whether investigation tools provide sufficient context all shape how quickly analysts are able to respond to and close an incident.

MTTD vs. MTTR: Key Differences

These two metrics cover adjacent but distinct phases of the incident lifecycle. Optimizing one while ignoring the other creates gaps that attackers can exploit.

| Attribute | MTTD | MTTR |
|---|---|---|
| Full name | Mean Time to Detect | Mean Time to Respond |
| What it measures | Time from incident start to detection | Time from detection to full remediation |
| Clock starts | When the attacker gains access or malicious activity begins | When the security team confirms the incident |
| Clock stops | When monitoring systems or analysts identify the threat | When the threat is contained, eradicated, and systems recovered |
| Improvement focus | Monitoring coverage, detection rules, behavioral analytics, signal-to-noise ratio | Playbook maturity, automation, investigation tooling, team coordination |
| Primary tools | SIEM, XDR, NDR, UEBA, threat intelligence | SOAR, incident response platforms, forensic tools, ticketing systems |
| SOC benchmark (SANS top quartile) | Under 60 minutes (top 25%) | Two to four hours (operational target) |

The relationship between the two is sequential, not parallel. A fast MTTR cannot compensate for a slow MTTD because the damage accrues during the detection gap. An organization that detects a breach in 150 days but contains it in 2 hours still suffers 150 days of attacker activity. Improving MTTD first reduces the total damage window; improving MTTR then compresses the recovery period.

How Do You Calculate MTTD and MTTR?

Both metrics use straightforward averages. The formulas look simple, but the measurement discipline behind them matters more than the math itself.

MTTD = Total detection time for all incidents ÷ Number of incidents

MTTR = Total resolution time for all incidents ÷ Number of incidents

Organizations typically calculate these metrics monthly or quarterly to spot trends. A single outlier, such as an advanced persistent threat that goes undetected for six months, can skew the average dramatically. That distortion is why some teams track median values alongside the mean.

MTTD Calculation Example

A security team handles five incidents in a quarter. The detection times break down as follows: Incident A was caught in two hours, Incident B in eight hours, Incident C in 45 minutes, Incident D in 72 hours, and Incident E in six hours. Total detection time is 88.75 hours across five incidents, producing an MTTD of 17.75 hours. That average looks reasonable until Incident D, a slow-burning insider threat that evaded detection for three days, gets examined on its own.

Outliers like Incident D reveal detection blind spots that averages can hide.

MTTR Calculation Example

Using those same five incidents: response and remediation took one hour, four hours, 30 minutes, 48 hours, and three hours respectively. Total resolution time is 56.5 hours, yielding an MTTR of 11.3 hours. Here again, Incident D dominates the average. Breaking MTTR into subcomponents (time to triage, time to contain, time to eradicate, time to recover) provides a clearer picture of where the bottleneck sits. For most teams, the investigation and root cause analysis phase consumes the largest share of MTTR.

Why Do MTTD and MTTR Matter in Cybersecurity?

Detection and response speed translate directly into dollars. IBM's 2025 Cost of a Data Breach Report found that organizations using AI and automation extensively shortened their breach lifecycle by 80 days and reduced average costs by $1.9 million compared to those without. That financial gap explains why CISOs and boards track these metrics closely.

Regulatory pressure adds urgency to organizations developing MTTD and MTTR strategies. The SEC's cybersecurity disclosure rules require public companies to report material incidents within four business days of determining materiality. Organizations with slow detection, where MTTD stretches into weeks or months, face the compounded risk of both a larger breach and a compressed reporting window once the incident is finally discovered.

Insider threats present a particularly stubborn MTTD challenge. Unlike external attacks that often trigger network-level alerts, patterns of insider data theft unfold gradually through authorized access channels. The Ponemon Institute's 2026 Cost of Insider Risks report found that insider incidents take an average of 67 days to contain at a cost of $19.5 million per year per organization. Non-malicious insiders account for the majority of these incidents, making behavioral detection and data lineage capabilities critical for catching threats that signature-based tools miss entirely.

Cyber insurance underwriters are increasingly requesting MTTD and MTTR data during the application process. Consistent improvement in both metrics provides quantifiable evidence of security program maturity, which can lower premiums and strengthen coverage terms.

Insider threats drive some of the longest detection times in cybersecurity. Download the O'Reilly Guide to Proactive Data Security for a framework that moves from reactive alerting to early detection of risky insider behavior.

How MTTD and MTTR Fit With Other Incident Response Metrics

Security operations teams track dozens of performance indicators, but MTTD and MTTR alone do not capture the full incident lifecycle. Several related metrics fill in the gaps between detection, acknowledgment, containment, and recovery.

MTTA, MTTC, and Beyond

| Metric | Full Name | What It Measures | Typical Benchmark |
|---|---|---|---|
| MTTD | Mean Time to Detect | Incident start → detection | Under 60 min (SANS top 25%) |
| MTTA | Mean Time to Acknowledge | Detection → analyst begins investigation | Under 15 minutes |
| MTTC | Mean Time to Contain | Detection → threat isolated | 1 – 4 hours (varies by severity) |
| MTTR | Mean Time to Respond/Resolve | Detection → full remediation | 2 – 4 hours (operational target) |
| MTBF | Mean Time Between Failures | Time between consecutive incidents | Varies by environment |
| MTTF | Mean Time to Failure | Time until first failure occurs | Primarily used in reliability engineering |

MTTA (Mean Time to Acknowledge) is gaining attention because it captures the dead time between an alert firing and an analyst picking it up. High MTTA often points to alert fatigue or understaffed SOCs. The SANS Institute's 2025 survey found that 73% of security teams cite false positives as their primary detection challenge, which directly inflates MTTA by burying real threats in noise.

MTTC (Mean Time to Contain) sits between detection and full remediation. Some organizations prefer MTTC over MTTR because containment, the act of isolating affected systems to stop the bleeding, matters more immediately than the longer eradication and recovery work that MTTR includes.
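The calculation examples above and the MTTA/MTTC table can be reproduced from one incident timeline. This added example is not from the article or any vendor product: it records constructed timestamps for the article's five incidents (detection and response figures match the article; the acknowledge and contain offsets are assumed), then derives MTTD, MTTA, MTTC and MTTR as both mean and median and splits MTTR into phases so the outlier and the bottleneck become visible.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, median


@dataclass
class Incident:
    """One incident timeline (UTC timestamps)."""
    name: str
    started: datetime       # attacker's first malicious action: MTTD clock starts
    detected: datetime      # alert confirmed as a real threat: MTTD stops, MTTR starts
    acknowledged: datetime  # analyst picks the alert up: MTTA stops
    contained: datetime     # affected systems isolated: MTTC stops
    recovered: datetime     # eradication and recovery complete: MTTR stops


H = timedelta(hours=1)
SPANS = {"MTTD": ("started", "detected"), "MTTA": ("detected", "acknowledged"),
         "MTTC": ("detected", "contained"), "MTTR": ("detected", "recovered")}
PHASES = {"triage": ("detected", "acknowledged"), "containment": ("acknowledged", "contained"),
          "eradication_recovery": ("contained", "recovered")}


def interval_hours(incidents, start_attr, end_attr):
    """Per-incident hours between two timeline fields."""
    return [(getattr(i, end_attr) - getattr(i, start_attr)).total_seconds() / 3600
            for i in incidents]


def summarize(incidents):
    """Mean and median (hours) per metric; the median resists outliers like Incident D."""
    out = {}
    for metric, (a, b) in SPANS.items():
        values = interval_hours(incidents, a, b)
        out[metric] = {"mean": round(mean(values), 2), "median": round(median(values), 2)}
    return out


def mttr_phases(incidents):
    """Split MTTR into mean hours per phase to locate the bottleneck."""
    return {p: round(mean(interval_hours(incidents, a, b)), 2) for p, (a, b) in PHASES.items()}


def build_example():
    """Constructed timelines for the article's incidents A-E (detection 2h, 8h, 45min, 72h, 6h;
    response 1h, 4h, 30min, 48h, 3h). Acknowledge/contain offsets are assumed for illustration."""
    t0 = datetime(2026, 1, 5, 9, 0)
    rows = [("A", 2, 0.1, 0.5, 1), ("B", 8, 0.25, 2, 4), ("C", 0.75, 0.05, 0.25, 0.5),
            ("D", 72, 2, 24, 48), ("E", 6, 0.2, 1.5, 3)]  # name, detect, ack, contain, respond
    incidents = []
    for name, det, ack, con, rsp in rows:
        d = t0 + det * H  # detect offset counts from start; the others count from detection
        incidents.append(Incident(name, t0, d, d + ack * H, d + con * H, d + rsp * H))
    return incidents


if __name__ == "__main__":
    sample = build_example()
    for metric, stats in summarize(sample).items():
        print(f"{metric}: mean {stats['mean']}h, median {stats['median']}h")
    print("MTTR by phase (mean hours):", mttr_phases(sample))
```

With these inputs the MTTD mean is 17.75 h but the median is 6 h, and the MTTR mean of 11.3 h is dominated by the containment and recovery phases of Incident D.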

How To Reduce MTTD and MTTR

Improving both metrics requires addressing different parts of the incident lifecycle. Detection work centers on expanding coverage and improving signal quality; response work centers on process maturity and removing manual bottlenecks.

Strategies To Lower MTTD

  • Expand detection coverage with behavioral analytics. Rule-based SIEM alerts catch known patterns, but behavioral analytics tools flag deviations from normal activity, such as unusual data access patterns, abnormal login times, and unexpected file movements. This matters most for catching insider threats and novel attack techniques that bypass signature-based detection.
  • Reduce false positive volume. Every false alert competes for analyst attention. When 73% of SOC teams report false positives as their top challenge (per the SANS 2025 survey), the real threats get buried. Tuning correlation rules, applying AI-powered alert scoring, and suppressing known-benign patterns directly compresses MTTD by surfacing genuine threats faster.
  • Ingest external threat intelligence. External threat intelligence (e.g. indicators of compromise, malicious IP ranges, malware hashes) gives detection systems a head start on known threats. Automated ingestion into SIEM and XDR platforms reduces the time between a threat appearing in the wild and an organization's ability to detect it.

Strategies To Lower MTTR

  • Automate containment for high-confidence threats. SOAR platforms can isolate compromised endpoints, disable user accounts, and block malicious IP addresses within seconds of a confirmed alert.
  • Build and drill incident response playbooks. Documented, severity-tiered playbooks remove decision-making delays during high-pressure incidents. Tabletop exercises test whether the playbooks work under simulated conditions and reveal coordination failures between teams.
  • Consolidate investigation tools. Analysts who must switch between five or six separate consoles to investigate a single incident lose time on context-switching rather than analysis. Unified platforms that combine alert data, user behavior, and data lineage in a single interface compress the investigation phase of MTTR. Cyberhaven's AI & Data Security Platform provides this kind of consolidated visibility, tracing data flows from origin through every copy and transformation so analysts spend less time reconstructing what happened.
  • Conduct post-incident reviews. Every closed incident generates data that can improve the next response. Tracking which playbook steps took the longest, where handoffs stalled, and what information analysts lacked creates a feedback loop that systematically reduces MTTR over time.

As AI-generated code and autonomous agents accelerate how data moves through organizations, the speed gap between attackers and defenders will keep widening. Organizations that treat MTTD and MTTR as standing KPIs, measured continuously and tied to concrete improvement plans, position themselves to adapt faster than those relying on periodic assessments. The NIST Cybersecurity Framework maps both metrics directly to its Detect and Respond functions, providing a structured starting point for organizations building or maturing their measurement programs.

For a closer look at how data lineage technology accelerates investigation and cuts response times, read the Data Lineage: Next-Gen Data Security Guide.

Frequently Asked Questions

What Is the Difference Between MTTD and MTTR?

Mean Time to Detect (MTTD) measures the average time between a security incident beginning and the security team identifying it. Mean Time to Respond (MTTR) measures the average time from detection to full containment and remediation. MTTD evaluates monitoring and detection effectiveness, while MTTR gauges the efficiency of incident response processes. The two metrics are sequential: MTTD covers the attacker's undetected activity, and MTTR covers the defender's response.

How Are MTTD and MTTR Calculated?

MTTD is calculated by adding the total detection time for all incidents in a period and dividing by the number of incidents. MTTR uses the same approach: total resolution time divided by incident count. For example, if five incidents took a combined 50 hours to detect, the MTTD is 10 hours per incident. Many teams also track median values to avoid distortion from outliers such as advanced persistent threats with months-long dwell times.

What Is a Good MTTD Benchmark in Cybersecurity?

The SANS 2023 Incident Response Survey found that the top 25% of organizations detect incidents within 60 minutes, and more than half detect within five hours. At the macro level, IBM's 2025 Cost of a Data Breach Report found organizations averaged 158 days to identify breaches, the lowest in nine years. The gap between SOC-level benchmarks (hours) and breach-level statistics (months) reflects the difference between detecting real-time alerts and discovering slow, stealthy intrusions that evade initial monitoring.

How Does AI Reduce MTTD and MTTR?

AI-powered security tools reduce MTTD by correlating alerts across data sources, flagging behavioral anomalies, and suppressing false positives that bury real threats. For MTTR, AI automates triage, generates investigation summaries, and recommends response actions. According to IBM's 2025 report, organizations using AI and automation extensively shortened their breach lifecycle by 80 days and saved $1.9 million per incident compared to those without AI.

What Is Dwell Time and How Does It Relate to MTTD?

Dwell time is the total duration an attacker remains undetected inside a compromised network. MTTD directly measures detection speed, so reducing MTTD shrinks attacker dwell time. Mandiant's M-Trends 2025 report places median dwell time at 11 days globally. That figure has held roughly steady for two years, but the speed of lateral movement after initial access continues to accelerate, making every hour of detection delay more consequential.