# Mean Time to Detect (MTTD)
Mean Time to Detect (MTTD) is the average elapsed time between the moment a security incident begins and the moment an organization's security operations team identifies it. The metric exists because adversary dwell time is a direct multiplier of breach damage: every hour an attacker operates inside a network unchallenged is an hour spent exfiltrating data, escalating privileges, moving laterally, and staging destructive payloads. MTTD gives security leaders a single, repeatable number that reflects the organization's actual detection capability, not its theoretical one. Without that number, security investment decisions rest on assumptions rather than evidence. MTTD is not a vanity metric; it is an operational pressure gauge that tells the SOC whether its detection program is improving, degrading, or stagnant over time.
---
## Definition and Scope
Mean Time to Detect (MTTD) is a time-based security operations metric defined as the arithmetic mean of all detection intervals measured across a specified population of confirmed security incidents within a defined period. A detection interval begins at the earliest confirmed moment of malicious activity (initial access, first command execution, or the earliest attacker-controlled indicator that can be reconstructed in post-incident analysis) and ends at the moment the security operations center formally identifies the incident as a security event requiring response.
MTTD is not the same as Mean Time to Respond (MTTR), which measures the interval from detection to containment or resolution. Confusing the two is common and consequential: an organization can have a low MTTD and a catastrophic MTTR, meaning it sees threats quickly but responds slowly. MTTD is also distinct from alert latency, which only measures the delay between an event occurring and an alert firing in a SIEM or detection platform. Alert latency does not account for the time elapsed before any detectable signal was generated.
The metric serves as a proxy for detection program effectiveness across three critical dimensions: coverage (whether detection rules and monitoring exist for attacker techniques), sensitivity (whether detection thresholds allow early-stage activity to trigger alerts), and operational maturity (whether the SOC processes incidents quickly once detection occurs). Organizations with mature detection programs typically achieve MTTD measurements in hours or days. Organizations with immature programs measure MTTD in weeks or months, often discovering breaches only through external notification from law enforcement, security researchers, or business partners.
MTTD does not measure the quality of a detection, only its speed. An organization can detect an incident quickly and still misclassify it, escalate it incorrectly, or lose critical forensic evidence through poor handling. MTTD must therefore be read alongside metrics that measure detection fidelity, such as false positive rate and analyst escalation accuracy. The goal is fast, accurate detection, not just fast detection.
---
## How It Works
### The Calculation Framework
MTTD calculation requires four foundational elements: a complete inventory of confirmed security incidents, forensically accurate start times for each incident, consistently recorded detection times, and standardized incident classification. Without these elements, MTTD measurements are statistically meaningless.
The formula itself is straightforward: sum the detection intervals for all confirmed incidents in the measurement period, then divide by the total number of incidents. If fifteen incidents occurred in a quarter with detection intervals totaling 1,350 hours, the MTTD is 90 hours. The complexity lies entirely in establishing accurate timestamps for each interval endpoint.
### Establishing Incident Start Times
The start of the detection interval is the earliest confirmed moment of attacker activity, determined through forensic reconstruction rather than initial alert timestamps. Most successful intrusions generate logged activity for substantial periods before triggering automated detection. Establishing the true start time requires analysts to work backward from the detection point using available telemetry: Windows Event Logs, EDR process execution records, DNS queries, authentication logs, file system timestamps, and network flow data.
This reconstruction process reveals the true scope of adversary dwell time. A SIEM alert may fire at 3:00 PM on Tuesday when an attacker moves laterally to a domain controller, but forensic analysis might reveal that the same attacker established initial access through a phishing email at 9:00 AM on Monday. The detection interval for MTTD purposes is 30 hours, not zero.
Organizations that record alert creation time as incident start time systematically undercount their MTTD by days or weeks. This error makes detection programs appear more effective than they actually are, preventing teams from understanding their true exposure window.
### Defining Detection Endpoints
The end of the detection interval requires an organizationally consistent definition of "detection." Is it when the SIEM creates an alert? When an analyst opens the ticket? When the incident is escalated to a response team? When containment begins? Each choice produces different MTTD values for the same incident.
Most mature organizations define detection as the moment the SOC formally acknowledges an incident and assigns it for investigation. This definition captures both automated detection (the alert fires) and human validation (an analyst confirms it requires action). Organizations must enforce this definition consistently in their ticketing systems and document exceptions when they occur.
### Detection Source Segmentation
Raw MTTD averages obscure the operational intelligence that security leaders need to make investment decisions. Segmenting MTTD by detection source reveals which mechanisms are performing effectively and which represent coverage gaps. The three primary detection sources are automated alerting (SIEM rules, EDR detections, network monitoring), proactive threat hunting (analyst-driven investigation), and external notification (third-party disclosure, law enforcement contact, vendor notification).
High-performing detection programs show dramatically different MTTD by source. Automated alerting might achieve 2-hour MTTD for commodity malware and credential stuffing attacks. Threat hunting might achieve 48-hour MTTD for advanced persistent threat activity that evades automated detection. External notification might show 30-day MTTD for supply chain compromises or insider threats. Each pattern tells the security team where their detection investments are working and where gaps exist.
### ATT&CK Tactic Mapping
Segmenting MTTD by MITRE ATT&CK tactics provides tactical guidance for detection engineering teams. Organizations frequently discover that their MTTD for Initial Access is measured in hours while their MTTD for Lateral Movement is measured in weeks. This pattern indicates that perimeter detection is functioning but internal monitoring is insufficient.
The most operationally valuable MTTD segments are Initial Access (phishing, exploitation, supply chain), Persistence (backdoor installation, scheduled tasks, registry modification), Lateral Movement (credential reuse, remote service access, administrative share usage), and Exfiltration (large data transfers, external communication, cloud storage uploads). Different tactics require different detection approaches, and MTTD segmentation shows which approaches are succeeding.
### Implementation Requirements
Accurate MTTD measurement depends on comprehensive log collection with synchronized timestamps across all monitored systems. Log sources must cover endpoint activity (process execution, file access, registry changes), network activity (DNS, HTTP, flow records), identity activity (authentication, authorization, privilege changes), and cloud activity (API calls, configuration changes, data access).
Organizations should conduct quarterly detection coverage assessments mapped to the MITRE ATT&CK framework to identify techniques that produce no detectable telemetry. Every uncovered technique represents MTTD that cannot be measured because no evidence of the activity exists. These blind spots extend actual dwell time invisibly.
Log retention policies directly affect MTTD measurement accuracy. Organizations that retain only 30 days of endpoint logs cannot forensically reconstruct incidents that span longer periods, leading to systematically undercounted MTTD for sophisticated intrusions that unfold over months.
### Concrete Implementation Example
Consider a healthcare organization implementing MTTD measurement. They define detection as analyst acknowledgment in their ticketing system, establish a 90-day measurement period, and identify twelve confirmed security incidents during that period. Through forensic reconstruction, they determine that incident start times preceded alert generation by an average of 72 hours, indicating significant detection rule gaps. They segment their data by source: eight incidents detected through automated SIEM alerts (average 4-hour MTTD from alert to acknowledgment), two through threat hunting (average 16-hour MTTD), and two through external notification (average 480-hour MTTD). The overall MTTD is 74 hours, but the segmented view shows that automated detection is performing well for known attack patterns while novel or sophisticated attacks are evading detection entirely.
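The calculation, the alert-time undercount, and the segmentation by detection source and ATT&CK tactic described in this section, as an added worked example (not code from the page's author). The `Incident` fields are assumptions about what a ticketing export would carry, and the six incident records are constructed so the intervals are easy to check by hand; the phishing-on-Monday, lateral-movement-alert-on-Tuesday case from the text is the first record.

```python
"""MTTD from forensically reconstructed incident timelines (added example).

Computes the detection interval per incident from the reconstructed first
malicious activity to SOC acknowledgment, shows the undercount produced when
alert creation time is used as the start point, and segments MTTD by
detection source and ATT&CK tactic. Field names and records are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Callable, Dict, List, Optional


@dataclass(frozen=True)
class Incident:
    ticket: str
    first_malicious_activity: datetime  # earliest attacker activity found in forensic reconstruction
    first_alert: Optional[datetime]     # when an automated alert fired; None if no alert ever fired
    acknowledged: datetime              # SOC formally acknowledged and assigned the incident
    source: str                         # "automated", "hunting" or "external"
    tactic: str                         # ATT&CK tactic of the activity that was detected


def detection_interval_hours(inc: Incident) -> float:
    """True detection interval: reconstructed start to SOC acknowledgment."""
    return (inc.acknowledged - inc.first_malicious_activity).total_seconds() / 3600


def mttd_hours(incidents: List[Incident]) -> float:
    """Arithmetic mean of the detection intervals for a population of incidents."""
    if not incidents:
        raise ValueError("MTTD is undefined for an empty incident population")
    return mean(detection_interval_hours(i) for i in incidents)


def alert_anchored_mttd_hours(incidents: List[Incident]) -> float:
    """The flawed measurement: alert creation time used as the incident start.

    Incidents that never produced an alert drop out entirely, which hides
    exactly the cases that inflate true MTTD.
    """
    alerted = [i for i in incidents if i.first_alert is not None]
    if not alerted:
        raise ValueError("no alert-detected incidents in population")
    return mean((i.acknowledged - i.first_alert).total_seconds() / 3600 for i in alerted)


def mttd_by(incidents: List[Incident], key: Callable[[Incident], str]) -> Dict[str, float]:
    """Segment MTTD by any incident attribute (detection source, ATT&CK tactic, ...)."""
    groups: Dict[str, List[Incident]] = defaultdict(list)
    for inc in incidents:
        groups[key(inc)].append(inc)
    return {k: mttd_hours(v) for k, v in groups.items()}


def external_notification_share(incidents: List[Incident]) -> float:
    """Fraction of incidents first surfaced by a third party rather than internal detection."""
    return sum(1 for i in incidents if i.source == "external") / len(incidents)


# Constructed sample population. Monday 09:00 is the reconstructed start of
# every incident so the intervals read directly as hour offsets.
_T0 = datetime(2024, 3, 4, 9, 0)


def _h(hours: float) -> datetime:
    return _T0 + timedelta(hours=hours)


INCIDENTS = [
    # phishing Monday 09:00, lateral-movement alert Tuesday 15:00, acknowledged 16:00: 31 h, not 1 h
    Incident("INC-1001", _h(0), _h(30), _h(31), "automated", "Lateral Movement"),
    Incident("INC-1002", _h(0), _h(1), _h(2), "automated", "Initial Access"),
    Incident("INC-1003", _h(0), _h(3), _h(4), "automated", "Initial Access"),
    Incident("INC-1004", _h(0), _h(10), _h(11), "automated", "Lateral Movement"),
    Incident("INC-1005", _h(0), None, _h(48), "hunting", "Persistence"),
    Incident("INC-1006", _h(0), None, _h(720), "external", "Exfiltration"),
]


def report(incidents: List[Incident]) -> Dict[str, object]:
    """Everything a quarterly MTTD review would put on one page."""
    return {
        "mttd_hours": mttd_hours(incidents),
        "alert_anchored_mttd_hours": alert_anchored_mttd_hours(incidents),
        "by_source": mttd_by(incidents, lambda i: i.source),
        "by_tactic": mttd_by(incidents, lambda i: i.tactic),
        "external_share": external_notification_share(incidents),
    }


if __name__ == "__main__":
    for name, value in report(INCIDENTS).items():
        print(f"{name}: {value}")
```

On this constructed population the true MTTD is 136 hours while the alert-anchored figure is 1 hour, which is the systematic undercount the section warns about; the by-source view separates a 12-hour automated MTTD from a 720-hour externally notified one that the overall average would hide.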
---
## Why It Matters
### Financial and Operational Impact
The relationship between detection speed and breach cost is statistically robust across multiple studies and geographies. IBM's annual Cost of a Data Breach Report consistently demonstrates that organizations identifying breaches within 200 days experience significantly lower costs than those requiring longer detection periods. The cost differential frequently exceeds one million dollars per incident for enterprise-scale breaches.
Mandiant's M-Trends reporting shows global median dwell time decreasing from over 400 days in 2011 to under 30 days in recent years, but these improvements reflect industry averages rather than universal progress. Individual organizations without mature detection programs still experience dwell times measured in months or years, particularly for sophisticated state-sponsored intrusions or insider threats.
The financial impact extends beyond direct breach costs to include regulatory fines, customer churn, brand damage, and competitive disadvantage. Organizations that cannot demonstrate reasonable detection capabilities face higher insurance premiums, increased regulatory scrutiny, and customer contract requirements that may exclude them from business opportunities.
### Strategic Consequences of Detection Failure
Organizations without formal MTTD measurement cannot answer fundamental questions about their security posture: How long do attackers operate undetected in our environment? Are we getting better or worse at finding threats? Where should we invest detection resources for maximum improvement? This blind spot leads to detection investments based on vendor marketing rather than operational evidence.
The 2020 SolarWinds supply chain compromise exemplifies catastrophic MTTD failure. The threat actor, tracked as UNC2452, accessed victim networks beginning in March 2020 through backdoored software updates. The campaign remained undetected until December 2020, representing a global MTTD of approximately nine months for thousands of affected organizations. These organizations had enterprise-grade SIEMs, EDR platforms, and trained security teams. The attackers succeeded through patient, low-noise tradecraft designed to blend with legitimate administrative activity.
SolarWinds demonstrates that MTTD is not automatically improved by security tool deployment. Detection capability requires strategic rule development, comprehensive log collection, and analyst training focused on specific threat actor techniques. Technology creates detection opportunity; operations deliver detection outcomes.
### Common Organizational Misconceptions
Many organizations assume that deploying detection technology automatically reduces MTTD. A SIEM with poor rule coverage, insufficient log sources, or overwhelmed analysts will produce worse MTTD than a simpler monitoring environment with focused detection content and adequate staffing. MTTD measures outcomes, not tool inventories.
Another misconception is that low MTTD automatically indicates strong security. An organization might detect every commodity malware infection within minutes while completely missing sophisticated threats that avoid triggering automated rules. MTTD must be evaluated alongside detection breadth (what types of threats are detected) and detection accuracy (how many alerts represent actual threats rather than false positives).
Organizations also frequently conflate MTTD improvement with alert volume reduction. Reducing false positives improves analyst efficiency and response time, but it does not necessarily improve detection speed for new threats. MTTD improvement requires expanding detection coverage to earlier phases of attack campaigns, not just processing existing alerts more quickly.
### Operational Warning Signs
Organizations with poor MTTD typically discover incidents through external notification rather than internal detection. If more than 20% of security incidents are disclosed by third parties, law enforcement, or business partners, the detection program has fundamental coverage gaps that extend MTTD invisibly.
Another warning sign is MTTD that varies dramatically by incident type without operational explanation. If malware infections are detected within hours but data exfiltration takes weeks to identify, the detection strategy is optimized for noisy, obvious attacks while missing subtle, high-impact threats.
Organizations that cannot forensically reconstruct incident timelines cannot calculate accurate MTTD, indicating insufficient logging, poor log retention, or inadequate analyst investigation capabilities. These deficiencies extend MTTD and prevent the organization from understanding the true scope of security incidents.
---
## CDA Perspective
CDA approaches MTTD through the Threat Intelligence and Defense (TID) domain within the Planetary Defense Model framework. Under the Predictive Defense Intelligence (PDI) methodology, MTTD is not treated as a retrospective performance metric but as a leading indicator of detection program alignment with adversary behavior patterns.
The PDI principle "See the threat before it sees you" fundamentally reframes MTTD measurement. Rather than optimizing detection speed after compromise occurs, PDI focuses on engineering detection triggers that activate during the earliest stages of adversary reconnaissance and resource development, before initial access is achieved. This approach requires MTTD segmentation that extends beyond traditional post-compromise activities to include pre-compromise indicators.
CDA maps MTTD measurement directly to threat actor profiles relevant to each client's industry, geographic exposure, and technology environment. Rather than pursuing generic MTTD improvements, CDA identifies which specific adversary groups target the client's sector and analyzes their documented tradecraft patterns. If a client faces primarily ransomware operators who achieve initial access through exposed RDP services, MTTD optimization focuses on authentication monitoring and remote access detection rather than email security. If the threat model includes state-sponsored groups that conduct multi-month operations, MTTD measurement must account for low-and-slow techniques that generate minimal detection signals.
### Detection Coverage Assessment Methodology
CDA conducts structured Detection Coverage Assessments that map client log sources and detection rules against MITRE ATT&CK techniques used by relevant threat actors. This assessment produces a coverage gap matrix that directly predicts where MTTD failures will occur. Techniques with no corresponding detection coverage represent infinite MTTD: the organization cannot detect these activities regardless of how long they persist.
The assessment prioritizes coverage gaps by adversary relevance rather than technique frequency. A technique used by commodity ransomware groups may affect thousands of organizations but present minimal risk to a client whose threat model is dominated by state-sponsored actors. Conversely, a technique used exclusively by sophisticated APT groups may appear statistically rare but represent the client's primary threat vector.
### Active vs. Passive MTTD Measurement
CDA distinguishes between passive MTTD (detection achieved through automated alerting alone) and active MTTD (detection achieved when structured threat hunting supplements automated alerting). Most organizations measure only passive MTTD because they discover incidents through alerts rather than hunting, but this approach understates the detection program's full capability.
Active MTTD measurement requires organizations to conduct regular threat hunting exercises targeting specific techniques and document when hunting activities discover threats that automated alerting missed. The gap between passive and active MTTD quantifies the hunting program's value in concrete terms, providing justification for analyst time allocation and hunting platform investments.
### Predictive MTTD Modeling
CDA develops predictive MTTD models that estimate detection time for threat scenarios that have not yet occurred. These models combine client detection coverage data with threat actor technique preferences to identify scenarios where MTTD would be catastrophically high. For example, if a relevant threat actor group relies heavily on Living Off The Land techniques that generate minimal detection signals, the model predicts extended MTTD even if the organization has never experienced this type of attack.
Predictive modeling allows security teams to address MTTD failures before they occur rather than measuring them after incidents happen. This proactive approach aligns with the PDI methodology's emphasis on seeing threats before they achieve operational success.
Within client engagements, CDA establishes baseline MTTD measurements during the assessment phase and sets improvement targets segmented by detection source, ATT&CK tactic, and threat actor profile. The resulting roadmap connects specific detection engineering investments to measurable MTTD outcomes, ensuring that detection program improvements address the client's actual threat environment rather than generic attack scenarios.
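A reduced model of the coverage gap matrix, the relevance-based gap prioritisation, and the predictive MTTD estimate described in this section, written as an added example; it is not CDA's tooling or the page's own code. The model assumes that an intrusion is detected at the first step of the actor's attack chain for which telemetry exists and a rule fires, at that step's offset from initial access plus the rule's latency, and that a chain with no covered step has infinite predicted MTTD. The actor profiles, chain timings, coverage states and latencies are constructed; only the ATT&CK technique IDs are real.

```python
"""Coverage gap matrix and predictive MTTD for an actor-driven threat model.

Added example with constructed data: actor profiles, step timings, coverage
and latency values are assumptions, not measurements from any environment.
"""
import math
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Step:
    technique: str       # ATT&CK technique ID
    tactic: str
    offset_hours: float  # assumed hours after initial access at which this step typically occurs


@dataclass(frozen=True)
class ActorProfile:
    name: str
    relevance: float     # weight of this actor in the client's threat model
    chain: Tuple[Step, ...]


@dataclass(frozen=True)
class Coverage:
    telemetry: bool                        # is the activity logged at all?
    rule: bool                             # does a detection rule exist for it?
    latency_hours: Optional[float] = None  # alert-to-acknowledgment latency once the rule fires

    @property
    def detects(self) -> bool:
        return self.telemetry and self.rule and self.latency_hours is not None


NO_COVERAGE = Coverage(False, False)

# Constructed profiles for a client whose threat model is dominated by ransomware
# operators entering through exposed remote access, with a smaller state-sponsored component.
RANSOMWARE = ActorProfile("ransomware-operator (constructed)", 0.75, (
    Step("T1133", "Initial Access", 0),     # External Remote Services
    Step("T1078", "Persistence", 1),        # Valid Accounts
    Step("T1053", "Persistence", 6),        # Scheduled Task/Job
    Step("T1021", "Lateral Movement", 12),  # Remote Services
))
STATE_SPONSORED = ActorProfile("state-sponsored (constructed)", 0.25, (
    Step("T1195", "Initial Access", 0),     # Supply Chain Compromise
    Step("T1218", "Defense Evasion", 2),    # System Binary Proxy Execution
    Step("T1021", "Lateral Movement", 72),  # Remote Services
    Step("T1567", "Exfiltration", 240),     # Exfiltration Over Web Service
))
ACTORS = [RANSOMWARE, STATE_SPONSORED]

# Constructed client coverage; techniques absent from the dict have neither telemetry nor rule.
COVERAGE: Dict[str, Coverage] = {
    "T1566": Coverage(True, True, 2.0),  # phishing: well covered, but neither relevant actor uses it
    "T1133": Coverage(True, False),      # remote access gateway logs collected, no rule reviews them
    "T1078": Coverage(True, True, 8.0),
    "T1053": Coverage(True, True, 24.0),
    "T1218": Coverage(True, False),
    "T1567": Coverage(True, False),
}


def coverage_gap_matrix(actors: List[ActorProfile], coverage: Dict[str, Coverage]) -> Dict[str, dict]:
    """One row per technique any relevant actor uses: who uses it and whether it is detected."""
    matrix: Dict[str, dict] = {}
    for actor in actors:
        for step in actor.chain:
            row = matrix.setdefault(step.technique, {
                "tactic": step.tactic, "actors": [], "coverage": coverage.get(step.technique, NO_COVERAGE),
            })
            row["actors"].append(actor.name)
    return matrix


def prioritised_gaps(actors: List[ActorProfile], coverage: Dict[str, Coverage]) -> List[Tuple[str, float]]:
    """Uncovered techniques ranked by summed actor relevance, not by how many actors use them."""
    scores: Dict[str, float] = {}
    for actor in actors:
        for step in actor.chain:
            if not coverage.get(step.technique, NO_COVERAGE).detects:
                scores[step.technique] = scores.get(step.technique, 0.0) + actor.relevance
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))


def predicted_mttd_hours(actor: ActorProfile, coverage: Dict[str, Coverage]) -> float:
    """Hours after initial access at which the first detectable step of the chain is acknowledged."""
    candidates = [
        step.offset_hours + coverage[step.technique].latency_hours
        for step in actor.chain
        if coverage.get(step.technique, NO_COVERAGE).detects
    ]
    return min(candidates) if candidates else math.inf


def with_rule(coverage: Dict[str, Coverage], technique: str, latency_hours: float) -> Dict[str, Coverage]:
    """Model a detection engineering investment: a new rule on a technique that already has telemetry."""
    if not coverage.get(technique, NO_COVERAGE).telemetry:
        raise ValueError(f"{technique} has no telemetry; no rule can fire on evidence that is never collected")
    updated = dict(coverage)
    updated[technique] = Coverage(True, True, latency_hours)
    return updated


if __name__ == "__main__":
    for technique, row in coverage_gap_matrix(ACTORS, COVERAGE).items():
        print(technique, row["tactic"], row["actors"], "detected" if row["coverage"].detects else "GAP")
    print("gaps by relevance:", prioritised_gaps(ACTORS, COVERAGE))
    for actor in ACTORS:
        print(actor.name, "predicted MTTD h:", predicted_mttd_hours(actor, COVERAGE))
```

With this data the ransomware chain is predicted to be caught at 9 hours (the Valid Accounts rule at the 1-hour step plus 8 hours of latency), while the state-sponsored chain has no covered step and so an infinite predicted MTTD, even though the client has never seen that actor. Ranking gaps by relevance puts T1133 ahead of the three state-sponsored-only techniques that a simple usage count would tie it with, and `with_rule` ties a proposed rule to its MTTD outcome: a T1133 rule with 1-hour latency brings the ransomware prediction from 9 hours to 1, whereas a T1021 rule is rejected because no telemetry exists for it, which is the log-collection prerequisite the section describes.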
---
## Key Takeaways
- Forensically reconstruct incident timelines to establish true detection intervals. Recording alert creation time as the incident start point produces artificially low MTTD measurements that mask actual adversary dwell time and prevent accurate assessment of detection program effectiveness.
- Segment MTTD by detection source and MITRE ATT&CK tactic to identify specific improvement opportunities. Overall MTTD averages conceal whether detection failures occur during initial access, lateral movement, or exfiltration phases, preventing targeted investment in detection capabilities.
- Map detection coverage to relevant threat actor techniques before optimizing detection speed. MTTD improvements require comprehensive log collection and detection rule coverage; techniques that generate no detectable telemetry represent infinite MTTD regardless of alert processing efficiency.
- Measure both passive MTTD (automated alerts) and active MTTD (hunting-assisted detection) to quantify hunting program value. Organizations that measure only alert-driven detection cannot demonstrate the operational benefit of threat hunting investments or optimize analyst time allocation.
- Set MTTD targets based on threat actor profiles and attack phases rather than industry benchmarks. Generic MTTD goals ignore the specific adversary techniques that target each organization; effective MTTD improvement requires detection investments aligned with actual threat patterns rather than statistical averages.
---
## Sources
- NIST SP 800-61 Rev. 2: Computer Security Incident Handling Guide. National Institute of Standards and Technology, August 2012. https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
- IBM Security: Cost of a Data Breach Report 2023. IBM Corporation, July 2023. https://www.ibm.com/reports/data-breach
- Mandiant M-Trends 2023: Special Report. Mandiant, Inc., March 2023. https://www.mandiant.com/resources/reports/m-trends
- MITRE ATT&CK Framework: Tactics, Techniques & Common Knowledge. MITRE Corporation, continuously updated. https://attack.mitre.org
- CIS Controls Version 8: Implementation Guide for Control 6 (Access Control Management) and Control 8 (Audit Log Management). Center for Internet Security, May 2021. https://www.cisecurity.org/controls/v8