MTTR and MTTD

MTTD and MTTR are the two headline metrics most security operations teams use to measure their effectiveness. They are simple to compute — total dwell time in seconds, divided by the number of incidents — but enormously revealing. A team with low MTTD and low MTTR catches and contains threats quickly; a team with high MTTD has visibility gaps; a team with low MTTD but high MTTR is seeing problems but is unable to act on them at speed.

MTTD measures the gap between initial compromise and detection. Industry studies typically place median MTTD in weeks or months — the IBM Cost of a Data Breach report has consistently put global average detection time above 200 days. The drivers are familiar: incomplete log coverage, alerts that fail to correlate across sources, fatigue from high false-positive rates, and detection rules that lag behind attacker tradecraft.

MTTR measures the gap between detection and containment. Strong MTTR depends on three things: clear, well-rehearsed runbooks for the most common incident types; tooling that lets responders pivot from alert to investigation to action without context-switching across consoles; and the authority to act decisively (isolate hosts, revoke tokens, take systems offline) without a chain-of-approval delay. Mature SOCs measure MTTR in minutes for high-severity incidents and hours for medium-severity ones.

Both metrics belong on the same dashboard alongside related measures: time-to-acknowledge, time-to-contain, and time-to-recover. Improving MTTD usually requires investment in detection engineering and telemetry; improving MTTR usually requires investment in automation, IR playbooks, and tabletop exercises. Tracking the trend over months matters more than the absolute number — a team where both metrics are falling quarter-over-quarter is improving, even if the current values are still uncomfortable.