
    What is MTTD/MTTR (Mean Time to Detect and Respond)? | Definition & Guide

    MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) are the two primary operational metrics used to measure security operations effectiveness. MTTD measures the average elapsed time between the initial occurrence of a security incident and the moment the SOC identifies it as a genuine threat requiring action. MTTR measures the average elapsed time from detection to containment and remediation. Together, these metrics quantify how quickly a security team can identify adversary activity and stop it — the fundamental capability that determines whether an intrusion is contained to a single endpoint or escalates into a full-scale breach. For security leaders evaluating detection platforms, SOC staffing models, and automation investments, MTTD and MTTR provide the quantitative foundation for measuring improvement and benchmarking against industry baselines.

    Definition

    MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) are operational metrics that quantify security operations performance. MTTD measures the average time from when a security incident begins (the adversary gains initial access, malware executes, or unauthorized activity starts) to when the SOC identifies it as a real threat requiring investigation. MTTR measures the average time from that detection to containment and remediation: the adversary is ejected, compromised credentials are rotated, and affected systems are restored. Note that outside the SOC, in IT operations and SRE, the same abbreviation usually expands to Mean Time to Repair or Recover and starts the clock at the outage or ticket; the definition used on this page starts it at detection. Both metrics are computed as averages over the incidents handled in a given period and serve as the primary performance indicators for SOC effectiveness. Their sum, compared against adversary breakout time (the interval between initial compromise and the first lateral movement to another host), determines whether a security team can contain an intrusion before the adversary expands its foothold.

    Why It Matters

    MTTD and MTTR translate security operations performance into a language that executives and boards understand: time. A CISO reporting "our MTTD dropped from 72 hours to 4 hours this quarter" communicates a concrete improvement that maps to reduced breach impact. The financial correlation is direct: longer dwell time (conventionally the interval from first evidence of compromise to detection, which is the per-incident quantity MTTD averages) correlates with higher breach costs, more extensive data exfiltration, and more systems requiring remediation.

    The operational challenge is that MTTD and MTTR are influenced by factors across the entire detection and response chain. MTTD depends on telemetry coverage (does the SOC have visibility into the systems being attacked?), detection rule quality (do the rules detect the specific technique the adversary used?), and alert triage speed (does alert fatigue cause the initial detection to sit uninvestigated?). MTTR depends on investigation tooling (can the analyst quickly scope the incident?), response authorization (is the analyst pre-authorized to isolate systems, or must they escalate for approval?), and coordination efficiency (how quickly can endpoint, cloud, and identity teams execute containment actions?).

    Improving these metrics is not simply a matter of buying faster tools. An organization with a 24-hour MTTD often gets most of its improvement from detection rule tuning and SOAR automation rather than platform replacement. Conversely, an organization with strong MTTD but slow MTTR may need to address response workflow bottlenecks: approval chains, insufficient analyst authorization levels, or lack of automated containment capabilities. Measured per stage, the metrics show where in the detection-response chain the bottleneck sits.

    How It Works

    MTTD and MTTR are measured and operationalized through these processes:

    1. MTTD calculation — For each security incident, the SOC records two timestamps: when the incident actually began (established during post-incident investigation) and when the SOC first recognized it as a genuine threat. The difference is the detection time for that incident, and MTTD is the average across all incidents in the measurement period. The complication is that the start timestamp is determined retrospectively: during investigation the team often discovers the adversary was present for days or weeks before detection. Two consequences follow. First, better forensics can make measured MTTD go up, not down, because investigators uncover earlier evidence of compromise; a rising MTTD should be read alongside investigation depth before it is blamed on detection. Second, a single long-dwell incident dominates the arithmetic mean, so report the median (and a high percentile such as p90) next to the mean, and record how many incidents each figure is based on.

    2. MTTR calculation — MTTR tracks from detection to remediation completion. This includes investigation time (scoping the incident, identifying affected systems and accounts), containment time (isolating endpoints, blocking malicious IPs, disabling compromised accounts), eradication time (removing adversary persistence mechanisms, patching exploited vulnerabilities), and recovery time (restoring systems to normal operation). Some organizations break MTTR into sub-metrics, MTTI (mean time to investigate), MTTC (mean time to contain), and MTTE (mean time to eradicate), for more granular performance analysis. Whatever endpoint is chosen, it has to be fixed and documented: an MTTR measured to containment and an MTTR measured to full recovery are not comparable, and incidents that are still open at the end of the period should be excluded from the average rather than counted with an artificially short duration.

    3. Benchmarking against adversary speed — The operational value of MTTD and MTTR emerges when they are compared to adversary breakout time, the interval between initial compromise and the first lateral movement to another host. The relevant comparison is MTTD plus time to containment, not full MTTR: eradication and recovery happen after the adversary has already been stopped, so they do not affect the race. If detection plus containment routinely exceeds the breakout time reported for adversaries targeting the organization's industry, the adversary will usually achieve lateral movement before containment, and the incident grows from one endpoint to many. CrowdStrike's 1-10-60 rule sets the benchmark: detect an intrusion within 1 minute, investigate it within 10 minutes, and contain it within 60 minutes. Organizations measuring MTTD in hours or days are operating well outside this window.

    4. Improvement levers — Security teams reduce MTTD through better detection engineering (higher-fidelity rules that detect real attacks faster), broader telemetry coverage (ingesting log sources that were previously blind spots), and automated alert triage (SOAR playbooks that pre-enrich alerts so analysts can make faster disposition decisions). MTTR improves through pre-authorized response actions (allowing analysts to isolate endpoints without management approval), automated containment playbooks, and XDR platforms that execute cross-domain response from a single console instead of requiring coordination across multiple tool teams.
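    The calculation in steps 1 to 3, as an added example that is not part of the original page: a small Python script over constructed incident records (the incident IDs and timestamps are made up for illustration) that computes MTTD, MTTR and the MTTI/MTTC/MTTE sub-metrics with both mean and median, leaves incidents whose start is unknown or that are still open out of the figures they cannot support, reports the share of incidents contained before a given breakout time, and checks the means against the 1-10-60 targets. The field names and the stage boundaries are this example's own choices, not a standard.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean, median
from typing import Optional

# Constructed sample incident records for this example (not real SOC data).
# started:    adversary's first action, established during post-incident
#             investigation; None when it could never be determined.
# contained:  the moment the adversary could no longer move laterally.
# remediated: None for incidents still open at the end of the period.
@dataclass(frozen=True)
class Incident:
    id: str
    started: Optional[datetime]
    detected: datetime
    investigated: Optional[datetime]
    contained: Optional[datetime]
    remediated: Optional[datetime]


def _ts(s: Optional[str]) -> Optional[datetime]:
    return datetime.fromisoformat(s) if s else None


def _minutes(start: Optional[datetime], end: Optional[datetime]) -> Optional[float]:
    """Elapsed minutes between two timestamps, or None if either is unknown."""
    if start is None or end is None:
        return None
    return (end - start).total_seconds() / 60


INCIDENTS = [
    Incident("INC-1", _ts("2024-03-01T08:00"), _ts("2024-03-01T08:30"),
             _ts("2024-03-01T08:45"), _ts("2024-03-01T09:30"), _ts("2024-03-01T12:30")),
    # Long-dwell intrusion: forensics traced the start back 12 days.
    Incident("INC-2", _ts("2024-02-20T02:00"), _ts("2024-03-03T10:00"),
             _ts("2024-03-03T11:00"), _ts("2024-03-03T14:00"), _ts("2024-03-05T14:00")),
    # Start never established: counts toward MTTR but not MTTD.
    Incident("INC-3", None, _ts("2024-03-04T09:00"),
             _ts("2024-03-04T09:05"), _ts("2024-03-04T09:10"), _ts("2024-03-04T10:00")),
    # Still open: contained but not remediated, so excluded from MTTR/MTTE.
    Incident("INC-4", _ts("2024-03-05T20:00"), _ts("2024-03-05T22:00"),
             _ts("2024-03-05T22:30"), _ts("2024-03-05T23:00"), None),
    Incident("INC-5", _ts("2024-03-06T11:00"), _ts("2024-03-06T11:10"),
             _ts("2024-03-06T11:20"), _ts("2024-03-06T11:45"), _ts("2024-03-06T13:45")),
]

# Stage boundaries (this example's own naming): which two timestamps each metric spans.
STAGES = {
    "detect": ("started", "detected"),              # MTTD
    "investigate": ("detected", "investigated"),    # MTTI
    "contain": ("investigated", "contained"),       # MTTC, as a stage duration
    "eradicate": ("contained", "remediated"),       # MTTE
    "respond": ("detected", "remediated"),          # MTTR end to end
    "detect_to_contain": ("detected", "contained"), # the span that matters for breakout
}


def stage_durations(incidents, stage):
    """Per-incident minutes for one stage, skipping incidents that lack an endpoint."""
    start_field, end_field = STAGES[stage]
    durations = (_minutes(getattr(i, start_field), getattr(i, end_field)) for i in incidents)
    return [d for d in durations if d is not None]


def soc_metrics(incidents):
    """Mean and median minutes per stage, plus how many incidents each figure rests on."""
    report = {}
    for stage in STAGES:
        durations = stage_durations(incidents, stage)
        report[stage] = {
            "mean": mean(durations) if durations else None,
            "median": median(durations) if durations else None,
            "n": len(durations),
        }
    return report


def share_contained_before_breakout(incidents, breakout_minutes):
    """Fraction of incidents with a known start that were contained (start to
    containment) within the breakout time, i.e. before lateral movement is expected."""
    races = [r for r in (_minutes(i.started, i.contained) for i in incidents) if r is not None]
    if not races:
        return None
    return sum(1 for r in races if r <= breakout_minutes) / len(races)


def meets_1_10_60(report):
    """CrowdStrike's 1-10-60 targets applied to the mean of each stage;
    'respond' is taken here as detection to containment."""
    def ok(stage, limit):
        m = report[stage]["mean"]
        return m is not None and m <= limit
    return {
        "detect_1m": ok("detect", 1),
        "investigate_10m": ok("investigate", 10),
        "respond_60m": ok("detect_to_contain", 60),
    }


if __name__ == "__main__":
    report = soc_metrics(INCIDENTS)
    for stage, v in report.items():
        print(f"{stage:18s} mean={v['mean']!s:>10} median={v['median']!s:>8} n={v['n']}")
    print("contained before 60-min breakout:", share_contained_before_breakout(INCIDENTS, 60))
    print("1-10-60:", meets_1_10_60(report))
```

    On this sample the mean MTTD is 4480 minutes while the median is 75: one long-dwell incident (INC-2) drags the mean up by two orders of magnitude, which is exactly why the report carries both figures and the incident count behind each. The breakout check is deliberately expressed as a share of incidents rather than a comparison of means, since the question a SOC lead needs answered is how often the team wins the race, not whether an average does.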

    MTTD/MTTR and SEO/AEO

    MTTD and MTTR are metric-driven search terms that attract security operations leaders who measure performance quantitatively. These searches often co-occur with evaluation of SIEM effectiveness, XDR platform comparisons, and SOC maturity assessments. We target these operational metrics as part of our cybersecurity SEO practice because content that demonstrates understanding of how these metrics connect to breakout time, alert fatigue, and SOC staffing models resonates with the security leaders making infrastructure and staffing decisions based on these exact performance indicators.

    Related Terms