
    What is the 1-10-60 Rule? | Definition & Guide

    The 1-10-60 rule is a security operations benchmark framework originated by CrowdStrike that establishes target response times for handling security incidents: detect a threat within 1 minute, investigate and understand the scope within 10 minutes, and contain and remediate within 60 minutes. This framework translates the abstract concept of 'fast detection and response' into concrete, measurable time targets that SOC teams can benchmark against. The 1-10-60 rule was developed in response to observed adversary breakout times — the window between initial access and lateral movement — which CrowdStrike's data shows can be as short as 51 seconds for the fastest operators. For security leaders evaluating detection and response platforms, the 1-10-60 rule provides a quantitative yardstick for assessing whether their current tooling, automation, and staffing can meet the speed requirements that real-world adversary behavior demands.

    Definition

    The 1-10-60 rule is a security operations benchmark framework that sets three time-bound targets for incident response: detect an intrusion within 1 minute of initial activity, complete investigation and scope assessment within 10 minutes, and contain and remediate the threat within 60 minutes. CrowdStrike developed this framework based on adversary breakout time data, the observed interval between initial compromise and lateral movement. The logic is straightforward: if adversaries routinely begin lateral movement within minutes of initial access, the SOC must complete its detection-investigation-response cycle before that lateral movement starts, or the intrusion escalates beyond a single-system compromise.

    Why It Matters

    The 1-10-60 rule matters because it exposes the gap between how most SOCs actually operate and how fast they need to operate. Most security teams measure MTTD in hours or days, not minutes. Investigation frequently requires manual correlation across multiple consoles. Response actions may require escalation through approval chains before an analyst can isolate an endpoint. Against an adversary with a 48-minute average breakout time, a SOC operating with hour-long detection times and multi-hour investigation cycles cannot keep pace. Note also that the three budgets add up to 71 minutes end to end, which already exceeds a 48-minute average breakout: the targets are ceilings, not goals, and against the fastest operators containment has to land well inside the investigation window.

    The 1-minute detection target is the most demanding component. Achieving sub-minute detection requires EDR or XDR platforms with real-time behavioral analytics, properly tuned detection rules, and minimal false-positive noise (so the genuine alert is not buried in thousands of benign notifications). The 10-minute investigation target demands automated enrichment (threat intelligence lookups, asset context, historical activity review) that presents the analyst with a pre-built incident narrative rather than raw alert data. The 60-minute response target requires pre-authorized containment actions and, increasingly, automated response playbooks that execute containment steps without waiting for human approval.

    The framework also highlights where different organizations should invest. A team that detects threats in 5 minutes but takes 4 hours to respond has a response automation problem, not a detection problem. A team that responds in 20 minutes but does not detect threats for 3 days has a detection engineering problem. The 1-10-60 benchmarks help security leaders diagnose which phase of the incident lifecycle needs the most improvement.

    How It Works

    The 1-10-60 framework operates as a three-phase benchmark:

    1. 1 minute: Detection — The detection phase covers the time from adversary activity beginning on a monitored system to the generation of a high-confidence alert. Achieving this target requires endpoint and cloud telemetry that streams to the detection platform in near-real-time, behavioral detection rules calibrated to fire on adversary techniques (credential dumping, unusual process execution chains, lateral movement indicators) rather than broad pattern matches, and a detection platform that processes incoming telemetry and evaluates rules continuously rather than on scheduled batch queries. CrowdStrike's Threat Graph architecture, for example, evaluates detection logic against streaming telemetry from Falcon agents globally.

    2. 10 minutes: Investigation — The investigation phase covers the time from alert generation to the analyst understanding what happened, which systems are affected, and what the adversary's objectives appear to be. Achieving 10-minute investigation requires automated enrichment: when the alert fires, the platform automatically gathers the full process tree, network connections from the affected endpoint, threat intelligence context on observed indicators, the affected user's role and access permissions, and whether similar activity has occurred on other systems. XDR platforms that correlate across endpoint, identity, and cloud telemetry reduce investigation time by presenting the cross-domain attack narrative automatically rather than requiring the analyst to query multiple tools.

    3. 60 minutes: Response — The response phase covers containment (stopping the adversary's access and preventing further spread), eradication (removing persistence mechanisms), and initial remediation (rotating compromised credentials, patching exploited vulnerabilities). Achieving 60-minute response requires pre-authorized containment actions — analysts must be empowered to isolate endpoints, disable accounts, and block network indicators without waiting for approval chains. SOAR automation accelerates this further: a response playbook can automatically isolate the compromised endpoint, disable the affected user account, block observed malicious IPs across firewall policies, and create the incident ticket — all within minutes of the analyst confirming the alert as a true positive.
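    The three phases above only become a benchmark once a SOC records the same four milestones for every incident and measures the gaps between them. The following is an added example, not code from the original page or from CrowdStrike: it computes the detect, investigate and respond durations per incident, checks each against the 1-10-60 targets, aggregates medians and p90 across incidents, and names the weakest phase (the diagnosis described under "Why It Matters"). The Incident fields, the 48-minute breakout constant and the sample incidents are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median

# 1-10-60 targets per phase, in seconds.
TARGETS = {"detect": 60, "investigate": 600, "respond": 3600}

# Assumed average breakout time for the end-to-end check (48 minutes, the
# figure quoted in the text). Replace with the threat-report number you track.
BREAKOUT_SECONDS = 48 * 60


@dataclass(frozen=True)
class Incident:
    """Four timeline milestones per incident. Hypothetical field names."""
    incident_id: str
    first_activity: datetime  # earliest adversary activity on a monitored host
    alerted: datetime         # high-confidence alert generated
    scoped: datetime          # investigation done: scope and objective understood
    contained: datetime       # adversary access cut off and persistence removed

    def phase_seconds(self) -> dict:
        """Durations of the three 1-10-60 phases for this incident."""
        return {
            "detect": (self.alerted - self.first_activity).total_seconds(),
            "investigate": (self.scoped - self.alerted).total_seconds(),
            "respond": (self.contained - self.scoped).total_seconds(),
        }

    def meets_targets(self) -> dict:
        """Per-phase pass/fail against the 1-10-60 targets."""
        secs = self.phase_seconds()
        return {phase: secs[phase] <= TARGETS[phase] for phase in TARGETS}

    def contained_before_breakout(self, breakout_seconds=BREAKOUT_SECONDS) -> bool:
        """End-to-end check: was the adversary contained before the expected
        breakout point (first activity plus the assumed breakout time)?"""
        total = (self.contained - self.first_activity).total_seconds()
        return total < breakout_seconds


def benchmark(incidents) -> dict:
    """Median and p90 per phase across incidents, plus whether the median
    meets its target. Judge a SOC on the distribution, not one incident."""
    report = {}
    for phase in TARGETS:
        values = sorted(i.phase_seconds()[phase] for i in incidents)
        p90_index = max(0, int(round(0.9 * (len(values) - 1))))
        med = median(values)
        report[phase] = {
            "median_s": med,
            "p90_s": values[p90_index],
            "target_s": TARGETS[phase],
            "median_meets_target": med <= TARGETS[phase],
            # Median as a multiple of the target; > 1.0 means the target is missed.
            "median_over_target": med / TARGETS[phase],
        }
    return report


def weakest_phase(incidents) -> str:
    """Where to invest: the phase whose median overshoots its target by the
    largest multiple (a 3-day MTTD is a detection-engineering problem;
    a 4-hour response is a response-automation problem)."""
    report = benchmark(incidents)
    return max(report, key=lambda p: report[p]["median_over_target"])


def _ts(hhmmss: str) -> datetime:
    """Build constructed timestamps on one sample day."""
    return datetime.strptime(f"2024-01-15 {hhmmss}", "%Y-%m-%d %H:%M:%S")


# Constructed sample incidents (not real case data).
SAMPLE_INCIDENTS = [
    # Sub-minute detection, multi-hour response: a response-automation problem.
    Incident("INC-1", _ts("09:00:00"), _ts("09:00:40"), _ts("09:08:00"), _ts("13:00:00")),
    Incident("INC-2", _ts("10:00:00"), _ts("10:00:50"), _ts("10:09:00"), _ts("14:30:00")),
    # Meets all three targets and is contained before the assumed breakout.
    Incident("INC-3", _ts("11:00:00"), _ts("11:00:30"), _ts("11:05:00"), _ts("11:40:00")),
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, inc.phase_seconds(), inc.meets_targets(),
              "contained before breakout:", inc.contained_before_breakout())
    for phase, stats in benchmark(SAMPLE_INCIDENTS).items():
        print(phase, stats)
    print("weakest phase:", weakest_phase(SAMPLE_INCIDENTS))
```

    On the constructed data, every incident meets the 1-minute and 10-minute targets while two of three blow the 60-minute response budget, so the weakest phase is "respond". The milestone that is hardest to record honestly is first_activity: it has to come from the post-incident timeline (earliest adversary activity found in telemetry), not from the alert time, or the detection phase measures nothing.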

    1-10-60 Rule and SEO/AEO

    The 1-10-60 rule is a framework-specific search term that attracts security operations leaders benchmarking their detection and response capabilities. Searches for this framework often indicate a team evaluating whether their current tooling meets operational speed requirements. We target benchmark frameworks like this as part of our cybersecurity SEO practice because content that contextualizes the 1-10-60 rule against real adversary breakout data — and explains the specific capabilities (automated enrichment, pre-authorized response, XDR correlation) required to meet each target — resonates with the security leaders making platform and staffing decisions based on these benchmarks.

    Related Terms