Understanding incident metrics: MTTD and MTTR
Attackers are getting faster, stealthier and harder to stop. In this high-stakes environment, speed is no longer a nice-to-have in cyber security. It’s a measurable advantage that directly impacts your ability to contain damage and stay ahead of attackers.
Breaches are inevitable. What matters is how prepared your business is to minimise attacker dwell time. Dwell time is the measurement that captures the entire length of the security incident, from when the threat enters your network to the point of remediation. This is sometimes referred to as the breach detection gap.
Historically, dwell times stretched well beyond three months (100 to 140 days). Today, that window is rapidly shrinking.
Why MTTD and MTTR matter
Security incidents are a given. The real differentiator is how quickly you can detect the threat and shut it down. The longer an attacker remains in your network, the more damage they can do.
According to Mandiant's M-Trends 2024 report, the global median attacker dwell time dropped to just 10 days, with ransomware-related breaches averaging around five days. Organisations with mature cyber security operations are now expected to detect and contain threats within 24 to 72 hours. These shrinking windows highlight the need for faster, smarter, and more proactive cyber threat intelligence strategies.
Defining the metrics
- Mean Time to Detect (MTTD) is the average time it takes your team to identify a potential threat after it has entered your network.
- Mean Time to Respond (MTTR) is the average time it takes to contain, remediate, or eliminate that threat once detected.
Both metrics are essential to evaluating the effectiveness of your cyber security operations.

Measuring performance, driving improvement
What gets measured gets managed. Tracking your MTTD and MTTR helps security teams identify weaknesses, prioritise improvements, and demonstrate the value of their efforts to stakeholders. While there’s no industry-wide benchmark, most organisations aim for a continual reduction in these metrics.
Several factors influence MTTD and MTTR, including threat complexity, tooling, team skill, and the maturity of your incident response processes. A lower MTTD leads to earlier detection, enabling faster action. Likewise, reducing MTTR ensures minimal impact and a swifter return to normal operations. Together, they’re the clearest indicators of your organisation’s ability to manage threats with strong cyber security threat intelligence.
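As an added illustration (not code from the original article), the Python sketch below computes MTTD, MTTR and dwell time from incident timelines using the definitions above. It reports the median next to the mean, since the M-Trends figure cited earlier is a median. The record fields (`entered`, `detected`, `resolved`) and the sample incidents are constructed assumptions, not a real ticketing schema.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample records (not real data); timestamps are UTC, ISO 8601.
# entered  = earliest attacker activity established by the investigation
# detected = first alert or report; resolved = containment/remediation complete
INCIDENTS = [
    {"id": "INC-001", "entered": "2024-03-01T02:00:00", "detected": "2024-03-01T14:00:00", "resolved": "2024-03-02T02:00:00"},
    {"id": "INC-002", "entered": "2024-03-05T08:00:00", "detected": "2024-03-08T08:00:00", "resolved": "2024-03-09T08:00:00"},
    {"id": "INC-003", "entered": "2024-03-10T00:00:00", "detected": "2024-03-10T06:00:00", "resolved": None},  # still open
    {"id": "INC-004", "entered": "2024-02-01T00:00:00", "detected": "2024-03-12T00:00:00", "resolved": "2024-03-14T00:00:00"},
]

def hours_between(start, end):
    """Hours from start to end, or None when either timestamp is missing."""
    if not start or not end:
        return None
    seconds = (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds()
    if seconds < 0:
        # A negative interval means the timeline was recorded inconsistently.
        raise ValueError(f"end {end} precedes start {start}")
    return seconds / 3600

def summarise(values):
    """Mean and median in hours over the incidents that have both timestamps."""
    if not values:
        return None
    return {"mean_h": round(mean(values), 1), "median_h": round(median(values), 1), "n": len(values)}

def incident_metrics(incidents):
    """MTTD (entered->detected), MTTR (detected->resolved), dwell (entered->resolved)."""
    spans = {"MTTD": ("entered", "detected"),
             "MTTR": ("detected", "resolved"),
             "dwell": ("entered", "resolved")}
    result = {}
    for name, (start_key, end_key) in spans.items():
        durations = [hours_between(i.get(start_key), i.get(end_key)) for i in incidents]
        # Open incidents have no end timestamp yet; exclude them rather than count zero.
        result[name] = summarise([d for d in durations if d is not None])
    return result

if __name__ == "__main__":
    for metric, stats in incident_metrics(INCIDENTS).items():
        print(metric, stats)
```

In this constructed data set, one long-running intrusion (INC-004) pulls the mean MTTD to 262.5 hours while the median is 42 hours, which is why it helps to track both.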
Best practices to lower MTTD and MTTR
If your goal is faster detection and faster response (and it should be), these strategies will set you on the right path:
- Understanding the enemy: Tactics, techniques, and procedures (TTPs): Cyber threat intelligence hinges on understanding how attackers operate. Mapping threat actors' TTPs gives you context for alerts, helps analysts predict their next moves, and strengthens your detection rules. This is where cyber threat intelligence services make a difference, helping you act on relevant threat data rather than just collecting it.
- Build and test an Incident Response Plan: A strong incident response plan goes beyond process documentation. It needs to define your crown jewels, prioritise critical alerts, and map out clear escalation paths. Include tabletop exercises, red and purple team simulations, and scenario-based run-throughs to sharpen your team’s readiness.
- Establish a baseline: Know what 'normal' looks like: Without a clear baseline, anomalies are harder to spot. Understanding standard network and user behaviour helps analysts identify unusual activity quickly. It also makes tuning detection tools and reducing false positives easier.
- Accelerate with SOAR: Security Orchestration, Automation, and Response (SOAR) platforms tie tools together, apply playbooks, and reduce manual steps. They help you triage, enrich, and respond to incidents faster, significantly reducing your MTTR.
- Leverage AI for smarter threat hunting: AI-powered cyber intelligence tools can sift through vast datasets, identify patterns, and flag suspicious behaviours earlier. Advanced threat-hunting platforms simulate attacker behaviour to test hypotheses and proactively spot threats before they escalate.
- Invest in Offensive Security and Continuous Assessment: Penetration Testing, Red Teaming, and breach simulations provide a clear view of your defences under pressure. As one of only a few CVE Numbering Authorities in Australia, we help uncover and address vulnerabilities before they’re widely exploited.
- Train people continuously: Helping people recognise and report threats quickly is one of the most effective ways to reduce MTTD. Our Security Awareness Training is designed to build that capability across your organisation.
Top cyber security tools that drive results
The tools behind your security program matter, but so does how they’re integrated and managed. We work with a broad set of vendors to help our clients tailor and evolve the right stack for their environment.
- XDR (Extended Detection and Response): Integrates data across endpoints, cloud, and network.
- SIEM (Security Information and Event Management): Provides centralised logging, alerting, and forensics.
- SOAR: Speeds up incident handling through automated workflows.
- TIPs (Threat Intelligence Platforms): Operationalise cyber threat intelligence to stop known threats before they hit.
- EDR (Endpoint Detection and Response): Monitors and responds to endpoint-level threats in real-time.
- Breach & Attack Simulation (BAS): Continuously tests your defences under simulated attack conditions.
Each plays a role in closing the gap between detection and resolution. When well integrated and actively managed, these tools become a key part of a resilient threat response strategy.
How AI is impacting MTTD and MTTR in cyber security
Artificial intelligence is reshaping the speed and sophistication of cyber defence. Here’s how it’s transforming incident response:
- Early detection: AI models detect anomalies in near real-time, flagging threats faster than human analysts.
- Smarter triage: Automated triage ensures threats are prioritised and routed efficiently.
- Pattern recognition: AI finds trends in threat behaviour, supporting proactive defence.
- Incident correlation: It connects isolated Indicators of Compromise into a coherent story, reducing manual effort and time to respond.
By embedding AI into your cyber security threat intelligence workflows, your team can detect threats earlier, focus on what matters, and respond with confidence.
Your next step
Reducing MTTD, MTTR, and attacker dwell time takes structure, visibility, and fast decision-making. Understanding where you stand is a good place to begin.
Want to know how mature your current setup is? Try our 3-minute Security Operations Maturity Assessment. It delivers a tailored score, section insights, and a clear path forward.
Author
David Bingham is Security Sales Manager for The Missing Link’s Southern Region, where he leads with energy, empathy and a love of complex problem-solving. Known for blending strategic thinking with a passion for people, David creates space for his team—and clients—to thrive. He’s all about building trust, tackling cyber security challenges head-on, and keeping the conversation real (and fun). Whether he’s in a high-rise talking strategy or behind the decks as Melbourne techno DJ Obsessive Behaviour, David brings the same sharp focus, infectious energy and creative spark to everything he does.

