Dwell Time.

The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant. It belongs to the Defense & Operations category of cybersecurity.

The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant.

Dwell time is the duration between initial intrusion and detection (sometimes broken into 'attacker dwell' until any defender action and 'detection dwell' until first confirmed alert). It is the single most cited efficacy metric in industry incident-response reports — Mandiant's M-Trends, IBM/Ponemon, CrowdStrike — and tracks how successful defenders are at finding adversaries before they finish their objectives. Historically median dwell times were measured in many months (Mandiant reported 416 days in 2011); by 2023–2024 medians had fallen to around 10 days globally for externally-notified incidents and a few days for ransomware-driven cases, both because attackers moved faster (ransomware shifted to days-to-encryption) and because defenders deployed better tooling (EDR, SIEM rule coverage, MDR). Dwell time alone can be misleading — fast detection of a brief intrusion may be worse than slow detection of a long one — so mature programs report it alongside Mean Time to Contain and Mean Time to Recover.

Defences for Dwell Time typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Attacker dwell time, Compromise-to-detect time.