Vol. 1 · Ed. 2026
CyberGlossary
Entry № 739

Mean Time to Detect (MTTD)

Reviewed by: Cybersecurity entrepreneur & security researcher

What is Mean Time to Detect (MTTD)?

Mean Time to Detect (MTTD): The average elapsed time between the start of a security incident and the moment defenders identify it.


MTTD measures how quickly a security team becomes aware of malicious activity, typically from initial compromise to the first validated alert in the SIEM, SOAR or ticketing system. It is one of the core KPIs for SOC effectiveness and is closely tied to telemetry coverage, detection engineering and analyst triage workflows. Lower MTTD limits dwell time, reduces blast radius and improves the success of containment. Industry benchmarks vary widely by sector and maturity; mature teams often track MTTD per attack technique mapped to MITRE ATT&CK rather than a single global number.
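The following is an added example, not part of the original glossary entry, showing MTTD computed per ATT&CK technique next to the single global figure. The incident records are constructed sample data and `mttd_report` is a hypothetical helper name; incidents with no validated alert, or with an alert timestamp earlier than the compromise, are excluded and reported rather than averaged.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data: (incident id, ATT&CK technique,
# initial compromise, first validated alert). None = no validated alert yet.
INCIDENTS = [
    ("INC-1", "T1566", "2026-01-05T08:00:00", "2026-01-05T10:00:00"),
    ("INC-2", "T1566", "2026-01-09T12:00:00", "2026-01-09T18:00:00"),
    ("INC-3", "T1486", "2026-01-12T01:00:00", "2026-01-12T01:30:00"),
    ("INC-4", "T1486", "2026-01-20T03:00:00", None),
    ("INC-5", "T1078", "2026-01-02T00:00:00", "2026-01-12T00:00:00"),
    ("INC-6", "T1078", "2026-01-15T09:00:00", "2026-01-15T08:00:00"),
]


def mttd_report(incidents):
    """Return (global MTTD, {technique: MTTD}, [(incident id, exclusion reason)])."""
    deltas = defaultdict(list)
    excluded = []
    for inc_id, technique, start, detected in incidents:
        if detected is None:
            # Undetected incidents have no detection time to average.
            excluded.append((inc_id, "no validated alert"))
            continue
        delta = datetime.fromisoformat(detected) - datetime.fromisoformat(start)
        if delta < timedelta(0):
            # Usually clock skew or a wrongly scoped start time; do not average it.
            excluded.append((inc_id, "alert precedes compromise"))
            continue
        deltas[technique].append(delta)

    per_technique = {t: sum(d, timedelta(0)) / len(d) for t, d in deltas.items()}
    all_deltas = [d for ds in deltas.values() for d in ds]
    overall = sum(all_deltas, timedelta(0)) / len(all_deltas) if all_deltas else None
    return overall, per_technique, excluded


if __name__ == "__main__":
    overall, per_technique, excluded = mttd_report(INCIDENTS)
    print("Global MTTD:", overall)
    for technique, mttd in sorted(per_technique.items()):
        print(f"  {technique}: {mttd}")
    for inc_id, reason in excluded:
        print(f"  excluded {inc_id}: {reason}")
```

On this sample the global figure sits between a 30-minute MTTD for one technique and a 10-day MTTD for another, which is the gap a per-technique breakdown exposes.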

Examples

  1. Going from a 200-day MTTD to a 4-hour MTTD by deploying EDR plus log-based detections.

  2. Reporting MTTD weekly for ransomware-related techniques as part of SOC metrics.

Frequently asked questions

What is Mean Time to Detect (MTTD)?

The average elapsed time between the start of a security incident and the moment defenders identify it. It belongs to the Defense & Operations category of cybersecurity.

What does Mean Time to Detect (MTTD) mean?

The average elapsed time between the start of a security incident and the moment defenders identify it.

How do you improve Mean Time to Detect (MTTD)?

Improving Mean Time to Detect (MTTD) typically combines technical controls and operational practices, as detailed in the full definition above.

What are other names for Mean Time to Detect (MTTD)?

Common alternative names include: Detection time, Time to detect.
