Mean Time to Respond (MTTR)
What is Mean Time to Respond (MTTR)?
Mean Time to Respond (MTTR)The average time between detecting a security incident and initiating an effective response action against it.
MTTR (response) measures how quickly a SOC moves from a validated alert to executing the first meaningful response action — triage, investigation kickoff, containment playbook, or notification of stakeholders. It captures the operational latency between detection and action, and is influenced by alert quality, analyst staffing, runbook automation via SOAR, and on-call processes. Lower MTTR means attackers have less time to escalate privileges or move laterally before defenders push back. MTTR is most useful when tracked alongside MTTD, MTTC and MTTR (recover), each isolating a different stage of the incident lifecycle.
● Examples
- 01
Automating tier-1 triage with SOAR to cut MTTR from 90 minutes to 8 minutes.
- 02
Tracking MTTR per severity in the SOC scorecard for quarterly review.
● Frequently asked questions
What is Mean Time to Respond (MTTR)?
The average time between detecting a security incident and initiating an effective response action against it. It belongs to the Defense & Operations category of cybersecurity.
What does Mean Time to Respond (MTTR) mean?
The average time between detecting a security incident and initiating an effective response action against it.
How do you defend against Mean Time to Respond (MTTR)?
Defences for Mean Time to Respond (MTTR) typically combine technical controls and operational practices, as detailed in the full definition above.
What are other names for Mean Time to Respond (MTTR)?
Common alternative names include: Time to respond, Response time.