Dwell Time.

The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant. Pertenece a la categoría de Defensa y operaciones en ciberseguridad.

The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant.

Dwell time is the duration between initial intrusion and detection (sometimes broken into 'attacker dwell' until any defender action and 'detection dwell' until first confirmed alert). It is the single most cited efficacy metric in industry incident-response reports — Mandiant's M-Trends, IBM/Ponemon, CrowdStrike — and tracks how successful defenders are at finding adversaries before they finish their objectives. Historically median dwell times were measured in many months (Mandiant reported 416 days in 2011); by 2023–2024 medians had fallen to around 10 days globally for externally-notified incidents and a few days for ransomware-driven cases, both because attackers moved faster (ransomware shifted to days-to-encryption) and because defenders deployed better tooling (EDR, SIEM rule coverage, MDR). Dwell time alone can be misleading — fast detection of a brief intrusion may be worse than slow detection of a long one — so mature programs report it alongside Mean Time to Contain and Mean Time to Recover.

Las defensas contra Dwell Time combinan habitualmente controles técnicos y prácticas operativas, como se detalla en la definición.

Nombres alternativos comunes: Attacker dwell time, Compromise-to-detect time.