Dwell Time.

The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant. Относится к категории Защита и операции в кибербезопасности.

The interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant.

Dwell time is the duration between initial intrusion and detection (sometimes broken into 'attacker dwell' until any defender action and 'detection dwell' until first confirmed alert). It is the single most cited efficacy metric in industry incident-response reports — Mandiant's M-Trends, IBM/Ponemon, CrowdStrike — and tracks how successful defenders are at finding adversaries before they finish their objectives. Historically median dwell times were measured in many months (Mandiant reported 416 days in 2011); by 2023–2024 medians had fallen to around 10 days globally for externally-notified incidents and a few days for ransomware-driven cases, both because attackers moved faster (ransomware shifted to days-to-encryption) and because defenders deployed better tooling (EDR, SIEM rule coverage, MDR). Dwell time alone can be misleading — fast detection of a brief intrusion may be worse than slow detection of a long one — so mature programs report it alongside Mean Time to Contain and Mean Time to Recover.

Защита от Dwell Time обычно сочетает технические меры и операционные практики, как описано в определении выше.

Распространённые альтернативные названия: Attacker dwell time, Compromise-to-detect time.