Incident Command Platform
← Glossary

MTTC — Mean Time to Contain

Mean Time to Contain (MTTC) is the average elapsed time between detecting a cybersecurity incident and successfully isolating the threat so it can no longer spread, exfiltrate data, or cause additional damage. MTTC focuses specifically on the containment phase of incident response.

Why MTTC Matters

Detection without rapid containment is insufficient. Once an incident is identified, every additional minute the adversary retains access increases the scope of compromise. During uncontained incidents, attackers continue lateral movement, deploy additional persistence mechanisms, encrypt more systems in ransomware scenarios, or exfiltrate larger volumes of data. MTTC directly measures how quickly the organization can stop the bleeding after awareness.

Insurance carriers and regulators increasingly scrutinize containment timelines. A long gap between detection and containment suggests a lack of preparedness, pre-authorized containment decisions, or operational capability -- all factors that affect coverage determinations and regulatory outcomes.

MTTC vs MTTR

MTTC and MTTR are often confused but measure different things. MTTC measures the time to isolate the threat -- stopping the adversary from causing further harm. MTTR (Mean Time to Respond or Recover) measures the broader timeline through full remediation and business recovery. Containment is a necessary precursor to recovery, but an incident can be contained long before systems are fully restored. Tracking both metrics separately provides a clearer picture of operational capability.

How to Reduce MTTC

Related Terms

Measure containment speed across every incident

IR-OS tracks containment timestamps and pre-authorized actions so your team can isolate threats faster.

Start free