MTTD — Mean Time to Detect
Mean Time to Detect (MTTD) is the average elapsed time between the moment a cybersecurity incident begins and the moment the organization first identifies it. It is one of the most widely tracked incident response metrics and a direct indicator of an organization's detection maturity.
Why MTTD Matters
Every hour an adversary operates undetected inside a network compounds the damage. During the detection gap, attackers establish persistence, move laterally across systems, escalate privileges, and exfiltrate data. A shorter MTTD reduces the blast radius of any incident. Industry data consistently shows that organizations with lower MTTD spend significantly less on breach remediation, face fewer regulatory penalties, and retain more customer trust than those with extended detection windows.
MTTD also directly affects regulatory exposure. Notification deadlines under the SEC's cybersecurity disclosure rules, the GDPR, and U.S. state breach laws run from the point at which the organization becomes aware of an incident (or, for the SEC, determines it to be material), not from the point of compromise. A long MTTD therefore does not shorten the notification window itself; it means that when the clock does start, the organization has to scope, contain, and report a larger and older intrusion within the same fixed number of days.
How MTTD Is Calculated
The formula is straightforward: for each incident in a given period, take the elapsed time between incident start (the earliest attacker activity) and detection (the first time the organization identified the incident), sum those intervals, then divide by the number of incidents. The challenge lies in accurately determining when an incident actually began, which usually requires retrospective forensic analysis; incidents whose start time has not yet been established should be excluded from the calculation rather than assigned a guess. Because a single long-running intrusion can dominate the average, report the median alongside the mean. Organizations should also track MTTD by incident type (ransomware, BEC, insider threat) because the detection characteristics differ substantially across threat categories.
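The calculation above, worked through as an added example that is not part of the original page or of any product it describes. The incident records are constructed sample data with hypothetical IDs; the field names (`start`, `detected`, `type`) are assumptions for the example. It excludes incidents whose start has not been established or whose detection timestamp precedes the start (a data-quality error), and reports mean and median overall and per incident type.

```python
from dataclasses import dataclass, field
from datetime import datetime
from statistics import mean, median
from typing import Dict, List, Optional

# Constructed sample incident records for illustration (hypothetical, not real data).
# "start" is the earliest attacker activity established by forensic review;
# "detected" is the first time the organization identified the incident.
INCIDENTS = [
    {"id": "INC-1", "type": "ransomware", "start": "2024-03-01T02:15:00Z", "detected": "2024-03-03T09:40:00Z"},
    {"id": "INC-2", "type": "bec",        "start": "2024-03-05T14:00:00Z", "detected": "2024-03-05T16:30:00Z"},
    {"id": "INC-3", "type": "insider",    "start": "2024-02-10T08:00:00Z", "detected": "2024-03-11T08:00:00Z"},
    {"id": "INC-4", "type": "ransomware", "start": "2024-03-12T23:00:00Z", "detected": "2024-03-13T03:00:00Z"},
    # Forensics has not yet established when this one began: excluded, not guessed.
    {"id": "INC-5", "type": "bec",        "start": None,                   "detected": "2024-03-14T10:00:00Z"},
    # Detection before start is a data-quality error (wrong clock or timezone): excluded.
    {"id": "INC-6", "type": "bec",        "start": "2024-03-20T12:00:00Z", "detected": "2024-03-20T11:00:00Z"},
]


@dataclass
class MttdReport:
    count: int                      # incidents that contributed to the metric
    mean_hours: Optional[float]     # MTTD proper
    median_hours: Optional[float]   # robust companion figure for skewed data
    excluded: List[str] = field(default_factory=list)  # id: reason


def parse_ts(value: Optional[str]) -> Optional[datetime]:
    """Parse an ISO-8601 UTC timestamp; None stays None (start not established)."""
    if value is None:
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def compute_report(incidents: List[dict]) -> MttdReport:
    """Mean and median detection gap in hours over the usable incidents."""
    gaps: List[float] = []
    excluded: List[str] = []
    for inc in incidents:
        start, detected = parse_ts(inc["start"]), parse_ts(inc["detected"])
        if start is None or detected is None:
            excluded.append(f"{inc['id']}: incident start not yet established by forensics")
            continue
        if detected < start:
            excluded.append(f"{inc['id']}: detection precedes start; check timestamps and timezones")
            continue
        gaps.append((detected - start).total_seconds() / 3600)
    if not gaps:
        return MttdReport(0, None, None, excluded)
    return MttdReport(len(gaps), mean(gaps), median(gaps), excluded)


def mttd_by_type(incidents: List[dict]) -> Dict[str, MttdReport]:
    """Same calculation, bucketed by incident type."""
    buckets: Dict[str, List[dict]] = {}
    for inc in incidents:
        buckets.setdefault(inc["type"], []).append(inc)
    return {t: compute_report(incs) for t, incs in buckets.items()}


def _fmt(hours: Optional[float]) -> str:
    return "n/a" if hours is None else f"{hours:.1f}h"


if __name__ == "__main__":
    overall = compute_report(INCIDENTS)
    print(f"overall: n={overall.count} mean={_fmt(overall.mean_hours)} median={_fmt(overall.median_hours)}")
    for reason in overall.excluded:
        print("  excluded ->", reason)
    for itype, rep in mttd_by_type(INCIDENTS).items():
        print(f"{itype}: n={rep.count} mean={_fmt(rep.mean_hours)} median={_fmt(rep.median_hours)}")
```

On the sample data the overall mean is about 195 hours while the median is about 30 hours: the single month-long insider case dominates the average, which is exactly why the per-type breakdown and the median belong next to the headline MTTD figure.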
Factors That Drive MTTD Higher
- Insufficient logging and telemetry coverage across endpoints, network, and cloud environments
- Alert fatigue from poorly tuned SIEM rules generating excessive false positives
- Lack of 24/7 monitoring coverage, leaving nights and weekends unmonitored
- Missing correlation between identity, network, and endpoint signals
- Understaffed security operations teams unable to investigate alerts promptly
How to Reduce MTTD
Reducing MTTD requires investment in both technology and process. Deploy an EDR/XDR solution that provides continuous endpoint visibility. Tune SIEM detection rules to reduce false positive rates so analysts can focus on real threats. Implement automated alert enrichment through a SOAR platform to accelerate initial triage. Conduct regular detection engineering exercises that test whether your monitoring stack actually catches the threats you care about. Finally, track MTTD as a board-level metric and set explicit improvement targets each quarter.
Track MTTD across every incident
IR-OS automatically captures detection timestamps and calculates MTTD trends across your incident history.