Measures how long it takes an organization to identify a cybersecurity threat or anomaly from the moment it begins. It reflects the speed and efficiency of an organization’s monitoring and alerting systems. A low MTTD indicates strong visibility, effective threat detection tools, and a responsive security team.
MTTD Formula
Loading formula...Where:
- Loading formula...The timestamp marking when incident i actually began, such as when an attacker gained initial access or a system first became compromised.
- Loading formula...The timestamp when incident i was detected by monitoring systems or security analysts.
- Loading formula...The total number of incidents measured during the reporting period.
High MTTD values suggest detection gaps—such as insufficient logging, poor alert tuning, or limited staff coverage. Reducing MTTD often involves implementing automated detection platforms like SIEM, EDR, or XDR, supported by continuous threat intelligence and behavioral analytics.
MTTD is not just a performance metric—it’s a key indicator of risk exposure. The faster an organization detects a compromise, the smaller the window of opportunity for attackers to move laterally or exfiltrate data.