What Is Mean Time to Detect (MTTD)?

Mean time to detect (MTTD) is a core metric used by security teams to understand how quickly potential threats are discovered. It represents the average amount of time between the moment something malicious or suspicious begins in an environment and the moment the security team becomes aware of it.


Why MTTD matters in cybersecurity

Early detection is an essential guardrail for reducing attacker dwell time – the period an adversary spends undetected inside an environment. Lower MTTD gives security teams a critical advantage in minimizing damage and preventing attackers from escalating privileges, moving laterally, or accessing sensitive systems.

MTTD also helps organizations understand where breakdowns might be happening within their visibility stack or processes. When the metric trends in the wrong direction, teams often discover issues such as poor log management, excessive noise, blind spots, or detections that fire too late to be meaningful.

In practice, MTTD is a reflection of how efficiently a SOC can notice and recognize signs of compromise.

How MTTD is calculated

At its simplest, MTTD is the average, across incidents, of the time between the start of malicious activity and the moment the team detects it:

MTTD = (total detection time across incidents) ÷ (number of incidents)

But determining the true “start time” of malicious activity can be harder than it sounds. Attacker behavior is not always visible immediately, and the first observable indicator may occur minutes – or hours – after the initial compromise.

To calculate MTTD accurately, teams typically rely on:

  • Event logs such as endpoint, network, identity, and cloud telemetry
  • Detection rules or automated alerts tied to suspicious activity
  • Timeline reconstruction during investigations
  • Normalized timestamps that account for different log sources

An example

An organization experiences three separate credential misuse attempts. Investigators determine each attempt went undetected for 5 minutes, 11 minutes, and 9 minutes before the SOC identified it. The MTTD for these events would be:

(5 + 11 + 9) ÷ 3 = 8.33 minutes MTTD

MTTD and other SOC metrics: How they work together

MTTD is part of a family of operational metrics that describe how an organization identifies, responds to, and contains threats. Each metric focuses on a different moment in the incident timeline.

MTTD vs. MTTR

  • MTTD measures how fast the team detects an issue.
  • Mean time to respond (MTTR) measures how fast the team remediates or resolves it.

A low MTTD paired with a high MTTR may signal bottlenecks deeper in the response lifecycle.

MTTD vs. MTTC

Mean time to contain (MTTC) evaluates the time it takes to stop an active threat from spreading. It falls between detection and full remediation.

MTTD vs. MTTI

Some organizations use mean time to identify (MTTI) to highlight the time to initially identify that anomalous behavior is worth investigating. MTTD and MTTI are sometimes used interchangeably, but MTTI can refer to a narrower decision point inside the detection workflow.

Taken together, these metrics help teams understand the complete incident lifecycle, not just detection.

What influences MTTD?

MTTD typically reflects how well security teams balance noise, coverage, and context. High-performing detection programs usually share a few common characteristics: strong visibility, precise rules, and the ability to automate repetitive work.

The most common factors that raise MTTD include:

  • Visibility gaps: Missing telemetry or shadow environments make early signals harder to catch.
  • Low-fidelity alerts: False positives overwhelm analysts, delaying real detections.
  • Fragmented tooling: Manual collection and correlation slow investigations.
  • High analyst workload: Overloaded SOCs may not triage signals quickly enough.
  • Slow detection engineering cycles: Outdated detection rules struggle to keep up with threat actor methods.

When these issues stack up, the organization’s ability to detect threats consistently declines – and MTTD rises.

How organizations improve MTTD

Reducing MTTD requires a combination of better visibility, smarter detections, and operational efficiency. You’ll often see teams focus on:

  • Expanding telemetry coverage: Ensuring consistent endpoint, cloud, and identity logs.
  • Reducing false positives: Tuning rules to eliminate noise and highlight high-risk behaviors.
  • Correlating events automatically: Using detections that bring related signals together.
  • Aligning detections to MITRE ATT&CK: Ensuring coverage across attacker techniques.
  • Automating enrichment: Adding context (user, asset, behavior) at the moment of detection.
  • Monitoring detection gaps: Regularly reviewing why certain events were caught late or not at all.

Ultimately, meaningful MTTD improvement comes from precise detection logic and streamlined workflows, not from chasing unrealistic benchmarks.

What is a “good” MTTD?

Every organization’s detection baseline will look different. While some vendors promote “ideal” MTTD values, there is no universal standard, and the number depends heavily on the kind of threat being measured: detecting an endpoint malware infection may take seconds, whereas detecting lateral movement or credential misuse could take much longer.

The most realistic approach is not to pursue a single number but rather to set internal benchmarks, observe trends, and improve gradually.

Common pitfalls when measuring MTTD

Although MTTD seems straightforward, organizations often run into issues that reduce the metric’s accuracy or meaning. Let’s take a look at some of the more common pitfalls:

  • Irregular timestamps: Logs coming from different systems may not be synchronized.
  • Confusing “alert time” with “detection time”: An alert firing is not the same as an analyst recognizing the activity as a threat; measuring to the alert hides the triage delay that follows it.
  • Missing telemetry: If the earliest attacker activity isn’t captured, timeline reconstruction places the “start” later than it really was, and MTTD looks shorter than it actually is.
  • Overcounting alerts: Measuring alert volume instead of incident-level detection skews results.
  • Ignoring SOC workflow delays: Slow triage or queue backlogs can inflate detection time even when signals appear early.

Accurate measurement requires consistent frameworks, well-defined rules, and clear agreement on how detection time is determined.


Frequently asked questions