
Mean Time to Detect (MTTD): How to Measure Threat Detection Speed

April 28, 2026 / Published by: Admin

A company’s IT team receives a report that customer data has been circulating on a dark web forum. After tracing the source, they discover the attacker had been inside the system for three months without ever being detected. During that time, the threat actor quietly accessed and extracted sensitive business data.

Cases like this are more common than most organizations expect. Attackers can maintain access for extended periods without triggering any visible alerts. By the time the breach surfaces, the damage is already done.

According to the IBM Cost of a Data Breach Report 2023, summarized by ResilientX, the average organization takes 204 days to identify a breach and another 73 days to contain it.

That puts the full identification-to-recovery cycle at roughly 277 days, which is exactly why Mean Time to Detect (MTTD) has become one of the most watched metrics in cybersecurity.

What Is Mean Time to Detect (MTTD)?

Mean Time to Detect (MTTD) is the average time a security team needs to detect a threat or security incident, measured from the moment the event first occurs in the system. The unit is typically hours or days, depending on the maturity of the organization’s monitoring capabilities.

Unlike MTTR (Mean Time to Respond), which measures how quickly a team handles a threat after it has been found, MTTD focuses on how quickly the threat is first identified. The lower the MTTD, the smaller the window attackers have to move freely inside the environment.

An example: A retail company discovers malware on its server on Thursday. A review of the logs shows the malware had already entered the system on Monday, three days earlier. That gives this incident an MTTD of 72 hours. Once the malware was found, the team spent 4 hours isolating and cleaning the affected systems. Those 4 hours are what is called MTTR.

The Difference Between MTTD and MTTR

Both metrics are often referenced together, but they measure different phases of the incident response cycle. Understanding the distinction matters because improvements aimed at one will not automatically fix the other.

  • MTTD (Mean Time to Detect): Measures how quickly a threat is found, calculated from when the threat first becomes active in the system. The question it answers: “When did we know there was a problem?”
  • MTTR (Mean Time to Respond): Measures how quickly a threat is resolved after it has been detected. The question it answers: “How fast did we fix it?”

A high MTTD paired with a low MTTR means the team responds well once they know about a problem, but takes far too long to notice it in the first place. Both numbers need to improve together for the incident response cycle to be genuinely effective.

Why MTTD Matters for Business

Every hour a threat goes undetected is another hour attackers have to move deeper into the environment. In a ransomware scenario, a 24-hour detection delay can be enough to encrypt thousands of critical files and bring operations to a halt.

Beyond the operational risk, there are legal consequences that cannot be ignored. Regulations like the PDPA (Personal Data Protection Act) across Southeast Asia and the ISO 27001 standard require organizations to have documented, measurable incident detection mechanisms in place.

MTTD is not just a concern for the IT team. It directly affects customer trust, regulatory compliance, and the continuity of the business as a whole.

Benefits of Measuring and Monitoring MTTD

Tracking MTTD consistently delivers advantages that go well beyond technical readiness. Below are the concrete benefits organizations experience when they start taking this metric seriously.

  1. More Targeted Incident Response
    Teams that know their MTTD can identify weak points in their detection process with much greater precision. Rather than acting on gut instinct, decisions are grounded in actual data recorded by the monitoring system.
    Example: If MTTD for phishing incidents consistently sits at 48 hours, the team knows the gap is in the email detection layer, not at the endpoint level. Resources can be directed there specifically, rather than spending budget on areas that are already performing well.
  2. Reduced Financial Exposure
    IBM reports that organizations with a detection and response cycle under 200 days save an average of USD 1.42 million compared to those that take longer. That figure covers regulatory fines, forensic investigation costs, and customer compensation.
    This means every hour shaved off MTTD is not just a technical win. It carries real financial value for the business.
  3. Stronger Trust With Clients and Partners
    Customers and business partners are increasingly attentive to data security, particularly in financial services, healthcare, and retail. When competing for enterprise contracts or going through procurement reviews, organizations that can demonstrate an MTTD under 24 hours hold a noticeably stronger position.
    Transparency around metrics like MTTD also strengthens an organization’s standing during security audits conducted by enterprise clients or regulatory bodies.
  4. Improved Security Team Efficiency
    SOC teams that operate with a defined MTTD baseline know when their performance is below standard and when they are on track. A SOC that previously could only report “we did our best” to management can now present monthly MTTD trends as concrete evidence of team performance.
    Without this number, evaluating a security team’s effectiveness tends to be subjective and difficult to justify at the business level.

How to Measure MTTD

Measuring MTTD gives organizations a clear picture of how quickly threats are actually being detected. With a defined number, security teams can assess the effectiveness of their monitoring and identify where improvements are needed.

At its core, MTTD is calculated from the gap between when an incident first occurs and when the threat is successfully detected. Results from multiple incidents are then averaged over a set period to track detection performance consistently.

The formula:

MTTD = Total Detection Time Across All Incidents / Number of Incidents

Example: In one month, the team recorded 5 incidents with detection times of 3 hours, 6 hours, 2 hours, 8 hours, and 5 hours. Total = 24 hours, divided by 5 incidents = MTTD of 4.8 hours for that month. That figure can then be compared to the previous month to see whether detection performance is improving or declining.

Step-by-Step Measurement Process

Accurate and consistent results require a shared definition of incident start time, detection time, and recording method across every case. Below are the steps most commonly used to calculate MTTD.

1. Establish the Starting Point (T0)

T0 is when the incident first occurs in the system, not when the first alert appears on a dashboard. Log data from endpoints, firewalls, or a SIEM (Security Information and Event Management) system is typically used to determine T0 accurately.

Example: A firewall log records a suspicious connection at 2:15 AM. Even if the team does not review it until midday, T0 is still logged as 2:15 AM, not the time the alert was read.

2. Record the Detection Time (T1)

T1 is when the security team first confirms the presence of a threat. Confirmation here does not mean a notification appeared. It means an analyst has verified that the alert is a genuine threat, not a false positive.

Example: An alert fires at 9:00 AM, but the analyst does not confirm it as a real threat until 10:30 AM after completing verification. T1 is 10:30 AM, not 9:00 AM.

3. Calculate the Gap and Average the Results

Collect data from all incidents within the same time period, then calculate the average gap between T1 and T0 across all of them. Do this consistently each month or quarter so detection trends become visible over time.

Example: T0 at 2:15 AM, T1 at 10:30 AM, the gap is 8 hours and 15 minutes. Collect the gaps from all incidents that month, add them together, then divide by the total number of incidents to get the average.

4. Segment by Incident Category

MTTD for malware can differ significantly from MTTD for insider threats or unauthorized access attempts. Breaking the data down by category gives a far more specific picture of which areas need attention.

Example: MTTD for malware averages 4 hours because EDR tools are already in place, but MTTD for insider threats sits at 72 hours because there is no User Behavior Analytics system yet. Without this breakdown, that specific gap would be invisible in the overall average.
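The formula above and steps 1 to 4, worked through in code. This is an added example, not the article's or Adaptist's own tooling; the incident records are constructed, T0 is taken from the earliest log evidence, T1 from analyst confirmation, and the alert time is kept only to show how much MTTD is understated when the alert time is used as T1 instead.

```python
from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean

# Constructed sample incidents for one month (not real data). t0 is the
# earliest log evidence, alert_at is when the SIEM alert fired, and t1 is
# when an analyst confirmed the alert as a genuine threat. All timestamps
# carry an explicit offset; INC-5 is recorded in UTC to show normalisation.
INCIDENTS = [
    {"id": "INC-1", "category": "malware", "t0": "2026-03-02T02:15:00+07:00",
     "alert_at": "2026-03-02T09:00:00+07:00", "t1": "2026-03-02T10:30:00+07:00"},
    {"id": "INC-2", "category": "malware", "t0": "2026-03-05T14:00:00+07:00",
     "alert_at": "2026-03-05T14:30:00+07:00", "t1": "2026-03-05T17:00:00+07:00"},
    {"id": "INC-3", "category": "malware", "t0": "2026-03-09T08:00:00+07:00",
     "alert_at": "2026-03-09T08:10:00+07:00", "t1": "2026-03-09T08:45:00+07:00"},
    {"id": "INC-4", "category": "insider", "t0": "2026-03-01T09:00:00+07:00",
     "alert_at": "2026-03-03T09:00:00+07:00", "t1": "2026-03-04T09:00:00+07:00"},
    {"id": "INC-5", "category": "unauthorized_access", "t0": "2026-03-12T15:00:00+00:00",
     "alert_at": "2026-03-13T01:00:00+07:00", "t1": "2026-03-13T04:00:00+07:00"},
]

def to_utc(ts: str) -> datetime:
    """Parse an ISO 8601 timestamp with offset and normalise it to UTC."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without offset cannot be compared: {ts}")
    return dt.astimezone(timezone.utc)

def detection_hours(incident: dict, t1_field: str = "t1") -> float:
    """Step 3 gap, T1 minus T0, in hours; a T1 before T0 means a bad record."""
    t0, t1 = to_utc(incident["t0"]), to_utc(incident[t1_field])
    if t1 < t0:
        raise ValueError(f"{incident['id']}: {t1_field} precedes t0")
    return (t1 - t0).total_seconds() / 3600

def mttd(incidents: list, t1_field: str = "t1"):
    """Mean detection time for the period; None when nothing to average."""
    if not incidents:
        return None
    return mean(detection_hours(i, t1_field) for i in incidents)

def mttd_by_category(incidents: list) -> dict:
    """Step 4: segment so a slow category is not hidden by the overall mean."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc["category"]].append(inc)
    return {cat: mttd(group) for cat, group in groups.items()}
```

With these records `mttd(INCIDENTS)` is 18.0 hours overall while `mttd_by_category` shows malware at 4.0 hours and insider threats at 72 hours; substituting `alert_at` for T1 drops the overall figure to roughly 11.7 hours, which is the reporting distortion the T0/T1 definitions exist to prevent.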

What Is a Good MTTD Target?

There is no universal benchmark that applies to every organization. The right MTTD target depends on multiple factors: the industry, company size, monitoring maturity, cloud footprint, automation capabilities, and analyst headcount.

As a general principle, faster is better. Detecting malware at the endpoint can happen in seconds with the right tools in place, while threats like lateral movement or credential misuse may take considerably longer to surface.

The most realistic approach is to set internal benchmarks, track trends consistently, and improve gradually over time. Organizations with a mature SOC (Security Operations Center) typically use 24 hours as an initial reference point for critical incidents.

How to Reduce MTTD

Lowering MTTD is not a single-step fix. There are several measures that can be implemented incrementally, adjusted to fit the capacity and scale of each organization.

Deploy a SIEM With Automated Alerting

A SIEM collects logs from multiple sources in real time and detects anomaly patterns that cannot be monitored manually. Without automation, security teams rely on manual checks that are slow and prone to missing early signals.

Example: Without a SIEM, analysts must review firewall, server, and endpoint logs separately, one at a time. With a SIEM, all logs are aggregated in one place and anomalies are flagged automatically, so analysts only need to verify alerts that the system has already prioritized.

Integrate Relevant Threat Intelligence

Threat intelligence provides context about active threats targeting a specific industry or region, so teams do not have to start every investigation from scratch. When a system already “knows” what current attack patterns look like, detection can happen significantly earlier.

Example: If a threat intelligence feed flags that a particular technique is actively being used against financial institutions across Southeast Asia, the SOC can update detection rules in the SIEM before the attack reaches the organization’s own infrastructure.

Invest in SOC Analyst Training

Even the most advanced tools will underperform if the analysts using them are not trained to recognize early threat signals. Many incidents already show indicators days before they are formally detected, but those signals get missed because analysts do not know what to look for.

Example: During a tabletop exercise simulating a targeted phishing attack, teams consistently discover that indicators like logins from unusual locations were already present in the logs long before the “official” incident occurred, but went unnoticed because no one had thought to look for them.

Address Alert Fatigue

Too many alerts slow detection down. When analysts are overwhelmed sorting through noise, critical signals get buried. Regularly tuning detection rules to cut false positives is a step that often gets deprioritized, despite having a direct impact on MTTD.

Example: An untuned SIEM can generate thousands of alerts per day, with 90% turning out to be false positives. After tuning, the alert volume drops sharply and analysts can concentrate on signals that genuinely require immediate attention.

Implement Zero Trust Architecture

Zero Trust operates on the assumption that no user or device is automatically trusted, including those already inside the internal network. Every access request is verified and logged, making suspicious activity much easier to identify early.

Example: If an internal account suddenly accesses a database it has never touched before, Zero Trust blocks the attempt and triggers a notification immediately, rather than allowing it simply because the account originates from inside the corporate network.

If an organization wants to strengthen its detection strategy while building a more proactive security system, a Zero Trust approach could be the next step. To gain a deeper understanding of the concept, benefits, and implementation, download our eBook and discover how Zero Trust helps reduce the risk of attacks and accelerate the detection of cyber threats.

Conclusion

MTTD reflects how prepared an organization’s security posture is against threats that move fast and quietly. A high number does not mean an organization has never been attacked. It may mean the opposite: an attack already happened and no one knew.

Reducing MTTD takes the right combination of technology, consistent processes, and a team trained to recognize threat signals earlier.

For organizations looking to build this capability in a structured way, Adaptist Prime from Adaptist Consulting is built for exactly that. From SIEM implementation and threat intelligence integration to SOC team enablement, everything is designed so that MTTD improvement is measurable, not just assumed.


FAQ

What is the difference between MTTD and dwell time?

Dwell time is the total period an attacker spends inside a system before being fully removed, while MTTD only measures up to the point of detection. Dwell time covers the response and remediation phases as well.

Is MTTD only relevant for large enterprises?

No. Smaller organizations are often more exposed because their monitoring resources are limited, which means a high MTTD can cause proportionally greater damage.

How often should MTTD be reviewed?

Monthly for organizations handling a high volume of incidents, or at minimum quarterly for those still building out their security capabilities.

Can MTTD be manipulated to look better in reports?

Yes, if the definition of “detection” is not standardized from the start. That is why establishing a consistent definition of T0 and T1 before any measurement begins is so important.

What tools are commonly used to measure and reduce MTTD?

SIEM platforms like Splunk, Microsoft Sentinel, or IBM QRadar are the most widely deployed, paired with EDR tools like CrowdStrike or SentinelOne for endpoint-level visibility.

Profile: Adaptist Consulting

Adaptist Consulting is a technology and compliance firm dedicated to helping organizations build secure, data-driven, and compliant business ecosystems.
