Dwell Time
Dwell time is the amount of time an attacker remains in an environment before being detected, contained, or removed.
What Is Dwell Time?
This metric captures how long an intrusion persists before defenders take effective action. Long dwell time usually indicates gaps in visibility, alert triage, investigation speed, or response coordination, especially when attackers use stealthy techniques after initial access.
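As an added illustration (not part of the original page and not FourCore's code), the sketch below computes dwell time from incident timelines, measured separately to detection, containment, and removal. The record layout, field names, and all timestamps are constructed assumptions.

```python
from datetime import datetime, timezone
from statistics import median

# Constructed incident records (not real data). Field names are assumptions.
# "initial_access" is the earliest attacker activity the investigation found.
INCIDENTS = [
    {"id": "INC-A", "initial_access": "2024-03-01T08:15:00+00:00",
     "detected": "2024-03-19T14:40:00+00:00",
     "contained": "2024-03-20T02:10:00+00:00",
     "removed": "2024-03-24T17:00:00+00:00"},
    {"id": "INC-B", "initial_access": "2024-04-10T22:05:00-05:00",
     "detected": "2024-04-11T09:30:00+00:00",
     "contained": "2024-04-11T11:00:00+00:00",
     "removed": None},                      # eradication still in progress
    {"id": "INC-C", "initial_access": "2024-05-02T00:00:00+00:00",
     "detected": "2024-05-05T12:00:00+00:00",
     "contained": None, "removed": None},   # detected, not yet contained
]
MILESTONES = ("detected", "contained", "removed")

def _parse(ts):
    """Parse ISO 8601 and normalise to UTC; reject offset-less timestamps,
    which silently skew dwell time when log sources sit in different zones."""
    dt = datetime.fromisoformat(ts)
    if dt.tzinfo is None:
        raise ValueError(f"timestamp without UTC offset: {ts}")
    return dt.astimezone(timezone.utc)

def dwell_hours(incident):
    """Hours from initial access to each milestone; None if not reached yet."""
    start = _parse(incident["initial_access"])
    hours = {}
    for m in MILESTONES:
        if incident.get(m) is None:
            hours[m] = None
            continue
        end = _parse(incident[m])
        if end < start:
            raise ValueError(f"{incident['id']}: {m} precedes initial access")
        hours[m] = (end - start).total_seconds() / 3600
    return hours

def summarize(incidents):
    """Median dwell per milestone over closed cases, plus count still open."""
    rows = [dwell_hours(i) for i in incidents]
    out = {}
    for m in MILESTONES:
        closed = [r[m] for r in rows if r[m] is not None]
        out[m] = {"median_hours": round(median(closed), 2) if closed else None,
                  "open": len(rows) - len(closed)}
    return out

if __name__ == "__main__":
    for milestone, stats in summarize(INCIDENTS).items():
        print(milestone, stats)
```

The median is reported alongside the count of open cases because incidents that have not yet reached a milestone are excluded from the median and would otherwise make the figure look better than it is.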
What Influences Dwell Time
- Detection Quality: Whether relevant behaviors generate useful alerts
- Coverage Gaps: Whether key systems or identities are monitored consistently
- Analyst Efficiency: How quickly teams validate and escalate suspicious activity
- Response Readiness: Whether containment actions are well-defined and timely
Why It Matters
Dwell time is closely tied to attacker opportunity. The longer an attacker stays undetected, the more time they have to expand access, move laterally, and reach sensitive systems or data.
How FourCore ATTACK Relates
FourCore ATTACK helps organizations reduce dwell time indirectly by validating detections, exposing missed attack behavior, and giving teams a repeatable way to improve response readiness.