Security Operations

Mean Time to Detect (MTTD)

Mean time to detect is the average amount of time it takes an organization to identify suspicious or malicious activity after it begins.

What Is MTTD?

MTTD measures the speed of the detection function across incidents or exercises. A lower MTTD generally indicates stronger visibility, better detection content, and faster triage, although the metric is most useful when it is measured consistently and segmented by attack type or control area.
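The segmented measurement described above, as an added example (not FourCore's code): it computes MTTD per attack type from incident records and reports undetected incidents separately, since a mean over detected incidents alone hides them. The record layout, segment names and timestamps are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, median

# Constructed sample records (assumed layout):
# (attack_type, activity_start, first_detection or None if never detected)
INCIDENTS = [
    ("credential_access", "2024-03-01T08:00:00", "2024-03-01T08:30:00"),
    ("credential_access", "2024-03-04T10:00:00", "2024-03-04T11:30:00"),
    ("lateral_movement", "2024-03-02T12:00:00", "2024-03-02T18:00:00"),
    ("lateral_movement", "2024-03-05T09:00:00", None),  # never detected
    ("exfiltration", "2024-03-03T14:00:00", "2024-03-03T13:55:00"),  # clock skew
]


def mttd_by_segment(records):
    """Return per-segment detection statistics, with times in minutes."""
    deltas = defaultdict(list)
    missed = defaultdict(int)
    invalid = defaultdict(int)
    for segment, start, detected in records:
        deltas[segment]  # register the segment even if nothing was detected
        if detected is None:
            missed[segment] += 1  # count it; never average it away
            continue
        gap = datetime.fromisoformat(detected) - datetime.fromisoformat(start)
        minutes = gap.total_seconds() / 60
        if minutes < 0:
            invalid[segment] += 1  # detection before start: fix the data source
            continue
        deltas[segment].append(minutes)
    return {
        segment: {
            "mttd_min": mean(values) if values else None,
            "median_min": median(values) if values else None,
            "detected": len(values),
            "missed": missed[segment],
            "invalid": invalid[segment],
        }
        for segment, values in deltas.items()
    }


if __name__ == "__main__":
    for segment, stats in mttd_by_segment(INCIDENTS).items():
        print(segment, stats)
```

A segment whose MTTD is `None`, or whose `missed` count is non-zero, points to a visibility gap that the average by itself would not show.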

What Affects MTTD

  1. Telemetry Coverage: Whether the right systems and identities are monitored
  2. Detection Logic: Whether analytics and rules surface meaningful attacker behavior
  3. Alert Quality: Whether analysts can trust and prioritize the signals quickly
  4. Operational Process: Whether triage and escalation paths are efficient

Why It Matters

Faster detection reduces attacker freedom of movement and limits the time available for escalation, persistence, or exfiltration. It is a practical way to measure whether detection engineering and monitoring investments are producing results.

How FourCore ATTACK Relates

FourCore ATTACK helps teams test real detection timing against simulated attacker behavior so MTTD improvements can be measured against realistic scenarios instead of assumptions.
