What is MTTD?

MTTD Definition

MTTD (Mean Time to Detect) is a key security operations metric that measures the average time needed to detect an incident or threat. It’s calculated as the average of times from attack start to detection for all incidents in a given period.

How to Calculate MTTD?

MTTD = Σ(detection time - attack start time) / number of incidents

Example:

• Incident 1: detected after 2 hours
• Incident 2: detected after 30 minutes
• Incident 3: detected after 4 hours
• MTTD = (2 + 0.5 + 4) / 3 = 2.17 hours

MTTD Benchmarks

• Best in class: < 1 hour
• Good: 1-4 hours
• Average: 1-7 days
• Industry average: ~200+ days (for APT)

How to Improve MTTD?

• SIEM with real-time correlation: Faster pattern detection
• EDR on all endpoints: Eliminating blind spots
• Automation: Less manual analysis
• Threat intelligence: Known IOCs detected immediately
• 24/7 SOC: Continuous monitoring

MTTD and Other Metrics

• MTTD: Time to detect
• MTTR: Time to respond/remediate
• MTTA: Time to acknowledge
• Dwell time: Attacker’s time in the network

Why MTTD Matters

MTTD directly affects:

• Damage scale: Longer dwell time = more damage
• Data exfiltration: More time to steal data
• Lateral movement: More time to spread
• Recovery costs: More systems compromised

MTTD Challenges

• Determining attack start: Often unknown
• Silent attacks: APT may go undetected for months
• Alert fatigue: Too many alerts delay detection
• Visibility gaps: Unmonitored areas

MTTD is one of the most important SOC metrics, directly impacting the scale of potential damage.