What is MTTR?

MTTR Definition

MTTR (Mean Time to Respond or Mean Time to Remediate) is a security operations metric measuring the average time from incident detection to resolution. Depending on definition, MTTR may measure time to first response (Response) or complete threat removal (Remediate).

MTTR Variants

Mean Time to Respond:

• Time to first action
• E.g., machine isolation
• Faster metric

Mean Time to Remediate:

• Time to complete resolution
• Threat removal, recovery
• More comprehensive metric

Mean Time to Recover:

• Time to restore normal operations
• Often used in ITIL/availability

How to Improve MTTR?

• SOAR with playbooks: Response automation
• Pre-defined procedures: Ready procedures for incident types
• Permissions and tools: SOC has access to isolation
• Communication: Clear escalations
• Training: Regular exercises

MTTR in Regulatory Context

DORA: 4 hours for incident reporting NIS2: 24 hours for early warning

Fast MTTR is essential to meet regulatory time requirements.

MTTD + MTTR = Dwell Time

Dwell Time (attacker’s time in environment) = MTTD + MTTR

Minimizing both metrics reduces the time an attacker can cause damage.

MTTR Benchmarks

• Best in class: < 1 hour (for critical incidents)
• Good: 1-4 hours
• Average: 1-7 days
• Industry average: Weeks to months

Improving MTTR

Technology:

• SOAR automation
• EDR with response capabilities
• Pre-built playbooks
• Integrated tooling

Process:

• Documented procedures
• Clear escalation paths
• Regular drills
• Post-incident reviews

People:

• Trained analysts
• 24/7 coverage
• Empowered to act

MTTR is a critical SOC metric that directly impacts business damage from security incidents.