Mean Time to Detect (MTTD)

Short definition

Mean Time to Detect (MTTD) measures how long it takes for a SOC to recognize that a security incident is occurring, from the first relevant signal to confirmed detection.

Extended definition

MTTD is one of the most cited SOC performance metrics and one of the most misunderstood.

In theory, a lower MTTD indicates faster detection and reduced attacker dwell time. In practice, MTTD is heavily shaped by detection quality, alert noise, and operational behavior. Without context, it can easily become a misleading or even counterproductive metric.

MTTD does not measure security maturity by itself. It measures how a SOC’s detection pipeline behaves under real conditions.

Deep technical explanation

Mean Time to Detect is typically calculated as the time difference between:

  • The earliest observable malicious activity in telemetry
  • The moment the SOC identifies that activity as an incident

The problem is that both timestamps are subjective.

Common sources of distortion include:

Alert-driven bias

If detection is based on noisy alerts, MTTD appears low because alerts fire quickly, even if analysts do not recognize the incident until much later.

Post hoc detection

In some SOCs, incidents are only recognized during retrospective analysis. MTTD then reflects reporting lag rather than detection capability.

Detection fragmentation

Multiple alerts relate to the same incident, but none are recognized as an incident until correlated manually. MTTD reflects human stitching, not system detection.

Suppressed signal

To control alert noise, thresholds are raised. Detection happens later in the attack chain, inflating real dwell time while MTTD may still look acceptable.

MTTD is therefore a downstream result of several upstream factors:

  • Detection precision and false discovery rate
  • Security analytics quality
  • Alert volume and triage efficiency
  • Coverage gaps across attack stages

Improving MTTD without addressing these factors often leads to perverse outcomes, such as over-sensitive detections that flood analysts or automation that reacts too early and breaks systems.
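To make the anchoring problem concrete, here is an added example (not code from the original page or from BlueGrid.io) that computes MTTD over a small constructed incident set two ways: anchored to the first alert and anchored to confirmed analyst recognition. The incident records, field names and the 24-hour lag threshold are assumptions chosen for illustration; the gap between the two numbers is the "understanding lag" that alert-anchored MTTD hides.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (illustrative only; not real data, not from the page).
# Timestamps are ISO 8601. Fields:
#   first_malicious - earliest malicious activity later found in telemetry
#   first_alert     - first alert that fired, however noisy or fragmentary
#   confirmed       - moment an analyst confirmed the activity as an incident
#   alerts          - number of separate alerts later tied to the incident
INCIDENTS = [
    {"id": "INC-1", "first_malicious": "2024-03-01T08:00:00",
     "first_alert": "2024-03-01T08:03:00", "confirmed": "2024-03-01T11:30:00", "alerts": 4},
    {"id": "INC-2", "first_malicious": "2024-03-02T01:00:00",
     "first_alert": "2024-03-05T09:10:00", "confirmed": "2024-03-05T10:00:00", "alerts": 1},
    {"id": "INC-3", "first_malicious": "2024-03-04T14:00:00",
     "first_alert": "2024-03-04T14:01:00", "confirmed": "2024-03-06T09:00:00", "alerts": 12},
]

def _hours(start: str, end: str) -> float:
    """Elapsed hours between two ISO 8601 timestamps."""
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def time_to_detect(incident: dict, anchor: str = "confirmed") -> float:
    """Hours from first malicious activity to the chosen detection anchor:
    'first_alert' (alert-driven) or 'confirmed' (analyst recognition)."""
    return _hours(incident["first_malicious"], incident[anchor])

def mttd(incidents: list, anchor: str = "confirmed") -> float:
    """Mean Time to Detect over a set of incidents for the given anchor."""
    return mean(time_to_detect(i, anchor) for i in incidents)

def understanding_lag(incident: dict) -> float:
    """Hours between the first alert and confirmed recognition: the part of
    dwell time that an alert-anchored MTTD silently drops."""
    return _hours(incident["first_alert"], incident["confirmed"])

def masked_incidents(incidents: list, max_lag_hours: float = 24.0) -> list:
    """IDs of incidents where alerts fired but recognition took longer than
    max_lag_hours: the 'fast alerts, slow understanding' case."""
    return [i["id"] for i in incidents if understanding_lag(i) > max_lag_hours]

if __name__ == "__main__":
    print(f"MTTD anchored to first alert : {mttd(INCIDENTS, 'first_alert'):6.1f} h")
    print(f"MTTD anchored to confirmation: {mttd(INCIDENTS, 'confirmed'):6.1f} h")
    for inc in INCIDENTS:
        print(f"{inc['id']}: {inc['alerts']:2d} alerts, understanding lag {understanding_lag(inc):5.1f} h")
    print("Hidden by alert-anchored MTTD:", masked_incidents(INCIDENTS))
```

On this sample the alert-anchored figure is roughly 27 hours while the recognition-anchored figure is 42.5 hours; INC-3 alone carries 12 fragmented alerts and nearly 43 hours of manual stitching that the first number never shows.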

Practical examples

Fast alerts, slow understanding

A SOC receives alerts within minutes of malicious activity, but analysts need hours to determine whether they represent a real incident. Reported MTTD is low, but the real risk remains high.

Late-stage detection

An attacker performs reconnaissance and lateral movement undetected. Detection only occurs during data exfiltration. MTTD reflects the final stage, not the true dwell time.

Metric gaming

Detections are reclassified to mark the first alert as the incident start, even when the incident is recognized much later. MTTD improves on dashboards without operational change.

Automation masking delays

A SOAR platform automatically tags alerts as incidents. Mean Time to Detect drops sharply, but human response and containment remain slow.

Why it matters

MTTD matters because it influences:

  • Attacker dwell time
  • Scope and impact of incidents
  • Confidence in SOC effectiveness
  • Executive and board-level reporting

However, optimizing MTTD in isolation is dangerous. A low MTTD achieved through noisy detections or shallow analysis increases operational risk rather than reducing it.

The only meaningful MTTD improvement is one that comes from better signal quality and faster human understanding.

How BlueGrid.io uses it

At BlueGrid.io, MTTD is treated as a derived indicator, not a primary target.

Our approach includes:

  • Anchoring MTTD to confirmed incident recognition, not first alert
  • Correlating MTTD with false discovery rate and alert volume
  • Using threat hunting results to identify early-stage detection gaps
  • Avoiding automation that artificially improves metrics without improving outcomes
  • Explaining MTTD limitations clearly to stakeholders

We focus on reducing attacker dwell time in reality, even if that means MTTD numbers improve more slowly.
