What is MTTD & MTTR and How MTTD & MTTR Can Define Your S.O.C

Two questions always come up whether your organization has its own internal Security Operations Center (SOC), Internal Security Team (IST), or Managed SOC solution. How will they stand against a real-world attack? How long will it take for them to detect and or respond to the attack, breach, or alerts?

Article Quicklinks:


With Mean Time To Detect (MTTD) & Mean Time To Respond (MTTR), you can gauge how your security operations effectively respond to simulated or serious attacks against your infrastructure. With a simulated attack against your networks, such as a penetration test, vulnerability assessment, or purple teaming engagement, your team can face the most realistic adversary to exploit or simulate a possible ransom attack. 


By performing offensive security services, you’ll be able to gauge how long it took for your security operations to effectively respond or detect a threat residing within your environment and how your organization can drive down MTTD & MTTR times.


What You Should Know About MTTD & MTTR:

As we go on to discuss MTTD & MTTR in more detail, we want to highlight the top three most common misunderstandings:


  1. High MTTD & MTTR rates don’t necessarily mean that your security strategy is weak - it just means your security operations need to implement additional measures to help reduce possible downtime on your infrastructure environment if a real attack happens. 

  2. It’s completely understandable to panic during a simulation like a penetration test or purple teaming engagement when you realize that your meantime is above 4-5 hours to detect or respond; not everyone has the lowest MTTD & MTTR times at first!

  3. It’s never a good idea to think of other organizations' MTTD and MTTR as a standard to measure your own company. Each organization has its own complexities and can have seeded malware living in their environments for weeks, months, or years before they ever detect and respond.

Why Are MTTD & MTTR Important?

You might be thinking, Why would I care about how long it takes for my team to detect or respond? 


We’ve heard it before; as the saying goes, it’s not a matter of if but when your organization is attacked. Yes. Your organization may have had outstanding success against previous simulations, but they're just that: simulations.


To help you calculate MTTD & MTTR, we’ve included below how your organization can begin calculating these times during your next penetration test, vulnerability assessment, or purple teaming engagement.


MTTR and MTTD Calculation


To create awareness around the everyday attacks that happen in the cybersecurity community, MTTD & MTTR help you gauge and control these times more nimbly. With adversaries developing their tool kit of hacking capabilities as we speak, MTTD & MTTR can assist you in creating these plans for the day when your organization is attacked.


Our tips for lowering MTTD & MTTR:

To help decrease your MTTD and MTTR times, here are our top tips:

  1. The first step would be to have a robust incident response plan. With an incident response plan (IRP), your organization has the CISO-graded plan in place for any real-world incident against your organization and knows how to effectively detect and respond as one unit.

  2. Leverage automation and detection tools like Rapid7 & LogRhythm, which can inform your organization about events within your infrastructure. Many organizations leverage security orchestration tools and machine learning to qualify, alert, and attend to possible security threats.

  3. Ensure your security staff is cross-trained amongst different functions within your security operations. This will benefit your organization in case of unexpected downtime, platform readiness, and overall understanding of your security posture from a comprehensive perspective.

  4. Perform routine offensive security tests against your network to ensure your organization is battle-ready and as strong as can be to face the ever-evolving cyber threat landscape. We recommend testing at least once per year or as often as every 3 months.

  5. Properly training and educating everyone in your organization with the relevant knowledge to avoid adversary attacks, like phishing attacks or credential stuffing, is key to avoiding potential breaches of company information.


Relevant Content: What is the Difference Between XDR, MTTR & MTTD

Speak With Our Experts

Whether your organization needs to speak with our security experts or conduct offensive security services to test their organization's posture and gauge MTTD & MTTR rates, our team is here for you.


Contact us today to speak with our experts, and subscribe to our blog to learn more about our up-and-coming new security services!