During a monthly KPI review, the security operations center notices that an attacker gained initial access at 02:15, but the first security alert was not raised until 04:42. The SOC manager wants to reduce this 2-hour, 27-minute gap. Which KPI should the team monitor and improve?
The gap between when an incident begins and when it is first recognized is measured by Mean Time to Detect (MTTD). Lowering MTTD indicates faster detection, which shortens attacker dwell time and enables earlier containment. Mean Time to Respond and Mean Time to Remediate begin only after detection occurs, while Alert Volume is a raw count of alerts and not a time-based KPI.