What is MTTD (Mean Time to Detect)?
Mean Time to Detect is the average elapsed time between when a security incident begins and when the SOC first identifies it. Lower MTTD means threats are caught faster, reducing attacker dwell time and potential damage.
How MTTD (Mean Time to Detect) Works
MTTD starts when the initial compromise or malicious activity occurs and ends when the SOC generates an alert or an analyst identifies the activity. It encompasses the full detection pipeline: log ingestion latency, detection rule evaluation, alert enrichment, and initial triage.
Industry benchmarks vary dramatically: mature SOCs with well-tuned SIEM and XDR achieve MTTD under 10 minutes for known attack patterns, while the global median dwell time for advanced persistent threats can exceed 200 days. Reducing MTTD requires investment in detection engineering, log coverage, and analyst training.
MTTD is measured per incident or per alert type. Tracking it over time reveals whether detection capabilities are improving. Large MTTD increases after infrastructure changes signal coverage gaps.
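A worked example of the measurement described above, added here and not part of the original page: MTTD computed per incident and per alert type, and a before/after comparison around a hypothetical infrastructure change that flags the kind of jump the text says signals a coverage gap. The incident records, alert-type names and change timestamp are all constructed for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample incidents (hypothetical): (alert_type, compromise_start, first_detected)
# in ISO 8601. The last malware case falls after a hypothetical log-pipeline change.
INCIDENTS = [
    ("credential_stuffing", "2024-03-01T08:00:00", "2024-03-01T08:06:00"),
    ("credential_stuffing", "2024-03-02T14:30:00", "2024-03-02T14:42:00"),
    ("malware_execution",   "2024-03-03T09:15:00", "2024-03-03T09:20:00"),
    ("lateral_movement",    "2024-03-04T11:00:00", "2024-03-06T11:00:00"),
    ("malware_execution",   "2024-03-12T22:00:00", "2024-03-13T01:00:00"),
]
CHANGE_TS = "2024-03-10T00:00:00"  # hypothetical infrastructure change

def ttd_seconds(incident):
    """Time to detect for one incident: first detection minus compromise start."""
    _, started, detected = incident
    return (datetime.fromisoformat(detected) - datetime.fromisoformat(started)).total_seconds()

def mttd_seconds(incidents):
    """Mean time to detect over a set of incidents; None when the set is empty."""
    if not incidents:
        return None
    return sum(ttd_seconds(i) for i in incidents) / len(incidents)

def mttd_by_alert_type(incidents):
    """MTTD per alert type, with the median alongside so one long-dwell case cannot hide in the mean."""
    groups = defaultdict(list)
    for inc in incidents:
        groups[inc[0]].append(inc)
    return {t: {"mttd_s": mttd_seconds(g),
                "median_s": median(ttd_seconds(i) for i in g),
                "n": len(g)} for t, g in groups.items()}

def mttd_regression(incidents, change_ts, alert_type, threshold=2.0):
    """Compare MTTD for one alert type before and after a change; flag growth beyond threshold x."""
    change = datetime.fromisoformat(change_ts)
    same = [i for i in incidents if i[0] == alert_type]
    before = [i for i in same if datetime.fromisoformat(i[1]) < change]
    after = [i for i in same if datetime.fromisoformat(i[1]) >= change]
    b, a = mttd_seconds(before), mttd_seconds(after)
    if b is None or a is None or b == 0:
        return None  # not enough incidents on one side of the change to compare
    return {"before_s": b, "after_s": a, "ratio": a / b, "coverage_gap_suspected": a / b > threshold}

if __name__ == "__main__":
    print("overall MTTD (s):", mttd_seconds(INCIDENTS))
    for t, stats in mttd_by_alert_type(INCIDENTS).items():
        print(t, stats)
    print(mttd_regression(INCIDENTS, CHANGE_TS, "malware_execution"))
```

The per-type view matters because the overall mean here is dominated by the two-day lateral-movement case, while the malware detection that went from five minutes to three hours after the change is only visible when the comparison is scoped to that alert type.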
MTTD (Mean Time to Detect) in SOC Operations
MTTD is a core SOC performance metric displayed on every analyst dashboard. It directly measures how quickly the team spots threats. During shifts, your MTTD reflects how rapidly you recognize and begin investigating alerts. Improving MTTD is one of the primary goals of detection engineering programs.
Practice MTTD (Mean Time to Detect) in a Real SOC
SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating MTTD (Mean Time to Detect) scenarios with zero consequences — free forever.
Related Terms
Mean Time to Respond is the average elapsed time between detecting a security incident and completin...
Security Information and Event Management (SIEM) is a platform that aggregates, normalizes, and corr...
Extended Detection and Response (XDR) is a security platform that unifies telemetry from endpoints, ...
Alert triage is the structured process of reviewing, prioritizing, and investigating security alerts...