MTTD: Mean Time to Detect
MTTR: Mean Time to Respond
Written by: Ron Temske, Vice President of Strategy, and Scott Hammond, Senior Security Engineer
In our Acronym Series, Nexum’s expert engineers define the industry’s most popular topics.
Acronyms: MTTD – Mean Time to Detect, and MTTR – Mean Time to Respond
MTTD is the average amount of time an issue exists in a particular environment before it is detected.
MTTR is the average amount of time it takes to respond to an issue once it is detected.
The sum of MTTD and MTTR is the total time from when the issue occurs to when responsive action begins.
MTTD is critical in security. Many security attacks are designed to evade detection so that the threat can persist for longer and do more damage, exfiltrate more data, etc.
A related acronym is advanced persistent threat (APT). As the name implies, the threat is persistent. These attacks are designed to evade many detection mechanisms and persist in the environment. You cannot respond until a threat is detected. Therefore, lowering MTTD is critical to improving the overall security of an environment.
Although you’ll find the term MTTD outside of the security industry, it has elevated importance in security since many attacks aim to avoid detection (whereas a disk drive failure, network outage, etc., are usually rapidly detected because there are no evasion techniques).
MTTR follows after MTTD. Once an issue is detected, MTTR measures how long it takes to respond to the issue. Note that MTTR is the time to respond, not the time to resolve the issue. Sometimes MTTR will be defined as “Mean Time to Resolve” or “Mean Time to Repair,” but those are less common.
While not always the case, MTTD is commonly determined by tools (whether you have the right security tools and policies to detect threats in your environment). In contrast, MTTR is determined by human intervention (how quickly an investigation can begin after a threat is detected). With increasing AI and automation, MTTR is also undoubtedly becoming more tools-driven.
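The definitions above, worked through as an added example (not code from Nexum): a Python sketch that computes MTTD and MTTR from incident records, and reports mean time to resolve separately to show how it differs from time to respond. The record fields, incident IDs and timestamps are constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# Constructed sample records (not real data). Field names are assumptions:
# "occurred" is the estimated start of the issue, "responded" is when
# responsive action began, None means that stage has not happened yet.
INCIDENTS = [
    {"id": "INC-1", "occurred": "2024-03-01T02:00", "detected": "2024-03-01T08:00",
     "responded": "2024-03-01T08:30", "resolved": "2024-03-02T08:00"},
    {"id": "INC-2", "occurred": "2024-03-05T10:00", "detected": "2024-03-07T10:00",
     "responded": "2024-03-07T11:00", "resolved": "2024-03-07T14:00"},
    {"id": "INC-3", "occurred": "2024-03-10T00:00", "detected": "2024-03-10T04:00",
     "responded": None, "resolved": None},
]


def hours_between(start, end):
    """Elapsed hours between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"{end} is earlier than {start}")
    return delta.total_seconds() / 3600


def mean_hours(incidents, start_key, end_key):
    """Return (mean hours, sample size) over incidents that have both timestamps."""
    spans = [hours_between(i[start_key], i[end_key])
             for i in incidents if i.get(start_key) and i.get(end_key)]
    return (mean(spans), len(spans)) if spans else (None, 0)


def metrics(incidents):
    mttd, n_detected = mean_hours(incidents, "occurred", "detected")
    mttr, n_responded = mean_hours(incidents, "detected", "responded")
    resolve, _ = mean_hours(incidents, "detected", "resolved")
    # Occurrence-to-response, measured directly. It equals MTTD + MTTR only
    # when both means are taken over the same set of incidents.
    total, _ = mean_hours(incidents, "occurred", "responded")
    return {"mttd_h": mttd, "mttr_h": mttr, "mean_time_to_resolve_h": resolve,
            "occurrence_to_response_h": total,
            "awaiting_response": n_detected - n_responded}


if __name__ == "__main__":
    for name, value in metrics(INCIDENTS).items():
        print(f"{name}: {value}")
```

Because INC-3 has been detected but not yet responded to, it counts toward MTTD and not MTTR, so the two means only add up to the measured occurrence-to-response time once they are computed over the same incidents.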