Posts

Generative AI Governance: Using the NIST Framework to Build Trust, Reduce Risk, and Lead Secure AI Adoption

Recent posts

Why Mean Time to Detect (MTTD) Is a Foundational Cybersecurity Metric

In any mature security program, metrics drive decisions. You invest in controls, monitor alerts, and invest in tooling — but if you cannot quickly detect threats, the rest of your defenses may never get the chance to act. That’s where Mean Time to Detect (MTTD) becomes indispensable. Where Mean Time to Respond (MTTR) quantifies how swiftly you recover after an incident is detected — as discussed in depth in our MTTR post — MTTD measures how long it takes for your team or systems to first become aware of a security incident. Without detection, containment and response are impossible.

What Is Mean Time to Detect (MTTD)?

Mean Time to Detect (MTTD) is the average time between when a security incident begins and when your security team or monitoring systems become aware of it. In cybersecurity, this is often measured from the moment an attacker initiates activity — such as lateral movement, unauthorized access, or anomalous behavior — to when an alert or investigation identifi...

Why Mean Time to Contain (MTTC) Matters as a Core Cybersecurity Metric

When discussing cybersecurity performance and resilience, most organizations first think about prevention: firewalls, patching cadence, penetration testing, vulnerability counts, and control coverage. These are necessary defenses, but like all defenses, they will eventually be tested. As discussed in the previous post on Mean Time to Respond (MTTR), how quickly an organization recovers after an incident is a critical indicator of security maturity. But there is a metric that sits squarely between detection and recovery that often gets overlooked, despite having a direct impact on risk and business impact: Mean Time to Contain (MTTC).

What Is Mean Time to Contain (MTTC)?

Mean Time to Contain (MTTC) measures the average amount of time it takes to stop an active security incident after it has been detected. Containment is not remediation. It is the act of preventing further damage while the incident is still in progress. Typical containment activities include: Isolating affected en...