Mean Time to Detect (MTTD) Calculator
Calculate mean time to detect by dividing total detection time by incident count and compare performance to a target benchmark.
MTTD is sensitive to incident definitions and logging completeness; document your detection boundary before reporting results.
Examples
- Total detection time 320 hours, 40 incidents, target 2 hours ⇒ Mean time to detect (MTTD): 8.00 hours per incident (480 minutes). Target: 2.00 hours. Gap: +6.00 hours vs target.
- Total detection time 45 hours, 30 incidents, target 1.5 hours ⇒ Mean time to detect (MTTD): 1.50 hours per incident (90 minutes). Target: 1.50 hours. Gap: +0.00 hours vs target.
FAQ
What counts toward total detection time?
Use the elapsed time from incident start (or first malicious activity) to when your team detects or classifies it. Apply the same definition across every incident.
Should I include false positives?
No. MTTD should focus on confirmed incidents. Track false positives separately as alert quality metrics.
How often should MTTD be recalculated?
Most teams recalculate monthly or quarterly so the metric aligns with operational and board reporting cycles.
Additional Information
- All incidents must share the same detection clock definition (for example, from compromise to alert creation).
- Units are hours; the output also provides minutes for operational dashboards.
- If the target field is blank, the calculator assumes a 2-hour benchmark and reports the variance.
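Added example, not the calculator's own code: the same calculation driven from per-incident timestamps, which also drops false positives and falls back to the 2-hour benchmark when no target is given. The record field names (start, detected, confirmed) and the sample incidents are assumptions constructed for illustration.

```python
from datetime import datetime

DEFAULT_TARGET_HOURS = 2.0  # benchmark assumed when the target is left blank

# Constructed sample records, not real incident data. Field names are assumptions.
INCIDENTS = [
    {"id": "INC-1", "start": "2024-03-01T08:00", "detected": "2024-03-01T09:30", "confirmed": True},
    {"id": "INC-2", "start": "2024-03-04T22:00", "detected": "2024-03-05T04:00", "confirmed": True},
    {"id": "INC-3", "start": "2024-03-07T10:00", "detected": "2024-03-07T10:15", "confirmed": False},
    {"id": "INC-4", "start": "2024-03-10T13:15", "detected": "2024-03-10T17:45", "confirmed": True},
]

def detection_hours(record):
    """Elapsed hours on one detection clock: incident start to detection."""
    start = datetime.fromisoformat(record["start"])
    detected = datetime.fromisoformat(record["detected"])
    if detected < start:
        # Usually a timezone or data-entry error; fail rather than skew the mean.
        raise ValueError(f"{record['id']}: detected before start")
    return (detected - start).total_seconds() / 3600

def mttd_report(incidents, target_hours=None):
    """MTTD over confirmed incidents only; false positives are tracked elsewhere."""
    confirmed = [r for r in incidents if r["confirmed"]]
    if not confirmed:
        raise ValueError("no confirmed incidents; MTTD is undefined")
    target = DEFAULT_TARGET_HOURS if target_hours is None else float(target_hours)
    total = sum(detection_hours(r) for r in confirmed)
    mttd = total / len(confirmed)
    return {
        "incidents": len(confirmed),
        "total_hours": round(total, 2),
        "mttd_hours": round(mttd, 2),
        "mttd_minutes": round(mttd * 60),
        "target_hours": target,
        "gap_hours": round(mttd - target, 2),
    }

def format_report(r):
    """Render the result in the same wording as the examples on this page."""
    return (f"Mean time to detect (MTTD): {r['mttd_hours']:.2f} hours per incident "
            f"({r['mttd_minutes']} minutes). Target: {r['target_hours']:.2f} hours. "
            f"Gap: {r['gap_hours']:+.2f} hours vs target.")

if __name__ == "__main__":
    print(format_report(mttd_report(INCIDENTS)))
```

Including INC-3 (the false positive) would pull the mean down to about 3.06 hours, which is why the confirmed filter is applied before averaging.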