How to Calculate Mean Time to Detect (MTTD)
Mean time to detect (MTTD) tells you how quickly a security team recognizes confirmed incidents after they begin. It is a core SOC reliability metric because it links telemetry coverage, alert quality, and triage discipline to real-world dwell time. A precise MTTD calculation makes it easier to align service-level objectives, budget detection tooling, and explain detection posture to executives.
This walkthrough explains the MTTD definition, variables, and formulas, then shows a rigorous calculation workflow. It also outlines validation checks, limitations, and related metrics such as AI safety incident response coverage, policy drift early warning, and the MDR alert coverage gap calculator.
Definition and scope
MTTD is the average elapsed time between the start of a confirmed security incident and the moment your team detects or classifies it. It is reported in hours or minutes per incident. The metric is not about alert counts; it is about the time it takes to recognize a real event after it begins. Because of that, the definition of “incident start” and “detection” must be consistent across your dataset.
Most advanced teams use the earliest observable malicious activity as the start timestamp and the time an analyst opens a verified incident record as the detection timestamp. If your program uses automated incident classification, document exactly when the automation escalates the case, because that becomes your detection time boundary.
Variables, symbols, and units
Capture every incident in the same reporting window and use a single time unit, typically hours. Keep timestamps in UTC or another consistent timezone so you do not inject time-zone bias.
- Htotal – Total detection time for all incidents (hours).
- N – Number of confirmed incidents in the period (count).
- MTTD – Mean time to detect per incident (hours per incident).
- MTTDtarget – Optional detection target for benchmarking (hours).
Core formula
The metric is a straight average of detection time across incidents.
MTTD = Htotal ÷ N
Detection variance = MTTD − MTTDtarget
If your result is 6.4 hours, it means the average incident was detected 6.4 hours after it began. Negative variance indicates you are faster than the target, while positive variance signals you are slower than your detection goal.
Step-by-step calculation workflow
1. Confirm the detection boundary
Decide what qualifies as incident start and detection. For example, “start” could be the first suspicious process spawn in EDR telemetry, and “detection” could be the moment a Tier 2 analyst opens a verified incident. Write the boundary down so the measurement is repeatable.
2. Assemble incident timestamps
Extract incident start and detection timestamps from your SIEM, SOAR, or case management system. Normalize into a single timezone and filter out false positives or test data. Each row should have a unique incident ID and a detection duration in hours.
3. Sum total detection time
Convert each incident’s detection duration into hours and sum the values. This produces Htotal, the total detection time across the reporting window. The sum should only include confirmed incidents, not benign alerts.
4. Divide by incident count
Count the number of incidents N and divide Htotal by N. Round MTTD to two decimal places for reporting. If you have a detection target, subtract it to quantify the variance.
Validation checks
Validate that every incident in your dataset has both timestamps. Missing detection times bias MTTD downward because they effectively drop long-running cases. Check the distribution of detection times and flag outliers that may be caused by mis-logged incident start times.
A quick reasonableness test is to compare your MTTD against dwell time assumptions from past investigations. If your MTTD drops by 70% in a single period without major tooling changes, re-check the data extraction or incident classification rules.
Limits and interpretation
MTTD is an average and can hide long-tail detection failures. Pair it with percentile statistics such as p90 detection time, and track volume-weighted categories (malware, credential abuse, cloud misconfiguration) to identify where detection lags. The metric also assumes incident start time is observable, which is not always true for stealthy attacks.
Use MTTD alongside other SOC metrics such as alert coverage, containment time, and incident resolution efficiency. The goal is to shorten detection time without over-triggering; reducing MTTD at the expense of excessive false positives can overwhelm analysts and degrade response quality.
Worked example
A security team reviews 24 confirmed incidents in a quarter. The detection durations sum to 192 hours, so Htotal = 192 hours and N = 24. MTTD = 192 ÷ 24 = 8.00 hours per incident. If the target is 6 hours, the variance is +2.00 hours, indicating the SOC is two hours slower than goal and should prioritize improved alerting or 24/7 triage coverage.
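The calculation below is an added example (not code from the original page) that carries the four workflow steps, the validation checks, the p90 long-tail check and the worked example through in Python. The Incident schema, the nearest-rank percentile and the sample incidents are assumptions made for this illustration; the sample rows are constructed, not real incidents.

```python
# Added example (not from the original page): an end-to-end MTTD calculation that
# follows the workflow above. The Incident schema, the sample incidents and the
# nearest-rank percentile choice are assumptions made for this illustration.
import math
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    incident_id: str
    category: str
    started_at: Optional[datetime]    # earliest observable malicious activity
    detected_at: Optional[datetime]   # moment a verified incident record is opened
    confirmed: bool = True            # False for false positives and test data


def detection_hours(inc: Incident) -> float:
    """Detection duration in hours, with both timestamps normalized to UTC."""
    start = inc.started_at.astimezone(timezone.utc)
    detect = inc.detected_at.astimezone(timezone.utc)
    return (detect - start).total_seconds() / 3600.0


def validate(incidents):
    """Keep confirmed incidents that have both timestamps; report the rest.

    Rows missing a detection time are excluded and listed rather than silently
    counted as zero, because counting them would bias MTTD downward."""
    usable, excluded = [], []
    for inc in incidents:
        if not inc.confirmed:
            continue                                   # benign alert / test data
        if inc.started_at is None or inc.detected_at is None:
            excluded.append(f"{inc.incident_id}: missing timestamp")
        elif inc.detected_at < inc.started_at:
            excluded.append(f"{inc.incident_id}: detection precedes start")
        else:
            usable.append(inc)
    return usable, excluded


def percentile(values, p):
    """Nearest-rank percentile (p in 0..100); used for the p90 long-tail check."""
    ordered = sorted(values)
    rank = max(1, math.ceil(p / 100 * len(ordered)))
    return ordered[rank - 1]


def mttd_from_totals(h_total, n, target_hours=None):
    """Core formula: MTTD = Htotal / N, plus variance against an optional target."""
    mttd = round(h_total / n, 2)
    variance = round(mttd - target_hours, 2) if target_hours is not None else None
    return mttd, variance


def compute_mttd(incidents, target_hours=None):
    """Steps 2-4 of the workflow plus the validation, p90 and per-category checks."""
    usable, excluded = validate(incidents)
    durations = [detection_hours(i) for i in usable]
    n = len(durations)
    h_total = sum(durations)
    mttd, variance = mttd_from_totals(h_total, n, target_hours) if n else (None, None)
    by_category = {}
    for inc, hours in zip(usable, durations):
        by_category.setdefault(inc.category, []).append(hours)
    return {
        "N": n,
        "Htotal": round(h_total, 2),
        "MTTD": mttd,
        "variance": variance,
        "p90": round(percentile(durations, 90), 2) if durations else None,
        "by_category": {c: round(mean(v), 2) for c, v in by_category.items()},
        "excluded": excluded,
    }


def suspicious_drop(previous_mttd, current_mttd, threshold=0.7):
    """Reasonableness test: flag a period-over-period MTTD drop of 70% or more."""
    if previous_mttd <= 0:
        return False
    return (previous_mttd - current_mttd) / previous_mttd >= threshold


# Constructed sample data (not real incidents). INC-003 is logged in UTC-5 to show
# timezone normalization; INC-006 lacks a detection time; INC-007 is a false positive.
UTC = timezone.utc
EST = timezone(timedelta(hours=-5))
SAMPLE_INCIDENTS = [
    Incident("INC-001", "malware", datetime(2024, 3, 1, 8, 0, tzinfo=UTC), datetime(2024, 3, 1, 12, 0, tzinfo=UTC)),
    Incident("INC-002", "malware", datetime(2024, 3, 2, 9, 30, tzinfo=UTC), datetime(2024, 3, 2, 11, 0, tzinfo=UTC)),
    Incident("INC-003", "credential abuse", datetime(2024, 3, 3, 22, 0, tzinfo=EST), datetime(2024, 3, 4, 9, 0, tzinfo=UTC)),
    Incident("INC-004", "credential abuse", datetime(2024, 3, 5, 0, 0, tzinfo=UTC), datetime(2024, 3, 6, 0, 0, tzinfo=UTC)),
    Incident("INC-005", "cloud misconfiguration", datetime(2024, 3, 7, 6, 0, tzinfo=UTC), datetime(2024, 3, 7, 8, 30, tzinfo=UTC)),
    Incident("INC-006", "malware", datetime(2024, 3, 8, 10, 0, tzinfo=UTC), None),
    Incident("INC-007", "malware", datetime(2024, 3, 9, 10, 0, tzinfo=UTC), datetime(2024, 3, 9, 10, 5, tzinfo=UTC), confirmed=False),
]

if __name__ == "__main__":
    print(compute_mttd(SAMPLE_INCIDENTS, target_hours=6.0))
    print(mttd_from_totals(192, 24, 6))   # the page's worked example: (8.0, 2.0)
```

On the constructed sample the five usable incidents sum to 38 hours, giving MTTD = 7.60 hours and a variance of +1.60 hours against a 6-hour target, while the p90 of 24 hours exposes the single long-tail case that the average hides; the row without a detection timestamp is reported in the excluded list instead of dragging the mean down. The same mttd_from_totals function reproduces the page's 192 ÷ 24 = 8.00 hours.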