5 Cybersecurity Incident Response Metrics To Keep an Eye On

29 October 2022 | by Xavier Bellekens

Incident Response Metrics

While implementing a cybersecurity incident response (IR) program, you need to ensure that your company can react swiftly to cyber threats. You can’t tell how effective your program and team are until you start collecting the right incident response metrics for your IR team.

We’ll examine five key metrics in this blog article that may be used to assess the overall efficiency of your cybersecurity incident response capabilities and that can help you fine tune your incident response program and your Security Operation Centre (SOC).

  1. Mean time to detect (MTTD)
  2. Mean time to inventory (MTTI)
  3. Mean time to respond (MTTR)
  4. Dwell time
  5. Cost of an incident

Additionally, you’ll learn how Lupovis Snare can be used to track or improve these KPIs as well as how our clients are using the platform to speed up alert triage and incident response investigations.

Mean Time to Detect (MTTD)


Mean time to detect, or MTTD, is a measure of how quickly an organization can detect a security breach. In other words, it is the average amount of time that passes between the moment a breach occurs and the moment it is discovered.

The shorter the MTTD, the better, as it means that breaches are being caught more quickly. There are a number of factors that can affect MTTD, including the size and complexity of an organization, the type of attacks being targeted, and the strength of its detection capabilities. Organizations with shorter MTTDs are typically better equipped to handle security breaches and minimize the damage they cause.

Read our full guide on MTTD here.

Lupovis Snare can help reduce the MTTD by deploying decoys within your infrastructure. Providing you better visibility of unknown unknowns and 100% alert fidelity coming through your SIEM.

Mean Time To Inventory (MTTI)


Mean Time to Inventory (MTTI) tracks the length of time it takes businesses to complete a full external asset inventory that identifies ownership to support value-based classification and protection.

For example, after a Common Vulnerabilities and Exposures (CVE) releases, MTTI becomes particularly important because there is an instant spike in attackers searching for the susceptible services.

Sadly, both of these cycles frequently start before the majority of businesses have finished their own initial inventory scans.

Having the ability to list all assets that must be updated in a record time is key for both SOC teams and Incident Response teams, given the faster you know which assets must be updated, the less chance you have to be vulnerable to a new CVE release.

Lupovis Snare can help identify and redirect new CVEs towards decoys assets, leaving your network untouched and safe.

Mean Time to Respond (MTTR)


Mean time to respond (MTTR) in cybersecurity is the average amount of time it takes to fix a problem once it’s been detected.

This can be contrasted with mean time to detect (MTTD), which is the average amount of time it takes to detect a problem in the first place.

MTTR is generally seen as a more important metric, as it directly impacts the amount of time that a system is down. Reducing MTTR is therefore a major goal for many organizations. There are a number of ways to do this, such as automated incident response, better training for staff, and investing in tools that make it easier to identify and fix problems.

By reducing MTTR, organizations can minimize the impact of incidents and get back up and running as quickly as possible.

Note, however, that when measuring MTTR, the incident has already happened, and it might already be too late for the organization. That being said, it’s a key incident response metrics.

How to calculate MTTR

The time taken to restore the system from the time the problem alert was received is added to the data on all incidents for a given time period to determine the MTTR.

The number of instances is then divided by the sum.

By identifying incidents early, or ahead of a cyberattack SOC teams and IR teams can tremendously reduce the MTTR and improve their incident response metrics . Lupovis allows SOC teams to analyze true positives alerts in a shorter period of time, hence increasing visibility and reducing MTTR. 

Dwell Time


Dwell time is the amount of time that passes between when a cyberattacker gains initial access to a system and when their presence is detected.

An average dwell ranges between 110 days to 314 days

A long time for adversaries to roam in your network. This gives attackers plenty of time to steal data or plant malware that can wreak havoc on a system

The goal of attackers is to increase their dwell time so they can do as much damage as possible before being caught.

Hence, dwell time is often used as a measure of an organization’s cybersecurity effectiveness. The longer the dwell time, the more likely it is that an attacker will be able to cause serious damage. As a result, organizations should strive to minimize their dwell time by implementing security controls and monitoring their networks closely.

Lupovis Snare, deploys deceptive assets to reduce dwell time by making it more difficult for hackers to move around undetected. By using fake data and decoy systems, organizations can make it harder for hackers to find the information they are looking for.

Cost of an incident


Cyber incidents can have a significant impact on an organization, causing financial losses, reputational damage, and operational disruption.

Measuring the cost of these incidents is essential for understanding the true extent of the damage and determining where to allocate resources for prevention and mitigation. Without accurate cost data, organizations may be under- or over-investing in cybersecurity, putting themselves at unnecessary risk.

Cost data also provides valuable insights into the effectiveness of existing security controls and can help to prioritize future investments. In short, measuring the cost of cyber incidents is a critical part of managing cybersecurity risks.

Your company’s security posture will be significantly strengthened if you concentrate on enhancing cybersecurity incident response metrics. A successful attack will have less of an impact if it is detected and dealt with quickly.

Due to the lack of contextual information required to support the investigation and resolve issues, SOC analysts and IR teams frequently find that the time it takes to investigate an incident is too long. Cyber Deception and Lupovis can help provide contextual data by deploying decoys answering questions such as “who, what, why, where, how and when” as well as raising 100% true positive alerts. In turn improving the MTTD, MTTR, reducing Dwell Time and reducing the costs of incidents to a minimum.

To learn more about how to deploy Lupovis or to start your free trial, contact us directly.

29 October 2022 | by Xavier Bellekens

Speak to an Expert

Whether you have a specific security issue or are looking for more information on our Deception as a Service platform, simply request a call back with one of our security experts, at a time that suits you.