What is MTTD (Mean Time To Detect)? A Detailed Guide

28 October 2022 | by Xavier Bellekens

In the realm of cybersecurity, MTTD is a metric that helps analysts to measure how quickly they are able to detect a breach or malware infection. The faster the MTTD, the sooner an organization can take action to mitigate the damage. There are various ways to reduce MTTD, such as by investing in cyber deception tools that can provide a high fidelity alert as soon as possible.

By reducing MTTD, organizations can improve their overall security posture and better protect themselves against attacks. You want to bring your systems back online as soon as possible, since every second that a system is down results in further financial loss.

It makes it obvious that you would want to maintain your organization’s MTTD values as low as possible as a result, and that MTTD should be one of the main key performance indicators you use for incident response. After all, you want to discover incidents quickly and resolve them as soon as possible.

However, there are other factors that make maintaining a low value for MTTD desirable, and since the focus of this piece is MTTD, we’ll discuss them now.

In this article, you’ll get a more thorough explanation of what MTTD means inside a business and how it can be used for systems monitoring. You’ll become aware of the significance of MTTD as a main key performance indicator. We’ll also demonstrate how to compute MTTD in reality because it wouldn’t make much sense to write a whole blog post about a measure without explaining how to calculate it.

After learning about MTTD, you’ll also learn about related measures, and we’ll look at a few tools that will help you monitor these metrics more effectively, and it’s importance during software outage, hardware outage and cybersecurity incidents.

Definition of MTTD

MTTD stands for Mean Time To Detect.

MTDD is the average amount of time that it takes for someone to notice an issue or problem. For example, if a system crashes, the mean time to detect would be the amount of time that it takes for someone to notice that the system has crashed.

MTDD can be used for all sorts of issues, from software bugs to hardware failures and incident management. The goal is to minimize the mean time to detect so that problems can be resolved as quickly as possible.

In some cases, mean time to detect can be more important than mean time to repair because it can help to prevent further damage. For example, if a breached system is detected quickly, it may be possible to avoid losing any data.

However, if the system infected is not detected until after the data has been lost, stolen or exfiltrated, then there is nothing that can be done to prevent the damage. This is why mean time to detect is such an important metric.

MTTD is often measured through incident management processes and compared against a previous time period and other incident detection times, and can be used to gauge performance of a Security Operation Center or SOC Analysts.

Why Keeping your MTTD Down Matters?


It is always better to catch problems early on, before they have a chance to snowball into larger issues. This is especially true when it comes to organizations and businesses.

The sooner you learn about issues inside your organization, the sooner you can fix them. This can save a lot of time, money, and headaches down the road. Of course, catching problems early requires a good incident monitoring infrastructure within the organization.

Organizations adopting DevOps for several reasons must look at MTTD as an objective measure of the speed with which an organization can detect and respond to infrastructure problems. This is important because one of the key goals of DevOps is to establish strategies, processes, and tools for balancing requirements across the software development life cycle, from coding and deployment to maintenance and upgrades.

Hence, MTTD KPI can indicate the fitness of the incident management processes available within the organization. It will also allow organization to track their progress and identify areas needing further improvement.

An organization shouldn’t have any trouble identifying problems fast if it has a great incident management plan and appropriate management tools in place, including strong monitoring and observability capabilities.

To put it another way, a low MTTD indicates strong incident management capabilities. The inverse can also be true: Incidents that aren’t detected fast reflect poorly on the monitoring strategies of a company.

How is MTTD Calculated?

The mean time to discover is a statistical measure used to calculate the average time it takes for a problem to be discovered. This metric is often used in conjunction with the Mean Time To Repair (MTTR) to get a complete picture of an issue’s lifespan.

To calculate MTTD, simply take the total number of hours an issue was present and divide by the number of times it was discovered. For example, if an issue was discovered three times over the course of six hours, the MTTD would be hours days.

MTTD = total time between failure & detection / # of failures

Here is another concrete example. If an incident started at 1 PM and was discovered at 1:55 PM.

Start by measuring how much time passed between when an incident began and when someone discovered it. In this case, it’s obvious it took 55 minutes for it to be discovered.

After that, you should compute the average detection time using records of the detection times from multiple instances.

Start timeDetection TimeElapsed Time (minutes)
1.001.5555
2.002.5151

The start and detection times for two occurrences are shown in the table above, along with the elapsed time, which is shown in minutes.

Simply sum up all the detection times, divide by the total number of occurrences, and you’ll get the MTTD for the incidences mentioned above.

(55+51) / 2

The result in this case is an overall MTTD of 53 minutes. As explained earlier, MTTD provides data driven insights on problem detection. This valuable metric can help improve DevOps teams response times, as well as improve processes to obtain shorter MTTD.

While MTTD can be a useful metric, it’s important to keep in mind that it only measures discovery time and doesn’t take into account the time it takes to actually fix the problem. As such, MTTD should be used in conjunction with other metrics to get a complete picture of an issue’s impact.

The Sooner You Learn About It, The Faster You Can Fix It


This statistic has yet another crucial application. It can act as, in a sense, a thermometer to gauge the condition of an organization’s incident response capability.

Consider this: if your company has a fantastic strategy for identifying outages and system problems, you can probably react to incidents fast and fix them.

The inverse is also true: if concerns are discovered too slowly, your organization may need to strengthen its incident management procedures. Don’t give up if this describes your organization!

Knowing where you can improve will give you an advantage. Equipping yourself with tools that can enhance your incident management response is the next stage. And as always, we have your back.

For example, a cyber deception solution that offers real-time detection can be an invaluable addition to your monitoring system. Consider Lupovis, a comprehensive platform that will give you proactive threat detection capabilities. If your organization struggles with incident detection and mean time to detect, Lupovis can help you get on track.

Give Lupovis a try today.

Thanks for reading!

28 October 2022 | by Xavier Bellekens

Speak to an Expert

Whether you have a specific security issue or are looking for more information on our Deception as a Service platform, simply request a call back with one of our security experts, at a time that suits you.