Mean-Time-To-Detect tracked + trending
Demonstrate that the organization systematically measures, tracks, and analyzes Mean-Time-To-Detect for security incidents with documented trending to support continuous improvement of detection capabilities.
Description
What this control does
Mean-Time-To-Detect (MTTD) is a key performance indicator measuring the average elapsed time between the onset of a security incident or anomalous activity and its detection by security monitoring systems or personnel. The onset timestamp is rarely the alert time; it is usually fixed after the fact by forensic reconstruction of the attacker's first confirmed activity, so MTTD for an incident can only be finalized once the investigation has established that timestamp. Organizations systematically track MTTD across incidents, categorize by attack type or asset class, and analyze trends over time to assess detection capability maturity. Because a single long-dwell incident can dominate an arithmetic mean, mature programs report the median and maximum alongside it. Effective MTTD tracking enables continuous improvement of detection rules, sensor coverage, and analyst response workflows. A declining MTTD indicates an improving security posture only when the incident population and detection coverage are comparable between periods; adding a new log source or sensor often surfaces previously invisible long-dwell incidents and can raise MTTD temporarily even though detection has improved, which is why trend analysis must be read together with changes in coverage.
Control objective
What auditing this proves
Demonstrate that the organization systematically measures, tracks, and analyzes Mean-Time-To-Detect for security incidents with documented trending to support continuous improvement of detection capabilities.
Associated risks
Risks this control addresses
- Prolonged dwell time enabling attackers to exfiltrate sensitive data, establish persistence mechanisms, or pivot laterally without detection
- Inability to assess effectiveness of detection controls and security monitoring investments due to lack of baseline metrics
- Regulatory penalties resulting from delayed breach notification caused by unknown or unmeasured detection latency
- Continued investment in ineffective detection tools or signatures because no empirical performance data exists to show they are underperforming or degrading
- Executive leadership operating with inaccurate risk posture assessments due to absence of quantitative detection capability data
- Failure to identify gaps in log collection, sensor deployment, or alert tuning that contribute to detection blind spots
- Erosion of security program maturity as detection capabilities degrade unnoticed over time without trend analysis
Testing procedure
How an auditor verifies this control
- Request the organization's MTTD calculation methodology documentation including scope definition, time measurement start/stop criteria, and incident categorization taxonomy.
- Obtain MTTD tracking reports or dashboards covering the most recent 12-month period showing raw measurements, aggregated averages, and trend visualizations.
- Select a representative sample of 10-15 closed security incidents from the past six months spanning different severity levels and attack vectors.
- For each sampled incident, review case records to extract the documented timestamp of initial compromise or onset of malicious activity (normally taken from the forensic timeline rather than the alert) and the timestamp of the first detection alert or analyst observation. Note any incident for which onset could not be established and confirm that the methodology states how such incidents are excluded or estimated.
- Recalculate MTTD for the sample using documented methodology and compare against reported metrics to validate calculation accuracy.
- Interview security operations leadership to understand how MTTD trends inform detection engineering priorities, tool evaluations, and staffing decisions.
- Review evidence of corrective actions taken in response to MTTD trend degradation, such as detection rule tuning, log source additions, or sensor redeployment.
- Verify that MTTD metrics are segmented by meaningful categories such as attack type, affected asset tier, or detection source to enable targeted improvement efforts.
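The recalculation and segmentation steps above can be reproduced directly from case records. The following is an added example, not part of the control text or any organization's methodology; it assumes hypothetical case records carrying UTC ISO-8601 "onset" and "detected" timestamps and a category label, and it treats records with no confirmed onset, or with detection recorded before onset, as exclusions that are counted rather than silently dropped:

```python
"""Recalculate Mean-Time-To-Detect (MTTD) from incident case records.

Added example, not part of the control text. It assumes each case record
carries UTC ISO-8601 timestamps for "onset" (earliest confirmed malicious
activity, usually established by forensics after the fact) and "detected"
(first alert or analyst observation), plus a category label. Records without
a confirmed onset, or whose detection precedes onset (clock skew or
data-entry error), are excluded and counted so the exclusion rate is visible.
"""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timezone
from statistics import mean, median

# Constructed sample records (hypothetical incidents, not real data).
SAMPLE_INCIDENTS = [
    {"id": "INC-001", "category": "phishing", "onset": "2024-01-03T08:00:00Z", "detected": "2024-01-03T09:30:00Z"},
    {"id": "INC-002", "category": "malware", "onset": "2024-01-15T00:00:00Z", "detected": "2024-01-17T12:00:00Z"},
    {"id": "INC-003", "category": "phishing", "onset": "2024-02-10T10:00:00Z", "detected": "2024-02-10T12:00:00Z"},
    {"id": "INC-004", "category": "malware", "onset": "2024-02-20T06:00:00Z", "detected": "2024-02-20T18:00:00Z"},
    {"id": "INC-005", "category": "malware", "onset": "2024-02-25T12:00:00Z", "detected": "2024-02-25T11:00:00Z"},
    {"id": "INC-006", "category": "credential_misuse", "onset": "2024-03-01T00:00:00Z", "detected": "2024-03-05T00:00:00Z"},
    {"id": "INC-007", "category": "credential_misuse", "onset": None, "detected": "2024-03-12T10:00:00Z"},
    {"id": "INC-008", "category": "phishing", "onset": "2024-03-20T14:00:00Z", "detected": "2024-03-20T14:45:00Z"},
]


def parse_ts(value: str) -> datetime:
    """Parse an ISO-8601 timestamp; naive values are assumed to be UTC."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    return ts if ts.tzinfo else ts.replace(tzinfo=timezone.utc)


def exclusion_reason(rec: dict) -> str | None:
    """Return why a record cannot contribute to MTTD, or None if it can."""
    if not rec.get("onset"):
        return "missing_onset"
    if parse_ts(rec["detected"]) < parse_ts(rec["onset"]):
        return "detected_before_onset"
    return None


def detect_hours(rec: dict) -> float:
    """Elapsed hours from confirmed onset to first detection."""
    return (parse_ts(rec["detected"]) - parse_ts(rec["onset"])).total_seconds() / 3600.0


def summarize(hours: list[float]) -> dict:
    """Mean is what MTTD reports; median and max are kept because a single
    long-dwell incident drags the mean up and hides the typical case."""
    if not hours:
        return {"count": 0, "mean_h": None, "median_h": None, "max_h": None}
    return {"count": len(hours), "mean_h": mean(hours), "median_h": median(hours), "max_h": max(hours)}


def mttd_report(records: list[dict]) -> dict:
    """Overall, per-category and per-detection-month MTTD with exclusion counts."""
    all_hours: list[float] = []
    by_category: dict[str, list[float]] = defaultdict(list)
    by_month: dict[str, list[float]] = defaultdict(list)
    excluded: dict[str, int] = defaultdict(int)
    for rec in records:
        reason = exclusion_reason(rec)
        if reason:
            excluded[reason] += 1
            continue
        h = detect_hours(rec)
        all_hours.append(h)
        by_category[rec["category"]].append(h)
        # Trend bucket is the month of detection, the point the metric becomes known.
        by_month[parse_ts(rec["detected"]).strftime("%Y-%m")].append(h)
    return {
        "overall": summarize(all_hours),
        "excluded": dict(excluded),
        "by_category": {k: summarize(v) for k, v in by_category.items()},
        "by_month": {k: summarize(v) for k, v in sorted(by_month.items())},
    }


def reported_matches(records: list[dict], reported_mean_h: float, tolerance_pct: float = 5.0) -> bool:
    """Auditor's check: does the organization's reported MTTD agree with a
    recalculation from the underlying case records, within a tolerance?"""
    recalculated = mttd_report(records)["overall"]["mean_h"]
    if recalculated is None:
        return False
    return abs(recalculated - reported_mean_h) <= reported_mean_h * tolerance_pct / 100.0


if __name__ == "__main__":
    report = mttd_report(SAMPLE_INCIDENTS)
    print(f"overall: {report['overall']}  excluded: {report['excluded']}")
    for month, stats in report["by_month"].items():
        print(f"{month}: mean {stats['mean_h']:.1f} h, median {stats['median_h']:.1f} h (n={stats['count']})")
    print("reported 28.7 h consistent:", reported_matches(SAMPLE_INCIDENTS, 28.7))
```

On the constructed data the overall mean is about 28.7 hours while the median is 7.0 hours; the gap is produced by one 96-hour credential-misuse incident, which is exactly the kind of outlier a mean-only dashboard hides and a per-category cut exposes. The two exclusions (one record with no established onset, one with detection recorded before onset) are reported rather than dropped so the auditor can see how much of the sample the methodology actually covers.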
Where this control is tested