Incident Glossary: What Every Term Actually Means
Security incident, data breach, P1, MTTD, MTTR, dwell time: these terms are used interchangeably across the industry, creating confusion and inconsistent measurement. This glossary defines each term precisely, distinguishes commonly confused pairs, and links to the pages where cost data for each concept is documented.
Key Distinctions
| Pair | Relationship |
|---|---|
| Event vs Incident | An event is any observable occurrence. An incident is an event that poses a threat. All incidents are events; not all events are incidents. |
| Incident vs Breach | A breach is a confirmed data disclosure. An incident includes threats, attacks, and failures that may not involve data disclosure. All breaches are incidents; not all incidents are breaches. |
| Security incident vs Service outage | A security incident involves a threat actor or policy violation. A service outage is an availability failure. The two can overlap (ransomware causes both) but are distinct categories. |
| MTTD vs dwell time | Equivalent. MTTD is the metric; dwell time is the informal description. Both measure time from attacker access to detection. |
| MTTR vs MTTC | MTTR's endpoint varies by definition (initial response, remediation, or recovery); MTTC (containment) is more specific. IBM's breach lifecycle separates detection (MTTD: 194 days) and containment (MTTC: 64 days) explicitly. |
| RTO vs RPO | RTO is time to restore service. RPO is the acceptable data loss window. Both are recovery objectives; RTO covers availability, RPO covers data recency. |
Full Term Definitions
ALE (Annual Loss Expectancy): A risk quantification formula: ALE = Single Loss Expectancy (SLE) × Annual Rate of Occurrence (ARO). Used in FAIR and traditional risk frameworks to estimate expected annual financial loss from a risk. See /how-to-calculate for practical application.
Blast radius: The scope of an incident's impact, i.e. how many systems, users, customers, or business functions are affected. A supply chain compromise affecting thousands of customers has a large blast radius. Containing blast radius is a key goal of segmentation and zero trust architecture.
Breach (data breach): A confirmed disclosure of sensitive data to an unauthorised party. A specific subset of security incidents. All breaches are incidents; not all incidents are breaches. Breach notification obligations (GDPR Art 33-34, HIPAA 45 CFR 164.400) are triggered by confirmed breaches, not by incidents generally.
Dwell time: The total time between an attacker's initial compromise and detection. Equivalent to MTTD. Mandiant M-Trends 2025 reports an 11-day global median. IBM data shows each day of dwell time costs approximately $24,000 in expected breach cost. Reducing dwell time is the primary mechanism by which AI security tools save money.
EDR (Endpoint Detection and Response): Security software deployed on individual endpoints (laptops, servers, workstations) that monitors for suspicious behaviour and enables investigation and response. EDR is the core tool for reducing breach dwell time and is a mandatory control for most cyber insurers.
Event: Any observable occurrence in a system or network. Not all events are incidents. A failed login attempt is an event; 10,000 failed login attempts from one IP in 5 minutes is likely an incident. Events are logged and filtered; only a subset escalate to incidents.
FAIR (Factor Analysis of Information Risk): A quantitative risk framework that structures risk as the probable frequency and magnitude of loss. FAIR enables organisations to calculate expected annual loss from specific threat scenarios in dollar terms, using ALE as the output metric. Used in enterprise risk quantification programmes.
Incident: An event that compromises, or threatens to compromise, the confidentiality, integrity, or availability of information or systems. Broader than a breach. Includes security incidents (cyberattacks, policy violations), availability incidents (outages), and operational incidents (data loss, system failure).
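The event-to-incident escalation described under Event, as an added example that is not part of the original glossary: a sliding-window counter over constructed auth-log lines that flags a source IP once its failed logins inside the window reach the threshold. The log format, field names and IP addresses are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Thresholds taken from the glossary's example: 10,000 failed logins from
# one source IP inside 5 minutes is likely an incident rather than mere events.
THRESHOLD = 10_000
WINDOW_MINUTES = 5


def parse_event(line):
    """Parse one constructed auth-log line: '<iso timestamp> <kind> <user> <ip>'."""
    ts, kind, user, ip = line.split()
    return datetime.fromisoformat(ts), kind, user, ip


def escalate(lines, threshold=THRESHOLD, window_minutes=WINDOW_MINUTES):
    """Count FAILED_LOGIN events per source IP inside a sliding time window.
    Returns one (ip, window_start, escalation_time) tuple per IP, recorded the
    first time that IP's in-window count reaches the threshold."""
    window = timedelta(minutes=window_minutes)
    recent = defaultdict(deque)  # ip -> timestamps still inside the window
    incidents, flagged = [], set()
    for ts, kind, _user, ip in sorted(parse_event(l) for l in lines):
        if kind != "FAILED_LOGIN":
            continue  # other events are logged but not counted here
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # expire timestamps older than the window
            q.popleft()
        if len(q) >= threshold and ip not in flagged:
            flagged.add(ip)
            incidents.append((ip, q[0], ts))
    return incidents


def constructed_log():
    """Synthetic log (constructed for this example): 10,000 failures from one IP
    over four minutes, plus six scattered failures from another IP over an hour."""
    base = datetime(2025, 1, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(milliseconds=24 * i)).isoformat()} FAILED_LOGIN admin 203.0.113.7"
             for i in range(10_000)]
    lines += [f"{(base + timedelta(minutes=10 * i)).isoformat()} FAILED_LOGIN alice 198.51.100.2"
              for i in range(6)]
    return lines


if __name__ == "__main__":
    for ip, start, when in escalate(constructed_log()):
        print(f"incident: {ip} reached threshold at {when} (window from {start})")
```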
Incident management: The programmatic function that manages incidents as a class: defining severity levels, escalation paths, on-call rotations, runbooks, and postmortem processes. Incident management is distinct from incident response (which is reactive to a specific incident). See /incident-management-cost for tooling costs.
Incident response: The process of handling a specific incident from detection through containment, eradication, and recovery. Distinct from incident management (the programme). Incident response services are provided by specialist IR firms; see /response-cost for pricing.
MDR (Managed Detection and Response): A managed security service providing 24/7 monitoring, detection, and incident response. MDR bundles what would otherwise be separate SOC staffing, SIEM/XDR tooling, and IR retainer costs into a subscription. Pricing ranges $100K-$500K/yr for mid-to-enterprise deployments. See securityoperationscost.com.
MTTA (Mean Time to Acknowledge): The average time between alert generation and acknowledgement by a human responder. A low MTTA indicates good on-call practice and tooling. PagerDuty typically reports MTTA in minutes; poor MTTA can be hours or days in under-resourced teams.
MTTC (Mean Time to Contain): The average time from detection to full containment of a threat. In IBM's breach lifecycle model, the global average MTTC is 64 days, meaning that even after detection, it takes over two months on average to fully evict an attacker from enterprise environments.
MTTD (Mean Time to Detect): The average time from attacker access (or failure onset) to detection. IBM 2025: 194-day global average for breaches. Mandiant: 11-day median dwell time. Each day of MTTD costs approximately $24,000 in expected breach cost per IBM data. See /mttd-mttr.
MTTR (Mean Time to Recover / Respond / Remediate): An ambiguous metric. In SRE/DevOps: Mean Time to Recover (service restoration). In security: Mean Time to Respond (initial response) or Mean Time to Remediate (full eradication). Context determines meaning. IBM's combined breach lifecycle (MTTD + MTTC) averages 258 days globally.
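The four time metrics above, computed from incident timelines as an added example that is not part of the original glossary. It treats detection as the moment an alert is generated (so MTTA sits after detection) and computes both readings of MTTR side by side; the timeline field names and the two sample incidents are assumptions constructed for this example, and the $24,000/day dwell-cost figure is the one the glossary quotes.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean

COST_PER_DWELL_DAY = 24_000  # USD per day of dwell time, the glossary's IBM-derived figure


@dataclass
class IncidentTimeline:
    """Timestamps for one incident (field names are assumptions for this example)."""
    compromised: datetime   # attacker's initial access, or failure onset
    detected: datetime      # alert generated by SIEM/EDR (detection)
    acknowledged: datetime  # human responder acknowledges the alert
    contained: datetime     # threat contained
    recovered: datetime     # service restored (SRE reading of MTTR)
    remediated: datetime    # full eradication (security reading of MTTR)


def _mean_hours(pairs):
    return mean((end - start).total_seconds() / 3600 for start, end in pairs)


def incident_metrics(incidents):
    """Mean time metrics in hours across the given incidents."""
    return {
        "MTTA": _mean_hours((i.detected, i.acknowledged) for i in incidents),
        "MTTD": _mean_hours((i.compromised, i.detected) for i in incidents),
        "MTTC": _mean_hours((i.detected, i.contained) for i in incidents),
        "MTTR_recover": _mean_hours((i.detected, i.recovered) for i in incidents),
        "MTTR_remediate": _mean_hours((i.detected, i.remediated) for i in incidents),
    }


def breach_lifecycle_days(metrics):
    """IBM-style breach lifecycle: MTTD + MTTC, in days."""
    return (metrics["MTTD"] + metrics["MTTC"]) / 24


def expected_dwell_cost(metrics, cost_per_day=COST_PER_DWELL_DAY):
    """Expected breach cost attributable to dwell time at the per-day rate."""
    return metrics["MTTD"] / 24 * cost_per_day


def sample_incidents():
    """Two constructed incidents: 10 and 12 days of dwell time respectively."""
    d = datetime
    return [
        IncidentTimeline(d(2025, 3, 1), d(2025, 3, 11), d(2025, 3, 11, 0, 30),
                         d(2025, 3, 13), d(2025, 3, 13, 12), d(2025, 3, 16)),
        IncidentTimeline(d(2025, 4, 1), d(2025, 4, 13), d(2025, 4, 13, 1, 30),
                         d(2025, 4, 14), d(2025, 4, 14, 6), d(2025, 4, 15)),
    ]
```

Running `incident_metrics(sample_incidents())` gives an MTTD of 264 hours (11 days, the Mandiant median) against an MTTR of 45 hours read as recovery but 84 hours read as remediation, which is the ambiguity the entry warns about.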
P1: Highest severity level. Definitions vary but typically mean: full service unavailability, all customers affected, or confirmed security breach in progress. Requires immediate all-hands response. PagerDuty data: average 25 P1 incidents/yr per organisation at $794K each. See /types/service-outage.
P2: High severity. Major customer impact or significant service degradation, but workarounds exist. Requires urgent response within 30-60 minutes. Typically generates pages to primary on-call but not broad all-hands escalation.
P3 / P4: Lower severity levels. P3: significant impact on a subset of users or non-customer-facing systems; normal business hours response. P4: minor impact, informational, scheduled fix during next maintenance window.
Playbook: A pre-documented, step-by-step procedure for responding to a specific type of incident. Playbooks reduce MTTA and MTTR by removing decision paralysis during high-stress incidents. Organisations with tested playbooks show 35% lower breach cost per IBM data.
Postmortem: The structured analysis conducted after an incident is resolved to understand root cause, contributing factors, detection failures, and remediation. Blameless postmortems focus on systemic improvement rather than individual fault. A key output is preventive action items.
Root cause: The underlying, fundamental reason an incident occurred, as distinct from the symptoms or proximate triggers. For example: the root cause of a phishing-initiated breach might be lack of MFA (not the phishing email itself). Root cause analysis guides preventive investment.
RPO (Recovery Point Objective): The maximum acceptable data loss measured in time. An RPO of 1 hour means the organisation can tolerate losing up to 1 hour of data. RPO drives backup frequency design. A gap between RPO and actual backup frequency creates a data loss cost risk.
RTO (Recovery Time Objective): The maximum acceptable time from incident to restoration. An RTO of 4 hours means service must be restored within 4 hours of an outage. RTO drives infrastructure design (hot standby, failover). Revenue loss for every hour of actual recovery time beyond RTO is calculable using hourly revenue.
Security incident: An incident involving a violation of security policy, a cyberattack, or a malicious action. Broader than a breach (which requires confirmed data disclosure). Security incidents include blocked intrusions, malware infections, DoS attacks, policy violations, and credential theft.
Service outage: An availability-impacting incident where a service becomes partially or fully unavailable to users. May be caused by cyberattack, infrastructure failure, software bug, or human error. See /types/service-outage for cost data.
SIEM (Security Information and Event Management): A platform that aggregates, correlates, and analyses security log data from across an organisation's environment. SIEM is the primary detection tool for security operations teams. AI-augmented SIEM is the mechanism IBM identifies as saving $1.9M per breach through faster detection.
SOAR (Security Orchestration, Automation and Response): A platform that automates repetitive security response tasks (ticket creation, enrichment, containment actions) to reduce analyst workload and response time. SOAR reduces MTTR by automating the first 30-60 minutes of incident response.
XDR (Extended Detection and Response): An evolution of EDR that correlates signals across endpoint, network, identity, and cloud to provide unified detection. XDR reduces false positive rates and provides broader coverage than point solutions. Mid-market XDR deployments typically cost $100K-$500K/yr.