Reference: Detection and Response Metrics · Updated April 2026
MTTD and MTTR: The Cost of Every Day You Don't Detect
| Figure | What it measures |
|---|---|
| $1.9M | AI saves per breach |
| 80 days | Lifecycle cut by AI |
| ~$24K | Cost per dwell day |
| 11 days | Median dwell (Mandiant) |
Definitions
| Metric | Definition | 2025 Benchmark |
|---|---|---|
| MTTD (Mean Time to Detect) | Time from attacker access to first detection | 194 days avg (IBM 2025); 11 days median (Mandiant) |
| MTTA (Mean Time to Acknowledge) | Time from alert to acknowledged incident | 4-8 hours for well-staffed SOCs; days for under-resourced teams |
| MTTC (Mean Time to Contain) | Time from detection to containment of the threat | 64 days avg (IBM 2025) |
| MTTR (Mean Time to Respond / Recover) | Ambiguous: used for both response and full recovery | 258 days combined detection + containment (IBM 2025) |
| Dwell time | Total time between compromise and detection (= MTTD) | Mandiant: 11-day median; nation-state: months to years |
| Breach lifecycle | Total time from initial attack to full containment | 258 days avg (IBM 2025); 178 days with AI tools |
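The definitions above can be computed directly from incident timestamps. The following is an added example, not part of the original page: it derives MTTD, MTTA, MTTC and breach lifecycle from a constructed set of incidents and reports both mean and median, showing how a single long-dwell intrusion separates the two. The record layout and the treatment of the first alert as "detection" are assumptions.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incidents (not real data). Each tuple is
# (compromise, first detection, analyst acknowledgement, containment).
INCIDENTS = [
    ("2025-01-01T00:00", "2025-01-04T00:00", "2025-01-04T02:00", "2025-01-08T00:00"),
    ("2025-02-01T00:00", "2025-02-06T00:00", "2025-02-06T04:00", "2025-02-13T00:00"),
    ("2025-03-01T00:00", "2025-03-12T00:00", "2025-03-12T06:00", "2025-03-22T00:00"),
    ("2025-04-01T00:00", "2025-04-21T00:00", "2025-04-21T08:00", "2025-05-05T00:00"),
    # One long-dwell intrusion: 400 days undetected, 90 days to contain.
    ("2024-01-01T00:00", "2025-02-04T00:00", "2025-02-05T06:00", "2025-05-05T00:00"),
]


def days_between(start, end):
    """Elapsed days between two ISO-8601 timestamps; rejects reversed pairs."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        raise ValueError(f"timestamps out of order: {start} is after {end}")
    return delta.total_seconds() / 86400


def response_metrics(incidents):
    """Mean and median of each metric, in days (MTTA in hours)."""
    samples = {"MTTD": [], "MTTA_hours": [], "MTTC": [], "lifecycle": []}
    for compromise, detected, acked, contained in incidents:
        samples["MTTD"].append(days_between(compromise, detected))
        samples["MTTA_hours"].append(days_between(detected, acked) * 24)
        samples["MTTC"].append(days_between(detected, contained))
        samples["lifecycle"].append(days_between(compromise, contained))
    return {
        name: {"mean": round(mean(vals), 1), "median": round(median(vals), 1)}
        for name, vals in samples.items()
    }


if __name__ == "__main__":
    for name, stats in response_metrics(INCIDENTS).items():
        print(f"{name:<11} mean={stats['mean']:>6}  median={stats['median']:>6}")
```

When reporting these metrics, publish the median alongside the mean and state which timestamp counts as "detection", since both choices move the number substantially.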
The $24K Per Day Calculation
Derivation from IBM 2025 Data
AI savings per breach: $1.9M
Breach lifecycle reduction with AI: 80 days
Cost per day of dwell time: $1.9M / 80 days = $23,750/day
Rounded: approximately $24,000 per day of undetected breach
This is a rough but useful planning figure. The actual relationship is not perfectly linear: costs accelerate as dwell time extends and attackers move laterally, exfiltrate more data, and establish more persistent access. The first 30 days of a breach typically cost less per day than days 60-200. But for budgeting and ROI calculations, $24K per day of dwell time reduction is a defensible IBM-derived figure.
Industry Benchmarks for MTTD / MTTR
| Benchmark | Value | Source |
|---|---|---|
| Global average breach MTTD | 194 days | IBM CODB 2025 |
| Global average breach MTTC (containment) | 64 days | IBM CODB 2025 |
| Full breach lifecycle (MTTD + MTTC) | 258 days | IBM CODB 2025 |
| With AI security automation | 178 days | IBM CODB 2025 |
| Median dwell time (all incidents) | 11 days | Mandiant M-Trends 2025 |
| Ransomware median dwell (before encryption) | 5 days | Mandiant M-Trends 2025 |
| Nation-state median dwell | 38+ days | Mandiant M-Trends 2025 |
| Pre-AI average breach lifecycle (2019) | 287 days | IBM historical |
Containment Time vs Annual Cost (Insider Threats)
Ponemon's insider threat data shows a steeper cost-time relationship for insider incidents than for external breaches:
| Containment Time | Annual Org Cost | Incremental Cost vs Under 31 Days |
|---|---|---|
| Under 31 days | $10.6M | Baseline |
| 31-90 days | $14.2M | +$3.6M (+34%) |
| 91+ days | $18.7M | +$8.1M (+76%) |
Source: Ponemon Institute Cost of Insider Risks Global Report 2025
What Reduces MTTD
| Control | Detection Impact | Typical Cost |
|---|---|---|
| AI/ML-augmented SIEM | -80 days lifecycle (IBM 2025) | $150K-$800K/yr enterprise |
| XDR (Extended Detection and Response) | Correlates endpoint + network + identity signals | $100K-$500K/yr |
| Threat intelligence feed | IOCs before they hit your environment | $20K-$200K/yr |
| 24/7 MDR service | Continuous monitoring without in-house SOC staff | $100K-$500K/yr |
| UEBA (User and Entity Behaviour Analytics) | Critical for insider threat MTTD reduction | $50K-$300K/yr |
| Deception technology (honeypots) | Near-instant detection when attackers touch deceptive assets | $20K-$150K/yr |
The ROI Case for MDR: A Simple Model
// MDR ROI calculation (simplified)
Expected breach cost without MDR: $4.44M
Expected breach cost with MDR (AI-assisted): $4.44M - $1.9M = $2.54M
Annual MDR cost: $200K-$500K
Expected annual saving net of MDR cost: $1.4M-$1.7M
// This ignores breach probability. Adjust for your org's risk profile.
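The model above and the per-day derivation earlier on the page can be combined and weighted by breach probability. This is an added example, not part of the original page: the dollar figures come from the page, while the annual breach probability and the function names are assumptions the reader supplies. It keeps the page's linear cost-per-day planning figure.

```python
# Figures taken from this page (IBM 2025-derived).
AI_SAVING_PER_BREACH = 1_900_000    # USD saved per breach with AI-assisted detection
LIFECYCLE_DAYS_CUT = 80             # days removed from the breach lifecycle
COST_PER_DWELL_DAY = AI_SAVING_PER_BREACH / LIFECYCLE_DAYS_CUT  # 23,750 USD/day
BASELINE_BREACH_COST = 4_440_000    # expected breach cost without MDR


def saving_if_breached(days_cut=LIFECYCLE_DAYS_CUT):
    """Linear planning estimate, capped so it never exceeds the breach cost."""
    if days_cut < 0:
        raise ValueError("days_cut must be non-negative")
    return min(days_cut * COST_PER_DWELL_DAY, BASELINE_BREACH_COST)


def expected_net_benefit(annual_breach_prob, mdr_annual_cost,
                         days_cut=LIFECYCLE_DAYS_CUT):
    """Probability-weighted saving minus MDR spend, in USD per year.

    annual_breach_prob is an assumption supplied by the reader; the page
    gives no value for it.
    """
    if not 0.0 <= annual_breach_prob <= 1.0:
        raise ValueError("annual_breach_prob must be between 0 and 1")
    return round(annual_breach_prob * saving_if_breached(days_cut) - mdr_annual_cost)


def break_even_probability(mdr_annual_cost, days_cut=LIFECYCLE_DAYS_CUT):
    """Annual breach probability above which the MDR spend pays for itself."""
    saving = saving_if_breached(days_cut)
    if saving == 0:
        return float("inf")
    return round(mdr_annual_cost / saving, 3)


if __name__ == "__main__":
    for cost in (200_000, 500_000):          # MDR cost range from the page
        print(f"MDR ${cost:,}/yr: break-even p = {break_even_probability(cost)}")
        for p in (0.05, 0.2, 1.0):           # illustrative probabilities
            print(f"  p={p:<4} net benefit = ${expected_net_benefit(p, cost):,}")
```

At a probability of 1.0 the function reproduces the page's $1.4M-$1.7M range; at lower probabilities the sign of the result depends on where the organisation sits relative to the break-even value.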
Frequently Asked Questions
What is MTTD in cybersecurity?
Mean Time to Detect is the average time between when an attacker first gains access and when the security team first becomes aware of the intrusion. IBM 2025 puts the global average at 194 days. Mandiant reports a much lower 11-day median for all incidents, reflecting that many breaches are detected quickly while a tail of sophisticated intrusions extends the average significantly.
What is MTTR and how does it affect cost?
MTTR is ambiguous: it means Mean Time to Respond in operations contexts, and Mean Time to Recover or Remediate in security contexts. IBM's combined breach lifecycle (detection + containment) averages 258 days. Each additional day of undetected breach adds approximately $24,000 in expected cost based on IBM's AI savings data.
How much does AI reduce breach cost?
IBM CODB 2025 reports organisations with extensive AI security automation saved $2.22M per breach on average compared to those with no AI. The primary mechanism is detection speed: AI cuts the breach lifecycle by 80 days, and each day of dwell time costs approximately $24,000.
What is the relationship between MTTD and containment time?
MTTD (detection) and MTTC (containment) together make up the breach lifecycle. Detection initiates the response but the clock does not stop until the attacker is fully evicted. IBM reports a 64-day average gap between first detection and full containment, as attackers often have multiple persistence mechanisms that must all be identified and removed.