Skip to Content

What Is MTTD?

Mean time to detect, or MTTD, is the average time it takes a DevOps team to detect a problem, such as a software bug or hardware failure, within an organization.

MTTD is one of the key performance indicators of incident management. Obviously, the sooner an organization discovers a problem, the better. Incidents often can lead to system downtime, which on average can cost $5,600 per minute, according to Gartner.

Although MTTD isn't the only metric available to DevOps teams, it's one of the easiest to track and measure, and it’s an essential metric for any organization that wants to avoid problems like system outages.

How to Calculate MTTD: Step by Step

To calculate MTTD:

  1. Keep track of all incidents using tools such as logs, a help desk, and/or an intrusion detection system (more on these tools below).
  2. Determine the goal of your MTTD calculation and what you want to calculate it for. MTTD is typically calculated for a certain facility or system over a specific time period, such as overnight, weekly, monthly, or annually. It can also be calculated for a specific technician or team.
  3. Use the previously mentioned tools to calculate the start time and detection time for each incident within the time frame you’ve chosen.
  4. Divide the total incident detection time by the number of incidents.

For example, let’s say the 24x7 operations support team for a large auto parts manufacturer tracks weekly MTTD for the entire facility. During the week of February 7-11, 2022, there were four incidents. Using systems logs, the team determined the start time and detection time of each incident and recorded them in a table as follows:

Start Time

Detection Time

Elapsed (min)

4:45 am

6:43 am

118

2:01 am

2:54 am

53

9:05 am

11:33 am

148

3:44 pm

5:09 pm

85

Slide

The mean time to detect is calculated as:

(118 + 53 + 148 + 85)/4

MTTD = 101 minutes

The auto parts manufacturer could then use this number to compare MTTD from this particular week to other weeks or to the same week in the previous year. If they’d calculated MTTD for a certain team, they could use this result to gauge the team’s performance over time. Some companies choose to remove outliers from the table, and many will also tier incidents by severity to see if MTTD varies according to the seriousness of the problem.

What Tools Do You Need to Monitor MTTD?

Monitoring MTTD mainly involves keeping track of anything that qualifies as an event or an issue, which can vary greatly from organization to organization.

The primary tools you need to monitor MTTD include:

Logs: Logs are automatically produced and time-stamped documentations of events relevant to a particular computer system or software application. For example, a web server’s access log lists all the individual files that people request from a website, including HTML files and any other associated files that get transmitted. Another example is a database log, which records all activity in the database, including all changes to records.

Help desks: Held desks are centralized help centers for product users who need help with anything related to the product, especially IT issues. They can be physical or online call centers or ticket systems that operate through SaaS applications. Help desks have a knowledge base that keeps records of customer issues, including what the issue was, when it was identified, and how it was resolved.

Intrusion detection systems: An intrusion detection system (IDS) is a system that monitors network traffic for suspicious activity and produces alerts when such activity is discovered. The primary functions of an IDS are reporting and anomaly detection, but some intrusion detection systems can take action when they detect malicious activity, including blocking traffic sent from suspicious IP addresses.

What Is a Good MTTD?

What constitutes a “good” MTTD will vary greatly depending on the company, its product, the industry, and the particular threat or intrusion the company wants to prevent or intercept. Obviously, the best possible MTTD is zero, meaning you catch the threat actor before it even has a chance to cause damage.

A zero MTTD is, of course, very hard to achieve. According to Ponemon Institute, which provides the industry standard benchmark for MTTD, the average time to identify and contain a data breach was 280 days in 2020 and 279 days in 2019.

To figure out what a good MTTD is for your particular company, you should look not only at the overall average for all companies but also try to get information on how other companies in your sector do with MTTD. Also, you need to calculate what the cost of the average data breach is for your company and how much your company can afford to lose per breach without causing serious financial hardship to the company.

There are various steps you can take to lower MTTD:

  • Invest in the best possible cybersecurity talent and solutions.
  • Make sure all internal teams are aligned and communicating around potential cyber threats.
  • Accurately and consistently record incidents and maintain a reliable and thorough event log.
  • For every incident, always examine what caused it and how to prevent it or detect it faster moving forward.

Other things that can help organizations lower their MTTD include security orchestration, automation and response (SOAR) technologies, and incident response plans.

Who Should Use MTTD and When?

Any company with systems or networks that need to stay up and running and secure can benefit from regularly measuring MTTD.

MTTD should always be measured at the times when the occurrence of the incident would cause damage. For example, for a manufacturing facility that only operates at night, you would only want to be checking for incidents at night. It wouldn’t make sense to include daytime data.

What Is the Next Metric after Detection?

MTTD reflects the amount of time it takes your team to discover a potential security incident. But, the next step after detection is response.

Mean time to respond, or MTTR, is the time it takes to control, remediate, and/or eradicate a threat once it’s been discovered.

Learn more about MTTR.

12/2024
Making the Future More Efficient and Affordable
To address a disk space shortage,Reynaers invested in Pure Storage FlashArray and an ActiveCluster storage system.
Case Study
4 pages

Browse key resources and events

PURE360 DEMOS
Explore, Learn, and Experience

Access on-demand videos and demos to see what Pure Storage can do.

Watch Demos
AI WORKSHOP
Unlock AI Success with Pure Storage and NVIDIA

Join us for an exclusive workshop to turn AI pilots into production-ready deployments.

Register Now
ANALYST REPORT
Stop Buying Storage, Embrace Platforms Instead

Explore the requirements, components, and selection process for new enterprise storage platforms.

Get the Report
SAVE THE DATE
Mark Your Calendar for Pure//Accelerate® 2025

We're back in Las Vegas June 17-19, taking data storage to the next level.

Join the Mailing List
CONTACT US
Meet with an Expert

Let’s talk. Book a 1:1 meeting with one of our experts to discuss your specific needs.

Questions, Comments?

Have a question or comment about Pure products or certifications?  We’re here to help.

Schedule a Demo

Schedule a live demo and see for yourself how Pure can help transform your data into powerful outcomes. 

Call Sales: +44 8002088116

Mediapr@purestorage.com

 

Pure Storage, Inc.

2555 Augustine Dr.

Santa Clara, CA 95054

800-379-7873 (general info)

info@purestorage.com

CLOSE
Your Browser Is No Longer Supported!

Older browsers often represent security risks. In order to deliver the best possible experience when using our site, please update to any of these latest browsers.