MTTD and MTTR
MTTD, mean time to detect
The average time between a threat entering your environment and the MDR provider identifying it.
Good: <15 minutes for known patterns. Novel attacks may take hours.
MTTR, mean time to respond
How long from detection to containment or resolution. Includes investigation, triage, and action.
Good: <30 minutes for automated containment. Complex incidents take longer.
Measurement problems
There is no industry-standard methodology for measuring MTTD or MTTR. This means two providers can claim “15-minute MTTD” and mean completely different things:
- When does the clock start? At first exploit? First log entry? First alert? First investigation? Each gives a very different number.
- What counts as “detected”? An automated alert firing? An analyst confirming the alert? A notification sent to you?
- What's included in the mean? All incidents? Only confirmed true positives? Only incidents during business hours?
- When does MTTR stop? At containment (endpoint isolated)? At investigation complete? At full remediation?
What to ask instead
Don't just ask “what's your MTTD?” Ask these follow-up questions:
- “How do you define MTTD? When does the clock start?”
- “What percentage of incidents are included in that number?”
- “Can I see a sample incident timeline?” From first evidence to containment, with timestamps.
- “What's your SLA, and is it contractual?” SLA commitments matter more than mean metrics because the provider faces consequences for missing them.
- “Do you publish these metrics externally? How often?” Providers who publish quarterly reports are more accountable.
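The measurement choices listed under “Measurement problems” and the sample-timeline question above, as an added worked example that is not part of the original page and not any provider's code: one constructed set of four incident records (two true positives in business hours, one true positive found out of hours, one false positive) is measured under several explicit definitions of MTTD and MTTR. The field names (first_evidence, alert_fired, analyst_triaged, customer_notified, contained, remediated), the timestamps and the dispositions are constructed assumptions, not any provider's schema or published figures.

```python
"""Measure MTTD/MTTR from one set of incident records under several explicit
definitions, to show how far the "same" metric moves with the definition.

Added example: field names and sample data are constructed assumptions, not
any MDR provider's schema or published figures.
"""
from datetime import datetime
from statistics import mean

# Constructed sample incidents (UTC, ISO 8601). Each record carries every clock
# point named in the "Measurement problems" list; None means the event never
# happened (a false positive is never contained or remediated).
INCIDENTS = [
    {"id": "INC-001", "disposition": "true_positive", "business_hours": True,
     "first_evidence": "2024-03-04T09:00:00", "alert_fired": "2024-03-04T09:05:00",
     "analyst_triaged": "2024-03-04T09:20:00", "customer_notified": "2024-03-04T09:25:00",
     "contained": "2024-03-04T09:40:00", "remediated": "2024-03-05T11:00:00"},
    # Novel technique found out of hours: long dwell before the first alert.
    {"id": "INC-002", "disposition": "true_positive", "business_hours": False,
     "first_evidence": "2024-03-06T02:00:00", "alert_fired": "2024-03-06T06:00:00",
     "analyst_triaged": "2024-03-06T06:30:00", "customer_notified": "2024-03-06T06:45:00",
     "contained": "2024-03-06T07:00:00", "remediated": "2024-03-07T12:00:00"},
    # False positive: alert fired fast, analyst closed it, nothing to contain.
    {"id": "INC-003", "disposition": "false_positive", "business_hours": True,
     "first_evidence": "2024-03-07T14:00:00", "alert_fired": "2024-03-07T14:02:00",
     "analyst_triaged": "2024-03-07T14:10:00", "customer_notified": None,
     "contained": None, "remediated": None},
    {"id": "INC-004", "disposition": "true_positive", "business_hours": True,
     "first_evidence": "2024-03-08T10:00:00", "alert_fired": "2024-03-08T10:08:00",
     "analyst_triaged": "2024-03-08T10:30:00", "customer_notified": "2024-03-08T10:32:00",
     "contained": "2024-03-08T11:00:00", "remediated": "2024-03-08T17:00:00"},
]

CLOCK_POINTS = ["first_evidence", "alert_fired", "analyst_triaged",
                "customer_notified", "contained", "remediated"]


def _minutes_between(record, start_field, end_field):
    """Elapsed minutes between two clock points, or None if either never happened."""
    start, end = record.get(start_field), record.get(end_field)
    if start is None or end is None:
        return None
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def mean_minutes(incidents, start_field, end_field, *,
                 true_positives_only=False, business_hours_only=False):
    """Mean elapsed minutes from start_field to end_field over the selected incidents.

    The keyword filters are the "what's included in the mean?" choices. An
    incident missing either clock point drops out silently, which is itself a
    way the measured population shrinks. Returns None if nothing qualifies.
    """
    samples = []
    for rec in incidents:
        if true_positives_only and rec["disposition"] != "true_positive":
            continue
        if business_hours_only and not rec["business_hours"]:
            continue
        delta = _minutes_between(rec, start_field, end_field)
        if delta is not None:
            samples.append(delta)
    return mean(samples) if samples else None


# Several defensible readings of "MTTD" and "MTTR": (start point, stop point, filters).
DEFINITIONS = {
    "MTTD: first evidence -> alert, all incidents": ("first_evidence", "alert_fired", {}),
    "MTTD: first evidence -> alert, true positives only":
        ("first_evidence", "alert_fired", {"true_positives_only": True}),
    "MTTD: first evidence -> alert, business hours only":
        ("first_evidence", "alert_fired", {"business_hours_only": True}),
    "MTTD: first evidence -> analyst triage, all": ("first_evidence", "analyst_triaged", {}),
    "MTTD: first evidence -> customer notified": ("first_evidence", "customer_notified", {}),
    "MTTR: alert -> contained": ("alert_fired", "contained", {}),
    "MTTR: notified -> contained": ("customer_notified", "contained", {}),
    "MTTR: alert -> remediated": ("alert_fired", "remediated", {}),
}


def compare_definitions(incidents):
    """Return {definition label: mean minutes} for every definition above."""
    return {label: mean_minutes(incidents, start, end, **filters)
            for label, (start, end, filters) in DEFINITIONS.items()}


def timeline(record):
    """Sample incident timeline: each clock point as minutes after first evidence."""
    return [(point, _minutes_between(record, "first_evidence", point))
            for point in CLOCK_POINTS if record.get(point) is not None]


if __name__ == "__main__":
    for label, minutes in compare_definitions(INCIDENTS).items():
        shown = f"{minutes:8.1f} min" if minutes is not None else "     n/a"
        print(f"{label:55s} {shown}")
    print("\nTimeline for", INCIDENTS[0]["id"])
    for point, offset in timeline(INCIDENTS[0]):
        print(f"  +{offset:7.0f} min  {point}")
```

On this one dataset, “MTTD” ranges from 5.0 minutes (first evidence to alert, business hours only) to 114 minutes (first evidence to customer notification), and “MTTR” from about 19 minutes (notification to containment) to about 21 hours (alert to full remediation). None of these numbers is wrong; each is a different definition, which is why the clock-start, clock-stop and inclusion questions above have to be asked before a quoted figure means anything.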
SLA vs. MTTD/MTTR
An SLA (Service Level Agreement) is contractual. The provider commits to responding within a specific time frame and may face penalties for missing it. MTTD and MTTR are self-reported averages with no contractual consequences attached.
SLA commitments across the market range from ≤15 minutes to ≤24 hours. Some providers have no formal SLA at all. If you care about response speed, the SLA matters more than self-reported mean metrics.
Detection quality
Fast detection means little if it comes buried in false positives. A provider with 5-minute MTTD that sends you 50 false alerts per day is worse than one with 15-minute MTTD that sends you 3 verified alerts per week. Ask about:
- False positive rate: What percentage of alerts turn out to be noise?
- Alert volume: How many notifications do you send per week for an organization my size?
- Enrichment: When you do alert me, how much context is included? (Timeline, affected systems, recommended actions, severity assessment.)
FAQ
What does MTTD stand for?
Mean Time to Detect. The average time from threat entry to identification. Good MDR targets <15 minutes for known patterns.
What does MTTR stand for?
Mean Time to Respond. From detection to containment. Top providers target <30 minutes for automated containment.
Why don't all MDR providers publish these numbers?
No standard methodology exists. Providers who publish metrics often cherry-pick favorable methodologies. Ask how they measure, not just what the number is.