MTTR
MTTR (Mean Time To Respond) measures the average time between a security alert being raised and the start of a qualified response — containment, isolation, or active investigation. It is the single most useful operational metric to compare two SOC offers.
What MTTR measures
MTTR (Mean Time To Respond) is the average elapsed time from when an alert is raised by a detection tool to when a qualified human action begins on it. “Qualified action” matters: an automatic acknowledgement does not count, nor does a follow-up email two days later.
MTTR is sometimes confused with MTTD (Mean Time To Detect — time between the malicious activity actually happening and the alert firing) and MTTR-meaning-Resolve (full closure of the incident, often hours or days). When comparing SOC offers, make sure you compare the same definition.
Why it matters
Most ransomware attacks observed in 2026 unfold over 5 to 9 days between initial compromise and encryption trigger. The lower your MTTR, the more of those days you actually use to detect, contain and neutralise — instead of recovering after the fact.
See our article Anatomy of a ransomware attack on an SMB for the full chain.
MTTR at Hexceos
Average measured MTTR in 2025: 11 minutes on 187 qualified incidents at our managed SOC. Contractual MTTR for critical incidents is generally committed below 30 minutes, 24/7. See our managed SOC service for the full SLA scope.
Last updated: 19 May 2026