4.3 Metrics That Actually Matter

Most guides mention MTTR without defining it. Here are 4 metrics with precise definitions.

| # | Metric | Definition | Formula | Owner | What “Good” Looks Like |
|---|--------|------------|---------|-------|------------------------|
| 1 | MTTD (Mean Time to Detect) — SOC | Average time from ADR alert generation to SOC analyst acknowledging/opening the alert in the SIEM | Σ(alert_acknowledged_time - alert_created_time) / count(alerts) | SOC Leader | Level 1: < 4 hrs; Level 2: < 1 hr; Level 3: < 15 min |
| 2 | MTTT (Mean Time to Triage) — SOC | Average time from alert acknowledgement to triage decision (escalate/close/investigate) | Σ(triage_decision_time - alert_acknowledged_time) / count(alerts) | SOC Leader | Level 1: < 2 hrs; Level 2: < 30 min; Level 3: < 10 min |
| 3 | MTTR (Mean Time to Remediate) — AppSec | Average time from vulnerability discovery (by ADR) to verified fix in production | Σ(patch_verified_in_prod_time - vuln_first_detected_time) / count(vulns) | AppSec Leader | Level 1: < 90 days; Level 2: < 30 days; Level 3: < 14 days (for Critical/High) |
| 4 | Block Coverage % — AppSec | Percentage of Tier 1/2 applications with Block Mode enabled for high-confidence rules | count(apps_with_block_mode) / count(tier1_and_tier2_apps) × 100 | AppSec Leader | Level 1: 0% (Monitor only); Level 2: > 50% Tier 1; Level 3: > 80% Tier 0+1 |

How to use these metrics:

  • Track monthly. Report quarterly to CISO.

  • Use them to validate your maturity level (4.1, 4.2). If your MTTD is 6 hours, you’re not at “Level 3” regardless of what else you’ve done.

  • Don’t compare to industry benchmarks. Compare to your own previous quarter. The trend is the signal.
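The four formulas in the table, computed over exported records and mapped to the time-based level thresholds, as an added example (not part of the original guide). The record schema, the sample data and the helper names are assumptions; the timestamp field names are taken from the formulas. It also counts records that are still open, because the mean leaves them out.

```python
from datetime import datetime, timedelta

def mean_delta(records, start_key, end_key):
    """Σ(end - start) / count over records that have both timestamps.
    Returns (mean, skipped); skipped counts records still open, which the
    mean silently leaves out, so report it next to the metric."""
    deltas = [r[end_key] - r[start_key] for r in records
              if r.get(start_key) and r.get(end_key)]
    mean = sum(deltas, timedelta()) / len(deltas) if deltas else None
    return mean, len(records) - len(deltas)

def level(value, limits):
    """Highest level whose '<' threshold the value meets (0 = below Level 1)."""
    return 0 if value is None else sum(value < lim for lim in limits)

def block_coverage(apps):
    """count(apps_with_block_mode) / count(tier1_and_tier2_apps) × 100."""
    scoped = [a for a in apps if a["tier"] in (1, 2)]
    return 100 * sum(a["block_mode"] for a in scoped) / len(scoped) if scoped else 0.0

# Thresholds copied from the table (Level 1, 2, 3); MTTR Level 3 is for Critical/High.
MTTD_LIMITS = (timedelta(hours=4), timedelta(hours=1), timedelta(minutes=15))
MTTT_LIMITS = (timedelta(hours=2), timedelta(minutes=30), timedelta(minutes=10))
MTTR_LIMITS = (timedelta(days=90), timedelta(days=30), timedelta(days=14))

# Constructed sample data; the export schema is an assumption.
T0 = datetime(2024, 1, 8, 9, 0)
ALERTS = [
    {"alert_created_time": T0, "alert_acknowledged_time": T0 + timedelta(minutes=20),
     "triage_decision_time": T0 + timedelta(minutes=30)},
    {"alert_created_time": T0, "alert_acknowledged_time": T0 + timedelta(minutes=40),
     "triage_decision_time": T0 + timedelta(minutes=60)},
    {"alert_created_time": T0, "alert_acknowledged_time": None,
     "triage_decision_time": None},  # never acknowledged
]
VULNS = [
    {"vuln_first_detected_time": T0, "patch_verified_in_prod_time": T0 + timedelta(days=10)},
    {"vuln_first_detected_time": T0, "patch_verified_in_prod_time": T0 + timedelta(days=30)},
]
APPS = [{"tier": 1, "block_mode": True}, {"tier": 1, "block_mode": False},
        {"tier": 2, "block_mode": True}, {"tier": 2, "block_mode": False},
        {"tier": 3, "block_mode": True}]  # tier 3 is outside the denominator

if __name__ == "__main__":
    for name, recs, s, e, lim in [
        ("MTTD", ALERTS, "alert_created_time", "alert_acknowledged_time", MTTD_LIMITS),
        ("MTTT", ALERTS, "alert_acknowledged_time", "triage_decision_time", MTTT_LIMITS),
        ("MTTR", VULNS, "vuln_first_detected_time", "patch_verified_in_prod_time", MTTR_LIMITS)]:
        mean, skipped = mean_delta(recs, s, e)
        print(f"{name}: {mean} (Level {level(mean, lim)}, {skipped} open record(s) excluded)")
    print(f"Block coverage: {block_coverage(APPS):.0f}%")
```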