Dwell time is the number of days an attacker remains undetected inside your network between initial compromise and discovery. According to Mandiant's M-Trends 2024 report, the global median dwell time dropped to 10 days in 2023, down from 16 days in 2022 and 21 days in 2021. While this trend is positive, it masks significant disparities: organizations without 24/7 monitoring still average 24 days of dwell time, and in certain sectors like manufacturing and education, median dwell time exceeds 45 days. Every additional day an attacker spends inside your environment increases the scope of compromise, the volume of data exfiltrated, and the cost of remediation. IBM's 2024 Cost of a Data Breach Report found that breaches identified in under 200 days cost USD 3.93 million on average, while those taking longer than 200 days cost USD 4.95 million, a difference of over one million dollars.
Key Takeaways
- Global median dwell time dropped from 21 days (2021) to 10 days (2023), but varies dramatically by organization maturity.
- Breaches detected in under 200 days cost USD 1.02 million less than those detected later (IBM, 2024).
- Organizations with 24/7 SOC monitoring achieve 6-day median dwell time vs. 24 days without.
- MTTD (Mean Time to Detect) and MTTR (Mean Time to Respond) are the two most critical SOC performance metrics.
- Automation and threat hunting are the most effective methods to reduce dwell time.
What Are MTTD and Dwell Time?
Dwell time (also called attacker dwell time or time-to-detection) measures the elapsed time between when an attacker first gains access to a system and when the intrusion is discovered. It is the broadest measure of detection effectiveness.
MTTD (Mean Time to Detect) is the average time it takes to identify a security incident across all incidents over a given period. While dwell time focuses on individual incidents, MTTD provides an aggregate metric for SOC performance evaluation.
MTTR (Mean Time to Respond) measures the average time from incident detection to containment or resolution. Together, MTTD and MTTR form the complete picture of an organization's incident response efficiency.
The relationship is straightforward: the window in which an attacker can do damage is dwell time plus response time (detection to containment), so total incident impact grows with both. Reducing either metric directly reduces breach damage and cost.
The Dwell Time Trend: Progress and Gaps
The cybersecurity industry has made meaningful progress in reducing dwell time over the past decade:
| Year | Global Median Dwell Time (Mandiant) | Notable Context |
|---|---|---|
| 2011 | 416 days | APT-dominated threat landscape |
| 2015 | 146 days | Rise of commercial EDR solutions |
| 2018 | 78 days | Managed detection services emerge |
| 2020 | 24 days | XDR and automated detection mature |
| 2021 | 21 days | Ransomware forces faster detection |
| 2022 | 16 days | MDR adoption accelerates |
| 2023 | 10 days | Automation and threat hunting impact |
Source: Mandiant M-Trends Reports 2012-2024.
However, this global median obscures critical differences. Mandiant's data shows that internally detected incidents had a median dwell time of 13 days, while externally notified incidents (where a third party, law enforcement, or the attacker themselves revealed the breach) had a median of 28 days. Organizations relying on external notification are consistently slower to detect threats and face significantly higher remediation costs.
Dwell Time by Detection Source
| Detection Source | Median Dwell Time (2023) | Percentage of Incidents |
|---|---|---|
| Internal detection (SOC/security team) | 13 days | 54% |
| External notification (third party) | 28 days | 29% |
| Attacker notification (ransomware note) | 5 days | 17% |
Source: Mandiant M-Trends 2024.
The 5-day figure for attacker notification warrants attention. Ransomware operators intentionally reveal themselves after completing their objectives (encrypting systems, exfiltrating data). A 5-day dwell time before ransomware deployment means the attacker had 5 days of undetected lateral movement, privilege escalation, and data staging. The actual compromise began much earlier.
The Financial Impact of Longer Dwell Times
IBM's 2024 Cost of a Data Breach Report provides the clearest financial evidence for investing in detection speed:
| Breach Lifecycle | Average Total Cost | Difference |
|---|---|---|
| Identified in under 200 days | USD 3.93 million | Baseline |
| Identified in over 200 days | USD 4.95 million | +USD 1.02 million (+26%) |
The cost increase is driven by several factors that compound with dwell time:
- Expanded scope of compromise: Longer dwell time allows attackers to move laterally across more systems, compromise more accounts, and access more sensitive data. Each additional system compromised increases forensic investigation costs and remediation effort.
- Greater data exfiltration: According to CrowdStrike's 2024 Global Threat Report, the average time from initial access to data exfiltration is now 62 minutes for the fastest actors. Every day of undetected presence allows for additional data theft.
- Regulatory penalties: Under NIS2, organizations must report significant incidents within 24 hours. Longer dwell times often mean the incident is more severe when finally detected, resulting in more complex regulatory reporting and potentially larger penalties. See our guide to incident response planning and NIS2 reporting.
- Business disruption: Breaches with longer dwell times require more extensive remediation, often involving complete rebuilds of compromised infrastructure rather than targeted cleanup.
- Reputation damage: Extended breaches that affect customers or partners result in greater trust erosion and longer recovery periods for brand reputation.
Dwell Time Benchmarks by Industry
Detection capabilities vary significantly across sectors. Based on data from Mandiant, IBM, and CrowdStrike reports:
| Industry | Typical Dwell Time Range | Primary Challenge |
|---|---|---|
| Financial services | 5-15 days | High regulatory pressure drives investment; complex environments create blind spots |
| Healthcare | 15-30 days | Legacy systems, medical device visibility gaps, understaffed security teams |
| Manufacturing | 25-50 days | OT/IT convergence, limited monitoring of industrial systems, shift to ransomware targeting |
| Retail | 10-25 days | High transaction volumes create noise; POS and e-commerce attack surfaces |
| Education | 30-60 days | Open network environments, limited budgets, large and diverse user populations |
| Government | 15-40 days | Varied maturity across agencies; targeted by nation-state actors with advanced TTPs |
| Technology | 5-15 days | Higher security maturity offset by attractiveness as a target and complex supply chains |
How to Reduce MTTD: Practical Strategies
1. Implement 24/7 Security Monitoring
The single most impactful action is ensuring continuous monitoring. Mandiant data shows organizations with 24/7 SOC monitoring achieve a median dwell time of 6 days versus 24 days for those with business-hours-only coverage. For most organizations, this means engaging a SOC as a Service provider or MDR service rather than building an internal 24/7 capability.
2. Deploy Endpoint Detection and Response (EDR/XDR)
EDR provides deep visibility into endpoint activity that network-level monitoring misses. According to Forrester, organizations with EDR deployed across 90%+ of endpoints reduce dwell time by an average of 40% compared to those relying solely on network monitoring and SIEM. XDR extends this by correlating endpoint, network, cloud, and identity telemetry for cross-domain threat detection.
3. Conduct Proactive Threat Hunting
Threat hunting is the practice of proactively searching for threats that have evaded automated detection. SANS Institute research found that organizations with dedicated threat hunting programs detect threats 2.5 times faster than those relying solely on automated alerts. Effective hunting requires skilled analysts armed with threat intelligence, hypothesis-driven methodologies, and access to comprehensive telemetry.
4. Leverage Automation and SOAR
Security Orchestration, Automation, and Response (SOAR) platforms reduce detection time by automating repetitive tasks that slow human analysts. Automated alert enrichment (adding context from threat intelligence, asset databases, and user directories), automated triage (filtering known false positives), and automated containment (isolating endpoints, blocking IPs) collectively reduce both MTTD and MTTR. Forrester reports that SOAR adoption reduces MTTR by up to 80%.
5. Reduce Alert Noise
Alert fatigue is one of the primary enemies of fast detection. A poorly tuned SIEM can generate thousands of alerts per day, burying real threats in noise. According to a study by Critical Start, SOC analysts waste an average of 32% of their time investigating false positives. Regular SIEM tuning, alert prioritization frameworks (such as risk-based scoring), and AI-assisted correlation significantly improve the signal-to-noise ratio.
6. Improve Log Coverage and Visibility
You cannot detect what you cannot see. Many organizations have significant visibility gaps in their logging, particularly in cloud environments, SaaS applications, and OT/IoT networks. A comprehensive detection strategy requires log collection from all critical sources: endpoints, network devices, identity platforms (Active Directory, Azure AD), email gateways, cloud infrastructure (AWS CloudTrail, Azure Activity Log), and business applications.
The Role of SOC and MDR in Reducing Dwell Time
Whether internal or outsourced, the SOC is the organizational function responsible for MTTD. The effectiveness of a SOC in reducing dwell time depends on three factors:
- People: Skilled analysts who can distinguish real threats from noise and perform threat hunting. The ISC2 2023 Workforce Study reports 3.4 million unfilled cybersecurity positions globally, making talent the primary bottleneck for most organizations.
- Process: Well-defined triage procedures, escalation paths, and response playbooks that ensure consistent, fast action regardless of which analyst is on shift.
- Technology: Integrated detection and response tools (SIEM, EDR/XDR, SOAR, threat intelligence platforms) that provide comprehensive visibility and enable rapid investigation.
For organizations that cannot build all three internally, MDR providers offer a complete solution. Gartner notes that MDR providers typically demonstrate MTTD of under 1 hour for threats matching known indicators and under 24 hours for novel threats requiring investigation, significantly outperforming the capabilities of most internal security teams.
Orizon's Oversight service provides continuous threat monitoring with industry-leading detection times, combining automated detection with expert human threat hunting to minimize dwell time for European organizations.
Measuring and Tracking Dwell Time
To improve dwell time, you must first measure it. Key metrics to track include:
- MTTD by incident severity: Track detection time separately for critical, high, medium, and low severity incidents. Critical incidents should have the shortest MTTD.
- MTTD by detection source: Measure whether incidents are detected internally (proactive) or externally (reactive). A high percentage of external notifications indicates detection gaps.
- MTTR (Mean Time to Respond): Track from detection to containment. Combine with MTTD for total incident lifecycle.
- False positive rate: Monitor the percentage of investigated alerts that turn out to be benign. A rate above 50% indicates tuning is needed.
- Detection coverage: Map your detection capabilities against the MITRE ATT&CK framework to identify technique blind spots.
Review these metrics monthly and trend them quarterly. Set improvement targets based on industry benchmarks and track progress against them. The goal is not perfection but continuous improvement: reducing MTTD from 30 days to 15, then from 15 to 7, demonstrates measurable security improvement that justifies ongoing investment.
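The metrics listed above (and the dwell time, MTTD and MTTR definitions earlier on the page) computed from an incident register, as an added example that is not code from the original article or from Orizon. The incident fields, the sample records and the per-severity targets are assumptions; dwell time is measured from the earliest attacker activity that forensics established, which is the caveat the ransomware-note figure above calls for.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional

@dataclass
class Incident:
    severity: str                  # critical / high / medium / low
    source: str                    # internal / external / attacker (ransom note)
    first_access: datetime         # earliest attacker activity established by forensics
    detected: datetime
    contained: Optional[datetime]  # None while the incident is still open
    true_positive: bool            # False when triage showed the alert was benign

def dwell_days(inc: Incident) -> float:
    """Dwell time of one incident: first attacker access to detection, in days."""
    return (inc.detected - inc.first_access).total_seconds() / 86400

def mttd_days(incidents, group_by=None):
    """MTTD in days over confirmed incidents, optionally split by 'severity' or 'source'."""
    confirmed = [i for i in incidents if i.true_positive]
    if group_by is None:
        return mean(dwell_days(i) for i in confirmed) if confirmed else 0.0
    groups = {}
    for i in confirmed:
        groups.setdefault(getattr(i, group_by), []).append(dwell_days(i))
    return {k: mean(v) for k, v in groups.items()}

def mttr_hours(incidents) -> float:
    """MTTR in hours: detection to containment, over confirmed and closed incidents."""
    closed = [i for i in incidents if i.true_positive and i.contained]
    return mean((i.contained - i.detected).total_seconds() / 3600 for i in closed) if closed else 0.0

def false_positive_rate(incidents) -> float:
    """Share of investigated alerts that turned out benign; above 0.5 signals tuning work."""
    return sum(not i.true_positive for i in incidents) / len(incidents) if incidents else 0.0

def severities_over_target(incidents, targets_days):
    """Severity levels whose MTTD exceeds their target; the targets are a hypothetical policy."""
    by_sev = mttd_days(incidents, "severity")
    return sorted(s for s, d in by_sev.items() if d > targets_days.get(s, float("inf")))
# Constructed sample quarter, not real data: timestamps are relative to a fixed epoch.
T0 = datetime(2024, 3, 1)
SAMPLE = [
    Incident("critical", "internal", T0, T0 + timedelta(days=2), T0 + timedelta(days=2, hours=6), True),
    Incident("high", "external", T0, T0 + timedelta(days=20), T0 + timedelta(days=21), True),
    Incident("medium", "internal", T0, T0 + timedelta(days=6), None, True),
    Incident("critical", "attacker", T0, T0 + timedelta(days=4), T0 + timedelta(days=4, hours=18), True),
    Incident("low", "internal", T0, T0 + timedelta(hours=12), T0 + timedelta(hours=14), False),
]
TARGETS = {"critical": 1, "high": 7, "medium": 14, "low": 30}  # hypothetical targets, in days
```

On the sample register, `mttd_days(SAMPLE, "source")` shows the internal/external split the page describes (4.0 versus 20.0 days), and `severities_over_target` flags critical and high as missing their targets, which is the monthly review output worth trending.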
