MTTD, MTTR, and MTRER: Cybersecurity Metrics Explained

You can probably say how fast your team spots a threat and how fast it responds. The quieter number, how long it takes to reduce an exploitable risk once you've found it, tends to be missing. This guide covers what MTTD and MTTR measure, where MTRER fits, and why that number is worth showing to a client or a board.

Author

Zynap Team

MTTD and MTTR are two of the most widely used metrics in security operations. They show up in MSSP service-level agreements, board presentations, and annual security reviews, and they’ve helped many teams improve how they detect and respond to threats.

Teams running mature exposure management programs often find that these two metrics don’t capture everything they need to measure. There’s a specific gap between identifying a risk and reducing it, and that gap matters more as AI changes the speed at which attackers operate.

This article covers what MTTD and MTTR measure, what MTRER adds to the picture, and how to use all three together.

Security Metrics: From MTTD and MTTR to Exposure Reduction

Security metrics have tended to track the most pressing operational bottleneck of the moment.

MTTD emerged as the headline KPI when detection was the constraint. Faster detection meant less time for an attacker to move laterally and a smaller blast radius. Investment flowed into SIEM platforms, behavioral analytics, and threat hunting, and detection times improved.

MTTR followed. Detection speed is only useful if it leads to action, and MTTR pushed security operations toward faster response workflows, more structured playbooks, and tighter integration between detection and remediation teams. It remains the standard measure in managed security SLAs today.

Gartner’s Continuous Threat Exposure Management (CTEM) framework, introduced in 2022, extended the thinking further. CTEM moved security programs from measuring response speed toward continuously identifying and prioritizing exploitable risk, using real-world attack path analysis rather than raw CVSS scores. You can read more about how the five-stage CTEM process works in our full explainer.

MTRER builds on that foundation. Developed by Zynap, it measures what MTTD, MTTR, and CTEM don’t track directly: how quickly exposures move from identified to operationally reduced.

What Is MTTD in Cybersecurity? (Mean Time to Detect)

Mean Time to Detect (MTTD) measures how long it takes a security team to identify that a threat event or suspicious activity has occurred, covering the interval from when an attack begins to when it’s flagged by a detection system or analyst.

As a core SOC metric, MTTD is still a meaningful signal. A shorter MTTD means less time for an attacker to establish persistence, and for MSSPs with tight response SLAs and enterprise teams managing large attack surfaces, it remains a reliable baseline measure.

What MTTD Covers

  • Time from attack initiation to first detection alert
  • SOC analyst notification and triage time
  • Detection across endpoint, network, and identity layers
  • Baseline for measuring improvement in threat hunting programs

How to Calculate MTTD

The formula is straightforward. You add up the time between when each incident actually began and when it was detected, then divide by the number of incidents.

MTTD = total detection delay across all incidents / number of incidents

So if your SOC handled four incidents over a month and the gaps between compromise and detection were 6, 10, 2, and 22 hours, that’s 40 hours of detection delay across four incidents, which gives an MTTD of 10 hours. On average, threats sat undetected for ten hours before anyone noticed.

Some frameworks also track MTTA, Mean Time to Acknowledge, which measures the gap between an alert firing and an analyst confirming engagement with it, a useful leading indicator of SOC responsiveness before MTTD fully kicks in.

As detection capabilities matured through the 2010s, alert volumes often grew faster than analyst capacity to act on them. That shift moved the operational bottleneck downstream, toward response and remediation, which is what gave MTTR its prominence as the next headline metric.

What Is MTTR in Cybersecurity? (Mean Time to Respond)

Mean Time to Respond (MTTR) measures how long it takes from detecting a threat or vulnerability to resolving it, and it’s one of the most widely tracked incident response metrics in security operations.

MTTR covers both incident response timelines and patch deployment, and the terms Mean Time to Respond and Mean Time to Remediate are often used interchangeably across the industry.

Mean Time to Respond vs. Mean Time to Remediate

These two terms share the same acronym but track slightly different stages.

Mean Time to Respond measures how long it takes to contain or neutralize an active threat, for example by isolating a compromised endpoint, revoking credentials, or blocking a malicious process.

Mean Time to Remediate measures how long it takes to fully resolve the underlying issue, for example by patching a vulnerability, closing a misconfiguration, or removing persistent access.

Most managed security SLAs use MTTR to cover both stages together, and it remains the dominant performance measure for incident response and vulnerability remediation today.

What MTTR Covers

  • Time from detection to active threat containment
  • Time from vulnerability identification to patch deployment
  • Incident response cycle time
  • Managed security SLA compliance measurement

How to Calculate MTTR

MTTR is calculated the same way as MTTD. You add up the total time spent responding to and remediating incidents, then divide it by the number of incidents.

MTTR = total response and remediation time / number of incidents

So if a team resolved five incidents in a total of 20 hours, the MTTR is four hours. Timing usually starts at detection and stops when the incident is fully remediated, though some teams start it at acknowledgement instead. It’s worth being clear about where your timing starts and stops before you compare your numbers with anyone else’s.
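
The two formulas above, applied to timestamped incident records, as an added example that is not code from the original article or from Zynap. The incidents and field names are constructed for illustration; the detection gaps match the 6, 10, 2, and 22 hour example, and one incident is still open to show how a missing timestamp is handled.

```python
from datetime import datetime, timedelta
from statistics import mean

T0 = datetime(2025, 3, 1)  # constructed reference time for the sample data


def at(hours):
    return T0 + timedelta(hours=hours)


# Constructed incidents; field names are assumptions, not a real ticketing schema.
# Detection gaps are 6, 10, 2 and 22 hours, as in the MTTD example above.
INCIDENTS = [
    {"id": "INC-1", "began": at(0), "detected": at(6), "acknowledged": at(7), "remediated": at(11)},
    {"id": "INC-2", "began": at(24), "detected": at(34), "acknowledged": at(35), "remediated": at(38)},
    {"id": "INC-3", "began": at(50), "detected": at(52), "acknowledged": at(53), "remediated": at(55)},
    {"id": "INC-4", "began": at(100), "detected": at(122), "acknowledged": at(124), "remediated": None},
]


def mean_interval_hours(incidents, start, stop):
    """Mean of (stop - start) in hours over incidents that have both timestamps.

    Returns (mean or None, ids left out because a timestamp is missing).
    """
    hours, skipped = [], []
    for inc in incidents:
        begin, end = inc.get(start), inc.get(stop)
        if begin is None or end is None:
            skipped.append(inc["id"])  # e.g. still open: no 'remediated' yet
            continue
        if end < begin:
            raise ValueError(f"{inc['id']}: {stop} is earlier than {start}")
        hours.append((end - begin).total_seconds() / 3600)
    return (mean(hours) if hours else None), skipped


def report(incidents):
    mttd, _ = mean_interval_hours(incidents, "began", "detected")
    mtta, _ = mean_interval_hours(incidents, "detected", "acknowledged")
    from_detect, still_open = mean_interval_hours(incidents, "detected", "remediated")
    from_ack, _ = mean_interval_hours(incidents, "acknowledged", "remediated")
    return {"MTTD": mttd, "MTTA": mtta, "MTTR_from_detection": from_detect,
            "MTTR_from_acknowledgement": from_ack, "excluded_from_MTTR": still_open}


if __name__ == "__main__":
    for name, value in report(INCIDENTS).items():
        print(f"{name}: {value}")
```

Open incidents are left out of the MTTR mean, so report their count next to the average; a backlog of unresolved incidents otherwise makes the number look better than it is.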

MTTR does have a limit, though. It doesn’t capture proactive risk reduction, the work security teams do to reduce exploitable exposure before an attacker triggers a detection event. We’ll return to that gap shortly.

Vulnerability Remediation Beyond the Patch Window

CTEM programs identify and prioritize exposures by exploitability. MTTR measures how fast patches are deployed after a vulnerability is flagged. Between those two things sits a specific window, a validated exploitable exposure that exists but hasn’t yet been reduced. MTRER is designed to measure how long that window stays open.

Several factors make this gap worth tracking on its own:

  • Patches aren’t always available immediately.
    Many vulnerabilities are actively exploited before vendor patches ship. The window between public disclosure and weaponization has narrowed, and in some cases security teams are managing exposures with no available patch yet.
  • Not all systems can be patched on demand.
    Legacy infrastructure, operational technology environments, and supplier-connected systems often can’t be taken offline during a standard change window. For a significant portion of enterprise attack surfaces, patching this quarter simply isn’t an option.
  • Risk can be reduced well before patching.
    Network segmentation, WAF rules, IAM scope reduction, and runtime controls can all reduce the usefulness of an attack path considerably faster than a change window allows. MTTR doesn’t capture that reduction.
  • AI has changed attacker speed.
    According to M-Trends 2026, the time between initial access and secondary actor activity is now 22 seconds. Sysdig’s 2025 threat research found that AI-assisted privilege escalation can occur in under 8 minutes. Security teams are developing metrics that reflect the current reality of how quickly risk needs to be reduced. (Sources: M-Trends 2026, Mandiant/Google; Sysdig Threat Research 2025)

Adding MTRER to the measurement mix tracks what happens across that gap, complementing MTTR rather than replacing it.

What Is MTRER? Mean Time to Reduce Exploitable Risk

MTRER stands for Mean Time to Reduce Exploitable Risk. Developed by Zynap, it measures how quickly a security team reduces the usefulness of a specific attack path, whether a patch is available or not.

MTRER connects directly to Gartner’s CTEM framework. CTEM defines the five-stage process for scoping, discovering, prioritizing, and validating exposures. MTRER picks up at the point where most CTEM programs reach their operational limit, the transition from knowing what’s exposed to measuring how quickly that exposure is reduced.

“Exposure management becomes meaningful only when exposure reduction becomes measurable.”

Every action that contributes to MTRER operates inside existing governance. This is governed, auditable, reversible risk reduction, and the evidence trail it generates aligns directly with what DORA, NIS2, and the EU AI Act require.

Patch-Based Reduction

  • Vendor patch deployment through validated change windows
  • Staged rollout with rollback capability
  • Compliance evidence for regulatory reporting

Compensating Controls

  • Network segmentation to isolate vulnerable assets
  • WAF rules and virtual patching at the network edge
  • IAM scope reduction and privilege hardening
  • Token revocation and session invalidation
  • Runtime controls and process hardening

Continuous Validation

  • Testing that mitigation actions actually closed the attack path
  • Re-validation as the environment changes over time
  • Ongoing documented evidence that the path remains closed

MTRER vs. MTTR at a Glance

| | MTTR | MTRER |
|---|---|---|
| Core question | How fast did you respond and remediate? | How fast did you reduce the usefulness of the attack path? |
| Requires a patch | Yes | No |
| Works on legacy and OT systems | Limited | Yes, via compensating controls |
| Measures current path viability | No | Yes |
| Operates inside governance | Depends on change window | Yes, by design |
| Continuous regulatory evidence | No — incident-driven | Yes |
| Board-level framing | Operational | Financial and operational |

Attack Surface Reduction: Two Approaches That Work Together

MTRER operates across two parallel tracks that run simultaneously.

Lane 1: Governed Patching

The durable, audit-ready lane.

CAB approvals, staged deployment with rollback capability, compliance evidence generation. This is how vulnerabilities close permanently and how teams produce the evidence trail that DORA, NIS2, and the AI Act require. It runs on timescales of days to weeks.

Lane 2: Immediate Mitigation

The fast, governed, exposure-reducing track. Segmentation, virtual patching, IAM scope reduction, runtime controls, and continuous validation that the attack path is closed. Lane 2 reduces exploitable risk considerably faster than a change window allows, while Lane 1 continues in parallel.

MTRER measures both lanes together. Running Lane 2 alongside Lane 1 means the organization has a mechanism for reducing risk inside the attacker’s operational window, while governance and patch cycles run at their own pace. Both lanes operate inside governance, and both contribute to the audit trail.
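
One way to compute MTRER across both lanes, as an added example that is not code from the original article or from Zynap. The article gives no formula for MTRER, so this assumes the mean time from confirming an exposure to the first action that validation showed closed the attack path, by analogy with the MTTD and MTTR formulas; the exposure records and field names are constructed.

```python
from datetime import datetime, timedelta
from statistics import mean

T0 = datetime(2025, 3, 1)  # constructed reference time for the sample data


def at(hours):
    return T0 + timedelta(hours=hours)


# Constructed exposures; the schema is an assumption made for this example.
# Each action is (lane, applied_at, validated): validated is True only when a
# re-test showed the attack path closed after the action.
EXPOSURES = [
    {"id": "EXP-1", "confirmed": at(0), "actions": [
        ("mitigation", at(2), True),      # virtual patch at the edge
        ("patch", at(96), True)]},        # vendor patch via change window
    {"id": "EXP-2", "confirmed": at(10), "actions": [
        ("mitigation", at(11), False),    # segmentation applied, path still open
        ("mitigation", at(14), True)]},   # legacy host, no patch available
    {"id": "EXP-3", "confirmed": at(20), "actions": [
        ("patch", at(68), True)]},
    {"id": "EXP-4", "confirmed": at(30), "actions": []},  # nothing applied yet
]


def reduced_at(exposure, lanes):
    """Earliest validated action in the given lanes, or None if still open."""
    times = [when for lane, when, validated in exposure["actions"]
             if lane in lanes and validated and when >= exposure["confirmed"]]
    return min(times) if times else None


def mtrer_hours(exposures, lanes=("mitigation", "patch")):
    """Assumed formula: mean hours from confirmation to first validated reduction.

    Returns (mean or None, ids of exposures with no validated reduction).
    """
    hours, still_open = [], []
    for exp in exposures:
        done = reduced_at(exp, lanes)
        if done is None:
            still_open.append(exp["id"])
        else:
            hours.append((done - exp["confirmed"]).total_seconds() / 3600)
    return (mean(hours) if hours else None), still_open


if __name__ == "__main__":
    print("both lanes:", mtrer_hours(EXPOSURES))
    print("patch only:", mtrer_hours(EXPOSURES, lanes=("patch",)))
```

On this data the two-lane figure is 18 hours against 72 hours for patching alone, and the patch-only view leaves EXP-2 open because no patch exists for it.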

Security Maturity Assessment: The MTRER Scale

Many regulated enterprises sit at Level 2 or Level 3 today, and the move up to Level 4 is usually the hardest. They’re already good at finding and prioritizing exposures, but reducing them is still mostly manual, and the work slows down each time it passes from one team to the next.

| Level | Description | Typical MTRER |
|---|---|---|
| L1 — Ad Hoc | Reactive, siloed tools, ticket-driven response | Weeks or undefined |
| L2 — Defined | SOC and SIEM in place, IR runbooks exist | Days |
| L3 — Measured | MTTD and MTTR baselined, CTEM program started | Hours |
| L4 — Managed | Governed automation active, two-lane mitigation running | Under 1 hour |
| L5 — Self-Defense | Continuous governed reduction, MTRER flywheel operating | Minutes |

How MSSPs Can Use MTRER to Scale Security Services

For MSSPs, MTRER gives you more to show your clients.

MTTR tells a client how quickly you responded after an incident, while MTRER tells them how much risk you reduced before one could happen. For clients who care about staying compliant and resilient, that’s a stronger story to tell.

Most MSSP teams hit the same wall, because the exposures coming through CTEM programs pile up faster than analysts can work through them. MTRER gives each client a clear number to bring down, so analysts can focus on the work that lowers it the most, rather than just working through alerts one by one.

There’s a clear business upside too. MSSPs using Zynap’s platform report that each analyst can look after twice as many clients, that revenue grows by 40 to 60%, and that operating margin per customer improves by 20 to 35%. Those gains come from letting governed automation handle routine Tier 1 and Tier 2 work across all of their clients at once.

Enterprise Vulnerability Management and MTRER

And for enterprise security teams tracking vulnerability management metrics, MTRER points to a gap many organizations already feel, the distance between spotting a risk and being able to show it’s been reduced.

That gap is usually a coordination problem. The SOC, Vulnerability Operations, IAM, and Cloud teams each have their own tools and approval cycles, so a confirmed exposure can get stuck as it passes from one team to the next. MTRER makes that delay visible and measurable, because it tracks the time from confirming an exposure to actually reducing it, rather than the time from detection to closing an incident.

It also ties the day-to-day security work directly to money. IBM’s 2024 Cost of a Data Breach Report puts the average breach at $4.88 million globally, rising to $5.17 million when the breach came from a known exposure that hadn’t been dealt with. The same report shows that every hour you cut an attacker’s time inside the network saves around $26,000. (Source: IBM Cost of a Data Breach Report 2024) MTRER is the number that connects the SOC’s daily work to those costs.

On the compliance side, DORA, NIS2, and the EU AI Act all ask for ongoing proof that risk is coming down over time. MTRER produces that proof continuously, rather than only after an incident. Enterprise teams using Zynap typically report a 30 to 45% reduction in MTTR within 90 days, along with 40 to 70% fewer irrelevant alerts.

CISO Metrics: How MTRER Translates to Business Risk

Boards have moved on from alert counts and detection times to a harder question, whether cyber risk is quietly slowing the business down. And often it is, with research from 2025 finding 37% of board-level initiatives delayed by exactly that concern.

MTRER is the metric that answers it, and once you map it against IBM’s breach-cost data, risk reduction stops being a technical story and turns into a number the CFO and the board can read for themselves.

That direction isn’t a Zynap idea either. Gartner expects preemptive security to climb from under 5% of IT security spending in 2024 to half of it by 2030, as the whole field moves from measuring how fast you react to how much risk you cleared before you had to. (Source: Gartner, Strategic Technology Trends 2026)

Our preemptive cybersecurity guide explains what this shift means for security teams.

Reducing MTRER with a Preemptive Security Automation Platform

MTRER tracks how fast you reduce an exploitable risk once you’ve found it, and doing that week after week, across siloed teams and change windows that move slower than attackers do, is hard for even the best-run teams. That’s the operational problem Zynap was built to solve.

It’s a preemptive security automation platform for MSSPs and enterprise security teams, and its multi-agent engine, NINA, connects the tools you already run, from EDR and SIEM to IAM and cloud, then turns the intelligence they produce into action, so you can bring an exposure down quickly without waiting for a patch. The workflows stay governed and auditable, every action is traceable and reversible, and the evidence is ready when DORA, NIS2, or an auditor asks for it.

There’s no rip and replace, because you keep the tools you’ve got and Zynap works as one operational layer across them, through more than 70 integrations and inside your governance rather than around it.

It all comes down to being able to show progress, not just activity. MTRER gives you a trend you can take to a board or a client, evidence that’s ready when an auditor asks, and a clearer sense of which exposures to reduce first. None of that removes the hard work, but it points the work in the right direction, which is where Zynap is designed to help.

More Reading

What Is CTEM? Continuous Threat Exposure Management Explained: Gartner’s five-stage exposure management framework and how it connects to MTRER as an outcome metric

Preemptive Cybersecurity: What It Is and How It Works: the shift from reactive to preemptive security and what it means for operations teams

Incident Response Automation: A Practical Guide: how automation changes the operational model for MSSPs and enterprise teams