
MTTD and MTTC Benchmarks: What Good Looks Like in 2026

February 19, 2026 · 8 min read · Maverc SOC · 24/7 Security Operations

Tags: Detection & Response, Ransomware, Identity Security, SOC, Threat Hunting

Mean Time to Detect and Mean Time to Contain are the two numbers that decide whether a breach becomes a headline. Here are the targets we hold our SOC to — and how we hit them.

Two numbers separate a contained incident from a public breach: Mean Time to Detect (MTTD) and Mean Time to Contain (MTTC). The longer either runs, the more expensive the incident becomes — in dollars, in regulatory exposure, in customer trust, and in executive time. Every other SOC metric is downstream of these two.

This is what good looks like in 2026, what most organizations actually achieve, and the operational decisions that close the gap.

Definitions, because the industry uses them inconsistently

Mean Time to Detect: the elapsed time between the first observable evidence of malicious activity in your telemetry and the moment a human analyst confirms that activity is in fact malicious and warrants response. Note the two-clock structure. The first clock runs from the moment the evidence existed in your telemetry until an alert was generated on it: the time the data was there and nothing noticed. The second clock runs from alert generation to analyst confirmation. Both count toward MTTD.

Mean Time to Contain: the elapsed time between confirmed malicious activity and the moment the attacker no longer has access to act on objectives. Containment is not eradication. It is stopping the bleeding — isolating affected hosts, disabling compromised accounts, revoking active sessions, blocking command-and-control channels, cutting network paths.

Mean Time to Respond and Mean Time to Recover are different metrics that come later in the lifecycle. Confusing them with MTTD and MTTC is the most common reason vendor SLAs do not mean what buyers think they mean.
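To make the two-clock definition concrete, here is an added example (not Maverc's reporting code) that derives MTTD and MTTC from per-incident timestamps. It splits MTTD into the telemetry gap (evidence existed, nothing alerted) and the triage delay (alert to analyst confirmation), averages across incidents, and then checks each incident individually against the 5-minute and 30-minute targets, because a healthy mean can hide individual misses. The incident timelines are constructed; the `sla_breaches` thresholds are parameters you would set to your own contract.

```python
"""Added example: MTTD/MTTC from incident timelines using the two-clock definition.
Not Maverc's code; the timestamps below are constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean


@dataclass(frozen=True)
class IncidentTimeline:
    incident_id: str
    first_evidence: datetime     # first observable evidence in telemetry
    alert_generated: datetime    # detection content fired
    analyst_confirmed: datetime  # human confirmed malicious, response warranted
    contained: datetime          # attacker can no longer act on objectives


@dataclass(frozen=True)
class IncidentMetrics:
    incident_id: str
    telemetry_gap: timedelta     # clock 1: evidence existed, nothing alerted
    triage_delay: timedelta      # clock 2: alert to analyst confirmation
    time_to_detect: timedelta    # clock 1 + clock 2
    time_to_contain: timedelta   # confirmation to containment (not eradication)


def incident_metrics(t: IncidentTimeline) -> IncidentMetrics:
    """Derive both detection clocks and the containment interval for one incident."""
    if not (t.first_evidence <= t.alert_generated <= t.analyst_confirmed <= t.contained):
        raise ValueError(f"{t.incident_id}: timeline is out of order")
    gap = t.alert_generated - t.first_evidence
    triage = t.analyst_confirmed - t.alert_generated
    return IncidentMetrics(t.incident_id, gap, triage, gap + triage,
                           t.contained - t.analyst_confirmed)


def _mean_minutes(deltas) -> float:
    return mean(d.total_seconds() for d in deltas) / 60


def summarize(timelines) -> dict:
    """Fleet-wide means in minutes, with MTTD split into its two clocks."""
    per = [incident_metrics(t) for t in timelines]
    return {
        "mttd_minutes": _mean_minutes(m.time_to_detect for m in per),
        "telemetry_gap_minutes": _mean_minutes(m.telemetry_gap for m in per),
        "triage_delay_minutes": _mean_minutes(m.triage_delay for m in per),
        "mttc_minutes": _mean_minutes(m.time_to_contain for m in per),
    }


def sla_breaches(timelines,
                 mttd_limit=timedelta(minutes=5),
                 mttc_limit=timedelta(minutes=30)) -> dict:
    """Per-incident SLA check ("under N minutes" means strictly less than N)."""
    breaches = {}
    for m in map(incident_metrics, timelines):
        missed = []
        if m.time_to_detect >= mttd_limit:
            missed.append("MTTD")
        if m.time_to_contain >= mttc_limit:
            missed.append("MTTC")
        if missed:
            breaches[m.incident_id] = missed
    return breaches


def _ts(h, m, s=0):
    return datetime(2026, 2, 19, h, m, s)


# Constructed sample: three incidents from one (fictional) reporting day.
SAMPLE = [
    IncidentTimeline("INC-1", _ts(10, 0), _ts(10, 0, 30), _ts(10, 3), _ts(10, 20)),
    IncidentTimeline("INC-2", _ts(11, 0), _ts(11, 2), _ts(11, 4), _ts(11, 45)),
    IncidentTimeline("INC-3", _ts(12, 0), _ts(12, 6), _ts(12, 8), _ts(12, 30)),
]

if __name__ == "__main__":
    print(summarize(SAMPLE))      # mean MTTD 5.0 min, mean MTTC ~26.7 min
    print(sla_breaches(SAMPLE))   # INC-2 misses MTTC, INC-3 misses MTTD
```

On the constructed sample the mean MTTC (about 26.7 minutes) sits inside a 30-minute target while INC-2 took 41 minutes to contain, which is why the per-incident check matters as much as the monthly mean, and why the clock-start definitions should be part of any SLA you sign.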

Industry baselines

The published benchmarks are sobering. The most recent IBM Cost of a Data Breach report puts industry-wide mean time to identify a breach at 194 days and mean time to contain at 64 days. Mandiant's M-Trends puts global median dwell time at around 10 days, but that figure is dragged down by ransomware (where dwell is short because detonation is loud) and dragged up by espionage cases where dwell can run years.

For ransomware specifically, dwell time has compressed dramatically. Many crews now go from initial access to encryption in under 24 hours. Some affiliates of the most aggressive ransomware-as-a-service operations have demonstrated full attack chains — initial access, credential theft, lateral movement, backup destruction, encryption — in under five hours. Your SOC has hours, not weeks, to detect and contain.

If your current MTTD is measured in days and your MTTC is measured in weeks, you are not solving the problem ransomware actually presents.

Maverc MDR targets

The Maverc MDR service operates against signed SLAs:

  • MTTD under 5 minutes for high-fidelity detections backed by behavioral analytics across endpoint, identity, network, and cloud telemetry.
  • MTTC under 30 minutes for containment actions on managed endpoints, identity providers, and cloud control planes.
  • 24/7 human analyst review on every escalation. Not just tier-1 triage with tier-2 batched the next business day.
  • Threat hunting hypothesis cycles every two weeks against your specific environment, not generic queries.

These are not aspirational targets. They are the numbers we report to clients monthly, with the underlying timestamps available for audit.

How those numbers are actually achieved

Hitting sub-five-minute detection requires four things working together:

Curated detection content. Out-of-the-box vendor rules generate noise at a rate no human SOC can sustain. Effective detection content is tuned to your environment, mapped to MITRE ATT&CK techniques relevant to your threat model, and validated through purple team exercises. Maverc maintains a content library that is reviewed and updated weekly against current threat intelligence.

Behavioral analytics, not just signature matching. Identity threat detection that flags impossible travel, OAuth consent abuse, and stale token reuse. Endpoint detection that flags process lineage anomalies and living-off-the-land tooling. Network detection that flags command-and-control beaconing patterns, not just bad domains.

Telemetry breadth. A SOC that only sees endpoint cannot detect identity attacks. A SOC that only sees network cannot detect cloud control plane abuse. The minimum telemetry stack for credible detection in 2026 includes EDR on every endpoint, identity provider logs, email security telemetry, network metadata at the perimeter and at critical internal segments, and cloud audit logs from every cloud account.

Response automation for the obvious cases. High-confidence detections trigger automated playbooks: host isolation, identity disable, token revocation, blocking the source IP. The human analyst confirms within the SLA window and either reverses the action (rare) or proceeds to investigation (common). Automation does not replace the analyst — it buys the analyst time.

Hitting sub-thirty-minute containment requires direct, pre-authorized integrations with your control planes. The SOC must be able to isolate a host without filing a ticket, disable a user without paging the identity team, revoke a session without waking the cloud architect. Pre-negotiated authority and tested integrations are the difference between contained and headline.
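The two ideas in the paragraphs above, automation for high-confidence cases with a human confirming inside the SLA window, and containment actions limited to what the client has pre-authorized, can be expressed as a small playbook. The following is an added example, not Maverc's playbook or any vendor's API: the action names, asset-group scopes and the control-plane log are constructed stand-ins for real EDR, identity provider and firewall integrations, and the ATT&CK technique ids on the sample detections are illustrative.

```python
"""Added example: a containment playbook that acts automatically only on high-confidence
detections inside a pre-authorized scope, then waits for analyst confirmation or reversal.
Not Maverc's code; scopes, targets and the control-plane log are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from enum import Enum


class Action(Enum):
    ISOLATE_HOST = "isolate_host"
    DISABLE_USER = "disable_user"
    REVOKE_SESSIONS = "revoke_sessions"
    BLOCK_SOURCE_IP = "block_source_ip"


@dataclass(frozen=True)
class Detection:
    detection_id: str
    technique: str      # MITRE ATT&CK technique id the rule is mapped to
    confidence: float   # 0.0-1.0, assigned by the detection content
    target: str         # hostname, user principal or IP the action applies to
    asset_group: str    # scope label used for the pre-authorization check
    action: Action


class Playbook:
    def __init__(self, authorized, high_confidence=0.9, confirm_window=timedelta(minutes=30)):
        self.authorized = authorized          # {Action: {asset_group, ...}} agreed with the client
        self.high_confidence = high_confidence
        self.confirm_window = confirm_window  # analyst must confirm or reverse within this
        self.cases = {}                       # detection_id -> case record
        self.control_plane_log = []           # stand-in for EDR / IdP / firewall API calls

    def _execute(self, action, target, when, reverse=False):
        self.control_plane_log.append((when, ("undo_" if reverse else "") + action.value, target))

    def in_scope(self, det):
        return det.asset_group in self.authorized.get(det.action, set())

    def on_detection(self, det, now):
        """Decide at alert time; returns the initial case status."""
        if det.confidence < self.high_confidence:
            status = "queued_for_analyst"     # no automatic action on a low-fidelity signal
        elif not self.in_scope(det):
            status = "out_of_scope"           # needs approval; the containment clock keeps running
        else:
            self._execute(det.action, det.target, now)
            status = "auto_contained"         # acted first, analyst confirms within the window
        self.cases[det.detection_id] = {"det": det, "status": status,
                                        "deadline": now + self.confirm_window}
        return status

    def analyst_decision(self, detection_id, malicious, now):
        """Analyst confirms or rejects; returns the final case status."""
        case = self.cases[detection_id]
        det = case["det"]
        case["within_sla"] = now <= case["deadline"]
        if case["status"] == "auto_contained":
            if malicious:
                case["status"] = "confirmed"                  # common: proceed to investigation
            else:
                self._execute(det.action, det.target, now, reverse=True)
                case["status"] = "reversed"                   # rare: unwind the automated action
        elif not malicious:
            case["status"] = "closed_false_positive"
        elif self.in_scope(det):
            self._execute(det.action, det.target, now)        # human-confirmed, now contain
            case["status"] = "contained_by_analyst"
        else:
            case["status"] = "escalated_for_approval"         # ticket required; MTTC will suffer
        return case["status"]


# Constructed pre-authorization matrix: which action may be taken on which asset group.
AUTHORIZED = {
    Action.ISOLATE_HOST: {"managed-endpoints"},
    Action.DISABLE_USER: {"standard-users"},
    Action.REVOKE_SESSIONS: {"standard-users"},
    Action.BLOCK_SOURCE_IP: {"perimeter"},
}


def run_demo():
    """Three constructed detections on a night shift; returns statuses and the playbook."""
    pb = Playbook(AUTHORIZED)
    t0 = datetime(2026, 2, 19, 2, 0)
    dets = [
        Detection("D-1", "T1021.001", 0.97, "ws-0421", "managed-endpoints", Action.ISOLATE_HOST),
        Detection("D-2", "T1078.004", 0.95, "svc-backup-admin", "break-glass-admins", Action.DISABLE_USER),
        Detection("D-3", "T1071.001", 0.60, "203.0.113.7", "perimeter", Action.BLOCK_SOURCE_IP),
    ]
    initial = {d.detection_id: pb.on_detection(d, t0) for d in dets}
    final = {
        "D-1": pb.analyst_decision("D-1", True, t0 + timedelta(minutes=4)),
        "D-2": pb.analyst_decision("D-2", True, t0 + timedelta(minutes=9)),
        "D-3": pb.analyst_decision("D-3", False, t0 + timedelta(minutes=12)),
    }
    return initial, final, pb


if __name__ == "__main__":
    initial, final, pb = run_demo()
    print(initial, final, pb.control_plane_log, sep="\n")
```

The point the demo makes is the one in the text: D-1 is contained at alert time and the analyst's confirmation four minutes later only closes the loop, whereas D-2, a high-confidence detection on an account group the client never pre-authorized, sits uncontained until someone with authority approves it. Negotiating that scope up front, and testing the integrations behind `_execute`, is what keeps the second case from becoming the one that sets your MTTC.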

What to demand from your provider

If you are buying or evaluating an MDR service, the questions to ask are simple and specific:

  • What are your contractual SLAs for MTTD and MTTC? Get them in writing, with the calculation methodology.
  • How do you measure them? What clock starts when? What evidence backs the report?
  • What containment actions are you authorized to take in our environment without our approval, and how fast?
  • What integrations to our identity provider, EDR, email, network, and cloud do you have today?
  • Show me three real incident timelines from anonymized cases — initial signal, escalation, containment, full timeline.
  • What is your analyst-to-customer ratio on the night shift?

If those questions are met with marketing language instead of specific numbers, the provider is selling alerts, not outcomes.

The internal SOC version

If you run your SOC in-house, the same disciplines apply. Track MTTD and MTTC on every escalated incident. Review them monthly. Set internal targets that are realistic for your maturity, then improve them quarterly. Invest in the gaps that the data exposes — telemetry, content, automation, authority. The numbers will tell you where to spend.

The organizations with the best detection and response programs in 2026 share a common pattern: they treat MTTD and MTTC as executive-level metrics, they measure them honestly, and they invest against the trend line. Everyone else is one bad day away from learning the numbers the hard way.