Glossary
Dwell Time
Dwell time is the elapsed period between when an attacker initially compromises an environment and when they are detected. Industry benchmarks have measured median dwell times anywhere from a handful of days for prepared SOCs to over 100 days for less mature organizations. Reducing dwell time is the headline goal of detection engineering.
In depth
Dwell time is the inverse of detection speed. The longer an adversary operates undetected, the more credentials they steal, the more systems they pivot to, and the more entrenched they become. Once dwell time exceeds the rotation period of any compensating control — credentials, MFA tokens, network segmentation rules — the attack becomes substantially harder to evict.
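As an added illustration (not part of the glossary or of PocketSOC's code), the following Python computes dwell time per incident from constructed compromise and detection timestamps, the median across incidents, and which compensating-control rotation periods (assumed, illustrative values) each dwell outlived:

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed sample incidents (not real data): incident id, timestamp of the
# earliest evidence of compromise, timestamp of detection; all ISO 8601, UTC.
INCIDENTS = [
    ("inc-001", "2024-03-02T08:15:00", "2024-03-04T10:05:00"),
    ("inc-002", "2024-03-10T22:40:00", "2024-05-01T09:00:00"),
    ("inc-003", "2024-04-15T01:00:00", "2024-04-15T03:30:00"),
]

# Assumed rotation periods of compensating controls (illustrative, not a
# recommendation): once dwell exceeds a period, that control has been
# "outlived" at least once while the attacker was inside.
CONTROL_ROTATION = {
    "service-account-password": timedelta(days=30),
    "mfa-session-token": timedelta(hours=12),
    "segmentation-rule-review": timedelta(days=90),
}


def dwell_time(first_evidence: str, detected: str) -> timedelta:
    """Dwell time: elapsed time from initial compromise to detection."""
    start = datetime.fromisoformat(first_evidence)
    end = datetime.fromisoformat(detected)
    if end < start:
        raise ValueError("detection timestamp precedes first evidence")
    return end - start


def median_dwell_hours(incidents=INCIDENTS) -> float:
    """Median dwell time in hours across a set of incidents."""
    hours = [dwell_time(s, e).total_seconds() / 3600 for _, s, e in incidents]
    return median(hours)


def outlived_controls(first_evidence: str, detected: str,
                      rotations=CONTROL_ROTATION) -> list:
    """Names of controls whose rotation period elapsed during the dwell."""
    dwell = dwell_time(first_evidence, detected)
    return sorted(name for name, period in rotations.items() if dwell > period)


if __name__ == "__main__":
    for inc_id, start, end in INCIDENTS:
        d = dwell_time(start, end)
        print(f"{inc_id}: dwell {d}, outlived {outlived_controls(start, end)}")
    print(f"median dwell: {median_dwell_hours():.1f} h")
```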
Dwell Time and PocketSOC
Dwell time is bounded by the slowest link in the detect-and-respond chain. If after-hours alerts sit unaddressed for hours because the on-call analyst can't triage from their phone, that is dwell time accumulating. PocketSOC compresses the response side of the chain — see after-hours triage.
Related terms
MTTR
Mean Time to Respond (MTTR) is the average elapsed time between when a security alert is generated and when the SOC takes a meaningful response action.
Incident Response
Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents.
SOC
A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.