Glossary

MTTR (Mean Time to Respond, Mean Time to Recovery, Mean Time to Resolve)

Mean Time to Respond (MTTR) is the average elapsed time between when a security alert is generated and when the SOC takes a meaningful response action. Lower MTTR means faster containment and less dwell time for an active threat. SOC programs track MTTR as one of the headline performance metrics.

In depth

The "R" in MTTR is overloaded — it can mean Respond, Recovery, or Resolve depending on the framework. SOC teams should be precise: Mean Time to Acknowledge (MTTA) measures time-to-pickup, MTTR typically measures time-to-containment, and Mean Time to Eradicate or Mean Time to Recovery covers full remediation.
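The distinction above can be made concrete by computing each metric separately from incident lifecycle timestamps. The following is an added example, not part of the original glossary or any product's code; the field names (alerted, acknowledged, contained, recovered) and the sample incidents are constructed assumptions. Incidents that have not yet reached a milestone are counted as pending rather than silently dropped, since open incidents otherwise make the mean look better than it is.

```python
from datetime import datetime
from statistics import mean

# Constructed sample incidents (not real data); field names are assumptions.
INCIDENTS = [
    {"id": "INC-1", "alerted": "2024-03-01T02:00:00",
     "acknowledged": "2024-03-01T02:10:00",
     "contained": "2024-03-01T02:40:00",
     "recovered": "2024-03-01T06:00:00"},
    {"id": "INC-2", "alerted": "2024-03-02T14:00:00",
     "acknowledged": "2024-03-02T14:04:00",
     "contained": "2024-03-02T14:20:00",
     "recovered": "2024-03-02T15:00:00"},
    # Still open: acknowledged, but not yet contained or recovered.
    {"id": "INC-3", "alerted": "2024-03-03T23:00:00",
     "acknowledged": "2024-03-03T23:16:00",
     "contained": None, "recovered": None},
]

# Metric name -> the lifecycle timestamp that ends its measurement window.
MILESTONES = {
    "mtta": "acknowledged",          # time-to-pickup
    "mttr_containment": "contained", # the usual SOC meaning of MTTR
    "mtt_recovery": "recovered",     # full remediation
}

def _minutes(start, end):
    """Elapsed minutes between two ISO 8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    if delta.total_seconds() < 0:
        # A milestone before the alert indicates clock skew or bad data.
        raise ValueError(f"milestone {end} precedes alert {start}")
    return delta.total_seconds() / 60

def soc_metrics(incidents):
    """Mean minutes from alert to each milestone, plus measured/pending counts."""
    result = {}
    for name, field in MILESTONES.items():
        durations = [_minutes(i["alerted"], i[field])
                     for i in incidents if i.get(field)]
        result[name] = {
            "mean_minutes": mean(durations) if durations else None,
            "measured": len(durations),
            "pending": len(incidents) - len(durations),
        }
    return result
```

On this sample the same incidents yield 10 minutes to acknowledge, 30 minutes to contain and 150 minutes to recover, so an unqualified "MTTR" could describe either of the last two figures.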

Drivers of high MTTR include alert noise, context-switching cost, slow access to investigation tools, and waiting for the on-call analyst to get to a workstation. Each of these has a different fix.

MTTR and PocketSOC

One concrete MTTR lever is removing the laptop-and-VPN dependency for after-hours triage. PocketSOC compresses the steps between push notification and first response action — see the after-hours triage use case for the workflow.

SOC

A Security Operations Center (SOC) is the team and facility responsible for continuously monitoring an organization's security posture.

Dwell Time

Dwell time is the elapsed period between when an attacker initially compromises an environment and when they are detected.

Alert Fatigue

Alert fatigue is the condition where SOC analysts become desensitized to security alerts because the signal-to-noise ratio is too low.

Incident Response

Incident response (IR) is the structured process of preparing for, detecting, containing, eradicating, recovering from, and learning from security incidents.