Security Testing

How do you work out MTTR (Mean Time to Response)?

MTTR is all about looking at where you're handing your information over to the people who are responsible for fixing the vulnerabilities. Once it's handed over, the process has begun. So, we know where the timer starts, but where does it end?
Thomas Ballin
1 minute read

MTTR is all about looking at where you're handing your information over to the people who are responsible for fixing it. It's only fair to be able to measure time to response from the point where something has been handed over to somebody with some responsibility to see it through its life cycle.

Once vulnerabilities are owned by somebody within the business, you can start a clock. When you then stop that clock and say that you have responded to something will depend on your organisation and the kind of thresholds that you have.

You can say that you've responded to something when you've implemented the first line of defence in depth control or first compensating control. This has technically treated the issue in some part.

However, it may be more accurate to measure MTTR in two different ways: your corrective action, and your preventative action. Then, you can calculate MTTR in addressing some sort of fix, and MTTR in addressing the systemic problem that's causing those vulnerabilities to appear in the first place.

Security Testing

How do you work out MTTR (Mean Time to Response)?

MTTR is all about looking at where you're handing your information over to the people who are responsible for fixing the vulnerabilities. Once it's handed over, the process has begun. So, we know where the timer starts, but where does it end?
Thomas Ballin
3
min read
two white dot

MTTR is all about looking at where you're handing your information over to the people who are responsible for fixing it. It's only fair to be able to measure time to response from the point where something has been handed over to somebody with some responsibility to see it through its life cycle.

Once vulnerabilities are owned by somebody within the business, you can start a clock. When you then stop that clock and say that you have responded to something will depend on your organisation and the kind of thresholds that you have.

You can say that you've responded to something when you've implemented the first line of defence in depth control or first compensating control. This has technically treated the issue in some part.

However, it may be more accurate to measure MTTR in two different ways: your corrective action, and your preventative action. Then, you can calculate MTTR in addressing some sort of fix, and MTTR in addressing the systemic problem that's causing those vulnerabilities to appear in the first place.

Prioritise Your Testing Programme Around Your Development Schedule

Detect Vulnerabilities Faster
Patch Vulnerabilities Faste
Be more compliant
Book a Demo

Related Posts

Vulnerability Management
How do you understand performance over time?
In order to get to grips with the performance of your software or product over time, you really need to be taking incremental measurements of your cybersecurity.
Thomas Ballin
February 2, 2021
Security Testing
Automated penetration testing - 5 key business benefits
Automated penetration testing is becoming increasingly popular. But how does this compare to manual penetration testing? Understand the main key benefits.
Thomas Ballin
June 4, 2024
Vulnerability Management
Will there come a day where there are 0 vulnerabilities to find?
There's a growing potential for AI to remove many sources of vulnerabilities, but does that mean we're going to see a day where code is being written without any vulnerabilities being introduced into systems?
Thomas Ballin
June 4, 2024
cytix frame image
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.