Which metric is used to measure how quickly threats are detected after they occur?

Study for the Tanium Technical Account Manager Interview Test. Prepare with flashcards and multiple choice questions, each with hints and explanations. Ace your interview with confidence!

Multiple Choice

Which metric is used to measure how quickly threats are detected after they occur?

Explanation:

Time-to-detect measures how fast a threat is found after it first occurs. It captures the detection velocity of your security program—the interval from the moment a threat materializes to the moment your tools or analysts recognize and alert on it. A shorter time-to-detect means threats are discovered quickly, reducing dwell time and limiting potential damage, while a longer time-to-detect means attackers can operate unseen longer.

This is distinct from time-to-remediate, which starts counting after detection and tracks how long it takes to contain or fix the issue. Patch compliance gauges how up-to-date systems are with security patches, not how quickly threats are found. Incident reduction looks at the overall number of incidents over time, not the speed of detection after occurrence. For example, if a threat starts at 10:00 and is detected at 10:30, the time-to-detect is 30 minutes.
