Industrial Cybersecurity & OT Risk calculator

Mean Time to Detect Cyber Calculator

Mean Time to Detect Cyber estimates how long it takes an OT security team to work through a queue of alerts and actually confirm a real threat, factoring in the extra time correlation and escalation demand. OT SOC managers and IR leads use it to expose when alert volume outpaces analyst throughput, the condition under which a genuine intrusion sits unnoticed in a noisy queue. It divides alerts to review by triage throughput, then adds an allowance for the correlation and escalation work that raw triage time ignores. It matters because in industrial environments, every extra hour of dwell time gives an attacker more room to map controllers and stage a disruptive or unsafe action.

What this calculator does

  • Estimate cyber detection workload time using alert or event count, detection review rate, and triage allowance.
  • Use it when evaluating OT monitoring coverage, SOC handoff, alert triage, and mean time to detect improvement.
  • It computes required detection time as the alert queue divided by triage throughput, scaled up by a correlation-and-escalation allowance.

Formula used

  • Base cyber detection time = OT cyber alerts or events to review ÷ detection triage completion rate
  • Required cyber detection time = base cyber detection time × allowance factor

Inputs explained

  • OT cyber alerts queued for triage:
  • Analyst triage throughput:
  • Correlation and escalation overhead:

How to use the result

  • Use it to right-size analyst staffing or tuning thresholds, and to check whether your MTTD meets the dwell-time targets your IR plan assumes.
  • It models average steady-state triage, not the surge of a live incident or the variability between trivial and complex alerts, so treat the result as a planning baseline rather than a guaranteed detection SLA.

Common questions

  • How do you calculate mean time to detect for cyber alerts? Divide the number of alerts to review by your analyst triage throughput to get base time, then multiply by one plus the correlation-and-escalation allowance. With 96 alerts at 14 alerts/hour, base detection time is about 6.86 hours; a 30% allowance raises the required detection time to roughly 8.91 hours.
  • What is a good mean time to detect in OT? Lower is always better, and mature OT SOCs target hours rather than the days or weeks that industrial dwell times historically ran. If your computed MTTD exceeds your IR plan's containment window, you have a staffing or tuning problem to fix.
  • Why add a correlation and escalation allowance? Raw triage time assumes each alert is dispatched in isolation, but real detection requires correlating related alerts, enriching with context, and escalating - the 30% allowance here turns 6.86 base hours into a more realistic 8.91 hours.
  • How do I lower mean time to detect? Cut the alert queue through better tuning and suppression of false positives, raise triage throughput with automation and playbooks, or reduce the correlation overhead with better SIEM enrichment. Each lever maps directly to one input in this tool.
  • What drives a high alert queue in OT? Untuned detection rules, noisy protocol baselines after network changes, and over-broad anomaly thresholds. Dividing a bloated queue by a fixed analyst rate is what pushes detection time into dangerous territory.

Last reviewed 2026-05-12.