Industrial Cybersecurity & OT Risk worked example

Mean Time to Detect Cyber at 35% correlation and escalation overhead: a worked example

Push correlation and escalation overhead up to 35% and the picture changes. This example computes every intermediate figure at that operating point. Use it when evaluating OT monitoring coverage, SOC handoff, alert triage, and mean time to detect improvement.

The inputs for this scenario

  • OT cyber alerts queued for triage: 96 alerts (unchanged)
  • Analyst triage throughput: 14 alerts / hr (unchanged)
  • Correlation and escalation overhead: 35 % (raised for this scenario; the documented default is 30)

Working through the calculation

  • Applying the documented formula (Base cyber detection time = OT cyber alerts or events to review รท detection triage completion rate) to the inputs above produces each figure below.
  • At this operating point the engine returns 9.26 hr for required cyber detection time, the number this scenario is built around.
  • At this operating point the engine returns 6.86 hr for base cyber detection time.
  • At this operating point the engine returns 35 % for correlation and escalation allowance.
  • At this operating point the engine returns 14 pieces / min for detection triage completion rate.

How this compares with the baseline

  • Against the tool's baseline example, where correlation and escalation overhead sits at 30% and the headline result is 8.91 hr, this scenario comes in 3.85% above the baseline at 9.26 hr.
  • It computes required detection time as the alert queue divided by triage throughput, scaled up by a correlation-and-escalation allowance. The value of this scenario is the size of the gap it exposes: that gap, priced out over a year, is the budget you can justify spending to close it.

Results at a glance

  • Required cyber detection time: 9.26 hr (headline result)
  • Base cyber detection time: 6.86 hr
  • Correlation and escalation allowance: 35 %
  • Detection triage completion rate: 14 pieces / min

Run it with your numbers

  • Every input above is editable in the live Mean Time to Detect Cyber calculator, which recalculates instantly and can be shared with the inputs intact.

Last reviewed 2026-05-12.