Industrial Cybersecurity & OT Risk worked example

Mean Time to Detect Cyber at 22% correlation and escalation overhead: a worked example

Here is what the math looks like when conditions slip. We hold every other input steady and drop correlation and escalation overhead to 22%, then walk the calculation through step by step. Estimate cyber detection workload time using alert or event count, detection review rate, and triage allowance.

The inputs for this scenario

  • OT cyber alerts queued for triage: 96 alerts (held at the documented default)
  • Analyst triage throughput: 14 alerts / hr (held at the documented default)
  • Correlation and escalation overhead: 22 % (the input this scenario stresses; the baseline uses 30)

Working through the calculation

  • The calculation starts from the formula this tool documents: Base cyber detection time = OT cyber alerts or events to review รท detection triage completion rate.
  • Required cyber detection time works out to 8.37 hr at these inputs, and this is the headline figure for the scenario.
  • Base cyber detection time works out to 6.86 hr at these inputs.
  • Correlation and escalation allowance works out to 22 % at these inputs.
  • Detection triage completion rate works out to 14 pieces / min at these inputs.

How this compares with the baseline

  • Against the tool's baseline example, where correlation and escalation overhead sits at 30% and the headline result is 8.91 hr, this scenario comes in 6.15% below the baseline at 8.37 hr.
  • The practical read: the gap between this scenario and the baseline is entirely attributable to correlation and escalation overhead, so recovering it is worth quantifying in dollars before considering equipment or staffing changes. It models average steady-state triage, not the surge of a live incident or the variability between trivial and complex alerts, so treat the result as a planning baseline rather than a guaranteed detection SLA.

Results at a glance

  • Required cyber detection time: 8.37 hr (headline result)
  • Base cyber detection time: 6.86 hr
  • Correlation and escalation allowance: 22 %
  • Detection triage completion rate: 14 pieces / min

Run it with your numbers

  • To rerun this with your own numbers, open the live Mean Time to Detect Cyber calculator, set correlation and escalation overhead to your actual value, and adjust the remaining inputs to match your operation.

Last reviewed 2026-05-12.