Looking for security documentation and consultancy? Visit ridgelinecyber.com
Sign In

ES0.4 Key Metrics: MTTD, MTTR, and What Actually Matters

· Module 0 · Free
Operational Objective
The endpoint security conversation with executives and auditors inevitably turns to metrics. "What is our MTTD? What is our MTTR? How do we compare to industry benchmarks?" These metrics are useful for executive dashboards but dangerously misleading as engineering targets. A SOC that improves MTTR from 4 hours to 2 hours by auto-closing low-confidence alerts has improved the number without improving the security posture. An ASR rule in block mode that prevents 47 execution attempts per month is a more meaningful measurement of endpoint security effectiveness than any time-based metric — but it never appears on the CISO's dashboard. This subsection separates the metrics that measure real endpoint security effectiveness from the vanity metrics that measure activity, and shows you how to build the measurement framework that drives actual engineering decisions.
Deliverable: An endpoint security metrics framework that distinguishes between executive-facing indicators and engineering-facing measurements, with specific KQL queries for each metric and the interpretation context that prevents metric gaming.
Estimated completion: 25 minutes
ENDPOINT SECURITY METRICS — WHAT MATTERS VS WHAT GETS MEASUREDVANITY METRICS (activity, not security)• MTTD (without technique breakdown)• MTTR (without outcome verification)• Total alerts generated (volume ≠ coverage)• Alerts closed per analyst per day• % devices with AV "up to date"• Compliance policy "pass rate" (without CA)These can improve while security degradesENGINEERING METRICS (actual security posture)• ASR rules in block mode (count + % fleet)• ASR block events per rule per month• Custom detection rule count + TP rate• ATT&CK technique coverage %• Exposure score + device risk distribution• Devices with Sysmon + audit policy configuredThese measure whether defenses actually work

Figure ES0.4 — Vanity metrics measure activity and look good on dashboards. Engineering metrics measure whether the endpoint security stack actually prevents, detects, and contains attacks. Both have a place — but only engineering metrics drive configuration decisions.

Microsoft Secure Score at 49.7% showing top recommended actions including ASR rules

Figure ES0.4a — Microsoft Secure Score provides a posture assessment across Identity (67.82%), Data (100%), Device (48.11%), and Apps (44.19%). The top recommended actions are endpoint security controls: ASR rules (block Office child processes, block credential stealing from LSASS, block unsigned processes) and AV real-time protection. A Device score of 48% indicates that over half of available endpoint security controls are not yet deployed — the gap this course closes.

Why MTTD and MTTR are necessary but insufficient

Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) are the most commonly reported SOC metrics. They appear in every vendor pitch, every analyst report, and every board-level security presentation. They matter because they measure speed — and speed matters during an active incident. A SOC that detects an AiTM attack in 8 minutes and contains it in 15 minutes produces a fundamentally different outcome than one that takes 4 hours for each.

The problem is that MTTD and MTTR can be optimized without improving security. Auto-closing low-severity alerts reduces MTTR to near zero for those alerts — but the alerts are closed, not investigated. Detecting only commodity threats (for which MDE has built-in detections) produces a fast MTTD for those threats — but says nothing about detection capability for targeted attacks. A SOC that handles 95% of alerts in under 10 minutes but misses the 5% that represent actual compromise has excellent MTTD/MTTR numbers and a catastrophic security posture.

The metrics that drive endpoint security engineering decisions are different. They measure what the stack actually prevents, what it actually detects, and what coverage gaps remain.

Expand for Deeper Context

ASR block rate per rule. The number of times each ASR rule in block mode prevented an attack technique per month. This metric directly measures prevention effectiveness. An ASR rule that blocks 200 execution attempts per month is preventing 200 potential compromises. An ASR rule that blocks zero has two possible interpretations: either the technique is not being attempted against your environment (good), or the rule is not configured correctly (investigate). The metric is actionable: high block rates validate the rule’s deployment. Zero block rates prompt investigation into whether the rule is actually enforced.

Custom detection true positive rate. The percentage of custom detection rule alerts that are confirmed true positives. A custom detection with a 5% TP rate generates 95% false positive noise — it degrades SOC effectiveness. A custom detection with an 80% TP rate is a high-quality detection. The metric drives detection engineering: rules below a threshold (30% TP rate is a reasonable minimum) need to be tuned or retired. Rules above 80% can safely trigger automated response.

ATT&CK technique coverage. The percentage of MITRE ATT&CK techniques relevant to your threat model that are covered by at least one detection rule (built-in or custom). This metric measures detection breadth. A SOC with 95% MTTD but only 20% technique coverage detects fast but detects little. The Defender XDR Threat Analytics reports provide a starting point for mapping your coverage against active threat campaigns.

Exposure score trend. MDE’s Defender Vulnerability Management assigns an exposure score based on the security posture of your fleet — unpatched vulnerabilities, misconfigured security controls, risky devices. The absolute number matters less than the trend. A decreasing exposure score means your hardening efforts are reducing the attack surface. An increasing score means new vulnerabilities are being introduced faster than they are being remediated.

The metrics that drive endpoint security engineering

Prevention metrics measure whether your prevention controls are configured and effective:

The percentage of ASR rules in block mode across the fleet tells you how much of the prevention layer is actually preventing. If 3 of 18 ASR rules are in block mode on 60% of devices, your prevention coverage is approximately 10% of its potential. The target is not 100% of rules in block mode — some rules have legitimate business conflicts that keep them in audit or warn mode permanently. But the metric tracks progress.

AV cloud protection level across the fleet reveals how many devices are operating with enhanced protection. Default level is functional. High+ catches significantly more unknown threats. The metric shows you the gap between what your license provides and what your configuration delivers.

Detection metrics measure whether your detection layer finds real threats:

The total custom detection rule count matters because zero custom rules means you depend entirely on Microsoft’s built-in detections. Built-in detections are good for commodity threats but do not cover your organisation’s specific patterns, your environment’s normal baselines, or the targeted techniques that your threat model identifies as highest risk.

The hunting cadence — how frequently analysts execute proactive hunting queries — measures whether the detection layer extends beyond automated rules. A SOC that hunts weekly finds threats that scheduled rules miss because the hunt can adapt to emerging intelligence in real time.

Forensic readiness metrics measure whether evidence will exist when needed:

The percentage of endpoints with advanced audit policies, PowerShell ScriptBlock logging, and Sysmon configured tells you whether your IR team can reconstruct attacker actions after containment. This metric is binary for each endpoint — either the logging is configured or it is not. Partial logging (audit policy configured but PowerShell logging missing) creates evidence gaps.

Decision Point

Your CISO wants a single metric for the monthly board report that represents overall endpoint security posture. You have two options: (A) composite MTTD/MTTR across all alert severities, or (B) MDE’s exposure score combined with ASR enforcement percentage. Option B is more honest. The exposure score measures actual attack surface — it accounts for unpatched vulnerabilities, missing configurations, and risky devices. The ASR enforcement percentage measures how much of the prevention layer is active. Together, they answer the board’s real question: “how protected are we?” MTTD/MTTR answers a different question: “how fast do we react when something happens?” Both matter. But the board wants to know about protection, not reaction speed. Present MTTD/MTTR as a secondary metric alongside the exposure score as the primary indicator.

Try it: query your current endpoint security metrics

Run these KQL queries in Advanced Hunting (security.microsoft.com → Hunting → Advanced hunting) to measure your current state:

ASR enforcement status across the fleet:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

DeviceEvents
| where ActionType startswith "Asr"
| summarize
    BlockEvents = countif(ActionType endswith "Blocked"),
    AuditEvents = countif(ActionType endswith "Audited")
    by DeviceName
| summarize
    DevicesWithBlocks = dcountif(DeviceName, BlockEvents > 0),
    DevicesAuditOnly = dcountif(DeviceName, BlockEvents == 0 and AuditEvents > 0),
    TotalDevices = dcount(DeviceName)

Custom detection rule effectiveness (last 30 days):

1
2
3
4
5
6
7
8
9

AlertInfo
| where Timestamp > ago(30d)
| where DetectionSource == "CustomDetection"
| summarize
    TotalAlerts = count(),
    TruePositives = countif(Classification == "TruePositive"),
    FalsePositives = countif(Classification == "FalsePositive"),
    BenignTruePositives = countif(Classification == "BenignTruePositive"),
    ByRule = dcount(Title)

Device health and onboarding coverage:

1
2
3
4
5
6
7

DeviceInfo
| where Timestamp > ago(1d)
| summarize arg_max(Timestamp, *) by DeviceId
| summarize
    TotalDevices = count(),
    HealthyDevices = countif(SensorHealthState == "Active"),
    OnboardedDevices = countif(OnboardingStatus == "Onboarded")

These three queries give you the starting metrics for your endpoint security engineering effort. Record the results — you will compare them against your targets as you progress through this course.

Compliance Myth: "We need to achieve a specific MTTD to pass our audit"

The myth: Auditors require specific MTTD and MTTR numbers. We need to get MTTD under 15 minutes and MTTR under 1 hour to satisfy the compliance requirement.

The reality: No major compliance framework specifies MTTD or MTTR thresholds. PCI DSS requires that security incidents are “identified and responded to in a timely manner” (Requirement 12.10.5) — “timely” is context-dependent, not a specific number. ISO 27001 A.5.25 requires that information security incidents are “responded to in accordance with the documented procedures” — it measures process existence, not response speed. NIST CSF requires “timely detection of cybersecurity events” — again, no specific threshold. The specific MTTD/MTTR numbers in vendor presentations are industry benchmarks for comparison purposes, not compliance requirements. What auditors actually verify: do you have incident response procedures? Are they followed? Is there evidence of detection and response? Can you demonstrate the process worked? Focus on building the detection and response capability. The metrics will follow.

Troubleshooting

“Our CISO only cares about MTTD/MTTR — they do not want to hear about ASR enforcement percentages.” Present both. Lead with the metric the CISO cares about (MTTD/MTTR), then show the metric that explains it. “Our MTTR improved by 15% this quarter because we moved 6 ASR rules from audit to block mode, preventing 340 incidents that would have required analyst response.” The CISO gets the number they want. You get the engineering investment you need. The ASR enforcement metric explains the MTTR improvement, creating a clear cause-and-effect narrative that justifies continued investment.

“We do not have enough data to calculate meaningful metrics — we only have 3 months of MDE telemetry.” Three months is sufficient for most endpoint security metrics. ASR audit data stabilises within 2-4 weeks (you can identify false positive patterns and make enforcement decisions). Device health metrics are real-time. Exposure score is calculated daily. The only metric that benefits from longer data is hunting effectiveness, which requires baseline establishment. Start measuring now with whatever data you have. The trend matters more than the absolute number.

“Our managed SOC provides metrics in their monthly report — why do we need our own?” Because your MSSP’s metrics measure their performance, not your security posture. MSSP reports show: alerts handled, mean response time, incidents escalated. They do not show: ASR enforcement coverage, custom detection rule TP rate, technique coverage gaps, forensic readiness completeness. You need both sets of metrics — the MSSP’s operational metrics and your own engineering metrics — to have a complete picture.

Building the measurement cadence

Metrics without cadence are snapshots that never become trends. The measurement cadence for NE’s endpoint security program:

Daily (automated): Device health summary query (ES2.8) — total devices, active sensors, inactive sensors. AV health query — devices with stale signatures. These run as saved queries or Sentinel automation rules and alert on threshold violations. No analyst time required unless an alert fires.

Weekly (15 minutes): ASR enforcement summary — how many rules are in block mode across the fleet, how many block events occurred this week (by rule). Hunting cadence check — were the weekly hunting queries executed? Any findings? This is a quick status check during the security team standup, not a deep analysis.

Monthly (2 hours): Custom detection performance review — for each active custom detection rule, calculate the TP rate over the last 30 days. Rules below 30% TP rate are flagged for tuning. Rules above 80% TP rate are candidates for automated response actions. Exposure score trend — is the score improving (hardening efforts reducing attack surface) or degrading (new vulnerabilities being introduced faster than remediation)? Generate the executive dashboard for the CISO’s monthly report.

Quarterly (half day): ATT&CK technique coverage mapping — which techniques in the threat model are covered by detections (built-in + custom)? Which gaps remain? This drives the detection engineering backlog for the next quarter. Maturity model re-assessment — score each layer of the architecture against the maturity model from ES0.9. Compare to the previous quarter’s scores. The delta is the progress metric that justifies continued investment.

The cadence ensures metrics are not a one-time assessment but a continuous measurement system that tracks improvement and catches degradation before it becomes a security incident.

Operational Artifact — Endpoint Security Metrics Dashboard Specification

Build two views. Executive view: Exposure score trend (30-day), MTTD/MTTR by severity, device compliance rate, major incidents this month. Keep it to 4-6 numbers. Engineering view: ASR rules in block mode (count and % fleet), ASR block events per rule, custom detection count and TP rate, hunting queries executed this week, ATT&CK technique coverage %, devices with Sysmon and audit policy configured, onboarding coverage %, sensor health distribution. The executive view goes in the CISO’s monthly report. The engineering view goes in the security engineering team’s weekly standup. Module ES15 (capstone) builds both dashboards with KQL and Sentinel workbooks.

Your SOC's MTTD improved from 45 minutes to 12 minutes over the last quarter. Your CISO presents this as evidence that the endpoint security posture has strengthened. What question should you ask before accepting this conclusion?
How many alerts were auto-closed to achieve this number? — this question identifies gaming, but a faster MTTD could be legitimate even without auto-closure.
Did the detection coverage change during this period? If the MTTD improvement came from faster handling of existing alert types (commodity malware, known patterns), the speed is faster but the coverage is unchanged. If MTTD improved because new custom detection rules were deployed that detect previously invisible attacks, both speed AND coverage improved. The critical question is whether faster detection of a narrow set of threats is being presented as improved security posture overall. A 12-minute MTTD for commodity malware combined with zero detection capability for credential theft, lateral movement, and persistence techniques is not an improved security posture — it is faster handling of the threats you were already catching.
What is the industry benchmark for MTTD? — comparing to benchmarks tells you how you rank against peers, but does not tell you whether your security posture actually improved.
How many analysts contributed to the improvement? — this measures SOC efficiency, not endpoint security effectiveness.
© 2026 Ridgeline Cyber Defence™ Ltd. Content may not be reproduced or redistributed. Worked artifacts may be adapted for use within your organization.

You're reading the free modules of this course

The full course continues with advanced topics, production detection rules, worked investigation scenarios, and deployable artifacts. Premium subscribers get access to all courses.

View Pricing See Full Syllabus
← Previous Next →