MTTD-MTTR Compression Use Case
Return to Use Cases

Every security team tracks two numbers: Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR). With traditional SIEMs, measuring MTTD is almost pointless — the architecture guarantees it will be slow.

Splunk's default correlation search runs on a 1-hour batch cycle. If an event arrives one second after the batch fires, it waits for the next run. Worst case: up to 2 hours before a matching rule even sees it. That's 2 hours of MTTD before MTTR can even start.

MTTR is gated by MTTD. Your SOC can't respond to what it can't see. The fastest analysts in the world sit idle while the attacker moves laterally, dumps credentials, and establishes persistence.

How spotr.io does it?

Detection (MTTD → sub-second): Events are evaluated on the stream the moment they arrive. No indexing. No scheduled search. No batch window. There is no worst case because there is no cycle.

Response (MTTR → compressed): The AI SOC Analyst automatically performs risk analysis, triage, and initial investigation. Signals arrive pre-enriched with full context — who, what, where, risk score, and recommended action. Your analyst confirms and acts. They don't hunt.

Noise (fewer, better signals): The detection hierarchy — filter, threshold, sequence, anomaly, behavioral — produces higher-fidelity signals. Group-by aggregation on the stream correlates by host, user, and process tree before triggering. Less noise means faster human decisions.

The Conversation

"What's your current MTTD?" — Most can't answer. The honest ones say 15–60 minutes. Anyone on Splunk defaults is closer to 1–2 hours.

"What happens to MTTR when detection takes an hour?" — It doesn't start.

"What if detection was sub-second and triage was automated?" — MTTD collapses. MTTR becomes the only metric that matters — and your team actually controls it.