Penetration TestJan Kahmen6 min read

What doesMean Time to Contain (MTTC) mean?

Mean Time to Contain is a critical metric in IT security. It describes the average time it takes to detect problems.

Table of content

Security experts regularly warn of the ever-growing threats posed by cybercriminals. The question is no longer whether a company will fall victim to an attack, but rather when. Improving cybersecurity in companies is therefore a key step towards data security.

The Mean Time to Contain: What does MTTC mean?

Mean Time to Contain is a critical metric when it comes to IT security. It describes the average time it takes to uncover problems. Thus, MTTC encompasses the time required to detect and resolve incidents. At the same time, the IT team ensures that the probability of a similar incident is reduced. This makes the Mean Time to Contain an important measurement tool in the context of incident response management.

Definition and explanation of terms

The abbreviation MTTC stands for Mean Time to Contain. This metric describes the performance of your incident management. It focuses on different measures that occur during a security incident:

  • The time to analyze the likelihood of further similar incidents.
  • The time frame to confirm the results.
  • The time required to minimize the probability of occurrence.

Thus, Mean Time to Contain represents the holistic view of your response time to security incidents. In addition, it provides you with the knowledge you need to measure and improve cybersecurity over the long term.

Calculation of Mean Time to Contain

The MTTC includes the sum of the time required to respond to a security incident. This time frame includes the effort to fix vulnerabilities that enabled the attack. With the help of the data collected in this way, security incidents can be prevented more easily in the future.
The basis for the calculation is the sum of the time spent on the individual incidents. This is divided by the number of security incidents. As a result, you get the mean time of the metric.
Typically, organizations choose to calculate the Mean Time to Contain on a regular basis. Therefore, it makes sense to include all incidents within a predefined time frame. To significantly improve response time, a monthly review is recommended.


Mean Time to Contain is just one metric that helps you improve your IT security measures. In addition to it, there are other relevant metrics:

  • MTTD: The Mean Time to Detect is the average time it takes to detect a security incident. This metric helps you analyze your current cyber monitoring and improve effectiveness.
  • MTTA: Mean Time to Acknowledge focuses on the amount of time it takes to recognize a security incident as such. Only when the team notices such an incident can the appropriate alerts be issued. The more time that passes before an incident is recognized, the later it is possible to correct the problem.
  • MTTR: The Mean Time to Respond describes the average time until an affected system can be run again. The goal here is to restore the normal state. It begins with the reporting of the incident, which is normally done as part of the MTTA, and ends with the problem being rectified.
  • MTTC: Mean Time to Contain looks at your holistic security incident response. So it combines the individual metrics and starts with the time required to detect a security incident. Additionally, it includes the time frame necessary to minimize the likelihood of future similar incidents occurring.

The Importance of MTTC to Cyber Security.

Mean Time to Contain is an important metric designed to strengthen IT security. It can be used to better evaluate the effectiveness of tools and security strategies. This includes all the steps required to detect, analyze and contain a security incident. Especially for serious incidents, On-Demand Penetration Testing can help the security team. This can help ensure that the fix brings the desired security.
Mean Time to Contain takes into account several aspects of Incident Response Management that can significantly improve IT security. Nevertheless, it is useful to always consider this metric in relation to other metrics. This will help you more quickly determine which areas of Mean Time to Contain you need to improve.

Reduce MTTC: Best Practices for Improving Mean Time to Contain

To improve your Mean Time to Contain, focus on the following best practices:

  • Analyze incoming incidents in as much detail as possible to find the best possible solution. Automated consolidation of different data sets is a good way to do this.
  • Keep an eye on monitoring and carry out regular security measures. This includes, for example, regular pentests.
  • Have an action plan ready to respond quickly, even with scarce resources.
  • Automate your incident management system to be informed of new incidents quickly and comprehensively.
  • Assemble a dedicated security team that can take immediate initial action in the event of an emergency.


Mean Time to Contain is an important metric for improved IT security. It looks at how you respond to security incidents and how quickly the operation succeeds. Real-time threat information in particular plays a key role here. In addition, it is recommended that you work with an isolated or external security team such as the experts at Turingpoint. This will enable you to improve your Mean Time to Contain even in the short term and make threats more transparent.


Curious? Convinced? Interested?

Schedule a no-obligation initial consultation with one of our sales representatives. Use the following link to select an appointment: