ElcamTechnologies

Incident Response Runbooks — What to Measure

Key metrics to track in your Incident Response (IR) runbooks to measure effectiveness and drive improvement.

Detection & Triage Metrics

Goal: How quickly can we identify and validate a real threat?

  • Mean Time to Detect (MTTD): The average time it takes from the start of an incident to when it is first detected.
  • Mean Time to Acknowledge (MTTA): The average time from when an alert is generated to when an analyst begins investigation.
  • Alert Fidelity Rate: The ratio of true positive alerts to total alerts (True Positives / (True Positives + False Positives)).

Containment & Eradication Metrics

Goal: How quickly can we stop the bleeding and remove the threat?

  • Mean Time to Contain (MTTC): The average time from when an incident is acknowledged to when it is effectively contained (e.g., host isolated, account disabled).
  • Mean Time to Remediate (MTTR): The average time from containment to full eradication of the threat from all affected systems.
  • Containment Success Rate: The percentage of incidents that are contained before spreading to other systems.

Recovery & Post-Incident Metrics

Goal: How effectively can we restore operations and learn from our mistakes?

  • Mean Time to Recover (also abbreviated MTTR, not to be confused with Mean Time to Remediate above): The average time it takes to restore all systems and services to full operation after remediation.
  • Post-Incident Report (PIR) Completion Rate: The percentage of major incidents for which a PIR is completed within a set timeframe (e.g., 48 hours).
  • Remediation Item Closure Rate: The percentage of action items identified in PIRs that are closed within their target deadline.
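As an added example (not code from the original page), the following Python computes the metrics above from constructed incident timeline records; the Incident record layout, the reporting of times in hours, and measuring PIR timeliness from the recovery timestamp are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean
from typing import Optional


@dataclass
class Incident:
    # Hypothetical per-incident timeline; all timestamps UTC.
    started: datetime        # earliest attacker activity established by the investigation
    detected: datetime       # first alert fired
    acknowledged: datetime   # analyst opened the case
    contained: datetime      # host isolated / account disabled
    remediated: datetime     # threat eradicated from all affected systems
    recovered: datetime      # services restored to full operation
    spread: bool             # reached other systems before containment?
    pir_completed: Optional[datetime]  # post-incident report finished (None = not yet)


def _mean_hours(deltas):
    return round(mean(d.total_seconds() / 3600 for d in deltas), 2)


def ir_metrics(incidents, pir_deadline=timedelta(hours=48)):
    """Runbook metrics over a list of incidents; PIR deadline counted from recovery (assumption)."""
    n = len(incidents)
    return {
        "mttd_h": _mean_hours(i.detected - i.started for i in incidents),
        "mtta_h": _mean_hours(i.acknowledged - i.detected for i in incidents),
        "mttc_h": _mean_hours(i.contained - i.acknowledged for i in incidents),
        "mtt_remediate_h": _mean_hours(i.remediated - i.contained for i in incidents),
        "mtt_recover_h": _mean_hours(i.recovered - i.remediated for i in incidents),
        "containment_success_rate": round(sum(not i.spread for i in incidents) / n, 2),
        "pir_completion_rate": round(sum(
            i.pir_completed is not None and i.pir_completed - i.recovered <= pir_deadline
            for i in incidents) / n, 2),
    }


def alert_fidelity(true_positives, false_positives):
    """Alert Fidelity Rate = TP / (TP + FP); None when no alerts were raised."""
    total = true_positives + false_positives
    return round(true_positives / total, 3) if total else None


# Constructed sample data: two incidents starting at the same time T.
T = datetime(2024, 3, 1, 8, 0)
H = lambda h: T + timedelta(hours=h)
SAMPLE = [
    Incident(T, H(2), H(2.5), H(4), H(10), H(12), spread=False, pir_completed=H(40)),
    Incident(T, H(6), H(7.5), H(12), H(30), H(36), spread=True, pir_completed=None),
]
```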