Dwell time
Dwell time is the period during which an attacker remains active inside a compromised environment before being detected. It is one of the most telling indicators of a detection program's maturity: the longer it runs, the more time the adversary has to map the network, escalate privileges, exfiltrate data, or stage a ransomware deployment. Typically measured in days, and frequently reported in ranges spanning several weeks to several months across industry reports, dwell time has become a core metric for SOC teams and CISOs seeking to quantify the real-world effectiveness of their defenses.
How it works
Dwell time is calculated as the interval between the moment of initial compromise (often the attacker's first access) and the moment of effective detection by the defending team. It is closely tied to MTTD (Mean Time To Detect), which expresses the statistical average across a set of incidents, and to MTTR (Mean Time To Respond or Mean Time To Contain), which extends the analysis through the containment phase. The challenge in measuring it stems from the fact that the compromise date is only known after the fact, usually reconstructed during forensic investigation from logs and recovered artifacts.
In practice, dwell time breaks down into several phases that map onto the tactics of the MITRE ATT&CK framework:
- Initial access and persistence: the attacker gains a first foothold and works to survive reboots and session rotation.
- Internal reconnaissance: enumeration of hosts, accounts, shares, and exposed services to map the target.
- Privilege escalation and lateral movement: pivoting from one system to another to reach higher-value assets.
- Actions on objective: data exfiltration, encryption, sabotage, or installation of a persistent payload.
Each of these phases is an opportunity for detection. The earlier detection occurs in this chain, the shorter the dwell time and the tighter the blast radius of the incident remains. It is worth distinguishing dwell time from the simple lifetime of an alert: a control may fire a signal early, yet if that signal is buried among low-confidence detections and never triaged, the effective dwell time keeps growing. In other words, dwell time is shaped as much by the signal-to-noise ratio of a detection stack as by its raw sensor coverage.
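The following is an added worked example, not code from the original page or from Trapster, that computes the metrics defined above over a constructed set of incidents. It assumes the timestamps a post-mortem usually recovers (reconstructed compromise time, first raw alert if any, analyst triage, containment), counts detection at triage rather than at the first sensor signal, and takes MTTR as the average of the triage-to-containment interval (a convention assumed here). The `vpn-B` incident shows the buried-alert case: a sensor fired within three hours, but the effective dwell time ran to 25 days because nobody triaged it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class Incident:
    """One intrusion, with the timestamps a post-mortem usually recovers."""
    name: str
    compromised_at: datetime            # initial access, reconstructed from logs/forensics
    first_alert_at: Optional[datetime]  # first sensor signal, if anything fired at all
    triaged_at: datetime                # analyst confirmed the intrusion (effective detection)
    contained_at: datetime              # attacker access cut off


def dwell_time(inc: Incident) -> timedelta:
    """Compromise -> effective detection. Counted at triage, not at the first raw alert."""
    return inc.triaged_at - inc.compromised_at


def alert_backlog(inc: Incident) -> Optional[timedelta]:
    """How long the first alert sat unreviewed before triage (None if nothing fired)."""
    if inc.first_alert_at is None:
        return None
    return inc.triaged_at - inc.first_alert_at


def dwell_if_triaged_at_once(inc: Incident) -> timedelta:
    """Dwell time the incident would have had if the first alert had been acted on immediately."""
    if inc.first_alert_at is None:
        return dwell_time(inc)
    return inc.first_alert_at - inc.compromised_at


def time_to_contain(inc: Incident) -> timedelta:
    """Effective detection -> containment (the interval MTTR averages here, by assumption)."""
    return inc.contained_at - inc.triaged_at


def _mean(deltas: list[timedelta]) -> timedelta:
    # statistics.mean() does not accept timedelta, so average by hand
    return sum(deltas, timedelta()) / len(deltas)


def mttd(incidents: list[Incident]) -> timedelta:
    """Mean Time To Detect: average dwell time across the incident set."""
    return _mean([dwell_time(i) for i in incidents])


def mttr(incidents: list[Incident]) -> timedelta:
    """Mean Time To Respond: average triage-to-containment interval."""
    return _mean([time_to_contain(i) for i in incidents])


def longest_dwell(incidents: list[Incident]) -> Incident:
    return max(incidents, key=dwell_time)


# Constructed sample incidents (not real cases).
INCIDENTS = [
    # Alert fired within 90 minutes, triaged the next morning.
    Incident("phish-A", datetime(2024, 3, 1, 8, 0), datetime(2024, 3, 1, 9, 30),
             datetime(2024, 3, 2, 10, 0), datetime(2024, 3, 2, 16, 0)),
    # Alert fired after 3 hours but sat in a low-confidence queue for weeks.
    Incident("vpn-B", datetime(2024, 3, 10, 22, 0), datetime(2024, 3, 11, 1, 0),
             datetime(2024, 4, 5, 9, 0), datetime(2024, 4, 6, 9, 0)),
    # No conventional alert at all; caught 20 minutes in when a decoy was touched.
    Incident("decoy-C", datetime(2024, 5, 2, 14, 0), None,
             datetime(2024, 5, 2, 14, 20), datetime(2024, 5, 2, 15, 0)),
]


def report(incidents: list[Incident]) -> dict[str, float]:
    """Headline figures in days, as a SOC dashboard would show them."""
    worst = longest_dwell(incidents)
    return {
        "mttd_days": mttd(incidents) / timedelta(days=1),
        "mttr_days": mttr(incidents) / timedelta(days=1),
        "longest_dwell_days": dwell_time(worst) / timedelta(days=1),
        "longest_dwell_if_triaged_at_once_days": dwell_if_triaged_at_once(worst) / timedelta(days=1),
    }


if __name__ == "__main__":
    for inc in INCIDENTS:
        print(f"{inc.name:8} dwell={dwell_time(inc)}  backlog={alert_backlog(inc)}  "
              f"to-contain={time_to_contain(inc)}")
    print(report(INCIDENTS))
```

The gap between `longest_dwell_days` and `longest_dwell_if_triaged_at_once_days` is the cost of the alert backlog alone: sensor coverage was adequate for `vpn-B`, and the signal-to-noise ratio of the queue is what let the dwell time grow.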
Why long dwell time amplifies damage
Time always favors the attacker. A high dwell time means the adversary has had the leisure to methodically explore the environment, identify sensitive data, neutralize backups, and disable protections before acting. With modern ransomware, the staging phase often precedes encryption by days or even weeks: locating domain controllers, stealing privileged credentials, and exfiltrating data in preparation for double extortion.
Reducing dwell time therefore directly reduces the scale of the impact. Detection during reconnaissance or at the onset of lateral movement, rather than at the point of exfiltration, turns a major crisis into a manageable incident. This is precisely why security teams strive to compress this interval, without drowning analysts in alerts or multiplying false positives that erode trust in detection tooling.
The role of deception
Deceptive security tackles the dwell time problem at its root by placing decoys, honeypots, breadcrumbs, and honeytokens across the network, designed to be discovered by an attacker during reconnaissance. A legitimate defender has no reason to interact with these artifacts; any interaction is therefore a high-fidelity signal with virtually no false positives.
This approach shifts detection far earlier in the attack chain. Where a traditional solution might only surface a compromise after weeks, a decoy touched during enumeration or on the first lateral movement hop generates a near-immediate alert. Dwell time then drops from the order of weeks to that of minutes or hours, and because the alert carries so little ambiguity, the subsequent time-to-containment shrinks as well.
- Early detection: decoys trigger during reconnaissance, before the attacker reaches critical assets.
- Reliable signal: interaction with a decoy is intentional, which sharply reduces noise and false positives.
- Intrusion mapping: honeytokens and breadcrumbs reveal the path taken and accelerate containment.
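As an added example (not code from the original page or from Trapster), the detection logic below runs over a constructed log window and implements the three points just listed: any event that touches an inventoried decoy artifact becomes an alert, the alert needs no scoring because legitimate users have no reason to touch those artifacts, and the ordered list of decoys touched per source host gives a map of the path taken. The decoy names, hosts, log format and field names are all constructed for the example; a real deployment would take the inventory from the deception platform and the events from the SIEM.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Decoy inventory (constructed names; in practice this comes from the deception platform).
DECOY_ACCOUNTS = {"svc-backup-legacy"}       # honeytoken credential seeded in a script
DECOY_SHARES = {r"\\fs01\Finance_Archive"}   # breadcrumb share, never used legitimately
DECOY_HOSTS = {"10.0.5.77"}                  # honeypot server answering on SMB/RDP

# Constructed log window: one workstation enumerating, another doing normal work.
LOGS = r"""
2024-06-03T09:12:04Z auth src=ws-042 user=j.doe resource=fs01
2024-06-03T09:15:31Z share src=ws-042 user=j.doe resource=\\fs01\Finance
2024-06-03T09:40:12Z ldap src=ws-042 user=j.doe resource=dc01 query=(objectClass=user)
2024-06-03T09:41:50Z auth src=ws-042 user=svc-backup-legacy resource=dc01
2024-06-03T09:44:03Z share src=ws-042 user=j.doe resource=\\fs01\Finance_Archive
2024-06-03T09:50:27Z smb src=ws-042 user=j.doe resource=10.0.5.77
2024-06-03T10:02:11Z auth src=ws-017 user=a.smith resource=mail01
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict[str, str]


@dataclass
class Alert:
    ts: datetime
    src: str
    user: str
    resource: str
    reasons: list[str]


def parse(lines: str) -> list[Event]:
    """Parse the constructed '<timestamp> <kind> k=v ...' format into Event records."""
    events = []
    for line in lines.strip().splitlines():
        ts, kind, *kv = line.split()
        fields = dict(item.split("=", 1) for item in kv)
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kind, fields))
    return events


def detect(events: list[Event]) -> list[Alert]:
    """Any touch of a decoy artifact is an alert; no scoring or thresholding is needed."""
    alerts = []
    for ev in events:
        user = ev.fields.get("user", "")
        resource = ev.fields.get("resource", "")
        reasons = []
        if user in DECOY_ACCOUNTS:
            reasons.append("decoy account used")
        if resource in DECOY_SHARES:
            reasons.append("breadcrumb share opened")
        if resource in DECOY_HOSTS:
            reasons.append("honeypot host contacted")
        if reasons:
            alerts.append(Alert(ev.ts, ev.fields.get("src", "?"), user, resource, reasons))
    return alerts


def intrusion_path(alerts: list[Alert]) -> dict[str, list[str]]:
    """Per source host, the ordered sequence of decoys it touched: the path the attacker took."""
    path: dict[str, list[str]] = {}
    for a in sorted(alerts, key=lambda a: a.ts):
        path.setdefault(a.src, []).append(a.resource)
    return path


def time_to_first_alert(events: list[Event], alerts: list[Alert], src: str) -> Optional[timedelta]:
    """Gap between a host's earliest logged activity in the window and its first decoy alert.
    The earliest activity stands in for the compromise time here (an assumption); a real
    investigation reconstructs that time from forensics."""
    first_seen = min((e.ts for e in events if e.fields.get("src") == src), default=None)
    first_alert = min((a.ts for a in alerts if a.src == src), default=None)
    if first_seen is None or first_alert is None:
        return None
    return first_alert - first_seen


if __name__ == "__main__":
    evs = parse(LOGS)
    als = detect(evs)
    for a in als:
        print(f"{a.ts:%H:%M:%S} {a.src} {a.user} -> {a.resource}: {', '.join(a.reasons)}")
    print("path:", intrusion_path(als))
    print("time to first alert for ws-042:", time_to_first_alert(evs, als, "ws-042"))
```

Note what does not alert: `ws-042` opening the legitimate `\\fs01\Finance` share and `ws-017` doing routine mail authentication produce nothing, while the enumeration from `ws-042` is caught on its first decoy touch, under half an hour after its earliest activity in the window.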
With Trapster
Trapster deploys honeypots, decoys, and honeytokens that turn every reconnaissance attempt or lateral movement into an immediate, reliable alert, collapsing dwell time from weeks to minutes.
From theory to detection
See how Trapster deploys honeypots, decoys and honeytokens across your network to turn every suspicious interaction into a reliable alert.
30-min demo, no commitment · Hosted in France