KPIs in Incident Response

Here are 20 essential KPIs, with short definitions to guide your tracking and improvement efforts:

Mean Time to Detect (MTTD): Avg. time taken to identify an incident.
Mean Time to Respond (MTTR): Avg. time between detection and first mitigation action.
Mean Time to Contain (MTTC): Avg. time to stop the incident from spreading.
Mean Time to Resolve (MTTRv): Avg. time to fully fix and close the incident.
Number of Incidents Detected: Total incidents identified in a time period.
Percentage of Incidents by Severity Level: Distribution of incidents by criticality.
First Response Time: Time from detection to initial analyst response.
Number of Reopened Incidents: Count of incidents reopened after closure.
False Positive Rate: Percentage of alerts flagged as incidents that weren’t real.
Detection Accuracy: Ratio of true positives to total alerts.
SLA Compliance Rate: % of incidents resolved within agreed SLA timelines.
Incident Recurrence Rate: Rate at which similar incidents reoccur.
User-Reported vs. System-Detected Incidents: Comparison of manually vs. automatically detected issues.
Cost per Incident: Average financial impact of each incident.
Time to Escalation: Time from detection to escalation to a higher tier/team.
Incident Closure Rate: % of incidents resolved within a defined period.
Incident Root Cause Categories: Classification of underlying causes.
Volume of Phishing/Malware/Ransomware Incidents: Count of incidents by type.
Percentage of Automated vs. Manual Responses: Share of responses handled automatically.
Resolution SLA Breach Rate: % of incidents resolved after SLA deadlines.

Tracking these helps teams reduce downtime, improve security posture, and meet business expectations.