What is MTTR?
MTTR measures the average time from detection to full remediation. For identity-based incidents, full remediation requires invalidating active session cookies, revoking refresh tokens, and verifying affected applications have ended the compromised session – not just resetting a password.
Why identity MTTR doesn't behave like infrastructure MTTR
Traditional MTTR was built for infrastructure: a server fails, you restore it, you measure the elapsed time. Identity threats break that model in two ways.
First, the clock starts late – the initial exposure (a credential stolen by an infostealer or phish) is rarely detected when it happens; it surfaces days, weeks, or months later, so there’s a hidden dwell time most programs never count.
Second, “remediated” is multi-step: a password reset alone leaves live sessions and refresh tokens valid, so an incident logged as closed can still be open.
The hidden dwell time is where identity MTTR balloons – organizations relying on breach notification can wait months after data is published.
Compressing MTTR at both ends
Cutting identity MTTR means attacking detection and remediation together:
- Detect faster. Recapturing data from criminal sources surfaces exposure in hours to days, not months.
- Remediate automatically. Identity Guardians forces resets and session revocations through AD, Okta, and Entra ID in minutes, removing the approvals that stretch timelines.
- Run the full sequence. That means credential reset, session revocation, refresh-token invalidation, and verification that SSO apps terminated the session.
- Confirm completeness. Endpoint Threat Protection supplies the scope to verify the job is actually done.
MTTD, MTTR, and MTTC compared
Several mean-time metrics describe incident response and are easy to conflate:
- MTTD (Mean Time to Detect) – exposure to awareness. Fast recapture can shrink this to hours.
- MTTR (Mean Time to Remediate) – detection to fully closed, which for identity means killing sessions and refresh tokens, not just resetting a password.
- MTTC (Mean Time to Contain) – sometimes tracked separately, the point at which the threat can no longer spread, which may come before full remediation.
Strong MTTD with weak MTTR is the common failure mode: you learn about exposure quickly but take days to fully invalidate it because remediation is manual.
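To make the distinction measurable, the following added example (not code from this page or from any product it names) computes MTTD, ticket-based MTTR, and MTTR measured to the last step of the full remediation sequence. The record fields, step labels, and sample incidents are assumptions constructed for illustration.

```python
from datetime import datetime
from statistics import mean

# The full remediation sequence as the page lists it (step names are assumed labels).
REQUIRED = ("credential_reset", "session_revocation",
            "refresh_token_invalidation", "sso_termination_verified")

def t(s):
    return datetime.fromisoformat(s)

# Constructed sample incidents, not real data.
INCIDENTS = [
    {"id": "A", "exposed": t("2025-01-01T00:00"), "detected": t("2025-03-02T00:00"),
     "ticket_closed": t("2025-03-02T04:00"),
     "steps": {"credential_reset": t("2025-03-02T01:00"),
               "session_revocation": t("2025-03-02T02:00"),
               "refresh_token_invalidation": t("2025-03-02T03:00"),
               "sso_termination_verified": t("2025-03-02T04:00")}},
    {"id": "B", "exposed": t("2025-02-01T00:00"), "detected": t("2025-02-02T00:00"),
     "ticket_closed": t("2025-02-02T01:00"),  # closed right after the password reset
     "steps": {"credential_reset": t("2025-02-02T01:00"),
               "session_revocation": t("2025-02-04T00:00"),
               "refresh_token_invalidation": t("2025-02-04T00:00"),
               "sso_termination_verified": t("2025-02-04T12:00")}},
    {"id": "C", "exposed": t("2025-02-10T00:00"), "detected": t("2025-02-10T12:00"),
     "ticket_closed": t("2025-02-10T13:00"),
     "steps": {"credential_reset": t("2025-02-10T13:00")}},  # sessions never revoked
]

def hours(delta):
    return delta.total_seconds() / 3600

def remediated_at(inc):
    """Time the last required step finished, or None if any step is missing."""
    if any(s not in inc["steps"] for s in REQUIRED):
        return None
    return max(inc["steps"][s] for s in REQUIRED)

def report(incidents):
    done = [(i, remediated_at(i)) for i in incidents if remediated_at(i)]
    return {
        "mttd_h": mean(hours(i["detected"] - i["exposed"]) for i in incidents),
        "ticket_mttr_h": mean(hours(i["ticket_closed"] - i["detected"]) for i in incidents),
        "true_mttr_h": mean(hours(end - i["detected"]) for i, end in done),
        "still_open": [i["id"] for i in incidents if remediated_at(i) is None],
        "closed_early": [i["id"] for i, end in done if i["ticket_closed"] < end],
    }

if __name__ == "__main__":
    print(report(INCIDENTS))
```

Incident C is excluded from the true MTTR average because it has no completion time yet, so it is reported separately as still open rather than silently lowering the mean.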
Your true MTTR clock may have started months ago without an alert.
Frequently Asked
From the moment exposure is confirmed to the moment all affected artifacts – credentials, session cookies, refresh tokens – are remediated. It typically spans four phases: detection, investigation (scoping), remediation execution (resets and revocations), and verification. Automation through Identity Guardians and SOAR compresses investigation and execution to minutes for standard exposures.
Because of hidden dwell time: the gap between when data is stolen and when the organization learns of it. Traditional detection can surface stolen data months after it first appears in criminal markets, so elapsed time from theft to remediation is often measured in months. Direct recapture cuts that detection window to hours or days.
MTTD (Mean Time to Detect) measures time from exposure to awareness; MTTR measures time from detection to completed remediation. You can have strong MTTD via fast recapture but weak MTTR if remediation requires manual steps and approvals across identity systems. Automating through the IdP removes that bottleneck.