Many organizations measure incident response by time-to-close. That metric rewards analysts for suppressing alerts quickly rather than for investigating what the attacker actually reached.
Common broken KPIs
- Mean Time To Close (MTTC)
- Alerts closed per analyst
- Tickets resolved per day
None of these measure lateral movement, data access, or persistence.
Metrics that actually matter
- Time to initial access discovery
- Time to blast radius confirmation
- Unexplained access duration
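The following is an added example, not part of the original post, showing how the three metrics above diverge from MTTC on a constructed incident. The post names the metrics without defining them, so the definitions in the comments (dwell measured from forensically established initial access, blast radius measured from the alert, unexplained access running until every affected asset is accounted for) are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Assumed metric definitions (the post names these metrics but does not define them):
#   time_to_initial_access_discovery  = alert_fired - initial_access   (dwell before detection)
#   time_to_blast_radius_confirmation = blast_radius_confirmed - alert_fired
#   unexplained_access_duration       = initial_access .. access_explained (or .. now if still open)

@dataclass
class Incident:
    initial_access: datetime              # established forensically, not the alert time
    alert_fired: datetime
    ticket_closed: Optional[datetime]
    blast_radius_confirmed: Optional[datetime]
    access_explained: Optional[datetime]  # every affected asset/credential accounted for

def hours(delta: timedelta) -> float:
    return round(delta.total_seconds() / 3600, 1)

def mttc_hours(inc: Incident) -> Optional[float]:
    """The broken KPI: alert-to-close, blind to what happened before or after."""
    if inc.ticket_closed is None:
        return None
    return hours(inc.ticket_closed - inc.alert_fired)

def impact_metrics(inc: Incident, now: datetime) -> dict:
    """The three impact metrics, in hours; None where that milestone has not been reached."""
    discovery = hours(inc.alert_fired - inc.initial_access)
    blast = None if inc.blast_radius_confirmed is None else hours(inc.blast_radius_confirmed - inc.alert_fired)
    explained_at = inc.access_explained if inc.access_explained is not None else now
    return {
        "time_to_initial_access_discovery": discovery,
        "time_to_blast_radius_confirmation": blast,
        "unexplained_access_duration": hours(explained_at - inc.initial_access),
        "still_unexplained": inc.access_explained is None,
    }

# Constructed sample: the ticket was closed 20 minutes after the alert (an excellent MTTC),
# but the account had been in use for 12 days, blast radius took 3 more days to confirm,
# and the access is still not fully explained 20 days after it began.
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = Incident(
    initial_access=T0,
    alert_fired=T0 + timedelta(days=12),
    ticket_closed=T0 + timedelta(days=12, minutes=20),
    blast_radius_confirmed=T0 + timedelta(days=15),
    access_explained=None,
)
```

Run `impact_metrics(SAMPLE, T0 + timedelta(days=20))` next to `mttc_hours(SAMPLE)`: the KPI reports 0.3 hours while the unexplained access window is 480 hours.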
Split containment from investigation
Containment speed matters. Investigation depth matters more. Tracking both under one number rewards fast containment and hides shallow investigation.