
An incident response program can post strong MTTR numbers and still miss the attack that finally lands. The disconnect is structural: the standard incident response metrics (MTTR, MTTD, ticket throughput) measure process speed, not whether the program can actually catch the next intrusion. CISOs who treat the dashboard at face value end up surprised when the breach review arrives.
The three measurements below are second-order indicators. Each correlates with what determines whether an incident response program holds under pressure: the share of cases that escalate beyond a one-line ticket, how long an attacker stays inside per kill-chain stage, and how often a human spots an incident the SIEM did not.
Playbook escalation rate beats raw ticket throughput
Ticket throughput is the metric every incident response team can show: number of tickets opened, closed, and the average time between the two. The problem is that most security tickets are noise. Phishing reports that turn out to be marketing emails, EDR alerts on benign updates, false positives on cloud-config drift. Closing a thousand of these per quarter measures triage capacity, not the program’s ability to handle an actual attack. As a recent NCSC analysis of SOC metrics noted, ticket-volume targets routinely cause real incidents to get closed out as false positives.
The metric that does predict program strength is the share of tickets that escalate to playbook-level response, meaning a case exits initial triage and engages a documented procedure: containment, forensics, lateral-movement hunt, executive notification. A program where 2-3% of tickets escalate is operating in normal noise. A program where the escalation rate drops to zero for six weeks is either suppressing escalation or staring at a SIEM tuned to silence. A program where escalation jumps to 8% over a week is either inside an active incident or has a tuning problem worth investigating.
The mature pattern: tracked monthly, broken down by incident type, with the trend line reviewed alongside the SIEM rule-fire trend. When playbook escalations rise while SIEM volume holds steady, the analyst team is finding things the rules did not. When they fall while SIEM volume rises, the team is buried in noise.
Dwell time per kill-chain stage, not just total dwell
The Mandiant M-Trends reports cite global median dwell time as a headline number: the days between intrusion and detection. Useful for industry benchmarking, less useful for program tuning. A 16-day median dwell tells the CISO the program took 16 days to detect, but does not say where in the kill chain the detection happened or which stages the attacker moved through unobserved.
The operationally consequential cut is dwell time per kill-chain stage. How long did the attacker sit at initial foothold before lateral movement began? How long did lateral movement take before the first credential dump? How long between data staging and exfiltration? Each stage has a different control surface. Long dwell at initial foothold points at EDR coverage gaps. Long dwell at lateral movement points at network-segmentation and east-west visibility. Long dwell at exfiltration points at DLP and egress-monitoring blind spots.
A program that compresses dwell at one stage but not the others has a tuning problem; the controls have learned to catch one tactic and not the others. The CISA-published incident reviews for federal compromises give the granularity needed to map this for your own environment, and the MITRE ATT&CK framework gives the stage labels the IR team should use when classifying.
Analyst-spotted vs SIEM-spotted incidents
The third of the three incident response metrics is the ratio of incidents the SIEM caught against incidents a human analyst caught first. Most IR teams do not track this; the assumption is that SIEM rules cover the detection surface and analyst work is response. The assumption is wrong in the cases that matter.
A program where 95% of incidents are SIEM-spotted has either an unusually mature rule set or, more often, an analyst team that has stopped looking. The rules cover what was seen last quarter; novel attacker tradecraft routes around them by construction. When attackers change tactics, the analyst-spotted rate is the leading indicator that the rule set is now behind. A healthy ratio shifts depending on the threat landscape, but a sustained drop in analyst-spotted incidents over a quarter is a warning that hunt capacity is decaying.
The instrumentation is straightforward: tag each incident at creation with detection source (SIEM rule ID, EDR alert, analyst hunt, external report, user report). Roll up monthly. The mature pattern: 70-80% SIEM-spotted in normal periods, with the analyst-spotted share rising when the threat landscape shifts. A flat 95-5 split month over month is the metric to investigate, not the one to celebrate.
Building the incident response metrics dashboard your program actually needs
Sequencing matters: instrument the second-order metrics first, because they expose the gaps that throughput dashboards hide, then keep MTTR and MTTD as supporting signals rather than headline ones. The same conclusion appears in CSI’s prior coverage of metrics that matter for CISOs: the headline numbers are the ones that fill board decks, not the ones that catch the next intrusion.
Track playbook escalation rate as a weekly trend line – Define playbook-level response in the IR procedure, tag tickets that escalate, review the rate alongside SIEM rule-fire volume. The combination tells you whether analysts are finding what the rules miss or being buried by them.
Measure dwell time per kill-chain stage, not as a single global number – Map each incident to the MITRE ATT&CK stages observed, capture the time the attacker spent at each, and report the stage-specific medians. The stage where dwell time is highest is the control surface that needs the next investment, regardless of where overall dwell sits.
Track the analyst-spotted vs SIEM-spotted ratio month over month – Tag incidents with detection source, report the ratio in the quarterly threat brief. A sustained drop in the analyst-spotted share is the leading indicator that hunt capacity is decaying and the rule set is falling behind the threat landscape. Teams closing this gap typically rotate detection-engineering and threat-hunting responsibilities so the same analysts who write rules also test them with adversarial intent.
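One way to instrument the three measurements above, as an added example rather than code from the article: a Python roll-up over tickets tagged at creation with their detection source and, for escalated cases, the ATT&CK stages observed with the attacker's dwell at each. The record schema, the constructed sample months and the flag wording are this example's assumptions; the thresholds (zero escalations, more than 8%, a 95%+ SIEM share) are the article's rules of thumb, applied per month rather than per six-week window.

```python
# Roll up the article's three second-order IR metrics from tickets tagged at
# creation. Sample data is constructed; schema and thresholds are assumptions.
from collections import Counter, defaultdict
from statistics import median

def ticket(month, source, stages=None):
    # stages: ATT&CK stages observed and attacker dwell at each (hours), if escalated
    return {"month": month, "source": source, "stages": stages or {}}

# Constructed: normal month, escalation-free month, all-SIEM month, 10%-escalation month.
SAMPLE = (
    [ticket("2024-05", "siem")] * 90 + [ticket("2024-05", "analyst")] * 7
    + [ticket("2024-05", "siem", {"initial-access": 72, "lateral-movement": 200}),
       ticket("2024-05", "analyst", {"initial-access": 120, "exfiltration": 6}),
       ticket("2024-05", "siem", {"initial-access": 96, "lateral-movement": 48})]
    + [ticket("2024-06", "siem")] * 90 + [ticket("2024-06", "analyst")] * 10
    + [ticket("2024-07", "siem")] * 97
    + [ticket("2024-07", "siem", {"initial-access": 24})] * 3
    + [ticket("2024-08", "siem")] * 80 + [ticket("2024-08", "analyst")] * 10
    + [ticket("2024-08", "analyst", {"lateral-movement": 12})] * 10
)

def monthly(tickets):
    """Per month: (playbook escalation rate, share of tickets the SIEM spotted first)."""
    total, escalated, siem = Counter(), Counter(), Counter()
    for t in tickets:
        total[t["month"]] += 1
        escalated[t["month"]] += bool(t["stages"])
        siem[t["month"]] += t["source"] == "siem"
    return {m: (escalated[m] / total[m], siem[m] / total[m]) for m in total}

def dwell_by_stage(tickets):
    """Median attacker dwell (hours) per kill-chain stage across all escalations."""
    per_stage = defaultdict(list)
    for t in tickets:
        for stage, hours in t["stages"].items():
            per_stage[stage].append(hours)
    return {s: median(h) for s, h in per_stage.items()}

def months_to_investigate(tickets):
    """The article's rules of thumb: 0% or >8% escalation, or >=95% SIEM share."""
    flags = []
    for m, (rate, share) in monthly(tickets).items():
        if rate == 0:
            flags.append(f"{m}: no escalations (suppressed, or a SIEM tuned to silence?)")
        elif rate > 0.08:
            flags.append(f"{m}: {rate:.0%} escalated (active incident or tuning problem?)")
        if share >= 0.95:
            flags.append(f"{m}: {share:.0%} SIEM-spotted (has the hunt team stopped looking?)")
    return flags
```

On the sample, the highest stage median is initial access, which by the article's mapping points at EDR coverage before anything else.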
The incident response metrics that predict whether the program holds under pressure are not the headline MTTR and ticket-throughput numbers. They are the playbook escalation rate when the SIEM goes quiet, the kill-chain stage where the attacker is sitting longest, and the moment when analyst-spotted incidents start dropping. Those three signals tell the CISO whether the next intrusion will be caught at stage one or discovered in the breach review.