Benchmark Study: MTTD and MTTR Across EDR Configurations in 180-Day Controlled Simulations
We ran 180 days of controlled adversary simulations across 6 EDR configurations. The results: rule density past a threshold hurts MTTD, SIEM integration drops MTTR by 61%, and the single highest-leverage configuration change is structured alert triage.
This benchmark study ran controlled adversary simulations across six different EDR configurations over 180 days in Threatstealth-operated lab environments. The goal was to measure how configuration choices — alerting strategy, rule density, SIEM integration, and triage workflow — affect MTTD and MTTR independently of threat actor behaviour.
Configurations Tested
| Config | Alert strategy | Rule density | SIEM integration | Triage workflow |
|---|---|---|---|---|
| A (baseline) | Default vendor rules | Low | None | Ad-hoc |
| B | Default vendor rules | High | None | Ad-hoc |
| C | Default vendor rules | Low | Bidirectional | Ad-hoc |
| D | Default vendor rules | High | Bidirectional | Ad-hoc |
| E | Custom tuned rules | Medium | Bidirectional | Structured daily |
| F (optimised) | Custom tuned rules + LOLBAS | Medium | Bidirectional | Structured daily + automation |
MTTD Results
The most counter-intuitive finding: high rule density (Config B vs A) increased MTTD by 34%. More rules generate more alerts; more alerts create backlog; backlog delays triage; delayed triage increases MTTD. Alert volume is the enemy of MTTD — not detection coverage.
SIEM integration (Config C vs A) reduced MTTD by 28% independently of rule density, by providing correlation context that accelerated analyst triage decisions.
| Config | Median MTTD | vs. Baseline | Key factor |
|---|---|---|---|
| A (baseline) | 14.8 hours | — | Default rules, no SIEM, ad-hoc triage |
| B | 19.8 hours | +34% | High rule density overwhelms triage capacity |
| C | 10.7 hours | -28% | SIEM correlation reduces per-alert investigation time |
| D | 16.2 hours | +9% | SIEM benefit cancelled by high-density alert noise |
| E | 5.4 hours | -64% | Custom rules reduce noise; structured triage reduces queue |
| F (optimised) | 2.1 hours | -86% | Full optimisation: tuned rules + SIEM + structured triage + automation |
MTTR Results
MTTR was most strongly affected by SIEM integration and triage workflow structure. SIEM integration (bidirectional — EDR feeding SIEM and SIEM feeding EDR context back) reduced MTTR by 61% across all configurations where it was present. Structured daily triage reduced MTTR by an additional 39% beyond SIEM integration alone.
| Config | Median MTTR | vs. Baseline |
|---|---|---|
| A (baseline) | 8.4 days | — |
| B | 10.1 days | +20% |
| C | 3.3 days | -61% |
| D | 4.1 days | -51% |
| E | 1.9 days | -77% |
| F (optimised) | 0.7 days | -92% |
The Highest-Leverage Configuration Change
The single highest-leverage configuration change was not a new detection rule or a more expensive tool. It was structured alert triage: a defined daily window (30–60 minutes, morning) in which all critical and high alerts are reviewed in priority order with a defined disposition workflow.
Without structured triage, even well-tuned EDR configurations with SIEM integration left critical alerts unactioned for days. With structured triage, even the baseline configuration (Config A) improved MTTR by 43% compared to ad-hoc triage.
- Structured triage impact on MTTD: -39% vs. ad-hoc triage with same rules and SIEM
- Structured triage impact on MTTR: -43% vs. ad-hoc triage with same rules and SIEM
- Alert automation impact on MTTR: -28% vs. structured triage alone (auto-closing known false-positive patterns)
- Rule tuning impact on MTTD: -51% vs. default vendor rules at the same rule density
- Combined effect (Config F): -86% MTTD, -92% MTTR vs. baseline Config A
Recommendations
- Reduce rule density before adding new rules — remove or suppress any rule with >70% false-positive rate
- Implement SIEM bidirectional integration as the highest-priority infrastructure investment
- Establish structured daily triage before any other workflow change — it is the highest-leverage and lowest-cost intervention
- Prioritise LOLBAS and credential theft detection rules — highest-fidelity, lowest false-positive category in the benchmark
- Measure MTTD and MTTR per-configuration weekly — treat them as operational KPIs, not annual audit metrics
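As an added example (not code or data from the benchmark), the weekly KPI computation the last recommendation calls for, alongside the >70% false-positive suppression check from the first one, run over constructed alert records; it assumes MTTD is measured from ground-truth activity start to detection and MTTR from detection to incident closure, since the study does not spell out its definitions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample alert records (not data from the benchmark). True positives
# carry first_seen (ground-truth start of the simulated activity) and resolved
# (incident closure); false positives carry only the time the alert fired.
ALERTS = [
    {"config": "A", "rule": "vendor-encoded-ps", "tp": True,
     "first_seen": "2024-03-01T02:00", "detected": "2024-03-01T16:00", "resolved": "2024-03-09T16:00"},
    {"config": "A", "rule": "vendor-encoded-ps", "tp": False, "detected": "2024-03-01T17:00"},
    {"config": "A", "rule": "vendor-encoded-ps", "tp": False, "detected": "2024-03-02T09:00"},
    {"config": "A", "rule": "vendor-encoded-ps", "tp": False, "detected": "2024-03-02T11:00"},
    {"config": "A", "rule": "vendor-new-service", "tp": True,
     "first_seen": "2024-03-03T09:00", "detected": "2024-03-04T01:00", "resolved": "2024-03-13T01:00"},
    {"config": "A", "rule": "vendor-new-service", "tp": False, "detected": "2024-03-04T03:00"},
    {"config": "F", "rule": "custom-lolbas-certutil", "tp": True,
     "first_seen": "2024-03-01T02:00", "detected": "2024-03-01T04:00", "resolved": "2024-03-01T22:00"},
    {"config": "F", "rule": "custom-lolbas-certutil", "tp": True,
     "first_seen": "2024-03-05T08:00", "detected": "2024-03-05T10:30", "resolved": "2024-03-06T04:30"},
]

def _hours(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 3600

def kpis_per_config(alerts):
    """Median MTTD (hours) and MTTR (days) per configuration, from true positives only.
    Assumed definitions: MTTD = first_seen -> detected, MTTR = detected -> resolved."""
    mttd, mttr = defaultdict(list), defaultdict(list)
    for a in alerts:
        if not a["tp"]:
            continue  # a false positive has no detection or resolution delay to measure
        mttd[a["config"]].append(_hours(a["first_seen"], a["detected"]))
        mttr[a["config"]].append(_hours(a["detected"], a["resolved"]) / 24)
    return {c: {"mttd_hours": median(mttd[c]), "mttr_days": median(mttr[c])} for c in mttd}

def rules_to_suppress(alerts, fp_threshold=0.70):
    """Rules whose false-positive rate exceeds the threshold (the study's >70% cut-off)."""
    fired, fps = defaultdict(int), defaultdict(int)
    for a in alerts:
        fired[a["rule"]] += 1
        fps[a["rule"]] += 0 if a["tp"] else 1
    return sorted(r for r in fired if fps[r] / fired[r] > fp_threshold)

if __name__ == "__main__":
    for config, k in sorted(kpis_per_config(ALERTS).items()):
        print(f"Config {config}: median MTTD {k['mttd_hours']:.2f} h, median MTTR {k['mttr_days']:.2f} d")
    print("Suppress candidates:", rules_to_suppress(ALERTS))
```

Fed with a week's closed alerts exported from the EDR, the two functions give the per-configuration trend line and the suppression candidate list in one pass.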