Enter Incident Response Inputs
Example Data Table
| Scenario | MTTD (min) | MTTA (min) | MTTC (min) | MTTE (min) | MTTR (min) | Automation % | Adjusted Response (min) |
|---|---|---|---|---|---|---|---|
| Ransomware Alert | 12 | 38 | 55 | 120 | 180 | 55 | 360.42 |
| Phishing Campaign | 25 | 28 | 44 | 68 | 95 | 48 | 219.87 |
| Privilege Misuse | 35 | 42 | 60 | 88 | 130 | 30 | 312.58 |
| Endpoint Malware | 18 | 30 | 40 | 72 | 105 | 62 | 206.11 |
Formula Used
MTTD = Detection Time
MTTA = Triage Time + Acknowledgment Time + Notification Delay + Handoff Delay
Core Response Time = MTTD + MTTA + MTTC + MTTE + MTTR
Full Lifecycle Time = Core Response Time + Evidence Collection Time + Post-Incident Review Time
Severity Factor = 0.8 + (Severity Weight × 0.12)
False Positive Penalty = 1 + (False Positive Rate ÷ 100)
Reopen Penalty = 1 + (Reopened Incidents ÷ Incident Count)
Automation Factor = 1 - ((Automation Coverage ÷ 100) × 0.35)
Adjusted Response Time = Core Response Time × Severity Factor × False Positive Penalty × Reopen Penalty × Automation Factor
Downtime Cost = Downtime Hours × Cost per Hour
Time per Incident = Adjusted Response Time ÷ Incident Count
Efficiency Score uses adjusted time, benchmark, automation, analyst count, false positives, and reopen rate to produce a bounded operational score out of 100.
How to Use This Calculator
Enter the number of incidents, severity weighting, and available analysts. Then add timing values for detection, triage, acknowledgment, containment, eradication, recovery, evidence work, and review.
Next, enter automation coverage, false positive rate, reopened incidents, affected assets, downtime, hourly loss, SLA target, and internal benchmark time.
Press the calculate button. The calculator will display the results directly below the header and above the form. Review lifecycle timings, efficiency, downtime cost, and SLA variance.
Use the CSV button to export structured metrics for spreadsheets. Use the PDF button to download a portable report with inputs and computed results.
FAQs
1. What does this calculator measure?
It estimates how long an incident takes across detection, acknowledgment, containment, eradication, recovery, evidence handling, and review. It also highlights downtime cost and SLA performance.
2. Why include false positive rate?
False positives consume analyst effort and delay real incident handling. Adding that percentage helps reflect operational drag that often stretches real response timelines.
3. How does automation affect the result?
Higher automation lowers the response multiplier. This models faster alert enrichment, routing, containment actions, and repetitive investigation steps that tools can perform consistently.
4. What is the difference between MTTC and MTTR?
MTTC focuses on isolating and controlling the incident. MTTR focuses on restoring systems or services to normal operating condition after eradication and validation.
5. Why track reopened incidents?
Reopened incidents often indicate incomplete containment, poor validation, or recurring compromise. They increase total workload and usually signal hidden weaknesses in playbooks or verification steps.
6. Can I use this for SLA reporting?
Yes. Enter your target minutes, then compare the adjusted response time with that threshold. The calculator shows whether performance is within or above SLA.
7. Does this replace SIEM or SOAR tooling?
No. It complements those systems by translating operational inputs into planning metrics. It is useful for reporting, forecasting, staffing reviews, and improvement tracking.
8. Is the efficiency score a standard framework?
It is a practical composite score, not a universal standard. Use it internally for trend analysis, team benchmarking, and comparing improvement scenarios over time.