Mean Time to Contain Calculator

Measure average containment time for security cases. Review patterns, outliers, and SLA attainment clearly, instantly. Make incident response decisions using consistent evidence every day.

Calculator Input

Enter incident timestamps, weights, and exclusions. Large screens show three columns, smaller screens show two, and mobile shows one.

Use a custom label for your reporting view.
Used to measure within-target containment performance.
The calculator uses completed incidents only.

Incident 1

Useful for drills, test alerts, or invalid cases.

Incident 2

Useful for drills, test alerts, or invalid cases.

Incident 3

Useful for drills, test alerts, or invalid cases.

Example Data Table

Use these sample entries to test the calculator quickly.

Incident Detected At Contained At Severity Criticality
Phishing Mailbox Compromise 2026-03-10 08:15 2026-03-10 12:45 3 3
Ransomware Endpoint Isolation 2026-03-11 01:20 2026-03-11 10:50 5 5
Privileged Account Misuse 2026-03-12 09:05 2026-03-12 16:35 4 4
Malware Beaconing Alert 2026-03-13 14:00 2026-03-13 18:10 2 3

Formula Used

MTTC = Σ(Contained Time − Detected Time) ÷ Number of Included Incidents
Weighted MTTC = Σ(Duration × Severity × Criticality) ÷ Σ(Severity × Criticality)
SLA Attainment = (Incidents Within Target ÷ Included Incidents) × 100

This calculator measures containment duration for each completed incident, then averages those durations to produce Mean Time to Contain.

Severity and criticality create an optional weight, helping you see whether high-impact incidents are taking longer to contain than low-impact ones.

Median, 95th percentile, fastest, slowest, and standard deviation add deeper operational context beyond the basic average.

How to Use This Calculator

  1. Set your SLA target in hours.
  2. Enter each incident name, detected timestamp, and contained timestamp.
  3. Assign severity and asset criticality values from 1 to 5.
  4. Exclude drills, false positives, or non-reportable cases when needed.
  5. Click Calculate MTTC to generate summary cards, a results table, and a Plotly chart.
  6. Use the CSV button to export tabular results.
  7. Use the PDF button to save a printable results snapshot.

FAQs

1) What does MTTC measure?

MTTC measures the average time required to contain confirmed security incidents after detection. It helps teams understand containment speed and operational readiness.

2) Why use detected time instead of initial compromise time?

Most teams track containment performance from detection because compromise time is often unknown. Detection-to-containment gives a more reliable operational metric.

3) What is weighted MTTC?

Weighted MTTC gives more influence to incidents with higher severity and criticality. It is useful when leadership cares more about important assets and major threats.

4) Should false positives be included?

Usually no. False positives, exercises, and invalid alerts can distort your real operational performance. Excluding them keeps the metric cleaner and more defensible.

5) Why is median containment important?

Median containment reduces the effect of rare extremes. It often shows typical team performance better than the average when a few incidents take unusually long.

6) What does the 95th percentile show?

The 95th percentile shows a near worst-case containment time. It helps identify tail risk and whether a few cases are harming service levels.

7) How should I choose SLA hours?

Choose an SLA that reflects business risk, regulatory requirements, coverage hours, staffing model, and incident class. Review it regularly as your program matures.

8) Can this support monthly reporting?

Yes. Enter incidents from one reporting period, calculate results, and export the output. Repeating this monthly supports trend reporting and leadership dashboards.

Related Calculators

Important Note: All the Calculators listed in this site are for educational purpose only and we do not guarentee the accuracy of results. Please do consult with other sources as well.