What does dwell time measure in incident response metrics?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

What does dwell time measure in incident response metrics?

Explanation:
Dwell time measures how quickly you patch a vulnerability after it’s discovered, capturing the remediation speed of the vulnerability management process from discovery to deployment of a fix or mitigation. This metric directly shows how fast defensive actions close gaps once new information is available, helping prioritize patching and reduce exposure. In practice, you’d track the elapsed time from when vulnerability details are reported or identified to when patches are applied across affected systems. The other scenarios describe attacker presence, the initial breach, or recovery actions after compromise, which are related to different aspects of incident dynamics rather than how fast you remediate once discovery occurs.

