What does dwell time refer to in threat hunting?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

What does dwell time refer to in threat hunting?

Explanation:
Dwell time is the period an attacker remains in the environment without being detected. It captures the span from the initial foothold or breach to the moment the intrusion is detected and containment begins. This metric shows how effective your monitoring and threat hunting are at spotting intrusions early; shorter dwell time means faster detection, less opportunity for lateral movement, and reduced risk of data exfiltration. It’s not about how long you wait to patch something, isolate a system after detection, or file a report—the focus is on how long the attacker stays hidden inside. In practice, dwell time can range from minutes to days or weeks, and reducing it is a primary goal of proactive hunting, improved visibility, and proactive detection techniques.

