Dwell time is the amount of time an attacker or unauthorized activity remains in the environment before being detected or removed.
In plain language, it measures how long a harmful presence stays active or unnoticed.
Dwell time matters because longer undetected activity usually means more opportunity for an attacker to move, observe, extract, or disrupt. Even when the initial compromise is limited, a long dwell time often increases the chance of broader damage.
It also matters because dwell time reflects the effectiveness of detection, response speed, and visibility. Organizations use it as one way to think about how quickly suspicious activity becomes visible and actionable.
Dwell time appears in Threat Hunting, incident metrics, post-incident analysis, exposure reporting, and security-program maturity discussions. Teams connect it to Anomaly Detection, Indicators of Compromise, Containment, Cloud Detection and Response, and Attack Graph.
Security teams often look at dwell time during post-incident review because it helps reveal where detection, escalation, or investigation should have happened sooner.
A suspicious administrative session begins on Monday but is not recognized as malicious until Thursday, after unusual cloud activity and lateral access attempts are correlated. The incident’s dwell time covers that gap between compromise and detection.
Dwell time is not the same as total incident duration. An incident may continue after detection while response and recovery are underway. Dwell time focuses on the period before the activity is found or stopped.
It is also different from Containment. Containment is the action taken to limit harm. Dwell time measures how long the threat remained present before that happened.
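To make the distinctions above concrete, here is an added example (not part of the original page) that computes dwell time, total incident duration, and time to contain from an incident timeline. It assumes the dwell window ends at the earlier of detection or removal, as the definition states, and uses constructed dates for the Monday-to-Thursday scenario plus two further hypothetical incidents.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median
from typing import Optional


@dataclass
class Incident:
    name: str
    compromised: datetime                  # first evidence of unauthorized presence
    detected: Optional[datetime] = None    # when the activity was recognized as malicious
    contained: Optional[datetime] = None   # when harm-limiting action took effect
    closed: Optional[datetime] = None      # when response and recovery finished


def dwell_time(inc: Incident) -> Optional[timedelta]:
    """Compromise until the activity was found or stopped, whichever came first."""
    ends = [t for t in (inc.detected, inc.contained) if t is not None]
    if not ends:
        return None  # neither found nor removed yet: the dwell window is still open
    end = min(ends)
    if end < inc.compromised:
        raise ValueError(f"{inc.name}: detection or containment precedes compromise")
    return end - inc.compromised


def incident_duration(inc: Incident) -> Optional[timedelta]:
    """Whole incident, including response and recovery after detection."""
    return None if inc.closed is None else inc.closed - inc.compromised


def time_to_contain(inc: Incident) -> Optional[timedelta]:
    """Detection to containment; not part of dwell time (negative if containment came first)."""
    if inc.detected is None or inc.contained is None:
        return None
    return inc.contained - inc.detected


def median_dwell(incidents) -> Optional[timedelta]:
    """Program-level metric: median over incidents whose dwell window has closed."""
    values = [d for d in map(dwell_time, incidents) if d is not None]
    return median(values) if values else None


# Constructed sample timeline (hypothetical dates): the Monday-to-Thursday admin session,
# an incident stopped by an automated control before analysts flagged it, and one still open.
INCIDENTS = [
    Incident("admin-session", datetime(2024, 3, 4, 9, 0), detected=datetime(2024, 3, 7, 14, 30),
             contained=datetime(2024, 3, 7, 18, 0), closed=datetime(2024, 3, 12, 9, 0)),
    Incident("auto-revoked", datetime(2024, 3, 10, 0, 0), contained=datetime(2024, 3, 10, 6, 0),
             detected=datetime(2024, 3, 10, 8, 0)),
    Incident("still-open", datetime(2024, 3, 11, 12, 0)),
]
```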