How TruSTAR Uses MTTD and MTTR as North Star Metrics

The north star metrics for Data-Centric Security Automation are the minimization of MTTD (Mean Time to Detection) and MTTR (Mean Time to Resolution). At TruSTAR, we view this as a constrained optimization problem and see optimizing intelligence coverage and coverage quality as the two most important ways to achieve that goal.

To get a better understanding of what these concepts mean, how they relate to each other, and how intelligence management solutions can help, see our blog: Toward MTTD & MTTR as North Star Metrics.

Where We Are Today

For the Detection Use Case, our customers leverage TruSTAR to collect, prepare and prioritize indicators from across their external threat intel sources along with their historical events, and connect that into their lighthouse detection tools. Because the data from these sources is managed in Enclaves, our customers gain much-needed visibility into how different intelligence sources are performing in terms of coverage. Here are some examples of key metrics:


Metric                                                                                 | Impact
---------------------------------------------------------------------------------------|----------------------------------------
What are the different types of indicators your intel sources are focused on?          | Source suitability, impact on coverage
How many high priority indicators are each of your intel sources creating?             | Impact on coverage
How much of an overlap exists between the sources you subscribe to?                    | Impact on coverage
How varying are their opinions on the indicators that overlap between them?            | False positives


Some example graphs are presented here for illustrative purposes.

Indicator Types by Source

Visibility into the types of indicators that are predominant in your external threat intel sources is the first step toward optimizing coverage to advance Data-Centric Security Automation.   

Source Coverage by Indicator Type

Naturally, you want to make sure you have strong alignment between your threat intel sources and the detection and response tools as destinations. File hashes, bitcoin addresses and malware names may be valuable for some tools and workflows, while IPs and URLs may be more relevant for others. 

Sources by Priority Score

You’ll also want to see which of your sources are providing strong opinions or labels in the form of scores for your currently unlabeled data. 

In the above three graphs, you can see that Facebook ThreatExchange has an outsized number of email addresses with high maliciousness scores. This can help align FBTX with certain use cases, such as triaging suspicious emails reported to the Security Operations Center.

Where We’re Going Tomorrow

While this baseline level of visibility is critical, it’s only the beginning. In the coming months, we’ll be making more investments and releasing more features designed to help customers optimize their Coverage and drive down MTTD and MTTR.

  • With visibility into which indicator types matter most, we can match our customers with the intel sources that fit their needs best - even sources outside of the customers’ current subscribed sources.
  • With feedback from detection and response tools, our customers will see the false positive rate from each intel provider - and TruSTAR will recommend tuning and weighting strategies to minimize noise, FPs and therefore, MTTR.
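The four coverage metrics from the table above (indicator types per source, high-priority counts, overlap between sources, and disagreement on overlapping indicators), together with the per-source false positive rate and weighting idea in the bullets, as an added worked example that is not TruSTAR's own code. It assumes a small constructed feed from hypothetical sources feed_a, feed_b and feed_c with placeholder indicator values, a high-priority threshold of 70, and a constructed set of true/false-positive feedback; the precision-based weight at the end is one simple tuning strategy chosen for illustration, not the platform's recommendation logic.

```python
"""Coverage and quality metrics over threat-intel sources (constructed example)."""
from collections import Counter, defaultdict
from itertools import combinations

# Constructed sample feed: (source, indicator_type, value, maliciousness score 0-100).
# Sources and values are placeholders, not real providers or IoCs.
INDICATORS = [
    ("feed_a", "ip",    "203.0.113.10",          90),
    ("feed_a", "ip",    "203.0.113.11",          40),
    ("feed_a", "url",   "http://bad.example/x",  85),
    ("feed_a", "email", "phish@example.net",     95),
    ("feed_b", "ip",    "203.0.113.10",          30),
    ("feed_b", "ip",    "203.0.113.12",          70),
    ("feed_b", "hash",  "0" * 64,                80),
    ("feed_b", "url",   "http://bad.example/x",  88),
    ("feed_c", "email", "phish@example.net",     92),
    ("feed_c", "email", "spam@example.org",      75),
    ("feed_c", "email", "other@example.org",     50),
]

HIGH_PRIORITY = 70  # assumed score threshold for "high priority"


def types_by_source(indicators):
    """Metric 1: which indicator types each source is focused on."""
    out = defaultdict(Counter)
    for src, itype, _value, _score in indicators:
        out[src][itype] += 1
    return {s: dict(c) for s, c in out.items()}


def high_priority_by_source(indicators, threshold=HIGH_PRIORITY):
    """Metric 2: how many high-priority indicators each source contributes."""
    counts = Counter()
    for src, _itype, _value, score in indicators:
        if score >= threshold:
            counts[src] += 1
    return dict(counts)


def _scores_by_source(indicators):
    """Map source -> {(type, value): score} so overlaps can be computed by key."""
    out = defaultdict(dict)
    for src, itype, value, score in indicators:
        out[src][(itype, value)] = score
    return out


def overlap_by_pair(indicators):
    """Metric 3: Jaccard overlap of indicator sets for every pair of sources."""
    by_src = _scores_by_source(indicators)
    result = {}
    for a, b in combinations(sorted(by_src), 2):
        sa, sb = set(by_src[a]), set(by_src[b])
        union = sa | sb
        result[(a, b)] = len(sa & sb) / len(union) if union else 0.0
    return result


def score_disagreement(indicators, max_gap=20):
    """Metric 4: shared indicators whose scores differ by more than max_gap points."""
    by_src = _scores_by_source(indicators)
    disputed = []
    for a, b in combinations(sorted(by_src), 2):
        for key in set(by_src[a]) & set(by_src[b]):
            gap = abs(by_src[a][key] - by_src[b][key])
            if gap > max_gap:
                disputed.append((key, a, by_src[a][key], b, by_src[b][key]))
    return disputed


# Constructed feedback from detection/response tools: (source, value, was_true_positive).
FEEDBACK = [
    ("feed_a", "203.0.113.10", True),
    ("feed_a", "203.0.113.11", False),
    ("feed_a", "http://bad.example/x", True),
    ("feed_b", "203.0.113.10", False),
    ("feed_b", "203.0.113.12", False),
    ("feed_b", "http://bad.example/x", True),
    ("feed_c", "phish@example.net", True),
    ("feed_c", "spam@example.org", True),
]


def false_positive_rate(feedback):
    """Share of a source's alerted indicators that analysts marked as false positives."""
    fps, total = Counter(), Counter()
    for src, _value, true_positive in feedback:
        total[src] += 1
        if not true_positive:
            fps[src] += 1
    return {s: fps[s] / total[s] for s in total}


def source_weights(feedback):
    """Weight each source by its observed precision (1 - FP rate); an assumed strategy."""
    return {s: round(1.0 - fpr, 3) for s, fpr in false_positive_rate(feedback).items()}


if __name__ == "__main__":
    print("types:", types_by_source(INDICATORS))
    print("high priority:", high_priority_by_source(INDICATORS))
    print("overlap:", overlap_by_pair(INDICATORS))
    print("disputed:", score_disagreement(INDICATORS))
    print("weights:", source_weights(FEEDBACK))
```

On the constructed data, feed_a and feed_b share a third of their indicators and disagree sharply on one IP, while feed_c contributes only email addresses with no false positives, so it ends up with the highest weight; that is the kind of signal that would steer a source toward a phishing-triage use case rather than a network-detection one.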

As our customers adopt a Data-Centric Security Automation approach and integrate more of their detection and response tools, TruSTAR will return increasing signal on how to leverage existing sources, reduce redundancies and recommend new sources to expand Coverage in a way that optimizes your investments in intelligence.

For more information on how TruSTAR’s Intelligence Management Platform can help your organization reduce MTTD and MTTR, reach out to us at
