Ten minutes to validate. Sixty minutes to contain. That's all the time you have between initial detection and business-critical damage when facing modern cyber attacks. The 10/60 rule isn't just another security framework. It's the difference between stopping a breach and explaining one to regulators.

While ransomware groups can encrypt entire networks in under an hour and business email compromise (BEC) attacks occur in real-time, most organizations still take days or weeks to detect intrusions. Master these two benchmarks, and you transform security incidents from business disasters into manageable events.

Let’s understand what is 10/60 in detail and how it can help improve incident response times.

The 10/60 framework gives security teams two actionable benchmarks: validate a threat within 10 minutes and contain it within 60. This model focuses on realistic goals that drive faster, more effective response. To consistently hit these targets, organizations must streamline tools, improve coordination, and eliminate bottlenecks.

These are the core elements that make 10/60 achievable:

• Start With Rapid Validation: The first goal is confirming a threat within 10 minutes. It requires clear triage workflows and immediate access to relevant data. Analysts need contextualized alerts, unified visibility, and reduced noise so they can focus on what matters and act without delay.
  
  

• Prioritize Fast Containment And Recovery: The 60-minute window calls for more than detection. Teams must isolate compromised assets, remove malicious access, and initiate system recovery quickly. Delayed action gives attackers time to entrench and expand, turning minor intrusions into major breaches.
  
  

• Close Technology and Process Gaps: Many security teams still rely on siloed tools, manual investigation steps, and limited automation, barriers that make 10/60 performance nearly impossible. Alert fatigue, slow correlation across systems, and fragmented response workflows create costly delays.
  
  

• Invest in People and Preparedness: Even with advanced tooling, skilled analysts and disciplined playbooks are essential. Ongoing training, well-documented procedures, and routine exercises prepare teams to act under pressure and reduce time-to-containment in real-world scenarios.

Reaching 10/60 isn’t just about speed. It’s about building a response model that’s fast, focused, and repeatable. When technology, process, and people align, organizations gain the ability to contain threats before they escalate, reducing impact and reinforcing resilience.

Faster detection limits the damage attackers can cause. The quicker a threat is identified, the less time it has to escalate privileges, move across systems, or steal sensitive data. Catching a breach in its first minutes often means stopping it before any serious harm is done.

Despite this, many threats go undetected for weeks or even months. Some studies show average detection times still range from 13 to nearly 200 days giving attackers ample time to operate unnoticed. Nearly half of organizations report that slow detection directly increases the impact of a breach.

Many attacks move fast. A phishing email can lead to credential theft and cloud access in minutes. Ransomware may begin encrypting files within half an hour. Business email compromise and insider threats can unfold before monitoring systems even register suspicious behavior.

Modern attackers use automated toolkits to speed up every step, from lateral movement to data exfiltration. Traditional defenses struggle to keep up. Real-time analytics and automated investigation are now essential to reach the ten-minute detection goal, cutting off threats before they escalate and controlling the cost of response.

Stopping a threat within the first hour prevents it from spreading. Quick containment blocks key attacker actions like moving laterally, stealing data, escalating privileges, or launching ransomware before they cause real damage. Shrinking this breakout window reduces the impact, cost, and recovery time of an incident.

A strong 60-minute response follows a set sequence. It starts with isolating affected systems and suspending compromised accounts. Next comes capturing evidence for forensics, removing malware, fixing exploited vulnerabilities, and restoring clean systems. Throughout, key stakeholders are kept informed so response stays coordinated.

Manual steps alone rarely meet the one-hour target. Automated playbooks in SOAR and EDR platforms handle tasks like isolating networks or resetting credentials as soon as a threat is confirmed. Context such as affected systems, attack method, and business priority, is surfaced immediately to help analysts act faster.

Each minute saved reduces downtime, lowers costs, and limits fallout. Hitting the 60-minute mark turns response from recovery into prevention.

Hitting the 10/60 benchmark, detecting threats within 10 minutes and containing them within 60, requires a strong foundation of visibility, automation, preparation, and discipline. These strategies build the speed and structure needed to respond with confidence.

• Deploy Real-Time Visibility Across Your Entire Environment: Feed telemetry from endpoints, networks, and cloud services into a centralized console. This unified view ensures alerts appear quickly and provides the context needed to identify privilege abuse, lateral movement, or malware activity before it spreads.
  
  

• Shift From Rule-Based Filters to Behavioral Analytics: Use platforms that learn normal activity patterns and highlight subtle deviations, such as off-hours logins or unauthorized file transfers. These systems reduce false positives and help analysts focus on high-impact threats with greater efficiency.
  
  

• Turn Playbooks Into Muscle Memory: Document every response step, assign clear responsibilities, and pre-authorize actions like isolating devices or disabling accounts. Consistent use of scripted procedures shortens decision time and prevents escalation during critical incidents.
  
  

• Infuse Threat Intelligence Into Detection and Response: Automate the flow of attacker tactics, techniques, and indicators into your security stack. Correlating fresh threat data with internal activity improves accuracy and speeds up threat validation.
  
  

• Drill Regularly and Refine After Every Incident: Run tabletop exercises each quarter to validate workflows, surface process gaps, and reinforce team readiness. Follow every drill or incident with a post-mortem, update your playbooks, and retrain staff to strengthen future response efforts.

Consistent 10/60 performance doesn’t come from one-time changes. It grows through deliberate practice, ongoing adjustment, and a commitment to continuous improvement.

You prove progress toward the 10/60 benchmark by measuring a small set of time-based indicators and sharing them with leadership in plain business language. These include:

• Mean Time to Detect (MTTD) measures how long, on average, it takes you to surface a new threat. Traditional industry averages stretch to 197 days—a gap you close only with real-time monitoring and automation.

• Mean Time to Investigate (MTTI) tracks the minutes between detection and validated understanding of scope and impact. Ten minutes is the goal; anything longer erodes precious containment time.

• Mean Time to Respond (MTTR) represents the clock that matters most to the business: how quickly you fully contain or eradicate the threat. Your target is 60 minutes, far below the multi-day response times that some organizations still experience with legacy processes.

• Dwell Time measures total attacker presence in the environment. Driving dwell time toward zero limits data loss and legal exposure.

• False Positive Rate tracks the percentage of alerts you dismiss as benign. Lowering it frees analysts to focus on high-fidelity events and accelerates every other metric.

Track these KPIs against an initial baseline, chart improvement quarterly, and benchmark against established frameworks. Translate each gain into business impact—fewer outages, smaller breach-response bills, and stronger compliance posture and then package the story for executives. Regular metric reviews secure budget for the automation, staff, and training that keep you on pace for 10/60.

Abnormal’s behavioral AI accelerates threat detection and response, aligning with the 10/60 incident response model. By analyzing user behavior across platforms like email, Slack, and Teams, it quickly identifies anomalies that indicate compromise.

Powered by large language models and graph intelligence, Abnormal delivers context-rich, real-time threat detection, surpassing the limits of signature-based tools. Intelligent alert prioritization reduces false positives and streamlines investigations with clear, actionable context.

The result: faster, more effective responses that keep your organization ahead of evolving threats.

Request a demo to see how Abnormal can elevate your security operations.