Dwell time is dead. Dwell cost is the metric.
The shift from how-long-did-they-stay to how-deep-did-they-reach. A new SOC measurement model built on blast radius.
Dwell time — the interval between intrusion and detection — was the SOC industry's favorite slide for a decade. It is a lagging indicator that rewards the wrong behaviors.
01 Why dwell time was the wrong metric
Two intrusions with identical dwell times can have vastly different impact. A week of loitering in a jump box is not the same as a week inside your identity provider.
02 What dwell cost measures
Dwell cost is the integral of blast radius over time: what the adversary could reach, weighted by sensitivity, multiplied by how long they had access.
03 Operating on it
Dwell cost is computable in real time from segmentation graphs, identity graphs, and asset sensitivity labels you already maintain.
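An added example, not code from this article: one way to compute dwell cost as defined in section 02, treating blast radius as piecewise constant between the moments the adversary gains a new foothold. The asset names, sensitivity weights, edge map (segmentation and identity reachability merged into one graph) and timelines are constructed assumptions.

```python
from collections import deque

# Constructed sample data: directed "can reach" edges, merged from a
# segmentation graph and an identity graph (assumption, not from the article).
REACH = {
    "jump-box": ["build-server"],
    "build-server": [],
    "idp": ["hr-db", "payments-db", "build-server"],
    "hr-db": [],
    "payments-db": [],
}
# Constructed asset sensitivity labels, as unitless weights.
SENSITIVITY = {"jump-box": 1, "build-server": 3, "idp": 10,
               "hr-db": 8, "payments-db": 9}


def blast_radius(footholds, reach=REACH, sensitivity=SENSITIVITY):
    """Sensitivity-weighted sum of every asset reachable from the footholds."""
    seen, queue = set(footholds), deque(footholds)
    while queue:
        node = queue.popleft()
        for nxt in reach.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return sum(sensitivity[asset] for asset in seen)


def dwell_cost(events, detected_at, **graphs):
    """Integrate blast radius over time, in sensitivity-hours.

    events: (hour, asset) pairs marking when each foothold was gained.
    detected_at: hour of detection, or "now" for a running total.
    """
    events = sorted(events)
    footholds, cost = set(), 0.0
    for i, (t, asset) in enumerate(events):
        if t >= detected_at:
            break  # footholds gained after detection add nothing
        footholds.add(asset)
        nxt = events[i + 1][0] if i + 1 < len(events) else detected_at
        cost += blast_radius(footholds, **graphs) * (min(nxt, detected_at) - t)
    return cost
```

With these weights, a 168-hour dwell on the jump box and a 168-hour dwell in the identity provider have the same dwell time but dwell costs of 672 and 5040 sensitivity-hours.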