What does dwell time measure in incident response metrics?

Prepare for the SANS FOR508 Exam. Use flashcards and multiple-choice questions, each with hints and explanations. Maximize your readiness for the test!

Multiple Choice

What does dwell time measure in incident response metrics?

Explanation:
Dwell time measures how quickly you patch a vulnerability after it’s discovered, capturing the remediation speed of the vulnerability management process from discovery to deployment of a fix or mitigation. This metric directly shows how fast defensive actions close gaps once new information is available, helping prioritize patching and reduce exposure. In practice, you’d track the elapsed time from when vulnerability details are reported or identified to when patches are applied across affected systems. The other scenarios describe attacker presence, the initial breach, or recovery actions after compromise, which are related to different aspects of incident dynamics rather than how fast you remediate once discovery occurs.

