Description
Cisco is continually refining our approach to measuring TTD so that we
can ensure we are tracking and reporting the most accurate estimate of
our median TTD. Recent adjustments to our approach have increased our
visibility into files that were categorized as “unknown” when first seen
and then later identified as “known bad” after continuous analysis and
global observation. With a more holistic view of data, we are better
able to pinpoint when a threat first emerged and exactly how long it
took for security teams to determine that it was a threat.
...
Cisco defines “time to detection,” or TTD, as the window of time
between a compromise and the detection of a threat. We determine this
time window using opt-in security telemetry gathered from Cisco security
products deployed around the globe. Using our global visibility and a
continuous analytics model, we are able to measure the time from the
moment malicious code runs on an endpoint to the moment it is determined
to be a threat, for all malicious code that was unclassified at the time
of encounter.
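
The following is an added example, not Cisco's code or its actual pipeline, showing one way a median TTD could be computed from telemetry of the kind described above. The event names (`seen`, `verdict`), the record layout and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed telemetry (not real data): (file_id, timestamp, event, disposition).
# "seen"    = file ran on an endpoint, with the disposition it had at that moment.
# "verdict" = continuous analysis later changed the file's disposition.
EVENTS = [
    ("file-a", "2024-03-01T08:00", "seen", "unknown"),
    ("file-a", "2024-03-01T09:30", "seen", "unknown"),    # second endpoint, later
    ("file-a", "2024-03-01T14:00", "verdict", "known bad"),
    ("file-b", "2024-03-02T10:00", "seen", "unknown"),
    ("file-b", "2024-03-02T12:00", "verdict", "known bad"),
    ("file-c", "2024-03-03T00:00", "seen", "unknown"),
    ("file-c", "2024-03-04T02:00", "verdict", "known bad"),
    ("file-d", "2024-03-03T11:00", "seen", "known bad"),  # classified at encounter
    ("file-e", "2024-03-04T09:00", "seen", "unknown"),    # never convicted
    ("file-f", "2024-03-05T09:00", "seen", "unknown"),
    ("file-f", "2024-03-05T10:00", "verdict", "known good"),
]

def ttd_per_file(events):
    """Return {file_id: timedelta} for files unknown at first sight, later known bad."""
    first_seen, convicted = {}, {}
    for file_id, ts, event, disposition in sorted(events, key=lambda e: e[1]):
        when = datetime.fromisoformat(ts)
        if event == "seen" and file_id not in first_seen:
            first_seen[file_id] = (when, disposition)    # earliest run, globally
        elif event == "verdict" and disposition == "known bad":
            convicted.setdefault(file_id, when)          # earliest conviction
    result = {}
    for file_id, (when, disposition) in first_seen.items():
        # Only files unclassified at the time of encounter count toward TTD.
        if disposition == "unknown" and file_id in convicted:
            delta = convicted[file_id] - when
            if delta >= timedelta(0):                    # drop out-of-order records
                result[file_id] = delta
    return result

def median_ttd_hours(events):
    """Median TTD in hours, or None when no file qualifies."""
    deltas = [d.total_seconds() / 3600 for d in ttd_per_file(events).values()]
    return median(deltas) if deltas else None

if __name__ == "__main__":
    print(median_ttd_hours(EVENTS))
```

Files that were already "known bad" when first seen, and files that were never convicted, are left out of the median, which is why retrospective visibility into "unknown" files changes the reported figure.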