Mean time to contain

Mean time to contain is the average time it takes to limit an incident after it is detected or suspected. It is a practical resilience metric because it reflects how quickly teams can reduce attacker reach, protect critical identities, and prevent one compromise from spreading further.

Expanded Definition

Mean time to contain measures the average interval between detecting or suspecting an incident and reducing its operational reach. In NHI security, the metric is less about closure and more about limiting blast radius across service accounts, tokens, API keys, certificates, and delegated agent permissions. It is closely related to incident response maturity, but it is not the same as mean time to recover, which focuses on restoring normal operations after containment is complete. In practice, teams use this metric to judge whether identity boundaries, credential revocation paths, and isolation procedures are fast enough to stop attacker movement. The NIST Cybersecurity Framework 2.0 treats response and recovery as distinct functions, which helps explain why containment speed deserves its own measurement. Definitions vary across vendors when applied to agentic systems, especially where an AI agent can keep executing after initial detection unless tool access is revoked immediately. The most common misapplication is treating mean time to contain as a general help desk response metric, which occurs when teams measure ticket acknowledgement instead of attacker isolation.

Examples and Use Cases

Implementing mean time to contain rigorously often introduces operational friction, because faster containment can require aggressive credential rotation, service interruption, or temporary isolation of active workloads.

  • An exposed cloud access key is detected in logs, and the incident team revokes the key, blocks related sessions, and isolates affected roles before lateral movement can begin.
  • An AI agent is suspected of abusing a compromised token, so its tool permissions are suspended while investigators validate whether the token was used for model abuse or data exfiltration.
  • A leaked secret appears in source control, and the team contains the issue by rotating credentials, invalidating downstream sessions, and checking for reuse across environments. Research on secrets handling in the State of Secrets in AppSec shows why slow secret remediation keeps exposure alive.
  • A sudden spike in suspicious API calls from a workload identity triggers containment actions that sever federation trust before additional privileges are exercised.
  • Attackers begin using publicly exposed AWS credentials within minutes; containment must therefore be measured in minutes, not days, as highlighted in the LLMjacking research.
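To make the definition and the examples above concrete, here is an added example (not code from the journal or any vendor) that computes mean time to contain from constructed incident timelines, keeps it separate from mean time to recover, and shows the ticket-acknowledgement figure that is often mistaken for it. The event labels and incident records are assumptions constructed for the example; incidents that are still uncontained are reported rather than silently dropped.

```python
from datetime import datetime, timedelta
from statistics import mean
# Constructed event labels: containment limits attacker reach; acknowledgement is a ticket signal only.
CONTAINMENT = {"key_revoked", "agent_tools_suspended", "federation_trust_severed"}
RECOVERY = {"service_restored"}
ACKNOWLEDGEMENT = {"ticket_acknowledged"}

# Constructed incident timelines: (incident_id, event, UTC timestamp).
EVENTS = [
    ("inc-1", "detected", "2025-03-01T10:00:00"),  # exposed cloud access key
    ("inc-1", "ticket_acknowledged", "2025-03-01T10:02:00"),
    ("inc-1", "key_revoked", "2025-03-01T10:14:00"),
    ("inc-1", "service_restored", "2025-03-01T13:00:00"),
    ("inc-2", "detected", "2025-03-02T08:00:00"),  # agent abusing a token
    ("inc-2", "ticket_acknowledged", "2025-03-02T08:01:00"),
    ("inc-2", "agent_tools_suspended", "2025-03-02T08:30:00"),
    ("inc-2", "service_restored", "2025-03-02T09:30:00"),
    ("inc-3", "detected", "2025-03-03T09:00:00"),  # acknowledged, never contained
    ("inc-3", "ticket_acknowledged", "2025-03-03T09:05:00"),
]

def timelines(events):
    """Map incident id -> {event name: earliest timestamp of that event}."""
    out = {}
    for inc, ev, ts in events:
        t = datetime.fromisoformat(ts)
        tl = out.setdefault(inc, {})
        tl[ev] = min(t, tl.get(ev, t))
    return out

def mean_minutes(events, actions):
    """Average minutes from 'detected' to the first event in `actions`.
    Returns (mean or None, ids of incidents with no such event yet)."""
    durations, still_open = [], []
    for inc, tl in timelines(events).items():
        hits = [t for ev, t in tl.items() if ev in actions]
        if not hits:
            still_open.append(inc)  # open incidents must not shrink the average
            continue
        durations.append((min(hits) - tl["detected"]) / timedelta(minutes=1))
    return (mean(durations) if durations else None), still_open

def containment_report(events=EVENTS):
    """MTTC next to MTTR and the help-desk MTTA it is commonly confused with."""
    mttc, uncontained = mean_minutes(events, CONTAINMENT)
    mttr, _ = mean_minutes(events, RECOVERY)
    mtta, _ = mean_minutes(events, ACKNOWLEDGEMENT)
    return {"mttc_min": mttc, "mttr_min": mttr, "mtta_min": mtta,
            "uncontained": uncontained}
```

On the constructed data the acknowledgement average is under three minutes while containment averages 22 minutes, which is exactly the gap the misapplication hides.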

Why It Matters in NHI Security

Mean time to contain is a governance signal because NHI incidents often spread faster than human account incidents. A compromised secret can authenticate instantly, and an over-privileged agent may continue acting until its tokens, keys, or delegated scopes are revoked. That makes containment speed a direct indicator of whether identity controls are actually enforceable under pressure. It also exposes whether secrets are centralized, whether revocation is automated, and whether the organisation can separate detection from disruption without waiting on manual approvals. NHI Management Group research in The State of Secrets in AppSec found that the average estimated time to remediate a leaked secret is 27 days, which is far too slow for active compromise. The DeepSeek breach is a reminder that exposed credentials and data can quickly create a containment problem far beyond the original incident. Organisations typically encounter the importance of this metric only after a token leak, agent misuse, or cloud credential exposure has already triggered live attacker activity, at which point addressing mean time to contain becomes operationally unavoidable.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

The OWASP Non-Human Identity Top 10 addresses the attack and risk surface, while NIST CSF 2.0 and NIST Zero Trust (SP 800-207) set the governance and control requirements practitioners need to meet.

| Framework | Control / Reference | Relevance |
| --- | --- | --- |
| NIST CSF 2.0 | RS.MI | Containment maps to response mitigations that limit incident impact and spread. |
| OWASP Non-Human Identity Top 10 | NHI-02 | Secrets exposure and rapid revocation are core to NHI containment practices. |
| NIST Zero Trust (SP 800-207) | SC.L2 | Zero Trust limits attacker movement by rapidly tightening access boundaries. |

Use containment metrics to verify that access can be curtailed immediately after suspicion.