What is dwell time for cybersecurity?

Dwell time refers to the amount of time a malicious actor has access to a compromised system before an MSP detects a threat. The longer the dwell time, the more opportunity an attacker has to cause damage, steal sensitive information, and spread harmful software and viruses to other parts of a company’s network.

Dwell time definition

Dwell time measures the period during which cyber criminals have free access to a system — from initial or presumed penetration to detection. 

Any amount of dwell time is an opportunity for cyberthieves wielding increasingly sophisticated threat technology to drain a company of funds, functionality, and highly sensitive information. As a result, dwell time is always an issue, even if it is down on average overall in recent years.

Why dwell time matters for cybersecurity

Reducing dwell time is an important part of effective cybersecurity management. Dwell time matters in cybersecurity because the longer a breach remains undetected, the more time an attacker has to cause harm. During this period, attackers can:

  • Steal sensitive information: Attackers can use the time they have on a compromised system to steal sensitive information, such as financial data, personal information, intellectual property, and trade secrets.
  • Spread the attack: Attackers can use the compromised system as a beachhead to spread the attack to other systems within the network, potentially compromising entire organizations.
  • Escalate privileges: By compromising a single system, attackers may be able to escalate their privileges and gain access to other parts of the network.
  • Install malicious software: Attackers can use the time they have on a system to install malware or other malicious software that can further compromise the network and steal information.
  • Damage systems: Attackers can also use the time they have on a system to cause damage to systems, applications, and data.

Any one of these issues can cause major problems for an organization. As a result, reducing dwell time is crucial for limiting the damage caused by a breach and mitigating risk. By detecting and responding to breaches quickly, MSPs can prevent attackers from causing significant harm and limit the spread of an attack.

How MSPs can reduce dwell time for their clients

MSPs play a crucial role in helping their clients reduce dwell time in order to minimize the impact of cyber attacks. ConnectWise’s cybersecurity center explains our process in detail and some of the tools we offer to support in this area.

The job of an MSP, in terms of reducing dwell time and minimizing the destruction of a cyberattack, is a three-pronged operation that includes: 

Below are some general steps MSPs take to reduce dwell time for their clients.


Threat detection is all-important. Threat detection steps MSPs can take include: 

  • Implement real-time monitoring: MSPs can implement real-time monitoring of clients' networks, using security information and event management (SIEM) tools and intrusion detection systems (IDS). These tools can alert MSPs to potential breaches, allowing them to respond quickly and reduce dwell time.
  • Use endpoint protection: MSPs can deploy endpoint protection solutions, such as antivirus and anti-malware software, on clients' systems to detect and prevent attacks in real-time.
  • Use managed detection and response (MDR) services: Managed detection and response services combine security operation centers (SOC) and cybersecurity tech in order to provide 24/7 cybersecurity monitoring as well as eliminating and mitigating threats as they appear.
  • Conduct regular vulnerability scans: MSPs can conduct regular vulnerability scans of clients' systems to identify and address potential security weaknesses before they can be exploited.
  • Implement a backup and disaster recovery plan: MSPs can work with clients to develop and implement disaster recovery plans that outline steps to take in the event of a breach. This can help MSPs respond more quickly and reduce dwell time.
  • Regular security training: MSPs can provide regular security training to clients' employees to help them identify and respond to potential threats.
  • Update security policies: MSPs can work with clients to update and enforce security policies, including those for password management, access control, and data backup and recovery.
  • Consider SOC-as-a-service (SOCaas): SOCaaS enables organizations to get all the benefits of a SOC for full cybersecurity protection without having to build internal teams to do so.

Threat hunting

Threat hunting is a proactive approach to cybersecurity in which security teams actively search for signs of breaches in their networks, rather than simply waiting for alerts from security tools and dealing with threat effects after the fact. The goal is to detect and respond to threats before they cause significant harm.

Threat hunting teams use a combination of technologies and techniques to search for signs of potential threats, including: 

  • Reviewing logs and network traffic
  • Analyzing endpoint data
  • Using machine learning algorithms 

SOCaaS suites also offer great benefits for threat hunting, as they allow not only 24/7 support in the event of a cybersecurity incident, but also work proactively to identify potential threats and risk areas as they appear.

Once a team detects a threat, they will take these steps: 

  1. Investigation: Once a potential security threat has been identified, the threat hunter will launch a detailed investigation to determine the nature and extent of the threat. This may involve collecting additional data, analyzing system configurations, or working with other security professionals to gather more information.
  2. Containment: If a threat is confirmed, the next step is to contain it to prevent it from spreading to other parts of the network. This may involve isolating infected systems, disconnecting devices from the network, or disabling access to sensitive data.
  3. Eradication: Once the threat has been contained, the threat hunter will work to eradicate it completely. This may involve removing malware, patching vulnerabilities, or reinstalling systems.
  4. Recovery: After the threat has been eradicated, the threat hunter will work to recover any data or systems that may have been impacted. This may involve restoring backups, reconfiguring systems, or performing other recovery activities.
  5. Post-Incident Review: Finally, the threat hunter will conduct a post-incident review to evaluate the response to the threat, identify areas for improvement, and update incident response plans accordingly.

Threat hunting is an ongoing and ever-evolving process, not a case-by-case triage method. It requires full time MSP cooperation and skilled technicians. The ConnectWise CRU (Cybersecurity Research Unit) is an example of such a team of industry experts. The CRU uses a combination of seasoned cybersecurity knowledge and research of the latest trends and threats to help protect MSPs and their clients.

Incident response

Incident response refers to the way an MSP identifies, targets, and neutralizes a threat after detecting it. The goal of incident response is to: 

  • Reduce dwell time
  • Detect breaches quickly
  • Respond to them promptly in order to limit the impact of the attack 
  • Eradicate malware and malicious actors
  • Recover systems and data
  • Implement prevention measures

Incident response teams use a combination of technologies and processes to detect and respond to breaches as quickly as possible, with the goal of reducing dwell time. This may include: 

Options like ConnectWise’s Incident Response Service give MSPs immediate access to expert cybersecurity analysts in the event of a critical incident. Get support whenever you need it to help return to normal operations as quickly as possible.

Incident response protocols are similar to those threat hunters use. Incident response teams, however, put a predetermined plan into place once a threat is detected, rather than actively scanning for threats. Incident response steps include: 

  1. Triage: Once an incident has been detected, the next step is to assess the severity of the incident and determine the appropriate response. This involves gathering information about the incident, determining the scope of the breach, and prioritizing response efforts.
  2. Containment: The threat must be given as little room to spread as possible.
  3. Eradication: The threat must be neutralized.
  4. Recovery: This may involve restoring backups, reconfiguring systems, or performing other recovery activities.

It can be terrifying to identify a threat only to discover that it penetrated your organization’s systems weeks or months prior. While MSPs are working toward real-time threat identification and capture, the reality is that some threats will come in under the radar, and the damage they do will have to be mitigated where it can’t be prevented.

ConnectWise offers cybersecurity demos for those looking for just the right dwell time reduction method. Explore our website to learn more. 


In incident response, dwell time refers to the amount of time between the initial compromise of a system and the discovery of the breach. During this time, an attacker may have access to sensitive information, systems, and applications, potentially causing harm.

In threat hunting, dwell time refers to the amount of time between the initial compromise of a system and the discovery of the breach by the threat hunting team. The goal of threat hunting is to reduce dwell time and detect threats as early as possible in order to prevent or limit the damage they can cause.