# Security Operations Insights

In this guide, you will use Radiant Security’s Security Operations Insights to track key performance indicators that reflect security posture, attack surface, and operational efficiency. You will learn how to view and interpret:

* Incident Overview
* Response Time
* Resource Utilization

### Access Insights

To access Insights:

1. In the navigation menu, click **Insights**.

<figure><img src="/files/NteyJOeBiR15D5c6KyxK" alt=""><figcaption></figcaption></figure>

2. Select the desired time range from the drop-down to filter the dashboard data. You can choose to select a relative time range: **Last 7 Days, Last 30 Days**, **Last 90 Days**, and **Last Year** or specify your own time range using the date and time picker.

<div align="left"><figure><img src="/files/RCWnyhXfKtx2zJ4GW5Fv" alt="" width="375"><figcaption></figcaption></figure></div>

{% hint style="info" %}
**Note**: All dates are displayed in UTC time.
{% endhint %}

### Incident Overview

The Incident Overview dashboard provides a high-level summary of all incidents on a given date. It includes key metrics for the overall volume of **Alerts** and **Incidents**, \*\*\*\*and an **Alerts reduction** percentage.

<figure><img src="/files/jJmCeVLtx2Tkn1ZJtbRp" alt=""><figcaption></figcaption></figure>

It features four visualizations: **Active incidents**, **Incident management over time, Vendor false positive rate,** and **Vendor alert volume**.

#### Active incidents

This visualization provides a breakdown of open incidents according to incident type (BEC, Endpoint, Identity, Network, and Phishing). You can click on any incident type to go to the **Incidents** page where you’ll find more information about all incidents of that type within the chosen time range.

<div align="left"><figure><img src="/files/eOHzb3VNAzSKqV9EGKTT" alt="" width="375"><figcaption></figcaption></figure></div>

#### Incident management over time

This visualization displays a time series chart that shows the volume of incidents that are created and incidents that are closed.

You can view the following metrics in this visualization:

1. **Total incidents created**: The total number of incidents created on a given date.
2. **Total incidents closed**: The total number of incidents closed on a given date.
3. **Average Closure Rate**: The percentage of incidents that were closed versus created over the given time period.

Hover over the chart to open a detailed summary of incidents for a given date.

<figure><img src="/files/OGHwCVWMszdYe49G9DpM" alt=""><figcaption></figcaption></figure>

#### V**endor false positive rate**

This visualization illustrates the number of false positives (benign) versus true threats (malicious) alerts that were generated by each vendor and automatically triaged by Radiant Security.

Hover over each line in the chart to open a quick summary of false positive rates for each vendor.

<figure><img src="/files/4YVAfIWrfpRTAdsMnkjG" alt=""><figcaption></figcaption></figure>

#### **Vendor alert volume**

This visualization compares the total volume of alerts generated by each vendor. Vendors that generate a high number of alerts contribute to an increased workload for your team. Radiant Security reduces this workload through automatic triage, freeing up valuable time for your team.

**Merged alerts** group alerts related to the same incident, while **Unique alerts** represent distinct incidents.

<div align="left"><figure><img src="/files/ZxVwdufNbvyTraomzxr5" alt=""><figcaption></figcaption></figure></div>

### Response Time

Response Time provides insight into the average time it takes for your organization to detect and resolve security incidents. There are several visualizations: **MTTD**, **Industry MTTD**, and **Incident response cycle**.

#### MTTD

Mean Time to Detect (MTTD), also known as dwell time, measures the average time it takes your organization to identify a security incident. The MTTD is calculated by measuring the time it takes to detect a true positive alert, starting from the initial event that triggered the alert and continuing until the end of triage. This metric helps assess the efficiency of incident detection, with a lower MTTD indicating a more efficient incident detection capability.

<div align="left"><figure><img src="/files/e49Tm9YQYEbwkssvs2nU" alt="" width="361"><figcaption></figcaption></figure></div>

{% hint style="info" %}
**Note:** **MTTD** shows how long it takes to detect a true positive alert—from the triggering event to the end of triage. It’s measured *before* the alert reaches Radiant.
{% endhint %}

#### Industry MTTD

The Industry MTTD is a fixed value that’s calculated based on industry averages taken from the [2023 SANS Incident Response Survey](https://www.sans.org/white-papers/2023-survey-event-incident-response/). You can compare your MTTD to the industry MTTD to identify strengths and weaknesses in threat detection. A low MTTD compared to industry MTTD indicates a strong and effective security posture.

<div align="left"><figure><img src="/files/XbhbKt9tXJFQSFb23vmN" alt="" width="362"><figcaption></figcaption></figure></div>

#### Incident response cycle

This visualization provides a time series chart that compares the MTTR with the industry MTTR. You can use these metrics as benchmarks to assess your team's responsiveness.

You can view the following metrics in this visualization:

1. **MTTR**: Mean Time to Respond (MTTR) measures the average time taken to fully remediate an incident once it has been detected for your organization. An incident is considered fully remediated once all remediation tasks have been completed. A lower MTTR value indicates that the incident response process is fast and highly effective.
2. **Radiant MTTR**: The average time it takes for all Radiant Security users to fully remediate incidents after detection.
3. **Industry MTTR**: The Industry MTTR is a fixed value that’s calculated based on industry averages taken from the [2023 SANS Incident Response Survey](https://www.sans.org/white-papers/2023-survey-event-incident-response/).

Hover over the chart to open a detailed comparison of MTTR and industry MTTR for a given date.

<figure><img src="/files/HENoEqPLr3wNXt9NEebb" alt=""><figcaption></figcaption></figure>

## Resource utilization

Resource utilization provides insights into the effectiveness of your organization’s resource usage. The following visualizations are available:

1. **Total Hours saved**
2. **Cost saved**
3. **FTEs headcount saved**
4. **Automation by incident type**
5. **Tasks automated by a workflow**
6. **Tasks completed by a single-click**
7. **Tasks done manually**
8. **Tasks ignored**

{% hint style="info" %}
**Note**: Calculations for this visualization are derived from default values based on the industry averages. You can customize the default data values to get a specific overview of your savings by clicking the **View default values** option next to **Total** **Hours** **saved** or **Cost saved**.

![](/files/hc75itysss3AVEbHnblo)
{% endhint %}

#### **Total Hours saved**

`Total Hours Saved = Total Incidents Processed During an [Incident Lifecycle Stage] × Average Time (minutes) Per Incident`

This visualization provides a doughnut chart showing the total amount of hours saved by automating the incident lifecycle stages. For example, the total triage hours saved is calculated by multiplying the total number of alerts triaged by the average time it takes to manually triage an alert. Similarly, this chart breaks down the amount of hours saved for other stages of the incident lifecycle: triage, investigation, containment, and remediation.

Hovering over each section of the chart will highlight the stage of the lifecycle.

<figure><img src="/files/UcZeQDA0QJZAxmZrFokY" alt=""><figcaption></figcaption></figure>

#### **Cost saved**

`Cost saved = Total Hours Saved × Analyst’s Hourly Salary`

The total dollar amount saved by leveraging Radiant Security’s automation capability compared to manual effort. This number is calculated by the total hours saved multiplied by an analyst’s hourly salary.

<figure><img src="/files/lPkAI8QEdQmzRSomezAC" alt=""><figcaption></figcaption></figure>

#### **FTEs headcount saved**

`FTE Headcount Saved = Total Hours Saved ÷ 40`

This metric converts the amount of saved hours into the equivalent number of full-time employees (FTEs) needed to manually complete the work over a traditional 40-hour work week. This provides you with a tangible measure of workload reduction in the form of FTEs.

<div align="left"><figure><img src="/files/gIr6OnWYBJxKYcPwwZBu" alt="" width="375"><figcaption></figcaption></figure></div>

#### **Automation by incident type**

This visualization compares the type of task that was executed for each incident type. The tasks are automated, single-click, manual, or ignored.

Hover over each line in the chart to open a detailed summary of tasks executed per incident type.

<figure><img src="/files/nsLqUe0x9qxuByzaBcfT" alt=""><figcaption></figcaption></figure>

#### **Tasks automated by a workflow**

The percentage of tasks that were executed by a workflow.

#### **Tasks completed by single-click**

The percentage of remediation and containment tasks that were executed using one-click mitigation.

#### **Tasks done manually**

The percentage of tasks that were executed manually.

#### **Tasks ignored**

The percentage of tasks that were ignored.

<figure><img src="/files/NUpSUrxv7nHVBEOpT6kQ" alt=""><figcaption></figcaption></figure>

## FAQ

<details>

<summary>How often is the data updated?</summary>

Data is updated about every minute.

</details>

<details>

<summary>What time zone is the data calculated in?</summary>

All time is calculated in Universal Time Coordinated (UTC).

</details>

<details>

<summary>How is it possible to achieve an average closure rate of over 100%?</summary>

The average closure rate is calculated using the total number of incidents *created* and the total number of incidents *closed* on a given date. For example, imagine that yesterday 10 incidents were created. Today, an additional 15 incidents were created, bringing the total number of incidents to 25. Then, today all 25 incidents from the past two days were closed. The number of closed incidents exceed that of the number of created incidents on a given date. This is how the average closure rate can exceed 100%.

</details>

<details>

<summary>What else can I leverage if I want to lower my MTTR?</summary>

**Y**ou can set up automations using Workflows to reduce your MTTR. Automation allows incidents to be contained and remediated within minutes, rather than waiting on a manual response.

</details>

<details>

<summary>How are the metrics calculated?</summary>

1. **MTTD**: Measures the time it takes to detect a true positive alert, starting from the initial event that triggered the alert and continuing until the end of triage. MTTD is calculated *before* the alert reaches Radiant—it reflects the detection process itself and cannot be changed within Radiant.
2. **Industry MTTD**: A fixed value that’s calculated based on industry averages taken from the [2023 SANS Incident Response Survey](https://www.sans.org/white-papers/2023-survey-event-incident-response/).
3. **MTTR**: The average time taken to fully remediate an incident once it has been detected.
4. **Radiant MTTR**: The average time it takes for all Radiant Security users to fully remediate incidents after detection.
5. **Industry MTTR**: A fixed value that’s calculated based on industry averages taken from the [2023 SANS Incident Response Survey](https://www.sans.org/white-papers/2023-survey-event-incident-response/).
6. **Cost saved**: Cost saved = Total Hours Saved × Analyst’s Hourly Salary This metric is based on industry average. You can customize the default data values to get a specific overview of your savings. Just click the **View default values** option next to **Cost saved** to customize the default values.
7. **Total Hours saved**: Total Hours Saved = Total Incidents Processed During an \[Incident Lifecycle Stage] × Average Time (minutes) Per Incident This metric is based on industry average. For example, the total Triage hours saved is calculated by multiplying the total number of alerts triaged by the average time it takes to manually triage an alert. You can customize the default data values to get a specific overview of your savings. Just click the **View default values** option to customize the default values per incident lifecycle stage.
8. **FTEs headcount saved**: FTE Headcount Saved = Total Hours Saved ÷ 40

</details>


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://help.radiantsecurity.ai/manage-radiant/security-operations-insights.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.