At RSA Conference 2025, we surveyed more than 70 cybersecurity professionals, asking some critical questions about their threat detection and incident response (TDIR) process. These weren’t random attendees. Every respondent was a vetted practitioner actively involved in TDIR, working directly within incident response (IR) teams or security operations centers (SOCs).
Considering the entire TDIR process below, we asked “What percentage of time is spent in the ‘analyze’ phase?”
Their responses confirmed what many in the industry already suspect: The biggest challenge in the TDIR process isn’t detection or response. It’s the analysis phase.
The Race Against Time
In today’s cybersecurity landscape, speed is everything. Attackers are moving faster, alerts are flooding security consoles, and defenders are expected to respond before meaningful damage is done. Industry metrics such as:
- MTTD: Mean time to detect
- MTTR: Mean time to respond
are routinely tracked and reported. But what about the time in between, in the analysis phase?
That’s where mean time to knowledge (MTTK) comes in. This is the time it takes an analyst to figure out what actually happened after a detection alert was triggered. It’s the analyze, or “investigation”, phase: the point where detection transitions to action. And based on our RSA Conference survey, this is where teams are spending most of their time:
- 79 percent of respondents said they spend 20 to 40 percent or more of their time in the analyze phase of incident response.
- More than half of those respondents said it was more than 40 percent.
This isn’t just a productivity issue; it’s a visibility and risk issue. Delays in understanding the threat lead to delays in containing it. And that creates a wider window of opportunity for attackers.
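To make the three metrics concrete, the following is an added illustration (not code from the original post or from NETSCOUT) that computes MTTD, MTTK and MTTR from a small set of constructed incident timelines, and reports the share of the detect-to-respond window that was spent in the analyze phase, the figure the survey asked about. The incident records, the `Incident` class and the helper names are assumptions made for this example; it also assumes MTTR is measured from the detection alert rather than from first attacker activity, since conventions differ.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import mean


@dataclass
class Incident:
    """One incident timeline (hypothetical structure for this example)."""
    name: str
    first_activity: datetime  # earliest attacker activity, established during investigation
    detected: datetime        # detection alert fired (end of MTTD window)
    understood: datetime      # analyst reached "knowledge": validity, scope, impact
    responded: datetime       # containment or response action taken


def hours(start: datetime, end: datetime) -> float:
    """Elapsed time between two timestamps, in hours."""
    return (end - start).total_seconds() / 3600.0


def mttd(incidents: list[Incident]) -> float:
    """Mean time to detect: first attacker activity -> detection alert."""
    return mean(hours(i.first_activity, i.detected) for i in incidents)


def mttk(incidents: list[Incident]) -> float:
    """Mean time to knowledge: detection alert -> analyst understands the incident."""
    return mean(hours(i.detected, i.understood) for i in incidents)


def mttr(incidents: list[Incident]) -> float:
    """Mean time to respond, measured here from the detection alert (assumption)."""
    return mean(hours(i.detected, i.responded) for i in incidents)


def analyze_share(incidents: list[Incident]) -> float:
    """Fraction of the detect-to-respond window spent in the analyze phase.

    This is the quantity the survey question targets: how much of the time
    between an alert and a response is consumed by investigation.
    """
    analysis = sum(hours(i.detected, i.understood) for i in incidents)
    total = sum(hours(i.detected, i.responded) for i in incidents)
    return analysis / total


# Constructed sample timelines; the values are invented for illustration only.
SAMPLE_INCIDENTS = [
    Incident("phishing-01",
             datetime(2025, 1, 1, 0, 0), datetime(2025, 1, 1, 6, 0),
             datetime(2025, 1, 1, 10, 0), datetime(2025, 1, 1, 11, 0)),
    Incident("lateral-02",
             datetime(2025, 1, 2, 0, 0), datetime(2025, 1, 2, 2, 0),
             datetime(2025, 1, 2, 12, 0), datetime(2025, 1, 2, 14, 0)),
    Incident("exfil-03",
             datetime(2025, 1, 3, 0, 0), datetime(2025, 1, 3, 4, 0),
             datetime(2025, 1, 3, 6, 0), datetime(2025, 1, 3, 10, 0)),
]


def report(incidents: list[Incident]) -> dict[str, float]:
    """Summarise all three means plus the analyze-phase share as a dict."""
    return {
        "mttd_hours": mttd(incidents),
        "mttk_hours": mttk(incidents),
        "mttr_hours": mttr(incidents),
        "analyze_share": analyze_share(incidents),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_INCIDENTS).items():
        print(f"{key:>14}: {value:.2f}")
```

With the constructed timelines above, MTTK (about 5.3 hours) accounts for roughly 70 percent of the detect-to-respond window, which is the kind of split the survey respondents describe; shrinking the `detected` to `understood` gap is what lowers MTTR without touching detection coverage.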
Why the “Analyze” Phase Is So Difficult
Detection is becoming more streamlined thanks to tools such as endpoint detection and response (EDR), security information and event management (SIEM), and extended detection and response (XDR) that consolidate alerts and signals. But investigation is a different challenge entirely. It requires understanding the full scope of the incident.
- Was it a real threat or a false positive?
- What did the attackers do before and after the alert?
- Did they access or exfiltrate sensitive data?
- Are they still in the environment?
Common tools such as log-based systems or endpoint agents provide only partial visibility. They are also often susceptible to evasion techniques (such as fileless malware and log manipulation) and are limited by short data retention windows. These limitations leave critical gaps in the investigation process.
This is where network data becomes invaluable.
Network Visibility: The Foundation for Knowledge
According to our survey, 84 percent of IR and SOC professionals feel that network visibility is critical to their ability to detect, investigate, and respond to threats. That’s not surprising. The network captures everything regardless of endpoint blind spots, attacker evasion, or log manipulation. But not all network data is created equal.
Packet-level data provides the most complete, unaltered record of what happened. It can’t be manipulated or erased by the attacker, and it reveals key attacker behaviors such as lateral movement, command-and-control communication, and data exfiltration.
Reduce MTTK, Reduce Risk
When you reduce MTTK, you accelerate the entire incident response lifecycle. That means less time wasted on manual analysis, fewer false positives sent up the chain, and a smaller window of opportunity for attackers to do damage.
The message from RSA 2025 couldn’t be clearer: Security teams need better tools to investigate faster. It’s no longer enough to detect a threat; you need to understand it, validate it, and use that knowledge to determine the right response and act on it without delay.
NETSCOUT Omnis Cyber Intelligence and Adaptive Threat Analytics were built to meet that need, combining comprehensive packet-level visibility with scalable analytics to power faster, more confident decisions.
Learn how NETSCOUT Omnis Cyber Intelligence can help by providing comprehensive network visibility with scalable deep packet inspection (DPI) to detect, investigate, and respond to threats more efficiently.