
Woburn, MA – May 21, 2024 – Today Kaspersky released data from its 2023 MDR Analyst Report, revealing that, last year, the Kaspersky SOC team needed an average of 36 minutes to respond to high-severity incidents, a 17% improvement from the previous year.

Every year Kaspersky prepares a report based on the analysis of MDR incidents identified by the Kaspersky SOC team. In this report, experts highlight incidents that require action from customers and divide them into high-, medium- and low-severity types. High-severity incidents are human-driven attacks or malware threats that have a significant impact on the customer’s IT systems. Medium-severity incidents show no evidence of direct human involvement in the attack but may affect the customer’s infrastructure without severe consequences, while low-severity incidents do not affect the customer’s IT systems but still require a number of precautionary measures to be taken.

According to the new report, in 2023 the Kaspersky SOC team needed an average of 36.37 minutes to report high-severity incidents. Medium-severity incidents, which are often due to malware and are the most common, saw an increase in response times from 30 to almost 33 minutes, which is explained by the general increase in the number of incidents of this type.

Finally, the lowest-severity incidents, normally the consequences of potentially unwanted software, spent more time in the queue before being analyzed by the SOC team, resulting in a waiting time of just over 48 minutes.

As for the response efficiency, approximately 74% of incidents were resolved after just one alert[1], indicating clear response scenarios and the effective termination of attacks.

Around 24% of incidents required attention based on 2-10 alerts, indicating cases where automatic resolution was not sufficient and required a human specialist’s involvement. Examples include ongoing attacks like the exploitation attempts following a network compromise or phishing campaigns, which often require manual investigation after multiple alerts.

A small proportion (2%) of incidents involved more than 10 alerts. Reasons included complex threats requiring thorough investigation before action or situations where the customer opted for monitoring only, such as in cyber exercises.

“High-severity incidents with direct human involvement must be dealt with swiftly and decisively to contain the damage and prevent the company’s financial and reputational losses,” said Sergey Soldatov, head of security operations center at Kaspersky. “This is why we always aim to reduce the response time to such critical incidents. With the multi-layered protection offered by our MDR, we can continue to fight cyber criminals effectively in this continually shifting threat landscape.”

In response to the findings of the MDR analysis, Kaspersky recommends that organizations do the following:

1. Carry out a regular inventory of membership in privileged groups, so that there is a formal procedure for privilege and access management.

2. Implement threat hunting practices in combination with classic alert-driven monitoring.

3. Conduct a range of cyber exercises to test the efficiency of the security mechanisms used in your company.

4. Adopt a multi-layered security approach to guard against incidents. This includes robust endpoint protection, network security, and threat intelligence, combined with working with cybersecurity experts.

5. If a company lacks dedicated cybersecurity staff, use managed security services such as Kaspersky Managed Detection and Response (MDR), Kaspersky Compromise Assessment and Kaspersky Incident Response to gain additional expertise and cover the entire incident management cycle, from threat identification to continuous protection and remediation.

To get more insights from the Kaspersky MDR Analyst Report 2023, please follow this link.


About Kaspersky

Kaspersky is a global cybersecurity and digital privacy company founded in 1997. With over a billion devices protected to date from emerging cyberthreats and targeted attacks, Kaspersky’s deep threat intelligence and security expertise is constantly transforming into innovative solutions and services to protect businesses, critical infrastructure, governments and consumers around the globe. The company’s comprehensive security portfolio includes leading endpoint protection, specialized security products and services, as well as Cyber Immune solutions to fight sophisticated and evolving digital threats. We help over 220,000 corporate clients protect what matters most to them. Learn more at www.kaspersky.com.



[1] An alert is an event in the organization's IT infrastructure that is marked as unusual or suspicious, and that may pose a threat to the security of the organization's IT infrastructure.

Kaspersky SOC team reduces response time to high-severity incidents by 17%
