Close Menu
    Friday, April 17
    Book cover: The Reliability Operating Model
    Reliability is an operating model problem
    The Reliability Operating Model
    How Leaders Build Decision Loops Under Load • Nathan J. Reuck
    Most organizations do not fail because they lack talent or technology. They fail because decision making collapses under pressure. This book shows how high performing teams capture decisions, manage authority, coordinate action, and preserve clarity when signals are noisy and time is compressed.
    Incident command Escalation paths Decision records Leadership behaviors under load
    View on Amazon Incident command articles
    For senior engineers, SRE leaders, engineering managers, and executives accountable for uptime and outcomes.
    AIOps

    MTTD Is Lying to You. And It’s Costing You Incidents You Never See.

    Nate ReuckBy Updated:No Comments5 Mins Read14 Views
    Server rack with blinking green monitoring lights in a dark data center
    Photo by Domaintechnik Ledl.net on Unsplash

    Mean Time to Detect looks like control. A clean number that says you are catching problems quickly.

    Most teams are not measuring detection. They are measuring when someone finally reacts. That gap is where outages grow teeth.

    If you want MTTD to mean anything, you need to redefine it, expose where it breaks, and remove the friction that keeps your team from acting.

    The definition everyone avoids

    Here is the version that actually matters:

    MTTD is the time from first observable symptom to first meaningful action.

    Not when the alert fires. Not when PagerDuty triggers. Not when someone acknowledges.

    When something is wrong and someone does something about it.

    A real timeline, not the one in your dashboard

    This is what actually happens:

    10:02  latency starts creeping
10:03  alert fires
10:05  someone glances and ignores it
10:09  error rate increases, second alert triggers
10:10  Slack chatter starts
10:11  someone joins and begins investigation

    Most dashboards say MTTD is near zero.

    Reality is nine minutes.

    That gap is where your system degraded quietly, your customers felt it, and your team hesitated.

    Detection is where belief begins

    Your systems usually surface signals early. Metrics drift. Queues build. Logs point to trouble before users complain.

    Detection does not happen when the signal exists. It happens when someone trusts it enough to act.

    That trust step is where time disappears.

    Most teams do nothing to optimize it.

    Why MTTD stalls even as tooling improves

    You add better Observability. Faster pipelines. More dashboards. Smarter alerts.

    MTTD barely moves.

    Because the constraint is no longer technical. It is behavioral.

    Engineers hesitate when alerts are noisy, when ownership is unclear, when past alerts were wrong, or when the first step is not obvious.

    That hesitation is your MTTD.

    You do not fix it with more data. You fix it by making action obvious and low-risk.

    Alerting is a trust contract

    Every alert makes a promise.

    “If this fires, you should act immediately.”

    Most alerts break that promise.

    They fire too often, lack context, and require interpretation. Engineers learn to wait for confirmation instead of acting.

    If an alert does not trigger immediate, confident action, it is not detection. It is noise.

    The real shape of MTTD

    Detection is a chain:

    • A signal exists
    • It becomes observable
    • An alert triggers
    • Someone sees it
    • Someone believes it
    • Someone acts

    Most teams optimize the first half.

    The second half dominates.

    You can have perfect telemetry and still have SLOw detection because belief and action are slow.

    Noise erodes trust

    False positives do more than annoy. They train your team not to trust the system.

    Response shifts from immediate action to delayed validation. Eventually, engineers rely on secondary signals like Slack chatter or customer reports.

    At that point, your monitoring system is no longer your primary detection mechanism.

    You fix this by being strict:

    • If an alert does not require immediate action, it should not page
    • If the right response is “watch it,” it should not interrupt
    • If it cannot be trusted without digging, it is not ready

    Trust is the currency of detection.

    Architecture shapes detection

    Detection quality follows system design.

    Tightly coupled systems fail ambiguously. Signals overlap. Ownership is unclear. Engineers slow down because they have to think.

    Well bounded systems fail clearly. Signals map to components. Ownership is obvious. The path forward is immediate.

    MTTD improves because interpretation disappears.

    The fastest teams remove decisions

    Strong SRE teams focus on clarity, not perfection.

    When an alert fires, the next step is obvious:

    • What broke
    • Who owns it
    • What to check first

    They tolerate some noise only when validation is fast.

    If confirmation takes seconds, engineers act. If it takes minutes, they hesitate.

    The goal is not zero false positives. It is zero hesitation.

    Where AI actually helps

    Most teams try to improve detection by adding signals.

    The real opportunity is removing hesitation automatically.

    • Attach context to alerts
    • Surface likely root causes from past incidents
    • Show the first action, not just the symptom
    • Collapse multiple signals into one clear problem

    The win is not faster alerting.

    The win is faster belief.

    What to change this week

    Do not redesign everything. Fix the points of hesitation.

    • Redefine MTTD as “first symptom to first action” and measure it against real incidents
    • Audit paging alerts and remove anything that does not require immediate action
    • Force every paging alert to answer three questions: what broke, who owns it, what is the first action
    • In incident reviews, replace timeline discussions with one question: where did we hesitate and why

    If you do only this, your MTTD will move.

    What good actually feels like

    You will see it before you measure it.

    • Incidents are caught before customers notice
    • Alerts trigger immediate action without debate
    • Ownership is never questioned
    • Runbooks are used in the first minutes
    • There is no waiting for confirmation

    At that point, MTTD becomes a byproduct of a system people trust.

    The line to remember

    MTTD is not detection.

    It is the delay between knowing and believing.

    Fix that, and the number takes care of itself.

    Stay Sharp

    New articles on AIOps and SRE, straight to your inbox.

    Practical content for practitioners. No noise, no vendor pitches.

    No spam. Unsubscribe any time.

    Share.

    Nate Reuck is a Senior SRE and Incident Management leader with deep experience operating large-scale cloud platforms and distributed systems. He specializes in reliability engineering, incident response, on-call operations, and building durable operating models that scale. Nate's focus is reducing toil, improving MTTR, and turning incidents into repeatable learning through strong runbooks, automation, and clear ownership. He works closely with engineering, product, and partner teams to align reliability with real business outcomes, and believes strong systems, clear decision paths, and empowered teams win over heroics. Nate is also an author, builder, and lifelong learner with a passion for technology, systems thinking, and continuous improvement.

    Related Posts

    Comments are closed.

    Get new articles by email: