The average enterprise takes 197 days to detect a breach. One hundred and ninety-seven days of an adversary operating inside the network, exfiltrating data, establishing persistence, and moving laterally through systems. By the time the breach is discovered, the damage is comprehensive and the attacker has long since achieved their objectives. The 1-10-45 standard exists to compress those 197 days into 56 minutes. One minute to detect. Ten minutes to investigate. Forty-five minutes to contain and respond.
This is not an aspirational benchmark. It is an operational standard that NINtec Cyber Security, NINtec's cybersecurity division, implements for enterprise clients. Achieving it requires a fundamentally different approach to security operations, one built on AI-powered detection, automated investigation, and orchestrated response rather than human analysts manually reviewing alerts.
The Numbers That Matter
The 197-day average mean time to detect is not a failure of security tools. Modern enterprises deploy dozens of security products: firewalls, endpoint detection, SIEM platforms, vulnerability scanners, identity management systems, and more. The problem is that these tools generate an overwhelming volume of alerts, most of which are false positives. Security operations centre (SOC) analysts spend their days triaging alerts, and the sheer volume means that genuine threats are buried in noise.
Research consistently shows that SOC analysts can effectively investigate 20 to 25 alerts per day. A mid-sized enterprise generates thousands. The mathematics is straightforward: when alert volume exceeds investigation capacity by two orders of magnitude, adversaries operate in the gap between detection and investigation. They trigger alerts that are technically correct but deprioritised because the SOC is overwhelmed. The 1-10-45 standard addresses this by automating the triage process so that human analysts focus only on confirmed, high-severity threats.
The cost of the detection gap is not abstract. Breaches discovered after 200 days cost, on average, significantly more than those discovered within 30 days. The extended dwell time allows attackers to escalate privileges, establish multiple persistence mechanisms, compromise additional systems, and exfiltrate larger volumes of data. Reducing detection time from months to minutes fundamentally changes the economics of incident response.
Why the Standard Exists
The 1-10-45 framework maps to the phases of the cyber kill chain. One minute is the detection window because modern attacks move through initial access and execution phases rapidly. If an attacker establishes a foothold and the SOC does not detect it within the first minute, the adversary begins lateral movement and privilege escalation, which are exponentially harder to contain.
Ten minutes is the investigation window because containment decisions require context. Which user account was compromised? Which systems were accessed? Is this a credential theft attack, a ransomware deployment, or a data exfiltration operation? These questions must be answered before containment actions are taken, because incorrect containment, such as isolating the wrong system, can cause business disruption without stopping the attack.
Forty-five minutes is the response window because containment must be thorough enough to prevent the attacker from re-establishing access through alternative pathways. Blocking one compromised account while the attacker holds credentials for three others is not containment. Effective response requires identifying all compromised assets, revoking all compromised credentials, and closing the initial access vector, all within a timeframe that prevents the attacker from adapting.
How NINtec Cyber Security Achieves 1-10-45
The one-minute detection target is achieved through the combined operation of two proprietary platforms. The endpoint protection platform provides continuous endpoint and network monitoring using behavioural analysis rather than signature matching. Instead of looking for known malware signatures, it identifies anomalous behaviour patterns that indicate compromise: unusual process execution chains, abnormal network connections, credential access patterns that deviate from the user's baseline, and file system modifications consistent with encryption or exfiltration.
The threat intelligence platform provides external threat intelligence and attack surface monitoring. It continuously scans the client's external-facing assets for vulnerabilities, exposed credentials, and indicators that the organisation is being targeted. When the threat intelligence platform detects reconnaissance activity or credential exposure on dark web forums, it generates pre-incident alerts that raise the SOC's readiness before an attack materialises. The combination of internal behavioural detection and external threat intelligence provides the comprehensive visibility required for one-minute detection.
The ten-minute investigation target is achieved through automated enrichment. When the endpoint protection platform generates a detection alert, the system automatically correlates it with data from every connected security tool: SIEM logs, endpoint telemetry, network flow data, identity provider logs, and cloud service audit trails. The AI investigation engine constructs a complete incident timeline, identifies all affected assets, and produces a severity assessment with recommended containment actions. The human analyst reviews a complete incident package rather than starting an investigation from scratch.
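The two stages described above, baseline-deviation detection on the endpoint (the process-chain and credential-access signals) and automated correlation of the resulting alerts into an incident package, as an added illustration that is not NINtec's code or platform logic. The telemetry, host names and users are constructed, and the baseline window, ten-minute correlation window and severity rule are assumptions chosen for the example:

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed telemetry, not real client data: (timestamp, host, user, kind, detail);
# kind "proc" has detail "parent>child", kind "logon" has detail = host logged on to.
BASELINE = [
    ("2024-05-01T09:00:00", "ws-101", "alice", "proc", "explorer.exe>outlook.exe"),
    ("2024-05-01T09:05:00", "ws-101", "alice", "proc", "outlook.exe>winword.exe"),
    ("2024-05-01T09:12:00", "ws-101", "alice", "logon", "fs-01"),
]
LIVE = [
    ("2024-05-03T09:00:00", "ws-101", "alice", "proc", "explorer.exe>outlook.exe"),
    ("2024-05-03T09:02:10", "ws-101", "alice", "proc", "winword.exe>powershell.exe"),
    ("2024-05-03T09:03:05", "ws-101", "alice", "logon", "db-01"),
    ("2024-05-03T09:03:20", "ws-101", "alice", "logon", "dc-01"),
    ("2024-05-03T11:30:00", "ws-102", "bob", "proc", "explorer.exe>chrome.exe"),  # no baseline
]

def build_baseline(records):
    """Learn each user's normal (kind, detail) behaviours from the baseline window."""
    profile = defaultdict(set)
    for _, _, user, kind, detail in records:
        profile[user].add((kind, detail))
    return profile

def detect(records, profile):
    """Alert on live events absent from the user's baseline (bob, with none, gets everything flagged)."""
    return [{"ts": datetime.fromisoformat(ts), "host": host, "user": user,
             "kind": kind, "detail": detail}
            for ts, host, user, kind, detail in records
            if (kind, detail) not in profile.get(user, set())]

def correlate(alerts, window=timedelta(minutes=10)):
    """Group a user's alerts within `window` into one incident: timeline, affected assets, severity."""
    incidents = []
    for a in sorted(alerts, key=lambda a: a["ts"]):
        for inc in incidents:
            if inc["user"] == a["user"] and a["ts"] - inc["timeline"][-1]["ts"] <= window:
                inc["timeline"].append(a)
                break
        else:
            incidents.append({"user": a["user"], "timeline": [a]})
    for inc in incidents:
        kinds = {a["kind"] for a in inc["timeline"]}
        hosts = {a["host"] for a in inc["timeline"]}
        hosts |= {a["detail"] for a in inc["timeline"] if a["kind"] == "logon"}
        inc["assets"] = sorted(hosts)
        # An unusual process chain plus first-seen logons to other hosts suggests lateral movement.
        inc["severity"] = "high" if kinds >= {"proc", "logon"} else "medium"
    return incidents
```

Running `correlate(detect(LIVE, build_baseline(BASELINE)))` yields one high-severity incident for alice spanning ws-101, db-01 and dc-01, and a medium one for bob whose only cause is the missing baseline, the kind of low-value alert the triage layer is meant to absorb.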
The forty-five-minute response target is achieved through Security Orchestration, Automation, and Response (SOAR) integration. Pre-approved containment playbooks are executed automatically for threat categories where the response is well-defined: isolating compromised endpoints, disabling compromised accounts, blocking malicious IP addresses, and revoking compromised access tokens. For novel or complex threats, the SOAR platform presents recommended actions for analyst approval, reducing response time from hours of manual execution to minutes of review and approval.
The AI Layer
AI is the critical enabler of the 1-10-45 standard because human analysts cannot process information at the speed and scale required. The AI layer operates across three functions. First, alert triage uses machine learning models trained on historical alert data to classify incoming alerts as true positive, false positive, or requiring further investigation. This reduces the effective alert volume by more than 80 percent, ensuring that analysts spend their time on genuine threats.
Second, threat intelligence correlation uses natural language processing to ingest and analyse threat intelligence feeds, security advisories, and dark web monitoring data. The AI identifies when a new vulnerability or attack technique is relevant to the client's specific technology stack and automatically adjusts detection rules and alert priorities. This ensures that the detection system adapts to evolving threats without requiring manual rule updates.
Third, automated response orchestration uses decision models to select and execute containment actions based on threat type, severity, and business context. The models consider factors such as the criticality of affected systems, the time of day, and the potential business impact of containment actions. An endpoint serving a critical production workload receives different treatment than a developer workstation, even if the threat is identical. This context-aware automation prevents the over-aggressive containment that can cause more business disruption than the attack itself.
Post-Quantum Security Note
The 1-10-45 framework addresses today's threat dynamics, but the landscape is evolving toward a quantum-capable future. NINtec Cyber Security is integrating post-quantum cryptographic standards into its security stack, ensuring that the communication channels used for detection, investigation, and response remain secure even as quantum computing matures. The harvest-now-decrypt-later threat means that security telemetry transmitted today under encryption that a future quantum computer could break may be recorded now and decrypted later. By migrating security operations infrastructure to post-quantum cryptography proactively, NINtec Cyber Security ensures that its clients' security data remains confidential regardless of quantum computing developments.