Cost of Detection Delay Calculator
How much does a slow response cost you? IBM finds that breaches taking over 200 days to identify and contain cost about $1,880,000 more than those resolved in under 200 days. Set your base breach cost and how many days it takes to identify and contain a breach, and this calculator places it on that cost curve — showing the adjusted total and the extra you pay versus a fast (<100-day) response. Numbers update as you drag the slider. Anchored to IBM benchmarks as of Jun 25, 2026; the base cost is editable.
| Lifecycle | Adjusted cost | Versus your dwell time |
|---|---|---|
| Fast (100 days) | $2,670,000 | $-1,710,800 |
| The 200-day line | $3,610,000 | $-770,800 |
| Your dwell time (241 days) | $4,380,800 | — |
| Slow (300+ days) | $5,490,000 | $1,109,200 |
Adjusted cost = Base cost + Δ × fraction
Δ = $1,880,000 (IBM >200 vs <200-day delta)
fraction = clamp( (days − 200) ÷ 100, −0.5, +1.0 )
Extra vs fast = Adjusted cost at your days − Adjusted cost at 100 days
How it works
Of all the levers that move the cost of a data breach, how long it takes to find and shut down is one of the most powerful — and one of the most controllable. IBM’s Cost of a Data Breach research draws a stark line at 200 days: breaches that take longer than that to identify and contain cost, on average, about $1,880,000 more than breaches resolved in under 200 days. This calculator turns that finding into a number you can act on, placing your breach on the cost curve according to how fast you respond.
The clock it measures is the breach lifecycle, sometimes called dwell time. It runs from the moment a breach begins to the moment it is fully contained, and it has two halves. Time to identify is how long the breach goes unnoticed — the period an attacker can quietly move through your systems, escalate access and exfiltrate data. Time to contain is how long it then takes, once you know, to lock the attacker out and stop the bleeding. Both halves cost money, which is why the input here is the combined identify-plus-contain figure rather than detection alone. The global average lifecycle sits around 241 days, the default in the slider above.
Why does cost rise so steeply with time? Because nearly every component of a breach grows the longer it runs. More records are exposed, so notification and credit-monitoring bills climb. More systems are touched, so forensics and remediation take longer. Downtime stretches, so lost business deepens. Regulators and customers take a dimmer view of a breach that festered for months, so legal and reputational costs swell. A fast, well-rehearsed response truncates all of these at once — which is why the curve bends sharply upward past the 200-day mark and why shaving weeks off a slow response can be worth six figures.
It helps to picture the two halves of the lifecycle as a relay. The identify phase is the silent stretch, and it is usually the longer of the two: an intruder who is never noticed cannot be stopped, and the average breach goes undetected for a remarkably long time before anything triggers an alert. Every day in that phase is a day of unmonitored access, in which the attacker can widen their foothold, harvest credentials and stage data for theft. The contain phase begins only once someone realizes what is happening; from there the question becomes how quickly the organization can scope the damage, isolate affected systems and evict the intruder for good. A team that has rehearsed this — with clear roles, runbooks and the tooling already in place — closes it out in days; a team improvising under pressure can take weeks. Because the calculator sums both phases, it rewards investment in either: better detection to shorten the silent stretch, and a tested plan to shorten the cleanup.
The model is deliberately simple and transparent. It takes your base cost — what the breach would cost at a moderate, under-200-day lifecycle — and adjusts it around the 200-day line. At exactly 200 days the adjustment is zero. For faster resolution it applies a credit, down to a floor that represents a genuinely fast, well-contained breach; for slower resolution it adds a premium, up to the full $1,880,000 by roughly 300 days. The fraction applied is the number of days above or below 200, divided by 100, capped between −0.5 and +1.0. It is a linear planning approximation of IBM’s two-bucket finding, not a precise per-day price — and because the base cost is an editable field, you can anchor the whole curve to a figure that reflects your own breach.
A worked example
Take the default scenario, pre-filled above. A company expects a breach to cost about $3,610,000 if contained reasonably promptly — IBM’s representative figure for a sub-200-day lifecycle. But its monitoring is thin and its incident-response plan untested, so realistically it would take 241 days — the global average — to identify and contain an incident.
- At 241 days, the fraction is (241 − 200) ÷ 100 = 0.41, so the adjustment is $1,880,000 × 0.41 = $770,800.
- Adjusted cost = $3,610,000 + $770,800 = $4,380,800.
- A fast (100-day) response would cost $2,670,000 — the fraction there is capped at the −0.5 floor.
- So the slow response costs about $1,710,800 extra compared with resolving it fast.
That $1,710,800 gap is the prize for getting faster. Drag the slider and watch it move: pull the lifecycle down toward 100 days and the adjusted cost falls toward $2,670,000; push it past 300 days and it climbs to the full premium of $5,490,000. Each week you can take off the identify-and-contain clock is money that stays in the business. The controls that shorten that clock most — security analytics, automation and a rehearsed incident-response plan — are exactly the ones whose payback you can size with the security control ROI calculator: the avoided cost you see here becomes the benefit side of that ROI. For the full reasoning behind dwell time and how detection and containment each drive the bill, read why faster detection saves money.
Frequently asked questions
What does the $1.88M figure mean?
IBM’s Cost of a Data Breach research finds that breaches taking more than 200 days to identify and contain cost on average about $1,880,000 more than breaches resolved in under 200 days. The 200-day line is where the cost curve bends sharply upward: the longer an attacker dwells undetected, the more data is exfiltrated, the more systems are touched and the more expensive the cleanup, notification and lost business become. This calculator places your breach on that curve using the number of days you enter.
What is dwell time, and how is it different from detection time?
Dwell time — what IBM calls the breach lifecycle — is the full clock from the moment a breach begins to the moment it is fully contained. It has two parts: time to identify (how long the breach goes unnoticed) and time to contain (how long it then takes to shut it down). Detection is only the first half. A breach can be spotted quickly but take weeks to contain, and both halves drive cost, which is why the input here is the total identify-plus-contain figure. The global average lifecycle is around 241 days.
How is the adjusted cost calculated?
The model anchors to IBM’s $1,880,000 delta and ramps it linearly around the 200-day line. At 200 days the adjustment is zero (your base cost). It scales down to a credit for fast resolution and up to the full $1,880,000 premium for slow resolution: the fraction applied is the days above or below 200, divided by 100, capped between −0.5 (a fast, well-contained breach) and +1.0 (a slow one, by roughly 300 days). It is a transparent planning approximation of IBM’s two-bucket finding, not a precise per-day cost, and the base cost is editable so the model fits your own breach.
How do I cut dwell time?
The controls that shorten the breach lifecycle most in IBM’s data are security analytics (SIEM/EDR), extensive AI and automation, and a tested incident-response plan — together they can take many weeks off the identify-and-contain clock. Because the cost curve is steep past 200 days, shaving even a few weeks off a slow breach can be worth six figures. To turn that saving into a return on investment, price the control against the loss it avoids with the security control ROI calculator.
Is the base cost the same as a full breach estimate?
The base cost here is meant to be your breach’s cost at a moderate (<200-day) lifecycle, which the tool then adjusts up or down for speed. The default, $3,610,000, is IBM’s representative figure for breaches contained in under 200 days. For a tailored base figure that reflects your industry, records and security posture, build one with the data breach cost estimator and paste it in — the dwell-time adjustment will then apply to a number that is genuinely yours.
Disclaimer. BreachCostLab provides cost and risk estimates for informational purposes only, based on published industry benchmarks (e.g. IBM/Ponemon Cost of a Data Breach, Verizon DBIR) and publicly available statutory figures as of the verification date shown (Jun 25, 2026). These figures are estimates for planning, not a prediction of the cost of any specific incident, and are not legal, financial, insurance, or compliance advice. Actual breach costs vary widely; for regulatory obligations consult qualified counsel. Always verify current figures with the cited sources.