> ## Documentation Index
> Fetch the complete documentation index at: https://docs.wirespeed.co/llms.txt
> Use this file to discover all available pages before exploring further.

# Get MTTD/MTTV/MTTR/MTTC for cases matching search filters

> Averages time-to-detect, time-to-verdict, time-to-remediate, and time-to-close across all cases matching the same filters as the search endpoint. Pagination and sort fields are ignored.



## OpenAPI

````yaml https://api.wirespeed.co/v1/openapi.json post /v1/cases/metrics
openapi: 3.0.0
info:
  title: Wirespeed API
  description: The public Wirespeed API. v1 is the first stable contract.
  version: '1.0'
  contact: {}
servers:
  - url: https://api.wirespeed.co
security: []
tags: []
paths:
  /v1/cases/metrics:
    post:
      tags:
        - Cases
      summary: Get MTTD/MTTV/MTTR/MTTC for cases matching search filters
      description: >-
        Averages time-to-detect, time-to-verdict, time-to-remediate, and
        time-to-close across all cases matching the same filters as the search
        endpoint. Pagination and sort fields are ignored.
      operationId: CasesController_getSearchMetrics
      parameters: []
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: '#/components/schemas/SearchCasesDto'
      responses:
        '200':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/CasesSearchMetricsDto'
        '400':
          description: ''
          content:
            application/json:
              schema:
                $ref: '#/components/schemas/HttpError'
      security:
        - bearer: []
components:
  schemas:
    SearchCasesDto:
      type: object
      properties:
        size:
          type: number
        page:
          type: number
        filter:
          type: string
        search:
          type: string
        orderBy:
          type: string
        orderDir:
          type: string
          enum:
            - asc
            - desc
        days:
          type: number
          description: >-
            Number of days for time-based filtering (1-365). Used by
            stats/widget endpoints to set the time window.
        startDate:
          type: string
          description: Start date (inclusive, ISO8601 string)
        endDate:
          type: string
          description: End date (inclusive, ISO8601 string)
        statuses:
          type: array
          description: Filter cases by status
          items:
            type: string
            enum:
              - NEW
              - PROCESSING
              - ESCALATED
              - HUNTING
              - MONITORING
              - CHATOPS
              - CLOSED
        verdict:
          type: string
          enum:
            - MALICIOUS
            - SUSPICIOUS
            - BENIGN
          description: Filter cases by verdict
        assetId:
          type: string
          description: Filter cases involving a specific asset
        severity:
          type: string
          enum:
            - INFORMATIONAL
            - LOW
            - MEDIUM
            - HIGH
            - CRITICAL
          description: Filter cases by severity
        assetType:
          type: string
          enum:
            - USER
            - PROCESS
            - USER_AGENT
            - FILE
            - ENDPOINT
            - LOCATION
            - IP
            - DOMAIN
          description: Filter cases by asset type
        exclusionId:
          type: string
          description: Filter cases by exclusion rule
        onlyWasEscalated:
          type: boolean
          description: Only include cases that were escalated
        onlyWasContained:
          type: boolean
          description: Only include cases that were contained
        onlyWasMobile:
          type: boolean
          description: Only include cases that involve mobile devices
        onlyWasMonitored:
          type: boolean
          description: Only include cases that had a monitor
        onlyChatOps:
          type: boolean
          description: Only include cases that involved chat ops
        integrationPlatform:
          type: string
          enum:
            - admin-by-request
            - aws
            - axonius
            - bitwarden
            - box
            - checkpoint-firewall
            - checkpoint-harmony
            - cisco-catalyst
            - cisco-duo
            - cisco-meraki
            - cisco-secure-access
            - cisco-umbrella
            - cisco-xdr
            - connectwise-psa
            - crowdstrike-falcon
            - cyberark
            - darktrace
            - email
            - exium
            - fleet-dm
            - fortianalyzer
            - fortinet
            - freshservice
            - generic-json
            - generic-syslog
            - google-alert-center
            - google-chronicle
            - google-directory
            - google-security-center
            - halcyon
            - halo-itsm
            - have-i-been-pwned
            - horizon3
            - hyas-protect
            - ipinfo
            - jamf-pro
            - jamf-protect
            - jira-cloud
            - jira-data-center
            - jumpcloud
            - kandji
            - manage-engine-ad-audit-plus
            - microsoft
            - microsoft-entra
            - microsoft-teams
            - microsoft-teams-v2
            - mimecast
            - ninjaone
            - odoo-helpdesk
            - okta
            - one-password
            - onelogin
            - orca-security
            - pager-duty
            - palo-alto-networks-cortex
            - picus
            - ping-one
            - reversing-labs
            - safebreach
            - sandfly
            - sentinel-one
            - service-now
            - slack
            - sms
            - smtp
            - sonic-wall
            - sophos
            - splunk
            - stairwell
            - tenable-nessus
            - thinkst-canary
            - tracebit
            - unifi
            - vectra
            - watchguard-firebox
            - windows-event-logs
            - wirespeed
            - wiz
            - wordfence
            - zscaler-zpa
          description: Filter cases by integration platform
        hideDemoClients:
          type: boolean
        categoryClass:
          type: string
          enum:
            - ENDPOINT
            - IDENTITY
            - CLOUD
            - EMAIL
            - NETWORK
            - DATA
            - POSTURE
            - OTHER
        category:
          type: string
          enum:
            - OTHER__DIAGNOSTIC
            - OTHER__INFORMATIONAL_EVENT
            - OTHER__WARNING
            - OTHER__UNKNOWN
            - OTHER__DECEPTION
            - OTHER__DECEPTION__SIMULATION
            - OTHER__CUSTOM_DETECTION
            - CLOUD__INVOCATION
            - CLOUD__DISCOVERY
            - CLOUD__DATA_TRANSFER
            - CLOUD__PERSISTENCE
            - CLOUD__PUBLIC_BUCKET
            - ENDPOINT__DISCOVERY
            - ENDPOINT__EXECUTION
            - ENDPOINT__LIVE_OFF_THE_LAND
            - ENDPOINT__NUISANCE
            - ENDPOINT__MALWARE_DISCOVERY
            - ENDPOINT__MALWARE_EXECUTION
            - ENDPOINT__LATE_STAGE
            - ENDPOINT__PERSISTENCE
            - ENDPOINT__REMOTE_MANAGEMENT
            - ENDPOINT__LATERAL_MOVEMENT
            - ENDPOINT__IMPACT
            - ENDPOINT__EVASION
            - ENDPOINT__EXPLOITATION
            - ENDPOINT__SIMULATION
            - ENDPOINT__PLANNED_CHANGE
            - IDENTITY__LOGIN
            - IDENTITY__REJECTED_MFA
            - IDENTITY__DISCOVERY
            - IDENTITY__BRUTE_FORCE
            - IDENTITY__PUBLIC_CREDENTIAL_EXPOSURE
            - IDENTITY__PRIVATE_CREDENTIAL_EXPOSURE
            - IDENTITY__PERSISTENCE
            - IDENTITY__ACCOUNT_COMPROMISE
            - IDENTITY__SIMULATION
            - NETWORK__INBOUND_CONNECTION
            - NETWORK__OUTBOUND_CONNECTION
            - NETWORK__PHISHING
            - NETWORK__NOISY
            - NETWORK__DISCOVERY
            - EMAIL__PHISHING
            - EMAIL__PHISHING_REPORTED
            - EMAIL__EVASION
            - EMAIL__MALWARE
            - EMAIL__MALICIOUS_LINK
            - EMAIL__GRAYMAIL
            - EMAIL__SPAM
            - EMAIL__BUSINESS_EMAIL_COMPROMISE
            - DATA__DATA_TRANSFER
            - DATA__DATA_SHARE
            - POSTURE__POSTURE
            - POSTURE__HEALTH
        createdAt:
          description: Filter by creation date
          allOf:
            - $ref: '#/components/schemas/DateFilterDto'
        groupIds:
          description: >-
            Filter cases by group IDs (OR) — matches cases with detections whose
            users or endpoints belong to any of the specified groups
          type: array
          items:
            type: string
    CasesSearchMetricsDto:
      type: object
      properties:
        mttdSeconds:
          type: number
          description: Mean time to detect in seconds
          nullable: true
        mttvMilliseconds:
          type: number
          description: Mean time to verdict in milliseconds
          nullable: true
        mttrMilliseconds:
          type: number
          description: Mean time to remediate in milliseconds
          nullable: true
        mttcSeconds:
          type: number
          description: Mean time to close in seconds
          nullable: true
      required:
        - mttdSeconds
        - mttvMilliseconds
        - mttrMilliseconds
        - mttcSeconds
    HttpError:
      type: object
      properties:
        message:
          type: string
        statusCode:
          type: number
      required:
        - message
        - statusCode
    DateFilterDto:
      type: object
      properties:
        gt:
          type: string
          description: Filter for dates greater than this value
        gte:
          type: string
          description: Filter for dates greater than or equal to this value
        lt:
          type: string
          description: Filter for dates less than this value
        lte:
          type: string
          description: Filter for dates less than or equal to this value
  securitySchemes:
    bearer:
      scheme: bearer
      bearerFormat: JWT
      type: http

````