first_alert_visible
First alert visible
Signup → an alert appears on the operator dashboard.
The Move 15 onboarding bar lands a real, triaged alert in under sixty seconds. This is the moment "this works" registers.
Target latency: P50 —, P95 —, P99 —
Five measurable moments, instrumented end to end. This is the bar we are building toward — and the number we intend to publish and defend once tenants are live.
Apple measured the iPod by how long it took the operator's brain to register “this works.” That moment is concrete. It either happens fast or it does not happen at all. Most security platforms hide it under a kickoff call and a six-week deployment.
Sandworm instruments five measurable moments where the platform proves itself: an alert visible on the dashboard, a triage action recorded, a Move 12 response action fired, an investigation opened, an attestation downloaded. Every one is timestamped server-side and stored in the magic_moments table. The first occurrence per tenant is the only one counted.
The target above is for the first moment — signup to first triaged alert visible. The other four are below.
The five moments we instrument, and the latency targets we are building toward for each.
first_alert_visible
Signup → an alert appears on the operator dashboard.
The Move 15 onboarding bar lands a real, triaged alert in under sixty seconds. This is the moment "this works" registers.
Target latency: P50 —, P95 —, P99 —
first_triage_action
Operator first clicks, dismisses, or escalates.
The first time a human reaches into the queue and touches a finding. The agent has done the work; the operator confirms the verdict.
Target latency: P50 —, P95 —, P99 —
first_response_action
Move 12 fires its first remediation for the tenant.
notify_slack, revoke_session, block_ip, or isolate_host — citation-gated, bounded, audited. The platform stops acting on alerts and starts closing them.
Target latency: P50 —, P95 —, P99 —
first_investigation_opened
Operator pivots from triage queue into the case file.
A real investigation, with the related-events timeline, the federated search across products, and the agent context already loaded.
Target latency: P50 —, P95 —, P99 —
first_attestation_downloaded
Operator pulls a signed receipt from the trust portal.
Ed25519-signed monthly attestation, verifiable against the published key. The proof that what the platform did is what the platform recorded.
Target latency: P50 —, P95 —, P99 —
The TTFM target is on the marketing site because we want every PM decision to land against it. If a roadmap item would slow the first-alert path by ten percent, that is a regression against the target. If a deployment would harm the response-action moment, the instrumentation is built to surface it before a customer would notice.
Naming the target is the commitment. Operators see it, investors see it, the engineering team sees it. The forcing function is structural — moving the target TTFM down a few seconds is worth more than shipping a feature nobody touches.
The five moments were chosen because each one is a category of work that has to actually happen for the platform to be doing its job. Detection, action, response, investigation, attestation. If any of the five never fires, the customer is not getting what they paid for.
auth-service magic_moments table. Five producing services write the first occurrence of each moment per tenant; the unique constraint guarantees idempotency.
aggregator scans the table at request time, sorted by seconds_to_moment (a stored generated column). Response cached for five minutes via Cache-Control.
ε=3.0 Laplace noise applied to each percentile. Calibrated to the Move 6/7 federation pattern — an individual tenant's exact timing cannot be recovered from the public number.
once live, every Sandworm tenant since the metric was introduced. No filtering by industry, region, or tier. The Sovereign-only cohort, when it grows, will get its own published number.
in v26.5 the aggregator output will be signed and posted to the public trust portal as an attestation, so the published number can be verified against the platform's own records.
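An added sketch of the storage and publication path described above, not Sandworm's own code: a magic_moments table whose unique constraint keeps only the first occurrence per tenant, a stored generated seconds_to_moment column, and Laplace noise at ε=3.0 on each percentile. The SQLite backend, the column names other than seconds_to_moment, the nearest-rank percentile, and the 120-second clamp used as the noise sensitivity are assumptions (the page states ε but no sensitivity); the sample rows are constructed.

```python
import math
import random
import sqlite3

EPSILON = 3.0  # privacy parameter stated on the page
CLAMP_S = 120  # assumption: timings clamped to [0, 120] s to bound sensitivity

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("""CREATE TABLE magic_moments (
        tenant_id TEXT NOT NULL, moment TEXT NOT NULL,
        signup_ts INTEGER NOT NULL, occurred_ts INTEGER NOT NULL, -- server epoch s
        seconds_to_moment INTEGER GENERATED ALWAYS AS (occurred_ts - signup_ts) STORED,
        UNIQUE (tenant_id, moment))""")
    return db

def record_moment(db, tenant, moment, signup_ts, occurred_ts):
    """Idempotent write; True only for the first occurrence per tenant."""
    cur = db.execute(
        "INSERT OR IGNORE INTO magic_moments"
        " (tenant_id, moment, signup_ts, occurred_ts) VALUES (?, ?, ?, ?)",
        (tenant, moment, signup_ts, occurred_ts))
    return cur.rowcount == 1

def raw_percentiles(db, moment):
    """Nearest-rank P50/P95/P99 over clamped seconds_to_moment."""
    rows = db.execute(
        "SELECT seconds_to_moment FROM magic_moments WHERE moment = ?"
        " ORDER BY seconds_to_moment", (moment,)).fetchall()
    vals = [min(max(r[0], 0), CLAMP_S) for r in rows]
    return {p: vals[max(1, math.ceil(p / 100 * len(vals))) - 1]
            for p in (50, 95, 99)} if vals else {}

def laplace(scale, rng):
    """Laplace(0, scale) as the difference of two exponential draws."""
    return rng.expovariate(1 / scale) - rng.expovariate(1 / scale)

def published_percentiles(db, moment, rng=None):
    """Noisy values; scale = sensitivity / epsilon, clamp width as sensitivity."""
    rng = rng or random.SystemRandom()
    return {p: v + laplace(CLAMP_S / EPSILON, rng)
            for p, v in raw_percentiles(db, moment).items()}

def demo_db():
    """Constructed sample: ten tenants plus one repeat event for t0."""
    db = open_db()
    for i, s in enumerate([12, 20, 31, 45, 58, 70, 95, 110, 200, 400]):
        record_moment(db, f"t{i}", "first_alert_visible", 1000, 1000 + s)
    record_moment(db, "t0", "first_alert_visible", 1000, 1999)  # repeat, ignored
    return db
```

With the clamp width as sensitivity the noise scale is 40 seconds, so the choice of clamp decides how useful the published percentiles are for a sixty-second target.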
After onboarding, your tenant's TTFM is available from the sandworm CLI: sandworm metrics ttfm. The output includes your P50, P95, and P99 for each of the five moments — compared to the published platform target.