Mitigation cutover is the operational transition from normal routing to active scrubbing once an attack is detected, and a defensive control a thorough DDoS test is built to time. In an on-demand model, traffic is diverted to a scrubbing center (via BGP announcement or DNS change) only when an attack starts; in always-on mode the path is permanent. The cutover delay defines how long the origin stays exposed.
Why it matters in DDoS testing
The window between attack onset and full scrubbing is where outages happen. A test measures detection time, diversion propagation (BGP convergence or DNS TTL expiry), and the moment clean traffic resumes, then characterizes what fails during that gap. An always-on path removes the cutover delay but changes the steady-state latency and cost profile, a trade-off worth measuring rather than assuming.
For how cutover timing factors into a resilience score, see DDoS resilience testing.