TTPs

Tactics, techniques, and procedures, abbreviated as TTPs, is a term used to describe patterns of behavior in security contexts. In cybersecurity, TTPs refer to how threat actors operate to achieve their objectives, while in military and law enforcement contexts it denotes the methods used to plan and execute operations. TTPs are used to categorize and analyze how adversaries behave across campaigns and incidents.

Tactics are the high-level goals or objectives that an actor pursues during an operation, such as initial access, execution, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, exfiltration, and command and control. Techniques are the concrete methods used to accomplish a tactic, for example phishing to gain initial access, malware delivery, or living-off-the-land techniques that abuse legitimate tools. Procedures are the specific, repeatable steps actors follow to implement a technique, including the particular tools, commands, configurations, and environment details.

In practice, defenders map observed activity to TTPs to understand threat models, guide detection, and prioritize mitigations. Threat intelligence collects and shares TTPs to inform risk assessment and incident response planning. Frameworks such as MITRE ATT&CK provide organized catalogs of techniques linked to tactics, enabling analysts to compare campaigns, track actor behavior, and communicate findings consistently.

TTPs are dynamic and evolve as actors adapt to defenses and new technologies. While useful for analysis and defense planning, TTPs do not guarantee prediction of an actor’s exact capabilities or intent, and public data may omit details of procedures.
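A small worked model of the tactic/technique/procedure hierarchy and of the two defender uses named above (comparing campaigns and prioritizing mitigations), added here as an illustration; it is not code from the original page or from MITRE. The tactic and technique IDs are real ATT&CK identifiers, but the catalog excerpt, the two campaigns, their observed procedures and the set of already-detected techniques are all constructed for this example.

```python
from dataclasses import dataclass

# Constructed excerpt of the ATT&CK catalog: the tactic and technique IDs are real ATT&CK
# identifiers, but only a handful are included here for illustration.
TACTICS = {"TA0001": "Initial Access", "TA0002": "Execution", "TA0003": "Persistence",
           "TA0004": "Privilege Escalation", "TA0008": "Lateral Movement",
           "TA0011": "Command and Control"}
# technique id -> (name, tactics it can serve); one technique may serve several tactics
TECHNIQUES = {
    "T1566": ("Phishing", {"TA0001"}),
    "T1059": ("Command and Scripting Interpreter", {"TA0002"}),
    "T1547": ("Boot or Logon Autostart Execution", {"TA0003", "TA0004"}),
    "T1021": ("Remote Services", {"TA0008"}),
    "T1071": ("Application Layer Protocol", {"TA0011"}),
}

@dataclass
class Campaign:
    name: str
    # procedures: technique id -> the specific tool/command/config an analyst observed
    procedures: dict
    def techniques(self) -> set:
        return set(self.procedures)
    def tactics(self) -> set:
        return {t for tech in self.techniques() for t in TECHNIQUES[tech][1]}

def technique_overlap(a: Campaign, b: Campaign) -> float:
    """Jaccard similarity of two campaigns' technique sets (1.0 = identical profile)."""
    ta, tb = a.techniques(), b.techniques()
    return len(ta & tb) / len(ta | tb) if (ta | tb) else 0.0

def uncovered_tactics(campaign: Campaign, detected: set) -> set:
    """Tactic names the campaign relies on for which none of its techniques is detected yet."""
    covered = {t for tech in campaign.techniques() & detected for t in TECHNIQUES[tech][1]}
    return {TACTICS[t] for t in campaign.tactics() - covered}

# Constructed sample campaigns (not real incident data).
CAMPAIGN_A = Campaign("campaign-A", {
    "T1566": "malicious attachment delivered by e-mail",
    "T1059": "script interpreter spawned by the document",
    "T1547": "autostart registry entry added",
    "T1071": "periodic beacon over HTTPS",
})
CAMPAIGN_B = Campaign("campaign-B", {
    "T1566": "malicious link delivered by e-mail",
    "T1059": "script interpreter spawned by the document",
    "T1021": "remote desktop sessions between internal hosts",
})
DETECTED = {"T1566", "T1059"}  # techniques the hypothetical SOC already alerts on
```

The tactics returned by `uncovered_tactics` are the gaps a defender would work on first, since the campaign relies on them and no current detection covers any technique serving them.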
See also: MITRE ATT&CK, cyber threat intelligence.