Tactics, Techniques, and Procedures (TTPs)
What are TTPs?
TTP stands for Tactics, Techniques, and Procedures. It is a structured way of describing how attackers plan and carry out their operations, and it is the vocabulary that threat intelligence teams and frameworks like MITRE ATT&CK use to categorize and track adversary behavior.
- Tactics are the adversary's goals at a given stage of an intrusion (e.g. Initial Access, Exfiltration).
- Techniques are the general methods used to achieve those goals (e.g. Phishing, OS Credential Dumping).
- Procedures are the specific implementation a particular actor or tool uses (e.g. sending a spear-phishing email carrying a document with a malicious macro).
Examples of TTPs
Let’s break down an example:
- Tactic: Persistence
- Technique: Boot or Logon Autostart Execution, sub-technique Registry Run Keys / Startup Folder (ATT&CK T1547.001)
- Procedure: Attacker drops a malicious script or shortcut into the user's Startup folder so it runs at every logon
Another example:
- Tactic: Credential Access
- Technique: Brute Force, sub-technique Password Guessing (ATT&CK T1110.001)
- Procedure: Run Hydra against the SSH service with a wordlist of common usernames and passwords
How are TTPs tracked?
The most well-known resource for mapping TTPs is the MITRE ATT&CK framework. It catalogs attacker behaviors across the full lifecycle of an intrusion, organized as tactics, techniques and sub-techniques, with procedure examples attributed to named threat groups and software, helping teams understand and defend against real-world adversaries.
How TTPs are used in detection and response
TTPs help:
- Build detection rules that key on behaviors rather than on a specific tool, so the rule survives a change of malware or infrastructure
- Enhance threat intelligence by attributing activity to specific groups that are known to use a given combination of techniques
- Map incidents to known attack chains to assess scope, anticipate the adversary's next step, and respond
Security operations teams use TTP data to write alert logic in SIEMs and EDR tools, to drive adversary emulation in red and purple team exercises, and to prioritize defenses against the techniques most relevant to their environment.
The difference between TTPs and IOCs
- TTPs describe behaviors and strategies (e.g. "the attacker logs in with valid accounts")
- IOCs (Indicators of Compromise) are concrete artifacts of a past compromise, such as IP addresses, file hashes, domains, or URLs
IOCs are cheap for an attacker to change (a new IP address, a recompiled binary with a new hash), so they age quickly. A technique such as password guessing or abuse of valid accounts is far harder to abandon, which is why behavior-based detections outlast indicator matches. In practice the two complement each other: IOCs give fast, low-noise matches on known infrastructure, while TTP detections catch the same actor when they move to infrastructure nobody has seen before.
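The following is an added example, not code from the original page or from Intruder: it implements the detection logic described in the previous two sections (a behavior-based rule for the Brute Force / Password Guessing technique, the Hydra-over-SSH procedure above) and runs it beside a plain IOC match over constructed OpenSSH-style auth.log lines. The log lines, the hostname "bastion", the log year 2024, the RFC 5737 documentation addresses, and the "threat feed" containing only day one's IP are all assumptions made up for the example.

```python
"""Behavior (TTP) detection versus indicator (IOC) matching over sshd logs.
Added example; every log line below is constructed, not a real capture."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches OpenSSH "Failed password" / "Accepted publickey" style messages.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Day one (constructed): Hydra-style guessing from 203.0.113.7, ending in a valid login.
LOG_DAY1 = """\
Mar 10 08:01:02 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 50211 ssh2
Mar 10 08:01:03 bastion sshd[4102]: Failed password for invalid user admin from 203.0.113.7 port 50212 ssh2
Mar 10 08:01:04 bastion sshd[4103]: Failed password for root from 203.0.113.7 port 50213 ssh2
Mar 10 08:01:05 bastion sshd[4104]: Failed password for root from 203.0.113.7 port 50214 ssh2
Mar 10 08:01:06 bastion sshd[4105]: Failed password for deploy from 203.0.113.7 port 50215 ssh2
Mar 10 08:01:07 bastion sshd[4106]: Failed password for deploy from 203.0.113.7 port 50216 ssh2
Mar 10 08:01:09 bastion sshd[4107]: Accepted password for deploy from 203.0.113.7 port 50217 ssh2
Mar 10 08:15:44 bastion sshd[4211]: Accepted publickey for alice from 198.51.100.20 port 41000 ssh2
Mar 10 09:02:10 bastion sshd[4300]: Failed password for alice from 198.51.100.20 port 41020 ssh2
"""

# Day two (constructed): the same behavior from an address no feed has listed.
LOG_DAY2 = """\
Mar 11 02:30:00 bastion sshd[5101]: Failed password for invalid user admin from 192.0.2.77 port 60001 ssh2
Mar 11 02:30:01 bastion sshd[5102]: Failed password for invalid user admin from 192.0.2.77 port 60002 ssh2
Mar 11 02:30:02 bastion sshd[5103]: Failed password for root from 192.0.2.77 port 60003 ssh2
Mar 11 02:30:03 bastion sshd[5104]: Failed password for root from 192.0.2.77 port 60004 ssh2
Mar 11 02:30:04 bastion sshd[5105]: Failed password for deploy from 192.0.2.77 port 60005 ssh2
Mar 11 02:31:10 bastion sshd[5201]: Accepted publickey for alice from 198.51.100.20 port 41100 ssh2
"""

# Hypothetical threat feed: the only indicator available is day one's source IP.
KNOWN_BAD_IPS = {"203.0.113.7"}


def parse(log_text, year=2024):
    """Return (timestamp, result, user, ip) tuples; syslog lines carry no year, so one is assumed."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["ip"]))
    return events


def ioc_match(events, bad_ips):
    """IOC approach: flag only source IPs already on the feed."""
    return sorted({ip for _, _, _, ip in events if ip in bad_ips})


def detect_password_guessing(events, threshold=5, window_seconds=60):
    """TTP approach (ATT&CK T1110.001): `threshold` or more failed logins from one
    source inside a sliding window, whatever the source address is."""
    recent, alerted, alerts = defaultdict(deque), set(), []
    for ts, result, _, ip in sorted(events):
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"technique": "T1110.001", "source_ip": ip,
                           "failures": len(q), "first": q[0], "last": ts})
    return alerts


def detect_success_after_burst(events, alerts):
    """Escalation: a flagged source that later gets an 'Accepted' login likely
    found a working credential, which moves the incident from attempted to successful."""
    flagged = {a["source_ip"]: a["last"] for a in alerts}
    return [(ip, user) for ts, result, user, ip in sorted(events)
            if result == "Accepted" and ip in flagged and ts >= flagged[ip]]


def summarise(log_text, bad_ips=KNOWN_BAD_IPS):
    """Run both approaches over one log and return what each would report."""
    events = parse(log_text)
    alerts = detect_password_guessing(events)
    return {"ioc_hits": ioc_match(events, bad_ips),
            "ttp_sources": [a["source_ip"] for a in alerts],
            "success_after_burst": detect_success_after_burst(events, alerts)}


if __name__ == "__main__":
    for name, log in (("day1", LOG_DAY1), ("day2", LOG_DAY2)):
        print(name, summarise(log))
```

On day one both approaches report 203.0.113.7, and the success-after-burst check adds that the "deploy" account was compromised. On day two the attacker has moved to 192.0.2.77: the IOC match is silent because the feed has never seen that address, while the behavior rule fires on exactly the same pattern. Threshold and window are tuning knobs; the benign single failure from alice's address shows why the rule counts per source within a window instead of alerting on any failed login.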
Strengthen your defenses with Intruder
Intruder helps you uncover exploitable weaknesses before attackers do. Our unified exposure management platform supports smart prioritization and real-world context, so you focus on what matters most.
Start a free 14-day trial of Intruder and take a proactive step toward better security.