
Tactics, Techniques, and Procedures (TTPs)

Definition

A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific methods (spear-phishing, pass-the-hash). Procedures are the step-by-step actions observed in a particular campaign. The MITRE ATT&CK framework organises TTPs across 14 tactic categories.

Related terms

Indicator of Compromise (IoC)
An observable artefact that suggests a system has been involved in a malicious event. Static analysis produces file-based IoCs: cryptographic hashes, embedded...
MITRE ATT&CK
A publicly available knowledge base of adversary tactics, techniques, and procedures derived from real-world intrusion observations. Maintained by the MITRE Corporation. Techniques...
CSIRT (Computer Security Incident Response Team)
A dedicated team responsible for coordinating the response to confirmed security incidents. The CSIRT manages containment, forensic investigation, communication to stakeholders, and...
Diamond Model
An analytic framework that structures a cyber intrusion event around four linked elements: adversary, capability, infrastructure, and victim. The model makes explicit...
Dwell time
The period between an attacker gaining initial access and their detection. Reducing dwell time is a primary goal of threat hunting. The...
Escalation Path
The predefined chain of notification and decision-making authority that an incident follows as its severity increases. Documented in the IR plan before...
Hunting hypothesis
A testable statement specifying what adversary behaviour might be present, which data source would show it, and what analytic would surface it....
SOC (Security Operations Centre)
A function providing continuous monitoring, alert triage, and early detection of security events. The SOC is the first tier of response: it...
STIX
Structured Threat Information eXpression. A standardised, machine-readable language for encoding and sharing threat intelligence objects such as indicators, threat actors, campaigns, and...
TAXII
Trusted Automated eXchange of Intelligence Information. The transport protocol used to share STIX content between organisations. TAXII defines server and client roles,...
Threat actor
An individual or group responsible for a security incident or malicious campaign. Threat actors are categorised by motivation (financial, espionage, hacktivism, destruction)...
Threat hunting
A proactive, human-led process that searches for evidence of adversary activity in an environment under the assumption that automated controls have been...

Explained in these topics

  • Key Terms and Stakeholders in Incident Response: A three-level description of adversary behaviour. Tactics are the high-level goals (initial access, persistence, exfiltration). Techniques are the specific met...
  • Proactive Threat Hunting Methodology: The methods and patterns an adversary uses to achieve their objectives. TTP-based hunting targets behavioural patterns rather than specific artifacts, making i...
  • Threat Intelligence Fundamentals: The behavioural signature of an adversary. Tactics are the high-level goals (e.g., initial access, persistence). Techniques are the specific methods used to ac...
