
TTPs (Tactics, Techniques, and Procedures)

Definition

The behavioural fingerprint of a threat actor: the broad goals and approaches they pursue (tactics), the specific methods they use to achieve each tactic (techniques), and the granular implementation details (procedures). TTPs are harder to change than tools or infrastructure and are therefore the most reliable layer of attribution evidence.

Related terms

Attribution
The process of identifying the threat actor responsible for a cyberattack. Attribution is a confidence-weighted analytical conclusion, not a binary fact. It...
Confidence level
An explicit label attached to an attribution assessment indicating how strongly the available evidence supports the conclusion. Standard tiers are low, medium,...
False flag
A deliberate deception in which an attacker plants indicators designed to make the intrusion appear to originate from a different actor. Common...
Technical vs. legal attribution
Technical attribution identifies the infrastructure and tooling used in an attack and may link it to a known cluster or actor profile....
Threat actor cluster
A named collection of observed activity linked by shared infrastructure, malware, and TTPs, without necessarily having confirmed the real-world identity of the...

Explained in

  • Attribution in Cyber Investigations
