What Is TTP?
TTP is a structured way to describe attacker behavior during an intrusion.
TTP stands for tactics, techniques, and procedures. In cybersecurity, TTP describes the behavioral patterns attackers use: what they are trying to achieve, the method they use, and the specific way they carry it out. Security teams use TTPs to understand adversary behavior, investigate incidents, improve detections, and communicate attack patterns in a more durable way than simple indicators alone.
Unlike a single IP address or file hash, TTPs focus on how an attacker operates. That makes them useful in threat intelligence, threat hunting, and incident response. For related concepts, see what is ioc and what is mitre attack.
How TTP works
TTP is not a tool or product. It is a model for analyzing and describing behavior in a consistent way.
Tactics describe the objective
A tactic is the high-level goal at a given stage of an attack. It answers the question: What is the attacker trying to accomplish right now?
Examples of tactics include:
- Initial access
- Execution
- Persistence
- Privilege escalation
- Credential access
- Lateral movement
- Exfiltration
- Impact
Tactics provide context, but they are broad. They tell you the purpose of the activity, not the exact method.
Techniques describe the method
A technique is the general method used to achieve a tactic. It answers: How is the attacker doing it?
Examples include:
- Phishing for initial access
- PowerShell for execution
- Scheduled tasks for persistence
- Credential dumping for credential access
- Remote services for lateral movement
Techniques are more actionable than tactics because defenders can often map detections, logging, and controls to them.
Procedures describe the real-world implementation
A procedure is the specific way an attacker applies a technique in an actual intrusion. It answers: Exactly how did this happen in this case?
Examples might include:
- Sending an invoice-themed phishing email to finance staff
- Running an obfuscated PowerShell command
- Creating a scheduled task with a misleading name
- Dumping credentials using a particular tool
- Using an existing remote admin utility already present in the environment
Procedures are the most detailed part of TTPs, and they often change faster than tactics or techniques.
Why TTPs matter in security
TTPs matter because attacker behavior often lasts longer than individual indicators of compromise.
An attacker can change:
- IP addresses
- Domains
- File hashes
- Malware filenames
- Hosting providers
But they may still rely on the same techniques for credential theft, persistence, or lateral movement. That makes TTPs useful for:
- Detection engineering
- Threat hunting
- Incident response
- Threat intelligence reporting
- Control validation
- Security gap analysis
In other words, TTPs help defenders focus on patterns that are more likely to repeat.
How defenders use TTPs
Security teams use TTPs in several practical ways.
Incident response
During an investigation, responders use TTPs to reconstruct what happened and summarize attacker behavior.
For example, instead of saying only “malware was found,” they may report:
- Initial access through phishing
- Persistence via scheduled task
- Credential access through dumping
- Lateral movement using remote admin tools
That gives a clearer picture of the intrusion lifecycle.
Threat intelligence
Threat intelligence teams use TTPs to describe how a threat actor or campaign operates. This is often more useful than sharing only short-lived indicators.
A good intelligence summary may tell defenders:
- Which tactics are commonly used
- Which techniques are recurring
- Which procedures appeared in recent cases
Detection engineering
Detection teams map alerts and analytics to attacker behavior. That helps them identify which techniques they can currently detect and where coverage gaps exist.
For example, a team may know it can detect:
- Suspicious PowerShell execution
- Unusual scheduled task creation
- Credential dumping behavior
- Remote execution from admin tools
This is often more valuable than relying only on lists of known bad infrastructure.
Threat hunting
Threat hunters use TTPs to search for suspicious behavior even when no known indicator is available.
Instead of asking, “Did we talk to this bad IP?” they may ask:
- Did a user document spawn PowerShell?
- Were credentials accessed from an unusual process?
- Did one workstation suddenly initiate remote admin activity across multiple hosts?
That behavior-first approach is one reason TTPs are central to mature hunting programs.
TTP vs IOC
TTPs and IOCs are related, but they are not the same.
IOC
An indicator of compromise is a specific artifact linked to malicious activity, such as:
- A file hash
- A malicious domain
- An IP address
- A registry key
- A process name
IOCs are useful, but they often expire quickly because attackers can change them.
TTP
A TTP describes behavior:
- The goal
- The method
- The implementation
TTPs tend to be more durable because attacker tradecraft changes more slowly than atomic indicators.
A good defense program uses both, but TTPs often provide more long-term value.
TTP and MITRE ATT&CK
One of the most common ways to organize TTPs is through MITRE ATT&CK. ATT&CK maps adversary behavior into a shared framework of tactics and techniques, making it easier for defenders to:
- Describe incidents consistently
- Map detections to known behaviors
- Compare one intrusion to another
- Evaluate defensive coverage
That is why ATT&CK is commonly referenced in SOCs, threat intelligence reports, purple team exercises, and product evaluations.
When you will encounter the term TTP
You are most likely to encounter TTP in environments that analyze attacker behavior in a structured way.
Common examples include:
- Threat intelligence reports
- Incident response summaries
- SOC investigations
- Detection engineering programs
- Threat hunting workflows
- Purple team and adversary emulation exercises
- Security leadership reporting
You may hear a team say something like:
- “The actor used credential access and lateral movement TTPs.”
- “We need better detection coverage for these techniques.”
- “The procedures changed, but the overall TTP pattern looks familiar.”
That language helps teams discuss behavior rather than isolated artifacts.
How smaller teams can apply TTP thinking
You do not need a large security operations center to benefit from TTP-based thinking. Smaller teams can still use it to ask better questions, such as:
- How would an attacker likely get initial access here?
- What techniques would they use after login?
- Which behaviors can we actually detect?
- Where do we have little visibility?
Even basic security improvements support this approach, such as stronger password hygiene with Try 1Password → and endpoint protection tools like Get Malwarebytes → that can surface suspicious execution behavior. These are not substitutes for full detection engineering, but they can help smaller teams reduce common exposure.
Final takeaway
TTP stands for tactics, techniques, and procedures. It is the framework security teams use to describe attacker behavior in a structured, reusable way. Tactics explain the objective, techniques explain the method, and procedures explain the exact implementation.
TTPs matter because they help defenders understand how an intrusion happened, improve detection coverage, and focus on behavior that often outlasts simple indicators. If IOCs tell you what was seen, TTPs help explain how the attacker actually operated.