
What are Tactics, Techniques, and Procedures (TTP)?

Tactics, Techniques, and Procedures—usually shortened to TTPs—describe the patterns that define how a threat actor operates.

Think of tactics as the overall goals an attacker pursues, like gaining initial access or exfiltrating data. Techniques are the specific methods they use to achieve those goals, such as spear phishing or exploiting unpatched vulnerabilities. Procedures drill down further into the exact steps and tools an attacker follows in a given operation.

Security teams use TTPs to profile adversaries because individual indicators like IP addresses or malware signatures change constantly, while behavioral patterns tend to remain consistent. A sophisticated attacker might rotate through dozens of domains or malware variants, but they often stick with familiar techniques because those methods work and the attacker has refined them over time.

Understanding TTPs helps defenders move beyond playing whack-a-mole with individual threats and instead anticipate what an adversary will do next based on their established patterns.

Origin

The concept of TTPs comes from military intelligence, where analysts have long studied enemy behavior to predict future actions and develop countermeasures. The framework became prominent in cybersecurity during the mid-2000s as defenders realized that signature-based detection alone wasn't enough to stop determined adversaries.

Early antivirus tools could catch known malware, but sophisticated attackers simply modified their code to evade signatures. Meanwhile, the same attackers often repeated behavioral patterns—the same reconnaissance methods, the same privilege escalation techniques, the same data staging procedures.

The MITRE ATT&CK framework, introduced in 2013 and publicly released in 2015, gave the security community a common language for describing TTPs in a structured way. It catalogs adversary behaviors observed in real-world intrusions and maps them to specific tactics and techniques. This shared vocabulary transformed how organizations hunt for threats and share intelligence, making TTP analysis a standard part of serious security operations rather than something only government intelligence agencies practiced.

Why It Matters

TTPs matter because they give defenders a fighting chance against well-resourced adversaries who constantly change their tools. When you focus only on indicators of compromise—things like file hashes, domains, or IP addresses—you're always one step behind because attackers can swap those out in minutes. But changing TTPs requires retraining operators, developing new playbooks, and abandoning techniques that have proven successful. That's expensive and time-consuming, which is why even sophisticated threat groups often stick with familiar patterns for months or years.

Security teams use TTPs to build detection rules that catch entire classes of attacks rather than individual variants. If you know an adversary typically uses PowerShell for execution and WMI for lateral movement, you can monitor for those behaviors regardless of what specific malware they're running.
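To make the contrast in this paragraph concrete, here is an added example (not code from the original page or from Plurilock): a hash-based indicator check beside two behaviour rules, one for PowerShell execution and one for processes spawned by the WMI provider host, run over constructed process-creation events. The event fields, hash values and rule names are assumptions; the ATT&CK technique IDs are the real ones for PowerShell (T1059.001) and WMI (T1047).

```python
"""TTP-based detection vs. indicator matching over process-creation events.

All events below are constructed samples that mimic the fields of a Sysmon /
EDR process-creation record; none are real telemetry or real hashes.
"""
import re

# Indicator-only approach: a denylist of file hashes (constructed placeholders).
KNOWN_BAD_HASHES = {"aaaa1111"}  # covers the first build of the payload only

# Behaviour-level rules keyed to ATT&CK technique IDs. They never look at hashes,
# domains or IPs, so rebuilding or renaming the payload does not evade them.
PS_SUSPICIOUS_ARGS = re.compile(r"(?i)(-enc(odedcommand)?\s|-w(indowstyle)?\s+hidden)")

def powershell_execution(e):
    """T1059.001: PowerShell launched with hidden-window or encoded-command args."""
    return e["image"].lower().endswith("powershell.exe") and bool(PS_SUSPICIOUS_ARGS.search(e["cmdline"]))

def wmi_spawned_process(e):
    """T1047: a non-WMI process whose parent is the WMI provider host."""
    return e["parent"].lower().endswith("wmiprvse.exe") and not e["image"].lower().endswith("wmiprvse.exe")

TTP_RULES = [("T1059.001 PowerShell", powershell_execution),
             ("T1047 WMI", wmi_spawned_process)]

def match_iocs(events):
    """Event ids flagged by the indicator-only approach."""
    return [e["id"] for e in events if e["hash"] in KNOWN_BAD_HASHES]

def match_ttps(events):
    """(event id, rule name) pairs flagged by the behaviour rules."""
    return [(e["id"], name) for e in events for name, rule in TTP_RULES if rule(e)]

PS_IMAGE = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    # 1: first payload build, hidden encoded PowerShell: both approaches catch it
    {"id": 1, "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": "powershell.exe -w hidden -enc AAAA", "hash": "aaaa1111"},
    # 2: same technique, payload rebuilt with a new hash: only the TTP rule catches it
    {"id": 2, "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": "powershell.exe -NoP -EncodedCommand AAAA", "hash": "bbbb2222"},
    # 3: cmd.exe spawned by the WMI provider host on a remote machine
    {"id": 3, "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe", "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": "cmd.exe /c hostname", "hash": "cccc3333"},
    # 4: benign scheduled script: neither approach should flag it
    {"id": 4, "parent": r"C:\Windows\explorer.exe", "image": PS_IMAGE,
     "cmdline": r"powershell.exe -File C:\scripts\backup.ps1", "hash": "dddd4444"},
]

if __name__ == "__main__":
    print("IoC hits:", match_iocs(SAMPLE_EVENTS))  # [1]
    print("TTP hits:", match_ttps(SAMPLE_EVENTS))  # events 1, 2 and 3
```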

TTPs also improve threat hunting by giving analysts a roadmap of what to look for. Instead of waiting for an alert, hunters can proactively search for evidence of known adversary techniques in their environment. When organizations share TTP information through threat intelligence feeds, the entire community benefits from collective knowledge about how attackers actually operate.

The Plurilock Advantage

Plurilock's offensive security services operate from deep knowledge of real-world attacker TTPs, not theoretical checklists. Our adversary simulation services replicate the actual tactics, techniques, and procedures used by sophisticated threat groups so you can test your defenses against realistic attack patterns.

We don't just run automated scans—our teams, which include former intelligence professionals and practitioners from elite cyber units, manually emulate adversary behavior to find the gaps that tools miss.

Whether you need red team operations that mirror specific threat actors or purple team exercises that improve your detection capabilities, we bring practitioner expertise focused on the TTPs that matter most to your threat landscape.

