Contact us today. Phone: +1 888 776-9234. Email: sales@plurilock.com

What are Tactics?

Tactics are the specific technical methods and procedures used by threat actors to achieve their objectives during a cyberattack.

In cybersecurity frameworks like MITRE ATT&CK, tactics represent the "why" behind an adversary's actions—the tactical goals they are trying to accomplish at each stage of their attack campaign.

Common tactics include initial access (gaining entry to a target system), persistence (maintaining access over time), privilege escalation (obtaining higher-level permissions), defense evasion (avoiding detection), credential access (stealing authentication information), discovery (gathering information about the target environment), lateral movement (spreading through a network), collection (gathering target data), and exfiltration (stealing data from the organization).

Each tactic can be accomplished through multiple techniques and procedures, giving attackers flexibility in how they pursue their goals. Understanding tactics helps security teams anticipate adversary behavior patterns and develop comprehensive defense strategies that address not just specific attack methods, but the underlying strategic objectives that drive malicious activity across the entire attack lifecycle.

Origin

The concept of organizing cyberattacks into distinct tactical categories emerged from military doctrine, where tactics have long been understood as the art of arranging and employing forces in combat. Early cybersecurity approaches focused primarily on identifying specific malware signatures or attack techniques, but this method proved inadequate as adversaries grew more sophisticated and adaptive.

The shift toward tactical thinking gained momentum in the 2000s as security researchers realized that threat actors followed predictable patterns of behavior even when their specific tools changed. A ransomware operator might switch between different encryption programs, but the underlying tactics—initial access, lateral movement, data encryption—remained consistent.

MITRE formalized this tactical framework with the ATT&CK knowledge base in 2013, initially focused on enterprise Windows networks. The framework organized adversary behavior into a matrix of tactics and techniques based on real-world observations of cyberattacks. This approach transformed how defenders thought about threats, moving beyond signature-based detection to behavior-based analysis. The tactical model acknowledged that while attackers constantly develop new exploits and malware variants, their fundamental objectives during different attack phases remain relatively stable, making tactical categorization a more durable foundation for defense.

Why It Matters

Understanding attacker tactics fundamentally changes how organizations approach defense. Instead of playing whack-a-mole with individual malware samples or exploits, security teams can build defenses around the tactical objectives adversaries must achieve to succeed. An attacker might use a zero-day exploit today and a phishing email tomorrow for initial access, but they still need that initial foothold—and defenses can focus on detecting and preventing that tactical goal regardless of the specific technique employed.

This tactical perspective proves especially valuable as attack surfaces expand. Cloud environments, remote workforces, and interconnected supply chains create countless potential vulnerabilities, making it impossible to defend every possible attack vector. Focusing on tactics lets defenders prioritize controls that disrupt adversary objectives at critical junctures. Blocking lateral movement, for instance, can contain a breach even if initial access occurs.

The tactical framework also improves threat intelligence sharing and security team communication. When organizations discuss threats in tactical terms, they can compare notes about adversary behavior patterns without getting mired in technical minutiae. A red team can structure their testing around realistic tactical sequences, and incident responders can quickly assess which stage of an attack they're facing, making tactical thinking a practical tool for coordination across security functions.
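As an added illustration (not Plurilock's or MITRE's code), the sketch below rolls technique-level alerts up to the tactics listed earlier, showing which stage each host has reached and which tactics have no detection coverage. The alerts, host names and rule list are constructed; the technique-to-tactic table is a small excerpt of ATT&CK, and treating the page's listing order as a stage order is a simplifying assumption.

```python
from collections import defaultdict

# The nine tactics the page lists, in the order it gives them
# (used here as a rough stage order; real intrusions are not strictly linear).
TACTICS = ["initial-access", "persistence", "privilege-escalation",
           "defense-evasion", "credential-access", "discovery",
           "lateral-movement", "collection", "exfiltration"]

# Excerpt of the ATT&CK technique -> tactic mapping. One technique can serve
# more than one tactic, and one tactic is reachable through many techniques.
TECHNIQUE_TACTICS = {
    "T1566": ["initial-access"],                       # Phishing
    "T1078": ["initial-access", "persistence",         # Valid Accounts
              "privilege-escalation", "defense-evasion"],
    "T1053": ["persistence", "privilege-escalation"],  # Scheduled Task/Job
    "T1003": ["credential-access"],                    # OS Credential Dumping
    "T1087": ["discovery"],                            # Account Discovery
    "T1021": ["lateral-movement"],                     # Remote Services
    "T1560": ["collection"],                           # Archive Collected Data
    "T1041": ["exfiltration"],                         # Exfiltration Over C2 Channel
}

# Constructed sample alerts, each already tagged with a technique ID.
ALERTS = [
    {"host": "ws-014", "technique": "T1566"}, {"host": "ws-014", "technique": "T1053"},
    {"host": "ws-014", "technique": "T1003"}, {"host": "srv-db2", "technique": "T1021"},
    {"host": "srv-db2", "technique": "T1560"}, {"host": "ws-031", "technique": "T1566"},
]

def tactics_by_host(alerts):
    """Collapse technique-level alerts into the set of tactics seen per host."""
    seen = defaultdict(set)
    for alert in alerts:
        for tactic in TECHNIQUE_TACTICS.get(alert["technique"], []):
            seen[alert["host"]].add(tactic)
    return dict(seen)

def furthest_stage(tactics):
    """Latest tactic, in the page's listing order, observed on a host."""
    return max(tactics, key=TACTICS.index)

def coverage_gaps(rule_techniques):
    """Tactics that no deployed detection rule maps to."""
    covered = {t for tech in rule_techniques for t in TECHNIQUE_TACTICS.get(tech, [])}
    return [t for t in TACTICS if t not in covered]

if __name__ == "__main__":
    for host, tactics in sorted(tactics_by_host(ALERTS).items()):
        print(host, "->", furthest_stage(tactics), sorted(tactics))
    print("uncovered tactics:", coverage_gaps(["T1566", "T1003", "T1041"]))
```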

The Plurilock Advantage

Plurilock's offensive security services put tactical frameworks into practice through realistic adversary simulation that tests defenses against complete attack chains, not just isolated vulnerabilities.

Our red team operations mirror how real threat actors move through tactical phases—from initial compromise through data exfiltration—revealing gaps in your ability to detect and respond to tactical progressions before actual adversaries exploit them.

We bring former intelligence professionals and senior practitioners who understand how attackers think tactically, delivering adversary simulation services that prepare your team to recognize and disrupt malicious tactical objectives at every stage of the attack lifecycle.
