Tactics, Techniques, and Procedures (TTPs)

Tactics, techniques, and procedures describe how threat actors pursue objectives, what methods they use, and how those methods are operationalized during an intrusion.

What Are TTPs?

In practical terms, tactics describe the attacker's goal, techniques describe the method used to achieve that goal, and procedures describe the specific implementation details observed from a group or campaign. Security teams use TTPs to understand attacker behavior beyond simple indicators.

How TTPs Are Used

  1. Threat Intelligence: Tracking recurring attacker behavior across campaigns
  2. Adversary Emulation: Reproducing realistic attack methods in a controlled setting
  3. Detection Engineering: Building detections around behaviors instead of single artifacts
  4. Threat Hunting: Searching for suspicious patterns tied to attacker tradecraft

Why TTPs Matter

TTPs are harder for attackers to change than individual hashes, domains, or IP addresses. That makes them more durable for building detections, planning purple team exercises, and mapping coverage to MITRE ATT&CK.
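
The contrast between single artifacts and behaviors, which this paragraph and the Detection Engineering item above both describe, shown as an added example that is not part of the original page. All events, domains, and the rule name are constructed for illustration; the rule is mapped to ATT&CK T1059 (Command and Scripting Interpreter).

```python
"""Indicator matching vs. behavior matching over constructed telemetry."""

# Constructed endpoint events (not real incident data): parent process,
# child process, and the first outbound domain the child contacted.
EVENTS = [
    # Wave 1: the domain is already on the indicator list.
    {"id": 1, "parent": "winword.exe", "image": "powershell.exe", "domain": "cdn-a.example"},
    # Wave 2: same procedure, but the infrastructure was rotated.
    {"id": 2, "parent": "excel.exe", "image": "PowerShell.exe", "domain": "cdn-b.example"},
    # Benign: Word starting its print helper.
    {"id": 3, "parent": "winword.exe", "image": "splwow64.exe", "domain": None},
    # Benign: an administrator opening PowerShell from the desktop shell.
    {"id": 4, "parent": "explorer.exe", "image": "powershell.exe", "domain": None},
]

KNOWN_BAD_DOMAINS = {"cdn-a.example"}  # constructed indicator list

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe"}

def office_spawns_script_host(event):
    """Behavior: an Office application launches a script interpreter."""
    return (event["parent"].lower() in OFFICE_PARENTS
            and event["image"].lower() in SCRIPT_HOSTS)

# Rule names are hypothetical; T1059 is ATT&CK "Command and Scripting Interpreter".
BEHAVIOR_RULES = [("office_spawns_script_host", "T1059", office_spawns_script_host)]

def ioc_hits(events, bad_domains=KNOWN_BAD_DOMAINS):
    """Artifact-based detection: fires only on domains already known."""
    return [e["id"] for e in events if e["domain"] in bad_domains]

def behavior_hits(events, rules=BEHAVIOR_RULES):
    """Behavior-based detection: returns (event id, rule name, technique)."""
    return [(e["id"], name, technique)
            for e in events
            for name, technique, match in rules
            if match(e)]

def coverage(hits):
    """Group behavior hits by ATT&CK technique for coverage mapping."""
    by_technique = {}
    for event_id, _name, technique in hits:
        by_technique.setdefault(technique, []).append(event_id)
    return by_technique

if __name__ == "__main__":
    print("IoC hits:     ", ioc_hits(EVENTS))
    print("Behavior hits:", behavior_hits(EVENTS))
    print("Coverage:     ", coverage(behavior_hits(EVENTS)))
```

The indicator list catches only the first wave, while the behavior rule catches both waves and stays quiet on the two benign events.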

How FourCore ATTACK Relates

FourCore ATTACK helps teams validate whether they can detect and disrupt the TTPs most relevant to their threat model by safely emulating them in controlled test scenarios.
