TTPs (Tactics, Techniques, and Procedures)

TTPs stands for tactics, techniques, and procedures: the layered description of how an attacker operates, from high-level goals (tactics) down to the methods used (techniques) and the exact steps taken (procedures). Defenders use TTPs to describe, detect, and predict adversary behavior.

Author
Unihackers Team
TTPs, short for tactics, techniques, and procedures, are how the security industry describes the way an attacker actually operates. Instead of reducing a threat to a single file hash or IP address, TTPs capture behavior in layers: the goal an adversary is pursuing, the general method they use, and the precise steps they take to pull it off. This layered view is the backbone of modern threat intelligence and the language defenders use to compare incidents and build durable detections.

The Tactic, Technique, and Procedure Hierarchy

The three letters describe three altitudes of the same activity, from abstract goal to concrete keystrokes. The tactic is the adversary's objective at a given stage of the intrusion (gaining credentials, moving laterally, getting data out). The technique is the general method used to reach that objective. The procedure is the specific implementation of the technique: the tool, the command line, the file names and the order of operations a particular group actually uses.

A concrete example makes the hierarchy click. Suppose an intruder has a foothold on one workstation and wants to move deeper into the network, which means they need more credentials. The tactic is credential access (ATT&CK TA0006). The technique they choose is OS credential dumping (T1003), specifically its LSASS Memory sub-technique (T1003.001). The procedure is the literal recipe: they upload a renamed copy of a credential-dumping tool, run it against the LSASS process to extract password hashes, then save the output to a temporary file before exfiltrating it. Change the tool, the file name or the output path and the procedure shifts, but the technique and tactic stay the same. That stability is exactly why TTPs are more valuable to defenders than disposable indicators.

How Defenders Use TTPs

Mapping observed activity to TTPs is the daily work of threat hunting and detection engineering. The dominant framework for this is MITRE ATT&CK, which assigns every technique a stable identifier (like T1003) so teams can speak a common language. When an analyst tags an incident with ATT&CK IDs, anyone in the industry can immediately understand what happened, compare it to past intrusions, and check whether their own sensors would have caught it.

TTPs also sit at the apex of David Bianco's pyramid of pain: the higher up the pyramid a detection is built, the more it costs an attacker to evade it. Rotating an IP or recompiling a binary to change its hash is trivial, but changing how a group genuinely operates, its techniques and procedures, is slow and expensive. Detections grounded in TTPs therefore age far more gracefully than signature-based ones. The trade-off is that behavioural detections need tuning: legitimate software such as security agents and backup tools can exhibit the same behaviour, so a TTP rule ships with an allowlist and a review process, not just a pattern.
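To make the pyramid-of-pain argument concrete, here is an added example (not code from the original page or from MITRE): a hash-based rule and a behaviour-based rule for the LSASS-dumping procedure described above, run over constructed Sysmon-style ProcessAccess (Event ID 10) records. The file paths, hashes and the allowlist are made up for illustration; only the ATT&CK identifiers TA0006 and T1003.001 are real. It generalizes the page's example slightly: the behavioural rule keys on the access right requested against LSASS rather than on any particular tool, so it catches the renamed copy as well as the original.

```python
"""Indicator-based vs. TTP-based detection of LSASS credential dumping.

Added example; not code from the original article or from MITRE. Input is a
constructed list of Sysmon-style ProcessAccess (Event ID 10) records. Paths,
hashes and the allowlist are made up; TA0006 and T1003.001 are real ATT&CK IDs.
"""

# Windows process access rights relevant to reading LSASS memory.
PROCESS_VM_READ = 0x0010            # required to read another process's memory
PROCESS_QUERY_LIMITED_INFO = 0x1000
PROCESS_ALL_ACCESS = 0x1FFFFF

# ATT&CK mapping attached to every behavioural hit.
LSASS_DUMP = {
    "tactic": "TA0006 Credential Access",
    "technique": "T1003.001 OS Credential Dumping: LSASS Memory",
}

# Indicator-level knowledge: hashes of tools seen in earlier incidents
# (constructed values; real SHA-256 hashes are 64 hex characters).
KNOWN_BAD_HASHES = {"CONSTRUCTED-HASH-MIMIKATZ-BUILD-1"}

# Processes that legitimately read LSASS (AV/EDR engines, some backup agents).
# Constructed allowlist. Keep it full-path based and, in production, tie it to
# the code-signing identity as well: a bare name is trivially spoofed.
BENIGN_LSASS_READERS = {
    r"C:\Program Files\Windows Defender\MsMpEng.exe".lower(),
}

LSASS = r"C:\Windows\System32\lsass.exe"

# Constructed telemetry: four access events against LSASS on one host.
EVENTS = [
    {   # 1. the tool under its real name: hash and behaviour both match
        "event_id": 10,
        "source_image": r"C:\Users\bob\Downloads\mimikatz.exe",
        "target_image": LSASS,
        "granted_access": PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFO,  # 0x1010
        "sha256": "CONSTRUCTED-HASH-MIMIKATZ-BUILD-1",
    },
    {   # 2. renamed, recompiled copy: different hash, same behaviour
        "event_id": 10,
        "source_image": r"C:\Windows\Temp\svchost_update.exe",
        "target_image": LSASS,
        "granted_access": PROCESS_ALL_ACCESS,
        "sha256": "CONSTRUCTED-HASH-MIMIKATZ-BUILD-2",
    },
    {   # 3. Defender engine reading LSASS: benign, allowlisted
        "event_id": 10,
        "source_image": r"C:\Program Files\Windows Defender\MsMpEng.exe",
        "target_image": LSASS,
        "granted_access": PROCESS_VM_READ | PROCESS_QUERY_LIMITED_INFO,
        "sha256": "CONSTRUCTED-HASH-MSMPENG",
    },
    {   # 4. Task Manager querying LSASS without VM_READ: not a dump
        "event_id": 10,
        "source_image": r"C:\Windows\System32\Taskmgr.exe",
        "target_image": LSASS,
        "granted_access": PROCESS_QUERY_LIMITED_INFO,
        "sha256": "CONSTRUCTED-HASH-TASKMGR",
    },
]


def indicator_match(events, known_bad_hashes=KNOWN_BAD_HASHES):
    """Bottom of the pyramid: flag events whose binary hash is known bad.

    A recompile or a one-byte patch changes the hash and the rule goes blind.
    """
    return [e for e in events if e["sha256"] in known_bad_hashes]


def ttp_match(events, allowlist=BENIGN_LSASS_READERS):
    """Apex of the pyramid: flag any process that opens LSASS with memory-read
    rights, whatever its name or hash, and tag the hit with its ATT&CK tactic
    and technique. Only an allowlisted full path is excluded.
    """
    hits = []
    for e in events:
        if e["event_id"] != 10:
            continue                                    # not a ProcessAccess record
        if not e["target_image"].lower().endswith(r"\lsass.exe"):
            continue                                    # some other target process
        if not e["granted_access"] & PROCESS_VM_READ:
            continue                                    # querying info is not dumping
        if e["source_image"].lower() in allowlist:
            continue                                    # known legitimate reader
        hits.append({**e, **LSASS_DUMP})
    return hits


def compare(events=EVENTS):
    """Return the source images each approach flags, for side-by-side review."""
    return {
        "indicator": [e["source_image"] for e in indicator_match(events)],
        "ttp": [h["source_image"] for h in ttp_match(events)],
    }


if __name__ == "__main__":
    for approach, flagged in compare().items():
        print(f"{approach:>9}: {flagged}")
```

Run as-is and the hash rule flags only the first event, while the behavioural rule also flags the renamed copy and passes over Defender and Task Manager. The allowlist is the caveat from the paragraph above in code form: a TTP rule is only as good as its tuning against legitimate readers of LSASS, and that tuning is where the engineering time goes.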

When TTPs Outrun the Framework

A vivid recent example comes from AI-assisted intrusions. When Anthropic investigated an attack that abused its own models, its team mapped the adversary's behavior to MITRE ATT&CK and found that most steps lined up neatly with existing technique IDs, from reconnaissance to credential access to exfiltration. But one capability had no technique ID at all: the autonomous orchestration of the attack by the model itself, stringing the steps together with minimal human input. That gap, documented in our breakdown of how hackers use AI, shows that TTP catalogs are living documents. As adversaries adopt new methods, the framework has to grow to describe them.

The lesson holds whether you defend or attack: indicators tell you what an attacker touched, but TTPs tell you how they think. Learn to read behavior at all three altitudes and you stop chasing yesterday's hashes and start anticipating tomorrow's moves.

In the Bootcamp

How We Teach TTPs (Tactics, Techniques, and Procedures)

In our Cybersecurity Bootcamp, you won't just learn about TTPs (Tactics, Techniques, and Procedures) in theory. You'll practice with real tools in hands-on labs, guided by industry professionals who use these concepts daily.

Covered in:

Module 1: Cybersecurity Foundations

Related topics you'll master: CIA Triad, Threat Vectors, NIST Framework, ISO 27001

360+ hours of expert-led training • CompTIA Security+ included