TTP (Tactics, Techniques and Procedures)
Definition
TTP stands for Tactics, Techniques and Procedures — the methods and approaches cybercriminals use in attacks. TTPs are the building blocks of threat intelligence.
TTP (Tactics, Techniques and Procedures) describes the methods and approaches cybercriminals and threat actors use in their attacks. TTPs are the building blocks of threat intelligence and the foundation of the MITRE ATT&CK framework. Knowledge of TTPs enables security teams to understand, predict and proactively detect threats.
How do TTPs work?
TTPs are hierarchically structured. Tactics describe the attacker's strategic goal, i.e. what they want to achieve (for example Initial Access, Persistence, Privilege Escalation, Lateral Movement or Exfiltration). Techniques describe how the attacker achieves that tactical goal. Procedures describe the specific implementation of a technique by a particular threat actor.
Importance of TTP knowledge
Traditional IOC-based detection is reactive: it detects known hashes and IP addresses that change rapidly. TTP-based detection is more strategic: underlying attack techniques change much more slowly than specific tools and indicators. An attacker can change malware and C2 infrastructure daily, but their fundamental approach remains recognisable.
Impact on organisations
TTP knowledge transforms security operations from reactive to proactive. Threat hunters formulate hypotheses based on TTPs of relevant threat actors. Detection rules are designed to recognise techniques rather than specific indicators. Purple teaming validates whether the organisation can detect relevant TTPs.
Protection
Use MITRE ATT&CK to measure detection coverage per technique. Integrate TTP knowledge from threat intelligence into detection rules. Conduct TTP-based threat hunting. Test detection of specific TTPs via purple teaming.
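The contrast between indicator-based and technique-based detection described above, shown as an added example (not DEFION's code): an indicator match stops firing once the attacker rotates the file hash and C2 address, while a rule that matches the behaviour (an Office application spawning a command shell) still fires. All events, hashes and addresses are constructed sample data; T1059.001 and T1059.003 are the real ATT&CK IDs for PowerShell and Windows Command Shell.

```python
"""IOC-based vs TTP-based detection over constructed process-creation events."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ProcessEvent:
    parent: str   # parent process image name
    image: str    # spawned process image name
    cmdline: str  # command line (payload replaced by a placeholder)
    sha256: str   # hash of the executed image (constructed value)
    dest_ip: str  # outbound connection made by the process (constructed value)


# Indicators learned from an earlier incident (constructed placeholder values;
# 203.0.113.0/24 is a documentation range and never routed on the Internet).
KNOWN_BAD_HASHES = {"sha256:CONSTRUCTED_HASH_01"}
KNOWN_BAD_IPS = {"203.0.113.10"}

OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe"}
SHELLS = {"powershell.exe": "T1059.001", "cmd.exe": "T1059.003"}


def ioc_detect(ev: ProcessEvent) -> bool:
    """Indicator match: fires only on the exact hash or address seen before."""
    return ev.sha256 in KNOWN_BAD_HASHES or ev.dest_ip in KNOWN_BAD_IPS


def ttp_detect(ev: ProcessEvent) -> Optional[str]:
    """Technique match: an Office application spawning a command shell.
    Returns the ATT&CK technique ID of the shell, or None if no match."""
    if ev.parent.lower() in OFFICE_APPS:
        return SHELLS.get(ev.image.lower())
    return None


def evaluate(events: List[ProcessEvent]) -> List[Tuple[bool, Optional[str]]]:
    """Return (ioc_hit, ttp_technique) per event so both approaches can be compared."""
    return [(ioc_detect(e), ttp_detect(e)) for e in events]


# Wave 1: the original campaign. Wave 2: the same procedure with a rotated
# hash and C2 address. BENIGN: an administrator's scheduled script.
PS_CMD = "powershell.exe -EncodedCommand <BASE64_PLACEHOLDER>"
WAVE_1 = ProcessEvent("WINWORD.EXE", "powershell.exe", PS_CMD, "sha256:CONSTRUCTED_HASH_01", "203.0.113.10")
WAVE_2 = ProcessEvent("WINWORD.EXE", "powershell.exe", PS_CMD, "sha256:CONSTRUCTED_HASH_02", "198.51.100.7")
BENIGN = ProcessEvent("explorer.exe", "powershell.exe", "powershell.exe -File backup.ps1", "sha256:CONSTRUCTED_HASH_03", "10.0.0.5")

if __name__ == "__main__":
    for name, ev in (("wave 1", WAVE_1), ("wave 2", WAVE_2), ("benign", BENIGN)):
        print(name, "ioc:", ioc_detect(ev), "ttp:", ttp_detect(ev))
```

Wave 2 is the case the page describes: indicators fail after rotation while the technique still matches, and the benign event shows the behaviour rule does not fire on PowerShell alone.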
How DEFION helps
DEFION integrates TTP knowledge across all services: Red Teaming simulates relevant TTPs, Purple Teaming validates detection, and Managed Threat Hunting proactively searches for TTP patterns.