TTPs (Tactics, Techniques, and Procedures)

Conifers team

TTPs — Tactics, Techniques, and Procedures — are the behavioral fingerprint of a threat actor. Where other threat intelligence artifacts describe what was left behind after an attack, TTPs describe how an adversary operates: the strategic objectives they pursue, the technical methods they employ to reach those objectives, and the specific step-by-step implementations that leave traces across a target environment. TTP analysis is essential for CISOs, SOC managers, security analysts, and enterprise security teams who need to detect, investigate, and neutralize threats based on attacker behavior rather than brittle, reactive signatures.

What Are TTPs in Cybersecurity?

The term TTP originated in military intelligence and counterterrorism doctrine, where understanding an adversary's patterns of behavior was considered more durable intelligence than knowing which weapon they used in a specific incident. Cybersecurity adopted the framework for the same reason: an attacker can change their malware, rotate their infrastructure, and abandon compromised accounts overnight — but the fundamental ways they think about gaining access, maintaining persistence, and exfiltrating data tend to be consistent. Behavioral patterns are harder to change than tools.

Within the security context, each layer of the TTP hierarchy operates at a different level of abstraction. A Tactic is the adversary's immediate technical objective — the "why" of a particular action. Examples include Initial Access, Persistence, Privilege Escalation, and Exfiltration. Tactics answer the question: what is the attacker trying to accomplish at this stage of the intrusion? They are intentionally high-level, describing a category of goal rather than a specific method.

A Technique is the method an adversary uses to achieve a Tactic. Techniques are more granular: they describe a specific approach, such as Phishing (T1566) to achieve Initial Access, or Process Injection (T1055) to achieve Privilege Escalation or Defense Evasion. The MITRE ATT&CK framework catalogs hundreds of techniques across all major tactic categories, and many techniques have Sub-Techniques that describe even more specific variants — for example, T1055.001 (Dynamic-link Library Injection) as a sub-technique of Process Injection.

A Procedure is the concrete, observed implementation of a Technique by a specific threat actor or campaign. If Phishing is the Technique, a Procedure describes how a particular nation-state group sends spearphishing emails with malicious Office macros targeting energy sector HR departments. Procedures are the lowest level of abstraction — they describe exactly what was observed in an intrusion, tied to real adversary groups and documented campaigns. This three-tier structure means that even when procedures evolve, the underlying technique and tactic often remain stable, allowing defenders to maintain detection coverage across actor retooling.

Why TTP-Based Detection Fundamentally Changes Threat Response

Legacy SOC operations were largely built around indicators of compromise: known-bad IP addresses, file hashes, domain names, and signatures extracted from malware samples. This approach has a fundamental ceiling. IoCs age rapidly — an attacker who discovers their infrastructure is flagged will rotate it within hours — and they offer no insight into the functional behavior of an intrusion. A SOC team that detects a known-bad IP address knows that something happened, but not what stage of the kill chain the attacker is at, which assets are at risk, or how far the intrusion may have progressed.

TTP-based detection inverts this model. Rather than looking for the artifacts of known attacks, TTP-aware detection looks for the behavioral patterns common to all attacks pursuing a given objective — regardless of the specific tools or infrastructure used. An attacker using a novel, never-before-seen piece of malware will still need to perform process injection to escalate privileges, still need to query Active Directory to identify targets for lateral movement, and still need to stage data before exfiltrating it. Those behavioral patterns are detectable even when the underlying tooling is completely unknown.

The Detection Accuracy Gap Between Symptom-Based and Behavior-Based SOCs

Most enterprise SOCs today still operate primarily on symptom detection: antivirus alerts, hash-based detections, and rule-based SIEM queries triggered by known-bad indicators. These approaches are necessary but not sufficient. They catch the attacks that have already been documented, cataloged, and turned into signatures — which means they systematically miss novel techniques, zero-days, and living-off-the-land attacks that use legitimate system tools to avoid triggering signature-based detection entirely.

A TTP-aware SOC closes this gap by detecting the behavior pattern regardless of the specific implementation. When Behavioral Analytics is applied at the TTP level — tracking which processes are spawning child processes, which accounts are accessing resources outside their normal baseline, which systems are making unusual outbound connections — the detection surface expands dramatically. The signal is no longer "this file matches a known-bad hash" but "this sequence of behaviors matches the pattern associated with T1055 Process Injection followed by T1078 Valid Accounts abuse."

This shift also directly reduces Alert Fatigue. Signature-based detection tends to produce high volumes of low-fidelity alerts because any file resembling a known pattern triggers a hit. TTP-based detection produces fewer, higher-context alerts that are annotated with the adversary objective, the kill chain stage, and the likely next steps — giving analysts actionable intelligence rather than a fire hose of raw events.

TTP Coverage Across the MITRE ATT&CK Framework

The MITRE ATT&CK framework provides the canonical vocabulary for TTP documentation and detection mapping. Its taxonomy covers fourteen tactic categories for enterprise environments, each with multiple techniques and sub-techniques. Understanding which portions of ATT&CK a SOC has detection coverage for is one of the most useful ways to quantify and improve defensive posture.

| MITRE ATT&CK Tactic | Example Technique | ATT&CK ID | CognitiveSOC™ Detection Signal |
|---|---|---|---|
| Initial Access | Phishing: Spearphishing Attachment | T1566.001 | Malicious document execution chains, macro invocation from email client process tree |
| Persistence | Boot or Logon Autostart Execution | T1547 | Registry Run key modifications, scheduled task creation outside change windows |
| Privilege Escalation | Process Injection | T1055 | Cross-process memory writes, unusual remote thread creation in privileged processes |
| Lateral Movement | Use Alternate Authentication Material: Pass the Hash | T1550.002 | NTLM authentication anomalies, lateral logon events without corresponding credential prompt |
| Collection | Data Staged: Local Data Staging | T1074.001 | Large file aggregation in temp directories, unusual archive creation prior to outbound transfer |
| Exfiltration | Exfiltration Over Web Service | T1567 | Anomalous upload volume to cloud storage APIs, DNS-based covert channel patterns |

The table above illustrates how technique-level detection translates into specific observable signals. Rather than waiting for an antivirus to flag a known malware family, each row represents a behavioral pattern that can be detected regardless of the specific tool used to execute it. This is the fundamental advantage of ATT&CK-aligned detection engineering.

How to Apply TTP-Based Detection in a SOC Environment

Shifting a SOC from indicator-based to TTP-based detection is a multi-layer operational and tooling transformation. It requires changes to detection logic, triage workflows, analyst training, and the underlying data collection strategy. The following sections cover the practical implementation steps that security teams can act on.

Map Existing Detection Coverage to MITRE ATT&CK

Before building new detection content, the first step is understanding where coverage already exists and where gaps are most dangerous. This means inventorying every active detection rule, SIEM query, EDR policy, and analytics use case, and tagging each one with the ATT&CK technique it addresses. Tools like MITRE ATT&CK Navigator provide a visual heat map of coverage — showing which tactic categories are densely covered and which techniques, especially those favored by threat actors targeting the organization's sector, have no detection content at all.

Coverage mapping should be prioritized by threat intelligence relevant to the organization's industry and geography. A financial institution's coverage gaps carry different risk than a manufacturing firm's. Once gaps are identified, detection engineering efforts can be sequenced by risk — starting with high-frequency techniques known to be used by active threat actors in the relevant sector, then expanding methodically across the matrix.
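The coverage-mapping step above in working form, as an added example that is not Conifers code or part of this glossary: every active rule is tagged with the ATT&CK technique it addresses, the tags are counted into a per-technique heat map, the result is compared with a sector threat profile to list prioritized techniques that have no detection content at all, and the same data is emitted as an ATT&CK Navigator layer for visual review. The rule inventory and the sector priority list are constructed sample data; the Navigator version numbers in the layer header are assumptions to adjust to the Navigator release in use.

```python
"""Map detection rules onto ATT&CK techniques, list prioritized gaps, and emit a
Navigator layer. Added example, not Conifers code; inventory and priorities are
constructed sample data."""
import json
import re
from collections import Counter

# Technique IDs look like T1055 or T1055.001; anything else is a tagging mistake.
TECHNIQUE_ID = re.compile(r"^T\d{4}(\.\d{3})?$")

# Constructed inventory: each active rule tagged with the technique(s) it addresses.
DETECTION_RULES = [
    {"name": "Office spawns script host", "source": "EDR", "techniques": ["T1566.001"]},
    {"name": "Run key modified", "source": "SIEM", "techniques": ["T1547.001"]},
    {"name": "Remote thread into lsass", "source": "EDR", "techniques": ["T1055"]},
    {"name": "Remote thread into lsass (SIEM copy)", "source": "SIEM", "techniques": ["T1055"]},
    {"name": "Archive created in temp dir", "source": "SIEM", "techniques": ["T1074.001"]},
    {"name": "Suspicious PowerShell", "source": "EDR", "techniques": ["T1059.001"]},
]

# Constructed sector threat profile: techniques intel says active actors favour, priority first.
SECTOR_PRIORITY = ["T1566.001", "T1059.001", "T1055", "T1550.002", "T1078", "T1567"]


def coverage_counts(rules):
    """Number of active rules per technique ID. A sub-technique tag also counts toward
    its parent (a T1547.001 rule gives T1547 some coverage), mirroring Navigator roll-up."""
    counts = Counter()
    for rule in rules:
        for tid in rule["techniques"]:
            if not TECHNIQUE_ID.match(tid):
                raise ValueError(f"rule {rule['name']!r} has malformed technique id {tid!r}")
            counts[tid] += 1
            if "." in tid:
                counts[tid.split(".")[0]] += 1
    return counts


def coverage_gaps(rules, priority):
    """Prioritized techniques with no detection content, in intel priority order."""
    counts = coverage_counts(rules)
    return [tid for tid in priority if counts[tid] == 0]


def navigator_layer(rules, priority, name="Detection coverage"):
    """Build an ATT&CK Navigator layer: score = rule count, so the heat map shows density.
    Uncovered priority techniques are included with score 0 and an explanatory comment."""
    counts = coverage_counts(rules)
    techniques = []
    for tid in sorted(set(counts) | set(priority)):
        entry = {"techniqueID": tid, "score": counts[tid]}
        if tid in priority and counts[tid] == 0:
            entry["comment"] = "GAP: prioritized by sector threat intel, no detection content"
        techniques.append(entry)
    return {
        "name": name,
        # Version strings are an assumption; match them to the Navigator release in use.
        "versions": {"attack": "14", "navigator": "4.9", "layer": "4.5"},
        "domain": "enterprise-attack",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#66b032"], "minValue": 0,
                     "maxValue": max(counts.values(), default=1)},
    }


if __name__ == "__main__":
    print("uncovered priority techniques:", coverage_gaps(DETECTION_RULES, SECTOR_PRIORITY))
    print(json.dumps(navigator_layer(DETECTION_RULES, SECTOR_PRIORITY), indent=2))
```

The gap list is what sequences detection engineering work: with the constructed data it reports Pass the Hash, Valid Accounts and Exfiltration Over Web Service as prioritized techniques with zero rules, while the heat map shows Process Injection covered twice (once in EDR, once in the SIEM), which is the kind of duplication the inventory pass is meant to surface.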

Enrich Alerts with TTP Context During Triage

A raw alert that says "suspicious PowerShell execution detected" gives an analyst a data point. An alert tagged to T1059.001 (Command and Scripting Interpreter: PowerShell), placed in the context of a broader Kill Chain Mapping sequence showing prior Initial Access and Persistence activity on the same host, gives an analyst a story. The difference between these two alert presentations can be the difference between a 45-minute investigation and a 4-hour one.

TTP enrichment at the alert level means adding technique labels, tactic context, and associated kill chain stage to every finding before it reaches the analyst queue. This requires integration between the SIEM or detection platform and a structured ATT&CK knowledge base, but even simple tagging during rule authoring — annotating each detection rule with the technique it maps to — provides significant triage benefit. When combined with Incident Phase Labeling, this enrichment gives analysts immediate situational awareness about where in an intrusion they are looking.
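The enrichment described in the two paragraphs above, as an added example that is not Conifers code or part of this glossary: each detection rule carries a technique tag assigned at authoring time, a small ATT&CK lookup turns the tag into technique name, tactic and kill chain stage, and because alerts are processed per host in time order, each enriched alert also lists the earlier kill chain stages already seen on that host, which is the "story" the text contrasts with a bare "suspicious PowerShell" data point. The rule tags, the miniature ATT&CK lookup, the stage numbering and the alert stream are constructed sample data; a production deployment would load the full ATT&CK knowledge base instead of the hand-written dictionary.

```python
"""Enrich raw alerts with ATT&CK technique, tactic, kill chain stage and per-host
prior-stage context at triage time. Added example, not Conifers code; all lookup
tables and alerts below are constructed sample data."""

# Constructed subset of the ATT&CK Enterprise matrix: technique ID -> (name, primary tactic).
ATTACK_TECHNIQUES = {
    "T1566.001": ("Phishing: Spearphishing Attachment", "Initial Access"),
    "T1059.001": ("Command and Scripting Interpreter: PowerShell", "Execution"),
    "T1547.001": ("Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder",
                  "Persistence"),
    "T1055": ("Process Injection", "Privilege Escalation"),
    "T1003.001": ("OS Credential Dumping: LSASS Memory", "Credential Access"),
    "T1550.002": ("Use Alternate Authentication Material: Pass the Hash", "Lateral Movement"),
    "T1567": ("Exfiltration Over Web Service", "Exfiltration"),
}

# Tactic -> kill chain stage number used for incident phase labeling (constructed ordering).
KILL_CHAIN_STAGE = {
    "Initial Access": 1, "Execution": 2, "Persistence": 3, "Privilege Escalation": 4,
    "Credential Access": 5, "Lateral Movement": 6, "Collection": 7, "Exfiltration": 8,
}

# Tag attached to each rule when it was written: rule name -> technique ID (constructed).
RULE_TAGS = {
    "Office spawns script host": "T1566.001",
    "Suspicious PowerShell": "T1059.001",
    "Remote thread into lsass": "T1055",
    "NTLM logon without interactive credential": "T1550.002",
}

# Constructed raw alert stream as it would arrive from the SIEM/EDR, before enrichment.
RAW_ALERTS = [
    {"ts": "2024-05-01T09:02:00Z", "host": "ws-17", "rule": "Office spawns script host"},
    {"ts": "2024-05-01T09:05:00Z", "host": "ws-17", "rule": "Suspicious PowerShell"},
    {"ts": "2024-05-01T10:40:00Z", "host": "ws-17", "rule": "Remote thread into lsass"},
    {"ts": "2024-05-01T10:41:00Z", "host": "ws-22", "rule": "Suspicious PowerShell"},
    {"ts": "2024-05-01T11:00:00Z", "host": "ws-17", "rule": "Legacy AV heuristic"},  # untagged rule
]


def enrich(alert, history):
    """Attach ATT&CK context to one raw alert. `history` holds alerts already enriched
    for this pass, so the output can list which earlier stages were seen on the same host."""
    tid = RULE_TAGS.get(alert["rule"])
    if tid is None:
        # An untagged rule is a detection-engineering gap; flag it rather than drop it.
        return {**alert, "technique_id": None, "technique": None, "tactic": None,
                "stage": None, "prior_tactics_on_host": [], "enrichment": "UNTAGGED_RULE"}
    name, tactic = ATTACK_TECHNIQUES[tid]
    stage = KILL_CHAIN_STAGE[tactic]
    prior = {h["tactic"] for h in history
             if h["host"] == alert["host"] and h["stage"] is not None and h["stage"] < stage}
    return {**alert, "technique_id": tid, "technique": name, "tactic": tactic, "stage": stage,
            "prior_tactics_on_host": sorted(prior, key=KILL_CHAIN_STAGE.get),
            "enrichment": "OK"}


def triage_view(alerts):
    """Enrich alerts in timestamp order, feeding earlier results back in as history."""
    enriched = []
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        enriched.append(enrich(alert, enriched))
    return enriched


def story_line(enriched_alert):
    """One-line analyst summary: technique, stage, and what preceded it on the host."""
    if enriched_alert["enrichment"] != "OK":
        return f"{enriched_alert['host']}: {enriched_alert['rule']} (rule has no ATT&CK tag)"
    prior = " -> ".join(enriched_alert["prior_tactics_on_host"]) or "no earlier stages"
    return (f"{enriched_alert['host']}: {enriched_alert['technique_id']} "
            f"{enriched_alert['technique']} [{enriched_alert['tactic']}, stage "
            f"{enriched_alert['stage']}]; seen earlier on host: {prior}")


if __name__ == "__main__":
    for item in triage_view(RAW_ALERTS):
        print(story_line(item))
```

With the constructed stream, the Process Injection alert on ws-17 arrives annotated with the Initial Access and Execution activity that preceded it on that host, while the identical PowerShell rule firing on ws-22 is shown with no prior stages, which is exactly the distinction an analyst needs to decide which of the two to open first.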

Leverage Agentic AI for Continuous TTP Correlation

Manual TTP correlation — reviewing a series of events across multiple systems and identifying that they collectively represent a coherent attacker behavior pattern — is cognitively demanding work. An analyst reviewing twelve alerts in isolation may not recognize that three of them, taken together, represent the Reconnaissance → Credential Access → Lateral Movement sequence of a specific threat actor profile. This is precisely the kind of pattern recognition that benefits from automation at scale.

Agentic AI applied to TTP detection can continuously correlate low-fidelity signals across long timeframes, matching behavioral sequences to known threat actor procedures even when those sequences span days or weeks. This sustained correlation capability addresses one of the most persistent weaknesses in manual SOC operations: the inability to maintain investigative context across shift changes and alert volume spikes. When agentic systems surface a correlated TTP chain to a human analyst, the investigation starts not from zero but from a structured hypothesis about attacker intent and progress through the kill chain.
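The correlation described in the two paragraphs above, and the "T1055 followed by T1078" sequence signal from the Behavioral Analytics section earlier on this page, both come down to the same operation: grouping technique-tagged, low-fidelity events by entity, checking whether they occur in the order a known procedure profile specifies, and doing so within a window that may span days. The following added example (not Conifers code or part of this glossary) implements that matcher. The event stream, the entity keys, the technique-to-tactic subset and the two procedure profiles are constructed; the page's "Reconnaissance → Credential Access → Lateral Movement" sequence is expressed here with ATT&CK's Discovery tactic standing in for in-network reconnaissance, which is an assumption about how that profile would be encoded.

```python
"""Correlate technique-tagged events per entity into ordered TTP chains across
multi-day windows and match them to procedure profiles. Added example, not
Conifers code; events, profiles and the tactic lookup are constructed."""
from datetime import datetime, timedelta

# Constructed subset of ATT&CK Enterprise: technique ID -> tactic used for matching.
TACTIC_OF = {
    "T1087": "Discovery",             # Account Discovery (in-network reconnaissance)
    "T1003.001": "Credential Access", # OS Credential Dumping: LSASS Memory
    "T1550.002": "Lateral Movement",  # Pass the Hash
    "T1021.002": "Lateral Movement",  # SMB/Windows Admin Shares
    "T1055": "Privilege Escalation",  # Process Injection
    "T1078": "Persistence",           # Valid Accounts (one of its tactics)
    "T1074.001": "Collection",        # Local Data Staging
}

# Constructed procedure profiles. A step is either a tactic name or a technique ID;
# the window bounds how far the whole chain may stretch from its first event.
PROFILES = {
    "recon-to-lateral-movement": {
        "steps": ["Discovery", "Credential Access", "Lateral Movement"],
        "window": timedelta(days=14),
    },
    "injection-then-account-abuse": {
        "steps": ["T1055", "T1078"],
        "window": timedelta(hours=6),
    },
}

# Constructed low-fidelity events: (ISO timestamp, entity, technique ID).
EVENTS = [
    ("2024-05-01T08:10:00", "user:jdoe", "T1087"),
    ("2024-05-01T08:12:00", "user:jdoe", "T1078"),      # T1078 before any T1055: no chain
    ("2024-05-06T22:40:00", "user:jdoe", "T1003.001"),
    ("2024-05-11T03:05:00", "user:jdoe", "T1550.002"),  # day 10: inside the 14-day window
    ("2024-05-02T09:00:00", "host:ws-22", "T1055"),
    ("2024-05-02T11:30:00", "host:ws-22", "T1078"),     # 2.5 h later: inside the 6-hour window
    ("2024-03-01T09:00:00", "user:asmith", "T1087"),
    ("2024-04-20T09:00:00", "user:asmith", "T1003.001"),  # 50 days later: outside the window
    ("2024-04-21T09:00:00", "user:asmith", "T1550.002"),
]


def step_matches(step, technique):
    """A profile step matches an event by exact technique ID or by the technique's tactic."""
    return step == technique or step == TACTIC_OF.get(technique)


def find_chain(entity_events, steps, window):
    """Earliest ordered chain of this entity's events that completes `steps` within
    `window` of the chain's first event; None if the profile is never completed."""
    for i, (t0, _, tid0) in enumerate(entity_events):
        if not step_matches(steps[0], tid0):
            continue
        chain, k = [entity_events[i]], 1
        for ev in entity_events[i + 1:]:
            if ev[0] - t0 > window:
                break  # window exhausted from this start; try a later starting event
            if step_matches(steps[k], ev[2]):
                chain.append(ev)
                k += 1
                if k == len(steps):
                    return chain
    return None


def correlate(events, profiles=PROFILES):
    """Group events by entity, sort by time, and report every completed profile chain."""
    by_entity = {}
    for ts, entity, tid in events:
        by_entity.setdefault(entity, []).append((datetime.fromisoformat(ts), entity, tid))
    hits = []
    for entity, evs in by_entity.items():
        evs.sort(key=lambda e: e[0])
        for name, profile in profiles.items():
            chain = find_chain(evs, profile["steps"], profile["window"])
            if chain:
                hits.append({"entity": entity, "profile": name,
                             "start": chain[0][0].isoformat(), "end": chain[-1][0].isoformat(),
                             "techniques": [ev[2] for ev in chain]})
    return hits


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit)
```

Two chains complete with the constructed data: the jdoe account's Discovery, credential access and pass-the-hash events, spread over ten days, match the first profile, and ws-22's injection followed by account use matches the second. The asmith events contain the same three tactics in the same order, but the 50-day gap exceeds the profile window, so no chain is reported; that window is the knob that trades sustained correlation against false chaining of unrelated activity, and it is the part a human reviewer should sanity-check when an agentic system surfaces a hypothesis.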

Use TTP Intelligence to Improve MTTD

Mean Time to Detect is one of the most consequential SOC performance metrics, and TTP-based detection has a direct structural impact on it. Indicator-based detection is retroactive by nature — it can only fire on artifacts from attacks that have already been documented. TTP-based detection can fire on behavioral patterns mid-attack, during techniques like lateral movement or privilege escalation that occur well before exfiltration. This earlier detection point compresses MTTD by catching intrusions at an earlier kill chain stage, before the most damaging phases of an attack are executed.

Frequently Asked Questions About TTPs and MITRE ATT&CK

What is the difference between TTPs and IoCs?

Indicators of Compromise (IoCs) are artifacts left by an attack: a specific IP address, a file hash, a malicious domain. They describe the physical evidence of a breach — the digital equivalent of a fingerprint at the scene. IoCs are highly specific, time-sensitive, and tied to the particular tools and infrastructure an attacker used in a specific campaign. Once an attacker rotates their infrastructure or recompiles their malware, the corresponding IoCs become obsolete.

TTPs describe behavior rather than artifacts. They answer not "what did the attacker leave behind?" but "how did the attacker operate?" A TTP like Process Injection (T1055) applies to any attacker using that technique regardless of which specific tool they used to execute it. Because TTPs describe method rather than artifact, they remain valid intelligence even after an attacker changes all their tooling — making them more durable and strategically valuable for long-term detection engineering.

How does TTP-based detection improve MTTD?

Indicator-based detection can only fire after an attack's artifacts have been cataloged — meaning it is fundamentally reactive. A novel piece of malware, or an attack conducted entirely with legitimate system tools, may generate no matching IoCs and go undetected through its most critical phases. TTP-based detection fires on behavioral patterns that are inherent to the attack method, which can be observed during execution rather than only after the fact.

By detecting techniques like credential dumping, lateral movement, and data staging as they occur — rather than waiting for a post-breach forensic analysis to identify known-bad hashes — TTP-aware SOCs can intervene earlier in the attack sequence. This structural advantage directly reduces MTTD because the detection opportunity exists at every stage of the intrusion rather than only at points where known-bad artifacts appear. Earlier detection translates directly into reduced dwell time and smaller blast radius when incidents do occur.

What is the MITRE ATT&CK framework and how does it relate to TTPs?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible, structured knowledge base of adversary behaviors compiled from real-world attack observations. Maintained by MITRE Corporation, it provides a standardized taxonomy for describing TTPs — organizing them by tactic category, documenting the detection data sources relevant to each technique, and cataloging which threat actor groups have been observed using each technique in the wild.

ATT&CK is both a vocabulary and a tool. As a vocabulary, it gives security teams a shared language for describing attacker behavior that works across vendors, tools, and organizations — enabling more precise communication during incident response and threat intelligence sharing. As a tool, the ATT&CK Navigator allows organizations to map their existing detection coverage against the full technique library, visually identifying gaps. Detection engineering teams use ATT&CK technique IDs as the canonical reference when building and tagging detection rules, which is what enables the kind of structured TTP enrichment that platforms like CognitiveSOC™ apply to alert triage and investigation workflows.

For MSSPs ready to explore this transformation in greater depth, Conifers' comprehensive guide, Navigating the MSSP Maze: Critical Challenges and Strategic Solutions, provides a detailed roadmap for implementing cognitive security operations and achieving SOC excellence.
