What is TTPs?
Tactics, Techniques, and Procedures (TTPs) describe the behavioral patterns, methods, and operational processes threat actors use to conduct attacks, providing a more durable characterization of adversary behavior than individual IOCs.
Definition
- TTPs
- Tactics, Techniques, and Procedures (TTPs) describe the behavioral patterns, methods, and operational processes threat actors use to conduct attacks, providing a more durable characterization of adversary behavior than individual IOCs.
How TTPs Works
The TTP framework originates from military intelligence and was adapted for cybersecurity through MITRE and others. Tactics represent the adversary's high-level goals (Initial Access, Lateral Movement, Exfiltration). Techniques describe how they achieve each goal (spearphishing attachment, pass-the-hash, data compressed before exfiltration). Procedures are the specific implementation details observed in a particular campaign (the exact phishing lure, the specific tools used).
This three-tier hierarchy maps directly to the MITRE ATT&CK framework, which organizes thousands of observed adversary behaviors into a structured matrix by tactic and technique. TTPs are valuable for threat intelligence because they are far more durable than IOCs. A threat actor can change IP addresses in minutes, but changing fundamental operational procedures requires significant retooling.
Security teams use TTP knowledge to build detection coverage across the ATT&CK matrix, identify visibility gaps, and prioritize defensive investments based on techniques used by adversaries targeting their industry.
TTPs in SOC Operations
Understanding TTPs lets you think like the attacker. When you see suspicious PowerShell (a technique), you immediately consider what tactic it serves (execution? defense evasion?) and what the next technique in the chain might be (persistence? lateral movement?). TTP-based thinking transforms reactive alert response into proactive investigation and more accurate incident scoping.
Practice TTPs in a Real SOC
SOCSimulator provides hands-on training with realistic SIEM, XDR, and Firewall interfaces. Build real analyst skills investigating ttps scenarios with zero consequences — free forever.
Related Terms
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques observed in...
An Indicator of Compromise (IOC) is an observable artifact, such as a file hash, IP address, domain ...
An Indicator of Attack (IOA) is a behavioral signal that identifies adversary intent and technique i...
Threat intelligence is analyzed, contextualized information about current and emerging cyber threats...
Threat hunting is the proactive, human-led process of searching through security telemetry to find h...
More Concepts Terms
Related SOC Training Resources
SOC Analyst (Tier 1) Career Guide — Salary & Skills
Tier 1 SOC Analysts are the front line. You monitor alert queues, triage incoming detections, classify them as true or f…
Read more Career PathDetection Engineer Career Guide — Salary & Skills
Detection Engineers build the rules, analytics, and automated workflows that determine what the SOC can see. You transla…
Read more Career PathSecurity Engineer Career Guide — Salary & Skills
Security Engineers build and maintain the infrastructure that SOC analysts depend on. You deploy SIEMs, configure firewa…
Read more ComparisonSOCSimulator vs LetsDefend — Comparison
SOCSimulator wins on operational realism. You get multi-tool shift simulation with SLA pressure, noise injection, and al…
Read more ComparisonSOCSimulator vs CyberDefenders — Comparison
SOCSimulator trains the operational workflow: alert triage, correlation, and response under pressure. CyberDefenders tra…
Read more ToolSIEM Training Console — SOCSimulator
The SIEM console in SOCSimulator replicates the workflow of enterprise platforms like Splunk Enterprise Security, Micros…
Read more ToolXDR Training Console — SOCSimulator
The XDR console in SOCSimulator replicates the investigation workflow of platforms like CrowdStrike Falcon, Microsoft De…
Read more TechniqueMITRE ATT&CK Techniques — Detection Training Library
Browse all MITRE ATT&CK techniques with detection strategies and example alerts.
Read more Career PathCybersecurity Career Paths — 2026 Guide
Explore SOC analyst career paths with salary data, required skills, and certification roadmaps.
Read more PlaybookSOC Investigation Playbooks — Step-by-Step Guides
Practitioner investigation playbooks with decision trees and real SIEM queries.
Read more FeatureShift Mode — Real-Time SOC Simulation
Practice alert triage under realistic time pressure with SLA timers and noise injection.
Read more FeatureOperations — Guided Training Rooms
Structured CTF-style investigation rooms covering real-world attack scenarios.
Read more