Skip to content

    Tactics, Techniques and Procedures (TTPs)

    What are Tactics, Techniques and Procedures?

    Tactics, Techniques and Procedures (TTPs) is a cybersecurity term used to describe three components in a process used by actors—malicious or benign—to develop threats and plan cyberattacks.

    Tactics represent the “why” of an ATT&CK technique or sub-technique. It is the adversary’s tactical goal: the reason for performing an action. 
    For example: an adversary may want to achieve credential access.

    Techniques represent “how” an adversary achieves a tactical goal by performing an action.
    For example: an adversary may dump credentials to achieve credential access.

    Procedures are the specific implementation the adversary uses for techniques or sub-techniques. 
    For example: a procedure could be an adversary using PowerShell to inject into lsass.exe to dump credentials by scraping LSASS memory on a victim. Procedures are categorized in ATT&CK as the observed in the wild use of techniques in the "Procedure Examples" section of technique pages.

    Should an incident occur in your organization, forensic analysis of the TTPs employed in the attack will help you establish attribution, identify the attack vector, implement the appropriate incident response, and move to protect yourself from further attacks.

    Resources for protecting your organization from threat actors:


    7 Steps to Recognize and Combat Cybercrime


    How to Build Your Incident Response Plan

    Free eBook

    Cybersecurity for Dummies


    Anatomy of a Privileged Account Hack: How to Know the Risks and Keep them Contained

    Free Tools

    Customizable Cybersecurity Incident Response Plan Template

    Privileged Access Security Toolkit