TTP

TTPs describe how threat actors operate at increasing levels of specificity: tactics (high-level goals like Initial Access), techniques (specific methods like Spearphishing), and procedures (exact tool usage and command sequences). The MITRE ATT&CK framework organizes known TTPs by threat actor group.

Aligning defenses to TTPs makes security more resilient because adversaries change tools far more often than they change fundamental behaviors.