What are TTPs?
TTPs (Tactics, Techniques, and Procedures) are the patterns of behavior that describe how an adversary operates: the strategic goals (tactics), the methods used to achieve them (techniques), and the specific implementation details (procedures).
Updated 2026-05-19
TTPs are the most durable indicators in threat intelligence. An adversary can change infrastructure (IP addresses, domains), tools (malware families, frameworks), and personnel, but their TTPs evolve slowly because they reflect how the group thinks and operates. Defenders who track TTPs detect adversaries across campaigns; defenders who track only IOCs miss the same actor returning under different infrastructure.
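The contrast above, IOC matching versus TTP matching, as an added example (not Command Zero's code or any part of its product). It runs two rules over constructed process-creation events from two hypothetical campaigns: the IOC rule knows only the IP and hash seen in the first campaign, while the behavioral rule describes the technique itself (an Office application spawning a script host with a hidden or encoded command line). All IPs, hashes, campaign labels and field names are constructed sample values.

```python
"""Added example (not Command Zero's code): IOC matching vs TTP matching
over constructed process-creation events from two hypothetical campaigns.
Every IP, hash, campaign label and process name below is a constructed
sample value, not an observed indicator."""

from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    campaign: str       # label for the constructed sample only
    parent_image: str   # parent process executable name
    image: str          # child process executable name
    cmdline: str        # child command line
    sha256: str         # hash of the child binary (constructed, shortened)
    remote_ip: str      # address the child connected to (constructed)


# Campaign 1: infrastructure and tooling that has already been seen.
# Campaign 2: the same behaviour with fresh infrastructure and a rebuilt tool.
EVENTS = [
    ProcessEvent("campaign-1", "winword.exe", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc AAAA...",
                 "aaaa1111", "203.0.113.10"),
    ProcessEvent("campaign-1", "explorer.exe", "chrome.exe",
                 "chrome.exe", "cccc3333", "198.51.100.20"),
    ProcessEvent("campaign-2", "excel.exe", "powershell.exe",
                 "powershell.exe -w hidden -enc BBBB...",
                 "bbbb2222", "192.0.2.55"),
    ProcessEvent("campaign-2", "explorer.exe", "notepad.exe",
                 "notepad.exe", "dddd4444", ""),
]

# IOC feed built from campaign 1 only: atomic indicators that are cheap
# for an adversary to rotate between campaigns.
KNOWN_BAD_IPS = {"203.0.113.10"}
KNOWN_BAD_HASHES = {"aaaa1111"}

# Vocabulary for the behavioural rule (constructed lists, not exhaustive).
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
SUSPICIOUS_FLAGS = (" -enc", " -encodedcommand", " -w hidden",
                    " -windowstyle hidden")


def ioc_match(ev: ProcessEvent) -> bool:
    """Infrastructure/tool indicator: exact match on IP or binary hash."""
    return ev.remote_ip in KNOWN_BAD_IPS or ev.sha256 in KNOWN_BAD_HASHES


def ttp_match(ev: ProcessEvent) -> bool:
    """Behavioural rule: an Office application spawning a script host with
    a hidden window or encoded command line. Nothing here depends on the
    IP, domain or hash, so the rule survives infrastructure rotation."""
    if ev.parent_image.lower() not in OFFICE_APPS:
        return False
    if ev.image.lower() not in SCRIPT_HOSTS:
        return False
    cmd = ev.cmdline.lower()
    return any(flag in cmd for flag in SUSPICIOUS_FLAGS)


def detections(events, rule) -> list:
    """Return the sorted set of campaign labels in which `rule` fired."""
    return sorted({ev.campaign for ev in events if rule(ev)})


if __name__ == "__main__":
    print("IOC rule fired in:", detections(EVENTS, ioc_match))
    print("TTP rule fired in:", detections(EVENTS, ttp_match))
```

The IOC rule fires only for the campaign whose indicators were already in the feed; the behavioural rule fires for both, which is the durability argument made above. In practice the behavioural rule needs tuning against legitimate automation that also launches script hosts from Office, so it is a hunting or medium-confidence detection rather than a block-on-sight signature.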
How Command Zero handles TTPs.
Command Zero's encoded question library is organized by MITRE technique and by TTP pattern. When an analyst suspects a specific threat actor or attack pattern, the relevant questions are immediately available. Investigation findings tag back to TTPs in the Casebook, building an organizational record of which adversary patterns have been seen and how they were detected. The compounding effect: every investigation makes future TTP-based hunting and detection more effective.
Book a Command Zero demo.
Live in under an hour. No migration. Zero training data required.