created time
Apr 3, 2022 05:08 AM
last update
Apr 9, 2022 04:06 AM

What is TTP?

A tactic is the highest-level description of the behavior; techniques provide a more detailed description of the behavior in the context of a tactic; and procedures provide a lower-level, highly detailed description of the behavior in the context of a technique. The behavior of an actor. - NIST CSRC
Abstract definitions tend to lead to “so what?”, what is it that defenders need to understand?
  1. Tactics are sub-objectives (WHAT). When attacks are successful, there will be impacts to Confidentiality (e.g. attacker’s objective is to steal), Integrity (tamper) & Availability (deny) for Informational Systems. For Cyber-Physical systems, attacks can impact Safety with kinectic consequences (i.e. damage).
  1. Techniques are specific methods (HOW) to achieve various sub-objectives. Different systems require different techniques.
  1. Procedures are stringing techniques (WHEN to do WHAT, think OODA) together to achieve the desired offensive objectives.

Why Automate with AutoTTP?

  • Tedious to manually re-run complex pen-testing procedures for regression tests, product evaluations, generate data for researchers & so on
  • Modular & reusable
  • Organise with whatever TTP mental-models you prefer


  • Pentesting-as-Code, goes hand-in-hand with Infra-as-Code to use in a Cyber-Range
  • Any offensive tooling with API