Procedures: The missing link

If you’ve ever tried to move from knowing adversary behaviour to actually defending against it, you’ve probably hit the same wall we all have; abstraction.

MITRE ATT&CK® has been a game-changer for understanding how adversaries operate, but “Tactics” and “Techniques” only get us so far when you’re trying to write a detection rule, simulate an attack, or validate control coverage.

That’s why we thought the release of Procedures in Tidal Cyber’s Threat-Led Defense Platform is a big deal. It’s the first time anyone has delivered a structured, operationalised library of real-world adversary procedures  and it’s built to make Threat-Led Defence actually work at the technical level.

So, as a defender, we've unpicked what we think are the highlights for you.

Why procedure matters

Every defender knows “TTPs”,  Tactics, Techniques, and Procedures,  but until now, the “P” has always been the missing link.

• Tactics tell us why adversaries act.
• Techniques tell us what they do.
• Procedures finally show us how they do it — in the specific, technical detail we need to act.

It’s impossible to write a rule, build a detection, or simulate an adversary against a whole “Technique.” You need procedure-level insight. That’s exactly what this update from Tidal Cyber delivers: The ability to see and use real-world adversary behaviours in a structured, actionable way.

The challenge as we see it

We’ve all read CTI reports that mention “Procedure Examples”,  but they’re usually just one-liners describing a threat actor’s use of a (Sub-)Technique, often missing the technical depth defenders actually need. With nearly 700 techniques and sub-techniques across 14 tactics, scaling real threat intel into usable detail has been next to impossible. The data’s out there buried in thousands of reports,  but surfacing and structuring it consistently has never been achieved.

Until now.

What’s New: The Procedures Library

Tidal Cyber has built the industry’s first-ever structured Procedures Library, sitting at the heart of their Threat-Led Defense platform.

What makes it valuable is

• 20,000+ real-world “Sightings” -  each representing a specific, observed instance of threat activity.
• 2,300+ “Clusters” -  grouping similar Sightings for a higher-level analytical view.
• Linked directly to ATT&CK tactics, techniques, sub-techniques, and technology platforms (Windows, Linux, macOS).
• Mapped to detection components, capabilities, and visibility requirements giving you an instant view of where you’re strong, and where you’re blind.

This means you can now see adversary behaviors the way they actually happen, understand which tools in your stack detect or mitigate them, and identify where your coverage truly stops.

How they did it

The library was built using clearly-aligned definitions:

“A Procedure is a clearly defined, repeatable set of technical actions that an adversary, or simulated adversary, executes to achieve a specific objective.”

That definition became the foundation for a huge data engineering effort. Tidal’s proprietary AI,  developed after its acquisition of Zero-Shot Security,  processed over 1,500 technical threat reports, extracting procedure-level data points buried deep within them.  This isn’t more threat intel. It’s operationalised threat intel that's structured, linked, and ready to use.

What you can do with it

This is about giving defenders precision not more noise. With Procedures integrated directly into Tidal Cyber’s platform, defenders can now:

1. See real-world Procedures mapped to your stack’s capabilities:  Understand which behaviours your current tools detect and which they don’t.
2. Use Coverage Maps to visualise exposure:  Move from “we think we’re covered” to “we know exactly which TTPs we can stop.”
3. Build detections and simulations faster:  Use structured Procedures as a foundation for new rules, tests, or red-team exercises.
4. Prioritise your next move:  Focus on the behaviors that matter most to your environment — not every technique in the book.

What it means for Threat-Led Defence

Threat-Led Defence only works when intelligence is usable.  Tidal Cyber’s Procedures close the gap between intel and action. By structuring how adversaries actually execute behaviours and linking that directly to detection logic, visibility needs, and control mapping,  it’s now possible to operationalise Threat-Led Defense at scale.

Whether you’re:

• writing detection,
• running purple team exercises,
• building your next hunt query, or
• reporting on coverage to leadership,

you’ll have the procedure-level intelligence you’ve been missing.

Why we think our Community should care

This release represents something bigger than a product update, it’s a shift in how the defender community can use threat intel. For years, we’ve been guessing and now we can prove it.

Procedures turn abstract TTP's into defensible actions. They let us measure what really matters, but are we ready for how attackers actually operate?

In Summary

This is the kind of progress that moves Threat-Led Defence from concept to capability. If you’re ready to close the gap between what you know and what you can do, it’s time to explore what these new Procedures can unlock for your team.

Unlock the value of Procedures

NARC gives you the "how" behind the attack, not just the headline tactics & techniques. NARC centers on procedures, automatically pulling them from unstructured data and reports to provide the fidelity customers need to defend against the threats that matter most.

Download

About this Sponsor

Built by the Team Behind ATT&CK® Tidal Cyber is powered by the practitioners who helped make MITRE ATT&CK® the industry’s common language for adversary behaviour.

With deep roots in ATT&CK stewardship, evaluation programs, and hands-on threat-informed defense, their team has productised the approach they pioneered, making it practical, scalable, and ready for your day-to-day defense.

Visit Site