Your Threat-Led Defense platform shows comprehensive ATT&CK coverage. Your last assessment confirmed that your detections align to adversary techniques across multiple attack stages. Yet somehow, a breach still occurs using the very techniques you thought your defenses could stop.
This happens when defenses are mapped to what adversaries do, not how they do it.
By design, Tactics, Techniques, and Sub-Techniques offer a high-level abstraction for describing adversary behavior. But in practice, defenders need far more specificity to act: a detection rule or an adversary emulation cannot be written against an entire Technique, only against a particular way of carrying it out.
Without Procedure objects that carry that granular detail, security teams cannot fully operationalize threat intelligence to improve their defenses.
Techniques Alone Don’t Tell the Full Story
Mapping defenses to frameworks like ATT&CK techniques is essential. It provides a common language across teams, organizes threat intelligence, and helps measure alignment. But it can also create a false sense of security.
Let’s use T1003: OS Credential Dumping as an example.
Your stack might appear covered because your EDR monitors credential dumping, your SIEM has corresponding rules, and your assessment marks it “green.”
But there are many ways to perform credential dumping, and your coverage may only apply to one or two common procedures, such as LSASS access using Mimikatz, while dozens of other methods remain unmonitored.
An adversary doesn’t execute “T1003.” They might run rundll32.exe with parameters that invoke comsvcs.dll to dump LSASS memory (T1003.001), perform a DCSync operation (T1003.006), or extract credentials from NTDS.dit (T1003.003).
Each method requires distinct data sources, detection logic, and control coverage: an LSASS dump shows up in process-creation and process-access telemetry on the endpoint, DCSync in directory replication events on the domain controller, and NTDS.dit extraction in file and volume shadow copy activity. A rule optimized for one may completely miss another even though both map to the same technique.
Focusing exclusively on techniques gives the illusion of readiness. Effective real-world defense requires understanding the exact procedures adversaries use, and prioritizing security resources accordingly.
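To make the gap concrete, the following is an added example (not code from the original post and not part of Tidal Cyber’s platform) that scores procedure-level coverage for T1003 over constructed telemetry. The event fields, rule names, helper `_pc`, and sample records are assumptions chosen for illustration, not real captured logs. It shows three things the paragraphs above describe: a single tool-name rule “covers” T1003 while detecting one procedure of four; a correct DCSync rule still fires on nothing if directory replication events are not collected; and procedure-specific rules stay silent on benign activity.

```python
"""Procedure-level coverage check for OS Credential Dumping (T1003).

Added example, not code from the original post or from Tidal Cyber's platform.
Rule logic, field names and the sample events are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Set


@dataclass
class Event:
    """One telemetry record. `procedure` is a ground-truth label used only
    to score coverage; a real pipeline would not have it."""
    source: str                 # data source that produced the record
    procedure: str = ""         # "" for benign activity
    image: str = ""             # process_creation: executable path
    cmdline: str = ""           # process_creation: full command line
    account: str = ""           # ad_replication: requesting account
    from_dc: bool = False       # ad_replication: request came from a DC


@dataclass
class Rule:
    name: str
    technique: str              # ATT&CK sub-technique the procedure maps to
    source: str                 # data source the rule needs to be collected
    match: Callable[[Event], bool]


# Constructed sample telemetry: four credential-dumping procedures plus two
# benign records (a service host and normal DC-to-DC replication).
EVENTS: List[Event] = [
    Event("process_creation", "mimikatz_lsass",
          image=r"C:\Tools\mimikatz.exe",
          cmdline="mimikatz.exe privilege::debug sekurlsa::logonpasswords"),
    Event("process_creation", "rundll32_comsvcs_minidump",
          image=r"C:\Windows\System32\rundll32.exe",
          cmdline=r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 624 C:\Temp\l.dmp full"),
    Event("ad_replication", "dcsync", account=r"CORP\jdoe", from_dc=False),
    Event("process_creation", "ntdsutil_ifm",
          image=r"C:\Windows\System32\ntdsutil.exe",
          cmdline=r'ntdsutil.exe "ac i ntds" ifm "create full C:\Temp\ntds" q q'),
    Event("process_creation", image=r"C:\Windows\System32\svchost.exe",
          cmdline="svchost.exe -k netsvcs"),
    Event("ad_replication", account=r"CORP\DC02$", from_dc=True),
]


def _pc(e: Event, exe: str, *needles: str) -> bool:
    """process_creation helper: image basename is `exe` and every needle
    appears in the command line (case-insensitive)."""
    return (e.source == "process_creation"
            and e.image.lower().endswith("\\" + exe)
            and all(n in e.cmdline.lower() for n in needles))


RULES: List[Rule] = [
    # The rule most stacks actually have: the well-known tool name.
    Rule("mimikatz_lsass", "T1003.001", "process_creation",
         lambda e: _pc(e, "mimikatz.exe")),
    # Same sub-technique, different procedure: LOLBin MiniDump of LSASS.
    Rule("rundll32_comsvcs_minidump", "T1003.001", "process_creation",
         lambda e: _pc(e, "rundll32.exe", "comsvcs.dll", "minidump")),
    # Different data source entirely: replication request from a non-DC.
    Rule("dcsync", "T1003.006", "ad_replication",
         lambda e: e.source == "ad_replication" and not e.from_dc),
    # NTDS.dit extraction via ntdsutil "install from media".
    Rule("ntdsutil_ifm", "T1003.003", "process_creation",
         lambda e: _pc(e, "ntdsutil.exe", "ifm")),
]


def coverage(rules: Iterable[Rule], events: Iterable[Event],
             collected: Set[str]) -> Dict[str, Set[str]]:
    """Map each labelled procedure to the names of the rules that fired on it.
    Rules whose data source is not in `collected` can never fire: the
    'right rule, wrong telemetry' gap. Benign events are keyed 'benign'."""
    active = [r for r in rules if r.source in collected]
    hits: Dict[str, Set[str]] = {}
    for e in events:
        key = e.procedure or "benign"
        hits.setdefault(key, set())
        for r in active:
            if r.match(e):
                hits[key].add(r.name)
    return hits


def summarize(cov: Dict[str, Set[str]]) -> str:
    procs = [p for p in cov if p != "benign"]
    detected = [p for p in procs if cov[p]]
    fps = cov.get("benign", set())
    return (f"{len(detected)}/{len(procs)} procedures detected, "
            f"{len(fps)} false positives on benign events")


if __name__ == "__main__":
    all_sources = {"process_creation", "ad_replication"}
    print("tool-name rule only:  ", summarize(coverage(RULES[:1], EVENTS, all_sources)))
    print("all rules, no AD logs:", summarize(coverage(RULES, EVENTS, {"process_creation"})))
    print("all rules, all logs:  ", summarize(coverage(RULES, EVENTS, all_sources)))
```

The interesting output is the middle line: the DCSync rule exists and is correct, yet the coverage score stays at three of four until the directory replication data source is actually collected. That is the distinction between a technique marked “green” and a procedure that is really detected.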
How Surface-Level Mapping Creates Hidden Risk
When organizations build their detection and validation programs solely around technique-level mappings, several issues emerge:
- False confidence in coverage. Tools may claim ATT&CK alignment without specifying which procedures they detect, so you believe you’re protected against credential dumping when you cover only one variant and leave the others unmonitored.
- Noisy or generic detections. Technique-level rules often over-trigger on legitimate administrative activity, leading to alert fatigue, long tuning cycles, and eventual rule suppression.
- Lack of prioritization. When every sub-technique is weighted equally, teams cannot focus resources where it matters most: on the procedures the adversaries relevant to them actually use.
These gaps surface in real incidents as findings labeled “control bypassed” or “not detected”, not because the control was missing, but because it wasn’t aligned to the adversary’s method of execution.
Threat-Led Defense Turns Procedures into Actionable Defense
Tidal Cyber’s Threat-Led Defense platform bridges this gap with Procedure-level intelligence: a granular layer of adversary behavior detail that is linked to the platform’s existing objects so it can be used and operationalized directly.
Rather than stopping at the technique level, the platform maps each control, detection, and validation to the commands, parameters, and processes adversaries use in practice. This transforms ATT&CK from a static reference into a living model of defensive readiness.
With this visibility, teams can:
- See exactly which adversary behaviors their tools detect or miss.
- Validate whether controls pass/fail based on real-world adversary behavior.
- Prioritize tuning and investments based on measurable coverage improvement.
This level of insight allows defenders to understand how threats manifest across EDR, SIEM, and IAM systems and make targeted improvements that strengthen their overall defense.
Procedures: The Missing Layer in Threat Intelligence
Procedures turn threat intelligence into operational defense. Where techniques describe what adversaries do, procedures reveal how they do it: the specific commands, tools, and parameters actually observed.
The Tidal Cyber Threat-Led Defense platform continuously curates and updates procedural intelligence from more than 1,500 technical reports, extracting the relevant, actionable Procedures buried within them. This enables organizations to:
- Identify which adversary behaviors are already covered and which remain exposed.
- Quantify the defensive impact of new detections or configuration changes.
- Focus engineering and hunting efforts on the procedures most relevant to their threat landscape.
Anchoring defense programs at this level enables teams to move from assumption-driven processes to evidence-driven readiness.
Operationalizing Procedures Across the Defensive Stack
Tidal Cyber’s Threat-Led Defense platform operationalizes procedural intelligence through four continuous steps:
- Map: Connect threat intelligence, detections, and controls to specific adversary behavior.
- Measure: Use Coverage Maps to visualize where gaps exist in your defenses and whether you can defend against specific adversary behaviors.
- Validate: Feed control validation results back into the model to confirm which defenses succeed or fail.
- Optimize: Tune detections, refine configurations, and reallocate spend based on measurable coverage improvements.
This creates a feedback loop that connects intelligence, detection engineering, and risk management. The result is a system that shows, with evidence, which threats the organization’s defenses can stop and which need high-priority attention.
Delivering Value for Threat-Led Defense
Tidal Cyber’s new Procedures Library is deeply integrated with our Coverage Map and defensive Capabilities, giving defenders a decisive edge. Procedures represent how adversaries actually execute behaviors in the real world, bringing the clarity and specificity needed to move from high-level intel to concrete action. By mapping these behaviors to detection logic, visibility needs, and specific tools in your stack, Tidal Cyber enables defenders to operationalize threat intelligence with precision. Whether you’re engineering detections, hunting threats, simulating adversaries, or prioritizing CTI, we make it easy to act on threat intelligence, not just collect it.
Tidal Cyber turns insight into impact.