Why Terminology Confusion Still Undermines Modern Defense
Cybersecurity discussions are filled with familiar language. Security teams talk about the latest threats and threat landscape, attack techniques and behavior, adversary tradecraft, and detection coverage. These terms appear constantly in threat intelligence reports, product documentation, and security strategy conversations.
Yet despite their frequent use, they are not always used precisely. In many cases, security teams use terms like "behavior," "techniques," and "procedures" interchangeably. This creates an important problem. When the language used to describe threats becomes imprecise, the defenses built to stop those threats can become imprecise as well.
At a top level, most organizations know that their adversaries work in patterns. They are aware that attackers perform reconnaissance, gain access, escalate privileges, move laterally, and steal data. Models like MITRE ATT&CK have proven useful as a framework for structuring these ideas and offering a common taxonomy.
However, knowing that an adversary might perform “lateral movement” or “credential dumping” does not mean a security team understands how that activity actually unfolds in its own environment. Techniques are abstract accounts of attacker behavior and are helpful for categorization, but they do not necessarily lead to actionable defenses.
The difference between conceptual and operational threat understanding and defense is often reduced to a single element: procedural precision.
Procedures define how attacks are actually executed, capturing the specific steps, tools, and sequences adversaries use. Without this detail, teams may know what attackers can do, but not how they do it, and it is the how that a defense must disrupt.
Techniques Describe Possibility. Procedures Describe Execution
To explain why procedures matter, it is useful to clarify the distinction among a few terms frequently used in cybersecurity.
"Adversary behavior" is a general term to describe how attackers operate across campaigns such as gaining access, escalating privileges, or maintaining persistence. Techniques provide a standardized way to represent that behavior, defining the common methods adversaries use to achieve objectives (e.g., spearphishing for initial access or token theft for credential abuse). These techniques help defenders consistently map threats to controls.
However, techniques describe what attackers do at an abstract level, not how they actually execute attacks in a real environment. That level of detail is captured in procedures, which define the step-by-step executions, tools, and sequences used by adversaries in the wild.
Procedures operate at a different level.
A procedure describes how an attack is actually carried out in practice. It captures specific commands, scripts, tools, and sequence of actions an adversary uses to execute a technique.
Consider the example of credential theft:
A technique might define credential dumping as a method for extracting account credentials from memory. This helps defenders understand the type of activity that may occur.
A procedure, however, shows exactly how that activity is performed. It includes the specific tool used, the command syntax executed on a host, the privileges required, and the sequence of steps the attacker follows to achieve the outcome.
The distinction is subtle but critical.
Techniques describe the possibility of an attack.
Procedures describe the reality of how that attack is executed.
For defenders, that difference determines whether a control can truly detect or stop the activity in practice, not just in theory.
Why Abstraction Breaks Down in Real Security Operations
Describing threats abstractly can be beneficial when it comes to organizing knowledge, but can be dangerous when relied upon as the primary basis for planning your cybersecurity defenses.
Many organizations build detection coverage around techniques. Security teams map their controls to techniques listed in security frameworks and assume that this mapping provides adequate defensive coverage.
In practice, this assumption often falls short. Techniques are abstract and can be executed in many different ways. The same objective can be achieved through multiple variations of execution, and a detection built for one approach may completely miss another. For example, an organization might deploy multiple detections designed to identify lateral movement. These detections might be configured to identify specific network events or authentication patterns commonly seen along a known attack path. However, the moment an adversary changes their sequence of commands, uses a different protocol, or employs a different toolset, they can bypass those detections.
From the perspective of a dashboard or coverage report, the organization appears well protected. Multiple detections exist for the relevant technique, and the security team has mapped its controls accordingly.
From the perspective of an adversary executing a real attack procedure, the environment may remain largely unmonitored.
This is one of the central challenges of abstraction in cybersecurity. Aligning defenses to generalized techniques instead of actual adversary procedures can make coverage appear stronger than it actually is.
Security teams may believe they have mitigated a threat, but in reality, they’ve only addressed a limited set of the procedures through which that threat can be carried out.
Procedural Precision Changes How Defenses Are Prioritized
Procedural accuracy alters how organizations think about defensive priorities.
Without procedural insight, prioritization often becomes generic. Security teams attempt to cover as many techniques as possible across a wide range of potential threats. Resources are allocated broadly, and detection rules accumulate over time.
The result is frequently a large collection of controls that are difficult to evaluate and even harder to prioritize.
A procedure-led approach shifts from abstract possibilities to how attacks are executed in practice. By understanding the specific procedures adversaries use in real-world campaigns, especially those targeting similar industries, security teams can make more precise and informed defensive decisions. Instead of preparing for hypothetical scenarios, they can prioritize defenses against the way attacks are actually carried out.
That shift delivers several key advantages:
First, it increases relevance. Defenses are aligned to observed adversary tradecraft, grounded in how attacks are executed in real environments, not theoretical scenarios.
Second, it simplifies decision making. Rather than managing large volumes of generalized detections, teams can focus on the specific behaviors and execution patterns that matter most.
Third, it improves the effectiveness of security investments. Resources go to the controls that address observed execution patterns rather than to broad, generalized coverage whose value is difficult to evaluate.
Ultimately, procedural precision enables organizations to move from broad, generalized coverage to defenses that are intentionally aligned to how attacks actually happen.
From Threat Intelligence to Actionable Defensive Validation
Threat intelligence plays an important role in modern security operations, but its value depends on how it is operationalized.
Threat reports usually describe the adversary campaigns, techniques, and infrastructure used in attacks. This information helps organizations understand the evolving threat landscape and emerging threats.
Nevertheless, intelligence kept at a conceptual level is rarely translated into defensive action. Procedures bridge the gap between threat intelligence and operational defense.
Analyzing threat intelligence at the procedural level extracts the actual steps adversaries follow to carry out attacks. Those procedures can then be used to test whether the available defenses detect or prevent such actions.
Security teams can emulate those adversary actions in controlled settings and observe how their monitoring and detection controls respond. Detection logic can be evaluated against real execution patterns rather than theoretical threat models.
This type of validation provides far more meaningful feedback than technique-level mapping alone. It allows defenders to determine whether a control actually works against the tradecraft used by real attackers.
As a result, threat intelligence becomes procedure-led and evolves from a source of information into a driver of measurable defensive improvement.
Measuring Security Outcomes Through Procedural Testing
One of the greatest benefits of procedural analysis is that it promotes quantifiable security results.
Conventional measures of security are activity oriented. Organizations quantify the number of alerts raised, controls implemented, or vulnerabilities repaired within a specific time frame. These are measures of operational effort, but not of defensive effectiveness.
Procedural testing leads to more evidence-based practice.
Organizations can assess their defenses against known adversary procedures to determine the effectiveness of their detection capabilities. Security teams can map defenses against procedures and record, for each one, whether the control defends against that procedure or fails.
This produces metrics that directly relate to defensive capability.
For example, instead of reporting how many new controls were deployed in a quarter, a security team can report how many adversary procedures targeting their industry have been successfully detected and disrupted.
This kind of measurement shifts the discourse of cybersecurity performance. Security leaders can demonstrate the performance of defenses against real threats rather than abstract risk models.
Executives gain a clearer understanding of whether their security investments are performing, measured by the reduction in attacker success and residual risk.
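To make the contrast between technique-level and procedure-level coverage concrete, here is an added Python illustration. It is my own example, not code or data from Tidal Cyber or the original post, and every technique name, procedure ID, rule ID, and emulation result in it is a constructed placeholder, not a real ATT&CK ID or a real detection rule. It models the "coverage report" problem from the section on abstraction (a technique counts as covered if any rule is mapped to it) against the procedure-level view (a procedure counts as covered only if a rule actually fires on that execution variant), and then compares claimed coverage with what fired during a controlled emulation run, which is the kind of metric this section proposes reporting.

```python
"""Technique-level vs. procedure-level coverage (constructed illustration).

All identifiers below are placeholders invented for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Procedure:
    proc_id: str        # constructed ID, e.g. "LM-1"
    technique: str      # the abstract technique this procedure executes
    description: str    # plain-language note on the execution variant


@dataclass(frozen=True)
class Detection:
    rule_id: str            # constructed rule ID
    technique: str          # technique the rule is "mapped to" on the dashboard
    procedures: frozenset   # procedures the rule actually fires on


# Constructed sample: two techniques, several observed execution variants each.
PROCEDURES = [
    Procedure("LM-1", "Lateral Movement", "remote execution over protocol A"),
    Procedure("LM-2", "Lateral Movement", "same objective over protocol B"),
    Procedure("LM-3", "Lateral Movement", "same objective with a different toolset"),
    Procedure("CD-1", "Credential Dumping", "direct read of the credential store"),
    Procedure("CD-2", "Credential Dumping", "credential store copied before reading"),
]

# Constructed rules: two rules for lateral movement, both watching variant LM-1.
DETECTIONS = [
    Detection("R-100", "Lateral Movement", frozenset({"LM-1"})),
    Detection("R-101", "Lateral Movement", frozenset({"LM-1"})),
    Detection("R-200", "Credential Dumping", frozenset({"CD-1"})),
]

# Constructed result of a controlled emulation run: proc_id -> rules that alerted.
OBSERVED_RUN = {"LM-1": {"R-100"}, "CD-1": {"R-200"}}


def technique_coverage(procedures, detections):
    """Coverage as a traditional dashboard reports it: a technique is 'covered'
    when at least one detection is mapped to it, regardless of variant."""
    techniques = {p.technique for p in procedures}
    mapped = {d.technique for d in detections}
    return {t: t in mapped for t in sorted(techniques)}


def procedure_coverage(procedures, detections):
    """Coverage as an adversary experiences it: a procedure is 'covered' only
    when some detection fires on that specific execution variant."""
    detected = set().union(*(d.procedures for d in detections))
    return {p.proc_id: p.proc_id in detected for p in procedures}


def coverage_gap(procedures, detections):
    """Procedures whose technique shows as covered but which no rule watches:
    the blind spots the technique-level view hides."""
    tech = technique_coverage(procedures, detections)
    proc = procedure_coverage(procedures, detections)
    return sorted(p.proc_id for p in procedures
                  if tech[p.technique] and not proc[p.proc_id])


def coverage_ratio(coverage):
    """Fraction of covered entries in a coverage dict."""
    return sum(coverage.values()) / len(coverage)


def validate(detections, observed):
    """Compare claimed procedure coverage with an emulation run.
    Returns {proc_id: [rules that claim the procedure but stayed silent]}."""
    claimed = {}
    for d in detections:
        for pid in d.procedures:
            claimed.setdefault(pid, set()).add(d.rule_id)
    silent = {pid: sorted(rules - observed.get(pid, set()))
              for pid, rules in claimed.items()}
    return {pid: rules for pid, rules in silent.items() if rules}


if __name__ == "__main__":
    print("technique-level coverage:", coverage_ratio(technique_coverage(PROCEDURES, DETECTIONS)))
    print("procedure-level coverage:", coverage_ratio(procedure_coverage(PROCEDURES, DETECTIONS)))
    print("hidden gaps:", coverage_gap(PROCEDURES, DETECTIONS))
    print("rules that claimed a procedure but did not fire:", validate(DETECTIONS, OBSERVED_RUN))
```

With this constructed data the dashboard reports 100% technique coverage while only 2 of 5 procedures are actually watched, and the emulation run shows that one of the two lateral-movement rules never fired even on the variant it claims. The procedure-level numbers (procedures covered, procedures validated) are the ones a team can report each quarter in place of a count of deployed controls.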
Procedures as the Foundation of Threat-Led Defense
Adversaries are increasingly active and adaptive. Their campaigns evolve rapidly, adjusting to defensive controls as they encounter them. Defenses built on abstraction alone struggle to keep pace in this environment.
Techniques remain valuable for organizing knowledge and communicating threat categories. However, effective defense ultimately depends on understanding how those techniques are executed in real attacks. Procedures capture that execution. They reveal the tools, commands, and sequences adversaries use to carry out attacks in practice.
When defenses are aligned to those procedures, organizations can assess their security posture against real-world attack patterns. Detection logic can be validated against concrete execution paths rather than theoretical assumptions.
This is the foundation of Threat-Led Defense. Instead of focusing solely on attack categories or abstract behaviors, defenses are grounded in the specific procedures adversaries use in practice.
For security teams, the shift is straightforward but powerful:
It means moving from knowing what adversaries might do to proving that defenses can stop what they actually do.
In modern cybersecurity, that level of precision turns confidence from assumption into evidence.
Conclusion
Tidal Cyber is the first true Threat-Led Defense platform built to flip the traditional defensive model by putting real adversary behavior at the center of your defense strategy.
By mapping techniques, sub-techniques, and procedures to ATT&CK, we reveal exactly where you’re exposed and how attackers actually operate. It’s a level of precision you’ve never had before, empowering your security team to proactively reduce risk and optimize high-impact security investments.
Threat-Led Defense is Tidal Cyber’s unique implementation of Threat-Informed Defense, enhanced with procedure-level granularity to make CTI more relevant and actionable.
