Glossary

TTP

Tactics, Techniques and Procedures. The layered vocabulary security teams use to describe what an adversary is doing.

Definition

TTP stands for Tactics, Techniques and Procedures. It is the layered vocabulary security teams use to describe adversary behaviour at increasing levels of specificity. Tactics name the goal (Initial Access, Execution, Defense Evasion). Techniques name the means (T1078 Valid Accounts, T1059 Command and Scripting Interpreter). Procedures describe the specific implementation an attacker used in a real incident.

MITRE ATT&CK is the canonical TTP catalogue: roughly 200 techniques across 14 enterprise tactics. Detection rules typically express coverage in TTP terms (for example, "this rule detects T1059.001 PowerShell execution"), and threat-intelligence reports describe campaigns as a sequence of TTPs the actor used.

Sources
  • MITRE ATT&CK Tactics, https://attack.mitre.org/tactics/enterprise/
  • MITRE ATT&CK Techniques, https://attack.mitre.org/techniques/enterprise/
Last verified: 2026-04-24