Secure Controls Framework

What are tactics?

Direct Answer

In cybersecurity, tactics are the specific, concrete actions that security teams execute to carry out operational objectives. They're what your team actually does on a given day.

Tactics are bounded activities with clear starts and ends: running a vulnerability scan against a specific subnet, applying a critical patch to production systems, updating a firewall rule to block a newly identified malicious IP range, rotating credentials after a detected anomalous login, or completing a phishing simulation for a specific business unit. Each one is measurable. Either it happened or it didn't.

Tactics operate within the structure that operations provides. An operational objective might be "maintain a patching program that remediates critical CVEs within 15 days of disclosure." The tactics that support it include scanning to identify unpatched systems, testing in staging, deploying through change management and verifying successful installation. The operation sets the standard; the tactics execute within it.

In threat intelligence, "tactics" carries a more specific meaning. The MITRE ATT&CK framework organizes adversary behavior into tactics (the high-level goal: initial access, persistence, lateral movement, exfiltration) and techniques (the specific method used to achieve that goal). This usage is distinct from the operational planning sense, though both describe execution-level activities.

Tactical metrics are direct. Patch coverage at 30 days, phishing click rate, mean time to respond, percentage of systems with current AV signatures - these are ground-level measurements. They feed the operational metrics that program managers report upward, which in turn feed the strategic indicators that boards and executives use for resource decisions.
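As an added illustration (not part of the original page or of the Secure Controls Framework), the following Python sketch rolls individual patching tactics up into the operational measure from the 15-day example above and into patch coverage at 30 days. The records, host names, finding IDs and exact metric definitions are constructed assumptions.

```python
from datetime import date

SLA_DAYS = 15        # the page's example objective: critical CVEs within 15 days
COVERAGE_DAYS = 30   # window for "patch coverage at 30 days"
AS_OF = date(2024, 4, 15)  # constructed reporting date

# Constructed records: (host, finding id, disclosed, patched or None if still open)
RECORDS = [
    ("web-01",  "FINDING-1", date(2024, 3, 1),  date(2024, 3, 9)),
    ("db-01",   "FINDING-1", date(2024, 3, 1),  date(2024, 3, 20)),
    ("app-01",  "FINDING-1", date(2024, 3, 1),  None),
    ("mail-01", "FINDING-2", date(2024, 3, 10), date(2024, 4, 14)),
    ("web-02",  "FINDING-3", date(2024, 4, 5),  None),
    ("vpn-01",  "FINDING-3", date(2024, 4, 5),  date(2024, 4, 12)),
]

def sla_status(disclosed, patched, as_of):
    """Classify one remediation tactic against the SLA (assumed definition)."""
    elapsed = ((patched or as_of) - disclosed).days
    if elapsed > SLA_DAYS:
        return "breached"  # patched late, or still open past the deadline
    # Within the window: done counts as met, open is not yet a failure.
    return "met" if patched else "pending"

def sla_compliance(records, as_of):
    """Operational metric: share of decided findings that met the SLA."""
    statuses = [sla_status(d, p, as_of) for _, _, d, p in records]
    decided = [s for s in statuses if s != "pending"]
    return decided.count("met") / len(decided) if decided else None

def coverage_at(records, as_of, window=COVERAGE_DAYS):
    """Tactical metric: of findings at least `window` days old, share patched in time."""
    aged = [(d, p) for _, _, d, p in records if (as_of - d).days >= window]
    if not aged:
        return None  # nothing old enough to measure yet
    done = sum(1 for d, p in aged if p and (p - d).days <= window)
    return done / len(aged)

if __name__ == "__main__":
    for host, finding, d, p in RECORDS:
        print(host, finding, sla_status(d, p, AS_OF))
    print("SLA compliance:", sla_compliance(RECORDS, AS_OF))
    print("Coverage at 30 days:", coverage_at(RECORDS, AS_OF))
```

Open findings still inside the 15-day window are reported as pending and left out of the compliance denominator, so a recent disclosure neither inflates nor depresses the figure reported upward.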