New procedure-focused operating model moves beyond technique-level abstraction to disrupt adversary execution and reduce attacker success
Tidal Cyber announced a bold evolution of its product vision, redefining Threat-Led Defense around adversary procedures, the step-by-step execution attackers use to achieve impact and declaring procedures the missing layer in modern cybersecurity.
For more than a decade, security programs have structured threat data around objects for campaigns, malware, and attack patterns. We can model tactics and we can model techniques but what about procedures? Organizations aligned tools to frameworks, built coverage dashboards and invested in exposure scoring. Visibility improved but breaches continue.
According to Tidal Cyber, the reason is structural: technique-level mapping describes categories of behavior, but not how attacks are actually executed.
“Technique mapping became a proxy for security assurance,” said Rick Gordon, CEO and co-founder of Tidal Cyber. “But abstraction does not stop execution. Procedures are the actual steps of how attacks succeed. If you are not modeling and disrupting execution, you are tracking exposure, not stopping attacks.”
Procedures represent the concrete sequence of adversary actions from initial access through lateral movement to impact. They are the operational reality between technique classification and breach.
Tidal Cyber’s Threat-Led Defense model operationalizes procedures as structured, measurable objects within its platform. With a Procedures Library of over 20,000 objects and growing, Tidal Cyber enables organizations to understand exactly how adversaries execute attacks, identify where defenses break down and prioritize remediation recommendations based on disrupting attacks rather than static exposure data.
The company said this shift moves security programs beyond tool alignment and coverage mapping toward intentional defense construction designed to reduce the probability of attacker success and residual risk.
Also Read:ย CIO Influence Interview With Jake Mosey, Chief Product Officer at Recast
“Attacks don’t happen because of a lack of technique coverage, they continue because coverage isn’t focused on execution,” said Frank Duff, co-founder of Tidal Cyber. “Procedures are how adversaries move through environments and execute attacks. When defenders model procedures, we give defenders execution clarity – and that’s what changes outcomes.”
Importantly, Tidal Cyber’s Threat-Led Defense platform also incorporates the role of vulnerabilities. “Not every vulnerability increases attacker likelihood or impact,” Gordon emphasized. “Vulnerabilities matter when – and only when – they amplify procedures and increase the probability of successful execution.”
As part of the announcement, Tidal Cyber expanded its NARC AI engine to transform unstructured threat intelligence into structured adversary procedures. Instead of stopping at indicators or campaign references, the platform translates intelligence into procedure-led defensive guidance tied directly to prioritization and action.
While frameworks such as MITRE ATT&CK remain essential for categorization and communication, Tidal Cyber said they do not provide procedural execution specificity. The company’s approach builds on those structures while introducing what it describes as the execution layer required to make attacker execution defensible.
With this announcement, Tidal Cyber formally establishes adversary execution as the unit of measurement in Threat-Led Defense shifting the market conversation from exposure visibility and technique-level abstraction to attacker disruption.
Catch more CIO Insights:ย Why CIOs are becoming chief risk orchestrators?
[To share your insights with us, please write toย psen@itechseries.com ]
