TTP Persistence vs Indicator Churn

Interactive 12-month APT campaign timeline showing how hash values, infrastructure, artifacts, and tools rotate constantly while TTPs remain unchanged. Click each layer to see the operational context behind each rotation frequency.

By Mohamed Habib Jaouadi•May 19, 2026•

Post Related

#cti

#threat-intelligence

#ttp

#pyramid-of-pain

#detection-engineering

#mitre-att&ck

TTP Persistence vs Indicator Churn

A simulated 12-month APT campaign. Each tick mark is an indicator rotation. Click a layer for context.

JanFebMarAprMayJunJulAugSepOctNovDec

Stable period

Indicator rotated (new hash / IP / domain / tool)

The Pattern

Same adversary. Same campaign. Same objectives. Hash values rotate 31 times. Infrastructure rotates 12 times. TTPs rotate zero times. Detection built on TTPs survives every rotation. Detection built on hashes is obsolete before the analyst who wrote it has finished their coffee.