Tradecraft is the practical craft of cyber operations: the techniques, procedures, and habits an attacker uses to gain access, stay hidden, and complete an objective. It includes choices about phishing delivery, malware execution, persistence, credential theft, command-and-control, and operational security. Good tradecraft is not just about using tools; it is about using them in a way that blends into normal activity and reduces the chance of detection.
In cyber security, tradecraft matters because mature threat groups are often recognized less by a single malware sample than by their repeatable methods. Updated tooling can signal improved tradecraft, such as cleaner delivery paths, better evasion, or more disciplined targeting. Defenders look for these patterns by monitoring identity abuse, suspicious domains, unusual login behavior, and changes in how an attacker moves through an environment. Strong controls can force even skilled operators to expose mistakes.



