TLP
What is TLP?
TLP is a simple labeling scheme maintained by FIRST that signals how sensitive shared cyber information is and with whom it may be redistributed.
The Traffic Light Protocol (TLP) is a non-technical, four-color marking system standardized by FIRST and used by CSIRTs, ISACs, and governments worldwide. The current TLP 2.0 levels are CLEAR (formerly WHITE — share without restriction), GREEN (community), AMBER (limited to recipients' organizations and clients on a need-to-know basis), AMBER+STRICT (recipients' organizations only), and RED (named recipients only, no further sharing). TLP does not enforce technical access controls; it establishes shared expectations so analysts can exchange sensitive information without ambiguity. Labels typically appear in document headers, STIX markings, and MISP distribution settings.
● Examples
- 01
A CERT advisory marked TLP:AMBER+STRICT must stay inside the receiving organization.
- 02
A MISP event tagged TLP:GREEN may circulate within a sector community.
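The check below is an added example, not code from this page, FIRST, or MISP: it parses TLP markings from header lines or tag strings, maps the TLP 1.0 name WHITE to CLEAR, and decides whether an audience falls within the label's sharing boundary. The scope names, the most-restrictive-wins rule for multiple markings, and the refusal to share unmarked data are assumptions of this example.

```python
import re

# Audience scopes from narrowest to widest (names are assumptions of this example).
SCOPES = ["named_recipient", "organization", "client", "community", "public"]

# Widest audience each TLP 2.0 label permits, per the definition above.
# AMBER's need-to-know condition is a human judgement and is not modelled here.
MAX_SCOPE = {
    "RED": "named_recipient",
    "AMBER+STRICT": "organization",
    "AMBER": "client",
    "GREEN": "community",
    "CLEAR": "public",
}

# Matches header style (TLP:AMBER+STRICT) and tag style (tlp:amber+strict).
# The lookahead rejects near-misses such as "TLP:AMBERISH" or "tlp:amber+foo".
LABEL_RE = re.compile(
    r"\btlp\s*:\s*(amber\+strict|red|amber|green|clear|white)(?![\w+])", re.I
)

def parse_labels(text):
    """Return the TLP 2.0 labels found in one header line or tag string."""
    found = [m.group(1).upper() for m in LABEL_RE.finditer(text)]
    return ["CLEAR" if name == "WHITE" else name for name in found]  # TLP 1.0 alias

def effective_label(markings):
    """Most restrictive label across all markings, or None if unmarked."""
    labels = [label for text in markings for label in parse_labels(text)]
    if not labels:
        return None
    return min(labels, key=lambda label: SCOPES.index(MAX_SCOPE[label]))

def may_share(markings, audience):
    """True if the audience scope is within what the effective label permits."""
    label = effective_label(markings)
    if label is None:
        return False  # assumption: unmarked information is not redistributed
    return SCOPES.index(audience) <= SCOPES.index(MAX_SCOPE[label])

# Constructed sample: an advisory header plus a tag carried on the same event.
SAMPLE_MARKINGS = ["TLP:AMBER+STRICT", "tlp:green"]

if __name__ == "__main__":
    print(effective_label(SAMPLE_MARKINGS))
    for scope in SCOPES:
        print(scope, may_share(SAMPLE_MARKINGS, scope))
```

Because TLP itself enforces nothing, a check like this only helps when it sits in the path that actually sends data, such as an export job or a mail gateway rule.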
● Frequently asked questions
What is TLP?
TLP is a simple labeling scheme maintained by FIRST that signals how sensitive shared cyber information is and with whom it may be redistributed. It belongs to the Defense & Operations category of cybersecurity.
What are other names for TLP?
Common alternative names include: Traffic Light Protocol, TLP 2.0.
● Related terms
- defense-ops № 1105
STIX
STIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools.
- defense-ops № 684
MISP
MISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities.
- defense-ops № 1133
TAXII Protocol
TAXII is an OASIS application-layer protocol over HTTPS for publishing, discovering, and consuming cyber threat intelligence — typically STIX content — between organizations.
- defense-ops № 771
OTX
OTX is an open, community-driven threat intelligence exchange — originally AlienVault, now LevelBlue OTX — where researchers publish indicators bundled into Pulses.
- defense-ops № 1148
Threat Intelligence
Evidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
- forensics-ir № 524
Incident Response
The organised process of preparing for, detecting, analysing, containing, eradicating, and recovering from cyber security incidents, then capturing lessons learned.