TLP — Traffic Light Protocol
The Traffic Light Protocol (TLP) is a standardized information-sharing classification system maintained by FIRST (Forum of Incident Response and Security Teams). TLP uses four color designations to indicate how far information may be shared beyond its original recipients, enabling trust-based information exchange during and after cyber incidents.
The Four TLP Levels
- TLP:RED -- For the eyes and ears of individual recipients only. Information tagged TLP:RED cannot be shared with anyone outside the specific exchange. Use this for information that could cause significant harm if shared more broadly, such as active exploitation details or victim-specific intelligence.
- TLP:AMBER -- Limited sharing within the recipient's organization and with clients or customers who need to know. TLP:AMBER+STRICT further limits sharing to the recipient's organization only. Use this for information that requires organizational awareness but should not be shared externally.
- TLP:GREEN -- May be shared within the recipient's community but not publicly. Use this for information useful to the broader security community, such as threat advisories or defensive recommendations.
- TLP:CLEAR -- No restrictions on sharing. Information can be distributed freely and published publicly. Use this for general awareness content and public threat reporting.
TLP in Incident Response
During an active incident, TLP governs how information flows between the organization, its DFIR firm, outside counsel, law enforcement, sector ISACs, and peer organizations. IOCs shared under TLP:AMBER can be used by partner organizations for defensive purposes but cannot be published. Sensitive details about the attack vector or affected data shared under TLP:RED stay within the immediate response team. Getting TLP designations right prevents premature disclosure that could tip off the attacker, violate legal obligations, or damage business relationships.
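The sharing limits from the four levels, applied to the audiences an incident team deals with, as an added example that is not part of the original page or of any product it mentions. The Audience scale, the function names and the sample items are assumptions made for illustration; a missing or unrecognized label is treated as not shareable.

```python
from enum import IntEnum

class Audience(IntEnum):
    """How far from the original recipients a share would travel (assumed scale)."""
    EXCHANGE = 0      # the individual recipients only
    ORGANIZATION = 1  # the recipient's own organization
    CLIENTS = 2       # the organization's clients or customers
    COMMUNITY = 3     # the recipient's wider community, e.g. a sector ISAC
    PUBLIC = 4        # anyone, including publication

# Widest audience each label permits, per the four levels listed above.
MAX_AUDIENCE = {
    "TLP:RED": Audience.EXCHANGE,
    "TLP:AMBER+STRICT": Audience.ORGANIZATION,
    "TLP:AMBER": Audience.CLIENTS,
    "TLP:GREEN": Audience.COMMUNITY,
    "TLP:CLEAR": Audience.PUBLIC,
}

def may_share(label, audience, need_to_know=False):
    """Return True if information under `label` may reach `audience`."""
    key = "".join(str(label).upper().split())  # tolerate case and stray spaces
    limit = MAX_AUDIENCE.get(key)
    if limit is None:
        return False  # missing or unknown label: fail closed
    if audience > limit:
        return False
    # TLP:AMBER reaches clients or customers only when they need to know.
    if key == "TLP:AMBER" and audience == Audience.CLIENTS:
        return need_to_know
    return True

def releasable(items, audience, need_to_know=False):
    """Filter (label, value) pairs down to what `audience` may receive."""
    return [v for label, v in items if may_share(label, audience, need_to_know)]

# Constructed sample data (documentation-range address, placeholder names).
SAMPLE = [
    ("TLP:RED", "victim host inventory"),
    ("TLP:AMBER+STRICT", "internal containment plan"),
    ("tlp:amber", "indicator 198.51.100.7"),
    ("TLP:GREEN", "defensive advisory"),
    ("TLP:CLEAR", "public incident summary"),
    ("", "unlabelled analyst note"),
]

if __name__ == "__main__":
    for aud in Audience:
        print(f"{aud.name:12} -> {releasable(SAMPLE, aud, need_to_know=True)}")
```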
Why TLP Matters for Trust
Effective threat intelligence sharing depends on trust between organizations. TLP provides a simple, universally understood mechanism for the information source to express sharing expectations. Organizations that consistently respect TLP designations build trust with information-sharing partners and receive better, more timely intelligence in return. Violating TLP boundaries damages trust and can result in being excluded from sharing communities.
Manage information sharing during incidents
IR-OS tracks TLP designations on incident information to ensure sharing boundaries are respected throughout the response.