Traffic Light Protocol (TLP)

BLUF

The Traffic Light Protocol (TLP) is a simple information-sharing classification scheme that tells a recipient how far they may redistribute information received from a source. Developed by the UK NISCC (2001) and standardized by FIRST as TLP 2.0 (2022), it gives threat-intelligence communities an internationally recognized vocabulary for controlling information flow. Its four colors (TLP:RED, TLP:AMBER with the stricter TLP:AMBER+STRICT variant, TLP:GREEN, TLP:CLEAR) encode sharing restrictions from named-recipients-only to unrestricted. TLP is expected practice in CTI communities (ISACs, MISP communities, government-industry programs), is supported by predefined STIX 2.1 marking definitions, and ships as a MISP taxonomy. Understanding TLP is a prerequisite for participation in any professional threat-intelligence sharing program.


TLP Designations

TLP:RED — Restricted to Named Recipients Only

Not for disclosure: restricted to the named participants only. Recipients may not share TLP:RED information with anyone else, not even colleagues in their own organization. In a meeting or briefing, TLP:RED is limited to those present.

Use cases: highly sensitive information shared in a closed briefing; victim-specific IOCs during an active incident; information that would identify a confidential source if shared beyond the immediate recipient.

TLP:AMBER — Limited Distribution Within Organization and Its Clients

Information may be shared with members of the recipient’s organization or their clients, on a need-to-know basis.

TLP:AMBER+STRICT (TLP 2.0 addition): restricts sharing to the recipient organization only, not to its clients. It is a restriction applied to TLP:AMBER rather than a fifth color, and it is stricter than plain TLP:AMBER.

Use cases: IOC feeds from a government-industry ISAC; vulnerability information specific to an organization’s systems; threat actor TTP details with organizational specificity.

TLP:GREEN — Community-Wide Distribution

Information may be shared with peers and partner organizations within the recipient's community or sector, but not via publicly accessible channels and not outside the community. When the source has not defined "community", TLP 2.0 says to assume the cybersecurity/defense community.

Use cases: sector-specific threat intelligence within a financial ISAC; vulnerability reports within a government-contractor community; threat actor profiles within a law enforcement sharing program.

TLP:CLEAR — Unrestricted

Information may be shared freely, including public distribution and publication.

Note: TLP 2.0 renamed TLP:WHITE to TLP:CLEAR to avoid confusion with other uses of "white" in classification and handling schemes. Legacy TLP:WHITE markings still appear in older data and should be read as TLP:CLEAR.

Use cases: published IOC feeds; public threat actor profiles; vulnerability disclosures after coordinated disclosure period; public OSINT-derived intelligence products.


TLP 1.0 vs. TLP 2.0

Change             TLP 1.0                                              TLP 2.0
WHITE renamed      TLP:WHITE                                            TLP:CLEAR
AMBER+STRICT       Not defined                                          Added as an explicit restriction on TLP:AMBER
Capitalization     Mixed in practice                                    TLP:COLOR, all caps, no space after the colon
STIX integration   STIX 2.x predefines TLP 1.0 marking definitions      FIRST publishes STIX 2.1 marking definitions for the
                   (TLP:WHITE, GREEN, AMBER, RED)                       TLP 2.0 names (TLP:CLEAR, TLP:AMBER+STRICT, ...)

Technical Integration

STIX 2.1: TLP is a marking-definition object with definition_type "tlp". The STIX 2.1 specification predefines one such object, with a fixed canonical ID, for each TLP 1.0 level (still named TLP:WHITE); FIRST publishes the corresponding marking definitions for the TLP 2.0 names. A producer marks an object by listing the marking's ID in its object_marking_refs (whole-object marking) or in granular_markings (per-property). Consumers must use the canonical IDs rather than minting their own, or recipients will not recognize the marking.

MISP: TLP is applied as tags from the built-in "tlp" taxonomy (tlp:red, tlp:amber, tlp:amber+strict, tlp:green, tlp:clear, plus the legacy tlp:white) on events and attributes. The tags are advisory: what MISP actually enforces is the event's distribution setting (your organisation only, this community only, connected communities, all communities, or a sharing group), so the distribution level and sharing-group membership must be set consistently with the TLP tag.


Operational Rules

  1. Honor received markings: TLP:AMBER received means sharing only within your organization and its clients on a need-to-know basis (TLP:AMBER+STRICT: your organization only), regardless of how useful broader sharing would be.
  2. Apply TLP when sharing: all intelligence products shared externally must carry an explicit TLP designation. Absence of TLP is not TLP:CLEAR.
  3. TLP does not govern classification: TLP applies to unclassified information. Classified information uses separate government classification systems.
  4. Widening requires source approval: sharing any TLP-marked information more widely than its marking allows (for example TLP:RED beyond the named recipients, or TLP:GREEN to the public) requires explicit permission from the originator. Recipients never re-mark information to a less restrictive level on their own.
  5. For OSINT products: public-release → TLP:CLEAR; community products → TLP:GREEN; org-specific → TLP:AMBER; specific-recipient sensitive → TLP:RED.
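The STIX marking mechanism and the operational rules above, as an added example in Python (standard library only). It is not code from FIRST, OASIS, MISP or any other project. It builds TLP marking-definition objects, applies them through object_marking_refs, and gates release by audience: unmarked objects are refused, the most restrictive marking wins when several are attached, and sharing wider than the marking allows needs originator approval. The marking-definition IDs, object IDs, audience names and sample indicators are all constructed for this example; in real data the marking IDs must be the canonical ones published in the STIX 2.1 specification and by FIRST.

```python
"""TLP-aware release gate for STIX 2.1 objects.

Added example, not code from FIRST, OASIS or any CTI platform. Marking-definition
IDs are minted locally for illustration (see marking_id); real data must carry
the canonical IDs instead.
"""
import json
import uuid

# TLP 2.0 levels, most restrictive first.
TLP_LEVELS = ("TLP:RED", "TLP:AMBER+STRICT", "TLP:AMBER", "TLP:GREEN", "TLP:CLEAR")
RANK = {level: i for i, level in enumerate(TLP_LEVELS)}

# Audiences a recipient might forward to, and the least restrictive marking
# that still permits each one (TLP 2.0 semantics). Audience names are ours.
AUDIENCE_MIN_LEVEL = {
    "named_recipient": "TLP:RED",    # only the people it was addressed to
    "own_org": "TLP:AMBER+STRICT",   # need-to-know inside the recipient's own organization
    "client": "TLP:AMBER",           # the recipient organization's clients, need-to-know
    "community": "TLP:GREEN",        # the recipient's community/sector, no public channels
    "public": "TLP:CLEAR",           # anyone
}


def marking_id(level: str) -> str:
    # ASSUMPTION: placeholder IDs derived from a made-up name. Real objects must
    # reference the canonical marking-definition IDs (STIX 2.1 spec for the
    # TLP 1.0 names, FIRST's published TLP 2.0 definitions for CLEAR/AMBER+STRICT).
    return "marking-definition--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "tlp-example.invalid/" + level))


def tlp_marking_definition(level: str) -> dict:
    """Shape of a STIX 2.1 TLP marking-definition object (placeholder id, see above)."""
    return {
        "type": "marking-definition",
        "spec_version": "2.1",
        "id": marking_id(level),
        "created": "2022-08-01T00:00:00.000Z",
        "definition_type": "tlp",
        "name": level,
        "definition": {"tlp": level[len("TLP:"):].lower()},
    }


DEFINITIONS = {d["id"]: d for d in map(tlp_marking_definition, TLP_LEVELS)}


def mark(obj: dict, level: str) -> dict:
    """Apply a whole-object TLP marking through object_marking_refs."""
    refs = obj.setdefault("object_marking_refs", [])
    if marking_id(level) not in refs:
        refs.append(marking_id(level))
    return obj


def tlp_of(obj: dict):
    """TLP level of an object, or None if it carries no TLP marking at all.
    When several TLP markings are attached, the most restrictive one wins."""
    levels = [DEFINITIONS[r]["name"] for r in obj.get("object_marking_refs", ())
              if r in DEFINITIONS and DEFINITIONS[r]["definition_type"] == "tlp"]
    return min(levels, key=RANK.__getitem__) if levels else None


def may_share(obj: dict, audience: str, originator_approved: bool = False) -> bool:
    """Decide whether `obj` may be forwarded to `audience`.

    Unmarked objects are refused: absence of TLP is not TLP:CLEAR. A marking
    permits every audience up to its own rank; going wider is allowed only with
    the originator's explicit approval, never by the recipient re-marking it.
    """
    level = tlp_of(obj)
    if level is None:
        return False
    if RANK[level] >= RANK[AUDIENCE_MIN_LEVEL[audience]]:
        return True
    return originator_approved


def release_bundle(objects: list, audience: str) -> dict:
    """Bundle containing only the objects releasable to `audience`, plus the
    marking definitions they reference, so the markings travel with the data."""
    kept = [o for o in objects if may_share(o, audience)]
    needed = sorted({r for o in kept for r in o.get("object_marking_refs", ())})
    return {"type": "bundle", "id": "bundle--" + str(uuid.uuid4()),
            "objects": [DEFINITIONS[r] for r in needed] + kept}


def indicator(name: str, pattern: str, level: str = None) -> dict:
    """Constructed sample indicator (not a real IOC); left unmarked when level is None."""
    obj = {"type": "indicator", "spec_version": "2.1",
           "id": "indicator--" + str(uuid.uuid5(uuid.NAMESPACE_URL, "tlp-example.invalid/" + name)),
           "created": "2024-01-01T00:00:00.000Z", "modified": "2024-01-01T00:00:00.000Z",
           "name": name, "pattern_type": "stix", "pattern": pattern,
           "valid_from": "2024-01-01T00:00:00.000Z"}
    return mark(obj, level) if level else obj


# Constructed sample data, one object per level plus one unmarked feed entry.
SAMPLE = [
    indicator("victim C2 domain, live incident", "[domain-name:value = 'c2.example.invalid']", "TLP:RED"),
    indicator("internal host compromise", "[ipv4-addr:value = '10.0.0.23']", "TLP:AMBER+STRICT"),
    indicator("ISAC member alert", "[file:hashes.MD5 = 'd41d8cd98f00b204e9800998ecf8427e']", "TLP:AMBER"),
    indicator("sector phishing sender", "[email-addr:value = 'billing@example.invalid']", "TLP:GREEN"),
    indicator("public blog IOC", "[url:value = 'http://example.invalid/payload']", "TLP:CLEAR"),
    indicator("unmarked feed entry", "[domain-name:value = 'unmarked.example.invalid']"),
]

if __name__ == "__main__":
    # Everything a community member may receive: only the GREEN and CLEAR objects survive.
    print(json.dumps(release_bundle(SAMPLE, "community"), indent=2))
```

Running the block prints the bundle a community-level recipient would get: the TLP:GREEN and TLP:CLEAR indicators with their two marking definitions, and nothing else. The unmarked entry is dropped rather than treated as TLP:CLEAR, and the only way a TLP:RED object passes a wider audience is the explicit originator_approved flag, which mirrors rule 4 above.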

Key Connections

Cyber Threat Intelligence — TLP expected in professional CTI sharing
OSINT Legal Framework — TLP governs voluntary sharing; the legal framework governs mandatory sharing obligations
Intelligence Confidence Levels — apply both confidence levels and TLP to all shared products
Dark Web Methodology — TLP:AMBER/RED for dark web-derived intelligence