
What Is the Traffic Light Protocol (TLP)? The 5 TLP Labels Explained

The Traffic Light Protocol is a simple set of labels that tells you exactly how far a piece of threat intelligence can be shared. Here's what TLP:RED, AMBER+STRICT, AMBER, GREEN and CLEAR mean in TLP 2.0.

Reviewed & fact-checked against primary sources by the TI News Feed Editorial Team.

The Traffic Light Protocol (TLP) is a simple, widely adopted system of labels that tells the recipient of sensitive information exactly how widely they're allowed to share it. Created to make information sharing easier and safer, TLP uses familiar traffic-light colors so that anyone — from a SOC analyst to a CISO — instantly understands the sharing boundaries attached to a threat report, advisory, or indicator.

In short: TLP answers one question that's critical to threat intelligence sharing — "who am I allowed to pass this to?" Get it wrong and you either burn a trusted source or leave partners exposed.

Why TLP exists

Effective cyber defense depends on sharing. When one organization spots a new attack, sharing the indicators and details quickly helps everyone else defend. But sharing carries risk: some information is sensitive — it might reveal an ongoing investigation, expose a victim, or tip off the attacker if it leaks. Without a common standard, people either over-share (causing harm) or under-share (defeating the purpose). TLP solves this by attaching a clear, universally understood handling label to information at the moment it's shared, removing ambiguity and building the trust that makes sharing communities — like ISACs — work.

The five TLP 2.0 labels

The protocol is maintained by FIRST (the Forum of Incident Response and Security Teams). The current version, TLP 2.0, defines five labels. They run from most restrictive to least restrictive:

TLP:RED — Not for disclosure, restricted to participants only

The most sensitive. Information may not be shared with anyone beyond the specific individuals present in the meeting or exchange where it was disclosed. No forwarding to your wider team, not even within your own organization. Used when wider distribution could cause serious harm — for example, details of an active, sensitive incident.

TLP:AMBER+STRICT — Limited disclosure, restricted to the organization

Introduced in TLP 2.0. Recipients may share the information within their own organization on a need-to-know basis, but not with clients or external parties. The "+STRICT" addition exists specifically to say "organization only — do not pass to your customers."

TLP:AMBER — Limited disclosure, organization and clients

Recipients may share within their own organization and with their clients or customers who need it to protect themselves, on a need-to-know basis. Sharing beyond that is not permitted.

TLP:GREEN — Limited disclosure, community-wide

Information may be shared with peers and partner organizations within the recipient's broader community or sector, but not via publicly accessible channels. Think "share with the trusted community, but don't post it on the open internet."

TLP:CLEAR — Disclosure is not limited

Information may be shared freely, with no restrictions, subject to standard copyright rules. (In the original TLP this label was called TLP:WHITE; TLP 2.0 renamed it to CLEAR.) Use this for advisories meant for the widest possible audience.

What changed in TLP 2.0

If you've seen older TLP references, two changes matter:

  • TLP:WHITE was renamed TLP:CLEAR to avoid ambiguity and for inclusivity.
  • TLP:AMBER+STRICT was added to distinguish "share within your organization only" from the original AMBER's "organization and clients."

Using the current labels matters because mixing versions causes exactly the confusion TLP is meant to prevent.

How to use TLP correctly

  • Label clearly. Place the TLP label in a prominent, unambiguous position — in the subject line and at the top of the document or message, written as "TLP:AMBER" with no space.
  • Respect the most restrictive label. If a document mixes information, the strictest applicable label governs handling.
  • When in doubt, ask the source. If you're unsure whether you can share something, check with whoever marked it before forwarding.
  • TLP is not a legal control. It's a trust-based convention, not encryption or access control. It works because communities honor it — and someone who violates it loses access to future sharing.
  • Apply it to your own outputs. When you produce a threat intelligence report, label it so recipients know how to handle it.
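
The rule that the strictest label governs a mixed document, combined with the sharing boundary of each label, can be expressed as a small lookup. This is an added example, not code from FIRST or from this guide; the audience names and their nesting from narrowest to widest are assumptions of the example, and need-to-know is not modeled.

```python
import re
from enum import IntEnum

class TLP(IntEnum):
    """TLP 2.0 labels, ordered least to most restrictive."""
    CLEAR = 0
    GREEN = 1
    AMBER = 2
    AMBER_STRICT = 3
    RED = 4

# Assumption of this example: audiences nest from narrowest to widest.
AUDIENCES = ["participants", "organization", "clients", "community", "public"]
WIDEST = {TLP.RED: "participants", TLP.AMBER_STRICT: "organization",
          TLP.AMBER: "clients", TLP.GREEN: "community", TLP.CLEAR: "public"}

# Exact written form only: uppercase, no space after the colon.
_MARKING = re.compile(r"TLP:(RED|AMBER\+STRICT|AMBER|GREEN|CLEAR|WHITE)")

def parse_label(text):
    """Parse one marking; the pre-2.0 name WHITE is read as CLEAR."""
    m = _MARKING.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a valid TLP marking: {text!r}")
    name = "CLEAR" if m.group(1) == "WHITE" else m.group(1)
    return TLP[name.replace("+", "_")]

def label_text(label):
    """Render a label in its current TLP 2.0 spelling."""
    return "TLP:" + label.name.replace("_", "+")

def governing_label(markings):
    """Strictest label among the sections of a mixed document."""
    return max(parse_label(m) for m in markings)

def may_share(label, audience):
    """True if the audience is no wider than the label's boundary."""
    return AUDIENCES.index(audience) <= AUDIENCES.index(WIDEST[label])

if __name__ == "__main__":
    sections = ["TLP:GREEN", "TLP:AMBER+STRICT", "TLP:WHITE"]  # constructed sample
    doc = governing_label(sections)
    print(label_text(doc), {a: may_share(doc, a) for a in AUDIENCES})
```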

TLP in the threat intelligence ecosystem

TLP rarely travels alone. It underpins trusted sharing in ISACs and other communities, and it complements the technical standards for exchanging intelligence. Where STIX and TAXII define how to structure and transport indicators, TLP defines how far they may travel. Threat intelligence platforms like MISP build TLP directly into their data models so handling rules follow the data automatically. You'll also encounter the related Permissible Actions Protocol (PAP), which complements TLP by describing what defensive actions a recipient may take on an indicator without risking tipping off the adversary — for example, whether you may actively block or only passively monitor it. Where TLP governs who you can share with, PAP governs what you can do with the information. Together, these standards turn ad-hoc sharing into a disciplined, scalable practice.

Common TLP mistakes to avoid

TLP is simple, but it's misused often enough that the pitfalls are worth calling out:

  • Mixing old and new labels. Using "TLP:WHITE" in a TLP 2.0 context, or treating AMBER and AMBER+STRICT as interchangeable, creates exactly the confusion TLP exists to prevent. Standardize on the current version.
  • Hiding the label. A TLP marking buried in the footer or omitted from a forwarded email is easily missed. Put it in the subject line and at the top of the content.
  • Over-restricting by default. Marking everything TLP:RED "to be safe" defeats the purpose of sharing — information that can't be acted on protects no one. Match the label to the actual sensitivity.
  • Re-labeling someone else's information. You don't get to loosen a marking a source applied; if you need to share more widely, ask the originator.
  • Forgetting it's voluntary. TLP relies on trust, so honoring markings scrupulously is what keeps you inside the sharing community.
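
A pre-send check for the marking mistakes listed above (missing or buried label, pre-2.0 name, wrong written form, subject and body disagreeing). It is an added illustration, not taken from any tool; the function names and finding messages are this example's own, and the sample message is constructed.

```python
import re

CURRENT = {"RED", "AMBER+STRICT", "AMBER", "GREEN", "CLEAR"}
# Loose on purpose: also matches lowercase and "TLP: AMBER" so they can be reported.
_LOOSE = re.compile(r"\bTLP\s*:\s*([A-Za-z]+(?:\+[A-Za-z]+)?)", re.IGNORECASE)

def find_marking(text):
    """Return (raw_text, upper_case_name) for the first TLP-like marking, or None."""
    m = _LOOSE.search(text)
    return (m.group(0), m.group(1).upper()) if m else None

def lint_message(subject, body):
    """List the labeling problems found in an outgoing message."""
    findings = []
    first_line = next((ln for ln in body.splitlines() if ln.strip()), "")
    subj, top = find_marking(subject), find_marking(first_line)
    if subj is None:
        findings.append("no TLP marking in subject line")
    if top is None:
        findings.append("no TLP marking at top of body")
        if find_marking(body):
            findings.append("marking is buried below the first line")
    for where, hit in (("subject", subj), ("body", top)):
        if hit is None:
            continue
        raw, name = hit
        if name == "WHITE":
            findings.append(f"{where}: TLP:WHITE is the pre-2.0 name; use TLP:CLEAR")
        elif name not in CURRENT:
            findings.append(f"{where}: unknown label {raw!r}")
        elif raw != f"TLP:{name}":
            findings.append(f"{where}: write {raw!r} as 'TLP:{name}'")
    if subj and top and subj[1] != top[1]:
        findings.append("subject and body carry different labels")
    return findings

if __name__ == "__main__":
    # Constructed sample: label only in a footer, nothing in the subject.
    for finding in lint_message("Phishing infrastructure",
                                "Hello,\n\nIndicators attached.\n\nTLP:GREEN"):
        print(finding)
```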

The bottom line

The Traffic Light Protocol is a deceptively simple but essential tool: five labels — RED, AMBER+STRICT, AMBER, GREEN, and CLEAR — that remove all ambiguity about how far a piece of sensitive information may be shared. It's the social contract that makes threat intelligence sharing possible, working on trust rather than technical enforcement. Master the labels, apply the strictest one when content is mixed, and always honor what a source has marked. To see threat intelligence flowing from the many sources that rely on these sharing norms, explore our live threat intelligence feed, aggregated continuously from dozens of authoritative publishers.

Frequently asked questions

What is the Traffic Light Protocol (TLP)?

The Traffic Light Protocol is a standardized set of labels that tells the recipient of sensitive information how widely they may share it. It uses traffic-light colors so everyone instantly understands the sharing boundaries on a threat report, advisory, or indicator.

What are the TLP 2.0 colors and what do they mean?

TLP 2.0 has five labels: TLP:RED (named recipients only), TLP:AMBER+STRICT (your organization only), TLP:AMBER (organization and clients), TLP:GREEN (your community, not public), and TLP:CLEAR (no sharing restrictions).

What changed between TLP and TLP 2.0?

TLP 2.0 renamed TLP:WHITE to TLP:CLEAR and added a new label, TLP:AMBER+STRICT, to distinguish 'share within your organization only' from the original AMBER's 'organization and clients.'

What is the difference between TLP:AMBER and TLP:AMBER+STRICT?

TLP:AMBER lets you share within your own organization and with your clients on a need-to-know basis. TLP:AMBER+STRICT restricts sharing to your own organization only — you may not pass it to clients or external parties.

Is TLP legally binding?

No. TLP is a trust-based convention, not a technical or legal control like encryption or access management. It works because sharing communities honor it; violating a TLP marking typically results in losing access to future information sharing.

Primary sources & further reading

This guide is reviewed and fact-checked against authoritative primary sources: