Permissible Actions Protocol
PAP is a companion scheme to TLP that tells recipients what they may do with threat intelligence, such as whether they can actively probe attacker infrastructure or only use it passively. It uses similar color codes to keep handling rules simple and consistent. It matters because acting carelessly on shared intel, like scanning an attacker's server, can tip off the adversary and burn an investigation.