TLCTC is the Rosetta Stone for Cyber Risk.
10 logically‑derived, non‑overlapping cyber threat clusters that connect strategic cyber risk & -security management, operational security, and secure development into one common language.
TLCTC is a free & open framework. No paywalls, no certifications to buy, no consulting funnel. Built to be used, challenged, and evolved by the community.
Licensed under CC BY 4.0 · Attribution required, commercial use permitted.
Short Video Explainer to connect easier
Bridging Strategy, Operations & Development
Three domains speak different dialects. TLCTC is the shared reference that closes the gaps between them.
From Cause to Consequence
Six moves from a threat’s root cause to the metric your board understands.
The Dual-Layer Bow-Tie: One Event, Two Altitudes
The strategic layer speaks clusters and risk appetite. The operational layer speaks TTPs and data risk events. Same pivot, two readings — one consistent bridge.
The Bow-Tie: One Pivot, Two Sides
Threats act on the left. Consequences unfold on the right. The System Risk Event — Loss of Control — is the pivot between them.
Threats Are Sequences, Not Labels
Every attack is a chain of atomic causes — #9→#4→#1 — one cluster per step, read across three layers: System, Data and Business Risk Events.
10 Causes × 6 Functions = 60 Control Objectives
Cross the ten clusters with the six NIST CSF functions and control coverage becomes falsifiable: every gap is a named, empty cell.
One Number the Board Understands
How do you tell the Board if you are secure? “We stopped 100 viruses” is a vanity metric. The Detection Coverage Score (DCS) is a strategic KPI derived from Attack Velocity.
Mean Time to Detect ÷ Attack Velocity
You are faster than the adversary.
Winning
The adversary completes the step before you detect it.
Losing
If a Ransomware group moves from #4 Identity Theft to #1 Abuse of Functions (Admin Rights) in 10 minutes, and your SIEM alerts in 15 minutes:
You are systematically blind to this attack. No amount of “hard work” by analysts will fix this — you need automation.
Watch the Model Run on a Real Incident
A 17-step Active Directory ransomware cascade, replayed step by step: the tracer keeps returning to #1 Abuse of Functions, and every Data Risk Event stacks in the ledger.
One Framework, Four Audiences
Each domain speaks TLCTC in its own dialect. Pick a bubble above — or a section below — to see the integrations, tools and reading tailored to your role.
Regulators & Standards
Harmonize reporting obligations and fix the “cyber in the name” taxonomy gap.
Strategic Leadership
Enable board-level communication and link operational reality to strategic risk.
Opsec
Map attacker techniques to root-cause clusters. Unify incident classification with a common threat language.
Development & Engineering
Prioritize weaknesses and design threats by root cause. Build security into every phase of development.
The Full Archive, Through Your Lens
Every post, tagged by target audience. Pick your lens — or search the lot.