Universal, Non‑overlapping Cyber Threat Language

The Universal Cyber Threat Framework Bridging Strategy, Operations & Development

TLCTC is the Rosetta Stone for Cyber Risk.

10 logically‑derived, non‑overlapping cyber threat clusters that connect strategic cyber risk & -security management, operational security, and secure development into one common language.

Go To White Paper V2.1 TLCTC Monster Prompts
TLCTC Executive Summary Why Exactly Ten?

TLCTC is a free & open framework. No paywalls, no certifications to buy, no consulting funnel. Built to be used, challenged, and evolved by the community.

Licensed under CC BY 4.0 · Attribution required, commercial use permitted.

the TLCTC definitions #1 ABUSE OF FUNCTIONS #2 SERVER EXPLOITS #3 CLIENT EXPLOITS #4 IDENTITY THEFT #5 MITM ATTACK #6 FLOODING ATTACK #7 MALWARE EXECUTION #8 PHYSICAL ATTACK #9 SOCIAL ENGINEERING #10 SUPPLY CHAIN
Framework Position

Escaping Semantic Chaos

Why we need a universal language

Beyond MITRE NIST CVE

The Way Out Into Understanding

STRATEGIC CISO & Risk Mgmt ISO 27001/5 NIST CSF/SP 800-30 FAIR OPERATIONAL SOC & Threat Intel MITRE ATT&CK • SOC CKC • STIX • CVE DEVELOPMENT DevSecOps & SDLC OWASP • CVE • CWE PASTA • OCTAVE Rosetta Stone TLCTC 10 CLUSTERS Translation Gap Intelligence Gap Design Gap

The Bow-Tie Model

Cause → Incident → Consequence

The Power of Causality
A risk event is a deviation from a strategic goal. IT Goal: "Operate securely" Risk Event: "Compromise of System" GOVERN — Risk Appetite, Responsibilities, Metrics (Cross-cutting) CAUSE SIDE Threat Clusters RISK EVENT / INCIDENT Asset Compromise CONSEQUENCES CONTROL PROTECT IDENTIFY (indirectly) CONTROL DETECT CONTROL RESPOND CONTROL RECOVER Preventive controls affect the likelihood of an event occurring Detective and reactive controls influence the consequences "A control failure is a control risk — it is a deviation from the control objective"

The TLCTC Cyber Bow-Tie Event Chain

Full causal chain: 10 Threat Clusters → Risk Events → Business Impact

Explore Causality
Cyber Threat Clusters IT Risk Events Business Risk Events PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT Prevent from lateral movement (#1-#10) REACT REACT REACT (Online Fraud/Scam/Extortion) #1 Abuse of Functions #2 Exploiting Server #3 Exploiting Client #4 Identity Theft #5 Man in the Middle #6 Flooding Attack #7 Malware #8 Physical Attack #9 Social Engineering #10 Supply Chain Attack System Risk Event "Loss of Control" or "compromised it system" Asset: IT-System System Risk Event "Loss of Control" Data Risk Event Loss of Confidentiality Data Risk Event Loss of Integrity Data Risk Event Loss of Accuracy Data Risk Event Loss of Availability Error in Use Error in Use Abuse of Rights Abuse of Rights Error in Use Abuse of Rights Other System Risk Events (non-cyber): System Risk Event "Software Failure" System Risk Event "Hardware Failure" Business Risk Events: Consequences = e.g. Databreach PID Business Risk Events: Consequences = e.g. Money Out Business Risk Events: Consequences = e.g. payment interruption Consequence 1 Consequence 2 Consequence 3 Consequence 1 Consequence 2 Consequence 3 Consequence 1 Consequence 2 Consequence 3

Control Matrix — 60 Control Objectives

10 Threat Clusters × 6 NIST CSF Functions · each cell holds Local + Umbrella controls (Whitepaper §8.1, §9)

NIST CSF Integration
NIST CSF FUNCTIONS operational lifecycle (Identify → Recover) GOVERN IDENTIFY PROTECT DETECT RESPOND RECOVER GV ID PR DE RS RC #1 Abuse of Functions #2 Exploiting Server #3 Exploiting Client #4 Identity Theft #5 Man in the Middle #6 Flooding Attack #7 Malware #8 Physical Attack #9 Social Engineering #10 Supply Chain Attack CELL = 1 CONTROL OBJECTIVE = NIST verb + TLCTC noun e.g., DETECT · #7 Malware Local Control asset / system specific Umbrella Control enterprise-wide / shared GOV-Umbrella cross-cutting · ERM integration TOTAL 10 × 6 = 60 Objectives Only the GOV-Umbrella controls are cross-cutting — they form the integration layer to Enterprise Risk Management (policies, ERM forums, risk appetite, assurance). All other Local & Umbrella controls remain cluster-specific (Whitepaper §8.1.3, §9).

Attack Paths — Three-Layer Model

Horizontal cause-side TLCTC sequence (SRE) · vertical escalation to DRE · further escalation to BRE

Open Architect
BRE Business Risk Event organizational consequence DRE Data Risk Event C / I / A on data assets SRE System Risk Event cause-side TLCTC sequence BRE Fraudulent transfer financial loss no BRE DRE present, but no organizational consequence no BRE no DRE means no escalation path DRE: C Credentials exposed phished by user no DRE credential USE only (R-CRED rule) DRE: I Wire transfer altered payment integrity Δt: 5m Δt: 2h #9 SOCIAL ENGINEERING BRIDGE #4 IDENTITY THEFT INTERNAL #1 ABUSE OF FUNCTIONS INTERNAL phishing email delivers credential form attacker logs in as the user approves wire transfer via legitimate function ||boundary|| eBanking example: phishing → identity theft → function abuse. Each step escalates only as far as it can — no DRE means no BRE.

The “Detection Coverage Score”: A New Metric for the Board

Strategic KPI derived from Attack Velocity (Δt)

Read more about velocity

How do you tell the Board if you are secure? “We stopped 100 viruses” is a vanity metric. The Detection Coverage Score (DCS) is a strategic KPI derived from Attack Velocity.

Formula
DCS = (Mean Time to Detect) ÷ (Attack Velocity Δt)
Score < 1.0

You are faster than the adversary.

Winning

Score > 1.0

The adversary completes the step before you detect it.

Losing

Example

If a Ransomware group moves from #4 Identity Theft to #1 Abuse of Functions (Admin Rights) in 10 minutes, and your SIEM alerts in 15 minutes:

DCS = 15 ÷ 10 = 1.5

You are systematically blind to this attack. No amount of “hard work” by analysts will fix this — you need automation.

Enlarge Logic Map
Core Theory Scientific Foundations

The Logical Foundations of TLCTC

Why TLCTC is not a new logical model — but a domain-specific application of established scientific principles to a field that has stubbornly resisted formalization.

Explore the Logic

Regulators & Standards

Compliance & Industry

Harmonize reporting obligations and fix the “cyber in the name” taxonomy gap.

Key Integrations
Standards and Regulations Gap Analysis Critics: The Audit Trap
Logical Trap: Control-First Regulation - Must Read!
The Control Fixation Reflex
TLCTC Actor Profiler Regulators Monster Prompt

Strategic Leadership

CISO & Risk Mgmt

Enable board-level communication and link operational reality to strategic risk.

Key Integrations
The CISO as Strategic Partner The Two-Layer Cyber Risk Management NIST CSF 2.0 FAIR Integration
The Power of Causality - Must Read!
Control Matrix Tool CISO Monster Prompt

Opsec

SOC & Threat Intelligence

Map attacker techniques to root-cause clusters. Unify incident classification with a common threat language.

Key Integrations
MITRE ATT&CK Mapping Threat Report Chaos The Kill Chain Fallacy MITRE CVE & NIST NVD Enrichment
Attack Path Architect Tool ATT&CK Mapper TLCTC Radar App SOC Monster Prompt CTI Monster Prompt

Development & Engineering

DevSecOps & Secure SDLC

Prioritize weaknesses and design threats by root cause. Build security into every phase of development.

Key Integrations
MITRE CWE Strategic Mapping SSDLC Hub — Make Design Reviews Bite SSDLC Phase-by-Phase Reference Beyond STRIDE: Upgrading TMT Critique: The CWE Reboot
Threat Modeling Tool CWE Mapper DevSecOps Monster Prompt
Latest

Insights from the TLCTC Blog & Tools

RSS
Loading insights...