Universal, Non‑overlapping Cyber Threat Language

TLCTC is the Rosetta Stone for Cyber Risk.

10 logically‑derived, non‑overlapping cyber threat clusters that connect strategic cyber risk & -security management, operational security, and secure development into one common language.

Free & Open

TLCTC is a free & open framework. No paywalls, no certifications to buy, no consulting funnel. Built to be used, challenged, and evolved by the community.

Licensed under CC BY 4.0 · Attribution required, commercial use permitted.

Short Video Explainer to connect easier

Escaping Semantic Chaos

Why we need a universal language

The Missing Hub

How TLCTC connects the disparate pieces of the cybersecurity landscape

NIST CSF 2.0 × TLCTC

Where the ten clusters plug into the CSF core functions

Framework Position

Bridging Strategy, Operations & Development

Three domains speak different dialects. TLCTC is the shared reference that closes the gaps between them.

STRATEGIC CISO & Risk Mgmt ISO 27001/5 NIST CSF/SP 800-30 FAIR OPERATIONAL SOC & Threat Intel MITRE ATT&CK • SOC CKC • STIX • CVE DEVELOPMENT DevSecOps & SDLC OWASP • CVE • CWE PASTA • OCTAVE ROSETTA STONE TLCTC 10 CLUSTERS TRANSLATION GAP DESIGN GAP INTELLIGENCE GAP
The Model

From Cause to Consequence

Six moves from a threat’s root cause to the metric your board understands.

Concept 01 / 06

The Dual-Layer Bow-Tie: One Event, Two Altitudes

The strategic layer speaks clusters and risk appetite. The operational layer speaks TTPs and data risk events. Same pivot, two readings — one consistent bridge.

CAUSE EVENT CONSEQUENCES STRATEGIC OPERATIONAL Threat Clusters Generic vulnerabilities of asset types #1 – #10 · STABLE Threats / TTPs Specific vulnerabilities of specific assets CVE · ATT&CK · VOLATILE Appetite & Tolerance Business Impact Analysis (BIA) BOARD METRICS Consequences Data Risk Events (C · I · Av · Ac) DRE → BUSINESS RISK EVENT RISK EVENT System Compromise LOSS OF CONTROL One bow-tie, two altitudes: the strategic layer sets appetite per cluster, the operational layer works attack paths — both meet at the same risk event.

Read: From Threat to Business Impact — Operationalizing the Two-Layer Framework

Concept 02 / 06

The Bow-Tie: One Pivot, Two Sides

Threats act on the left. Consequences unfold on the right. The System Risk Event — Loss of Control — is the pivot between them.

A risk event is a deviation from a strategic goal. IT Goal: "Operate securely" Risk Event: "Compromise of System" GOVERN — Risk Appetite, Responsibilities, Metrics (Cross-cutting) CAUSE SIDE Threat Clusters RISK EVENT / INCIDENT Asset Compromise Generic Vulnerability CONSEQUENCES CONTROL PROTECT IDENTIFY (indirectly) CONTROL DETECT CONTROL RESPOND CONTROL RECOVER Preventive controls affect the likelihood of an event occurring Detective and reactive controls influence the consequences "A control failure is a control risk — it is a deviation from the control objective"

Zoom in, and the same shape holds the whole incident.

Cyber Threat Clusters IT Risk Events Business Risk Events PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT PREVENT Prevent from lateral movement (#1-#10) REACT REACT REACT (Online Fraud/Scam/Extortion) #1 Abuse of Functions #2 Exploiting Server #3 Exploiting Client #4 Identity Theft #5 Man in the Middle #6 Flooding Attack #7 Malware #8 Physical Attack #9 Social Engineering #10 Supply Chain Attack System Risk Event "Loss of Control" or "compromised it system" Asset: IT-System System Risk Event "Loss of Control" Data Risk Event Loss of Confidentiality Data Risk Event Loss of Integrity Data Risk Event Loss of Accuracy Data Risk Event Loss of Availability Error in Use Error in Use Abuse of Rights Abuse of Rights Error in Use Abuse of Rights Other System Risk Events (non-cyber): System Risk Event "Software Failure" System Risk Event "Hardware Failure" Business Risk Events: Consequences = e.g. Databreach PID Business Risk Events: Consequences = e.g. Money Out Business Risk Events: Consequences = e.g. payment interruption Consequence 1 Consequence 2 Consequence 3 Consequence 1 Consequence 2 Consequence 3 Consequence 1 Consequence 2 Consequence 3
Concept 03 / 06

Threats Are Sequences, Not Labels

Every attack is a chain of atomic causes — #9→#4→#1 — one cluster per step, read across three layers: System, Data and Business Risk Events.

BRE Business Risk Event organizational consequence DRE Data Risk Event C / I / A on data assets SRE System Risk Event cause-side TLCTC sequence BRE Fraudulent transfer financial loss no BRE DRE present, but no organizational consequence no BRE no DRE means no escalation path DRE: C Credentials exposed phished by user no DRE credential USE only (R-CRED rule) DRE: I Wire transfer altered payment integrity Δt: 5m Δt: 2h #9 SOCIAL ENGINEERING BRIDGE #4 IDENTITY THEFT INTERNAL #1 ABUSE OF FUNCTIONS INTERNAL phishing email delivers credential form attacker logs in as the user approves wire transfer via legitimate function ||boundary|| eBanking example: phishing → identity theft → function abuse. Each step escalates only as far as it can — no DRE means no BRE.
Concept 04 / 06

10 Causes × 6 Functions = 60 Control Objectives

Cross the ten clusters with the six NIST CSF functions and control coverage becomes falsifiable: every gap is a named, empty cell.

NIST CSF FUNCTIONS operational lifecycle (Identify → Recover) GOVERN IDENTIFY PROTECT DETECT RESPOND RECOVER GV ID PR DE RS RC #1 Abuse of Functions #2 Exploiting Server #3 Exploiting Client #4 Identity Theft #5 Man in the Middle #6 Flooding Attack #7 Malware #8 Physical Attack #9 Social Engineering #10 Supply Chain Attack CELL = 1 CONTROL OBJECTIVE = NIST verb + TLCTC noun e.g., DETECT · #7 Malware Local Control asset / system specific Umbrella Control enterprise-wide / shared GOV-Umbrella cross-cutting · ERM integration TOTAL 10 × 6 = 60 Objectives Only the GOV-Umbrella controls are cross-cutting — they form the integration layer to Enterprise Risk Management (policies, ERM forums, risk appetite, assurance). All other Local & Umbrella controls remain cluster-specific (Whitepaper §8.1.3, §9).
Concept 05 / 06

One Number the Board Understands

How do you tell the Board if you are secure? “We stopped 100 viruses” is a vanity metric. The Detection Coverage Score (DCS) is a strategic KPI derived from Attack Velocity.

The Formula
DCS = MTTD ÷ Δt

Mean Time to Detect ÷ Attack Velocity

Score < 1.0

You are faster than the adversary.

Winning

Score > 1.0

The adversary completes the step before you detect it.

Losing

Example

If a Ransomware group moves from #4 Identity Theft to #1 Abuse of Functions (Admin Rights) in 10 minutes, and your SIEM alerts in 15 minutes:

DCS = 15 ÷ 10 = 1.5

You are systematically blind to this attack. No amount of “hard work” by analysts will fix this — you need automation.

Concept 06 / 06

Watch the Model Run on a Real Incident

A 17-step Active Directory ransomware cascade, replayed step by step: the tracer keeps returning to #1 Abuse of Functions, and every Data Risk Event stacks in the ledger.

AD-DOMAIN-ADMIN-CASCADE-2025
composite reference path · Lynx · Storm-2603 · Storm-0300 (2025)
DRE Ledger
    The cascade is structurally #1 Abuse of Functions — the tracer keeps returning to #1 — with #4 for credential application and #7 only where foreign executable content executes. Each step’s Data Risk Event pops at the node and stacks in the ledger; “ransomware” is the outcome at s13 (#7 + [DRE: Ac]), never a cluster of its own.
    Read the full #1-Cascade forensic analysis
    For Every Audience

    One Framework, Four Audiences

    Each domain speaks TLCTC in its own dialect. Pick a bubble above — or a section below — to see the integrations, tools and reading tailored to your role.

    Audience 01 · Compliance & Industry

    Regulators & Standards

    Harmonize reporting obligations and fix the “cyber in the name” taxonomy gap.

    Audience 02 · CISO & Risk Mgmt

    Strategic Leadership

    Enable board-level communication and link operational reality to strategic risk.

    Audience 03 · SOC & Threat Intelligence

    Opsec

    Map attacker techniques to root-cause clusters. Unify incident classification with a common threat language.

    Audience 04 · DevSecOps & Secure SDLC

    Development & Engineering

    Prioritize weaknesses and design threats by root cause. Build security into every phase of development.

    From the Blog

    The Full Archive, Through Your Lens

    Every post, tagged by target audience. Pick your lens — or search the lot.

    RSS