The Origin: The "Alien" in the Room
"My journey didn't begin with a framework; it began with a sense of profound alienation."
As a security professional, I would sit in meetings with experts, stakeholders, and vendors, and realize we were speaking entirely different languages. One person called "Ransomware" a threat; another called "Data Loss" a threat; a third listed "Missing Patches" as a threat.
I felt like an alien. How could we manage risk if we couldn't even agree on what a "threat" was? The industry was drowning in a semantic blur, conflating causes, effects, and control failures. This frustration became my motivation. I realized that to solve the "Identify" problem in operational risk, I had to stop listening to the noise and go back to first principles.
The Foundation: Axioms and the Thought Experiment
I retreated to the drawing board to invest my time in a logic-based solution. I established non-negotiable Axioms—fundamental truths such as "Threats are on the cause side of the Bow-Tie" and "Every generic vulnerability corresponds to exactly one threat cluster".
Through a rigorous Thought Experiment, I derived the 10 Top Level Cyber Threat Clusters (TLCTC). These weren't arbitrary categories; they were the mathematical result of mapping the generic vulnerabilities inherent in all IT systems.
What Causality Unlocks
A strictly cause- and vulnerability-based taxonomy isn't just a tidier list. It is the prerequisite for two capabilities the industry has otherwise been unable to express — because outcome-based or process-based frameworks simply cannot carry them.
Attack Path Notation, Velocity & Boundaries
A formal grammar for incidents: #9 →[Δt=24h] #7 →[Δt=5m] #4. Sequential and parallel steps, velocity classes (Δt), domain boundaries ||[ctx][@A→@B]||, transit operators, intra-system crossings, and Data Risk Events — all derivable only because each step names a single generic vulnerability.
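As an added illustration, not code from the page or from the TLCTC project, the following Python reads the sequential form of the notation shown above (`#9 →[Δt=24h] #7 →[Δt=5m] #4`) into a list of steps and sums the elapsed time between them. It covers only the linear `#N →[Δt=…] #M` chain; parallel steps and the `||[ctx][@A→@B]||` boundary operators are out of scope. The cluster labels for #7 and #9 come from this page; the velocity-class thresholds are an assumption chosen for the example, not TLCTC definitions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Only #7 and #9 are named on this page; every other cluster is reported by number.
CLUSTER_NAMES = {7: "Malware", 9: "Social Engineering"}

# Δt units accepted by the parser (seconds, minutes, hours, days).
_UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400}

_STEP_RE = re.compile(r"#(\d+)")                # a single cluster step, e.g. "#9"
_EDGE_RE = re.compile(r"→\[Δt=(\d+)([smhd])\]")  # a transition, e.g. "→[Δt=24h]"


@dataclass
class Step:
    cluster: int
    delta_seconds: Optional[int]  # time since the previous step; None for the first step


def parse_attack_path(path: str) -> List[Step]:
    """Parse a whitespace-separated sequential attack path into Step objects.

    Raises ValueError on anything that is not a strict alternation of
    cluster steps and Δt transitions, so a truncated or malformed path
    cannot be silently accepted.
    """
    tokens = path.split()
    if not tokens:
        raise ValueError("empty attack path")

    steps: List[Step] = []
    pending_delta: Optional[int] = None
    expect_step = True
    for tok in tokens:
        if expect_step:
            m = _STEP_RE.fullmatch(tok)
            if not m:
                raise ValueError(f"expected a cluster step, got {tok!r}")
            cluster = int(m.group(1))
            if not 1 <= cluster <= 10:
                raise ValueError(f"cluster #{cluster} is outside the 10 TLCTC clusters")
            steps.append(Step(cluster, pending_delta))
            expect_step = False
        else:
            m = _EDGE_RE.fullmatch(tok)
            if not m:
                raise ValueError(f"expected a →[Δt=...] transition, got {tok!r}")
            pending_delta = int(m.group(1)) * _UNIT_SECONDS[m.group(2)]
            expect_step = True

    if expect_step:
        raise ValueError("attack path ends with a dangling transition")
    return steps


def total_elapsed(steps: List[Step]) -> int:
    """Seconds from the initial compromise to the last step."""
    return sum(s.delta_seconds for s in steps if s.delta_seconds is not None)


def velocity_class(delta_seconds: int) -> str:
    """Assumed thresholds for the example: fast under 1h, medium under 1d, else slow."""
    if delta_seconds < 3600:
        return "fast"
    if delta_seconds < 86400:
        return "medium"
    return "slow"


def describe(steps: List[Step]) -> List[str]:
    """Human-readable lines, one per step, for an incident write-up."""
    lines = []
    for s in steps:
        label = CLUSTER_NAMES.get(s.cluster, f"#{s.cluster}")
        if s.delta_seconds is None:
            lines.append(f"initial compromise: {label}")
        else:
            lines.append(f"after {s.delta_seconds}s ({velocity_class(s.delta_seconds)}): {label}")
    return lines


if __name__ == "__main__":
    for line in describe(parse_attack_path("#9 →[Δt=24h] #7 →[Δt=5m] #4")):
        print(line)
```

Because the parser refuses a path that ends on a transition or mixes in an unknown token, it doubles as a validation step for incident records written in this notation before they are aggregated into attack-velocity statistics.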
10 × (6 × 2) Control Matrix & Boardroom Bridge
Ten threat clusters (the nouns) crossed with six NIST CSF functions and two scopes (the verbs) yield one shared grid the SOC, the CISO, and the Board can all read. The same nouns drive Threat & Capability Radars, Risk Appetite statements, and KRIs — turning "cyber risk" into something a board can actually appetite, budget, and govern.
The Hurdle: "Control Catalogue Fixation"
I felt I had solved the logical problem. But when I brought this concept to my first peer reviews, I hit a wall. The reaction wasn't excitement; it was a collective "So what?"
I realized then that the industry is suffering from "Control Catalogue Fixation." Security professionals are conditioned to look for solutions (firewalls, EDR, policies) before they understand the problem—and this isn't entirely their fault. Regulators reinforce this mindset by demanding evidence of controls rather than evidence of threat understanding. Compliance frameworks ask "what controls do you have?" not "what threats are you facing?" The result is an industry so focused on how to stop bad things that it has lost sight of what is actually attacking them.
Logic alone wasn't enough. I had to prove that correct identification changes the outcome.
Bridging the Gap: Applying Reality to Defense
I expanded the framework to demonstrate that accurate threat identification isn't just academic—it is the only way to align the three critical pillars of an organization:
- Strategic Alignment: Moving leadership away from vague "cyber fear" to defined Risk Appetite and Key Risk Indicators (KRIs) based on specific clusters. → CISO as Strategic Partner
- Operational Defense: Empowering SOCs to stop chasing alerts and start tracking Attack Paths and Attack Velocity, distinguishing between the initial compromise (e.g., #9 Social Engineering) and the final payload (e.g., #7 Malware). → MITRE ATT&CK Bridge
- Secure Development (SDLC): Defining the distinct security responsibilities of the Programmer (Architecture/Strategy) versus the Coder (Implementation). → SSDLC Hub
The Receipts: From Logic to Inventory
The axioms, thought experiment, and core definitions came together over the Christmas holidays of 2022 — two weeks at the drawing board. "So What?" demanded proof, and the three and a half years since have been spent building the public-facing inventory below. Each artifact exists because logic alone wasn't enough — every one was written to settle a specific objection, bridge a specific framework, or show TLCTC working on a real incident.
Tools — Logic in Code
Apps that put TLCTC in the user's hands: drag-drop modeling, attack-path documentation, capability-based control planning.
Standards & Frameworks Bridged
Each link is a written reconciliation — what the standard does well, what it leaves in the threat-axis gap, and where TLCTC slots in.
Threat Reports Re-Read in Cause-Mode
Industry reports decomposed against the 10 clusters — to demonstrate that "ransomware up 40%" is an outcome statement, not a threat statement.
The Future: A Call for Harmonization
I have built the TLCTC framework as a "one-man show" to solve a problem that plagued me for years. The logic is sound, and the application is proven.
"But I cannot shift the landscape alone. To move beyond 'Control Catalogue Fixation,' we need global harmonization."
I invite major players—NIST, MITRE, and Standards Bodies—to adopt this causal-based taxonomy. It is time we stopped speaking different languages. It is time to anchor cyber defense in causal reality.
Clearing the Fog: Scope & Misconceptions
To truly adopt causal reality, we must first unlearn the misconceptions that have plagued our industry for decades. Here is how TLCTC resolves the "Semantic Blur."
Process is Not Taxonomy
Why the "Kill Chain" approach describes time, not threats, and why mixing them creates operational chaos.
"Cyber" in the Name
A critical look at why Standards (ISO/NIST and many others) are essential for governance but fail at granular threat identification.
EU Regulation vs. TLCTC
How to align Operational Risk with Compliance (NIS2/DORA) without letting compliance dictate your threat model.
The Decision Tree
A practical guide to scoping incidents: Is it a System Risk Event? Or just a Process Failure?
Due Diligence: Examining the Landscape
I did not create TLCTC in a vacuum. To ensure I wasn't reinventing the wheel, I spent months mapping the existing landscape of global standards, regulations, and frameworks. The goal was not to replace them, but to identify the specific Taxonomy Gap that TLCTC now fills.