Logo
TLCTC
Blog / Framework Architecture

The Two-Layer Framework: Bridging Cybersecurity Strategy and Operations

How TLCTC connects boardroom decisions with SOC implementation through a clear separation of strategic and operational concerns.

BK
Bernhard Kreinz
18 min read
Click to Enlarge
TLCTC Dual-Layer Bow-Tie Model A bow-tie diagram mapping Cyber Threat Clusters (Cause) to Business Consequences, split between Strategic and Operational layers. CAUSE EVENT CONSEQUENCES STRATEGIC OPERATIONAL Risk Event Cyber Incident (Loss of Control)
Threat Clusters
Generic vulnerabilities of
asset-types
Threats / TTPs
Specific vulnerability of
specific assets
Appetite & Tolerance
Business Impact Analysis
(BIA)
Consequences
Data Risk Events
(C-I-A Impact)->Business Risk Event
Figure 1: The TLCTC Dual-Layer Bow-Tie. The central Risk Event acts as the pivot point between Strategic Risk (Top) and Operational Security (Bottom).
"The best frameworks don't just organize information—they bridge the gap between those who decide and those who defend."

The Fundamental Problem

Ask a CISO what keeps them up at night, and you'll hear about board presentations, risk appetite, and resource allocation. Ask a SOC analyst what keeps them up at night, and you'll hear about detection rules, false positives, and attack techniques.

They're talking about the same threats, but in completely different languages.

The Disconnect in Action:
  • Board Meeting: "We need to address our supply chain risk exposure"
  • SOC Meeting: "We detected suspicious npm package behavior and need to update our YARA rules"

Same threat (#10 Supply Chain Attack), different universes.

This disconnect creates critical problems:

  • Strategic decisions lack operational grounding – Risk appetites are set without understanding what controls actually exist.
  • Operational activities lack strategic context – SOC teams detect threats without knowing which ones the board cares most about.
  • Communication breaks down – Technical teams can't explain risks in business terms; leadership can't translate priorities into technical requirements.
  • Resources are misallocated – Investment decisions don't align with actual threat landscape or control effectiveness.
Cause, not effect:

TLCTC models threats (#1–#10) as the causes that exploit generic vulnerabilities. Outcomes like "ransomware", "data breach" or "denial of service" are events that result from a sequence of such threats, for example #9->#7->#4->(#1+#7). The two-layer framework always starts its reasoning from the cause side.

Click to Enlarge
🏢 BOARDROOM / EXECUTIVE LEVEL Priorities • Risk Appetite • Compliance • Budget Allocation Key Questions • Are we secure? • What's our exposure? • Where should we invest? ❌ No Clear Translation ⚠️ THE DISCONNECT Different Languages No Common Framework ❌ No Clear Translation 🛡️ SOC / OPERATIONAL LEVEL Inputs / Data • CVEs • MITRE TTPs • Detection Rules Activities • Alert triage • Threat hunting • Incident response
Figure 2: The communication gap between strategic and operational levels.

The Solution: A Two-Layer Framework

The TLCTC framework addresses this fundamental disconnect through a carefully designed separation of concerns: a Strategic Layer for decision-making and governance, and an Operational Layer for implementation and execution—connected by a clear, consistent bridge.

Core Principle:

Strategic decisions should be made using stable, universal concepts (the 10 threat clusters). Operational implementation should use precise, detailed specifications (specific vulnerabilities, TTPs, controls). Both layers reference the same underlying framework but serve different purposes.

Scope of Each Layer

Strategic Management Layer

  • Works with TLCTC clusters #1–#10 and their generic vulnerabilities
  • Defines risk appetite and tolerance per cluster
  • Defines control objectives per cluster × NIST CSF function
  • Owns KRIs and high-level KCIs at cluster / objective level
  • Maintains governance artefacts (policies, standards, accountability)
  • Deliberately avoids TTPs, CVEs, tool configurations

Operational Security Layer

  • Implements TLCTC sub-threats (TLCTC-XX.YY) in tooling and processes
  • Works with concrete vulnerabilities (CVE/CWE) and MITRE TTPs
  • Models and detects attack paths across domains
  • Implements and operates local and umbrella controls
  • Owns KCIs and KPIs for control effectiveness and operational performance
  • Feeds metrics back to the strategic layer to inform KRIs
Click to Enlarge
📊 STRATEGIC LAYER – Where Decisions Are Made KRI / Metrics Key Risk Indicators Risk Appetite and Tolerance Control Objectives per Cluster x NIST Strategic Notation #X The 10 Clusters #1 – #10 Generic Vulns of asset types 🧭 NIST CSF BRIDGE – Control Structure GOVERN IDENTIFY PROTECT DETECT RESPOND RECOVER ⚙️ OPERATIONAL LAYER – Where Defense Happens Specific Vulns CVEs / CWEs TTPs MITRE ATTACK Attack Path Instance #9.2 → #3.1 → #7.1 Incident / Event Loss of Control / Compromized Asset Implementations Controls / Tools KCI / KPI Performance Metrics Ops Notation TLCTC-XX.YY Incident Feedback Performance Data
Figure 3 (Corrected): The TLCTC Two-Layer Architecture. Note the logical flow: Strategic Clusters and Generic Vulns now explicitly map to Operational TTPs and Specific Vulns (dashed lines). The Operational Layer follows a causal chain: Vulns → TTPs → Path → Incident.

The Strategic Layer: Where Decisions Are Made

Purpose and Scope

The Strategic Layer is where organizations make decisions about:

  • Which threats to prioritize
  • How much risk to accept
  • Where to invest resources
  • What the security program should achieve

Key Components

📋 Strategic Layer Components

  • The 10 TLCTC Clusters – Universal threat taxonomy (#1-#10)
  • Generic Vulnerabilities – Root causes that enable each cluster
  • Risk Appetite & Tolerance – How much exposure is acceptable per cluster
  • Control Objectives – What controls should achieve (structured by NIST CSF functions)
  • Strategic Notation – Human-readable format (#X for communication)
  • Key Risk Indicators (KRIs) – Leading indicators of emerging threats per cluster
  • Governance Framework – Policies, standards, and accountability structures

Who Works Here?

  • CISO and security leadership
  • Board of Directors / Audit Committee
  • Risk Management teams
  • Compliance officers
  • Business unit leaders

Strategic Layer in Practice

Example: Board Risk Discussion

CISO: "Our risk assessment shows elevated exposure to #10 Supply Chain Attack and #4 Identity Theft. Based on industry trends, I recommend lowering our risk tolerance for #10 from 'Moderate' to 'Low' and increasing our control objectives in the PROTECT function."

Board Member: "What does that mean in terms of investment?"

CISO: "We need to strengthen controls targeting the generic vulnerability—our reliance on third-party components. Specifically, Software Composition Analysis tools and enhanced vendor security requirements. Estimated investment: $500K."

Outcome: Clear decision made using strategic concepts, without getting lost in technical details about specific CVEs or scanning tools.

TLCTC Cyber Radar TLCTC Cyber Radar
Figure 4: Example radar showing organization's threat exposure across all 10 TLCTC clusters. High-risk areas (#4 Identity Theft, #7 Malware, #9 Social Engineering, #10 Supply Chain) require immediate attention.

Strategic Artifacts

Artifact Purpose Audience Update Frequency
Risk Register (TLCTC-based) Track threats by cluster Leadership, Board Quarterly
Risk Appetite Statement Define acceptable exposure per cluster Board, Executives Annually
Control Objectives Matrix Map NIST functions to clusters CISO, Risk Managers Annually
Cyber Threat Radar Visualize threat landscape All stakeholders Monthly
KRI Dashboard Monitor emerging risks CISO, Board Monthly

The Operational Layer: Where Defense Happens

Purpose and Scope

The Operational Layer is where organizations:

  • Implement specific security controls
  • Detect and respond to threats
  • Hunt for sophisticated attacks
  • Manage vulnerabilities and patches
  • Execute incident response

Key Components

🔧 Operational Layer Components

  • Specific Vulnerabilities – CVEs, specific weaknesses (CWE) in actual systems
  • Tactics, Techniques, Procedures (TTPs) – How attackers actually operate (MITRE ATT&CK)
  • Attack Paths – Sequences of threat clusters in real attacks (e.g., #9->#3->#7)
  • Control Implementations – Actual tools, configurations, processes
  • Operational Notation – Machine-readable format (TLCTC-XX.YY for automation)
  • Key Control Indicators (KCIs) – Control effectiveness metrics (are controls doing their job?)
  • Key Performance Indicators (KPIs) – Operational performance metrics (e.g., MTTR, patch latency)
  • Detection Rules – SIEM rules, IDS signatures, behavioral analytics
  • Incident Response Playbooks – Step-by-step response procedures per cluster

Who Works Here?

  • SOC analysts and threat hunters
  • Security engineers and architects
  • Vulnerability management teams
  • Incident responders
  • Security operations managers

Operational Layer in Practice

Example: SOC Detection and Response

SOC Analyst: "SIEM alert: Suspicious PowerShell execution detected on endpoint DESKTOP-7821. Correlating with TLCTC framework..."

Analysis:

  • Initial phishing email (TLCTC-09.00 Social Engineering)
  • Malicious macro in attachment (TLCTC-03.00 Exploiting Client)
  • PowerShell dropper execution (TLCTC-07.00 Malware)
  • Attack path: #9->#3->#7

SOC Manager: "This maps to our #7 Malware response playbook. Execute containment procedures and escalate per the defined workflow. Also, this attack path matches the known APT29 attack profile we've been tracking."

Outcome: Clear, consistent response based on threat cluster identification, with immediate understanding of which playbook to execute.

In more complex scenarios that cross domains (for example, from the internet into your internal network), the same attack-path notation can be extended with explicit domain boundaries, for example: Internet[#9->#3->#7] -> Corporate[#4->#1->#7]. This keeps the description cause-oriented while making the movement between environments explicit.

SIEM - Attack Path Detection ● ACTIVE ⚠ HIGH SEVERITY ALERT Endpoint: DESKTOP-7821 | User: john.doe@company.com Timestamp: 2025-11-15 14:23:47 UTC | Confidence: 95% Detected Attack Sequence: #9 Social Eng TLCTC-09.00 Phishing email 14:15:33 #3 Exploit Client TLCTC-03.00 Macro exploit 14:16:12 #7 Malware TLCTC-07.00 PowerShell dropper 14:23:47 ← NOW ✓ Recommended Actions (Playbook: TLCTC-07.00) 1. Isolate endpoint DESKTOP-7821 from network 2. Terminate PowerShell process (PID: 8472) 3. Execute #7 Malware incident response playbook AUTO-RESPONSE: ON
Figure 5: SIEM automatically classifies attack steps using TLCTC operational notation (TLCTC-XX.YY), enabling immediate playbook selection.

Operational Artifacts

Artifact Purpose Audience Update Frequency
SIEM Detection Rules Automated threat detection SOC Analysts Continuous
Vulnerability Scan Results Identify specific weaknesses Vuln Management Weekly
Incident Response Playbooks Step-by-step response per cluster IR Team, SOC Quarterly
Attack Path Database Historical attack sequences Threat Intel, SOC Continuous
Control Implementation Matrix Document deployed controls Security Engineers Monthly
KCI/KPI Dashboard Monitor control effectiveness and operational performance Security Ops Mgr Daily/Weekly

The Bridge: Connecting Strategy and Operations

The real power of the two-layer framework lies in how the layers connect. Without a bridge, they're just two separate activities. With the bridge, they become a unified defense system.

Control Objectives: The Primary Bridge

Control objectives serve as the primary connection point, structured using NIST Cybersecurity Framework (CSF) functions:

  • GOVERN (GV) – Establish cybersecurity governance
  • IDENTIFY (ID) – Understand vulnerabilities enabling each cluster
  • PROTECT (PR) – Implement controls to prevent cluster realization
  • DETECT (DE) – Discover when cluster threats materialize
  • RESPOND (RS) – React to realized threats per cluster
  • RECOVER (RC) – Restore capabilities after cluster-based incidents

Here NIST CSF functions are used strictly as a structuring grid for control objectives per TLCTC cluster. TLCTC provides the threat and cause model; NIST CSF provides the verbs.

How It Works:
  1. Strategic Layer defines control objectives per cluster and NIST function (e.g., "Protect from #7 Malware execution")
  2. Bridge translates objectives into implementation requirements
  3. Operational Layer implements specific controls (e.g., "EDR with behavioral analysis", "Application whitelisting")
  4. Metrics Flow Back – KCIs and KPIs inform KRIs, enabling strategic decisions based on operational reality
Click to Enlarge
📊 Strategic Layer Risk Appetite #7 Malware = LOW KRI Incidents/Mo: < 2 Threshold Monitor Control Objective KCI (green) KPI (green) 🌉 Bridge - Control Objectives Implementation Requirements • EDR Deployment • App Whitelisting • Email Filtering ⚙️ Operational Layer Control 1: EDR Control 2: App Ctrl Control 3: Gateway BCI (Baseline Control Indicators) EDR Cov: 98% Detect Rate: 94% Block Rate: 87% BPI (Baseline Performance Indicators) MTTR: 4.2h Contain: 15min False Pos: 2% Weekly Monthly Report Quarterly Risk Review
Figure 6: The Feedback Loop. Strategic decisions drive operational implementation, while operational metrics inform strategic risk assessment.

Indicator Hierarchy: Data/Metric → Baseline Indicator → (KPI → KCI → KRI)

To keep the bridge measurable and consistent, indicators are organised in a simple hierarchy:

  • Data/Metric – Raw events and telemetry.
  • Baseline Indicator – Simple aggregations.
  • KPI – Operational performance metrics (e.g., MTTR).
  • KCI – Control effectiveness metrics.
  • KRI – Aggregated risk indicators at TLCTC cluster level.

Example: Full Bridge in Action

Scenario: Addressing Supply Chain Risk (#10)

Strategic Layer Activities:

  • Board sets risk appetite for #10 Supply Chain Attack to "Low"
  • CISO defines control objective: "IDENTIFY and PROTECT against compromised third-party components"
  • KRI established: "Number of unvetted dependencies in production code"

Bridge Translation:

  • Control objective requires: Software Composition Analysis (SCA)
  • Implementation requirements: Automated scanning, SBOM generation, vendor risk assessment
  • Success criteria: 100% dependency visibility, <7 day remediation for critical findings

Operational Layer Implementation:

  • Deploy Snyk/Dependabot for SCA scanning
  • Integrate SCA into CI/CD pipeline (map to TLCTC-10.02 Development Vector)
  • Create SIEM rules for detecting anomalous behavior in dependencies
  • Establish KCI: "% of builds with SCA scan passed"
  • Establish KPI: "Mean time to remediate critical dependency vulnerabilities"

Feedback Loop:

  • Weekly: Security engineer reviews KCI (95% builds scanned)
  • Monthly: Security ops manager reviews KPI (4.2 day MTTR)
  • Quarterly: CISO reports KRI to board (Unvetted dependencies: 12, down from 47)
  • Board confirms risk appetite being met, authorizes continued investment

Dual Notation System

The framework uses two complementary notation systems:

Layer Notation Format Use Case Example
Strategic Human-readable #X Executive communication #9->#3->#7
Operational Machine-readable TLCTC-XX.YY SIEM rules, automation TLCTC-09.00->TLCTC-03.00->TLCTC-07.00
Why Two Notations?
  • Strategic (#X): Easy to read, quick to understand, perfect for presentations.
  • Operational (TLCTC-XX.YY): Structured format enables sorting, filtering, automation, and database queries.

Complete Layer Comparison

Click to Enlarge
Two-Layer Framework Comparison 📊 STRATEGIC LAYER Audience: • Board of Directors • CISO & Executives • Risk Managers Focus: • What threats matter most? • Where to invest resources? • Are we within risk appetite? Time Horizon: • Quarterly / Annual Notation: #9 -> #3 -> #7 Artifacts: • Risk Register • Cyber Threat Radar • KRI Dashboard • Board Reports Decisions: • Risk appetite, budgets, priorities BRIDGE NIST CSF & TLCTC ⚙️ OPERATIONAL LAYER Audience: • SOC Analysts • Security Engineers • Incident Responders Focus: • How do we defend? • What controls to implement? • How to detect & respond? Time Horizon: • Daily / Weekly / Monthly Notation: TLCTC-09.00 -> TLCTC-03.00 Artifacts: • SIEM Rules • IR Playbooks • KCI/KPI Dashboard • Attack Path DB Actions: Detection, response, implementation Control Objectives Metrics

Practical Implementation Guide

Step 1: Establish Strategic Foundation

  1. Create TLCTC-based Risk Register: List all 10 clusters and assess likelihood and impact per cluster.
  2. Define Risk Appetite per Cluster: Board workshop to establish tolerance levels (High/Medium/Low).
  3. Establish Control Objectives Matrix: Define objectives across NIST functions for each cluster.
  4. Define Strategic KRIs: Set leading indicators and thresholds.

Step 2: Build Operational Capabilities

  1. Map Existing Controls to Clusters: Inventory controls and tag with NIST CSF function.
  2. Implement TLCTC in SIEM: Add TLCTC cluster field to incident records.
  3. Develop Cluster-Based Playbooks: Create incident response playbook for each cluster.
  4. Establish KCIs and KPIs: Define control performance metrics.

Step 3: Connect the Layers

  1. Create Reporting Bridge: Map KCIs/KPIs to KRIs.
  2. Establish Feedback Mechanisms: Monthly ops reviews and quarterly strategic reviews.
  3. Enable Bi-Directional Communication: Ensure both layers speak the same language.
gantt
    title Implementation Roadmap: Two-Layer Framework Adoption
    dateFormat YYYY-MM-DD
    axisFormat %b
    
    section Phase 1: Strategic Foundation
    Risk Register Creation           :a1, 2025-01-01, 30d
    Risk Appetite Definition         :a2, after a1, 20d
    Control Objectives Matrix        :a3, after a2, 25d
    KRI Framework                    :a4, after a3, 15d
    
    section Phase 2: Operational Build
    Control Mapping                  :b1, 2025-03-15, 30d
    SIEM Integration                 :b2, after b1, 25d
    Playbook Development             :b3, 2025-04-01, 45d
    KCI/KPI Definition               :b4, after b2, 20d
    
    section Phase 3: Bridge & Refinement
    Reporting Connections            :c1, 2025-06-01, 30d
    Feedback Loop Establishment      :c2, after c1, 25d
    Dashboard Development            :c3, 2025-06-15, 40d
    Training & Refinement            :c4, 2025-07-15, 60d
    Continuous Improvement           :milestone, 2025-09-15, 0d
Key Milestones & Dependencies Phase 1 (Months 1-3) Strategic Foundation ✓ Risk register with TLCTC ✓ Board approval of risk appetite ✓ Control objectives defined ✓ KRI framework established Deliverable: Executive-approved strategic framework Phase 2 (Months 4-6) Operational Build ✓ Controls mapped to clusters ✓ SIEM TLCTC integration ✓ Incident playbooks created ✓ KCIs/KPIs defined Deliverable: Operational capabilities aligned to strategy Phase 3 (Months 7-12) Bridge & Refine ✓ Reporting dashboards live ✓ Feedback loops active ✓ Bi-directional flow working ✓ Continuous improvement Deliverable: Fully integrated two-layer framework

Real-World Success Patterns

Pattern 1: Incident-Driven Improvement

Scenario: Organization experiences ransomware incident.

Operational Response (Immediate):

  • SOC identifies attack path: #9->#3->#7->#4->#1+#7
  • Executes containment per #7 Malware playbook
  • Documents specific TTPs and IOCs
  • MTTR: 6 hours (KPI tracked)

Strategic Response (Post-Incident):

  • CISO presents to board using attack path notation
  • Board understands: Started with Social Engineering (#9), progressed through multiple clusters
  • Risk appetite review: Lower tolerance for #9 and #7
  • Investment decision: Enhanced email security + EDR upgrade

Pattern 2: Proactive Risk Management

Scenario: KRI shows increasing #10 Supply Chain risk.

Strategic Trigger:

  • Monthly KRI report shows 23% increase in risky dependencies
  • Threshold breach triggers strategic review

Operational Implementation:

  • Deploy advanced SCA platform
  • Create automated blocking rules for critical findings
  • Within 2 months: KRI drops 31%, control objective met

Pattern 3: Threat Intelligence Integration

Scenario: Industry alert about new APT campaign.

Operational Analysis:

  • Threat intel team receives external attack path: #10->#7->#4->#2->#7
  • Translates APT TTPs to TLCTC clusters
  • Creates detection rules mapped to each cluster

Strategic Communication:

  • CISO briefs leadership: "New campaign targets financial sector via supply chain (#10), focus on #4 credential theft"
  • Risk assessment: High likelihood given our sector, high impact

Coordinated Response:

  • Strategic: Accelerate planned MFA rollout (addresses #4)
  • Operational: Implement new detection rules, increase monitoring

Key Benefits Summary

Strategic Layer Benefits

  • Clear communication with board and executives
  • Risk-based resource allocation
  • Consistent risk assessment methodology
  • Meaningful risk appetite statements
  • Long-term program planning
  • Regulatory compliance alignment

Operational Layer Benefits

  • Precise threat classification
  • Consistent incident response
  • Effective threat hunting
  • Clear control implementation guidance
  • Measurable security outcomes
  • Automated tool integration
The Ultimate Benefit: Organizational Alignment

When strategy and operations speak the same language, your entire security program becomes coherent: Executives understand what they're approving, security teams understand priorities, and investments align with actual risk.

Getting Started

Week 1: Assessment

  • Review current risk register and threat taxonomy
  • Evaluate how well strategy and operations are currently connected
  • Identify quick wins (e.g., adding TLCTC tags to existing incidents)

Week 2-4: Strategic Foundation

  • Create TLCTC-based risk register
  • Present framework to leadership
  • Begin risk appetite discussions
  • Define initial control objectives

Month 2-3: Operational Integration

  • Train SOC team on cluster identification
  • Update SIEM with TLCTC fields
  • Map existing controls to clusters
  • Create first cluster-based playbook

Month 4-6: Build the Bridge

  • Establish KRI/KCI/KPI framework
  • Create executive dashboards
  • Run first integrated strategic/operational review
  • Refine and improve based on feedback
Pro Tip:

Start small with one threat cluster. Pick your highest-risk area (often #7 Malware or #4 Identity Theft) and implement the two-layer approach for just that cluster. Prove the value, then expand.

Additional Resources

  • TLCTC White Paper v1.9.1: Complete framework documentation with detailed definitions.
  • JSON Architecture Guide: Technical implementation for threat intelligence sharing.
  • Attack Path Notation Guide: How to document and communicate attack sequences.
  • NIST CSF Integration: Detailed mapping of control objectives to framework functions.

Conclusion

The cybersecurity industry has struggled for too long with the disconnect between strategic intent and operational reality. Boards make decisions without understanding implementation; SOC teams detect threats without knowing strategic priorities. Tools and techniques proliferate without clear connection to business risk.

The TLCTC two-layer framework solves this fundamental problem by providing a stable strategic language for risk decisions, a precise operational framework for implementation, and a clear bridge between them.

"The best defense isn't just strong controls or good threat intelligence—it's an organization where everyone from the board to the SOC speaks the same language and works toward the same goal."

The two-layer framework gives you that common language. The rest is up to you.

References

  1. Kreinz, B. The Two-Layer Framework: Bridging Cybersecurity Strategy and Operations, TLCTC Blog, 2025.
  2. TLCTC White Paper v1.9.1, Section 4: Architecture and Implementation.