What is TLCTC?
The Top Level Cyber Threat Clusters (TLCTC) framework is a cause-oriented, axiomatic threat taxonomy. It classifies cyber threats by why compromise happens — the generic vulnerability the attacker exploits — not by what happens (outcomes like “ransomware”, “data breach”, or “insider threat”). Exactly 10 non-overlapping clusters cover the entire threat space, governed by 10 axioms and a small set of normative classification rules. It is licensed under CC BY 4.0 and maintained openly. For the framework, whitepaper, glossary, tools, and more: tlctc.net.
The problem this integration solves
Most SOAR deployments structure playbooks around outcomes: a “Ransomware Playbook,” a “Phishing Playbook,” a “Data Exfiltration Playbook.” TLCTC’s Axiom III prohibits this — outcomes are consequences, not threats. When playbooks branch on the consequence, you end up duplicating work across every CVE that produces the same outcome and missing the actual generic vulnerability the attacker exploited.
A cause-oriented SOAR turns this inside out: one master playbook per cluster, regardless of the eventual outcome. A #3 Exploiting Client playbook covers every browser exploit you’ll ever face. A #4 Identity Theft playbook handles every credential-application step regardless of how the credential was obtained. A #10 Supply Chain playbook fires at the Trust Acceptance Event no matter which package was compromised.
That’s what this integration ships.
What’s in the release
The integration is published in two parallel builds — same functional scope, packaged for two different Palo Alto Networks SOAR platforms:
| Build | Target | Format |
|---|---|---|
integrations/cortex-xsoar/ |
Cortex XSOAR 6.2.x | Per-object YAML/JSON for direct upload via Settings UI |
integrations/cortex-xsoar-8/ |
Cortex XSOAR 8.x + Cortex XSIAM | Marketplace Content Pack (marketplaces: ["xsoar","marketplacev2"]) |
Both builds ship:
- 10 cluster-scoped master playbooks —
TLCTC-01-AbuseOfFunctionsthroughTLCTC-10-SupplyChain. One per cause, none per outcome. - An ATT&CK→TLCTC classifier that derives the cluster automatically from the technique IDs your XDR/SIEM already produces.
- A Velocity-Class router branching response by Δt: VC-4 record-only (EDR enforces sub-second), VC-3 auto-contain (minutes), VC-2 human-gated (hours), VC-1 hand-off to threat hunting (days+).
- An RS Container sub-playbook implementing both Direct Response and Propagated PR controls — automatic GDPR Art. 33 and NIS2 Art. 23 trigger logic based on the Data Risk Event chain.
- A Layer 3 attack-path emitter that produces a schema-valid JSON instance on incident close, ready for archival, retro-analysis, or cross-incident pattern study.
Tagged release: cortex-xsoar-v1.0.0.
Where to find what
Start here
- Top-level overview — picks the right build for your platform.
- Integration repo root — both builds, side by side.
XSOAR 6.2 build
| What | Where |
|---|---|
| Architecture overview | README.md |
| Click-by-click install runbook | deploy.md |
| Five acceptance test cases | test-cases.md |
| 10 master playbooks | playbooks/ |
| Classification + Layer 3 emitter | automations/ |
| ATT&CK→TLCTC lookup list | lists/attck-tlctc-lookup.json |
| Custom incident fields | incident-fields/ |
XSOAR 8.x + XSIAM Content Pack
| What | Where |
|---|---|
| Pack overview & differences from 6.2 | README.md |
demisto-sdk install runbook |
deploy.md |
| Pack manifest | pack_metadata.json |
| Playbooks (dispatch + 2 sub + 10 master) | Playbooks/ |
| Classify + Emit scripts | Scripts/ |
| Layout (8.x LayoutsContainer) | Layouts/ |
| Release notes | ReleaseNotes/1_0_0.md |
Underlying TLCTC artefacts the integration depends on
| Artefact | Purpose | Location |
|---|---|---|
| Layer 1 framework definition | The 10 clusters, 10 axioms, 6 rules | json-schemas/layer-1/tlctc-framework.v2.0.json |
| Layer 3 schema | What the emitter validates against | json-schemas/layer-3/tlctc-attack-path.schema.json |
| ATT&CK→TLCTC source mapping (698 techniques) | Source of truth for the lookup list | mappings/mitre-attack-enterprise/ |
| Glossary (RS Container, Velocity Class, Operational Notation) | Concept definitions referenced by playbooks | documentation/tlctc-glossary.md |
| Whitepaper | Full v2.1 specification | documentation/tlctc-v2.0-whitepaper.md |
The five rules the classifier enforces
The integration is interesting because the classification automation doesn’t just look up a technique → cluster. It enforces the framework’s normative rules so that a single ATT&CK technique can fire multiple cluster playbooks when the framework demands it.
| Rule | Effect on SOAR | Test case |
|---|---|---|
| Axiom VI — Single-Cluster Rule | One step = one cluster. Multi-cluster techniques get split into multiple steps. | T1566.001 fires both the #9 and #7 playbooks. |
| R-EXEC | When Foreign Executable Content executes, a #7 step is recorded with fec_executed: true. |
T1059.001 (PowerShell) becomes #1 → #7 — interpreter is #1, the script is #7. |
| R-CRED | Credential application is always #4, no matter how the credential was obtained. | T1078 fires the #4 playbook even when paired with a separate #1 acquisition step. |
| R-ROLE | Classify by the role of the flawed component. Server-role = #2, client-role = #3. |
T1190 → #2; T1189 (drive-by) → #3. |
| R-SUPPLY | #10 is placed at the Trust Acceptance Event — not at the upstream compromise. |
T1195.002 → #10 at the moment the artefact becomes authoritative inside the target. |
The full test suite — five reproducible cases with expected playbook firing sequences and emitted Layer 3 paths — lives in test-cases.md.
Why this matters operationally
Three concrete payoffs once the pack is live:
- One playbook covers every CVE that shares a cause. A new browser zero-day arrives → your
#3 Exploiting Clientplaybook already covers it. No content update required. - Regulatory triggers stop being ad-hoc. GDPR Art. 33 and NIS2 Art. 23 fire deterministically based on the Data Risk Event chain (DRE on PII for GDPR; severity threshold for NIS2) — implemented as the Propagated PR branches of the RS Container sub-playbook. No more chasing notification deadlines case by case.
- Every closed incident produces a comparable artefact. The Layer 3 attack-path JSON emitted on close is schema-validated and structurally identical across incidents. Cross-incident pattern study, attacker-profile analysis, and risk register updates run on a single shape.
Getting started
- Pick your build: 6.2 or 8.x/XSIAM (the integrations index has the deciding table).
- Run the deploy runbook end-to-end — both builds include a complete install path with smoke tests:
- Run the five acceptance tests before promoting to production. Failures point to either a stale lookup list or a misconfigured ATT&CK feed.
- Wire your XDR/SIEM to the classifier — anything that produces ATT&CK technique IDs will work; adapt the mapper if your feed uses a non-standard field path.
Questions, contributions, and issue reports are welcome on the TLCTC GitHub repo.
The TLCTC framework, schemas, mappings, tools, and integrations are published under CC BY 4.0. Learn more at tlctc.net.