{
  "version": "https://jsonfeed.org/version/1.1",
  "title": "TLCTC Blog — Top Level Cyber Threat Clusters",
  "home_page_url": "https://www.tlctc.net/",
  "feed_url": "https://www.tlctc.net/feed.json",
  "description": "Essays, analyses, and case studies on the TLCTC framework — a cause-oriented cyber threat taxonomy of 10 mutually exclusive clusters anchored in a Bow-Tie risk model.",
  "language": "en-US",
  "authors": [
    {
      "name": "Bernhard Kreinz"
    }
  ],
  "items": [
    {
      "id": "https://www.tlctc.net/tlctc-propagated-controls.html",
      "url": "https://www.tlctc.net/tlctc-propagated-controls.html",
      "title": "Propagated Controls — Managing Controls Over Event Chains",
      "content_text": "Companion note to TLCTC v2.0 that lifts the Propagated PR mechanism out of the glossary and generalizes it to four sources — regulatory, contractual, BCM, internal policy. A PR control for a downstream BRE executes as an RS step of an upstream event. Includes GDPR vs NIS2 and BCM/RTO worked examples, the canonical RS(Eₙ) formula, and a formal Rule of Propagation: a PR control for Eₙ₊ₓ is hosted in the earliest event whose classification suffices to trigger the obligation.",
      "summary": "Companion note to TLCTC v2.0 that lifts the Propagated PR mechanism out of the glossary and generalizes it to four sources — regulatory, contractual, BCM, internal policy. A PR control for a downstream BRE executes as an RS step of an upstream event. Includes GDPR vs NIS2 and BCM/RTO worked examples, the canonical RS(Eₙ) formula, and a formal Rule of Propagation: a PR control for Eₙ₊ₓ is hosted in the earliest event whose classification suffices to trigger the obligation.",
      "tags": [
        "Framework & Concepts",
        "Regulations & Compliance"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-13T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/sabsa-tlctc-blog.html",
      "url": "https://www.tlctc.net/sabsa-tlctc-blog.html",
      "title": "SABSA × TLCTC: Architecture Method, Threat Ontology, and the Predefined Control Objective",
      "content_text": "SABSA and TLCTC are routinely compared as competing frameworks. They are not. SABSA is an architectural method without a threat taxonomy; TLCTC is a threat ontology without an architectural method. This essay shows how SABSA, TLCTC, NIST CSF, and external control catalogues compose into the four-way structure enterprise security architecture actually needs — and why control objectives are predefined (60 verb-noun cells: CSF × TLCTC), not authored. Introduces the governance-umbrella archetype that binds local and operational umbrella controls to enterprise intent.",
      "summary": "SABSA and TLCTC are routinely compared as competing frameworks. They are not. SABSA is an architectural method without a threat taxonomy; TLCTC is a threat ontology without an architectural method. This essay shows how SABSA, TLCTC, NIST CSF, and external control catalogues compose into the four-way structure enterprise security architecture actually needs — and why control objectives are predefined (60 verb-noun cells: CSF × TLCTC), not authored. Introduces the governance-umbrella archetype that binds local and operational umbrella controls to enterprise intent.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-12T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/sbom-for-ai-control-fixation.html",
      "url": "https://www.tlctc.net/sbom-for-ai-control-fixation.html",
      "title": "The Control Fixation in the Security Properties — A TLCTC critique of G7 SBOM-for-AI",
      "content_text": "The G7's Software Bill of Materials for AI (Évian, 2026) defines seven clusters — six describe what an AI system is made of, one (Security Properties) describes what it is defended with. TLCTC v2.1 critique: the SP cluster has no threat view, conflates SRE and DRE, and is scope-blind to Model/Dataset/System/Infrastructure. Prompt-injection case study (#1 vs #3 vs #10) and a three-axis threat × element × event-side matrix that fixes it.",
      "summary": "The G7's Software Bill of Materials for AI (Évian, 2026) defines seven clusters — six describe what an AI system is made of, one (Security Properties) describes what it is defended with. TLCTC v2.1 critique: the SP cluster has no threat view, conflates SRE and DRE, and is scope-blind to Model/Dataset/System/Infrastructure. Prompt-injection case study (#1 vs #3 vs #10) and a three-axis threat × element × event-side matrix that fixes it.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-12T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-plus-ncsc-proposal.html",
      "url": "https://www.tlctc.net/tlctc-plus-ncsc-proposal.html",
      "title": "TLCTC+ for NCSCs and CERTs: A National Reporting Extension Proposal (v0.3)",
      "content_text": "A working proposal (v0.3) extending TLCTC v2.1 with a national reporting profile (TLCTC+) for NCSCs and CERTs. Six tracks — Cause / SRE / DRE / BRE / Impact / Report — layered over a TLCTC path, with structured PATTERN, BRE, IMPACT, and REPORT catalogues. Anchored at #9 Social Engineering (with required v2.1 boundary operator), covering romance scams, CEO fraud, BEC, fake tech support, account-takeover-enabled fraud, supply-chain regulatory reporting, and ransomware service outages — without polluting the threat taxonomy. Three case classes: core_cyber_incident, hybrid_cyber_enabled_harm, pure_9_digital_crime.",
      "summary": "A working proposal (v0.3) extending TLCTC v2.1 with a national reporting profile (TLCTC+) for NCSCs and CERTs. Six tracks — Cause / SRE / DRE / BRE / Impact / Report — layered over a TLCTC path, with structured PATTERN, BRE, IMPACT, and REPORT catalogues. Anchored at #9 Social Engineering (with required v2.1 boundary operator), covering romance scams, CEO fraud, BEC, fake tech support, account-takeover-enabled fraud, supply-chain regulatory reporting, and ransomware service outages — without polluting the threat taxonomy. Three case classes: core_cyber_incident, hybrid_cyber_enabled_harm, pure_9_digital_crime.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-12T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/gtig-ai-threat-tracker-2026.html",
      "url": "https://www.tlctc.net/gtig-ai-threat-tracker-2026.html",
      "title": "Ten Clusters, Not Eleven — TLCTC reads the GTIG AI Threat Tracker (May 2026)",
      "content_text": "Reading Google Threat Intelligence Group's May 2026 AI Threat Tracker through TLCTC v2.1: every finding lands in one of the existing ten cause clusters. PROMPTSPY decomposes to #9 → #7 with #1 inside the FEC loop; SANDCLOCK via LiteLLM is the canonical 2026 #10 Trust Acceptance Event; AI voice cloning is a higher-fidelity #9. AI does not create a new threat — it collapses Δt across the bow-tie, migrating VC-2 transitions to VC-3 and VC-4. Includes a 14-finding mapping table, a velocity-collapse table, a PROMPTSPY full-chain deep-dive, and a cluster radar.",
      "summary": "Reading Google Threat Intelligence Group's May 2026 AI Threat Tracker through TLCTC v2.1: every finding lands in one of the existing ten cause clusters. PROMPTSPY decomposes to #9 → #7 with #1 inside the FEC loop; SANDCLOCK via LiteLLM is the canonical 2026 #10 Trust Acceptance Event; AI voice cloning is a higher-fidelity #9. AI does not create a new threat — it collapses Δt across the bow-tie, migrating VC-2 transitions to VC-3 and VC-4. Includes a 14-finding mapping table, a velocity-collapse table, a PROMPTSPY full-chain deep-dive, and a cluster radar.",
      "tags": [
        "Threat Analysis",
        "Case Study"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-11T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-prompt-index.html",
      "url": "https://www.tlctc.net/tlctc-prompt-index.html",
      "title": "TLCTC v2.1 Monster Prompts — One per Peer Group",
      "content_text": "Five audience-shaped TLCTC v2.1 monster prompts — CTI/Forensic, SOC/Detection, DevSecOps/Engineers, CISO/Risk, and Regulators/Standards. Same canonical taxonomy core; persona, inputs, and outputs reshaped for each peer group. Pick the prompt that matches your role and paste it into your LLM of choice.",
      "summary": "Five audience-shaped TLCTC v2.1 monster prompts — CTI/Forensic, SOC/Detection, DevSecOps/Engineers, CISO/Risk, and Regulators/Standards. Same canonical taxonomy core; persona, inputs, and outputs reshaped for each peer group. Pick the prompt that matches your role and paste it into your LLM of choice.",
      "tags": [
        "Tools & Applications",
        "AI Automation"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-09T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-prompt-cti.html",
      "url": "https://www.tlctc.net/tlctc-prompt-cti.html",
      "title": "TLCTC v2.1 — Deep Classifier Prompt for Threat-Intel & Forensic Analysts",
      "content_text": "The CTI/forensic specialist variant of the TLCTC monster prompt: full notation pedagogy, 22 worked examples, every R-* rule, the unresolved-step protocol, and the verification checklist — built for threat-intel analysts and incident responders who need taxonomic rigor.",
      "summary": "The CTI/forensic specialist variant of the TLCTC monster prompt: full notation pedagogy, 22 worked examples, every R-* rule, the unresolved-step protocol, and the verification checklist — built for threat-intel analysts and incident responders who need taxonomic rigor.",
      "tags": [
        "Tools & Applications",
        "AI Automation"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-09T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-prompt-soc.html",
      "url": "https://www.tlctc.net/tlctc-prompt-soc.html",
      "title": "TLCTC v2.1 — SOC & Detection Prompt | Translate ATT&CK + Telemetry into Attack Paths",
      "content_text": "The SOC variant of the TLCTC monster prompt — translate live alerts, ATT&CK technique IDs, EDR/SIEM telemetry, and IOC sets into TLCTC v2.1 attack paths with Δt velocity, ATT&CK pivots, detection-coverage call-outs, and response priority by velocity class.",
      "summary": "The SOC variant of the TLCTC monster prompt — translate live alerts, ATT&CK technique IDs, EDR/SIEM telemetry, and IOC sets into TLCTC v2.1 attack paths with Δt velocity, ATT&CK pivots, detection-coverage call-outs, and response priority by velocity class.",
      "tags": [
        "Tools & Applications",
        "AI Automation"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-09T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-prompt-devsecops.html",
      "url": "https://www.tlctc.net/tlctc-prompt-devsecops.html",
      "title": "TLCTC v2.1 — DevSecOps & Engineering Prompt | Cluster Exposure for Code, Designs, and CWEs",
      "content_text": "The DevSecOps variant of the TLCTC monster prompt — paste in code, design docs, CWE entries, dependency lists, or threat-model components and get per-component cluster exposure, CWE-grounded fixes, and shift-left controls.",
      "summary": "The DevSecOps variant of the TLCTC monster prompt — paste in code, design docs, CWE entries, dependency lists, or threat-model components and get per-component cluster exposure, CWE-grounded fixes, and shift-left controls.",
      "tags": [
        "Tools & Applications",
        "AI Automation"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-09T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-prompt-ciso.html",
      "url": "https://www.tlctc.net/tlctc-prompt-ciso.html",
      "title": "TLCTC v2.1 — CISO & Risk Prompt | Cluster-Attributed Risk + Control Gaps + Board Bullets",
      "content_text": "The CISO variant of the TLCTC monster prompt — paste in incident summaries, audit findings, or risk-register entries and get a cluster-attributed risk narrative, a control-gap table mapped to NIST CSF 2.0, FAIR loss-event framing, and board-ready talking points stripped of notation.",
      "summary": "The CISO variant of the TLCTC monster prompt — paste in incident summaries, audit findings, or risk-register entries and get a cluster-attributed risk narrative, a control-gap table mapped to NIST CSF 2.0, FAIR loss-event framing, and board-ready talking points stripped of notation.",
      "tags": [
        "Tools & Applications",
        "AI Automation"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-09T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-prompt-regulators.html",
      "url": "https://www.tlctc.net/tlctc-prompt-regulators.html",
      "title": "TLCTC v2.1 — Regulators & Standards Prompt | Harmonize Reporting Taxonomies + TLCTC+ BRE",
      "content_text": "The Regulators variant of the TLCTC monster prompt — paste in NIS2 / DORA / SEC 8-K-style filings or CERT bulletins and get cluster classification of root cause, TLCTC+ Business Risk Event (BRE) consequence tags, a crosswalk to existing reporting taxonomies, and gap commentary on what the source filing failed to express.",
      "summary": "The Regulators variant of the TLCTC monster prompt — paste in NIS2 / DORA / SEC 8-K-style filings or CERT bulletins and get cluster classification of root cause, TLCTC+ Business Risk Event (BRE) consequence tags, a crosswalk to existing reporting taxonomies, and gap commentary on what the source filing failed to express.",
      "tags": [
        "Tools & Applications",
        "AI Automation"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-09T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/chaos-ransomware-tlctc-analysis.html",
      "url": "https://www.tlctc.net/chaos-ransomware-tlctc-analysis.html",
      "title": "Chaos Ransomware: A Rapid7 Analysis Through the Lens of the TLCTC",
      "content_text": "Rapid7's forensic write-up of an intrusion branded \"Chaos ransomware\" — but no encryption ever happened. TLCTC v2.1 decomposition into seven classified steps (#9 → #4 → #1 → #4 → #1 → #7 → #7), with Teams as transit (not attack surface), the MFA self-enrollment hijack as its own #1, and an operator-gated VC-2 pause inside ms_upd.exe that the \"ransomware\" framing would have hidden. Closes on [DRE: C] only — no [DRE: Ac].",
      "summary": "Rapid7's forensic write-up of an intrusion branded \"Chaos ransomware\" — but no encryption ever happened. TLCTC v2.1 decomposition into seven classified steps (#9 → #4 → #1 → #4 → #1 → #7 → #7), with Teams as transit (not attack surface), the MFA self-enrollment hijack as its own #1, and an operator-gated VC-2 pause inside ms_upd.exe that the \"ransomware\" framing would have hidden. Closes on [DRE: C] only — no [DRE: Ac].",
      "tags": [
        "Threat Analysis",
        "Case Study"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-08T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/apache-2.4.67-tlctc-analysis.html",
      "url": "https://www.tlctc.net/apache-2.4.67-tlctc-analysis.html",
      "title": "Apache HTTP Server 2.4.67 — TLCTC Decomposition of 11 CVEs",
      "content_text": "Cause-side classification of the 11 CVEs closed in Apache HTTP Server 2.4.67 (4 May 2026). The batch splits into five #2 (server-side request handling), five #3 in mod_proxy_ajp via R-ROLE (response-parsing of attacker-controlled backend output), and one #6 (mod_md unbounded allocation). Why CVSS, RCE labels, and CISA-ADP enrichment hide the right control surface — and why three IAV-Yes CVEs concentrate the patch-window risk.",
      "summary": "Cause-side classification of the 11 CVEs closed in Apache HTTP Server 2.4.67 (4 May 2026). The batch splits into five #2 (server-side request handling), five #3 in mod_proxy_ajp via R-ROLE (response-parsing of attacker-controlled backend output), and one #6 (mod_md unbounded allocation). Why CVSS, RCE labels, and CISA-ADP enrichment hide the right control surface — and why three IAV-Yes CVEs concentrate the patch-window risk.",
      "tags": [
        "Threat Analysis",
        "Case Study"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-06T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/cve-2026-31431.html",
      "url": "https://www.tlctc.net/cve-2026-31431.html",
      "title": "CVE-2026-31431 (\"Copy Fail\") — TLCTC Analysis",
      "content_text": "A Linux kernel privilege-escalation primitive in the AF_ALG / algif_aead path. The CVE itself is #2.2 Exploiting Server; four realistic in-the-wild chains (server compromise, container escape, phishing, supply chain) all end at the same kernel step. Why ATT&CK T1068 conflates cause and effect.",
      "summary": "A Linux kernel privilege-escalation primitive in the AF_ALG / algif_aead path. The CVE itself is #2.2 Exploiting Server; four realistic in-the-wild chains (server compromise, container escape, phishing, supply chain) all end at the same kernel step. Why ATT&CK T1068 conflates cause and effect.",
      "tags": [
        "Threat Analysis",
        "Case Study"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-04T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/cortex-xsoar-tlctc-integration.html",
      "url": "https://www.tlctc.net/cortex-xsoar-tlctc-integration.html",
      "title": "Cause-Oriented SOAR: TLCTC for Cortex XSOAR and XSIAM",
      "content_text": "One master playbook per TLCTC cluster, none per outcome. Cortex XSOAR 6.2.x and XSOAR 8.x / XSIAM builds shipping a Velocity-Class router, RS Container sub-playbook with GDPR Art. 33 / NIS2 Art. 23 triggers, an ATT&CK→TLCTC classifier, and a Layer 3 attack-path emitter.",
      "summary": "One master playbook per TLCTC cluster, none per outcome. Cortex XSOAR 6.2.x and XSOAR 8.x / XSIAM builds shipping a Velocity-Class router, RS Container sub-playbook with GDPR Art. 33 / NIS2 Art. 23 triggers, an ATT&CK→TLCTC classifier, and a Layer 3 attack-path emitter.",
      "tags": [
        "Tools & Applications",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-04T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/missing-axis-d3fend-tlctc.html",
      "url": "https://www.tlctc.net/missing-axis-d3fend-tlctc.html",
      "title": "The Missing Axis — D3FEND and TLCTC, Two Layers of One Stack",
      "content_text": "MITRE's D3FEND knowledge graph is the most rigorously structured catalog of defensive countermeasures the industry has produced — yet inherits the threat-axis gap from ATT&CK that TLCTC was built to fix. A layered-stack analysis showing where D3FEND fits, where it doesn't, and why the pairing with TLCTC is more than additive.",
      "summary": "MITRE's D3FEND knowledge graph is the most rigorously structured catalog of defensive countermeasures the industry has produced — yet inherits the threat-axis gap from ATT&CK that TLCTC was built to fix. A layered-stack analysis showing where D3FEND fits, where it doesn't, and why the pairing with TLCTC is more than additive.",
      "tags": [
        "Framework & Concepts",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-02T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/control-fixation-reflex.html",
      "url": "https://www.tlctc.net/control-fixation-reflex.html",
      "title": "The Control Fixation Reflex",
      "content_text": "Why the cybersecurity industry can't stop counting controls — and what it has stopped asking. Names the autonomic reflex that operates at the control layer as if it were the foundational layer, and traces how it propagates through standards, vendors, auditors, GRC tools, maturity models, and the boardroom.",
      "summary": "Why the cybersecurity industry can't stop counting controls — and what it has stopped asking. Names the autonomic reflex that operates at the control layer as if it were the foundational layer, and traces how it propagates through standards, vendors, auditors, GRC tools, maturity models, and the boardroom.",
      "tags": [
        "Standards & Critique",
        "Philosophy"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-05-01T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/cve-2026-21510.html",
      "url": "https://www.tlctc.net/cve-2026-21510.html",
      "title": "CVE-2026-21510: When the Warning Doesn't Warn",
      "content_text": "A Windows Shell bypass slips past SmartScreen and Mark-of-the-Web. Through TLCTC, the chain is #9 → #3 → #7, but the CVE itself is #3 Exploiting Client. Why CWE-693 (Protection Mechanism Failure) misleads strategically.",
      "summary": "A Windows Shell bypass slips past SmartScreen and Mark-of-the-Web. Through TLCTC, the chain is #9 → #3 → #7, but the CVE itself is #3 Exploiting Client. Why CWE-693 (Protection Mechanism Failure) misleads strategically.",
      "tags": [
        "Threat Analysis",
        "Standards & Critique"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-29T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/cve-2026-35414.html",
      "url": "https://www.tlctc.net/cve-2026-35414.html",
      "title": "CVE-2026-35414: A 15-Year-Old Comma in OpenSSH",
      "content_text": "An OpenSSH certificate principal containing a comma can grant unauthorized root access. Through TLCTC, the scenario decomposes as #4 → #2, but the CVE itself is #2 Exploiting Server. A worked example of cause-oriented CVE classification.",
      "summary": "An OpenSSH certificate principal containing a comma can grant unauthorized root access. Through TLCTC, the scenario decomposes as #4 → #2, but the CVE itself is #2 Exploiting Server. A worked example of cause-oriented CVE classification.",
      "tags": [
        "Threat Analysis",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-veris.html",
      "url": "https://www.tlctc.net/tlctc-veris.html",
      "title": "Incident Reporting with VERIS and TLCTC",
      "content_text": "See a practical example of how the VERIS vocabulary for describing incidents can be mapped to TLCTC.",
      "summary": "See a practical example of how the VERIS vocabulary for describing incidents can be mapped to TLCTC.",
      "tags": [
        "Standards Integration",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-27T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-10x10x10-fun-fact.html",
      "url": "https://www.tlctc.net/tlctc-10x10x10-fun-fact.html",
      "title": "10 × 10 × 10 — A Fun Fact about TLCTC",
      "content_text": "Three independent pillars of TLCTC — Definitions (Semantic), Axioms (Ontological), Principles (Logical) — each ended up numbering exactly ten. Not designed. Just ended up that way.",
      "summary": "Three independent pillars of TLCTC — Definitions (Semantic), Axioms (Ontological), Principles (Logical) — each ended up numbering exactly ten. Not designed. Just ended up that way.",
      "tags": [
        "Framework & Concepts",
        "Research & Insights"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-19T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/ad-ransomware-tlctc-cascade.html",
      "url": "https://www.tlctc.net/ad-ransomware-tlctc-cascade.html",
      "title": "The #1-Cascade — Active Directory, Domain Admin, and Ransomware under the TLCTC Lens",
      "content_text": "A forensic-level TLCTC v2.1 decomposition of how attackers reach Domain Admin and deploy ransomware. Shows why the entire post-DA phase is structurally #1, with attack path notation, event IDs, and DRE annotations grounded in 2025 IR data.",
      "summary": "A forensic-level TLCTC v2.1 decomposition of how attackers reach Domain Admin and deploy ransomware. Shows why the entire post-DA phase is structurally #1, with attack path notation, event IDs, and DRE annotations grounded in 2025 IR data.",
      "tags": [
        "Threat Analysis",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-18T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-ssdlc.html",
      "url": "https://www.tlctc.net/tlctc-ssdlc.html",
      "title": "SSDLC for Developers: The \"S\" Problem and How TLCTC Fixes It",
      "content_text": "Design reviews are theatre? Make them bite. A developer-first entry point to Secure SDLC with the TLCTC threat clusters, attack-path design reviews, and a CWE triage shortcut.",
      "summary": "Design reviews are theatre? Make them bite. A developer-first entry point to Secure SDLC with the TLCTC threat clusters, attack-path design reviews, and a CWE triage shortcut.",
      "tags": [
        "Framework & Concepts",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-18T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-semantic-diffusion-dread-stride.html",
      "url": "https://www.tlctc.net/tlctc-semantic-diffusion-dread-stride.html",
      "title": "The End of Semantic Diffusion: DREAD vs STRIDE vs TLCTC",
      "content_text": "Compare Microsoft's DREAD and STRIDE with the cause-oriented TLCTC framework to understand why cybersecurity must stop blending causes with outcomes for genuine semantic precision.",
      "summary": "Compare Microsoft's DREAD and STRIDE with the cause-oriented TLCTC framework to understand why cybersecurity must stop blending causes with outcomes for genuine semantic precision.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-12T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-regulation-dora-tlpt.html",
      "url": "https://www.tlctc.net/tlctc-regulation-dora-tlpt.html",
      "title": "DORA TLPT",
      "content_text": "A detailed analysis of the DORA TLPT and a comparison with the Top Level Cyber Threat Clusters (TLCTC) framework.",
      "summary": "A detailed analysis of the DORA TLPT and a comparison with the Top Level Cyber Threat Clusters (TLCTC) framework.",
      "tags": [
        "Regulations & Compliance"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-10T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-diamond-model.html",
      "url": "https://www.tlctc.net/tlctc-diamond-model.html",
      "title": "Comparative Analysis: TLCTC vs. DIAMOND",
      "content_text": "The Diamond Model of Intrusion Analysis is a powerful relational framework for threat intelligence — but its vertices lack internal causal structure. TLCTC fills that gap.",
      "summary": "The Diamond Model of Intrusion Analysis is a powerful relational framework for threat intelligence — but its vertices lack internal causal structure. TLCTC fills that gap.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-04-04T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-npm-supply-chain.html",
      "url": "https://www.tlctc.net/tlctc-npm-supply-chain.html",
      "title": "The npm Supply Chain Attack Is Not a Package Story. It Is a Trust-Acceptance Story.",
      "content_text": "Why npm supply chain attacks are fundamentally trust-acceptance failures. Learn to map malicious packages, typosquatting, and dependency confusion to TLCTC clusters.",
      "summary": "Why npm supply chain attacks are fundamentally trust-acceptance failures. Learn to map malicious packages, typosquatting, and dependency confusion to TLCTC clusters.",
      "tags": [
        "Threat Analysis",
        "Framework & Concepts",
        "Supply Chain"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-03-19T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/https://github.com/Barnes70/TLCTC/blob/main/v2.1-Proposals/TLCTC_v2.1_Full_Extension_Spec.pdf",
      "url": "https://github.com/Barnes70/TLCTC/blob/main/v2.1-Proposals/TLCTC_v2.1_Full_Extension_Spec.pdf",
      "title": "TLCTC v2.1: Full Extension Spec - Boundary & Transit Operators",
      "content_text": "v2.1 adds transit and intra-system boundary operators to the notation—tracking how attacks relay through intermediate carriers and escalate within hosts. Same ten clusters, sharper observability.",
      "summary": "v2.1 adds transit and intra-system boundary operators to the notation—tracking how attacks relay through intermediate carriers and escalate within hosts. Same ten clusters, sharper observability.",
      "tags": [
        "Framework & Concepts",
        "Notation & Standards"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-03-15T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-zero-trust-semantic-problem.html",
      "url": "https://www.tlctc.net/tlctc-zero-trust-semantic-problem.html",
      "title": "The Semantic Problem with \"Zero Trust\"",
      "content_text": "Deconstructing Zero Trust as a meta-principle. Why the industry's blurriness regarding Zero Trust is structurally inevitable and how to pin it to concrete TLCTC clusters.",
      "summary": "Deconstructing Zero Trust as a meta-principle. Why the industry's blurriness regarding Zero Trust is structurally inevitable and how to pin it to concrete TLCTC clusters.",
      "tags": [
        "Framework & Concepts",
        "Strategic Threat Intelligence"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-03-15T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-iec62443-v2.html",
      "url": "https://www.tlctc.net/tlctc-iec62443-v2.html",
      "title": "IEC 62443 Meets TLCTC v2.1: Filling the Threat Taxonomy Gap in Industrial Cybersecurity",
      "content_text": "How TLCTC v2.0's cause-oriented taxonomy, velocity classes, and attack path notation fill the threat identification gap in IEC 62443 industrial cybersecurity risk assessments.",
      "summary": "How TLCTC v2.0's cause-oriented taxonomy, velocity classes, and attack path notation fill the threat identification gap in IEC 62443 industrial cybersecurity risk assessments.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-03-01T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-banks-operational-risk-basel.html",
      "url": "https://www.tlctc.net/tlctc-banks-operational-risk-basel.html",
      "title": "The Crux of Banks Regarding Operational Risk Management",
      "content_text": "Why Basel's Event Categories Structurally Undermine the Risk Standards They Claim to Implement. A deep dive into the contradiction between ISO 31000, COSO ERM, and Basel OPE25 Table 2.",
      "summary": "Why Basel's Event Categories Structurally Undermine the Risk Standards They Claim to Implement. A deep dive into the contradiction between ISO 31000, COSO ERM, and Basel OPE25 Table 2.",
      "tags": [
        "Risk Management",
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-26T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-agentic-ai-consequences.html",
      "url": "https://www.tlctc.net/tlctc-agentic-ai-consequences.html",
      "title": "The Consequence Amplifier: Agentic AI on the Right Side of the Bow-Tie",
      "content_text": "How Autonomous Tool Access Transforms Damage Patterns. A deep dive into the right side of the Bow-Tie, exploring Velocity, Scope, and Autonomy Amplification.",
      "summary": "How Autonomous Tool Access Transforms Damage Patterns. A deep dive into the right side of the Bow-Tie, exploring Velocity, Scope, and Autonomy Amplification.",
      "tags": [
        "Threat Analysis",
        "Framework & Concepts",
        "AI Security"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-25T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-agentic-ai-microscope.html",
      "url": "https://www.tlctc.net/tlctc-agentic-ai-microscope.html",
      "title": "Agentic AI Under the Microscope",
      "content_text": "Why 'AI Security' is not a threat category. A cause-based decomposition of agentic AI threats using the TLCTC framework, separating generic software vulnerabilities from AI-specific attack vectors.",
      "summary": "Why 'AI Security' is not a threat category. A cause-based decomposition of agentic AI threats using the TLCTC framework, separating generic software vulnerabilities from AI-specific attack vectors.",
      "tags": [
        "Threat Analysis",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-25T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-why10-explainer.html",
      "url": "https://www.tlctc.net/tlctc-why10-explainer.html",
      "title": "The \"Why Ten?\" Question: Explaining the 10 Clusters",
      "content_text": "A deep dive into the logic and thought experiment behind the creation of exactly ten, non-overlapping clusters.",
      "summary": "A deep dive into the logic and thought experiment behind the creation of exactly ten, non-overlapping clusters.",
      "tags": [
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-20T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-hazard-omission.html",
      "url": "https://www.tlctc.net/tlctc-hazard-omission.html",
      "title": "Why the TLCTC Does Not Need the \"Hazard\"",
      "content_text": "A structural argument for terminological precision. Why importing the 'Hazard' concept from safety engineering into cybersecurity creates semantic diffusion and how TLCTC solves it.",
      "summary": "A structural argument for terminological precision. Why importing the 'Hazard' concept from safety engineering into cybersecurity creates semantic diffusion and how TLCTC solves it.",
      "tags": [
        "Framework & Concepts",
        "Risk Management"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-14T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-generic-vulnerabilities.html",
      "url": "https://www.tlctc.net/tlctc-generic-vulnerabilities.html",
      "title": "Generic Vulnerabilities: Software & Hardware Failure",
      "content_text": "A deep dive into non-adversarial IT risk events using the TLCTC Bow-Tie methodology. Analyzing the logical vs material imperfections that cause infrastructure failures.",
      "summary": "A deep dive into non-adversarial IT risk events using the TLCTC Bow-Tie methodology. Analyzing the logical vs material imperfections that cause infrastructure failures.",
      "tags": [
        "Framework & Concepts",
        "Risk Management"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-12T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-attack-path-examples.html",
      "url": "https://www.tlctc.net/tlctc-attack-path-examples.html",
      "title": "TLCTC Attack Path — 20 Annotated Examples",
      "content_text": "Master the TLCTC mapping logic with 20 real-world scenarios. From supply chain implants to zero-click exploits, learn to denote causal paths and Data Risk Events correctly.",
      "summary": "Master the TLCTC mapping logic with 20 real-world scenarios. From supply chain implants to zero-click exploits, learn to denote causal paths and Data Risk Events correctly.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-08T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-dora-cyber-risk-failure.html",
      "url": "https://www.tlctc.net/tlctc-dora-cyber-risk-failure.html",
      "title": "Why DORA Will Fail Regarding Cyber Risks",
      "content_text": "A structural critique of the EU's Digital Operational Resilience Act. Why mandating 'risk-based' management without a threat taxonomy creates a quiet failure of compliance over security.",
      "summary": "A structural critique of the EU's Digital Operational Resilience Act. Why mandating 'risk-based' management without a threat taxonomy creates a quiet failure of compliance over security.",
      "tags": [
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-02-07T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-nist-threat-chaos.html",
      "url": "https://www.tlctc.net/tlctc-nist-threat-chaos.html",
      "title": "22 Definition Entries for 'Threat' — On One NIST Page",
      "content_text": "NIST's glossary lists 22 conflicting definitions for a single core term. Explore how this semantic chaos propagates und wieso Präzision für das Risikomanagement auf Vorstandsebene erforderlich ist.",
      "summary": "NIST's glossary lists 22 conflicting definitions for a single core term. Explore how this semantic chaos propagates und wieso Präzision für das Risikomanagement auf Vorstandsebene erforderlich ist.",
      "tags": [
        "Standards & Critique",
        "Language & Standards"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-01-27T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-gdpr-nis2-triggers.html",
      "url": "https://www.tlctc.net/tlctc-gdpr-nis2-triggers.html",
      "title": "GDPR vs NIS2: Different Trigger Points for Compliance Events",
      "content_text": "The same incident can trigger different compliance obligations. GDPR is triggered by PII exposure (Data Risk Event), while NIS2 is triggered by the Incident itself (Cyber Risk Event).",
      "summary": "The same incident can trigger different compliance obligations. GDPR is triggered by PII exposure (Data Risk Event), while NIS2 is triggered by the Incident itself (Cyber Risk Event).",
      "tags": [
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-01-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-everyone-blind-spot.html",
      "url": "https://www.tlctc.net/tlctc-everyone-blind-spot.html",
      "title": "TLCTC for Everyone: The \"Blind Spot\" Method",
      "content_text": "Stop worrying about complexity. Learn the 10x5 matrix logic through the 'Blind Spot' exercise—a simplified starting point for individuals and SMEs to audit their own security.",
      "summary": "Stop worrying about complexity. Learn the 10x5 matrix logic through the 'Blind Spot' exercise—a simplified starting point for individuals and SMEs to audit their own security.",
      "tags": [
        "Framework & Concepts",
        "Risk Management"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-01-15T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-quantum-ai-velocity.html",
      "url": "https://www.tlctc.net/tlctc-quantum-ai-velocity.html",
      "title": "Quantum Computing and AI: New Magic, Same Threats",
      "content_text": "A strategic analysis of how Quantum and AI act as threat amplifiers. While the 10 clusters remain stable, the shift to high-velocity (VC-3) attacks mandates a transition to automated and architectural controls.",
      "summary": "A strategic analysis of how Quantum and AI act as threat amplifiers. While the 10 clusters remain stable, the shift to high-velocity (VC-3) attacks mandates a transition to automated and architectural controls.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-01-08T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-govcert-blocked-filetypes.html",
      "url": "https://www.tlctc.net/tlctc-govcert-blocked-filetypes.html",
      "title": "GovCERT-CH Blocked Filetypes: TLCTC Analysis",
      "content_text": "A strategic restructuring of the GovCERT-CH blocked filetypes list. Why conflating Tier 1 (Native FEC) with Tier 3 (Parser Bugs) creates false confidence.",
      "summary": "A strategic restructuring of the GovCERT-CH blocked filetypes list. Why conflating Tier 1 (Native FEC) with Tier 3 (Parser Bugs) creates false confidence.",
      "tags": [
        "Threat Analysis",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-01-06T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-file-type-fallacy.html",
      "url": "https://www.tlctc.net/tlctc-file-type-fallacy.html",
      "title": "The File Type Fallacy: Why Extension Blocklists Miss the Point",
      "content_text": "Applying TLCTC's cause-based classification to understand the three-tier distinction: native executables, application-mediated execution, and data files requiring parser exploits.",
      "summary": "Applying TLCTC's cause-based classification to understand the three-tier distinction: native executables, application-mediated execution, and data files requiring parser exploits.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2026-01-06T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-semantic-diffusion.html",
      "url": "https://www.tlctc.net/tlctc-semantic-diffusion.html",
      "title": "The End of Semantic Diffusion",
      "content_text": "Why cybersecurity is stuck in a pre-paradigmatic phase. Thomas Kuhn, Semantic Diffusion, and the scientific necessity of a shared threat language.",
      "summary": "Why cybersecurity is stuck in a pre-paradigmatic phase. Thomas Kuhn, Semantic Diffusion, and the scientific necessity of a shared threat language.",
      "tags": [
        "Philosophy",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-30T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-enisa-2025-threat-report.html",
      "url": "https://www.tlctc.net/tlctc-enisa-2025-threat-report.html",
      "title": "ENISA Threat Landscape 2025 - TLCTC Analysis",
      "content_text": "A strategic decomposition of 4,900+ incidents from the ENISA Threat Landscape 2025 report. Mapping the landscape to TLCTC clusters to reveal the polarization between human manipulation and server exploitation.",
      "summary": "A strategic decomposition of 4,900+ incidents from the ENISA Threat Landscape 2025 report. Mapping the landscape to TLCTC clusters to reveal the polarization between human manipulation and server exploitation.",
      "tags": [
        "Research & Insights",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-25T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-control-first-regulation.html",
      "url": "https://www.tlctc.net/tlctc-control-first-regulation.html",
      "title": "The Logical Contradiction in Control-First Regulation",
      "content_text": "Why cybersecurity regulations mandate controls without identifying threats, contradicting the standards they cite. A structural critique of the regulatory gap. Reminder: Dont conflate compliance risk with cyber risk!",
      "summary": "Why cybersecurity regulations mandate controls without identifying threats, contradicting the standards they cite. A structural critique of the regulatory gap. Reminder: Dont conflate compliance risk with cyber risk!",
      "tags": [
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-25T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-mtrends-2025.html",
      "url": "https://www.tlctc.net/tlctc-mtrends-2025.html",
      "title": "M-Trends 2025: TLCTC Analysis",
      "content_text": "A cause-based analysis of Mandiant's M-Trends 2025 Report. Reframing outcome-based data (Ransomware, Dwell Time) into root-cause clusters to reveal the true 2025 threat landscape.",
      "summary": "A cause-based analysis of Mandiant's M-Trends 2025 Report. Reframing outcome-based data (Ransomware, Dwell Time) into root-cause clusters to reveal the true 2025 threat landscape.",
      "tags": [
        "Research & Insights",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-25T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-threat-report-chaos.html",
      "url": "https://www.tlctc.net/tlctc-threat-report-chaos.html",
      "title": "The Same Attack, Four Different Stories",
      "content_text": "Verizon, CrowdStrike, Mandiant, and ENISA all see the same threats but speak different languages. Why the industry needs a common denominator.",
      "summary": "Verizon, CrowdStrike, Mandiant, and ENISA all see the same threats but speak different languages. Why the industry needs a common denominator.",
      "tags": [
        "Research & Insights",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-25T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-enisa-gap-analysis.html",
      "url": "https://www.tlctc.net/tlctc-enisa-gap-analysis.html",
      "title": "ENISA Gap Analysis: Integrating TLCTC for Semantic Precision",
      "content_text": "A deep dive into ENISA's current cybersecurity framework gaps and how TLCTC's cause-oriented taxonomy provides the missing semantic layer for EU compliance (NIS2/DORA).",
      "summary": "A deep dive into ENISA's current cybersecurity framework gaps and how TLCTC's cause-oriented taxonomy provides the missing semantic layer for EU compliance (NIS2/DORA).",
      "tags": [
        "Framework & Concepts",
        "Regulations & Compliance"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-cve-nvd.html",
      "url": "https://www.tlctc.net/tlctc-cve-nvd.html",
      "title": "Enhancing CVE Details",
      "content_text": "Enhancing CVE Details with the TLCTC Framework: A Strategic Approach incl. json.",
      "summary": "Enhancing CVE Details with the TLCTC Framework: A Strategic Approach incl. json.",
      "tags": [
        "Standards Integration",
        "Tools & Applications"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-cobaltstrike-mapping.html",
      "url": "https://www.tlctc.net/tlctc-cobaltstrike-mapping.html",
      "title": "Cobalt Strike Capabilities Mapped to TLCTC Framework",
      "content_text": "Comprehensive Implementation Guide: Mapping Cobalt Strike features to TLCTC V2.0 clusters, with corrections for credential dumping (R-CRED) and LOLBAS execution sequences.",
      "summary": "Comprehensive Implementation Guide: Mapping Cobalt Strike features to TLCTC V2.0 clusters, with corrections for credential dumping (R-CRED) and LOLBAS execution sequences.",
      "tags": [
        "Tools & Applications",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-23T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-mitm-encryption-scion.html",
      "url": "https://www.tlctc.net/tlctc-mitm-encryption-scion.html",
      "title": "Beyond Encryption: Understanding the Full Scope of Communication Path Threats",
      "content_text": "Why encryption addresses only half the #5 threat. A deep dive into Path Control (SCION), Post-Quantum TLS, and East-West traffic defense.",
      "summary": "Why encryption addresses only half the #5 threat. A deep dive into Path Control (SCION), Post-Quantum TLS, and East-West traffic defense.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-23T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-crowdstrike-2025-threat-report.html",
      "url": "https://www.tlctc.net/tlctc-crowdstrike-2025-threat-report.html",
      "title": "TLCTC Analysis: CrowdStrike 2025 Threat Hunting Report",
      "content_text": "A strategic TLCTC breakdown of the 2025 report. Visualizing the shift to 81% malware-free attacks (#1, #4) and mapping adversaries like Scattered Spider to the 10 Clusters.",
      "summary": "A strategic TLCTC breakdown of the 2025 report. Visualizing the shift to 81% malware-free attacks (#1, #4) and mapping adversaries like Scattered Spider to the 10 Clusters.",
      "tags": [
        "Research & Insights",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-22T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-crowdstrike-2025-report.html",
      "url": "https://www.tlctc.net/tlctc-crowdstrike-2025-report.html",
      "title": "TLCTC Intelligence Brief: The 2025 CrowdStrike Global Threat Report",
      "content_text": "The 2025 CrowdStrike report confirms a strategic shift to Identity (#4) and Abuse of Functions (#1). 79% of attacks are now malware-free, with a 48-minute breakout time.",
      "summary": "The 2025 CrowdStrike report confirms a strategic shift to Identity (#4) and Abuse of Functions (#1). 79% of attacks are now malware-free, with a 48-minute breakout time.",
      "tags": [
        "Research & Insights",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-22T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-sme-private-controls.html",
      "url": "https://www.tlctc.net/tlctc-sme-private-controls.html",
      "title": "Control Matrices for Starters (SME & Priv)",
      "content_text": "TLCTC is not only for Big Orgs. No. See the unified 10x12 and 10x6 control matrices for SMEs and Private users, mapped to NIST CSF 2.0 functions. Take it as a Starter Kit",
      "summary": "TLCTC is not only for Big Orgs. No. See the unified 10x12 and 10x6 control matrices for SMEs and Private users, mapped to NIST CSF 2.0 functions. Take it as a Starter Kit",
      "tags": [
        "Tools & Applications",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-18T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-cwe-reboot.html",
      "url": "https://www.tlctc.net/tlctc-cwe-reboot.html",
      "title": "Time for a Reboot: Why MITRE CWE Needs Taxonomic Discipline",
      "content_text": "MITRE's latest update adds 12 organizational containers, not weaknesses. An analysis of why 20 years of 'integration' created a registry without a taxonomy.",
      "summary": "MITRE's latest update adds 12 organizational containers, not weaknesses. An analysis of why 20 years of 'integration' created a registry without a taxonomy.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-12T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-orx-rethink-cyber-event.html",
      "url": "https://www.tlctc.net/tlctc-orx-rethink-cyber-event.html",
      "title": "Why ORX Must Rethink the \"Cyber Event\": A Methodological Critique",
      "content_text": "Why the ORX Reference Taxonomy's static 'Cyber Event' category fails at defense. How TLCTC's causal, velocity-aware approach resolves overlap and operational blind spots.",
      "summary": "Why the ORX Reference Taxonomy's static 'Cyber Event' category fails at defense. How TLCTC's causal, velocity-aware approach resolves overlap and operational blind spots.",
      "tags": [
        "Framework & Concepts",
        "Risk Management"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-11T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-bow-tie-causality.html",
      "url": "https://www.tlctc.net/tlctc-bow-tie-causality.html",
      "title": "The Power of Causality: Why the Bow-Tie Model Transforms Cyber Risk Management",
      "content_text": "Transforming cyber risk from guesswork to science by mapping the causal flow from Threat Clusters to Business Impact using the TLCTC Bow-Tie logic.",
      "summary": "Transforming cyber risk from guesswork to science by mapping the causal flow from Threat Clusters to Business Impact using the TLCTC Bow-Tie logic.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-05T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-ssdlc-integration.html",
      "url": "https://www.tlctc.net/tlctc-ssdlc-integration.html",
      "title": "Threat-Driven Development: Integrating TLCTC into the SSDLC",
      "content_text": "Why most 'secure by design' initiatives fail—and how cause-oriented threat modeling using TLCTC transforms development from Design to Decommissioning.",
      "summary": "Why most 'secure by design' initiatives fail—and how cause-oriented threat modeling using TLCTC transforms development from Design to Decommissioning.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-04T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-harbor-integration.html",
      "url": "https://www.tlctc.net/tlctc-harbor-integration.html",
      "title": "TLCTC Harbor Integration App",
      "content_text": "A client-side app integrating Harbor Registry scans with TLCTC. Map CVEs to the 10 Clusters and visualize strategic risk.",
      "summary": "A client-side app integrating Harbor Registry scans with TLCTC. Map CVEs to the 10 Clusters and visualize strategic risk.",
      "tags": [
        "Tools & Applications",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-03T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-mitre-aml-mapping.html",
      "url": "https://www.tlctc.net/tlctc-mitre-aml-mapping.html",
      "title": "MITRE ATT&CK for ML (AML) × TLCTC",
      "content_text": "An interactive tool mapping MITRE ATT&CK for Machine Learning (AML) techniques to the 10 TLCTC clusters. Strategic threat analysis and risk management for AI systems.",
      "summary": "An interactive tool mapping MITRE ATT&CK for Machine Learning (AML) techniques to the 10 TLCTC clusters. Strategic threat analysis and risk management for AI systems.",
      "tags": [
        "Tools & Applications",
        "Standards Integration",
        "AI Security"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-12-01T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-capability-based-planning.html",
      "url": "https://www.tlctc.net/tlctc-capability-based-planning.html",
      "title": "Kill the Hype: Capability-Based Planning via the 10x(6x2) Matrix",
      "content_text": "Transform capability planning from consulting theater into engineered defense. Introducing the 10 Clusters × 6 Functions × 2 Scopes matrix strategy.",
      "summary": "Transform capability planning from consulting theater into engineered defense. Introducing the 10 Clusters × 6 Functions × 2 Scopes matrix strategy.",
      "tags": [
        "Framework & Concepts",
        "Strategic Threat Intelligence"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-30T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-microsoft-threat-modeling-stride.html",
      "url": "https://www.tlctc.net/tlctc-microsoft-threat-modeling-stride.html",
      "title": "Beyond STRIDE: Upgrading Microsoft Threat Modeling to TLCTC",
      "content_text": "Why the Microsoft Threat Modeling Tool needs to evolve from STRIDE's list-based approach to TLCTC's causal attack paths. A blueprint for modernizing DevSecOps.",
      "summary": "Why the Microsoft Threat Modeling Tool needs to evolve from STRIDE's list-based approach to TLCTC's causal attack paths. A blueprint for modernizing DevSecOps.",
      "tags": [
        "Standards Integration",
        "Tools & Applications"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-30T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-audit-trap.html",
      "url": "https://www.tlctc.net/tlctc-audit-trap.html",
      "title": "The Audit Trap",
      "content_text": "Why Compliance Doesn't Equal Security—and How Threat-Control Mapping Fixes It. Learn how strict threat-control mappings with TLCTC break the circular nightmare.",
      "summary": "Why Compliance Doesn't Equal Security—and How Threat-Control Mapping Fixes It. Learn how strict threat-control mappings with TLCTC break the circular nightmare.",
      "tags": [
        "Strategy & Governance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-30T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tools/actor-profile-designer.html",
      "url": "https://www.tlctc.net/tools/actor-profile-designer.html",
      "title": "Strategic Threat Profiling: The Actor Profile Designer",
      "content_text": "A strategic guide to designing, scoring, and visualizing threat actor capabilities. Includes the full download of 40+ Google APT groups mapped to TLCTC.",
      "summary": "A strategic guide to designing, scoring, and visualizing threat actor capabilities. Includes the full download of 40+ Google APT groups mapped to TLCTC.",
      "tags": [
        "Tools & Applications",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-29T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-app-gallery.html",
      "url": "https://www.tlctc.net/tlctc-app-gallery.html",
      "title": "TLCTC App Suite Gallery",
      "content_text": "The central hub for all TLCTC applications: Architect V3.0, Threat Radar, Attack Path Designer, and JSON utilities.",
      "summary": "The central hub for all TLCTC applications: Architect V3.0, Threat Radar, Attack Path Designer, and JSON utilities.",
      "tags": [
        "Tools & Applications",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-29T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-Architect-V3-UserGuide.html",
      "url": "https://www.tlctc.net/tlctc-Architect-V3-UserGuide.html",
      "title": "TLCTC Architect V3.0 - User Guide & Technical Documentation",
      "content_text": "The official guide to modeling attack paths, visualizing velocity (Δt), and using the JSON schema in TLCTC Architect V3.0.",
      "summary": "The official guide to modeling attack paths, visualizing velocity (Δt), and using the JSON schema in TLCTC Architect V3.0.",
      "tags": [
        "Tools & Applications",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-social-engineering-bifurcation.html",
      "url": "https://www.tlctc.net/tlctc-social-engineering-bifurcation.html",
      "title": "Cyber Crime Taxonomy: The Critical #9 Bifurcation",
      "content_text": "Taxonomy/Definition: Understanding where social engineering splits determines everything. #9.1 (Liability) vs #9.2 (Cyber Threat). A guide to precise classification and response.",
      "summary": "Taxonomy/Definition: Understanding where social engineering splits determines everything. #9.1 (Liability) vs #9.2 (Cyber Threat). A guide to precise classification and response.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-infographics.html",
      "url": "https://www.tlctc.net/tlctc-infographics.html",
      "title": "TLCTC Infographics: Learn with Images",
      "content_text": "A high-resolution gallery of the Nano 2 infographic series, featuring the Cyber Bow-Tie, the IT Monolith thought experiment, the Attacker's Perspective, and many more. Images can empower Words!",
      "summary": "A high-resolution gallery of the Nano 2 infographic series, featuring the Cyber Bow-Tie, the IT Monolith thought experiment, the Attacker's Perspective, and many more. Images can empower Words!",
      "tags": [
        "Tools & Applications",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-23T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-emerging-tech-radar.html",
      "url": "https://www.tlctc.net/tlctc-emerging-tech-radar.html",
      "title": "Mapping the Chaos: Introducing the TLCTC Emerging Tech & Actors Radar",
      "content_text": "Introducing a standardized visualization and JSON format that maps emerging technologies and threat actors directly to the 10 TLCTC clusters.",
      "summary": "Introducing a standardized visualization and JSON format that maps emerging technologies and threat actors directly to the 10 TLCTC clusters.",
      "tags": [
        "Strategic Threat Intelligence",
        "Framework & Concepts",
        "Tools"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-22T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-glossar.html",
      "url": "https://www.tlctc.net/tlctc-glossar.html",
      "title": "TLCTC Glossary V2.0: The Complete Definitions",
      "content_text": "The definitive guide to TLCTC V2.0. Comprehensive definitions for the 10 Clusters, plus new concepts: Attack Velocity (Δt), DCS, and the new JSON Architecture.",
      "summary": "The definitive guide to TLCTC V2.0. Comprehensive definitions for the 10 Clusters, plus new concepts: Attack Velocity (Δt), DCS, and the new JSON Architecture.",
      "tags": [
        "Framework & Concepts",
        "Reference"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-22T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-topology-of-cyber-attacks.html",
      "url": "https://www.tlctc.net/tlctc-topology-of-cyber-attacks.html",
      "title": "The Topology of Cyber Attacks",
      "content_text": "Why #8, #9, and #10 are fundamentally different. A deep dive into Bridge Clusters, Domain Boundaries, and the architecture of modern cyber defense in TLCTC V2.0.",
      "summary": "Why #8, #9, and #10 are fundamentally different. A deep dive into Bridge Clusters, Domain Boundaries, and the architecture of modern cyber defense in TLCTC V2.0.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-20T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-eu-regulation.html",
      "url": "https://www.tlctc.net/tlctc-eu-regulation.html",
      "title": "Cyber Risk: EU Regulation vs. TLCTC",
      "content_text": "A detailed comparison of EU Regulations (NIS2, DORA, CRA) and the TLCTC Framework regarding definitions, taxonomy, and operational synergy.",
      "summary": "A detailed comparison of EU Regulations (NIS2, DORA, CRA) and the TLCTC Framework regarding definitions, taxonomy, and operational synergy.",
      "tags": [
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-20T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-attack-velocity.html",
      "url": "https://www.tlctc.net/tlctc-attack-velocity.html",
      "title": "The Fourth Dimension: Attack Velocity (Δt)",
      "content_text": "Why Attack Velocity (Δt) defines your true defense reality. Introducing TLCTC V2.0 temporal notation and the Detection Coverage Score (DCS).",
      "summary": "Why Attack Velocity (Δt) defines your true defense reality. Introducing TLCTC V2.0 temporal notation and the Detection Coverage Score (DCS).",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-20T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-grok-ai-validation.html",
      "url": "https://www.tlctc.net/tlctc-grok-ai-validation.html",
      "title": "Grok AI 4.1: Validation of the TLCTC Framework",
      "content_text": "An independent, critical analysis by Grok AI confirming that TLCTC fills the 'missing link' gap between strategic risk management and operational security, validating its uniqueness against MITRE and NIST.",
      "summary": "An independent, critical analysis by Grok AI confirming that TLCTC fills the 'missing link' gap between strategic risk management and operational security, validating its uniqueness against MITRE and NIST.",
      "tags": [
        "Framework & Concepts",
        "AI Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-20T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/TLCTC-JSON-Architecture.html",
      "url": "https://www.tlctc.net/TLCTC-JSON-Architecture.html",
      "title": "TLCTC JSON Architecture",
      "content_text": "A technical guide to the TLCTC JSON architecture, separating universal framework definitions from specific attack instances for scalable, worldwide threat intelligence sharing.",
      "summary": "A technical guide to the TLCTC JSON architecture, separating universal framework definitions from specific attack instances for scalable, worldwide threat intelligence sharing.",
      "tags": [
        "Framework & Concepts",
        "Tools & Applications"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-19T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-ai-analysis-prompt.html",
      "url": "https://www.tlctc.net/tlctc-ai-analysis-prompt.html",
      "title": "TLCTC Enhanced Prompt for AI Analysis",
      "content_text": "A ready-to-paste prompt that instructs an AI to analyze any Security Report, Cyber Incident Report, or similar document through the lens of the Top Level Cyber Threat Clusters (TLCTC) framework.",
      "summary": "A ready-to-paste prompt that instructs an AI to analyze any Security Report, Cyber Incident Report, or similar document through the lens of the Top Level Cyber Threat Clusters (TLCTC) framework.",
      "tags": [
        "Tools & Applications",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-17T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-NIST-Threat-Definition.html",
      "url": "https://www.tlctc.net/tlctc-NIST-Threat-Definition.html",
      "title": "NIST and Cyber Threat Definition and its Consequences",
      "content_text": "NIST's frameworks are process-oriented, creating a structural gap in risk management. We analyze why this gap exists and how a cause-oriented taxonomy like TLCTC is essential to bridge it.",
      "summary": "NIST's frameworks are process-oriented, creating a structural gap in risk management. We analyze why this gap exists and how a cause-oriented taxonomy like TLCTC is essential to bridge it.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-11-17T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-dbir-2025.html",
      "url": "https://www.tlctc.net/tlctc-dbir-2025.html",
      "title": "2025 DBIR Analysis Through the TLCTC Lens",
      "content_text": "Mapping the Verizon Data Breach Investigations Report to the Top Level Cyber Threat Clusters Framework v2.0. Key findings on Ransomware, Credential Misuse, and Edge Device Exploitation.",
      "summary": "Mapping the Verizon Data Breach Investigations Report to the Top Level Cyber Threat Clusters Framework v2.0. Key findings on Ransomware, Credential Misuse, and Edge Device Exploitation.",
      "tags": [
        "Research & Insights",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-10-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-NIST-NICE.html",
      "url": "https://www.tlctc.net/tlctc-NIST-NICE.html",
      "title": "Integrating NIST NICE Tasks with the TLCTC Framework",
      "content_text": "A practical framework for integrating NIST NICE tasks with the 10 Top Level Cyber Threat Clusters (TLCTC) to bridge the gap between workforce development and real-world threats.",
      "summary": "A practical framework for integrating NIST NICE tasks with the 10 Top Level Cyber Threat Clusters (TLCTC) to bridge the gap between workforce development and real-world threats.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-10-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-KillChainFallacy.html",
      "url": "https://www.tlctc.net/tlctc-KillChainFallacy.html",
      "title": "The Kill Chain Fallacy: Why Process is Not Taxonomy",
      "content_text": "An analysis of why the Cyber Kill Chain fails at threat categorization and attack path notation, and how the TLCTC framework provides the missing causal link for Risk Management.",
      "summary": "An analysis of why the Cyber Kill Chain fails at threat categorization and attack path notation, and how the TLCTC framework provides the missing causal link for Risk Management.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-10-15T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-tlctc-two-layer-framework.html",
      "url": "https://www.tlctc.net/blog-tlctc-two-layer-framework.html",
      "title": "From Threat to Business Impact: Operationalizing the TLCTC Two-Layer Framework",
      "content_text": "The TLCTC framework bridges the critical gap between boardroom risk discussions and SOC operations through a two-layer approach centered on the cyber risk event (system compromise/loss of control).",
      "summary": "The TLCTC framework bridges the critical gap between boardroom risk discussions and SOC operations through a two-layer approach centered on the cyber risk event (system compromise/loss of control).",
      "tags": [
        "Framework & Concepts",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-10-03T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-ckc-attack-tlctc-synthesis.html",
      "url": "https://www.tlctc.net/blog-ckc-attack-tlctc-synthesis.html",
      "title": "CKC x ATT&CK x TLCTC: A Practical Synthesis",
      "content_text": "A guide for modern defenders on synthesizing CKC for timelines, ATT&CK for techniques, and TLCTC for a cause-oriented taxonomy and governance integration.",
      "summary": "A guide for modern defenders on synthesizing CKC for timelines, ATT&CK for techniques, and TLCTC for a cause-oriented taxonomy and governance integration.",
      "tags": [
        "Standards Integration",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-10-01T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-cwe-514-covert-channel-mapping.html",
      "url": "https://www.tlctc.net/blog-cwe-514-covert-channel-mapping.html",
      "title": "Mapping CWE-514 (Covert Channel) to TLCTC: A Cause-Oriented Analysis",
      "content_text": "A deep dive into mapping CWE-514 to TLCTC #8, explaining the cause-oriented logic, multi-stage attack paths like #1 → #8, and why specific CWEs are better for control selection.",
      "summary": "A deep dive into mapping CWE-514 to TLCTC #8, explaining the cause-oriented logic, multi-stage attack paths like #1 → #8, and why specific CWEs are better for control selection.",
      "tags": [
        "Standards Integration",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-10-01T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-eu-cybersecurity-act-csa.html",
      "url": "https://www.tlctc.net/blog-eu-cybersecurity-act-csa.html",
      "title": "EU Cybersecurity Act (CSA): TLCTC Pain Points & Fixes",
      "content_text": "We assess the EU Cybersecurity Act (CSA) through the TLCTC framework, highlighting where certification may under‑deliver and how to fix it.",
      "summary": "We assess the EU Cybersecurity Act (CSA) through the TLCTC framework, highlighting where certification may under‑deliver and how to fix it.",
      "tags": [
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-09-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-tlctc-cra-pain-points.html",
      "url": "https://www.tlctc.net/blog-tlctc-cra-pain-points.html",
      "title": "Cyber Resilience Act (CRA): TLCTC Pain Points & Fixes",
      "content_text": "We assess the EU Cyber Resilience Act exclusively through the TLCTC framework and highlight where CRA implementation may under‑deliver unless stakeholders adopt a cause‑oriented threat language.",
      "summary": "We assess the EU Cyber Resilience Act exclusively through the TLCTC framework and highlight where CRA implementation may under‑deliver unless stakeholders adopt a cause‑oriented threat language.",
      "tags": [
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-09-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-eu-regulation-tlctc-taxonomy.html",
      "url": "https://www.tlctc.net/blog-eu-regulation-tlctc-taxonomy.html",
      "title": "EU Cyber Regulation Will Fail Without a Common Threat Taxonomy (Enter TLCTC)",
      "content_text": "The EU's flagship cyber regulations (NIS2, Cybersecurity Act, CRA) will under-deliver on actual cyber risk reduction because they lack a shared, cause-based understanding and categorization of cyber threats. TLCTC provides the unifying taxonomy.",
      "summary": "The EU's flagship cyber regulations (NIS2, Cybersecurity Act, CRA) will under-deliver on actual cyber risk reduction because they lack a shared, cause-based understanding and categorization of cyber threats. TLCTC provides the unifying taxonomy.",
      "tags": [
        "Regulations & Compliance",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-09-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-iso27001-iso27005.html",
      "url": "https://www.tlctc.net/blog-iso27001-iso27005.html",
      "title": "Why \"Cyber\" in the Name Doesn't Win Cyber Wars",
      "content_text": "ISO standards are essential for governance, but they lack a cyber-specific threat taxonomy. Learn how TLCTC fills this critical gap to create a truly path-aware defense program.",
      "summary": "ISO standards are essential for governance, but they lack a cyber-specific threat taxonomy. Learn how TLCTC fills this critical gap to create a truly path-aware defense program.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-09-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-blog-cyber-hype.html",
      "url": "https://www.tlctc.net/tlctc-blog-cyber-hype.html",
      "title": "The Tactics Evolve. The 10 Threats Are Constant.",
      "content_text": "A critique of the 'constantly evolving' threat landscape narrative. TLCTC reveals the strategic stability of 10 core threats, enabling a shift from reactive firefighting to proactive, cause-oriented defense.",
      "summary": "A critique of the 'constantly evolving' threat landscape narrative. TLCTC reveals the strategic stability of 10 core threats, enabling a shift from reactive firefighting to proactive, cause-oriented defense.",
      "tags": [
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-09-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-attack-path-supply-chain.html",
      "url": "https://www.tlctc.net/blog-attack-path-supply-chain.html",
      "title": "Attack Path Notation: Domain Boundaries and Supply-Chain Transitions",
      "content_text": "Learn about TLCTC's sequential attack-path notation system for mapping domain boundaries and supply-chain transitions using #10 markers to denote trust domain crossings.",
      "summary": "Learn about TLCTC's sequential attack-path notation system for mapping domain boundaries and supply-chain transitions using #10 markers to denote trust domain crossings.",
      "tags": [
        "Framework & Concepts",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-09-14T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-tlctc-ai-conversation-from-scratch.html",
      "url": "https://www.tlctc.net/blog-tlctc-ai-conversation-from-scratch.html",
      "title": "Gemini 2.5 Pro: Chat about the biggest problem in cyber risk management and cyber threat discussions.",
      "content_text": "An in-depth AI analysis of the TLCTC framework through conversation format. Exploring whether Bernhard Kreinz's novel cybersecurity approach truly solves the industry's biggest problem or reinvents existing solutions. Features detailed discussion on the Rosetta Stone metaphor and framework actionability.",
      "summary": "An in-depth AI analysis of the TLCTC framework through conversation format. Exploring whether Bernhard Kreinz's novel cybersecurity approach truly solves the industry's biggest problem or reinvents existing solutions. Features detailed discussion on the Rosetta Stone metaphor and framework actionability.",
      "tags": [
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-09-03T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-tlctc-octave.html",
      "url": "https://www.tlctc.net/blog-tlctc-octave.html",
      "title": "Comparing OCTAVE and TLCTC",
      "content_text": "While OCTAVE pioneered organizational-focused security evaluation, TLCTC advances the field with structured, cause-based threat classification that integrates seamlessly with modern security frameworks.",
      "summary": "While OCTAVE pioneered organizational-focused security evaluation, TLCTC advances the field with structured, cause-based threat classification that integrates seamlessly with modern security frameworks.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-fillthegap.html",
      "url": "https://www.tlctc.net/tlctc-fillthegap.html",
      "title": "The Missing Link: Bridging Strategy and Operations",
      "content_text": "How TLCTC bridges the critical gap between high-level risk management and hands-on operational security.",
      "summary": "How TLCTC bridges the critical gap between high-level risk management and hands-on operational security.",
      "tags": [
        "Framework & Concepts",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-15T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-tlctc-radar-applications.html",
      "url": "https://www.tlctc.net/blog-tlctc-radar-applications.html",
      "title": "Visualizing Threats with TLCTC Cyber Radars",
      "content_text": "An innovative approach to communicate and prioritize diverse cyber threats for different stakeholders.",
      "summary": "An innovative approach to communicate and prioritize diverse cyber threats for different stakeholders.",
      "tags": [
        "Tools & Applications"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-14T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-big-picture.html",
      "url": "https://www.tlctc.net/tlctc-big-picture.html",
      "title": "The Big Picture: Connecting NIST, MITRE and more",
      "content_text": "Understand TLCTC's role as a unifying layer for strategic frameworks like NIST and operational ones like MITRE.",
      "summary": "Understand TLCTC's role as a unifying layer for strategic frameworks like NIST and operational ones like MITRE.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-13T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/nist-csf-tlctc.html",
      "url": "https://www.tlctc.net/nist-csf-tlctc.html",
      "title": "Integrating TLCTC with NIST CSF 2.0",
      "content_text": "A practical guide on mapping TLCTC to the NIST Cybersecurity Framework to enhance your security posture.",
      "summary": "A practical guide on mapping TLCTC to the NIST Cybersecurity Framework to enhance your security posture.",
      "tags": [
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-12T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-nist-ai-rmf-mitre-cti.html",
      "url": "https://www.tlctc.net/tlctc-nist-ai-rmf-mitre-cti.html",
      "title": "AI Security: NIST AI RMF, MITRE ATLAS & TLCTC",
      "content_text": "A look at securing AI systems by integrating the NIST AI Risk Management Framework and MITRE ATLAS using TLCTC.",
      "summary": "A look at securing AI systems by integrating the NIST AI Risk Management Framework and MITRE ATLAS using TLCTC.",
      "tags": [
        "Standards Integration",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-11T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/blog-MFAbypass.html",
      "url": "https://www.tlctc.net/blog-MFAbypass.html",
      "title": "MFA Bypass Attacks Through the TLCTC Lens",
      "content_text": "Examining MFA bypass techniques and attack paths, and how to classify them using TLCTC.",
      "summary": "Examining MFA bypass techniques and attack paths, and how to classify them using TLCTC.",
      "tags": [
        "Threat Analysis",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-10T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-sdlc-prog-coder.html",
      "url": "https://www.tlctc.net/tlctc-sdlc-prog-coder.html",
      "title": "Distinguishing Between Coding and Programming in TLCTC",
      "content_text": "The Distinction: Programmer vs. Coder.",
      "summary": "The Distinction: Programmer vs. Coder.",
      "tags": [
        "Framework & Concepts",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-08T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-mitre-enterprise.html",
      "url": "https://www.tlctc.net/tlctc-mitre-enterprise.html",
      "title": "ATT&CK - Detection Meets Risk Management",
      "content_text": "MITRE ATT&CK and TLCTC: Detection Meets Risk Management.",
      "summary": "MITRE ATT&CK and TLCTC: Detection Meets Risk Management.",
      "tags": [
        "Standards Integration",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-07T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-sonar-cwe.html",
      "url": "https://www.tlctc.net/tlctc-sonar-cwe.html",
      "title": "Vulnerability Insights: SonarQube, CWE, and TLCTC",
      "content_text": "Mapping static analysis findings from SonarQube through CWE to the strategic view of TLCTC.",
      "summary": "Mapping static analysis findings from SonarQube through CWE to the strategic view of TLCTC.",
      "tags": [
        "Standards Integration",
        "Tools & Applications"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-06T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-NIST.SP.800-218.html",
      "url": "https://www.tlctc.net/tlctc-NIST.SP.800-218.html",
      "title": "Aligning with NIST SP 800-218 (SSDF) using TLCTC",
      "content_text": "How to use TLCTC to structure and demonstrate compliance with the Secure Software Development Framework.",
      "summary": "How to use TLCTC to structure and demonstrate compliance with the Secure Software Development Framework.",
      "tags": [
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-05T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/mitre-tlctc.html",
      "url": "https://www.tlctc.net/mitre-tlctc.html",
      "title": "Enhancing Threat Intel with STIX, ATT&CK, and TLCTC",
      "content_text": "A proposal for extending STIX and ATT&CK objects with a TLCTC extension for better strategic context.",
      "summary": "A proposal for extending STIX and ATT&CK objects with a TLCTC extension for better strategic context.",
      "tags": [
        "Standards Integration",
        "Tools & Applications"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-06-03T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-threat-modeling-manifesto.html",
      "url": "https://www.tlctc.net/tlctc-threat-modeling-manifesto.html",
      "title": "The Threat Modeling Manifesto & TLCTC",
      "content_text": "Analyzing the values and principles of the Threat Modeling Manifesto in the context of the TLCTC framework.",
      "summary": "Analyzing the values and principles of the Threat Modeling Manifesto in the context of the TLCTC framework.",
      "tags": [
        "Threat Analysis",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-05-30T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-stride.html",
      "url": "https://www.tlctc.net/tlctc-stride.html",
      "title": "Comparative Analysis: TLCTC vs. STRIDE",
      "content_text": "An analysis of the similarities, differences, and complementary nature of TLCTC and the STRIDE framework.",
      "summary": "An analysis of the similarities, differences, and complementary nature of TLCTC and the STRIDE framework.",
      "tags": [
        "Threat Analysis",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-05-28T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-pasta.html",
      "url": "https://www.tlctc.net/tlctc-pasta.html",
      "title": "Comparative Analysis: TLCTC vs. PASTA",
      "content_text": "Enhance the PASTA methodology by using TLCTC for a structured and comprehensive threat analysis stage.",
      "summary": "Enhance the PASTA methodology by using TLCTC for a structured and comprehensive threat analysis stage.",
      "tags": [
        "Threat Analysis",
        "Standards Integration"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-05-27T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-fair.html",
      "url": "https://www.tlctc.net/tlctc-fair.html",
      "title": "Comparative Analysis: TLCTC vs. FAIR",
      "content_text": "Explore how TLCTC can provide the foundational cyber threat event categories for a FAIR quantitative risk analysis.",
      "summary": "Explore how TLCTC can provide the foundational cyber threat event categories for a FAIR quantitative risk analysis.",
      "tags": [
        "Standards Integration",
        "Framework & Concepts"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-05-26T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-blog-IsoSae21434.html",
      "url": "https://www.tlctc.net/tlctc-blog-IsoSae21434.html",
      "title": "Automotive Security: ISO/SAE 21434 & TLCTC",
      "content_text": "Applying TLCTC as a high-level threat categorization layer for the TARA method in the automotive security standard.",
      "summary": "Applying TLCTC as a high-level threat categorization layer for the TARA method in the automotive security standard.",
      "tags": [
        "Standards Integration",
        "Threat Analysis"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-05-25T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-LINDDUN.html",
      "url": "https://www.tlctc.net/tlctc-LINDDUN.html",
      "title": "Privacy Threat Modeling: LINDDUN & TLCTC",
      "content_text": "How the LINDDUN privacy threat modeling framework can be complemented by the cyber threat perspective of TLCTC.",
      "summary": "How the LINDDUN privacy threat modeling framework can be complemented by the cyber threat perspective of TLCTC.",
      "tags": [
        "Threat Analysis",
        "Regulations & Compliance"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-05-24T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-NIS2.html",
      "url": "https://www.tlctc.net/tlctc-NIS2.html",
      "title": "Meeting NIS2 Directive Requirements with TLCTC",
      "content_text": "How the TLCTC framework helps organizations structure their approach to NIS2 compliance and incident reporting.",
      "summary": "How the TLCTC framework helps organizations structure their approach to NIS2 compliance and incident reporting.",
      "tags": [
        "Regulations & Compliance"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-05-22T00:00:00+00:00"
    },
    {
      "id": "https://www.tlctc.net/tlctc-regulatorsANDstandards.html",
      "url": "https://www.tlctc.net/tlctc-regulatorsANDstandards.html",
      "title": "Cyber in the Name",
      "content_text": "TLCTC Framework vs. Existing Standards & Regulations - See for yourself",
      "summary": "TLCTC Framework vs. Existing Standards & Regulations - See for yourself",
      "tags": [
        "Framework & Concepts",
        "Regulations & Compliance"
      ],
      "authors": [
        {
          "name": "Bernhard Kreinz"
        }
      ],
      "date_published": "2025-04-16T00:00:00+00:00"
    }
  ]
}
