Every term on this page passes the same test and fails it in the same way. They each feel like a category because they appear in the slot where a category should live — in a risk register column, on a control catalogue's "threats addressed" line, in a CVE advisory's "type" field. None of them is a category, because none of them names a cause.
The Kreinz Thesis names this directly: cybersecurity regulations and frameworks mandate controls without identifying threats. The vocabulary gap is structural, not stylistic. When NIS2 obliges organisations to address "incidents," when DORA requires reporting on "ICT-related operational risks," when NIST CSF tells defenders to "identify threats," when MITRE ATT&CK lists 14 "tactics" as if they were threats — every one of these uses a vocabulary that does not distinguish what an attacker exploited from what an attacker accomplished, where an attacker stood from how an attacker proceeded, when an attacker acted from why an attacker succeeded.
The fix is one move repeated everywhere: cause goes in the cluster slot, everything else goes to its proper layer. Disclosure state, severity, actor identity, attack outcome, internal transitions, boundary crossings, chain sequences — all useful, all real, all elsewhere. The cluster is what stays in the column where threat classification lives. The framework is the discipline of refusing to put anything else there.
That's the audit. The register above holds every defined TLCTC framework term and every industry buzzword the framework refuses to file as a cause — sitting side by side, with the same test applied to each. A handful have been called in full essays so far; the rest are queued, or are simply definitions that anchor the vocabulary the buzzwords keep getting confused with. The cockpit and the cases are two readings of the same point. Either should land.◆