---
type: "term"
title: "Generic Vulnerability"
description: "The single root level vulnerability category defining a cluster — the strategic level attack surface towards a specific class of threats."
resource: "tlctc:term:generic-vulnerability"
tags:
  - "glossary"
---
# Generic Vulnerability

The single root-level vulnerability category defining a cluster — the **strategic-level attack surface** towards a specific class of threats. For every generic vulnerability, there is exactly one TLCTC cluster (per Axiom VI). The generic vulnerability is what the threat cluster targets: it is the exposed surface that enables the attack vector and through which the attack path proceeds. Generic vulnerabilities are stable: they persist regardless of specific IT system types, software implementations, or evolving attack techniques. All specific vulnerabilities (CVEs) are instances of a generic vulnerability; all generic vulnerabilities map to exactly one threat cluster.

The 10 generic vulnerabilities (attack surfaces) are: functional scope/trust (#1), server-side implementation flaws (#2), client-side implementation flaws (#3), identity-artifact binding (#4), lack of end-to-end communication protection (#5), finite capacity limitations (#6), designed execution capability (#7), physical accessibility (#8), human psychological factors (#9), and third-party trust dependencies (#10).

**Reference:** §4.2.2 (Global Definitions), §4.2.8 (Step 2), Axiom VI (§2)

**Related reading:** [Mandiant M-Trends 2025 — TLCTC](https://www.tlctc.net/tlctc-mtrends-2025.html), [ENISA Threat Landscape 2025 — TLCTC](https://www.tlctc.net/tlctc-enisa-2025-threat-report.html), [ENISA Gap Analysis — TLCTC](https://www.tlctc.net/tlctc-enisa-gap-analysis.html), [Same Attack, Four Stories — vendor report comparison](https://www.tlctc.net/tlctc-threat-report-chaos.html), [NIST threat definitions — structural gap](https://www.tlctc.net/tlctc-NIST-Threat-Definition.html), [22 NIST definitions of "threat" — TLCTC](https://www.tlctc.net/tlctc-nist-threat-chaos.html), [Evolving VERIS — replace Action axis with TLCTC](https://www.tlctc.net/tlctc-veris.html), [LINDDUN vs TLCTC — complementary approaches](https://www.tlctc.net/tlctc-LINDDUN.html), [PASTA threat modeling × TLCTC](https://www.tlctc.net/tlctc-pasta.html), [IEC 62443 × TLCTC v2.0 — industrial cybersecurity](https://www.tlctc.net/tlctc-iec62443-v2.html), [Diamond Model × TLCTC — structuring the empty spaces](https://www.tlctc.net/tlctc-diamond-model.html), [ISO/SAE 21434 × TLCTC V2.0 — automotive](https://www.tlctc.net/tlctc-blog-IsoSae21434.html), [ISO 27000 × TLCTC — name vs game](https://www.tlctc.net/blog-iso27001-iso27005.html), [OCTAVE × TLCTC v2.0 — causal taxonomy](https://www.tlctc.net/blog-tlctc-octave.html), [MITRE CWE needs a taxonomic reboot](https://www.tlctc.net/tlctc-cwe-reboot.html), [EU Cybersecurity Act (CSA) × TLCTC V2.0](https://www.tlctc.net/blog-eu-cybersecurity-act-csa.html), [Cyber Resilience Act (CRA) — TLCTC pain points & fixes](https://www.tlctc.net/blog-tlctc-cra-pain-points.html), [TLCTC × Threat Modeling Manifesto](https://www.tlctc.net/tlctc-threat-modeling-manifesto.html), [End of Semantic Diffusion — Kuhn & TLCTC](https://www.tlctc.net/tlctc-semantic-diffusion.html), [Logical foundations of TLCTC](https://www.tlctc.net/tlctc-logical-foundation.html), [Why exactly ten? — TLCTC architecture](https://www.tlctc.net/tlctc-why10-explainer.html), [Generic vulnerabilities — software & hardware failure](https://www.tlctc.net/tlctc-generic-vulnerabilities.html), [blog-tlctc-two-layer-framework.html](https://www.tlctc.net/blog-tlctc-two-layer-framework.html), [Why TLCTC does not need the "Hazard"](https://www.tlctc.net/tlctc-hazard-omission.html), [Agentic AI under the microscope — TLCTC](https://www.tlctc.net/tlctc-agentic-ai-microscope.html), [AI conversation deep dive on TLCTC](https://www.tlctc.net/blog-tlctc-ai-conversation-from-scratch.html), [TLCTC — the missing link between strategy and ops](https://www.tlctc.net/tlctc-fillthegap.html), [Tactics evolve, 10 threats are constant](https://www.tlctc.net/blog-cyber-hype.html), [Tactics evolve, 10 threats are constant — TLCTC](https://www.tlctc.net/tlctc-blog-cyber-hype.html), [TLCTC for everyone — the Blind Spot method](https://www.tlctc.net/tlctc-everyone-blind-spot.html), [Programmer vs Coder in TLCTC (Secure-Dev pt 1)](https://www.tlctc.net/tlctc-sdlc-prog-coder.html), [SSDLC phase-by-phase reference — TLCTC v2.1](https://www.tlctc.net/tlctc-ssdlc-integration.html), [TLCTC v2.1 monster prompt — DevSecOps](https://www.tlctc.net/tlctc-prompt-devsecops.html), [Understanding cyber threats — a common language](https://www.tlctc.net/tlctc-executive-summary.html), [TLCTC — the missing link (brief)](https://www.tlctc.net/tlctc-brief-doc.html)

See also: Vulnerability, Attack Vector, Attack Surface Analysis
