Abstract
TLCTC Architect V3.0 is the official web-based environment for modeling cyber threats using the V2.0/V3.0 framework updates. This documentation covers interface usage, Attack Velocity ($\Delta t$) calculation, and the strict JSON schema required for interoperability with SIEM/SOAR systems.
1. Overview
TLCTC Architect is a specialized, web-based tool designed for cybersecurity professionals to model, visualize, and document attack paths using the Top Level Cyber Threat Clusters (TLCTC) framework. It bridges the gap between strategic risk communication and operational technical analysis.
The tool adheres strictly to the TLCTC axioms (e.g., separation of cause/effect, distinct bridge vs. internal clusters) and supports the V2.0/V3.0 features such as Attack Velocity ($\Delta t$), Domain Boundaries, and Combined Steps.
Key Features
- Attack Path Visualization: Dynamic rendering of attack steps across Responsibility Spheres (Vendor, Organization, Customer) with automated boundary detection.
- Strategic Notation Engine: Real-time generation of standardized attack path strings (e.g.,
#9 -> #4 || [2d] || (#1 + #7)). - Risk Layering: Visualizes the cascade from Technical Compromise (Attack Path) → Data Risk (C/I/A) → Business Risk.
- Case Management: Create, save, and switch between multiple investigation cases locally.
- Local Persistence: All data is saved securely in the browser's Local Storage.
- Report Generation: "Print Mode" for PDF reports and high-resolution PNG export.
- Interoperability: JSON Import/Export for threat intelligence sharing.
2. Usage Guide
2.1 Interface Structure
The application is divided into three main zones:
- Header & Toolbar: Contains global actions (Theme toggle, Export, Print) and the Strategic Notation display.
- Sidebar (Editor): The control center for defining threat steps, managing cases, and entering technical details.
- Main Canvas: The visualization area (Attack Path Diagram) and the detailed Case Documentation table.
2.2 Creating an Attack Path
- Define the Step: Select a Threat Cluster from the dropdown. The tool categorizes them into "Bridge" (Cross-Domain) and "Internal" clusters.
- Set Context: Choose the Responsibility Sphere (
@Org,@Vendor, etc.) where the action occurs. - Add Timing: Enter the Duration ($\Delta t$) since the last step (e.g., 2 hours). This calculates Attack Velocity.
- Optional Details: Add Date/Time, Description, CVEs, IoCs, or MITRE TTPs.
- Risk Consequences: If the step causes a specific impact (e.g., Data Leak), select a Data Risk type. This unlocks the Business Risk field.
Note: Leaving these blank marks the step as a "Near Miss" or "Intermediate Step". - Commit: Click "Add Step". The visualization updates instantly.
2.3 Advanced Features
- Combined Steps: Use the "Add Combined Step" toggle to model simultaneous actions (e.g.,
#1 Abuse of Functions + #7 Malware Execution). - Editing: Click any node in the diagram or row in the documentation table to load that step back into the Sidebar for editing.
- Boundaries: The tool automatically detects when a step changes Sphere (e.g., from
@Vendorto@Org) and draws a visual "BOUNDARY" pillar.
3. Technical Specification: JSON Import/Export
The TLCTC Architect uses a strict JSON schema for exporting cases (.json files). This ensures data integrity when sharing Threat Intelligence between analysts or integrating with other tools (SIEM/SOAR).
3.1 JSON Structure
The root object represents a single Case.
schema-structure.json
{
"title": "string", // The name of the Case/Incident
"created": "ISO8601", // Creation timestamp
"path": [ // Array of Step Objects
{ ...step_object... },
{ ...step_object... }
],
"type": "TLCTC-Case", // Meta tag for validation
"version": "3.0" // Schema version
}3.2 Step Object Definition
Each item in the path array must adhere to this structure:
| Field | Type | Req | Description |
|---|---|---|---|
| id | number | Yes | Unique timestamp-based ID (e.g., 1715620000000) |
| cluster | number | Yes | Primary TLCTC Cluster ID (1-10) |
| cluster2 | number | No | Secondary TLCTC Cluster ID for combined steps (1-10) |
| sphere | string | Yes | Domain: "Org", "3rd Party", "Customer", "Physical" |
| dtVal | string | No | Delta Time value (e.g., "2") |
| dtUnit | string | No | Delta Time unit (s=sec, m=min, h=hr, d=day, w=wk) |
| date | YYYY-MM-DD | No | Date of occurrence |
| time | HH:MM | No | Time of occurrence |
| description | string | No | Narrative description of the step |
| cve | string | No | Common Vulnerabilities and Exposures ID |
| cwe | string | No | Common Weakness Enumeration ID |
| mitre | string | No | MITRE ATT&CK Technique ID (e.g., "T1566") |
| ioc | string | No | Indicators of Compromise (hashes, IPs, URLs) |
| software | string | No | Affected Asset or Software name |
| dataRisk | object | No | See Risk Object below. Null if no impact. |
| bizRisk | object | No | See Risk Object below. Null if no impact. |
3.3 Risk Object Definition
Used for both dataRisk and bizRisk fields.
risk-object.json
{
"type": "string", // Only for Data Risk: "C", "I", "A", "CIA"
"title": "string", // Short title (e.g., "Confidentiality Loss")
"desc": "string" // Detailed description of the consequence
}3.4 Example JSON Payload
Here is a valid example of a simple attack path (#9 -> #4):
example-payload.json
{
"title": "Phishing Campaign Alpha",
"created": "2025-11-24T20:00:00.000Z",
"type": "TLCTC-Case",
"version": "3.0",
"path": [
{
"id": 1732480000001,
"cluster": 9,
"sphere": "Customer",
"dtVal": "0",
"dtUnit": "m",
"description": "Attacker sends phishing email to customer support.",
"mitre": "T1566",
"dataRisk": null,
"bizRisk": null
},
{
"id": 1732480000002,
"cluster": 4,
"sphere": "Customer",
"dtVal": "15",
"dtUnit": "m",
"description": "Support agent clicks link, credentials harvested.",
"dataRisk": {
"type": "C",
"title": "Credential Theft",
"desc": "User credentials exposed to attacker."
},
"bizRisk": null
}
]
}{
"title": "Incident Analysis: Lynx Ransomware (Clean)",
"created": "2025-11-28T12:00:00.000Z",
"path": [
{
"id": 1732800000001,
"cluster": 9,
"cluster2": null,
"sphere": "Org",
"dtVal": "0",
"dtUnit": "m",
"date": "2025-11-17",
"time": "08:00",
"description": "Initial Access: User targeted via Phishing / Social Engineering. Attacker psychologically manipulates user to interact with malicious archive.",
"cve": "",
"cwe": "CWE-200",
"mitre": "T1566.001",
"software": "Email Client",
"ioc": "Subject: 'Financial Statement'; Attachment: 'statement.tgz'",
"dataRisk": null,
"bizRisk": null
},
{
"id": 1732800000002,
"cluster": 7,
"cluster2": null,
"sphere": "Org",
"dtVal": "2",
"dtUnit": "m",
"date": "2025-11-17",
"time": "08:02",
"description": "Execution: User executes the loader (e.g., PureCrypter) contained in the archive. This exploits the environment's ability to execute foreign code.",
"cve": "",
"cwe": "",
"mitre": "T1204.002",
"software": "OS Loader",
"ioc": "Hash: a1b2c3d4...",
"dataRisk": null,
"bizRisk": null
},
{
"id": 1732800000003,
"cluster": 4,
"cluster2": null,
"sphere": "Org",
"dtVal": "10",
"dtUnit": "m",
"date": "2025-11-17",
"time": "08:12",
"description": "Lateral Movement: Attacker utilizes compromised Domain Admin credentials to pivot to the Domain Controller. This is the critical 'Loss of Control' event for the domain.",
"cve": "",
"cwe": "CWE-287",
"mitre": "T1078",
"software": "Active Directory",
"ioc": "User: ADMIN_SVC",
"dataRisk": {
"type": "C",
"title": "System Compromise",
"desc": "Loss of control over Domain Controller."
},
"bizRisk": null
},
{
"id": 1732800000004,
"cluster": 1,
"cluster2": null,
"sphere": "Org",
"dtVal": "15",
"dtUnit": "m",
"date": "2025-11-17",
"time": "08:27",
"description": "Discovery & Exfiltration: Abuse of legitimate functions (7-Zip, Web Requests) to archive data and exfiltrate to temp.sh. Also includes creation of impersonation accounts.",
"cve": "",
"cwe": "",
"mitre": "T1048",
"software": "7-Zip, temp.sh",
"ioc": "Outbound connection to temp.sh",
"dataRisk": {
"type": "C",
"title": "Data Exfiltration",
"desc": "Confidentiality loss of sensitive virtualization infrastructure maps."
},
"bizRisk": {
"title": "Regulatory Exposure",
"desc": "Potential GDPR/CCPA notification requirement due to data theft."
}
},
{
"id": 1732800000005,
"cluster": 7,
"cluster2": 1,
"sphere": "Org",
"dtVal": "5",
"dtUnit": "m",
"date": "2025-11-17",
"time": "08:32",
"description": "Impact: Combined Action. Deployment of Lynx Ransomware (#7) via abused admin tools (#1). Encryption of virtualization infrastructure.",
"cve": "",
"cwe": "",
"mitre": "T1486",
"software": "Lynx Ransomware Binary",
"ioc": "Extension: .lynx",
"dataRisk": {
"type": "A",
"title": "Loss of Availability",
"desc": "Encryption of critical VM datastores."
},
"bizRisk": {
"title": "Operational Stoppage",
"desc": "Total halt of business operations. Financial loss estimated at $50k/hour."
}
}
]
}
4. Browser Support & Requirements
- Browser: Modern Chrome, Firefox, Edge, or Safari (ES6+ support required).
- Storage: Requires LocalStorage to be enabled.
- Printing: Best results with "Background Graphics" enabled in print settings.
- Security: The app runs entirely client-side. No data is sent to any server.