TLCTC v2.0 Control Matrix generated by Claude 4.5 Opus
Practical Controls for SME & Private Users
SME Mode — 10 Clusters × 6 Functions × 2 Aspects
For organizations with an IT-responsible role. Each function has Technical/Process and Organizational/Awareness aspects.
📖 Reference Information
What is TLCTC?
Top Level Cyber Threat Clusters (TLCTC) is a cause-oriented framework that classifies cyber threats by the generic vulnerability they exploit, not by outcomes or actors. It provides a stable vocabulary for discussing and managing cyber risk across 10 non-overlapping clusters.
NIST CSF 2.0 Functions
GOVERN (ownership & policy), IDENTIFY (know your risks), PROTECT (prevent), DETECT (spot threats), RESPOND (act quickly), RECOVER (restore & learn). Controls are mapped to each function per threat cluster.
SME vs Private
SME mode assumes a dedicated IT role, budget, and basic infrastructure (10×12 matrix). Private mode assumes personal devices, home/mobile context, and free tools only (10×6 matrix). Both are fully operational.
Cross-Cutting Controls
Some controls (like Updates) protect against multiple clusters simultaneously. These are marked with ⟲ in the matrix. Prioritize these for maximum security ROI.
How Updates Protect Each Cluster
| Cluster | What Updates Fix | Example |
|---|---|---|
| #1 Abuse of Functions | Close feature abuse vectors, fix insecure defaults | Windows feature updates changing default permissions |
| #2 Exploiting Server | Patch vulnerabilities in listening services | EternalBlue (SMB), PrintNightmare, BlueKeep (RDP) |
| #3 Exploiting Client | Browser engines, document parsers, media handlers | Chrome zero-days, PDF exploits, Office macros |
| #4 Identity Theft | Authentication mechanisms, session handling | Kerberos fixes, cookie security, token validation |
| #5 Man in the Middle | TLS/SSL libraries, certificate handling, protocols | OpenSSL patches, TLS 1.3 adoption, HSTS preload |
| #6 Flooding Attack | Resource handling, connection limits, memory mgmt | TCP stack improvements, SYN cookie updates |
| #7 Malware | OS hardening, execution controls, AV signatures | AMSI updates, Defender definitions, kernel protections |
| #8 Physical Attack | Encryption, lock screen, firmware security | BitLocker improvements, Secure Boot updates, TPM |
Why #2 (Exploiting Server) Matters for Home Users
Your Windows PC runs server processes that listen for network connections. These are attack vectors even on home networks:
| Service | Port | Risk | Notable Exploits |
|---|---|---|---|
| SMB (File Sharing) | 445 | High | EternalBlue (WannaCry), SMBGhost |
| RDP (Remote Desktop) | 3389 | High | BlueKeep, DejaBlue |
| Print Spooler | Various | High | PrintNightmare, multiple CVEs |
| LLMNR/NBT-NS | 5355/137 | Medium | Name resolution poisoning |
| UPnP/SSDP | 1900 | Medium | Device discovery attacks |
| Windows Remote Mgmt | 5985/5986 | Medium | WinRM exploitation |
| mDNS (Bonjour) | 5353 | Low | Service discovery abuse |
Key Actions: Enable Windows Firewall, disable unused services, keep Windows Update on automatic, consider disabling SMBv1.
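A read-only PowerShell check of the listeners in the table above and of three of the Key Actions, added here as an example (it is not part of the original matrix). The TCP/UDP assignment per port is an assumption added for the example, since the page lists port numbers only; the SMB query needs an elevated prompt.

```powershell
# Added example: read-only audit, changes nothing on the system.
# Ports and risk ratings are copied from the table above; the Proto column
# is an assumption added here (the page lists port numbers only).
$watch = @(
    [pscustomobject]@{ Service = 'SMB (File Sharing)';   Proto = 'TCP'; Port = 445;  Risk = 'High' }
    [pscustomobject]@{ Service = 'RDP (Remote Desktop)'; Proto = 'TCP'; Port = 3389; Risk = 'High' }
    [pscustomobject]@{ Service = 'LLMNR';                Proto = 'UDP'; Port = 5355; Risk = 'Medium' }
    [pscustomobject]@{ Service = 'NBT-NS';               Proto = 'UDP'; Port = 137;  Risk = 'Medium' }
    [pscustomobject]@{ Service = 'UPnP/SSDP';            Proto = 'UDP'; Port = 1900; Risk = 'Medium' }
    [pscustomobject]@{ Service = 'Windows Remote Mgmt';  Proto = 'TCP'; Port = 5985; Risk = 'Medium' }
    [pscustomobject]@{ Service = 'Windows Remote Mgmt';  Proto = 'TCP'; Port = 5986; Risk = 'Medium' }
    [pscustomobject]@{ Service = 'mDNS (Bonjour)';       Proto = 'UDP'; Port = 5353; Risk = 'Low' }
)

# Snapshot the current listeners once, then match them against the watch list.
$tcp = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue)
$udp = @(Get-NetUDPEndpoint -ErrorAction SilentlyContinue)

$exposed = foreach ($w in $watch) {
    $pool = if ($w.Proto -eq 'TCP') { $tcp } else { $udp }
    # Loopback-only listeners are not reachable from the network, so skip them.
    $pool | Where-Object { $_.LocalPort -eq $w.Port -and $_.LocalAddress -notin '127.0.0.1', '::1' } |
        ForEach-Object {
            [pscustomobject]@{
                Service = $w.Service; Risk = $w.Risk; Proto = $w.Proto; Port = $w.Port
                LocalAddress = $_.LocalAddress
                Process = (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName
            }
        }
}

'--- Services from the table listening on a network address ---'
if ($exposed) { $exposed | Sort-Object Port, LocalAddress | Format-Table -AutoSize }
else          { 'None found.' }

# Key Actions from the page, checked rather than changed.
'--- Windows Firewall state per profile ---'
Get-NetFirewallProfile | Select-Object Name, Enabled | Format-Table -AutoSize

'--- Print Spooler (no fixed port in the table, so checked by service state) ---'
Get-Service -Name Spooler | Select-Object Name, Status, StartType | Format-Table -AutoSize

'--- SMBv1 server protocol (requires an elevated prompt) ---'
Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol | Format-List
```

A row in the first table means the service is bound to a non-loopback address; whether it is reachable from other hosts still depends on the firewall rules for the active profile.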
Interactive Matrix
Click any cell to expand and see detailed controls. Use the SME/Private toggle to switch between organizational and personal views. Color coding matches NIST CSF functions.
Export Options
Download as JSON for system integration or programmatic use. Download as CSV for spreadsheet editing, customization, and printing. Exports include the currently selected mode.
Prioritization
Start with cross-cutting controls (marked ⟲) for maximum impact. Focus on the PROTECT column first, then DETECT. GOVERN ensures the sustainability of all other controls.
Customization
Export to CSV, customize controls for your environment, add responsible parties and deadlines. Re-import to your GRC tool or use as a living checklist.