Core Paper · Version 2.3.0 · June 2026

A Cause-Oriented Cyber Threat Taxonomy: The Top Level Cyber Threat Clusters Framework

The canonical, citable definition of the framework — ten cause-oriented threat clusters, ten axioms, and a reproducible classification method.

Bernhard Kreinz
CC BY 4.0 · DOI 10.5281/zenodo.20633177

Abstract

Cybersecurity discourse routinely uses the term "cyber threat" to denote several distinct concepts at once: the cause of a compromise, its outcome, the actor responsible, and the technique employed. This conflation impedes consistent classification, comparable incident documentation, and clear communication of cyber risk between leadership, risk functions, and technical teams. Established frameworks address adjacent layers — control objectives, adversary techniques, software weaknesses, and quantitative risk — but none provides a compact, non-overlapping taxonomy on the cause side that holds stable across system types.

The Top Level Cyber Threat Clusters (TLCTC) framework proposes ten top-level threat clusters, each defined by the single generic vulnerability it initially targets. The taxonomy separates threats (causes) from system events, data risk events, business consequences, and actor identity. This paper presents the framework's derivation logic, its design principles and threat topology, the ten cluster definitions, the ten axioms that constrain interpretation, and the classification rules that keep assignment reproducible, together with example mappings expressed in an attack-path notation. By distinguishing a stable strategic management view from a concrete operational security view, TLCTC functions as a translation layer linking strategic risk governance, security operations, and secure software development.

Keywords

cyber threat taxonomy · cyber risk taxonomy · cybersecurity ontology · cyber threat classification · threat modeling · cause-oriented taxonomy · TLCTC · Top Level Cyber Threat Clusters

How to Cite

Kreinz, B. (2026). A Cause-Oriented Cyber Threat Taxonomy: The Top Level Cyber Threat Clusters Framework (Version 2.3.0) [Preprint]. Zenodo. https://doi.org/10.5281/zenodo.20633177

@misc{kreinz2026tlctc,
  author    = {Kreinz, Bernhard},
  title     = {A Cause-Oriented Cyber Threat Taxonomy: The Top Level
               Cyber Threat Clusters Framework},
  year      = {2026},
  version   = {2.3.0},
  publisher = {Zenodo},
  doi       = {10.5281/zenodo.20633177},
  url       = {https://doi.org/10.5281/zenodo.20633177}
}

Companion Material

Paper PDF (v2.3.0): Direct download of this paper — the canonical, citable definition of the framework (0.7 MB, CC BY 4.0). DOI-versioned copy also on Zenodo.
Repository: Machine-readable framework JSON, three-layer schemas, MITRE ATT&CK / CWE / CISA KEV / Sigma mappings, 50+ classified attack paths, and standalone tools (CC BY 4.0).
Application Paper: Classification in practice, governance, controls, and indicators — the companion that puts the taxonomy to work. Read on GitHub.