Blog / Framework Position

What SANS Cannot Give You

“We follow SANS” sounds like a threat answer. It isn’t. Decompose the phrase and it becomes two other things — neither of which is a cause taxonomy.

BK
Bernhard Kreinz
~5 min read

This is a short post with one job: take the word “SANS” apart, show you where each half already fails the completeness question, and route you to the arguments that prove it.

“SANS” is two things, and it left the building

When a security conversation invokes “SANS,” it almost always means one of two artifacts — and, tellingly, SANS no longer owns either of them outright.

The controls half · a HOW framework

The CIS Controls

Born as the “SANS Top 20,” stewardship passed to the Council on Cyber Security in 2013 and to the Center for Internet Security in 2015. Today SANS teaches them; CIS owns them. The 20 became 18, then gained a Govern function in v8.1. It is a prioritized list of what to do.

The threat half · a behavior catalogue

MITRE ATT&CK

SANS detection, CTI, and purple-team training lean on ATT&CK to answer “what are the threats?” ATT&CK is a knowledge base of adversary techniques based on real-world observation — how attacks were seen to unfold, indexed for engineers.

Both are excellent at what they are. Neither is a cause taxonomy — a closed, mutually-exclusive enumeration of the generic vulnerabilities that make attacks possible in the first place. And that gap is exactly the one the assurance question falls into.

The controls half: already answered

“Are we covered per the SANS controls?” is really “are we covered per CIS?” — and that question has an answer, written three times over. The CIS Controls measure along an asset axis (users, devices, data, software, network). They have no cause axis. So they cannot show you how your control effort is distributed across the causes of harm — and therefore cannot demonstrate completeness or balanced due care.

A control set can be fully implemented and still be silently lopsided by cause. When 153 v8.1 Safeguards land 19 preventive measures on server exploitation and 1 on flooding, the framework has no coordinate in which that fact can even register. That’s not this post’s argument to re-run — it’s already made below.

The threat half: the map that redraws itself

Here is the sharper point, and it is one ATT&CK makes against itself.

A behavior catalogue is, by design, open-ended and provisional. It grows as observation grows. Its categories split, merge, get revoked, and get renamed as the field learns more. That is a virtue for a detection index and a disqualifier for an assurance baseline — because you cannot certify completeness against a set whose own authors keep re-drawing its boundaries.

You don’t have to take that on faith. On 28 April 2026, ATT&CK v19 split the long-standing Defense Evasion tactic into two — Stealth and Defense Impairment — because lumping “hiding” together with “breaking your defenses” had become unhelpful. Practitioners were warned that their threat models, detection rules, and risk reports would quietly fall out of alignment if they didn’t update. That is the machinery working exactly as intended for a behavior catalogue. It is also the precise thing a cause taxonomy must never do.

ATT&CK Enterprise (v19, Apr 2026) — techniques222
… sub-techniques475
… and rising, release over release↗ open
TLCTC generic vulnerability clusters10
… since the framework was frozenclosed
A new technique in the wild maps onto an existing cause; it does not force a boundary redraw. That is the difference between an index of observed behavior and a closed axis of cause.
The tell is in the vocabulary. When a cause taxonomy sees a new attack, it asks “which of the ten does this exploit?” When a behavior catalogue sees enough new attacks, it asks “do we need to split a tactic?” One question has a bounded answer set. The other never closes.

None of this makes ATT&CK wrong. It makes ATT&CK the wrong tool for the completeness question — a question it was never built to answer and does not claim to. In TLCTC, ATT&CK isn’t a rival; it’s a reference mapping that enters at the technique end. Every technique resolves to a cluster (or a short path). The cause axis is what makes that resolution possible — and what makes “have we covered every type of threat?” a question with an answer.

HOW
CIS Controls — what to do
OBSERVED
ATT&CK — how attacks were seen
CAUSE
TLCTC — why they were possible

Two-thirds of “SANS” is HOW-to-do and how-it-looked. The completeness question lives in the third column — and neither half of SANS is standing in it.

Where this argument actually lives

This post routes. The proofs are here:

SANS teaches you HOW to defend and gives you a superb catalogue of how attacks have been seen. What it can’t hand you is the closed list of why attacks are possible — the axis on which completeness is even a meaningful word. That part is free, published, and CC BY 4.0.

ATT&CK figures: MITRE ATT&CK Enterprise v19, released 28 April 2026 (222 techniques, 475 sub-techniques; Defense Evasion split into Stealth / Defense Impairment). CIS Controls lineage: SANS Top 20 → Council on Cyber Security (2013) → Center for Internet Security (2015); v8 consolidated 20→18 Safeguards, v8.1 added the Govern function. Cause-axis distribution figures from the accompanying v8.1 → TLCTC mapping; strategy grain illustrative, pending ratification.