This is a short post with one job: take the word “SANS” apart, show you where each half already fails the completeness question, and route you to the arguments that prove it.
“SANS” is two things, and it left the building
When a security conversation invokes “SANS,” it almost always means one of two artifacts — and, tellingly, SANS no longer owns either of them outright.
The CIS Controls
Born as the “SANS Top 20,” stewardship passed to the Council on Cyber Security in 2013 and to the Center for Internet Security in 2015. Today SANS teaches them; CIS owns them. The 20 became 18, then gained a Govern function in v8.1. It is a prioritized list of what to do.
MITRE ATT&CK
SANS detection, CTI, and purple-team training lean on ATT&CK to answer “what are the threats?” ATT&CK is a knowledge base of adversary techniques based on real-world observation — how attacks were seen to unfold, indexed for engineers.
Both are excellent at what they are. Neither is a cause taxonomy — a closed, mutually-exclusive enumeration of the generic vulnerabilities that make attacks possible in the first place. And that gap is exactly the one the assurance question falls into.
The controls half: already answered
“Are we covered per the SANS controls?” is really “are we covered per CIS?” — and that question has an answer, written three times over. The CIS Controls measure along an asset axis (users, devices, data, software, network). They have no cause axis. So they cannot show you how your control effort is distributed across the causes of harm — and therefore cannot demonstrate completeness or balanced due care.
The threat half: the map that redraws itself
Here is the sharper point, and it is one ATT&CK makes against itself.
A behavior catalogue is, by design, open-ended and provisional. It grows as observation grows. Its categories split, merge, get revoked, and get renamed as the field learns more. That is a virtue for a detection index and a disqualifier for an assurance baseline — because you cannot certify completeness against a set whose own authors keep re-drawing its boundaries.
You don’t have to take that on faith. On 28 April 2026, ATT&CK v19 split the long-standing Defense Evasion tactic into two — Stealth and Defense Impairment — because lumping “hiding” together with “breaking your defenses” had become unhelpful. Practitioners were warned that their threat models, detection rules, and risk reports would quietly fall out of alignment if they didn’t update. That is the machinery working exactly as intended for a behavior catalogue. It is also the precise thing a cause taxonomy must never do.
None of this makes ATT&CK wrong. It makes ATT&CK the wrong tool for the completeness question — a question it was never built to answer and does not claim to. In TLCTC, ATT&CK isn’t a rival; it’s a reference mapping that enters at the technique end. Every technique resolves to a cluster (or a short path). The cause axis is what makes that resolution possible — and what makes “have we covered every type of threat?” a question with an answer.
Two-thirds of “SANS” is HOW-to-do and how-it-looked. The completeness question lives in the third column — and neither half of SANS is standing in it.
Where this argument actually lives
This post routes. The proofs are here:
-
The full argument: a controls list on an asset axis cannot answer a cause-side completeness question.
-
The blind spot in one chart — 153 Safeguards mapped by cause, and the 19:1 skew the framework cannot perceive about itself.
-
The evidence base: the full v8.1 → cluster mapping behind both arguments.
-
The closed cause axis itself — the thing neither half of “SANS” provides.
ATT&CK figures: MITRE ATT&CK Enterprise v19, released 28 April 2026 (222 techniques, 475 sub-techniques; Defense Evasion split into Stealth / Defense Impairment). CIS Controls lineage: SANS Top 20 → Council on Cyber Security (2013) → Center for Internet Security (2015); v8 consolidated 20→18 Safeguards, v8.1 added the Govern function. Cause-axis distribution figures from the accompanying v8.1 → TLCTC mapping; strategy grain illustrative, pending ratification.