Top Level Cyber Threat Clusters

A Universal Framework for Cyber Threat Categorization

White Paper V1.6.3

The Top Level Cyber Threat Clusters (TLCTC) framework serves as a "Rosetta Stone" connecting strategic planning to operational security through logically-derived, non-overlapping threat categories. This fills a critical gap in current standards while complementing existing risk management approaches.

Download White Paper (PDF) White Paper (HTML Navigator) Executive Briefing (Summary) TLCTC vs. Standards

The TLCTC Advantage

Addressing the fragmentation in cyber threat communication and categorization.

Universal Taxonomy

Provides 10 logically-derived, non-overlapping threat categories for comprehensive understanding.

Bridge Strategy & Operations

Creates a common language for CISOs, security teams, and risk managers.

Framework Agnostic

Complements and enhances existing standards like MITRE ATT&CK, NIST CSF, and FAIR.

Why TLCTC? (Intro)

The Problem TLCTC Solves

The 10 Top Level Cyber Threat Clusters

The foundational building blocks for understanding *how* adversaries operate. Click to explore definitions.

Abuse of Functions

Misusing legitimate features.

Exploiting Server

Leveraging server-side code flaws.

Exploiting Client

Leveraging client-side code flaws.

Identity Theft

Compromising credentials/auth.

Man in the Middle

Intercepting communications.

Flooding Attack

Overwhelming capacity/resources.

Malware

Executing foreign malicious code.

Physical Attack

Unauthorized physical interaction.

Social Engineering

Manipulating individuals.

Supply Chain Attack

Compromising third-party elements.

Core Concepts & Framework Synergy

Understanding TLCTC's foundational elements and its powerful integration with existing cybersecurity standards.

Key Concept Components

TLCTC Definitions

Axioms (check white paper)
The Thought Experiment
Definitions and Clarifications
Definitions (incl. JSON)
Glossary
Enumeration V2.0
WP Section

Concept Applicability

Scope of Software and Hardware
at Interface Level (API)
at Function Call Level
Vertical Stack Application
WP Section

Bow-Tie

Bridging Strategy & Operations

Strategic Management Layer & Architecture
Operational Layer
CISO's Guide
WP Section

Cyber Bow-Tie

Cyber Bow Tie

Basic Bow-Tie & Event Chains
Alternative Visualization (V2)
CISO's Guide
WP Section

Framework Integration

NIST CSF

NIST CSF

Identify, Protect, Detect alignment
NIST CSF Integration
NIST AI RMF 1.0 - NIST AI 100-1 - NIST AI 600-1 Integration
WP Section

SSDLC

Developer Exp. Blog
Coding vs Programming
SonarQube & CWE
NIST SP 800-218 (SSDF)
PASTA Example
IEC 62443 Example
WP Section

MITRE

MITRE (Overview )

ATT&CK Enterprise Initial
CWE Alignment
MITRE Atlas AI (AML)
CAPEC Integration
ATT&CK & STIX

STIX/TAXII

Enhancing STIX

VERIS Framework

VERIS Example

NVD CVE Enhancement

Enhancing CVE Details

Vulnerability Mapping

SonarQube with CWE
WP Section

Call to Act (MITRE & STIX)

WP Section

Practical TLCTC Tools

Leverage these tools to apply the TLCTC framework in your organization.

Cyber Threat Radar

Cyber Threat Radars

Holistic Views: Org, Customers, 3rd Parties, State Level.

Try the Radar App
WP Section

Threat Actor Profiling

CrowdStrike 2024 Mapped

Cobalt Strike Mapping

Profile Designer
WP Section

Attack Path Designer

Attack Path Notation & Design

Enumeration V2.0

Complex Scenarios: WP Section

Path Designer App
Notation WP Section

CVE 2 TLCTC Mapper

Value for All Stakeholders

TLCTC delivers clear benefits across strategic leadership, technical teams, and regulatory bodies.

Strategic Leadership

Enhanced Strategic Decision-Making
Quantifiable Risk Management
Improved Board-Level Communication
Stronger Cybersecurity Governance

Security Operations & Technical Teams

Consistent Incident Classification (CSIRTs/CERTs)
Enhanced MITRE Integration (ATT&CK, CAPEC, CWE)
Streamlined Threat Intelligence Sharing (STIX)
Precise Attack Path Analysis for SOCs
Standardized Threat Intel Framework
Improved Vulnerability Prioritization (CVEs)

Standards Bodies & Regulatory Agencies

Developing Clearer Threat Standards (NIST/ISO/CIS)
Framework Harmonization (CISA/ENISA)
Global Consistency for EU Agencies
Enhanced National & International Coordination (NCSCs)

Critical Perspectives & The TLCTC Dialogue

Engaging with critiques and fostering an open discussion for the evolution of the TLCTC framework.

Critical TLCTC Analysis

The "Why Ten?" Question
Framework remains open to evolution
Call To Act: Challenges NIST and MITRE

Cluster Refinement

Analysis of Cluster Maturity
Open for community discussion
WP Section

Framework Analysis (Comparative)

Threat Modeling Manifesto
STRIDE
CRF-TT
OCTAVE
PASTA
ISO/SAE 21434
LINDDUN
FAIR
WP Section

Regulatory Analysis

§NIS 2 DIRECTIVE (EU) 2022/2555
§DORA (Digital Operational Resilience Act)
§DORA RTS TLTP - Draft Tech Standards
§Regulation (EU) 2019/881 (CSA) & (CRA)
§ETSI TR 103 331 V2.1.1 (Threat Sharing)

From the TLCTC Blog

Latest insights, analyses, and discussions on the TLCTC framework and its applications.

May 09, 2025

System Risk vs. Data Risk Events

Understanding the TLCTC perspective on how system compromises lead to data breaches...

Read More

TLCTC Radar Explainer

May 04, 2025

Visualizing Threats with TLCTC Radars

An innovative approach to communicate and prioritize diverse cyber threats...

Read More

May 04, 2025

MFA Bypass: Evolving Attacks

Examining MFA bypass techniques and attack paths through the TLCTC framework...

Read More

View All Blog Posts

Join the TLCTC Discussion

Explore, critique, and contribute. The TLCTC framework is an evolving standard. Your insights are valuable.

Ask the TLCTC Explainer GPT Try the CVE 2 TLCTC Mapper

Work in Progress: This page is being updated. For definitive information, please consult the White Paper V1.6.3 [PDF Link].