TLCTC Blog - 2025/09/28
The Tactics Evolve. The 10 Threats Are Constant.
Deconstructing the "Always Changing" Cybersecurity Hype with TLCTC
"The threat landscape is constantly evolving." You've heard this statement countless times. It's become the rallying cry of the cybersecurity industry, justifying endless tool purchases, constant training, and perpetual anxiety. But what if this fundamental assumption is wrong?
The Top Level Cyber Threat Clusters (TLCTC) framework exposes this statement as a dangerous misunderstanding—one that keeps organizations perpetually reactive, always chasing yesterday's attack while missing tomorrow's strategic opportunity.
The Illusion of Change: Confusing Operational Noise with Strategic Signal
Every morning, your security team reviews dozens of alerts: a new ransomware variant called "DarkNova," a zero-day in Apache Commons, a sophisticated phishing campaign mimicking Microsoft Teams notifications. The landscape feels chaotic, unpredictable, overwhelming.
This perception comes from observing the Operational Security Layer—the endless stream of new tools, specific vulnerabilities (CVEs), and techniques (TTPs) that appear daily. From this viewpoint, threats seem to multiply exponentially.
But the TLCTC framework reveals a profound truth: these are not new threats. They are merely new methods of executing one of ten fundamental, unchanging threats that have existed since the dawn of computing.
The Two-Layer Reality
- Strategic Layer (The Signal):
At this level, there are only 10 Top Level Cyber Threat Clusters. These remain stable because they're derived from generic, fundamental vulnerabilities inherent in all IT systems. As TLCTC's Axiom I states: for every generic vulnerability, there is exactly one threat cluster. New technologies rarely introduce new top-level threats; they mostly surface new contexts that refine how the ten apply.
- Operational Layer (The Noise):
This is where the "evolution" happens—thousands of specific sub-threats, techniques from MITRE ATT&CK, and vulnerabilities cataloged as CVEs. But these are simply different implementations of the same ten strategic threats.
Real-World Evidence: Same Threats, New Clothes
Consider recent "game-changing" attacks:
- SolarWinds (2020): For customers, the path is #10 Supply Chain Attack (updates) ||[updates][@SolarWinds→@ORG]|| → #7 Malware—a trusted update channel delivered the malicious code, which then executed internally. (Alternative modeling for the vendor side can include an initial #2 Exploiting Server before the supply-chain step.)
- Log4Shell (2021): This "unprecedented" vulnerability is an instance of #2 Exploiting Server. Even though Log4j is third-party, the exploit targeted the server’s request-handling path. #10 Supply Chain Attack is reserved for when a trusted third party delivers the malicious step across a trust boundary, not for every flaw in a bundled component.
- ChatGPT Jailbreaks (2024): These "emerging AI threats" are #1 Abuse of Functions—misusing legitimate functionality beyond its intended scope, exactly as TLCTC defines it.
- MFA Bombing (2022): This attack follows #4 → #1 → #9 → #4: initial credential elements are obtained (#4 Identity Theft), the push/MFA request function is abused (#1 Abuse of Functions), the user is socially engineered to approve (#9 Social Engineering), and the attacker completes authentication using the factor (#4 again).
The 10 Constants: A Cause-Oriented Revolution
The TLCTC framework is cause-oriented, not effect-oriented. While the industry obsesses over effects (data breaches, ransomware payments) or techniques (specific exploits), TLCTC focuses on the unchanging causes—the exploitation of generic vulnerabilities.
These ten clusters represent every fundamental way an IT system can be compromised:
- Abuse of Functions: Software will always have functions that can be misused within their designed scope (without exploiting a code flaw).
- Exploiting Server: Server-side code will always have potential implementation flaws.
- Exploiting Client: Client-side code will always have potential implementation flaws.
- Identity Theft: Systems will always use credentials that can be stolen or misused. (Axiom X: credentials are system control elements; their compromise is a system compromise.)
- Man in the Middle: Communications will always traverse paths that can potentially be intercepted or modified by a privileged intermediary.
- Flooding Attack: Systems will always have finite resource capacity that can be overwhelmed.
- Malware: Environments will always have the ability to execute foreign code—including scripts and Living-Off-the-Land Binaries and Scripts (LOLBAS)—and attackers will abuse that capability.
- Physical Attack: Hardware will always be physically accessible at some level and thus susceptible to physical interaction or interference.
- Social Engineering: Systems will always have human users who can be manipulated.
- Supply Chain Attack: Systems will always rely on trusted third-party components and channels that can be compromised.
What changes are the IT system types, technologies, and features—creating new opportunities for attackers to apply these timeless threats. Cloud computing didn’t create new threats; it created new contexts for the same ten threats. AI doesn’t introduce new top-level threats; it provides new methods to execute existing ones.
The Strategic Advantage: Stop Chasing, Start Building
Organizations trapped in the "always changing" mindset exhibit predictable patterns:
- Purchasing the latest security tool for each new attack variant
- Constantly retraining staff on specific attack techniques
- Building reactive controls for yesterday's breach
- Suffering from alert fatigue and tool sprawl
Organizations using the TLCTC framework take a different approach:
- Build once, defend always: Design controls targeting the ten generic vulnerabilities.
- Strategic resource allocation: Invest based on which threat clusters pose the highest risk.
- Clear communication: Use consistent language from boardroom to SOC.
- Proactive defense: Address root causes, not symptoms.
Practical Application: From Chaos to Clarity
When the next "unprecedented" attack makes headlines, apply this simple analysis:
- Identify the generic vulnerability: What fundamental weakness is being exploited?
- Map to threat cluster: Which of the ten clusters does this belong to?
- Document the sequence: If multi-stage, what's the attack path? (e.g., #9 → #3 → #7). If a trusted third party is involved, mark the trust/domain crossing explicitly (e.g., ||[updates][@Vendor→@Org]||).
- Apply existing controls: Your defenses for that cluster already address this "new" threat.
Example: A headline screams about a "Revolutionary AI-Powered Attack." Your analysis:
- Generic vulnerability: Human susceptibility to sophisticated deception.
- Threat cluster: #9 Social Engineering.
- Sequence: Likely #9 → #4 (deception leading to credential theft).
- Response: Your existing anti-phishing program, resilient MFA policies, and identity protections already mitigate this.
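The four-step analysis above produces attack paths written in the page's own notation (`#9 → #4`, with trust crossings such as `||[updates][@Vendor→@Org]||`). The following parser is an added example, not part of the TLCTC project; it turns such a path string into an ordered list of cluster steps plus any trust-boundary crossings, rejects cluster numbers outside #1..#10, and flags a #10 Supply Chain step that lacks the explicit crossing the page asks for. Cluster numbering is assumed to follow the order of the ten clusters listed above.

```python
import re
from dataclasses import dataclass, field

# Cluster numbers assumed to follow the order of the ten clusters on the page.
CLUSTERS = {
    1: "Abuse of Functions", 2: "Exploiting Server", 3: "Exploiting Client",
    4: "Identity Theft", 5: "Man in the Middle", 6: "Flooding Attack",
    7: "Malware", 8: "Physical Attack", 9: "Social Engineering",
    10: "Supply Chain Attack",
}

# Matches either a trust crossing ||[channel][@From→@To]|| or a cluster tag #N.
# Crossings are matched as a unit so the arrow inside them is not mistaken
# for the arrow that separates steps.
TOKEN = re.compile(r"\|\|\[([^\]]*)\]\[@([^→\]]+)→@([^\]]+)\]\|\||#(\d+)")


@dataclass
class AttackPath:
    steps: list = field(default_factory=list)      # cluster numbers, in order
    crossings: list = field(default_factory=list)  # (step_index, channel, src, dst)

    def names(self):
        return [f"#{n} {CLUSTERS[n]}" for n in self.steps]


def parse_path(text):
    """Parse a TLCTC path string; prose between tags is ignored."""
    path = AttackPath()
    for channel, src, dst, num in TOKEN.findall(text):
        if num:
            n = int(num)
            if n not in CLUSTERS:
                raise ValueError(f"unknown cluster #{n}; only #1..#10 exist")
            path.steps.append(n)
        else:
            if not path.steps:
                raise ValueError("trust crossing must follow a cluster step")
            # Attach the crossing to the step it appears after.
            path.crossings.append((len(path.steps) - 1, channel, src, dst))
    if not path.steps:
        raise ValueError("no cluster tags found")
    return path


def check(path):
    """Return review findings: a #10 step needs an explicit trust crossing."""
    findings = []
    if 10 in path.steps and not path.crossings:
        findings.append("#10 present without an explicit trust crossing")
    return findings
```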
The Bottom Line: Stability in Supposed Chaos
The cybersecurity industry profits from perpetual panic. Vendors need you to believe that threats are "constantly evolving" to sell their latest solutions. But the TLCTC framework reveals the truth:
The tactics evolve. The ten threats are constant.
By recognizing this fundamental stability, organizations can:
- Build lasting, strategic defenses instead of reactive patches
- Communicate clearly about risk without technical jargon
- Allocate resources based on consistent threat categories
- Achieve genuine cyber resilience rather than perpetual firefighting
Stop chasing shadows. Start addressing root causes. The threat landscape isn’t changing—your perspective is.
The Top Level Cyber Threat Clusters framework provides a stable foundation for understanding cyber risk. While operational details evolve daily, the strategic landscape remains remarkably consistent. Build your defenses accordingly.