TLCTC Framework Glossary

A

Abuse of Functions (Cluster #1)

A threat cluster where an attacker abuses the logic or scope of existing, legitimate software functions, features, or configurations for malicious purposes. This manipulation occurs through standard interfaces using expected input types (data, parameters, configurations, sequence of actions), but in a way that subverts the intended purpose or security controls.

The generic vulnerability exploited is the scope, complexity, or inherent trust placed in legitimate software functions, features, and configurations.

Developer's View: "I must understand and constrain the functional domain of my code. Every feature I implement must have clearly defined boundaries and expected usage patterns. I need to ask: What is the legitimate scope of this functionality, and how could it be misused?"

Characteristic Examples:

• CWE: CWE-15 (External Control of System or Configuration Setting), CWE-306 (Missing Authentication for Critical Function), CWE-352 (Cross-Site Request Forgery).
• MITRE ATT&CK®: T1133 (External Remote Services), T1059 (Command and Scripting Interpreter), T1548 (Abuse Elevation Control Mechanism).

Asset

Components of value to an organization, including software, hardware, data, services, and human resources. In the TLCTC framework, the focus is on generic software and hardware assets rather than specific IT system types (as per Axiom VI).

Attack Path / Attack Sequence

The sequence of applied attack vectors (represented by TLCTC cluster numbers) employed by an attacker to achieve their objective. Properly notated using cluster numbers with arrows (e.g., #9->#3->#7) and plus signs for parallel execution (#1+#7).

Attack Surface

The sum of different points (attack vectors) where an unauthorized user can attempt to enter or extract data. In TLCTC, each generic vulnerability represents a distinct generic attack surface.

Attack Vector

The specific method or pathway used by an attacker to exploit a vulnerability. Each TLCTC cluster represents a category of attack vectors targeting a specific generic vulnerability (as defined by Axiom II).

Attacker's View

A perspective included in each threat cluster definition that articulates how an attacker conceptualizes the exploitation of a particular vulnerability (e.g., for #1 Abuse of Functions: "I abuse a functionality, not a coding issue").

Assumptions / Axioms

The foundational principles accepted as true for the TLCTC framework. Key axioms include:

• 1. For every generic vulnerability, there is ONE threat cluster
• 2. Each attack vector is defined by the generic vulnerability it initially targets
• 3. Threats are on the cause side from a Bow-Tie perspective
• 4. Control failure is distinct from actual risk
• 5. Threats are separated from threat actors
• 6. Generic software and hardware assets are the focus rather than IT system types
• 7. Client-server interaction is fundamental to all networked systems
• 8. Threat clusters can form sequences in attack scenarios
• 9. Top-Level Threat Clusters have Sub-Threats (strategic vs. operational separation)

B

Bow-Tie Model

A risk assessment methodology used in TLCTC that visualizes the relationships between:

• Left side (causes): Threats and preventive controls
• Center: Cyber Risk Event (loss of control/system compromise)
• Right side (effects): Consequences (Data Risk Events and Business Risk Events) and detective/reactive/corrective controls

BxI (Base Level Indicator)

The lowest, meaningful level of operational metrics that aggregate into Key Indicators (KxIs) within the hierarchical indicator framework.

C

Cause-Oriented Categorization

The principle behind TLCTC where threats are categorized based on the fundamental underlying cause (the generic vulnerability exploited) rather than observed events, attacker behaviors, or outcomes.

Client-Server Interaction

A fundamental principle (Axiom VII) assumed by the TLCTC framework, stating that networked systems involve components acting as clients (requesters) and servers (providers). This relationship can be contextual rather than absolute, particularly in vertical stack implementations.

Coder

In the context of secure software development, a Coder has a tactical focus on implementation and craftsmanship. Their responsibilities include writing functional, efficient code that implements specific requirements, following established patterns, implementing security controls at the code level, and ensuring their code does not introduce new vulnerabilities. They operate within the architectural boundaries defined by a Programmer.

Control Design Effectiveness

Evaluates whether a control, as conceived and structured, is capable of achieving its objective if it operates as intended.

Control Failure

A deviation from the control objective, which can allow threats to materialize and impact assets. Distinguished from the risk itself (as per Axiom IV).

Control Objective

The specific aim or purpose that a control is intended to achieve in terms of risk mitigation for a particular threat cluster. Each control is aligned with a single, clear objective.

Control Operational Effectiveness

Focuses on whether the control is actually working as designed in practice, examining if it is being executed correctly and consistently over time.

Control Risk

The risk associated with a control failing to achieve its objective, which is distinct from actual Risk (Threat->Incident/Event->Consequences) per Axiom IV.

Consequences

The negative impacts resulting from a cyber incident, categorized as Data Risk Events (Loss of C/I/A) and subsequent Business Risk Events in the Bow-Tie model.

Cyber Incident

An actual security breach or system compromise that has occurred; the materialization of a Cyber Risk Event.

Cyber Risk

The likelihood of occurrence of a cyber event in which control over IT systems or persons is lost due to one or more of the 10 Top Level Cyber Threat Clusters, leading (via Event-Chains) to consequential damage (impact).

Cyber Risk Event

The central event in the TLCTC Bow-Tie model, representing the compromise of an IT system or human, resulting in a loss of control.

Cyber Threat Radar

A visualization tool based on TLCTC clusters for analyzing and communicating about threat landscapes across organizations or sectors.

D

Data Risk Event

An outcome affecting data, defined specifically as:

• Loss of Confidentiality (C): Data stolen - The attacker gains unauthorized access to data
• Loss of Integrity (I): Data modified - The attacker successfully makes unauthorized changes to data
• Loss of Availability (A): Data inaccessible - The attacker renders data unavailable to legitimate users

Developer

A general term for an individual involved in software creation. In the TLCTC context, it is useful to distinguish between the strategic role of a 'Programmer' and the tactical role of a 'Coder' to clarify responsibilities in secure development.

Developer's View

A perspective included in each threat cluster definition that articulates how a software developer should think about preventing the associated generic vulnerability. It translates the abstract threat into a concrete design or implementation mindset (e.g., for #2 Exploiting Server: "I must apply language-specific secure coding principles...").

Detect (NIST CSF Function)

Within the TLCTC Control Framework used as Control Objective Category for tasks and controls designed to identify the occurrence of a cyber event related to a specific Threat Cluster.

E

Exploit Code

Code designed to target specific vulnerabilities to modify software behavior, distinguished from "Malware Code." Associated with Clusters #2 and #3.

Exploiting Client (Cluster #3)

A threat cluster targeting and leveraging flaws originating directly within the source code implementation of any software acting in a client role.

The generic vulnerability is the presence of exploitable flaws within the code implementation of software acting as a client, stemming from insecure coding practices related to processing external data/responses, rendering UI, or managing client-side state.

Developer's View: "I must apply language-specific secure coding principles for all client-side code, understanding how my language handles external data (e.g., DOM-based XSS in JavaScript, buffer overflows in native clients) and never trusting incoming data."

Characteristic Examples:

• CWE: CWE-79 (DOM-based XSS), CWE-1321 (Prototype Pollution), CWE-120 (Buffer Overflow in a client-side parser).
• MITRE ATT&CK®: T1189 (Drive-by Compromise), T1203 (Exploitation for Client Execution).

Exploiting Server (Cluster #2)

A threat cluster targeting and leveraging flaws originating directly within the server-side application's source code implementation.

The generic vulnerability is the presence of exploitable flaws within the server-side source code implementation, stemming from insecure coding practices.

Developer's View: "I must apply language-specific secure coding principles for all server-side code, understanding the security pitfalls of my chosen language (e.g., SQL injection in PHP, deserialization in Java, buffer overflows in C++) and implementing appropriate safeguards."

Characteristic Examples:

• CWE: CWE-89 (SQL Injection), CWE-78 (OS Command Injection), CWE-502 (Deserialization of Untrusted Data).
• MITRE ATT&CK®: T1190 (Exploit Public-Facing Application), T1210 (Exploitation of Remote Services), T1068 (Exploitation for Privilege Escalation).

F

Flooding Attack (Cluster #6)

A threat cluster where an attacker intentionally overwhelms system resources or exceeds capacity limits through a high volume of requests, data, or operations, leading to disruption, degradation, or denial of service.

The generic vulnerability is finite capacity limitations inherent in any system component (e.g., network bandwidth, CPU, memory, storage, API rate limits).

Developer's View: "I must implement efficient resource management. This includes using appropriate data structures, setting request limits, timing out long-running operations, and releasing resources properly. Every loop and resource allocation must consider abuse scenarios."

Characteristic Examples:

• CWE: CWE-770 (Allocation of Resources Without Limits), CWE-404 (Improper Resource Shutdown or Release), CWE-776 (XML Bomb).
• MITRE ATT&CK®: No direct techniques map here, as this cluster focuses on resource exhaustion (Availability), which is not a primary goal of Initial Access, Execution, or Persistence tactics.

G

Generic Vulnerability

The fundamental attack surface to a generic weakness or characteristic that is exploited by a specific TLCTC threat cluster (Axiom I). Each generic vulnerability is paired with exactly one threat cluster. For example, the "scope, complexity, or inherent trust placed in legitimate software functions" is the generic vulnerability exploited in Abuse of Functions (#1).

GOVERN (NIST CSF Function)

The strategic function focused on establishing the overall cybersecurity risk management framework. Unlike functions addressing specific threats directly, GOVERN controls are "assurance controls" that set risk appetite, define roles and responsibilities, and establish policies.

I

Identify (NIST CSF Function)

Within the TLCTC Control Framework used as Control Objective Category for tasks and controls focused on understanding the context, identifying assets, and discovering weaknesses or threats related to a specific Threat Cluster.

Identity Theft (Cluster #4)

A threat cluster where an attacker targets weaknesses in identity and access management processes or credential protection mechanisms to illegitimately acquire, steal, or misuse authentication credentials.

The generic vulnerability is weak Identity Management Processes and/or inadequate credential protection mechanisms throughout the identity lifecycle (issuance, storage, transmission, validation, revocation).

Developer's View: "I must implement secure credential lifecycle management: proper storage (hashing with salt), secure transmission, session handling (timeout, invalidation), and robust authentication mechanisms (MFA support). Every identity-related function needs defense-in-depth."

Characteristic Examples:

• CWE: CWE-307 (Improper Restriction of Excessive Authentication Attempts), CWE-257 (Storing Passwords in a Recoverable Format), CWE-384 (Session Fixation).
• MITRE ATT&CK®: T1110 (Brute Force), T1003 (OS Credential Dumping), T1555 (Credentials from Password Stores).

Initial Access

A designation for threat vectors that provide the attacker's first entry into a system or network. The TLCTC framework emphasizes analyzing initial access as a critical point for prevention.

K

KCI (Key Control Indicator)

Measures the operational performance of security controls, verifying that the intended actions are taken at the appropriate frequency. These indicators provide insights on the ability to apply the correct controls correctly, and highlight weaknesses in processes.

KPI (Key Performance Indicator)

Measurable values that demonstrate the outcome and performance of security processes in reaching security objectives. KPIs must be time-based and should reflect not only the results but also the effectiveness over time.

KRI (Key Risk Indicator)

Indicators that demonstrate the potential for a future cyber threat. They are primarily leading indicators that show the possible risks before a threat occurs and must be observed in a meaningful timeframe.

KxI Framework

The integrated hierarchy of Key Risk Indicators (KRIs), Key Control Indicators (KCIs), and Key Performance Indicators (KPIs) organized into strategic and operational levels to measure and manage security effectiveness across threat clusters.

L

Local Controls

Specific security measures implemented at the individual system or component level to address particular threat clusters (contrasted with Umbrella Controls).

Loss of Availability (A)

A data risk event where the attacker renders data or services inaccessible to legitimate users.

Loss of Confidentiality (C)

A data risk event where the attacker gains unauthorized access to data.

Loss of Control / System Compromise

The central event in the TLCTC Bow-Tie model, representing the point where a threat successfully materializes, resulting in some form of compromise or unauthorized influence over an IT system or human actor.

Loss of Integrity (I)

A data risk event where the attacker successfully makes unauthorized changes to data.

M

Malware (Cluster #7)

A threat cluster where an attacker abuses the inherent ability of a software environment to execute foreign executable content, including inherently malicious Malware Code or legitimate tools/scripts used for malicious purposes ("dual-use" / LOLBAS).

The generic vulnerability is the software environment's designed capability to execute potentially untrusted 'foreign' code, scripts, or binaries.

Developer's View: "I must control code execution paths. This means validating file types and content, avoiding dynamic code execution (e.g., eval), implementing proper sandboxing, and using Content Security Policies. I will never execute user-controlled input."

Characteristic Examples:

• CWE: CWE-506 (Embedded Malicious Code), CWE-507 (Trojan Horse).
• MITRE ATT&CK®: T1204 (User Execution), T1547 (Boot or Logon Autostart Execution), T1091 (Replication Through Removable Media).

Malware Code

Code that operates within expected execution paths for harmful purposes, distinguished from Exploit Code which targets specific vulnerabilities to modify software behavior.

Man in the Middle (MitM) (Cluster #5)

A threat cluster where an attacker intercepts, eavesdrops on, modifies, or relays communication between two parties without their knowledge or consent, by exploiting a privileged position on the communication path.

The generic vulnerability is the lack of sufficient control, integrity protection, or confidentiality over the communication channel/path.

Developer's View: "I must ensure the confidentiality and integrity of data in transit at all relevant layers. This includes enforcing strong encryption protocols like TLS at the application layer and utilizing secure network architectures (e.g., IPsec). I must ensure proper certificate and path validation, and design for end-to-end protection, assuming any uncontrolled network segment is hostile."

Characteristic Examples:

• CWE: CWE-319 (Cleartext Transmission of Sensitive Information), CWE-295 (Improper Certificate Validation), CWE-757 (Algorithm Downgrade).
• MITRE ATT&CK®: T1557 (Adversary-in-the-Middle), T1659 (Content Injection).

MFA Bombing / MFA Fatigue

An authentication bypass technique with the TLCTC attack path notation of #4 -> #1 -> #9 -> #4, representing: 1) initial credential theft, 2) abuse of the MFA request function, 3) social engineering to trick the user into approving, and 4) successful authentication.

O

Operational Layer / Operational Security

The tactical tier in the TLCTC two-tiered approach focused on implementing specific controls, detailed threat analysis of sub-threats/TTPs, incident response, vulnerability management, and monitoring. This layer works within the strategic framework defined by the Top Level Cyber Threat Clusters.

P

Physical Attack (Cluster #8)

A threat cluster where an attacker gains unauthorized physical interaction with or causes physical interference to hardware, devices, facilities, or data transmission media.

The generic vulnerability is the physical accessibility of hardware, facilities, and communication media, and the exploitability of Layer 1 communications and hardware interfaces.

Developer's View: "I must implement tamper-evident logging, encrypt sensitive data at rest, use secure key storage (HSM/TPM), and design for secure failure modes. I will assume physical access means compromise and plan accordingly."

Characteristic Examples:

• CWE: CWE-1263 (Improper Physical Access Control), CWE-1191 (Improper Access Control for Debug Interface), CWE-1247 (Fault Injection).
• MITRE ATT&CK®: T1200 (Hardware Additions), T1091 (Replication Through Removable Media - delivery step), T1542.002 (Pre-OS Boot: Component Firmware).

Process Injection

A technique that can be classified as either:

• #1 (Abuse of Functions) when using designed features (like debugging APIs and DLL injection) where the injection capability was intentionally designed
• #2/#3 (Exploiting Server/Client) when exploiting code flaws (like buffer overflows) where injection was never intended

Programmer

In the context of secure software development, a Programmer has a strategic focus on architecture and design. Their responsibilities include designing the overall software architecture, making strategic decisions about frameworks and libraries, establishing security requirements, and considering system-wide security implications. They address threat clusters like #1, #4, #5, and #10 at an architectural level, setting the foundation for secure implementation by Coders.

Protect (NIST CSF Function)

Within the TLCTC Control Framework used as Control Objective Category for tasks and controls aimed at implementing safeguards to prevent the successful exploitation related to a specific Threat Cluster.

R

RCE — Remote Code/Command Execution

"RCE" is always a multi-step sequence. Many CVEs conflate the enabling vulnerability with the subsequent execution.

• Enabling step: #2 Exploiting Server (server-side flaw) or #3 Exploiting Client (client-side flaw). Use #1 Abuse of Functions only when a designed execution capability is misused (e.g., "RunCommand", job scheduler).
• Execution step: #7 Malware when attacker-supplied code/scripts or dual-use tools run (e.g., PowerShell, PsExec, ScreenConnect), even if pre-installed. Use #1 only when invoking predefined, non-scripted actions (e.g., enable RDP, change configuration, create account) without executing attacker code.

• #2 → #7 — server-side exploit enables foreign code execution (e.g., Log4Shell → payload).
• #3 → #7 — client-side exploit enables foreign code execution.
• #1 → #7 — misuse of a designed exec feature to run attacker code/scripts.
• #1 → #1 — misuse of legitimate functionality only (no foreign code executed).

Recover (NIST CSF Function)

Within the TLCTC Control Framework used as Control Objective Category for tasks and controls related to restoring capabilities or services impaired due to an incident related to a specific Threat Cluster.

Respond (NIST CSF Function)

Within the TLCTC Control Framework used as Control Objective Category for tasks and controls related to taking action upon detection of an incident related to a specific Threat Cluster.

S

Social Engineering (Cluster #9)

A threat cluster where an attacker psychologically manipulates individuals into performing actions counter to their or their organization's best interests.

The generic vulnerability is human psychological factors: gullibility, trust, ignorance, fear, urgency, authority bias, curiosity, or general compromisability.

Developer's View: "I must design interfaces that promote secure behavior. This means providing clear security indicators, confirmation dialogs for sensitive actions, and making the secure path the easiest path. UI/UX is a security control."

Characteristic Examples:

• CWE: This cluster exploits human psychology, not technical weaknesses. Therefore, no CWEs are directly mapped here. The goal of Social Engineering is to trick a user into an action that creates a technical vulnerability (e.g., enabling #1, #4, or #7).
• MITRE ATT&CK®: T1566 (Phishing) and all its sub-techniques, T1534 (Internal Spearphishing).

SSDLC (Secure Software Development Life Cycle)

A structured process for embedding security throughout all phases of software development, from requirements and design to deployment and maintenance. The TLCTC framework integrates into the SSDLC by providing a threat-informed methodology to guide both strategic (Programmer) and tactical (Coder) security activities.

Standardized Attack Sequence Notation

The formal syntax for describing attack paths using TLCTC cluster numbers:

• Sequential execution indicated with arrows (e.g., #9->#3->#7)
• Parallel execution indicated with plus signs (e.g., #1+#7)
• Comprehensive paths may include both (e.g., #9->#3->#7->#7->#1+#7)

Strategic Layer / Strategic Management

The high-level tier in the TLCTC two-tiered approach focused on overarching risk management, policy, governance, resource allocation, and defining risk appetite based on the 10 Top Level Cyber Threat Clusters.

Sub-Threats

Granular threats or TTPs falling under a Top Level Cyber Threat Cluster (Axiom IX). These are managed at the operational level and provide detailed implementation of the high-level strategic framework.

Supply Chain Attack (Cluster #10)

A threat cluster where an attacker compromises systems by targeting vulnerabilities within an organization's supply chain, involving trusted third-party software components, hardware, services, or distribution mechanisms.

The generic vulnerability is the necessary reliance on, and implicit trust placed in, external suppliers and their development/distribution processes.

Developer's View: "I must maintain strict dependency hygiene. This involves using dependency scanning, verifying package integrity, minimizing the dependency footprint, and implementing SBOM practices. I will trust no external code implicitly."

Characteristic Examples:

• CWE: CWE-494 (Download of Code Without Integrity Check), CWE-1269 (Product Released in Non-Release Configuration), CWE-733 (Compiler Optimization Removal of Security Code).
• MITRE ATT&CK®: T1195 (Supply Chain Compromise) and all its sub-techniques, T1199 (Trusted Relationship).

T

Threat

A set of tactics, techniques and procedures (TTP) that attackers apply to provoke an event or incident, exploiting vulnerabilities in IT systems or human behaviors.

Threat Actor

The individual, group, or entity performing a cyber attack. Distinguished from the Threat (the TTPs used) itself within the TLCTC framework (Axiom V).

Threat Cluster

A grouping of threats that exploit common vulnerabilities related to IT systems and humans. Each of the 10 Top Level Cyber Threat Clusters represents a fundamental way in which systems or humans can be compromised.

Thought Experiment

The logical process used to derive the 10 TLCTC clusters, where the IT landscape is examined systematically to identify distinct attack surfaces or generic vulnerabilities.

TLCTC (Top Level Cyber Threat Clusters)

The framework of 10 cause-oriented threat clusters derived from generic vulnerabilities, designed to bridge strategic and operational security approaches:

1. Abuse of Functions
2. Exploiting Server
3. Exploiting Client
4. Identity Theft
5. Man in the Middle (MitM)
6. Flooding Attack
7. Malware
8. Physical Attack
9. Social Engineering
10. Supply Chain Attack

TLCTC Enumeration

A structured identifier system (TLCTC-XX.YY) where:

• TLCTC- prefix ensures proper attribution to the model
• XX represents the primary cluster number (01-10), zero-padded for consistent formatting
• .YY suffix designed for future refinement (.00 designates current high-level definitions)

This provides machine readability, consistent sorting, and extensibility for sub-categorization.

TTP (Tactics, Techniques, and Procedures)

A detailed description of attacker behavior. In the TLCTC framework, specific TTPs (like those in MITRE ATT&CK) are considered instances or sub-threats that are categorized under the broader, cause-oriented Top Level Cyber Threat Clusters.

Two-Tiered Approach

The TLCTC structure distinguishing between:

• Strategic Management Layer: High-level risk management, policy-making, and governance using the 10 Top Level Cyber Threat Clusters
• Operational Layer: Detailed implementation of controls, specific vulnerability management, and threat intelligence using sub-threats and TTPs

U

Umbrella Controls

Security measures that provide protection for groups of IT systems within their scope, such as firewalls, proxies or network zones or external network filters and so on. These contrast with Local Controls that protect specific systems directly.

V

Vertical Stack Application

The implementation of TLCTC across the layered architecture of IT systems (from application level to hardware), analyzing client/server roles at each protection ring boundary (e.g., Ring 3 to Ring 0) and directional vulnerabilities.

Vulnerability

An attack surface enabled by a weakness that can be exploited by a threat actor. In TLCTC, specific vulnerabilities (like CVEs) map to generic vulnerabilities which define the threat clusters.