"The cybersecurity industry has a measurement problem hiding inside a language problem. Our leading threat intelligence providers are all looking at the same reality—but their reports can't be compared, combined, or translated into consistent control decisions. Until we agree on what we're counting, we can't know if we're winning."
When the industry's most respected threat intelligence teams publish their annual reports, security leaders treat them as ground truth.
- Verizon's DBIR — the industry's longest-running breach dataset
- CrowdStrike's Global Threat Report — frontline visibility from one of the largest EDR deployments
- Mandiant's M-Trends — deep incident response and attribution expertise (now part of Google Cloud)
- ENISA's Threat Landscape — the EU's official cybersecurity agency perspective
These aren't blogs or opinion pieces. They're data. They shape budgets, drive board conversations, and inform control investments across thousands of organizations. But try this exercise: ask each report a simple question, "What is ransomware?"
- Verizon says ransomware is an Action—specifically, a variety of malware.
- Mandiant says ransomware is an Intrusion Type—distinct from "Data Theft Extortion."
- ENISA says ransomware is the Prime Threat—a top-level category unto itself.
- CrowdStrike describes ransomware as a monetization strategy—an objective, not a technique.
Four authoritative sources. Four incompatible answers. And not because they're looking at different data—they're looking at the same attacks and classifying them differently. This isn't a philosophical problem. It's an operational one.
The Trap: Mixing What Happened with How It Happened
The root issue is deceptively simple: these frameworks blur the line between causes and outcomes. To see this clearly, we need a case where all four vendors are unambiguously describing the same thing. Fortunately, 2024 gave us one.
Case Study: The North Korean IT Worker Scheme
North Korea runs a state-sponsored program where operatives pose as remote IT contractors, get hired by Western companies, and funnel salaries (and sometimes stolen data) back to the regime. All four major threat intelligence providers covered this campaign in their 2024/2025 reports. Same actors. Same scheme. Same year. Four completely different descriptions.
- Mandiant calls them UNC5267 and classifies the activity as Insider Threat / Espionage. Their lens is attribution and tradecraft: who these people report to (the "313 General Bureau of the Munitions Industry Department"), what VPN they use (Astrill, in 72% of cases), even the keywords in their email addresses ("panda," "dev," "star").
- CrowdStrike calls them FAMOUS CHOLLIMA and classifies it as Insider Threat Operations. Their lens is operational scale: laptop farms in Illinois, New York, Texas, and Florida; AI tools like "Hacksider" for face-swapping; a 220% year-over-year increase; 320+ companies infiltrated.
- Verizon doesn't name the adversary at all—just "North Korean workers masquerading as workers." They classify it as Privilege Misuse, fitting it into their incident pattern taxonomy. Their lens is risk modeling: this is an insider (technically) acting with external motives.
- ENISA uses Famous Chollima and classifies it as State-aligned Activity. Their lens is geopolitical targeting: EU companies in Belgium, Italy, Germany, France—especially defense and government entities.
| Report | Name Used | Primary Classification | Analytical Lens |
|---|---|---|---|
| Mandiant | UNC5267 | Insider Threat / Espionage | Attribution & Tradecraft |
| CrowdStrike | FAMOUS CHOLLIMA | Insider Threat Operations | Operations & Metrics |
| Verizon | "North Korean workers" | Privilege Misuse | Risk & Patterns |
| ENISA | Famous Chollima | State-aligned Activity | Geopolitics & Targeting |
Now imagine you're a CISO trying to answer: "Are we exposed to this threat?" Which classification do you use? Is this an insider threat problem (HR and access controls)? A privilege misuse problem (monitoring and DLP)? A nation-state espionage problem (threat intel and hunting)? The answer depends entirely on which report you read last. And that's the trap. Each vendor is telling a true story—but they're telling different stories. None of them are wrong. But none of them are compatible.
The Pattern Repeats
The DPRK case isn't unique. It's just the clearest example of a pattern that repeats across every major threat category:
Ransomware
- Verizon: an Action (malware variety)
- Mandiant: an Intrusion Type (separate from "Data Theft Extortion")
- ENISA: the Prime Threat (top-level category)
- CrowdStrike: a monetization strategy (objective, not technique)
Vulnerability Exploitation
- Mandiant: the #1 initial infection vector (33% of intrusions)
- CrowdStrike: linked to initial access (52% of observed vulnerabilities)
- ENISA: a primary intrusion vector (21.3%)
Same underlying reality, different denominators, incomparable percentages.
Social Engineering
- ENISA: phishing is the dominant vector (60% of intrusions)
- CrowdStrike: focuses on vishing (voice phishing) and help desk abuse
- Mandiant: includes employment fraud (the IT worker scheme) under this umbrella
- Verizon: a top-level "Pattern" and an "Action" category
Cloud Attacks
- CrowdStrike and Mandiant treat "Cloud" as a domain—a special environment requiring dedicated categories ("Cloud-Conscious," "Cloud Compromise")
- But is querying the IMDS metadata service a "cloud attack" or just credential theft that happens to occur in a cloud context?
The fundamental confusion is between what happened (outcome) and how it happened (cause). Ransomware is an outcome—loss of availability, often paired with extortion. The cause might be phishing, or exploitation of a vulnerable edge device, or abuse of stolen credentials. But when "Ransomware" becomes a top-level threat category, the cause disappears from view.
The Operational Pain
What does this terminology chaos cost you in practice?
| Problem | What Happens Today | Example |
|---|---|---|
| No Big Picture | Each report gives you data points, but no unified view. You can't see how threats connect or where your gaps cluster. | "Credential attacks are up" — but is that phishing? Brute force? Infostealer malware? Bought from a broker? Each is a different control problem. |
| Case-by-Case Controls | You implement controls reactively—one CVE, one incident, one audit finding at a time. No strategic coverage model. | You deploy MFA after a credential breach, EDR after ransomware, CASB after a cloud incident. Always one step behind. |
| Blind Comparison | You can't benchmark. Not against last year, not against peers, not against vendor claims. | CrowdStrike says identity attacks rose 220%. Verizon says 31% of breaches involved credentials. Are these the same thing? Higher or lower than before? You can't tell. |
| Control Gaps Hide | Without a complete threat map, you don't know what you're not measuring. Gaps stay invisible until exploited. | Your risk register tracks ransomware, phishing, and DDoS. What about supply chain trust failures? Configuration drift? No category = no visibility. |
| Translation Tax | Every conversation between board, CISO, and SOC requires manual translation. Same concepts, different words. | The board asks about "cyber risk," the CISO reports on "threat landscape," the SOC tracks "TTPs." Three meetings to align on one question. |
The Path Forward: Cause-Based Classification
What if you had a common language?
| Current State | With Cause-Based Classification |
|---|---|
| No Big Picture: Data points without structure | Complete Map: 10 threat clusters cover all possible causes. Nothing hides outside the model. |
| Case-by-Case Controls: Reactive, incident-driven | Strategic Coverage: 10 clusters × 5 asset scopes × 2 control types = systematic control mapping. Gaps become visible by design. |
| Blind Comparison: Incompatible metrics across vendors | Apples to Apples: Map any vendor's findings to the same 10 clusters. Compare year-over-year. Benchmark against peers. |
| Hidden Gaps: Unknown unknowns stay unknown | Explicit Risk Appetite: Force a "yes/no/tolerate" decision for each cluster. No silent omissions. |
| Translation Tax: Board / CISO / SOC speak different languages | Shared Grammar: Same 10 clusters from boardroom to SOC. Strategy connects to operations without loss. |
How TLCTC Resolves Each Ambiguity
| Vendor Confusion | TLCTC Resolution |
|---|---|
| "Ransomware" = Action? Intrusion Type? Threat? Strategy? | Ransomware is an outcome (Loss of Availability). The cause is #7 Malware (or the preceding step: #9 Social Engineering → #4 Identity Theft → #7). Classify the path, not the payment demand. |
| "Cloud" = Special domain requiring unique categories? | Cloud is a context, not a threat. Attacks in cloud environments map to the same clusters: #1 Abuse of Functions (control plane misuse), #4 Identity Theft (stolen cloud keys), #2 Exploiting Server (vulnerable cloud workload). |
| "Credential Theft" = Vector? Action? Outcome? | Separate the acquisition from the use. Credentials acquired via #9 Social Engineering or #7 Malware (infostealer). Credentials used = #4 Identity Theft. Two events, two controls, clear sequence. |
| "Third-Party/Supply Chain" = Who to blame? | #10 Supply Chain Attack occurs at the Trust Acceptance Event—the moment your system accepts the malicious input from the trusted source. Not the vendor's breach; your trust boundary failure. |
| "Breakout Time" vs. "Dwell Time" = Different clocks? | Attack Velocity (Δt) measures transition time between specific steps. Enables Detection Coverage Score: can your controls respond faster than the attack moves? |
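The table's rules (classify the causal path, keep the outcome separate, measure Δt between steps) can be modelled directly. The following Python is an added example, not TLCTC's own code: it records an incident as a chain of cause clusters, derives the path and Δt, and applies an assumed, simplified coverage check (a transition counts as covered when the response time for the preceding cluster is shorter than Δt). Only the cluster numbers and names quoted on this page are used; the incident and response times are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
# TLCTC cluster ids and names that appear on this page; the other clusters
# of the 10 are omitted rather than guessed.
CLUSTERS = {
    1: "Abuse of Functions",
    2: "Exploiting Server",
    4: "Identity Theft",
    7: "Malware",
    9: "Social Engineering",
    10: "Supply Chain Attack",
}

@dataclass(frozen=True)
class Step:
    cluster: int   # TLCTC cluster number: the cause, never the outcome
    at: datetime   # when the step was observed

def cause_path(steps):
    """Causal path as cluster numbers in time order, e.g. [9, 4, 7]."""
    return [s.cluster for s in sorted(steps, key=lambda s: s.at)]

def attack_velocity(steps):
    """Δt in minutes between consecutive steps, keyed by (from, to) cluster."""
    ordered = sorted(steps, key=lambda s: s.at)
    return {(a.cluster, b.cluster): (b.at - a.at).total_seconds() / 60
            for a, b in zip(ordered, ordered[1:])}

def detection_coverage(steps, response_minutes):
    """Assumed score (not the page's formula): fraction of transitions where
    the response time for the preceding cluster is shorter than Δt, i.e. the
    controls could act before the attack moved on. Also returns the gaps."""
    velocity = attack_velocity(steps)
    if not velocity:
        return 1.0, []
    gaps = [edge for edge, dt in velocity.items()
            if response_minutes.get(edge[0], float("inf")) >= dt]
    return 1 - len(gaps) / len(velocity), gaps

# Constructed incident: phishing -> stolen credentials used -> ransomware.
# The outcome is recorded separately from the cause path.
T0 = datetime(2025, 1, 15, 9, 0)
INCIDENT = [Step(9, T0), Step(4, T0 + timedelta(minutes=45)),
            Step(7, T0 + timedelta(hours=6))]
OUTCOME = "Loss of Availability"
RESPONSE = {9: 120, 4: 240, 7: 30}   # constructed response times in minutes

if __name__ == "__main__":
    print([f"#{c} {CLUSTERS[c]}" for c in cause_path(INCIDENT)], OUTCOME,
          detection_coverage(INCIDENT, RESPONSE))
```

With the constructed numbers, the #9 → #4 hop (45 minutes) is faster than the assumed 120-minute response to social engineering, so it shows up as the one uncovered transition.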
See these Reports Through the Lens of the TLCTC
M-Trends 2025: TLCTC Analysis
A cause-based analysis of Mandiant's M-Trends 2025 Report. Reframing outcome-based data into root-cause clusters.
ENISA Threat Landscape 2025
Strategic decomposition of 4,900+ incidents revealing the polarization between human manipulation and server exploitation.
2025 DBIR Analysis Through TLCTC
Mapping the Verizon DBIR to TLCTC v2.0. Key findings on Ransomware, Credential Misuse, and Edge Device Exploitation.
CrowdStrike 2025 Threat Hunting Report
Visualizing the shift to 81% malware-free attacks (#1, #4) and mapping adversaries like Scattered Spider.
TLCTC Brief: CrowdStrike Global Report
Confirms a strategic shift to Identity (#4) and Abuse of Functions (#1). 79% malware-free attacks.
Join the Conversation
TLCTC isn't a product. It's not locked behind a paywall or a sales call. The framework is released under CC BY 4.0—free to use, adapt, and build upon. We're not claiming it's complete. We're claiming it's useful—and that the industry needs a common language more than it needs another proprietary taxonomy.
Use it. Map your next incident to the 10 clusters. See if causes become clearer than outcomes. Break it. Find a real-world attack that doesn't fit. Find an edge case the clusters can't handle. That's how frameworks improve. Tell us what's missing. The goal isn't to be right. The goal is to give CISOs, analysts, and executives a shared vocabulary that actually works—from boardroom to SOC.
The measurement problem won't solve itself. But we can stop pretending that "ransomware" means the same thing to everyone.
Sources
- Verizon: 2025 Data Breach Investigations Report (DBIR)
- CrowdStrike: 2025 Global Threat Report
- CrowdStrike: 2025 Threat Hunting Report
- ENISA: ENISA Threat Landscape 2025
- Mandiant (Google Cloud): M-Trends 2025
- TLCTC: Top Level Cyber Threat Clusters (TLCTC) — Version 2.0