// Operational Doctrine

The Threat Domain Model

Nine operational domains orbit a single CORE. The Core is where you see everything — SIEM, SOAR, forensics, telemetry. Each surrounding domain is a place an incident can live, and each has a pivot: the identifier you correlate on. Spin the wheel — every technology, decoded.

◈ 10 domains ◈ 101 technologies ◈ 1 core

TD00

The Core — Detection & Response Fabric

The nervous system every other domain reports into.

The Core is not a place attackers live — it is where defenders see everything. Telemetry from all nine domains flows here to be normalized, correlated, alerted on, and turned into action. Master the Core and every other domain becomes legible; neglect it and you are blind no matter how many sensors you deploy.

◎ Primary Pivot · Key Element

The case / alert

alert ID case # correlation ID detection rule ID

The Core's pivot is the investigation itself. Everything from every domain is stitched to a case so a single timeline can span an email, a login, a host, and a cloud API call.

Technologies & Topics (10)

Go deeper in the Academy BLUE//CITADEL
🌐

TD01

Network

Everything that crosses the wire — and the sensors that watch it.

The network is the connective tissue between every asset, which makes it a superb vantage point: attackers can hide a process but they cannot avoid talking. Network defense is about seeing the conversations — who talked to whom, over what, encrypted or not — and spotting the ones that shouldn't exist.

◎ Primary Pivot · Key Element

IP address (+ port, domain, certificate)

203.0.113.7 :443 evil.example[.]com JA3/JA4 hash ASN 64500

The IP tuple (source, destination, port) is the atomic unit of network evidence. Analysts pivot from a suspicious IP to every host that touched it, then to the domains and TLS fingerprints behind it.

Technologies & Topics (10)

Go deeper in the Academy PACKET//STORM
🖥️

TD02

Endpoint

Where code actually executes — and leaves fingerprints.

Servers, laptops, and workstations are where attacker intent becomes action: processes spawn, files drop, memory changes. The endpoint offers the deepest visibility of any domain, because you can see the actual command line — if you're collecting the right telemetry before the incident, not after.

◎ Primary Pivot · Key Element

Hostname (+ process, file hash, user session)

WIN-DC01 PID 4821 powershell.exe SHA-256 … logon session 0x3e7

The hostname anchors endpoint evidence; from there you pivot into the process tree (parent/child lineage), loaded modules, and the account the process ran as.

Technologies & Topics (10)

Go deeper in the Academy BLUE//CITADEL
✉️

TD03

Communications

The inbox: still the number-one way in.

Email remains the most common initial-access vector on Earth, because it targets people, not machines. This domain covers the authenticity plumbing that proves who sent a message, the scams that slip past it, and the mailbox-level tricks attackers use once they're inside an account.

◎ Primary Pivot · Key Element

Email address / mailbox (+ message-ID, sender domain)

ceo@company.com Message-ID: <…> return-path domain inbox rule

The mailbox is the pivot: from a reported phish you trace the sender domain, authentication results, every other recipient, and any inbox rules the attacker created to hide their tracks.

Technologies & Topics (10)

Go deeper in the Academy HUMAN//ELEMENT
☁️

TD04

Cloud

Someone else's computer — with your data and your API keys.

In the cloud the perimeter dissolves into API calls and IAM policy. The number-one risk isn't a novel exploit — it's misconfiguration: a public bucket, an over-permissioned role, a leaked key. Defense means reading the control-plane logs and knowing exactly who can do what to which resource.

◎ Primary Pivot · Key Element

Account / subscription (+ resource ARN, principal, API key)

AWS acct 1234… arn:aws:s3:::bucket AKIA… access key IAM role session

The cloud pivot is the identity-and-resource pair in the audit log: which principal (user, role, or key) called which API on which resource. CloudTrail/Activity logs make the whole control plane a timeline.

Technologies & Topics (10)

Go deeper in the Academy NEON//ORACLE
🪪

TD05

Identity

The new perimeter. Attackers don't break in — they log in.

When the network perimeter dissolved, identity became the control plane. A valid token is a skeleton key that sails past firewalls and EDR alike. This domain covers how trust is federated across systems, and how attackers steal, forge, and replay the assertions that prove who you are.

◎ Primary Pivot · Key Element

User / principal (+ token, session, service principal)

jdoe@corp OAuth access_token Kerberos TGT session cookie svc-backup

The user (or non-human principal) is the pivot. Investigations follow an identity across every app and domain it touched — logins, token grants, consent, and privilege changes — regardless of which device or IP was used.

Technologies & Topics (10)

Go deeper in the Academy NEON//ORACLE
🧩

TD06

Application

The code you ship is the attack surface you own.

Every app you expose is a promise that its logic can't be twisted against you. From a marketing 'brochureware' site to a sprawling API, applications are attacked through the same recurring flaw classes — and defended by building security into the pipeline, not bolting it on after.

◎ Primary Pivot · Key Element

Application / endpoint URL (+ session, API key, config item)

/api/v2/orders app: payments-web session JWT CMDB CI-4471

The pivot is the application and its request: which endpoint, from which session, hitting which backend. WAF logs and app logs correlate a malicious request to the account and data it touched.

Technologies & Topics (10)

Go deeper in the Academy RED//HORIZON
🏭

TD07

Operational Technology / Manufacturing

Where a bad packet can break a physical machine.

Operational Technology runs the physical world — turbines, pumps, assembly lines. Here safety and availability outrank confidentiality, decades-old protocols have no authentication, and you cannot simply reboot a running furnace. Defending OT means understanding the Purdue model and keeping the corporate network's chaos away from the plant floor.

◎ Primary Pivot · Key Element

Physical asset / controller (+ tag, HMI, process value)

PLC-07 Modbus reg 40001 HMI station 3 setpoint 350°C

The pivot is the controller and the process it governs. Analysts correlate commands to a PLC with the physical setpoints and sensor 'tags' — because the real impact is measured in temperature, pressure, and RPM, not bytes.

Technologies & Topics (10)

Go deeper in the Academy PACKET//STORM
📱

TD08

Mobile

The trusted computer in every pocket — half of it unmanaged.

Phones hold corporate mail, MFA prompts, and a microphone, yet live outside the traditional perimeter and often on personal devices. Mobile security balances managing the device against respecting the user, defends two very different platforms, and contends with app side-loading and the occasional nation-grade zero-click implant.

◎ Primary Pivot · Key Element

Device (+ IMEI/UDID, app package, enrollment)

device UDID IMEI 3591… com.evil.app (APK) MDM enrollment ID

The pivot is the enrolled device and its identifiers. From a flagged device you trace its enrollment, installed apps (by package name), compliance state, and the user and mailbox behind it.

Technologies & Topics (10)

Go deeper in the Academy SIGNAL//ZERO
🤖

TD09

Artificial Intelligence & Machine Learning

The newest domain — a model is now an asset, a target, and an attacker.

AI is the ninth domain because models are now production systems with their own attack surface: they can be tricked, poisoned, extracted, and turned into confused deputies with real permissions. This domain covers securing the models you run — and defending against the AI-accelerated adversary on the other side.

◎ Primary Pivot · Key Element

Model (+ prompt, dataset, agent/tool call)

model: gpt-x-prod system prompt training set v3 tool_call: send_email

The pivot is the model and its context: which model, invoked with which prompt, over which data, and — critically for agents — which tools it was allowed to call. AI observability logs make a model's decisions auditable.

Technologies & Topics (11)

Go deeper in the Academy NEON//ORACLE
ESC
↑↓ navigate jack in