Parent Standards | The Defensible 10 Standards

THREAT PROFILES

Ten Threat Profiles that frame adversary operations through the eight Threat Operations Functions phases, anchored to the Intrusion Vault catalogs.

The Intrusion 8 Threat Profiles define how adversaries commonly succeed across the same 10 domains addressed by the Defensible 10 Standards (D10S). Each profile is written for education and instruction only, emphasizing exposure conditions, compromise pathways, and operational outcomes that defenders can plan against and validate.

Intrusion 8 organizes each profile using the eight Threat Operations Functions phases: Initial Reconnaissance, Initial Compromise, Establish Foothold, Escalate Privileges, Internal Reconnaissance, Move Laterally, Maintain Presence, and Complete Mission. This structure helps Blue Teams connect threat realism to defensible design, detection planning, and verification and validation.

TP01

Coming Soon - 2026

Network Intrusion and Lateral Movement

Focuses on how adversaries gain an initial network foothold, expand access through internal reconnaissance and lateral movement, and reach mission outcomes. Highlights segmentation gaps, permissive pathways, and control failures that enable spread across hybrid environments.

TP02

Coming Soon - 2026

Cloud control plane abuse

Covers how threat actors misuse cloud identities, permissions, and management plane capabilities to gain persistent control and expand access. Emphasizes exposure conditions such as weak identity governance, over-permissioned roles, and insufficient logging across cloud services.

TP03

Coming Soon - 2026

Workload and platform compromise

Addresses how adversaries compromise compute platforms and workloads, then maintain presence through persistence mechanisms and privileged execution. Emphasizes hardened baselines, workload identity, runtime integrity signals, and prevention of internal spread from compromised hosts.

TP04

Coming Soon - 2026

Application trust abuse and injection

Explains how adversaries exploit trust boundaries in applications through injection, insecure authentication flows, and weak authorization. Emphasizes conditions that enable execution, data access, and privilege escalation, as well as outcomes that degrade integrity and business trust.

TP05

Coming Soon - 2026

Data discovery and exfiltration

Covers how adversaries locate high-value data, expand access, and move data to external destinations to complete mission objectives. Emphasizes exposure conditions such as weak classification, excessive access, poor egress controls, and gaps in monitoring across data stores.

TP06

Coming Soon - 2026

Identity takeover and privilege escalation

Focuses on how adversaries obtain credentials, bypass authentication, and escalate privileges to gain durable control of enterprise identities. Emphasizes identity exposure conditions, privileged-access weaknesses, and the operational outcomes of high-assurance account takeover.

TP07

Coming Soon - 2026

Vulnerability exploitation and operationalization

Explains how vulnerabilities are discovered, exploited, and converted into reliable intrusion pathways that support foothold, escalation, and mission completion. Emphasizes exposure conditions such as unmanaged attack surface, weak patch governance, and lack of validation of mitigation effectiveness.

TP08

Coming Soon - 2026

Detection evasion and response degradation

Covers how adversaries reduce defender visibility, weaken telemetry, and interfere with response workflows to maintain presence and complete mission objectives. Emphasizes exposure conditions, including logging gaps, weak correlation, limited containment automation, and fragmented response ownership.

TP09

Coming Soon - 2026

Key theft, misuse, and cryptographic boundary failure

Explains how adversaries obtain or misuse keys, certificates, and cryptographic trust material to bypass protections and impersonate trusted systems. Emphasizes key lifecycle weaknesses, trust boundary misconfiguration, and outcomes that undermine confidentiality and integrity.

TP10

Coming Soon - 2026

Pipeline, dependency, and release compromise

Covers how adversaries compromise build and release processes, poison dependencies, and introduce persistent access through trusted delivery mechanisms. Emphasizes exposure conditions in pipeline permissions, artifact trust, dependency governance, and release validation that enable stealthy mission completion.

D10

ISAUnited's
Red Team
Intelligence

THREAT PROFILES

Network Intrusion and Lateral Movement

Cloud control plane abuse

Workload and platform compromise

Application trust abuse and injection

Data discovery and exfiltration

Identity takeover and privilege escalation

Vulnerability exploitation and operationalization

Detection evasion and response degradation

Key theft, misuse, and cryptographic boundary failure

Pipeline, dependency, and release compromise

Supported by:

Training by:

ISAUnited's Red Team Intelligence

THREAT PROFILES

Network Intrusion and Lateral Movement

Cloud control plane abuse

​Workload and platform compromise

Application trust abuse and injection

Data discovery and exfiltration

Identity takeover and privilege escalation

Vulnerability exploitation and operationalization

Detection evasion and response degradation

Key theft, misuse, and cryptographic boundary failure

Pipeline, dependency, and release compromise

Supported by:

Training by:

ISAUnited's
Red Team
Intelligence

Workload and platform compromise