Skip to content

Releases: jgulyash/THREAT-Matrix

v1.3.0 — Facilities Matrix + Matrix-Wide Scoring

Choose a tag to compare

@jgulyash jgulyash released this 13 Jul 06:01

THREAT Matrix v1.3.0 — content 1.3.0 · schema 1.3.0 · MIT

The Facilities matrix is complete and the scoring layer is now consistent matrix-wide. This is the first release with two fully-authored attack-surface matrices (People + Facilities) and end-to-end reliability-gated scoring.

Highlights

  • Facilities matrix (40 tactics, 200 indicators) across all four lifecycle phases — the first non-person attack-surface matrix authored end-to-end.
  • informs_axes completed matrix-wide on Facilities (200/200) — six-axis type-level threat-picture metadata, extended via a sealed-blind two-rater inter-rater-reliability pass (weighted Cohen κ 0.75–0.90 across eight chunks, gate 0.60).
  • Facility target dimensionfacility_target_scope (breadth of site selection) + within_site_focus (what inside bears the harm), authored under a revealed reading and rendered in the indicator detail.
  • People target_identity re-authored to a revealed reading (190/190) — replaces the near-constant compatibility field with what each behavior actually resolves about victim identity; validated by a sealed-blind spot-IRR (per-value κ 0.80).
  • Scoring reconciliation (B-10)recoverability_inverse is now a clean own-harm axis matrix-wide; intrusion collateral re-authored off the single-victim floor to reflect the population a defeated control exposes.
  • Assessment Guidance rendered on all 74 tactics; instance-conditioning contract (Layer 2) shipped as a schema contract with escalate-only safety invariants.

Methodology

Every judgment-authored field ships behind a reliability gate — sealed-blind two-rater IRR with per-chunk adjudication and documented locked calls. Severity thresholds are calibratable to threat posture; the composite scoring math is swappable with documented rationale.

Live: https://jgulyash.github.io/THREAT-Matrix/
Full changelog: see CHANGELOG.md.

v1.2.2 — People-matrix scope broadening, Detection Mesh, escalation & informs_axes pilots

Choose a tag to compare

@jgulyash jgulyash released this 05 Jul 03:53

Feature release. Broadens the People matrix scope from a single specific
individual to one or more human beings as the primary target, adds the
Detection Mesh cross-referencing layer with an interactive indicator detail
page, and introduces two experimental type-level annotation surfaces —
informs_axes and the escalation-scoring fields — as pilots on the
phase-1 chunk (TM0101–TM0104). Framework content advances to 1.2.2 to
align with the JSON Schema and release; the schema additions are all
additive (existing 1.1.0 content validates unchanged).

Added

  • People-matrix scope broadening. The matrix now covers one or more
    human beings as the primary target, spanning four target-identity
    sub-classes: named_individual, role_or_identity_category,
    affinity_group, and indiscriminate. New per-indicator
    target_identity (multi-select) and per-tactic target_identity_scope
    fields, a canonical matrices.{X}.scope sentence per matrix, and a
    matrices.boundary_rule describing framework-vs-operational placement.
  • Detection Mesh. Per-indicator correlates_with cross-references,
    an inline "Related" surface, and a new /person/indicator/:id detail
    page with click-through navigation. Reference-resolution lint
    (scripts/lint/mesh-refs.py) and CI (.github/workflows/mesh-refs.yml).
  • informs_axes (EXPERIMENTAL — pilot). Type-level categorical
    metadata (six axes, strong/moderate/weak/none) describing which
    axes of the threat picture an indicator class informs. Populated on the
    23 phase-1 chunk indicators (TM0101–TM0104) via a sealed-blind
    inter-rater exercise (weighted Cohen κ 0.66 / Gwet AC2 0.78, substantial
    agreement). Not yet populated on the remaining 167 indicators; treat as
    a pilot, not full coverage.
  • Escalation scoring (EXPERIMENTAL — pilot). Type-level
    escalation_axes, escalation_weight, severity_band, and
    temporal_signature, with an escalation_rubric documenting the
    recommended composite and severity thresholds. Populated on the same 23
    phase-1 indicators. Consumers should calibrate severity_band
    thresholds to their environment and treat the current coverage as a
    pilot.

Changed

  • 34-tactic scope-prose audit. People-matrix tactic notes and
    indicator behavior text extended so that behaviors whose logic
    generalizes are no longer worded to a single named individual: location
    and target references broadened to admit venues, crowds, and cohesive
    groups; force, seizure, captive-control, attribution, and coercive-
    leverage indicators extended to multiple or group targets. Subject
    Profiling remains individual-and-cohesive-group by design (a genuinely
    indiscriminate target has no shared pattern to profile and is addressed
    through Environmental Survey).
  • Plural display labels (People / Facilities / Organizations) across the
    SVG overview and README; systeminfrastructure rename aligned with
    the V1.1 data-side rename.
  • SPA TypeScript types extended to cover all V1.2 fields.

V1.1.1 — SPA bundle rebuild patch

Choose a tag to compare

@jgulyash jgulyash released this 04 May 05:47

Patch release correcting a build-artifact defect in the 1.1.0 viewer
bundle. The framework.json and framework.schema.json artifacts at
1.1.0 were correct (downstream consumers fetching either file directly
were unaffected); the SPA bundle that GitHub Pages served to the viewer
was a stale Session 20-era build that did not include the V1.1 content
authored after 2026-04-29.

The framework.json content version remains 1.1.0. The
framework.schema.json schema version remains 1.1.0. Only the SPA
build artifact and package.json were updated.

Fixed

  • SPA bundle (docs/assets/index-*.js) rebuilt from current source. The
    previously-shipped 1.1.0 bundle was built before the Session 21
    V1.1 content authoring and contained framework data with only TA0101,
    TA0103, and TA0305 populated and 15 bibliography entries. The
    rebuilt bundle includes all 34 Person tactics with full V1.1 mandatory
    fields, indicators, countermeasures, response protocols, and Detection
    Mesh cross-links; both new bibliography entries
    (KIM-JONGNAM-KUL-2017, CHAINALYSIS-CCR-2024); the schema enum
    extensions (rf_detection, anti_drone_systems, weeks_to_months);
    and the GULYASH-FIELD-OPS-2004-2026 source attribution across the
    corpus.
  • package.json version bumped from 1.1.0 to 1.1.1 to reflect the
    build artifact change.

Notes

Root cause: src/App.tsx imports framework.json at build time (Vite
bundles JSON imports), so framework content commits do not reach the
viewer until the SPA bundle is rebuilt. The release ritual for 1.1.0
did not include a pre-tag bundle rebuild step. A pre-release build
verification check should be added to the release process to prevent
recurrence.

V1.1.0 — Open Standard Release

Choose a tag to compare

@jgulyash jgulyash released this 04 May 03:43

The first release under the V1.1 standard contract. Promotes THREAT Matrix
from a framework to an open standard with a published versioning policy,
identifier contract, deprecation discipline, and reference consumer.
Person matrix Detection & Response is complete across all 34 tactics.

Added

Standard contract

  • VERSIONING.md — independent SemVer for content and schema, frozen-published rule, fixed-section CHANGELOG template
  • IDENTIFIERS.md — five operational namespaces (TA####, AP###, IND-, CM-, RP-*), compound-ID anatomy, never-reused guarantee
  • DEPRECATION.md — four-state lifecycle (active / deprecated / superseded / reserved), required fields per state, sunset window
  • NOTICES.md — MIT License, bibliographic sources, related work, attribution format
  • VOICE.md — six locked authoring rules (Rules 1–4 in pre-V1.1; Rules 5 + 6 added this release: canonical actor naming and voice variety palette)
  • examples/python_consumer.py — minimum viable reference consumer (stdlib + jsonschema), demonstrating phase + actor filters
  • examples/README.md — starting-point guide for five common consumer shapes

Architecture

  • schema_version field in framework.json (independent from content version)
  • Top-level phase_mappings cross-walk to NTAC, Calhoun & Weston, CERT, Cyber Kill Chain, MITRE ATT&CK, and MITRE ATLAS
  • Top-level detection_mesh with five axes (cross_phase, cross_matrix, cross_domain, cross_countermeasure, cross_stakeholder)
  • Mandatory tactic fields: field_notes, observed_contexts, evidence_basis, source_refs
  • Formal JSON Schema published at docs/data/framework.schema.json (Draft 2020-12)

Person Detection & Response

  • All 34 Person tactics (TA0101–TA0108, TA0201–TA0209, TA0301–TA0308, TA0401–TA0409) authored to V1.1 quality with full mandatory fields, indicators, countermeasures, response protocols, and Detection Mesh cross-links (correlates_with, compensates_for, coordinates_with) populated across all four phases
  • GULYASH-FIELD-OPS-2004-2026 source attribution applied across the corpus where framework content is observed in operational casework

Schema enum extensions

  • indicator.detection_sources: added rf_detection (RF spectrum monitoring) and anti_drone_systems (acoustic / radar / RF triangulation)
  • countermeasure.time_to_implement: added weeks_to_months (resolves TA0103 CM-0103-04 enum violation)

Bibliography

  • KIM-JONGNAM-KUL-2017 — Lowy Institute (The Interpreter) coverage of the 13 Feb 2017 Kim Jong-nam assassination, sourcing the unwitting-bystander media-production deception archetype in TA0306
  • CHAINALYSIS-CCR-2024 — Chainalysis Crypto Crime Report, sourcing the comparative blockchain-forensics tracing-speed claim in TA0405

SPA + assets

  • Vite / React 18 / TypeScript single-page application; bundle prebuilt at docs/assets/ so GitHub Pages serves without a build step
  • 18 components (HeatMapGrid, TopNav, FilterBar, SplitView, PhasePanel, TacticDetail, ActorDetailView, ActorProfilesView, BibliographyView, StubLanding) plus detection-response subcomponents
  • docs/images/threat-lifecycle-diagram.svg (light-mode SPA tokens, four-phase lifecycle with phase-accent color bars)
  • docs/images/matrix-overview.svg (light-mode tokens, matrix accent color top strips, V1.1 LIVE / V1.3–V1.5 IN PROGRESS pill aesthetic)
  • Sources dropdown UI across IndicatorSection / CountermeasureSection / ResponseProtocolSection

Changed

  • Top-level matrix key: systeminfrastructure (and 9 actor-profile primary_matrices arrays updated accordingly)
  • SPA matrix version labels: V2 / V3 / V4V1.3 / V1.4 / V1.5
  • Bibliography ID: GULYASH-FIELD-OPS-2010-2025GULYASH-FIELD-OPS-2004-2026
  • Phase 4 actor track: FLIGHTEVADE (in SVG and SPA labels)
  • Countermeasure subcategory display label: DetectiveDetection (schema enum value detective retained — display-only)
  • WARDEN positioning removed from README / ROADMAP consumer claims; framework.json.warden_integration retained as status: reserved per DEPRECATION.md "reserved" lifecycle state
  • Authoring voice canonicalization (Rule 5): pre-canonical wording (Subject / subject-target pair) replaced with Threat actor / threat actor — targeted subject pair across all populated tactics; clinical diction (incongruity, practitioner) replaced with palette alternatives in tactic content

Removed

  • Legacy single-file React-via-Babel SPA in docs/index.html (replaced by Vite build)
  • docs/images/kill-chain-diagram.svg (replaced by threat-lifecycle-diagram.svg)

Fixed

  • TA0103 IND-0103-03 typo: targeted sujbecttargeted subject
  • TA0103 CM-0103-04 pre-existing time_to_implement: weeks_to_months enum violation (resolved via schema enum extension)
  • threat-lifecycle-diagram.svg XML parse error (illegal -- in comment)
  • matrix-overview.svg IN PROGRESS pill sizing (text overflow at 108px → widened to 132px → narrowed to 120px for visual balance)
  • ROADMAP.md line 19 extra columns and line 51 double-hash
  • Broken V1.1-Schema-Spec.md link from README

Security

  • None specific to V1.1.0.