Releases: jgulyash/THREAT-Matrix
Release list
v1.3.0 — Facilities Matrix + Matrix-Wide Scoring
THREAT Matrix v1.3.0 — content 1.3.0 · schema 1.3.0 · MIT
The Facilities matrix is complete and the scoring layer is now consistent matrix-wide. This is the first release with two fully-authored attack-surface matrices (People + Facilities) and end-to-end reliability-gated scoring.
Highlights
- Facilities matrix (40 tactics, 200 indicators) across all four lifecycle phases — the first non-person attack-surface matrix authored end-to-end.
informs_axescompleted matrix-wide on Facilities (200/200) — six-axis type-level threat-picture metadata, extended via a sealed-blind two-rater inter-rater-reliability pass (weighted Cohen κ 0.75–0.90 across eight chunks, gate 0.60).- Facility target dimension —
facility_target_scope(breadth of site selection) +within_site_focus(what inside bears the harm), authored under a revealed reading and rendered in the indicator detail. - People
target_identityre-authored to a revealed reading (190/190) — replaces the near-constant compatibility field with what each behavior actually resolves about victim identity; validated by a sealed-blind spot-IRR (per-value κ 0.80). - Scoring reconciliation (B-10) —
recoverability_inverseis now a clean own-harm axis matrix-wide; intrusion collateral re-authored off the single-victim floor to reflect the population a defeated control exposes. - Assessment Guidance rendered on all 74 tactics; instance-conditioning contract (Layer 2) shipped as a schema contract with escalate-only safety invariants.
Methodology
Every judgment-authored field ships behind a reliability gate — sealed-blind two-rater IRR with per-chunk adjudication and documented locked calls. Severity thresholds are calibratable to threat posture; the composite scoring math is swappable with documented rationale.
Live: https://jgulyash.github.io/THREAT-Matrix/
Full changelog: see CHANGELOG.md.
v1.2.2 — People-matrix scope broadening, Detection Mesh, escalation & informs_axes pilots
Feature release. Broadens the People matrix scope from a single specific
individual to one or more human beings as the primary target, adds the
Detection Mesh cross-referencing layer with an interactive indicator detail
page, and introduces two experimental type-level annotation surfaces —
informs_axes and the escalation-scoring fields — as pilots on the
phase-1 chunk (TM0101–TM0104). Framework content advances to 1.2.2 to
align with the JSON Schema and release; the schema additions are all
additive (existing 1.1.0 content validates unchanged).
Added
- People-matrix scope broadening. The matrix now covers one or more
human beings as the primary target, spanning four target-identity
sub-classes:named_individual,role_or_identity_category,
affinity_group, andindiscriminate. New per-indicator
target_identity(multi-select) and per-tactictarget_identity_scope
fields, a canonicalmatrices.{X}.scopesentence per matrix, and a
matrices.boundary_ruledescribing framework-vs-operational placement. - Detection Mesh. Per-indicator
correlates_withcross-references,
an inline "Related" surface, and a new/person/indicator/:iddetail
page with click-through navigation. Reference-resolution lint
(scripts/lint/mesh-refs.py) and CI (.github/workflows/mesh-refs.yml). informs_axes(EXPERIMENTAL — pilot). Type-level categorical
metadata (six axes,strong/moderate/weak/none) describing which
axes of the threat picture an indicator class informs. Populated on the
23 phase-1 chunk indicators (TM0101–TM0104) via a sealed-blind
inter-rater exercise (weighted Cohen κ 0.66 / Gwet AC2 0.78, substantial
agreement). Not yet populated on the remaining 167 indicators; treat as
a pilot, not full coverage.- Escalation scoring (EXPERIMENTAL — pilot). Type-level
escalation_axes,escalation_weight,severity_band, and
temporal_signature, with anescalation_rubricdocumenting the
recommended composite and severity thresholds. Populated on the same 23
phase-1 indicators. Consumers should calibrateseverity_band
thresholds to their environment and treat the current coverage as a
pilot.
Changed
- 34-tactic scope-prose audit. People-matrix tactic notes and
indicator behavior text extended so that behaviors whose logic
generalizes are no longer worded to a single named individual: location
and target references broadened to admit venues, crowds, and cohesive
groups; force, seizure, captive-control, attribution, and coercive-
leverage indicators extended to multiple or group targets. Subject
Profiling remains individual-and-cohesive-group by design (a genuinely
indiscriminate target has no shared pattern to profile and is addressed
through Environmental Survey). - Plural display labels (People / Facilities / Organizations) across the
SVG overview and README;system→infrastructurerename aligned with
the V1.1 data-side rename. - SPA TypeScript types extended to cover all V1.2 fields.
V1.1.1 — SPA bundle rebuild patch
Patch release correcting a build-artifact defect in the 1.1.0 viewer
bundle. The framework.json and framework.schema.json artifacts at
1.1.0 were correct (downstream consumers fetching either file directly
were unaffected); the SPA bundle that GitHub Pages served to the viewer
was a stale Session 20-era build that did not include the V1.1 content
authored after 2026-04-29.
The framework.json content version remains 1.1.0. The
framework.schema.json schema version remains 1.1.0. Only the SPA
build artifact and package.json were updated.
Fixed
- SPA bundle (
docs/assets/index-*.js) rebuilt from current source. The
previously-shipped1.1.0bundle was built before the Session 21
V1.1 content authoring and contained framework data with only TA0101,
TA0103, and TA0305 populated and 15 bibliography entries. The
rebuilt bundle includes all 34 Person tactics with full V1.1 mandatory
fields, indicators, countermeasures, response protocols, and Detection
Mesh cross-links; both new bibliography entries
(KIM-JONGNAM-KUL-2017,CHAINALYSIS-CCR-2024); the schema enum
extensions (rf_detection,anti_drone_systems,weeks_to_months);
and theGULYASH-FIELD-OPS-2004-2026source attribution across the
corpus. package.jsonversion bumped from1.1.0to1.1.1to reflect the
build artifact change.
Notes
Root cause: src/App.tsx imports framework.json at build time (Vite
bundles JSON imports), so framework content commits do not reach the
viewer until the SPA bundle is rebuilt. The release ritual for 1.1.0
did not include a pre-tag bundle rebuild step. A pre-release build
verification check should be added to the release process to prevent
recurrence.
V1.1.0 — Open Standard Release
The first release under the V1.1 standard contract. Promotes THREAT Matrix
from a framework to an open standard with a published versioning policy,
identifier contract, deprecation discipline, and reference consumer.
Person matrix Detection & Response is complete across all 34 tactics.
Added
Standard contract
VERSIONING.md— independent SemVer for content and schema, frozen-published rule, fixed-section CHANGELOG templateIDENTIFIERS.md— five operational namespaces (TA####, AP###, IND-, CM-, RP-*), compound-ID anatomy, never-reused guaranteeDEPRECATION.md— four-state lifecycle (active / deprecated / superseded / reserved), required fields per state, sunset windowNOTICES.md— MIT License, bibliographic sources, related work, attribution formatVOICE.md— six locked authoring rules (Rules 1–4 in pre-V1.1; Rules 5 + 6 added this release: canonical actor naming and voice variety palette)examples/python_consumer.py— minimum viable reference consumer (stdlib + jsonschema), demonstrating phase + actor filtersexamples/README.md— starting-point guide for five common consumer shapes
Architecture
schema_versionfield inframework.json(independent from contentversion)- Top-level
phase_mappingscross-walk to NTAC, Calhoun & Weston, CERT, Cyber Kill Chain, MITRE ATT&CK, and MITRE ATLAS - Top-level
detection_meshwith five axes (cross_phase, cross_matrix, cross_domain, cross_countermeasure, cross_stakeholder) - Mandatory tactic fields:
field_notes,observed_contexts,evidence_basis,source_refs - Formal JSON Schema published at
docs/data/framework.schema.json(Draft 2020-12)
Person Detection & Response
- All 34 Person tactics (TA0101–TA0108, TA0201–TA0209, TA0301–TA0308, TA0401–TA0409) authored to V1.1 quality with full mandatory fields, indicators, countermeasures, response protocols, and Detection Mesh cross-links (
correlates_with,compensates_for,coordinates_with) populated across all four phases GULYASH-FIELD-OPS-2004-2026source attribution applied across the corpus where framework content is observed in operational casework
Schema enum extensions
indicator.detection_sources: addedrf_detection(RF spectrum monitoring) andanti_drone_systems(acoustic / radar / RF triangulation)countermeasure.time_to_implement: addedweeks_to_months(resolves TA0103 CM-0103-04 enum violation)
Bibliography
KIM-JONGNAM-KUL-2017— Lowy Institute (The Interpreter) coverage of the 13 Feb 2017 Kim Jong-nam assassination, sourcing the unwitting-bystander media-production deception archetype in TA0306CHAINALYSIS-CCR-2024— Chainalysis Crypto Crime Report, sourcing the comparative blockchain-forensics tracing-speed claim in TA0405
SPA + assets
- Vite / React 18 / TypeScript single-page application; bundle prebuilt at
docs/assets/so GitHub Pages serves without a build step - 18 components (HeatMapGrid, TopNav, FilterBar, SplitView, PhasePanel, TacticDetail, ActorDetailView, ActorProfilesView, BibliographyView, StubLanding) plus detection-response subcomponents
docs/images/threat-lifecycle-diagram.svg(light-mode SPA tokens, four-phase lifecycle with phase-accent color bars)docs/images/matrix-overview.svg(light-mode tokens, matrix accent color top strips, V1.1 LIVE / V1.3–V1.5 IN PROGRESS pill aesthetic)- Sources dropdown UI across IndicatorSection / CountermeasureSection / ResponseProtocolSection
Changed
- Top-level matrix key:
system→infrastructure(and 9 actor-profileprimary_matricesarrays updated accordingly) - SPA matrix version labels:
V2/V3/V4→V1.3/V1.4/V1.5 - Bibliography ID:
GULYASH-FIELD-OPS-2010-2025→GULYASH-FIELD-OPS-2004-2026 - Phase 4 actor track:
FLIGHT→EVADE(in SVG and SPA labels) - Countermeasure subcategory display label:
Detective→Detection(schema enum valuedetectiveretained — display-only) - WARDEN positioning removed from README / ROADMAP consumer claims;
framework.json.warden_integrationretained asstatus: reservedper DEPRECATION.md "reserved" lifecycle state - Authoring voice canonicalization (Rule 5): pre-canonical wording (
Subject/subject-target pair) replaced withThreat actor/threat actor — targeted subject pairacross all populated tactics; clinical diction (incongruity,practitioner) replaced with palette alternatives in tactic content
Removed
- Legacy single-file React-via-Babel SPA in
docs/index.html(replaced by Vite build) docs/images/kill-chain-diagram.svg(replaced bythreat-lifecycle-diagram.svg)
Fixed
- TA0103 IND-0103-03 typo:
targeted sujbect→targeted subject - TA0103 CM-0103-04 pre-existing
time_to_implement: weeks_to_monthsenum violation (resolved via schema enum extension) threat-lifecycle-diagram.svgXML parse error (illegal--in comment)matrix-overview.svgIN PROGRESS pill sizing (text overflow at 108px → widened to 132px → narrowed to 120px for visual balance)ROADMAP.mdline 19 extra columns and line 51 double-hash- Broken
V1.1-Schema-Spec.mdlink from README
Security
- None specific to V1.1.0.