Module 01 hands-on objectives. Each row maps a LABS component to its KSAT type, (L)EARN to Knowledge, (A)PPLY to Skill, (B)UILD to Ability, (S)IMULATE to Task, so the exam at the end of the module assesses the same competencies the labs build.

Defenders, threat hunters, detection engineers, IR teams, and partner organizations describe the same platform in different vocabularies. The METEORSTORM data model replaces those parallel dialects with a single, machine-readable structure that every function and every community speaks.

▷ THE PARENT TRACE

STRUCTURE. Every element sits in one of four layers: PCE → SEG → SVC → AST.

DETECTION. A finding fires on an AST, the analyst’s starting point.

PARENT TRACE BEGINS. The element names its SVC as PARENT; the trace follows that link outward.

FULL TRACE. The same chain reaches SEG and PCE, anchoring every element to its physical environment.

01 02 03 04

PAUSE

▷ THE FOUR STRUCTURAL LAYERS

OFFICIAL MISP TAXONOMY · meteorstorm

PCE PRIMARY CAPABILITY ENVIRONMENT LAYER

Operational zone in which a capability primarily exists or is exercised.

SEG SEGMENT LAYER

Service and asset enclaves that compose the system across environments.

SVC SERVICE LAYER

Functional planes that organize control and data responsibilities.

AST ASSET LAYER

Asset classes composing the system and its interfaces.

The data model is built from two complementary languages. Taxonomy fixes the vocabulary, the words you are allowed to use. Ontology fixes the relationships between the things named by that vocabulary. The framework needs both.

▷ TAXONOMY · THE WORDS

One controlled vocabulary, shared inside and outside your organisation. Cyber, space ops, engineering, vendors, peer operators, and Space ISAC all use the same words for the same things, no private dialects, no translation tax.

PCE · 5 elements: TE Terrestrial, AQ Aquatic, AE Aerial, OR Orbital, DS Deep Space.

SEG · 10 elements: LA Launch, LI Link, GR Ground, US User, AQ Aquatic, LO Low Altitude, HI High Altitude, NE Near Space, SP Space, DE Deep Space.

SVC · 3 elements: CP Control Plane, DP Data Plane, HY Hybrid.

AST · 6 elements: HW Hardware, FW Firmware, SW Software, DA Data, SI Signal, HY Hybrid.

▷ ONTOLOGY · THE RELATIONSHIPS

Rules for how elements relate. The four structural layers form a strict parent-child chain.

PCE is the root, no PARENT. Every other layer traces back to one or more PCE instances.

SEG’s PARENT is one or more PCE instances.

SVC’s PARENT is one or more SEG instances.

AST’s PARENT is exactly one SVC.

PCE SEG SVC AST

PAUSE

This module covers the four structural layers, the parts of the platform you decompose. The fifth layer, the Analytic Layer, sits on top of those four and carries what defenders observe and build. We introduce it here and use it throughout Modules 02 through 05.

▷ THE FIVE LAYERS

▷ LAYER DETAIL

PCEPrimary Capability Environment

The operational zone where the platform physically lives and works.

The question it answers: Where does the platform physically operate?

Five environments: Terrestrial, Aquatic, Aerial, Orbital, Deep Space.

SEGSegment

A self-contained piece of the platform that plays a specific operational role.

The question it answers: What role does this part of the platform play?

Ten segments: Launch, Link, Ground, User, Aquatic, Low Altitude, High Altitude, Near Space, Space, Deep Space.

SVCService

The functional plane a segment runs on, how it controls things or how it moves data.

The question it answers: What capability does this part deliver?

Three services: Control Plane, Data Plane, Hybrid.

ASTAsset

The concrete things that make a service work, the hardware, code, data, and signals.

The question it answers: Which concrete things implement the capability?

Six asset classes: Hardware, Firmware, Software, Data, Signal, Hybrid.

ANAnalytic (overlay)

A separate layer for what defenders observe and build. It does not describe the platform, it attaches to the four structural layers above.

The question it answers: What do defenders know, see, and do about the platform?

Six categories: indicators (IOC, IOA), adversary behavior (ATT, THR), defenses (DET, RES).

PCE SEG SVC AST AN

PAUSE

An enumerated element is one specific instance on your platform, a particular ground station, a particular service, a particular asset. Every enumerated element, at any layer, uses the same five core fields. Once you know these five, the rest of Module 01 is just variations on this single shape. (The shorter taxonomy element form, the abstract category, is covered next.)

Every element appears in two forms. A taxonomy element names the category, written hyphenated, e.g. PCE-OR (any orbital environment). An enumerated element names one specific instance on your platform, written with all five fields, e.g. PCE: OR: Orbital: 00, “Our LEO constellation orbit.” Use the hyphen form when you mean “any of these”; use the full form when you mean “this exact one.”

An ontology element is the wiring between two enumerated elements, the link that says “this thing belongs to that thing.” In METEORSTORM, the ontology element is the PARENT field. Every enumerated element below the top of the tree names its parent, and together those ontological relationships build one platform tree that any finding can be traced through. There are exactly three structural relationships: PCE → SEG (each segment’s parent is an environment), SEG → SVC (each service’s parent is a segment), and SVC → AST (each asset’s parent is a service). PCE sits at the top and has no parent, it is the root.

▷ THE TRACE IN MOTION

▷ ELEMENT & PARENT

STEP 01 · THE FINDING

AST: HW: Hardware: 03

A specific enumerated element: LAYER: ELEMENT: LABEL: ORDINAL. A detection fires on this asset.

PARENT → SVC: CP: Control Plane: 00

STEP 02 · ONE LAYER UP

SVC: CP: Control Plane: 00

The control-plane service that hosts the asset. The trace follows its PARENT outward.

PARENT → SEG: GR: Ground: 00

STEP 03 · ANOTHER LAYER UP

SEG: GR: Ground: 00

The ground segment hosting that service. One step closer to the physical environment.

PARENT → PCE: TE: Terrestrial: 00

STEP 04 · ROOT REACHED

PCE: TE: Terrestrial: 00

The terrestrial site the platform operates from. PCE is the root: no parent.

PARENT → none (root)

AST SVC SEG PCE

PAUSE

Decompose your platform top-down: enumerate every PCE first, then every SEG, then every SVC, and finally every AST. Each child element needs its parent enumerated first, otherwise the PARENT link has nowhere to point. Within each element, the seven-step procedure below is identical at every layer; only which steps apply changes (PCE has no PARENT; SVC adds DISTRIBUTED; AST adds optional SUBSYSTEM).

Taxonomy gives the element a name. Ontology gives it a position. Annotation, the DESCRIPTION field, is what makes the element useful to downstream functions. A weak description forces the next analyst to re-derive context the original enumerator already knew.

PCE is the root of decomposition. It captures the physical environment in which the platform, or some portion of it, operates. Every other entry in the model, every segment, service, asset, traces back through parent references to one or more PCE instances.

▷ THE FIVE PCE ELEMENTS

▷ ELEMENT DETAIL

OFFICIAL MISP TAXONOMY · meteorstorm:pce

PCE-TE

EXAMPLE INSTANCE: PCE: TE: Terrestrial: 00

TERRESTRIAL

Surface-based operational zones on planetary bodies.

ELEMENT 1 OF 5

PCE-AQ

EXAMPLE INSTANCE: PCE: AQ: Aquatic: 00

AQUATIC

Water-based operational zones, including maritime domains.

ELEMENT 2 OF 5

PCE-AE

EXAMPLE INSTANCE: PCE: AE: Aerial: 00

AERIAL

Atmospheric operational zones spanning low, high, and near-space regions.

ELEMENT 3 OF 5

PCE-OR

EXAMPLE INSTANCE: PCE: OR: Orbital: 00

ORBITAL

Operational zones within planetary or satellite orbits.

ELEMENT 4 OF 5

PCE-DS

EXAMPLE INSTANCE: PCE: DS: Deep Space: 00

DEEP SPACE

Operational zones beyond planetary orbital regimes.

ELEMENT 5 OF 5

TE AQ AE OR DS

PAUSE

Surface-based operational zones on planetary bodies. Captures the physical real estate, regulatory jurisdiction, and terrestrial weather context for any portion of the platform anchored to a planet or moon’s surface.

▷ PCE-TE VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Any portion of the platform, control center, antenna farm, data center, manufacturing facility, launch pad, sits on the ground of a planetary body. One PCE-TE-NN per distinct surface site. Geographic separation matters: a primary and a backup ground complex are typically separate ordinals so failover analysis stays clean.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Mission operations center site
• · Primary ground station antenna farm
• · Backup ground station (separate region)
• · Launch site / vehicle integration facility
• · Spacecraft manufacturing campus

CONCEPT EXAMPLE

PAUSE

Water-based operational zones, including maritime surface, sub-surface, and littoral environments. Captures the portion of a platform that floats on, sails through, or operates beneath the water column.

▷ PCE-AQ VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Elements of the platform sit on, in, or under water as a primary operating zone, not transiting. Subsea cabling, downrange recovery vessels, sea-launch barges, and undersea sensor networks all live here. Maritime jurisdiction, sea-state telemetry, and acoustic environment data attach to PCE-AQ elements.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Subsea telemetry / fiber cable run
• · Downrange telemetry recovery ship
• · Sea-launch platform or barge
• · Autonomous maritime surface vehicle
• · Sub-surface acoustic sensor network

CONCEPT EXAMPLE

PAUSE

Atmospheric operational zones spanning low altitude, high altitude, and near-space regions of a planetary atmosphere. Aerial PCE captures the medium; segments later refine the altitude band an asset actually lives in.

▷ PCE-AE VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Any portion of the platform operates within an atmosphere but not on or beneath a surface, drones, balloons, HAPS / LAPS, near-space vehicles, transit aircraft. Atmospheric weather, civil aviation jurisdiction, and electromagnetic propagation context all attach to PCE-AE.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · HAPS communications relay platform
• · Surveillance UAV or drone swarm
• · Stratospheric weather balloon
• · Long-endurance solar UAV
• · Comms / chase aircraft

CONCEPT EXAMPLE

PAUSE

Operational zones within planetary or satellite orbits, from LEO through GEO and lunar orbit. Anything held in orbit by the gravity of a single primary body lives here.

▷ PCE-OR VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

A portion of the platform is in orbit, satellites, on-orbit servicing vehicles, propellant depots, orbital relays. Space-weather feeds, orbital debris environment data, conjunction risk, and SDA correlate against PCE-OR elements. One ordinal per orbital regime where ops differ materially (e.g. LEO bus vs. GEO relay).

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · LEO satellite constellation
• · GEO communications spacecraft
• · MEO navigation satellite
• · On-orbit servicing vehicle
• · Lunar orbital relay

CONCEPT EXAMPLE

PAUSE

Operational zones beyond planetary orbital regimes, interplanetary cruise, Lagrange points, asteroid encounters, and trans-lunar space. The distinguishing test is gravitational dominance: when no single primary body controls the trajectory, the asset is in deep space.

▷ PCE-DS VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

A portion of the platform operates outside the gravitational regime of a single planet or moon, deep-space probes, interplanetary transit vehicles, Lagrange-point observatories. Communication latency, DSN scheduling, and cislunar / interplanetary navigation context attach here.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Interplanetary science probe
• · Sun-Earth L1 / L2 observatory
• · Cislunar relay beyond lunar orbit
• · Asteroid rendezvous spacecraft
• · Deep-space orbital tug

CONCEPT EXAMPLE

PAUSE

SEG decomposes the platform along the operational lines an adversary would use when selecting a target. Each segment is an enclave of services and assets that play one architectural role, launch, link, ground, user, space, and so on, within one or more PCE environments.

▷ THE TEN SEG ELEMENTS

▷ ELEMENT DETAIL

OFFICIAL MISP TAXONOMY · meteorstorm:seg

SEG-LA

EXAMPLE INSTANCE: SEG: LA: Launch: 00

LAUNCH

Surface-based services and assets for primary launch operations.

ELEMENT 1 OF 10

SEG-LI

EXAMPLE INSTANCE: SEG: LI: Link: 00

LINK

Services and assets enabling platform communications across signal paths.

ELEMENT 2 OF 10

SEG-GR

EXAMPLE INSTANCE: SEG: GR: Ground: 00

GROUND

Surface-based services and assets for primary platform operations, serving as the primary locus of control plane activity.

ELEMENT 3 OF 10

SEG-US

EXAMPLE INSTANCE: SEG: US: User: 00

USER

Services and assets for primary end-user operations.

ELEMENT 4 OF 10

SEG-AQ

EXAMPLE INSTANCE: SEG: AQ: Aquatic: 00

AQUATIC

Water-based services and assets for primary platform operations.

ELEMENT 5 OF 10

SEG-LO

EXAMPLE INSTANCE: SEG: LO: Low Altitude: 00

LOW ALTITUDE

Aerial services and assets in the lower atmosphere.

ELEMENT 6 OF 10

SEG-HI

EXAMPLE INSTANCE: SEG: HI: High Altitude: 00

HIGH ALTITUDE

Aerial services and assets above the lower atmosphere but below near space.

ELEMENT 7 OF 10

SEG-NE

EXAMPLE INSTANCE: SEG: NE: Near Space: 00

NEAR SPACE

Aerial services and assets above high altitude and below orbital regions.

ELEMENT 8 OF 10

SEG-SP

EXAMPLE INSTANCE: SEG: SP: Space: 00

SPACE

Services and assets operating in planetary or satellite orbits.

ELEMENT 9 OF 10

SEG-DE

EXAMPLE INSTANCE: SEG: DE: Deep Space: 00

DEEP SPACE

Services and assets operating beyond planetary orbital regimes.

ELEMENT 10 OF 10

LA LI GR US AQ LO HI NE SP DE

PAUSE

Surface-based services and assets dedicated to primary launch operations, the people, hardware, software, and procedures that put the platform into the air or into orbit.

▷ SEG-LA VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing pre-launch and launch-day operations: vehicle integration, range safety, propellant handling, launch control, and the brief but critical window when the platform is most exposed to physical and supply-chain attack. Typically parents to one PCE-TE instance.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Launch pad and flame trench
• · Vehicle integration facility
• · Range safety and tracking
• · Propellant storage / fueling
• · Launch control room

CONCEPT EXAMPLE

PAUSE

Services and assets that enable platform communications across signal paths, RF, optical, or hard-wired. Link is the connective tissue of the platform, and one of the adversary’s primary kill-chain choke points.

▷ SEG-LI VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing the path that carries telemetry, command, or mission product between segments, TT&C uplink and downlink, inter-satellite links, ground backhaul. Each major path is its own SEG-LI element so jamming, interception, and degradation analysis can target a specific link.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · TT&C uplink / downlink
• · Optical inter-satellite link
• · Payload data downlink
• · Fiber backhaul between ground stations
• · Cross-link to relay constellation

CONCEPT EXAMPLE

PAUSE

Surface-based services and assets that form the primary control-plane locus for the platform, the operational center of gravity for command, monitoring, and mission planning.

▷ SEG-GR VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing the persistent control footprint, the antennas, racks, networks, and operators that fly the platform day-to-day. Primary and backup ground complexes are usually separate ordinals (SEG-GR-00, SEG-GR-01) so failover paths model cleanly.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Mission Operations Center (MOC)
• · Network Operations Center (NOC)
• · Primary ground station antennas
• · Backup / contingency ground site
• · Satellite control center

CONCEPT EXAMPLE

PAUSE

Services and assets that serve primary end-user operations, the destination for the platform’s mission product. User segment captures the consumption side of the platform, distinct from the operator-side Ground segment.

▷ SEG-US VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing where the mission output is consumed, operator terminals in the field, downstream tasking clients, end-user devices. Users may be internal (warfighter, scientist) or external (commercial subscriber); both attach as SEG-US with their PCE enumerated accordingly.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Field user terminal (SATCOM)
• · PNT receiver in a vehicle
• · Downstream tasking client
• · Mobile / handheld user device
• · Integrated operator console

CONCEPT EXAMPLE

PAUSE

Water-based services and assets dedicated to primary platform operations. The segment-level counterpart to PCE-AQ: PCE-AQ is the environment, SEG-AQ is the operational role being played in that environment.

▷ SEG-AQ VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing portions of the platform that perform their primary operational role in or under the water, subsea cabling, recovery vessels, ocean-deployed sensors. Treats maritime as a first-class segment type instead of forcing it into a Ground or Link analogue.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Subsea telemetry cable
• · Downrange recovery ship
• · Ocean-deployed sensor array
• · Sea-launch barge in operation
• · Autonomous underwater vehicle

CONCEPT EXAMPLE

PAUSE

Aerial services and assets operating in the lower atmosphere, typically below the upper bound of civil aviation. Captures drones, comms aircraft, and chase platforms that share airspace with civilian flight operations.

▷ SEG-LO VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing platform elements that fly within civil aviation altitudes and inherit civil aviation jurisdiction (FAA, EASA, etc.). Adversary considerations: GPS denial, cellular interference, ATC deconfliction.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Surveillance UAV / drone
• · Comms relay drone
• · Low-altitude relay aircraft
• · Launch chase aircraft
• · Tethered low-altitude platform

CONCEPT EXAMPLE

PAUSE

Aerial services and assets operating above the lower atmosphere but below near space, the regime of stratospheric balloons, U-class observation aircraft, and long-endurance solar UAVs.

▷ SEG-HI VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing high-altitude platforms that operate above commercial flight ceilings but still within an atmosphere. Adversary considerations: long persistence, restricted access for kinetic intercept, sensitivity to upper-atmosphere weather.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Stratospheric weather balloon
• · U-2 class observation aircraft
• · Long-endurance solar UAV
• · High-altitude RPA
• · Stratospheric science platform

CONCEPT EXAMPLE

PAUSE

Aerial services and assets above high altitude but below orbital regions, the mesosphere and lower thermosphere. Home to HAPS (High-Altitude Platform Stations) and persistent stratospheric relays.

▷ SEG-NE VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing near-space platforms that act as quasi-orbital relays without orbital mechanics, persistent station-keeping over a target region, low latency to ground, no need to wait for a satellite pass. Increasingly relevant as commercial HAPS comes online.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · HAPS communications platform
• · Near-space surveillance vehicle
• · Persistent stratospheric relay
• · Mesosphere science balloon
• · Pseudo-satellite (HAPS / PsuedoSat)

CONCEPT EXAMPLE

PAUSE

Services and assets operating in planetary or satellite orbits, the on-orbit element of the platform. The most familiar segment in classical space-systems decomposition, but here it is one role among ten, not the whole sky.

▷ SEG-SP VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing on-orbit platform elements and the services they deliver, satellite buses, payload modules, on-orbit servicing vehicles, formation-flying companions. Distinguish bus, payload, and supporting craft as separate ordinals when their threat exposure differs.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Satellite bus
• · Payload module / hosted payload
• · On-orbit servicing vehicle
• · Propellant depot
• · Formation-flying companion

CONCEPT EXAMPLE

PAUSE

Services and assets operating beyond planetary orbital regimes. Captures mission elements that live in interplanetary space, at Lagrange points, or beyond lunar orbit, where communication latency, DSN scheduling, and autonomy dominate the threat model.

▷ SEG-DE VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing platform elements operating beyond cislunar orbit. Long round-trip light times mean these segments lean heavily on autonomous decision-making, expanding the attack surface for command-spoofing and onboard-AI manipulation.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Interplanetary science probe
• · Lagrange-point observatory
• · Cislunar relay beyond lunar orbit
• · Asteroid rendezvous spacecraft
• · Deep-space orbital tug

CONCEPT EXAMPLE

PAUSE

SVC decomposes the functional capabilities the platform delivers across its segments. The taxonomy is deliberately compact, three values, so the model stays stable while permitting organization-specific nesting beneath. A service that runs across more than one segment stays a single element marked DISTRIBUTED: Y.

▷ THE THREE SVC ELEMENTS

▷ ELEMENT DETAIL

OFFICIAL MISP TAXONOMY · meteorstorm:svc

SVC-CP

EXAMPLE INSTANCE: SVC: CP: Control Plane: 00

CONTROL PLANE

Services for managing and orchestrating platform control functions.

ELEMENT 1 OF 3

SVC-DP

EXAMPLE INSTANCE: SVC: DP: Data Plane: 00

DATA PLANE

Services for managing and orchestrating mission product functions.

ELEMENT 2 OF 3

SVC-HY

EXAMPLE INSTANCE: SVC: HY: Hybrid: 00

HYBRID

Services integrating both control and data plane functionalities.

ELEMENT 3 OF 3

CP DP HY

PAUSE

Services for managing and orchestrating platform control functions, command, monitoring, configuration, telemetry processing, fault detection. Control plane services move command and state, not mission product.

▷ SVC-CP VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing capabilities whose purpose is to control, configure, monitor, or recover the platform itself. The control plane is where many adversaries pivot once they reach a foothold, decomposing it cleanly is what makes lateral-movement detection feasible.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · TT&C command & control
• · Mission planning service
• · Fleet operations / scheduling
• · Ground network orchestration
• · FDIR (fault detection, isolation, recovery)

CONCEPT EXAMPLE

PAUSE

Services for managing and orchestrating mission-product functions, payload processing, data product generation, downstream delivery. Data plane services move what the mission exists to produce.

▷ SVC-DP VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing capabilities whose purpose is to process, store, or deliver mission product, not to manage the platform itself. The data plane is the most attractive integrity-attack surface, the same data may underwrite operational decisions worth far more than the spacecraft.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Payload data processing pipeline
• · Image archive & dissemination
• · Scientific data reduction service
• · Customer delivery / tasking API
• · PNT signal generation

CONCEPT EXAMPLE

PAUSE

Services that integrate both control-plane and data-plane functionality in a single coherent capability. Reserved for cases where the two planes genuinely cannot be separated without distorting the architecture.

▷ SVC-HY VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

A service genuinely owns both responsibilities and a forced split would create two phantom elements that re-merge in operations, edge mission processors, integrated tasking + downlink stacks, convergent cloud-native ground segments. Default to CP or DP first; reach for HY only when the integration is real.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Cloud-native ground segment (control + processing)
• · Integrated tasking + downlink service
• · Edge mission processor on a satellite
• · Convergent operator + product portal
• · Onboard autonomy that issues commands & products

CONCEPT EXAMPLE

PAUSE

AST decomposes the concrete elements that implement services. Six material categories cover the full surface of a complex platform, hardware, firmware, software, data, signal, and hybrid composites. Optional SUBSYSTEM groups assets that jointly deliver a single service.

▷ THE SIX AST ELEMENTS

▷ ELEMENT DETAIL

OFFICIAL MISP TAXONOMY · meteorstorm:ast

AST-HW

EXAMPLE INSTANCE: AST: HW: Hardware: 00

HARDWARE

Physical elements supporting platform operations.

ELEMENT 1 OF 6

AST-FW

EXAMPLE INSTANCE: AST: FW: Firmware: 00

FIRMWARE

Embedded control code governing hardware functions.

ELEMENT 2 OF 6

AST-SW

EXAMPLE INSTANCE: AST: SW: Software: 00

SOFTWARE

Applications and logic executing operational tasks.

ELEMENT 3 OF 6

AST-DA

EXAMPLE INSTANCE: AST: DA: Data: 00

DATA

Information generated, processed, or consumed by the platform.

ELEMENT 4 OF 6

AST-SI

EXAMPLE INSTANCE: AST: SI: Signal: 00

SIGNAL

Communication channels and transmission frequencies.

ELEMENT 5 OF 6

AST-HY

EXAMPLE INSTANCE: AST: HY: Hybrid: 00

HYBRID

Composite elements combining multiple asset types.

ELEMENT 6 OF 6

HW FW SW DA SI HY

PAUSE

Physical elements supporting platform operations, electronic, mechanical, optical, electromagnetic. The tangible parts of the platform that can be inventoried, photographed, and physically touched.

▷ AST-HW VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing physical assets that exist in space or on the ground. Granularity is a judgment call: enumerate at the level where a different make/model or vendor would change the threat picture, not at the level of individual screws.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Antenna or antenna array
• · Spacecraft transponder
• · On-board computer (OBC)
• · Ground-station server / switch
• · Environmental / attitude sensor

CONCEPT EXAMPLE

PAUSE

Embedded control code governing hardware functions, code that ships with hardware, runs at boot, and lives below the operating system. Firmware is a frequent supply-chain attack surface and one of the hardest layers to patch in the field.

▷ AST-FW VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing code that is installed on or with hardware, BIOS / UEFI, FPGA bitstreams, baseband modems, peripheral controllers. Enumerating firmware separately from the host hardware makes vendor-supplied vulnerabilities (and patch cadence) visible at the data-model level.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Spacecraft bus firmware
• · FPGA bitstream / microcode
• · Antenna controller firmware
• · NIC / switch firmware
• · Baseband modem firmware

CONCEPT EXAMPLE

PAUSE

Applications and logic executing operational tasks, user-mode, kernel-mode, container, microservice. Software runs above firmware and delivers service-level capability, the layer where most of the vulnerability disclosures live.

▷ AST-SW VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing distinct software elements a defender would patch, monitor, or replace independently, mission planning app, payload processor, telemetry parser, web console. Granularity should map to upgrade boundaries: if it ships and patches separately, it’s its own asset.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Mission planning application
• · Ground-segment middleware / bus
• · Payload processing software
• · Telemetry parser / decoder
• · Operator web console

CONCEPT EXAMPLE

PAUSE

Information generated, processed, or consumed by the platform. Data is a first-class asset, not a second-class observable. Mission product, configuration, key material, and ephemeris all enumerate alongside hardware and software.

▷ AST-DA VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing the data products themselves and the operational data the platform handles, mission product files, configuration baselines, key material, ephemeris, customer ground truth. Treating data as an asset is what makes integrity-first detection engineering possible.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Telemetry archive
• · Payload product file / dataset
• · Mission plan / command schedule
• · Encryption key material
• · Ephemeris / TLE store

CONCEPT EXAMPLE

PAUSE

Communication channels and transmission frequencies used by the platform. Signal is a first-class asset: detection engineering for jamming, spoofing, and signal-level intrusion lives inside the same enumeration as the hardware that emits it.

▷ AST-SI VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

Capturing the RF, optical, or wired signals that carry command and product, uplink frequencies, downlink bands, optical inter-satellite links, fiber backhaul circuits. Each major signal path is its own asset so signal-level threats correlate cleanly to it.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · TT&C uplink frequency
• · Payload downlink band
• · Optical inter-satellite link
• · PNT navigation signal
• · Fiber backhaul circuit

CONCEPT EXAMPLE

PAUSE

Composite elements combining multiple asset types, sealed appliances, vendor-delivered subsystems, integrated mission boxes. Reserved for cases where decomposing further would lose architectural meaning or exceed what the supplier exposes.

▷ AST-HY VIEW

▷ DETAIL

FRAME 1 OF 2 · DECOMPOSE WHEN

An asset’s hardware, firmware, software, data, and signal cannot be usefully separated for the purpose at hand, e.g. a sealed crypto module, a delivered ground rack, a black-box payload. Default to the specific asset class first; reach for HY only when the integration genuinely cannot be decomposed.

FRAME 2 OF 2 · TYPICAL EXAMPLES

• · Sealed cryptographic module (HSM)
• · Vendor-delivered ground rack
• · COTS GPS receiver subsystem
• · Integrated mission appliance
• · Black-box payload package

CONCEPT EXAMPLE

PAUSE

Each entry elements its parent, the entry at the layer immediately above. A detection that fires on an asset is automatically traceable to the service it implements, the segment that hosts it, and the environment it sits in.

▷ THE PARENT CHAIN

▷ PARENT RULE

PCEPRIMARY CAPABILITY ENVIRONMENT

PCE is the root of the decomposition. No PARENT field.

EXAMPLE PARENT REFERENCE

(none, PCE is root)

LAYER 1 OF 5

SEGSEGMENT

Every SEG entry elements one or more PCE instances as its PARENT.

EXAMPLE PARENT REFERENCE

PCE: TE: Terrestrial: 00

LAYER 2 OF 5

SVCSERVICE

Every SVC entry elements one or more SEG instances as its PARENT.

EXAMPLE PARENT REFERENCE

SEG: GR: Ground: 00

LAYER 3 OF 5

ASTASSET

Every AST entry elements exactly one SVC instance as its PARENT.

EXAMPLE PARENT REFERENCE

SVC: CP: Control Plane: 00

LAYER 4 OF 5

ANANALYTIC OVERLAY

AN is not in the parent-child chain. It attaches to structural elements via TARGET fields (TOE, TDM, TRE).

EXAMPLE TARGET REFERENCE

TOE = AST: HW: Hardware: 03

LAYER 5 OF 5 · OVERLAY

PCE SEG SVC AST AN

PAUSE

The Analytic Layer (AN) does not describe the platform. It describes what an analyst knows, or needs to know, about the platform’s security posture. Every analytic entry attaches via TARGET fields to one or more structural elements.

▷ THE SIX AN SUB-CATEGORIES

▷ SUB-CATEGORY DETAIL

OFFICIAL MISP TAXONOMY · meteorstorm:an

AN-IOC

EXAMPLE INSTANCE: AN: IOC: Indicator of Compromise: 00

INDICATOR OF COMPROMISE

Verifiable indication that the platform has been compromised.

QUESTION: Has there been a confirmed compromise?

SUB-CATEGORY 1 OF 6 · FUNCTIONS 2–4

AN-IOA

EXAMPLE INSTANCE: AN: IOA: Indicator of Attack: 00

INDICATOR OF ATTACK

Verifiable indication that the platform has been targeted.

QUESTION: Is there a confirmed attack underway?

SUB-CATEGORY 2 OF 6 · FUNCTIONS 2–4

AN-ATT

EXAMPLE INSTANCE: AN: ATT: Attack Path: 00

ATTACK PATH

Known or modeled attack path for a converged space system.

QUESTION: Is there an active attack path?

SUB-CATEGORY 3 OF 6 · FUNCTION 3

AN-THR

EXAMPLE INSTANCE: AN: THR: Threat: 00

THREAT

Known adversarial threat to the platform.

QUESTION: Is there a confirmed active threat?

SUB-CATEGORY 4 OF 6 · FUNCTION 2

AN-DET

EXAMPLE INSTANCE: AN: DET: Detection Signature: 00

DETECTION SIGNATURE

Pattern, signal, or logic that triggers on contextualized threat behavior.

QUESTION: Is there a confirmed detection gap?

SUB-CATEGORY 5 OF 6 · FUNCTION 3

AN-RES

EXAMPLE INSTANCE: AN: RES: Resilience Measure: 00

RESILIENCE MEASURE

Protective capability ensuring resistance or recovery from threats, for either immediate implementation or as feedback for future platform engineering efforts.

QUESTION: What resilience measures should we add?

SUB-CATEGORY 6 OF 6 · FUNCTION 4

IOC IOA ATT THR DET RES

PAUSE