UTC
01
FUNCTION 01 FUNCTION 05 FUNCTION 04 FUNCTION 03 CONTEXTUALIZED THREAT MODELING FUNCTION 02
Function Two
CONTEXTUALIZED
THREAT MODELING

Master Contextualized Threat Modeling.

“The adversary suffers when every strike they imagine is already prepared for.”

Your department is one day old, and it has already given Kestrel Orbital something it never had: yesterday you brought Satellite Operations and Satellite Design & Engineering to the same table, and their two views of the platform reconciled into one CONOPS of fifty-four enumerated elements, the first artifact all three departments read without translation. Today the Space Cybersecurity Operations and Resilience department you are building takes its second step: you convene all three departments, and the Security Operations Center steps forward with the threat picture. You drive the organization to develop an attack-to-defend capability across kinetic, non-kinetic, electronic warfare, cyber warfare, and other key exposure domains, including naturally occurring threats. You model those threats against the same fifty-four elements, and the catalogue the three departments build together feeds the risk analysis NIS2 Article 21(2)(a) requires, anchored to the command-and-control scope Executive Order 14144 protects.

MODULE TWO
01/12
00
DAY 2 · Contextualized Threat Modeling

DAY 2 START

Today you anchor real adversary threats to the fifty-four telecommand elements enumerated on Day 1, so each threat points at the exact part of the command path it would target. Yesterday Satellite Operations and Satellite Design & Engineering built the structural language; today the Security Operations Center starts writing in it, and the shared model grows its first analytic elements. The anchored catalogue feeds the risk analysis NIS2 Article 21(2)(a) requires for the scope Executive Order 14144 protects.

MODULE TWO
00/00
UTC
03
L1 · day 2 opens with a Security Operations Center briefing on intel-source types

INTELLIGENCE-DRIVEN RESILIENCE STARTS WITH FIVE INTEL SOURCES, EVERY THREAT CITED TO ONE

Day 2 opens in the Security Operations Center, and this time the department is presenting, not being sold. Its analysts brief the room, Satellite Operations and Satellite Design & Engineering included, on the five source types threat intelligence lands from: four from outside the organization (a vendor or Space ISAC feed, a government advisory, a peer operator, and open source) and one from the center’s own threat hunting. Sourcing and citing every threat to one of these is what moves the organization off assumption-based defense and onto intelligence-driven, resilient operations, so recognize each source on sight and note where it came from.

Threat-intel provider dashboard
▷ EXTERNAL · 01
TI PROVIDER

A commercial threat-intel vendor feed, or the Space ISAC feed the organization’s own mandate requires. That channel is live; consuming from it starts today.

Cite as: vendor + advisory ID.

Government attribution bulletin
▷ EXTERNAL · 02
GOVERNMENT

A federal advisory or attribution bulletin from a national cyber-defense agency.

Cite as: agency + advisory reference.

Peer satellite operators sharing adversary profiles
▷ EXTERNAL · 03
PEER-SHARED

An adversary profile or incident retrospective shared by another satellite operator.

Cite as: peer org + retro ID.

OSINT, open-source publications and public databases
▷ EXTERNAL · 04
OSINT

An open-source publication, peer-reviewed paper, or public threat database. Today’s working source is a peer-reviewed study of the weaknesses that threaten satellite command and control.

Cite as: publication + URL or DOI.

Internal threat hunter at workstation
▷ INTERNAL · 05
INTERNAL HUNT

A threat your own Security Operations Center surfaced through in-house hunting on this platform.

Cite as: internal hunt ticket + analyst.

MODULE TWO
03/12
UTC
04
L1 · the first intel report has arrived

THREAT INTEL REPORT HAS ARRIVED

  • A credible peer-reviewed research report on command-and-control threats, prepared against the platform you defend. It walks the four operational enclaves (Space, Link, Ground, User), names the potential attacks each one currently faces, and lists the platform subsystems each attack would touch. Open the report (button below) before going further.
  • Read each segment’s narrative for the situational picture, then walk its table of potential attacks. Plausibility is judged with the departments: Satellite Operations weighs each threat against the platform as flown, Satellite Design & Engineering against the platform as built, the same two views that produced the CONOPS. Match each plausible threat to the platform subsystems in the right two columns; set aside threats that have nothing to match.
  • This is the first source of the day; more will arrive (the four external types from the Security Operations Center briefing, and the center’s own internal hunting). The matched threats from this report and the others will become the working list you take into the rest of today’s analytic work.
ⓘ INTEL REPORT
L1 · The First Intel Report Has Arrived

An OSINT Threat Assessment Just Landed from the Security Operations Center

What just arrived. A composite OSINT threat assessment prepared for the platform you defend. It walks the platform’s four operational enclaves (Space, Link, Ground, User), describes the potential attacks each one currently faces, and lists the platform subsystems each attack would touch. Open the report from the button on this slide before going further.

How to read it. For each enclave, read the short narrative for the situational picture, then walk the table of potential attacks. Decide which threats are plausible, with Satellite Operations weighing each against the platform as flown and Satellite Design & Engineering against the platform as built, and match each plausible threat to the subsystems listed in the right two columns. Threats that cannot match anything on this platform get set aside; that disciplined matching is what makes today’s threat picture “contextualized” rather than generic.

The first of several. This report is the first source of the day; more will arrive from the four external types and from the Security Operations Center’s own internal hunting (per its briefing). The matched threats from this report and the others become the working list you take into the rest of today’s analytic work.

Intel report landing on the analyst's desk
INTEL ARRIVES

A credible research report on command-and-control threats lands on your desk: segment-by-segment narrative of potential attacks, with the subsystems each one would touch.

Analyst reviewing the intel against the platform
YOU ASSESS IT

Review each segment’s narrative, decide which potential attacks are plausible against the platform you defend, and match each one to the subsystems on yesterday’s decomposition.

MODULE TWO
04/12
UTC
05
A2 · enumerating threat elements

CONTEXTUALIZED THREAT MODELING PROCESS

Inputs. Yesterday’s decomposition: 54 ETENs of the telecommand path, the command-and-control scope Executive Order 14144 and the NIS2 Directive set. Threat intelligence sources in scope (vendor advisories, MITRE ATT&CK techniques, peer-reviewed research on command-and-control threats, internal red-team output). Output. One AN-THR ETEN per threat you add to the enumerated set, each one anchored to one or more decomposed elements via TOE. Six steps, fixed order. Set LAYER (always AN), identify the source, set TAG (THR), assign the ORDINAL, enumerate the TOE, then write the Description. Constraint. Every AN-THR must name at least one decomposed-layer ETEN in TOE; threats with no anchor stay out of the enumerated set until either the anchor is decomposed or the threat is scoped out.

01
Enumerate the LAYER
LAYER = AN (fixed; identifies this as an Analytic Layer element).
02
Identify the source
Threat-intelligence provider, government attribution statement, peer-shared adversary profile, or Open-Source Intelligence (OSINT). The source is what makes the threat citable and reproducible.
03
Set the TAG to THR
The element identifies this as a Threat element within the Analytic Layer (AN-THR).
04
Assign an ORDINAL
Two-digit ordinal starting at 00 (AN:THR:Threat:00, AN:THR:Threat:01, and so on); one ordinal per distinct threat element.
05
Enumerate the TOE
Target of Exploitation: enumerate the structural elements the threat is directed against. For platform-wide threats, the TOE may name the platform itself; for targeted threats, enumerate the specific PCE, SEG, SVC, or AST elements the threat is aimed at.
06
Write the DESCRIPTION
Identify the threat actor or threat class, describe the assessed capability, and cite the source. This is the line a peer operator will read to act on the element.
Repeat for the next threat. When the enumerated set covers the three departments' priority threat list, the AN-THR enumeration is current.
MODULE TWO
05/12
UTC
06
B1 · threat ETENs for the User segment

USER SEGMENT THREATS

  • Yesterday Satellite Operations and Satellite Design & Engineering reconciled the User segment into the CONOPS: console workstation, console operator software, end-user app, crypto keys, mission product data, plus the user-side services like Satellite Console and User Application. Today's intel report names threats that target users. Each row below is one of those threats anchored via TOE to the User-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear: there is nothing on this platform to attack until the CONOPS adds the element.
  • Every TOE on these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires.
  • Every element carries a SOURCE. In this set the SOURCE is OSINT because the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
ID AN-THR ETEN TOE · SVC TOE · AST
AN-THR:00 AN:THR:Threat:00:End-user application tampering: degrades operator’s trust in mission product by modifying the consuming application or the displayed data. SVC:DP:Data Plane:02 (end-user app data plane) AST:SW:Software:08 (end-user app SW), AST:DA:Data:04 (mission product data)
AN-THR:01 AN:THR:Threat:01:Operator console credential theft: steals operator or service-account credentials from the console workstation to impersonate the operator. SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:15 (user-side ACA) AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW), AST:DA:Data:03 (HSM keys)
MODULE TWO
06/12
UTC
07
B1 · threat ETENs for the Ground segment

GROUND SEGMENT THREATS

  • Yesterday Satellite Operations and Satellite Design & Engineering reconciled the Ground segment into the CONOPS: ground crypto, ground ACA, launch control, AFSS, patch updates, plus ACA credentials, patch binaries, ground ACA software, patch deployment pipeline. Today's intel report names threats that target ground infrastructure. Each row below is one of those threats anchored via TOE to the Ground-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear.
  • Every TOE on these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires.
  • Every element carries a SOURCE. In this set the SOURCE is OSINT because the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
ID AN-THR ETEN TOE · SVC TOE · AST
AN-THR:02 AN:THR:Threat:02:Long-dwell network intrusion: nation-state intrusion set pursuing persistent access to ground-side crypto and ACA. SVC:CP:Control Plane:08 (ground crypto), SVC:CP:Control Plane:09 (ground ACA) AST:SW:Software:02 (ground ACA SW), AST:DA:Data:01 (ACA credentials)
AN-THR:03 AN:THR:Threat:03:Operator credential theft: criminal actor pursuing operator and ground-station service-account credentials. SVC:CP:Control Plane:09 (ground ACA), SVC:CP:Control Plane:13 (console ops) AST:DA:Data:01 (ACA credentials)
AN-THR:04 AN:THR:Threat:04:Privileged insider misuse: cleared operator with command authority misuses commanding workstations to issue unauthorized commands. SVC:CP:Control Plane:09 (ground ACA), SVC:CP:Control Plane:13 (console ops) AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW)
AN-THR:05 AN:THR:Threat:05:Lateral movement into mission control: external actor pivots from the operator network onto mission-control hosts. SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:09 (ground ACA) AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW)
AN-THR:06 AN:THR:Threat:06:Ransomware against launch infrastructure: criminal or politically-motivated actor encrypts launch-control and update-pipeline systems. SVC:CP:Control Plane:10 (launch control), SVC:CP:Control Plane:12 (patch pipeline) AST:DA:Data:02 (patch binaries), AST:SW:Software:03 (patch deployment SW)
MODULE TWO
07/12
UTC
08
B1 · threat ETENs for the Link segment

LINK SEGMENT THREATS

  • Yesterday Satellite Operations and Satellite Design & Engineering reconciled the Link segment into the CONOPS: ACA on the link, attack detect and recover, payload command, FEC/ECC error handling, T2 tracking, plus the TC waveform, link auth credentials, payload command encoder. Today's intel report names threats that target the RF and the data on it. Each row below is one of those threats anchored via TOE to the Link-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear.
  • Every TOE on these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires.
  • Every element carries a SOURCE. In this set the SOURCE is OSINT because the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
ID AN-THR ETEN TOE · SVC TOE · AST
AN-THR:07 AN:THR:Threat:07:Jamming campaign: RF actor sustains noise injection across uplink/downlink bands to deny communications. SVC:CP:Control Plane:05 (link ACA), SVC:HY:Hybrid:01 (FEC/ECC), SVC:HY:Hybrid:02 (T2) AST:SI:Signal:00 (uplink/downlink waveforms)
AN-THR:08 AN:THR:Threat:08:Replay-and-spoof on uplink: RF actor captures and replays or forges command waveforms, bypassing authentication if keys are also compromised. SVC:CP:Control Plane:05 (link ACA), SVC:CP:Control Plane:09 (ground ACA) AST:SI:Signal:00 (uplink waveform), AST:DA:Data:00 (link ACA credentials)
AN-THR:09 AN:THR:Threat:09:Downlink interception: passive collector reads mission product and telemetry off the downlink waveform. SVC:HY:Hybrid:02 (T2) AST:SI:Signal:00 (downlink waveform), AST:SW:Software:01 (payload command encoder)
MODULE TWO
08/12
UTC
09
B1 · threat ETENs for the Space segment

SPACE SEGMENT THREATS

  • Yesterday Satellite Operations and Satellite Design & Engineering reconciled the Space segment into the CONOPS: ADCS, space-side crypto, EPS, FTS, TCS, comms, payload, C&DH, plus the platform's hardware, firmware, and flight software. Today's intel report names threats that target the platform on orbit. Each row below is one of those threats anchored via TOE to the Space-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear.
  • Every TOE on these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires.
  • Every element carries a SOURCE. In this set the SOURCE is OSINT because the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
ID AN-THR ETEN TOE · SVC TOE · AST
AN-THR:10 AN:THR:Threat:10:Destructive bus attack: state-linked actor targets attitude, power, and flight-termination to render the platform inoperable. SVC:CP:Control Plane:00 (ADCS), SVC:CP:Control Plane:02 (EPS), SVC:CP:Control Plane:03 (FTS) AST:HW:Hardware:00 (ADCS sensors), AST:SW:Software:00 (ADCS FSW), AST:HW:Hardware:01 (power chain), AST:HW:Hardware:02 (FTS receiver), AST:FW:Firmware:00 (FTS firmware)
AN-THR:11 AN:THR:Threat:11:Command-path integrity attack: actor manipulates commands flowing through C&DH and space-side cryptography to trust unauthorized inputs. SVC:HY:Hybrid:00 (C&DH), SVC:CP:Control Plane:01 (space-side crypto) AST:HW:Hardware:06 (OBC/OBDH), AST:FW:Firmware:01 (OBC firmware), AST:SW:Software:06 (C&DH FSW)
AN-THR:12 AN:THR:Threat:12:Pre-launch supply-chain firmware compromise: adversary embeds backdoors in firmware delivered through vendor supply paths before integration. SVC:CP:Control Plane:03 (FTS), SVC:CP:Control Plane:04 (TCS), SVC:CP:Control Plane:02 (EPS) AST:FW:Firmware:00 (FTS firmware), AST:FW:Firmware:01 (OBC firmware), AST:FW:Firmware:02 (payload firmware)
AN-THR:13 AN:THR:Threat:13:Payload-data tampering: on-board manipulation of mission data between the science instrument and the downlink encryptor. SVC:DP:Data Plane:00 (mission data plane), SVC:DP:Data Plane:01 (payload data plane) AST:HW:Hardware:07 (payload electronics), AST:FW:Firmware:02 (payload firmware)
MODULE TWO
09/12
UTC
10
S1 · the day’s full enumerated AN-THR elements

DAY 2 COMPLETE · FOURTEEN THREATS

  • Yesterday's CONOPS gave the three departments the structural model: 54 ETENs across PCE, SEG, SVC, AST. Today you took the Security Operations Center's intel and produced fourteen AN-THR ETENs against that model: User (2), Ground (5), Link (3), Space (4). Every TOE names at least one SVC and at least one AST from yesterday's CONOPS. The two artifacts now line up: the structural model the departments share, and the threats grounded into it.
  • All three departments pick this set up in the same form. The Security Operations Center turns each element into a hunt priority against its TOE elements. Satellite Operations reads TOE to know which active subsystems carry which threats during the pass. Satellite Design & Engineering reads TOE to plan hardening at the exact elements being targeted. And because every element is written in the shared five-field form, the set is ready for the policy-gated contribution to Space ISAC that the organization’s own mandate requires: comparable, citable, and machine-readable.
  • Tomorrow you sit with Satellite Design & Engineering. They take each TOE chain from today's set and walk it as an attack path: starting from the structural element the adversary first touches, through the chain of services and assets that carry them to mission impact. Today's threats become tomorrow's attack paths. The work is contiguous: CONOPS grounds threats, threats ground paths, paths ground signatures and playbooks, paths ground resilience measures. Five days, one story.
ID AN-THR ETEN · LAYER:TAG:LABEL:ORDINAL:Description
AN-THR:00 AN:THR:Threat:00:End-user application tampering: degrades operator’s trust in mission product by modifying the consuming application or the displayed data.
AN-THR:01 AN:THR:Threat:01:Operator console credential theft: steals operator or service-account credentials from the console workstation to impersonate the operator.
AN-THR:02 AN:THR:Threat:02:Long-dwell network intrusion: nation-state intrusion set pursuing persistent access to ground-side crypto and ACA.
AN-THR:03 AN:THR:Threat:03:Operator credential theft: criminal actor pursuing operator and ground-station service-account credentials.
AN-THR:04 AN:THR:Threat:04:Privileged insider misuse: cleared operator with command authority misuses commanding workstations to issue unauthorized commands.
AN-THR:05 AN:THR:Threat:05:Lateral movement into mission control: external actor pivots from the operator network onto mission-control hosts.
AN-THR:06 AN:THR:Threat:06:Ransomware against launch infrastructure: criminal or politically-motivated actor encrypts launch-control and update-pipeline systems.
AN-THR:07 AN:THR:Threat:07:Jamming campaign: RF actor sustains noise injection across uplink/downlink bands to deny communications.
AN-THR:08 AN:THR:Threat:08:Replay-and-spoof on uplink: RF actor captures and replays or forges command waveforms, bypassing authentication if keys are also compromised.
AN-THR:09 AN:THR:Threat:09:Downlink interception: passive collector reads mission product and telemetry off the downlink waveform.
AN-THR:10 AN:THR:Threat:10:Destructive bus attack: state-linked actor targets attitude, power, and flight-termination to render the platform inoperable.
AN-THR:11 AN:THR:Threat:11:Command-path integrity attack: actor manipulates commands flowing through C&DH and space-side cryptography to trust unauthorized inputs.
AN-THR:12 AN:THR:Threat:12:Pre-launch supply-chain firmware compromise: adversary embeds backdoors in firmware delivered through vendor supply paths before integration.
AN-THR:13 AN:THR:Threat:13:Payload-data tampering: on-board manipulation of mission data between the science instrument and the downlink encryptor.
14ETENS
MODULE TWO
10/12
UTC
11
Work role ability confirmation · what you are now able to perform at your work center

DAY 2 COMPLETE

  • Fourteen AN-THR elements against the telecommand path, every one TOE-anchored to specific SVC and AST elements from yesterday’s decomposition. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. No free-floating threats; nothing in the set that the platform isn’t actually exposed to. The anchored set feeds the risk analysis NIS2 Article 21(2)(a) requires for the command-and-control scope Executive Order 14144 protects.
  • You can now stand in front of Security Operations, Satellite Operations, and Satellite Design & Engineering with one shared threat picture. You don’t have to be the threat expert for every domain; you convene them and give them one contextualized picture to act on. The Security Operations Center reads TOE to know what to hunt. Satellite Operations reads TOE to know which active subsystems carry which threats. Satellite Design & Engineering reads TOE to know what to harden. Before this engagement that reading took three translations; now it takes one shared form.
  • You now have your first enumerated threat set. Take the end-of-module exam (10 questions, 90% to pass) to qualify. Tomorrow: Day 3 / Module 03 (Converged Detection Engineering) walks each TOE into the attack paths and detections that catch them.
DAY 2 COMPLETE · THE THREAT PICTURE IS CONTEXTUALIZED
Full Spectrum Space Cybersecurity Professional briefing Security Operations, Satellite Operations, and Satellite Design & Engineering on today’s enumerated threats
Full Spectrum Space Cybersecurity Professional standing in front of a board displaying the METEORSTORM common vocabulary with threat indicators overlaid on specific elements, briefing three audiences representing Security Operations, Satellite Operations, and Satellite Design and Engineering. Red threat markers anchored to specific decomposed elements show that the threat picture is grounded in the platform. Dark operations center setting with cyan task lighting on the board and warm amber ambient lighting on the room.
Day 2 Complete · Full Context

Handing Off to Day 3 (Detection Engineering)

What you built today. Fourteen AN-THR elements enumerated against the telecommand path from the day’s peer-reviewed command-and-control threat research: 2 USER, 5 GROUND, 3 LINK, 4 SPACE. Every element’s TOE field names the specific SVC and AST elements from yesterday’s decomposition that the threat is directed against. No free-floating threats.

The threat picture is contextualized. The three departments now share one description of which threats hit which subsystems. Security Operations reads TOE to know what to hunt. Satellite Operations reads TOE to know which active subsystems carry which threats. Satellite Design & Engineering reads TOE to know what architectural change breaks the most threats at once.

Your role here. Threat modeling is the second of the five functions where a Full Spectrum professional drives change, and you do not have to be the subject-matter expert in kinetic, electronic-warfare, or cyber threats to lead it. Security Operations, Satellite Operations, and Satellite Design & Engineering can sometimes be provided by separate organizations: a spacecraft manufacturer, a satellite operator, a managed security provider, a program office and its contractors, each holding part of the threat knowledge. Your job is to build the cross-functional team and give it one contextualized threat picture, which is how this function becomes a deliberate point of insertion for transforming how those organizations defend the platform together.

Day 3 and the exam. You now have your first enumerated threat set. Take the end-of-module exam (10 questions, 90% to pass) to qualify. Tomorrow: Day 3 / Module 03 (Converged Detection Engineering) walks each TOE into the attack paths it enables and inventories the data and signals needed to detect each step.

MODULE TWO
11/12
00
DAY 2 COMPLETE · Contextualized Threat Modeling

DAY 2 COMPLETE

You anchored fourteen threats to the telecommand decomposition, the documented risk basis the mandates expect, and all three departments read the set in the same form they read the platform. Tomorrow, Day 3 traces how an adversary would move to reach each one.

MODULE TWO
00/00
UTC
END
CONVERGED DETECTION ENGINEERING FUNCTION 03
Function TWO complete · Function Three next

CONVERGED DETECTION
ENGINEERING.

Day 2 done. Tomorrow (Day 3 / Mod 03 · Converged Detection Engineering), you enumerate the attack paths each AN-THR enables and inventory the data and signals needed to detect each step, building toward the detection methods Executive Order 14144 requires on the command path.

STARTING POINT
A complete Concept of Operations structural decomposition (PCE, SEG, SVC, AST). No threats anchored to the platform; threat conversations are still generic and detached from the actual platform elements.
FINISH LINE
A mission-specific enumerated threat set with every AN-THR TOE-anchored to the structural elements it is directed against. Threat modeling is contextualized to this platform’s command path, feeding the risk analysis NIS2 requires and ready for Module 03 to enumerate attack paths.
▷ MODULE 02 ASSESSMENT

End-of-module exam: 10 multiple-choice questions aligned with the threat-modeling discipline’s KSAT areas (Knowledge, Skills, Abilities, Tasks). Score 90% to qualify. Save your results as a PDF when you finish.

END
MODULE TWO
12/12
REFERENCE LIBRARY

Standards, Policies & Sources

The instruments this course aligns to. Each element links to its primary source.

U.S. National Security Space Policy

CNSS Policy No. 12 (CNSSP-12)Information-assurance policy for national security space systems. CNSS Instruction 1200 (CNSSI 1200), Aug 2025Implementing requirements: on-board intrusion detection, hardware root-of-trust, patch management. DoDI 8581.01Information-assurance policy for space systems used by the DoD. Space Policy Directive 5 (SPD-5), 2020First comprehensive U.S. cybersecurity principles for space systems.

Executive Orders

EO 14144 (Jan 16, 2025)Strengthening and Promoting Innovation in the Nation’s Cybersecurity. EO 14306 (Jun 6, 2025)Sustaining select efforts, amending EO 13694 and EO 14144.

NIST Standards & FISMA

NIST SP 800-53 Rev. 5Security and privacy controls; IR-3 incident-response testing. NIST SP 800-37 Rev. 2Risk Management Framework; continuous monitoring and annual control assessment. NIST IR 8270Introduction to Cybersecurity for Commercial Satellite Operations. NIST IR 8401Satellite Ground Segment cybersecurity framework profile. NIST IR 8441Cybersecurity Framework Profile for Hybrid Satellite Networks. NIST SP 800-160 Vol. 2 Rev. 1Cyber resiliency goals: Anticipate, Withstand, Recover, Adapt. FISMAFederal Information Security Modernization Act; annual program review obligation.

Threat Frameworks (analytic layer)

MITRE ATT&CKAdversary tactics and techniques knowledge base. MITRE CAPECCommon Attack Pattern Enumeration and Classification; dictionary of attack patterns that exploit known weaknesses. MITRE D3FENDKnowledge graph of defensive countermeasures and techniques, mapped to ATT&CK (NSA-funded, maintained by MITRE). SPARTASpace Attack Research and Tactic Analysis (The Aerospace Corporation). ESA Space ShieldEuropean Space Agency space-system threat framework.

EU & Global

NIS2 Directive (EU 2022/2555)Risk management and 24h/72h incident reporting; space sector in scope. EU Space Act (proposal, 25 Jun 2025)Space-specific resilience and cybersecurity obligations; extraterritorial scope. ENISA Space Threat LandscapeEuropean threat landscape and recommendations for space operators. Cyber Resilience Act (CRA)Connected hardware/software requirements; applies from December 2027.

Open-Source Vocabulary & Tooling

METEORSTORM MISP taxonomyThe course vocabulary, live and open source in the MISP taxonomy repository. MISP / CIRCLComputer Incident Response Center Luxembourg, maintainers of MISP. RootAPublic-domain open detection language (YAML) used in Module 04 to write portable signatures. (github.com/UncoderIO/Roota) Uncoder.IOOpen-source IDE and translation engine that ports RootA rules across SIEM, EDR, and XDR formats. SpaceCOP & Indicators of BehaviorDHS S&T + Aerospace Corp. on-board intrusion-detection prototype. CROO (Cyber Resilience On-Orbit)Proof Labs on-board IDS for the Space Force.

Community & Reporting

Space ISACSpace Information Sharing and Analysis Center. Air & Space Forces MagazineWaterman, “New Cybersecurity Rules for Pentagon’s Commercial Satellite Vendors,” Nov 19, 2025. Via Satellite“DHS Wants Satellite Volunteers to Test New Cyber Tools,” Nov 17, 2025. Defense Daily“New National Space Cybersecurity Policy Emphasizes Intrusion Detection,” Nov 18, 2025. Mayer Brown legal analysis“Securing the Final Frontier,” Dec 11, 2025 (US and EU regulatory map).