UTC

Function Two

CONTEXTUALIZED

THREAT MODELING

Master Contextualized Threat Modeling.

“The adversary suffers when every strike they imagine is already prepared for.”

Organizations must develop an attack-to-defend capability for their platforms focused on kinetic, non-kinetic, electronic warfare, cyber warfare, and other key exposure domains, including naturally occurring threats.

FUNCTION TWO · MOD 02

01/15

UTC

02

Module 02 · where you start, where you finish

FROM START TO FINISH LINE.

Module 02 covers Function TWO, Contextualized Threat Modeling. Below: where the learner begins (what F01 produced), the work this module performs, and where the learner ends.

STARTING POINT

A complete F01 structural decomposition (PCE, SEG, SVC, AST). No threats anchored to the platform; threat conversations are still generic and detached from the actual platform elements.

FINISH LINE

A mission-specific threat catalogue with every AN-THR enumerated and attached via TOE to the structural elements it threatens. Threat modeling is contextualized to your platform, not the average platform, ready for F03 (Module 03) to enumerate attack paths.

FUNCTION TWO · MOD 02

02/15

UTC

03

Learn, Apply, Build, Simulate · KSAT alignment for Module 02

LABS Learning Objectives.

Module 02 hands-on objectives. Each row maps a LABS component to its KSAT type, (L)EARN to Knowledge, (A)PPLY to Skill, (B)UILD to Ability, (S)IMULATE to Task, so the exam at the end of the module assesses the same competencies the labs build.

LABS Component	KSAT Type	Statement
(L)EARN	Knowledge	Knowledge of the AN-THR taxonomy element and its enumerated form, the TOE (Target of Exploitation) attachment field, and the discipline of real-world validated sourcing.
(L)EARN	Knowledge	Knowledge of credible threat sources (government intel, Space ISAC bulletins, peer-framework catalogues like MITRE ATT&CK / SPARTA, internal incident debriefs, red-team findings).
(A)PPLY	Skill	Skill in filtering threats for mission relevance against the F01 structural model, rejecting threats that cannot affect this platform's actual PCE, SEG, SVC, or AST elements.
(A)PPLY	Skill	Skill in attaching each AN-THR to specific structural elements via TOE references, with a documented sourcing trail.
(B)UILD	Ability	Ability to construct a threat-to-CONOPS coverage map: pivoting to the structural side and listing AN-THR per element, identifying gaps.
(S)IMULATE	Task	Enumerate a complete AN-THR catalogue for a sample LEO platform with sourcing trails, ready for F03 to enumerate attack paths.

FUNCTION TWO · MOD 02

03/15

UTC

02

Module deliverables · what you produce by the end

WHAT THIS MODULE
DELIVERS.

Function Two introduces the Analytic Layer over the four structural layers produced in Module 1. Module 2 covers one element only: AN-THR (Threat). Where Module 1 said what the platform is, Module 2 elements what is likely to be directed at it.

OUTPUT · 01

AN-THR Elements

Each known or modeled adversarial threat against the platform enumerated with TOE attachment to one or more structural elements.

OUTPUT · 02

Threat-to-CONOPS Map

Every AN-THR points at the specific PCE / SEG / SVC / AST elements it is directed against.

OUTPUT · 03

Sourcing Trail

Each AN-THR cites its source, threat intel, attribution, peer profile, or OSINT, preserving traceability.

3OUTPUTS

FUNCTION TWO · MOD 02

04/15

UTC

03

Function Two · the question this function answers

WHO IS LIKELY
TO EXERCISE THE EXPOSURE?

Function Two introduces the Analytic Layer over the four structural layers produced in Module 1. Module 2 covers one element only: AN-THR (Threat). Where Module 1 said what the platform is, Module 2 elements what is likely to be directed at it.

▷ TAKES IN

The 4-layer structural CONOPS from Module 1: PCE, SEG, SVC, AST elements.

▷ PRODUCES

AN-THR entries, threat-actor elements attached via TOE to the platform or its specific structural elements.

FUNCTION TWO · MOD 02

05/15

UTC

05

Module 02 foundations recap · what you inherit

WHAT YOU INHERIT FROM F01.

Function TWO attaches its work to the structural decomposition produced upstream, the CONOPS structural decomposition (PCE, SEG, SVC, AST elements). Every AN-THR you enumerate in this module attaches via TOE to one or more structural elements. Quick recap of the four structural layers and the analytic overlay.

▷ THE FIVE LAYERS

▷ LAYER ROLE

PCEPrimary Capability Environment

Where the platform physically operates. Five environments: Terrestrial, Aquatic, Aerial, Orbital, Deep Space.

SEGSegment

Self-contained piece with a specific operational role. Ten segments including Launch, Link, Ground, User, Space, Deep Space.

SVCService

The functional plane, how a segment controls things or moves data. Three services: Control Plane, Data Plane, Hybrid.

ASTAsset

Concrete things that make a service work. Six asset classes: Hardware, Firmware, Software, Data, Signal, Hybrid.

ANAnalytic (this module's home)

A separate overlay layer. Carries what defenders observe and build. Six categories, AN-THR is the one this module produces.

FUNCTION TWO · MOD 02

06/15

UTC

06

Two ways to write AN-THR · taxonomy element vs. enumerated element

AN-THR, TWO FORMS.

Same AN-THR two ways. The taxonomy element is the abstract category, written hyphenated as AN-THR. The enumerated element is one specific instance on your platform, written with all five fields plus a description, e.g. AN: THR: Threat: 00. Use the hyphenated form when you mean “any Threat”; use the full form when you mean “this exact Threat on our platform.”

▷ TAXONOMY ELEMENT

The category. Written LAYER-ELEMENT (hyphenated). Use it in prose to refer to any Threat.

AN-THR

“Every AN-THR entry must have a documented source.”, talking about threats in general.

AN-THR

“Our AN-THR catalogue is reviewed quarterly against intel updates.”

▷ ENUMERATED ELEMENT

One specific instance. Written LAYER: ELEMENT: LABEL: ORDINAL with description and TOE.

AN: THR: Threat: 00

“AN: THR: 00, APT Group Targeting LEO Constellations”

AN: THR: Threat: 01

A second specific threat on the same platform, same taxonomy code, different ordinal, different description and TOE.

FUNCTION TWO · MOD 02

07/15

UTC

07

How AN-THR attaches to the platform · the TOE field

TOE, TARGET OF EXPLOITATION.

Each AN-THR enumerated element points back at the platform via the TOE (Target of Exploitation) field. TOE names the structural element the threat applies to. Without TOE, threats are free-floating noise, the structural anchor is what makes the threat actionable, queryable, and shareable.

▷ ATTACHMENT VIEW

▷ ATTACHMENT DETAIL

DEFINITION TOE = Target of Exploitation

Each AN-THR element carries a TOE field that lists the structural element(s) the threat structural element the threat applies to. Format: TOE: structural element references.

EXAMPLE Real-world TOE attachment

AN: THR: 00, APT Group Targeting LEO Constellations: TOE: PCE: OR: Orbital: 00, SEG: SP: Space: 00, SVC: CP: Control Plane: 00. Every structural anchor is a real enumerated element on the platform, never a hypothetical, never a sample.

DISCIPLINE No TOE, no entry

An AN-THR with no TOE attachment is free-floating noise. Every entry must point at one or more real structural elements on your platform. This is the discipline that keeps the analytic catalogue queryable, correlatable, and shareable.

FUNCTION TWO · MOD 02

08/15

UTC

08

How to enumerate one AN-THR · the per-element procedure

SIX STEPS, EVERY AN-THR.

Per-element enumeration procedure. The walk is the same for every AN-THR; only the inputs and the structural anchors change. Sources: the CONOPS structural decomposition (PCE, SEG, SVC, AST elements).

▷ THE SIX STEPS

01

Review the CONOPS

02

Gather threat sources

03

Filter for mission relevance

04

Enumerate AN-THR

05

Attach via TOE

06

Build the coverage map

▷ STEP DETAIL

01 · REVIEW THE CONOPS

Walk the F01 tree end-to-end. Every PCE / SEG / SVC / AST element is a candidate target. Confirm the structural decomposition is complete and the team agrees on it before threat work begins.

02 · GATHER THREAT SOURCES

Pull threats from every credible source mapping to your platform: government intel, ISAC bulletins, peer feeds, peer-framework catalogues (MITRE ATT&CK, SPARTA), and operational observation. Document the source for every candidate.

03 · FILTER FOR MISSION RELEVANCE

Keep only threats that can affect this platform. A threat against deep-space cruise is not relevant to a LEO ground site; a threat against an aquatic vessel is not relevant to a ground-only operation.

04 · ENUMERATE AN-THR

Create one AN-THR enumerated element per relevant threat. Five core fields plus a description; use the published METEORSTORM taxonomy, never invent a new threat code.

05 · ATTACH VIA TOE

Populate the TOE field with the specific structural elements the threat applies to. A threat may target one element or many. No TOE = no AN-THR.

06 · BUILD THE COVERAGE MAP

Pivot to structural side: for every PCE / SEG / SVC / AST element, list the AN-THR entries targeting it. Gaps surface as structural elements with no threats, re-examine those.

FUNCTION TWO · MOD 02

09/15

UTC

09

Worked example, quality checklist, hand-off · one complete AN-THR

ONE COMPLETE AN-THR ON A LEO PLATFORM.

A real-world threat for an orbital constellation, end-to-end, the enumerated element, the TOE attachment, the sourcing, and how it hands off to the next function.

▷ THE ENUMERATED ELEMENT

FRAME 1 · THE ENUMERATION AN: THR: 00, APT Group Targeting LEO Constellations

A confirmed APT documented in government brief and Space ISAC bulletin 2026-Q1, targeting LEO commanding paths.

AN: THR: Threat: 00

TOE: PCE: OR: Orbital: 00, SEG: SP: Space: 00, SVC: CP: Control Plane: 00

FRAME 2 · SOURCING Sourcing trail

Government brief 2026-Q1 + Space ISAC bulletin SI-2026-0173

Real-world validated only. No hypotheticals. The sourcing trail makes the entry auditable and lets analysts revisit when intel evolves.

FRAME 3 · HAND-OFF What happens next

F03 enumerates AN-ATT attack paths from this threat.

F03 (Converged Detection Engineering), enumerates AN-ATT attack paths from each AN-THR.

▷ QUALITY CHECKLIST

Before publishing an AN-THR to your TIP or sharing through Space ISAC, verify:

Every AN-THR has at least one TOE attachment to a structural element
Every AN-THR has a documented source (intel brief, ISAC bulletin, peer report, internal observation)
No hypothetical "what-if" threats, only validated observations and credible intel
Every threat traces to one or more mission requirements from F01
Coverage map shows which structural elements have which threat exposure

FUNCTION TWO · MOD 02

10/15

UTC

11

AN-THR field-by-field · what each field carries

EVERY AN-THR, FIELD BY FIELD.

An enumerated AN-THR carries five core fields plus the TOE (Target of Exploitation) attachment that makes it actionable. Cycle through each below to see what the field holds, what a real value looks like, and where learners typically slip.

▷ AN-THR VIEW

▷ FIELD DETAIL

LAYERField 1 of 5

Fixed for every analytic-layer entry. Distinguishes this from PCE / SEG / SVC / AST.

EXAMPLE VALUE

AN

ELEMENTField 2 of 5

Two-letter taxonomy code identifying the threat sub-category.

EXAMPLE VALUE

THR

LABELField 3 of 5

The plain-English name that goes with the THR code.

EXAMPLE VALUE

Threat

ORDINALField 4 of 5

Two-digit serial; first threat catalogued is 00, second is 01.

EXAMPLE VALUE

00

DESCRIPTIONField 5 of 5

Free-text scoping with sourcing trail. Real-world validated only.

EXAMPLE VALUE

"APT group documented in government brief and Space ISAC bulletin 2026-Q1, targeting LEO commanding paths."

TOETOE attachment (AN-specific)

TOE lists the structural entries the threat is directed against. Multiple references for platform-wide threats.

EXAMPLE ATTACHMENT

TOE: PCE: OR: Orbital: 00, SEG: SP: Space: 00, SVC: CP: Control Plane: 00

FUNCTION TWO · MOD 02

11/15

UTC

12

Real-world AN-THR examples · four enumerated elements on a LEO platform

AN-THR IN THE WILD.

Four worked AN-THR enumerations spanning different scenarios on the same LEO platform, nation-state, supply chain, RF, insider. Each one is real-world validated, structurally anchored via TOE, and traceable to its source.

▷ SCENARIO IMAGE

Nation-State APT Targeting LEO Constellations

Supply Chain Compromise Threat (Ground SW)

EXAMPLE 01 OF 04 Nation-State APT Targeting LEO Constellations

Confirmed APT group with demonstrated targeting of orbital constellation commanding paths and ground-to-space link interception.

ENUMERATED ELEMENT

AN: THR: Threat: 00 TOE: PCE: OR: Orbital: 00, SEG: SP: Space: 00, SVC: CP: Control Plane: 00

Sourcing: Government brief 2026-Q1 + Space ISAC bulletin SI-2026-0173

EXAMPLE 02 OF 04 Supply Chain Compromise Threat (Ground SW)

Threat actor compromising upstream open-source dependencies; affects ground-segment flight-software builds.

ENUMERATED ELEMENT

AN: THR: Threat: 01 TOE: AST: SW: Software: 03, SVC: CP: Control Plane: 00

Sourcing: CISA advisory + internal vendor-risk review 2026-Q2

EXAMPLE 03 OF 04 RF Jamming Campaign Against Uplink

Persistent RF jamming targeting command uplink frequencies during contested overflight windows.

ENUMERATED ELEMENT

AN: THR: Threat: 02 TOE: SEG: LI: Link: 00, AST: SI: Signal: 00

Sourcing: Allied SIGINT report + Space ISAC link-integrity bulletin 2026-Q1

EXAMPLE 04 OF 04 Insider-Threat Actor Profile

Privileged-insider risk against ground-station control-plane hardware; documented from a recent investigation.

ENUMERATED ELEMENT

AN: THR: Threat: 03 TOE: SEG: GR: Ground: 00, SVC: CP: Control Plane: 00, AST: HW: Hardware: 03

Sourcing: Internal HR/security investigation + post-incident debrief 2026-Q1

FUNCTION TWO · MOD 02

12/15

UTC

04

Analytic Layer · AN-THR · the targeted statement

AN-THR, THREAT.

Known adversarial threat to the platform, a known or modeled adversary capability or campaign directed at the platform or its class of systems.

DATA MODEL ROW

LAYER	ELEMENT	LABEL	DESCRIPTION
`AN`	`THR`	Threat	Known adversarial threat to the platform, a known or modeled adversary capability or campaign directed at the platform or its class of systems.

▷ TARGET FIELD · TOE

Target of Exploitation, lists the structural entries the threat is directed against. Platform-wide threats may name the platform; targeted threats list specific SEG, SVC, and AST entries.

Sourcing: Threat-intelligence providers, government attribution statements, peer-shared adversary profiles, and open-source intelligence.

▷ KEY INNOVATION

Many frameworks treat threat-actor profiles as separate intelligence products that live alongside, but apart from, the defender's structural understanding of their platform. METEORSTORM keeps the threat-actor element inside the same enumeration as the attack paths, services, and assets the actor targets, so “is this actor relevant to us?” can be answered by querying the structural element rather than by manual cross-walk.

THRELEMENT

FUNCTION TWO · MOD 02

13/15

UTC

05

AN-THR enumeration · walk once per AN-THR instance

AN-THR, ENUMERATION.

01

Element LAYER

LAYER = AN (fixed).

02

Identify the source

Threat-intel provider, government attribution, peer-shared adversary profile, or open-source intelligence.

03

Set ELEMENT to THR

Identifies this as a Threat entry within the Analytic Layer.

04

Assign ORDINAL

Two-digit, starting at 00, AN-THR-00, AN-THR-01, …

05

Element the TOE

List the structural entries the threat is directed against. Platform-wide = name the platform; targeted = list specific SEG / SVC / AST.

06

Write DESCRIPTION

Identify the actor or threat class, describe assessed capability, cite the source.

↺ Repeat for each AN-THR instance 6 STEPS

6STEPS

FUNCTION TWO · MOD 02

14/15

UTC

END

Function TWO complete · Function Three next

CONVERGED DETECTION
ENGINEERING.

Module 03 enumerates attack paths from each AN-THR you produced here.

STARTING POINT

A complete F01 structural decomposition (PCE, SEG, SVC, AST). No threats anchored to the platform; threat conversations are still generic and detached from the actual platform elements.

FINISH LINE

A mission-specific threat catalogue with every AN-THR enumerated and attached via TOE to the structural elements it threatens. Threat modeling is contextualized to your platform, not the average platform, ready for F03 (Module 03) to enumerate attack paths.

▷ MODULE 02 ASSESSMENT

A multiple-choice exam aligned with Module 02 KSAT areas. Drawn at random from a question bank covering Function TWO's taxonomy element (AN-THR), its TARGET attachment (TOE), and the production flow into the next function. Exam scaffolding wired in next iteration.

⌂ COURSE HOME ▶ MODULE 03 →

END

FUNCTION TWO · MOD 02

15/15

Master Contextualized Threat Modeling.

FROM START TO FINISH LINE.

LABS Learning Objectives.

WHAT THIS MODULEDELIVERS.

AN-THR Elements

Threat-to-CONOPS Map

Sourcing Trail

WHO IS LIKELYTO EXERCISE THE EXPOSURE?

WHAT YOU INHERIT FROM F01.

AN-THR, TWO FORMS.

TOE, TARGET OF EXPLOITATION.

SIX STEPS, EVERY AN-THR.

ONE COMPLETE AN-THR ON A LEO PLATFORM.

EVERY AN-THR, FIELD BY FIELD.

AN-THR IN THE WILD.

AN-THR, THREAT.

AN-THR, ENUMERATION.

Element LAYER

Identify the source

Set ELEMENT to THR

Assign ORDINAL

Element the TOE

Write DESCRIPTION

CONVERGED DETECTIONENGINEERING.

WHAT THIS MODULE
DELIVERS.

WHO IS LIKELY
TO EXERCISE THE EXPOSURE?

CONVERGED DETECTION
ENGINEERING.