Master Contextualized Threat Modeling.
“The adversary suffers when every strike they imagine is already prepared for.”
Your department is one day old, and it has already given Kestrel Orbital something it never had: yesterday you brought Satellite Operations and Satellite Design & Engineering to the same table, and their two views of the platform reconciled into one CONOPS of fifty-four enumerated elements, the first artifact all three departments read without translation. Today the Space Cybersecurity Operations and Resilience department you are building takes its second step: you convene all three departments, and the Security Operations Center steps forward with the threat picture. You drive the organization to develop an attack-to-defend capability across kinetic, non-kinetic, electronic warfare, cyber warfare, and other key exposure domains, including naturally occurring threats. You model those threats against the same fifty-four elements, and the catalogue the three departments build together feeds the risk analysis NIS2 Article 21(2)(a) requires, anchored to the command-and-control scope Executive Order 14144 protects.
DAY 2 START
Today you anchor real adversary threats to the fifty-four telecommand elements enumerated on Day 1, so each threat points at the exact part of the command path it would target. Yesterday Satellite Operations and Satellite Design & Engineering built the structural language; today the Security Operations Center starts writing in it, and the shared model grows its first analytic elements. The anchored catalogue feeds the risk analysis NIS2 Article 21(2)(a) requires for the scope Executive Order 14144 protects.
INTELLIGENCE-DRIVEN RESILIENCE STARTS WITH FIVE INTEL SOURCES, EVERY THREAT CITED TO ONE
Day 2 opens in the Security Operations Center, and this time the department is presenting, not being sold. Its analysts brief the room, Satellite Operations and Satellite Design & Engineering included, on the five source types threat intelligence lands from: four from outside the organization (a vendor or Space ISAC feed, a government advisory, a peer operator, and open source) and one from the center’s own threat hunting. Sourcing and citing every threat to one of these is what moves the organization off assumption-based defense and onto intelligence-driven, resilient operations, so recognize each source on sight and note where it came from.
A commercial threat-intel vendor feed, or the Space ISAC feed the organization’s own mandate requires. That channel is live; consuming from it starts today.
Cite as: vendor + advisory ID.
A federal advisory or attribution bulletin from a national cyber-defense agency.
Cite as: agency + advisory reference.
An adversary profile or incident retrospective shared by another satellite operator.
Cite as: peer org + retro ID.
An open-source publication, peer-reviewed paper, or public threat database. Today’s working source is a peer-reviewed study of the weaknesses that threaten satellite command and control.
Cite as: publication + URL or DOI.
A threat your own Security Operations Center surfaced through in-house hunting on this platform.
Cite as: internal hunt ticket + analyst.
THREAT INTEL REPORT HAS ARRIVED
-
A credible peer-reviewed research report on command-and-control threats, prepared against the platform you defend. It walks the four operational enclaves (Space, Link, Ground, User), names the potential attacks each one currently faces, and lists the platform subsystems each attack would touch. Open the report (button below) before going further.
-
Read each segment’s narrative for the situational picture, then walk its table of potential attacks. Plausibility is judged with the departments: Satellite Operations weighs each threat against the platform as flown, Satellite Design & Engineering against the platform as built, the same two views that produced the CONOPS. Match each plausible threat to the platform subsystems in the right two columns; set aside threats that have nothing to match.
-
This is the first source of the day; more will arrive (the four external types from the Security Operations Center briefing, and the center’s own internal hunting). The matched threats from this report and the others will become the working list you take into the rest of today’s analytic work.
A credible research report on command-and-control threats lands on your desk: segment-by-segment narrative of potential attacks, with the subsystems each one would touch.
Review each segment’s narrative, decide which potential attacks are plausible against the platform you defend, and match each one to the subsystems on yesterday’s decomposition.
CONTEXTUALIZED THREAT MODELING PROCESS
Inputs. Yesterday’s decomposition: 54 ETENs of the telecommand path, the command-and-control scope Executive Order 14144 and the NIS2 Directive set. Threat intelligence sources in scope (vendor advisories, MITRE ATT&CK techniques, peer-reviewed research on command-and-control threats, internal red-team output). Output. One AN-THR ETEN per threat you add to the enumerated set, each one anchored to one or more decomposed elements via TOE. Six steps, fixed order. Set LAYER (always AN), identify the source, set TAG (THR), assign the ORDINAL, enumerate the TOE, then write the Description. Constraint. Every AN-THR must name at least one decomposed-layer ETEN in TOE; threats with no anchor stay out of the enumerated set until either the anchor is decomposed or the threat is scoped out.
AN-THR).00 (AN:THR:Threat:00, AN:THR:Threat:01, and so on); one ordinal per distinct threat element.USER SEGMENT THREATS
-
Yesterday Satellite Operations and Satellite Design & Engineering reconciled the User segment into the CONOPS: console workstation, console operator software, end-user app, crypto keys, mission product data, plus the user-side services like Satellite Console and User Application. Today's intel report names threats that target users. Each row below is one of those threats anchored via
TOEto the User-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear: there is nothing on this platform to attack until the CONOPS adds the element. -
Every
TOEon these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires. -
Every element carries a
SOURCE. In this set the SOURCE isOSINTbecause the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
| ID | AN-THR ETEN | TOE · SVC | TOE · AST |
|---|---|---|---|
AN-THR:00 |
AN:THR:Threat:00:End-user application tampering: degrades operator’s trust in mission product by modifying the consuming application or the displayed data. |
SVC:DP:Data Plane:02 (end-user app data plane) | AST:SW:Software:08 (end-user app SW), AST:DA:Data:04 (mission product data) |
AN-THR:01 |
AN:THR:Threat:01:Operator console credential theft: steals operator or service-account credentials from the console workstation to impersonate the operator. |
SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:15 (user-side ACA) | AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW), AST:DA:Data:03 (HSM keys) |
GROUND SEGMENT THREATS
-
Yesterday Satellite Operations and Satellite Design & Engineering reconciled the Ground segment into the CONOPS: ground crypto, ground ACA, launch control, AFSS, patch updates, plus ACA credentials, patch binaries, ground ACA software, patch deployment pipeline. Today's intel report names threats that target ground infrastructure. Each row below is one of those threats anchored via
TOEto the Ground-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear. -
Every
TOEon these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires. -
Every element carries a
SOURCE. In this set the SOURCE isOSINTbecause the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
| ID | AN-THR ETEN | TOE · SVC | TOE · AST |
|---|---|---|---|
AN-THR:02 |
AN:THR:Threat:02:Long-dwell network intrusion: nation-state intrusion set pursuing persistent access to ground-side crypto and ACA. |
SVC:CP:Control Plane:08 (ground crypto), SVC:CP:Control Plane:09 (ground ACA) | AST:SW:Software:02 (ground ACA SW), AST:DA:Data:01 (ACA credentials) |
AN-THR:03 |
AN:THR:Threat:03:Operator credential theft: criminal actor pursuing operator and ground-station service-account credentials. |
SVC:CP:Control Plane:09 (ground ACA), SVC:CP:Control Plane:13 (console ops) | AST:DA:Data:01 (ACA credentials) |
AN-THR:04 |
AN:THR:Threat:04:Privileged insider misuse: cleared operator with command authority misuses commanding workstations to issue unauthorized commands. |
SVC:CP:Control Plane:09 (ground ACA), SVC:CP:Control Plane:13 (console ops) | AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW) |
AN-THR:05 |
AN:THR:Threat:05:Lateral movement into mission control: external actor pivots from the operator network onto mission-control hosts. |
SVC:CP:Control Plane:13 (console ops), SVC:CP:Control Plane:09 (ground ACA) | AST:HW:Hardware:04 (console HW), AST:SW:Software:04 (console SW) |
AN-THR:06 |
AN:THR:Threat:06:Ransomware against launch infrastructure: criminal or politically-motivated actor encrypts launch-control and update-pipeline systems. |
SVC:CP:Control Plane:10 (launch control), SVC:CP:Control Plane:12 (patch pipeline) | AST:DA:Data:02 (patch binaries), AST:SW:Software:03 (patch deployment SW) |
LINK SEGMENT THREATS
-
Yesterday Satellite Operations and Satellite Design & Engineering reconciled the Link segment into the CONOPS: ACA on the link, attack detect and recover, payload command, FEC/ECC error handling, T2 tracking, plus the TC waveform, link auth credentials, payload command encoder. Today's intel report names threats that target the RF and the data on it. Each row below is one of those threats anchored via
TOEto the Link-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear. -
Every
TOEon these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires. -
Every element carries a
SOURCE. In this set the SOURCE isOSINTbecause the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
| ID | AN-THR ETEN | TOE · SVC | TOE · AST |
|---|---|---|---|
AN-THR:07 |
AN:THR:Threat:07:Jamming campaign: RF actor sustains noise injection across uplink/downlink bands to deny communications. |
SVC:CP:Control Plane:05 (link ACA), SVC:HY:Hybrid:01 (FEC/ECC), SVC:HY:Hybrid:02 (T2) | AST:SI:Signal:00 (uplink/downlink waveforms) |
AN-THR:08 |
AN:THR:Threat:08:Replay-and-spoof on uplink: RF actor captures and replays or forges command waveforms, bypassing authentication if keys are also compromised. |
SVC:CP:Control Plane:05 (link ACA), SVC:CP:Control Plane:09 (ground ACA) | AST:SI:Signal:00 (uplink waveform), AST:DA:Data:00 (link ACA credentials) |
AN-THR:09 |
AN:THR:Threat:09:Downlink interception: passive collector reads mission product and telemetry off the downlink waveform. |
SVC:HY:Hybrid:02 (T2) | AST:SI:Signal:00 (downlink waveform), AST:SW:Software:01 (payload command encoder) |
SPACE SEGMENT THREATS
-
Yesterday Satellite Operations and Satellite Design & Engineering reconciled the Space segment into the CONOPS: ADCS, space-side crypto, EPS, FTS, TCS, comms, payload, C&DH, plus the platform's hardware, firmware, and flight software. Today's intel report names threats that target the platform on orbit. Each row below is one of those threats anchored via
TOEto the Space-segment SVC and AST elements from your CONOPS. Threats with no anchor in your CONOPS do not appear. -
Every
TOEon these elements names both the SVC the threat targets and the AST those SVCs depend on. Naming only one or the other breaks the chain: tomorrow Satellite Design & Engineering needs both ends to walk the attack path, and Day 4 detection engineering needs the asset side to write a signature that actually fires. -
Every element carries a
SOURCE. In this set the SOURCE isOSINTbecause the working reference is today's composite OSINT threat assessment that arrived at the start of the day. In a real program each row would cite per-element provenance from whichever of the five intel-source types named in the Security Operations Center briefing produced it (a threat-intel provider or the Space ISAC feed, government attribution, peer-shared, OSINT, internal threat hunting).
| ID | AN-THR ETEN | TOE · SVC | TOE · AST |
|---|---|---|---|
AN-THR:10 |
AN:THR:Threat:10:Destructive bus attack: state-linked actor targets attitude, power, and flight-termination to render the platform inoperable. |
SVC:CP:Control Plane:00 (ADCS), SVC:CP:Control Plane:02 (EPS), SVC:CP:Control Plane:03 (FTS) | AST:HW:Hardware:00 (ADCS sensors), AST:SW:Software:00 (ADCS FSW), AST:HW:Hardware:01 (power chain), AST:HW:Hardware:02 (FTS receiver), AST:FW:Firmware:00 (FTS firmware) |
AN-THR:11 |
AN:THR:Threat:11:Command-path integrity attack: actor manipulates commands flowing through C&DH and space-side cryptography to trust unauthorized inputs. |
SVC:HY:Hybrid:00 (C&DH), SVC:CP:Control Plane:01 (space-side crypto) | AST:HW:Hardware:06 (OBC/OBDH), AST:FW:Firmware:01 (OBC firmware), AST:SW:Software:06 (C&DH FSW) |
AN-THR:12 |
AN:THR:Threat:12:Pre-launch supply-chain firmware compromise: adversary embeds backdoors in firmware delivered through vendor supply paths before integration. |
SVC:CP:Control Plane:03 (FTS), SVC:CP:Control Plane:04 (TCS), SVC:CP:Control Plane:02 (EPS) | AST:FW:Firmware:00 (FTS firmware), AST:FW:Firmware:01 (OBC firmware), AST:FW:Firmware:02 (payload firmware) |
AN-THR:13 |
AN:THR:Threat:13:Payload-data tampering: on-board manipulation of mission data between the science instrument and the downlink encryptor. |
SVC:DP:Data Plane:00 (mission data plane), SVC:DP:Data Plane:01 (payload data plane) | AST:HW:Hardware:07 (payload electronics), AST:FW:Firmware:02 (payload firmware) |
DAY 2 COMPLETE · FOURTEEN THREATS
-
Yesterday's CONOPS gave the three departments the structural model: 54 ETENs across PCE, SEG, SVC, AST. Today you took the Security Operations Center's intel and produced fourteen AN-THR ETENs against that model: User (2), Ground (5), Link (3), Space (4). Every
TOEnames at least one SVC and at least one AST from yesterday's CONOPS. The two artifacts now line up: the structural model the departments share, and the threats grounded into it. -
All three departments pick this set up in the same form. The Security Operations Center turns each element into a hunt priority against its TOE elements. Satellite Operations reads TOE to know which active subsystems carry which threats during the pass. Satellite Design & Engineering reads TOE to plan hardening at the exact elements being targeted. And because every element is written in the shared five-field form, the set is ready for the policy-gated contribution to Space ISAC that the organization’s own mandate requires: comparable, citable, and machine-readable.
-
Tomorrow you sit with Satellite Design & Engineering. They take each TOE chain from today's set and walk it as an attack path: starting from the structural element the adversary first touches, through the chain of services and assets that carry them to mission impact. Today's threats become tomorrow's attack paths. The work is contiguous: CONOPS grounds threats, threats ground paths, paths ground signatures and playbooks, paths ground resilience measures. Five days, one story.
| ID | AN-THR ETEN · LAYER:TAG:LABEL:ORDINAL:Description |
|---|---|
AN-THR:00 |
AN:THR:Threat:00:End-user application tampering: degrades operator’s trust in mission product by modifying the consuming application or the displayed data. |
AN-THR:01 |
AN:THR:Threat:01:Operator console credential theft: steals operator or service-account credentials from the console workstation to impersonate the operator. |
AN-THR:02 |
AN:THR:Threat:02:Long-dwell network intrusion: nation-state intrusion set pursuing persistent access to ground-side crypto and ACA. |
AN-THR:03 |
AN:THR:Threat:03:Operator credential theft: criminal actor pursuing operator and ground-station service-account credentials. |
AN-THR:04 |
AN:THR:Threat:04:Privileged insider misuse: cleared operator with command authority misuses commanding workstations to issue unauthorized commands. |
AN-THR:05 |
AN:THR:Threat:05:Lateral movement into mission control: external actor pivots from the operator network onto mission-control hosts. |
AN-THR:06 |
AN:THR:Threat:06:Ransomware against launch infrastructure: criminal or politically-motivated actor encrypts launch-control and update-pipeline systems. |
AN-THR:07 |
AN:THR:Threat:07:Jamming campaign: RF actor sustains noise injection across uplink/downlink bands to deny communications. |
AN-THR:08 |
AN:THR:Threat:08:Replay-and-spoof on uplink: RF actor captures and replays or forges command waveforms, bypassing authentication if keys are also compromised. |
AN-THR:09 |
AN:THR:Threat:09:Downlink interception: passive collector reads mission product and telemetry off the downlink waveform. |
AN-THR:10 |
AN:THR:Threat:10:Destructive bus attack: state-linked actor targets attitude, power, and flight-termination to render the platform inoperable. |
AN-THR:11 |
AN:THR:Threat:11:Command-path integrity attack: actor manipulates commands flowing through C&DH and space-side cryptography to trust unauthorized inputs. |
AN-THR:12 |
AN:THR:Threat:12:Pre-launch supply-chain firmware compromise: adversary embeds backdoors in firmware delivered through vendor supply paths before integration. |
AN-THR:13 |
AN:THR:Threat:13:Payload-data tampering: on-board manipulation of mission data between the science instrument and the downlink encryptor. |
DAY 2 COMPLETE
-
Fourteen
AN-THRelements against the telecommand path, every one TOE-anchored to specificSVCandASTelements from yesterday’s decomposition. 2 USER, 5 GROUND, 3 LINK, 4 SPACE. No free-floating threats; nothing in the set that the platform isn’t actually exposed to. The anchored set feeds the risk analysis NIS2 Article 21(2)(a) requires for the command-and-control scope Executive Order 14144 protects. -
You can now stand in front of Security Operations, Satellite Operations, and Satellite Design & Engineering with one shared threat picture. You don’t have to be the threat expert for every domain; you convene them and give them one contextualized picture to act on. The Security Operations Center reads TOE to know what to hunt. Satellite Operations reads TOE to know which active subsystems carry which threats. Satellite Design & Engineering reads TOE to know what to harden. Before this engagement that reading took three translations; now it takes one shared form.
-
You now have your first enumerated threat set. Take the end-of-module exam (10 questions, 90% to pass) to qualify. Tomorrow: Day 3 / Module 03 (Converged Detection Engineering) walks each TOE into the attack paths and detections that catch them.

DAY 2 COMPLETE
You anchored fourteen threats to the telecommand decomposition, the documented risk basis the mandates expect, and all three departments read the set in the same form they read the platform. Tomorrow, Day 3 traces how an adversary would move to reach each one.
CONVERGED DETECTION
ENGINEERING.
Day 2 done. Tomorrow (Day 3 / Mod 03 · Converged Detection Engineering), you enumerate the attack paths each AN-THR enables and inventory the data and signals needed to detect each step, building toward the detection methods Executive Order 14144 requires on the command path.
End-of-module exam: 10 multiple-choice questions aligned with the threat-modeling discipline’s KSAT areas (Knowledge, Skills, Abilities, Tasks). Score 90% to qualify. Save your results as a PDF when you finish.