UTC

Function Three

CONVERGED DETECTION

ENGINEERING

Master Converged Detection Engineering.

“The adversary suffers when they cannot hide, and every move is seen.”

Organizations must evolve into a converged data and signals approach to illuminate complex attack patterns and reduce adversary dwell time.

FUNCTION THREE · MOD 03

01/17

UTC

02

Module 03 · where you start, where you finish

FROM START TO FINISH LINE.

Module 03 covers Function THREE, Converged Detection Engineering. Below: where the learner begins (what F02 and earlier produced), the work this module performs, and where the learner ends.

STARTING POINT

A complete F01 structural decomposition and an F02 mission-specific threat catalogue. No attack paths enumerated yet; you know what threats apply but not how an adversary would traverse the platform to realise them.

FINISH LINE

A complete map of attack paths (AN-ATT) drawn from the F02 threat catalogue, each spanning the chain of structural elements an adversary would touch from initial access to objective. Ready for F04 (Module 04) to enumerate the data and signal sources needed to detect each path step.

FUNCTION THREE · MOD 03

02/17

UTC

03

Learn, Apply, Build, Simulate · KSAT alignment for Module 03

LABS Learning Objectives.

Module 03 hands-on objectives. Each row maps a LABS component to its KSAT type, (L)EARN to Knowledge, (A)PPLY to Skill, (B)UILD to Ability, (S)IMULATE to Task, so the exam at the end of the module assesses the same competencies the labs build.

LABS Component	KSAT Type	Statement
(L)EARN	Knowledge	Knowledge of the AN-ATT taxonomy element, its TOE chain across multiple structural elements, and the distinction between AN-ATT (modeled or validated path) and AN-IOA (observed indicator of attack).
(L)EARN	Knowledge	Knowledge of how an AN-THR drives one or more AN-ATT enumerations, and how reachability across structural elements constrains valid path geometry.
(A)PPLY	Skill	Skill in mapping attack paths from each AN-THR through the platform's structural elements, identifying entry point, traversal sequence, and objective.
(A)PPLY	Skill	Skill in validating reachability between TOE steps and using red-team exercise findings to raise path confidence from modeled to validated.
(B)UILD	Ability	Ability to design multi-element attack paths and capture them as AN-ATT enumerated elements with full TOE chains.
(S)IMULATE	Task	Enumerate the AN-ATT map for a sample LEO platform covering every AN-THR from F02, ready for F04 to drive detection engineering.

FUNCTION THREE · MOD 03

03/17

UTC

02

Module deliverables · what you produce by the end

WHAT THIS MODULE
DELIVERS.

Function Three elements two distinct analytic statements: AN-ATT, what the platform exposes, conditionally, and AN-IOA, what an adversary is doing against the platform right now. Same TOE field, two different tenses; together they bracket the past (AN-IOC) and the future (AN-THR).

OUTPUT · 01

AN-ATT Elements

Modeled or known attack paths through the platform, with TOEs spanning every structural layer the path traverses.

OUTPUT · 02

AN-IOA Elements

In-progress attack indicators tied to live telemetry, with TOEs naming the structural entries currently exposed.

OUTPUT · 03

Two-Tense Coverage

The framework elements both what could happen (AN-ATT) and what is happening (AN-IOA) without collapsing them.

3OUTPUTS

FUNCTION THREE · MOD 03

04/17

UTC

03

Function Three · the question this function answers

WHAT CAN HAPPEN,
AND WHAT IS HAPPENING?

Function Three elements two distinct analytic statements: AN-ATT, what the platform exposes, conditionally, and AN-IOA, what an adversary is doing against the platform right now. Same TOE field, two different tenses; together they bracket the past (AN-IOC) and the future (AN-THR).

▷ TAKES IN

Module 1 structural CONOPS + Module 2 AN-THR elements.

▷ PRODUCES

AN-ATT entries (modeled exposure paths) and AN-IOA entries (verifiable in-progress attack indicators), both attached via TOE.

FUNCTION THREE · MOD 03

05/17

UTC

05

Module 03 foundations recap · what you inherit

WHAT YOU INHERIT FROM F02.

Function THREE attaches its work to the structural decomposition produced upstream, the AN-THR threat catalogue and the CONOPS structural model. Every AN-ATT you enumerate in this module attaches via TOE to one or more structural elements. Quick recap of the four structural layers and the analytic overlay.

▷ THE FIVE LAYERS

▷ LAYER ROLE

PCEPrimary Capability Environment

Where the platform physically operates. Five environments: Terrestrial, Aquatic, Aerial, Orbital, Deep Space.

SEGSegment

Self-contained piece with a specific operational role. Ten segments including Launch, Link, Ground, User, Space, Deep Space.

SVCService

The functional plane, how a segment controls things or moves data. Three services: Control Plane, Data Plane, Hybrid.

ASTAsset

Concrete things that make a service work. Six asset classes: Hardware, Firmware, Software, Data, Signal, Hybrid.

ANAnalytic (this module's home)

A separate overlay layer. Carries what defenders observe and build. Six categories, AN-ATT is the one this module produces.

FUNCTION THREE · MOD 03

06/17

UTC

06

Two ways to write AN-ATT · taxonomy element vs. enumerated element

AN-ATT, TWO FORMS.

Same AN-ATT two ways. The taxonomy element is the abstract category, written hyphenated as AN-ATT. The enumerated element is one specific instance on your platform, written with all five fields plus a description, e.g. AN: ATT: Attack Path: 00. Use the hyphenated form when you mean “any Attack Path”; use the full form when you mean “this exact Attack Path on our platform.”

▷ TAXONOMY ELEMENT

The category. Written LAYER-ELEMENT (hyphenated). Use it in prose to refer to any Attack Path.

AN-ATT

“Every AN-ATT entry must have a documented source.”, talking about attack paths in general.

AN-ATT

“Our AN-ATT catalogue is reviewed quarterly against intel updates.”

▷ ENUMERATED ELEMENT

One specific instance. Written LAYER: ELEMENT: LABEL: ORDINAL with description and TOE.

AN: ATT: Attack Path: 00

“AN: ATT: 00, Ground-to-Space Command Injection Path”

AN: ATT: Attack Path: 01

A second specific attack path on the same platform, same taxonomy code, different ordinal, different description and TOE.

FUNCTION THREE · MOD 03

07/17

UTC

07

How AN-ATT attaches to the platform · the TOE field

TOE, TARGET OF EXPLOITATION.

Each AN-ATT enumerated element points back at the platform via the TOE (Target of Exploitation) field. TOE names the chain of structural elements the adversary touches. Without TOE, attack paths are free-floating noise, the structural anchor is what makes the attack path actionable, queryable, and shareable.

▷ ATTACHMENT VIEW

▷ ATTACHMENT DETAIL

DEFINITION TOE = Target of Exploitation

Each AN-ATT element carries a TOE field that lists the structural element(s) the attack path chain of structural elements the adversary touches. Format: TOE: structural element references.

EXAMPLE Real-world TOE attachment

AN: ATT: 00, Ground-to-Space Command Injection Path: TOE: AST: SW: Software: 03 (entry), SVC: CP: Control Plane: 00 (traversal), SEG: SP: Space: 00 (objective). Every structural anchor is a real enumerated element on the platform, never a hypothetical, never a sample.

DISCIPLINE No TOE, no entry

An AN-ATT with no TOE attachment is free-floating noise. Every entry must point at one or more real structural elements on your platform. This is the discipline that keeps the analytic catalogue queryable, correlatable, and shareable.

FUNCTION THREE · MOD 03

08/17

UTC

08

How to enumerate one AN-ATT · the per-element procedure

SIX STEPS, EVERY AN-ATT.

Per-element enumeration procedure. The walk is the same for every AN-ATT; only the inputs and the structural anchors change. Sources: the AN-THR threat catalogue and the CONOPS structural model.

▷ THE SIX STEPS

01

Pick an AN-THR

02

Identify entry point

03

Map the chain

04

Validate against architecture

05

Enumerate AN-ATT

06

Coverage analysis

▷ STEP DETAIL

01 · PICK AN AN-THR

Start from the F02 catalogue. Each AN-THR may yield one or more attack paths.

02 · IDENTIFY ENTRY POINT

Where does the adversary first touch the platform to realize this threat? Pick the structural element (PCE / SEG / SVC / AST) of initial access.

03 · MAP THE CHAIN

List the structural elements the adversary must traverse from initial access to objective. The chain becomes the TOE list.

04 · VALIDATE AGAINST ARCHITECTURE

Each step must be reachable from the previous. If a TOE element is unreachable, the path is invalid, revise.

05 · ENUMERATE AN-ATT

Create the AN-ATT enumerated element with the full TOE chain and a description.

06 · COVERAGE ANALYSIS

For each AN-THR, count the AN-ATT paths. Threats with no path: untraversable on this platform, or path missing, investigate.

FUNCTION THREE · MOD 03

09/17

UTC

09

Worked example, quality checklist, hand-off · one complete AN-ATT

ONE COMPLETE AN-ATT ON A LEO PLATFORM.

A real-world attack path for an orbital constellation, end-to-end, the enumerated element, the TOE attachment, the sourcing, and how it hands off to the next function.

▷ THE ENUMERATED ELEMENT

FRAME 1 · THE ENUMERATION AN: ATT: 00, Ground-to-Space Command Injection Path

A validated path from AN: THR: 00 (the LEO-targeting APT). Adversary gains foothold on a ground software asset, traverses to the control plane, sends commands to the space segment.

AN: ATT: Attack Path: 00

TOE: AST: SW: Software: 03 (entry), SVC: CP: Control Plane: 00 (traversal), SEG: SP: Space: 00 (objective)

FRAME 2 · SOURCING Sourcing trail

Driven by AN: THR: 00; path validated in red-team exercise 2026-Q1

Real-world validated only. No hypotheticals. The sourcing trail makes the entry auditable and lets analysts revisit when intel evolves.

FRAME 3 · HAND-OFF What happens next

F04 enumerates data and signal sources for each step, then writes RootA.io detection signatures.

F04 (Incident Response Preparation), enumerates AN-DET data sources and detection signatures for each AN-ATT.

▷ QUALITY CHECKLIST

Before publishing an AN-ATT to your TIP or sharing through Space ISAC, verify:

Every AN-ATT is driven by one or more AN-THR entries from F02
Every AN-ATT spans multiple structural elements via TOE, the chain from initial access to objective
No orphan paths, every AN-ATT traces back to a confirmed threat
Path validates against architecture: each TOE step is reachable from the previous
Coverage analysis: which AN-THR entries have AN-ATT paths and which do not

FUNCTION THREE · MOD 03

10/17

UTC

11

AN-ATT field-by-field · what each field carries

EVERY AN-ATT, FIELD BY FIELD.

An enumerated AN-ATT carries five core fields plus the TOE (Target of Exploitation) attachment that makes it actionable. Cycle through each below to see what the field holds, what a real value looks like, and where learners typically slip.

▷ AN-ATT VIEW

▷ FIELD DETAIL

LAYERField 1 of 5

Fixed for every analytic-layer entry.

EXAMPLE VALUE

AN

ELEMENTField 2 of 5

Two-letter taxonomy code identifying the path sub-category.

EXAMPLE VALUE

ATT

LABELField 3 of 5

Plain-English name for the ATT code.

EXAMPLE VALUE

Attack Path

ORDINALField 4 of 5

Two-digit serial; first attack path mapped is 00.

EXAMPLE VALUE

00

DESCRIPTIONField 5 of 5

Free-text scoping with the realistic narrative the path describes.

EXAMPLE VALUE

"Phishing → ground software → control-plane traversal → command issuance to space segment, validated in red-team exercise 2026-Q1."

TOETOE attachment (AN-specific)

TOE on AN-ATT spans multiple structural elements, the chain the adversary touches from initial access to objective.

EXAMPLE ATTACHMENT

TOE: AST: SW: Software: 03, SVC: CP: Control Plane: 00, SEG: SP: Space: 00

FUNCTION THREE · MOD 03

11/17

UTC

12

Real-world AN-ATT examples · four enumerated elements on a LEO platform

AN-ATT IN THE WILD.

Four worked AN-ATT enumerations spanning different scenarios on the same LEO platform, nation-state, supply chain, RF, insider. Each one is real-world validated, structurally anchored via TOE, and traceable to its source.

▷ SCENARIO IMAGE

Phishing → Ground SW → Control Plane → Space

Privileged Insider → Hardware Subversion

EXAMPLE 01 OF 04 Phishing → Ground SW → Control Plane → Space

Initial access via phishing on ground-station SW; lateral movement to control-plane service; command issuance to space segment.

ENUMERATED ELEMENT

AN: ATT: Attack Path: 00 TOE: AST: SW: Software: 03, SVC: CP: Control Plane: 00, SEG: SP: Space: 00

Sourcing: Driven by AN: THR: 00 (LEO-targeting APT); validated in red-team 2026-Q1

EXAMPLE 02 OF 04 Supply Chain → Firmware → Bus

Compromised SW build → firmware payload → onboard bus hardware. Not yet observed; modeled from architecture review.

ENUMERATED ELEMENT

AN: ATT: Attack Path: 01 TOE: AST: SW: Software: 03 → AST: FW: Firmware: 00 → AST: HW: Hardware: 00

Sourcing: Driven by AN: THR: 01 (supply-chain compromise); modeled against architecture

EXAMPLE 03 OF 04 RF Jam → Link Loss → Mission Outage

Adversary jams uplink signal → link layer failure → data-plane mission outage. Cross-segment chain.

ENUMERATED ELEMENT

AN: ATT: Attack Path: 02 TOE: AST: SI: Signal: 00, SEG: LI: Link: 00, SVC: DP: Data Plane: 00

Sourcing: Driven by AN: THR: 02 (RF jamming campaign); observed during contested ops

EXAMPLE 04 OF 04 Privileged Insider → Hardware Subversion

Privileged insider physically tampers with ground hardware; uses elevated access to inject control-plane commands.

ENUMERATED ELEMENT

AN: ATT: Attack Path: 03 TOE: SEG: GR: Ground: 00, AST: HW: Hardware: 03, SVC: CP: Control Plane: 00

Sourcing: Driven by AN: THR: 03 (insider profile); validated in post-incident debrief

FUNCTION THREE · MOD 03

12/17

UTC

04

Analytic Layer · AN-ATT · the conditional statement

AN-ATT, ATTACK PATH.

Known or modeled attack path for a converged space system, a sequence of adversary actions that could traverse the platform from entry to impact.

DATA MODEL ROW

LAYER	ELEMENT	LABEL	DESCRIPTION
`AN`	`ATT`	Attack Path	Known or modeled attack path for a converged space system, a sequence of adversary actions that could traverse the platform from entry to impact.

▷ TARGET FIELD · TOE

Target of Exploitation, lists every structural entry the path traverses end-to-end. AN-ATT TOEs are typically longer than AN-IOC or AN-IOA TOEs because the path itself spans multiple layers.

Sourcing: Adversary-behavior catalogs (ATT&CK, ATLAS, SPARTA), red-team reports, internal architecture reviews, and peer-shared attack-path documentation.

▷ KEY INNOVATION

By giving Attack Paths their own analytic category distinct from indicators, METEORSTORM lets the same defender reason about exposures that have been modeled but never exercised, exposures exercised by red teams, and exposures exploited in the wild, all in the same enumeration. The structural answer to “what could happen here?” is enumerated as cleanly as the answer to “what is happening here?”

ATTELEMENT

FUNCTION THREE · MOD 03

13/17

UTC

05

AN-ATT enumeration · walk once per AN-ATT instance

AN-ATT, ENUMERATION.

01

Element LAYER

LAYER = AN (fixed).

02

Identify the source

Adversary-behavior catalog (ATT&CK, ATLAS, SPARTA), red-team report, architecture review, or peer-shared documentation.

03

Set ELEMENT to ATT

Identifies this as an Attack-Path entry within the Analytic Layer.

04

Assign ORDINAL

Two-digit, AN-ATT-00, AN-ATT-01, …

05

Element the TOE

List every structural entry the path traverses, end-to-end. AN-ATT TOEs are typically longer because the path spans multiple layers.

06

Write DESCRIPTION

Describe the path in enough detail for another analyst to evaluate it against their own platform. Cite the source framework or report.

↺ Repeat for each AN-ATT instance 6 STEPS

6STEPS

FUNCTION THREE · MOD 03

14/17

UTC

06

Analytic Layer · AN-IOA · the present-tense statement

AN-IOA, INDICATOR OF ATTACK.

Verifiable indication that the platform has been targeted, adversary activity in progress against the platform, observable right now.

DATA MODEL ROW

LAYER	ELEMENT	LABEL	DESCRIPTION
`AN`	`IOA`	Indicator of Attack	Verifiable indication that the platform has been targeted, adversary activity in progress against the platform, observable right now.

▷ TARGET FIELD · TOE

Target of Exploitation, lists the structural entries currently exposed to the in-progress attack, typically the SVC and SEG involved, plus any AST in scope.

Sourcing: Operator telemetry, confirmed alerts, or incident reports from trusted partners. Modeled behavior without a current observation belongs in AN-ATT, not AN-IOA.

▷ KEY INNOVATION

Most defensive frameworks collapse the present and the past into a single “detection” or “alert” concept. METEORSTORM keeps them separate so the analyst can answer two distinct questions independently: did something already happen, and is something happening right now? Two questions, two analytic categories, two decision paths.

IOAELEMENT

FUNCTION THREE · MOD 03

15/17

UTC

07

AN-IOA enumeration · walk once per AN-IOA instance

AN-IOA, ENUMERATION.

01

Element LAYER

LAYER = AN (fixed).

02

Confirm the source

Live telemetry, confirmed alert, or trusted-partner incident report. If not currently observed, the entry belongs in AN-ATT.

03

Set ELEMENT to IOA

Identifies this as an Indicator-of-Attack entry within the Analytic Layer.

04

Assign ORDINAL

Two-digit, AN-IOA-00, AN-IOA-01, …

05

Element the TOE

List the structural entries currently exposed to the in-progress attack: typically the SVC and SEG involved, plus any AST in scope.

06

Write DESCRIPTION

Describe the in-progress activity (pattern, cadence, source where applicable) and cite the observation source.

↺ Repeat for each AN-IOA instance 6 STEPS

6STEPS

FUNCTION THREE · MOD 03

16/17

UTC

END

Function THREE complete · Function Four next

INCIDENT RESPONSE
PREPAREDNESS.

Module 04 enumerates the data and signal sources needed to detect each AN-ATT path, then writes detection signatures in RootA.io format.

STARTING POINT

A complete F01 structural decomposition and an F02 mission-specific threat catalogue. No attack paths enumerated yet; you know what threats apply but not how an adversary would traverse the platform to realise them.

FINISH LINE

A complete map of attack paths (AN-ATT) drawn from the F02 threat catalogue, each spanning the chain of structural elements an adversary would touch from initial access to objective. Ready for F04 (Module 04) to enumerate the data and signal sources needed to detect each path step.

▷ MODULE 03 ASSESSMENT

A multiple-choice exam aligned with Module 03 KSAT areas. Drawn at random from a question bank covering Function THREE's taxonomy element (AN-ATT), its TARGET attachment (TOE), and the production flow into the next function. Exam scaffolding wired in next iteration.

⌂ COURSE HOME ▶ MODULE 04 →

END

FUNCTION THREE · MOD 03

17/17

Master Converged Detection Engineering.

FROM START TO FINISH LINE.

LABS Learning Objectives.

WHAT THIS MODULEDELIVERS.

AN-ATT Elements

AN-IOA Elements

Two-Tense Coverage

WHAT CAN HAPPEN, AND WHAT IS HAPPENING?

WHAT YOU INHERIT FROM F02.

AN-ATT, TWO FORMS.

TOE, TARGET OF EXPLOITATION.

SIX STEPS, EVERY AN-ATT.

ONE COMPLETE AN-ATT ON A LEO PLATFORM.

EVERY AN-ATT, FIELD BY FIELD.

AN-ATT IN THE WILD.

AN-ATT, ATTACK PATH.

AN-ATT, ENUMERATION.

Element LAYER

Identify the source

Set ELEMENT to ATT

Assign ORDINAL

Element the TOE

Write DESCRIPTION

AN-IOA, INDICATOR OF ATTACK.

AN-IOA, ENUMERATION.

Element LAYER

Confirm the source

Set ELEMENT to IOA

Assign ORDINAL

Element the TOE

Write DESCRIPTION

INCIDENT RESPONSEPREPAREDNESS.

WHAT THIS MODULE
DELIVERS.

WHAT CAN HAPPEN,
AND WHAT IS HAPPENING?

INCIDENT RESPONSE
PREPAREDNESS.