UTC

Function Four

INCIDENT RESPONSE

PREPAREDNESS

Master Exposure Management.

“The adversary suffers when every path they take ends in a trap.”

Organizations must continually enumerate the attack paths created by both exposed and isolated platform elements, and work towards platform deception techniques.

FUNCTION FOUR · MOD 04

01/15

UTC

02

Module 04 · where you start, where you finish

FROM START TO FINISH LINE.

Module 04 covers Function FOUR, Incident Response Preparation. Below: where the learner begins (what F03 and earlier produced), the work this module performs, and where the learner ends.

STARTING POINT

A complete F01 CONOPS, F02 threat catalogue, and F03 attack-path map. No detection signatures or validated data sources yet; coverage of the attack-path map is unknown.

FINISH LINE

Enumerated data and signal sources for every step of every attack path, plus a complete portfolio of detection signatures in RootA.io format. Each AN-DET attaches via TDM to the structural element it observes and back-references the AN-ATT it covers. Ready for F05 (Module 05) to enumerate resilience measures that remove adversary attack surface.

FUNCTION FOUR · MOD 04

02/15

UTC

03

Learn, Apply, Build, Simulate · KSAT alignment for Module 04

LABS Learning Objectives.

Module 04 hands-on objectives. Each row maps a LABS component to its KSAT type, (L)EARN to Knowledge, (A)PPLY to Skill, (B)UILD to Ability, (S)IMULATE to Task, so the exam at the end of the module assesses the same competencies the labs build.

LABS Component	KSAT Type	Statement
(L)EARN	Knowledge	Knowledge of RootA.io as the open, vendor-neutral detection language; the TDM (Target of Detection Method) attachment field; and the discipline that no orphan signatures are accepted.
(L)EARN	Knowledge	Knowledge of detection-gap elements as first-class analytic products that drive engineering work to close telemetry gaps before signature publication.
(A)PPLY	Skill	Skill in inventorying available telemetry per structural element, logs, traces, RF, signal feeds, mission product feeds, and validating that data sources are reachable and have acceptable quality.
(A)PPLY	Skill	Skill in writing AN-DET signatures in RootA.io format with TDM attachments and back-references to the AN-ATT, AN-IOA, or AN-THR each detects.
(B)UILD	Ability	Ability to validate every required data source BEFORE signature publication, capturing detection-gap elements where telemetry does not exist.
(S)IMULATE	Task	Produce a complete AN-DET portfolio for a sample LEO platform with measurable coverage of the F03 attack-path map and a documented detection-gap backlog.

FUNCTION FOUR · MOD 04

03/15

UTC

02

Module deliverables · what you produce by the end

WHAT THIS MODULE
DELIVERS.

Function Four elements detection coverage: AN-DET signatures expressed in RootA. Every AN-DET entry attaches via TDM (not TOE) to the structural elements it observes. A threat or attack path with no matching AN-DET becomes a first-class detection-gap element, an analytic product in its own right.

OUTPUT · 01

AN-DET Elements

RootA-wrapped detection signatures, each citing the AN-IOC/IOA/ATT/THR entries it provides coverage for.

OUTPUT · 02

TDM Attachments

Every AN-DET names the structural entries (AST, SVC, SEG) the signature observes.

OUTPUT · 03

Detection Gaps

Each threat or attack path without an AN-DET becomes a queryable gap element, a first-class output of the framework.

3OUTPUTS

FUNCTION FOUR · MOD 04

04/15

UTC

03

Function Four · the question this function answers

WHAT CAN
THE PLATFORM SEE?

Function Four elements detection coverage: AN-DET signatures expressed in RootA. Every AN-DET entry attaches via TDM (not TOE) to the structural elements it observes. A threat or attack path with no matching AN-DET becomes a first-class detection-gap element, an analytic product in its own right.

▷ TAKES IN

AN-IOC, AN-IOA, AN-ATT, and AN-THR elements from Modules 2 and 3.

▷ PRODUCES

AN-DET entries, RootA-wrapped detection signatures attached via TDM to the structural entries they observe.

FUNCTION FOUR · MOD 04

05/15

UTC

05

Module 04 foundations recap · what you inherit

WHAT YOU INHERIT FROM F03.

Function FOUR attaches its work to the structural decomposition produced upstream, the AN-ATT attack-path map. Every AN-DET you enumerate in this module attaches via TDM to one or more structural elements. Quick recap of the four structural layers and the analytic overlay.

▷ THE FIVE LAYERS

▷ LAYER ROLE

PCEPrimary Capability Environment

Where the platform physically operates. Five environments: Terrestrial, Aquatic, Aerial, Orbital, Deep Space.

SEGSegment

Self-contained piece with a specific operational role. Ten segments including Launch, Link, Ground, User, Space, Deep Space.

SVCService

The functional plane, how a segment controls things or moves data. Three services: Control Plane, Data Plane, Hybrid.

ASTAsset

Concrete things that make a service work. Six asset classes: Hardware, Firmware, Software, Data, Signal, Hybrid.

ANAnalytic (this module's home)

A separate overlay layer. Carries what defenders observe and build. Six categories, AN-DET is the one this module produces.

FUNCTION FOUR · MOD 04

06/15

UTC

06

Two ways to write AN-DET · taxonomy element vs. enumerated element

AN-DET, TWO FORMS.

Same AN-DET two ways. The taxonomy element is the abstract category, written hyphenated as AN-DET. The enumerated element is one specific instance on your platform, written with all five fields plus a description, e.g. AN: DET: Detection Signature: 00. Use the hyphenated form when you mean “any Detection Signature”; use the full form when you mean “this exact Detection Signature on our platform.”

▷ TAXONOMY ELEMENT

The category. Written LAYER-ELEMENT (hyphenated). Use it in prose to refer to any Detection Signature.

AN-DET

“Every AN-DET entry must have a documented source.”, talking about detection signatures in general.

AN-DET

“Our AN-DET catalogue is reviewed quarterly against intel updates.”

▷ ENUMERATED ELEMENT

One specific instance. Written LAYER: ELEMENT: LABEL: ORDINAL with description and TDM.

AN: DET: Detection Signature: 00

“AN: DET: 00, RootA.io Signature for Anomalous Command Pattern”

AN: DET: Detection Signature: 01

A second specific detection signature on the same platform, same taxonomy code, different ordinal, different description and TDM.

FUNCTION FOUR · MOD 04

07/15

UTC

07

How AN-DET attaches to the platform · the TDM field

TDM, TARGET OF DETECTION METHOD.

Each AN-DET enumerated element points back at the platform via the TDM (Target of Detection Method) field. TDM names the structural element the detection observes. Without TDM, detection signatures are free-floating noise, the structural anchor is what makes the detection signature actionable, queryable, and shareable.

▷ ATTACHMENT VIEW

▷ ATTACHMENT DETAIL

DEFINITION TDM = Target of Detection Method

Each AN-DET element carries a TDM field that lists the structural element(s) the detection signature structural element the detection observes. Format: TDM: structural element references.

EXAMPLE Real-world TDM attachment

AN: DET: 00, RootA.io Signature for Anomalous Command Pattern: TDM: TDM: AST: SW: Software: 03. Every structural anchor is a real enumerated element on the platform, never a hypothetical, never a sample.

DISCIPLINE No TDM, no entry

An AN-DET with no TDM attachment is free-floating noise. Every entry must point at one or more real structural elements on your platform. This is the discipline that keeps the analytic catalogue queryable, correlatable, and shareable.

FUNCTION FOUR · MOD 04

08/15

UTC

08

How to enumerate one AN-DET · the per-element procedure

SIX STEPS, EVERY AN-DET.

Per-element enumeration procedure. The walk is the same for every AN-DET; only the inputs and the structural anchors change. Sources: the AN-ATT attack-path map.

▷ THE SIX STEPS

01

Pick an AN-ATT step

02

Inventory required telemetry

03

Validate the source exists

04

Write the RootA.io rule

05

Attach via TDM

06

Measure coverage

▷ STEP DETAIL

01 · PICK AN AN-ATT STEP

Walk the F03 attack-path map. Each step (TOE element) is a candidate detection point.

02 · INVENTORY REQUIRED TELEMETRY

What data or signal source would surface adversary activity at this step? Logs, traces, RF telemetry, signal feeds, mission product feeds.

03 · VALIDATE THE SOURCE EXISTS

Confirm the data is reaching the SOC, has acceptable quality, is queryable. If not, capture as a detection-gap element, engineering work.

04 · WRITE THE ROOTA.IO RULE

Express the detection logic in RootA.io format. Vendor-specific queries without RootA.io wrapper are not accepted as AN-DET.

05 · ATTACH VIA TDM

AN-DET attaches via TDM (Target of Detection Method, not TOE) to the structural element it observes. Back-reference the AN-ATT it covers.

06 · MEASURE COVERAGE

For every AN-ATT, count the AN-DET signatures detecting it. Identify gaps and consolidate redundant signatures.

FUNCTION FOUR · MOD 04

09/15

UTC

09

Worked example, quality checklist, hand-off · one complete AN-DET

ONE COMPLETE AN-DET ON A LEO PLATFORM.

A real-world detection signature for an orbital constellation, end-to-end, the enumerated element, the TDM attachment, the sourcing, and how it hands off to the next function.

▷ THE ENUMERATED ELEMENT

FRAME 1 · THE ENUMERATION AN: DET: 00, RootA.io Signature for Anomalous Command Pattern

Detection signature back-referencing AN: ATT: 00. Watches AST: SW: Software: 03 for anomalous command injection patterns. Tested with FP rate < 1%.

AN: DET: Detection Signature: 00

TDM: TDM: AST: SW: Software: 03

FRAME 2 · SOURCING Sourcing trail

Driven by AN: ATT: 00; data source onboarded and validated 2026-Q2; RootA.io rule reviewed by detection engineering

Real-world validated only. No hypotheticals. The sourcing trail makes the entry auditable and lets analysts revisit when intel evolves.

FRAME 3 · HAND-OFF What happens next

F05 enumerates AN-RES resilience measures to remove adversary attack surface.

F05 (Adversary Management), enumerates AN-RES resilience measures targeting structural elements that recur across F02 threats and F03 attack paths.

▷ QUALITY CHECKLIST

Before publishing an AN-DET to your TIP or sharing through Space ISAC, verify:

Every AN-DET attaches via TDM (not TOE) to the structural element it observes
Every AN-DET back-references the AN-ATT (and/or AN-IOA, AN-THR) it covers, no orphan signatures
Every AN-DET is expressed in RootA.io format, vendor-specific queries without RootA.io wrapper are not accepted
Data source for the TDM was enumerated and onboarded BEFORE the rule was published
Detection-gap elements captured where a step in an AN-ATT has no available telemetry

FUNCTION FOUR · MOD 04

10/15

UTC

11

AN-DET field-by-field · what each field carries

EVERY AN-DET, FIELD BY FIELD.

An enumerated AN-DET carries five core fields plus the TDM (Target of Detection Method) attachment that makes it actionable. Cycle through each below to see what the field holds, what a real value looks like, and where learners typically slip.

▷ AN-DET VIEW

▷ FIELD DETAIL

LAYERField 1 of 5

Fixed for every analytic-layer entry.

EXAMPLE VALUE

AN

ELEMENTField 2 of 5

Two-letter taxonomy code identifying the signature sub-category.

EXAMPLE VALUE

DET

LABELField 3 of 5

Plain-English name for the DET code.

EXAMPLE VALUE

Detection Signature

ORDINALField 4 of 5

Two-digit serial; first signature published is 00.

EXAMPLE VALUE

00

DESCRIPTIONField 5 of 5

Free-text scoping with the rule's purpose, back-reference, and operational metrics.

EXAMPLE VALUE

"RootA.io rule for anomalous command-injection pattern; back-references AN: ATT: 00; FP rate < 1%."

TDMTDM attachment (AN-specific)

TDM (Target of Detection Method), the structural element the signature observes. Distinct from TOE (what adversaries exploit).

EXAMPLE ATTACHMENT

TDM: AST: SW: Software: 03

FUNCTION FOUR · MOD 04

11/15

UTC

12

Real-world AN-DET examples · four enumerated elements on a LEO platform

AN-DET IN THE WILD.

Four worked AN-DET enumerations spanning different scenarios on the same LEO platform, nation-state, supply chain, RF, insider. Each one is real-world validated, structurally anchored via TDM, and traceable to its source.

▷ SCENARIO IMAGE

EXAMPLE 01 OF 04 Anomalous Command Pattern (RootA.io)

Detects anomalous command-injection patterns on the ground software. Tested under operational load.

ENUMERATED ELEMENT

AN: DET: Detection Signature: 00 TDM: AST: SW: Software: 03

Sourcing: Back-references AN: ATT: 00; data source onboarded 2026-Q2; FP < 1%

EXAMPLE 02 OF 04 Firmware Integrity Drift Detection

Watches for unexpected firmware checksum changes mid-mission. Pairs with offline attestation review.

ENUMERATED ELEMENT

AN: DET: Detection Signature: 01 TDM: AST: FW: Firmware: 00

Sourcing: Back-references AN: ATT: 01; firmware-attestation feed validated 2026-Q2

EXAMPLE 03 OF 04 Uplink RF Anomaly Detector

Detects deviation from baseline uplink RF spectrum during nominal commanding windows.

ENUMERATED ELEMENT

AN: DET: Detection Signature: 02 TDM: AST: SI: Signal: 00

Sourcing: Back-references AN: ATT: 02; SDR feed validated 2026-Q1

EXAMPLE 04 OF 04 Privileged Access Out-of-Hours

Watches for privileged operator authentications outside scheduled mission ops windows.

ENUMERATED ELEMENT

AN: DET: Detection Signature: 03 TDM: SVC: CP: Control Plane: 00

Sourcing: Back-references AN: ATT: 03; SIEM feed validated 2026-Q1

FUNCTION FOUR · MOD 04

12/15

UTC

04

Analytic Layer · AN-DET · the coverage statement

AN-DET, DETECTION SIGNATURE.

Pattern, signal, or logic that triggers on contextualized threat behavior, expressed in RootA format.

DATA MODEL ROW

LAYER	ELEMENT	LABEL	DESCRIPTION
`AN`	`DET`	Detection Signature	Pattern, signal, or logic that triggers on contextualized threat behavior, expressed in RootA format.

▷ TARGET FIELD · TDM

Target of Detection Method, lists the structural entries the signature is designed to observe. AN-DET is unique, it uses TDM, not TOE.

Sourcing: Internal detection engineering, vendor-published rules wrapped into RootA, and peer-shared detections. Vendor-specific queries without a RootA wrapper are not accepted.

▷ KEY INNOVATION

A threat or attack path with no matching detection signature is not an oversight, it is an enumerated analytic product. The absence becomes a first-class element in the taxonomy, turning detection-gap identification from ad-hoc review into a structured, queryable output of the framework. Every AN-DET entry must be wrapped in RootA so it translates to any participating SOC’s native query language.

DETELEMENT

FUNCTION FOUR · MOD 04

13/15

UTC

05

AN-DET enumeration · walk once per AN-DET instance

AN-DET, ENUMERATION.

01

Element LAYER

LAYER = AN (fixed).

02

Verify the format

The signature must be expressed in RootA. A vendor-specific query without a RootA wrapper is not accepted as an AN-DET entry.

03

Set ELEMENT to DET

Identifies this as a Detection-Signature entry within the Analytic Layer.

04

Assign ORDINAL

Two-digit, AN-DET-00, AN-DET-01, …

05

Element the TDM

List the structural entries the signature is designed to observe. AN-DET uses TDM (Target of Detection Method), not TOE.

06

Write DESCRIPTION

Identify what the signature looks for and the AN-IOC, AN-IOA, AN-ATT, or AN-THR entries it covers. Cite the RootA rule and source.

↺ Repeat for each AN-DET instance 6 STEPS

6STEPS

FUNCTION FOUR · MOD 04

14/15

UTC

END

Function FOUR complete · Function Five next

ADVERSARY
MANAGEMENT.

Module 05 enumerates AN-RES resilience measures that remove adversary attack surface across the structural elements where threats and attack paths recur.

STARTING POINT

A complete F01 CONOPS, F02 threat catalogue, and F03 attack-path map. No detection signatures or validated data sources yet; coverage of the attack-path map is unknown.

FINISH LINE

Enumerated data and signal sources for every step of every attack path, plus a complete portfolio of detection signatures in RootA.io format. Each AN-DET attaches via TDM to the structural element it observes and back-references the AN-ATT it covers. Ready for F05 (Module 05) to enumerate resilience measures that remove adversary attack surface.

▷ MODULE 04 ASSESSMENT

A multiple-choice exam aligned with Module 04 KSAT areas. Drawn at random from a question bank covering Function FOUR's taxonomy element (AN-DET), its TARGET attachment (TDM), and the production flow into the next function. Exam scaffolding wired in next iteration.

⌂ COURSE HOME ▶ MODULE 05 →

END

FUNCTION FOUR · MOD 04

15/15

Master Exposure Management.

FROM START TO FINISH LINE.

LABS Learning Objectives.

WHAT THIS MODULEDELIVERS.

AN-DET Elements

TDM Attachments

Detection Gaps

WHAT CANTHE PLATFORM SEE?

WHAT YOU INHERIT FROM F03.

AN-DET, TWO FORMS.

TDM, TARGET OF DETECTION METHOD.

SIX STEPS, EVERY AN-DET.

ONE COMPLETE AN-DET ON A LEO PLATFORM.

EVERY AN-DET, FIELD BY FIELD.

AN-DET IN THE WILD.

AN-DET, DETECTION SIGNATURE.

AN-DET, ENUMERATION.

Element LAYER

Verify the format

Set ELEMENT to DET

Assign ORDINAL

Element the TDM

Write DESCRIPTION

ADVERSARYMANAGEMENT.

WHAT THIS MODULE
DELIVERS.

WHAT CAN
THE PLATFORM SEE?

ADVERSARY
MANAGEMENT.