“The adversary suffers when their plans are known, broken, and turned against them.”
Organizations must align decomposition, contextualized threat modeling, converged detection engineering, and exposure management with real-world adversary profiles to detect, disrupt, and deter adversaries targeting their platforms.
Module 05 covers Function FIVE, Adversary Management. Below: where the learner begins (what F04 and earlier produced), the work this module performs, and where the learner ends.
F01–F04 outputs in place. No resilience measures yet; the structural elements where the adversary keeps finding leverage remain exposed.
A resilience-measure catalogue (AN-RES) that systematically removes adversary attack surface: each measure shrinks, hardens, or eliminates the structural elements that recurred across F02 threats and F03 attack paths. Each AN-RES attaches via TRE to the structural element it removes from play, mapped to one of the four NIST 800-160 v2 goals: Anticipate, Withstand, Recover, Adapt. Course complete.
Module 05 hands-on objectives. Each row maps a LABS component to its KSAT type ((L)EARN to Knowledge, (A)PPLY to Skill, (B)UILD to Ability, (S)IMULATE to Task), so the exam at the end of the module assesses the same competencies the labs build.
| LABS Component | KSAT Type | Statement |
|---|---|---|
| (L)EARN | Knowledge | Knowledge of the four NIST 800-160 v2 resilience goals (Anticipate, Withstand, Recover, Adapt), the TRE (Target of Resilience Enhancement) attachment field, and the AN-DET vs AN-RES distinction (observe vs protect). |
| (L)EARN | Knowledge | Knowledge of the continuous (not incident-driven) discipline of adversary management, where AN-RES measures evolve as adversary TTPs evolve. |
| (A)PPLY | Skill | Skill in identifying structural elements that recur across F02 (AN-THR) and F03 (AN-ATT) catalogues, the elements where the adversary keeps finding leverage. |
| (A)PPLY | Skill | Skill in mapping AN-RES enumerated elements to one of four NIST 800-160 v2 goals and attaching them via TRE to the structural element each protects or removes from play. |
| (B)UILD | Ability | Ability to prioritize AN-RES by adversary leverage (recurrence in F02 / F03) rather than by compliance calendars, and to compute a removed-attack-surface metric per measure. |
| (S)IMULATE | Task | Design and document a resilience-measure portfolio for a sample LEO platform that systematically removes adversary attack surface, closing the loop back to F01 for the next iteration. |
Function Five's element is the only forward-looking analytic category: AN-RES. Each entry is a protective capability, enumerated prospectively against one of the four NIST 800-160 v2 goals: Anticipate, Withstand, Recover, Adapt. AN-RES uses TRE (not TOE or TDM) and bridges operational defense and future engineering.
Each prospective protective capability enumerated against Anticipate / Withstand / Recover / Adapt.
Every AN-RES names the structural entries (AST, SVC, SEG, PCE) it protects.
Measures that cannot be applied in place become input to next-generation platform design.
AN-ATT, AN-THR, AN-DET elements and post-incident lessons.
AN-RES entries, protective capabilities attached via TRE, each tagged to one of the four resiliency goals.
Function FIVE attaches its work to the structural decomposition produced upstream, the AN-THR catalogue (F02), AN-ATT attack-path map (F03), and AN-DET coverage (F04). Every AN-RES you enumerate in this module attaches via TRE to one or more structural elements. Quick recap of the four structural layers and the analytic overlay.
PCE · Primary Capability Environment: Where the platform physically operates. Five environments: Terrestrial, Aquatic, Aerial, Orbital, Deep Space.
SEG · Segment: Self-contained piece with a specific operational role. Ten segments including Launch, Link, Ground, User, Space, Deep Space.
SVC · Service: The functional plane, how a segment controls things or moves data. Three services: Control Plane, Data Plane, Hybrid.
AST · Asset: Concrete things that make a service work. Six asset classes: Hardware, Firmware, Software, Data, Signal, Hybrid.
AN · Analytic (this module's home): A separate overlay layer. Carries what defenders observe and build. Six categories; AN-RES is the one this module produces.
Same AN-RES two ways. The taxonomy element is the abstract category, written hyphenated as AN-RES. The enumerated element is one specific instance on your platform, written with all five fields plus a description, e.g. AN: RES: Resilience Measure: 00. Use the hyphenated form when you mean “any Resilience Measure”; use the full form when you mean “this exact Resilience Measure on our platform.”
The category. Written LAYER-ELEMENT (hyphenated). Use it in prose to refer to any Resilience Measure.
AN-RES
“Every AN-RES entry must have a documented source.” (talking about resilience measures in general)
AN-RES
“Our AN-RES catalogue is reviewed quarterly against intel updates.”
One specific instance. Written LAYER: ELEMENT: LABEL: ORDINAL with description and TRE.
AN: RES: Resilience Measure: 00
“AN: RES: 00, Hardened Boot for LEO Ground Software”
AN: RES: Resilience Measure: 01
A second specific resilience measure on the same platform, same taxonomy code, different ordinal, different description and TRE.
Each AN-RES enumerated element points back at the platform via the TRE (Target of Resilience Enhancement) field. TRE names the structural element the measure protects (or removes from play). Without TRE, resilience measures are free-floating noise; the structural anchor is what makes the resilience measure actionable, queryable, and shareable.
Each AN-RES element carries a TRE field that lists the structural element(s) the measure protects (or removes from play). Format: TRE: structural element references.
AN: RES: 00, Hardened Boot for LEO Ground Software: TRE: AST: SW: Software: 03. Every structural anchor is a real enumerated element on the platform, never a hypothetical, never a sample.
An AN-RES with no TRE attachment is free-floating noise. Every entry must point at one or more real structural elements on your platform. This is the discipline that keeps the analytic catalogue queryable, correlatable, and shareable.
Per-element enumeration procedure. The walk is the same for every AN-RES; only the inputs and the structural anchors change. Sources: the AN-THR catalogue (F02), AN-ATT attack-path map (F03), and AN-DET coverage (F04).
01 · IDENTIFY RECURRENCE
Walk the F02 (AN-THR) and F03 (AN-ATT) catalogues. Find structural elements that recur across multiple threats and paths; those are where the adversary keeps finding leverage.
02 · PICK A NIST GOAL
For each candidate AN-RES, pick one NIST 800-160 v2 goal: Anticipate, Withstand, Recover, or Adapt. Goals are not exclusive but pick the primary.
03 · DESIGN THE MEASURE
What change to the structural element will shrink, harden, or eliminate it from the adversary attack surface? Failover, defence-in-depth, hot-standby, hardened boot, mission-continuity workflow.
04 · ENUMERATE AN-RES
Create the AN-RES enumerated element with goal, rationale, and a description.
05 · ATTACH VIA TRE
AN-RES attaches via TRE (Target of Resilience Enhancement, not TOE or TDM) to the structural element it protects. Reference the recurring AN-THR / AN-ATT it mitigates.
06 · REMOVED-ATTACK-SURFACE METRIC
For each AN-RES, count how many AN-THR threats and AN-ATT paths are mitigated. Priority is driven by adversary leverage, not compliance calendars.
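Steps 01, 05 and 06 of the procedure above, as an added example that is not part of the course material. The catalogue contents are constructed to be consistent with the page's worked entries (the AN-THR ordinals are invented), and the example assumes a threat or path counts as mitigated when it touches an element named in the measure's TRE.

```python
from collections import Counter

# Constructed sample data: structural elements each AN-THR / AN-ATT entry
# touches, and the TRE attachments of four candidate AN-RES measures.
THREATS = {
    "AN: THR: 00": ["AST: SW: Software: 03", "SEG: GR: Ground: 00"],
    "AN: THR: 01": ["AST: SW: Software: 03"],
    "AN: THR: 02": ["AST: SI: Signal: 00"],
}
PATHS = {
    "AN: ATT: 00": ["AST: SW: Software: 03", "SVC: CP: Control Plane: 00"],
    "AN: ATT: 01": ["AST: SW: Software: 03"],
    "AN: ATT: 02": ["AST: SI: Signal: 00"],
    "AN: ATT: 03": ["SEG: GR: Ground: 00", "SVC: CP: Control Plane: 00"],
}
MEASURES = {
    "AN: RES: Resilience Measure: 00": ["AST: SW: Software: 03"],
    "AN: RES: Resilience Measure: 01": ["SEG: GR: Ground: 00"],
    "AN: RES: Resilience Measure: 02": ["AST: SI: Signal: 00"],
    "AN: RES: Resilience Measure: 03": ["SVC: CP: Control Plane: 00"],
}

def recurrence(threats, paths):
    """Step 01: how many AN-THR and AN-ATT entries touch each element."""
    counts = Counter()
    for touched in list(threats.values()) + list(paths.values()):
        counts.update(set(touched))
    return counts

def removed_attack_surface(tre, threats, paths):
    """Step 06: the AN-THR and AN-ATT entries that touch any TRE element."""
    tre = set(tre)
    thr = sorted(t for t, els in threats.items() if tre & set(els))
    att = sorted(p for p, els in paths.items() if tre & set(els))
    return thr, att

def prioritize(measures, threats, paths):
    """Rank measures by adversary leverage, highest metric first."""
    ranked = []
    for name, tre in measures.items():
        if not tre:  # step 05: no TRE means a free-floating entry
            raise ValueError(f"{name}: missing TRE attachment")
        thr, att = removed_attack_surface(tre, threats, paths)
        ranked.append((len(thr) + len(att), name, thr, att))
    return sorted(ranked, key=lambda r: (-r[0], r[1]))

if __name__ == "__main__":
    for score, name, thr, att in prioritize(MEASURES, THREATS, PATHS):
        print(score, name, thr + att)
```

With this sample data the software asset recurs four times, so the measure attached to it ranks first regardless of any review calendar.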
A real-world resilience measure for an orbital constellation, end-to-end: the enumerated element, the TRE attachment, the sourcing, and how it hands off to the next function.
A resilience measure targeting AST: SW: Software: 03, the same asset adversaries entered through in AN: ATT: 00. Goal: Withstand. Removes a recurring entry point from the adversary attack surface.
AN: RES: Resilience Measure: 00
TRE: AST: SW: Software: 03
Sourcing: Justified by AN: ATT: 00 recurrence in F03 map; tested 2026-Q2; mapped to NIST 800-160 v2 "Withstand"
Real-world validated only. No hypotheticals. The sourcing trail makes the entry auditable and lets analysts revisit when intel evolves.
Loop back to F01: as the platform evolves, F05 lessons drive new structural elements and the cycle continues.
Course complete. F05 closes the loop back to F01: lessons from this cycle refine the structural model for the next iteration.
Before publishing an AN-RES to your TIP or sharing through Space ISAC, verify:
An enumerated AN-RES carries five core fields plus the TRE (Target of Resilience Enhancement) attachment that makes it actionable. Cycle through each below to see what the field holds, what a real value looks like, and where learners typically slip.
| Field | Position | What it holds | Example value |
|---|---|---|---|
| LAYER | Field 1 of 5 | Fixed for every analytic-layer entry. | AN |
| ELEMENT | Field 2 of 5 | Two-letter taxonomy code identifying the resilience sub-category. | RES |
| LABEL | Field 3 of 5 | Plain-English name for the RES code. | Resilience Measure |
| ORDINAL | Field 4 of 5 | Two-digit serial; first measure designed is 00. | 00 |
| DESCRIPTION | Field 5 of 5 | Free-text scoping with NIST 800-160 v2 goal mapping and the threats / paths it mitigates. | "Hardened-boot + measured-launch on ground software; goal: Withstand; mitigates AN: ATT: 00 + AN: ATT: 01 entry vectors." |
| TRE | TRE attachment (AN-specific) | TRE (Target of Resilience Enhancement), the structural element the measure protects or removes from play. Distinct from TOE / TDM. | TRE: AST: SW: Software: 03 |
Four worked AN-RES enumerations spanning different scenarios on the same LEO platform: nation-state, supply chain, RF, insider. Each one is real-world validated, structurally anchored via TRE, and traceable to its source.
Hardened-boot + measured-launch removes the recurring entry point used by phishing and supply-chain attack paths.
AN: RES: Resilience Measure: 00
TRE: AST: SW: Software: 03
Sourcing: Justified by AN: ATT: 00 + AN: ATT: 01 recurrence; tested 2026-Q2
Failover to geographically-separate ground site within RTO; restores command-and-control under physical or cyber denial.
AN: RES: Resilience Measure: 01
TRE: SEG: GR: Ground: 00
Sourcing: Justified by AN: ATT: 03 + denial-of-service threat profile; tested 2026-Q2
Polarization-diverse uplink protects mission commanding from narrowband jamming during contested overflight.
AN: RES: Resilience Measure: 02
TRE: AST: SI: Signal: 00
Sourcing: Justified by AN: ATT: 02 (RF jamming chain); engineering review 2026-Q3
Continuous re-evaluation of operator trust scores during sessions; auto-revokes elevated rights on anomaly.
AN: RES: Resilience Measure: 03
TRE: SVC: CP: Control Plane: 00
Sourcing: Justified by AN: ATT: 03 (insider path); inspired by NIST 800-160 v2 Adapt patterns
AN-RES · the forward-looking statement
Protective capability ensuring resistance or recovery from threats, for either immediate implementation or as feedback for future platform engineering efforts.
| LAYER | ELEMENT | LABEL | DESCRIPTION |
|---|---|---|---|
| AN | RES | Resilience Measure | Protective capability ensuring resistance or recovery from threats, for either immediate implementation or as feedback for future platform engineering efforts. |
TRE · Target of Resilience Enhancement: names the structural entries the measure is intended to protect. AN-RES is unique: it uses TRE, not TOE or TDM.
Sourcing: Internal engineering, control-framework guidance, peer-shared resilience patterns, and post-incident lessons learned.
AN-RES sits alongside indicators, attack paths, threats, and detections. Grounded in NIST SP 800-160 Volume 2, resilience measures are enumerated prospectively, before they are exercised, and against all four resiliency goals: Anticipate, Withstand, Recover, Adapt. Defensive posture becomes a queryable property of the enumeration rather than a parallel document that drifts out of date.
LAYER = AN (fixed).
Anticipate · Withstand · Recover · Adapt (NIST SP 800-160 v2). Captured in DESCRIPTION; informs how the entry is reviewed.
Identifies this as a Resilience-Measure entry within the Analytic Layer.
Two-digit, AN-RES-00, AN-RES-01, …
List the structural entries the measure protects. AN-RES uses TRE (Target of Resilience Enhancement), not TOE or TDM.
Describe the measure, the resiliency goal it addresses, and the AN-ATT or AN-THR entries it counters. Cite the source.
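The field rules above, written as a pre-publication lint (an added example, not part of the course tooling). The dict layout, the `goal:` convention (taken from the page's sample description) and the structural-reference pattern (generalized from the page's four TRE examples) are assumptions; `PLATFORM` and the bad entry are constructed.

```python
import re

GOALS = {"Anticipate", "Withstand", "Recover", "Adapt"}  # NIST SP 800-160 v2
ID_RE = re.compile(r"AN: RES: Resilience Measure: \d{2}")
# Assumed shape, generalized from the page's four TRE examples.
TRE_RE = re.compile(r"TRE: ((?:AST|SVC|SEG|PCE): [A-Z]{2}: [A-Za-z ]+: \d{2})")
GOAL_RE = re.compile(r"goal:\s*([A-Za-z]+)")
COUNTERS_RE = re.compile(r"AN: (?:ATT|THR): \d{2}")

def lint_an_res(entry, platform):
    """Return a list of problems; an empty list means every check passed."""
    problems = []
    if not ID_RE.fullmatch(entry.get("id", "")):
        problems.append("id: expected 'AN: RES: Resilience Measure: NN'")
    tres = entry.get("tre", [])
    if not tres:
        problems.append("tre: missing, entry is free-floating")
    for tre in tres:
        m = TRE_RE.fullmatch(tre)
        if not m:
            problems.append(f"tre: not a TRE structural reference: {tre}")
        elif m.group(1) not in platform:
            problems.append(f"tre: element not enumerated on platform: {tre}")
    desc = entry.get("description", "")
    goal = GOAL_RE.search(desc)
    if not goal or goal.group(1) not in GOALS:
        problems.append("description: no primary NIST 800-160 v2 goal")
    if not COUNTERS_RE.search(desc):
        problems.append("description: names no AN-ATT / AN-THR entry")
    if not entry.get("sourcing", "").strip():
        problems.append("sourcing: missing")
    return problems

# Constructed platform enumeration; GOOD reuses the page's sample values.
PLATFORM = {"AST: SW: Software: 03", "SEG: GR: Ground: 00"}
GOOD = {
    "id": "AN: RES: Resilience Measure: 00",
    "tre": ["TRE: AST: SW: Software: 03"],
    "description": "Hardened-boot + measured-launch on ground software; "
                   "goal: Withstand; mitigates AN: ATT: 00 + AN: ATT: 01 entry vectors.",
    "sourcing": "Justified by AN: ATT: 00 + AN: ATT: 01 recurrence; tested 2026-Q2",
}
# Constructed bad entry: one-digit ordinal, TOE instead of TRE, an element
# that is not enumerated, no goal, no sourcing.
BAD = {
    "id": "AN: RES: Resilience Measure: 4",
    "tre": ["TOE: AST: SW: Software: 03", "TRE: AST: SI: Signal: 00"],
    "description": "Polarization-diverse uplink against AN: ATT: 02.",
    "sourcing": "",
}
```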
A multiple-choice exam aligned with Module 05 KSAT areas. Drawn at random from a question bank covering Function FIVE's taxonomy element (AN-RES), its TARGET attachment (TRE), and the production flow into the next function. Exam scaffolding wired in next iteration.
20 questions, drawn at random from a 20-question bank, aligned with Module 05 KSAT areas: Knowledge, Skills, Abilities, and Tasks. Question and answer order are randomized each session.