MODULES
01
ANALYTICS ASSETS SERVICES SEGMENTS ENVIRONMENTS METEORSTORM FRAMEWORK
SPACE IS NO
LONGER A SANCTUARY

For decades, the systems orbiting our planet operated in an environment that was challenging to reach, expensive to access, and relatively safe from deliberate interference.

That era has ended.

This course is the response. The Multiple Environment Threat Evaluation of Resources, Space Threats, and Operational Risk to Missions (METEORSTORM) is the framework that makes government, academic, and commercial space missions a harder target.

The Full Spectrum Space Cybersecurity Professional is the person who ties the Security Operations Center, the Satellite Operations Center, and Satellite Development & Engineering functions together. Right now those three teams don’t describe the platform the same way, and that’s the gap you are being trained to close. METEORSTORM is what makes the shared language work.

Organizations can then evolve internal resilient cyber operations, explore membership, and contribute their confirmed findings to #SpaceCollectiveDefense, the community initiative for sharing space-system threat intelligence across operators.

METEORSTORM OVERVIEW
01/15
MODULES
02
The context problem · why intelligence stops at the team boundary

INTELLIGENCE WITHOUT CONTEXT IS NOISE

  • Without a shared vocabulary, intelligence stops at the team boundary and degrades to noise.
  • METEORSTORM publishes the structural taxonomy and ontology the industry adopts as one shared model, published in the open as a MISP taxonomy.
  • The Full-Spectrum Space Cybersecurity Professional carries that intelligence intact across Security Operations, Satellite Operations, and Satellite Design & Engineering. One vocabulary, three rooms, no translation.
▷ BEFORE / AFTER
Before / after split-screen showing the impact of a shared taxonomy on a space-cybersecurity team: chaotic mismatched labels and confused analysts on the left transition through a glowing cyan divider to a unified team using one shared vocabulary on the right Before / after split-screen showing the impact of structural ontology on traceability: scattered disconnected finding cards on the left transition through a cyan divider to the same findings now organized into clear parent-child chains with bright connecting lines on the right
STRUCTURAL TAXONOMY

A controlled, published vocabulary names every part of a space platform. Four structural categories cover the whole platform, from the environment it operates in down to the concrete elements that implement its capabilities. The real-world implementation lives at machinetag.json, distributed as an open-source MISP taxonomy. You will learn each element and how to name your own platform with it in the next modules.

Diverse ops-center team all using the same shared structural vocabulary on a unified video wall, with the four-layer hierarchy mirrored on every workstation

A controlled, published vocabulary names every part of a space platform. Four structural categories cover the whole platform, from the environment it operates in down to the concrete elements that implement its capabilities. Each name is fixed, machine-readable, and carries a stable identifier so two operators describing the same kind of thing always write the same words.

The real-world implementation lives at meteorstorm/machinetag.json, distributed as an open-source MISP taxonomy. Point your Threat Intel Platform at the namespace and the vocabulary is available immediately, identical across every operator that does the same.

You will learn each structural category and how to enumerate your own platform’s elements against it in the next modules. The point of this overview is the pattern: a single open vocabulary, published and machine-readable, that every operator and partner can read without translation.

STRUCTURAL ONTOLOGY

Every name in the vocabulary points up to its parent in the layer above, forming a single chain from the most concrete asset back to the environment the platform operates in. A finding on any small part traces back through the chain to the larger part it concerns, so every defender inherits structural context for free. You will walk the chain and write your own in the next modules.

Diverse ops-center team tracing a finding from a leaf asset back through service, segment, and environment via parent-child links, with the trace mirrored on workstation monitors
The four layers form a strict parent-child hierarchy. The Primary Capability Environment (PCE) layer is the root. Every Segment element names one or more Primary Capability Environment instances as its PARENT. Every Service element names its parent Segment. Every Asset element names its parent Service. This chain is what makes a finding traceable: a detection that fires on the asset element AST : HW : Hardware : 03 follows the parent chain back to its Service, then its Segment, and finally its Primary Capability Environment. Top-down, the model decomposes a complex platform; bottom-up, the same model gives every defender automatic structural context for any observation.
METEORSTORM OVERVIEW
02/15
MODULES
03
The analytics problem · converging platforms, evolving frameworks

WITHOUT NORMALIZED ANALYTICS, CONTEXT DOES NOT TRAVEL

  • Platforms converge while analytic frameworks (NIST CSF, MITRE ATT&CK, SPARTA, vendor catalogs) evolve apart. Every finding requires two passes of normalization (once per platform, once per framework) before it can be shared or acted on, and observations stay stuck inside individual organizations.
  • METEORSTORM adds a fifth analytic layer over the four structural layers. Six fixed observation categories, each anchored to the structural element it concerns, so context travels with the data.
  • The Full-Spectrum Space Cybersecurity Professional uses these six categories as the working language so findings travel intact across Security Operations, Satellite Operations, and Satellite Design & Engineering without rewording.
▷ BEFORE / AFTER
Before / after split-screen showing the impact of a shared analytic taxonomy: chaotic mismatched finding labels and frustrated analysts on the left transition to a unified team using six clean glowing pink-magenta category bands on the right Before / after split-screen showing the impact of analytic ontology: pink-magenta finding cards floating disconnected on the left transition to the same findings now anchored by three colored target-field connector lines (amber, cyan, green) down to specific structural nodes on the right
ANALYTIC TAXONOMY

A controlled, published vocabulary names every kind of analytic finding defenders produce. Six fixed categories cover the entire analytic surface, from what the adversary leaves behind through the response that holds. The real-world implementation lives in the same machinetag.json file as the structural vocabulary. You will walk this example and learn each category in the next modules.

Diverse ops-center team using the same shared six-category analytic vocabulary on a unified video wall with six pink-magenta horizontal category lanes mirrored on every workstation
On top of the four structural layers, METEORSTORM adds a fifth layer called the Analytic Layer (abbreviated AN). The Analytic Layer does not describe the platform; it describes what defenders observe and what defenders are building to protect the platform. Six sub-categories cover the full analytic surface. AN-IOC enumerates an Indicator of Compromise, AN-IOA enumerates an Indicator of Attack, AN-ATT enumerates an Attack Path, and AN-THR enumerates a Threat. AN-DET enumerates a Detection Signature, and AN-RES enumerates a Resilience Measure. Six analytic verbs that every function in the framework speaks fluently.
ANALYTIC ONTOLOGY

Each analytic finding attaches to the structural elements it concerns through a target field, so every analytic claim has structural ground to stand on. A finding without a target attachment is a free-floating note; with one, the finding belongs to a specific part of the platform every defender can locate. You will learn the target fields and how to attach your own findings in the next modules.

Diverse ops-center team anchoring pink-magenta finding cards to specific structural nodes via three different colored target-field connector lines (amber for exploitation target, cyan for detection target, green for resilience target)
Analytic elements do not have a PARENT. They attach to the structural layers through one of three TARGET fields, depending on which analytic verb the element is using. The four threat-side categories (Indicator of Compromise, Indicator of Attack, Attack Path, and Threat) all use the TOE field, the Target of Exploitation, enumerating the structural elements the analytic element was observed on or applies against. Detection Signature elements use the TDM field, the Target of Detection Method, enumerating the structural elements the signature observes. Resilience Measure elements use the TRE field, the Target of Resilience Enhancement, enumerating the structural elements the measure protects. An analytic tag without a target reference is free-floating noise; the Concept of Operations exists so every analytic claim has structural ground to stand on.
METEORSTORM OVERVIEW
03/15
MODULES
04
The mastery map · five places to impose adversary cost

WITHOUT FOCUS, DEFENSE FAVORS THE ATTACKER

  • Security programs spread budget across every vendor pitch and compliance checkbox. The defensive surface stretches so long the team can barely keep it covered, while the adversary only needs to find one path.
  • The Pentagon of Pain names five organizational mastery areas where investment provably imposes adversary cost. Detect, disrupt, and deter become measurable outcomes instead of slogans.
  • The Full-Spectrum Space Cybersecurity Professional invests effort across all five mastery areas with Security Operations, Satellite Operations, and Satellite Design & Engineering so the adversary stops finding cheap paths to objectives.
Pentagon of Pain hero composition: a glowing amber pentagon hovering in deep space with five energy nodes at its vertices, deflecting wireframe adversary silhouettes that fragment into amber and cyan particles
01

Master Decomposition

"The adversary suffers when you know your platform better than they ever can."

Organizations must have a deeper understanding of their platforms than the adversaries targeting them, from development to decommissioning.

02

Master Contextualized Threat Modeling

"The adversary suffers when every strike they imagine is already prepared for."

Develop attack-to-defend capability across kinetic, non-kinetic, electronic warfare, cyber warfare, and natural-threat domains.

03

Master Converged Detection Engineering

"The adversary suffers when they cannot hide, and every move is seen."

Evolve into a converged data and signals approach to illuminate complex attack patterns and reduce adversary dwell time.

04

Master Exposure Management

"The adversary suffers when every path they take ends in a trap."

Continually enumerate the attack paths created by both exposed and isolated platform elements and work toward platform deception techniques.

05

Master Adversary Management

"The adversary suffers when their plans are known, broken, and turned against them."

Align the prior four masteries with real-world adversary profiles to detect, disrupt, and deter adversaries targeting the platform.

METEORSTORM OVERVIEW
04/15
MODULES
05
Three entry points · choose where you start

ONE ENTRY POINT STALLS MOST TEAMS

  • No two organizations sit at the same starting capability. A rollout that forces every team through the same first step rejects most of them at the door, and the methodology stays an island.
  • METEORSTORM offers three entry points: Activate, Integrate, Engage. The organization picks the one that matches its current state. Start where you are; the framework adapts.
  • The Full-Spectrum Space Cybersecurity Professional starts wherever the team actually is, then brings Security Operations, Satellite Operations, and Satellite Design & Engineering onto the same methodology from there.
▷ ENTRY POINT VIEW
Activate entry point: Threat Intel Platform deployment with Space ISAC sharing Integrate entry point: a five-node pipeline diagram representing METEORSTORM's five functions in sequence: Concept of Operations, Contextualized Threat Modeling, Converged Detection Engineering, Incident Response Preparation, and Adversary Management Engage entry point: Exercise with synthetic inputs producing real-world outputs
ENTRY POINT · ACTIVATE Best fit when ops already run, vocabulary does not
  • Adopt the shared vocabulary inside your existing Threat Intel Platform so every confirmed finding reads the same way for every analyst, vendor, and partner. Federating with Space ISAC peers is a recommended next step, not a prerequisite.
Most teams should start here. METEORSTORM is a shared vocabulary that drops into your existing Threat Intel Platform (TIP), the system your team already uses to track adversary activity. Once adopted, your team catalogues confirmed analytic findings in the controlled vocabulary every operator and partner can read. The framework’s analytic categories and how to write findings against them are walked in the next modules. Recommended next step: federate selected findings with peer operators through the open-source Space Information Sharing and Analysis Center (Space ISAC), which provides the community sharing layer. Federation is recommended, not required; the value of the shared vocabulary is realized the moment it lands inside your own TIP. Federation work is guided by the eHs Space Collective Defense initiative, which defines minimum baselines for the space cybersecurity community across Priority Intelligence Requirements, Converged Detection Engineering, and Telemetry Instrumentation.
ENTRY POINT · INTEGRATE Best fit when the platform is being designed or rebuilt
  • Align Security Operations, Satellite Operations, and Satellite Design & Engineering on the five-function process while the platform is being designed or rebuilt, so each team runs the framework as part of daily work rather than alongside it.
INTEGRATE aligns three teams on the same five-function process while the platform is still being designed or rebuilt: Security Operations, Satellite Operations, and Satellite Design & Engineering. The three teams share one backlog and contribute to it from their own work surface. Satellite Design & Engineering decomposes the platform during development; threats are modeled against that decomposition before the spacecraft is built; the attack-path catalogue and the data and signal source inventory inform what telemetry the platform must emit; detection signatures and response playbooks are written for those threats before launch. By the first operational day, Security Operations and Satellite Operations inherit a current detection portfolio and rehearsed playbooks, and the platform has already exercised all five framework functions with the three teams aligned rather than stitched together after launch.
ENTRY POINT · ENGAGE Best fit when the three teams need to build production work product together
  • Run exercises in an environment fully separate from production with Security Operations, Satellite Operations, and Satellite Design & Engineering, using synthetic adversary data, so the detection signatures, response playbooks, and resilience measures the three teams build during the exercise graduate straight into production the moment it closes.
ENGAGE runs exercises across the three teams (Security Operations, Satellite Operations, and Satellite Design & Engineering) in an environment fully separate from production, using synthetic adversary inputs so the work the teams produce during the exercise is real production-grade material. The exercise environment is isolated from operational telemetry by design. Exercise designers script the indicators and threats that drive each scenario and contain them inside the exercise stack, so they never touch the live stream. What the three teams build in response is real work product: detection signatures, response playbooks, and resilience measures, written against the same shared vocabulary the operational environment already uses. When the exercise closes, those artifacts graduate from the exercise environment directly into production, and the three teams leave more aligned on the platform’s exposure than when they started.
METEORSTORM OVERVIEW
05/15
MODULES
06
Activate · operational deployment, organizational and community sharing

ACTIVATE

If you are already operational, activate the framework taxonomy in your current Cybersecurity Threat Intelligence (CTI) platform.

▷ STEP-BY-STEP
01
Validate your CTI foundation
Update policy, procedure, platform, and PIR for space threat intel
02
Activate the METEORSTORM taxonomy
Bring the shared vocabulary into your CTI platform, in line with policy and procedure
03
Establish sharing
Internal first; external through Space ISAC if your policy supports it
STEP 01 · VALIDATE YOUR CTI FOUNDATION Make sure your team's setup is ready for space threat intel
  • Review the policy, procedure, and platform that govern how your team handles cyber threat intel today.
  • Update each so they reflect the framework's vocabulary for space threat intel.
  • Update your Priority Intelligence Requirements (PIR), the questions the team is meant to answer, to cover space threats.
Diverse cyber threat intelligence team in a conference room reviewing policy, procedure, and PIR documents to validate the CTI foundation
Cyber threat intelligence (CTI) work is governed by four things: a written policy that defines what your team does and why, the procedures the policy turns into, the CTI platform that holds the work, and the Priority Intelligence Requirements (PIR) that define the questions intelligence is meant to answer. Before activating METEORSTORM, validate each of these against space-threat-intel needs and update them. This means adding the METEORSTORM taxonomy and ontology into your policy, your procedures, and your CTI platform, not just the platform alone. The taxonomy file by itself does not change team behavior; the policy and procedures that govern its use do.
STEP 02 · ACTIVATE THE METEORSTORM TAXONOMY Bring the shared vocabulary into the platform your team already uses
  • Load the framework's shared vocabulary file into the CTI platform your team already runs.
  • Make sure activation follows the policy and procedure you just validated.
  • From this moment, every analyst dropdown shows the same labels and every team speaks the same words.
Diverse threat intelligence team activating the METEORSTORM taxonomy in their CTI platform, loading the vocabulary file with policy and procedure alignment
Load the METEORSTORM taxonomy file into your CTI platform once. Activation follows the validated policy and procedure: who can edit, who can publish, what review the work goes through. From that moment, every dropdown an analyst sees, layer, element, label, ordinal, target field, is the published controlled vocabulary. Cyber, space ops, engineering, risk, and vendors all classify the same finding the same way. No private dialects, no translation between teams, no spreadsheet reconciliation at the end of every quarter.
STEP 03 · ESTABLISH SHARING Inside the organization first, then consider sharing with the wider community
  • Establish internal sharing so every team that touches the platform reads from the same single source.
  • Consider external sharing to the established space-sector channel, Space ISAC, when policy supports it.
  • All sharing stays in alignment with the CTI policy, procedure, and platform you validated in step one.
Diverse threat intelligence team establishing internal sharing across teams and pushing high-confidence findings outward to peer organizations through Space ISAC
Internal sharing comes first. Every team that touches the platform, cyber, space operations, engineering, risk, vendors, and auditors, reads the same CTI platform. The cyber team's detection signature is keyed to the same hardware element the risk team is tracking and the engineering team is patching. External sharing is a separate decision, controlled by policy. When policy supports it, push high-confidence findings to Space ISAC, the established sector ISAC for space cybersecurity, and to any bilateral peer feeds you maintain. The work itself can align with the eHs Space Collective Defense initiative, which defines community minimum baselines across Priority Intelligence Requirements, Converged Detection Engineering, and Telemetry Instrumentation. METEORSTORM is the shared vocabulary that makes those baselines measurable in the same CTI platform your team already uses.
METEORSTORM OVERVIEW
06/15
MODULES
07
Integrate · designing with Resilient Cyber Operations in mind

INTEGRATE

If your platform is still being designed, walk through the full five-step process before launch. Each step produces a specific kind of cataloged finding that feeds the next. Tap any step to expand.

▷ THE FIVE FUNCTIONS
F01
Concept of Operations
Decompose the platform tailored to your requirements
F02
Contextualized Threat Modeling
Enumerate the threats that apply to each part
F03
Converged Detection Engineering
Map attack paths and the data and signal sources needed to detect each step
F04
Incident Response Preparation
Write the detection signatures and response playbooks
F05
Adversary Management
Shrink the attack surface the threats keep using
Concept of Operations · CONCEPT OF OPERATIONS Decompose the platform tailored to your requirements
  • Decompose only what your mission scope requires; you do not have to model the entire platform.
  • Capture the parent of each part you enumerate so any later finding traces back through the chain you decomposed.
  • Output: a scoped tree where every part you enumerated has a name, a parent, and a place in the design.
Tailoring · The decomposition is scoped to mission objective, not exhaustive by default. You can also reuse existing artifacts (architecture diagrams, system-design documents, mission CONOPS, asset inventories) and label them directly with the framework taxonomy rather than start from a blank page.
Diverse team of space systems engineers gathered around a four-layer hierarchical decomposition display, walking the platform through environments, segments, services, and assets tailored to the mission scope
Contextualized Threat Modeling · CONTEXTUALIZED THREAT MODELING Anchor every threat to the platform you just decomposed
  • For every part of the platform, ask which threats actually apply to that specific part.
  • Anchor each threat to the part it would target, not in the abstract; an orbital threat is not the same as a ground-site threat.
  • Output: a threat catalogue where every entry points back at a real piece of your design.
Diverse team of threat-modeling analysts pinning threat-actor profile cards onto a platform-decomposition diagram with connecting lines down to specific structural nodes
Converged Detection Engineering · CONVERGED DETECTION ENGINEERING Enumerate attack paths and the data and signals needed to detect each step
  • For each cataloged threat, trace how an adversary could move through the platform to make it real.
  • For each step on each path, enumerate the data and signal sources needed to observe it; where no source exists yet, the gap is itself a finding the team must close before launch.
  • Output: a map of every path plus the data and signal source inventory Incident Response Preparation will use to write signatures and playbooks.
Diverse team of detection engineers tracing a green attack-path arrow across a four-lane horizontal platform diagram on a wall display, marking cross-domain transitions
Incident Response Preparation · INCIDENT RESPONSE PREPARATION Write the detection signatures and the response playbooks
  • For every step on every attack path, write the detection signature that fires on the data/signal source CDE delivered.
  • For every signature, write the response playbook the Security Operations runs the moment the signature fires.
  • Output: tested detection signatures in an open format and the playbooks they trigger, each tied back to the attack path it covers.
Diverse team of detection engineers building data-source catalogues and writing detection signatures, with the rule deploying to multiple platform target icons with green checkmarks
Adversary Management · ADVERSARY MANAGEMENT Shrink the attack surface the threats keep using
  • Identify the parts of the platform that show up across many threats and many attack paths.
  • Build resilience measures that shrink, harden, or eliminate those parts before launch.
  • Output: a portfolio of measures, each tied to one of four resilience goals: anticipate, withstand, recover, adapt.
Diverse team reviewing a structural-exposure heat map, four resilience-goal icons, a closed framework loop diagram on tablet, and a pink adversary profile card with hooded silhouette
METEORSTORM OVERVIEW
07/15
MODULES
08
Engage · exercise and workforce development

ENGAGE

Tabletops, red-team engagements, and training exercises run in an environment fully separate from production and use the same framework with one change: the adversary inputs are synthetic. Exercise designers script the inputs that drive each scenario and tag them as exercise data; what participants build in response is real production-grade work that graduates from the exercise environment into operations when the exercise closes. Tap any step to expand.

▷ STEP-BY-STEP
01
Define the platform through CONOPS
Walk Concept of Operations to capture the structural model the exercise will operate on
02
Define adversary profiles
Pick the adversaries the exercise will simulate, with full profiles
03
Align analytic elements to the CONOPS
Pre-position the framework's analytic vocabulary, anchored to step 01
04
Deploy the exercise platform
Custom VM, container, or partner ecosystem; synthetic data, signals, and CTI
05
Capture team outputs and validate
Real detection rules and resilience measures, validated against adversary actions
STEP 01 · DEFINE THE PLATFORM THROUGH CONOPS Anchor the exercise to a real platform decomposition
  • Walk the Concept of Operations process to enumerate the structural elements the exercise will operate on.
  • Pull the platform decomposition from an existing platform’s CONOPS records, or model an in-design platform from scratch. The exercise environment runs on this structural model only, never on the live system.
  • Output: the structural model that every synthetic adversary input will attach back to.
Diverse exercise design team walking the Concept of Operations platform-decomposition process on a glass whiteboard, drawing four-layer hierarchical nodes that the exercise will operate on
The exercise must have a structural ground truth or it teaches nothing repeatable. Pull the decomposition from your operational platform’s CONOPS records, a planned mission still in design review, or a reference architecture published by a peer, and run the Concept of Operations decomposition first: PCESEGSVCAST, with parents and labels, exactly as the framework requires. The decomposition becomes the structural model the exercise environment runs against; the live operational platform never participates in the exercise. The adversary inputs in step 04 will attach via TOE, TDM, and TRE back to these structural elements; without that anchor, exercise findings cannot be reasoned about.
STEP 02 · DEFINE ADVERSARY PROFILES Pick the adversaries, with full profiles
  • Choose one or more adversary archetypes the scenario will pit against the platform.
  • Profile each adversary using the framework's adversary profile template: capabilities, motivation, demonstrated TTPs, source.
  • Output: a small adversary catalogue the participants will recognize and respond to in step 05.
Diverse exercise design team building adversary profiles, pinning hooded silhouette adversary cards to a corkboard wall, reviewing threat intel feeds and structured profile sheets
Each adversary on the exercise roster gets a complete profile: primary name and aliases, attribution if any, motivation, capabilities, target sectors, known operations, signatures left behind, source citations. Where possible, draw the adversary from a real AN-THR your operations team already tracks; the exercise then tests muscle memory against an actual adversary the platform faces. Where the adversary is invented for training, mark the profile clearly as a teaching archetype so it never contaminates the operational threat catalogue.
STEP 03 · ALIGN ANALYTIC ELEMENTS TO THE CONOPS Map the analytic vocabulary the exercise will use
  • For each adversary profile from step 02, decide which analytic categories the exercise will exercise.
  • Pre-position the framework's controlled vocabulary so participants speak the same words operations does.
  • Output: a normalized analytic catalogue, anchored to the step 01 structural model, ready to populate in real time.
Diverse exercise design team configuring the analytic vocabulary in the CTI platform, dragging a structured-data file icon onto the platform interface and reviewing the six analytic-category icon grid
The METEORSTORM analytic vocabulary is the same in exercise as in production: Indicator of Compromise (AN-IOC), Indicator of Attack (AN-IOA), Attack Path (AN-ATT), Threat (AN-THR), Detection Signature (AN-DET), Resilience Measure (AN-RES). Pre-position the controlled vocabulary in the exercise platform so the team enumerates findings using the same labels and the same target fields (TOE, TDM, TRE) they would in operations. Decide ahead of time which analytic categories the scenario covers, and whether participants will produce findings across all six or focus on a subset.
STEP 04 · DEPLOY THE EXERCISE PLATFORM Stand up an isolated platform with synthetic data, signals, and CTI
  • Deploy the exercise on a custom virtual machine, container stack, or partner ecosystem; never on production infrastructure.
  • Pre-load synthetic telemetry data, synthetic signals, and a METEORSTORM-tagged CTI catalogue so the platform behaves like operations from day one.
  • Output: an exercise environment isolated from production but identical in vocabulary and tooling.
Diverse engineering team deploying an isolated exercise platform on virtual machines and containers, connecting hardware racks and configuring synthetic data and signal feeds
The exercise platform is purpose-built and isolated: a custom virtual machine, a container stack, or a partner ecosystem standing in for the operational platform. Inside the exercise platform, every input is synthetic and clearly tagged: synthetic telemetry data feeds, synthetic RF and other signals, and a METEORSTORM CTI catalogue pre-populated with synthetic AN-IOC, AN-IOA, AN-ATT, and AN-THR entries that drive the scenario. The CTI platform itself is a real instance of the same platform operations runs (OpenCTI, ThreatConnect, Anomali ThreatStream, or whichever TIP the team runs), pointed at the synthetic catalogue. Participants experience the same tools and the same vocabulary they use every day.
STEP 05 · CAPTURE TEAM OUTPUTS AND VALIDATE Real detection rules and resilience measures, validated against adversary actions
  • Participants build detection rules and resilience measures in response to the adversary's actions.
  • Validate every team-crafted output against the actual adversary actions the exercise scripted: did the rule fire, did the measure hold?
  • Output: production-grade detection and resilience that graduate to the operational catalogue once the exercise closes.
Diverse exercise team running an active red-team blue-team exercise session, with blue-team analysts writing detection rules and resilience measures while a controller observes the green-checkmark validation grid and a red-team driver pushes adversary inputs
The defender side of the exercise is never synthetic. Detection signatures the team writes are real RootA-format AN-DET rules, validated against the synthetic adversary inputs from step 04. Resilience measures the team designs are real engineering work captured as AN-RES elements, validated against the path the adversary actually traversed in the scenario. Every team-crafted output is scored against adversary actions: did the AN-DET signature fire on the synthetic AN-IOC and AN-IOA the scenario produced; did the AN-RES measure prevent or recover from the AN-ATT path the adversary took. Outputs that pass validation graduate to the operational catalogue when the exercise closes; outputs that fail validation become the next exercise's training material.
METEORSTORM OVERVIEW
08/15
MODULES
09
Second look · the five framework functions

A SECOND PASS THROUGH THE FIVE FUNCTIONS

You saw the five framework functions on the Integrate deep dive: short bullets per function plus the worked-example PDF for each. Now we walk each function on its own page, with the problem it solves and how the framework solves it, then close each page by repeating the same compact view from the Integrate deep dive. Two passes, same five functions, deeper each time. The intentional repetition is the point.

F01
Concept of Operations
Problem: fragmented dashboards and inconsistent labels in an ops center with no shared structural vocabulary

Problem No shared structural vocabulary across the operational stack.

Solution: unified ops center using one shared structural vocabulary, parent-child layers visible on every workstation

Solution Decompose the platform tailored to your requirements.

F02
Contextualized Threat Modeling
Problem: unanchored threat-actor cards floating with no lines attaching them to platform elements

Problem Threats tracked as actor names with no link to the platform elements they target.

Solution: threats anchored by connecting lines to specific structural elements on the platform decomposition

Solution Enumerate the threats that apply to each part.

F03
Converged Detection Engineering
Problem: detection rules scattered as floating cards with no attack-path graph beneath them

Problem Detection rules written before attack paths and source inventory exist.

Solution: clear attack-path graph laid out across the four structural layers with the TOE chain highlighted

Solution Map attack paths and the data and signal sources needed to detect each step.

F04
Incident Response Preparation
Problem: vendor-locked detection silos with no portability and no link back to attack-path steps

Problem Vendor-locked signatures with no paired response playbook for the SOC.

Solution: portable RootA signatures linked to attack-path steps, paired with response playbooks

Solution Write the detection signatures and response playbooks.

F05
Adversary Management
Problem: defender team scrambling reactively with no rolling adversary profiles, same adversary returns without context

Problem The same adversary returns; the same flaw stays exposed; no shared posture.

Solution: closed framework loop with structural-exposure heat map, adversary profiles, and resilience measures across SOC, SatOps, SatDev-Eng

Solution Shrink the attack surface the threats keep using.

How to read the next five slides · Each function page leads with the problem and the framework’s answer, then closes by repeating the at-a-glance card you saw on the Integrate deep dive for that function. Same five functions, walked once at altitude and once on the ground.
METEORSTORM OVERVIEW
09/15
MODULES
10
Function 01 of 05 · Master Decomposition

CONCEPT OF OPERATIONS

Capture any part of the platform you care about across four layers: the Primary Capability Environment (where it operates), the Segment (its operational role), the Service (the capability delivered), and the Asset (the elements that implement it).

▷ OPS CENTER
People struggling without METEORSTORM in an ops center: fragmented dashboards, inconsistent labels, isolated aquatic / aerial / deep-space workspaces with no shared vocabulary Team succeeding with METEORSTORM in an ops center: a single shared platform lexicon connecting aquatic, aerial, and deep-space domains under one taxonomy
PROBLEM · WHAT IS WRONG Three gaps in the space sector's structural vocabulary

Three operating domains have no published structural vocabulary in the space sector. Aquatic operations, sea-launched, sea-recovered, and submarine endpoints, get invented names per operator. Aerial platforms in the high-altitude, near-space, and stratospheric regimes sit between ground and orbital frameworks with no agreed parent-child relationships. And lunar, cislunar, and Mars-class deep-space missions have no formal decomposition at all, so findings on those platforms cannot be compared across missions or operators.

SOLUTION · HOW METEORSTORM SOLVES IT One framework that names the entire operational stack

METEORSTORM gives every part of the platform a published name across four layers: where it operates, the operational role of each enclave, the capability delivered, and the concrete elements that implement it. The water, atmosphere, and beyond-orbit gaps from earlier vocabularies are all named; every domain decomposes the same way under one parent-child rule. Tap More for the full layer-by-layer map.

AT A GLANCE · F01 · CONCEPT OF OPERATIONS
Decompose the platform tailored to your requirements
  • Decompose only what your mission scope requires; you do not have to model the entire platform.
  • Capture the parent of each part you enumerate so any later finding traces back through the chain you decomposed.
  • Output: a scoped tree where every part you enumerated has a name, a parent, and a place in the design.
Tailoring · The decomposition is scoped to mission objective, not exhaustive by default. You can also reuse existing artifacts (architecture diagrams, system-design documents, mission CONOPS, asset inventories) and label them directly with the framework taxonomy rather than start from a blank page.
Concept of Operations
Contextualized Threat Modeling
Converged Detection Engineering
Incident Response Preparation
Adversary Management
METEORSTORM OVERVIEW
10/15
MODULES
11
Function 02 of 05 · Master Contextualized Threat Modeling

CONTEXTUALIZED THREAT MODELING

Identify threats anchored to your specific structural decomposition, not generic adversary catalogs.

▷ THREAT MODEL
Defender wall of unanchored threat-actor cards floating in isolation, with no lines attaching them to specific platform elements The same threat actors now pulled into the platform structural model, each with TOE attachments lighting up specific PCE, SEG, SVC, and AST elements
PROBLEM · WHAT IS WRONG Three gaps in space-sector threat modeling

Space-sector threat modeling has three structural gaps. Teams import generic threat catalogues, IT lists or unmapped actor profiles, that do not anchor to specific orbital, aerial, or aquatic platforms. Threats are tracked as actor names without naming the structural elements they actually target, so an orbital threat looks identical to a ground-site threat. And risk decisions cannot cite the platform model, so “we accept this threat” comes from intuition rather than from which structural elements are actually exposed.

SOLUTION · HOW METEORSTORM SOLVES IT Threats attach to your platform, not to a generic average

Every threat is enumerated against your own platform decomposition; the threat names the real structural elements it targets, not generic categories. Each threat enumerates its target chain explicitly, so an orbital threat and a ground-site threat carry distinct attachments and are prioritized accordingly. Prioritization follows from structural exposure, how many services and assets the threat touches, weighted by criticality, with a traceable rationale leadership can read.

AT A GLANCE · F02 · CONTEXTUALIZED THREAT MODELING
Anchor every threat to the platform you just decomposed
  • For every part of the platform, ask which threats actually apply to that specific part.
  • Anchor each threat to the part it would target, not in the abstract; an orbital threat is not the same as a ground-site threat.
  • Output: a threat catalogue where every entry points back at a real piece of your design.
Concept of Operations
Contextualized Threat Modeling
Converged Detection Engineering
Incident Response Preparation
Adversary Management
METEORSTORM OVERVIEW
11/15
MODULES
12
Function 03 of 05 · Master Converged Detection Engineering

CONVERGED DETECTION ENGINEERING

Trace how an adversary would move through your platform to realize each Contextualized Threat Modeling threat, capturing every step as a chain of structural elements the adversary touches from initial access to objective. For each step, enumerate the data and signal sources needed to detect it. Incident Response Preparation uses the attack-path map and the source inventory to write detection signatures and response playbooks.

▷ ATTACK PATH
Detection rules scattered as floating cards on a dark canvas with no path graph beneath them, broken arrows going nowhere, and attack-path-blind labels indicating no structural traversal is captured A clear attack-path graph laid out across PCE, SEG, SVC, and AST layers with the TOE chain highlighted, showing a cross-domain path from ground initial access to orbital objective
PROBLEM · WHAT IS WRONG Four gaps in space-sector detection groundwork

Most teams jump from threat directly to detection rules without mapping how the adversary would actually traverse the platform, so attack paths are never enumerated. Adversary movement that crosses ground, link, space, and user boundaries is rarely modeled because the structural ontology does not connect domains, leaving cross-domain paths as blind spots. Even when paths exist, the data and signal sources needed to detect each step are never inventoried, so signatures get written against sources the platform may not even produce. And when the platform evolves, nobody re-walks either the paths or the source inventory, so both go stale together.

SOLUTION · HOW METEORSTORM SOLVES IT Every adversary move chained, every data and signal source inventoried

Every attack path enumerates the ordered chain of structural elements the adversary touches from initial access to objective. For each step on that chain, the data and signal sources required to observe it are inventoried alongside the path. The same parent-child rule applies in every domain, so paths that cross ground, link, space, user, or deep-space boundaries enumerate naturally. Paths and source inventory are versioned and re-walked when their cited structural elements change, and the combined map drives detection-engineering work directly.

AT A GLANCE · F03 · CONVERGED DETECTION ENGINEERING
Enumerate attack paths and the data and signals needed to detect each step
  • For each cataloged threat, trace how an adversary could move through the platform to make it real.
  • For each step on each path, enumerate the data and signal sources needed to observe it; where no source exists yet, the gap is itself a finding the team must close before launch.
  • Output: a map of every path plus the data and signal source inventory Incident Response Preparation will use to write signatures and playbooks.
Concept of Operations
Contextualized Threat Modeling
Converged Detection Engineering
Incident Response Preparation
Adversary Management
METEORSTORM OVERVIEW
12/15
MODULES
13
Function 04 of 05 · Master Exposure Management

INCIDENT RESPONSE PREPARATION

For every Converged Detection Engineering attack path and its data/signal source inventory, write the detection signatures that fire on each step in RootA.io format (the open vendor-neutral detection language), then write the response playbook the Security Operations runs the moment each signature fires.

▷ DETECTION
Vendor-locked detection silos: separate platforms each holding rules in proprietary formats with no portability, no source enumeration, and no link back to attack-path steps One central data-source catalogue feeding RootA-format signatures that distribute identically to every CTI platform, with a coverage matrix mapping each detection to the AN-ATT step it covers
PROBLEM · WHAT IS WRONG Three gaps in space-sector signature and playbook authoring

Detection signatures sit in proprietary vendor rule languages, so a signature written for one platform must be re-implemented for the next and community sharing breaks at the format boundary. Signatures ship as a flat catalogue with no back-reference to the attack-path step they cover or the data and signal source they observe, so coverage gaps per attack path are invisible. And signatures ship without paired response playbooks, so the Security Operations fires the alert and improvises the response, stretching adversary dwell time while responders rebuild the playbook from scratch.

SOLUTION · HOW METEORSTORM SOLVES IT Signatures in RootA, paired with response playbooks, every one linked to an attack path

Detection signatures are written in RootA.io, the open vendor-neutral language, so the same signature moves across OpenCTI, ThreatConnect, Anomali ThreatStream, and the major SIEM platforms without rewrite. Every signature back-references the attack-path step it covers and the data or signal source it observes (both inherited from Converged Detection Engineering’s catalogue), making coverage measurable per attack path. Every signature ships paired with a response playbook so the Security Operations has a documented action the moment the signature fires.

AT A GLANCE · F04 · INCIDENT RESPONSE PREPARATION
Write the detection signatures and the response playbooks
  • For every step on every attack path, write the detection signature that fires on the data/signal source Converged Detection Engineering delivered.
  • For every signature, write the response playbook the Security Operations Center runs the moment the signature fires.
  • Output: tested detection signatures in an open format and the playbooks they trigger, each tied back to the attack path it covers.
Concept of Operations
Contextualized Threat Modeling
Converged Detection Engineering
Incident Response Preparation
Adversary Management
METEORSTORM OVERVIEW
13/15
MODULES
14
Function 05 of 05 · Master Adversary Management

ADVERSARY MANAGEMENT

Enumerate AN-RES resilience measures against the structural elements that recur across Contextualized Threat Modeling threats and Converged Detection Engineering attack paths, prioritized by where the adversary keeps finding leverage, mapped to the four TRE objectives (per NIST SP 800-160 v2): Anticipate, Withstand, Recover, Adapt.

▷ POSTURE
A defender team scrambling reactively, audit-checklist driving priority over actual exposure, scattered point-in-time fixes with no rolling adversary profiles, log entries showing the same adversary returning without the team having profile context A closed F05 to F01 loop with a structural recurrence heat map highlighting the most-targeted elements, live adversary profile cards next to each AN-THR, and resilience measures mapped to the four TRE objectives (per NIST SP 800-160 v2)
PROBLEM · WHAT IS WRONG Three gaps in space-sector adversary management

Top-tier adversaries are tracked as point incidents, not as durable profiles, so when the same actor returns with new tooling the team has no rolling picture of who they are or what techniques are currently succeeding. The structural weaknesses adversaries are successfully exploiting are never connected across incidents, so the same flaw stays exposed while resilience work chases the latest finding. And nobody coordinates short-term compensating controls with long-term engineering remediation, so the platform is either exposed for years waiting for re-engineering or accumulates compensating controls as permanent technical debt with no path to a real fix.

SOLUTION · HOW METEORSTORM SOLVES IT Profile the adversary, locate the leverage, coordinate the fix across three teams

Each cataloged threat carries a durable top-tier adversary profile (aliases, TTPs, target sectors, what is currently succeeding) updated in place rather than rebuilt per incident. Structural elements with the highest TOE recurrence across AN-THR and AN-ATT are surfaced as the weaknesses the adversary keeps finding leverage on, and those go to the front of the resilience queue. Each AN-RES splits into two timelines: immediate compensating controls Security Operations and Satellite Operations deploy in days or weeks, and engineering remediation Satellite Design and Engineering owns over months or years. Both reference the same target structural element so the bridging control retires the moment the long-term fix lands.

AT A GLANCE · F05 · ADVERSARY MANAGEMENT
Shrink the attack surface the threats keep using
  • Identify the parts of the platform that show up across many threats and many attack paths.
  • Build resilience measures that shrink, harden, or eliminate those parts before launch.
  • Output: a portfolio of measures, each tied to one of four resilience goals: anticipate, withstand, recover, adapt.
Concept of Operations
Contextualized Threat Modeling
Converged Detection Engineering
Incident Response Preparation
Adversary Management
METEORSTORM OVERVIEW
14/15
MODULES
15
ANALYTICS ASSETS SERVICES SEGMENTS ENVIRONMENTS METEORSTORM FRAMEWORK
Your starting point

ENTER
THE METEORSTORM

Module 01 starts with Concept of Operations (CONOPS): decompose a platform into its Primary Capability Environment (PCE), Segment (SEG), Service (SVC), and Asset (AST) elements. Every later function attaches to what you produce here.

▶ ENTER THE METEORSTORM ⌂ COURSE HOME
Validate your understanding
10 questions · drawn from 50 · ~5 min
METEORSTORM OVERVIEW
15/15