Concentric Defense Analysis Framework

Bidirectional security that speaks business.

CDAF is a modern, standards‑aligned methodology that analyzes ingress and egress paths, applies asymmetric value (so data exfil risk isn’t under‑weighted), and produces an actionable remediation scorecard.

Ingress ↔ Egress · Asymmetric Impact · ATT&CK‑mapped · FAIR‑aware · Audit‑friendly

What makes CDAF different?

Most frameworks skew inbound. CDAF treats both directions as first‑class citizens and weights egress paths higher when data loss would be catastrophic. The result is a ranked, defensible backlog that accelerates remediation where it matters.

Principle: Bidirectional Path Analysis

Enumerate ingress and egress routes per segment, asset, and data class. Capture trust, visibility, and control points for each communication channel.

Principle: Asymmetric Value

Exfiltration isn’t equal to exploitation. CDAF lets you up‑weight egress exposure using dollarized impact so you don’t under‑prioritize data loss risk.

Outcome: Actionable Scorecards

Technique‑mapped, evidence‑backed scores produce a credible, auditable remediation queue for engineering teams and leadership.

How CDAF works

1. Enumerate paths. Build a path register per zone: Internet→DMZ, Vendor→Core, Endpoint→SaaS, Enclave→Cloud, etc. Record ingress and egress for each.
2. Map techniques. Attach MITRE ATT&CK techniques (Initial Access, Command & Control, Exfiltration) and expected countermeasures (D3FEND).
3. Validate controls. Use testing (NIST SP 800‑115 style) and BAS to measure prevent/detect efficacy and detection latency. Store evidence.
4. Quantify impact. For top paths to crown jewels, apply FAIR inputs for loss magnitude and event frequency.
5. Score & rank. Compute exposure using control efficacy × path criticality × loss magnitude × egress weight.
6. Remediate & retest. Turn findings into changes, re‑test continuously, and watch the score drop as controls improve.

CDAF scoring model

A transparent formula you can explain to auditors and executives. Tune weights to your risk appetite and regulatory context.

ExposureScore = (1 − ControlEfficacy) × PathCriticality × AssetLossMagnitude × EgressWeight

where
  ControlEfficacy     = BAS pass rate adjusted by detection latency
  PathCriticality     = attack‑path proximity to crown jewels (CTEM‑style)
  AssetLossMagnitude  = dollarized impact (FAIR inputs)
  EgressWeight        = multiplier for exfil‑prone routes (OSSTMM channel factors)
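The following is an added worked example of the six‑step workflow and the scoring formula above; it is not code from the CDAF page or its workbook. It assumes a small path register, a latency adjustment for ControlEfficacy (full credit inside a 15‑minute detection target, decaying to zero at four times that target), and egress multipliers keyed by data class. All of those values, the sample paths and the evidence IDs are constructed placeholders, not figures the page specifies.

```python
from dataclasses import dataclass, field, replace

# Assumed egress multipliers keyed by data class (constructed values; the page
# leaves the multipliers to the practitioner's risk appetite).
EGRESS_WEIGHT = {"public": 1.0, "internal": 1.25, "confidential": 1.5, "regulated": 2.0}


@dataclass
class PathRecord:
    """One row of the path register (step 1) with its test evidence (step 3)."""
    name: str                     # e.g. "Endpoint->Internet"
    direction: str                # "ingress" or "egress"
    data_class: str               # key into EGRESS_WEIGHT
    bas_pass_rate: float          # fraction of BAS scenarios prevented or detected, 0..1
    detection_latency_min: float  # median minutes until the detection fired
    path_criticality: float       # 0..1 proximity to crown jewels (1.0 = direct)
    loss_magnitude_usd: float     # FAIR loss-magnitude estimate in dollars
    evidence: list = field(default_factory=list)  # test run IDs, BAS scenario names, etc.


def control_efficacy(pass_rate: float, latency_min: float, target_min: float = 15.0) -> float:
    """BAS pass rate adjusted by detection latency.

    Assumed adjustment (not specified on the page): full credit when detection
    lands within target_min, linear decay to zero credit at four times the target.
    """
    if latency_min <= target_min:
        factor = 1.0
    else:
        factor = max(0.0, 1.0 - (latency_min - target_min) / (3.0 * target_min))
    return max(0.0, min(1.0, pass_rate)) * factor


def egress_weight(path: PathRecord) -> float:
    """Ingress routes carry no multiplier; egress routes are weighted by data class."""
    return EGRESS_WEIGHT[path.data_class] if path.direction == "egress" else 1.0


def exposure_score(path: PathRecord) -> float:
    """ExposureScore = (1 - ControlEfficacy) x PathCriticality x AssetLossMagnitude x EgressWeight."""
    efficacy = control_efficacy(path.bas_pass_rate, path.detection_latency_min)
    return (1.0 - efficacy) * path.path_criticality * path.loss_magnitude_usd * egress_weight(path)


def rank_paths(register: list) -> list:
    """Step 5: the remediation queue, highest dollar exposure first."""
    return sorted(register, key=exposure_score, reverse=True)


def expected_drop(path: PathRecord, new_pass_rate: float, new_latency_min: float) -> float:
    """Step 6: dollar exposure removed if a change lifts the path's test results."""
    improved = replace(path, bas_pass_rate=new_pass_rate, detection_latency_min=new_latency_min)
    return exposure_score(path) - exposure_score(improved)


def scorecard(register: list) -> list:
    """Rows for the executive view: name, direction, score, evidence references."""
    return [(p.name, p.direction, round(exposure_score(p), 2), p.evidence) for p in rank_paths(register)]


# Constructed sample register; evidence IDs are placeholders, not real test runs.
SAMPLE_REGISTER = [
    PathRecord("Internet->DMZ", "ingress", "internal", 0.90, 5, 0.4, 500_000, ["BAS-RUN-0001"]),
    PathRecord("Vendor->Core", "ingress", "confidential", 0.70, 20, 0.9, 1_500_000, ["BAS-RUN-0002"]),
    PathRecord("Endpoint->Internet", "egress", "regulated", 0.60, 45, 0.8, 2_000_000, ["BAS-RUN-0003"]),
    PathRecord("Enclave->Cloud", "egress", "confidential", 0.85, 10, 0.7, 1_000_000, ["BAS-RUN-0004"]),
]

if __name__ == "__main__":
    for name, direction, score, evidence in scorecard(SAMPLE_REGISTER):
        print(f"{name:<20} {direction:<8} ${score:>14,.2f}  evidence={evidence}")
    # The quiet egress path tops the queue even though its pass rate is only
    # modestly worse, because latency, loss magnitude and the egress weight compound.
    drop = expected_drop(SAMPLE_REGISTER[2], 0.9, 10)
    print(f"Expected drop for Endpoint->Internet at 0.9 pass / 10 min: ${drop:,.2f}")
```

With the constructed inputs, Endpoint→Internet scores far above Vendor→Core despite a similar pass rate, which is the asymmetry the page describes: a slow detection on a regulated‑data egress route is penalised on three factors at once. The `expected_drop` value is what the executive view would show next to a change request before it lands.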

Why it works

It blends technique coverage with business impact, preventing false equivalence between a loud port exposure and a quiet data‑exfil path.

What it yields

A sorted remediation queue with owners, dependencies, and an expected score drop after each change request lands.

Evidence‑ready

Every score references test artifacts and standards mappings for quick audit traceability.

Aligned with the standards you already use

CDAF is a house methodology that integrates established frameworks (MITRE ATT&CK and D3FEND, NIST SP 800‑115, FAIR, OSSTMM, CTEM) for common language and auditability.

Start with the CDAF Scorecard

Includes: path register, technique→control matrix, test evidence log, and an executive view.

  • Single‑file workbook (no macros)
  • Tunable weights and thresholds
  • ATT&CK/D3FEND mapping baked in
  • Evidence and audit notes columns

FAQ

Is CDAF a replacement for NIST/ISO/ATT&CK?

No. CDAF is a methodology that orchestrates these standards. It tells you how to combine path analysis, technique mapping, testing, and impact to prioritize work.

How do we handle egress weighting?

Use a multiplier based on data class and route (e.g., endpoint→Internet gets a higher weight than DMZ→Core). Tie it to loss magnitude so data‑heavy paths rise to the top.

What evidence do we capture?

Test run IDs, BAS scenario names, detection timestamps, control configurations, and links to change records. Keep artifacts with each score to stay audit‑ready.

Who owns remediation?

Each finding maps to a control owner and a change request. The executive view shows expected score reduction per change so leaders can sequence work.

Privacy

What we collect: This site uses Plausible Analytics, a privacy‑friendly, cookie‑free analytics tool. It records anonymous usage metrics (pageviews, referrers, device types) with no personal data, fingerprinting, or cross‑site tracking.

What we don’t collect: No cookies, no advertising identifiers, no IP‑address profiling, and no sale of data. We don’t use third‑party trackers.

Where data lives: Plausible aggregates analytics and provides us with high‑level trends only. For details, see Plausible’s public data policy.

Contact: Questions or requests? Email privacy@cda-framework.com.