Proprietary Frameworks

Our Frameworks

Built and refined in live deployments where a wrong model means an operational failure, a regulatory penalty, or a mission compromise.

These frameworks came out of live deployments at MISO Energy, U.S. Cyber Command, and across Bastion client engagements. Other advisory firms reach for NIST profiles, vendor methodologies, or best-practice documents written for different sectors. We publish the thinking behind each framework. Anyone can read how they work. No one else built them.

ATLAS

Enterprise Technology Risk & Decision Support

The Problem

Organisations running large, complex environments with multiple systems, competing vulnerabilities, constrained budgets, and regulatory obligations collect more risk findings than they can sequence. The prioritisation gap is where exposure accumulates.

What It Does

Structures technical, operational, regulatory, and investment risk into tiered outputs: executive-ready priority sets, remediation sequences, investment justification, and governance reporting. Designed for environments where decisions have regulatory and financial consequence.

Where It Has Been Used

Developed at Bastion and deployed operationally at MISO Energy, a Tier 1 grid operator where regulatory penalties reach $1M per day. Embedded in operational risk and prioritisation processes.

CCTM

Cyber Cognitive Threat Modelling

The Problem

Standard threat models track adversary progression through technical vulnerabilities. Adversaries also exploit attention, trust, and the decision shortcuts that govern behaviour under pressure. CCTM models the human layer as an attack surface.

What It Does

Models how threat actors exploit cognitive vulnerabilities: perception, authority, urgency, and trust in specific organisational and operational contexts. Draws on performance psychology and human factors to produce threat assessments that treat the human layer as a primary attack surface.

Where It Has Been Used

Developed at Bastion and refined across live client engagements. Applied in critical infrastructure, federal, and regulated enterprise environments.

CCKC

Cognitive Kill Chain

The Problem

The traditional kill chain models adversary technical progression. It leaves out how adversaries exploit human cognition to achieve access, persistence, and impact.

What It Does

Maps adversarial exploitation of human cognitive processes across the attack lifecycle: from initial targeting through manipulation, decision subversion, and impact. Used for training, red team planning, control design, and organisational resilience assessment.

Where It Has Been Used

Developed at Bastion. Published as Cognitive Kill Chain: Shadow Directive. Applied in national security, critical infrastructure, and enterprise contexts. Deployed as adversarial doctrine within MISO's purple team operations.

SENTINEL

Executive Risk Reporting

The Problem

Executives act on financial exposure, operational consequence, and strategic implication. Vulnerability counts and severity ratings don't give them that. Boards need a different reporting architecture.

What It Does

Converts adversary signals, vulnerability context, operational exposure, and financial impact into tiered executive and board-level reporting. Designed for CISOs, risk committees, and boards who need to make investment and governance decisions from a security risk baseline.

Where It Has Been Used

Deployed across MISO Energy's executive and board risk reporting processes. Applied in regulated enterprise and critical infrastructure contexts.