Threat
system-sync · novice
slug: threat
element_type: TERM
mutability: MUTABLE
inline: true
current_version: 0
status: seed-draft
contentURI: null
A threat is any actor, condition, or sequence of events with the intent and capacity to cause harm to an asset under federation protection. Threats are classified by source (external actor, insider, automated agent, environmental), by target (asset class), and by stage in the attack lifecycle (reconnaissance, exploitation, persistence, exfiltration, impact). A threat that has not yet materialized into an incident is still a threat; the absence of harm does not negate the classification.
Status
Seed-draft, no personal attribution. This element is one of the first elements authored when the Cyber Security Sub-Leviathan was opened (2026-05-16). The framing here is deliberately minimal — it carves out the term's boundaries without committing to any specific threat model. A domain-author (or community of domain-authors) is expected to expand this with concrete threat taxonomies, attribution conventions, and stage definitions appropriate to the federation's actual exposure.
Why this matters
Without a federation-wide definition of "threat," every instance under Cyber Security would define it differently. One instance's "threat" is another's "background noise." The dialectic + evidence rules (inherited from meta) require shared vocabulary to even begin a discussion. This term is the foundation.
Reasoning trail
Three properties chosen deliberately:
- Intent OR capacity is sufficient — a competent actor without intent today may have intent tomorrow; an intent without current capacity may acquire it. Treating both as threats reduces blind spots.
- Classified by lifecycle stage — mapping to standard frameworks (MITRE ATT&CK lifecycle, Lockheed Kill Chain) without endorsing any single one. Sub-Leviathans inheriting Cyber Security can pick a framework in their domain rules.
- A non-materialized threat is still a threat — prevents "no incident yet" rhetoric from suppressing recognition of a known risk. Compare: principle:defensive-only requires recognition before action.
Open questions for domain authors
- Should threat classification include attribution (nation-state, criminal, hacktivist, etc.) at the term level, or should attribution be a separate term?
- How are threats versioned? A threat actor whose capabilities evolve — does this change the threat's version, or generate a new threat?
- Should "automated agent" (AI/LLM-driven threats) be a first-class category alongside human-driven threats? The federation includes AI agents as legitimate participants — when does an AI agent become a threat?
Related elements
- principle:defensive-only — threats trigger defense, never offense
- term:vulnerability — a threat exploits a vulnerability
- term:incident — a materialized threat becomes an incident
- principle:human-approval-for-destructive — even threat response gated through human approval
Awaiting domain author
This term will be amended once a domain author proposes a richer taxonomy via the standard proposal lifecycle (per leviathan-protocol/meta trio rules). See /forum/cyber-security for the canonical thread.