- Missed systemic risk: Organizations secure individual components but miss how vulnerabilities propagate through dependencies (e.g., Log4j embedded in third-party apps).
- Ineffective prioritization: Without a linkage structure, teams patch high-severity CVEs on isolated systems while leaving lower-scored flaws on critical trust pathways.
- Slow incident response: When a zero-day emerges, teams scramble to locate vulnerable components. Without pre-existing linkage models, impact analysis becomes a matter of guesswork.
The unified linkage model
While the NIST Zero Trust Architecture and MITRE ATT&CK frameworks have a great deal of utility, ULM provides a structural modeling layer. Traditional network diagrams focus on topology; attack graphs, on the other hand, model exploitation steps. ULM focuses on the linkages, the connective tissue.
It’s not a simple topology map or an attack graph; instead, ULM serves as a conceptual backbone to determine both how vulnerabilities propagate and how adversaries move.
Adjacency
Adjacency describes what is connected or reachable:
- Network adjacency (e.g., VLANs, VPNs, cloud peering)
- API connections between services
- Federated identity relationships (e.g., Okta to SaaS)
- Inter-organizational data sharing or third-party integrations
Adjacency determines how attackers or vulnerabilities can traverse systems. For example, a misconfigured identity provider can act as a high-trust adjacency between external and internal domains.
Inheritance
Inheritance describes what properties, vulnerabilities or behaviors are passed along chains of dependency or control. For example:
- Software dependencies: a vulnerable library that affects every application that depends on it.
- Identity systems: a compromised credential grants downstream access.
- CI/CD pipelines: a malicious build step is inherited by all artifacts produced.
Inheritance explains how a single flaw can cascade through layers, even into domains that didn’t create or deploy the vulnerability.
Trustworthiness
Trustworthiness represents the quality, confidence and resilience of a linkage:
- High-trust internal SSO connections differ from loosely monitored vendor VPNs.
- Implicit trust relationships can be exploited more easily than explicitly verified ones.
- Over-trusted adjacencies amplify the impact of both vulnerabilities and adversaries.
Trustworthiness determines the extent of damage that can be caused when a linkage is exploited. A vulnerability in a low-trust, segmented environment may be contained; the same flaw in a high-trust linkage can trigger systemic failure.
Unlike traditional network models that rely on static topology or IP-based reachability, ULM abstracts the network as a system of heterogeneous linkages (logical, organizational and functional, not just physical). This allows defenders to model paths that adversaries actually use, such as identity trust chains, software dependencies or implicit API adjacencies.
ULM vs. existing models
ULM sits alongside several common cybersecurity modeling approaches. Each contributes to a better understanding of the threat environment while generally addressing one specific aspect: software components, attacker goals, network reachability or vulnerability spread. However, no other model offers a unified structural view. The ULM integrates adjacency, inheritance and trustworthiness, bridging threat intelligence and vulnerability analysis to reveal systemic risk pathways.
| Model | Focus | Primary Use |
| --- | --- | --- |
| SBOM Dependency Graphs | Static component structure | Software inventory, license compliance, vulnerability scanning |
| Attack Trees | Logical attacker goals and sub-goals | Threat modeling |
| Attack Graphs | State transitions and network reachability | Penetration testing, lateral movement analysis |
| Vulnerability Propagation Models | How flaws spread through dependencies | Blast radius analysis, patch prioritization |
| ULM | Structural linkages: adjacency, inheritance, trustworthiness | Integrating threat and vulnerability views; systemic risk analysis |
ULM is not dependent upon a single phenomenon. It can describe software supply chains, network topologies, identity infrastructures and organizational relationships using a common vocabulary of linkages. This flexibility makes it a robust foundation for integrating threat assessments, vulnerability analyses and architectural models.
The novelty of ULM is not in listing vulnerabilities or threats; those are known concepts. The novelty is in modeling the enterprise through linkages that integrate functional, inherited and trust relationships. This sits between network topology (routers, VLANs, IPs) and attack graphs (threat paths), and that’s exactly what most organizations lack.
A simple example: Okta and beyond
Most enterprises are hybrid, with numerous internal and external dependencies. The Okta breach began with stolen support credentials, allowing attackers to access the identity provider’s high-trust connections. In that instance, the hybrid enterprise environment included the following key elements:
- An external identity provider (IdP), in this instance, Okta, for authentication.
- Several SaaS applications integrated via SSO.
- Internal legacy applications that trust assertions from the IdP without extra validation.
- A development pipeline pulling open-source libraries into both internal and SaaS extensions.
An attacker compromised the IdP through stolen credentials. Through those adjacencies, they reached SaaS and internal applications. Inheritance extended the compromise downstream, amplifying impact without exploiting individual vulnerabilities, illustrating how structural linkages, not isolated flaws, can drive widespread organizational exposure. Because the IdP operated in a high-trust zone, its compromise had a multiplying effect.
Analyzed from a vulnerability perspective, none of the internal apps may have had critical CVEs. From a threat intel perspective, the attacker profile was known. A linkage perspective could have been useful.
Strategic benefits of ULM
A linkage perspective exposes how attackers move along trusted connections, chaining adjacencies and inherited dependencies to bypass hardened perimeters. By mapping structural relationships, identity trust, software supply chains and implicit integrations, defenders can see hidden pathways that static vulnerability lists or isolated threat intelligence miss, revealing true systemic exposure.
ULM provides a structural foundation for:
- Better prioritization: Focus defenses where vulnerabilities and attacker pathways intersect.
- Faster impact analysis: Overlay new vulnerabilities on existing linkage maps to find exposures quickly.
- Threat-vulnerability integration: Link threat TTPs to adjacency and trust pathways; map vulnerabilities onto inherited components.
- Cross-domain insight: Describe IT, OT, identity and supply chains in one framework.
- A new lens on network structure: Reframe networks as linkage graphs, not just nodes and edges.
Getting started
Getting started with the ULM involves shifting perspective from isolated assets to the relationships that bind systems together. Before mapping, organizations should understand that linkages (adjacency, inheritance and trustworthiness) form the backbone of systemic risk analysis, enabling more strategic, integrated and anticipatory cybersecurity decision-making.
- Inventory linkages, not just assets. Map adjacencies (network connections, API integrations) and inheritance paths (identity, software dependencies).
- Assess trustworthiness explicitly. Identify which linkages are implicitly trusted versus explicitly verified.
- Overlay vulnerability and threat data. Use scans, SBOMs and intel to find intersections.
- Prioritize and scenario-plan. Ask: Which inherited vulnerabilities sit on high-trust adjacencies? Which adversaries can exploit them?
- Iterate and integrate. Over time, fold ULM maps into dashboards, incident response and tabletop exercises.
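
The steps above, applied to a linkage inventory shaped like the hybrid environment in the Okta example, as an added illustration that is not part of the original article. Node names, trust values, CVSS scores and the scoring formula (including halving trust on explicitly verified linkages) are assumptions; the article does not define a scoring method.

```python
import heapq

# Constructed linkage inventory (hypothetical names and trust values).
# (source, target, kind, explicitly_verified, trust 0..1)
LINKAGES = [
    ("idp", "saas-crm", "adjacency", True, 0.9),        # SSO, assertions validated
    ("idp", "legacy-erp", "adjacency", False, 0.9),     # trusts IdP assertions as-is
    ("vendor-vpn", "legacy-erp", "adjacency", False, 0.4),
    ("oss-lib", "build-pipeline", "inheritance", False, 0.8),
    ("build-pipeline", "saas-ext", "inheritance", False, 0.8),
    ("build-pipeline", "legacy-erp", "inheritance", False, 0.8),
]
# Constructed scanner findings: node -> CVSS base score.
FINDINGS = {"isolated-kiosk": 9.8, "idp": 6.5, "oss-lib": 5.3}

def downstream(origin, linkages=LINKAGES):
    """Map each node reachable from origin to (weight, path), where weight is
    the product of linkage trust along the strongest path."""
    graph = {}
    for src, dst, kind, verified, trust in linkages:
        # Assumption: explicit verification halves what a linkage passes on.
        graph.setdefault(src, []).append((dst, trust * (0.5 if verified else 1.0), kind))
    best = {origin: (1.0, [origin])}
    heap = [(-1.0, origin)]
    while heap:  # Dijkstra variant maximising the trust product
        neg, node = heapq.heappop(heap)
        if -neg < best[node][0]:
            continue  # stale queue entry
        for dst, weight, kind in graph.get(node, []):
            cand = -neg * weight
            if cand > best.get(dst, (0.0, None))[0]:
                best[dst] = (cand, best[node][1] + [f"-{kind}->", dst])
                heapq.heappush(heap, (-cand, dst))
    del best[origin]
    return best

def rank(findings, linkages=LINKAGES):
    """Order findings by CVSS scaled by how much trust-weighted reach they have."""
    scored = []
    for node, cvss in findings.items():
        reach = downstream(node, linkages)
        systemic = cvss * (1 + sum(weight for weight, _ in reach.values()))
        scored.append((round(systemic, 1), node, sorted(reach)))
    return sorted(scored, reverse=True)

if __name__ == "__main__":
    for score, node, reach in rank(FINDINGS):
        print(f"{score:5.1f}  {node:15} reaches {reach or 'nothing'}")
```

With this constructed data, the 9.8 finding on the isolated kiosk ranks last, behind the lower-scored findings on the open-source library and the IdP, because those two sit on inheritance and high-trust adjacency paths.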
A more thorough systemic approach
Attackers exploit the spaces between, not just the endpoints. The unified linkage model offers a systematic approach to analyzing the structural spaces where threats intersect vulnerabilities. By modeling networks through linkages rather than infrastructure, ULM offers CISOs a fundamentally new way to understand how digital systems behave under stress, whether from vulnerabilities, adversaries or both.
This story was adapted from my longer article in the fall 2025 edition of “United States Cybersecurity Magazine,” Unified Linkage Models: Recontextualizing Cybersecurity. Additional details are available in the original article.
This article is published as part of the Foundry Expert Contributor Network.
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4082062/the-unified-linkage-model-a-new-lens-for-understanding-cyber-risk.html


