313SEC // GHOSTLINE DIVISION
DOCTRINE PAPER · FILED 2026.05.19 · CARDIFF · SECTOR UK SME / CRITICAL · OPERATIONAL
SOURCE STYRAN, V. (2026)

WE DO NOT REACT. WE DENY THE GROUND.

How 313SEC defends businesses inside a worldwide cyber war. Our doctrine. Our reasoning. The work we are building. Written for the people whose name is on the door, not for security committees.

// SECTOR SME · UK GEO LOCK
// DOCTRINE COHESION 0.94

The cyber war is not coming. You are already in it.

The world is in active conflict. Ukraine has been under continuous offensive cyber operations since 2014, which makes it the most active cyber battlefield on the planet. Russia, China, Iran and North Korea run state-aligned programmes that explicitly target Western businesses, not just governments. Around them sits a multi-billion pound criminal industry running ransomware as a service. None of this is theoretical. The UK has been hit, repeatedly, at scale, across sectors that previously assumed they were not on the target list.

For a Welsh manufacturer, a London law firm, an English logistics business, the difference between "geopolitics" and "your problem" has collapsed. Marks & Spencer. The Co-op. NHS supply chain. The MOVEit cascade. The British Library. The pattern is consistent. The pattern is industrial. The pattern is going to get worse.

Most cybersecurity products sold to your business are built around a 1995 assumption: that an attack is a discrete event, and your job is to detect it and respond. That was a reasonable assumption when attacks were rare. They are not rare anymore. They are the weather.

The trap is not in the tools. The trap is in the posture. Reactive defence positions you downstream of the attacker's initiative every time. They choose when. They choose how. You wait, you alert, you triage, you rebuild. Then you wait again. The economics of that posture favour the attacker by design. 313SEC was built on the assumption that this is not good enough.

// POSTURE A · REACTIVE

Detect — Respond — Rebuild — Wait

You buy tools. The tools alert. Your team responds. You contain what you can. You rebuild. You wait. Every cycle of this dance starts with the attacker choosing the moment.

This is what most of the industry sells. It is the floor. It is not the ceiling.

// DIAGRAM · ALERT → TRIAGE → CONTAIN → RESTORE → WAIT
// POSTURE B · OUR POSTURE

Map — Disrupt — Watch — Sharpen

We map what the attacker needs from your business. We alter those conditions, deliberately. We watch them try to adapt. We sharpen the map. We do it again. Every cycle takes ground.

This is what we do. The whole document explains it.

// DIAGRAM · INTEL → FRICTION → ANTICIPATION
The defender's job is not to detect attacks and respond to them.
It is to shape the conditions under which attacks happen.

Strip away the hoodies. The attacker is a business.

Forget the imagery the industry has sold you for twenty years. Hooded silhouettes. Green-on-black terminals. Lone wolves in basements. None of it is real. The people on the other side of the keyboard are professionals. They have managers. They have payroll. They have suppliers. They have working hours, holiday schedules and quarterly targets. State-aligned operators take their parade days off.

Two researchers, Matthew Monte and Max Smeets, formalised this view of the adversary. We use their model because it is the most operationally useful thing in the academic literature on offensive cyber. The attacker's operation runs on five things.

// 01 · P · People
Operators, handlers, the chain of command behind every keystroke.
// 02 · E · Exploits
The bugs and the techniques that turn presence into power.
// 03 · T · Tools
Their malware, their agents, the kit they bring with them.
// 04 · I · Infrastructure
Staging servers, command channels, anything they need to dial home.
// 05 · O · Organization
Schedules, working hours, the rhythm they assume you keep.

Every one of those five is a dependency. Every dependency lives, at least partly, inside your business. Every dependency is therefore something we can move.

They have margins. Their margins depend on you behaving predictably. The moment you stop behaving predictably, their unit economics break.

You own the terrain. That is not nothing.

The popular conception of cybersecurity is that the attacker is omniscient and you are scrambling. The honest version is that the attacker is a bureaucracy with deadlines, working against a target they do not own. Defenders have something attackers never will. Total potential awareness of the network, total control of posture, and the ability to reconfigure, segment, patch, replace or shut down systems at will.

Most businesses never use that advantage. They buy expensive tools and then refuse to move the furniture in case it upsets the cleaning staff. We argue, with respect, that the furniture is the weapon.

The Offense Death Cycle. Our operating doctrine.

We adopted the Offense Death Cycle after evaluating every credible defensive framework in active research. The framework was articulated by Volodymyr Styran, who works at Ukraine's State Service of Special Communications and Information Protection. The provenance matters to us. He wrote it from inside the most active cyber conflict on Earth, not from a conference room.

It is a three-phase loop. We run it on our clients' environments continuously. Every week, every month, every quarter.

// DIAGRAM · 313SEC OPERATING LOOP · MAP → DISRUPT → WATCH · 01 INTELLIGENCE · 02 FRICTION · 03 ANTICIPATION
PHASE 01 // OF 03

Intelligence

Map · Profile · CRV Analysis · Dependency Lock

We do not start with detection rules. We start with a question: what does an attacker actually need from this business to operate inside it? Which credentials. Which servers. Which working hours. Which suppliers. We build a living map of those dependencies and we keep it current. It is the most valuable artefact in the engagement.

Conventional intel asks “what is the attacker doing?” We ask “what does the attacker need from your environment to keep doing it?”

Five levers. Pulled in the right order.

For every attacker dependency we map, there is a corresponding environmental change available to us. We can pull every one of these without breaking your business. We do not pull them randomly. We pull them based on the intelligence map and your risk tolerance.

// LEVER P · PEOPLE
What they need: Consistent operator access, stable credentials, predictable behaviour.
What we change: Rotate privileges and passwords, enforce MFA, shorten session lifetimes, shift telemetry.
FRICTION PROFILE Low cost to your business, high cost to mature tradecraft. Credential rotation alone often kills long-haul access. Pair with shortened session windows and shifted log collection schedules so the attacker's quiet hours stop being quiet. This is usually our first lever.

// LEVER E · EXPLOITS
What they need: Stable, unpatched, unchanging software versions.
What we change: Apply patches off-schedule. Move version cadence. Replace components that aged into stability.
FRICTION PROFILE The attacker has paid in time and money to weaponise a specific version of something you run. Predictable patch cycles let them plan around it. Unscheduled upgrades, even minor ones, force their tooling to re-verify and re-test. Their bureaucracy shows up on our sensors.

// LEVER T · TOOLS
What they need: Stable host fingerprints, standing rule exceptions, predictable telemetry.
What we change: Reset EDR exclusions, normalise configurations, rebuild golden images, shift logging.
FRICTION PROFILE Almost invisible to users. Severe to mature implants. Cycle every standing exception. Reset every "temporary" allow rule. Implants designed to look like legitimate components suddenly stop blending in.

// LEVER I · INFRASTRUCTURE
What they need: Fixed network routes, persistent jump hosts, predictable external service patterns.
What we change: Re-segment networks, change DNS, introduce ephemeral hosts, shape traffic.
FRICTION PROFILE The heaviest lever. The highest yield. We sequence it carefully, with rollback and your team in the loop. Re-segmentation is hard. So is the attacker's lateral movement plan. Short-lived hostnames and ephemeral compute turn the network into a moving target without the noise of full automation.

// LEVER O · ORGANIZATION
What they need: Predictable change windows, announced maintenance, observable communications.
What we change: Unannounced upgrades, simulated audits, irregular windows, fabricated oversight events.
FRICTION PROFILE Targets the attacker's calendar, not their code. Most APTs run on schedules and on the assumption that announced changes mean predictable changes. Pull this lever and they move faster than their tradecraft allows. That is when they make mistakes.

// HOW WE WORK. We never pull a lever without a written rollback plan, change-management sign-off, and an agreed escalation path with your team. Friction is not chaos. Friction is engineered. We start with the lowest-impact, highest-yield options and escalate only when the intelligence supports it.

How a cycle runs in practice.

Four patterns from our operational playbook. They are not exotic. They do not need exotic tooling. They need disciplined intelligence about the attacker and a willingness to use it. Each one starts with a hypothesis we developed in the Intelligence phase. Each one ends with new data feeding the next cycle.

Trigger Overwatch

We fabricate the appearance of imminent scrutiny. The internal announcement of a new managed security provider. A deep third-party audit. A new external compliance review. Anything that telegraphs heightened organisational attention. The attacker, watching, sees it.

// MECHANISM

Stage internal comms, calendar entries and vendor paperwork. Real-looking, internally visible, deliberately observable.

// LEVERS · PETIO

People & Organization. Their risk tolerance. Their willingness to act before access is lost.

// OUTCOME

The attacker rushes to broaden access before the audit. Error rates climb. Detectable activity surges. We harvest the panic.

Simulate Red-on-Red

We plant controlled artefacts resembling rival APT activity. Operators of long-running campaigns actively watch for competitors in their kill zone. They do not share well.

// MECHANISM

Credible breadcrumbs of a competitor in places we know the attacker is looking.

// LEVERS · PETIO

Tools & Organization. Their assumption of exclusive access. Their territorial instincts.

// OUTCOME

Premature, noisy action. New tooling deployed. Persistence mechanisms reinforced in observable ways. Their reaction becomes our intelligence.

Sudden Change Management

Unannounced reconfigurations. Emergency patching. Unscheduled software upgrades. All inside controlled parameters, with rollbacks ready and your IT team walked through the cost with us.

// MECHANISM

Compress the change window. Skip the public calendar. Move maintenance to a non-standard day. Real change, off-rhythm.

// LEVERS · PETIO

Infrastructure & Exploits. Their persistence routes. Their unpatched footholds.

// OUTCOME

Persistent access breaks. Exfiltration routines fail. Re-entry attempts surface previously invisible access vectors.
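One way to build the adaptation telemetry this pattern relies on, as an added example that is not 313SEC's or GHOSTLINE's code: after a credential rotation, the auth log is searched for principals that held working access beforehand and now only fail. The log lines, the rotation time and the key=value log format are all constructed for the example.

```python
# Added example (not 313SEC or GHOSTLINE code): adaptation telemetry after a
# credential-rotation friction event. Principals that held working access before
# the rotation and keep failing afterwards without ever succeeding again are the
# re-entry attempts the pattern expects to surface; a legitimate user who is
# issued the new credential succeeds and drops out of the list.
from collections import defaultdict
from datetime import datetime, timezone
import re

# Constructed auth log lines in a simple key=value layout (not a real vendor schema).
AUTH_LOG = """\
2026-05-04T02:10:11Z auth ok user=svc_backup src=10.20.0.45
2026-05-04T02:40:13Z auth ok user=svc_backup src=10.20.0.45
2026-05-05T09:00:00Z auth ok user=j.davies src=10.20.1.9
2026-05-06T03:20:05Z auth fail user=svc_backup src=10.20.0.45 reason=bad_password
2026-05-06T03:20:09Z auth fail user=svc_backup src=10.20.0.45 reason=bad_password
2026-05-06T03:21:40Z auth fail user=svc_backup src=10.20.0.45 reason=bad_password
2026-05-06T09:05:00Z auth fail user=j.davies src=10.20.1.9 reason=bad_password
2026-05-06T09:06:00Z auth ok user=j.davies src=10.20.1.9
2026-05-06T11:00:00Z auth fail user=guest src=198.51.100.7 reason=no_such_user
"""

# The unannounced, off-rhythm rotation from the Sudden Change Management pattern.
ROTATION_AT = datetime(2026, 5, 6, 3, 0, tzinfo=timezone.utc)

LINE_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_auth_log(text):
    """Yield (timestamp, result, user, src), skipping lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
            yield ts, m["result"], m["user"], m["src"]


def find_reentry_attempts(log_text, rotation_at, min_failures=3):
    """Return principals with pre-rotation access that only fail after it."""
    had_access = set()            # (user, src) with a success before rotation
    failures = defaultdict(list)  # (user, src) -> failure timestamps after rotation
    recovered = set()             # (user, src) that succeeded again after rotation
    for ts, result, user, src in parse_auth_log(log_text):
        key = (user, src)
        if ts < rotation_at:
            if result == "ok":
                had_access.add(key)
        elif result == "ok":
            recovered.add(key)
        else:
            failures[key].append(ts)
    findings = []
    for key in sorted(had_access):
        fails = failures.get(key, [])
        # Old secret replayed repeatedly and never replaced: a re-entry candidate.
        if len(fails) >= min_failures and key not in recovered:
            findings.append({"user": key[0], "src": key[1], "failures": len(fails),
                             "first": fails[0].isoformat(), "last": fails[-1].isoformat()})
    return findings


if __name__ == "__main__":
    for f in find_reentry_attempts(AUTH_LOG, ROTATION_AT):
        print(f"RE-ENTRY CANDIDATE {f['user']}@{f['src']} x{f['failures']} "
              f"{f['first']} .. {f['last']}")
```

Sources that never authenticated before the rotation (the constructed `guest` line) are deliberately left out: they are ordinary failed logins, not evidence of lost persistence.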

Bad Luck Injection

Benign, contained instability. Short controlled restarts. Intermittent throttling. Randomised rescheduling of admin tasks. The kind of small chaos a real environment occasionally produces anyway.

// MECHANISM

We make the environment slightly unreliable in ways that mimic real drift, so the attacker cannot tell deliberate from accidental.

// LEVERS · PETIO

Tools & Organization. Their reliance on operational rhythm and automation timing.

// OUTCOME

Automation falters. Manual intervention required. Operational cost rises. Error rates rise. Visibility rises.

The mechanism is real. Here is the receipt.

We did not invent this approach. We adopted it because the historical record kept producing the same shape: long-running intrusions terminate when the environment changes. The change is usually accidental. When it is deliberate, the result is far more controlled and far more powerful. The four cases below are well-documented, public, and demonstrate the same mechanism every time.

// ACCIDENTAL · VISIBILITY TRANSITION

Equifax · 2017

76 days dwell · ended by a routine cert renewal

Attackers exploited an Apache Struts flaw in mid-May 2017 and lived inside Equifax's dispute-resolution app for over two months. Encrypted exfiltration ran continuously. The network sensor's SSL inspection certificate had expired the previous November, so outbound traffic was opaque to defenders by default.

// TIMELINE · MAY 13 INTRUSION → 76 DAYS BLIND → JUL 29 ROUTINE MAINTENANCE, CERT RENEWED → JUL 30 ALERTS

On 29 July an administrator renewed the certificate. A routine action with no defensive intent. The opacity lifted. Within hours, alerts. Containment began the next day. A benign action imposed friction severe enough to terminate an ongoing operation.

// ACCIDENTAL · NEW TELEMETRY

Marriott / Starwood · 2018

~4 years dwell · ended by acquisition integration

Starwood's reservation network had been compromised since 2014. The breach surfaced in late 2018 after Marriott's internal monitoring tools, introduced during post-acquisition integration, flagged the persistent access.

Detection did not come from a smarter detection rule. It came from an environmental change. New telemetry, new systems, new baseline. The intruder's stable cover stopped being stable.

Four years of detection programmes failed. Six weeks of new telemetry succeeded. That is not a coincidence.

// ACCIDENTAL · EDR DEPLOYMENT

DNC & OPM · 2015–16

visibility transition · the same mechanism, twice

At the DNC, the deployment of CrowdStrike's Falcon EDR in May 2016 immediately surfaced live command-and-control traffic from two threat groups. At OPM, newly deployed commercial detection software exposed beaconing activity that had been masquerading as a legitimate antivirus component.

In both cases the trigger was an environmental change, not a better analyst. The new instrument altered the conditions the attacker had built their persistence around.

// DELIBERATE · ENVIRONMENTAL CONTROL

PrivatBank vs NotPetya · 2017

unaffected by Ukraine's largest cyber event

This is the case we point to most often. NotPetya tore through Ukraine in June 2017. PrivatBank, the country's largest bank, kept running. Not because of heroics in the moment. Because, years earlier, they had built an environment NotPetya could not adapt to.

// [ + ] PRIVATBANK STACK
PrivatLinux core. Strict segmentation. Incompatible authentication. Minimal trust across domain boundaries.
// [ × ] NOTPETYA WORM
Built for Windows domains, credential reuse, SMB. Built for homogeneous, trusting networks. Stopped at every boundary.

The defender did not detect the worm. The defender did not block the worm. The defender had pre-shaped the environment so the worm's automation could not adapt to it. That is the playbook. Not heroics. Deliberate terrain shaping over time.

We chose this for specific reasons.

We evaluated the alternatives seriously. None of them are wrong. All of them have a place. None of them are sufficient on their own to defend a business that is being continuously contested. Here is our reasoning, written plainly.

Approach | What it does | Shapes your env | Learns each cycle | Fits a normal business
Kill Chain | Models attacks as linear phases | No | ~ Post-detection | High (analysis)
ATT&CK / D3FEND | Catalogues attacker techniques and defences | No | No | High (reference)
Moving Target Defence | Randomises configurations to confuse attackers | Technical only | No | Moderate
Active Cyber Defence | Proactive, sometimes reaches outside your network | ~ Partial | ~ Partial | Variable · legal risk
Cyber Deception | Plants decoys to lure attackers | Synthetic only | ~ Only on contact | Moderate
Resilience | Plans for breach + faster recovery | ~ Indirect | Adaptive | Moderate
JP 3-12 (military) | US joint defensive cyber doctrine | Yes | Yes | Limited · military only
ODC · OUR DOCTRINE | Shape your real environment, contest initiative, learn every cycle | Real env | 3-phase loop | High · designed for business

// On Moving Target Defence

It works at a technical level but it does not learn. Randomisation is not strategy. We use elements of MTD inside the wider cycle, not as a substitute for it.

// On Active Cyber Defence

It sanctions reaching into the attacker's infrastructure. We do not work that way. The legal risk lands on you, not the framework. Our cycle stays inside your administrative domain.

// On Deception

Useful, but it only works when the attacker engages with the decoys. Mature operators discard them. We use deception as one class of friction, not as the foundation of the defence.

// On Resilience

Resilience plans for the day after breach. We agree breach is likely. We disagree that recovery is the ceiling. The cycle is the difference between bouncing back and taking ground.

// On Military Doctrine

JP 3-12 assumes joint force commanders and intelligence support. A Welsh manufacturer has neither. The ODC is the translation of that strategic logic into civilian operations a SOC can actually run.

// Why we picked the ODC

It is the only approach we found that combines real environmental shaping, an intelligence feedback loop, and a form a normal business can actually adopt. That is why we run it. That is why we are building on it.

The whole game comes down to cycle speed.

The single most important measurement of whether the doctrine is working is this: are we resetting the environment faster than the attacker can adapt to it?

When our cycle is faster, every cycle the attacker spends rebuilding access is a cycle we have already moved past. Their costs compound. Their morale degrades. Their leadership starts asking why this target is so expensive. Eventually their business case fails and they go elsewhere. When their cycle is faster, they pull ahead. Their persistence stabilises. Their visibility into your operations grows.

Time to Reset vs Time to Adapt

STATUS · WE HOLD INITIATIVE
313SEC · Time to Reset · 3.0d
Attacker · Time to Adapt · 7.0d

// WHAT WE MEASURE WITH YOU. MTTD and MTTR stay in our reports because the industry expects them. We treat them as floor metrics. The number that matters is reset velocity. How fast we cycle your environment. How fast the attacker adapts. The ratio is the score.
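The score described above, worked through as an added example (not GHOSTLINE's Cycle Velocity Reporting code): the reset and adaptation timestamps are constructed, and the rule that one observed adaptation answers every reset that preceded it is our modelling assumption, not the paper's.

```python
# Added example (not GHOSTLINE's Cycle Velocity Reporting code): reset velocity
# from two constructed event streams, environment resets from the change log and
# attacker adaptations from telemetry. The ratio of the two means is the score.
from datetime import datetime, timezone
from statistics import mean

DAY = 86400.0

def parse_ts(s):
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)  # constructed, UTC

# Constructed change log: one entry per lever pull that reset part of the environment.
RESETS = [
    ("2026-04-01T03:00", "P credential rotation"),
    ("2026-04-04T03:00", "T EDR exclusions reset"),
    ("2026-04-07T03:00", "E off-schedule patch"),
    ("2026-04-10T03:00", "I re-segmentation and DNS change"),
    ("2026-04-13T03:00", "O unannounced maintenance window"),
    ("2026-04-16T03:00", "P session lifetimes shortened"),
    ("2026-04-19T03:00", "T golden images rebuilt"),
]
# Constructed adaptation telemetry: first observed sign the attacker regained footing.
ADAPTATIONS = ["2026-04-08T03:00", "2026-04-17T03:00"]


def cycle_velocity(resets, adaptations, now):
    """Mean time to reset and to adapt (days), their ratio, a status and open resets.

    Modelling assumption (ours, not the paper's): an adaptation answers every reset
    before it, so time to adapt runs from the oldest reset still unanswered. Resets
    unanswered at `now` are right-censored and reported as open, not averaged in.
    """
    r_times = sorted(parse_ts(ts) for ts, _ in resets)
    a_times = sorted(parse_ts(ts) for ts in adaptations)
    gaps = [(b - a).total_seconds() / DAY for a, b in zip(r_times, r_times[1:])]
    adapt_days, pending = [], list(r_times)
    for a in a_times:
        answered = [r for r in pending if r < a]
        if not answered:
            continue  # adaptation precedes every open reset: nothing to attribute
        adapt_days.append((a - min(answered)).total_seconds() / DAY)
        pending = [r for r in pending if r >= a]
    mtt_reset = mean(gaps) if gaps else None
    mtt_adapt = mean(adapt_days) if adapt_days else None
    ratio = mtt_reset / mtt_adapt if mtt_reset is not None and mtt_adapt else None
    if ratio is None:
        status = "INSUFFICIENT DATA"
    elif ratio < 1.0:
        status = "WE HOLD INITIATIVE"  # we reset faster than they adapt
    else:
        status = "ATTACKER HOLDS INITIATIVE"
    return {
        "mtt_reset_days": mtt_reset, "mtt_adapt_days": mtt_adapt, "ratio": ratio,
        "status": status, "open_resets": len(pending),
        # Lower bound on adapt time for the oldest unanswered reset, if any.
        "open_min_days": (now - min(pending)).total_seconds() / DAY if pending else None,
    }


if __name__ == "__main__":
    r = cycle_velocity(RESETS, ADAPTATIONS, parse_ts("2026-04-21T03:00"))
    print(f"{r['status']}  reset={r['mtt_reset_days']:.1f}d "
          f"adapt={r['mtt_adapt_days']:.1f}d ratio={r['ratio']:.2f} open={r['open_resets']}")
```

With the constructed data the means come out at 3.0 and 7.0 days, the values on the dial above; feeding faster adaptations (one day after each reset) flips the status.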

3 phases // THE LOOP
5 levers // PETIO LEVERS
4 tactics // OPERATIONAL PATTERNS
1 question // THE REFRAME

GHOSTLINE. The doctrine, engineered.

313SEC is the operation that delivers cybersecurity to clients. GHOSTLINE is the engineering division behind it. The doctrine on this page is the why. GHOSTLINE is the how. We are building the doctrine into deployable systems, week by week. Some of what we are working on is below.

// MODULE 01 LIVE

Continuous Environment Mapping

We map what attackers need from your business and watch those dependencies evolve in real time. The map is alive. It sharpens every week. It is the artefact that drives every other phase of the cycle.

PHASE · INTELLIGENCE
// MODULE 02 LIVE

Friction Engineering

The tooling and playbooks that let us pull every lever in the CRV map without breaking your operation. Engineered change. Never chaos. Rollbacks always loaded.

PHASE · FRICTION
// MODULE 03 BUILDING

Adaptation Telemetry

Sensors that do more than look for attackers. They watch for the signatures of attackers adapting to the friction we just applied. That signature is the most valuable intelligence in the cycle.

PHASE · ANTICIPATION
// MODULE 04 LIVE

GHOSTLINE RECON

Outside-in mapping. What an attacker sees of your business before they engage. We see it first. We close it first. Continuous, not annual.

SURFACE · EXTERNAL
// MODULE 05 BUILDING

Cycle Velocity Reporting

The infrastructure that produces reset-velocity scores. Our clients see whether the doctrine is winning in numbers, not narrative. Boardroom-ready.

MEASUREMENT · CLIENT-FACING
// MODULE 06 RESEARCH

Machine Reasoning Layer

Our work on AI for cyber operations. Designed to amplify a small expert team running a continuous cycle, not to replace them. Built carefully, deployed carefully.

RESEARCH · ORACLE

We are a Wales-based MSSP. We are not the largest team. We compensate by being a research-led one. The doctrine is not a marketing position for us. It is the architecture we build against.

If your defence stops at ‘we got an alert’, talk to us.

The premise of this paper is simple. The cyber war is on. It is on for your business whether you signed up for it or not. The way most security is sold treats it as a series of incidents to react to. That posture loses by design. We chose a different one.

We chose the Offense Death Cycle because the historical record supports it, the strategic theory supports it, and what we have seen on the ground supports it. We do not claim it is the only valid approach. We claim it is the one that gives our clients the best chance of being too expensive to attack. Which, in the war we are in, is what victory looks like.

The question stops being “how do we stop the attacker?”
and becomes “how do we make their job impossible?”

Get the briefing.

A 30-minute call. No sales script. We walk you through what an Offense Death Cycle engagement would look like for your business, and we tell you honestly whether we are the right team for the job. If we are not, we will tell you who is.

// This paper is based on Styran (2026), “The Offense Death Cycle: Proactive Environmental Control as a Method of Persistent Cyber Defense”, The Cyber Defense Review 11(1), 57–78. Read the original. Then decide.