DOCTRINE PAPER · 313SEC // GHOSTLINE DIVISION · FILED CARDIFF · SOURCE: STYRAN, V. (2026)

WE DO NOT REACT. WE DENY THE GROUND.

How GHOSTLINE defends businesses inside a worldwide cyber war. Our doctrine. Our reasoning. The work we are building. Written for the people whose name is on the door, not for security committees.

// SECTOR SME · UK GEO LOCK

The cyber war is not coming. You are already in it.

The world is in active conflict. Ukraine has been under continuous offensive cyber operations since 2014, which makes it the most active cyber battlefield on the planet. Russia, China, Iran and North Korea run state-aligned programmes that explicitly target Western businesses, not just governments. Around them sits a multi-billion pound criminal industry running ransomware as a service. None of this is theoretical. The UK has been hit, repeatedly, at scale, across sectors that previously assumed they were not on the target list.

For a Welsh manufacturer, a London law firm, an English logistics business, the difference between "geopolitics" and "your problem" has collapsed. Marks & Spencer. The Co-op. NHS supply chain. The MOVEit cascade. The British Library. The pattern is consistent. The pattern is industrial. The pattern is going to get worse.

This paper is for the owners and directors.

It is not a sales document, although we are a security business. It is a doctrine paper. It is the worldview the team operates from. We publish it because clients deserve to understand the reasoning behind what we do before they spend money on it, and because the industry is overdue an honest one. We borrow this approach from the doctrine of Volodymyr Styran, who articulates the model from inside the most active cyber theatre on Earth, and we apply it to a British SME context.

Strip away the hoodies. The attacker is a business.

Forget the imagery the industry has sold you for twenty years. Hooded silhouettes. Green-on-black terminals. Lone wolves in basements. None of it is real. The people on the other side of the keyboard are professionals. They have managers. They have payroll. They have suppliers. They have working hours, holiday schedules and quarterly targets. State-aligned operators take their parade days off.

Two researchers, Matthew Monte and Max Smeets, formalised this view of the adversary. We use their model because it is the most operationally useful thing in the academic literature on offensive cyber. The attacker's operation runs on five things, and their initials spell the model's name: PETIO.

// 01 · P · People
Operators, handlers, the chain of command behind every keystroke.

// 02 · E · Exploits
The bugs and the techniques that turn presence into power.

// 03 · T · Tools
Their malware, their agents, the kit they bring with them.

// 04 · I · Infrastructure
Staging servers, command channels, anything they need to dial home.

// 05 · O · Organization
Schedules, working hours, the rhythm they assume you keep.


Every one of those five is a dependency. Every dependency lives, at least partly, inside your business. Every dependency is therefore something we can move.

They have margins. Their margins depend on you behaving predictably. The moment you stop behaving predictably, their unit economics break.

You own the terrain. That is not nothing.

The popular conception of cybersecurity is that the attacker is omniscient and you are scrambling. The honest version is that the attacker is a bureaucracy with deadlines, working against a target they do not own. Defenders have something attackers never will. Total potential awareness of the network, total control of posture, and the ability to reconfigure, segment, patch, replace or shut down systems at will.

Most businesses never use that advantage. They buy expensive tools and then refuse to move the furniture in case it upsets the cleaning staff. We argue, with respect, that the furniture is the weapon.

The Offense Death Cycle. Our operating doctrine.

We adopted the Offense Death Cycle after evaluating the credible defensive frameworks in active research. The framework was articulated by Volodymyr Styran, who works at Ukraine's State Service of Special Communications and Information Protection. The provenance matters to us: he wrote it from inside the most active cyber conflict on Earth, not from a conference room.

It is a three-phase loop. We run it on our clients' environments continuously: every week, every month, every quarter.

[Operating loop: 01 INTELLIGENCE (map) → 02 FRICTION (disrupt) → 03 ANTICIPATION (watch) → back to 01]

PHASE 01 // OF 03

Intelligence

// MAP · PROFILE · CRV ANALYSIS · DEPENDENCY LOCK

We do not start with detection rules. We start with a question: what does an attacker actually need from this business to operate inside it? Which credentials. Which servers. Which working hours. Which suppliers. We build a living map of those dependencies and we keep it current. It is the most valuable artefact in the engagement.

Conventional intel asks "what is the attacker doing?" We ask "what does the attacker need from your environment to keep doing it?"

Five levers. Pulled in the right order.

For every attacker dependency we map, there is a corresponding environmental change available to us. We can pull every one of these without breaking your business. We do not pull them randomly. We pull them based on the intelligence map and your risk tolerance.

LEVER P // People
What they need: Consistent operator access, stable credentials, predictable behaviour.
What we change: Rotate privileges and passwords, enforce MFA, shorten session lifetimes, shift telemetry.
FRICTION PROFILE: Low cost to your business, high cost to mature tradecraft. Credential rotation alone often kills long-haul access. Pair with shortened session windows and shifted log collection schedules so the attacker's quiet hours stop being quiet. This is usually our first lever.

LEVER E // Exploits
What they need: Stable, unpatched, unchanging software versions.
What we change: Apply patches off-schedule. Move version cadence. Replace components that aged into stability.
FRICTION PROFILE: The attacker has paid in time and money to weaponise a specific version of something you run. Predictable patch cycles let them plan around it. Unscheduled upgrades, even minor ones, force their tooling to re-verify and re-test. Their bureaucracy shows up on our sensors.

LEVER T // Tools
What they need: Stable host fingerprints, standing rule exceptions, predictable telemetry.
What we change: Reset EDR exclusions, normalise configurations, rebuild golden images, shift logging.
FRICTION PROFILE: Almost invisible to users. Severe to mature implants. Cycle every standing exception. Reset every "temporary" allow rule. Implants designed to look like legitimate components suddenly stop blending in.

LEVER I // Infrastructure
What they need: Fixed network routes, persistent jump hosts, predictable external service patterns.
What we change: Re-segment networks, change DNS, introduce ephemeral hosts, shape traffic.
FRICTION PROFILE: The heaviest lever. The highest yield. We sequence it carefully, with rollback and your team in the loop. Re-segmentation is hard. So is the attacker's lateral movement plan. Short-lived hostnames and ephemeral compute turn the network into a moving target without the noise of full automation.

LEVER O // Organization
What they need: Predictable change windows, announced maintenance, observable communications.
What we change: Unannounced upgrades, simulated audits, irregular windows, fabricated oversight events.
FRICTION PROFILE: Targets the attacker's calendar, not their code. Most APTs run on schedules and on the assumption that announced changes mean predictable changes. Pull this lever and they move faster than their tradecraft allows. That is when they make mistakes.

// HOW WE WORK. We never pull a lever without a written rollback plan, change-management sign-off, and an agreed escalation path with your team. Friction is not chaos. Friction is engineered. We start with the lowest-impact, highest-yield options and escalate only when the intelligence supports it.

How a cycle runs in practice.

Four patterns from our operational playbook. They are not exotic. They do not need exotic tooling. They need disciplined intelligence about the attacker and a willingness to use it. Each one starts with a hypothesis we developed in the Intelligence phase. Each one ends with new data feeding the next cycle.

// TACTIC 01

Credential Reset Pulse

Targeted rotation of high-value credentials at unpredictable intervals, combined with shifted log-collection windows. The attacker's most reliable access path becomes their riskiest.

SEQUENCE
Map exposed credentials → Identify candidates with operational quietness → Schedule rotations off-cycle → Watch for adaptation
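The pulse and the "watch for adaptation" step, as an added worked example rather than GHOSTLINE's own tooling. The account names, the freeze window, the dates and the auth log are constructed, and the log format is a hypothetical one:

```python
"""Credential Reset Pulse: an off-cycle rotation plan plus the check that tells
you whether someone is still leaning on a credential you just retired.
Added example, not GHOSTLINE tooling. Account names, hosts, dates and the
auth log below are constructed; the log format is a hypothetical one."""
import random
from datetime import datetime, timedelta

START = datetime(2026, 3, 20)  # when this pulse was approved (constructed)

# Constructed inventory of high-value credentials chosen in the Intelligence phase.
ACCOUNTS = ["svc-backup", "svc-erp-sync", "adm-dc01", "svc-vpn-ldap"]

# Constructed change-freeze window (e.g. quarter-end close): rotations must not land here.
FREEZE = [(datetime(2026, 3, 30), datetime(2026, 4, 2))]

# Constructed auth log: "<iso timestamp> <account> <source host> <OK|FAIL>".
LOG = [
    "2026-03-15T08:00:00 svc-backup 10.0.5.17 OK",      # backup server, normal hours
    "2026-03-16T02:14:00 svc-erp-sync 10.0.9.44 OK",    # quiet hours, from a workstation
    "2026-04-15T02:16:00 svc-erp-sync 10.0.9.44 FAIL",  # same host retries the old secret
    "2026-04-15T02:16:30 svc-erp-sync 10.0.9.44 FAIL",
    "2026-04-15T08:01:00 svc-backup 10.0.5.17 OK",      # backup job picked up the new secret
    "2026-04-15T09:00:00 adm-dc01 10.0.1.2 FAIL",       # never used it before: noise, not a signal
]


def in_freeze(when):
    return any(a <= when < b for a, b in FREEZE)


def plan_pulse(accounts, start, min_days, max_days, seed):
    """Give every account its own rotation time in [start+min_days, start+max_days],
    redrawing any that lands in a freeze window. The seed makes the plan reproducible
    for change-management sign-off; an observer who only sees past rotations still
    cannot predict the next one."""
    rng = random.Random(seed)
    plan = {}
    for acct in accounts:
        while True:
            when = start + timedelta(days=rng.uniform(min_days, max_days))
            if not in_freeze(when):
                break
        plan[acct] = when
    return plan


def plan_is_valid(plan, start, min_days, max_days):
    """Sanity check before sign-off: every rotation inside the window, none in a freeze."""
    lo, hi = start + timedelta(days=min_days), start + timedelta(days=max_days)
    return all(lo <= t <= hi and not in_freeze(t) for t in plan.values())


def parse_auth(line):
    ts, account, src, outcome = line.split()
    return datetime.fromisoformat(ts), account, src, outcome


def adaptation_signals(log_lines, plan):
    """(account, source) pairs that authenticated successfully BEFORE the account's
    rotation and fail as that account AFTER it. A person who lost a password rings the
    service desk; an implant with a cached secret just retries. The retry is the
    Anticipation-phase signal: it names the host and the access path the attacker
    depended on."""
    events = [parse_auth(line) for line in log_lines]
    before_ok = {(acct, src) for ts, acct, src, out in events
                 if acct in plan and ts < plan[acct] and out == "OK"}
    return sorted({(acct, src) for ts, acct, src, out in events
                   if acct in plan and ts >= plan[acct] and out == "FAIL"
                   and (acct, src) in before_ok})


def run_demo(seed=7):
    plan = plan_pulse(ACCOUNTS, START, 3, 21, seed)
    return plan, adaptation_signals(LOG, plan)


if __name__ == "__main__":
    plan, signals = run_demo()
    for acct, when in plan.items():
        print(f"rotate {acct:<14} at {when:%Y-%m-%d %H:%M}")
    print("re-engagement after rotation:", signals)
```

The second half is the part worth keeping. A rotation nobody retries tells you the credential was idle; a rotation that a previously successful host retries at 02:16 tells you which host and which access path the attacker was depending on, which is exactly the input the next Intelligence phase needs.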
// TACTIC 02

Patch Cadence Disruption

We change patch deployment patterns deliberately. Skip a window. Apply unscheduled. Move from quarterly to weekly on specific components. The attacker plans against your cycle. We change the cycle.

SEQUENCE
Identify components with attacker investment → Pull cadence off-schedule → Force tooling re-test → Observe re-engagement signals
// TACTIC 03

EDR Exception Sweep

Every standing exception is a small piece of trust the attacker can lean on. We sweep, validate, and reset. Most are legitimate. The illegitimate ones surface immediately.

SEQUENCE
Inventory all exclusions → Validate business owner → Reset stale ones → Force baseline re-verification
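What the sweep actually decides, as an added example rather than the division's own tooling. The inventory, owners, ticket numbers and paths are constructed; the 90-day review threshold and the verdict rules are assumptions:

```python
"""EDR Exception Sweep: classify every standing exclusion as keep, reset or
investigate. Added example, not GHOSTLINE tooling. The inventory, owners, ticket
numbers and paths are constructed; the 90-day review threshold is an assumption."""
from datetime import date

TODAY = date(2026, 4, 1)
MAX_UNREVIEWED_DAYS = 90  # assumption: a "temporary" rule unreviewed this long is stale

# Locations a non-admin user (or an implant running as one) can write to. An exclusion
# covering any of these hands the attacker a folder the sensor will never look in.
USER_WRITABLE_PREFIXES = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\temp\\", "c:\\programdata\\")
EXEC_EXTENSIONS = {"exe", "dll", "ps1", "js", "vbs", "bat", "cmd", "hta", "scr"}

# Constructed inventory in the shape an export from the EDR console might take.
INVENTORY = [
    {"id": "X-001", "type": "path", "value": "C:\\Program Files\\VendorERP\\bin\\",
     "owner": "Finance Systems", "ticket": "CHG-1042", "created": "2025-01-10",
     "last_validated": "2026-02-01", "temporary": False},
    {"id": "X-002", "type": "path", "value": "C:\\Users\\jsmith\\AppData\\Local\\Temp\\build\\",
     "owner": "IT Ops", "ticket": "CHG-1199", "created": "2025-08-20", "temporary": True},
    {"id": "X-003", "type": "process", "value": "updater.exe",
     "owner": None, "ticket": None, "created": "2025-11-02", "temporary": False},
    {"id": "X-004", "type": "extension", "value": "*.log",
     "owner": "Platform", "ticket": "CHG-0870", "created": "2024-06-01",
     "last_validated": "2026-03-15", "temporary": False},
    {"id": "X-005", "type": "path", "value": "D:\\Backups\\Veeam\\",
     "owner": "IT Ops", "ticket": None, "created": "2025-12-20", "temporary": True},
]


def risky_scope(excl):
    """True when the exclusion's scope is something an implant can hide under."""
    kind, value = excl["type"], excl["value"].lower().replace("/", "\\")
    if kind == "extension":
        return value.lstrip("*.") in EXEC_EXTENSIONS
    if kind == "process":
        # A bare image name (no path) excludes any process with that name wherever it
        # sits on disk, so an attacker only has to name their binary to match it.
        return "\\" not in value
    if kind == "path":
        return (value in ("c:\\", "c:\\*", "*")
                or value.startswith(USER_WRITABLE_PREFIXES)
                or "\\appdata\\" in value
                or value.count("*") >= 2)
    return False


def classify(excl, today=TODAY):
    """Returns (verdict, reasons). Risky scope is never silently reset: the rule may be
    the implant's cover, and deleting it before looking destroys the lead."""
    reasons = []
    if not excl.get("owner"):
        reasons.append("no business owner")
    if not excl.get("ticket"):
        reasons.append("no change ticket")
    last = excl.get("last_validated") or excl["created"]
    unreviewed = (today - date.fromisoformat(last)).days
    if excl.get("temporary") and unreviewed > MAX_UNREVIEWED_DAYS:
        reasons.append(f"temporary rule unreviewed for {unreviewed} days")
    if risky_scope(excl):
        reasons.append("scope covers user-writable or executable-wide surface")
        return "investigate", reasons
    return ("reset" if reasons else "keep"), reasons


def sweep(inventory, today=TODAY):
    """id -> (verdict, reasons) for the whole inventory; 'reset' goes to change
    management, 'investigate' goes to the hunt queue."""
    return {e["id"]: classify(e, today) for e in inventory}


if __name__ == "__main__":
    for excl_id, (verdict, reasons) in sweep(INVENTORY).items():
        print(f"{excl_id} {verdict:<12} {'; '.join(reasons) or 'validated'}")
```

The split between "reset" and "investigate" is the design point. Missing owners and expired temporaries are reset and re-verified through the business; an exclusion whose scope happens to cover a user-writable folder or a bare process name is pulled into the hunt first, because removing it before anyone looks throws away the one lead the sweep produced.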
// TACTIC 04

Network Re-segmentation

The heaviest lever and the highest yield. We re-segment with a written rollback, your team in the loop, and a clear escalation path. Lateral movement assumptions break.

SEQUENCE
Map lateral pathways → Identify quiet segments → Apply boundaries gradually → Watch attacker re-route
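Mapping the lateral pathways, finding the quiet segment and measuring what each boundary buys, as an added example rather than GHOSTLINE tooling. The hosts, segments, flows and port list are constructed; in practice the flow list comes from firewall policy plus observed NetFlow:

```python
"""Network Re-segmentation: measure how far a foothold can move over the flows the
network permits, find the cheapest boundary to add first, and re-measure after it.
Added example, not GHOSTLINE tooling. Hosts, segments and flows are constructed;
real input would be firewall policy plus observed NetFlow."""
from collections import defaultdict, deque

# Constructed inventory: host -> segment.
HOSTS = {
    "ws-01": "workstations", "ws-02": "workstations", "ws-03": "workstations",
    "fs-01": "servers", "erp-01": "servers", "dc-01": "servers",
    "jump-01": "mgmt",
    "plc-gw": "ot", "hmi-01": "ot",
}

# Constructed permitted flows (src, dst, port). Lateral movement rides these.
FLOWS = [
    ("ws-01", "fs-01", 445), ("ws-02", "fs-01", 445), ("ws-03", "fs-01", 445),
    ("ws-01", "ws-02", 445), ("ws-02", "ws-03", 445), ("ws-01", "ws-03", 3389),
    ("ws-01", "dc-01", 445), ("ws-02", "erp-01", 443),
    ("fs-01", "dc-01", 445), ("fs-01", "erp-01", 445), ("erp-01", "dc-01", 445),
    ("ws-02", "jump-01", 3389), ("jump-01", "plc-gw", 22), ("jump-01", "hmi-01", 3389),
    ("plc-gw", "hmi-01", 502),
]

# Services that give an attacker code execution or credentials on the far side.
# HTTPS to an application is a data path, not by itself a hop. Modelling choice.
LATERAL_PORTS = {22, 135, 445, 3389, 5985, 5986}

# A boundary: (segment_a, segment_b, ports still allowed across it).
STAGED_BOUNDARIES = [
    ("workstations", "mgmt", set()),       # step 1: quiet pair, one legitimate flow to re-home
    ("workstations", "servers", {443}),    # step 2: SMB/RDP off, the ERP web path stays
]


def crossing_flows():
    """Flows per segment pair. Pairs with few legitimate crossings are the quiet
    segments: the cheapest places to put a boundary first."""
    pairs = defaultdict(list)
    for src, dst, port in FLOWS:
        sa, sb = HOSTS[src], HOSTS[dst]
        if sa != sb:
            pairs[tuple(sorted((sa, sb)))].append((src, dst, port))
    return dict(pairs)


def permitted(flow, boundaries):
    src, dst, port = flow
    segs = {HOSTS[src], HOSTS[dst]}
    return all(port in allowed for a, b, allowed in boundaries if segs == {a, b})


def reach(foothold, boundaries=()):
    """Hosts an attacker on `foothold` can pivot to, via lateral-capable flows that
    survive the given boundaries. BFS over the directed flow graph."""
    graph = defaultdict(set)
    for flow in FLOWS:
        if flow[2] in LATERAL_PORTS and permitted(flow, boundaries):
            graph[flow[0]].add(flow[1])
    seen, queue = {foothold}, deque([foothold])
    while queue:
        host = queue.popleft()
        for nxt in graph[host]:
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {foothold}


def staged_blast_radius(foothold, boundaries=STAGED_BOUNDARIES):
    """Reachable-host count after each successive boundary, so the yield of every
    step and the rollback point are visible before anything is changed."""
    return [len(reach(foothold, boundaries[:i])) for i in range(len(boundaries) + 1)]


if __name__ == "__main__":
    for pair, flows in sorted(crossing_flows().items(), key=lambda kv: len(kv[1])):
        print(f"{pair[0]} <-> {pair[1]}: {len(flows)} crossing flow(s)")
    print("reach from ws-01 per stage:", staged_blast_radius("ws-01"))
```

On this constructed network a workstation foothold reaches every other host before any boundary, the single-flow workstations/mgmt boundary cuts the OT side off at almost no business cost, and the workstations/servers boundary with only 443 kept open leaves the attacker two other workstations and nothing else. The numbers are what go into the change record and the rollback decision, not a diagram.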

The mechanism is real. Here is the receipt.

We did not invent this approach. We adopted it because the historical record kept producing the same shape: long-running intrusions terminate when the environment changes. The change is usually accidental. When it is deliberate, the result is far more controlled and far more powerful. The four cases below are well-documented, public, and demonstrate the same mechanism every time.

// ACCIDENTAL · VISIBILITY TRANSITION

Equifax · 2017

76 days dwell · ended by a routine cert renewal

Attackers exploited an Apache Struts flaw in mid-May 2017 and lived inside Equifax's dispute-resolution app for over two months. Encrypted exfiltration ran continuously. The network sensor's SSL inspection certificate had expired months earlier and nobody had noticed, so outbound traffic was opaque to defenders by default.

[Timeline: 13 May intrusion → 29 Jul routine maintenance, certificate renewed → 30 Jul alerts. 76 days blind.]

On 29 July an administrator renewed the certificate. A routine action with no defensive intent. The opacity lifted. Within hours, alerts. Containment began the next day. A benign action imposed friction severe enough to terminate an ongoing operation.

// ACCIDENTAL · NEW TELEMETRY

Marriott / Starwood · 2018

~4 years dwell · ended by acquisition integration

Starwood's reservation network had been compromised since 2014. The breach surfaced in late 2018 after Marriott's internal monitoring tools, introduced during post-acquisition integration, flagged the persistent access.

Detection did not come from a smarter detection rule. It came from an environmental change. New telemetry, new systems, new baseline. The intruder's stable cover stopped being stable.

Four years of detection programmes failed. Six weeks of new telemetry succeeded. That is not a coincidence.

// ACCIDENTAL · EDR DEPLOYMENT

DNC & OPM · 2015-16

visibility transition · same mechanism, twice

At the DNC, the deployment of CrowdStrike's Falcon EDR in May 2016 immediately surfaced live command-and-control traffic from two threat groups. At OPM, newly deployed commercial detection software exposed beaconing activity that had been masquerading as a legitimate antivirus component.

In both cases the trigger was an environmental change, not a better analyst. The new instrument altered the conditions the attacker had built their persistence around.

// DELIBERATE · ENVIRONMENTAL CONTROL

PrivatBank vs NotPetya · 2017

unaffected by Ukraine's largest cyber event

This is the case we point to most often. NotPetya tore through Ukraine in June 2017. PrivatBank, the country's largest bank, kept running. Not because of heroics in the moment. Because, years earlier, they had built an environment NotPetya could not adapt to.

[ + ] PRIVATBANK STACK: PrivatLinux core. Strict segmentation. Incompatible authentication. Minimal trust across boundaries.
[ × ] NOTPETYA WORM: Built for Windows domains, credential reuse, SMB. Built for homogeneous, trusting networks. Stopped at every boundary.

The defender did not detect the worm in real time. The defender did not write a rule to block it. The defender had pre-shaped the environment so the worm's automation could not adapt to it. That is the playbook. Not heroics. Deliberate terrain shaping over time.

We chose this for specific reasons.

We evaluated the alternatives seriously. None of them are wrong. All of them have a place. None of them are sufficient on their own to defend a business that is being continuously contested. Here is our reasoning, written plainly.

Approach: Cyber Kill Chain
What it does: Maps attacker stages from reconnaissance to action on objectives.
Shapes the environment: NO · Learns each cycle: PARTIAL
Verdict: Useful taxonomy. Treats the attacker as a phenomenon, not an organisation. We use it as language, not strategy.

Approach: MITRE ATT&CK
What it does: Catalogue of attacker techniques observed in the wild.
Shapes the environment: NO · Learns each cycle: PARTIAL
Verdict: Indispensable reference library. Built for tactical operations, not strategic posture. We use it every chance we get.

Approach: Zero Trust
What it does: Architectural principle: never trust, always verify.
Shapes the environment: YES · Learns each cycle: NO
Verdict: Sound architecture. Designed for a steady-state environment, not a continuous contest. We adopt it as a baseline, then we move beyond it.

Approach: Threat Hunting
What it does: Proactive search for adversary activity using hypothesis-driven analysis.
Shapes the environment: NO · Learns each cycle: YES
Verdict: The right reflex. Often constrained by tooling and time. We use it inside the cycle, not as the cycle.

Approach: Detection Engineering
What it does: Building telemetry and rules to surface attacker behaviour.
Shapes the environment: PARTIAL · Learns each cycle: YES
Verdict: Essential discipline. Insufficient on its own. Detection assumes the attacker can be observed. The doctrine reshapes what they have to do.

Approach: Offense Death Cycle
What it does: Continuous environmental reshaping informed by attacker dependencies.
Shapes the environment: YES · Learns each cycle: YES
Verdict: Our choice. It treats security as an ongoing contest. It uses the defender's structural advantages. It feeds itself. It is the architecture we build against.

The whole game comes down to cycle speed.

Every doctrine reduces to a measurable. Ours is cycle velocity. How fast can we move from intelligence, to friction, to anticipation, and back to intelligence? The faster we cycle, the more often we change the environment the attacker has invested in. The more we change, the more they have to pay to maintain access. At some point, we are too expensive. That is the win condition.

We track it per client as a reset-velocity score. It is the headline number on every monthly report. It is the number we are paid to grow.

GHOSTLINE. The doctrine, engineered.

313SEC is the operation that delivers cybersecurity to clients. GHOSTLINE is the engineering division behind it. The doctrine on this page is the why. GHOSTLINE is the how. We are building the doctrine into deployable systems, week by week. Some of what we are working on is below.

// MODULE 01 · LIVE

Continuous Environment Mapping

We map what attackers need from your business and watch those dependencies evolve in real time. The map is alive. It sharpens every week.

PHASE · INTELLIGENCE
// MODULE 02 · LIVE

Friction Engineering

The tooling and playbooks that let us pull every lever in the CRV map without breaking your operation. Engineered change. Never chaos.

PHASE · FRICTION
// MODULE 03 · BUILDING

Adaptation Telemetry

Sensors that watch for the signatures of attackers adapting to the friction we just applied. That signature is the most valuable intelligence in the cycle.

PHASE · ANTICIPATION
// MODULE 04 · LIVE

GHOSTLINE RECON

Outside-in mapping. What an attacker sees of your business before they engage. We see it first. We close it first. Continuous, not annual.

SURFACE · EXTERNAL
// MODULE 05 · BUILDING

Cycle Velocity Reporting

The infrastructure that produces reset-velocity scores. Our clients see whether the doctrine is winning in numbers, not narrative.

MEASUREMENT · CLIENT-FACING
// MODULE 06 · RESEARCH

ORACLE Reasoning Layer

Our work on AI for cyber operations. Designed to amplify a small expert team running a continuous cycle, not to replace them.

RESEARCH · ORACLE

We are a Wales-based MSSP. We are not the largest team. We compensate by being a research-led one. The doctrine is not a marketing position for us. It is the architecture we build against.

If your defence stops at "we got an alert", talk to us.

The premise of this paper is simple. The cyber war is on. It is on for your business whether you signed up for it or not. The way most security is sold treats it as a series of incidents to react to. That posture loses by design. We chose a different one.

We chose the Offense Death Cycle because the historical record supports it, the strategic theory supports it, and what we have seen on the ground supports it. We do not claim it is the only valid approach. We claim it is the one that gives our clients the best chance of being too expensive to attack. Which, in the war we are in, is what victory looks like.

The question stops being "how do we stop the attacker?"
and becomes "how do we make their job impossible?"

Get the briefing.

A 30-minute call. No sales script. We walk you through what an Offense Death Cycle engagement would look like for your business, and we tell you honestly whether we are the right team for the job. If we are not, we will tell you who is.