The Security Context map

Schema → defense → offense → controls, one chain — and every joint colored by how cheap its proxy is. Hover a flow for the hop's honesty note; hover a legend swatch for what that joint actually rests on.

documentation linkOCSF↔D3FEND reciprocal hyperlinks (seeAlso/references) — not axioms, not per-record fields; a design-time map.ontology axiomD3FEND event-class restriction tying the event to its digital-artifact participant.ontology (curated)D3FEND technique hand-tagged to the artifact it observes.shared-artifact inferenceINTENT-BLIND (D3FEND #520): a defense and an attack touch the same artifact, so the defense COULD observe it — a possibility of coverage, not a guarantee.CTID re-routeSCF→ATT&CK is CTID's NIST 800-53→ATT&CK mapping re-routed through SCF's own 800-53 crosswalk (uniform Intersects-With/strength-3); no independent SCF signal.

9 OCSF classes → 28 D3FEND base techniques → 12 ATT&CK tactics → 23 SCF domains. The amber band (defense→offense) is the cheapest joint: a shared digital artifact says a defense could observe an attack, not that it counters it. SCF shown at domain-grain (derived counts, CC-BY-ND). Built from the Security Context Graph; numbers reconcile to the controls-layer essay.