Original analysis · Crosswalk map · Tier A/B
The whole chain, and where it gets cheap.
The controls-layer essay walks the chain from an OCSF telemetry class out to a governance control, hop by hop. This is that chain as one figure, built from the same measured graph — and colored by the part everyone else leaves out: how cheap each joint's proxy actually is. The links you can compute from a shipped artifact look one way; the link inferred from a shared digital artifact, which says a defense could see an attack rather than that it does, looks another. The honesty is the point.
Four columns, one object
Every column is a different framework describing the same artifact.
Read left to right. The first column is the OCSF event classes — the schema your telemetry lands in. Each class is a normalized statement about a digital artifact: a DNS lookup, a process, a file. The second column is the D3FEND base techniques, each defined by the artifact it observes, and an OCSF class reaches a defense because D3FEND models the event and the defense around the same artifact. The third column is the ATT&CK tactics those defenses counter, inferred from where an offensive technique produces an artifact a defensive technique watches. The fourth is the SCF control domains, reached because each ATT&CK technique that a control framework addresses ties back to the defense that counters it.
None of this is a new mapping. Every edge traces to a shipped artifact — the D3FEND v1.4.0 ontology, the OCSF 1.8.0 schema, the Center for Threat-Informed Defense's control mappings, the Secure Controls Framework workbook. What the figure adds is the one thing those sources don't carry: a label, per edge, for how much the join can actually bear.
Proxy quality
A documentation link and a measured field are not the same fact.
Most crosswalk diagrams draw every connection as a plain line, which quietly tells you the whole chain is equally solid. It isn't, and pretending otherwise is how a confident wrong answer gets built on a weak join. So each hop carries its proxy quality as a color. The OCSF↔D3FEND links are documentation hyperlinks, reciprocal but not machine-checkable axioms and not per-record fields, so they're a design-time map and colored as one. The event-to-artifact link is a real ontology restriction. The defense-to-control link is D3FEND's own SKOS-typed analysis against 800-53.
The amber band, defense to offense, is the cheapest joint in the chain, and the figure colors it to stand out rather than hide it. It's inferred from a shared digital artifact: an attack produces an artifact, a defense observes the same one, so the defense could see the attack. That's a possibility of coverage, not a guarantee that any deployment tuned a rule to catch it — the inference is blind to intent, which is the open D3FEND modeling question (#520). Naming that out loud, in the same picture that draws the link, is the discipline the map is for. The contribution here isn't a tidier graph, since this overlaps MITRE and CTID's own mappings by design; it's the refusal to launder a cheap join into a confident one.
Reading it, and where it stops short
The thin left edge is a finding, not a rendering bug.
Only a handful of OCSF classes reach a defense through the artifact path, and that sparseness is real. Most telemetry classes describe an artifact that none of the thirty wall-level defensive techniques is modeled to observe, so the schema-to-defense hop is the weakest-connected part of the whole chain — exactly the gap the crosswalk work keeps surfacing, shown here rather than smoothed over. The dense middle and right, by contrast, are where the offense-defense inference and the control mappings actually carry weight.
Two honest boundaries. The defenses and tactics are rolled to their base grain so the figure stays legible, which trades the per-technique detail for a readable shape. And the controls column is shown at SCF domain grain as derived counts, not the raw per-control mapping cells, because the SCF workbook is CC-BY-ND; for the weighted control consensus itself, the control-consensus map is the deeper view. This figure is the spine that connects it back to the telemetry.
The figure shows the chain in aggregate, with flow width and color standing in for many edges at once. The same graph (1,442 concept nodes and 7,618 deduped edges, no telemetry-event nodes) is also navigable edge by edge through a small read-only MCP server, scg, that ships the public spine (OCSF, D3FEND, ATT&CK, 800-53, CCI) and carries the discipline the colors stand for: every edge keeps its proxy_quality, and a multi-hop answer is reported as no more trustworthy than its weakest edge, with a flag raised when the path leans on one of the roughly 6,000 intent-blind shared-artifact inferences.
It's navigation with its provenance attached, not a way to make a model more accurate: in our own lab test the graph's structure changed a retrieval answer on only one of nine incident-reconstruction queries. The honest claim is that the server lets you see what each link rests on, not that grounding the model on the graph makes it right.
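The weakest-edge rule described above, as an added example (not scg's own code): it walks a few constructed edges, reports each multi-hop answer at the quality of its weakest edge, and flags any path that crosses a shared-artifact inference. The tier names, their ordering and every node name are assumptions; the page only states that the shared-artifact inference is the cheapest joint.

```python
from collections import defaultdict

# Assumed proxy_quality tiers (higher = stronger). Only the bottom rank of the
# shared-artifact inference comes from the page; the rest is illustrative.
RANK = {"ontology_restriction": 3, "skos_mapping": 2,
        "doc_hyperlink": 1, "shared_artifact_inference": 0}
INTENT_BLIND = "shared_artifact_inference"

# Constructed sample edges (src, dst, proxy_quality); not taken from the real graph.
EDGES = [
    ("ocsf:dns_activity", "artifact:dns_lookup", "ontology_restriction"),
    ("artifact:dns_lookup", "defense:dns_analysis", "ontology_restriction"),
    ("ocsf:dns_activity", "defense:dns_analysis", "doc_hyperlink"),
    ("defense:dns_analysis", "attack:sample_technique", "shared_artifact_inference"),
    ("attack:sample_technique", "control:sample_domain", "skos_mapping"),
    ("defense:dns_analysis", "control:sample_control", "skos_mapping"),
]

def build(edges):
    graph = defaultdict(list)
    for src, dst, quality in edges:
        graph[src].append((dst, quality))
    return graph

def paths(graph, src, dst, seen=()):
    """Yield every simple path src -> dst as a list of (src, dst, quality) edges."""
    if src == dst:
        yield []
        return
    seen = seen + (src,)
    for nxt, quality in graph.get(src, []):
        if nxt not in seen:
            for rest in paths(graph, nxt, dst, seen):
                yield [(src, nxt, quality)] + rest

def assess(path):
    """Report a path at the quality of its weakest edge, plus the intent-blind flag."""
    weakest = min(path, key=lambda edge: RANK[edge[2]])
    return {"hops": len(path), "trust": weakest[2],
            "weakest_edge": weakest[:2],
            "intent_blind": any(q == INTENT_BLIND for _, _, q in path)}

def best_answer(graph, src, dst):
    """Choose the path whose weakest edge is strongest; ties go to fewer hops."""
    found = [assess(p) for p in paths(graph, src, dst) if p]
    if not found:
        return None
    return max(found, key=lambda a: (RANK[a["trust"]], -a["hops"]))
```

In this sample the telemetry class reaches `control:sample_control` at `skos_mapping` quality through the artifact path, while every route to `control:sample_domain` bottoms out at the shared-artifact inference and carries the flag.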