Declarative Structural State

An organisation can be represented as a structured state before it is tested, scanned, or disrupted.

WHY THIS MATTERS

Most cyber assessments begin with:

  • Scanning
  • Testing
  • Enumeration
  • Tool-driven analysis

These approaches are valuable — but they are not the starting point.

They assume:

  • access to systems is available
  • operational disruption is acceptable
  • technical depth is immediately required

For many organisations — especially at board or pre-engagement level — this is neither practical nor necessary.

Before any of that, a more fundamental question exists:

“What is the structure of this organisation’s security — as it exists today?”

THE CORE IDEA

DSCR begins by translating organisational reality into a declarative structural state.

This is not opinion.
It is not narrative.
It is not free text.

It is a bounded representation of how the organisation is constructed across key dimensions.

This allows:

  • measurement before intrusion
  • reasoning before testing
  • clarity before complexity

STRUCTURAL STATE MODEL

At the core of DSCR is a formal representation of organisational structure:

x = (S, P, M, I, B)

Where:

  • S | Segmentation
    How systems, networks, and environments are separated
  • P | Privilege Structure
    How access and control are distributed and constrained
  • M | Monitoring & Visibility
    The organisation’s ability to detect and observe activity
  • I | Identity Integrity
    Strength and governance of identity and authentication
  • B | Boundedness / Resilience
    The ability to contain, isolate, and prevent uncontrolled spread

Each dimension is:

  • structured
  • normalised
  • measurable
  • comparable over time

WHAT ORGANISATIONS GET WRONG

Many organisations believe that without technical testing, nothing meaningful can be measured.

This leads to:

  • Over-reliance on tooling
  • Delayed understanding until late-stage engagement
  • Unnecessary complexity early in the process

In reality:

  • Structure determines behaviour
  • Architecture defines exposure conditions
  • Control interaction is rooted in design, not just implementation

Without understanding structure, testing becomes noise without context.

OUR POSITION

DSCR establishes a deterministic starting point.

Before any adversarial validation or technical depth:

  • The organisation is represented as a state
  • That state is bounded and measurable
  • That state becomes the foundation for all further analysis

This enables:

  • Non-intrusive assessment
  • Rapid executive understanding
  • Consistent measurement across organisations
  • Repeatable comparison over time

PRACTICAL CONSEQUENCE

With a declarative structural state:

  • Organisations can understand exposure without disruption
  • Boards receive a clear, structured position
  • Technical teams gain context before testing
  • Future assessments become comparable and trackable

Without it:

  • Assessments begin blind
  • Outputs are fragmented
  • Improvement cannot be measured consistently

TRANSITION

Once structure is defined, the next question is not:

“Are we secure?”

But:

“Is anything improving?”

Delta-Trackable Defence