Delta-Trackable Defence

Cyber defence is only meaningful when change can be measured.

WHY THIS MATTERS

Most organisations invest heavily in security:

  • New tools
  • New controls
  • New policies
  • New audits

But they struggle to answer a simple question:

“Has anything actually improved?”

Reports describe activity.
Dashboards show volume.
Audits confirm presence.

None of these reliably demonstrate directional improvement.

THE CORE IDEA

DSCR treats cyber defence as a state that can move.

If an organisation can be represented as a structural state:

x(t)

Then improvement must be expressed as a change between states:

Δx = x(t₂) − x(t₁)

This is the difference between:

  • Activity vs progress
  • Implementation vs effect
  • Effort vs outcome

WHAT ORGANISATIONS GET WRONG

Organisations often assume that doing more equals becoming more secure.

This leads to:

  • Control accumulation without clarity
  • Overlapping tools with unclear value
  • Reporting focused on outputs, not outcomes

As a result:

  • Investment increases
  • Complexity increases
  • … but exposure may remain unchanged

Without measuring change, improvement is assumed, not proven.

OUR POSITION

DSCR defines defence in terms of observable structural movement.

Each engagement establishes:

  • An initial structural state
  • A measurable position across key dimensions
  • A baseline for comparison

Subsequent changes are then evaluated as:

  • Positive movement (reduced exposure)
  • Neutral movement (no meaningful change)
  • Negative movement (increased complexity or risk)

This allows organisations to understand:

  • Whether interventions worked
  • Where effort is ineffective
  • How resilience evolves over time

PRACTICAL CONSEQUENCE

With delta-trackable defence:

  • Boards see direction, not noise
  • Technical teams prioritise impact, not activity
  • Insurers receive evidence of improvement over time
  • Investment decisions become justifiable and defensible

Without it:

  • Progress cannot be proven
  • Reporting becomes performative
  • Organisations optimise for audits, not outcomes

TRANSITION

Once change can be measured, the next question becomes:

“What does this structure allow an attacker to do?”

Bounded Propagation Modelling