Cyber Defense Matrix 2.0

A 7×9 visual framework for security tools coverage. By Arien Seghetti · Updated April 2026.

The Cyber Defense Matrix 2.0 is a 7×9 grid that maps seven security functions (GOVERN, ANTICIPATE, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) against nine asset classes (Devices, Applications, Networks, Data, Users, Cloud, OT/IoT, AI/ML, Supply Chain). It extends Sounil Yu's original Cyber Defense Matrix and NIST CSF 2.0, adding an ANTICIPATE function and four new asset rows to reflect how modern enterprises actually operate.

The 63-cell Cyber Defense Matrix 2.0 (7 functions × 9 asset rows). Each cell is labeled with the function code × the asset code.

Asset ↓ / Function →   GOVERN (GV)   ANTICIPATE (AN)   IDENTIFY (ID)   PROTECT (PR)   DETECT (DE)   RESPOND (RS)   RECOVER (RC)
Devices                GV×Dev        AN×Dev            ID×Dev          PR×Dev         DE×Dev        RS×Dev         RC×Dev
Applications           GV×App        AN×App            ID×App          PR×App         DE×App        RS×App         RC×App
Networks               GV×Net        AN×Net            ID×Net          PR×Net         DE×Net        RS×Net         RC×Net
Data                   GV×Dat        AN×Dat            ID×Dat          PR×Dat         DE×Dat        RS×Dat         RC×Dat
Users                  GV×Use        AN×Use            ID×Use          PR×Use         DE×Use        RS×Use         RC×Use
Cloud                  GV×Clo        AN×Clo            ID×Clo          PR×Clo         DE×Clo        RS×Clo         RC×Clo
OT/IoT                 GV×OTI        AN×OTI            ID×OTI          PR×OTI         DE×OTI        RS×OTI         RC×OTI
AI/ML                  GV×AIM        AN×AIM            ID×AIM          PR×AIM         DE×AIM        RS×AIM         RC×AIM
Supply Chain           GV×Sup        AN×Sup            ID×Sup          PR×Sup         DE×Sup        RS×Sup         RC×Sup

Each cell holds zero or more security tools. Cell color in the live platform encodes coverage status (No Coverage, Flagged, Covered, Overlap, or Not Applicable).

Origins and provenance

The original Cyber Defense Matrix was developed by Sounil Yu at Bank of America in the 2010s and formalized in his book Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape. Yu's contribution was a 5×5 grid — five NIST CSF 1.x functions against five asset classes (Devices, Applications, Networks, Data, Users) — that made coverage gaps visible at a glance. It became the lingua franca for vendor evaluation at large enterprises.

NIST CSF 2.0 added GOVERN as a sixth function in 2024, elevating the policy and risk-management discipline that had been implicit in CSF 1.x. CDM 2.0 picks up both changes and adds two more that field practice has forced.

First, a seventh function — ANTICIPATE — for the proactive capabilities that live upstream of IDENTIFY. Threat intelligence, attack surface management, and threat exposure are not detection (the threat has not occurred) and not identification (the asset may not yet be inventoried). Forcing them into either column has always been a lossy compression. Giving them their own column is a modest but material improvement.

Second, four new asset rows — Cloud, OT/IoT, AI/ML, and Supply Chain — because the 2010s-era assumption that five rows cover an enterprise no longer holds.

The seven functions

GOVERN (GV)

From NIST CSF 2.0. Policies, risk management, compliance attestations, third-party risk, security awareness, and the governance surface for the supply chain. Tools here include GRC platforms, policy management, risk registers, board-level dashboards, and compliance crosswalks. A mature program with a thin GOVERN column tends to ship controls that nobody owns.

ANTICIPATE (AN), SecurityStack extension

Not part of NIST CSF 2.0. ANTICIPATE is a SecurityStack addition. Three subcategories: AN.TI (Threat Intelligence) — external context about adversaries, campaigns, and indicators; AN.ASM (Attack Surface Management) — continuous discovery of externally-visible assets, including shadow deployments; and AN.TE (Threat Exposure) — continuous assessment of which exposures a known threat could actually reach. Vendors that sit here include threat intel platforms, external attack surface scanners, continuous threat exposure management (CTEM) platforms, and breach and attack simulation where it's used proactively rather than as a post-incident tool.

IDENTIFY (ID)

From NIST CSF 2.0. Asset inventory, vulnerability management, configuration baselines, and risk assessment. Tools here include CAASM platforms, vulnerability scanners, configuration management databases, and cloud security posture management where it's used to map assets rather than remediate them. IDENTIFY is where most programs have the most tools and often the least coverage — because the sprawl is real.

PROTECT (PR)

From NIST CSF 2.0. Access control, identity management, data security, platform hardening, encryption, and resilience engineering. This is the column with the largest absolute number of vendors — identity providers, privileged access management, data loss prevention, endpoint protection platforms, network access control, email security, and so on. Overlap is common and often intentional. The interesting signal is coverage depth, not tool count.

DETECT (DE)

From NIST CSF 2.0. Continuous monitoring, anomaly detection, security information and event management, extended detection and response. Tools here include SIEM platforms, XDR suites, user and entity behavior analytics, network detection and response, and deception technology. The DETECT column tends to have the most vendor overlap because organizations accumulate tools here during incidents and rarely retire them.

RESPOND (RS)

From NIST CSF 2.0. Incident management, analysis, containment, mitigation, and communication. Tools here include SOAR platforms, incident response retainer integrations, case management, threat hunting platforms, and forensics. RESPOND is process-heavy; a tool-only view of this column is always incomplete without runbooks and on-call ownership.

RECOVER (RC)

From NIST CSF 2.0. Recovery planning, restoration, backup integrity, and lessons-learned. Tools here include backup and recovery platforms with immutability controls, disaster recovery orchestration, and business continuity management. RECOVER is chronically underfunded — most programs do not discover they have a gap here until a ransomware event forces the discovery.

The nine asset rows

Five rows carry forward from Sounil Yu's original CDM. Four are SecurityStack additions.

  • Devices. Endpoints, servers, bare-metal hardware, mobile, and embedded compute under enterprise control. The most mature row in most programs.
  • Applications. Internally-developed and third-party software, SaaS and on-prem. The row where shadow IT first shows up.
  • Networks. Network infrastructure, traffic, and network-layer controls.
  • Data. Structured and unstructured data, at rest and in transit. Where DLP, data classification, and encryption-at-rest controls land.
  • Users. Identity, workforce, and the privilege model. Where IAM, PAM, and IGA tooling sits.
  • Cloud. SecurityStack extension. Cloud workloads, control planes, and SaaS that live outside the traditional perimeter. Covers IaaS, PaaS, and cloud-native workloads. Distinct from Networks because the control plane is the attack surface, not the traffic. Not applicable for strictly on-premises organizations.
  • OT/IoT. SecurityStack extension. Operational technology, industrial control systems, building management, and IoT. Availability constraints dominate; controls that are standard for IT (patching windows, agent installation) frequently cannot be used here. Not applicable for organizations without OT in scope.
  • AI/ML. SecurityStack extension. AI and ML systems — training data pipelines, model registries, deployed inference endpoints, and agent frameworks. Novel attack surfaces include prompt injection, training data poisoning, model theft, and agent-tool abuse. Not applicable for organizations that have no AI/ML workloads and are not in a technology industry.
  • Supply Chain. SecurityStack extension. Third-party dependencies, vendor risk, software bill of materials, and build-chain integrity. An explicit row rather than a GOVERN-only concern because the operational tooling (SBOM scanners, build attestation, third-party risk platforms) deserves visibility separate from the governance layer above it.

Coverage status model

Every cell in the matrix carries one of five coverage statuses. Four are counted in the overall coverage percentage; one (Not Applicable) is excluded.

  • No Coverage — no tool mapped. Confirmed gap. Counts in the denominator.
  • Flagged — a tool exists but is end-of-life, end-of-support, partially deployed, or planned-only. Counts in the denominator; treated as partial coverage in recommendations.
  • Covered — one or more active tools provide coverage.
  • Overlap — two or more different vendors cover the same cell. Signals potential consolidation. Same-vendor suites do not count as Overlap.
  • Not Applicable — the asset row is not relevant to this organization. Excluded from the coverage denominator.

The headline coverage number is:

coverage_pct = (covered + overlap) / (63 − na_cells) × 100

The CAN vs. IS distinction

CDM 2.0 is rendered twice. Once for what a customer's tools can do — the capability layer, sourced from the vendor database. Once for what those tools are doing — the deployment layer, captured during the questionnaire.

A customer may own an endpoint platform that is capable of covering Cloud workloads, but only have it deployed on Devices. Their CAN matrix shows green on DETECT × Cloud; their IS matrix shows red. The gap between those two renderings is where You Already Own the Fix recommendations come from — closable coverage without new spend.
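The coverage status model above and the CAN vs. IS comparison, worked through in code. This is an added illustration, not SecurityStack's implementation; the vendor names, the cell mappings, and the questionnaire flags are constructed, and the N/A rules follow the four rules stated in the FAQ below.

```python
from collections import Counter

FUNCTIONS = ["GV", "AN", "ID", "PR", "DE", "RS", "RC"]
ASSETS = ["Dev", "App", "Net", "Dat", "Use", "Clo", "OTI", "AIM", "Sup"]

def cell_status(tools, row_na=False):
    """tools: list of (vendor, state); state is 'active' or 'flagged' (EOL/EOS/partial/planned)."""
    if row_na:
        return "Not Applicable"        # an N/A row overrides anything mapped to the cell
    if not tools:
        return "No Coverage"
    active_vendors = {vendor for vendor, state in tools if state == "active"}
    if not active_vendors:
        return "Flagged"               # only EOL/EOS/partial/planned tools present
    # two tools from one vendor are a single Covered cell; Overlap needs distinct vendors
    return "Overlap" if len(active_vendors) >= 2 else "Covered"

def na_rows(on_prem_only, has_ot, has_ai, tech_industry, answered_rows):
    """The four N/A rules; answered_rows = rows with at least one answered question."""
    na = set()
    if on_prem_only:
        na.add("Clo")
    if not has_ot:
        na.add("OTI")
    if not has_ai and not tech_industry:
        na.add("AIM")
    na.update(a for a in ASSETS if a not in answered_rows)
    return na

def render(mapping, na):
    """mapping: {(func, asset): [(vendor, state), ...]} -> status for all 63 cells."""
    return {(f, a): cell_status(mapping.get((f, a), []), a in na) for f in FUNCTIONS for a in ASSETS}

def coverage_pct(matrix):
    counts = Counter(matrix.values())
    denominator = 63 - counts["Not Applicable"]
    return round((counts["Covered"] + counts["Overlap"]) / denominator * 100, 1)

def already_owned(can_matrix, is_matrix):
    """Cells green in CAN but red in IS: closable coverage without new spend."""
    return sorted(cell for cell, status in can_matrix.items()
                  if status in ("Covered", "Overlap") and is_matrix[cell] == "No Coverage")

# Constructed sample: placeholder vendors; an org with cloud, no OT, in a technology industry.
NA = na_rows(on_prem_only=False, has_ot=False, has_ai=False, tech_industry=True,
             answered_rows={"Dev", "App", "Net", "Dat", "Use", "Clo", "AIM", "Sup"})
CAN = {("DE", "Dev"): [("VendorA", "active")], ("DE", "Clo"): [("VendorA", "active")],
       ("PR", "Dev"): [("VendorA", "active"), ("VendorB", "active")],
       ("PR", "Use"): [("VendorA", "active"), ("VendorA", "active")],
       ("RC", "Dat"): [("VendorC", "flagged")], ("PR", "OTI"): [("VendorD", "active")]}
IS = {cell: tools for cell, tools in CAN.items() if cell != ("DE", "Clo")}  # not deployed on Cloud
CAN_MATRIX, IS_MATRIX = render(CAN, NA), render(IS, NA)
```

With the OT/IoT row excluded the denominator is 56, so the IS layer scores 3 of 56 cells and the CAN layer 4 of 56, and the single DETECT × Cloud cell is the "You Already Own the Fix" candidate.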

How SecurityStack operationalizes CDM 2.0

The methodology only matters if it produces decisions. SecurityStack turns the matrix into three tangible outputs:

  1. A live matrix view that updates as the customer answers the five-phase questionnaire — not a static snapshot.
  2. A gap analysis that ranks the 63 cells by severity, filters by function or asset row, and excludes N/A cells automatically.
  3. An executive report with 30/60/90 day recommendations, leading with "You Already Own the Fix" moves before any new purchase is suggested.

The vendor database behind the CAN layer is where 27 years of field experience is encoded. Competitors can copy the framework. They cannot copy the data.

Frequently asked questions

What is the Cyber Defense Matrix 2.0?

The Cyber Defense Matrix 2.0 is a 7×9 visual framework that maps seven security functions (GOVERN, ANTICIPATE, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) to nine asset classes (Devices, Applications, Networks, Data, Users, Cloud, OT/IoT, AI/ML, Supply Chain). It extends Sounil Yu's original 5×5 Cyber Defense Matrix and NIST CSF 2.0.

How is CDM 2.0 different from NIST CSF 2.0?

NIST CSF 2.0 defines six functions (GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER) but does not prescribe asset classes. CDM 2.0 adds an ANTICIPATE function for proactive capabilities (threat intelligence, attack surface management, threat exposure) and pairs all seven functions with nine explicit asset rows. ANTICIPATE is a SecurityStack extension and is not part of NIST CSF 2.0.

Why add an ANTICIPATE function?

NIST CSF 2.0 begins at IDENTIFY — after an asset exists on the network. Threat intelligence, attack surface management, and threat exposure operate upstream of that. They are not detection (the threat has not occurred) and not identification (the asset may not yet be inventoried). ANTICIPATE gives these proactive disciplines a dedicated column so tools that live there are no longer forced into IDENTIFY or DETECT, where they don't fit.

Why add Cloud, OT/IoT, AI/ML, and Supply Chain as asset rows?

Sounil Yu's original CDM was authored when Devices, Applications, Networks, Data, and Users covered most enterprise assets. Modern stacks include cloud workloads with different control planes, operational technology with availability requirements that trump confidentiality, AI/ML systems with novel attack surfaces (prompt injection, model theft, training data poisoning), and supply chain dependencies that are a first-class attack vector. Treating them as their own rows surfaces coverage gaps that a 5×5 grid hides.

What are the three ANTICIPATE subcategories?

AN.TI (Threat Intelligence) — external context about adversaries, campaigns, and indicators. AN.ASM (Attack Surface Management) — continuous discovery of externally-visible assets. AN.TE (Threat Exposure) — continuous assessment of which exposures a known threat could actually reach. The subcategory set is additive; future disciplines can be appended without breaking existing cell mappings.

What do the coverage status colors mean?

No Coverage (red) — no tool mapped to this cell. Flagged (amber) — a tool exists but is EOL, EOS, partially deployed, or planned-only. Covered (green) — one or more active tools provide coverage. Overlap (purple) — two or more different vendors cover the same cell. Not Applicable (slate) — the asset row is not relevant to this organization. Coverage percentage = (Covered + Overlap) ÷ (63 − N/A cells) × 100.

What is the CAN vs. IS distinction?

CAN is what a product is capable of — stored in the vendor database and reflected in marketing materials. IS is what a customer's specific deployment is actually doing. A customer may own CrowdStrike Falcon, which CAN cover Cloud, but only have it deployed on Devices, so their IS coverage shows DETECT × Cloud as No Coverage. CDM 2.0 renders both layers; the gap between them is where 'You Already Own the Fix' recommendations come from.

Can two tools from the same vendor count as Overlap?

No. A same-vendor suite (for example, CrowdStrike Falcon Insight plus CrowdStrike Falcon Prevent) deployed on the same cell is a single covered cell, not Overlap. Overlap is reserved for two distinct vendors covering the same cell — that is the pattern that signals consolidation or spend reduction opportunity.

How does a row get marked Not Applicable?

Four rules: (1) if the organization is strictly on-premises, Cloud is N/A; (2) if no operational technology is in scope, OT/IoT is N/A; (3) if the organization has no AI/ML workloads and is not in a technology industry, AI/ML is N/A; (4) if every question tied to a row is skipped, the row is N/A. Exception: a single answered question is sufficient to keep the row in scope.

Where can I read the original Cyber Defense Matrix by Sounil Yu?

Sounil Yu's original Cyber Defense Matrix is documented at cyberdefensematrix.com and in his book of the same name. CDM 2.0 extends his 5×5 grid and uses compatible semantics; the additions are clearly labeled as SecurityStack extensions so practitioners can trace provenance.

References

  • Sounil Yu. Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape. Original 5×5 CDM and concept origin.
  • NIST. Cybersecurity Framework (CSF) 2.0. Source of the GOVERN, IDENTIFY, PROTECT, DETECT, RESPOND, and RECOVER functions used in CDM 2.0.
  • MITRE. ATT&CK and D3FEND. Reference for threat-informed control mappings in the ANTICIPATE and DETECT columns.

Try it

See your stack on the matrix in 30 minutes

Start with the free tier. Add up to 20 tools, answer the questionnaire, and watch the matrix render in real time. No credit card required.