When Okta’s support credentials were stolen in 2023, the breach didn’t stop at the identity provider. It rippled outward — through SaaS integrations, internal legacy applications and downstream development pipelines. Okta’s systems were not directly exploited. Instead, the attack propagated through the quiet linkages that bound those systems together.
Most security programs don’t model those linkages. The unified linkage model (ULM) shows why that is a problem.
Cybersecurity teams are faced with a considerable volume of data, including asset inventories, vulnerability scans, threat intelligence feeds, SBOMs, configuration alerts and risk dashboards. However, major incidents continue to take organizations by surprise.
The issue at hand is not one of visibility, but of structure. Traditional tools concentrate on three main areas: hosts, vulnerabilities and adversaries. Often, the linkages that determine how quickly a vulnerability spreads, how far an attack can extend or how deeply trust can be compromised are not examined.
ULM shifts the analytical lens from individual components to the relationships that bind digital systems together. The modeling of adjacency, inheritance and trustworthiness provides a structural framework that integrates threat modeling, vulnerability analysis and governance.
Why current models fall short
Most cybersecurity frameworks, including the NIST and MITRE frameworks, implicitly treat systems as collections of assets and controls. Risk registers list vulnerabilities and their severities. Threat reports describe attacker TTPs. Architecture diagrams show components and networks. But linkages — how these elements actually interact — are often undocumented, unmodeled and unanalyzed.
This blind spot leads to three major problems:
- Missed systemic risk: Organizations secure individual components but miss how vulnerabilities propagate through dependencies (e.g., Log4j embedded in third-party apps).
- Ineffective prioritization: Without a linkage structure, teams patch high-severity CVEs on isolated systems while leaving lower-scored flaws on critical trust pathways.
- Slow incident response: When a zero-day emerges, teams scramble to locate vulnerable components. Without pre-existing linkage models, impact analysis becomes a matter of guesswork.
The unified linkage model
While the NIST Zero Trust Architecture and MITRE ATT&CK frameworks have a great deal of utility, ULM provides a structural modeling layer. Traditional network diagrams focus on topology; attack graphs, on the other hand, model exploitation steps. ULM focuses on the linkages, the connective tissue.
It’s not a simple topology map or an attack graph; instead, ULM serves as a conceptual backbone to determine both how vulnerabilities propagate and how adversaries move.
Adjacency
Adjacency describes what is connected or reachable:
- Network adjacency (e.g., VLANs, VPNs, cloud peering)
- API connections between services
- Federated identity relationships (e.g., Okta to SaaS)
- Inter-organizational data sharing or third-party integrations
Adjacency determines how attackers or vulnerabilities can traverse systems. For example, a misconfigured identity provider can act as a high-trust adjacency between external and internal domains.
Inheritance
Inheritance describes what properties, vulnerabilities or behaviors are passed along chains of dependency or control. For example:
- Software dependencies: a vulnerable library that affects every application that depends on it.
- Identity systems: a compromised credential grants downstream access.
- CI/CD pipelines: a malicious build step is inherited by all artifacts produced.
Inheritance explains how a single flaw can cascade through layers — even into domains that didn’t create or deploy the vulnerability.
Trustworthiness
Trustworthiness represents the quality, confidence and resilience of a linkage:
- High-trust internal SSO connections differ from loosely monitored vendor VPNs.
- Implicit trust relationships can be exploited more easily than explicitly verified ones.
- Over-trusted adjacencies amplify the impact of both vulnerabilities and adversaries.
Trustworthiness determines the extent of damage that can be caused when a linkage is exploited. A vulnerability in a low-trust, segmented environment may be contained; the same flaw in a high-trust linkage can trigger systemic failure.
Unlike traditional network models that rely on static topology or IP-based reachability, ULM abstracts the network as a system of heterogeneous linkages — logical, organizational and functional — not just physical. This allows defenders to model paths that adversaries actually use, such as identity trust chains, software dependencies or implicit API adjacencies.
ULM vs. existing models
ULM overlaps with several common cybersecurity modeling approaches. Each contributes to a better understanding of the threat environment while generally addressing a specific aspect — software components, attacker goals, network reachability or vulnerability spread. However, no other model offers a unified structural view. The ULM integrates adjacency, inheritance and trustworthiness, bridging threat intelligence and vulnerability analysis to reveal systemic risk pathways.
| Model | Focus | Primary Use |
| --- | --- | --- |
| SBOM Dependency Graphs | Static component structure | Software inventory, license compliance, vulnerability scanning |
| Attack Trees | Logical attacker goals and sub-goals | Threat modeling |
| Attack Graphs | State transitions and network reachability | Penetration testing, lateral movement analysis |
| Vulnerability Propagation Models | How flaws spread through dependencies | Blast radius analysis, patch prioritization |
| ULM | Structural linkages: adjacency, inheritance, trustworthiness | Integrating threat and vulnerability views; systemic risk analysis |
ULM is not dependent upon a single phenomenon. It can describe software supply chains, network topologies, identity infrastructures and organizational relationships using a common vocabulary of linkages. This flexibility makes it a robust foundation for integrating threat assessments, vulnerability analyses and architectural models.
The novelty of ULM is not in listing vulnerabilities or threats — those are known concepts. The novelty is in modeling the enterprise through linkages that integrate functional, inherited and trust relationships. This sits between network topology (routers, VLANs, IPs) and attack graphs (threat paths) — and that’s exactly what most organizations lack.
A simple example: Okta and beyond
Most enterprises are hybrid, with numerous internal and external dependencies. The Okta breach began with stolen support credentials, allowing attackers to access the identity provider’s high-trust connections. In that instance, the hybrid enterprise environment included the following key elements:
- An external identity provider (IdP), in this instance, Okta, for authentication.
- Several SaaS applications integrated via SSO.
- Internal legacy applications that trust assertions from the IdP without extra validation.
- A development pipeline pulling open-source libraries into both internal and SaaS extensions.
An attacker compromised the IdP through stolen credentials. Through those adjacencies, they reached SaaS and internal applications. Inheritance extended the compromise downstream, amplifying impact without exploiting individual vulnerabilities — illustrating how structural linkages, not isolated flaws, can drive widespread organizational exposure. Because the IdP operated in a high-trust zone, its compromise had a multiplying effect.
Analyzed from a vulnerability perspective, none of the internal apps may have had critical CVEs. From a threat intel perspective, the attacker profile was known. A linkage perspective could have been useful.
Strategic benefits of ULM
A linkage perspective exposes how attackers move along trusted connections, chaining adjacencies and inherited dependencies to bypass hardened perimeters. By mapping structural relationships — identity trust, software supply chains and implicit integrations — defenders can see hidden pathways that static vulnerability lists or isolated threat intelligence miss, revealing true systemic exposure.
ULM provides a structural foundation for:
- Better prioritization: Focus defenses where vulnerabilities and attacker pathways intersect.
- Faster impact analysis: Overlay new vulnerabilities on existing linkage maps to find exposures quickly.
- Threat–vulnerability integration: Link threat TTPs to adjacency and trust pathways; map vulnerabilities onto inherited components.
- Cross-domain insight: Describe IT, OT, identity and supply chains in one framework.
- A new lens on network structure: Reframe networks as linkage graphs, not just nodes and edges.
Getting started
Getting started with the ULM involves shifting perspective from isolated assets to the relationships that bind systems together. Before mapping, organizations should understand that linkages — adjacency, inheritance and trustworthiness — form the backbone of systemic risk analysis, enabling more strategic, integrated and anticipatory cybersecurity decision-making.
- Inventory linkages, not just assets. Map adjacencies (network connections, API integrations) and inheritance paths (identity, software dependencies).
- Assess trustworthiness explicitly. Identify which linkages are implicitly trusted versus explicitly verified.
- Overlay vulnerability and threat data. Use scans, SBOMs and intel to find intersections.
- Prioritize and scenario-plan. Ask: Which inherited vulnerabilities sit on high-trust adjacencies? Which adversaries can exploit them?
- Iterate and integrate. Over time, fold ULM maps into dashboards, incident response and tabletop exercises.
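The steps above, applied to the hybrid environment from the Okta example, as an added sketch that is not part of the original article or of ULM as published. The node names, the 0 to 1 trust scores, the multiplicative path score and the ranking formula are all assumptions chosen for illustration.

```python
import heapq

# Constructed linkage inventory modelled on the article's hybrid enterprise.
# (source, target, kind, trust): trust is an assumed 0..1 score, where 1.0
# means the target accepts the source implicitly, with no extra verification.
LINKAGES = [
    ("idp", "saas-crm", "adjacency", 0.9),          # SSO integration
    ("idp", "legacy-hr", "adjacency", 1.0),         # trusts IdP assertions as-is
    ("vendor-vpn", "legacy-hr", "adjacency", 0.3),  # segmented and monitored
    ("oss-lib", "build-pipeline", "inheritance", 0.8),
    ("build-pipeline", "saas-extension", "inheritance", 0.9),
    ("build-pipeline", "legacy-hr", "inheritance", 0.9),
]

# Constructed findings: node -> severity on a 0..10 scale.
FINDINGS = {"isolated-kiosk": 9.8, "vendor-vpn": 6.0, "oss-lib": 5.0}


def exposure(linkages, origin, kinds=("adjacency", "inheritance")):
    """Map each node reachable from origin to its strongest path score,
    the product of trust values along the best linkage path (assumed metric)."""
    out = {}
    for src, dst, kind, trust in linkages:
        if kind in kinds:
            out.setdefault(src, []).append((dst, trust))
    best = {origin: 1.0}
    heap = [(-1.0, origin)]
    while heap:  # Dijkstra variant: products of values <= 1 never increase
        neg, node = heapq.heappop(heap)
        if -neg < best[node]:
            continue  # stale queue entry
        for dst, trust in out.get(node, []):
            cand = -neg * trust
            if cand > best.get(dst, 0.0):
                best[dst] = cand
                heapq.heappush(heap, (-cand, dst))
    del best[origin]
    return best


def prioritize(linkages, findings):
    """Rank findings by severity * (1 + total downstream exposure)."""
    ranked = [(node, sev * (1 + sum(exposure(linkages, node).values())))
              for node, sev in findings.items()]
    return sorted(ranked, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    print(exposure(LINKAGES, "idp"))
    for node, score in prioritize(LINKAGES, FINDINGS):
        print(f"{node:15s} {score:5.1f}")
```

With this constructed data, the medium-severity flaw in the shared library outranks the critical finding on the isolated host, because its inheritance path reaches three downstream systems.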
A more thorough systemic approach
Attackers exploit the spaces between — not just the endpoints. The unified linkage model offers a systematic approach to analyzing the structural spaces where threats intersect vulnerabilities. By modeling networks through linkages rather than infrastructure, ULM offers CISOs a fundamentally new way to understand how digital systems behave under stress — whether from vulnerabilities, adversaries or both.
This story was adapted from my longer article, “Unified Linkage Models: Recontextualizing Cybersecurity,” in the fall 2025 edition of United States Cybersecurity Magazine. Additional details are available in the original article.
This article is published as part of the Foundry Expert Contributor Network.