ABOUT THE PROJECT

The Defensible 10 Standards project defines the first engineering-driven cybersecurity framework, uniting architects and engineers worldwide to design security that is measurable, defensible, and resilient.

The Idea

In 2023, a small group of cybersecurity architects and engineers convened for a workshop with a narrow goal: study the last decade of major cyber incidents, focusing on intrusions and data leaks, and treat them as engineering failures rather than isolated events.

We approached the review the way engineers investigate disasters. We did not start with tools, vendors, or media narratives. We began with sequences: what was assumed, what was built, what changed, what was observed, what actions were possible under pressure, and what proof existed after the fact. Across industries and architectures, the same failure patterns kept resurfacing.

Six patterns repeated with uncomfortable consistency. Teams could not clearly define their scope and exposure. Security intent was not translated into explicit design decisions. Change moved into production without disciplined control. Telemetry was incomplete, delayed, or untrusted. Containment was slow, manual, or improvised. Finally, teams could not demonstrate that defenses were working, leaving leadership and practitioners relying on confidence rather than evidence.

We captured those patterns, named them, and reverse-engineered them into 6 defensible elements. We then organized them into a repeatable engineering loop that drives work from definition through demonstration. The loop is intentionally simple because it must be executed under real operational conditions, not only during audits or major incidents. The end state is not a claim of security. The end state is evidence.

That loop became the 6 Defensible Loop model. The Defensible 10 Standards became the coverage. We mapped the enterprise security surface to 10 cybersecurity domains and required the same 6 Defensible Loop (D-Loop) to be executed within each domain standard. Each standard runs the loop. Each standard ends in proof via evidence.

The Purpose

Cybersecurity has long relied on policy frameworks and vendor tools rather than structured engineering. The D10S changes that paradigm by introducing standards that are actionable, testable, and verifiable, enabling architects and engineers to practice cybersecurity as a true engineering discipline.

Our goal is simple: to advance global cybersecurity maturity through clarity, discipline, and practicality—creating architectures that are measurable, auditable, and built to withstand real-world adversarial conditions.

How the Standards Are Built

Each Defensible 10 Standard is authored, peer-reviewed, and validated through ISAUnited’s formal Defensible Standards Schema Function (D-SSF). These standards are developed, authored, and submitted by architects and engineers from across the world, representing diverse disciplines in IT, cloud, cybersecurity, and software engineering. They are vetted through ISAUnited’s open technical standards process.

This collaborative model ensures that every standard reflects global expertise, technical rigor, and defensible design validated by practitioners themselves.

The Team

The original team was later launched under Task Group 39 (TG39) in early 2024.
At the time, the initiative operated under the working title “Project Defensible Blueprint” - an experimental effort to determine whether cybersecurity could be structured, documented, and validated with the same rigor as in traditional engineering disciplines.

TG39, composed of architects, engineers, and technical practitioners across IT, cloud, and cybersecurity, was tasked with answering a fundamental question:

“What would a true engineering standard for cybersecurity look like?”

TG39 explored this through collaborative workshops, peer research, and cross-domain mapping of principles from civil, systems, and mechanical engineering.


This foundational work produced the prototype structure for what would become the Defensible Standards Schema Function (D-SSF)—the submission model now used to author and validate all ISAUnited technical standards.

Project Defensible Blueprint matured into a formalized standardization effort and was officially renamed the Defensible 10 Standards (D10S) to represent the 10 core parent domains of cybersecurity architecture and engineering.


Under the program leadership of Chief Cybersecurity Architect Art Chavez and the ISAUnited Standards Committee, TG39’s early framework evolved into today’s global, open technical standards program — a framework written by architects and engineers for cybersecurity engineers.

Key Milestones

  • Late 2023 - Submission for a Project and Task Group formation (Phase 1 Strategy).

  • Early 2024 - Formation of Task Group 39 (TG39) – Engineering Standards Initiative (Phase 2 Planning).

  • Mid 2024 - Launch of Project Defensible – defining measurable cybersecurity engineering models (Phase 3 Execution).

  • Late 2024 - Development of the Defensible Standards Schema Function (D-SSF) for standard submission; the project was renamed The Defensible 10 Standards (D10S) to reflect ten parent domains.

  • March 2025 - Publication of the Defensible 10 Standards – Draft Edition, governed by ISAUnited.

  • Fall 2025 - First Open Season for public submission of sub-standards by global practitioners.

Practitioner and Organizational Use

The Defensible 10 Standards (D10S) are published under a Creative Commons Attribution–NonCommercial 4.0 International License (CC BY-NC 4.0).


This license permits free use, adaptation, and internal implementation of the D10S by individual practitioners, educational institutions, and organizations for the purpose of research, training, architecture design, or internal security engineering.


Attribution to ISAUnited.org must be maintained in all uses, reproductions, or derivative works.

Commercial, Vendor, and Integration Use

The use, reproduction, or incorporation of the Defensible 10 Standards (D10S) or their content within commercial products, software, tooling, managed services, or for-profit offerings requires a separate commercial integration or redistribution license issued by the Institute of Security Architecture United (ISAUnited.org).


This includes but is not limited to:

  • Integration into commercial or subscription-based platforms or software tools

  • Use in vendor-branded frameworks or automated compliance products

  • Redistribution of modified or adapted versions for resale or commercial benefit

Requests for commercial licensing or integration agreements should be directed to: info@isaunited.org

© 2026 The Defensible 10 Standards (D10S). Owned, operated, and maintained by the Institute of Security Architecture United (ISAUnited.org).
