CCMM-AIL · Alert Intelligence Layer · v1.0 · Operational

Your SIEM fires alerts.
CCMM tells you what they mean.

Standard SIEM triage scores alert severity. It does not score consequence — what the alert is connected to, what operational damage a true positive would create, or whether it is converging with other signals into something far more serious. CCMM-AIL closes that gap.

5 conditional gates applied per alert
6 environment types supported
3 verdict outputs: Escalate · Investigate · Log
CCMM — Conditional Consequence Mapping Methodology
SSRN Abstract ID 6364078
Published preprint — peer review
Zenodo DOI 10.5281/zenodo.19382186
Citable · versioned · open access
GABEY Consulting Pty Ltd
ACN 121 511 055 · Australia


What is CCMM-AIL

SIEM tells you what fired.
CCMM-AIL tells you what it means.

The Conditional Consequence Mapping Methodology — Alert Intelligence Layer applies five conditional gates to every SIEM alert. Not to replace your SIEM. To answer the questions your SIEM was never designed to ask — specifically, what is this alert connected to, and what happens if it is a true positive.

// What SIEM triage gives you
Alert severity.
Rule match confidence.
  • Alert scores tell you how technically significant the event is. They do not tell you what the alert is connected to.
  • The same alert firing against an IT workstation and a SCADA HMI gets the same severity score. The consequences are not remotely the same.
  • Alert volume overwhelms triage capacity. Analysts escalate on noise. Real convergence patterns are missed under load.
  • Sector-specific regulatory reporting obligations — SOCI Act, NERC CIP, NIS2 — are not flagged at the alert layer.
  • OT, SCADA, and critical infrastructure context is absent from standard L1 and L2 triage workflows.
// What CCMM-AIL adds
Consequence context.
Convergence intelligence.
  • Every alert is assessed against the environment it touches — IT, OT, SCADA, utility, industrial IoT, or aviation and maritime OT.
  • Consequence is scored on a 0–100 scale calibrated to sector — population-scale impact, safety system proximity, and environmental exposure weighted accordingly.
  • Signal convergence is assessed across the full log — temporal clustering, technique progression, and multi-asset correlation detected as a pattern, not individual events.
  • Mandatory reporting obligations are flagged where triggered — with the specific instrument cited (SOCI, NERC CIP, NIS2, CASA, AMSA).
  • Verdict output is one of three: Escalate Immediately, Investigate and Hold, or Log and Close — the same logic applied at 2 am as at 2 pm.
// The three analytical questions CCMM-AIL answers
Pillar 01
What is this alert connected to?
Before any scoring, CCMM-AIL classifies the environment — IT-only, OT/SCADA, hybrid boundary, utility, industrial IoT, or aviation and maritime. This determines which consequence multipliers are active and which regulatory frameworks apply.
Pillar 02
What is the operational consequence?
Consequence is not the same as severity. A low-CVSS alert touching a safety instrumented system carries a higher consequence score than a high-CVSS alert in an isolated IT segment. CCMM-AIL scores what matters operationally, not just technically.
Pillar 03
Does it converge with other signals?
Multi-stage attacks do not arrive as a single alert. CCMM-AIL assesses temporal clustering, MITRE ATT&CK technique progression, and multi-asset correlation across the full log — identifying convergence patterns before they reach critical stage.
// Same alert — different environments — different verdicts
Scenario 1
[WARN] authentication_failure count=12 within=60s target=SCADA_HMI_[REDACTED] zone=OT_FLOOR_B
Environment: OT / SCADA · Verdict: Escalate
Gate B triggered — OT adjacency confirmed. Gate C scores HIGH — HMI access represents direct control-plane exposure. Reporting obligation: SOCI Act s30BC 12-hour window flagged.
Scenario 2
[WARN] authentication_failure count=12 within=60s target=CORP_MAIL_SRV_[REDACTED] zone=IT_CORP
Environment: IT Network · Verdict: Investigate
Gate B clear — no OT adjacency. Gate C scores MODERATE — credential attack on mail server has data exposure risk. No immediate escalation, but monitor for lateral movement indicators.
Scenario 3
[CRIT] lateral_movement + process_spawn + data_exfil src→SCADA_SERVER dst=203.X.X.X threat_intel=KNOWN_C2
Environment: Hybrid IT/OT · Verdict: Escalate
Gates A, B, C, and D all triggered. Multi-stage pattern confirmed — lateral movement to SCADA server, encoded execution, confirmed C2 exfiltration. Maximum consequence score. Immediate response required.
Scenario 4
[INFO] port_scan detected src=10.X.X.X dst=10.X.X.0/24 tool_signature=nmap confidence=LOW
Environment: IT Network · Verdict: Log and Close
All five gates clear. No OT adjacency. No exploitation signal. No convergence with other events. Low confidence tool signature. Standard logging. No analyst time required.


The Five Gates

Five conditions. Applied to every alert. Every time.

CCMM-AIL does not score in isolation. Each gate is a conditional question — the answer determines whether the next gate escalates or closes. Together, the five gates produce a verdict no SIEM severity score can replicate — because they account for what the alert is connected to, not just what it detected.

Gate A · First condition · Active Exploitation Signal

Is there evidence of confirmed or probable active exploitation — not merely a rule match or detection signature, but indicators consistent with an attacker executing within the environment?

Result values: Triggered · Partial · Clear
// Trigger conditions
Triggered: Successful authentication following repeated failures, encoded command execution (e.g. Base64 PowerShell), confirmed C2 beacon or data exfiltration, or process spawning from an unexpected parent process.
Triggered: Two or more MITRE ATT&CK technique indicators present in the execution or impact phases within the same log window.
Partial: Single exploitation indicator present but unconfirmed — for example, a high-confidence tool signature without corroborating execution evidence.
Clear: Detection is a rule match, scan, or reconnaissance signal only. No execution-phase indicators present.
Sector modifiers: OT / SCADA · Utility · Hybrid IT/OT · Industrial IoT
Gate B · Second condition · OT / Critical Process Adjacency

Does the alert involve, touch, or traverse network segments containing operational technology, SCADA, ICS, PLCs, RTUs, HMIs, DCS, or safety instrumented systems — or is it moving toward an OT boundary?

Result values: Triggered · Partial · Clear
// Trigger conditions
Triggered: Alert directly involves a PLC, RTU, HMI, DCS, or SIS asset, or any device within a designated OT zone or network segment.
Triggered: Lateral movement detected toward an OT segment boundary, SCADA server, or engineering workstation from an IT-origin source.
Triggered: Industrial protocol activity detected — Modbus, DNP3, EtherNet/IP, PROFINET, or IEC 61850 — outside expected operational parameters.
Partial: Alert originates in an IT segment adjacent to an OT boundary — e.g. a jump server, historian, or SCADA data gateway — without confirmed OT traversal.
Clear: Alert is entirely within an IT-only environment with no OT segment adjacency confirmed or declared.
Sector modifiers: Water / Energy Utility · Aviation OT · Maritime OT · Industrial IoT
Gate C · Third condition · Consequence Severity (CPS-C)

What is the operational consequence score if this alert is a true positive? Scored 0–100 on the CPS-C scale — calibrated to environment type, sector multipliers, and potential for physical, population-scale, or safety system impact.

Result values: High ≥70 · Moderate 40–69 · Low <40
// Scoring thresholds
High (≥70): Potential for physical consequence, critical service disruption, safety system compromise, or population-scale harm. OT adjacency confirmed. Utility, aviation, or maritime environment active. Sector consequence multiplier applied.
Moderate (40–69): Significant operational impact — data loss, recoverable service disruption, or credential exposure in a sensitive system. No confirmed physical consequence pathway but meaningful business impact if realised.
Low (<40): Contained IT impact. No OT adjacency. Recoverable. Limited operational exposure if the event is a true positive. Standard logging and monitoring response.
Multipliers active for: Safety systems · Population scale · Environmental exposure · Critical service
Gate D · Fourth condition · Signal Convergence (TCI)

Do two or more distinct signals in the log form a pattern consistent with a coordinated or multi-stage attack? A single isolated alert does not converge — convergence requires temporal clustering, technique progression, or multi-asset correlation.

Result values: Triggered · Partial · Clear
// Trigger conditions
Triggered: Technique progression confirmed — MITRE ATT&CK stages advance across events in the log (e.g. Initial Access → Lateral Movement → Execution → Exfiltration). Multi-stage pattern is the strongest convergence signal.
Triggered: Temporal clustering — multiple distinct alerts across separate assets or techniques occurring within a compressed time window inconsistent with normal operational patterns.
Triggered: Multi-asset involvement — three or more assets appear across correlated events, suggesting coordinated actor activity rather than isolated misfire.
Partial: Two correlated signals present but technique progression incomplete or temporal gap is too wide to confirm coordination. Monitor for additional convergence.
Clear: Single isolated event. No correlated signals, no temporal clustering, no multi-asset pattern. Assess as a standalone alert.
Feeds into: TCI score 0–100 · ACI attribution confidence
Gate E · Fifth condition · Reporting Obligation

Based on environment type, sector, and alert nature — does this event trigger a mandatory regulatory reporting obligation? Gate E identifies the specific instrument and applicable timeframe.

Result values: Triggered · Partial · Clear
// Regulatory instruments assessed
AU Critical Infrastructure: SOCI Act s30BC — 12-hour reporting obligation for significant cyber incidents affecting critical infrastructure assets declared under the Security of Critical Infrastructure Act 2018 (Cth).
North America: NERC CIP-008-6 — reportable cyber security incident applicable to bulk electric systems. AWIA / EPA reporting for water and wastewater systems.
European Union: NIS2 Article 23 — 24-hour early warning followed by 72-hour formal notification for significant incidents affecting essential entities.
Aviation: Concurrent CASA / FAA / EASA notification required for incidents affecting operational systems, navigation, or safety-critical avionics environments.
Maritime: AMSA / USCG / EMSA reporting for incidents involving vessel traffic management systems, port operational technology, or safety systems.
Clear: Environment or alert severity does not reach the reporting threshold for any applicable instrument. No mandatory notification required.
Jurisdictions: Australia · North America · European Union · Aviation · Maritime
// How the gates combine to produce a verdict
Escalate Immediately
Gate A = Triggered AND (Gate B = Triggered OR Gate C = High), or Gate A = Triggered AND Gate D = Triggered (confirmed multi-stage attack in progress). Immediate response, containment, and sector reporting obligation assessment required.
Immediate response required.
Investigate and Hold
One or more gates Triggered or Partial but full Escalate threshold not met, or Gate D = Triggered without confirmed exploitation in Gate A (convergence pattern present, exploitation not yet confirmed). Monitor for additional signals that would elevate to Escalate.
Analyst review required.
Log and Close
No meaningful gate conditions met across all five gates. No active exploitation signal. No OT adjacency. Low consequence score. No signal convergence. No reporting obligation triggered. Standard logging. No analyst time required.
Standard log only.
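As an added illustration (not the page's or GABEY Consulting's code), the result values of Gates A to E described above and the verdict combination rules in this section, written as a small Python verdict function and run over gate states modelled on the page's sample alerts. The CPS-C numbers, the scenario names, the cited instrument string, and the rule that a Moderate consequence alone is enough to hold an alert for review are assumptions, not the methodology's own output.

```python
from dataclasses import dataclass
from enum import Enum

class Gate(Enum):
    TRIGGERED = "Triggered"
    PARTIAL = "Partial"
    CLEAR = "Clear"

ESCALATE = "Escalate Immediately"
INVESTIGATE = "Investigate and Hold"
LOG_AND_CLOSE = "Log and Close"

def cps_c_band(score: int) -> str:
    """Gate C band from the page's thresholds: High >= 70, Moderate 40-69, Low < 40."""
    if not 0 <= score <= 100:
        raise ValueError("CPS-C is scored on a 0-100 scale")
    return "High" if score >= 70 else "Moderate" if score >= 40 else "Low"

@dataclass(frozen=True)
class GateAssessment:
    gate_a: Gate          # active exploitation signal
    gate_b: Gate          # OT / critical process adjacency
    cps_c: int            # Gate C numeric consequence score, 0-100
    gate_d: Gate          # signal convergence
    gate_e: Gate          # reporting obligation
    instrument: str = ""  # instrument cited by Gate E, if any

def verdict(g: GateAssessment) -> dict:
    """Combine the five gate results into one of the three verdicts plus the supporting findings."""
    band = cps_c_band(g.cps_c)
    findings = []  # every gate that is not Clear / Low, kept for the analyst record
    if g.gate_a is not Gate.CLEAR:
        findings.append(f"Gate A {g.gate_a.value}: exploitation signal")
    if g.gate_b is not Gate.CLEAR:
        findings.append(f"Gate B {g.gate_b.value}: OT adjacency")
    if band != "Low":  # assumption: a Moderate consequence alone is enough to hold for review
        findings.append(f"Gate C {band}: CPS-C {g.cps_c}")
    if g.gate_d is not Gate.CLEAR:
        findings.append(f"Gate D {g.gate_d.value}: signal convergence")
    if g.gate_e is not Gate.CLEAR:
        findings.append(f"Gate E {g.gate_e.value}: reporting obligation {g.instrument or '(instrument TBD)'}")
    # Escalate: A Triggered AND (B Triggered OR C High), OR A Triggered AND D Triggered.
    if g.gate_a is Gate.TRIGGERED and (g.gate_b is Gate.TRIGGERED or band == "High" or g.gate_d is Gate.TRIGGERED):
        result = ESCALATE
    elif findings:  # any gate Triggered/Partial below that threshold, including D Triggered without A
        result = INVESTIGATE
    else:  # all five gates clear and consequence Low
        result = LOG_AND_CLOSE
    return {"verdict": result, "cps_c_band": band, "findings": findings}

# Constructed gate results modelled on the page's worked scenarios. The CPS-C numbers are
# illustrative values inside the band the page names, not output of the methodology itself.
SCENARIOS = {
    "hybrid_scada_c2": GateAssessment(Gate.TRIGGERED, Gate.TRIGGERED, 100, Gate.TRIGGERED,
                                      Gate.TRIGGERED, "SOCI Act s30BC, 12-hour window"),
    "corp_mail_auth_failures": GateAssessment(Gate.CLEAR, Gate.CLEAR, 55, Gate.CLEAR, Gate.CLEAR),
    "it_port_scan": GateAssessment(Gate.CLEAR, Gate.CLEAR, 10, Gate.CLEAR, Gate.CLEAR),
    "convergence_no_exploitation": GateAssessment(Gate.CLEAR, Gate.PARTIAL, 45, Gate.TRIGGERED, Gate.CLEAR),
}
```

Calling `verdict(SCENARIOS["hybrid_scada_c2"])` returns the Escalate verdict with all five findings listed, while the port-scan scenario returns Log and Close with an empty findings list.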
TCI — Threat Convergence Index
0–100. Weighted measure of Gate D convergence strength, temporal clustering density, and technique progression completeness across the alert log.
CPS-C — Consequence Score
0–100. Gate C numeric output. Calibrated to environment type and sector multipliers. Determines HIGH / MODERATE / LOW consequence classification.
ACI — Attribution Confidence Index
0–100. Confidence that the alert pattern represents real threat actor activity versus a false positive, misconfiguration, or noise event. Based on technique specificity and indicator quality.

We'll show you what CCMM sees.

CCMM-AIL · Scenario demonstration

Your SIEM has the alert.
CCMM-AIL has the answer.

Six real-world alert patterns. Six environments. Select a scenario, declare the environment, and CCMM-AIL returns a full five-gate verdict — consequence scored, convergence assessed, reporting obligations flagged. No login required.

Curated scenario demonstration. Pre-built alert patterns · no upload required · private log analysis available on request.


The operational decision

We just showed you what CCMM can do.
Integrate CCMM-AIL or hire more SOC staff.

Both options cost money. Only one of them applies the same analytical rigour to every alert, every time, regardless of shift, analyst experience, or alert volume. The other one goes home at 5pm.

// Option A
Hire more SOC staff
Alert triage at human speed
L1 analysts process alerts sequentially. At volume, dwell time grows. The alerts that matter most often wait the longest.
Escalation depends on the analyst
An L1 analyst on night shift makes a different call than a senior analyst on day shift. Inconsistency is built into the model.
No consequence weighting
Standard SIEM triage does not score what the alert is connected to. A SCADA HMI and a workstation look the same in a severity queue.
OT context typically absent
Most L1 and L2 analysts are IT-trained. OT, SCADA, and critical infrastructure threat context is not standard SOC curriculum.
Reporting obligations missed under load
SOCI Act, NERC CIP, NIS2 — sector reporting windows are short. Under alert load, regulatory obligations are the first thing missed.
Fixed cost regardless of threat level
Salaries, benefits, training, and attrition are constant costs. Quiet periods cost the same as active incident response.
OR
// Option B
Integrate CCMM-AIL
Five gates applied to every alert
Every alert receives the full conditional pipeline — active exploitation, OT adjacency, consequence, convergence, and reporting obligation — every time, without exception.
Consistent verdict logic
The same gate conditions produce the same verdict regardless of time of day, alert volume, or analyst availability. No shift variation. No experience gap.
Consequence scored to your environment
CPS-C scoring is calibrated to the environment type declared — IT, OT, SCADA, utility, industrial IoT, or aviation and maritime. The score reflects what failure actually means in your sector.
OT and critical infrastructure native
Industrial protocols, SCADA adjacency, safety system proximity, and sector consequence multipliers are built into the model — not added as an afterthought.
Reporting obligations flagged automatically
Gate E identifies the specific regulatory instrument — SOCI Act, NERC CIP-008-6, NIS2 Article 23 — and the applicable timeframe. Flagged at the alert layer, not discovered after the window closes.
Published, auditable, and citable
Built on CCMM — published at SSRN (Abstract ID 6364078) and Zenodo (DOI 10.5281/zenodo.19382186). Defensible to regulators, auditors, and boards.
01
The 0.001% Problem — applied to your alert queue
Most alerts are noise. The one that matters is buried in it. Standard triage treats them uniformly — same queue, same process, same analyst. CCMM-AIL exists because even a near-zero-probability catastrophic event deserves a rigorous analytical framework. The cost of having no consequence model is borne by the organisation — and the people — inside the event. Not by the vendor that sold you the SIEM.
// The numbers that frame the decision
277 days
Mean time to identify a breach
IBM Cost of a Data Breach 2023. Consequence-blind triage extends dwell time.
$4.45M
Global average cost of a data breach
IBM 2023. OT and critical infrastructure incidents carry multipliers above the global average.
12 hrs
SOCI Act mandatory reporting window
s30BC — significant cyber incidents affecting Australian critical infrastructure assets. Gate E flags this at the alert layer.
~70%
Of ICS/OT incidents originate via IT network
Dragos ICS/OT Cybersecurity Year in Review. The IT/OT boundary is the most consequential gap in standard SIEM triage.

Your call. Make it an informed one.

CCMM-AIL is a standalone intelligence layer — it works above your existing SIEM, not instead of it. You keep Log360, Splunk, Microsoft Sentinel, or whatever you run. CCMM-AIL adds the consequence and convergence layer your SIEM was never designed to provide. Enquire below and we will scope what integration looks like for your environment.

IP Protection Notice · Applies to all content on this page
Proprietary methodology — protected works
CCMM, its acronyms, methods, concepts, analytical structures, scoring approaches, terminology, scenario logic, model architecture, presentation logic, derivative formulations, explanatory frameworks, and associated proprietary materials are protected works of GABEY Consulting Pty Ltd, Australia. All rights reserved.
Creative Commons scope — published works only
Publications released by GABEY Consulting Pty Ltd under Creative Commons Attribution 4.0 International licence (CC BY 4.0) remain subject to the terms of that licence with respect to the specific published text only. This notice governs the CCMM methodology, scoring architecture, proprietary implementation, and all materials not released under an open licence.
Restricted use — no part of the proprietary CCMM implementation may be used without prior written permission
No part of the proprietary CCMM implementation, in whole or in part, may be extracted, copied, reproduced, adapted, reverse engineered, translated, republished, stored, incorporated, reformulated, transmitted, embedded, deployed or otherwise used in or for any software, algorithm, model, artificial intelligence system, machine learning workflow, corporate tool, operational process, consulting method, document, report, presentation, assessment framework, internal program, commercial service or derivative method without the prior express written permission of GABEY Consulting Pty Ltd. Unauthorised use, imitation, abstraction, derivation or repurposing of proprietary CCMM materials is strictly prohibited.