PRISM-APT: A Model-First Synthesis for APT Defence

Authors

DOI:

https://doi.org/10.34190/iccws.21.1.4407

Keywords:

APT defence, CTI, behaviour-centric detection, sovereignty-by-operation

Abstract

We present PRISM-APT, a practical APT defence model for smaller organisations that integrates governed CTI, behaviour-centric rules, and sovereignty-by-operation thresholds (S-CAP). Advanced Persistent Threats (APTs) routinely exploit the gap between widely used theoretical frameworks and day-to-day operational practice, leaving Security Operations Centres (SOCs) with fragmented, vendor-locked, or jurisdictionally misaligned defences. To address this problem, we introduce PRISM-APT, a model-first synthesis for governed APT defence developed through a multi-year research programme. PRISM-APT operationalises defence as a cyclical, five-phase model: Preparation, Recognition, Intelligence, Synthesis, and Mitigation & Measurement. The model is designed for heterogeneous SOC environments, governable via reciprocity contracts and explicit human-in-the-loop decision gates, and auditable through sovereignty-by-operation (SoO) metrics and evidence-centred traceability maps. In practice, the model treats ATT&CK as a shared language rather than a process, complements governance frames such as NIST CSF with operational hooks, and replaces purely linear threat models with an auditable loop that surfaces bias, provenance, and accountability at each gate. The paper makes four contributions. First, it specifies the PRISM-APT model and its governance hooks for bias-aware, explainable, human-in-the-loop defence in SOCs operating under legal and organisational constraints. Second, it provides an explicit evidence-to-model derivation, linking nine empirical studies to concrete operational artefacts. Third, it offers an evaluation plan with measurable criteria for coverage, auditability, and SoO, including adoption and audit pathways for single organisations and federated consortia. Fourth, it distils implementation guidance for phased roll-out in resource-constrained environments, with emphasis on rules portability, minimal viable telemetry, and governance-by-contract to reduce lock-in while maintaining compliance.
Published

19-02-2026