ID Syntax Specification

Overview

Every CFSE artifact is assigned a unique identifier following strict syntactic rules. These identifiers enable:

  • Unambiguous reference across documentation and tooling
  • Automated validation via regex patterns
  • Hierarchical organization through component structure
  • Traceability from concepts through explorations to findings

CFSE core defines the identifier patterns in this document. CFSE extensions MAY introduce additional artifact types and identifier patterns; extension ID rules are defined by the extension and apply only when that extension is declared (see foundations/extensions.md).

General Rules

Character Set

| Category | Allowed Characters |
|---|---|
| System codes | A-Z, 0-9 |
| Names/Themes | A-Z, 0-9, - (hyphen as separator) |
| Sequence numbers | 0-9 |

Naming Conventions

  1. UPPERCASE only - All alphabetic characters must be uppercase
  2. No leading/trailing hyphens - Hyphens only between words
  3. No consecutive hyphens - Use single hyphen as separator
  4. Meaningful abbreviations - Use domain-standard abbreviations

Artifact ID Patterns

Entry Point ID (EntryPointID)

Entry Points represent concrete system operations (API endpoints, UI actions, CLI commands, events) and are first-class artifacts (EP-*).

Pattern Description

```text
EP-<SYSTEM>-<CONCEPT>-<CHANNEL>-<ACTION>[-<NN>]
```

Notes

  • The regex is deliberately permissive; the convention above is RECOMMENDED for traceability.
  • The convention accommodates multiple channels (API/WEB/GRAPHQL/CLI/EVENT) and multiple variants of the same operation via the optional -<NN> suffix.

Regex

```regex
^EP-[A-Z0-9-]{1,128}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `EP-SHOP-USER-API-CREATE` | Yes | Standard concept entry point |
| `EP-SHOP-ITEM-API-DELETE` | Yes | Standard concept entry point |
| `EP-I-SHOP-ITEM-DELETE-API` | Yes | Interaction-scoped entry point ID |
| `EP-shop-user-api-create` | No | Lowercase not allowed |
| `EP--USER-API-CREATE` | No | Malformed hyphens |

Projection ID (ProjectionID)

Projections describe what a viewer-context sees across one or more surfaces.

Pattern Description

```text
PRJ-<SYSTEM>-<NAME>
```

Regex

```regex
^PRJ-[A-Z0-9-]{1,128}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `PRJ-SHOP-PUBLIC-VIEWER` | Yes | Standard PRJ ID |
| `PRJ-GL-ANON-RSS` | Yes | Standard PRJ ID |
| `PRJ_gl_anon` | No | Underscores not allowed |

1. Concept ID (ConceptID)

Concepts represent the foundational security-relevant entities in a system.

Pattern Description

```text
C-<SYSTEM>-<NAME>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `C-` | 2 | Fixed concept identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| NAME | `[A-Z0-9-]+` | 1-32 | Descriptive name with optional hyphens |

Regex

```regex
^C-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `C-AWS-IAM-ROLE` | Yes | Standard concept identifier |
| `C-K8S-POD` | Yes | Short system code, short name |
| `C-OAUTH2-ACCESS-TOKEN` | Yes | Hyphenated name |
| `C-GCP-SERVICE-ACCOUNT-KEY` | Yes | Multiple hyphens in name |
| `c-aws-iam-role` | No | Lowercase not allowed |
| `C-A-ROLE` | No | System code too short (min 2) |
| `C-AWS-` | No | Trailing hyphen |
| `C--IAM-ROLE` | No | Missing system code |
| `CONCEPT-AWS-ROLE` | No | Wrong prefix |

2. Interaction ID (InteractionID)

Interactions capture security-relevant operations between concepts.

Pattern Description

```text
I-<SYSTEM>-<VERB>-<NOUN>-<SEQ>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `I-` | 2 | Fixed interaction identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| VERB | `[A-Z]+` | 1-16 | Action verb (e.g., CREATE, INVOKE, ATTACH) |
| NOUN | `[A-Z]+` | 1-16 | Target entity (e.g., ROLE, TOKEN, KEY) |
| SEQ | `[0-9]+` | 3 | Three-digit sequence number |

Regex

```regex
^I-[A-Z0-9]{2,8}-[A-Z]{1,16}-[A-Z]{1,16}-[0-9]{3}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `I-AWS-ASSUME-ROLE-001` | Yes | Standard interaction |
| `I-K8S-CREATE-POD-042` | Yes | Kubernetes pod creation |
| `I-OAUTH2-REFRESH-TOKEN-003` | Yes | OAuth token refresh |
| `I-GCP-INVOKE-FUNCTION-100` | Yes | GCP function invocation |
| `I-AWS-ASSUME-ROLE-1` | No | Sequence must be 3 digits |
| `I-AWS-assume-ROLE-001` | No | Lowercase not allowed |
| `I-AWS-ASSUME-ROLE` | No | Missing sequence number |
| `I-AWS-ASSUME_ROLE-001` | No | Underscore not allowed |
| `I-A-ASSUME-ROLE-001` | No | System code too short |

3. Flow ID (FlowID)

Flows represent ordered sequences of interactions forming complete operations.

Pattern Description

```text
F-<SYSTEM>-<NAME>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `F-` | 2 | Fixed flow identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| NAME | `[A-Z0-9-]+` | 1-32 | Descriptive flow name |

Regex

```regex
^F-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `F-AWS-CROSS-ACCOUNT-ACCESS` | Yes | Multi-word flow name |
| `F-K8S-POD-SCHEDULING` | Yes | Kubernetes scheduling flow |
| `F-OAUTH2-AUTHORIZATION-CODE` | Yes | OAuth flow |
| `F-GCP-WORKLOAD-IDENTITY` | Yes | GCP identity flow |
| `f-aws-role-chain` | No | Lowercase not allowed |
| `F-A-ACCESS` | No | System code too short |
| `F-AWS--ACCESS` | No | Consecutive hyphens |
| `FLOW-AWS-ACCESS` | No | Wrong prefix |

4. Scenario ID (ScenarioID)

Scenarios define themed security test cases grouped by attack patterns or vulnerability classes.

Pattern Description

```text
S-<SYSTEM>-<THEME>-<SEQ>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `S-` | 2 | Fixed scenario identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| THEME | `[A-Z0-9-]+` | 1-24 | Attack theme or vulnerability class |
| SEQ | `[0-9]+` | 3 | Three-digit sequence number |

Regex

```regex
^S-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `S-AWS-PRIVILEGE-ESCALATION-001` | Yes | Privilege escalation scenario |
| `S-K8S-CONTAINER-ESCAPE-003` | Yes | Container security scenario |
| `S-OAUTH2-TOKEN-THEFT-010` | Yes | Token security scenario |
| `S-GCP-LATERAL-MOVEMENT-005` | Yes | Lateral movement scenario |
| `S-AWS-PRIVESC-1` | No | Sequence must be 3 digits |
| `S-AWS-PRIVILEGE-ESCALATION` | No | Missing sequence number |
| `s-aws-privesc-001` | No | Lowercase not allowed |
| `S-A-PRIVESC-001` | No | System code too short |

5. Exploration ID (ExplorationID)

Explorations document detailed security testing sessions derived from scenarios.

Pattern Description

```text
E-<SYSTEM>-<THEME>-<SCENARIO-SEQ>-<VERSION>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `E-` | 2 | Fixed exploration identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| THEME | `[A-Z0-9-]+` | 1-24 | Theme from parent scenario |
| SCENARIO-SEQ | `[0-9]+` | 3 | Parent scenario sequence |
| VERSION | `[0-9]+` | 2 | Two-digit exploration version |

Regex

```regex
^E-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}-[0-9]{2}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `E-AWS-PRIVILEGE-ESCALATION-001-01` | Yes | First exploration of scenario 001 |
| `E-K8S-CONTAINER-ESCAPE-003-05` | Yes | Fifth version |
| `E-OAUTH2-TOKEN-THEFT-010-12` | Yes | Twelfth exploration |
| `E-GCP-LATERAL-MOVEMENT-005-01` | Yes | Standard format |
| `E-AWS-PRIVESC-001-1` | No | Version must be 2 digits |
| `E-AWS-PRIVESC-01-01` | No | Scenario sequence must be 3 digits |
| `E-AWS-PRIVESC-001` | No | Missing version |
| `e-aws-privesc-001-01` | No | Lowercase not allowed |

Relationship to Scenario

The exploration ID embeds its parent scenario reference:

```text
E-AWS-PRIVILEGE-ESCALATION-001-01
  |_______________________________|
         Derived from S-AWS-PRIVILEGE-ESCALATION-001
```

6. Trace ID (TraceID)

Traces capture ordered evidence (events and state facts) that support temporal and event-sequence claims. Traces are typically produced as part of an Exploration run (baseline and/or attack paths).

Pattern Description

```text
T-<SYSTEM>-<THEME>-<SCENARIO-SEQ>-<VERSION>-<SEQ>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `T-` | 2 | Fixed trace identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| THEME | `[A-Z0-9-]+` | 1-24 | Theme from parent scenario/exploration |
| SCENARIO-SEQ | `[0-9]+` | 3 | Parent scenario sequence |
| VERSION | `[0-9]+` | 2 | Parent exploration version |
| SEQ | `[0-9]+` | 2 | Trace sequence for that exploration version (e.g., baseline vs attack) |

Regex

```regex
^T-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}-[0-9]{2}-[0-9]{2}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `T-AWS-PRIVILEGE-ESCALATION-001-01-01` | Yes | First trace for exploration 001-01 |
| `T-AWS-PRIVILEGE-ESCALATION-001-01-02` | Yes | Second trace (e.g., attack path) |
| `T-K8S-CONTAINER-ESCAPE-003-05-01` | Yes | Trace for exploration 003-05 |
| `T-AWS-PRIVESC-001-1-01` | No | Version must be 2 digits |
| `T-AWS-PRIVESC-01-01-01` | No | Scenario sequence must be 3 digits |
| `T-AWS-PRIVESC-001-01-1` | No | Trace sequence must be 2 digits |

Relationship to Exploration

Trace IDs embed their parent exploration reference:

```text
T-AWS-PRIVILEGE-ESCALATION-001-01-01
  |_________________________________|
         Derived from E-AWS-PRIVILEGE-ESCALATION-001-01
```

7. Finding ID (FindingID)

Findings document security issues discovered during explorations.

Pattern Description

```text
FD-<SYSTEM>-<CATEGORY>-<SEQ>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `FD-` | 3 | Fixed finding identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| CATEGORY | `[A-Z]+` | 1-16 | Finding category (e.g., AUTHZ, CRYPTO) |
| SEQ | `[0-9]+` | 3 | Three-digit sequence number |

Category Values

| Category | Description |
|---|---|
| AUTHZ | Authorization/access control issues |
| AUTHN | Authentication issues |
| CRYPTO | Cryptographic weaknesses |
| CONFIG | Configuration vulnerabilities |
| INJECT | Injection vulnerabilities |
| LEAK | Information disclosure |
| LOGIC | Business logic flaws |
| RACE | Race conditions |

Regex

```regex
^FD-[A-Z0-9]{2,8}-[A-Z]{1,16}-[0-9]{3}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `FD-AWS-AUTHZ-001` | Yes | Authorization finding |
| `FD-K8S-CONFIG-023` | Yes | Configuration issue |
| `FD-OAUTH2-CRYPTO-005` | Yes | Cryptographic weakness |
| `FD-GCP-LEAK-012` | Yes | Information disclosure |
| `FD-AWS-AUTHZ-1` | No | Sequence must be 3 digits |
| `FD-AWS-auth-001` | No | Lowercase not allowed |
| `FD-A-AUTHZ-001` | No | System code too short |
| `FINDING-AWS-AUTHZ-001` | No | Wrong prefix |

8. Predicate ID (PredicateID)

Predicates are reusable boolean conditions for invariant composition.

Pattern Description

```text
P-<SYSTEM>-<NAME>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `P-` | 2 | Fixed predicate identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| NAME | `[A-Z0-9-]+` | 1-32 | Descriptive predicate name |

Regex

```regex
^P-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `P-AWS-HAS-MFA` | Yes | MFA verification predicate |
| `P-K8S-IS-PRIVILEGED` | Yes | Privilege check |
| `P-OAUTH2-TOKEN-VALID` | Yes | Token validation |
| `P-GCP-IN-VPC` | Yes | Network location check |
| `p-aws-has-mfa` | No | Lowercase not allowed |
| `P-A-MFA` | No | System code too short |
| `PRED-AWS-MFA` | No | Wrong prefix |
| `P-AWS-` | No | Trailing hyphen |

9. Invariant ID (InvariantID)

Invariants express security properties that must always hold.

Pattern Description

```text
INV-<SYSTEM>-<NAME>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `INV-` | 4 | Fixed invariant identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| NAME | `[A-Z0-9-]+` | 1-32 | Descriptive invariant name |

Regex

```regex
^INV-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `INV-AWS-NO-PUBLIC-S3` | Yes | S3 bucket visibility |
| `INV-K8S-POD-SECURITY` | Yes | Pod security policy |
| `INV-OAUTH2-TOKEN-EXPIRY` | Yes | Token lifecycle |
| `INV-GCP-IAM-LEAST-PRIVILEGE` | Yes | IAM principle |
| `inv-aws-no-public-s3` | No | Lowercase not allowed |
| `INV-A-S3` | No | System code too short |
| `INVARIANT-AWS-S3` | No | Wrong prefix |
| `INV-AWS--S3` | No | Consecutive hyphens |

10. Generator ID (GeneratorID)

Generators create scenario variations through systematic exploration strategies.

Pattern Description

```text
GEN-<STRATEGY>-<SEQ>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `GEN-` | 4 | Fixed generator identifier prefix |
| STRATEGY | `[A-Z0-9-]+` | 1-24 | Generation strategy name |
| SEQ | `[0-9]+` | 3 | Three-digit sequence number |

Strategy Values

| Strategy | Description |
|---|---|
| BOUNDARY | Boundary value analysis |
| MUTATION | Input mutation testing |
| COMBINATORIAL | Pairwise/combinatorial testing |
| FUZZ | Fuzzing-based generation |
| TEMPORAL | Time-based variations |
| PRIVILEGE | Privilege level variations |

Regex

```regex
^GEN-[A-Z0-9-]{1,24}-[0-9]{3}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `GEN-BOUNDARY-001` | Yes | Boundary testing generator |
| `GEN-MUTATION-FUZZ-042` | Yes | Mutation fuzzing |
| `GEN-PRIVILEGE-ESCALATION-003` | Yes | Privilege testing |
| `GEN-TEMPORAL-RACE-010` | Yes | Race condition testing |
| `GEN-BOUNDARY-1` | No | Sequence must be 3 digits |
| `gen-boundary-001` | No | Lowercase not allowed |
| `GEN-BOUNDARY` | No | Missing sequence number |
| `GENERATOR-BOUNDARY-001` | No | Wrong prefix |

11. Patch ID (PatchID)

Patches document remediation changes applied to address findings.

Pattern Description

```text
PATCH-<SYSTEM>-<SEQ>
```

Component Rules

| Component | Rule | Length | Description |
|---|---|---|---|
| Prefix | `PATCH-` | 6 | Fixed patch identifier prefix |
| SYSTEM | `[A-Z0-9]+` | 2-8 | System or domain abbreviation |
| SEQ | `[0-9]+` | 3 | Three-digit sequence number |

Regex

```regex
^PATCH-[A-Z0-9]{2,8}-[0-9]{3}$
```

Examples

| ID | Valid | Reason |
|---|---|---|
| `PATCH-AWS-001` | Yes | AWS system patch |
| `PATCH-K8S-042` | Yes | Kubernetes patch |
| `PATCH-OAUTH2-003` | Yes | OAuth implementation patch |
| `PATCH-GCP-100` | Yes | GCP configuration patch |
| `PATCH-AWS-1` | No | Sequence must be 3 digits |
| `patch-aws-001` | No | Lowercase not allowed |
| `PATCH-A-001` | No | System code too short |
| `FIX-AWS-001` | No | Wrong prefix |

Quick Reference Table

| Artifact | Pattern | Regex |
|---|---|---|
| Concept | `C-<SYS>-<NAME>` | `^C-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$` |
| Interaction | `I-<SYS>-<VERB>-<NOUN>-<SEQ>` | `^I-[A-Z0-9]{2,8}-[A-Z]{1,16}-[A-Z]{1,16}-[0-9]{3}$` |
| Flow | `F-<SYS>-<NAME>` | `^F-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$` |
| Scenario | `S-<SYS>-<THEME>-<SEQ>` | `^S-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}$` |
| Exploration | `E-<SYS>-<THEME>-<SEQ>-<VER>` | `^E-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}-[0-9]{2}$` |
| Trace | `T-<SYS>-<THEME>-<SEQ>-<VER>-<NN>` | `^T-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}-[0-9]{2}-[0-9]{2}$` |
| Finding | `FD-<SYS>-<CAT>-<SEQ>` | `^FD-[A-Z0-9]{2,8}-[A-Z]{1,16}-[0-9]{3}$` |
| Predicate | `P-<SYS>-<NAME>` | `^P-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$` |
| Invariant | `INV-<SYS>-<NAME>` | `^INV-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$` |
| Entry Point | `EP-<SYS>-<NAME>` | `^EP-[A-Z0-9-]{1,128}$` |
| Projection | `PRJ-<SYS>-<NAME>` | `^PRJ-[A-Z0-9-]{1,128}$` |
| Generator | `GEN-<STRATEGY>-<SEQ>` | `^GEN-[A-Z0-9-]{1,24}-[0-9]{3}$` |
| Patch | `PATCH-<SYS>-<SEQ>` | `^PATCH-[A-Z0-9]{2,8}-[0-9]{3}$` |
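As an added example (not part of this specification or of any CFSE tooling), the validator below applies the Quick Reference regexes together with the Naming Conventions, and derives the parent scenario or exploration that an Exploration or Trace ID embeds. It shows why the regex alone is not sufficient: `INV-AWS--S3`, `F-AWS--ACCESS` and `EP--USER-API-CREATE` all match their regex yet the example tables reject them, so the hyphen rules must be checked separately. The function names `validate` and `parent_of` are assumptions, not names from the spec.

```python
import re

# Regexes copied verbatim from the Quick Reference Table above.
PATTERNS = {
    "Concept":     r"^C-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$",
    "Interaction": r"^I-[A-Z0-9]{2,8}-[A-Z]{1,16}-[A-Z]{1,16}-[0-9]{3}$",
    "Flow":        r"^F-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$",
    "Scenario":    r"^S-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}$",
    "Exploration": r"^E-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}-[0-9]{2}$",
    "Trace":       r"^T-[A-Z0-9]{2,8}-[A-Z0-9-]{1,24}-[0-9]{3}-[0-9]{2}-[0-9]{2}$",
    "Finding":     r"^FD-[A-Z0-9]{2,8}-[A-Z]{1,16}-[0-9]{3}$",
    "Predicate":   r"^P-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$",
    "Invariant":   r"^INV-[A-Z0-9]{2,8}-[A-Z0-9-]{1,32}$",
    "Entry Point": r"^EP-[A-Z0-9-]{1,128}$",
    "Projection":  r"^PRJ-[A-Z0-9-]{1,128}$",
    "Generator":   r"^GEN-[A-Z0-9-]{1,24}-[0-9]{3}$",
    "Patch":       r"^PATCH-[A-Z0-9]{2,8}-[0-9]{3}$",
}
COMPILED = {name: re.compile(rx) for name, rx in PATTERNS.items()}


def validate(artifact_id: str):
    """Return (artifact_type, reason); artifact_type is None when invalid."""
    # Naming Conventions first: the regexes accept "INV-AWS--S3" and
    # "EP--USER-API-CREATE" because their NAME classes include "-".
    if artifact_id != artifact_id.upper():
        return None, "Lowercase not allowed"
    if artifact_id.startswith("-") or artifact_id.endswith("-"):
        return None, "Leading/trailing hyphen"
    if "--" in artifact_id:
        return None, "Consecutive hyphens"
    # Prefixes are distinct (E- vs EP-, P- vs PRJ-/PATCH-, I- vs INV-),
    # so at most one pattern can match a conforming ID.
    for name, rx in COMPILED.items():
        if rx.match(artifact_id):
            return name, "ok"
    return None, "No artifact pattern matched"


def parent_of(artifact_id: str):
    """Derive the parent ID embedded in an Exploration or Trace ID."""
    kind, _ = validate(artifact_id)
    if kind == "Exploration":   # E-SYS-THEME-SSS-VV -> S-SYS-THEME-SSS
        return "S" + artifact_id[1:].rsplit("-", 1)[0]
    if kind == "Trace":         # T-SYS-THEME-SSS-VV-NN -> E-SYS-THEME-SSS-VV
        return "E" + artifact_id[1:].rsplit("-", 1)[0]
    return None                 # other artifact types embed no parent
```

Calling `parent_of` twice on a Trace ID walks back to the Scenario, which is how the Scenario, Exploration and Trace sections chain together.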

  • [[02-reference-syntax]] - How to reference artifacts in documentation
  • [[03-formal-logic]] - Logical operators for invariant expressions
  • [[04-field-types]] - Reusable field type definitions