HeadlinesBriefing.com

Offense vs Defense Epistemology in Security

Source: DEV Community

A new framework explains why attackers and defenders operate in incompatible knowledge systems. Offense seeks partial truth to act, while defense demands stable truth to trust. This divergence creates a gap where traditional tools fail, as they map the intended system, not the latent one where actual risk lives.

The model contrasts exploration with enumeration, fluid configurations with static assumptions, and consequence with compliance. Attackers map what a system *can* do; defenders map what it *should* do. This epistemic mismatch explains why detection tools optimized for alerts often miss narrative-based attacks and why security fails for SMBs with resource constraints.

For security engineers, this means treating documentation as a hypothesis and validating through real-world outcomes, not just policy alignment. The framework argues effective defense requires seeing the environment like an attacker while maintaining operational responsibility. It's a sociotechnical approach, acknowledging that human shortcuts and configuration drift are predictable, not failures.
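One way to put "documentation as a hypothesis" into practice is to treat the documented baseline as a prediction and test it against what a host actually exposes. The script below is an added example, not code from the original article or the framework it summarizes; the intended and observed inventories are constructed sample data, and the category names (`listening_ports`, `sudoers`, `cron_jobs`) are assumptions chosen for illustration. It separates the two views the summary contrasts: `compliance_passes` answers the defender's question (is everything the document requires present?), while `latent_capabilities` answers the attacker's (what can the system do that nobody wrote down?).

```python
"""Intended-vs-observed drift check.

The documented baseline (INTENDED) is treated as a hypothesis about the host.
OBSERVED stands in for what an inventory run found. Both are constructed
sample data for this example.
"""

# Constructed: what the runbook says the host should expose.
INTENDED = {
    "listening_ports": {22, 443},
    "sudoers": {"deploy"},
    "cron_jobs": {"/opt/app/backup.sh"},
}

# Constructed: what an inventory actually returned after months of drift.
OBSERVED = {
    "listening_ports": {22, 443, 8080},
    "sudoers": {"deploy", "jenkins"},
    "cron_jobs": {"/opt/app/backup.sh", "/tmp/cleanup.sh"},
}


def drift(intended, observed):
    """Per-category comparison of the documented and the real system.

    'latent'  = present on the host but absent from the document
                (the attacker's map: what the system *can* do).
    'missing' = required by the document but absent from the host
                (the hypothesis is stale in the other direction).
    """
    report = {}
    for key in intended.keys() | observed.keys():
        want = set(intended.get(key, set()))
        have = set(observed.get(key, set()))
        report[key] = {"latent": have - want, "missing": want - have}
    return report


def compliance_passes(report):
    """The enumeration view: every documented item exists. Says nothing
    about what else exists, which is why a passing score can coexist
    with real exposure."""
    return all(not entry["missing"] for entry in report.values())


def latent_capabilities(report):
    """The exploration view: everything the host can do that the document
    never predicted. Non-empty means the map and the territory disagree."""
    return {k: v["latent"] for k, v in report.items() if v["latent"]}


def summarize(intended, observed):
    """Return both verdicts side by side so the gap between them is visible."""
    report = drift(intended, observed)
    return {
        "compliant": compliance_passes(report),
        "latent": latent_capabilities(report),
    }


if __name__ == "__main__":
    result = summarize(INTENDED, OBSERVED)
    print("compliance check passes:", result["compliant"])
    for category, items in result["latent"].items():
        print(f"undocumented {category}: {sorted(map(str, items))}")
```

Run as-is, the compliance check passes (every documented port, sudoer and cron job is present) while three undocumented capabilities are reported. That is the mismatch the article describes: a policy-alignment check and a consequence-oriented check can disagree on the same host, and only the second one sees where the risk lives. In practice the `OBSERVED` dictionary would be populated from real inventory output (socket listings, sudoers parsing, crontab dumps), and the report would be diffed over time so that drift is detected as it happens rather than discovered after the fact.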