Map each control to an attack or recovery stage
Phishing, stolen credentials, exposed services, lateral movement, data theft, encryption, and backup disruption require different controls. A page should identify the stage and evidence behind each defense claim.