Cryptographic material — algorithm choice, key lifecycle, secret storage, transport, certificate validation, and randomness.
The material layer: the cryptographic primitives, keys, and secrets that other defenses depend on.
In scope. Algorithm choice (broken ciphers, weak hashes, deprecated modes), key generation / rotation / storage, TLS configuration (protocol versions, cipher suites, certificate validation), secrets in source code, secrets in logs, hardcoded credentials, insecure randomness for security-sensitive purposes, certificate pinning, secret-rotation hygiene.
Not in scope. Deciding who may use a key — that's access-control. Encryption-at-rest choice when the primary concern is data loss/correctness rather than exposure — that's data-integrity. Vulnerable crypto library version shipped via a dependency — supply-chain primary with this taxon secondary.
Distinct because. Every defense that builds on crypto collapses if the math or key-handling is wrong. A leaked S3 key is a cryptography-and-secrets defect regardless of who had authorization to use it. A pattern about "MD5 used for password hashing" lives here; a pattern about "password reset flow skipped rate limiting" is access-control.
Conceptual sub-structure. Algorithm choice, key management, transport (TLS), secret exposure.
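Added illustration of two of the defect classes listed above ("MD5 used for password hashing" and "insecure randomness for security-sensitive purposes"), each shown beside its hardened form. This is example code written for this page, not code from the taxonomy's source project; the scrypt work-factor parameters and the `scrypt$N$r$p$salt$digest` storage format are assumptions chosen for the example.

```python
"""Weak vs. hardened handling of two cryptographic-material defects:
unsalted MD5 for password storage, and a non-cryptographic PRNG for tokens.
Example code written for this page; not the taxonomy's own code."""
import hashlib
import hmac
import os
import random
import secrets
from typing import Optional

# ---- Defect: fast, unsalted digest used as a password hash -------------------
def md5_hash_password(password: str) -> str:
    # Same password always yields the same hash, and MD5 is cheap to compute,
    # so precomputed tables and brute force recover passwords quickly.
    return hashlib.md5(password.encode()).hexdigest()


# ---- Hardened: per-user salt + memory-hard KDF (scrypt, stdlib) --------------
# Work-factor parameters are assumed example values; tune for your hardware.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
DKLEN = 32

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)   # CSPRNG salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
        if scheme != "scrypt":
            return False                      # unknown/legacy record: reject
        recomputed = hashlib.scrypt(password.encode(),
                                    salt=bytes.fromhex(salt_hex),
                                    n=int(n), r=int(r), p=int(p), dklen=DKLEN)
    except ValueError:
        return False                          # malformed record
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


# ---- Defect: Mersenne Twister used for a security-sensitive token ------------
def weak_reset_token() -> str:
    # `random` is deterministic given its seed/state; an observer who learns
    # the state (or enough outputs) can reproduce every token it emits.
    return "".join(random.choice("0123456789abcdef") for _ in range(32))


# ---- Hardened: OS-backed CSPRNG via the `secrets` module ---------------------
def reset_token() -> str:
    return secrets.token_hex(16)              # 128 bits of entropy, 32 hex chars


def demo() -> dict:
    """Show the observable differences between the weak and hardened forms."""
    # Weak hash: identical inputs collide in the database.
    md5_same = md5_hash_password("hunter2") == md5_hash_password("hunter2")
    # Hardened hash: salted, so two users with the same password differ.
    h1, h2 = hash_password("hunter2"), hash_password("hunter2")
    # Weak token: reseeding reproduces the "random" token exactly.
    random.seed(12345); t1 = weak_reset_token()
    random.seed(12345); t2 = weak_reset_token()
    return {
        "md5_collides_across_users": md5_same,
        "scrypt_records_differ": h1 != h2,
        "scrypt_verifies": verify_password("hunter2", h1),
        "scrypt_rejects_wrong": verify_password("hunter3", h1),
        "weak_token_reproducible": t1 == t2,
        "strong_tokens_differ": reset_token() != reset_token(),
    }

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The `hash_password` record embeds its own parameters so the work factor can be raised later and old records re-hashed on next login; `verify_password` rejects anything that is not a recognised scrypt record rather than silently falling back to MD5.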