If you want to move from finding vulnerabilities to constructing exploit paths, you need a layer between weakness labels and final outcomes.
Not just bug classes. Not just end states. A working middle layer.
That layer includes capability families such as disclosure, reference control, data influence, state corruption, execution influence, authorization bypass, sphere crossing, and sequencing manipulation.
These are not final taxonomic truths. They are working operational categories.
They matter because they let you move from 'there is a weakness here' to 'this changes the reachable state space in these ways.'
That still is not the whole model. Primitive family is not the same as path role, and neither is the same as outcome class.
Apache HTTP Server makes that distinction clearer: reference control and disclosure describe the primitive families, foothold and leverage gain describe the path role, and execution is the higher-value outcome class if the route survives validation.
Patterns help propose routes, but patterns alone are not enough. Validation is what tells you whether the route survives reality.
That is why the real loop is not primitives, patterns, done. It is primitives, candidate paths, validation, pruning, and refinement.
The middle layer is where exploit-path thinking stops being a metaphor and starts becoming a system.