Index

References are by chapter and section number.

802.11w (Protected Management Frames, PMF) — 8.4, 8.6
802.1X — 7.4, 8.3, 8.6

A

A record (DNS) — 9.1
AAL (authenticator assurance level) — 16.1, 16.7
access certification — 18.5, 18.6
access control list (ACL) — 7.1, 7.2, 17.6
access control list (ACL, S3 bucket) — 15.4
access control matrix — 17.6
access control model — 17.2
access recertification — 17.4, 17.6
access review — 17.4, 17.6, 18.5, 18.6
account recovery (as attack surface) — 16.7
account takeover (ATO) — 16.6
accounting (AAA) — 3.2, 17.1
ACME protocol (automated certificate management) — 20.4
acquisition (forensic) — 25.2
Actions on Objectives (kill-chain stage) — 2.3, 2.5
Active Directory (AD) — 18.2
advanced persistent threat (APT) — 2.1, 2.5
adversarial machine learning — 34.4
adversary-in-the-middle (AITM) — 16.3, 16.4
AEAD (authenticated encryption) — 5.3
AES (Advanced Encryption Standard) — 4.2, 4.3
AES-CCMP — 8.2
AES-GCM (authenticated encryption) — 4.2, 4.7
AI-enabled attack — 34.5
air gap (myth and reality) — 33.2, 33.6
alert fatigue — 21.5
alignment (DMARC) — 9.4
allowlisting (positive validation) — 12.3
analyst burnout (organizational) — 37.4, 37.6
annualized loss expectancy (ALE) — 27.3
annualized rate of occurrence (ARO) — 27.3
anomaly detection — 7.3, 7.6, 34.1, 34.2, 34.6
anomaly-detection pipeline — 34.2
anti-CSRF token (synchronizer token) — 13.4
anti-forensics — 25.6
API key — 20.1, 20.5, 20.6
AppArmor — 11.3
application allowlisting — 11.5
application security — 12.1
AppLocker — 11.5
AppSec (application/product security) — 39.2
Argon2id — 16.2, 16.7
ARP spoofing — 6.3, 6.5
artifact — 28.4, 28.5
artifact signing — 31.4, 31.5
asset — 1.2, 1.6
asset value (AV) — 27.3
assume breach — 3.5
asymmetric encryption — 4.3, 4.5
attack surface — 1.3
attack surface (network) — 6.1, 6.3
attack surface management — 23.1
attack surface reduction — 11.1
attack technique (ATT&CK) mapping — 22.4, 22.6
attack vector — 2.3, 2.5
attestation — 28.2
attestation (access) — 18.5
attribute-based access control (ABAC) — 17.2, 17.5
audience restriction (SAML/OIDC) — 18.3
audit — 28.5
audit-readiness workflow — 28.5
authenticated encryption (AEAD) — 4.2
authenticated scan (credentialed) — 23.2
authentication — 3.2
authentication (vs. identification/authorization) — 16.1
authentication factor — 16.1
authentication server (802.1X) — 7.4
authentication vs. authorization — 17.1
authenticator (802.1X) — 7.4
authenticity (guarantee) — 4.1, 4.5
authorization — 3.2, 17.1
authorization (the ethical/legal line) — 39.5
automation (SOC) — 37.2, 37.4
availability — 3.1
awareness.py (bluekit) — 30.7

B

B = MAP (Fogg behavior model) — 30.2
base rate (false positives) — 34.3
base-rate problem — 7.6
baseline (network) — 10.4, 10.5
baseline (per-entity) — 34.2, 34.6
baseline (security findings) — 31.3
baseline configuration — 11.1, 11.7
bash_history (artifact) — 25.4
bastion host — 7.5
bcrypt — 16.2
beacon_score (bluekit) — 10.5, 10.7
beaconing — 10.1, 10.4, 10.5
beaconing (C2), hunting for — 22.4, 22.5
BEC (business email compromise) — 9.3, 9.6
behavior vs. knowledge — 30.1, 30.2
behavioral detection — 2.4, 2.5, 21.3, 22.2, 22.4
behavioral detection (vs. indicators, case application) — 40.2, 40.4
benchmark — 36.1, 36.5
biometrics — 16.5
birthright access — 18.4
blameless postmortem — 24.6
block cipher — 4.2
blue team (defensive operations) — 39.1, 39.2
BlueBorne — 8.5
Bluetooth — 8.5
board oversight — 26.4
board presentation — 38.5, 38.7
board reporting / board metrics pack — 36.5, 36.6
breach analysis (how to read a breach) — 40.1
breach shapes (weaponized trust / forgotten door / invisible dependency) — 40.5
breach stress-test (Meridian readiness) — 40.7 (Project Checkpoint)
breached-password screening — 16.2, 16.6, 16.7
break-glass account — 19.2, 19.6
broken access control (OWASP A01) — 12.2
budget justification — 38.4
build compromise vs source compromise — 31.4
build vs buy (SOC) — 37.2
building management system (BMS) — 33.1
business case — 38.4, 38.7
business email compromise (BEC) — 30.6, case-study-02
BYOD — 14.3

C

cache poisoning — 9.1
capability — 17.6
capability (of a threat actor) — 2.1
capstone tracks (SOC/Engineer/GRC) — 38.6
captive portal — 8.6
capture the flag (CTF) — 39.4
cardholder data environment (CDE) — 6.4, 6.6, 28.3, 28.5
career changer (path into security) — 39.1
career ladder — 39.6
career ladder (SOC) — 37.3
CBC mode — 4.2
centralized vs distributed security — 37.1
certificate authority (CA) — 4.6
certificate authority (CA, internal) — 20.4
certificate lifecycle — 5.6
certificate lifecycle management — 20.4
certificate pinning — 5.6
certificate revocation list (CRL) — 20.4
Certificate Transparency — 20.4
Certificate Transparency (CT) — 5.6
certification — 28.2
chain of command — 24.2
chain of custody — 25.3
chain of trust — 4.6
CI/CD pipeline — 31.1, 31.2
CIA triad — 1.5, 3.1
cipher suite — 5.3
ciphertext — 4.1
CIS Benchmark — 11.1
CIS Benchmark levels (Level 1 / Level 2) — 11.1
CISA Zero Trust Maturity Model — 32.6
CISO (path to) — 39.6
CISO reporting line — 37.1
click rate — 30.4
clock skew — 25.5
cloud IAM — 15.3
cloud misconfiguration — 15.4
cloud security (specialization) — 39.2
cloud security baseline — 15.7
cloud security posture management (CSPM) — 15.5
cloud workload protection (CWPP) — 15.5
CloudTrail — 15.6
CNAME record — 9.1
COBO (Corporate-Owned, Business-Only) — 14.3
coefficient of variation (beacon detection) — 10.5, 10.7
collection (log) — 21.2
collision (hash) — 4.4, 4.5
Colonial Pipeline (DarkSide) — case study — 40.3
Colonial Pipeline (IT/OT boundary) — 33.0, 33.6
Colonial Pipeline (ransomware) — 2.5
command and control (C2) — 2.3, 2.5
command injection — 13.2
command-and-control (C2) — 10.1, 10.5
commoditization (threat evolution) — 35.1
Common Information Model (CIM) — 21.2
common schema — 21.2
communications plan (incident) — 24.2
compensating control — 3.3, 23.4, 23.5
compensating control (for unpatchable systems) — 11.6
compensating control (OT) — 33.4
compliance (as a floor) — 1.6
compliance (definition) — 28.1
compliance is the floor (not the ceiling) — 28.6
compliance.py (bluekit) — 26.7
Computer Fraud and Abuse Act (CFAA) — 39.5
concentration risk — 29.1, 29.6
conditional access — 14.2
Conditional Access (Entra ID) — 18.2
confidentiality — 3.1
confidentiality (guarantee) — 4.1
conn.log (Zeek) — 10.3, 10.5
container (cloud, introduced) — 15.1, 15.5
container image scanning — 31.3
containerization — 14.3
containment — 24.4
containment, long-term — 24.4
containment, short-term — 24.4
content security policy (CSP) — 13.3, 13.6
Content-Security-Policy (CSP) — 9.5
context-aware access — 32.3
continuing professional education (CPE) — 39.5
continuous improvement (SOC) — 37.5
continuous integration / continuous delivery (CI/CD) — 31.2
continuous vendor monitoring — 29.2, 29.5
continuous verification — 32.2, 32.3
contractual security requirements — 29.4
control (security control) — 1.2
control coverage — 36.3, 36.6
control failure modes (absent / misconfigured / working-but-unwatched) — 40.1
control framework — 3.7
control mapping — 28.4
control owner — 26.4
control plane / data plane (zero trust) — 32.4
control prioritization — 38.3
control types (function × nature) — 3.3
cookie attributes (Secure/HttpOnly/SameSite) — 9.5
COPE (Corporate-Owned, Personally Enabled) — 14.3
corrective control — 3.3
correlation (detection) — 7.6
correlation ladder — 21.3
correlation rule — 21.3
cost of doing nothing — 38.4
cost-benefit of a safeguard — 27.3
coverage (awareness) — 30.4
coverage (framework, policy_coverage) — 26.3, 26.7
coverage (scan) — 23.6
coverage map (ATT&CK heatmap) — 22.6
credential harvesting — 19.1, 19.4
credential stuffing — 16.6
credential vaulting — 19.2
critical infrastructure — 33.1
CRL (certificate revocation list) — 4.6, 5.6
cross-case lessons matrix — 40.5
cross-site request forgery (CSRF) — 13.4
cross-site scripting (XSS) — 13.3
cross-source correlation — 21.3
crossover error rate (CER) — 16.5
crosswalk — 28.4
crosswalk (preview) — 26.3
crypto-agility — 35.5
crypto-inventory — 35.5
cryptographic failures (OWASP A02) — 12.2
CTAP (client to authenticator protocol) — 16.4
CVE (Common Vulnerabilities and Exposures) — 23.3
CVSS (Common Vulnerability Scoring System) — 23.3
CWE (Common Weakness Enumeration) — 12.2
cyber kill chain — 2.3
cybercriminal — 2.1
cybersecurity (definition) — 1.1, 1.2
CycloneDX (SBOM format) — 29.3
CYOD (Choose Your Own Device) — 14.3

D

dashboard (executive vs. operational) — 36.2
dashboard (operational vs. executive) — 21.6
DAST (dynamic application security testing) — 12.5
data at rest — 5.1, 5.5
data exfiltration (network) — 10.4, 10.5
data exhaust — 36.1
data in transit — 5.1, 5.2
data lake — 21.6
data poisoning — 34.4
data residency — 29.4
data-versus-code boundary — 13.1, 13.2, 13.3
database encryption — 5.5
deauthentication attack — 8.4
deepfake — 35.4
deepfake (voice/video fraud) — 34.5
default credentials — 14.4
default install (risks of) — 11.1
default-allow — 7.2
default-deny — 3.4, 6.4, 6.6, 7.2
default-deny (east-west) — 32.5
Defender (Microsoft) — 11.2
Defender Attack Surface Reduction (ASR) rules — 11.2
defender's mission (closing) — 40.6, 40.7
defense in depth — 1.3, 1.6, 3.5
defense in depth (assembled) — 38.2
demilitarized zone (DMZ) — 6.4, 6.6
denial of service (DoS) — 6.3, 6.5
denylisting — 12.3
dependency confusion — 35.3
dependency risk — 12.4
deployment rings (patching) — 11.6
deprovisioning — 18.4, 18.6
detection and analysis (IR phase) — 24.3
detection coverage — 22.6
detection coverage (as management metric) — 37.5, 37.7
detection coverage (ATT&CK) — 36.3
detection engineering — 22.1, 22.4
detection-as-code — 21.3, 22.4
detective control — 3.3
development plan (personal) — 39.7
device explosion — 14.1
device posture — 32.3
device segmentation — 14.5, 14.6
DevSecOps — 31.1
DGA (domain generation algorithm) — 9.1, 9.6
digital forensics (DFIR) — 25.1
digital signature — 4.5, 4.6
direct dependency — 12.4
directory service — 18.2
discretionary access control (DAC) — 17.2
disk image / imaging — 25.2
distributed control system (DCS) — 33.2
distributed denial of service (DDoS) — 6.5
DKIM (DomainKeys Identified Mail) — 9.4
DMARC (Domain-based Message Authentication, Reporting, and Conformance) — 9.4
DMARC aggregate report — 9.4, 9.6
DNS (Domain Name System) — 9.1
DNS exfiltration — 9.1, 9.6
DNS over HTTPS (DoH) / DNS over TLS (DoT) — 9.2
DNS poisoning — 9.1
DNS resolution — 9.1
DNS sinkhole — 9.2
DNS tunneling — 9.1, 9.6
DNS tunneling (detection) — 10.5
DNSSEC (DNS Security Extensions) — 9.2
document hierarchy — 26.2
DOM-based XSS — 13.3
domain admin (escalation to) — 19.1
domain controller — 18.2
door-opener (certification as) — 39.3
double extortion — 2.5, 24.5, 35.2
downgrade attack — 5.2, 5.3
Dragonblood (WPA3 implementation flaws) — 8.2
drift (configuration) — 11.1, 11.7
drift (model) — 34.1
DS / DNSKEY / RRSIG records — 9.2
dual control — 3.4
duty of care — 27.6
dwell time — 25.6
dynamic secret — 20.2

E

EAP (Extensible Authentication Protocol) — 8.3
EAP-TLS — 8.3, 8.6
east-west traffic — 6.4, 7.5
east-west traffic (monitoring) — 10.5, 10.6
ECB mode — 4.2, 4.7
ECDSA — 4.5
EDR vs. antivirus — 11.5
ego (motivation) — 2.2
egress filtering (SSRF defense) — 13.4
Elastic Common Schema (ECS) — 21.2
elliptic-curve cryptography (ECC) — 4.3
embedded device — 14.1
emerging-threat watch — 35.6
encapsulation — 6.1
encryption at rest (cloud, shared responsibility) — 15.2
endpoint detection and response (EDR) — 11.5
engineer-to-architect transition — 39.6
Enhanced Open (Opportunistic Wireless Encryption, OWE) — 8.2, 8.6
enterprise access model — 19.4
Entra ID (Azure AD) — 18.2
entropy (key) — 4.7, 4.8
entropy (password) — 16.2
envelope sender (MAIL FROM / Return-Path) — 9.4
EPSS (Exploit Prediction Scoring System) — 23.3
Equifax (CVE-2017-5638) — case study — case-study-01
eradication — 24.4
escalation ladder (foothold to domain admin) — 19.1
escalation runbook — 37.4
espionage (motivation) — 2.2
event vs. incident — 24.1
evidence (audit) — 28.5
evidence integrity (hashing) — 25.2
evil twin — 8.4
exception (risk acceptance) — 23.4, 23.5
exception drift (permanent "temporary" exception) — 23.4, 23.5
exception process (policy) — 26.5
executive metrics — 36.2
Executive Order 14028 — 29.3
experience paradox — 39.4
expired certificate (detection blinded) — case-study-01
expired-certificate outage — 20.4
explainability — 34.1, 34.2
exploit — 1.2
exposure factor (EF) — 27.3

F

fail-closed (fail-safe authorization) — 17.5
fail-open — 3.4
fail-safe default — 3.4
fail-safe default (on the wire) — 7.2
FAIR (Factor Analysis of Information Risk) — 27.2
false negative — 7.6, 21.5, 22.6, 34.3
false positive — 7.6, 21.5
false-positive tradeoff — 34.3
FAR (false acceptance rate) — 16.5
federation — 18.3
fidelity (vs. coverage) — 21.5
FIDO2 — 16.4
field device (sensor/actuator) — 33.2
FileVault — 11.4
FIPS 203 (ML-KEM) — 35.5
FIPS 204 (ML-DSA) — 35.5
FIPS 205 (SLH-DSA) — 35.5
firewall — 7.1
firewall (perimeter/internal) — 6.4, 6.6
firewall rule ordering (first match wins) — 7.2
firmware — 14.1, 14.4
five recurring themes (revisited / synthesis) — 40.6
flow data — 10.4
forensic artifact — 25.4
forensic readiness — 25.1, 25.6
forgetting curve — 30.1
forward secrecy — 5.3
four board questions — 36.5, 36.6
four-way handshake — 8.2
fourth-party risk — 29.1
FRR (false rejection rate) — 16.5
full packet capture vs flow — 10.1, 10.4
full-disk encryption (BitLocker/LUKS) — 5.5

G

gap analysis (control-driven identification) — 27.2
gap assessment — 28.5
Gatekeeper — 11.4
GDPR — 28.3
GLBA Safeguards Rule (third-party oversight) — 29.6
Goodhart's law (metric gaming) — 36.3
governance framework — 26.3
governance vs. management — 26.1
governance, risk, and compliance (GRC) track — 39.1, 39.2
Group Policy — 11.2
guardrail (vs. gate) — 15.4, 15.5
guardrails vs gates — 31.5
guideline — 26.2

H

hacktivist — 2.1
hardening — 11.1
hardware security key — 16.4
harvest-now-decrypt-later — 5.3, 35.5
hash function — 4.4
HIPAA — 28.3
HIPAA Security Rule — 28.3
HMAC — 4.5
HMI (human-machine interface) — 33.2
home lab — 39.4
horizon scanning — 35.1, 35.6
host-based firewall — 11.1, 11.7
HSM (applied to vaults and CA keys) — 20.2, 20.4
HSM (hardware security module) — 5.6
HSTS — 5.2, 5.7
HSTS (HTTP Strict Transport Security) — 9.5
HTTP security headers — 9.5
HttpOnly (cookie flag) — 13.5
human firewall — 30.0 (Overview), 30.5
hunt loop (six steps) — 22.5
hybrid (co-managed) SOC model — 37.2
hybrid encryption — 4.3
hybrid identity (AD/Entra sync) — 18.2, 18.6
hypothesis-driven hunting — 22.5

I

IaaS (Infrastructure as a Service) — 15.1
IaC scanning — 31.3
IAM policy (cloud) — 15.3
IAM role — 15.3
IAM role (workload identity) — 20.3
ICS (industrial control system) — 33.2
ID token (JWT) — 18.3
identity and access management (IAM) program — 18.1
identity as the perimeter — 32.3
identity governance and administration (IGA) — 18.1, 18.6
identity lifecycle (joiner-mover-leaver, JML) — 18.4
identity provider (IdP) — 18.3
identity-based segmentation — 32.5
IDMZ (industrial demilitarized zone) — 33.3
IDS (intrusion detection system) — 7.3
IMDSv2 (instance metadata hardening) — 15.4
impact — 1.4
implicit trust zone — 32.1
impossible travel (detection) — 16.6
in-line vs out-of-band placement — 7.3
incident commander — 24.2
incident commander (as leadership) — 37.6
incident response (IR) — 24.1
incident-response plan — 24.2
indicator of compromise (IoC) — 2.5
indicator of compromise (IoC), in detection — 22.2
indicator scoping — 25.6
indicator-based detection — 22.2
influence principles (Cialdini) — 30.2
information security management system (ISMS) — 26.3
infrastructure as code (IaC) — 31.3
inherent risk — 27.4
initial access broker — 2.1, 35.1, 35.2
initialization vector (IV) — 4.2, 4.7
initialization vector (IV) reuse (WEP) — 8.2
injection (OWASP A03) — 12.2, 12.3
input validation — 12.3
insecure design (OWASP A04) — 12.2, 12.6
insecure direct object reference (IDOR) — 12.2, 12.6
insider (threat actor) — 2.1
insider threat — 30.5
instance metadata endpoint (cloud, SSRF target) — 13.4
instance metadata service (169.254.169.254) — 15.4
integrity — 3.1
integrity (guarantee) — 4.1, 4.4
inter-arrival time (beaconing) — 10.5
ioc_match (bluekit) — 22.7
IoT (Internet of Things) — 14.1
IP spoofing — 6.3, 6.5
IPS (intrusion prevention system) — 7.3
IPsec — 5.4
ISO/IEC 27001 — 26.3, 28.2
ISO/IEC 27005 — 27.1
IT/OT boundary (incident decision-making) — 40.3

J

jailbreak — 14.2
jitter (beacon evasion) — 10.5
joiner — 18.4
jump host — 7.5
just-in-time (JIT) access — 19.3
just-in-time training — 30.2

K

k-anonymity (breach check) — 16.7
Kerberos — 18.2
Kerckhoffs's principle — 4.1
KEV (Known Exploited Vulnerabilities catalog) — 23.3
key (cryptographic) — 4.1
key management — 4.7, 4.8, 5.5, 5.6
key performance indicator (KPI) — 36.1
key risk indicator (board KRI) — 38.5
key risk indicator (KRI) — 36.1
key-distribution problem — 4.2, 4.3
knowledge factor (something you know) — 16.1
KQL (Kusto Query Language) — 21.4
KRACK (key reinstallation attack) — 8.2
krbtgt reset — 24.4, 24.5

L

LAPS (Local Administrator Password Solution) — 11.2, 19.2
lateral move (career) — 39.2
lateral movement — 6.4, 6.6, 7.5, 19.1
lateral movement (and zero trust) — 32.1, 32.5
lateral movement (detection) — 10.5
LDAP — 18.2
learning culture — 37.5, 37.6
least functionality — 11.3
least privilege — 3.4
least privilege (applied to access) — 17.4
least privilege (cloud IAM) — 15.3
least privilege (in the time dimension) — 19.3
least privilege on the wire — 7.2
least-privilege session — 32.2, 32.3
leaver — 18.4
legal hold — 25.3
legal soundness / admissibility — 25.3
lessons learned — 24.6
likelihood — 1.4
live capture vs. power-off — 25.2
living off the land — 2.2, 2.5, 11.2
living-off-the-land — 35.1, 35.2, 35.3
LLM in the SOC — 34.5
LLM security — 34.5
log clearing (detection) — 21.1, 21.3
log clearing (Event ID 1102) — 25.4, 25.6
log retention — 21.1, 21.6
log source — 21.1, 21.2
log source priority — 21.2
Log4Shell (CVE-2021-44228) — 12.4, 23.1, 23.3, 29.3, case study — 40.4
logon restrictions (tier enforcement) — 19.4
logs as ground truth — 21.1
loss avoided (framing) — 38.4

M

MAC Authentication Bypass (MAB) — 7.4
MAC flooding — 6.3, 6.5
machine identity — 20.1
machine-generated phishing — 34.5
macOS hardening (enterprise) — 11.4
maker-checker workflow — 17.6
man-in-the-middle (MITM) — 6.5
managed service account (gMSA) — 20.3
mandatory access control (MAC) — 11.3, 17.2
mandatory regime — 28.1, 28.3
master file table ($MFT) — 25.4
maturity model (security) — 36.4
MD5 (deprecated) — 4.4, 4.7
MDM (for macOS hardening) — 11.4
MDR (Managed Detection and Response) — 37.2
mean time to detect (MTTD) — 21.6, 24.6, 36.3
mean time to remediate (MTTR) — 23.6
mean time to respond (MTTR) — 21.6, 36.3
mean time to respond/recover (MTTR) — 24.6
median (vs. mean, in metrics) — 36.3
memory imaging / capture — 25.2
metrics pyramid — 36.2
microsegmentation — 7.5
microsegmentation (revisited) — 32.5
Mirai botnet — (case study 2)
mitigation (vs. patching) — 23.1, 23.4, 23.5
MITRE ATLAS — 34.4
MITRE ATT&CK — 2.4
MITRE ATT&CK for ICS — 33.5
mobile app sandboxing — 14.2
mobile device management (MDM) — 14.2
mode of operation — 4.2
model evasion — 34.4
motivation (of a threat actor) — 2.1, 2.2
mover — 18.4
MSSP (Managed Security Service Provider) — 37.2
mTLS (applied, workload-to-workload) — 20.3
multi-factor authentication (MFA) — 16.1, 16.3
mutual TLS (mTLS) — 5.6
MX record — 9.1

N

NAT (network address translation) — 6.4
nation-state — 2.1
NetFlow/IPFIX — 10.4
network access control (NAC) — 7.4
network baseline — 10.4
network detection and response (NDR) — 10.6
network security monitoring (NSM) — 10.3
network tap — 33.5
never-fixed vulnerability — 23.5
next-generation firewall (NGFW) — 7.1
NFC (Near Field Communication) — 8.5
NIST 800-63B — 16.1, 16.2
NIST AI Risk Management Framework — 34.7
NIST CSF — 28.2
NIST CSF functions (as program structure) — 38.2
NIST CSF Implementation Tiers — 36.4
NIST Cybersecurity Framework (CSF) 2.0 — 26.3
NIST SP 800-207 — 32.2
NIST SP 800-30 — 27.1
NIST SP 800-37 (Risk Management Framework) — 27.1
NIST SP 800-39 — 27.1
NIST SP 800-61 lifecycle — 24.2
no-blame / just culture — 30.5
non-human identity problem — 20.1
non-repudiation — 3.2, 4.1, 4.5
nonce — 4.2, 4.7
normalization — 21.2
north-south traffic — 6.4
NTP (time synchronization) — 21.1, 21.2
nudge — 30.2
number matching — 16.3
NXDOMAIN — 9.1, 9.6

O

OAuth 2.0 — 18.3
OCSF (Open Cybersecurity Schema Framework) — 21.2
OCSP — 5.6
OCSP (online certificate status protocol) — 4.6
OCSP (Online Certificate Status Protocol) — 20.4
OCSP stapling — 5.6
offboarding (vendor) — 29.2
offense/defense asymmetry — 1.3
on-call and escalation — 37.4
OpenID Connect (OIDC) — 18.3
operational metrics — 36.2
operational threat intelligence — 22.3
order of volatility — 25.2
org design (security) — 37.1
origin binding — 16.4
orphaned account — 18.5, 18.6
OSI model — 6.1
OT (operational technology) — 33.1, 33.2
OT priority inversion (safety/availability first) — 33.1
OT/IT convergence — 33.1, 33.6
out-of-band communications — 24.2
out-of-band privileged logon (detection) — 19.6
out-of-band verification — 34.5
output encoding — 12.3
output encoding (output escaping) — 13.3
OWASP Top 10 — 12.2
OWASP Top 10 for LLM Applications — 34.5
ownership models (BYOD/COPE/CYOD/COBO) — 14.3

P

PaaS (Platform as a Service) — 15.1
packet — 6.1
packet capture (PCAP) — 10.2
parameterized query — 12.3
parameterized query (prepared statement) — 13.2
parsing — 21.2
pass-the-hash — 19.1
passive OT monitoring — 33.5
passive scanning / discovery — 23.2
passkey (device-bound vs. synced) — 16.4
password hashing — 16.2
password rotation — 19.2
password spraying — 16.6
password storage — 4.4
patch management (host) — 11.6
patch management (vs. vulnerability management) — 23.1
patch SLA — 23.4
patched vs. hardened — 11.1
patching — 11.6
payload — 2.3
PCI-DSS — 28.3
PEAP — 8.3
people, process, and technology — 1.7
perimeter model — 3.6
permission — 17.2, 17.3
phishing — 9.3
phishing funnel — 30.4
phishing simulation — 30.3
phishing-resistant MFA — 16.4
pipeline integrity — 31.4
pivot (scoping) — 25.6
pktflow.py (bluekit) — 10.7
plaintext — 4.1
playbook — 24.2
PLC (programmable logic controller) — 33.2
policy — 26.2
policy (access) — 17.2
policy administration point (PAP) — 17.5
policy administrator (PA) — 32.4
policy as code — 31.5
policy decision point (PDP) — 17.5
policy decision point (PDP, in zero trust) — 32.4
policy enforcement point (PEP) — 17.5
policy enforcement point (PEP, in zero trust) — 32.4
policy engine (PE) — 32.4
policy information point (PIP) — 17.5
policy lifecycle — 26.5
policy set (coherent) — 26.6
port — 6.2
port mirroring (SPAN) — 10.6
port scan — 6.2, 6.3
portfolio (security) — 39.4
possession factor (something you have) — 16.1
post-incident activity — 24.6
post-quantum cryptography (PQC) — 35.5
PowerShell logging (script-block) — 11.2
pre-commit hook — 31.2, 31.3
pre-shared key (PSK) — 8.2, 8.3
precision (positive predictive value) — 34.3
Prefetch — 25.4
preventive control — 3.3
privilege creep — 3.4, 17.4
privilege creep (identity) — 18.4, 18.5
privilege escalation (local) — 19.1
privileged access management (PAM) — 19.1
privileged access workstation (PAW) — 19.4
privileged account — 19.1
privileged group (detection on changes) — 19.6
Privileged Identity Management (PIM) — 19.3
procedure — 26.2
procedure (ATT&CK) — 2.4
professional ethics (security) — 39.5
program governance (synthesis) — 38.1, 38.6
program-on-a-page — 38.2
program_dashboard (bluekit) — 38.7 (Project Checkpoint)
prompt injection — 34.5
provenance (software) — 29.3
provenance (verified at deploy) — 31.4, 31.5
provisioning — 18.4
public bucket / public object storage — 15.4
public key infrastructure (PKI) — 4.6
public/private key pair — 4.3
Purdue model (levels 0–5) — 33.3
purple teaming — 37.5
push fatigue (MFA fatigue) — 16.3
pyramid of pain — 22.2

Q

qualitative risk analysis — 27.2
quantitative risk analysis — 27.2, 27.3
quantum threat (to cryptography) — 35.5
quarantine VLAN — 7.4

R

RACI — 26.4
RADIUS — 7.4, 8.3
rainbow table — 4.4
rainbow table (precomputation) — 16.2
randomness (CSPRNG) — 4.7
ransom-payment decision — 24.5
ransomware — 2.5
ransomware / critical infrastructure (case payoff) — 40.3
ransomware resilience — 35.2
ransomware-as-a-service (RaaS) — 35.2
reachability equals control — 33.2, 33.3
recall — 34.3
reconnaissance (kill-chain stage) — 2.3
recovery — 24.4
recursive resolver — 9.1
red team (offensive security) — 39.1, 39.2
reference monitor — 17.5
Referrer-Policy — 9.5
reflected XSS — 13.3
registry (forensic) — 25.4
regulatory notification (36-hour banking) — 24.2, 24.5
reopen rate — 36.3
report phishing button — 30.2, 30.5
report rate — 30.4
reporting culture — 30.5
reproducible builds — 31.4
residual risk — 1.2
residual risk (formalized) — 27.4
residual risk vs appetite — 38.4, 38.5
responsible disclosure — 39.5
retention (flow/Zeek/PCAP) — 10.4, 10.6
retention (security talent) — 37.3
review cadence (review date) — 26.5
revocation (certificate) — 4.6
right to audit — 29.4
risk — 1.2, 1.4
risk acceptance — 27.4
risk appetite — 27.5
risk appetite (intro) — 26.4
risk appetite (metrics vs.) — 36.5
risk assessment — 27.1
risk avoidance — 27.4
risk burn-down — 36.5, 36.6
risk management — 27.1
risk matrix (heat map) — 27.2
risk mitigation — 27.4
risk owner — 27.5
risk register — 1.6, 27.5
risk tolerance — 27.5
risk transfer — 27.4
risk treatment — 27.4
risk × cost (prioritization) — 38.3
risk-based alerting — 21.5
risk-based patch timelines — 11.6
risk-based prioritization — 1.4, 23.3
risk-reduction per cost (ratio) — 38.3
roadmap phasing — 38.3
robust statistics (median/MAD) — 34.2, 34.4
rogue access point — 8.4
role — 17.2, 17.3
role engineering — 17.3
role explosion — 17.3
role hierarchy — 17.3
role-based access control (RBAC) — 17.2, 17.3
role-based awareness tailoring — 30.6
root (rooting) — 14.2
root-cause analysis — 24.6, 25.6
RSA — 4.3, 4.5
RTU (remote terminal unit) — 33.2
rule justification register — 7.2
runbook — 24.2
runbook-driven operations — 37.4

S

S3 Block Public Access — 15.4, 15.5
SaaS (Software as a Service) — 15.1
SAE (Simultaneous Authentication of Equals, Dragonfly) — 8.2
safety instrumented system (SIS) — 33.4, 33.6
salt — 4.4
salt (password) — 16.2
same-origin policy (SOP) — 13.4
SameSite (cookie attribute) — 13.4, 13.5
SAML — 18.3
SAML assertion — 18.3
SAST (static application security testing) — 12.5
SBOM (software bill of materials) — 23.1, 23.6, 29.3
SBOM (software bill of materials, introduced) — 12.4
SCA (software composition analysis) — 12.4, 12.5
SCADA — 33.2
scanning safely (throttle, schedule) — 23.2
SCIM — 18.4, 18.6
scope (compliance) — 28.3, 28.5
scope reduction — 28.3, 28.5
scoping (incident) — 24.3
script kiddie — 2.1
scrypt — 16.2
seccomp — 11.3
secret — 20.1
secret leak — 20.2, 20.5
secret scanning — 20.5
secret sprawl — 20.2
secrets in code — 12.4
secrets management — 20.2
secrets management standard (Meridian) — 20.6
secrets scanning (in CI) — 31.3
secrets vault — 20.2
Secure (cookie flag) — 13.5
Secure Boot — 11.6
secure coding — 12.3
secure email gateway (SEG) — 9.3
secure software development lifecycle (SSDLC) — 12.1
security awareness — 30.1
security baseline (Microsoft GPO) — 11.2
security certification — 39.3
security champions — 30.5
security champions (as org-design lever) — 37.1
security charter — 26.4
security culture — 30.1, 30.5
security gate — 31.2
security governance — 26.1
security group — 15.4
security maturity model — 36.4
security metric — 36.1
security misconfiguration (OWASP A05) — 12.2
security operations center (SOC) — 37.2
security program (complete) — 38.1, 38.2
security program (governance sense) — 26.1, 26.6
security requirement — 12.6
security roadmap — 38.3
security staffing gap — 37.3
security strategy — 38.1
segmentation (as an OT safety control) — 33.1, 33.3
segmentation (network) — 6.4, 6.6
segregation of duties (access) — 17.4, 17.6
segregation of duties (in access review) — 18.4, 18.5
selective wipe — 14.3
selector (DKIM) — 9.4
SELinux — 11.3
SELinux modes (enforcing/permissive/disabled) — 11.3
sensor placement — 10.6
separation of duties — 3.4, 17.4, 17.6
separation of duties (governance use) — 26.4
separation of duties (JIT approval) — 19.3
sequence correlation — 21.3
server-side request forgery (OWASP A10) — 12.2
server-side request forgery (SSRF) — 13.4
serverless — 15.1, 15.5
service account — 19.1, 20.3, 20.6
service control policy (SCP) — 15.5, 15.7
service provider (SP) — 18.3
session fixation — 13.5
session management (web) — 13.5
session recording / monitoring — 19.5
seven tenets (zero trust) — 32.2
severity classification — 24.2
SHA-1 (deprecated) — 4.4, 4.7
SHA-2 / SHA-256 — 4.4
SHA-3 — 4.4
shadow IoT — 14.5
shared responsibility model — 15.1, 15.2
shift left — 12.1, 31.1
shift-left economics — 31.1
short-lived credentials — 20.2, 20.3, 20.4
SIEM — 21.1, 21.2, 21.6
SIEM pipeline (diagram) — 21.6
Sigma — 21.3
Sigma rule — 22.4
signature (detection) — 7.3
signature detection — 7.3
silent acceptance — 27.4
SIM swap — 16.3
single loss expectancy (SLE) — 27.3
single sign-on (SSO) — 18.1, 18.3
SLA compliance rate — 23.6
SLSA — 29.3
SMBv1 (disabling) — 11.1, 11.2
SMTP (sender spoofing) — 9.3
SNI (metadata in encrypted traffic) — 10.2
SOAR — 21.6
SOAR (org/automation context) — 37.2, 37.4
SOC 2 — 28.2
SOC 2 Type I vs Type II — 28.2
SOC operating model — 37.2, 37.7
SOC tiers — 37.2
social engineering — 2.1, 2.3
social engineering (defense) — 30.2
socket — 6.2
software bill of materials (SBOM) (case application) — 40.4
software bill of materials (SBOM, applied) — 35.3
software development lifecycle (SDLC) — 31.2
software provenance / SLSA (case application) — 40.2
software supply chain — 12.4
software-defined perimeter (SDP) — 32.4
SolarWinds (build-pipeline compromise) — 31.4
SolarWinds (Sunburst) — 2.5, case study — 40.2
SolarWinds (Sunburst) supply chain attack — 29.3, 29.5
source of truth (identity) — 18.2, 18.4
SPAN / mirror port — 33.5
SPAN port — 10.6
SPAN/mirror port (IDS tap) — 7.3
SPDX (SBOM format) — 29.3
spear-phishing — 9.3
specialization (threat evolution) — 35.1
specialization track — 39.2
SPF (Sender Policy Framework) — 9.4
SPIFFE/SPIRE (SVID) — 20.3
SQL injection — 13.2
SSID (Service Set Identifier) — 8.1
SSL stripping / protocol downgrade — 9.5
SSRF against the metadata service — 20.3
SSRF-to-metadata escalation — 15.4
staffing math (24/7 coverage) — 37.2, 37.7
standard — 26.2
standing access (vs. JIT) — 19.3
stateful firewall — 7.1
stateless firewall — 7.1
STIG — 11.1
STIX / TAXII — 22.3
stored XSS (persistent XSS) — 13.3
strategic threat intelligence — 22.3
STRIDE — 2.6, 12.6
Stuxnet (air gap lesson) — 33.6
sub-processor flow-down — 29.4
subnet — 6.4
summarize_flows (bluekit) — 10.7
supervised detection — 34.1
supplicant (802.1X) — 7.4
supply chain risk (software) — 29.1, 29.3
supply-chain attack — 2.5
supply-chain attack (case payoff) — 40.2
supply-chain attack (next generation) — 35.3
Suricata/Snort signature — 7.3
symmetric encryption — 4.2
SYN flood — 6.2, 6.5
synthetic media — 35.4
Sysmon — 11.2
System Integrity Protection (SIP) — 11.4
system of record (HR/contractor roster) — 18.4, 18.6

T

tabletop exercise — 24.5
tactic (ATT&CK) — 2.4
tactical threat intelligence — 22.3
taint tracking (illustrative) — 13.7 (Project Checkpoint)
talent gap (cybersecurity) — 39.1
tamper protection (Defender) — 11.2
tap (network tap) — 10.6
TCP/IP model — 6.1
TDE (transparent data encryption) — 5.5
teachable-moment landing page — 30.3
technique (ATT&CK) — 2.4
the ask (board decision) — 38.5
third-party risk — 29.1
third-party risk management (TPRM) lifecycle — 29.2
threat — 1.2
threat actor — 1.2, 2.1
threat detection — 22.1
threat hunting — 22.1, 22.5
threat intelligence — 2.5
threat intelligence platform (TIP) — 22.3
threat model / threat modeling — 2.6
threat modeling (application) — 12.6
three signals (identity/device/context) — 32.3
three-way handshake — 6.2
threshold correlation — 21.3
tiered administration — 19.4
tiered SOC model — 37.2
time-to-report — 30.4
timeline analysis — 25.5
timestomping — 25.4, 25.6
TKIP — 8.2
TLS — 5.2
TLS 1.3 handshake — 5.2
TLS scanning (defensive) — 5.7
tokenization — 4.8, 5.5
top_talkers (bluekit) — 10.5, 10.7
TOTP — 16.3
toxic combination — 17.4, 17.6
TPM (trusted platform module) — 5.5
TPM (Trusted Platform Module) — 11.6
Traffic Light Protocol (TLP) — 22.3
transitive dependency — 12.4, 29.3
transitive dependency (case payoff) — 40.4
triage — 24.1, 24.3
triple extortion — 35.2
Triton / Trisis (SIS attack) — 33.6
trust boundary — 12.6
Trust Services Criteria — 28.2
trust zone — 6.4, 6.6
TTL (time to live, DNS) — 9.1
TTP (tactics, techniques, procedures) — 2.4
TTP-level detection — 22.2
tuning (alert) — 21.5
tuning (detection) — 7.6
TXT record — 9.1, 9.4
typosquatting — 35.3
typosquatting / look-alike domain — 9.1

U

uid (Zeek pivoting) — 10.3
Ukraine power-grid attacks — 33.6
unauthenticated scan — 23.2
under-scoping — 24.3
Unified Endpoint Management (UEM) — 14.2
unsupervised detection — 34.1
use case (detection) — 21.3
user and entity behavior analytics (UEBA) — 34.2
UTC (timestamps) — 21.1, 21.2
UTC normalization — 25.5

V

vanity metric — 30.4, 36.1
vendor breach response — 29.5
vendor security assessment — 29.2, 29.4
vendor tiering — 29.2
verify (re-scan) — 23.1
virtual patching (WAF) — 13.6
visibility (network) — 10.1, 10.6
VLAN — 6.4
voluntary framework — 28.1, 28.2
VPN — 5.4
vulnerability — 1.2
vulnerability feed matching (NVD/KEV/OSV) — 29.3, 29.5
vulnerability management — 23.1
vulnerability scanner — 23.2
vulnerability-management lifecycle — 23.1
vulnerable and outdated components (OWASP A06) — 12.2, 12.4

W

WAF (mention only; owned Ch.13) — 7.1
web application firewall (WAF) — 13.6
WebAuthn — 16.4
weighted questionnaire scoring (critical-control override) — 29.4
WEP (Wired Equivalent Privacy) — 8.2
window of opportunity (attacker) — 36.3
Windows Event IDs (4624/4625/4688/7045/1102) — 25.4
WireGuard — 5.4
wireless IDS (WIDS) — 8.4, 8.6
wireless segmentation (SSID-to-VLAN) — 8.6
Wireshark — 10.2
workload identity — 20.1, 20.3
WPA — 8.2
WPA-Enterprise — 8.3
WPA2 — 8.2
WPA3 — 8.2
write blocker — 25.2

X

X-Content-Type-Options — 9.5
X-Frame-Options — 9.5
X.509 certificate — 4.6
XProtect — 11.4

Y

YARA — 22.4

Z

z-score (anomaly) — 34.2, 34.7
Zeek — 10.3
zero trust (principle) — 3.6
zero trust architecture (ZTA) — 32.2
zero-day — 2.1
zero-trust maturity pillars — 32.6
zero-trust roadmap (phased) — 32.6
ZTNA (zero-trust network access) — 32.4
ZTNA vs VPN — 32.4