Bibliography
Sources are grouped by confidence tier, following the book's citation-honesty policy (see _style-bible.md §7). Tier 1 are works we are confident exist — NIST publications, MITRE ATT&CK, CIS Controls, OWASP, RFCs, vendor and government reports; Tier 2 are real ideas whose exact publication we have not pinned down; Tier 3 are constructed teaching examples, labeled where they appear.
Tier 1 — Verified canonical sources (standards, frameworks, primary docs)
- (ISC)², CISSP, SSCP, and CCSP certification information and the (ISC)² Code of Ethics (isc2.org).
- SLSA (Supply-chain Levels for Software Artifacts) framework (slsa.dev).
- AICPA, Trust Services Criteria for SOC 2 (Security, Availability, Processing Integrity, Confidentiality, Privacy).
- Anderson, R., Security Engineering, 3rd ed., Wiley.
- Anderson, R., Security Engineering: A Guide to Building Dependable Distributed Systems, 3rd ed., Wiley (access-control chapter: DAC/MAC, reference monitor, ACLs vs. capabilities).
- Apache Software Foundation / NVD, CVE-2021-44228 (Log4Shell) advisory; and CISA guidance issued in response (December 2021).
- Apache Software Foundation, security advisory for CVE-2021-44228 (Apache Log4j 2 JNDI remote code execution).
- AppArmor project / Ubuntu Server hardening documentation.
- Apple, Apple Platform Security guide (SIP, Gatekeeper, FileVault, XProtect, secure boot).
- Aumasson, J.-P., Serious Cryptography, No Starch Press.
- Aumasson, J.-P., Serious Cryptography: A Practical Introduction to Modern Encryption, 2nd ed., No Starch Press.
- AWS documentation — Secrets Manager, Key Management Service (KMS), IAM roles, and IAM Roles Anywhere / workload identity federation (Amazon Web Services).
- AWS, Shared Responsibility Model, Amazon Web Services documentation.
- AWS, Well-Architected Framework — Security Pillar, Amazon Web Services.
- Bejtlich, R., The Practice of Network Security Monitoring, No Starch Press.
- Brown, R., & Roberts, S., Intelligence-Driven Incident Response, O'Reilly.
- Center for Internet Security, CIS Amazon Web Services Foundations Benchmark.
- Center for Internet Security, CIS Benchmarks (platform-specific secure-configuration guides; Level 1 / Level 2 profiles), cisecurity.org.
- Center for Internet Security, CIS Controls v8 (esp. Control 1 — Inventory of Enterprise Assets; Control 12 — Network Infrastructure Management) and CIS Benchmarks.
- Center for Internet Security, CIS Critical Security Controls, Version 8.
- Center for Internet Security, CIS Google Cloud Platform Foundation Benchmark.
- Center for Internet Security, CIS Microsoft Azure Foundations Benchmark.
- Certificate Transparency project documentation (certificate.transparency.dev).
- Chantzis, F., Stais, I., et al., Practical IoT Hacking, No Starch Press (read as a defender's threat model).
- Chapple, M., & Seidl, D., CompTIA Security+ Study Guide, Sybex.
- Chapple, M., Stewart, J., & Gibson, D., (ISC)² CISSP Certified Information Systems Security Professional Official Study Guide, Sybex.
- Chio, C., & Freeman, D., Machine Learning and Security, O'Reilly Media.
- Cialdini, R., Influence: The Psychology of Persuasion.
- CIS Controls v8 — Control 5 (Account Management) and Control 6 (Access Control Management), Center for Internet Security.
- CIS Controls v8, Control 13 (Network Monitoring and Defense), Center for Internet Security.
- CIS Controls v8, Control 6 (Access Control Management), Center for Internet Security.
- CIS Controls v8, Control 7, Continuous Vulnerability Management, Center for Internet Security.
- CIS Critical Security Controls v8, Control 8 (Audit Log Management) and Control 17 (Incident Response Management), Center for Internet Security.
- CISA & MS-ISAC, #StopRansomware Guide, Cybersecurity and Infrastructure Security Agency.
- CISA (Cybersecurity and Infrastructure Security Agency), advisories, emergency directives, and mitigation guidance on the SolarWinds/Orion supply-chain compromise (2020–2021).
- CISA (Cybersecurity and Infrastructure Security Agency), advisories, the Known Exploited Vulnerabilities (KEV) catalog, and coordinated vulnerability-disclosure guidance (cisa.gov).
- CISA / FBI joint advisories on DarkSide ransomware (the family behind the Colonial Pipeline incident).
- CISA / federal, Cybersecurity Incident & Vulnerability Response Playbooks.
- CISA / NSA, identity and access management guidance, and CISA Cross-Sector Cybersecurity Performance Goals (CPGs).
- CISA and U.S. government joint advisories on the SolarWinds Orion (Sunburst / Solorigate) supply chain compromise, December 2020 onward.
- CISA, Avoiding Social Engineering and Phishing Attacks and related phishing guidance, Cybersecurity and Infrastructure Security Agency.
- CISA, Binding Operational Directive 22-01 (Reducing the Significant Risk of Known Exploited Vulnerabilities), the directive establishing the KEV catalog.
- CISA, Cybersecurity Advisories (cisa.gov) — operational, ATT&CK-mapped advisories (model for Case Study 2).
- CISA, Implementing Phishing-Resistant MFA and More Than a Password guidance, Cybersecurity and Infrastructure Security Agency.
- CISA, Incident Response resources and the joint #StopRansomware guide, Cybersecurity and Infrastructure Security Agency.
- CISA, Industrial Control Systems advisories, alerts, and resources, Cybersecurity and Infrastructure Security Agency (cisa.gov/topics/industrial-control-systems).
- CISA, Known Exploited Vulnerabilities (KEV) Catalog, Cybersecurity and Infrastructure Security Agency.
- CISA, Protective DNS guidance and related advisories, Cybersecurity and Infrastructure Security Agency.
- CISA, Secure Cloud Business Applications (SCuBA) project and cloud security guidance.
- CISA, Securing the Software Supply Chain guidance and SBOM resources, Cybersecurity and Infrastructure Security Agency.
- CISA, Software Bill of Materials (SBOM) resources, Cybersecurity and Infrastructure Security Agency.
- CISA, Tabletop Exercise Packages (CTEPs).
- CISA, Zero Trust Maturity Model, Cybersecurity and Infrastructure Security Agency.
- CISA, advisories and alerts on the SolarWinds / Orion supply-chain compromise, Cybersecurity and Infrastructure Security Agency.
- CISA, advisories and guidance on phishing-resistant MFA and privileged-access hardening, Cybersecurity and Infrastructure Security Agency.
- CISA, advisories and guidance on securing IoT and network devices, Cybersecurity and Infrastructure Security Agency.
- CISA, advisories and secure-configuration / known-exploited-vulnerability guidance, Cybersecurity and Infrastructure Security Agency.
- CISA, advisories and the Known Exploited Vulnerabilities (KEV) Catalog.
- CISA, guidance and alerts on Apache Log4j (CVE-2021-44228), and the Known Exploited Vulnerabilities (KEV) Catalog entry.
- CISA, network segmentation and secure remote access guidance, Cybersecurity and Infrastructure Security Agency.
- Cloud Security Alliance, Consensus Assessments Initiative Questionnaire (CAIQ) and Cloud Controls Matrix (CCM).
- Cloud-provider zero-trust reference architectures (AWS, Microsoft, Google Cloud security documentation).
- Collins, M., Network Security Through Data Analysis, O'Reilly.
- CompTIA, official certification objectives for Security+, Network+, and CySA+ (comptia.org); confirm current exam codes and requirements with the issuing body.
- DISA, Security Technical Implementation Guides (STIGs), Defense Information Systems Agency, public.cyber.mil.
- Elastic, Elastic Common Schema (ECS) documentation, https://www.elastic.co.
- European Union, General Data Protection Regulation (GDPR), Regulation (EU) 2016/679.
- Executive Order 14028, Improving the Nation's Cybersecurity (2021), software-supply-chain provisions — U.S. Federal Register.
- FBI Internet Crime Complaint Center (IC3), Business Email Compromise public service announcements and annual reports.
- Federal Financial Institutions Examination Council (FFIEC), IT Examination Handbook.
- Ferguson, N., Schneier, B., & Kohno, T., Cryptography Engineering: Design Principles and Practical Applications, Wiley.
- FFIEC, IT Examination Handbook — Outsourcing Technology Services / Architecture, Infrastructure, and Operations booklets.
- FIDO Alliance, FIDO2 / CTAP specifications and passkeys resources, fidoalliance.org.
- FIRST, Common Vulnerability Scoring System (CVSS) specification, Forum of Incident Response and Security Teams.
- FIRST, Exploit Prediction Scoring System (EPSS) model documentation, Forum of Incident Response and Security Teams.
- FIRST, Traffic Light Protocol (TLP) version 2.0 (first.org/tlp) — handling markings for shared intelligence.
- Freund, J., & Jones, J., Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann.
- FTC, Standards for Safeguarding Customer Information (GLBA Safeguards Rule), 16 CFR Part 314.
- Garfinkel, S., Spafford, G., & Schwartz, A., Practical UNIX and Internet Security, O'Reilly.
- GIAC/SANS, GSEC/GCIH/GCIA and related certification information (giac.org).
- Goodfellow, I., Bengio, Y., & Courville, A., Deep Learning, MIT Press.
- Google Cloud documentation — Secret Manager, Cloud KMS, and Workload Identity Federation (Google).
- Google Cloud, Shared responsibility and shared fate on Google Cloud, GCP documentation.
- Google, BeyondCorp: A New Approach to Enterprise Security (and subsequent BeyondCorp papers), Google, 2014 onward.
- Google, Site Reliability Engineering (freely available) — postmortem-culture chapter on blameless postmortems.
- Harris, S., & Maymí, F., CISSP All-in-One Exam Guide, McGraw-Hill.
- HashiCorp Vault documentation — concepts, leases, and dynamic secrets (HashiCorp).
- Hoffman, A., Web Application Security, O'Reilly.
- Hu, V. C., et al. (NIST), Attribute-Based Access Control, Artech House (book-length ABAC treatment).
- Hutchins, E. M., Cloppert, M. J., & Amin, R. M., Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains, Lockheed Martin.
- IEC 62443 series, Security for Industrial Automation and Control Systems, International Electrotechnical Commission.
- IEEE 802.11i (RSN/WPA2) and IEEE 802.11w (Protected Management Frames), IEEE 802.11 standard amendments.
- IEEE 802.1X, Port-Based Network Access Control, Institute of Electrical and Electronics Engineers.
- IEEE Standard 802.1X-2020, IEEE Standard for Local and Metropolitan Area Networks — Port-Based Network Access Control, IEEE.
- IETF BCP 38 / RFC 2827, Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing.
- IETF RFC 3227, Guidelines for Evidence Collection and Archiving, Internet Engineering Task Force.
- IETF RFC 6749, The OAuth 2.0 Authorization Framework; and IETF RFC 6750, OAuth 2.0 Bearer Token Usage.
- IETF RFC 7011, Specification of the IP Flow Information Export (IPFIX) Protocol for the Exchange of Flow Information.
- IETF RFC 7644, System for Cross-domain Identity Management (SCIM): Protocol; and IETF RFC 7643, SCIM: Core Schema.
- IETF, RFC 5280 — Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile.
- IETF, RFC 6960 — X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP).
- IETF, RFC 6962 — Certificate Transparency.
- IETF, RFC 8446 — The Transport Layer Security (TLS) Protocol Version 1.3, Internet Engineering Task Force, 2018.
- IETF, RFC 8659 — DNS Certification Authority Authorization (CAA) Resource Record.
- International Organization for Standardization, ISO/IEC 27001 (Information Security Management Systems — Requirements) and ISO/IEC 27002 (control catalog).
- ISACA, COBIT (Control Objectives for Information and Related Technologies) — enterprise governance of IT; the governance-vs-management distinction.
- ISACA, Risk IT Framework, ISACA.
- ISACA, CISA, CRISC, and CISM certification information and the ISACA Code of Professional Ethics (isaca.org).
- ISO/IEC 27001, Information security management systems — Requirements, and ISO/IEC 27002, Information security controls. (The certifiable ISMS view of a program and its control catalog.)
- ISO/IEC 27001, Information security, cybersecurity and privacy protection — Information security management systems — Requirements, International Organization for Standardization.
- ISO/IEC 27002, Information security controls (the control catalog companion to 27001).
- ISO/IEC 27002, Information security, cybersecurity and privacy protection — Information security controls.
- ISO/IEC 27005, Information security, cybersecurity and privacy protection — Guidance on managing information security risks, International Organization for Standardization.
- Katz, J., & Lindell, Y., Introduction to Modern Cryptography, CRC Press.
- Kim, D., & Solomon, M., Fundamentals of Information Systems Security, Jones & Bartlett.
- Kim, G., Humble, J., Debois, P., & Willis, J., The DevOps Handbook, IT Revolution Press.
- Knapp, E., & Langill, J., Industrial Network Security, Syngress.
- Kozierok, C., The TCP/IP Guide, No Starch Press.
- Kurose, J., & Ross, K., Computer Networking: A Top-Down Approach, Pearson.
- Liska, A., & Stowe, G., DNS Security: Defending the Domain Name System, Syngress.
- Macaulay, T., & Singer, B., Cybersecurity for Industrial Control Systems, CRC Press.
- Microsoft documentation — Azure Key Vault and Microsoft Entra Workload ID (Microsoft).
- Microsoft, Kusto Query Language (KQL) documentation, https://learn.microsoft.com.
- Microsoft, Local Administrator Password Solution (LAPS) / Windows LAPS documentation.
- Microsoft, Microsoft Defender for Endpoint — Attack Surface Reduction (ASR) rules documentation.
- Microsoft, Privileged Identity Management (PIM), Microsoft Entra documentation.
- Microsoft, Securing privileged access and the Enterprise Access Model (formerly the Active Directory administrative tier model), Microsoft Learn documentation.
- Microsoft, Security baselines and the Security Compliance Toolkit documentation.
- Microsoft, Shared responsibility in the cloud, Azure documentation.
- Microsoft, Entra ID (Azure AD) documentation — Conditional Access, hybrid identity (Entra Connect / directory synchronization), and application provisioning.
- Microsoft, guidance on credential theft, pass-the-hash, and Credential Guard, Microsoft Learn documentation.
- MITRE / NIST, CVE-2021-44228 (Apache Log4j "Log4Shell"), CVSS 10.0 (Critical); and CVE-2022-42889 (Apache Commons Text "Text4Shell").
- MITRE / NVD, CVE record for CVE-2021-44228 (Log4Shell), CVSS base score 10.0.
- MITRE ATT&CK (attack.mitre.org) and its coverage-mapping tooling — the basis for detection-coverage metrics (the fraction of relevant adversary techniques for which a working detection exists).
- MITRE ATT&CK (attack.mitre.org) — Execution, Lateral Movement, Defense Evasion, and Persistence tactics, used to map hardening controls to the techniques they defeat/record.
- MITRE ATT&CK (used for technique mapping during triage and scoping, e.g., "Inhibit System Recovery").
- MITRE ATT&CK for Cloud (IaaS / SaaS / Identity Provider matrices), MITRE Corporation.
- MITRE ATT&CK for ICS, MITRE Corporation (attack.mitre.org/matrices/ics).
- MITRE ATT&CK knowledge base (attack.mitre.org), for living-off-the-land and exfiltration techniques.
- MITRE ATT&CK knowledge base, The MITRE Corporation, attack.mitre.org (Enterprise matrix; Tactics, Techniques, and Groups).
- MITRE ATT&CK Navigator, The MITRE Corporation, mitre-attack.github.io/attack-navigator.
- MITRE ATT&CK — Command and Control (TA0011) and Exfiltration (TA0010) tactics and techniques, MITRE Corporation.
- MITRE ATT&CK — Lateral Movement (TA0008) and Command and Control (TA0011) tactics, MITRE Corporation.
- MITRE ATT&CK — tactics TA0006 (Credential Access) and TA0008 (Lateral Movement); techniques T1003 (OS Credential Dumping), T1550.002 (Pass-the-Hash), T1078 (Valid Accounts).
- MITRE ATT&CK — technique taxonomy used for the kill-chain mapping (T1190 exploit public-facing app; T1078 valid accounts; T1071 application-layer C2).
- MITRE ATT&CK — techniques T1078 (Valid Accounts) and T1098 (Account Manipulation).
- MITRE ATT&CK, Enterprise Matrix — Discovery and Lateral Movement tactics (attack.mitre.org).
- MITRE ATT&CK, Indicator Removal (T1070), including sub-techniques for Clear Windows Event Logs and Timestomp; Defense Evasion tactic.
- MITRE ATT&CK, https://attack.mitre.org — adversary tactics and techniques (cited: T1110 Brute Force, T1078 Valid Accounts, T1070.001 Indicator Removal: Clear Windows Event Logs, T1556 Modify Authentication Process, T1098 Account Manipulation, T1071 Application Layer Protocol, T1486 Data Encrypted for Impact).
- MITRE ATT&CK, Lateral Movement tactic (TA0008), MITRE Corporation.
- MITRE ATT&CK, techniques for rogue/evil-twin access points and network sniffing, attack.mitre.org.
- MITRE, ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems), MITRE Corporation.
- MITRE, ATT&CK Navigator (mitre-attack.github.io/attack-navigator) — tool for building coverage heatmaps.
- MITRE, ATT&CK framework (attack.mitre.org) — the adversary-behavior taxonomy underpinning purple teaming and detection-coverage measurement.
- MITRE, ATT&CK knowledge base (attack.mitre.org) — tactics, techniques, and the Detection/Data Sources fields used throughout the chapter. Technique IDs cited (T1003.001, T1018, T1021.002, T1053, T1059.001, T1059.003, T1071.001, T1195.002, T1218.011, T1486, T1547.001, T1548.002, T1562.001, T1566.001, T1573) are real ATT&CK identifiers.
- MITRE, ATT&CK, MITRE Corporation (behavioral techniques for mapping anomalies; see also Chapter 22).
- MITRE, Common Attack Pattern Enumeration and Classification (CAPEC) and Common Weakness Enumeration (CWE), The MITRE Corporation.
- MITRE, Common Weakness Enumeration (CWE) (cwe.mitre.org), including the CWE Top 25 Most Dangerous Software Weaknesses.
- MITRE, Common Weakness Enumeration (CWE): CWE-89 (SQL Injection), CWE-79 (Cross-site Scripting), CWE-352 (CSRF), CWE-918 (SSRF), CWE-384 (Session Fixation), CWE-78 (OS Command Injection).
- MITRE, D3FEND (d3fend.mitre.org) — defensive technique knowledge graph mapped to ATT&CK.
- MITRE, Eleven Strategies of a World-Class Cybersecurity Operations Center — comprehensive freely available reference on building and running a SOC.
- Mozilla, MDN Web Docs — Content Security Policy; Same-origin policy; HTTP cookies (SameSite, HttpOnly, Secure).
- Mozilla, Server Side TLS configuration guidance (Modern/Intermediate/Old profiles), Mozilla wiki.
- NIST Computer Forensics Tool Testing (CFTT) program (validation of forensic tools, including write blockers).
- NIST National Cybersecurity Center of Excellence (NCCoE), Migration to Post-Quantum Cryptography project.
- NIST National Vulnerability Database (NVD) — CVE-2021-44228 (Log4Shell) and CVE-2017-5638 (Apache Struts 2 / Equifax) records.
- NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices — supply-chain guidance relevant to the SolarWinds lesson.
- NIST SP 800-61, Computer Security Incident Handling Guide — IR lifecycle framing for the response/disclosure phases.
- NIST Special Publication 1800-16, Securing Web Transactions: TLS Server Certificate Management, National Institute of Standards and Technology.
- NIST Special Publication 1800-35, Implementing a Zero Trust Architecture, NIST National Cybersecurity Center of Excellence.
- NIST Special Publication 800-101 Rev. 1, Guidelines on Mobile Device Forensics, National Institute of Standards and Technology.
- NIST Special Publication 800-111, Guide to Storage Encryption Technologies for End User Devices.
- NIST Special Publication 800-123, Guide to General Server Security, National Institute of Standards and Technology.
- NIST Special Publication 800-124, Guidelines for Managing the Security of Mobile Devices in the Enterprise.
- NIST Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing.
- NIST Special Publication 800-153, Guidelines for Securing Wireless Local Area Networks (WLANs).
- NIST Special Publication 800-161 Rev. 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations, National Institute of Standards and Technology.
- NIST Special Publication 800-162, Guide to Attribute Based Access Control (ABAC) Definition and Considerations, National Institute of Standards and Technology.
- NIST Special Publication 800-167, Guide to Application Whitelisting (application allowlisting).
- NIST Special Publication 800-177 Rev. 1, Trustworthy Email.
- NIST Special Publication 800-207, Zero Trust Architecture, 2020.
- NIST Special Publication 800-210, General Access Control Guidance for Cloud Systems.
- NIST Special Publication 800-213 and the NISTIR 8259 family, IoT Device Cybersecurity guidance (device cybersecurity capabilities; baseline for federal and enterprise IoT).
- NIST Special Publication 800-218, Secure Software Development Framework (SSDF) Version 1.1, National Institute of Standards and Technology.
- NIST Special Publication 800-30 Rev. 1, Guide for Conducting Risk Assessments.
- NIST Special Publication 800-30, Guide for Conducting Risk Assessments, and the broader NIST risk-management materials — underpin the risk-vs-appetite framing carried over from Chapter 27.
- NIST Special Publication 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, National Institute of Standards and Technology.
- NIST Special Publication 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, National Institute of Standards and Technology.
- NIST Special Publication 800-40 Rev. 4, Guide to Enterprise Patch Management Planning: Preventive Maintenance for Technology.
- NIST Special Publication 800-41 Rev. 1, Guidelines on Firewalls and Firewall Policy, National Institute of Standards and Technology.
- NIST Special Publication 800-50, Building an Information Technology Security Awareness and Training Program (and its current modernized revision), National Institute of Standards and Technology.
- NIST Special Publication 800-52 Rev. 2, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations.
- NIST Special Publication 800-53 (security and privacy controls; CM-7 Least Functionality, AC-3 Access Enforcement) — referenced for the control families behind hardening.
- NIST Special Publication 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations.
- NIST Special Publication 800-53 Rev. 5, control families SI (System and Information Integrity, incl. SI-10 input validation) and SC (System and Communications Protection).
- NIST Special Publication 800-53, Security and Privacy Controls (CM, AC, SC control families relevant to inventory, access, and segmentation).
- NIST Special Publication 800-55, Measurement Guide for Information Security (the Performance Measurement Guide for Information Security) — the authoritative U.S. government treatment of selecting, defining, and using security measures so they inform decisions; the conceptual basis of §36.1's "useful vs. vanity" distinction.
- NIST Special Publication 800-57 Part 1 Rev. 5, Recommendation for Key Management: Part 1 — General.
- NIST Special Publication 800-57, Recommendation for Key Management (Part 1, General).
- NIST Special Publication 800-61, Computer Security Incident Handling Guide, National Institute of Standards and Technology.
- NIST Special Publication 800-63 (suite), Digital Identity Guidelines (overview; 63A identity proofing, 63C federation).
- NIST Special Publication 800-63 series, Digital Identity Guidelines (800-63A Identity Proofing; 800-63B Authentication and Lifecycle Management; 800-63C Federation and Assertions), National Institute of Standards and Technology.
- NIST Special Publication 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management.
- NIST Special Publication 800-77 Rev. 1, Guide to IPsec VPNs.
- NIST Special Publication 800-81-2, Secure Domain Name System (DNS) Deployment Guide.
- NIST Special Publication 800-82, Guide to Operational Technology (OT) Security, National Institute of Standards and Technology.
- NIST Special Publication 800-86, Guide to Integrating Forensic Techniques into Incident Response, National Institute of Standards and Technology.
- NIST Special Publication 800-92, Guide to Computer Security Log Management, National Institute of Standards and Technology.
- NIST Special Publication 800-94, Guide to Intrusion Detection and Prevention Systems (IDPS), National Institute of Standards and Technology.
- NIST, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, NIST AI 100-2.
- NIST, Artificial Intelligence Risk Management Framework (AI RMF 1.0), NIST AI 100-1, National Institute of Standards and Technology, 2023.
- NIST, Cybersecurity Framework (CSF) 2.0 — the Detect function (continuous monitoring, adverse event analysis), National Institute of Standards and Technology, 2024.
- NIST, Cybersecurity Framework (CSF) 2.0, 2024 — "Govern" function and supply chain risk management category.
- NIST, Cybersecurity Framework (CSF) 2.0, 2024 — DETECT (DE) function (DE.CM continuous monitoring, DE.AE adverse event analysis).
- NIST, Cybersecurity Framework (CSF) 2.0, 2024 — Functions used to classify which failed in each case.
- NIST, Cybersecurity Framework (CSF) 2.0, 2024 — the DETECT function (continuous monitoring; adverse event analysis).
- NIST, Cybersecurity Framework (CSF) 2.0, 2024 — the six Functions (Govern, Identify, Protect, Detect, Respond, Recover) used to structure a board scorecard, and the four Implementation Tiers (Partial, Risk Informed, Repeatable, Adaptive) used as a maturity scale.
- NIST, Cybersecurity Framework (CSF) 2.0, 2024.
- NIST, Cybersecurity Framework (CSF) 2.0, Govern (GV) and Respond (RS) Functions, National Institute of Standards and Technology, 2024.
- NIST, Cybersecurity Framework (CSF) 2.0, National Institute of Standards and Technology, 2024.
- NIST, Cybersecurity Framework (CSF) 2.0, the Protect (PR) Function — awareness and training.
- NIST, FIPS 180-4: Secure Hash Standard (SHS), National Institute of Standards and Technology.
- NIST, FIPS 186: Digital Signature Standard (DSS), National Institute of Standards and Technology.
- NIST, FIPS 197: Advanced Encryption Standard (AES), National Institute of Standards and Technology.
- NIST, FIPS 198-1: The Keyed-Hash Message Authentication Code (HMAC), NIST.
- NIST, FIPS 202: SHA-3 Standard: Permutation-Based Hash and Extendable-Output Functions, NIST.
- NIST, National Vulnerability Database (NVD) (nvd.nist.gov).
- NIST, Post-Quantum Cryptography standardization project, National Institute of Standards and Technology.
- NIST, FIPS 203, Module-Lattice-Based Key-Encapsulation Mechanism Standard (ML-KEM), 2024.
- NIST, FIPS 204, Module-Lattice-Based Digital Signature Standard (ML-DSA), 2024.
- NIST, FIPS 205, Stateless Hash-Based Digital Signature Standard (SLH-DSA), 2024.
- NIST, Role-Based Access Control (RBAC) model — Ferraiolo, D. F., & Kuhn, D. R., and the formal standard ANSI/INCITS 359 (American National Standard for Role-Based Access Control).
- NTIA, The Minimum Elements For a Software Bill of Materials (SBOM), U.S. National Telecommunications and Information Administration, 2021.
- OASIS / CISA, Vulnerability Exploitability eXchange (VEX) — minimum requirements and use cases.
- OASIS, Security Assertion Markup Language (SAML) v2.0 — Assertions and Protocols, and the SAML 2.0 Technical Overview.
- OASIS, STIX and TAXII specifications (oasis-open.org/committees/cti) — structured threat-intel language and transport.
- OCSF, Open Cybersecurity Schema Framework, https://ocsf.io.
- OffSec, OSCP certification information (offsec.com).
- Open Policy Agent (OPA) and the Rego policy language, official documentation, openpolicyagent.org (Cloud Native Computing Foundation).
- OpenID Foundation, OpenID Connect Core 1.0.
- OpenSSF, Supply-chain Levels for Software Artifacts (SLSA) framework.
- OWASP Cheat Sheet Series — Authentication, SAML Security, and Access Control cheat sheets.
- OWASP Cheat Sheet Series, Content Security Policy and Session Management cheat sheets.
- OWASP CycloneDX specification, cyclonedx.org.
- OWASP Foundation, OWASP IoT Top 10 (Internet of Things Project) — the canonical list of critical IoT weaknesses; weak/default/hardcoded passwords rank first.
- OWASP Foundation, OWASP Mobile Top 10 and Mobile Application Security Verification Standard (MASVS).
- OWASP Secrets Management Cheat Sheet (OWASP Cheat Sheet Series).
- OWASP Secure Headers Project, Open Worldwide Application Security Project.
- OWASP Top 10 (current edition), category A06 Vulnerable and Outdated Components, Open Worldwide Application Security Project.
- OWASP Top 10 CI/CD Security Risks (OWASP).
- OWASP Top 10 — "Broken Access Control" (A01) and the OWASP Access Control Cheat Sheet.
- OWASP, Application Security Verification Standard (ASVS), Open Worldwide Application Security Project.
- OWASP, Authentication Cheat Sheet, OWASP Cheat Sheet Series.
- OWASP, Cheat Sheet Series (cheatsheetseries.owasp.org) — incl. Input Validation, Cross-Site Scripting Prevention, SQL Injection Prevention, and Secrets Management cheat sheets.
- OWASP, Cheat Sheet Series (cheatsheetseries.owasp.org): SQL Injection Prevention; Query Parameterization; Cross Site Scripting Prevention; DOM based XSS Prevention; Content Security Policy; Cross-Site Request Forgery Prevention; Server Side Request Forgery Prevention; Session Management.
- OWASP, Core Rule Set (CRS), coreruleset.org — the managed WAF rule set (ModSecurity).
- OWASP, Credential Stuffing Prevention Cheat Sheet, OWASP Cheat Sheet Series.
- OWASP, Cryptographic Storage Cheat Sheet, Open Worldwide Application Security Project.
- OWASP, Dependency-Track and Dependency-Check (open-source software composition analysis tools).
- OWASP, DevSecOps Guideline and DevSecOps Maturity Model (DSOMM), Open Worldwide Application Security Project.
- OWASP, OWASP Top 10 (current edition), Open Worldwide Application Security Project — injection, XSS, CSRF/SSRF, and identification/authentication failures categories.
- OWASP, OWASP Top 10: The Ten Most Critical Web Application Security Risks, Open Worldwide Application Security Project (owasp.org/Top10).
- OWASP, Password Storage Cheat Sheet, Open Worldwide Application Security Project.
- OWASP, Top 10 for Large Language Model (LLM) Applications, Open Worldwide Application Security Project.
- OWASP, Vulnerability Management Guide and OWASP Dependency-Check project.
- OWASP, WebGoat and Juice Shop (deliberately vulnerable training applications; for authorized lab use only).
- PCI Security Standards Council, Payment Card Industry Data Security Standard (PCI-DSS) v4.0 (Requirements 3 and 4, protection of stored and transmitted cardholder data).
- PCI Security Standards Council, PCI-DSS v4.0 (network segmentation of the cardholder data environment; device security).
- PCI Security Standards Council, PCI-DSS v4.0, Requirement 6 (secure development; protection of public-facing web applications).
- PCI-DSS v4.0, network-monitoring requirements, PCI Security Standards Council.
- PCI-DSS v4.0, Requirement 7 ("Restrict access to system components and cardholder data by business need to know").
- Purdue Enterprise Reference Architecture (PERA) — the origin of the level 0–5 model adopted into ICS security practice.
- Reason, J., Human Error (and the "Swiss cheese" model); Dekker, S., Just Culture — the aviation/medicine basis for no-blame reporting.
- RFC 4033, DNS Security Introduction and Requirements, IETF (with RFC 4034 and RFC 4035).
- RFC 6238, TOTP: Time-Based One-Time Password Algorithm, IETF.
- RFC 6376, DomainKeys Identified Mail (DKIM) Signatures, IETF.
- RFC 6797, HTTP Strict Transport Security (HSTS), IETF.
- RFC 7208, Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1, IETF.
- RFC 7489, Domain-based Message Authentication, Reporting, and Conformance (DMARC), IETF.
- RFC 8555, Automatic Certificate Management Environment (ACME), Internet Engineering Task Force.
- Bejtlich, R., The Practice of Network Security Monitoring, No Starch Press.
- Ristić, I., Bulletproof TLS and PKI, 2nd ed., Feisty Duck.
- Roberts, S. J., & Brown, R., Intelligence-Driven Incident Response, O'Reilly.
- Saltzer, J. H., & Schroeder, M. D., "The Protection of Information in Computer Systems," Proceedings of the IEEE, vol. 63, no. 9, 1975 (origin of least privilege, fail-safe defaults, separation of privilege).
- Sanders, C., & Smith, J., Applied Network Security Monitoring, Syngress.
- Sanders, C., Practical Packet Analysis, No Starch Press.
- SANS, Incident Handler's Handbook (PICERL: Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned).
- Schneier, B., Secrets and Lies: Digital Security in a Networked World, Wiley.
- Seacord, R., Secure Coding in C and C++ (and the CERT Secure Coding Standards), Addison-Wesley / SEI.
- Shared Assessments, Standardized Information Gathering (SIG) Questionnaire.
- Shostack, A., Threat Modeling: Designing for Security, Wiley.
- SigmaHQ, Sigma — Generic Signature Format for SIEM Systems, https://github.com/SigmaHQ/sigma.
- Sigstore project documentation (cosign artifact signing and provenance), sigstore.dev.
- SLSA (Supply-chain Levels for Software Artifacts) Specification, slsa.dev (Open Source Security Foundation / OpenSSF).
- SLSA (Supply-chain Levels for Software Artifacts) framework documentation, slsa.dev (Open Source Security Foundation / OpenSSF).
- SPDX (Software Package Data Exchange) specification, ISO/IEC 5962, spdx.dev.
- SPIFFE/SPIRE project documentation, including the SPIFFE Verifiable Identity Document (SVID) specification (spiffe.io).
- Splunk, Search Reference and Common Information Model (CIM) documentation, https://docs.splunk.com.
- Stallings, W., Network Security Essentials: Applications and Standards, Pearson.
- Stuttard, D., & Pinto, M., The Web Application Hacker's Handbook, 2nd ed., Wiley (offensive reference, read for defensive understanding).
- Thaler, R., & Sunstein, C., Nudge: Improving Decisions About Health, Wealth, and Happiness.
- The Open Group, Open FAIR Body of Knowledge (Risk Taxonomy and Risk Analysis standards).
- The SELinux Project documentation; Red Hat SELinux User's and Administrator's Guide.
- The Sigma Project (github.com/SigmaHQ/sigma) — the vendor-agnostic detection-rule specification and rule library.
- The Snort IDS/IPS engine documentation and rule-writing guide, Cisco/Snort project.
- The Suricata IDS/IPS engine documentation, Open Information Security Foundation (OISF).
- The White House, Executive Order 14028: Improving the Nation's Cybersecurity, May 12, 2021.
- The Wireshark Project, documentation and sample captures (wireshark.org).
- The Zeek Network Security Monitor project documentation.
- The Zeek Project, Zeek Documentation (log reference: conn.log, dns.log, ssl.log), zeek.org.
- U.S. Computer Fraud and Abuse Act (CFAA), 18 U.S.C. § 1030 (named in general terms; described, not interpreted as legal advice).
- U.S. congressional committee report(s) on the 2017 Equifax breach (e.g., House Oversight Committee majority staff report).
- U.S. Cyber Safety Review Board (CSRB), Review of the December 2021 Log4j Event, 2022 — the flagship official post-incident review; concluded Log4j is an "endemic vulnerability."
- U.S. Department of Energy, Cybersecurity Capability Maturity Model (C2M2) — a detailed domain-by-domain maturity model with concrete practice statements at each level; scaffolding for an evidence-based maturity self-assessment.
- U.S. Department of Health and Human Services, HIPAA Breach Notification Rule (45 CFR §§ 164.400–414).
- U.S. Federal Trade Commission / federal banking regulators, GLBA Safeguards Rule.
- U.S. Government Accountability Office (GAO), report(s) on the 2017 Equifax data breach (basic-control-failure findings).
- U.S. interagency Computer-Security Incident Notification rule for banking organizations (source of the 36-hour regulator-notification requirement).
- U.S. Office of Management and Budget, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles (OMB Memorandum M-22-09), 2022.
- Vanhoef, M., & Piessens, F., "Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2" (KRACK), ACM CCS 2017.
- Verizon, Data Breach Investigations Report (DBIR), annual — evidence that the patterns (credentials, vuln exploitation, human element) generalize.
- Verizon, Data Breach Investigations Report (DBIR), published annually.
- VirusTotal / YARA, YARA documentation (yara.readthedocs.io) — file/memory pattern-matching rule language.
- W3C, Web Authentication: An API for accessing Public Key Credentials (WebAuthn), World Wide Web Consortium Recommendation.
- Wi-Fi Alliance, WPA3 Specification and Discover Wi-Fi: Security overview, Wi-Fi Alliance.
- Wireshark Foundation, Wireshark User's Guide, wireshark.org.
- Zalewski, M., The Tangled Web: A Guide to Securing Modern Web Applications, No Starch Press.
Tier 2 — Attributed (specifics unverified)
- (ISC)² / ISC2, Cybersecurity Workforce Study (published annually) — most-cited source for the security staffing gap; precise figures vary by year/methodology and are used here only as a range.
- Altheide, C., & Carvey, H., Digital Forensics with Open Source Tools, Syngress.
- Anderson, R., Security Engineering, 3rd ed., Wiley (book is verifiable; specific claims about under-patching economics should be checked against the text).
- Anti-Phishing Working Group (APWG) trend reports — phishing-volume and technique data (exact figures Tier 2).
- Bianco, D. J., "The Pyramid of Pain" (Enterprise Detection & Response blog, ~2013) — the canonical articulation of the pyramid-of-pain model; widely cited, exact figures/wording attributed to the blog post.
- Bird, J., DevSecOps and related O'Reilly reports on integrating security into CI/CD (practitioner guidance; specifics and tool recommendations vary by edition).
- BlueBorne Bluetooth vulnerability class (2017) — vendor and research retrospectives vary; treat exact details as attributed, not pinned.
- Brotby, W. K., Information Security Governance: A Practical Development and Implementation Approach. (Practitioner text on aligning and governing a security program; treated as guidance, not authority.)
- Carrier, B., File System Forensic Analysis, Addison-Wesley (filesystem internals, NTFS $MFT, deleted-file recovery).
- Carvey, H., Windows Forensic Analysis and Windows Registry Forensics, Syngress (Windows artifacts: registry, event logs).
- CISA/NCSC and partners, Guidelines for Secure AI System Development and related joint AI-security guidance (issuer/title pattern; verify the current document before citing).
- Colonial Pipeline ~75 bitcoin ransom and partial DOJ recovery — widely reported; stated as reported, exact figures not over-specified.
- Community Sysmon configuration files (widely used open configurations) for endpoint telemetry — referenced as a category; vet any specific config before deployment.
- Conference talks and engineering retrospectives on the December 2021 Log4Shell response (timelines and specifics vary by account; cite reputable, well-sourced sessions).
- Conference talks and write-ups on SAML service-provider validation flaws (signature/audience bypass class); specific talks vary by source — choose a reputable, well-sourced account.
- Cross-industry MTTD/MTTR/coverage "benchmark" figures circulated by vendors and surveys — used in the chapter only as illustrative, directional comparisons (e.g., "~8-hour peer MTTD"). These are soft numbers; the chapter explicitly flags them as approximate and they should be verified against a named source before being presented as fact.
- Current cloud-native security references (e.g., books on Kubernetes security) for workload-identity and service-account-token handling (pick a current, well-reviewed edition; the platform evolves quickly).
- Davidoff, S., & Ham, J., Network Forensics: Tracking Hackers through Cyberspace, Prentice Hall.
- Director-level cyber-oversight guidance of the kind issued by board associations (e.g., NACD/ISA cyber-risk handbooks for directors). (Attributed generally; the audience-side view of a board presentation. Emphases evolve by edition — not pinned to a specific figure.)
- Discovering-firm public technical analyses of SUNBURST (the behavioral-detection / anomalous-MFA-enrollment discovery narrative) — read for the lesson; specific technical figures attributed, not pinned.
- Ebbinghaus, H., foundational work on the forgetting curve and spaced repetition (1885); cited as the established memory-decay principle.
- Eric Zimmerman's forensic tools and documentation (Windows artifact parsing) — widely used in the community.
- Established CTF and hands-on practice platforms, and deliberately vulnerable practice VMs/applications published by security-training projects (specific platforms come and go; choose a reputable, currently active one that provides the targets).
- Fogg, B. J., Tiny Habits and the Fogg Behavior Model (B = MAP); Tier 1 for the model itself, Tier 2 for its security-awareness application.
- Freund, J., & Jones, J., Measuring and Managing Information Risk: A FAIR Approach, Butterworth-Heinemann — the book-length treatment of the FAIR model for quantifying risk; the rigorous version of the risk-vs-appetite / burn-down story. The FAIR Institute (fairinstitute.org) hosts related free material (vendor-adjacent community; read critically).
- General business/product-analytics literature on "actionable vs. vanity metrics" (the distinction predates and is broader than security) — sharpens §36.1's core discriminator; the principle transfers cleanly though the sources are outside security.
- General explanations of the base-rate fallacy as it applies to rare-event detection (standard probability result; many sources).
- General industry observation that boards fund risk-and-return narratives over technical detail, and that security leaders commonly fail at executive translation (widely reported in CISO practitioner literature and conference talks; not a single citable statistic).
- General industry reporting that financial motivation dominates breaches and that credential theft/phishing are leading vectors (as summarized in successive DBIR editions).
- General industry reporting that weak or unsalted password hashing (MD5/SHA-1) has amplified the impact of several large credential breaches (pattern summarized across multiple public post-mortems, not attributed to a single named incident here).
- General pattern of large healthcare data breaches over the past decade (months-long undetected access, external discovery, logging gaps inflating notification scope, HHS "wall of shame" listings) — informs Case Study 2; not a single named event.
- General project-management / GRC references on the RACI matrix and its anti-patterns (the concept is standard; exact source varies).
- General reporting that open-source components constitute the large majority of code in typical applications and that transitive dependencies dominate dependency trees (widely cited in software-composition surveys; specifics vary).
- Gilman, E., & Barth, D., Zero Trust Networks: Building Secure Systems in Untrusted Networks, O'Reilly (practitioner build reference; specifics vary by edition).
- Google, CSP Evaluator (csp-evaluator.withgoogle.com) — tool that flags weak CSP directives such as 'unsafe-inline'.
- Google/USENIX Site Reliability Engineering literature on blameless postmortems and sustainable on-call rotations — cross-disciplinary practice transferred to the SOC.
- Hadnagy, C., Social Engineering: The Science of Human Hacking — defender-relevant treatment of human manipulation.
- Hardy, N., "The Confused Deputy" — the classic articulation that a service must check the caller's authority, not its own (widely cited; multiple accessible retellings exist).
- Have I Been Pwned (haveibeenpwned.com) as a public index illustrating the scale of leaked credentials and credential-stuffing exposure.
- Hayden, L., IT Security Metrics. (Choosing and presenting metrics for an executive audience; supports the board-metrics slide.)
- Hubbard, D., & Seiersen, R., How to Measure Anything in Cybersecurity Risk, Wiley (a widely cited argument for quantitative over qualitative risk; treat its specific claims as the authors' position).
- Independent retrospectives and timelines of the SolarWinds campaign from major incident-response firms and the affected vendor; specifics vary by retelling, so anchored on the CISA account above.
- Industry and press retrospectives on publicly exposed cloud storage ("open S3 bucket") data-exposure incidents (the general pattern behind Case Study 2; specifics vary by source and should be verified against the primary report before citing a figure).
- Industry phishing-simulation benchmark reports (click-rate-by-sector studies) — used only for RANGES of realistic click/report rates; methodologies vary widely, so all specific percentages are treated as Tier 2 and never invented.
- Industry reporting (as summarized in successive DBIR editions and similar surveys) that leaked credentials, misconfiguration, and exposed secrets are among the most common breach causes — described qualitatively; no precise figure invented here.
- Industry reporting and incident analyses describing privilege escalation from a low-privilege foothold to domain admin via credential harvesting and lateral movement as a common ransomware pattern (specific efficacy and frequency figures vary by source; treat platform-mitigation efficacy claims as unverified specifics).
- Industry reporting and successive DBIR editions indicating that exploitation of known, unpatched vulnerabilities on internet-facing assets remains a leading breach pattern (general finding; exact figures vary by year and source).
- Industry reporting and vendor analyses that business email compromise produces greater aggregate financial losses than ransomware (as summarized in successive IC3 reports and industry surveys); do not cite a precise figure without the primary report.
- Industry reporting on the 2022 MFA-fatigue ("push bombing") breaches of large technology firms (specifics vary by account; used to motivate number matching and phishing-resistant MFA).
- Industry reporting that command-and-control beaconing and slow ("low-and-slow") exfiltration are common across major intrusions, and that DNS is a frequently abused covert channel (as summarized across vendor threat reports and ATT&CK technique documentation).
- Industry reporting that default/weak credentials and unpatched edge devices are among the most common footholds for compromise (as summarized across successive DBIR editions and CISA advisories).
- Industry reporting that expired certificates and TLS misconfigurations (not algorithm breaks) cause most real-world TLS outages and findings.
- Industry reporting that high-impact intrusions increasingly involve "living off the land" — stolen credentials and built-in tools rather than malware — and so evade signature-only detection (as summarized across vendor and incident-response reports).
- Industry reporting that injection and XSS classes have remained on successive OWASP Top 10 editions for ~two decades (general, as summarized across OWASP releases; no single precise statistic claimed).
- Industry reporting that insider-driven financial fraud commonly exploits weak separation of duties and accumulated (creeping) privileges (general pattern, as summarized across fraud and audit literature).
- Industry reporting that known, patchable vulnerabilities and default/weak configurations (rather than zero-days) account for a large share of real intrusions (as summarized across successive Verizon DBIR editions and CISA advisories) — no precise figure asserted.
- Industry reporting that leaked credentials in source repositories and misconfigured cloud infrastructure are among the leading causes of cloud breaches (as summarized across successive DBIR editions and cloud-security reports).
- Industry reporting that modern applications are predominantly assembled from third-party and transitive dependencies, making software composition analysis essential (as summarized across vendor and OWASP guidance).
- Industry reporting that rogue access points and evil twins remain common physical-access vectors in retail and enterprise environments (as summarized in successive security reports).
- Industry reporting that stolen credentials and phishing are among the most common breach causes (as summarized in successive DBIR editions).
- Industry reporting that the majority of significant breaches involve lateral movement from an initial foothold (as summarized across successive incident-investigation reports such as the Verizon DBIR).
- Industry reporting that the SolarWinds Orion compromise affected on the order of thousands of organizations and a number of U.S. agencies (exact counts vary by source).
- Industry reporting that third-party/vendor access and stale credentials are recurring root causes of healthcare and enterprise ransomware (pattern summarized across public breach reporting; no single figure pinned).
- Industry surveys reporting that non-human/machine identities outnumber human identities by roughly 10:1 to 50:1 in cloud-heavy environments (the exact multiple varies by source; the order of magnitude is consistent).
- Industry workforce studies repeatedly reporting a persistent cybersecurity talent gap (more open roles than qualified people); direction is durable across years, but specific figures vary by source and should not be pinned to a single number.
- Industry/practitioner literature on risk-based alerting (RBA) and detection engineering as a remedy for alert fatigue (widely discussed in vendor and SOC writing; treat specific figures as illustrative).
- Jaquith, A., Security Metrics: Replacing Fear, Uncertainty, and Doubt, Addison-Wesley — the classic professional argument for measuring outcomes over activity and against vanity metrics; foundational to the modern discipline. A well-known practitioner text; treat specific figures as illustrative.
- Kindervag, J., No More Chewy Centers: Introducing the Zero Trust Model of Information Security (originating analyst research, 2010 onward; exact publication details vary).
- Luttgens, J. T., Pepe, M., & Mandia, K., Incident Response & Computer Forensics, McGraw-Hill.
- Major-provider security "Learning Center" educational articles on DDoS, SYN floods, and reflection/amplification (e.g., Cloudflare/Akamai) — accurate on fundamentals; vendor educational material, read for concepts not product claims.
- Malware-Traffic-Analysis.net — a community library of constructed/teaching PCAPs and exercises (excellent for lab skill-building; not a formal citation).
- Mandiant / Google Cloud threat-intelligence reporting (e.g., the M-Trends annual report); named reputable source, but treat specific year-over-year figures as reported, not independently verified here.
- Maslach, C., & Leiter, M. P., burnout research (e.g., The Truth About Burnout and the Areas of Worklife model) — the established framing of burnout as an organizational phenomenon; the SOC-specific application is the author's.
- Microsoft Sysinternals Sysmon documentation — confident it exists; cited at the level of capability (process/network/image-load logging) without pinning a version.
- MITRE, Caldera and the adversary-emulation/purple-teaming tooling ecosystem — open-source operationalization of the purple-team loop (use only in authorized environments).
- MITRE, TTP-Based Hunting and ATT&CK-driven detection guidance (behavior-over-indicator detection; specifics vary by publication).
- Murdoch, D., Blue Team Handbook: Incident Response Edition — a practitioner field reference.
- Murdoch, D., Blue Team Handbook: SOC, SIEM, and Threat Hunting — widely used practical SOC field guide.
- NIST and academic work on synthetic/AI-generated content detection and provenance (a fast-moving area; detailed claims should be treated as Tier 2 pending verification of the specific publication).
- NIST guidance on network security and segmentation/zero-trust networking (e.g., the SP 800-series on virtualization/network security and SP 800-207 on zero trust) — cited for framing internal trust boundaries; specific document numbers to be confirmed before final compile.
- Open FAIR / FAIR (Factor Analysis of Information Risk) as a named method for quantifying risk in dollars (Freund, J., & Jones, J., Measuring and Managing Information Risk: A FAIR Approach). (Cited as a real, named quantification approach that strengthens an ALE-based business case; specific figures not relied upon.)
- Open-source PAM and secrets-management project documentation (e.g., HashiCorp Vault) as illustrations of vaulting, brokering, and short-lived credentials (one vendor's model among several).
- OWASP, Security by Design Principles (community-maintained restatement of least privilege, fail-safe defaults, defense in depth; exact wording varies).
- PortSwigger, Web Security Academy (portswigger.net/web-security) — free interactive labs on injection, XSS, CSRF, SSRF (teaches attacks for defensive understanding; use only in its sandbox).
- Post-incident technical analyses of the SolarWinds / Sunburst compromise from multiple vendor and government sources (the public facts are well established; technical details and attribution specifics vary by report). The control-by-control "what would have prevented/detected it" framing in Case Study 2 is this chapter's defensive interpretation, not a claim about SolarWinds' internal decisions.
- Public DMARC-report analyzers and "spoofability" checkers (reputable, well-reviewed services) used for hands-on practice on owned domains.
- Public reporting of the first practical SHA-1 collision ("SHAttered", 2017) demonstrating that SHA-1 is unsafe for collision-dependent uses such as signatures (specifics per the published research and reputable accounts).
- Public retrospectives on SaaS support-account / over-privileged-access breaches in which one compromised internal or support credential exposed many customers' data (the pattern behind Case Study 2; specifics vary by incident and reporting — attribute carefully and treat figures cautiously).
- Public technical reporting on the Triton/Trisis malware targeting a safety instrumented system (2017) — vendor and researcher analyses; specifics treated carefully and at public-fact level only.
- Published post-incident retrospectives of CI/CD secret-harvesting and leaked-cloud-key breaches, illustrating the secret-harvesting cascade pattern (the class of incident is well documented; specifics vary by retelling — favor primary vendor/CISA post-mortems).
- Published regulatory enforcement actions and breach post-mortems (HHS OCR resolution summaries; EU data-protection-authority decisions; FTC actions) as sources of "compliant but breached" lessons — read the specific published case before citing any detail.
- Red Canary, Atomic Red Team (github.com/redcanaryco/atomic-red-team) — ATT&CK-mapped safe test library.
- Reference-monitor concept (always-invoked, tamper-proof, verifiable) — originating in the Anderson report on computer security (1972) and standard in security-architecture texts (used here at the level of the concept, not a specific edition/figure).
- Regulatory moves to ban universal default passwords on consumer connected devices and require basic security properties before sale (several jurisdictions; specifics vary — attribute carefully and verify the regime before citing a particular law).
- Reporting and retrospectives on the 2021 Colonial Pipeline ransomware incident, used as the generalized model behind the Meridian tabletop (specifics vary by source; the recovered-ransom detail and the single-credential initial access are widely reported).
- Reporting on real deepfake-enabled fraud incidents, including the synthetic-CFO video-call wire-fraud cases (the mechanism is well established; specific amounts and companies vary by retelling — treat as illustrative unless independently verified).
- Reporting on real deepfake-fraud incidents (2023–2024) in which finance employees were tricked by deepfaked voice/video calls into authorizing multi-million-dollar transfers (well-sourced press coverage; specifics vary by retelling).
- Reporting on SIM-swap account-takeover cases against banking and cryptocurrency accounts (illustrates the weakness of phone-number-based possession).
- Reporting that cloud-security and detection/blue-team skills are among the most in-demand in the field (durable industry direction, not a precise statistic).
- Reputable post-incident analyses of identity-provider token-theft / token-forgery breaches illustrating that SSO concentrates risk at the IdP (treat single-source specifics cautiously; do not cite precise unverified figures).
- Reputable retrospectives of the Target (2013, HVAC-vendor + flat-network) and NotPetya (2017, supply-chain + destructive blast radius) incidents — used as optional "Your Turn" cases.
- Retrospective accounts of the 1988 Morris Worm as the first internet-scale security incident (specifics vary by source).
- Retrospective accounts of the 2008 Kaminsky DNS cache-poisoning vulnerability disclosure and the resulting industry response (source-port randomization; accelerated DNSSEC adoption); specifics vary by source.
- Retrospective accounts of the WannaCry and NotPetya (2017) outbreaks spreading via SMBv1 (specifics and attribution vary by source); used to motivate disabling SMBv1 / attack-surface reduction.
- Retrospective accounts of TLS/SSL downgrade and padding-oracle attacks (POODLE, BEAST, FREAK, Logjam, Sweet32, ROBOT, Lucky 13) — read well-sourced write-ups; technical specifics vary by retelling.
- SANS / E-ISAC analysis of the December 2015 Ukraine power-grid attack (widely cited public post-incident report; specifics summarized consistently across reputable accounts).
- SANS DFIR posters and cheat sheets (Windows Forensic Analysis; Hunt Evil) — widely used quick references for artifacts and event IDs.
- SANS Institute, annual SOC survey and SOC-management resources — practitioner data on SOC staffing, automation, tooling, and burnout (framework Tier 1; specific figures Tier 2).
- SANS reading-room papers and SOC survey material on alert fatigue, false-positive rates, and SOC staffing (attributed; exact statistics vary by edition and year).
- SANS Security Awareness, Security Awareness Maturity Model and the annual Security Awareness Report — framework Tier 1; specific benchmark figures Tier 2 (directional, not precise).
- SANS security policy templates / policy library (useful as structural templates; some samples are mislabeled across tiers, which is itself instructive).
- Sector information-sharing (ISAC) and vendor threat reports for financial services; quality varies by source, used as illustrative of sector-specific threat intelligence.
- Sector ISAC threat-sharing reporting (e.g., a financial-services ISAC), membership-dependent.
- Security Onion and SiLK/nfdump as widely used open-source NSM/flow tooling (project documentation; specifics vary by version).
- Security-operations adage "two kinds of organizations: those that patch and those that get patched" (widely repeated; origin uncertain — used as an epigraph only, not a sourced claim).
- Sommer, R., & Paxson, V., "Outside the Closed World: On Using Machine Learning for Network Intrusion Detection," IEEE Symposium on Security and Privacy, 2010 (venue/year as commonly cited; confirm before formal citation).
- Sqrrl, "A Framework for Cyber Threat Hunting" and the associated Hunting Maturity Model — industry white paper popularizing hypothesis-driven hunting; specific maturity levels widely reproduced.
- Stillions, R., "The DML (Detection Maturity Level) Model" (blog) — complementary model on the abstraction level of detections.
- SwiftOnSecurity, sysmon-config (github.com/SwiftOnSecurity/sysmon-config) — widely used Sysmon configuration baseline.
- The "diceware" passphrase method and its entropy rationale (widely described; word-list and per-word entropy figures referenced approximately).
- The broader SANS 504/508 incident-handling and digital-forensics course body of knowledge (attributed; specific materials vary).
- The Cryptopals Crypto Challenges (cryptopals.com) as a hands-on resource for understanding cryptographic misuse (ECB detection, bad randomness, missing integrity); community-maintained, technically sound.
- The DFIR Report (thedfirreport.com) — public, ATT&CK-mapped intrusion analyses with detection guidance.
- The Emerging Threats (ET) open Suricata/Snort ruleset (community-maintained; specific rules evolve over time).
- The FAIR Institute (fairinstitute.org) — community articles and reference material on quantitative risk analysis.
- The Mirai botnet (2016) and its record-setting DDoS attacks built from default-credentialed IoT devices — widely reported; the academic measurement study "Understanding the Mirai Botnet" (USENIX Security 2017) is the primary technical source. Treat any specific device-count or bandwidth figure as approximate and cite the study.
- The Volatility Foundation documentation (memory forensics framework).
- The widely repeated maxim "amateurs hack systems, professionals hack people" (used as the epigraph); attribution is uncertain and contested — treated as folklore, not a sourced quotation.
- The ~76-day Equifax undetected-exfiltration window and the expired-certificate detail — from official investigations and reporting; stated at public-fact level.
- U.S. CISA/FBI joint advisories and congressional testimony on the May 2021 Colonial Pipeline ransomware incident and the DarkSide ransomware-as-a-service operation (initial access via a VPN account lacking MFA; ransom paid, partially recovered; pipeline shut ~5 days). Public-record facts; some operational internals not public and flagged as such.
- Vanhoef, M., & Ronen, E., "Dragonblood: Analyzing the Dragonfly Handshake of WPA3 and EAP-pwd" (2019) — read a well-sourced summary; implementation flaws were subsequently patched.
- Vendor and CERT threat-intelligence reporting on ransomware-as-a-service affiliate models and initial access broker markets (ecosystem details vary by source; attribute carefully, do not treat one report's figures as canonical).
- Vendor next-generation-firewall and NAC architecture guides (capabilities described generically; specific product claims vary and should be verified against NIST guidance).
- Vendor security-blog guidance on specific cloud features (S3 Block Public Access, service control policies, IMDSv2); cloud features change, so any specific feature detail should be confirmed against current provider documentation.
- Vendor WAF and web-security engineering blogs (e.g., Cloudflare, major cloud providers) — current web-attack and WAF-tuning writeups; vendor perspective, read critically.
- Verizon, Data Breach Investigations Report (DBIR) — third-party and supply chain breach patterns (cite the pattern, not a precise figure that shifts year to year).
- Widely reported figure of ~18,000 organizations downloading the trojanized SolarWinds Orion update (reported by SolarWinds) — stated as reported.
- Widely reported observation that secrets pushed to public code repositories are scraped and abused by automated tooling within minutes (as summarized across security-vendor and platform reporting).
- WireGuard protocol whitepaper and documentation (wireguard.com) — specific performance/design claims attributed to the project's own materials.
- Zetter, K., Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon, Crown — a journalistic reconstruction of the Stuxnet operation (well-sourced narrative, not a primary technical document).
Tier 3 — Illustrative / constructed (labeled in text)
- "BorderTrust Financial" (Exercise 32) — a constructed org for the CTF challenge.
- "Folio" social platform and its 120-million-account password-dump analysis (Case Study 2) — a constructed composite, assembled from the documented general pattern of real megabreaches rather than any single named company.
- Aldridge Robotics, "R. Vance," "Marcus Webb," and the insider data-theft investigation (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported insider/trade-secret cases.
- All artifact excerpts, log lines, hashes (labeled illustrative placeholders), and timelines in this chapter — constructed for teaching.
- All bluekit code outputs in this chapter (defender_checkpoint.py, example-01..03, exercise-solutions.py) — hand-traced, illustrative, never executed.
- All configuration excerpts, audit outputs, IP addresses (documentation ranges only), and `.example` domains — illustrative.
- All hashes, keys, certificates, IVs, nonces, and identifiers shown in code and figures — illustrative documentation placeholders, never real values or real computed digests.
- All illustrative scan outputs, exception registers, CVSS/EPSS values in example tables (except the real CVE-2021-44228 figures), and SLA numbers — constructed for teaching.
- All illustrative scanner findings, pipeline YAML, policy-as-code rules, CVE-in-context examples, and metrics in this chapter — constructed for teaching and labeled as illustrative (real CVE IDs such as CVE-2021-44228 / Log4Shell are cited only where confidently known and used illustratively in policy examples).
- All in-chapter campaign numbers (e.g., the 400-recipient retail-division simulation: 48 clicked, 96 reported) — illustrative figures for teaching the metrics.
- All policy-decision logs, access requests, and microsegmentation flows shown in code and exercises — illustrative, using documentation IP ranges and example identities.
- All sample authentication logs, hashes, IP addresses (documentation ranges), and the illustrative SHA-1 prefix `ABF0F` — constructed for teaching; the hash digest is fake and not verified.
- All sample BSSIDs, SSIDs, passphrases, IP ranges (documentation/RFC1918/TEST-NET), and the `wifiaudit.py` output — constructed/illustrative, never real credentials or live targets.
- All sample flow records, Zeek log lines, beacon timestamps, and storage figures throughout the chapter — illustrative values, hand-traced, not measured.
- All sample IP addresses, log lines, signature IDs (9000xxx), and numeric figures throughout the chapter — illustrative values using documentation ranges only.
- All sample logs, alerts, certificate inventories, and placeholder secret values (AKIA...EXAMPLE, ghp_EXAMPLE...) — illustrative and constructed; never real credentials.
- All sample logs, detection rules, account inventories, and the `bluekit/pam.py` output — constructed and hand-traced; documentation values only.
- All sample logs, IP addresses (documentation/RFC 1918 ranges), firewall rulesets, and traffic figures — illustrative and constructed.
- All sample logs, the crypto-inventory tables, and the resilience-score figures throughout the chapter — illustrative, with documentation-range IPs (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
- All sample/illustrative log lines, alert volumes, false-positive rates, and query results in this chapter — constructed for teaching.
- All SBOM excerpts, questionnaire scores, log lines, and contract-clause text in the chapter — illustrative, using documentation values only.
- All staffing/SLA, escalation-routing, build-vs-buy scoring, and purple-team coverage figures in the `code/` examples — illustrative and hand-traced; never executed.
- Brightwater Health Systems and the eighteen-day double-extortion campaign, all logs, timelines, and the deepfake-CFO call (Case Study 2) — a constructed teaching scenario whose patterns mirror widely reported real-world ransomware tradecraft.
- Brightwater Logistics and the deepfake-CFO incident (Case Study 2) — a constructed teaching scenario, grounded in the general pattern of widely reported deepfake-fraud cases.
- Cedar Hollow Water District (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported small-utility incidents.
- CIS Controls v8 control NUMBERS (4, 7, 2, 10, 8) are mapped from memory of the v8 control set — high confidence but spot-check the exact numbering before publishing the crosswalk in key-takeaways.md.
- Colonial Pipeline initial access via a single legacy VPN account without MFA, password in a breach dataset; ransomware affected IT (not OT) and Colonial proactively shut the pipeline — stated per public reporting; confirm phrasing against CISA/company statements.
- CorePoint Systems (Case Study 1) — a constructed core-banking vendor for teaching.
- CVE-2017-5638 is the Apache Struts 2 RCE associated with the Equifax breach (CONFIDENT at public-fact level); confirm the exact disclosure month (March 2017) against NVD.
- CVE-2021-44228 (Log4Shell): CVSS 10.0 Critical, disclosed December 2021 (CONFIDENT). The CSRB report title/year ("Review of the December 2021 Log4j Event", 2022) should be confirmed.
- Eastfield State University (Case Study 2) — a constructed teaching scenario; the breach shape (stale federated account plus loose SAML assertion validation) reflects a real, recurring class of incident, but all specifics, logs, names, and figures are invented for teaching.
- Equifax exposure figure (~147 million people) and the ~76-day undetected window: widely reported and in official reports; confirm exact numbers against the GAO/congressional reports.
- Harborview Construction and Coastal Steel, the $1.2M BEC wire-fraud incident, and all associated figures and headers — a constructed teaching scenario informed by the general pattern of reported BEC incidents (Case Study 2).
- HelixCare (Case Study 2) — a constructed health-tech SaaS teaching scenario; the tenant counts, log excerpts, and figures are illustrative, informed by the general pattern of reported over-privileged-access breaches but tied to no specific real company.
- Lakeshore Regional Health (Case Study 2) and its 600,000-patient data breach — a constructed teaching scenario, informed by the general pattern of reported healthcare breaches.
- Lakeshore Regional Health (Case Study 2) and its account-takeover incident — a constructed teaching scenario, informed by the general pattern of reported healthcare account-takeover incidents.
- Lakeshore Regional Health and its full-disk-encryption rollout, device counts, wave metrics, and incidents (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported lost-device health-data breaches.
- Lakeshore Regional Health System (Case Study 2) — a constructed teaching scenario depicting a silent risk-acceptance failure, informed by the general pattern of reported healthcare PHI breaches; no real institution or incident is depicted.
- Lakeside Health Network (Case Study 2) — a constructed teaching scenario informed by the general, widely reported pattern of healthcare ransomware via unowned/stale vendor access; all figures (9-day outage, costs) are illustrative.
- Lakeside Regional Health (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported insider accounts-payable fraud.
- Lakeside State University (Case Study 2) and its credential-based intrusion, anomaly alert, and detection telemetry — a constructed teaching scenario, informed by the general pattern of reported research-network intrusions.
- Lumadyn Health (Case Study 2) and its public-bucket exposure, escalation chain, and figures — a constructed teaching scenario informed by the general pattern of reported public-storage incidents.
- Lumen Forge and its 200 GB exfiltration via cloud bucket and DNS tunneling, all hosts, baselines, and figures (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported IP-theft and low-and-slow exfiltration incidents.
- Meridian Regional Bank and all its personnel, figures, and incidents — a constructed teaching scenario.
- Meridian Regional Bank branch-wireless redesign (Case Study 1) — a constructed teaching scenario; all configurations, branch counts, and figures are illustrative.
- Meridian Regional Bank online-banking portal review and all its findings, code, logs, and personnel — a constructed teaching scenario.
- Meridian Regional Bank — its AD/Entra hybrid environment, the orphaned-contractor finding, the eight-week identity-governance cleanup, and all account names, counts, and access-review reports — a constructed teaching scenario.
- Meridian Regional Bank — its enterprise risk assessment, register, appetite statement, personnel, and all SLE/ARO/ALE figures (DDoS, credential attack, etc.) are constructed teaching scenarios with illustrative numbers.
- Meridian Regional Bank — its network, addresses, firewall rulesets, IDS signatures, the branch-jack penetration-test finding, and all personnel — a constructed teaching scenario.
- Meridian Regional Bank — the hard-coded AWS backup key discovered on a contractor's laptop, the `svc-statements` over-privileged service account, the secrets-management discovery scan, and the nine-rule secrets-management standard — all a constructed teaching scenario.
- Meridian Regional Bank's AWS footprint, the posture review, all CSPM figures, ACLs, IAM policies, security-group rules, and CloudTrail events in this chapter and Case Study 1 — a constructed teaching scenario.
- Meridian Regional Bank's network-monitoring deployment, the C2 beaconing hunt, all addresses, beacon scores, and the `cdn-sync.example` C2 (Case Study 1) — a constructed teaching scenario.
- Meridian Regional Bank's security awareness program, personnel, simulation results, and all figures (Case Study 1) — a constructed teaching scenario.
- Meridian Regional Bank's TLS estate, the forgotten marketing microsite, the audit, and all figures/grades (Case Study 1) — a constructed teaching scenario.
- Meridian Regional Bank, its board Audit Committee, the Q1 metrics pack, the four named incidents (phishing/creds, malware, data egress, admin login) with their timestamps, the coverage counts (220 servers / 48 admin accounts / 60 critical systems), the maturity table, and all figures in this chapter and Case Study 1 — a constructed teaching scenario; the MTTD/MTTR/coverage/maturity numbers are illustrative.
- Meridian Regional Bank, its branch IoT, its ~200 ATMs, the lobby-camera incident, and all per-device logs, IP addresses, and figures in this chapter and Case Study 1 — a constructed teaching scenario.
- Meridian Regional Bank, its building management system (BuildControl controllers, the facilities HMI/SCADA, the vendor remote-access path), Sam Whitfield's engagement, and all associated figures — a constructed teaching scenario.
- Meridian Regional Bank, its encryption standard, cardholder-data-environment design, and all personnel and figures (Case Study 1) — a constructed teaching scenario.
- Meridian Regional Bank, its loan-origination pipeline, security team (Okafor/Whitfield/Vasquez et al.), figures, and the secure-pipeline build narrative (Case Study 1) — a constructed teaching scenario.
- Meridian Regional Bank, its personnel (Okafor, Vasquez, Whitfield, Reyes, etc.), and all its vendor scenarios, figures, and findings — a constructed teaching scenario.
- Meridian Regional Bank, its team, documents, policy set, RACI, and the examination scenario — a constructed teaching scenario.
- Meridian Regional Bank, the "LoanFlow" loan-origination application, and all associated personnel, code, figures, and findings — a constructed teaching scenario.
- MidStream Credit Union (Exercise 12) — a constructed organization for the build-vs-buy analysis exercise.
- No CVE IDs asserted in this chapter (WannaCry/NotPetya referenced by name/behavior, not by CVE). All standard document numbers above are real to the best of the author's knowledge; where uncertain, the chapter text describes them generically.
- No precise dollar amounts, exact victim lists, or exploit details fabricated. Where a number is approximate it is labeled "~" / "reported".
- Northbridge State University and the graduate-student "Dani" server compromise (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported unhardened-host/internet-exposed-SSH compromises; no real institution depicted.
- NorthField Outfitters retail rogue-AP incident (Case Study 2) — a constructed teaching scenario, informed by the documented pattern of real retail wireless intrusions; all logs, addresses, and figures are illustrative.
- NorthFlow Analytics (Case Study 2) and its Log4Shell incident specifics — a constructed teaching scenario built on the real, widely documented shape of the global Log4Shell response.
- Northgate Industrial and its breach timeline (Case Study 2) — a constructed teaching scenario whose pattern (a known, KEV-listed, internet-facing vulnerability left unpatched under a drifted exception) mirrors several well-documented real breaches, but whose specific figures and entities are invented.
- NorthLine Commerce (Case Study 2) and all its facts, certificates, and the 4.2-million-record breach — a constructed teaching scenario, informed by the general pattern of reported compliant-but-breached incidents and leaked-API-key breaches.
- NorthRiver Logistics, its all-green pre-breach dashboard, its breach narrative, and the reconstructed "honest scorecard" in Case Study 2 — a fully constructed teaching scenario; the company is fictional, while the failure mode (activity-only dashboards hiding real risk) is a real, recurring pattern.
- Northvale Health System (Case Study 2), its SOC, advisory AA-2026-HC-09, and all indicators/figures — a constructed teaching scenario informed by the general pattern of reported healthcare ransomware intrusions.
- Northwind Analytics (Case Study 2) — a constructed SaaS company and CI/CD secret-harvesting incident, a composite informed by the general (well-documented) pattern of pipeline/secret breaches.
- Northwind Health Systems (Case Study 2), CISO Ravi Desai, the two board presentations, and the ransomware outcome — a constructed teaching scenario, informed by the general pattern of reported healthcare ransomware incidents and unsegmented medical-device risk; not a specific real organization or breach.
- Northwind Logistics (Case Study 2) and its breach timeline — a constructed teaching scenario, informed by the general pattern of reported lateral-movement breaches.
- Northwind Logistics (Case Study 2) — a constructed Orion-customer defender for analyzing SolarWinds from the blue-team seat; all internal telemetry, scores, and timelines are illustrative.
- Pinewood Regional Medical Center (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported healthcare/flat-network intrusions; no specific real incident is depicted.
- Pinnacle Ridge Construction and the $312,000 BEC/vishing incident (Case Study 2) — a constructed teaching scenario, informed by the general pattern of widely reported BEC losses; no specific real incident.
- Renata Cabrera and her career-change path (Case Study 2) — a constructed teaching scenario informed by the general pattern of reported career-changer entries into GRC.
- ShopVerse (Case Study 2) e-commerce SQL-injection breach — a constructed teaching scenario, informed by the general pattern of reported web-application breaches; no real company, data, or exploit reproduced.
- SolarWinds attribution to a Russian state-sponsored group (publicly associated with the SVR) and the ~18,000 download figure — stated as publicly reported/attributed, not as independently verified here.
- SP 800-167 title is given as "Guide to Application Whitelisting" — confident the SP number and topic are correct; the historical title uses "whitelisting." Verify exact current title/revision.
- SP 800-40 cited as Rev. 4 with the patch-management-planning title — confident; confirm the revision number at compile.
- StreamHarbor (Case Study 2) — a constructed consumer-streaming-service scenario, informed by the general pattern of reported credential-stuffing/account-takeover waves.
- Tellaro Components (Case Study 2) — a constructed teaching scenario, informed by the general pattern of reported manufacturing-sector ransomware intrusions; all hosts, accounts, timestamps, and events are illustrative.
- The "misattributed intrusion" CTF scenario (Exercise 29) — constructed for teaching.
- The "two intrusions at a manufacturer" War Story (§2.2) — a constructed composite illustrating how motivation shapes behavior.
- The "war story" of the CISO whose all-green deck collapsed after a third-party breach (§36.5) — a constructed, representative vignette, labeled illustrative.
- The CISSP_MIN_YEARS = 5 threshold and all CPE credit values in the code examples — illustrative numbers, not official requirements; confirm with the issuing body.
- The constructed war stories in §40.2 and §40.4 (the vendor-agent telemetry near-miss; the "stop trying to fix it, tell me where we have it" Log4Shell moment) — illustrative, labeled.
- The defender's reading of SolarWinds in Case Study 2 presents the campaign analytically; the high-level facts are from public reporting (Tier 1/2 above), but the framing, tables, and any rounded characterizations are constructed for teaching and avoid claiming non-public detail.
- The insurer war story in §10.3 — a constructed, representative vignette.
- The peer-institution breach referenced in Case Study 1 — a constructed composite.
- The reconstructed Mirai per-device egress logs and target/edge telemetry in Case Study 2 — illustrative reconstructions for teaching; the underlying event is real (see Tier 1/2), the specific log lines are not.
- The SolarWinds/Sunburst behavioral details used in worked examples are described generically and at a defensive level; specific Meridian instantiations are constructed.
- The water-utility scan/RTU-crash "War Story" (§33.4) and the small-utility flat-network scenario (Exercise 23) — constructed composites informed by the general pattern of reported small-utility OT incidents.
- Theo Brandt, Marcus Reyes, and all Meridian Regional Bank personnel, dialogue, and figures (Case Study 1) — a constructed teaching scenario.
- Vantage Logistics (Case Study 2) — a constructed analytical failure case; the burnout-to-breach pattern reflects a common reported failure mode but the company, people, and incident are invented for teaching.