Cybersecurity: Defending the Digital World — Master Outline

From Network Security to Incident Response to Security Architecture.

This is the structural map of the book and the per-chapter assignment for authors. Read your chapter's block together with _style-bible.md (how to write) and _continuity.md (term ownership, cross-reference map, spaced-review schedule). The book has 40 chapters in 8 parts, written to exhaustive depth (each index.md 8,000–12,000 words). Learning-path tags: 🛡️ soc, 🏗️ engineer, 📋 grc, 📜 cert.

Reader-facing tracks (documented in 00-frontmatter/how-to-use-this-book.md):
  • 🛡️ SOC Analyst: Ch. 6, 9, 10, 21, 22, 24, 25, 34
  • 🏗️ Security Engineer: Ch. 3, 5, 7, 11, 15, 16–20, 31, 32, 33
  • 📋 GRC: Ch. 1, 26, 27, 28, 29, 30, 36, 37
  • 📜 Certification Prep (Security+/CISSP): mapped per chapter in key-takeaways.md


Part I — Security Foundations (Ch. 1–5)

Chapter 1 — What Is Cybersecurity? Threats, Vulnerabilities, Risk, and Why Everything Is Under Attack

  • Meta: Part I · beginner · 5–6 h · tracks: soc, grc, cert · Prerequisites: none
  • Objectives: Define cybersecurity and distinguish threat, vulnerability, exploit, and risk; explain why attack surface has exploded; describe the defender's value proposition; compute a simple risk score; situate the book's learning paths and the Meridian project.
  • Reserved terms: cybersecurity, threat, vulnerability, exploit, risk, attack surface, asset, threat actor, likelihood, impact, control (security control), residual risk.
  • Section outline: 1.1 The phishing email that nearly broke a bank (Meridian cold open) · 1.2 Threats, vulnerabilities, exploits, and risk — the core vocabulary · 1.3 The expanding attack surface (cloud, mobile, IoT, supply chain, remote work) · 1.4 Thinking like a defender: risk = likelihood × impact · 1.5 The CIA triad in one page (preview of Ch.3) · 1.6 Who this book is for and how to read it (the four tracks) · 1.7 Project Checkpoint.
  • Anchor duty: introduce Meridian Regional Bank and the team; seed SolarWinds/ransomware/Log4Shell as "why this matters." Program increment: scope + asset inventory + first risk register row. bluekit: riskcalc.py with risk_score(likelihood, impact).
  • Cross-refs: forward → 3 (principles), 27 (risk), 38 (capstone). Spaced review: n/a (first). Themes: all five introduced, esp. 1 & 2.

Chapter 2 — The Threat Landscape: Who Attacks, Why They Attack, and How Attacks Actually Work

  • Meta: Part I · beginner · 5–6 h · tracks: soc, grc, cert · Prerequisites: 1
  • Objectives: Categorize threat actors by motivation/capability; explain the cyber kill chain and MITRE ATT&CK; trace a real intrusion end-to-end; map an attack to defensive opportunities; build a basic threat model for Meridian.
  • Reserved terms: threat actor (taxonomy: nation-state/APT, cybercriminal, hacktivist, insider, script kiddie), motivation, capability, cyber kill chain, MITRE ATT&CK, tactic, technique, procedure (TTP), indicator of compromise (IoC), threat intelligence, APT, attack vector, payload.
  • Section outline: 2.1 The cast of attackers (with real campaigns named) · 2.2 Motivations: money, espionage, ideology, ego · 2.3 The cyber kill chain · 2.4 MITRE ATT&CK as a shared language · 2.5 Anatomy of an intrusion (initial access → impact) · 2.6 Threat modeling Meridian (STRIDE-lite) · 2.7 Project Checkpoint.
  • Anchor duty: SolarWinds + ransomware as actor case studies. Program increment: Meridian threat model + actor profile. bluekit: threatmodel.py with kill_chain_stage(event).
  • Cross-refs: back → 1; forward → 22 (detection), 35 (emerging). Spaced review: Ch.1. Themes: 2, 4.

Chapter 3 — Security Principles: CIA Triad, Defense in Depth, Least Privilege, and Zero Trust

  • Meta: Part I · beginner · 5–6 h · tracks: engineer, grc, cert · Prerequisites: 1, 2
  • Objectives: Apply the CIA triad (and AAA, non-repudiation) to design decisions; classify controls by type and function; apply least privilege, separation of duties, fail-safe defaults, and defense in depth; explain the zero-trust mindset (detailed in Ch.32).
  • Reserved terms: confidentiality, integrity, availability, authentication, authorization, accounting (AAA), non-repudiation, defense in depth, least privilege, separation of duties, fail-safe default, control types (preventive/detective/corrective/compensating; administrative/technical/physical), zero trust (principle).
  • Section outline: 3.1 CIA triad (and why availability is security) · 3.2 AAA and non-repudiation · 3.3 Control taxonomy: type × function · 3.4 Least privilege & separation of duties · 3.5 Defense in depth and "assume breach" · 3.6 Zero trust in one principle · 3.7 Project Checkpoint.
  • Anchor duty: classify the controls that stopped the Meridian phishing attempt. Program increment: control framework skeleton. bluekit: controls.py with classify(control).
  • Cross-refs: back → 1, 2; forward → 16, 17, 32. Spaced review: Ch.1, 2. Themes: 1, 4, 5.

Chapter 4 — Cryptography Fundamentals: Encryption, Hashing, Digital Signatures, and PKI

  • Meta: Part I · intermediate · 6–7 h · tracks: engineer, cert · Prerequisites: 1
  • Objectives: Distinguish symmetric vs asymmetric encryption; choose hashing vs encryption appropriately; explain digital signatures and how PKI binds identity to keys; reason about key sizes and entropy; avoid common crypto mistakes.
  • Reserved terms: plaintext/ciphertext, symmetric encryption, asymmetric encryption, key, AES, RSA, elliptic-curve cryptography (ECC), hash function, SHA-2/3, collision, salt, HMAC, digital signature, public key infrastructure (PKI), certificate authority (CA), X.509 certificate, key entropy, nonce/IV.
  • Section outline: 4.1 What cryptography guarantees (and doesn't) · 4.2 Symmetric encryption & modes · 4.3 Asymmetric encryption (RSA/ECC) & the key-distribution problem · 4.4 Hashing, salting, password storage · 4.5 HMAC & digital signatures · 4.6 PKI, CAs, and certificates · 4.7 Crypto failures to avoid · 4.8 Project Checkpoint.
  • Anchor duty: how Meridian protects card data at rest (PCI-DSS preview). Program increment: encryption standard (algorithms/key sizes). bluekit: cryptutil.py with sha256_hex, hmac_sign, entropy_bits.
  • Cross-refs: back → 1; forward → 5, 16 (password hashing), 20, 28 (PCI). Spaced review: Ch.2, 3. Themes: 1, 4.

Chapter 5 — Applied Cryptography: TLS, VPNs, Disk Encryption, and Securing Data in Transit and at Rest

  • Meta: Part I · intermediate · 6–7 h · tracks: engineer, cert · Prerequisites: 4
  • Objectives: Walk through the TLS 1.3 handshake; choose VPN/encryption technologies for transit; apply full-disk and database encryption; manage certificates and their lifecycle; spot weak TLS configurations.
  • Reserved terms: TLS (and the handshake), cipher suite, forward secrecy, VPN, IPsec, WireGuard, full-disk encryption (BitLocker/LUKS), data at rest vs in transit, certificate lifecycle, certificate pinning, mutual TLS (mTLS), key management, HSM (introduced), tokenization.
  • Section outline: 5.1 Data in transit vs at rest · 5.2 The TLS 1.3 handshake (diagram) · 5.3 Cipher suites & forward secrecy · 5.4 VPNs and IPsec/WireGuard · 5.5 Disk and database encryption · 5.6 Certificate & key lifecycle (and HSMs) · 5.7 Finding weak TLS in the wild (defensive scanning) · 5.8 Project Checkpoint.
  • Anchor duty: Meridian's online-banking TLS posture. Program increment: data-protection standard (in-transit/at-rest). bluekit: extend cryptutil.py with tls_config_grade(params).
  • Cross-refs: back → 4; forward → 9, 15, 20. Spaced review: Ch.4, 1. Themes: 1, 5.

Part II — Network Security (Ch. 6–10)

Chapter 6 — Network Security Fundamentals: TCP/IP, Ports, Protocols, and Where Attacks Live

  • Meta: Part II · beginner · 6 h · tracks: soc, engineer, cert · Prerequisites: 1, 3
  • Objectives: Map the TCP/IP and OSI layers to attack/defense opportunities; read packets and ports; explain segmentation, VLANs, and the death of the perimeter; identify common network attacks (spoofing, MITM, DDoS) and their defenses.
  • Reserved terms: OSI model, TCP/IP, packet, port, socket, three-way handshake, network segmentation, VLAN, subnet, DMZ, NAT, ARP spoofing, man-in-the-middle (MITM), denial of service (DoS/DDoS), east-west vs north-south traffic.
  • Section outline: 6.1 The stack, layer by layer (attacker's & defender's view) · 6.2 Ports, sockets, and the handshake · 6.3 Where attacks live at each layer · 6.4 Segmentation, VLANs, subnets, DMZs · 6.5 Spoofing, MITM, and DoS/DDoS — and defenses · 6.6 Designing Meridian's network zones · 6.7 Project Checkpoint.
  • Anchor duty: Meridian network segmentation (branch/core/cardholder zones). Program increment: network architecture diagram v1. bluekit: netfilter.py with parse_fw_log(line).
  • Cross-refs: back → 1, 3; forward → 7, 10, 33. Spaced review: Ch.3, 1. Themes: 4, 1.

Chapter 7 — Firewalls, IDS/IPS, and Network Access Control: The Perimeter That Doesn't Exist Anymore

  • Meta: Part II · intermediate · 6 h · tracks: engineer, soc, cert · Prerequisites: 6
  • Objectives: Configure stateful/next-gen firewall rules with default-deny; distinguish IDS vs IPS and signature vs anomaly detection; deploy NAC and microsegmentation; place controls in a defense-in-depth network design.
  • Reserved terms: firewall (stateless/stateful/next-gen/WAF), default-deny, access control list (ACL), intrusion detection system (IDS), intrusion prevention system (IPS), signature vs anomaly detection, network access control (NAC), 802.1X, microsegmentation, jump host/bastion.
  • Section outline: 7.1 Firewalls from packet filters to NGFW/WAF · 7.2 Writing rules: default-deny and least privilege on the wire · 7.3 IDS vs IPS; signatures vs anomalies · 7.4 NAC and 802.1X · 7.5 Microsegmentation and the vanishing perimeter · 7.6 Tuning to reduce false positives · 7.7 Project Checkpoint.
  • Anchor duty: Meridian firewall ruleset + IDS deployment. Program increment: perimeter & seg controls. bluekit: extend netfilter.py with rule_matches(pkt, rule), default_deny(rules).
  • Cross-refs: back → 6; forward → 10, 21, 32. Spaced review: Ch.6, 3. Themes: 4, 1.

Chapter 8 — Wireless Security: WiFi, Bluetooth, and the Invisible Attack Surface

  • Meta: Part II · intermediate · 5 h · tracks: engineer, cert · Prerequisites: 6
  • Objectives: Compare WiFi security protocols (WEP→WPA3) and their weaknesses; defend enterprise wireless (802.1X/EAP); assess Bluetooth/NFC and rogue-AP risks; design segmented guest/branch WiFi.
  • Reserved terms: WEP/WPA/WPA2/WPA3, pre-shared key (PSK), WPA-Enterprise/EAP, evil twin, rogue access point, deauthentication attack, Bluetooth (BlueBorne-class), NFC, SSID, wireless IDS (WIDS).
  • Section outline: 8.1 Why wireless is special · 8.2 WEP→WPA3 evolution · 8.3 Enterprise wireless (802.1X/EAP) · 8.4 Rogue APs and evil twins — detection · 8.5 Bluetooth/NFC exposure · 8.6 Securing Meridian's branch and guest WiFi · 8.7 Project Checkpoint.
  • Anchor duty: Meridian branch WiFi segmentation. Program increment: wireless policy. bluekit: wifiaudit.py with assess_wifi(cfg).
  • Cross-refs: back → 6; forward → 14. Spaced review: Ch.6, 4. Themes: 3, 4.

Chapter 9 — DNS, Email, and Web Security: Securing the Protocols Everyone Uses Every Day

  • Meta: Part II · intermediate · 6 h · tracks: soc, engineer, cert · Prerequisites: 6, 7
  • Objectives: Harden DNS (DNSSEC, sinkholing, monitoring); deploy SPF/DKIM/DMARC to stop spoofing; defend against phishing and web threats; recognize DNS/email as detection goldmines.
  • Reserved terms: DNS, DNS poisoning, DNSSEC, DNS tunneling/exfiltration, DNS sinkhole, SPF, DKIM, DMARC, BEC (business email compromise), phishing/spear-phishing, secure email gateway, HTTP security headers, HSTS.
  • Section outline: 9.1 DNS: the phone book attackers love · 9.2 DNSSEC, sinkholes, and DNS monitoring · 9.3 Email threats: phishing, BEC, spoofing · 9.4 SPF/DKIM/DMARC, step by step · 9.5 Web protocol hardening (headers, HSTS, cookies) · 9.6 Catching DNS/email abuse in telemetry · 9.7 Project Checkpoint.
  • Anchor duty: the Meridian phishing near-miss, dissected; SPF/DMARC rollout. Program increment: email & DNS controls. bluekit: dnsguard.py with check_spf, check_dmarc, dga_score.
  • Cross-refs: back → 6, 7; forward → 13, 30. Spaced review: Ch.7, 2. Themes: 3, 1.

Chapter 10 — Network Monitoring and Traffic Analysis: Seeing the Invisible with Wireshark, Zeek, and Flow Data

  • Meta: Part II · intermediate · 6 h · tracks: soc, engineer · Prerequisites: 6, 7
  • Objectives: Capture and read packets (Wireshark); use Zeek logs and NetFlow for scale; detect beaconing, exfiltration, and lateral movement; build the network-visibility layer that feeds the SIEM.
  • Reserved terms: packet capture (PCAP), Wireshark, Zeek, NetFlow/IPFIX, full packet capture vs flow, network detection and response (NDR), beaconing, data exfiltration (network), baseline (network), span/tap.
  • Section outline: 10.1 You can't defend what you can't see · 10.2 Packet capture with Wireshark · 10.3 Zeek: turning packets into logs · 10.4 Flow data at scale (NetFlow/IPFIX) · 10.5 Detecting beaconing, exfil, lateral movement · 10.6 Feeding the SIEM (bridge to Ch.21) · 10.7 Project Checkpoint.
  • Anchor duty: spotting C2 beaconing in Meridian flow data. Program increment: network monitoring design. bluekit: pktflow.py with summarize_flows, top_talkers, beacon_score.
  • Cross-refs: back → 6, 7; forward → 21, 22, 24. Spaced review: Ch.7, 6. Themes: 2, 4.

Part III — System and Application Security (Ch. 11–15)

Chapter 11 — Operating System Security: Hardening Windows, Linux, and macOS

  • Meta: Part III · intermediate · 6–7 h · tracks: engineer, cert · Prerequisites: 3, 6
  • Objectives: Apply CIS-benchmark hardening to Windows/Linux/macOS; manage patching, services, and least-privilege accounts; deploy endpoint protections (EDR, app control, host firewall); use SELinux/AppArmor and Windows security features.
  • Reserved terms: hardening, attack surface reduction, CIS Benchmark, baseline configuration, patching/patch management (host), endpoint detection and response (EDR), application allowlisting, SELinux/AppArmor, seccomp, Group Policy, host-based firewall, secure boot/TPM.
  • Section outline: 11.1 Why default installs are dangerous · 11.2 Hardening Windows (GPO, LAPS, Defender) · 11.3 Hardening Linux (services, SELinux/AppArmor, seccomp) · 11.4 macOS in the enterprise · 11.5 EDR and application control · 11.6 Patch management that actually happens · 11.7 Project Checkpoint.
  • Anchor duty: Meridian server/endpoint baselines. Program increment: hardening standards. bluekit: harden.py with audit_baseline(settings, baseline).
  • Cross-refs: back → 3, 6; forward → 14, 15, 23. Spaced review: Ch.6, 3. Themes: 4, 1.

Chapter 12 — Application Security: OWASP Top 10, Secure Coding, and Why Developers Are the First Line of Defense

  • Meta: Part III · intermediate · 6–7 h · tracks: engineer, cert · Prerequisites: 1, 3
  • Objectives: Explain the OWASP Top 10 and how to prevent each; apply secure-coding and input-validation patterns; integrate SAST/DAST/SCA; reason about the software supply chain (sets up Ch.29/31).
  • Reserved terms: OWASP Top 10, secure software development lifecycle (SSDLC), input validation, output encoding, SAST, DAST, SCA (software composition analysis), dependency/supply-chain risk, threat modeling (app), security requirement, CWE.
  • Section outline: 12.1 Developers as defenders · 12.2 The OWASP Top 10 tour · 12.3 Input validation & output encoding · 12.4 Secrets, dependencies, and the supply chain · 12.5 SAST/DAST/SCA in practice · 12.6 Threat modeling a feature · 12.7 Project Checkpoint.
  • Anchor duty: Log4Shell as a dependency-risk story; Meridian's loan-app code review. Program increment: secure-SDLC policy. bluekit: appsec.py with scan_dependencies(reqs).
  • Cross-refs: back → 1, 3; forward → 13, 23, 29, 31. Spaced review: Ch.3, 1. Themes: 3, 1.

Chapter 13 — Web Application Security: SQL Injection, XSS, CSRF, and the Attacks That Never Get Old

  • Meta: Part III · intermediate · 6–7 h · tracks: engineer, soc, cert · Prerequisites: 12
  • Objectives: Explain and prevent injection, XSS, CSRF, SSRF, and auth flaws; deploy WAF and security headers as defense in depth; review code for web vulns; detect exploitation attempts in logs.
  • Reserved terms: SQL injection, cross-site scripting (XSS: stored/reflected/DOM), cross-site request forgery (CSRF), server-side request forgery (SSRF), parameterized query, content security policy (CSP), same-origin policy, session fixation, web application firewall (WAF).
  • Section outline: 13.1 Why web attacks endure · 13.2 Injection (SQL/command) and parameterization · 13.3 XSS and CSP · 13.4 CSRF and SSRF · 13.5 Session & auth flaws · 13.6 WAFs and detecting attacks in logs · 13.7 Project Checkpoint.
  • Anchor duty: Meridian online-banking portal review. Program increment: web-app security controls. bluekit: extend appsec.py with taint_demo(src, sink) (illustrative, defensive).
  • Cross-refs: back → 12; forward → 21, 31. Spaced review: Ch.12, 9. Themes: 3, 4.

Chapter 14 — Mobile and IoT Security: Securing the Devices That Outnumber Humans

  • Meta: Part III · intermediate · 5–6 h · tracks: engineer, grc · Prerequisites: 11, 15
  • Objectives: Secure mobile devices via MDM and app vetting; assess IoT/embedded weaknesses (default creds, firmware, no patching); segment and monitor device fleets; set a BYOD policy.
  • Reserved terms: mobile device management (MDM)/UEM, BYOD, mobile app sandboxing, jailbreak/root, IoT, embedded device, firmware, default credentials, device segmentation, shadow IoT.
  • Section outline: 14.1 The device explosion · 14.2 Mobile threats and MDM/UEM · 14.3 BYOD policy and containerization · 14.4 IoT weaknesses and why they persist · 14.5 Segmenting and monitoring devices · 14.6 Meridian's ATMs and branch IoT · 14.7 Project Checkpoint.
  • Anchor duty: Meridian ATM/branch-IoT inventory & segmentation. Program increment: mobile/IoT policy. bluekit: iotinv.py with inventory(devices), default_cred_flag(dev).
  • Cross-refs: back → 11, 15; forward → 33. Spaced review: Ch.11, 8. Themes: 4, 3.

Chapter 15 — Cloud Security: AWS, Azure, GCP — Shared Responsibility and the New Attack Surface

  • Meta: Part III · intermediate · 7 h · tracks: engineer, soc, cert · Prerequisites: 6, 11
  • Objectives: Apply the shared-responsibility model; prevent the top cloud misconfigurations (public storage, over-broad IAM); use CSPM/CWPP and cloud-native logging; secure IaaS/PaaS/SaaS and containers (intro).
  • Reserved terms: shared responsibility model, IaaS/PaaS/SaaS, cloud misconfiguration, identity and access management (cloud IAM), security groups, cloud security posture management (CSPM), cloud workload protection (CWPP), CloudTrail/audit logs, container (intro), serverless.
  • Section outline: 15.1 The cloud changes the boundary · 15.2 Shared responsibility, concretely · 15.3 Identity is the new perimeter (cloud IAM) · 15.4 The misconfiguration epidemic (storage, SGs) · 15.5 CSPM/CWPP and guardrails · 15.6 Cloud logging & detection · 15.7 Project Checkpoint.
  • Anchor duty: Meridian's AWS footprint posture review. Program increment: cloud security baseline. bluekit: cloudpost.py with s3_public(acl), iam_overbroad(policy).
  • Cross-refs: back → 6, 11; forward → 20, 31, 32. Spaced review: Ch.11, 5. Themes: 5, 4.

Part IV — Identity and Access Management (Ch. 16–20)

Chapter 16 — Authentication: Passwords, MFA, Biometrics, Passkeys, and Why Passwords Won't Die

  • Meta: Part IV · beginner–intermediate · 6 h · tracks: engineer, soc, cert · Prerequisites: 3
  • Objectives: Explain authentication factors and assurance levels (NIST 800-63); deploy phishing-resistant MFA and passkeys/FIDO2; store passwords correctly; defend against credential attacks.
  • Reserved terms: authentication factor (knowledge/possession/inherence), multi-factor authentication (MFA), TOTP, push fatigue, phishing-resistant MFA, FIDO2/WebAuthn, passkey, biometrics, password hashing (bcrypt/argon2), credential stuffing, password spraying, NIST 800-63 (AAL).
  • Section outline: 16.1 Proving who you are · 16.2 Passwords: storage, policy, and why they persist · 16.3 MFA and its failure modes (push fatigue, SIM swap) · 16.4 Phishing-resistant MFA: FIDO2/passkeys · 16.5 Biometrics · 16.6 Defending against credential attacks · 16.7 Project Checkpoint.
  • Anchor duty: the security key that saved Meridian (callback to Ch.1). Program increment: authentication standard. bluekit: authn.py with password_strength, breached_prefix.
  • Cross-refs: back → 3, 4; forward → 17, 18, 32. Spaced review: Ch.4, 3. Themes: 3, 4.

Chapter 17 — Authorization and Access Control: RBAC, ABAC, and Who Gets Access to What

  • Meta: Part IV · intermediate · 5–6 h · tracks: engineer, grc, cert · Prerequisites: 16
  • Objectives: Distinguish authentication from authorization; design RBAC/ABAC and the access-control models (DAC/MAC); apply least privilege at scale; prevent privilege creep and toxic combinations.
  • Reserved terms: authorization, access control model (DAC/MAC/RBAC/ABAC), role, permission, policy, principle of least privilege (applied), privilege creep, segregation of duties (access), access control matrix, policy decision/enforcement point (PDP/PEP).
  • Section outline: 17.1 AuthN vs AuthZ · 17.2 DAC, MAC, RBAC, ABAC · 17.3 Designing roles that scale · 17.4 Least privilege and privilege creep · 17.5 Policy decision vs enforcement (sets up zero trust) · 17.6 Reviewing Meridian's access matrix · 17.7 Project Checkpoint.
  • Anchor duty: Meridian teller vs admin entitlements; SoD for wire transfers. Program increment: access-control policy. bluekit: authz.py with rbac_check, abac_eval.
  • Cross-refs: back → 16; forward → 18, 19, 32. Spaced review: Ch.16, 3. Themes: 4, 5.

Chapter 18 — Identity Governance: SSO, Federation, Directory Services, and Managing a Million Accounts

  • Meta: Part IV · intermediate · 5–6 h · tracks: engineer, grc, cert · Prerequisites: 16, 17
  • Objectives: Explain SSO, federation (SAML/OIDC), and directory services; run the joiner-mover-leaver lifecycle and access reviews; find orphaned/over-privileged accounts; reduce identity sprawl.
  • Reserved terms: identity and access management (IAM) program, single sign-on (SSO), federation, SAML, OAuth 2.0, OpenID Connect (OIDC), directory service (LDAP/Active Directory/Entra ID), identity lifecycle (JML), provisioning/SCIM, access certification/review, orphaned account.
  • Section outline: 18.1 Identity at scale · 18.2 Directories: AD, LDAP, Entra ID · 18.3 SSO and federation (SAML/OIDC/OAuth) · 18.4 Joiner-Mover-Leaver and provisioning · 18.5 Access reviews and orphaned accounts · 18.6 Meridian's identity cleanup · 18.7 Project Checkpoint.
  • Anchor duty: Meridian AD/Entra hygiene; contractor offboarding gap. Program increment: IGA process. bluekit: idgov.py with orphan_accounts, access_review.
  • Cross-refs: back → 16, 17; forward → 19, 20, 32. Spaced review: Ch.17, 16. Themes: 3, 5.

Chapter 19 — Privileged Access Management: Protecting the Keys to the Kingdom

  • Meta: Part IV · intermediate · 5 h · tracks: engineer, soc, cert · Prerequisites: 17, 18
  • Objectives: Inventory and vault privileged accounts; implement just-in-time access, session recording, and credential rotation; defend admin paths (tiering, PAW); detect privileged-account abuse.
  • Reserved terms: privileged access management (PAM), privileged account, credential vaulting, just-in-time (JIT) access, session recording/monitoring, password rotation, privileged access workstation (PAW), tiered administration, break-glass account, service account (intro).
  • Section outline: 19.1 Why admins are the target · 19.2 Vaulting and rotation · 19.3 JIT and approval workflows · 19.4 Tiering and PAWs · 19.5 Session recording & monitoring · 19.6 Detecting privilege abuse · 19.7 Project Checkpoint.
  • Anchor duty: Meridian domain-admin lockdown. Program increment: PAM standard. bluekit: pam.py with privileged_inventory, jit_window.
  • Cross-refs: back → 17, 18; forward → 20, 24. Spaced review: Ch.18, 11. Themes: 2, 4.

Chapter 20 — Secrets and Machine Identity: Service Accounts, API Keys, Certificates, and Securing Non-Human Access

  • Meta: Part IV · intermediate · 5–6 h · tracks: engineer, soc · Prerequisites: 18, 19, 4
  • Objectives: Manage secrets (vaults, dynamic secrets, rotation); secure machine/workload identity and service accounts; run certificate lifecycle at scale; detect leaked secrets in code and logs.
  • Reserved terms: secret, secrets management, secrets vault (e.g., HashiCorp Vault/cloud KMS), machine identity, workload identity, service account, API key, certificate lifecycle management, secret sprawl/leak, mTLS (applied), HSM (applied), short-lived credentials.
  • Section outline: 20.1 The non-human identity problem · 20.2 Secrets vaults and dynamic secrets · 20.3 Service accounts & workload identity · 20.4 Certificate lifecycle at scale · 20.5 Finding leaked secrets (scanning) · 20.6 Meridian's API keys and service accounts · 20.7 Project Checkpoint.
  • Anchor duty: Meridian's hard-coded key in a repo (constructed). Program increment: secrets-management standard. bluekit: secrets.py with scan_secrets(text), cert_days_left.
  • Cross-refs: back → 18, 19, 4, 5; forward → 31, 32. Spaced review: Ch.19, 4. Themes: 4, 1.

Part V — Security Operations (Ch. 21–25)

Chapter 21 — Security Information and Event Management (SIEM): Centralized Logging and Correlation

  • Meta: Part V · intermediate · 6–7 h · tracks: soc, engineer, cert · Prerequisites: 10
  • Objectives: Design log collection and normalization; write correlation/detection rules; tune to cut alert fatigue; reason about SIEM vs data lake vs SOAR; query logs with SQL/SPL/KQL.
  • Reserved terms: SIEM, log source, normalization/parsing, correlation rule, use case (detection), alert fatigue/false positive, log retention, data lake, SOAR (intro), detection-as-code, dashboard.
  • Section outline: 21.1 Logs are the ground truth · 21.2 Collecting and normalizing at scale · 21.3 Correlation rules and detection use cases · 21.4 Querying (SQL/SPL/KQL) · 21.5 Taming alert fatigue · 21.6 Dashboards and metrics (bridge to Ch.36) · 21.7 Project Checkpoint.
  • Anchor duty: standing up Meridian's SIEM and first 10 use cases. Program increment: logging & monitoring standard. bluekit: siem.py with normalize(raw, source), correlate(events, rule).
  • Cross-refs: back → 10, 7; forward → 22, 24, 36. Spaced review: Ch.10, 6. Themes: 1, 4.

Chapter 22 — Threat Detection and Hunting: Indicators of Compromise, Threat Intelligence, and Hunting for Adversaries

  • Meta: Part V · intermediate–advanced · 6–7 h · tracks: soc · Prerequisites: 21, 2
  • Objectives: Turn threat intel and ATT&CK into detections; run hypothesis-driven threat hunts; distinguish IoCs from behavior-based detection; measure and improve detection coverage.
  • Reserved terms: threat detection, detection engineering, threat hunting, hypothesis-driven hunting, pyramid of pain, behavioral detection, Sigma rule, YARA (intro), threat intelligence platform (TIP), detection coverage (ATT&CK mapping), false negative.
  • Section outline: 22.1 From alerts to hunting · 22.2 IoCs and the pyramid of pain · 22.3 Threat intel that drives detections · 22.4 Detection engineering with Sigma/ATT&CK · 22.5 Hypothesis-driven hunts · 22.6 Measuring coverage · 22.7 Project Checkpoint.
  • Anchor duty: hunting for SolarWinds-style beaconing at Meridian. Program increment: detection & hunting program. bluekit: detect.py with ioc_match, attack_technique.
  • Cross-refs: back → 21, 2, 10; forward → 24, 34. Spaced review: Ch.21, 2. Themes: 2, 4.

Chapter 23 — Vulnerability Management: Scanning, Prioritizing, Patching, and the Vulnerability That Never Gets Fixed

  • Meta: Part V · intermediate · 6 h · tracks: soc, grc, engineer, cert · Prerequisites: 12, 2
  • Objectives: Run the vuln-management lifecycle; prioritize with CVSS + EPSS + KEV + asset context; set risk-based patch SLAs; manage exceptions and report trend metrics.
  • Reserved terms: vulnerability management, vulnerability scanner (authenticated/unauthenticated), CVE, CVSS, EPSS, KEV (Known Exploited Vulnerabilities), risk-based prioritization, patch SLA, exception/risk acceptance, attack surface management, SBOM (intro).
  • Section outline: 23.1 The lifecycle · 23.2 Scanning without breaking things · 23.3 Why CVSS isn't priority (EPSS/KEV/context) · 23.4 Patch SLAs and exceptions · 23.5 The vuln that never gets fixed · 23.6 Reporting and trends · 23.7 Project Checkpoint.
  • Anchor duty: Log4Shell triage at Meridian (prioritization under pressure). Program increment: vuln-management policy + SLAs. bluekit: vulnmgmt.py with priority(cvss, kev, epss), patch_sla.
  • Cross-refs: back → 12, 2; forward → 29, 36. Spaced review: Ch.12, 2. Themes: 5, 2.

Chapter 24 — Incident Response: Preparation, Detection, Containment, Eradication, Recovery, and Lessons Learned

  • Meta: Part V · intermediate–advanced · 7 h · tracks: soc, grc, cert · Prerequisites: 22
  • Objectives: Run the NIST IR lifecycle; build an IR plan, playbooks, and comms; make containment decisions under uncertainty; run a tabletop; conduct a blameless post-incident review.
  • Reserved terms: incident response (IR), NIST SP 800-61 lifecycle (prep/detect&analyze/contain/eradicate/recover/post-incident), playbook, runbook, severity classification, containment (short/long), eradication, recovery, tabletop exercise, blameless postmortem, chain of command (incident commander).
  • Section outline: 24.1 It's not if, it's when · 24.2 Preparation: plan, roles, comms · 24.3 Detection & analysis (triage) · 24.4 Containment, eradication, recovery · 24.5 The ransomware tabletop (Meridian) · 24.6 Lessons learned without blame · 24.7 Project Checkpoint.
  • Anchor duty: the ransomware tabletop at Meridian (full walkthrough). Program increment: IR plan + playbooks. bluekit: ir.py with triage(alert), containment(incident_type).
  • Cross-refs: back → 22, 19; forward → 25, 37. Spaced review: Ch.22, 21. Themes: 2, 3.

Chapter 25 — Digital Forensics for Defenders: Preserving Evidence, Timeline Analysis, and Post-Breach Investigation

  • Meta: Part V · advanced · 6 h · tracks: soc · Prerequisites: 24
  • Objectives: Preserve evidence and maintain chain of custody; acquire disk/memory soundly; build timelines from artifacts; scope a breach (what/when/how far); know forensics' legal limits.
  • Reserved terms: digital forensics (DFIR), order of volatility, chain of custody, disk/memory imaging, write blocker, forensic artifact (registry/$MFT/logs), timeline analysis, indicator scoping, root-cause analysis, anti-forensics.
  • Section outline: 25.1 Forensics in defense (DFIR) · 25.2 Order of volatility & acquisition · 25.3 Chain of custody and legal soundness · 25.4 Key artifacts (Windows/Linux) · 25.5 Building the timeline · 25.6 Scoping the breach · 25.7 Project Checkpoint.
  • Anchor duty: post-incident forensics on the Meridian ransomware case. Program increment: forensics readiness. bluekit: forensics.py with evidence_hash, merge_timeline.
  • Cross-refs: back → 24; forward → 37, 40. Spaced review: Ch.24, 11. Themes: 2, 4.

Part VI — Governance, Risk, and Compliance (Ch. 26–30)

Chapter 26 — Security Governance: Policies, Standards, Procedures, and Building a Security Program

  • Meta: Part VI · beginner–intermediate · 5–6 h · tracks: grc, cert · Prerequisites: 3
  • Objectives: Distinguish policy/standard/procedure/guideline; build a governance structure and document hierarchy; align security to business via a framework; define roles (RACI) and metrics for governance.
  • Reserved terms: security governance, policy, standard, procedure, guideline, security program, governance framework (NIST CSF/ISO 27001 as governance), RACI, security charter, control owner, board oversight, risk appetite (intro).
  • Section outline: 26.1 Governance is how security scales · 26.2 The document hierarchy · 26.3 Frameworks as scaffolding (CSF/27001) · 26.4 Roles, RACI, and the security charter · 26.5 Policy lifecycle · 26.6 Meridian's policy set · 26.7 Project Checkpoint.
  • Anchor duty: drafting Meridian's information-security policy. Program increment: governance structure + policy index. bluekit: compliance.py (start) — policy_coverage(controls, framework).
  • Cross-refs: back → 3, 1; forward → 27, 28, 36. Spaced review: Ch.3, 1. Themes: 1, 5.

Chapter 27 — Risk Management: Identifying, Assessing, Mitigating, and Accepting Risk

  • Meta: Part VI · intermediate · 6 h · tracks: grc, cert · Prerequisites: 1, 26
  • Objectives: Run a risk-management process (NIST 800-30/ISO 27005); do qualitative and quantitative risk analysis (ALE); choose treatment (mitigate/transfer/avoid/accept); maintain a risk register and communicate risk.
  • Reserved terms: risk management, risk assessment, qualitative vs quantitative risk, single loss expectancy (SLE), annual rate of occurrence (ARO), annualized loss expectancy (ALE), risk treatment, risk acceptance/transfer/avoidance/mitigation, risk register, risk appetite/tolerance, inherent vs residual risk.
  • Section outline: 27.1 Risk, formally · 27.2 Identifying & assessing (qual/quant) · 27.3 SLE, ARO, ALE · 27.4 Treatment options · 27.5 The risk register and risk appetite · 27.6 Communicating risk up · 27.7 Project Checkpoint.
  • Anchor duty: Meridian's enterprise risk assessment. Program increment: risk register + appetite statement. bluekit: extend riskcalc.py — ale(sle, aro), prioritize(risks).
  • Cross-refs: back → 1, 26; forward → 28, 29, 36. Spaced review: Ch.26, 1. Themes: 5, 1.

Chapter 28 — Compliance Frameworks: NIST CSF, ISO 27001, SOC 2, PCI-DSS, HIPAA, and GDPR

  • Meta: Part VI · intermediate · 6–7 h · tracks: grc, cert · Prerequisites: 26, 27
  • Objectives: Compare the major frameworks/regulations and their scope; map controls across frameworks (crosswalk); prepare for audits and evidence; explain "compliance ≠ security."
  • Reserved terms: compliance, NIST CSF, ISO/IEC 27001, SOC 2, PCI-DSS, HIPAA, GDPR, control mapping/crosswalk, audit, evidence/artifact, scope (compliance), attestation/certification, gap assessment.
  • Section outline: 28.1 The alphabet soup, organized · 28.2 Voluntary frameworks (CSF, 27001, SOC 2) · 28.3 Mandatory regimes (PCI-DSS, HIPAA, GDPR) · 28.4 Crosswalking controls · 28.5 Surviving an audit · 28.6 Compliance is the floor · 28.7 Project Checkpoint.
  • Anchor duty: Meridian's PCI-DSS + GLBA obligations. Program increment: compliance mapping. bluekit: extend compliance.py — crosswalk(framework_a, framework_b).
  • Cross-refs: back → 26, 27; forward → 29, 36. Spaced review: Ch.27, 26. Themes: 5, 1.

Chapter 29 — Third-Party and Supply Chain Risk Management: Vendor Risk, SBOMs, and Trusting What You Didn't Build

  • Meta: Part VI · intermediate · 5–6 h · tracks: grc, engineer · Prerequisites: 27, 28
  • Objectives: Run a third-party risk lifecycle (assess/contract/monitor/offboard); manage software supply-chain risk with SBOMs and provenance; set vendor security requirements; respond to a vendor breach.
  • Reserved terms: third-party/vendor risk management (TPRM), supply chain risk, software bill of materials (SBOM), fourth-party risk, vendor security assessment, contractual security requirements, continuous vendor monitoring, software provenance/SLSA, concentration risk.
  • Section outline: 29.1 Your risk includes their risk · 29.2 The TPRM lifecycle · 29.3 Software supply chain & SBOM · 29.4 Setting vendor requirements · 29.5 Monitoring & vendor-breach response · 29.6 Meridian's core-banking vendor · 29.7 Project Checkpoint.
  • Anchor duty: SolarWinds + Log4Shell as supply-chain lessons; Meridian vendor review. Program increment: TPRM process + SBOM requirement. bluekit: extend compliance.py — vendor_risk(answers).
  • Cross-refs: back → 27, 28, 12, 23; forward → 31, 35. Spaced review: Ch.28, 23. Themes: 5, 2.

Chapter 30 — Security Awareness Training: The Human Firewall (and Why Phishing Still Works)

  • Meta: Part VI · beginner–intermediate · 5 h · tracks: grc · Prerequisites: 2, 26
  • Objectives: Design an awareness program that changes behavior; run phishing simulations ethically and measure them; build a security culture and reporting habit; tailor training by role.
  • Reserved terms: security awareness, security culture, phishing simulation, click rate/report rate, social engineering (defense), just-in-time training, nudge, security champions, insider threat (intro), human firewall.
  • Section outline: 30.1 Why training fails (and how to fix it) · 30.2 Behavior over knowledge · 30.3 Phishing simulations done right · 30.4 Measuring what matters · 30.5 Building a reporting culture · 30.6 Meridian's program · 30.7 Project Checkpoint.
  • Anchor duty: turning the Ch.1 near-miss into a program. Program increment: awareness program + metrics. bluekit: awareness.py — click_rate(results).
  • Cross-refs: back → 2, 26, 9; forward → 37. Spaced review: Ch.26, 2. Themes: 3, 1.

Part VII — Advanced and Emerging Topics (Ch. 31–35)

Chapter 31 — DevSecOps: Integrating Security into CI/CD Pipelines and the Software Development Lifecycle

  • Meta: Part VII · intermediate–advanced · 6 h · tracks: engineer · Prerequisites: 12, 15
  • Objectives: Shift security left across the SDLC; build security gates into CI/CD (SAST/DAST/SCA/secrets/IaC scanning); secure the pipeline itself; balance speed and assurance with policy-as-code.
  • Reserved terms: DevSecOps, shift left, CI/CD pipeline, security gate, infrastructure as code (IaC) scanning, secrets scanning (CI), policy as code, artifact signing, pipeline integrity, container image scanning, guardrails vs gates.
  • Section outline: 31.1 Security at the speed of delivery · 31.2 Gates across the SDLC · 31.3 Scanning code, deps, IaC, secrets · 31.4 Securing the pipeline (the SolarWinds lesson) · 31.5 Policy as code · 31.6 Meridian's pipeline · 31.7 Project Checkpoint.
  • Anchor duty: build-pipeline integrity (SolarWinds). Program increment: secure-pipeline standard. bluekit: pipeline.py — ci_gate(findings, threshold).
  • Cross-refs: back → 12, 13, 15, 20, 29; forward → 32. Spaced review: Ch.15, 12. Themes: 1, 4.

Chapter 32 — Zero Trust Architecture: Never Trust, Always Verify — Designing for the Post-Perimeter World

  • Meta: Part VII · advanced · 6 h · tracks: engineer, cert · Prerequisites: 3, 16, 17
  • Objectives: Explain zero-trust tenets (NIST 800-207); design around identity, device, and context; implement policy decision/enforcement and microsegmentation; build a pragmatic ZT migration roadmap.
  • Reserved terms: zero trust architecture (ZTA), NIST SP 800-207, implicit trust zone, policy engine/administrator, ZTNA, software-defined perimeter, continuous verification, device posture, context-aware access, least-privilege session.
  • Section outline: 32.1 Why the perimeter failed · 32.2 The tenets (800-207) · 32.3 Identity + device + context · 32.4 PDP/PEP and ZTNA · 32.5 Microsegmentation revisited · 32.6 A realistic ZT roadmap for Meridian · 32.7 Project Checkpoint.
  • Anchor duty: Meridian's ZT roadmap. Program increment: zero-trust target architecture. bluekit: zerotrust.py — policy_decision(subject, resource, context).
  • Cross-refs: back → 3, 6, 7, 16, 17, 18; forward → 33. Spaced review: Ch.17, 7. Themes: 4, 1.

Chapter 33 — Securing Operational Technology: ICS, SCADA, and Critical Infrastructure Defense

  • Meta: Part VII · advanced · 6 h · tracks: engineer, grc · Prerequisites: 6, 11
  • Objectives: Contrast OT vs IT priorities (safety/availability first); explain ICS/SCADA components and the Purdue model; apply OT-appropriate controls (segmentation, monitoring, no-patch realities); learn from real OT incidents.
  • Reserved terms: operational technology (OT), industrial control system (ICS), SCADA, PLC/RTU/HMI, Purdue model (levels 0–5), OT/IT convergence, safety instrumented system (SIS), passive OT monitoring, air gap (myth/reality), critical infrastructure.
  • Section outline: 33.1 When downtime can kill · 33.2 ICS/SCADA components · 33.3 The Purdue model & segmentation · 33.4 Why you can't just patch · 33.5 Monitoring OT passively · 33.6 Lessons from real OT attacks · 33.7 Project Checkpoint.
  • Anchor duty: Colonial Pipeline (IT/OT boundary); Meridian facilities/physical-OT angle. Program increment: OT segmentation plan. bluekit: otsec.py — purdue_zone(asset).
  • Cross-refs: back → 6, 11, 14; forward → 35. Spaced review: Ch.6, 11. Themes: 4, 2.

Chapter 34 — AI and Machine Learning in Security: Anomaly Detection, Threat Prediction, and Adversarial AI

  • Meta: Part VII · advanced · 6 h · tracks: soc, engineer · Prerequisites: 22
  • Objectives: Apply ML to detection (anomaly/UEBA) and know its limits; defend ML systems from adversarial/poisoning attacks; assess AI-enabled attacks (deepfakes, LLM-aided phishing); use LLMs safely in the SOC.
  • Reserved terms: anomaly detection, user and entity behavior analytics (UEBA), supervised vs unsupervised detection, false-positive tradeoff, adversarial machine learning, data poisoning, model evasion, AI-enabled attack, LLM security (prompt injection, intro), explainability.
  • Section outline: 34.1 What ML can and can't do for defense · 34.2 Anomaly detection & UEBA · 34.3 The false-positive economics · 34.4 Attacking ML (adversarial/poisoning) · 34.5 AI-enabled attacks & LLMs in the SOC · 34.6 Meridian's anomaly-detection pilot · 34.7 Project Checkpoint.
  • Anchor duty: anomaly detection on Meridian auth logs. Program increment: analytics/UEBA plan. bluekit: mlsec.py — zscore_anomaly(series).
  • Cross-refs: back → 22, 21; forward → 35. Spaced review: Ch.22, 21. Themes: 2, 3.

Chapter 35 — Emerging Threats: Supply Chain Attacks, Ransomware Evolution, Deepfakes, and Post-Quantum Cryptography

  • Meta: Part VII · intermediate–advanced · 5–6 h · tracks: soc, grc, cert · Prerequisites: 2, 29
  • Objectives: Track how threats evolve (RaaS, double extortion, supply chain); explain the quantum threat and post-quantum migration (crypto-agility); assess deepfake/synthetic-media risk; build a horizon-scanning habit.
  • Reserved terms: ransomware-as-a-service (RaaS), double/triple extortion, supply-chain attack (evolution), deepfake/synthetic media, post-quantum cryptography (PQC), harvest-now-decrypt-later, crypto-agility, initial access broker, living-off-the-land (LOLBins).
  • Section outline: 35.1 How threats evolve · 35.2 Ransomware's business model · 35.3 Supply chain, next generation · 35.4 Deepfakes & synthetic identity · 35.5 The quantum clock & PQC migration · 35.6 Horizon scanning at Meridian · 35.7 Project Checkpoint.
  • Anchor duty: all three anchors as "what's next." Program increment: emerging-threat watch + crypto-agility note. bluekit: extend cryptutil.py — crypto_inventory(systems) (PQC readiness).
  • Cross-refs: back → 2, 4, 29, 33; forward → 40. Spaced review: Ch.29, 2. Themes: 2, 5.

Part VIII — Synthesis (Ch. 36–40)

Chapter 36 — Security Metrics, Measurement, and Reporting to the Board

  • Meta: Part VIII · intermediate · 5 h · tracks: grc, soc · Prerequisites: 27, 21
  • Objectives: Choose meaningful security metrics and KRIs (vs vanity metrics); measure program effectiveness (MTTD/MTTR, coverage, risk burn-down); build dashboards for different audiences; tell the board a risk story.
  • Reserved terms: security metric, key risk indicator (KRI)/KPI, mean time to detect/respond (MTTD/MTTR), control coverage, security maturity model, dashboard (executive vs operational), vanity metric, risk burn-down, benchmark.
  • Section outline: 36.1 What gets measured · 36.2 Operational vs executive metrics · 36.3 MTTD/MTTR and coverage · 36.4 Maturity models · 36.5 The board conversation · 36.6 Meridian's metrics pack · 36.7 Project Checkpoint.
  • Anchor duty: Meridian's first board metrics deck. Program increment: metrics & reporting pack. bluekit: metrics.py — mttd, mttr, coverage.
  • Cross-refs: back → 27, 21, 23; forward → 38. Spaced review: Ch.27, 21. Themes: 1, 5.

Chapter 37 — Building and Leading the Security Function: Teams, Culture, and the Modern SOC

  • Meta: Part VIII · intermediate · 5 h · tracks: grc, soc · Prerequisites: 26, 24
  • Objectives: Structure a security org and SOC (build vs outsource/MSSP); hire and retain scarce talent; design SOC workflows and reduce burnout; lead through an incident and build a learning culture.
  • Reserved terms: security operations center (SOC), SOC tiers/analyst roles, MSSP/MDR, build vs buy (SOC), runbook-driven operations, analyst burnout/alert fatigue (org), purple teaming, security staffing/skills gap, on-call/escalation.
  • Section outline: 37.1 Org design for security · 37.2 The modern SOC (tiers, MDR, automation) · 37.3 Hiring & retaining in a talent shortage · 37.4 Workflows, runbooks, and burnout · 37.5 Purple teaming & continuous improvement · 37.6 Leading Meridian's team · 37.7 Project Checkpoint.
  • Anchor duty: scaling Meridian's SOC. Program increment: org chart + SOC operating model. bluekit: integrate (no new module; metrics.py for staffing/SLA).
  • Cross-refs: back → 26, 24, 30; forward → 38, 39. Spaced review: Ch.24, 26. Themes: 3, 1.

Chapter 38 — Capstone: Building a Complete Security Program from Risk Assessment to Board Presentation

  • Meta: Part VIII · advanced · 7–8 h · tracks: all · Prerequisites: broad (esp. 1, 3, 26, 27, 36)
  • Objectives: Assemble the full Meridian security program from prior checkpoints; prioritize a roadmap against budget and risk; produce the board-ready deliverable; defend tradeoffs.
  • Reserved terms: security program (complete), security roadmap, security strategy, control prioritization, budget justification/business case, program governance (synthesis), board presentation.
  • Section outline: 38.1 From components to a program · 38.2 Assembling the document · 38.3 Prioritizing the roadmap (risk × cost) · 38.4 Building the business case · 38.5 The board presentation · 38.6 Three capstone tracks (SOC/Engineer/GRC) · 38.7 Deliverable & rubric.
  • Anchor duty: the entire Meridian program, integrated. Program increment: assemble everything. bluekit: program_dashboard(state) (integrates modules).
  • Cross-refs: back → broad (I–VII); forward → 39. Spaced review: broad recall. Themes: all.

Chapter 39 — The Cybersecurity Career: Certifications, Specializations, and the Path from Analyst to CISO

  • Meta: Part VIII · beginner · 4–5 h · tracks: all · Prerequisites: broad
  • Objectives: Map the security career landscape and specializations; choose certifications by goal (Security+/CISSP/etc.); build skills, a portfolio, and a home lab; navigate ethics and continuous learning.
  • Reserved terms: security certification (Security+/CySA+/CISSP/CISM/OSCP/cloud), specialization track, home lab, capture the flag (CTF), professional ethics (security), continuing education (CPE), career ladder (analyst→engineer→architect→CISO).
  • Section outline: 39.1 The field's many doors · 39.2 Specializations (blue/red/GRC/cloud/AppSec) · 39.3 Certifications, decoded · 39.4 Building skills & a home lab · 39.5 Ethics & lifelong learning · 39.6 The path to CISO · 39.7 Project Checkpoint (your plan).
  • Anchor duty: Theo's growth arc at Meridian. Program increment: the reader's own development plan. bluekit: n/a (portfolio guidance).
  • Cross-refs: back → broad; forward → 40. Spaced review: broad. Themes: 3, 1.

Chapter 40 — Case Studies: SolarWinds, Colonial Pipeline, Log4Shell, and the Breaches That Changed the Industry

  • Meta: Part VIII · intermediate · 6 h · tracks: all · Prerequisites: broad
  • Objectives: Analyze landmark breaches end-to-end using the book's full toolkit; extract transferable lessons; connect each case to the controls that would have changed the outcome; synthesize the book's themes.
  • Reserved terms: (synthesis chapter — no new reserved terms; reuse and integrate). Key case anchors: SolarWinds/Sunburst, Colonial Pipeline, Log4Shell/Log4j, plus one breach-of-the-reader's-choice frame.
  • Section outline: 40.1 How to read a breach · 40.2 SolarWinds: trust weaponized · 40.3 Colonial Pipeline: IT/OT and ransomware · 40.4 Log4Shell: the dependency you forgot · 40.5 Cross-case lessons · 40.6 What you've become (the five themes, revisited) · 40.7 Where to go next.
  • Anchor duty: full payoff of all three anchors. Program increment: apply lessons to Meridian. bluekit: n/a (capstone reflection).
  • Cross-refs: back → broad (esp. 2, 22, 23, 24, 29, 31, 33). Spaced review: thematic recall. Themes: all five, explicitly.

Authors: your reserved terms above are the ONLY terms you first-define. Pull all cross-reference numbers from _continuity.md §2. Respect the depth target (8,000–12,000 words for index.md).