Every term, one tab away.
Open this while you read the primer.

A vendor's published notice that a flaw exists in one of their products, usually with affected versions, severity, fix version, and a recommended workaround. Microsoft, Cisco, Siemens, Wabtec, and every other major vendor publishes them. Our Threat Intel agent polls them all.

A widely deployed configuration-management tool that uses SSH and declarative YAML "playbooks" to push state changes to Linux servers. Our Executor agent drives it when remediating Linux assets.

The policy gate decision that allows the Executor agent to ship a fix without waiting for human approval. Reserved for IT assets at Low or Medium criticality with patch reliability ≥ 0.85, a canary peer in the change ring, an open maintenance window, and a validated rollback. Defined by rule SG-POL-003.

How many other systems are affected if this asset goes down. Computed by the Impact Analyst agent from the asset dependency graph. Drives Change Risk scoring.

A period during which the company forbids any change to production — usually around major operational events (peak holiday traffic, regulatory filing dates, election week for utilities). Honored by rule SG-POL-007.

A small subset of comparable assets that receive the patch first. If they survive a soak period (usually 30–120 minutes), the patch promotes to the next ring. Critical for risk-managed auto-apply.

TSA-defined classification (per TSA SD 1580-21-01 §3.B) for systems whose failure would cause severe and immediate operational impact. PTC wayside units, substation RTUs, dispatch centers. Subject to the strictest policy rules: dual approval, open maintenance window, validated rollback, OT Safety Officer sign-off — all four required.

A pre-approved time slot during which changes to a system are permitted. For IT, often nightly 02:00–06:00. For OT, usually weeks or months apart and 2–4 hours long. Patching outside an approved window is a violation for most operators.

US federal agency under DHS. Publishes the KEV catalog, issues directives, runs ICS-CERT. The primary US-government voice on critical infrastructure cybersecurity.

The authoritative inventory of every device, application, service, and dependency in a company. ServiceNow CMDB is the dominant commercial product. Our Impact Analyst agent joins findings to the CMDB to compute business impact.

A defensive measure that mitigates a vulnerability without actually patching it. Industrial firewall ACL tightening, IPS signatures that "virtually patch" the bug at the network layer, monitored isolation. The OT Safety Officer's primary output when direct patching isn't safe.

Globally unique identifier for a security flaw, format CVE-YEAR-NUMBER. Assigned by MITRE. The atomic unit our entire pipeline is built around.

A 0.0–10.0 severity score capturing how bad a CVE is in theory. v3.1 is the current standard; v4.0 is rolling out. 9.0+ is "critical," 7.0–8.9 is "high." Tells you worst-case impact; doesn't tell you how likely exploitation is — that's EPSS.

A network segment that sits between the corporate network and the internet (or between IT and OT). Internet-facing web servers and VPN concentrators usually live here. The "industrial DMZ" between corporate IT and the OT zone is the standard segmentation pattern for ICS networks.

Policy gate outcome requiring two distinct human approvers, typically Security and OT Operations. Mandatory for OT-zone and CCS changes. Each approval is recorded with HMAC signature in the audit ledger.

Software running on every endpoint that watches for malicious behavior. CrowdStrike Falcon, Microsoft Defender for Endpoint, SentinelOne. Adjacent to our problem space; our Inventory Insights agent could ingest EDR telemetry in production.

The point past which a vendor no longer ships security patches for a product version. Running EOL software is a top-tier audit finding. The Inventory Insights agent's eol recommendation kind flags these proactively.

A 0.0–1.0 probability that a CVE will be exploited in the next 30 days, computed by FIRST.org from real-world signals. Most CVEs score below 0.10; KEV-listed CVEs typically score above 0.50. Our Threat Intel agent attaches it to every finding.

A structured record produced by the Compliance Reporter agent for every closed remediation. Tagged to one or more compliance control IDs. Used to build auditor-ready PDF packages.

The software baked into a hardware device — switches, routers, RTUs, PLCs, locomotive on-board computers. Updating firmware is far riskier than updating an application, especially on OT, where a failed firmware update may brick the device.

The pattern the Supervisor agent uses to drive each finding through its lifecycle. States: DISCOVERED → ENRICHED → PRIORITIZED → PLANNED → AWAITING_APPROVAL → EXECUTING → VERIFIED → CLOSED, with ROLLED_BACK and ESCALATED as alternate terminals.

A vulnerability disclosure published through GitHub, typically for open-source projects. Our Threat Intel agent ingests them alongside vendor PSIRTs.

A pre-disclosure feed available to entitled tenants — flaws that are coordinated with vendors but not yet public on NVD. Allows the Patch Hunter agent to act before competitors would even know a CVE exists.

The graphical operator console in OT environments — the screen a train dispatcher or a substation operator looks at. Always tagged as a CCS.

The signature algorithm we apply to every inter-agent message. Detects tampering with the audit ledger. Same primitive used by JWS, AWS Signature v4, and most enterprise auth flows.

The systems controlling who can do what — Microsoft Entra ID (formerly Azure AD), Okta, Ping. Adjacent to our problem space; on the roadmap for identity-aware remediation.

Umbrella term for OT. Covers PLCs, RTUs, SCADA, HMIs, DCS. NIST 800-82r3 is "the ICS security standard."

A specialized advisory feed under CISA focused on industrial control system vulnerabilities. Our Threat Intel agent polls it for OT-relevant CVEs.

The international standard for industrial automation and control system security. Parts 2-1 (program management), 2-3 (patch management), 2-4 (service-provider requirements), 3-2 (risk), 3-3 (system security). Our Compliance Reporter maps to all five.

A network device that inspects traffic and blocks known attack patterns. Cisco Firepower and Palo Alto Networks are the dominant enterprise products. "IPS signature" = a rule that detects a specific exploit attempt; deploying one is a common OT compensating control.

The category of GRC products (governance/risk/compliance) that consume our evidence bundles. ServiceNow IRM, Archer, MetricStream.

A CISA-maintained list of CVEs actively exploited in the wild. Federal civilian agencies are required to remediate KEV-listed CVEs within tight deadlines (often 21 days). Being on KEV is the strongest signal in the platform.

Average wall-clock time from CVE detection to verified fix. The headline KPI. Class I rail baseline: 22 days. Our pilot target: 5 days. Visible in the Command Center.

Internal shorthand for the wave of AI-assisted vulnerability discovery that started with Anthropic's Claude Mythos generation and contemporary OpenAI reasoning models. The reason our platform exists: discovery and exploitation went machine-speed, response stayed human-speed.

The US National Institute of Standards and Technology Cybersecurity Framework, version 2.0. Five functions: Identify, Protect, Detect, Respond, Recover. Most enterprise security programs map their controls to it. Our evidence units tag to its categories.

NIST Special Publication 800-82, revision 3. The US government's playbook for ICS security. Defines the zone/conduit model, patch management requirements for control systems, and the safety controls the OT Safety Officer agent enforces.

The US-government database where every CVE eventually gets a structured entry with CVSS score, affected products, and references. Primary intel source for our Threat Intel agent.

An open-source policy engine using the Rego language. Our policy gate is OPA-shaped — we evaluate the same kind of structured rules ("when X then Y") that OPA does, with the same deterministic guarantees. In production we'd delegate to OPA over HTTP.

The software and hardware that physically runs the world — track switches, substation RTUs, water pumps, pipeline valves. The opposite of IT. The reason the OT Safety Officer agent exists.

A newer version of software that fixes a security flaw. Sometimes a "hotfix" (single CVE), sometimes a "cumulative update" (months of fixes bundled). Patching the wrong asset class without testing is one of the most common causes of self-inflicted outages.

A 0.0–1.0 score our Patch Hunter agent assigns to every located fix. Blends source authority (vendor > community > ad-hoc), deployment population evidence, and rollback feasibility. ≥ 0.85 is the threshold for auto-apply.

Industry mandate for any system that handles payment cards. v4.0 is current. Our Compliance Reporter maps to it for tenants in payment-processing environments (rail ticketing systems, for example).

A small industrial computer that runs a specific control loop — opens and closes a valve, switches a track, regulates a temperature. Rockwell ControlLogix and Siemens SIMATIC are the dominant brands. Almost always CCS.

A vendor's internal security team responsible for handling security flaws in their own products and issuing advisories. Cisco PSIRT, Microsoft MSRC, Siemens ProductCERT, Wabtec PSIRT, Red Hat PSIRT — every major vendor has one.

A rail-specific safety system that automatically prevents train collisions and over-speed derailments. Wayside hardware (track-side cabinets) + on-board locomotive computers. Always CCS, always under TSA SD 1580 oversight.

The chronological, human-readable narrative of what every agent thought and did for a single finding. Stored in the reasoning_traces table. Read by the console, by the Compliance Reporter, and (in the demo) by the audience. "The reasoning trace is the product."

The declarative policy language used by OPA. Looks like a cousin of Datalog. Our seven default policy rules would be Rego in a production OPA deployment.

The concrete output of the Remediation Planner agent: exact steps, exact systems, exact order, exact approvals required, exact rollback procedure, exact verification checks. Both a human runbook and a machine-executable workflow.

The procedure to undo a remediation if it fails. Mandatory and pre-tested for every plan the policy gate approves. Without a validated rollback, rule SG-POL-006 denies the change.

An OT computer at a remote site (substation, wayside cabinet, pump station) that gathers sensor data and executes control commands from a SCADA master. Siemens RUGGEDCOM is the brand you'll see most in our rail demo.

The umbrella OT software that gathers telemetry from RTUs/PLCs and lets operators send commands. The "control plane" of an industrial site.

A structured manifest of every dependency inside a piece of software. Critical for fast triage when a CVE drops in a transitive dependency (the lesson of Log4Shell). On our roadmap.

Microsoft's Configuration Manager and Intune — the dominant tools for pushing Windows patches and configurations to endpoints in the enterprise. The Executor agent drives them.

The aggregation/correlation layer for security logs and events. Splunk Enterprise Security, Microsoft Sentinel, Elastic Security. Adjacent — we send agent reasoning traces to SIEM in production.

US financial-controls mandate. Section 404 covers IT general controls. Our evidence bundles satisfy the change-management testing scope.

An enterprise endpoint management platform — fast inventory + control of large Windows + Linux estates. Our Executor agent drives it as an alternative to SCCM.

A ULID that groups every inter-agent message and reasoning trace entry for one finding's lifecycle. Equivalent to a distributed-tracing trace ID. Surfaced in the console for filtering.

Transportation Security Administration Security Directive, October 2021. Mandates timely vulnerability remediation, network segmentation, and access control for US Class I freight railroads. The regulatory backbone of our rail go-to-market.

The agent that closes the loop. After Executor runs, Verifier rescans, runs a health probe, and (where possible) re-runs an exploit-safety check. Triggers rollback and escalation on failure.

Mitigating a vulnerability at the network layer (with an IPS signature) instead of by patching the asset. Common OT compensating control: keeps the device unchanged but blocks the attack pattern in transit.

Qualys's branded name for their scanner + workflow platform. The most common scanner you'll meet in the IT estate.

Rail term for equipment located alongside the track, off the train. PTC wayside units, hot-box detectors, dragging-equipment detectors. Almost always CCS, almost always in an OT zone.

A specific class of PTC wayside hardware made by Wabtec. The asset class in Scenario C of our demo.

IEC 62443 vocabulary. A zone is a logical grouping of assets with the same security requirements (e.g. "PTC wayside"); a conduit is the controlled network path between zones. Every asset in our platform carries a zone tag, and the policy gate enforces conduit rules.