Learning Graph
What is a Learning Graph?
A Learning Graph is a Directed Acyclic Graph (DAG) where every node represents a learning concept and every directed edge represents a prerequisite relationship — "you must understand A before you can meaningfully learn B." This structure, pioneered by Dan McCreary in his Intelligent Textbooks framework, makes Nexus SecOps's 170 concepts explicitly navigable so learners can build knowledge in the right order, identify gaps, and receive AI-personalized learning paths.
Interactive Concept Dependency Graph
The viewer below renders all 170 Nexus SecOps concepts as an interactive force-directed graph. Color encodes the 10 taxonomy categories. Shape encodes structural role:
| Shape | Meaning | Count |
|---|---|---|
| Box | Foundation concept — no prerequisites; starting points | 5 |
| Star | Goal concept — advanced terminal outcome | 9 |
| Circle | Intermediate concept — has prerequisites and dependents | 156 |
How to use the viewer
- Click a node to highlight its direct neighbors and see the concept description + prerequisite list.
- Filter by category using the left-panel legend — click a color to show that domain and its neighbors.
- Search for any concept by name using the search box.
- Drag and scroll to explore — or click ⊙ Fit All to reset the view.
- Toggle Physics to freeze the layout once you have the arrangement you want.
The Two-Plane Model
Dan McCreary's methodology distinguishes two planes that work together:
```mermaid
graph LR
    subgraph CONCEPT["Concept Plane (green)"]
        direction TB
        C1[CIA Triad] --> C2[Defense in Depth]
        C2 --> C3[SOC]
        C1 --> C4[Security Event]
    end
    subgraph CONTENT["Content Plane (blue)"]
        direction TB
        CH1[Chapter 1]
        SIM1[MicroSim: Alert Triage]
        LAB1[Lab 1: Triage]
    end
    C3 -->|taught_by| CH1
    C4 -->|taught_by| SIM1
    C3 -->|practiced_in| LAB1
```

- Concept Plane — the 170 nodes in this learning graph (pure knowledge structure)
- Content Plane — the 15 chapters, 10 MicroSims, 5 labs, and 220 controls
- Linking Layer — each content item maps to one or more concepts; each concept appears across multiple resources
Taxonomy Categories
The 10 categories were chosen to evenly distribute the 170 concepts across the Nexus SecOps domain:
| ID | Category | Concepts | Key Starting Point | Key Goal |
|---|---|---|---|---|
| T01 | Foundations & Frameworks | 18 | CIA Triad | Exfiltration detection |
| T02 | Telemetry & Data Sources | 32 | Log Source | PowerShell Logging |
| T03 | Detection Engineering | 26 | Detection Rule | Detection Engineering (discipline) |
| T04 | Triage & Investigation | 20 | Alert Triage | Investigation Hypothesis |
| T05 | Threat Intelligence | 16 | Threat Intelligence | Attribution |
| T06 | Automation & Response | 15 | Automation | SOAR |
| T07 | Metrics & Evaluation | 18 | Security Event | Evaluation Framework |
| T08 | Machine Learning in Security | 20 | Machine Learning | A/B Testing |
| T09 | LLM & AI Guardrails | 11 | Large Language Model | Guardrail |
| T10 | Governance, Privacy & Risk | 7 | Explainability | Differential Privacy |
Foundation Concepts
These 5 concepts have no prerequisites — they are the starting points for all learning paths. Every learner begins here regardless of experience level.
| Concept | ID | Why foundational |
|---|---|---|
| CIA Triad | C001 | Core security principle underpinning all other controls |
| Security Event | C017 | Observable occurrence — base unit of all detection |
| Log Source | C019 | Origin of all telemetry; prerequisite for everything data-related |
| Automation | C117 | Base concept for all orchestration and SOAR work |
| Machine Learning | C131 | Base concept for all ML, LLM, and AI-related topics |
Goal Concepts
These 9 concepts represent advanced synthesis outcomes — learners who master these have integrated knowledge across multiple prerequisite chains.
| Concept | ID | Prerequisites (direct) | Chapter |
|---|---|---|---|
| Detection Engineering (discipline) | C078 | Detection Rule, Testing, Tuning | Ch 5 |
| Purple Teaming | C071 | Atomic Red Team, ATT&CK | Ch 5 |
| SOAR | C116 | Automation, Orchestration | Ch 8 |
| Attribution | C100 | Threat Intelligence, Threat Actor | Ch 7 |
| ATT&CK Navigator | C077 | ATT&CK, Mapping | Ch 7 |
| Differential Privacy | C170 | Privacy-Preserving ML | Ch 13 |
| Evaluation Framework | C166 | Precision, Recall, F1 | Ch 12 |
| Confusion Matrix | C150 | TP, FP, TN, FN | Ch 10 |
| Playbook | C084 | Runbook, SOAR | Ch 8 |
AI-Generated Learning Paths
The learning graph enables three role-specific curricula derived from shortest-path traversal between foundation and goal concepts:
Target goal concepts: Alert Triage (C081), Runbook (C083), Escalation Criteria (C082)
Minimum path (12 concepts):
CIA Triad → Security Event → Security Incident → Log Source → Telemetry →
SIEM → Log Normalization → Detection Rule → Alert Prioritization →
Severity Scoring → Alert Triage → Runbook
Estimated mastery time: 40–60 hours
Target goal concepts: Detection Engineering (C078), Sigma Rule (C062), ATT&CK Navigator (C077)
Minimum path (18 concepts):
CIA Triad → Security Event → Log Source → Telemetry → SIEM →
Detection Rule → MITRE ATT&CK Framework → TTP → Use Case →
Sigma Rule Format → Detection Logic → Time Window → Correlation Rule →
Baseline → Anomaly Detection → Detection Coverage → Detection Testing →
Detection Engineering
Estimated mastery time: 80–120 hours
Target goal concepts: Confusion Matrix (C150), Evaluation Framework (C166), Model Drift (C163)
Minimum path (16 concepts):
Machine Learning → Training Data → Test Data → Supervised Learning →
Classification → True Positive → False Positive → True Negative →
False Negative → Confusion Matrix → Precision → Recall → F1 Score →
ROC Curve → AUC → Evaluation Framework
Estimated mastery time: 60–90 hours
Data Files
The learning graph is stored in three machine-readable formats for downstream use:
| File | Format | Purpose |
|---|---|---|
| concepts.csv | CSV | ConceptID, Label, Short description |
| dependencies.csv | CSV | ConceptID → pipe-delimited prerequisite IDs |
| taxonomy.csv | CSV | ConceptID → TaxonomyCategory → CategoryID |
| graph.json | JSON | vis.js-compatible nodes + edges (auto-generated) |
CSV Interchange Format
Following McCreary's standard, the dependency file uses pipe-delimited prerequisite IDs in the third column. Foundation concepts have an empty third column:
```csv
ConceptID,DependsOnConceptIDs,DependencyRationale
C001,,Foundational security principle - no prerequisites
C002,C001,Defense in depth applies CIA triad across layers
C004,C003,ATT&CK expands on kill chain with detailed TTPs
C059,C017|C060,Correlation combines multiple detection rules
```
Validation Rules
A valid Nexus SecOps Learning Graph must satisfy all of the following:
- [x] All non-foundational concepts have ≥ 1 dependency
- [x] No self-dependencies (a concept cannot depend on itself)
- [x] Graph is acyclic (no circular prerequisite chains)
- [x] No orphaned nodes (every node connects to at least one other)
- [x] The graph is fully connected (no disconnected subgraphs)
- [x] No category exceeds 30% of total concepts (T02 is largest at 18.8%)
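
The structural rules above can be checked mechanically before a release. The following is an added example, not the project's own tooling: `load_dependencies`, `validate` and the `foundations` argument are hypothetical names, the sample rows are constructed, and the prerequisite list is read by its header name `DependsOnConceptIDs`. It also reports prerequisites that point at undefined IDs; the 30% category cap is left out because it needs taxonomy.csv.

```python
import csv
import io

# Constructed sample in the dependencies.csv layout (not the project's data).
SAMPLE = """ConceptID,DependsOnConceptIDs,DependencyRationale
C001,,Foundation concept
C002,C001|C002,Pipe-delimited list that includes itself
C003,C004,Cycle with C004
C004,C003,Cycle with C003
C005,,No prerequisites but not declared a foundation
"""

def load_dependencies(text):
    """Return {concept_id: [prerequisite_ids]}, reading columns by header name."""
    return {row["ConceptID"].strip():
            [p.strip() for p in row["DependsOnConceptIDs"].split("|") if p.strip()]
            for row in csv.DictReader(io.StringIO(text))}

def validate(deps, foundations):
    """Return a list of rule violations; an empty list means the graph is valid."""
    errors, indeg, dependents = [], dict.fromkeys(deps, 0), {c: [] for c in deps}
    for cid, prereqs in deps.items():
        if not prereqs and cid not in foundations:
            errors.append(f"{cid}: no dependency and not a foundation concept")
        if cid in prereqs:
            errors.append(f"{cid}: self-dependency")
        for p in prereqs:
            if p in deps:
                dependents[p].append(cid)
                indeg[cid] += 1
            else:
                errors.append(f"{cid}: unknown prerequisite {p}")
    # Kahn's algorithm: a concept never released is on, or downstream of, a cycle.
    ready = [c for c, n in indeg.items() if n == 0]
    while ready:
        for d in dependents[ready.pop()]:
            indeg[d] -= 1
            if indeg[d] == 0:
                ready.append(d)
    if stuck := sorted(c for c, n in indeg.items() if n > 0):
        errors.append("cyclic prerequisite chain: " + ", ".join(stuck))
    # Undirected walk from the first concept; orphans and islands are never reached.
    seen, todo = set(), list(deps)[:1]
    while todo:
        if (node := todo.pop()) in deps and node not in seen:
            seen.add(node)
            todo += dependents[node] + deps[node]
    if missed := sorted(set(deps) - seen):
        errors.append("not connected to the rest: " + ", ".join(missed))
    return errors
```

Calling `validate(load_dependencies(SAMPLE), {"C001"})` returns one message per violated rule, so the check can fail a release build whenever the list is non-empty.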
Using This Graph with AI
The learning graph serves as context for AI-assisted personalization. The recommended pattern (GraphRAG) is to load the concept nodes and edges into the LLM context window, then query:
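```python
import json

# Example: find the shortest learning path to a goal concept.
# Load the vis.js-compatible graph (path assumed relative to the working directory).
with open("graph.json", encoding="utf-8") as f:
    graph_json = json.dumps(json.load(f))

# f-string, so that {graph_json} is replaced by the serialized graph
prompt = f"""
Given this Nexus SecOps concept dependency graph in JSON format:
{graph_json}
I want to learn 'Detection Engineering' (C078).
I already know: CIA Triad, Security Event, Log Source, SIEM.
What is the shortest ordered list of concepts I need to learn next?
Return as a numbered list with a one-sentence rationale for each concept.
"""
```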
This technique is implemented in scripts/alpha_discovery.py of the companion Ironclad Growth project and can be adapted for personalized Nexus SecOps curriculum generation.
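
A model's answer to this prompt is untrusted output: it can reorder steps or name concepts that are not in the graph, so it is worth checking against the graph before it reaches a learner. The following is an added example, not code from the project or from scripts/alpha_discovery.py; `required_concepts` and `check_llm_path` are hypothetical names, and the edges in `PREREQS` are constructed for illustration using concept labels from this page.

```python
# Constructed prerequisite map {concept: [direct prerequisites]}; the labels come
# from this page, the edges are illustrative and not the project's data.
PREREQS = {
    "CIA Triad": [], "Security Event": [], "Log Source": [],
    "Telemetry": ["Log Source"],
    "SIEM": ["Telemetry"],
    "Detection Rule": ["SIEM", "Security Event"],
    "Detection Testing": ["Detection Rule"],
    "Detection Engineering": ["Detection Rule", "Detection Testing"],
}

def required_concepts(prereqs, goal, known):
    """Every concept still needed for goal, ordered prerequisites-first."""
    order, visited = [], set(known)   # a known concept is not expanded further
    def visit(concept):
        if concept in visited:
            return
        visited.add(concept)
        for p in prereqs[concept]:
            visit(p)
        order.append(concept)
    visit(goal)
    return order

def check_llm_path(prereqs, goal, known, path):
    """Return problems in a model-proposed path; an empty list means it is sound."""
    problems, have = [], set(known)
    for step in path:
        if step not in prereqs:
            problems.append(f"{step}: not a concept in the graph")
            continue
        missing = [p for p in prereqs[step] if p not in have]
        if missing:
            problems.append(f"{step}: taught before {', '.join(missing)}")
        have.add(step)
    skipped = [c for c in required_concepts(prereqs, goal, known) if c not in path]
    if skipped:
        problems.append("path omits: " + ", ".join(skipped))
    return problems
```

`required_concepts` gives the deterministic answer to compare against, and `check_llm_path` explains why a proposed list is rejected.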
Concept Graph MicroSim
Explore how prerequisite chains form in a small sub-graph using the interactive p5.js simulation:
Learning graph generated from McCreary's Concept Dependency Graph methodology. Data files are version-controlled and auto-regenerated on each release.