
Nexus SecOps Concept Taxonomy

10-Class Classification System

This document defines the taxonomy used to classify the 170 concepts in the Nexus SecOps learning graph. Each concept belongs to exactly one primary category, enabling learners to navigate by topic area.


Taxonomy Categories

1. Foundations & Frameworks

Description: Core security principles, industry frameworks, and foundational SOC concepts

Purpose: Establish baseline knowledge required for all other categories

Key Topics:
- Security principles (CIA, defense in depth)
- Industry frameworks (MITRE ATT&CK, Cyber Kill Chain)
- SOC organizational structure
- Core security terminology

Concept Count: 18


2. Telemetry & Data Sources

Description: Log sources, data collection, normalization, and schema standards

Purpose: Understand what data is available and how to prepare it for analysis

Key Topics:
- Endpoint, network, cloud, and identity log sources
- Log formats and schemas (Syslog, JSON, CEF, ECS)
- Data normalization and enrichment
- Data retention and compliance

Concept Count: 30


3. Detection Engineering

Description: Building, testing, and maintaining detection rules and logic

Purpose: Learn to identify threats through signatures, heuristics, and behavioral analytics

Key Topics:
- Detection logic types (signature, heuristic, behavioral, anomaly)
- Rule formats (Sigma, YARA, Snort/Suricata)
- Baselines, thresholds, and correlation
- Detection coverage and gap analysis
- Tuning and testing methodologies

Concept Count: 30


4. Triage & Investigation

Description: Alert handling, enrichment, investigation workflows, and decisioning

Purpose: Master the analyst workflow from alert receipt to incident classification

Key Topics:
- Alert triage and prioritization
- Enrichment and contextualization
- Timeline analysis and pivoting
- Runbooks and SOPs
- Escalation criteria

Concept Count: 20


5. Threat Intelligence

Description: Collection, analysis, and operationalization of threat intelligence

Purpose: Understand how to leverage external intelligence to improve detection and response

Key Topics:
- Intelligence types (strategic, tactical, operational, technical)
- Indicators and threat actors
- STIX/TAXII standards
- Confidence scoring and indicator freshness
- Feed integration

Concept Count: 15


6. Automation & Response

Description: SOAR platforms, playbooks, incident response lifecycle, and automation patterns

Purpose: Learn to automate response while maintaining safety and control

Key Topics:
- SOAR capabilities and workflows
- Playbook design with decision trees
- Incident response phases (containment, eradication, recovery)
- Safety mechanisms (approval gates, rollbacks, rate limits)

Concept Count: 15


7. Metrics & Evaluation

Description: Performance measurement, KPIs, and model evaluation techniques

Purpose: Quantify SOC effectiveness and AI/ML model performance

Key Topics:
- Time-based metrics (MTTD, MTTA, MTTR, MTTC)
- Detection quality metrics (precision, recall, F1)
- Alert metrics (true/false positives, fatigue)
- Model evaluation (ROC, AUC, confusion matrix)

Concept Count: 12


8. Machine Learning in Security

Description: Supervised and unsupervised ML techniques applied to security data

Purpose: Apply traditional ML for classification, clustering, and anomaly detection

Key Topics:
- Learning types (supervised, unsupervised, semi-supervised)
- Classification and regression
- Clustering and outlier detection
- Feature engineering
- Overfitting, underfitting, and model drift
- Training, validation, and test data

Concept Count: 20


9. LLM & AI Guardrails

Description: Large language models, prompt engineering, grounding, and safety controls

Purpose: Safely deploy LLM-based security copilots with appropriate guardrails

Key Topics:
- LLM fundamentals and capabilities
- Prompt engineering techniques
- Retrieval-Augmented Generation (RAG)
- Guardrails (input validation, output filtering)
- Hallucination and prompt injection awareness
- Evaluation frameworks for LLMs

Concept Count: 15


10. Governance, Privacy & Risk

Description: AI governance, bias, privacy-preserving techniques, and risk management

Purpose: Deploy AI responsibly with privacy protections and risk awareness

Key Topics:
- Bias in ML and fairness
- Explainability and transparency
- Privacy-preserving ML techniques
- Differential privacy
- Adversarial robustness
- Evaluation and A/B testing

Concept Count: 10


Category Relationships

graph TD
    A[1. Foundations & Frameworks] --> B[2. Telemetry & Data Sources]
    A --> C[3. Detection Engineering]
    B --> C
    B --> D[4. Triage & Investigation]
    C --> D
    D --> E[5. Threat Intelligence]
    E --> D
    D --> F[6. Automation & Response]
    A --> G[7. Metrics & Evaluation]
    C --> G
    D --> G
    B --> H[8. Machine Learning in Security]
    H --> C
    H --> G
    H --> I[9. LLM & AI Guardrails]
    I --> F
    H --> J[10. Governance, Privacy & Risk]
    I --> J

Learning Pathways by Taxonomy

Foundational Path

For learners new to SOC operations:
1. Foundations & Frameworks
2. Telemetry & Data Sources
3. Metrics & Evaluation

Analyst Path

For SOC analysts focusing on triage and investigation:
1. Foundations & Frameworks
2. Detection Engineering
3. Triage & Investigation
4. Threat Intelligence

Detection Engineer Path

For building and maintaining detection capabilities:
1. Foundations & Frameworks
2. Telemetry & Data Sources
3. Detection Engineering
4. Metrics & Evaluation

Automation Path

For SOAR and automation engineers:
1. Foundations & Frameworks
2. Triage & Investigation
3. Automation & Response
4. Governance, Privacy & Risk

AI/ML Path

For applying artificial intelligence to security operations:
1. Foundations & Frameworks
2. Metrics & Evaluation
3. Machine Learning in Security
4. LLM & AI Guardrails
5. Governance, Privacy & Risk


Concept Distribution

| Category | Count | Percentage |
|---|---|---|
| 1. Foundations & Frameworks | 18 | 10.6% |
| 2. Telemetry & Data Sources | 30 | 17.6% |
| 3. Detection Engineering | 30 | 17.6% |
| 4. Triage & Investigation | 20 | 11.8% |
| 5. Threat Intelligence | 15 | 8.8% |
| 6. Automation & Response | 15 | 8.8% |
| 7. Metrics & Evaluation | 12 | 7.1% |
| 8. Machine Learning in Security | 20 | 11.8% |
| 9. LLM & AI Guardrails | 15 | 8.8% |
| 10. Governance, Privacy & Risk | 10 | 5.9% |
| Total | 170 | 100% |

Usage in Learning Materials

Chapter Mapping — All 40 Chapters

| Chapter | Title | Primary Taxonomy |
|---|---|---|
| 1 | Introduction to AI-Powered SecOps | Foundations & Frameworks |
| 2 | Telemetry & Logging | Telemetry & Data Sources |
| 3 | Data Modeling & Normalization | Telemetry & Data Sources |
| 4 | SIEM, Data Lake & Correlation | Telemetry & Data Sources, Detection Engineering |
| 5 | Detection Engineering at Scale | Detection Engineering |
| 6 | Triage, Investigation & Enrichment | Triage & Investigation |
| 7 | Threat Intelligence & Context | Threat Intelligence |
| 8 | SOAR, Automation & Playbooks | Automation & Response |
| 9 | Incident Response Lifecycle | Automation & Response |
| 10 | AI/ML for SOC | Machine Learning in Security |
| 11 | LLM Copilots & Guardrails | LLM & AI Guardrails |
| 12 | Evaluation, Metrics & KPIs | Metrics & Evaluation |
| 13 | Security Governance, Privacy & Risk | Governance & Risk |
| 14 | Operating Model, Staffing & SLAs | Foundations & Frameworks |
| 15 | Resilience, Tabletops & Learning | Automation & Response |
| 16 | Penetration Testing Methodology | Foundations & Frameworks |
| 17 | Red Team Operations | Detection Engineering, Automation & Response |
| 18 | Malware Analysis | Triage & Investigation |
| 19 | OSINT & Reconnaissance | Threat Intelligence |
| 20 | Cloud Attack & Defense | Telemetry & Data Sources, Governance & Risk |
| 21 | OT/ICS/SCADA Security | Foundations & Frameworks |
| 22 | Threat Actor Encyclopedia | Threat Intelligence |
| 23 | Ransomware Deep Dive | Automation & Response, Detection Engineering |
| 24 | Supply Chain Attacks | Governance & Risk, Threat Intelligence |
| 25 | Social Engineering | Threat Intelligence, Foundations & Frameworks |
| 26 | Insider Threats | Machine Learning in Security, Governance & Risk |
| 27 | Digital Forensics | Triage & Investigation |
| 28 | Advanced Incident Response | Automation & Response |
| 29 | Vulnerability Management | Metrics & Evaluation, Governance & Risk |
| 30 | Application Security | Detection Engineering, Governance & Risk |
| 31 | Network Security Architecture | Telemetry & Data Sources, Foundations & Frameworks |
| 32 | Cryptography Applied | Foundations & Frameworks |
| 33 | Identity & Access Security | Triage & Investigation, Detection Engineering |
| 34 | Mobile & IoT Security | Telemetry & Data Sources |
| 35 | DevSecOps Pipeline | Detection Engineering, Governance & Risk |
| 36 | Purple Team Operations | Detection Engineering, Automation & Response |
| 37 | AI & Machine Learning Security | Machine Learning in Security, LLM & AI Guardrails |
| 38 | Advanced Threat Hunting | Detection Engineering, Triage & Investigation |
| 39 | Zero Trust Implementation | Foundations & Frameworks, Governance & Risk |
| 40 | Security Program Leadership | Governance & Risk, Metrics & Evaluation |

MicroSim Mapping

Interactive simulations focus on specific taxonomies:

| Sim | Title | Primary Taxonomy |
|---|---|---|
| 1 | Alert Triage | Triage & Investigation, Metrics & Evaluation |
| 2 | Correlation Tuning | Detection Engineering |
| 3 | Anomaly Thresholds | Detection Engineering, Machine Learning |
| 4 | SOAR Playbook Designer | Automation & Response |
| 5 | TI Enrichment | Threat Intelligence |
| 6 | Data Normalization | Telemetry & Data Sources |
| 7 | LLM Prompt Injection | LLM & AI Guardrails |
| 8 | SOC Metrics Dashboard | Metrics & Evaluation |
| 9 | Detection Coverage Mapper | Detection Engineering |
| 10 | Incident Timeline Builder | Automation & Response |
| 11 | Concept Graph Explorer | Foundations & Frameworks |
| 12 | Attack Path Visualizer | Detection Engineering, Threat Intelligence |
| 13 | Ransomware Kill Chain | Automation & Response |
| 14 | Threat Actor TTP Matrix | Threat Intelligence |
| 15 | Sigma Rule Builder | Detection Engineering |
| 16 | Zero Trust Designer | Foundations & Frameworks, Governance & Risk |

Glossary Organization

The glossary can be browsed by taxonomy category for targeted learning.


Complete Concept-to-Category Mapping

See taxonomy.csv for the complete mapping of all 170 concepts to their primary taxonomy category.


Document Version: 1.0.0
Last Updated: February 2026