Security Learning Glossary
Key terms and concepts for understanding security learning, detection governance, and the Security Learning Control Plane.
Security Learning Control Plane (SLCP)
Infrastructure that captures what enterprise security teams learn from incidents, intelligence, and investigations, governs that knowledge with provenance and ownership, and enforces it into existing security tools as detections, playbooks, and controls. The SLCP sits above execution tools (SIEMs, EDRs, SOAR platforms) as a horizontal governance layer.
Every enterprise has 60+ security tools - SIEMs, EDRs, firewalls, IAM systems. These are the muscles. The SLCP is the nervous system that connects what each tool learns. Without it, security teams respond to incidents but never institutionalize the lesson.
KTLYST is the first Security Learning Control Plane. The term draws from infrastructure concepts (like Kubernetes' control plane for containers) applied to security knowledge management.
Learning Artifact
A structured, governed unit of security knowledge with full provenance. Created from raw security learning (incident findings, intel reports, red team results) and enforced into existing tools as detections, playbooks, controls, or compliance evidence.
Learning Artifacts are the primary object in a Security Learning Control Plane. Unlike traditional IOCs or detection rules, a Learning Artifact carries its entire lineage: what source produced it, who approved it, which validation gates it passed, and where it's currently enforced.
Detection rules are the first Learning Artifact type. Future types include playbook updates, control tightenings, policy changes, and compliance evidence.
Detection Governance
The practice of managing the lifecycle of detection rules and security controls with ownership, approval workflows, version control, provenance, and audit trails. Ensures that detections are reviewed before deployment, changes are tracked, and every rule traces back to the intelligence or incident that created it.
Most organizations have hundreds or thousands of detection rules with no clear ownership. When a rule fires, nobody knows who wrote it, why, or whether it's still relevant. Detection governance solves this by treating detections as governed artifacts rather than fire-and-forget configurations.
Without detection governance, organizations accumulate unmaintained rules that create noise, miss real threats, and can't be audited for compliance. SEC cyber disclosure rules and DORA now require organizations to demonstrate this kind of systematic improvement.
Knowledge Compounding
The effect where each security learning event - an incident response, a threat intelligence report, a red team exercise - enriches the organization's future responses, making it progressively harder to breach. The opposite of learning decay.
In most organizations, security knowledge is additive at best and decaying at worst. A postmortem produces findings, but those findings die in a wiki. An intel report gets read, but the TTPs never become detections. When a senior engineer leaves, their knowledge walks out the door.
Knowledge compounding requires infrastructure that captures each learning event, connects it to previous knowledge, and enforces it across the stack. Over time, the system accumulates a security knowledge graph that makes every new response faster and more complete.
Governed Translation
The process of converting raw security intelligence into production-ready artifacts (detection rules, playbooks, controls) with full provenance, validation, and approval chains. Every output clause traces back to source text.
Traditional intel-to-detection translation is manual, unstructured, and ungoverned. An analyst reads a PDF, mentally extracts TTPs, and writes rules by hand. There's no provenance linking the output to the source, no validation gates, and no audit trail.
Governed translation automates the extraction and structuring while preserving the human judgment layer. Analysts review and approve. The system handles the deterministic conversion, provenance tracking, and multi-platform compilation (Splunk SPL, Snowflake SQL, Elastic KQL).
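As an added illustration of the deterministic, multi-platform compilation step described above (example code written for this glossary, not KTLYST's own translation engine): a platform-neutral detection spec is gated on its approval status, validated, and then compiled into Splunk SPL, Snowflake SQL and Elastic KQL. The spec schema, the `endpoint` index, the `endpoint_events` table and the ECS-style field names are assumptions made for the example.

```python
from dataclasses import dataclass

APPROVED = "approved"


@dataclass(frozen=True)
class DetectionSpec:
    """Hypothetical platform-neutral detection (this example's own schema).

    status models a minimal approval workflow: draft -> reviewed -> approved.
    """
    artifact_id: str
    process_name: str       # exact process image name to match
    cmdline_contains: str   # substring that must appear in the command line
    status: str = "draft"


def _validate(spec: DetectionSpec) -> None:
    """Validation gate: refuse values the three dialects would interpret
    differently instead of compiling something ambiguous."""
    for name in ("process_name", "cmdline_contains"):
        value = getattr(spec, name)
        if not value:
            raise ValueError(f"{spec.artifact_id}: {name} is empty")
        if "*" in value:
            raise ValueError(f"{spec.artifact_id}: {name} contains a wildcard")


def _spl_literal(value: str) -> str:
    """Splunk search-command string: double quoted, backslash escapes."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def _sql_literal(value: str) -> str:
    """ANSI/Snowflake string literal: single quotes, doubled to escape."""
    return "'" + value.replace("'", "''") + "'"


def _kql_phrase(value: str) -> str:
    """Kibana KQL quoted phrase (exact match, wildcards not interpreted)."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


_KQL_SPECIAL = set('\\():<>"')


def _kql_wildcard_term(value: str) -> str:
    """Unquoted KQL term wrapped in wildcards.

    KQL only honours * outside quotes, and an unquoted term cannot contain
    whitespace, so such input is rejected rather than compiled incorrectly.
    """
    if any(ch.isspace() for ch in value):
        raise ValueError(f"KQL wildcard term cannot contain whitespace: {value!r}")
    escaped = "".join("\\" + ch if ch in _KQL_SPECIAL else ch for ch in value)
    return "*" + escaped + "*"


def compile_spl(spec: DetectionSpec) -> str:
    # Inside a quoted value of the search command, * is still a wildcard.
    return (f"index=endpoint process_name={_spl_literal(spec.process_name)} "
            f"command_line={_spl_literal('*' + spec.cmdline_contains + '*')}")


def compile_sql(spec: DetectionSpec) -> str:
    # CONTAINS() is a plain (case-sensitive) substring test, so no LIKE
    # escaping of % and _ is needed.
    return ("SELECT * FROM endpoint_events WHERE process_name = "
            f"{_sql_literal(spec.process_name)} AND CONTAINS(command_line, "
            f"{_sql_literal(spec.cmdline_contains)})")


def compile_kql(spec: DetectionSpec) -> str:
    return (f"process.name:{_kql_phrase(spec.process_name)} and "
            f"process.command_line:{_kql_wildcard_term(spec.cmdline_contains)}")


def compile_all(spec: DetectionSpec) -> dict:
    """Approval gate, validation gate, then deterministic compilation."""
    if spec.status != APPROVED:
        raise PermissionError(
            f"{spec.artifact_id} is '{spec.status}', not '{APPROVED}'")
    _validate(spec)
    return {
        "splunk_spl": compile_spl(spec),
        "snowflake_sql": compile_sql(spec),
        "elastic_kql": compile_kql(spec),
    }


if __name__ == "__main__":
    spec = DetectionSpec("LA-0001", "powershell.exe", "-EncodedCommand", APPROVED)
    for platform, query in compile_all(spec).items():
        print(f"{platform}: {query}")
```

The point of the per-dialect quoting helpers is that a governed translation fails closed: a value that one target would treat as a pattern and another as a literal is rejected at the validation gate rather than deployed with different semantics on each platform.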
Provenance Chain
The complete lineage of a Learning Artifact from its original source through every transformation, validation, and approval to its deployed state. At the character level: every output clause links back to the exact source text that produced it.
Provenance chains are essential for audit, compliance, and trust. When a detection rule fires in Splunk, the analyst can trace it back through the governed translation pipeline to the original CISA advisory, incident report, or red team finding that triggered it. This is critical for SEC cyber disclosure requirements and DORA compliance.
Re-Breach
When an organization suffers a second (or subsequent) breach due to failure to institutionalize lessons from the first. According to Cybereason, 78% of breached organizations are breached again, and 36% by the exact same attacker.
Public re-breach cases include LastPass ($150M+ crypto theft), Okta (~$8B market cap loss), T-Mobile ($550M+ costs), MGM ($100M revenue impact), and Rackspace - totaling $900M+ in combined damages. In every case, the organization responded to Breach 1 but failed to institutionalize the lesson.
Re-breaches are the strongest evidence that the security industry has a learning problem, not a tooling problem.
Learning Decay
The gradual loss of institutional security knowledge through team turnover, tool fragmentation, siloed operations, and the absence of systems to capture and enforce what teams learn. The average CISO/security leader turnover cycle is 48 months.
Learning decay is the root cause of re-breaches. Organizations document lessons in postmortems, wikis, and tickets, but these formats don't persist as operational defense. When people leave, the learning leaves with them. When tools change, the context is lost.
The opposite of learning decay is knowledge compounding, which requires infrastructure purpose-built for security knowledge management.
Prevention Engineering
The discipline of making entire categories of attacks stop happening by systematically converting security learning into enforced prevention across the security stack. The evolution beyond detection engineering.
Detection engineering focuses on finding attacks after they begin. Prevention engineering goes further: every incident, intelligence report, and red team exercise systematically reduces the attack surface for the next attempt. The category progression is: Detection Engineering -> Learning Engineering -> Prevention Engineering.
Zero-Inference Extraction
An extraction methodology that produces no hallucinated indicators. Every extracted behavior, TTP, and indicator traces back to specific source text at the character level. Deterministic, not probabilistic.
In security, false positives are costly and false data is dangerous. Zero-inference extraction means the system never guesses, infers, or generates indicators that aren't explicitly present in the source material. Same input produces the same output every time.
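An added example that ties together the Learning Artifact, the character-level Provenance Chain and Zero-Inference Extraction entries (illustrative code written for this glossary, not KTLYST's implementation): indicators are pulled from a constructed advisory text together with their exact character offsets, wrapped in an artifact that records the source hash, approver, gates passed and enforcement targets, and every clause is checked against the source before the artifact can be approved or enforced. The advisory text, identifiers, field names and the three indicator patterns are all constructed for the example.

```python
import hashlib
import re
from dataclasses import dataclass, field, replace
from typing import List, Optional

# Constructed advisory text and placeholder identifiers for this example; not a
# real advisory, and none of the values below are real indicators.
SOURCE_ID = "ADV-EXAMPLE-001"
SOURCE_TEXT = (
    "The actor staged payloads on files.example-cdn.test and beaconed to "
    "203.0.113.45 over HTTPS. The loader had SHA-256 "
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855."
)

# Fixed pattern order and anchored patterns keep extraction deterministic.
PATTERNS = [
    ("domain", re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")),
    ("ipv4", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
    ("sha256", re.compile(r"\b[a-f0-9]{64}\b")),
]


@dataclass(frozen=True)
class Clause:
    """One extracted indicator with its exact character span in the source."""
    kind: str
    value: str
    start: int
    end: int
    source_id: str


@dataclass
class LearningArtifact:
    """Governed unit of knowledge: the clauses plus their lineage."""
    artifact_id: str
    source_id: str
    source_sha256: str
    clauses: List[Clause]
    approved_by: Optional[str] = None
    gates_passed: List[str] = field(default_factory=list)
    enforced_in: List[str] = field(default_factory=list)


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def extract(source_id: str, text: str) -> List[Clause]:
    """Zero-inference extraction: only literal spans of the source are emitted."""
    found = []
    for kind, pattern in PATTERNS:
        for m in pattern.finditer(text):
            found.append(Clause(kind, m.group(0), m.start(), m.end(), source_id))
    # Order by position so output does not depend on pattern iteration details.
    return sorted(found, key=lambda c: (c.start, c.kind))


def build_artifact(artifact_id: str, source_id: str, text: str) -> LearningArtifact:
    return LearningArtifact(artifact_id, source_id, sha256_hex(text),
                            extract(source_id, text))


def verify_provenance(artifact: LearningArtifact, text: str) -> bool:
    """Character-level check: the source is unchanged and every clause is a
    verbatim slice of it. Anything that fails here was inferred, not extracted."""
    if artifact.source_sha256 != sha256_hex(text):
        return False
    return all(c.source_id == artifact.source_id
               and text[c.start:c.end] == c.value for c in artifact.clauses)


def is_deterministic(source_id: str, text: str, runs: int = 3) -> bool:
    """Same input must give the same output every time."""
    results = [extract(source_id, text) for _ in range(runs)]
    return all(r == results[0] for r in results)


def approve(artifact: LearningArtifact, approver: str, text: str,
            gates: List[str]) -> LearningArtifact:
    """Approval gate: provenance must verify before a human sign-off is recorded."""
    if not verify_provenance(artifact, text):
        raise ValueError(f"{artifact.artifact_id}: provenance check failed")
    return replace(artifact, approved_by=approver, gates_passed=list(gates))


def enforce(artifact: LearningArtifact, platform: str) -> LearningArtifact:
    """Deployment is only recorded for approved artifacts."""
    if artifact.approved_by is None:
        raise PermissionError(f"{artifact.artifact_id} is not approved")
    return replace(artifact, enforced_in=artifact.enforced_in + [platform])


if __name__ == "__main__":
    art = build_artifact("LA-EXAMPLE-001", SOURCE_ID, SOURCE_TEXT)
    art = approve(art, "analyst@example.test", SOURCE_TEXT, ["provenance", "determinism"])
    art = enforce(art, "splunk")
    for c in art.clauses:
        print(f"{c.kind:7} {c.value}  [{c.start}:{c.end}]")
```

Storing the source hash alongside the offsets is what makes the chain auditable later: when a rule fires, the clause can be re-checked against the archived source, and an edited source or a hand-added indicator shows up as a provenance failure rather than passing silently.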
Detection Engineering
The discipline of designing, building, testing, and maintaining detection rules that identify security threats in an organization's environment. Now a titled role, with companies hiring Heads of Detection Engineering.
Detection engineering emerged as organizations recognized that writing detection rules requires dedicated expertise. However, most detection engineering teams still lack governance infrastructure - rules are written without provenance, deployed without approval workflows, and abandoned without lifecycle management.
KTLYST provides the governance layer that detection engineering teams need but don't have: detection governance as infrastructure rather than process.
Security Knowledge Graph
A connected graph of every adversary, technique, control, detection, and learning event in an organization's security history. Built incrementally through knowledge compounding as the organization uses the SLCP.
The security knowledge graph is the long-term moat. Each time a team uses KTLYST, institutional knowledge gets captured, versioned, and connected. Over years, this produces an organizational memory that knows which adversaries have targeted the company, what techniques worked, which controls were effective, and where gaps remain.
A knowledge graph that learns is a moat that deepens with every incident.