Where every claim in SecProve comes from.
A dense reading catalog. Every claim is footnoted. Sort by source, filter by pillar, type, or recency. Built for analysts who want to see what we are standing on.
NATO-accredited research center on strategic communications, information warfare, and influence operations. Publishes detailed case studies on hybrid-warfare campaigns from a defense perspective.
Top 10 security risks for APIs. Covers broken object-level authorization, authentication failures, excessive data exposure, and more.
International standard for establishing, implementing, maintaining, and continually improving an information security management system (ISMS).
Cataloged threat groups with associated TTPs. Good for questions on attribution, TTP overlap, and intelligence-driven detection.
Open-source project for signing, verifying, and protecting software supply chains. Keyless signing for artifacts.
Open-source investigations of disinformation campaigns and information warfare. Methodology-forward: they publish their workflows, not just findings.
AWS best practices for designing and operating secure workloads in the cloud. Covers IAM, detection, infrastructure protection, and incident response.
Conference presentations covering novel attack techniques and defensive research. Essential for cutting-edge offensive/defensive questions. AI Village talks particularly relevant for Pillars B and C.
Open-source digital forensics tools for disk image analysis. Industry standard for incident investigation and evidence collection.
Four vertices: Adversary, Capability, Infrastructure, Victim. Complements the Kill Chain and ATT&CK. Questions on analytical frameworks and when to apply each model.
18 prioritized security controls organized into Implementation Groups (IG1, IG2, IG3). Practical and prescriptive: good for questions about prioritization and which controls matter most for different organization sizes.
Consensus-based security configuration guides for 100+ technologies. The industry standard for hardening systems.
Federal hub for ransomware prevention, mitigation, and recovery guidance. Joint advisories with FBI/MS-ISAC, no-cost CISA services, and the ransomware-specific recovery checklist.
No-cost CISA assessment of operational resilience and cybersecurity practices for critical infrastructure operators. Maps to NIST CSF for gap analysis.
Annual federal campaign with current-year themes, free materials, and partner toolkits. Reflects the public-facing federal stance on awareness messaging.
Federal hub for cybersecurity training resources, career development pathways, and free CISA-developed training programs. Companion to NICE for workforce-readiness questions.
Federal hub for the U.S. perspective on foreign influence operations, election integrity, and counter-disinformation guidance. Includes "rumor vs. reality" public briefings.
Authoritative feed of ICS-CERT advisories covering vulnerabilities in PLCs, HMIs, SCADA platforms, and OT vendors. The primary source for tracking active threats to industrial systems.
Federal guidance on protecting GPS/GNSS-dependent infrastructure from spoofing and jamming. Resilient PNT executive order context, sector-specific resilience profiles.
Framework for transitioning to zero trust architecture across five pillars: identity, devices, networks, applications, and data.
Network traffic trends, DDoS statistics, protocol adoption. Useful for questions about scale and real-world network security challenges; not Cisco product-specific.
Open-source network intrusion detection and prevention system. Industry standard for real-time traffic analysis and packet logging.
Cloud-specific control framework with 197 controls across 17 domains. Mapped to NIST 800-53, ISO 27001, PCI DSS, GDPR. The reference for cloud-architecture control questions.
Peer-ranked cloud threats. The shift from infrastructure issues to identity/access/misconfiguration reflects cloud maturity. Good for questions testing threat prioritization understanding.
Set of practical cryptography exercises. Learn by breaking real-world crypto systems, the best way to understand cryptographic vulnerabilities.
Curated newsletter covering detection engineering practices, tools, and techniques. Practical resource for SOC and detection teams.
Mature, widely deployed medium-interaction SSH and Telnet honeypot. Logs attacker commands, captures malware, proxies sessions. The standard reference implementation for SSH-honeypot questions.
Comprehensive CISO leadership reference. Covers building programs, board communication, metrics, and team development.
UK/international pen test certification body. Their guides cover methodology, reporting standards, and ethics. Useful for questions on professional standards in offensive security.
Comprehensive guidance for cloud security best practices. Covers architecture, governance, compliance, and operations.
Annual OT/ICS threat landscape report. Tracks threat groups (Chernovite, Bentonite, etc.) targeting industrial systems. Original research, not marketing.
EU-focused annual threat assessment. Covers ransomware, supply chain, disinformation, state-sponsored threats. Useful counterpoint to US-centric sources.
13 provisions for consumer IoT security. No default passwords, vulnerability disclosure policy, secure update mechanisms. The emerging regulatory baseline for IoT.
EU-operated database of pro-Kremlin disinformation cases and analysis. The reference dataset for pro-Russia narrative tracking, with 17,000+ cataloged cases and weekly trend reports.
EU's annual reports on Foreign Information Manipulation and Interference. Codifies the FIMI taxonomy increasingly used in EU policy discussions.
Data subject rights, lawful bases for processing, DPO requirements, breach notification (72 hours), cross-border transfers. The global privacy benchmark.
Full text of the General Data Protection Regulation. The EU's comprehensive data protection law that applies globally to EU residents' data.
Quantitative risk analysis framework. Provides a model for understanding, analyzing, and quantifying information risk in financial terms.
Specifications for passwordless authentication using public key cryptography. The future of secure authentication.
The push toward passwordless authentication. Questions on how FIDO2/WebAuthn works, passkey lifecycle, and comparison to traditional MFA.
The standardized vulnerability severity scoring system referenced by virtually every vulnerability management program. v3.1 widely deployed; v4.0 introduces threat and environmental refinements.
Forrester originated the Zero Trust concept (John Kindervag, 2010). Their extended model includes workloads, data, networks, devices, people, visibility/analytics, automation/orchestration.
Originating Gartner article that defined CTEM as a five-stage program: scoping, discovery, prioritization, validation, mobilization. The reference for the CTEM acronym and process model.
The original enterprise ZTA implementation case study. Six published papers covering architecture, migration, and lessons learned. Vendor-specific but pioneered the practical approach to zero trust.
The TLS 1.3 specification. Removes legacy cipher suites, adds 0-RTT, mandates forward secrecy. Required reading for any TLS/PKI question.
Indicator hierarchy from hash values (trivial) to TTPs (tough). Foundational concept for detection engineering and threat intelligence questions.
Investigative journalism on cybercrime, breaches, and network security incidents. Good for real-world scenario questions grounded in actual events.
Multi-part standard covering security levels, zones and conduits, component requirements. International standard for industrial cybersecurity.
Annual workforce gap analysis. The "3.4 million shortfall" and similar stats. Good for questions on workforce development, hiring challenges, and security program building.
Peer-reviewed methodology for performing security tests. Provides a scientific approach to security testing with measurable results.
International standard for business continuity management systems. Defines requirements for establishing, implementing, and maintaining a BCMS. Often paired with ISO 27001 for combined audits.
Seven phases from Reconnaissance to Actions on Objectives. Widely adopted but also widely critiqued (assumes a perimeter-centric model). Good for compare/contrast with ATT&CK and the Unified Kill Chain.
Detailed campaign analyses with TTPs mapped to ATT&CK. APT1, APT28/29, UNC groups. Primary source for threat-actor-specific IR questions. Not marketing — these are original threat research.
Annual IR data: dwell time trends, initial access vectors, detection sources. Empirical data from thousands of engagements. One of the few sources for real-world detection/response metrics.
Mandiant's FLARE team publishes capa, FLOSS, and other widely-used reversing tools alongside in-depth malware deep-dive blog posts. The reference for vendor-published reversing primitives.
Business strategy perspective on cyber risk. Useful for questions about communicating security value to executives and boards, and the ROI of security investments.
Open-source threat intelligence platform for sharing, storing, and correlating indicators of compromise and threat data.
Adversary engagement framework. Maps deception and denial operations to ATT&CK adversary behaviors. The defensive complement to ATT&CK for planning deception operations.
Independent evaluations of security products against real-world attack scenarios. Good for questions about detection coverage, visibility gaps, and evaluation methodology.
The two defining supply chain incidents of recent years. CISA's postmortem reports are primary sources for scenario-based questions about detection, response, and prevention.
Expert analysis of how international law applies to cyber operations. Sovereignty, use of force, law of armed conflict in cyberspace. The primary reference for legal/policy questions in cyber warfare.
Foundational capabilities IoT manufacturers should provide: device identification, configuration, data protection, logical access, software update, cybersecurity state awareness. The baseline US regulators cite.
NIST's selected post-quantum cryptographic algorithms: ML-KEM, ML-DSA, and SLH-DSA. The future of cryptography in the quantum era.
Guide for applying the RMF to information systems and organizations. Covers categorization, control selection, implementation, assessment, authorization, and monitoring.
Federal methodology for security assessments: target identification, vulnerability analysis, validation. Underpins both penetration testing and exposure management programs.
Guide to protecting the confidentiality of personally identifiable information. Covers PII identification, impact assessment, and safeguards.
The systems-security-engineering doctrine: lifecycle processes, design principles, and assurance for trustworthy systems. The most rigorous federal reference for security architecture.
Cyber-resiliency engineering framework. Covers deception, diversity, dynamic positioning, and other techniques for systems designed to operate through compromise. The systems-engineering view of active defense.
Practices for identifying, assessing, and mitigating cyber supply chain risks. Covers acquisition, development, and operations.
Cybersecurity Supply Chain Risk Management. Integrates C-SCRM into the RMF. Covers acquisition, supplier assessment, and ongoing monitoring.
Practical guidance on selecting and implementing cryptographic algorithms. Covers symmetric, asymmetric, hashing, and key management.
Standard taxonomy of cybersecurity work roles, tasks, and KSAs. Used for role-based training design and human-risk targeting.
Primitives for IoT: sensor, aggregator, communication channel, eUtility, decision trigger. Framework for thinking about IoT security architectures.
The federal recovery playbook. Covers recovery planning, validation of restored services, post-event improvement. Pairs with the NIST CSF Recover function.
Definitive guide to zero trust architecture. Defines ZTA concepts, deployment models, and implementation approaches for enterprise environments.
Risk assessment methodology: threat sources, vulnerabilities, likelihood, impact. Complements 800-37. Good for questions comparing quantitative vs. qualitative risk assessment.
Comprehensive contingency planning: BIA, recovery strategies, plan testing, training, and maintenance. The reference for RTO/RPO and recovery tier questions.
The 7-step RMF (Prepare, Categorize, Select, Implement, Assess, Authorize, Monitor). Questions should test understanding of step sequencing, roles (AO, ISSO, ISSM), and continuous monitoring vs. point-in-time assessment.
Guidelines on firewalls and firewall policy. Covers types of firewall technologies, deployment architectures, and policy management.
The federal model for awareness program design: needs assessment, scoping, content design, evaluation. The default reference for "what does an awareness program look like."
Four phases: Preparation, Detection & Analysis, Containment/Eradication/Recovery, Post-Incident Activity. The canonical IR reference. Questions should test decision-making within phases, not just naming them.
Comprehensive guidelines for digital identity services. Covers enrollment, authentication, and federation at three assurance levels.
Identity Assurance Levels (IAL), Authenticator Assurance Levels (AAL), and Federation Assurance Levels (FAL). The 2024 revision is significant. Questions on appropriate assurance level selection for different risk scenarios.
Updated terminology from ICS to OT. Covers the Purdue Model, network segmentation, and patching challenges in OT environments. The primary OT security reference.
Guide to integrating forensic techniques into incident response. Covers data collection, examination, analysis, and reporting.
Guide to computer security log management. Covers log generation, storage, analysis, and the role of logs in incident response.
The standard textbook used in most university and SANS courses. Covers static, dynamic, and behavioral analysis with hands-on labs. Cite for any "how do you analyze X" pedagogical question.
Practitioner-oriented cryptography textbook. Covers modern symmetric/asymmetric algorithms, protocols, and implementation pitfalls. Good for applied crypto questions vs. pure theory.
NSA technical guidance on nation-state TTPs, hardening guidance for high-value targets, and joint advisories with CISA/FBI. Useful for advanced cyber-EW and military-adjacent questions.
NSA's open-source software reverse-engineering framework. Disassembler, decompiler, scripting. The free standard for malware analysis training and most public reversing work.
Based on real red/blue team assessments. Includes default configurations, improper privilege separation, and lack of network segmentation. Excellent for practical scenario questions.
Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Intelligence Information (TAXII). The standard for sharing cyber threat intelligence.
High-performance network IDS/IPS and security monitoring engine. Supports multi-threading, protocol identification, and file extraction.
Automated security health checks for open source projects. Checks branch protection, dependency pinning, fuzzing, SAST. Good for practical supply chain assessment questions.
Framework of security requirements for designing, developing, and testing secure web applications. Three verification levels.
Practical methodology for identifying and reducing attack surface in applications. Covers entry points, data flows, and trust boundaries. The application-layer complement to network EASM.
OWASP IoT Top 10 (weak passwords, insecure network services, etc.) plus testing guides. The IoT analog to the OWASP Top 10 for web apps.
MASVS (verification standard) and MASTG (testing guide). The primary mobile security testing reference. L1 and L2 verification levels.
Five business functions (Governance, Design, Implementation, Verification, Operations) for measuring and improving AppSec programs. Good for maturity model questions.
The most widely referenced web application security awareness document. Covers injection, broken auth, XSS, and more.
Open-source detection engineering methodology. Goal, categorization, strategy abstract, technical context, blind spots. Well-regarded community resource despite vendor origin.
Web application security testing tool. Industry standard for manual and automated web vulnerability assessment.
The world's most used penetration testing framework. Provides exploit development, payload generation, and post-exploitation capabilities.
Open-source and dark web intelligence trends. Useful for questions about intelligence sources, collection methods, and the intelligence lifecycle.
Curated Linux distribution preloaded with hundreds of reverse-engineering and malware-analysis tools. Maintained by Lenny Zeltser. The default sandbox VM in most malware-analysis training courses.
Business-driven security architecture framework. Six-layer model (contextual → operational) widely used in enterprise security architecture programs. Vendor-neutral; common in EA practice.
Practitioner-oriented IR methodology. Six steps (Preparation, Identification, Containment, Eradication, Recovery, Lessons Learned). Compare/contrast with NIST for methodology questions.
Practical, defender-focused control framework: ICS Incident Response, Defensible Architecture, ICS Network Visibility, Secure Remote Access, Risk-Based Vulnerability Management. The de-facto starter list.
Five-stage maturity model (Non-Existent → Compliance → Promoting → Long-Term Sustainment → Metrics) widely used to benchmark awareness programs. Practitioner-tested.
Free and open-source Linux distribution for threat hunting, enterprise security monitoring, and log management.
Fast, open-source static analysis tool for finding bugs and enforcing code standards. Supports 30+ languages with custom rules.
Industry-standard tool for external attack surface discovery. Scans the public internet, exposes service banners, supports queries for specific exposures. The reference for EASM tooling questions.
Generic signature format for SIEM detection rules. Platform-agnostic detection logic. Questions on detection rule writing, tuning, and false positive management.
Annual SOC operations survey: alert volumes, MTTD/MTTR, staffing challenges, tool sprawl. Vendor-published but based on broad survey data across SOC teams.
Consumer rights (know, delete, opt-out of sale), CPRA additions (correct, limit sensitive data). Compare/contrast with GDPR for jurisdiction-specific questions.
Annual analysis of open source usage and vulnerability data. Key stats on open source in commercial codebases (typically 70-80%+). Grounds supply chain and AppSec questions in real data.
Long-running international research community focused on honeypots and deception research. Source of many open-source honeypot tools (Cowrie, Conpot for ICS).
Quantitative risk analysis framework. Decomposes risk into Loss Event Frequency and Loss Magnitude. Questions on translating risk into business terms and comparing to qualitative methods.
Free, lightweight tripwire tokens (DNS, AWS keys, Word docs, Kubeconfig). Trivial to deploy, high signal: any access is suspicious by definition. The standard reference for canary-style deception.
Authored by Adam Shostack and other practitioners. Defines values, principles, and patterns for effective threat modeling. The reference for "what is good threat modeling."
Defend forward, persistent engagement, building partner capacity. Context for military cyber operations questions.
Joint doctrine for cyberspace operations: offensive/defensive cyberspace operations, DoDIN ops, command relationships. The U.S. military's authoritative cyber doctrine.
Five top-level principles (establish context, make compromise difficult, make disruption difficult, make compromise detection easier, reduce the impact of compromise) with sub-principles. Concise, vendor-neutral, widely cited in architecture practice.
Annual report with empirical data on flaw prevalence by language, fix rates, and security debt. Useful for data-driven AppSec questions. Vendor-published but based on scan data across thousands of orgs.
Annual analysis of real breach data. The gold standard for empirical questions about attack patterns, threat actor motivations, and time-to-detection. Updated annually.
Rule language for identifying malware families by binary patterns and metadata. Foundational for both detection engineering and malware classification.
Pattern matching tool for malware researchers. Create rules to identify and classify malware based on textual or binary patterns.
Open-source memory forensics framework. Extracts digital artifacts from volatile memory (RAM) dumps.
Annual survey of cyber leaders on resilience, workforce, geopolitics, and emerging tech including AI. Excellent for leadership and strategy questions.
Ready to test what you've learned?
Our questions are built directly from these resources. Take a quiz and see how your knowledge stacks up.