
Security Operations Glossary

Definitions of key security operations terms — from foundational concepts like SOAR and EDR to capabilities D3 Security developed, including Attack Path Discovery, Self-Healing Integrations, and Autonomous SOC. Written by D3 Security’s team of 60 cybersecurity specialists. Each definition is written to stand alone and be directly cited.



A (8 terms)

Agentic SOC

A security operations center model in which multiple specialized AI agents coordinate autonomously through agent-to-agent protocols or shared memory stores to investigate security alerts and execute responses.

Agentic SOC architectures distribute investigation tasks across specialized AI agents — one for enrichment, another for correlation, another for response. Each agent operates independently and hands results to the next through inter-agent messaging or a shared context store. The model aims to parallelize SOC work the way microservices parallelize software.

The approach introduces structural failure modes that single-model architectures avoid: coordination latency from inter-agent handoffs, context fragmentation during summarization, hallucination propagation from upstream errors, API drift affecting individual agent integrations, and fragmented audit trails across multiple logs.

D3 Security’s Morpheus AI uses a Unified Intelligence Model — a single purpose-built cybersecurity LLM that handles investigation end-to-end without agent-to-agent handoffs, eliminating coordination overhead and context loss.

Also see Autonomous SOC · AI Alert Triage · Autonomous Triage

AI Adaptive Tasking

AI Adaptive Tasking is an AI-driven SOC capability that uses a purpose-built cybersecurity large language model (LLM) to suggest investigative tasks in real time. AI Adaptive Tasking proactively recommends the next logical investigative step based on incoming alert data, analyst feedback, and the results of previously completed tasks.

When an alert enters the SOC, the cybersecurity triage LLM analyzes the alert context, correlated evidence from Attack Path Discovery, and the organization’s historical response patterns. AI Adaptive Tasking then surfaces specific recommended actions: querying a particular endpoint, checking lateral movement indicators, enriching an IP address, or escalating to a senior analyst with a pre-built evidence package.

Each recommendation is grounded in the full investigation context, specific to the active incident. The analyst reviews, approves, modifies, or rejects each suggestion. Every interaction generates quality data that improves future recommendations.


AI Alert Triage

AI alert triage uses a purpose-trained cybersecurity AI to investigate every SIEM alert autonomously — collecting context, correlating across tools, and delivering a verdict in under 2 minutes. It reduces escalated alert volume by 70–90% without suppressing detections or replacing your SIEM.

AI alert triage investigates every alert by collecting enrichment data from across the security stack, correlating related events, and producing a disposition with supporting evidence. Unlike SIEM rule tuning, which suppresses alerts to reduce volume, AI triage maintains full detection coverage while reducing the alerts that reach analysts.

D3 Security’s Morpheus AI performs AI alert triage as an investigation layer beside the SIEM — no log migration, no detection rule rewrite, 2–4 weeks to production.

Also see Autonomous Triage · Alert Fatigue · Autonomous SOC · Self-Healing Integrations

Alert Fatigue

Alert fatigue is the desensitisation of security analysts to security alerts caused by high volumes of false positives and low-priority notifications — leading to slower investigation times, missed genuine threats, and analyst burnout.

Alert fatigue is one of the most pervasive problems in security operations. The typical enterprise SOC receives tens of thousands of alerts per day, the majority of which are false positives or low-severity events requiring no action.

Industry data shows 70% of SOC analysts with under five years of experience leave within three years — the primary reason cited is the manual triage grind. Autonomous investigation platforms address alert fatigue structurally by eliminating manual triage entirely.

Also see False Positive · Autonomous Triage · L1 Investigation

Attack Path Discovery (D3 Security)

Attack Path Discovery is an AI-driven security investigation methodology that traces the complete sequence of an attack — from initial access through lateral movement, privilege escalation, and objective completion — across an organisation’s entire security stack. — D3 Security, 2026.

Rather than examining each security alert in isolation, Attack Path Discovery maps how threats propagate horizontally across tools (lateral movement) and vertically through time (privilege escalation, persistence). The output is a complete attack narrative — not a single alert verdict.

Traditional SOAR and L1 triage tools classify alerts. Attack Path Discovery investigates them. The distinction determines whether a SOC understands what is actually happening in its environment — or only what triggered the latest rule.

Morpheus performs L2-depth Attack Path Discovery on every alert in under two minutes.

Also see Autonomous SOC · Horizontal Hunting · Vertical Hunting · L2 Investigation · Blast Radius (d3security.com/morpheus/investigation/)

API Drift

API drift occurs when vendor endpoints change, return different response formats, or modify authentication requirements — requiring integration updates that are typically discovered only after data collection has silently stopped.

Enterprise security teams typically integrate 50+ tools, each updating 4–6 times annually. That creates 200–300 potential API drift events per year — an integration disruption approximately every six weeks.

Morpheus Self-Healing Integrations detect API drift within minutes and generate corrective integration code autonomously, reducing resolution from 7–14 days to 45 minutes.

Also see Integration Drift · Schema Drift · Self-Healing Integrations

Autonomous SOC (Autonomous Security Operations Centre) (D3 Security)

An Autonomous SOC is a security operations model in which an AI platform performs the full L1 and L2 investigation and triage workload autonomously — freeing human analysts to focus exclusively on L3 work requiring human judgment, strategic response, and complex decision-making. — D3 Security, 2026.

The Autonomous SOC represents a fundamental shift from process automation (SOAR) to threat understanding. Rather than encoding human knowledge into static playbooks, an Autonomous SOC uses a purpose-built cybersecurity AI to reason about threats, correlate signals across tools, generate contextual responses dynamically, and maintain its own integrations.

Key characteristics: 100% alert coverage with no sampling, L2-depth investigation on every alert, runtime playbook generation, and self-healing integrations.

D3 Morpheus is the first production-grade Autonomous SOC platform.

Also see Attack Path Discovery · Self-Healing Integrations · Contextual Playbook Generation · SOAR (d3security.com/whats-an-autonomous-soc/)

Autonomous Triage (D3 Security)

Autonomous triage is the automated classification, enrichment, prioritisation, and investigation of security alerts without human analyst intervention — performed by an AI system that assesses each alert in full context and delivers a structured verdict and recommended response. — D3 Security, 2026.

Autonomous triage goes beyond automated enrichment: it applies AI reasoning to determine not just whether an alert is real, but why it is real, how the attack is progressing, and what should be done about it.

Morpheus autonomously triages 95% of alerts in under two minutes — with full L2-depth attack path context included in the output.

Also see L1 Investigation · L2 Investigation · Attack Path Discovery · Alert Fatigue


B (1 term)

Blast Radius

Blast radius is the scope of potential damage from a security incident — the full set of systems, accounts, data, and business processes that an attacker could reach or has already compromised from their current position in the environment.

Assessing blast radius requires understanding lateral movement potential: which systems trust the compromised account, which data stores are accessible, and how far an attacker could propagate if not contained.

Morpheus performs automated blast radius assessment as part of every Attack Path Discovery investigation, giving analysts a complete scope picture before they touch the alert.

Also see Attack Path Discovery · Lateral Movement · Containment


C (2 terms)

Contextual Playbook Generation (D3 Security)

Contextual Playbook Generation is the automated creation of a bespoke incident response playbook at runtime, tailored to the specific alert context, tool stack, and SOC environment — without requiring pre-authored templates or static workflows. — D3 Security, 2026.

Traditional SOAR platforms require security engineers to manually author, test, and maintain playbooks for each alert category. Contextual Playbook Generation eliminates this lifecycle.

Because the AI understands the specific alert, the specific threat, and the specific environment, it generates the appropriate response steps at the moment they are needed — not in advance. This means Morpheus can respond effectively to attack types it has never explicitly been programmed to handle.

Also see Runtime Playbook Generation · SOAR · Autonomous SOC (d3security.com/morpheus/remediation/)

Connector

A connector is a software component that enables data exchange between two security tools by translating API calls, mapping data fields, and handling authentication between platforms.

Connectors are the glue of the security stack — every SOAR playbook, every SIEM integration, every threat intelligence feed depends on connectors working correctly. A mature SOC managing 50+ tools maintains at least 50 connectors, each a potential failure point when vendors update their APIs.

Also see Integration Drift · Self-Healing Integrations · SOAR


D (2 terms)

Dwell Time

Dwell time is the period between an attacker’s initial access to an environment and the detection of that intrusion by the defending organisation.

Extended dwell time is one of the most significant contributors to breach severity. The longer an attacker operates undetected, the more lateral movement, privilege escalation, and data exfiltration they can accomplish.

Autonomous investigation platforms like Morpheus reduce dwell time by ensuring every alert is fully investigated immediately — not queued behind analyst capacity constraints.

Also see Mean Time to Respond (MTTR) · Attack Path Discovery · Lateral Movement

DORA Compliance

Compliance with the Digital Operational Resilience Act (Regulation 2022/2554), an EU regulation requiring financial institutions to report critical ICT incidents to national financial authorities within 4 hours and establish comprehensive ICT risk management frameworks.

DORA mandates a three-phase incident reporting structure: initial notification within 4 hours, intermediate report within 72 hours with root cause analysis, and a final report within 30 days with complete timeline and remediation status.

The average EU financial institution receives 4,484 security alerts daily. Manual investigation workflows consume 75–135 minutes per incident before classification — making the 4-hour reporting window structurally unachievable without autonomous investigation.

Also see Autonomous SOC · Autonomous Triage · Self-Healing Integrations


E (1 term)

EDR (Endpoint Detection and Response)

EDR is a security technology category that monitors endpoint devices — workstations, servers, and mobile devices — for suspicious activity and provides capabilities to detect, investigate, and respond to threats at the endpoint level.

EDR platforms like CrowdStrike Falcon, Microsoft Defender for Endpoint, and SentinelOne generate high volumes of endpoint telemetry.

An autonomous SOC platform like Morpheus ingests EDR alerts and correlates them horizontally across SIEM, identity, cloud, and email telemetry to trace complete attack paths — going beyond what any single EDR tool can provide on its own.

Also see XDR · SIEM · Attack Path Discovery


F (1 term)

False Positive

A false positive in security operations is an alert that indicates a threat where none exists — a benign activity incorrectly flagged as malicious by detection rules, ML models, or signature-based systems.

False positives are the primary driver of alert fatigue. Industry estimates place the false positive rate in typical SOC environments at 70–99% depending on the detection tooling.

Autonomous investigation platforms address false positives structurally by performing full contextual investigation before escalating to analysts — ensuring that when a human reviews an alert, it has already been validated. D3 Security customers report reducing false positive noise by up to 99% following Morpheus deployment.

Also see Alert Fatigue · Autonomous Triage · L1 Investigation


H (1 term)

Horizontal Hunting (D3 Security)

Horizontal hunting is an investigation technique that tracks adversary lateral movement across systems and tools — following a threat actor’s path through the network from one compromised asset to the next. — D3 Security, Attack Path Discovery Whitepaper, 2026.

Horizontal hunting follows threats East-West: across identity systems, cloud environments, email, endpoint, network, and data stores. It answers “where has the attacker moved?” rather than “what happened on this one system?”

Morpheus’s Attack Path Discovery operationalises horizontal hunting automatically on every alert, correlating signals across every integrated tool to map lateral movement without manual analyst effort.

Also see Vertical Hunting · Attack Path Discovery · Lateral Movement


I (2 terms)

Integration Drift

Integration drift occurs when third-party security tool updates break existing integrations with other platforms, causing loss of visibility and detection capability.

Integration drift is the operational cost of a fragmented security ecosystem where 50+ vendors release 4–6 updates annually, each one a potential breaking change. In a typical security environment, drift happens roughly every 6 weeks, creating detection gaps that last 7–14 days while engineering teams manually repair broken connectors.

Also see API Drift · Schema Drift · Vendor Drift · Self-Healing Integrations

Integration Failure

An integration failure is the complete or partial breakdown of data exchange between connected security tools, resulting in lost visibility, missed detections, or failed automated responses.

Unlike integration drift — which represents gradual degradation — integration failure is an acute event: the connector stops working, data flow ceases, and automations halt. Common causes include API changes, expired authentication credentials, rate limiting, and vendor outages.

Also see Integration Drift · Connector · Self-Healing Integrations


L (2 terms)

L1 Investigation (Tier 1 SOC)

L1 investigation refers to the first tier of security operations work: alert classification, initial enrichment, severity scoring, and triage — determining whether an alert is a true positive or false positive and routing it appropriately.

L1 work is high-volume, repetitive, and well-suited to automation. Traditional L1 analysts spend the majority of their time on this work — often without the context or tools to conduct deeper investigation.

AI SOC platforms that automate L1 triage free human analysts to focus on L3 work: complex incident response, threat hunting, and strategic security improvements. Morpheus handles the full L1 and L2 workload autonomously, so human analysts enter at L3.

Also see L2 Investigation · Autonomous Triage · Alert Fatigue

L2 Investigation (Tier 2 SOC)

An L2 investigation is a security analysis that traces the full context of an alert — root cause, attack path, lateral movement, blast radius, and recommended response — as opposed to L1 triage, which classifies an alert without tracing the underlying attack chain.

The distinction between L1 triage and L2 investigation is one of the most important concepts in modern security operations. L1 work classifies alerts and determines whether they are real. L2 work investigates what actually happened, how far the attacker has moved, and what needs to be done.

Traditionally, L2 investigation requires experienced human analysts — creating a bottleneck that leaves most alerts triaged at L1 depth or not at all. Morpheus performs L2-depth investigation autonomously on every alert in under two minutes.

Also see L1 Investigation · Attack Path Discovery · Autonomous SOC


M (3 terms)

Mean Time to Respond (MTTR)

Mean Time to Respond (MTTR) is the average time between the initial detection of a security incident and the completion of the response actions required to contain or remediate it.

MTTR is the primary metric by which SOC effectiveness is measured. The primary drivers of high MTTR are alert queue backlogs, investigation time per alert, and playbook execution delays.

Autonomous SOC platforms reduce MTTR by eliminating investigation queue time and delivering pre-populated investigation results before analysts touch the alert. D3 Security customers report MTTR reductions of 95% following Morpheus deployment.

Also see Dwell Time · Autonomous Triage · Alert Fatigue

MITRE ATT&CK

MITRE ATT&CK is a globally recognised knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world threat actor behaviour, maintained by the MITRE Corporation and used as a foundation for threat detection, investigation, and response.

ATT&CK categorises adversary behaviour into tactics (the goal: Initial Access, Lateral Movement, Exfiltration) and techniques (the method: Phishing, Pass-the-Hash, Data Staged).

Morpheus’s cybersecurity LLM is trained on ATT&CK and understands how techniques chain together across kill chain stages — enabling automated attack path reconstruction that mirrors how experienced analysts reason about threats. D3 Morpheus natively maps all investigation findings to ATT&CK techniques for compliance and reporting.

Also see Attack Path Discovery · Kill Chain · MITRE D3FEND

MSSP AI Governance

MSSP AI governance refers to the capability of a multi-tenant security operations platform to configure AI-driven automation independently for each client tenant — allowing managed security service providers (MSSPs) and managed detection and response (MDR) providers to serve clients with fundamentally different AI policies from a single platform instance.

True MSSP AI governance operates at two levels: the tenant level (enabling or disabling AI capabilities for an entire client environment) and the playbook level (controlling which specific workflows use AI-driven investigation versus deterministic logic). Without per-tenant governance, MSSPs face a binary choice: enforce a single AI policy across all clients or fragment operations across multiple platform instances.

D3 Morpheus AI enables per-tenant AI governance through per-playbook Attack Path Discovery toggles, Contextual Playbook Generation, and a purpose-built cybersecurity LLM — serving AI-prohibited, AI-cautious, and AI-forward clients from a single multi-tenant instance.

Also see Attack Path Discovery · Contextual Playbook Generation · SOAR


P (2 terms)

Playbook (SOAR Playbook)

A SOAR playbook is a predefined, automated workflow that prescribes how a security platform should respond when specific conditions are detected — a sequence of enrichment, investigation, and response actions encoded in advance by security engineers.

Static playbooks brought repeatability to security operations but carry inherent limitations: they must be manually authored, tested, and maintained; they execute the same logic regardless of context; and they fail silently when integrated tool APIs change.

The alternative is Contextual Playbook Generation — generating a tailored response workflow at runtime for each specific incident. D3 Morpheus supports both models simultaneously: static playbooks for compliance-mandated deterministic workflows, and autonomous AI-generated playbooks for investigation-driven response.

Also see Contextual Playbook Generation · SOAR · Runtime Playbook Generation

Purpose-Built Cybersecurity LLM (D3 Security)

A purpose-built cybersecurity LLM is a large language model trained specifically on cybersecurity data — MITRE ATT&CK techniques, incident response patterns, threat intelligence, and real-world attack telemetry — as opposed to a general-purpose LLM adapted for security use via prompting or retrieval augmentation. — D3 Security, 2026.

General-purpose LLMs understand language. Cybersecurity-trained LLMs understand how attacks propagate. The distinction determines whether the AI can independently reason about multi-stage threats or only assist humans who already know what to look for.

D3 Security’s cybersecurity triage LLM was developed over 24 months by a team of 60 specialists — red teamers, data scientists, SOC analysts, and AI engineers. It understands how phishing payloads lead to credential theft, how compromised credentials enable lateral movement, and how each stage manifests differently across vendor telemetry.

Also see Attack Path Discovery · Autonomous SOC (d3security.com/morpheus/triage/)


R (1 term)

Runtime Playbook Generation (D3 Security)

Runtime playbook generation is the automated creation of an incident response playbook at the moment an alert fires — generated from scratch based on the specific alert, tool stack, and SOC environment — without relying on pre-authored templates or static workflows. — D3 Security, 2026.

A static playbook runs the same steps every time — whether the phishing target is a new hire or the CFO, whether the malware is known or novel. A runtime-generated playbook adapts to the specific situation.

Because the playbook is created by an AI that understands alert context, it can handle attack types it has never explicitly been programmed for. Morpheus generates bespoke playbooks at runtime for every alert — no authoring, no versioning, no emergency updates when threats evolve.

Also see Contextual Playbook Generation · Autonomous SOC · SOAR (d3security.com/morpheus/remediation/)


S (5 terms)

Schema Drift

Schema drift refers to changes in API data structures — including authentication schemas, field names, and data types — that break integrations expecting the old schema.

When vendors release API updates with new response formats, field renames, or nested object restructuring, parsers built for the old schema discard data as malformed. Schema drift is a subset of API drift, focused specifically on structural data changes rather than endpoint or authentication modifications.

Morpheus Self-Healing Integrations detect schema drift in real time and regenerate connector code to match the new data contract — without manual intervention.

Also see API Drift · Integration Drift · Self-Healing Integrations

Self-Healing Integrations (D3 Security)

Self-healing integrations are security platform connectors that automatically detect API drift, schema changes, and authentication failures — and generate corrective code to restore connectivity without human intervention, eliminating the silent failures common in traditional SOAR deployments. — D3 Security, 2026.

When a vendor pushes an API update, traditional SOAR integrations fail silently — alerts stop flowing and the break is typically discovered hours or days later. SOC engineering teams spend an estimated 20–40% of their time on integration maintenance.

Morpheus Self-Healing Integrations detect schema drift within minutes, generate corrective integration code autonomously, and restore connectivity before investigations are affected — maintaining near-zero visibility gap duration across all 800+ integrated tools.

Also see API Drift · SOAR · Autonomous SOC (d3security.com/morpheus/self-healing-integrations/)
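The failure modes described under Integration Failure and Schema Drift, and the detect-and-remap step that Self-Healing Integrations automate, as an added example that is not D3 Security's code: it classifies acute failures from the HTTP status, then diffs a vendor record against the connector's field contract so drift is reported and re-mapped instead of the record being discarded as malformed. The contract, the two vendor records, the status codes and the rename heuristic are constructed assumptions.

```python
"""Connector health check: classify acute integration failures and detect
schema drift in a vendor API response instead of silently dropping records.

Added example, not D3 Security's Self-Healing Integrations. The expected
schema contract, the two vendor records and the status codes are constructed
for illustration; the rename heuristic is a deliberately simple stand-in for
regenerating a connector's field mapping.
"""
from typing import Any, Dict, List

# Field contract the connector's parser was written against: name -> JSON type
EXPECTED_SCHEMA: Dict[str, type] = {
    "alert_id": str,
    "severity": int,
    "hostname": str,
    "detected_at": str,
    "indicators": list,
}

# Constructed records: one matching the contract, one after a vendor update
# that renamed two fields, changed severity to a string and added a field.
OLD_RECORD = {"alert_id": "a-1", "severity": 3, "hostname": "WS-17",
              "detected_at": "2026-03-02T09:06:00Z", "indicators": ["proc:unsigned.exe"]}
NEW_RECORD = {"alert_id": "a-2", "severity": "high", "host_name": "FS-02",
              "detectedAt": "2026-03-02T09:22:00Z", "indicators": [], "tenant": "corp"}


def classify_status(status: int) -> str:
    """Acute failure categories from the HTTP outcome, checked before parsing."""
    if status in (401, 403):
        return "auth_failure"        # expired or revoked credentials
    if status == 429:
        return "rate_limited"
    if status == 404:
        return "endpoint_changed"    # route removed or moved by the vendor
    if 500 <= status < 600:
        return "vendor_outage"
    return "ok"


def diff_schema(expected: Dict[str, type], record: Dict[str, Any]) -> Dict[str, Any]:
    """Report missing fields, new fields and type changes against the contract."""
    missing = sorted(set(expected) - set(record))
    added = sorted(set(record) - set(expected))
    retyped = {k: type(record[k]).__name__ for k in expected
               if k in record and not isinstance(record[k], expected[k])}
    return {"missing": missing, "added": added, "retyped": retyped}


def _norm(name: str) -> str:
    """Normalise a field name so snake_case and camelCase variants compare equal."""
    return "".join(ch for ch in name.lower() if ch.isalnum())


def guess_renames(missing: List[str], added: List[str]) -> Dict[str, str]:
    """Pair each missing field with an added one whose normalised name matches
    (hostname/host_name, detected_at/detectedAt). Each added field is used once."""
    renames: Dict[str, str] = {}
    free = list(added)
    for old in missing:
        for new in free:
            if _norm(old) == _norm(new):
                renames[old] = new
                free.remove(new)
                break
    return renames


def adapt_record(record: Dict[str, Any], renames: Dict[str, str]) -> Dict[str, Any]:
    """Rewrite a drifted record back to the contract's field names so the
    existing parser keeps receiving data while the type change is reviewed."""
    inverse = {new: old for old, new in renames.items()}
    return {inverse.get(k, k): v for k, v in record.items()}


def check_connector(status: int, records: List[Dict[str, Any]]) -> Dict[str, Any]:
    """One health verdict per poll: acute failure, schema drift or healthy.
    Added-only fields are not drift: the old parser still gets what it needs."""
    state = classify_status(status)
    if state != "ok":
        return {"state": state, "drift": None, "renames": {}, "unresolved": []}
    for rec in records:
        drift = diff_schema(EXPECTED_SCHEMA, rec)
        if drift["missing"] or drift["retyped"]:
            renames = guess_renames(drift["missing"], drift["added"])
            unresolved = [f for f in drift["missing"] if f not in renames]
            return {"state": "schema_drift", "drift": drift,
                    "renames": renames, "unresolved": unresolved}
    return {"state": "healthy", "drift": None, "renames": {}, "unresolved": []}
```

A type change such as `severity` becoming a string is reported but not auto-coerced, since guessing a mapping would reintroduce the silent-corruption problem the check exists to prevent.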

SOAR (Security Orchestration, Automation and Response)

SOAR is a security platform category that orchestrates actions across security tools, automates repetitive response tasks through predefined playbooks, and manages security incidents through integrated case management — coined by Gartner in the mid-2010s to describe platforms including D3 Security.

SOAR platforms delivered significant value by standardising incident response and automating repeatable tasks. However, static playbooks have structural limits: they require specialist architects to build and maintain, they cannot adapt to novel threats in real time, and they fail silently when integrated tool APIs change.

The Autonomous SOC category — led by D3 Morpheus — represents the next evolution: AI-driven investigation and runtime playbook generation that eliminates the SOAR architect dependency while preserving deterministic playbook capabilities for compliance use cases.

Also see Autonomous SOC · Runtime Playbook Generation · Self-Healing Integrations (d3security.com/legacy-soar-migration-program/)

SOAR Ceiling

The SOAR ceiling is the architectural limit at which Security Orchestration, Automation, and Response platforms stop scaling — the point where static playbooks, hardcoded connectors, and manual maintenance requirements cap the operational capacity of a SOAR deployment.

Every SOAR deployment eventually hits the ceiling: playbook libraries that grow faster than engineering teams can maintain them, integration breakages that consume 20–40% of SOC engineering time, and alert volumes that outpace the static logic encoded in playbooks.

The Autonomous SOC model addresses the SOAR ceiling by replacing static automation with AI-driven investigation — runtime playbook generation, self-healing integrations, and autonomous triage that scale with alert volume instead of against it.

Also see SOAR · Autonomous SOC · Self-Healing Integrations · Contextual Playbook Generation

SOC Consolidation

SOC consolidation is the strategic process of reducing the number of security tools, vendors, and product categories within a Security Operations Center (SOC) to eliminate architectural complexity, reduce integration maintenance overhead, and improve alert investigation outcomes.

Unlike simple vendor reduction (which focuses on cutting license costs), true SOC consolidation replaces fragmented product categories with unified platforms that remove structural dependencies such as static playbooks, SOAR architect bottlenecks, and manual integration engineering.

The average SOC manages 83 tools from nearly 30 vendors. This tool sprawl creates measurable operational failures: 67% of daily alerts go uninvestigated, integrations break silently hundreds of times per year, and 71% of analysts report burnout from manual correlation across disconnected systems.



T (1 term)

Triage Slop (D3 Security)

Triage slop is low-quality, AI-generated alert classifications, investigation summaries, and response recommendations produced by security operations tools that lack domain-specific intelligence — output that appears professional and confident but lacks the contextual depth, cross-stack correlation, and domain accuracy required for reliable security operations. — D3 Security, 2026.

The term draws a direct parallel to AI coding slop — the widely documented phenomenon of low-quality, AI-generated software code that introduced measurable increases in security vulnerabilities, logic errors, and maintenance burden across the software industry.

The defining characteristic of triage slop: it looks correct to an inexperienced reviewer but fails under scrutiny. A purpose-built cybersecurity LLM trained on MITRE ATT&CK, real-world attack telemetry, and incident response patterns eliminates triage slop by reasoning about threats rather than pattern-matching against generic language data.

Also see Autonomous Triage · Alert Fatigue · False Positive · Purpose-Built Cybersecurity LLM


U (1 term)

Unified Intelligence Model

A security operations architecture in which a single purpose-built cybersecurity LLM performs the complete autonomous investigation of every security alert, from alert ingestion through response recommendation. It correlates all relevant telemetry from all integrated tools simultaneously in one unified context window, without inter-agent handoffs, context fragmentation, or coordination overhead, and produces a single contiguous reasoning chain and a bespoke response playbook per investigation. Self-Healing Integrations maintain operational integrity across the connected tool ecosystem autonomously.

The term was introduced by D3 Security in its 2026 whitepaper series The Agentic SOC Debate to give security leaders precise vocabulary for evaluating AI SOC architectures. When “agentic SOC” becomes the dominant buying vocabulary, buyers default to evaluating multi-agent architectures, even when those architectures introduce structural failure modes that a unified intelligence approach eliminates by design. The UIM is a named concept with a formal definition and testable properties, creating a verification framework that buyers can use in any vendor evaluation.

A platform claiming to implement the UIM must demonstrate all four pillars in a production environment. The absence of any one means the platform is a multi-agent or AI-augmented architecture with UIM marketing, lacking UIM implementation authenticity.



V (2 terms)

Vendor Drift

Vendor drift is the cumulative effect of uncoordinated platform updates across the security tool ecosystem, where each vendor independently modifies APIs, schemas, and authentication methods without regard for downstream integration dependencies.

A SOC managing 50+ tools experiences vendor drift as a compounding problem: each tool updates 4–6 times per year, each update may affect API endpoints, response schemas, or authentication flows, and the integration team must detect, diagnose, and fix each change before data loss occurs.

Self-healing integrations address vendor drift structurally by monitoring all connected tools for changes and regenerating connector code automatically — maintaining integration health across the entire security stack without manual engineering effort.

Also see API Drift · Schema Drift · Integration Drift · Self-Healing Integrations

Vertical Hunting (D3 Security)

Vertical hunting is an investigation technique that traces adversary activity within a single system — following privilege escalation chains, persistence mechanisms, process injection, and credential harvesting from initial access to objective completion on a single host. — D3 Security, Attack Path Discovery Whitepaper, 2026.

Vertical hunting answers “what happened on this system?” — diving North-South into a single asset’s telemetry to trace the full timeline of adversary activity.

Combined with horizontal hunting (lateral movement across systems), vertical and horizontal analysis together constitute complete Attack Path Discovery. Morpheus performs both dimensions simultaneously on every alert, constructing a multi-stage attack narrative without requiring manual analyst effort.

Also see Horizontal Hunting · Attack Path Discovery · Privilege Escalation
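The two dimensions described under Attack Path Discovery, Horizontal Hunting and Vertical Hunting, as an added example that is not D3 Security's code: alerts from several tools are joined on shared users and hosts (East-West), then read per host in time order (North-South), and an unrelated alert stays out of the path. The alerts, tool names and field layout are constructed assumptions; the technique ids are MITRE ATT&CK ids as a detection tool would report them.

```python
"""Reconstruct an attack path from alerts raised by several security tools.

Added example, not D3 Security's Attack Path Discovery code. The alerts, tool
names and field layout are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Alert:
    ts: datetime                    # when the source tool observed the event
    tool: str                       # originating tool: email, edr, idp, dlp
    host: Optional[str]             # asset the event occurred on, if any
    user: Optional[str]             # identity involved, if any
    technique: str                  # ATT&CK technique id reported by the tool
    summary: str
    src_host: Optional[str] = None  # origin host for remote logons

    def entities(self) -> Set[Tuple[str, str]]:
        """Pivot keys: every user and host named in the alert."""
        ents: Set[Tuple[str, str]] = set()
        if self.user:
            ents.add(("user", self.user))
        for h in (self.host, self.src_host):
            if h:
                ents.add(("host", h))
        return ents


def at(hour: int, minute: int) -> datetime:
    return datetime(2026, 3, 2, hour, minute)


# Constructed sample: phishing -> credential dump -> remote logon -> persistence
# -> exfiltration, plus one unrelated alert that must not join the path.
SAMPLE_ALERTS: List[Alert] = [
    Alert(at(9, 1), "email", None, "jdoe", "T1566", "phishing attachment delivered"),
    Alert(at(9, 4), "edr", "WS-17", "jdoe", "T1204", "macro document spawned a shell"),
    Alert(at(9, 6), "edr", "WS-17", "jdoe", "T1003", "LSASS memory read by unsigned process"),
    Alert(at(9, 10), "edr", "WS-03", "amart", "T1059", "helpdesk admin script executed"),
    Alert(at(9, 20), "idp", "FS-02", "jdoe", "T1021", "SMB logon to FS-02", src_host="WS-17"),
    Alert(at(9, 22), "edr", "FS-02", "jdoe", "T1053", "scheduled task created"),
    Alert(at(9, 30), "dlp", "FS-02", "jdoe", "T1048", "large outbound transfer over DNS"),
]


def related_alerts(alerts: List[Alert], seed: Alert) -> List[Alert]:
    """Horizontal correlation: the connected component of alerts that share a
    user or host with `seed`, directly or transitively, in time order."""
    by_entity: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for i, a in enumerate(alerts):
        for ent in a.entities():
            by_entity[ent].add(i)
    start = alerts.index(seed)
    seen, frontier = {start}, [start]
    while frontier:
        i = frontier.pop()
        for ent in alerts[i].entities():
            for j in by_entity[ent] - seen:
                seen.add(j)
                frontier.append(j)
    return sorted((alerts[i] for i in seen), key=lambda a: a.ts)


def vertical_timeline(path: List[Alert]) -> Dict[str, List[str]]:
    """North-South view: the ordered technique chain observed on each host."""
    per_host: Dict[str, List[str]] = defaultdict(list)
    for a in path:
        if a.host:
            per_host[a.host].append(a.technique)
    return dict(per_host)


def horizontal_pivots(path: List[Alert]) -> List[Tuple[str, str, str]]:
    """East-West view: (from_host, to_host, user) moves, taken from explicit
    src->dst logon alerts or from a user turning up on a new host."""
    pivots: List[Tuple[str, str, str]] = []
    last_host: Dict[str, str] = {}
    for a in path:
        if not (a.user and a.host):
            continue
        origin = a.src_host or last_host.get(a.user)
        if origin and origin != a.host:
            pivots.append((origin, a.host, a.user))
        last_host[a.user] = a.host
    return pivots


def narrative(path: List[Alert]) -> List[str]:
    """One line per step of the attack path, for an analyst or a report."""
    return [f"{a.ts:%H:%M} [{a.tool}] host={a.host or '-'} user={a.user or '-'} "
            f"{a.technique}: {a.summary}" for a in path]
```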


X (1 term)

XDR (Extended Detection and Response)

XDR is a security platform category that unifies threat detection and response across multiple security layers — endpoint, network, identity, email, and cloud — providing correlated visibility and automated response across the full environment.

XDR evolved from EDR to address the limitation of point-solution visibility: attackers move across security boundaries, and tools that only see one domain miss multi-stage attacks.

An Autonomous SOC platform like Morpheus extends XDR-style correlation across all 800+ integrated tools — regardless of vendor — performing full attack path investigation across the complete security stack rather than within a proprietary ecosystem.

Also see EDR · SIEM · Attack Path Discovery · Autonomous SOC