Security Operations
The day to day work of running a security programme. This shelf covers risk scoring frameworks, patch management, the difference between red teaming and pen testing, and how to structure incident response.
About this shelf
Security operations is the day-to-day work of running a programme: prioritising what matters, detecting what gets in, responding when things go wrong, and continuously improving the controls. It is the discipline that ties together attack surface, threat intelligence, vulnerability management, identity, and incident response into something coherent enough to defend an organisation.
Articles in this shelf cover the operational frameworks and practices that show up in real programmes: Continuous Threat Exposure Management (CTEM) as the Gartner-coined evolution of vulnerability management, threat hunting as a proactive complement to alert-driven SOC work, MITRE ATT&CK as the common language for detection engineering and adversary emulation, DevSecOps and shift-left as the integration of security into the development lifecycle, risk scoring approaches that move beyond raw CVSS into business-context prioritisation, and the structure of effective incident response programmes from preparation through lessons-learned.
The bias throughout is toward what actually works in resource-constrained environments. Most organisations are not running a 24x7 SOC with deep specialisation; they are running a small team that has to make sensible tradeoffs about what to monitor, what to automate, what to outsource, and what to accept. The articles are written with that constraint in mind, with explicit notes on where managed services (MDR, MSSP) genuinely add value and where they tend to disappoint.
Articles in this shelf (6 articles)
CTEM Explained
What Continuous Threat Exposure Management actually is, why Gartner introduced it, and how the five-stage cycle differs from traditional vulnerability management.
7 min read · Updated 2026-04-20
DevSecOps and Shift-Left Security
What "shift-left" actually means, the difference between SAST, DAST, SCA and IAST, and the patterns that make a DevSecOps programme work rather than just generating alerts nobody reads.
9 min read · Updated 2026-04-26
Incident Response Basics
How the NIST incident response cycle works in practice, the common mistakes that turn a containable incident into a crisis, and when to bring in external help.
9 min read · Updated 2026-04-26
MITRE ATT&CK Explained
What MITRE ATT&CK is, where it came from, how the matrices and tactics-techniques-procedures structure works, and how security teams actually use it day to day.
8 min read · Updated 2026-04-26
Risk Scoring and Vulnerability Prioritisation
Why CVSS alone is not enough, how EPSS and CISA KEV change the picture, and what a realistic composite scoring approach looks like for vulnerability prioritisation.
8 min read · Updated 2026-04-26
Threat Hunting Basics
What hypothesis-driven threat hunting actually is, how the hunting cycle works, and how to tell real hunting apart from "looking at SIEM alerts and calling it hunting".
8 min read · Updated 2026-04-26