From 7ab190c4d51fdea7ce681b35910067fd90a26f91 Mon Sep 17 00:00:00 2001 
From: DJBsec <77978186+DJBsec@users.noreply.github.com> Date: Thu, 12 Mar 2026 21:53:05 -0500 Subject: [PATCH] new updates Change up the Cyber Explained sections and added new items --- _explained/1_project.md | 2 + _explained/antivirus-edr.md | 30 ++ _explained/attack-surface.md | 30 ++ _explained/backups.md | 38 ++ _explained/business-email-compromise.md | 30 ++ _explained/cia-triad.md | 30 ++ _explained/credential-stuffing.md | 30 ++ _explained/cve-cvss.md | 30 ++ _explained/dark-web-monitoring.md | 30 ++ _explained/deepfakes.md | 30 ++ _explained/emailspoofing.md | 2 + _explained/encryption.md | 33 ++ _explained/epss.md | 34 ++ _explained/firewalls.md | 2 + _explained/incident-response.md | 34 ++ _explained/insider-threats.md | 30 ++ _explained/least-privilege.md | 34 ++ _explained/malware.md | 30 ++ _explained/man-in-the-middle.md | 30 ++ _explained/mfa-apps.md | 30 ++ _explained/network-segmentation.md | 34 ++ _explained/osint.md | 30 ++ _explained/password-managers.md | 34 ++ _explained/patch-management.md | 34 ++ _explained/ransomware.md | 2 + _explained/red-blue-team.md | 30 ++ _explained/social-engineering.md | 2 + _explained/strong-passwords.md | 2 + _explained/supply-chain-attacks.md | 30 ++ _explained/two-factor-authentication.md | 2 + _explained/vpn.md | 2 + _explained/zero-trust.md | 2 + _includes/header.liquid | 6 +- _layouts/page.liquid | 6 + _pages/explained.md | 181 ++++++--- _sass/_layout.scss | 264 +++++++++++++ preview-explained.html | 474 ++++++++++++++++++++++++ 37 files changed, 1621 insertions(+), 53 deletions(-) create mode 100644 _explained/antivirus-edr.md create mode 100644 _explained/attack-surface.md create mode 100644 _explained/backups.md create mode 100644 _explained/business-email-compromise.md create mode 100644 _explained/cia-triad.md create mode 100644 _explained/credential-stuffing.md create mode 100644 _explained/cve-cvss.md create mode 100644 _explained/dark-web-monitoring.md create mode 100644 _explained/deepfakes.md 
create mode 100644 _explained/encryption.md create mode 100644 _explained/epss.md create mode 100644 _explained/incident-response.md create mode 100644 _explained/insider-threats.md create mode 100644 _explained/least-privilege.md create mode 100644 _explained/malware.md create mode 100644 _explained/man-in-the-middle.md create mode 100644 _explained/mfa-apps.md create mode 100644 _explained/network-segmentation.md create mode 100644 _explained/osint.md create mode 100644 _explained/password-managers.md create mode 100644 _explained/patch-management.md create mode 100644 _explained/red-blue-team.md create mode 100644 _explained/supply-chain-attacks.md create mode 100644 preview-explained.html diff --git a/_explained/1_project.md b/_explained/1_project.md index 29094fdf..b459b869 100644 --- a/_explained/1_project.md +++ b/_explained/1_project.md @@ -5,6 +5,8 @@ description: what is phishing? img: assets/img/projects/phishing.webp #importance: 1 category: phishing +topic_type: threat +icon: mail-exclamation related_publications: true --- diff --git a/_explained/antivirus-edr.md b/_explained/antivirus-edr.md new file mode 100644 index 00000000..864690d5 --- /dev/null +++ b/_explained/antivirus-edr.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Antivirus vs EDR +description: What is the difference between antivirus and EDR? +img: assets/img/projects/antivirus-edr.png +category: explained +topic_type: tools +icon: shield-search +--- + +## π‘οΈ What Is the Difference Between Antivirus and EDR? + +Antivirus (AV) software is the traditional approach to endpoint protection. It works primarily by comparing files on your device against a database of known malware signatures. If a file matches a known threat, it is blocked or quarantined. Endpoint Detection and Response (EDR) is a newer, more advanced approach. Rather than just checking files against a known list, EDR continuously monitors behavior on the device β watching for suspicious patterns, unusual processes, or anomalous activity that might indicate an attack, even if the threat has never been seen before. Think of antivirus as a wanted poster and EDR as a security camera watching for suspicious behavior. + +--- + +### π§ͺ Real-World Example + +A ransomware attacker uses a brand-new variant that no antivirus vendor has seen yet. Because the signature is not in any database, traditional antivirus lets it through. An EDR solution, however, notices that the process is rapidly encrypting files across the disk β behavior that looks exactly like ransomware β and automatically kills the process and alerts the security team before major damage occurs. + +--- + +### β Key Takeaways + +- Antivirus uses signature matching against known threats; EDR monitors behavior in real time. +- EDR can detect zero-day attacks and fileless malware that antivirus often misses. +- EDR provides detailed forensic logs, helping security teams investigate how an attack happened. +- Most enterprise environments use EDR; antivirus remains common for personal and small-business use. +- Many modern tools combine both approaches, often called "next-generation antivirus" (NGAV). 
+- EDR typically requires more resources and expertise to manage than traditional antivirus. diff --git a/_explained/attack-surface.md b/_explained/attack-surface.md new file mode 100644 index 00000000..c94b7d30 --- /dev/null +++ b/_explained/attack-surface.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Attack Surface +description: What is an attack surface? +img: assets/img/projects/attack-surface.png +category: explained +topic_type: concepts +icon: target +--- + +## π― What Is an Attack Surface? + +An attack surface is the total collection of points where an unauthorized user could try to enter, extract data from, or cause damage to a system or organization. Every device, application, user account, open port, API, third-party vendor, and even employee is a potential entry point. The larger the attack surface, the more opportunities an attacker has to find a weakness. Attack surface management is the practice of identifying, cataloging, and reducing these exposure points. A key principle in security is attack surface reduction β removing or hardening anything that does not need to be publicly exposed or that is not essential to operations. + +--- + +### π§ͺ Real-World Example + +A small company has a web server, a remote desktop port left open from an old project, ten employee laptops, and a file-sharing account managed by a vendor. Each of those is part of the attack surface. An attacker scanning the internet finds the open remote desktop port, brute-forces a weak password, and is inside the network β all through one overlooked exposure point that the company forgot existed. + +--- + +### β Key Takeaways + +- The attack surface includes everything an attacker could potentially target: software, hardware, people, and processes. +- A larger attack surface means more risk; reducing it is a core security strategy. +- Attack surface reduction includes closing unused ports, disabling unnecessary services, and revoking unused accounts. +- External attack surface refers to what is visible from the internet; internal attack surface covers what an attacker inside the network can reach. +- Third-party vendors and supply chain partners extend your attack surface beyond your own systems. 
+- Regular scanning and asset inventory are essential for understanding what your attack surface actually looks like. diff --git a/_explained/backups.md b/_explained/backups.md new file mode 100644 index 00000000..fd79bba8 --- /dev/null +++ b/_explained/backups.md 
@@ -0,0 +1,38 @@ +--- +layout: page +title: Backups & the 3-2-1 Rule +description: What is the 3-2-1 backup rule? +img: assets/img/projects/backups.png +category: explained +topic_type: defense +icon: cloud-upload +--- + +## πΎ What Is the 3-2-1 Backup Rule? + +**Backups** are copies of your data stored separately from the original, so you can recover if data is lost, corrupted, or held hostage by ransomware. The **3-2-1 rule** is the simplest and most widely recommended framework for doing backups reliably: + +- **3** β Keep at least three copies of your data (the original plus two backups). +- **2** β Store copies on at least two different types of media (e.g., an internal drive and an external drive, or a local NAS and cloud storage). +- **1** β Keep at least one copy **offsite** β physically or geographically separate from the others. + +The logic is straightforward: a single backup stored next to the original fails if the building burns down or ransomware encrypts everything connected to the same network. Offsite and offline copies survive those scenarios. + +A backup that has never been tested is not a real backup. Regularly restore files from your backups to confirm they actually work. + +--- + +### π§ͺ Real-World Example + +> A small business is hit by ransomware on a Monday morning. Every file on the network is encrypted, and attackers demand $50,000. The IT team checks their backups β they have a cloud backup from the previous night and an offline external drive updated weekly. Within four hours, systems are restored from the cloud backup. They pay nothing. + +--- + +### β Key Takeaways + +- Follow the **3-2-1 rule**: three copies, two media types, one offsite. +- Ensure at least one backup is **offline or air-gapped** so ransomware cannot reach it. +- **Automate** your backups β manual processes get skipped. +- **Test restores** on a schedule; a backup you have never restored from may be corrupted or incomplete. 
+- Back up **all critical data**: documents, databases, email, configuration files, and system images. +- Know your **recovery time objective (RTO)** β how fast you need to be back up β and ensure your backup solution can meet it. diff --git a/_explained/business-email-compromise.md b/_explained/business-email-compromise.md new file mode 100644 index 00000000..82397fd9 --- /dev/null +++ b/_explained/business-email-compromise.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Business Email Compromise +description: What is business email compromise? +img: assets/img/projects/business-email-compromise.png +category: explained +topic_type: threat +icon: mail-dollar +--- + +## π§ What Is Business Email Compromise? + +**Business Email Compromise (BEC)** is a targeted scam in which an attacker impersonates a trusted person β such as a company executive, vendor, or colleague β to manipulate employees into transferring money or sensitive data. Unlike broad phishing campaigns, BEC attacks are carefully researched and highly personalized. Attackers may hijack a real email account, create a look-alike domain, or simply spoof the sender's display name. The goal is usually financial fraud: convincing an accounts payable employee to wire funds to an attacker-controlled account, or tricking HR into redirecting payroll deposits. BEC is one of the costliest cyber threats in the world, responsible for billions of dollars in losses each year. + +--- + +### π§ͺ Real-World Example + +An employee in the finance department receives an email that appears to come from the company's CEO, asking for an urgent wire transfer to close a confidential deal before end of day. The email tone is authoritative, references real internal details, and asks the employee not to discuss it with others. The employee complies β but the CEO never sent the email, and the money goes to a fraudster overseas. 
+ +--- + +### π‘οΈ How to Protect Yourself + +- Always verify wire transfer or payment requests by calling the requester directly using a known phone number +- Look carefully at sender email addresses for subtle misspellings or domain differences +- Enable multi-factor authentication on all business email accounts +- Establish a written policy requiring dual approval for financial transactions above a set threshold +- Train employees to recognize urgency and secrecy as common BEC red flags +- Use email authentication standards (SPF, DKIM, DMARC) to reduce spoofed emails reaching inboxes diff --git a/_explained/cia-triad.md b/_explained/cia-triad.md new file mode 100644 index 00000000..1d9f6dcc --- /dev/null +++ b/_explained/cia-triad.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: The CIA Triad +description: What is the CIA Triad in cybersecurity? +img: assets/img/projects/cia-triad.png +category: explained +topic_type: concepts +icon: triangle +--- + +## πΊ What Is the CIA Triad? + +The CIA Triad is the foundational model of cybersecurity, built around three core principles: Confidentiality, Integrity, and Availability. Confidentiality means keeping information private and accessible only to those who are authorized to see it. Integrity means ensuring that data is accurate and has not been tampered with or altered without authorization. Availability means making sure that systems and data are accessible and functional when legitimate users need them. Nearly every security control, policy, or tool in existence is designed to protect one or more of these three properties. + +--- + +### π§ͺ Real-World Example + +A hospital's patient records system must be confidential β only authorized staff can view patient data. It must have integrity β a nurse needs to trust that a medication dosage in the record has not been changed by anyone unauthorized. And it must be available β if a ransomware attack locks the system down during an emergency, lives could be at risk. A security breach can attack any or all three of these properties at once. + +--- + +### β Key Takeaways + +- Confidentiality protects data from unauthorized access β enforced through encryption and access controls. +- Integrity ensures data is accurate and unaltered β enforced through hashing, audit logs, and checksums. +- Availability ensures systems are up and accessible β protected by backups, redundancy, and DDoS mitigation. +- Most cyberattacks target at least one leg of the triad: data theft breaks confidentiality, tampering breaks integrity, ransomware breaks availability. +- The CIA Triad is used to evaluate risks, design systems, and assess the impact of security incidents. 
+- Understanding the triad helps organizations prioritize what they are protecting and why. diff --git a/_explained/credential-stuffing.md b/_explained/credential-stuffing.md new file mode 100644 index 00000000..60a49843 --- /dev/null +++ b/_explained/credential-stuffing.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Credential Stuffing +description: What is credential stuffing? +img: assets/img/projects/credential-stuffing.png +category: explained +topic_type: threat +icon: lock-open +--- + +## π What Is Credential Stuffing? + +**Credential stuffing** is an automated attack in which criminals use large lists of stolen usernames and passwords β obtained from previous data breaches β to try logging into other websites and services. Because many people reuse the same password across multiple accounts, attackers rely on the fact that credentials leaked from one site will also work on others. Automated tools can test millions of username-password pairs against hundreds of websites in a very short time. If even a small percentage of attempts succeed, the attacker gains access to banking, email, shopping, or social media accounts. Credential stuffing is distinct from brute-force attacks: instead of guessing random passwords, attackers use real credentials that are already known to work somewhere. + +--- + +### π§ͺ Real-World Example + +> A large gaming platform suffers a data breach, and the stolen logins are posted on a hacking forum. Attackers run those same email-and-password combinations against a popular online retailer. Thousands of accounts are compromised within hours β not because the retailer was hacked, but because users had reused the same passwords. + +--- + +### π‘οΈ How to Protect Yourself + +- Use a unique, strong password for every account β never reuse passwords across sites +- Use a password manager to generate and store complex passwords without needing to memorize them +- Enable multi-factor authentication (MFA) on every account that supports it +- Check sites like HaveIBeenPwned.com to find out if your credentials have appeared in a known breach +- Change passwords immediately for any account associated with a breached service +- Watch for unexpected login notifications or activity alerts from your accounts 
diff --git a/_explained/cve-cvss.md b/_explained/cve-cvss.md new file mode 100644 index 00000000..c3e908a9 --- /dev/null +++ b/_explained/cve-cvss.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: CVE & CVSS Scoring +description: What are CVEs and CVSS scores? +img: assets/img/projects/cve-cvss.png +category: explained +topic_type: concepts +icon: bug +--- + +## π What Are CVEs and CVSS Scores? + +A CVE (Common Vulnerabilities and Exposures) is a standardized identifier assigned to a publicly known security vulnerability in software or hardware. Each CVE gets a unique ID β like CVE-2021-44228 (the critical Log4Shell vulnerability) β so that security researchers, vendors, and defenders can all reference the same flaw without confusion. A CVSS (Common Vulnerability Scoring System) score is a numerical rating, from 0.0 to 10.0, that measures how severe a vulnerability is. The score takes into account factors like how easy the flaw is to exploit, whether it requires authentication, and how much damage it can cause. Together, CVEs and CVSS scores help organizations prioritize which vulnerabilities to fix first. + +--- + +### π§ͺ Real-World Example + +A security researcher discovers a bug in a popular web server software that allows remote code execution without any login. It gets assigned a CVE ID and a CVSS score of 9.8 out of 10 β critical. Your security team sees the alert, searches your environment for the affected software, and patches it within hours. Without this standardized system, the same vulnerability might be described a dozen different ways across different reports, causing dangerous delays. + +--- + +### β Key Takeaways + +- CVEs are unique identifiers for known vulnerabilities, managed by MITRE and published in the National Vulnerability Database (NVD). +- CVSS scores range from 0.0 (none) to 10.0 (critical) and help teams prioritize patching. +- A score of 7.0 or higher is generally considered high or critical severity. +- CVSS scores measure exploitability, impact on confidentiality, integrity, and availability, and other factors. 
+- Not every high-scoring CVE is equally dangerous in your environment β context and exposure matter. +- Tools like EPSS (Exploit Prediction Scoring System) complement CVSS by estimating the likelihood a vulnerability will actually be exploited. diff --git a/_explained/dark-web-monitoring.md b/_explained/dark-web-monitoring.md new file mode 100644 index 00000000..6a4b6c8c --- /dev/null +++ b/_explained/dark-web-monitoring.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Dark Web Monitoring +description: What is dark web monitoring? +img: assets/img/projects/dark-web-monitoring.png +category: explained +topic_type: tools +icon: eye +--- + +## πΆοΈ What Is Dark Web Monitoring? + +The dark web is a part of the internet that is not indexed by standard search engines and requires special software β like the Tor browser β to access. It is frequently used by cybercriminals to buy and sell stolen data, including email addresses, passwords, credit card numbers, and Social Security numbers. Dark web monitoring is a service that continuously scans these hidden forums, marketplaces, and data dumps for your personal information. When a match is found, you receive an alert so you can take action β like changing a compromised password β before serious damage is done. + +--- + +### π§ͺ Real-World Example + +A company suffers a data breach and millions of customer credentials are stolen. Within days, those credentials appear for sale on a dark web marketplace. A dark web monitoring service detects your email address and password in that dump and immediately notifies you, giving you the chance to change your password and lock down your accounts before an attacker can use them. + +--- + +### β Key Takeaways + +- Dark web monitoring scans hidden online markets and forums for your personal data. +- It does not remove your data from the dark web β it only alerts you that it has been found. +- Common data found includes email/password pairs, credit card numbers, and identity information. +- Many password managers and credit monitoring services now include dark web monitoring. +- Receiving an alert means you should immediately change the affected password and enable MFA on that account. +- Proactive monitoring gives you a head start before attackers can exploit stolen credentials. diff --git a/_explained/deepfakes.md b/_explained/deepfakes.md new file mode 100644 index 00000000..53b22769 --- /dev/null 
+++ b/_explained/deepfakes.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Deepfakes & AI-Driven Attacks +description: What are deepfakes and AI-driven attacks? +img: assets/img/projects/deepfakes.png +category: explained +topic_type: threat +icon: brain +--- + +## π€ What Are Deepfakes & AI-Driven Attacks? + +**Deepfakes** are hyper-realistic synthetic media β video, audio, or images β generated by artificial intelligence to make it appear that someone said or did something they never actually did. Beyond faked videos, AI is increasingly used to power a broader class of attacks: generating convincing phishing emails with perfect grammar, cloning someone's voice from just a few seconds of audio, and automating highly personalized social engineering at massive scale. These AI-driven techniques lower the barrier for attackers significantly β what once required skilled actors and expensive equipment can now be done in minutes with free or cheap tools. As the technology improves, distinguishing real from fake becomes harder for both humans and automated detection systems. + +--- + +### π§ͺ Real-World Example + +A company's CFO receives a video call from what appears to be the CEO, asking for an emergency wire transfer. The face and voice are convincing. The CFO approves the transfer β but the "CEO" was a deepfake generated by attackers who had studied publicly available videos and audio recordings. This type of attack has already resulted in multi-million dollar losses at real organizations. 
+ +--- + +### π‘οΈ How to Protect Yourself + +- Establish out-of-band verification procedures for high-stakes requests β always confirm via a separate, known channel +- Be skeptical of urgent video or voice requests involving money or sensitive data, even from familiar faces +- Look for subtle signs of deepfake artifacts: unnatural blinking, lip-sync issues, or odd lighting around the face +- Use a pre-agreed code word with colleagues or family for verifying identity in sensitive situations +- Stay informed about AI-generated content and train your team to recognize new threat techniques +- Report suspected deepfake fraud to your security team and relevant authorities immediately diff --git a/_explained/emailspoofing.md b/_explained/emailspoofing.md index 095944c2..40cd5695 100644 --- a/_explained/emailspoofing.md +++ b/_explained/emailspoofing.md @@ -4,6 +4,8 @@ title: Email Spoofing description: What is email spoofing? img: assets/img/projects/emailspoofing.png category: explained +topic_type: threat +icon: mail-off --- ## βοΈ What Is Email Spoofing? diff --git a/_explained/encryption.md b/_explained/encryption.md new file mode 100644 index 00000000..7aa9b1b6 --- /dev/null +++ b/_explained/encryption.md 
@@ -0,0 +1,33 @@ +--- +layout: page +title: Encryption +description: What is encryption? +img: assets/img/projects/encryption.png +category: explained +topic_type: defense +icon: lock +--- + +## π What Is Encryption? + +**Encryption** is the process of scrambling data into an unreadable format so that only someone with the correct key can read it. Think of it like a combination lock on your information β the data is still there, but it looks like gibberish to anyone who doesn't have the right code to unlock it. + +Encryption protects data both **in transit** (moving across the internet) and **at rest** (stored on a device or server). When you see "HTTPS" in your browser's address bar, that padlock icon means your connection is encrypted using TLS. When your phone asks you to set a passcode, that passcode helps encrypt the files stored on the device. + +Modern encryption relies on complex mathematics. Common standards like AES-256 (used for storing data) and RSA (used for exchanging keys) are so strong that breaking them by brute force would take longer than the age of the universe with today's computers. + +--- + +### π§ͺ Real-World Example + +You log in to your bank's website. Before your username and password travel from your browser to the bank's server, encryption scrambles them into ciphertext. Even if an attacker intercepted that traffic on a public Wi-Fi network, they would see only random characters β not your credentials. + +--- + +### β Key Takeaways + +- Always use websites and services that show **HTTPS** in the URL bar. +- Enable **full-disk encryption** on laptops and phones (FileVault on macOS, BitLocker on Windows, built-in on modern iOS/Android). +- Use **end-to-end encrypted** messaging apps (like Signal) for sensitive conversations. +- Strong encryption is only useful if you protect your **keys and passwords** β a great lock means nothing if you hand out the key. 
+- Encryption does not prevent all attacks β it protects data confidentiality, but you still need other controls for integrity and access. diff --git a/_explained/epss.md b/_explained/epss.md new file mode 100644 index 00000000..2d14c322 --- /dev/null +++ b/_explained/epss.md 
@@ -0,0 +1,34 @@ +--- +layout: page +title: EPSS +description: What is the Exploit Prediction Scoring System? +img: assets/img/projects/epss.png +category: explained +topic_type: concepts +icon: chart-bar +--- + +## π What Is EPSS? + +The **Exploit Prediction Scoring System (EPSS)** is a free, data-driven model that estimates the probability a published CVE will be exploited in the wild **within the next 30 days**. Scores range from 0 to 1 (0% β 100%) and are refreshed daily for every known CVE. + +Where **CVSS** measures the *severity* of a vulnerability based on its characteristics, EPSS measures *likelihood of exploitation* based on real-world signals. A vulnerability can be critical by CVSS but have a near-zero EPSS score β meaning attackers are not actively targeting it. + +EPSS is maintained by [FIRST](https://www.first.org/epss/) and powered by a machine-learning model trained on inputs including CVSS metrics, CWE weakness type, exploit code availability (Exploit-DB, GitHub, Metasploit), presence on CISA KEV, and live exploitation telemetry from honeypots and IDS/IPS sensors. + +--- + +### π§ͺ Real-World Example + +As of October 2023, the NVD contained over 139,000 CVEs with CVSS 3.x scores. In any given 30-day window, only about **2.7%** of those CVEs showed active exploitation. Using CVSS β₯7 to prioritize would capture 82% of exploited CVEs β but require patching **57%** of all vulnerabilities. Using EPSS β₯10% captures 63% of exploited CVEs while targeting only **2.7%** of the total β making remediation far more efficient. 
+ +--- + +### β Key Takeaways + +- EPSS scores are probabilities (0β1), not severity ratings β a score of 0.94 means a 94% chance of exploitation in the next 30 days +- Pair EPSS with CVSS: high severity + high EPSS = patch immediately; high severity + low EPSS = monitor and schedule +- CISA KEV entries tend to have high EPSS scores β if a CVE is on KEV, treat it as urgent regardless +- EPSS data is free and available via CSV download or API at `api.first.org/data/v1/epss` +- There is no single "right" threshold β organizations with limited resources should optimize for efficiency; mission-critical environments should optimize for coverage +- EPSS is not a guarantee: it predicts likelihood, not certainty β unknown exploits and targeted attacks can still affect low-scoring CVEs diff --git a/_explained/firewalls.md b/_explained/firewalls.md index 1225f35f..66db56a5 100644 --- a/_explained/firewalls.md +++ b/_explained/firewalls.md @@ -4,6 +4,8 @@ title: Firewalls description: What is a firewall? img: assets/img/projects/firewall.png category: explained +topic_type: defense +icon: wall --- ## π₯ What Is a Firewall? diff --git a/_explained/incident-response.md b/_explained/incident-response.md new file mode 100644 index 00000000..18827d2d --- /dev/null +++ b/_explained/incident-response.md 
@@ -0,0 +1,34 @@ +--- +layout: page +title: Incident Response +description: What is incident response? +img: assets/img/projects/incident-response.png +category: explained +topic_type: defense +icon: ambulance +--- + +## π¨ What Is Incident Response? + +**Incident response (IR)** is the structured process an organization follows when a security breach or cyberattack occurs. Just as hospitals have triage protocols and fire departments have response plans, cybersecurity teams have IR plans that define exactly who does what, in what order, when something goes wrong. + +A well-defined IR process typically follows six phases: **Preparation** (building the plan and tools before an incident), **Identification** (detecting that something is wrong), **Containment** (limiting the damage), **Eradication** (removing the threat), **Recovery** (restoring normal operations), and **Lessons Learned** (improving defenses afterward). This framework is commonly known as the PICERL model. + +Without a plan, organizations often make costly mistakes under pressure β like wiping a compromised server before preserving forensic evidence, or failing to notify customers within legally required timeframes. + +--- + +### π§ͺ Real-World Example + +A company's security monitoring system flags unusual outbound traffic at 2 a.m. The IR plan kicks in: an analyst confirms it is a data exfiltration attempt, the network team isolates the affected segment within minutes, and forensics preserves logs for investigation β all without anyone having to improvise. Compare this to a company with no plan, where hours pass while employees debate who is responsible. + +--- + +### β Key Takeaways + +- **Have a written IR plan** before an incident happens β not during one. +- Define clear **roles and responsibilities** so everyone knows their job when things go wrong. +- Practice the plan with **tabletop exercises** β talk through realistic attack scenarios as a team. 
+- **Preserve evidence** before cleaning up; logs and memory dumps are critical for understanding what happened. +- Know your **legal and regulatory obligations** for breach notification (GDPR, HIPAA, state laws). +- After every incident, conduct a **post-mortem** to improve detection and response for next time. diff --git a/_explained/insider-threats.md b/_explained/insider-threats.md new file mode 100644 index 00000000..a966f5fb --- /dev/null +++ b/_explained/insider-threats.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Insider Threats +description: What is an insider threat? +img: assets/img/projects/insider-threats.png +category: explained +topic_type: threat +icon: user-exclamation +--- + +## π€ What Is an Insider Threat? + +An **insider threat** is a security risk that originates from within an organization β typically a current or former employee, contractor, or business partner who has authorized access to systems and data. Not all insider threats are malicious; some are the result of careless or negligent behavior, such as an employee accidentally emailing sensitive data to the wrong person or misconfiguring a cloud storage bucket. Malicious insiders, however, intentionally misuse their access for personal gain, revenge, or at the direction of an outside party. Because insiders already have legitimate credentials and knowledge of internal systems, they are significantly harder to detect than external attackers. The damage can range from stolen intellectual property and leaked customer data to sabotage of critical infrastructure. + +--- + +### π§ͺ Real-World Example + +A network administrator who has just been informed of their upcoming layoff downloads a large archive of proprietary source code and customer records to a personal USB drive before their last day. The data is later found for sale on a dark web forum, and the company faces regulatory fines and reputational damage. 
+ +--- + +### π‘οΈ How to Protect Yourself + +- Apply the principle of least privilege: give employees access only to what they need for their role +- Monitor and log access to sensitive systems, especially for unusual patterns like large data downloads +- Revoke access immediately when an employee resigns, is terminated, or changes roles +- Conduct regular access reviews to audit who has access to critical systems and data +- Foster a positive workplace culture and clear reporting channels to reduce motivation for malicious acts +- Use data loss prevention (DLP) tools to detect and block unauthorized transfers of sensitive information diff --git a/_explained/least-privilege.md b/_explained/least-privilege.md new file mode 100644 index 00000000..7df015e6 --- /dev/null +++ b/_explained/least-privilege.md 
@@ -0,0 +1,34 @@ +--- +layout: page +title: Principle of Least Privilege +description: What is the principle of least privilege? +img: assets/img/projects/least-privilege.png +category: explained +topic_type: defense +icon: user-check +--- + +## π What Is the Principle of Least Privilege? + +The **principle of least privilege (PoLP)** means giving every user, application, and system only the minimum level of access needed to do its job β nothing more. An accountant needs access to financial records but not to the engineering code repository. A web server needs to read files but not to install new software. Limiting access by default dramatically reduces the damage that can result from an error, a compromised account, or a malicious insider. + +Least privilege applies everywhere: user accounts, service accounts, database permissions, cloud IAM roles, and even what code can do at runtime. The complementary concept of **just-in-time access** takes this further β granting elevated permissions only for the duration of a specific task, then revoking them automatically. + +The failure to apply least privilege is behind a huge proportion of serious breaches. When attackers or malware gain access to an account, they inherit that account's permissions. A low-privilege account limits the blast radius; an over-privileged one can lead to full network compromise. + +--- + +### π§ͺ Real-World Example + +A marketing intern is given a company login. With no least-privilege controls, their account has the same broad access as a senior engineer β including production databases. The intern clicks a phishing link, and the attacker now has access to customer records. Had the account been scoped to only the tools the intern actually needs, the breach would have been contained. + +--- + +### β Key Takeaways + +- **Audit existing accounts** regularly and remove permissions that are no longer needed. 
+- Avoid using **administrator or root accounts** for everyday tasks β use them only when required. +- Apply least privilege to **service accounts and APIs** β they are frequent targets and often over-permissioned. +- Use **role-based access control (RBAC)** to assign permissions to roles, then assign roles to users, rather than granting individual permissions ad hoc. +- Implement **just-in-time access** for sensitive operations so elevated rights expire automatically. +- Log and alert on **privilege escalation events** β legitimate users rarely need to suddenly access things outside their role. diff --git a/_explained/malware.md b/_explained/malware.md new file mode 100644 index 00000000..c1a0b147 --- /dev/null +++ b/_explained/malware.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Malware +description: What is malware? +img: assets/img/projects/malware.png +category: explained +topic_type: threat +icon: virus +--- + +## π¦ What Is Malware? + +**Malware** (short for "malicious software") is any program or file intentionally designed to harm a computer, steal data, or disrupt normal operations. It is an umbrella term that covers a wide range of threats, including viruses, trojans, spyware, adware, worms, and ransomware. Malware can arrive through infected email attachments, malicious websites, compromised software downloads, USB drives, or even legitimate-looking apps. Once installed, it can run silently in the background β logging your keystrokes, stealing passwords, encrypting your files, or turning your device into part of a larger botnet used to attack other systems. Unlike a simple bug or software crash, malware is deliberate: someone wrote it with harmful intent. + +--- + +### π§ͺ Real-World Example + +You download what looks like a free version of a popular video editing app from an unofficial website. The installer runs fine, but in the background it silently installs a keylogger that captures everything you type β including your banking credentials and email passwords. Days later, you notice unauthorized transactions on your bank account. + +--- + +### π‘οΈ How to Protect Yourself + +- Only download software from official sources and trusted app stores +- Keep your operating system and all applications updated to patch known vulnerabilities +- Use reputable antivirus or endpoint security software and keep its definitions current +- Be cautious with email attachments and links, even from people you know +- Avoid plugging in unknown USB drives or storage devices +- Enable automatic backups so you can recover your data if malware strikes diff --git a/_explained/man-in-the-middle.md b/_explained/man-in-the-middle.md new file mode 100644 index 00000000..5f7e2c47 --- /dev/null 
+++ b/_explained/man-in-the-middle.md @@ -0,0 +1,30 @@ +--- +layout: page +title: Man-in-the-Middle Attacks +description: What is a man-in-the-middle attack? +img: assets/img/projects/man-in-the-middle.png +category: explained +topic_type: threat +icon: arrows-exchange +--- + +## π΅οΈ What Is a Man-in-the-Middle Attack? + +A **man-in-the-middle (MitM) attack** occurs when an attacker secretly intercepts and potentially alters communication between two parties who believe they are communicating directly with each other. Think of it like a postal worker opening your letters, reading or changing the contents, resealing them, and sending them on β with neither the sender nor recipient ever knowing. MitM attacks can target web browsing, email, messaging apps, and even financial transactions. Common techniques include rogue Wi-Fi hotspots, ARP spoofing on local networks, and SSL stripping (downgrading a secure HTTPS connection to unencrypted HTTP). The attacker can passively eavesdrop to harvest credentials or actively modify data in transit. + +--- + +### π§ͺ Real-World Example + +You connect to a free Wi-Fi network at an airport called "AirportFreeWifi." Unknown to you, the hotspot is run by an attacker. When you visit your bank's website, the attacker intercepts the traffic, captures your login credentials, and relays your session normally so you never notice anything is wrong. + +--- + +### π‘οΈ How to Protect Yourself + +- Always verify that websites use HTTPS (padlock icon) before entering any sensitive information +- Avoid using public or unsecured Wi-Fi for banking, email, or any sensitive activity +- Use a VPN on public networks to encrypt your traffic end-to-end +- Pay attention to browser warnings about invalid or untrusted certificates +- Keep your device's operating system and browser updated to protect against known vulnerabilities +- Use MFA so that stolen credentials alone are not enough to access your accounts 
diff --git a/_explained/mfa-apps.md b/_explained/mfa-apps.md new file mode 100644 index 00000000..a257be3d --- /dev/null +++ b/_explained/mfa-apps.md @@ -0,0 +1,30 @@ +--- +layout: page +title: MFA Apps +description: What are MFA authenticator apps? +img: assets/img/projects/mfa-apps.png +category: explained +topic_type: tools +icon: device-mobile-check +--- + +## π± What Is an MFA Authenticator App? + +An MFA authenticator app is a smartphone application that generates a short, time-sensitive code β usually six digits β that you enter alongside your password when logging into an account. This is a form of multi-factor authentication (MFA), which means you need more than just a password to get in. The code changes every 30 seconds and is unique to your device, making it much harder for an attacker to access your account even if they have stolen your password. Popular examples include Google Authenticator, Microsoft Authenticator, and Authy. + +--- + +### π§ͺ Real-World Example + +You log into your work email and enter your password. The site then asks for a six-digit code. You open your authenticator app, see the code for that account, type it in, and you're in. Even if a hacker had grabbed your password in a data breach, they still cannot log in without physically having your phone. + +--- + +### β Key Takeaways + +- Authenticator apps generate time-based one-time passwords (TOTP) that expire every 30 seconds. +- They are more secure than SMS-based codes, which can be intercepted through SIM-swapping attacks. +- The codes are generated locally on your device, so they work even without an internet connection. +- Setting up an app requires scanning a QR code from the site during initial enrollment. +- If you lose your device, recovery depends on backup codes or re-enrollment β save your backup codes when setting up. +- Common apps include Google Authenticator, Microsoft Authenticator, Authy, and 1Password. 
diff --git a/_explained/network-segmentation.md b/_explained/network-segmentation.md new file mode 100644 index 00000000..30b4d9c3 --- /dev/null +++ b/_explained/network-segmentation.md 
@@ -0,0 +1,34 @@ +--- +layout: page +title: Network Segmentation +description: What is network segmentation? +img: assets/img/projects/network-segmentation.png +category: explained +topic_type: defense +icon: topology-ring +--- + +## π What Is Network Segmentation? + +**Network segmentation** is the practice of dividing a computer network into smaller, isolated sections called segments or zones. Each segment has its own access rules, so a device or user in one zone cannot freely communicate with devices in another zone without explicit permission. + +The security goal is **containment**. If an attacker compromises one part of your network β say, a guest Wi-Fi laptop or a vulnerable IoT thermostat β segmentation prevents them from moving freely to sensitive systems like servers, payment databases, or industrial controls. This lateral movement is how attackers often go from a minor foothold to a catastrophic breach. + +Common segmentation approaches include VLANs (Virtual Local Area Networks), firewalls between zones, and micro-segmentation in cloud and virtualized environments where controls apply at the individual workload level. + +--- + +### π§ͺ Real-World Example + +The 2013 Target breach began when attackers compromised a third-party HVAC vendor's credentials. Because Target's network allowed that vendor access to reach point-of-sale systems, 40 million credit card numbers were stolen. Proper segmentation β isolating vendor access from payment systems β would have contained the breach to the HVAC management network only. + +--- + +### β Key Takeaways + +- Separate **guest Wi-Fi** from your internal corporate or home network so visitors cannot reach internal devices. +- Isolate **IoT devices** (smart TVs, cameras, thermostats) on their own network segment. +- Place **servers and databases** in a dedicated zone with strict inbound rules β only the applications that need them should reach them. 
+- Apply the **principle of least privilege** to network access, not just user accounts. +- Use a **firewall or access control list** between each segment to enforce the boundaries. +- Regularly **audit** what can talk to what β network access rules accumulate and drift over time. diff --git a/_explained/osint.md b/_explained/osint.md new file mode 100644 index 00000000..053cb98c --- /dev/null +++ b/_explained/osint.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: OSINT +description: What is OSINT (Open Source Intelligence)? +img: assets/img/projects/osint.png +category: explained +topic_type: concepts +icon: search +--- + +## π What Is OSINT? + +OSINT stands for Open Source Intelligence β the practice of collecting and analyzing information from publicly available sources to build a picture of a target, whether that is a person, organization, or system. "Open source" here does not mean open-source software; it means information that is openly accessible to anyone: social media profiles, public company records, domain registration data, job postings, news articles, government databases, and more. OSINT is used by both attackers and defenders. Security teams use it to understand what information about their organization is publicly exposed. Attackers use it to research targets before launching an attack β a process called reconnaissance. + +--- + +### π§ͺ Real-World Example + +Before launching a phishing attack against a company, an attacker searches LinkedIn to find employee names and job titles. They look up the company's domain registration to find IT contact names, check job postings to learn what software the company uses, and browse social media to find personal details that make a fake email more convincing. All of this information was publicly available β no hacking required. Security teams use the same techniques to identify what an attacker could learn about them and reduce that exposure. + +--- + +### β Key Takeaways + +- OSINT uses only publicly available information β no hacking or unauthorized access involved. +- Sources include social media, WHOIS records, search engines, public databases, and job listings. +- Attackers use OSINT for reconnaissance; defenders use it to find and reduce their own exposure. +- Common OSINT tools include Shodan (for internet-connected devices), Maltego, and theHarvester. 
+- Oversharing on social media and company websites can significantly increase an organization's OSINT footprint. +- Regularly auditing your own public presence is a key part of attack surface management. diff --git a/_explained/password-managers.md b/_explained/password-managers.md new file mode 100644 index 00000000..8ad67cba --- /dev/null +++ b/_explained/password-managers.md 
@@ -0,0 +1,34 @@ +--- +layout: page +title: Password Managers +description: What is a password manager? +img: assets/img/projects/password-managers.png +category: explained +topic_type: defense +icon: password +--- + +## π What Is a Password Manager? + +A **password manager** is an application that securely stores and organizes your passwords in an encrypted vault. Instead of remembering dozens of unique passwords, you only need to remember one strong **master password** to unlock the vault. The manager then fills in your credentials automatically when you visit a website or open an app. + +The core benefit is that a password manager makes it practical to use a **long, unique, random password for every account**. Without a tool to remember them, most people reuse the same password across multiple sites β a practice called credential reuse. When one site is breached and passwords leak, attackers test those credentials on hundreds of other services (called a credential stuffing attack), and reused passwords give them instant access. + +Good password managers also generate strong passwords for you, alert you when a saved password appears in a known data breach, and sync securely across your devices. + +--- + +### π§ͺ Real-World Example + +> A database from a shopping website you used in 2019 is leaked online. Your email and password from that breach are now in an attacker's list. They try that combination on Gmail, your bank, and your work email. Because you use a password manager and every account has a different password, none of those attempts succeed. + +--- + +### β Key Takeaways + +- Use a reputable password manager (Bitwarden, 1Password, and Dashlane are well-regarded options). +- Create a **long, memorable master password** β a passphrase of four or more random words works well. +- Enable **two-factor authentication** on the password manager account itself. +- Let the manager **generate** passwords β aim for at least 16 random characters. 
+- Never reuse passwords across accounts, even for "unimportant" sites. +- Check if your saved passwords have appeared in **known breaches** using the manager's built-in alerts or HaveIBeenPwned. diff --git a/_explained/patch-management.md b/_explained/patch-management.md new file mode 100644 index 00000000..e3283255 --- /dev/null +++ b/_explained/patch-management.md 
@@ -0,0 +1,34 @@ +--- +layout: page +title: Patch Management +description: What is patch management? +img: assets/img/projects/patch-management.png +category: explained +topic_type: defense +icon: tool +--- + +## π§ What Is Patch Management? + +**Patch management** is the practice of regularly updating software, operating systems, and firmware to fix security vulnerabilities and bugs. When developers discover a flaw in their software, they release a **patch** β a small update that closes the hole. Patch management is the process of identifying, testing, and applying those patches in a timely and organized way. + +Unpatched software is one of the most common ways attackers gain access to systems. Many major breaches β including the 2017 Equifax breach that exposed 147 million people's data β exploited vulnerabilities that had patches available for months before the attack. Applying updates promptly is one of the highest-impact, lowest-cost defensive actions any organization or individual can take. + +Patch management also applies to devices you might overlook: routers, printers, smart TVs, and IoT devices all run firmware that needs updates. + +--- + +### π§ͺ Real-World Example + +A company runs an older version of its web server software. A security researcher publishes details of a critical vulnerability in that version. Attackers scan the internet for unpatched servers and exploit the flaw within hours. A company that had already applied the vendor's patch is unaffected; one that delayed it for "testing" is breached. + +--- + +### β Key Takeaways + +- Enable **automatic updates** on operating systems, browsers, and common applications whenever possible. +- Patch **third-party software** (Adobe, Java, browser plugins) β not just the OS β since these are frequent attack targets. +- Prioritize patches rated **Critical or High** severity; aim to apply them within 24-72 hours of release. +- Keep an **inventory** of all software and devices so nothing is forgotten. 
+- Test patches in a staging environment before deploying to production systems in high-availability environments. +- Decommission software that is **end-of-life** and no longer receives patches. diff --git a/_explained/ransomware.md b/_explained/ransomware.md index 87478128..84fde2b6 100644 --- a/_explained/ransomware.md +++ b/_explained/ransomware.md @@ -4,6 +4,8 @@ title: Ransomware description: What is ransomware? img: assets/img/projects/ransomware.png category: explained +topic_type: threat +icon: lock-exclamation --- ## π° What Is Ransomware? diff --git a/_explained/red-blue-team.md b/_explained/red-blue-team.md new file mode 100644 index 00000000..8caeb3f2 --- /dev/null +++ b/_explained/red-blue-team.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Red Team vs Blue Team +description: What are red teams and blue teams? +img: assets/img/projects/red-blue-team.png +category: explained +topic_type: concepts +icon: swords +--- + +## βοΈ What Are Red Teams and Blue Teams? + +In cybersecurity, red teams and blue teams represent two opposing sides that organizations use to test and strengthen their defenses. The red team plays the role of the attacker. Their job is to think and act like a malicious hacker β probing systems, exploiting vulnerabilities, and attempting to breach defenses using real-world techniques. The blue team plays the role of the defender. Their job is to detect, respond to, and recover from those attacks. The goal of running both is to find weaknesses before real attackers do, and to improve the organization's ability to detect and respond to threats. When both teams collaborate and share findings, it is sometimes called a purple team exercise. + +--- + +### π§ͺ Real-World Example + +A financial institution hires a red team to simulate an attack on their network. The red team successfully phishes an employee, gains access to an internal system, and moves laterally toward sensitive data β all without triggering any alerts. The blue team reviews the logs afterward and realizes their detection tools missed key indicators. They update their rules, train staff on phishing awareness, and run another exercise three months later to measure improvement. + +--- + +### β Key Takeaways + +- Red teams simulate real-world attackers to expose security gaps before malicious actors do. +- Blue teams defend, monitor, and respond to threats in real time or during exercises. +- Red team activities include phishing simulations, penetration testing, and social engineering. +- Blue team activities include monitoring security alerts, incident response, and threat hunting. +- Purple teaming is when red and blue teams work together openly to maximize learning. 
+- These exercises reveal gaps in both technology (tools not detecting threats) and process (teams not responding correctly). diff --git a/_explained/social-engineering.md b/_explained/social-engineering.md index 976504d1..31b9963e 100644 --- a/_explained/social-engineering.md +++ b/_explained/social-engineering.md @@ -4,6 +4,8 @@ title: Social Engineering description: What is social engineering? img: assets/img/projects/social-engineering.png category: explained +topic_type: threat +icon: user-question --- ## π What Is Social Engineering? diff --git a/_explained/strong-passwords.md b/_explained/strong-passwords.md index 5a4f3bef..3c90aa44 100644 --- a/_explained/strong-passwords.md +++ b/_explained/strong-passwords.md @@ -4,6 +4,8 @@ title: Strong Passwords description: What is a strong password? img: assets/img/projects/passwords.png category: explained +topic_type: defense +icon: key --- ## π What Is a Strong Password? diff --git a/_explained/supply-chain-attacks.md b/_explained/supply-chain-attacks.md new file mode 100644 index 00000000..b2cf84a5 --- /dev/null +++ b/_explained/supply-chain-attacks.md 
@@ -0,0 +1,30 @@ +--- +layout: page +title: Supply Chain Attacks +description: What is a supply chain attack? +img: assets/img/projects/supply-chain-attacks.png +category: explained +topic_type: threat +icon: package +--- + +## π¦ What Is a Supply Chain Attack? + +A **supply chain attack** targets an organization not by attacking it directly, but by compromising a third-party vendor, software library, or service provider that the organization trusts and relies upon. Rather than breaking through a well-defended front door, attackers find a weaker link in the chain β a software update mechanism, an open-source dependency, or a managed service provider β and use it as a stealthy entry point into thousands of downstream targets at once. Because the malicious code or access arrives through a trusted channel (a legitimate software update, for example), it often bypasses traditional security controls entirely. Supply chain attacks are particularly dangerous because a single successful compromise can cascade to hundreds or even thousands of organizations simultaneously. + +--- + +### π§ͺ Real-World Example + +In the SolarWinds attack of 2020, attackers inserted malicious code into a routine software update for a widely used IT monitoring product. When roughly 18,000 organizations installed the update β including government agencies and Fortune 500 companies β they unknowingly gave the attackers a persistent backdoor into their networks. The breach went undetected for months. 
+ +--- + +### π‘οΈ How to Protect Yourself + +- Vet third-party vendors and software providers carefully, including their security practices and incident history +- Keep an accurate inventory of all third-party software, libraries, and services your organization uses +- Apply software updates from verified, official sources and monitor vendor security advisories +- Use tools that detect anomalous behavior in software already running in your environment +- Segment your network so that a compromised vendor connection cannot reach your most sensitive systems +- Require vendors with privileged access to meet minimum security standards and conduct periodic reviews diff --git a/_explained/two-factor-authentication.md b/_explained/two-factor-authentication.md index f75580be..b22b02b3 100644 --- a/_explained/two-factor-authentication.md +++ b/_explained/two-factor-authentication.md @@ -4,6 +4,8 @@ title: Two-Factor Authentication description: What is 2FA? img: assets/img/projects/2fa.png category: explained +topic_type: defense +icon: shield-check --- ## π What Is Two-Factor Authentication (2FA)? diff --git a/_explained/vpn.md b/_explained/vpn.md index 610a5e93..b5495446 100644 --- a/_explained/vpn.md +++ b/_explained/vpn.md @@ -4,6 +4,8 @@ title: VPN description: What is a VPN? img: assets/img/projects/vpn.png category: explained +topic_type: tools +icon: network --- ## π What Is a VPN? diff --git a/_explained/zero-trust.md b/_explained/zero-trust.md index a3eb7d92..6df3c68d 100644 --- a/_explained/zero-trust.md +++ b/_explained/zero-trust.md @@ -4,6 +4,8 @@ title: Zero Trust description: What is Zero Trust security? img: assets/img/projects/zero-trust.png category: explained +topic_type: defense +icon: eye-off --- ## π« What Is Zero Trust? diff --git a/_includes/header.liquid b/_includes/header.liquid index a211e730..6ee40fbb 100644 --- a/_includes/header.liquid +++ b/_includes/header.liquid 
@@ -115,11 +115,13 @@ {% else %} {% assign parent_link = p.permalink | remove: 'index.html' %} -
{{ page.description }}
+ {% if page.collection == 'explained' %} + + Back to Cybersecurity Explained + + {% endif %} +-Here, you'll find projects designed to break down complex cybersecurity topics into simple, easy-to-understand explanations. Our goal is to make cybersecurity accessible to everyoneβno technical background required! -
- - -// knowledge base
++ Breaking down complex security topics into plain language β + no technical background required. +
+
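Review bot: In the `_explained/incident-response.md` hunk (and every other new `_explained/*.md` file in this patch), the emoji that lead each heading render as mojibake in the diff (`## π¨ What Is Incident Response?`, `### π§ͺ Real-World Example`, `### β Key Takeaways`, and the `β` used as a dash in body text). Please confirm the files are committed as UTF-8 without a BOM and that the Jekyll build emits `<meta charset="utf-8">`; if the characters are already bad on disk, the headings will ship garbled on every new page at once.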
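Review bot: In the `_explained/insider-threats.md` hunk, the Real-World Example has the administrator copying data *before* their last day, but the mitigation that maps to that scenario is not the "Revoke access immediately when an employee resigns" bullet (revocation at termination comes too late). The bullets that actually cover it are the monitoring one ("unusual patterns like large data downloads") and the DLP one; consider saying explicitly that monitoring should be heightened during a notice period, so the example and the list line up.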
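Review bot: In the `_explained/malware.md` hunk, the example ends with banking credentials captured by a keylogger and money stolen, yet the protection list has no bullet covering what limits the damage once credentials are taken. The `man-in-the-middle.md` file in this same patch closes with "Use MFA so that stolen credentials alone are not enough to access your accounts"; adding the parallel bullet here keeps the two pages consistent and gives the reader the control that directly addresses the example's outcome.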
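Review bot: In the `_explained/man-in-the-middle.md` hunk, the bullet "Use a VPN on public networks to encrypt your traffic end-to-end" is inaccurate: a VPN encrypts only between your device and the VPN provider's endpoint, not end-to-end to the site you are visiting. Suggest "Use a VPN on public networks so the hotspot operator cannot read or alter your traffic". Related, the Real-World Example has the attacker capturing bank credentials while the victim "never notice[s] anything is wrong"; with HTTPS that requires SSL stripping or a look-alike page, both of which the page itself names, so a clause such as "by downgrading the connection to HTTP" would make the example consistent with the HTTPS and certificate-warning bullets.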
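Review bot: In the `_explained/mfa-apps.md` hunk, the sentence "they still cannot log in without physically having your phone" overstates what TOTP gives you: a real-time phishing page can ask for the six-digit code and relay it to the real site inside the 30-second window. Since the page already contrasts app codes with SIM-swappable SMS, consider one sentence noting that authenticator codes can still be phished in real time, which is why the bullets should not read as "attacker is blocked" but as "attacker needs more than a leaked password". Also, "Setting up an app requires scanning a QR code" is not strictly true; enrollment also allows manual entry of the secret key, which matters for the backup-codes bullet.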
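Review bot: In the `_explained/network-segmentation.md` hunk, "Common segmentation approaches include VLANs" presents VLANs as a control on their own, but a VLAN only separates broadcast domains; if the router between VLANs has no filtering, traffic still flows freely between zones. The later bullet "Use a firewall or access control list between each segment to enforce the boundaries" is the real control, so tie the two together ("VLANs with firewall rules or ACLs between them") so a reader does not conclude that creating VLANs alone provides containment.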
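Review bot: In the `_explained/password-managers.md` hunk, the Real-World Example is wrapped in a blockquote (`> A database from a shopping website...`), while every other new file in this patch presents its Real-World Example as a plain paragraph. Drop the `>` so the section renders consistently across the collection.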
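Review bot: In the `_explained/patch-management.md` hunk, the Key Takeaways tell the reader both to "Enable automatic updates ... whenever possible" and to "Test patches in a staging environment before deploying to production systems in high-availability environments"; as written these pull in opposite directions and the second bullet repeats "environment". Suggest scoping them: automatic updates for endpoints, browsers and personal devices; staged testing for production servers where downtime is costly. The example's company that "delayed it for 'testing'" then reads as a warning about open-ended delay rather than against testing itself.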
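Review bot: In the `_explained/supply-chain-attacks.md` hunk, the bullet "Apply software updates from verified, official sources" contradicts the Real-World Example immediately above it, where the malicious code arrived through the vendor's own routine update, i.e. the official source. Either reword the bullet to what actually helps here (verify update signatures, stage vendor updates before broad rollout, and watch vendor advisories) or add a clause acknowledging that trusted channels can themselves be compromised, which is why the next bullet on detecting anomalous behavior matters.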
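Review bot: In the `_includes/header.liquid` hunk, the new back link is gated on `{% if page.collection == 'explained' %}`, but the front matter added to every `_explained/*.md` file in this patch sets `category: explained`, a different variable. `page.collection` is only populated when `explained` is declared as a Jekyll collection in `_config.yml`; please confirm that is the case, otherwise the link never renders and the condition should use `page.category` instead. Separately, the new `topic_type` and `icon` front-matter keys are set on every page, but nothing in the hunks shown consumes them; a pointer to where the layout reads them (and which icon set the names such as `ambulance`, `topology-ring` and `lock-exclamation` come from) would let a reviewer check that each name resolves.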