Glossary

Acronyms and frameworks used across the cs-graph, with cross-links.

A

AI Act

Regulation (EU) 2024/1689 — the EU's horizontal AI regulation. Art. 15 codifies the cybersecurity obligation for high-risk AI systems. cs-graph maps every ATLAS technique to the relevant AI Act article.

AI Act Art. 15

ATLAS

MITRE Adversarial Threat Landscape for AI Systems. The ATT&CK-style knowledge base for adversarial-ML techniques — 170 techniques across 16 tactics covering prompt injection, model poisoning, model evasion, model theft, and supply-chain compromise.

ATT&CK

MITRE Adversarial Tactics, Techniques, and Common Knowledge. The canonical catalogue of adversary behaviour — 14 tactics, ~200 techniques and ~400 sub-techniques in the Enterprise matrix. cs-graph mirrors the v14.1 STIX bundle.

C

CAPEC

MITRE Common Attack Pattern Enumeration and Classification. The offensive counterpart to CWE — 615 attack patterns with cross-walks to CWE (via Related_Weaknesses) and ATT&CK (via Taxonomy_Mappings).

CIS Controls

Center for Internet Security Critical Security Controls — 18 controls and 153 safeguards across v8. cs-graph maps Controls 1–8, 13, 16 and 18 in full.

Corroborator

The ODKE+ pipeline stage that converts evidence count into a confidence score. Deterministic curve: 1 → 0.65 · 2 → 0.80 · 3 → 0.95 · 4+ → 1.0. Primary catalogues bypass the curve at 1.0.

ODKE+ methodology

CRA

EU Cyber Resilience Act — Regulation (EU) 2024/2847. Imposes essential cybersecurity properties on products with digital elements, with reporting obligations within 24h for actively-exploited vulnerabilities.

CRA Art. 13

CVE

Common Vulnerabilities and Exposures. The canonical ID format for publicly known vulnerabilities. cs-graph ingests CVE entries from the NVD year feeds filtered to CVSS ≥ 8 or KEV-listed.

Vulnerability index

CVSS

Common Vulnerability Scoring System. The 0–10 severity score attached to CVEs. cs-graph uses CVSS v3.x baseScore + vector + exploitability/impact components.

CWE

MITRE Common Weakness Enumeration. The canonical catalogue of software weakness classes — 969 entries in CWE 4.20. cs-graph mirrors the full catalogue and maps each weakness to the techniques that exploit it.

Weakness index

D

D3FEND

MITRE's defensive-technique ontology. The defensive counterpart to ATT&CK — 271 defensive techniques across 6 tactics (Model, Harden, Detect, Isolate, Deceive, Evict, Restore) with cross-walks to the techniques they counter.

Defense index

DORA

EU Digital Operational Resilience Act — Regulation (EU) 2022/2554, in force 2025-01-17. Mandates ICT risk management, incident reporting, and annual penetration testing (Art. 24) plus threat-led pen testing (Art. 25) for EU financial entities.

DORA Art. 24

E

EPSS

Exploit Prediction Scoring System. A daily-updated probability (0.00–1.00) that a CVE will be exploited in the wild within the next 30 days. Published by FIRST.org. cs-graph enriches every Vulnerability node with the current score and percentile.

F

FIRST

Forum of Incident Response and Security Teams. Publisher of EPSS and the CVSS specification.

G

GDPR

General Data Protection Regulation — Regulation (EU) 2016/679. cs-graph maps Arts 5, 6, 25, 32, 33, 34 and 35 — the security-relevant subset.

GDPR Art. 32

Grounder

The ODKE+ pipeline stage that validates that every edge's `from` and `to` slugs resolve in the canonical node collection before promotion. Catches LLM-hallucinated IDs at the schema boundary.

GTFOBins

Curated catalogue of Unix binaries that can be abused to bypass local security restrictions — sudo, suid, file-read/write, shell escape, privilege escalation. 478 entries in the cs-graph mirror.

LOLbins index

H

HIBP

Have I Been Pwned. Troy Hunt's catalogue of disclosed data breaches. cs-graph mirrors 978 entries (filtered to exclude fabricated and spam-list entries) with pwn_count, data_classes, and breach metadata. No PII surfaced.

Breach index

I

IAP

Google Cloud Identity-Aware Proxy. The auth gate in front of kb.squr.ai — only `jorian@squr.ai` and `adam@squr.ai` reach the IAP-gated Cloud Run preview. The public kb.squr.ai launches once content review completes.

ISO 27001

ISO/IEC 27001:2022 — Information Security Management Systems. Annex A controls A.5.7, A.5.23 and the A.8 (Technological) subset are mega-mapped in cs-graph.

ISO 27701

ISO/IEC 27701:2019 — Privacy Information Management extensions to ISO 27001. cs-graph maps the controller-side controls (A.7.x) and processor-side controls (A.8.x).

J

Jaccard

Jaccard similarity. Set-overlap metric used on the framework crosswalk page (`/explore/crosswalk`): `|A ∩ B| / |A ∪ B|` over the ATT&CK technique sets each framework tests.

Crosswalk

K

KEV

CISA Known Exploited Vulnerabilities catalogue. The federally-maintained list of CVEs that have been actively exploited in the wild — 1,606 entries in the cs-graph mirror, refreshed weekly.

KEV explorer

L

LOLBAS

Living Off The Land Binaries, Scripts and Libraries. Catalogue of Windows binaries shipped with the OS that attackers abuse for stealth execution, persistence, and defence evasion. 234 entries in the cs-graph mirror.

LOLbins index

M

MISP

Open-source threat-intelligence platform. cs-graph imports the MISP-Galaxy Threat Actor cluster (CC0) — 994 actors with vendor-naming reconciliation (APT28 ↔ Fancy Bear ↔ STRONTIUM etc.).

Threat actor index

MITRE

MITRE Corporation — federally-funded research and development centre. Publishes ATT&CK, ATLAS, CAPEC, CWE, D3FEND, the STIX format, and the underlying methodologies cs-graph builds on.

N

NIS2

Network and Information Security Directive 2 — Directive (EU) 2022/2555. cs-graph maps the full Art. 21(2)(a)–(j) cybersecurity risk-management measure set.

NIST CSF

NIST Cybersecurity Framework 2.0. Six Functions (GOVERN · IDENTIFY · PROTECT · DETECT · RESPOND · RECOVER) with 22 Categories and ~106 Subcategories. cs-graph maps the Function level today.

NVD

NIST National Vulnerability Database. Authoritative CVE registry with CVSS scoring. cs-graph ingests the 2.0 year feeds for 2024–2026 filtered to CVSS ≥ 8 or KEV-listed.

O

ODKE+

Open-source Distillation of Knowledge graph Extraction — the pipeline architecture cs-graph borrows for its corroboration stages. Reference paper: arXiv 2509.04696. Stages: Initiator → Extractor → Grounder → Corroborator → Router.

Methodology

OWASP

Open Web Application Security Project. Publishes the Top 10 family (Web, API, LLM, ML, Mobile), the ASVS verification standard, the WSTG testing guide, and the LLM Application Security project. cs-graph maps OWASP Top 10 2021, LLM Top 10 2025, and API Top 10 2023.

P

PCI DSS

Payment Card Industry Data Security Standard, current v4.0. Twelve high-level requirements covering network security, access control, vulnerability management and pen testing. cs-graph maps all 12 requirements.

Predicate

The verb of a graph edge — `uses`, `mitigates`, `defends_against`, `exploits`, `compliance_tests_technique`, etc. cs-graph enforces a from-type → predicate → to-type invariant at the schema layer to catch mis-typed edges before they enter the graph.
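The Grounder, Corroborator and Predicate entries describe three checks applied at the schema boundary before an edge is promoted. The following is an added illustration of how those three fit together, not cs-graph's own code: the slug format, the node collection, the allowed predicate triples and the evidence counts are all constructed sample data, and only the confidence curve values come from this glossary.

```python
# Added illustration of the Grounder, predicate-invariant and Corroborator stages.
# Not cs-graph's own code; slugs, node types, predicate table and evidence counts are constructed.
from dataclasses import dataclass

# Constructed canonical node collection: slug -> node type.
NODES = {
    "attack.t1059": "technique",
    "cwe.cwe-79": "weakness",
    "d3fend.d3-nta": "defense",
    "capec.capec-63": "attack_pattern",
}

# Allowed (from-type, predicate, to-type) triples; a constructed subset of the invariant.
PREDICATE_SCHEMA = {
    ("attack_pattern", "exploits", "weakness"),
    ("technique", "exploits", "weakness"),
    ("defense", "defends_against", "technique"),
}
# Corroborator curve as stated in the glossary: evidence count -> confidence.
CURVE = {1: 0.65, 2: 0.80, 3: 0.95}

def confidence(evidence_count: int, primary: bool = False) -> float:
    """Primary catalogues bypass the curve; 4+ sources saturate at 1.0."""
    if primary:
        return 1.0
    if evidence_count < 1:
        return 0.0  # no evidence at all: nothing to promote
    return CURVE.get(evidence_count, 1.0)

@dataclass
class Edge:
    src: str
    predicate: str
    dst: str
    evidence: int = 0
    primary: bool = False

def ground(edge: Edge) -> list[str]:
    """Grounder plus predicate invariant: return schema violations (empty = OK)."""
    errors = [f"unresolved slug {s!r}" for s in (edge.src, edge.dst) if s not in NODES]
    if not errors:  # only type-check edges whose endpoints actually resolve
        triple = (NODES[edge.src], edge.predicate, NODES[edge.dst])
        if triple not in PREDICATE_SCHEMA:
            errors.append(f"type invariant violated: {triple}")
    return errors

def promote(edges: list[Edge]) -> dict[str, float]:
    """Keep only grounded, well-typed edges, tagged with corroborated confidence."""
    return {f"{e.src} -{e.predicate}-> {e.dst}": confidence(e.evidence, e.primary)
            for e in edges if not ground(e)}
```

An edge with a hallucinated slug is rejected before its predicate is even examined, so a plausible-looking predicate cannot smuggle an unknown node into the graph.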

S

SQUR

SQUR.ai — autonomous AI pentesting platform. €1,995 per scan, 24-hour turnaround, EU-only data. cs-graph is the corroborated knowledge base behind the SQUR.ai pentest agent.

squr.ai

STIX

Structured Threat Information eXpression. The JSON serialisation MITRE uses to distribute ATT&CK + ATLAS catalogues. cs-graph's import scripts parse the v2.1 STIX bundles.

T

TIBER-EU

Threat Intelligence-based Ethical Red Teaming — the ECB-mandated framework for advanced testing of EU financial entities. Aligns with DORA Art. 25 advanced testing requirements. Phases: Preparation · Testing · Closure.

V

Vertex AI

Google Cloud's AI platform. cs-graph uses Vertex Gemini 2.5 Flash for mega-mapping and grounded search, plus Vertex Vector Search for semantic similarity (when F6 ships).

Curated by Adam Lundqvist, Founder at SQUR. Reach out if a term you expected is missing.