Glossary
Every domain term we use in the UI, defined in plain English. If you see a term in the app that's not here, that's a docs bug — file it.
- Blast radius
- The set of resources that would be impacted (directly or transitively) by a change or failure of a given resource. VinTekh computes 1-hop (immediate dependents) and 2-hop (cascade) blast radii from the topology graph.
- CAASM
- Cyber Asset Attack Surface Management. A unified inventory of every cloud asset, normalised across providers.
- CIEM
- Cloud Infrastructure Entitlement Management. Continuous monitoring of effective permissions across cloud roles to find over-privileged identities.
- CNAPP
- Cloud-Native Application Protection Platform. Umbrella analyst category covering CSPM + CWPP + CIEM + DSPM + KSPM. VinTekh marks CNAPP as 'correlate' — we ingest Wiz/Prisma, never replace them.
- CSPM
- Cloud Security Posture Management. Continuous evaluation of cloud configuration against compliance and best practice.
- Confidence score
- 0-100 number attached to every AI recommendation. Below 60 the orchestrator hedges harder and surfaces more 'unknowns' explicitly.
- Container App
- Azure Container Apps — the serverless container hosting service VinTekh runs on. One Container App = one of our microservices (web, worker).
- Coverage level
- Per-capability grade for a service: native | partial | inferred | roadmap | unavailable. See /help/service-coverage.
- Defender for Cloud
- Microsoft's CSPM/CWPP product. VinTekh reads its assessments + secure score natively.
- DSPM
- Data Security Posture Management. Discover + classify + protect data at rest. VinTekh treats DSPM as 'correlate' — full classification is via Wiz.
- Entra ID
- Microsoft's cloud identity service (formerly Azure AD). VinTekh's sole IdP today; pluggable IdP framework is roadmap.
- Evidence ref
- Every fact in an AI summary carries a clickable evidence_ref pointing back to the raw data (KQL query, log line, finding ID) we read.
- Findings
- Security alerts / misconfigs from Defender, Wiz, or other security sources, normalised into one schema with framework mappings.
- Guardrail (Gx)
- Deterministic contract rule the LLM output must satisfy. G1: every recommendation declares ≥1 impact. G2: LLM cannot override the orchestrator's NSG tier. G3: SAFE_TO_REMOVE requires sufficient evidence. G4: Terraform snippets only at confidence ≥ 80. G5: every fact cites a real evidence_ref.
- IaC drift
- Difference between what your Infrastructure-as-Code says exists and what's actually deployed. Three kinds: missing-from-live, missing-from-iac, attribute-drift.
- IGA
- Identity Governance & Administration. Entitlement reviews + certifications. SailPoint / Saviynt own this; VinTekh ingests.
- Investigation
- Full evidence trail behind a single finding: topology pulled, AI reasoning, recommendations, comments, handoffs. Always anchored to a context (finding or resource).
- NSG
- Network Security Group. Azure's stateful firewall, attached at subnet or NIC level. Direction of evaluation: ingress flows hit the subnet NSG then the NIC NSG; allowed packets reach the resource.
- PAM
- Privileged Access Management. Session vaulting + audit for admin credentials. CyberArk / Delinea own this; VinTekh ingests session metadata.
- Playbook
- Specialised investigation routine for a specific resource kind or finding shape. VinTekh ships 12+ today: NSG broad source, AKS networking, App Service dependencies, Private Endpoint impact, Hybrid Worker, …
- Private Endpoint
- Azure construct giving a private IP inside your VNet that fronts a PaaS service (Storage, SQL, KV, etc.). VinTekh's privateEndpointImpact playbook validates the DNS chain end-to-end.
- Read-only model
- Constitutional rule that VinTekh never writes to a connected cloud. Enforced by CI guard + minimum-role credentials. See /help/read-only-model.
- Recommendation lifecycle
- open → acknowledged → in_progress → verified → resolved → suppressed. Every transition writes a status event row + fires webhooks.
- Resource Graph
- Azure's KQL-queryable inventory of every ARM resource. VinTekh's primary native discovery source for Azure.
- Source
- A connected cloud / identity / SaaS system VinTekh reads from. Examples: Azure, AWS, GCP, Kubernetes, Wiz, Defender, ServiceNow, Sentinel, Slack.
- Tenant
- A VinTekh-internal scope corresponding to a customer organisation. Tenant boundary enforcement (data isolation) is roadmap.
- Topology
- The graph of resource-to-resource relationships: NIC → Subnet, NSG protects Subnet, VNet peers VNet, PE depends on target, etc. Powers blast-radius computation.
- Wiz
- Cross-cloud CNAPP platform. VinTekh ingests Wiz findings + adds correlation across our own graph.