Key Concepts and Glossary

Key terms used throughout the Radiant Security platform and its documentation. Intended for security analysts, team leads, and administrators.

A

Artifact response action

A single-click or automated step within a case or workflow. Actions execute a response measure such as blocking access or isolating a device.

Account Notifications

Per-user settings that control which platform events trigger a notification. Configurable events include new alerts, case assignments, investigation completions, and scheduled activity reports.

Account Settings

The section of Settings where individual users configure personal preferences, including account notification subscriptions.

Action Connector

A connector that sends commands from Radiant back to a connected security tool. Action connectors are required to execute response actions from within a case.

AI Triage

The end-to-end pipeline by which Radiant receives and evaluates alerts and assigns a verdict.

AI Verdict

A machine-generated assessment of an alert displayed as a color-coded badge, such as Recommended Malicious or Recommended Benign. The verdict appears when the alert is opened.

Alert

A security alert generated by an external tool and ingested into Radiant. Each alert passes through the Radiant data pipeline - filtered, deduplicated, and triaged by AI - before appearing on the Alerts page.

Alert at a Glance

A structured summary panel on each alert that displays five fields: Focus, Source, Action, Target, and Vendor Response. The format is consistent across all connected tools regardless of the originating vendor.

Alert List

A list view of processed alerts that displays status, verdict, severity, and detection time. You can filter and search the feed by event type, time range, and other criteria.

Alert Filter

A rule that suppresses non-actionable or low-value alerts before they reach the triage pipeline. Alert filters are applied after ingestion and are defined using Quickwit syntax.

Allow List

A customer-managed list of entities that the platform treats as known and trusted. Categories include Trusted Domains, Trusted IPs, Trusted Senders, Shared Accounts, Public Object Storage, and Trusted Applications.

Anomaly Detection

The identification of activity that deviates significantly from an established baseline. The platform uses anomaly detection to flag unusual behavior and influence triage verdicts.

Artifact

A specific piece of evidence extracted from an alert, such as a URL, file, IP address, email attachment, or user identity. Artifacts are enriched and organized into named categories on each alert and case.

Assignment

The association of a specific analyst with a case. Assigning ownership prevents duplicate work and ensures every active threat has a named owner.

Audit Log

A specialized index within Log Management that records operations performed within the Radiant platform, such as response actions, configuration changes, and user management events. Audit logs are distinct from security alerts, which track detected external threats.

Auto Execute

A setting on a response action that removes the manual approval step and allows the action to run automatically when triggered from a workflow.

B

Benign

A verdict classification confirmed by the user indicating that an alert represents non-threatening activity. No response action is required for alerts classified as benign.

Bring Your Own Bucket (BYOB)

A storage configuration in which log data is stored in the customer's own AWS S3 bucket rather than Radiant-managed infrastructure. BYOB gives the customer full data ownership, custom retention control, and compliance flexibility. It is recommended for all production environments.

Business Email Compromise (BEC)

An attack type in which a malicious actor compromises or impersonates a business email account to commit fraud, steal data, or manipulate employees. Radiant includes dedicated triage workflows for BEC alerts.

C

Case

A centralized workspace that groups related alerts, artifacts, notes, and response actions for a single investigation. Cases are used for threats that require formal ownership, long-term tracking, and coordinated response.

Case Severity

A rating that indicates the potential impact of an alert or case. Valid severity levels are Critical, High, Medium, Low, and None. Severity can be assigned to cases manually to support prioritization.

Case Status

The lifecycle state of a case. Valid statuses are Open, Pending, False Positive, and Closed. Status is updated manually by the analyst as the investigation progresses.

Case Notes

Free-text and image entries added to a case by analysts to record findings, hypotheses, or hand-off context. Notes persist for the life of the case and are visible to all assigned team members.

Communication Tools

Integrations with Microsoft Teams and Slack that route workflow notifications and interactive approval requests to external collaboration platforms. Email notifications are enabled by default for all workflows and require no additional setup.

Conclusion

A paragraph written by the AI triage pipeline that summarizes what happened, what was investigated, and whether the alert represents a real threat. It appears at the top of the alert Overview tab.

Connector

An integration that links Radiant to a third-party security tool such as an EDR, SIEM, email gateway, firewall, or identity provider.

Context List

A collective term for customer-managed allow lists, deny lists, and other custom lists that modify triage logic to fit the specific environment. Context lists reduce false positives and ensure relevant threats are surfaced.

Custom Filter Rule

A customer-defined alert filter rule scoped to a specific Default Filter Rule. It is applied on top of the parent rule using an AND NOT operator to exclude specific alerts from the triage pipeline.

D

Data Connector

A connector that ingests security telemetry, alerts, event logs, and contextual data from a security vendor into Radiant for storage, correlation, enrichment, and triage.

Data Source

Any system or tool that sends security event data to Radiant. Common data sources include endpoint detection tools, firewalls, email security gateways, and identity platforms.

Drawer

A side panel that slides in from the right side of the screen to display detail for a selected alert, entity, artifact, or duplicate alert group. The drawer does not navigate away from the current page.

Deduplication

The process of grouping repeated or near-identical alerts under a single parent alert. The parent alert displays a tag showing the total number of grouped duplicates. You can review the full deduplication activity in the Duplicate Alerts Panel.

Deduplication Window

The time period during which incoming alerts that match defined criteria are grouped under an initial alert rather than surfaced as separate events. The default window is 3 days. You can contact your Customer Success representative to configure custom window durations.
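The grouping described in the Deduplication and Deduplication Window entries, as an added Python example (not Radiant's own code). It assumes that alerts match on a constructed `dedup_key` tuple and that the window is anchored on the initial (parent) alert; the data shapes and the 3-day default are taken from the entries above.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Default deduplication window stated in the glossary: 3 days.
DEFAULT_WINDOW = timedelta(days=3)


@dataclass(frozen=True)
class Alert:
    alert_id: str
    received_at: datetime
    dedup_key: tuple  # assumed matching criteria, e.g. (source, title, target)


@dataclass
class DuplicateGroup:
    parent: Alert          # the initial alert that is surfaced on the Alerts page
    duplicates: list       # later matching alerts grouped under the parent


def deduplicate(alerts, window=DEFAULT_WINDOW):
    """Group matching alerts received within `window` of an initial alert.

    Alerts are processed in arrival order. An alert whose key matches an open
    group, and which arrived no later than `window` after that group's parent,
    is folded into the group; otherwise it becomes the parent of a new group.
    The window is anchored on the parent (assumption), so a steady trickle of
    duplicates still produces a fresh parent every `window`.
    """
    groups = []
    open_groups = {}  # dedup_key -> currently open DuplicateGroup
    for alert in sorted(alerts, key=lambda a: a.received_at):
        group = open_groups.get(alert.dedup_key)
        if group is not None and alert.received_at - group.parent.received_at <= window:
            group.duplicates.append(alert)
        else:
            group = DuplicateGroup(parent=alert, duplicates=[])
            open_groups[alert.dedup_key] = group
            groups.append(group)
    return groups


def duplicate_count_tag(group):
    """Text of the count tag shown on a parent alert; empty when nothing was grouped."""
    n = len(group.duplicates)
    return f"{n} duplicates" if n else ""


# Constructed sample feed: one EDR detection repeating over several days, plus
# an unrelated identity alert. a4 arrives 4 days after a1, outside the window.
T0 = datetime(2024, 1, 1, 9, 0)
EDR_KEY = ("edr", "Suspicious PowerShell", "host-17")
SAMPLE_ALERTS = [
    Alert("a1", T0, EDR_KEY),
    Alert("a2", T0 + timedelta(days=1), EDR_KEY),
    Alert("a3", T0 + timedelta(days=2, hours=12), EDR_KEY),
    Alert("a4", T0 + timedelta(days=4), EDR_KEY),
    Alert("a5", T0 + timedelta(days=5), EDR_KEY),
    Alert("b1", T0 + timedelta(hours=2), ("idp", "Impossible travel", "jdoe")),
]

if __name__ == "__main__":
    for g in deduplicate(SAMPLE_ALERTS):
        print(g.parent.alert_id, duplicate_count_tag(g) or "(no duplicates)")
```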

Default Filter Rule

The base alert filter query created and maintained by Radiant that defines which alerts from a given connector are eligible for triage. Default rules cannot be modified or deleted. You can narrow their scope by adding a Custom Filter Rule.

Deny List

A customer-managed list of entities known to be malicious. Entries are flagged as bad during artifact enrichment and triage. Categories include Malicious Domains, Malicious IPs, and Malicious Senders. Deny list rules override allow list rules when both match the same entity.

Domain Monitoring

A configuration that enables Radiant to triage phishing emails targeting specific organizational domains. Domains are synchronized from the connected email provider and enabled individually.

Duplicate Alerts Panel

A side panel that displays the deduplication logic applied to a parent alert, a visual timeline of when duplicates were received, and the raw body of each grouped alert. You open it by clicking the duplicate count tag on an alert.

E

Email Forwarding

A method of delivering phishing reports and suspicious emails directly to Radiant for automated triage by routing them from a connected email platform. Supported sources include Microsoft 365, Google Workspace, Darktrace, KnowBe4, and Proofpoint.

Enrichment

The automatic retrieval of additional context about an artifact from threat intelligence, context lists, and other log sources. Examples include resolving whether an IP address is associated with malicious activity, a known proxy, or a specific geographic location.

Escalation

The act of promoting an alert to a case for formal investigation and response tracking. Escalation is used when an alert involves a confirmed threat or requires analysis beyond the initial triage.

F

False Positive

An alert that was flagged as suspicious but represents normal, expected activity. You can mark an alert as benign to record the correct verdict and provide feedback for future triage accuracy.

FQDN (Fully Qualified Domain Name)

A complete domain name that uniquely identifies a host, such as malware.badactor.com. FQDNs are extracted as artifacts from alerts and tracked across case investigations.

Filter Query

The exclusion query at the core of a Custom Filter Rule, written in Quickwit syntax, that defines which alerts within a connector's ingestion scope are suppressed from triage. You can test a Filter Query against historical data using the Test Rule button before applying it to the live pipeline.

Focus

The attacker's core goal or intent, giving analysts the "why" behind the alert immediately (e.g. Exploit a public-facing application to gain unauthorized system access).

G

Geolocation

The resolution of an IP address to a geographic location, including city and country. Geolocation is applied automatically during artifact enrichment and displayed in the artifact detail panel.

Grafana Plug-in

An optional integration that connects Radiant log data to Grafana dashboards. It lets you query and visualize log data outside the native Log Management interface.

I

Indicator of Compromise (IOC)

A piece of evidence - such as a file hash, IP address, or domain name - that indicates a system may have been attacked or breached. The platform checks artifacts against known IOC databases during enrichment.

Insights Dashboard

The main overview screen in Radiant. It displays a summary of recent alert activity, open cases, and key security metrics.

Interactive Action

A workflow step that presents a response action to an analyst as an approval button. Interactive actions require one-click interactions by a user. You can configure them to execute automatically using the Auto Execute setting in Workflows.

K

Key Findings

A scannable list of bullet points identifying the specific facts most directly supporting the AI verdict. Key Findings appear in the center panel of the alert Overview tab.

L

Likely Benign

A verdict classification assigned when insufficient evidence exists to make a definitive determination. Inconclusive alerts may be escalated for human review.

Log

A recorded entry of activity from a system or application. Radiant ingests, stores, and indexes logs from connected sources so they can be searched and queried during investigations.

Log Management

The platform module for storing, searching, and querying raw log data from connected sources. Log Management supports investigations, alert filter validation, and compliance reporting.

Log Search and Query

The capability to run structured queries against ingested log data. Log Management uses Quickwit syntax, which supports keyword search, field-specific filtering, Boolean logic, range queries, wildcards, and proximity searches.

M

Malicious

A verdict indicating that an alert represents a confirmed security threat. Malicious alerts are candidates for escalation to a case or immediate response action.

Multi-Factor Authentication (MFA)

An authentication requirement that users verify their identity using two or more methods at login. MFA enforcement is configured in Settings and can be applied to all users in a tenant.

N

Notification

An automated message sent to a user when a platform event occurs. Notification channels include email, Slack, and Microsoft Teams. Notification preferences are configured per user in User Settings.

Notification Template

A predefined message format used by workflows to generate consistent notifications for recurring event types, such as new alerts, case assignments, or investigation completions.

O

Organization Settings

The section of Settings that covers phishing configuration, security policies such as SSO and MFA enforcement, and user management.

Outgoing Webhook

A mechanism that delivers alert data, enrichment results, AI conclusions, and key findings from Radiant to an external system in real time.

Overview Tab

The default view when opening an alert. It displays the Alert at a Glance panel, Conclusion and Key Findings, and the Artifacts panel side by side. It is designed for rapid orientation and first-line verdict assessment.

P

Parsed Logs Index

The searchable index within Log Management that retains all ingested alerts regardless of their filtering status. Filtered alerts are stored here and remain available for forensic and compliance review.

Phishing

An attack type in which a deceptive email or link is used to trick a user into revealing credentials or installing malware. The phishing use case in Radiant requires an email connector and domain monitoring configuration.

Phishing Simulation

A controlled exercise in which fake phishing emails are sent to employees to test security awareness. You can configure Radiant to exclude known simulation vendors from triage so their test emails do not generate real alerts.

Pipeline

The ordered sequence of automated stages an alert passes through from initial ingestion to final verdict and response. See also: Radiant Data Pipeline.

Q

Quickwit Syntax

The query language used in Radiant's Log Management interface and alert filter rule definitions. It is similar to Lucene and supports field-specific searches, Boolean operators (AND, OR, NOT), range queries, and wildcard expressions.

R

Radiant Security Agent

A Docker-based collector installed on a host or VM. It listens on connector ports and sends compressed logs to Radiant's S3 environment.

Radiant Data Pipeline

The end-to-end automated sequence by which security data is ingested, filtered, deduplicated, enriched, and triaged before appearing on the Alerts page. See the Radiant Data Pipeline documentation for a full overview.

Radiant-Managed Storage

A storage configuration in which Radiant hosts and manages log data on the customer's behalf. Radiant-Managed Storage is intended for proof-of-concept and testing environments only.

Raw Alert

The unprocessed alert body as received from the vendor tool. It is accessible from within any triaged alert regardless of the originating source.

Recommended Benign

The benign outcome assigned to an alert after AI triage. This recommended state can be manually confirmed or denied by users of the platform.

Recommended Malicious

The malicious outcome assigned to an alert after AI triage. This recommended state can be manually confirmed or denied by users of the platform.

Response Action

A discrete remediation step taken to contain or resolve a threat. Examples include blocking an IP address, quarantining a device, disabling a user account, and deleting a malicious email. Response actions are executed from the case view and recorded in the audit log.

Retention

A setting that defines how long data in a specific Log Management index is kept. BYOB customers retain full ownership of their data, control their own retention policies, and are not dependent on Radiant's storage infrastructure.

Role

A set of permissions assigned to a user that governs which features and data they can access. All users invited to Radiant are assigned the Admin role by default.

Root Cause Analysis (RCA)

An investigation that identifies the original source or entry point of a security incident - for example, the process or user action that initiated a chain of malicious events.

S

Search

The query interface for locating alerts and cases. You can filter results by date, severity, verdict, entity type, and additional criteria.

Settings

The configuration area of the platform. From Settings, administrators manage users, configure connectors, define alert filters, create workflows, manage allow and deny lists, and control security policies including MFA, SSO, and phishing domain monitoring.

Shared Account

An email or account entry on an Allow List recognized as a legitimate shared or service account. Activity from shared accounts does not trigger impossible travel alerts.

Single Sign-On (SSO)

An authentication method that allows users to log in to Radiant using credentials from an external identity provider such as Microsoft Entra ID, Google, or Okta.

T

Target

An asset or resource that was affected or accessed - the "where" of the alert (e.g. AWS Security Group sg-3349180977d3f5545).

Task

An individual action item within a case or workflow. Tasks can be assigned to team members, set to require manual approval, or configured to execute automatically.

Telemetry

Raw event and activity data streamed from connected security tools such as EDRs, firewalls, identity platforms, and cloud services.

Tenant

A distinct organizational account within the platform. Each tenant has its own isolated data, users, connectors, settings, and configuration.

Threat Intelligence

Curated information about known threats, malicious actors, and attack techniques. The platform applies threat intelligence during artifact enrichment to assess the reputation of IPs, URLs, domains, and file hashes.

Triage

The automated process of evaluating an alert to determine whether it represents a real threat, benign activity, or an inconclusive result. Radiant performs triage using AI on every ingested alert.

Triage Outline

The complete set of tasks and questions that structured the AI investigation for a specific alert. It is viewable from the Triage Results tab and identifies every area the AI chose to investigate and why.

Triage Results Tab

The alert detail tab that displays every task executed, every finding produced, and every query run during an AI investigation. It is designed for L2 and L3 analysts who want to validate the reasoning behind a verdict.

Trusted Domain

A domain entry on an Allow List recognized as belonging to or approved by the organization. Emails and traffic from trusted domains bypass certain phishing detection checks.

Trusted IP

An IP address entry on an Allow List recognized as known or internal. Network connections from trusted IPs may be excluded from threat analysis.

Trusted Sender

An email address entry on an Allow List recognized as a legitimate sender. Emails from trusted senders bypass email security screening.

U

User Management

The Settings area for creating, editing, disabling, enabling, and deleting user accounts. You can disable a user to prevent login while preserving their account history and settings.

V

Verdict

The outcome assigned to an alert after AI triage. Verdicts are classified as Recommended Malicious, Recommended Benign, or Likely Benign (Inconclusive). Users can modify a verdict manually.

VIP User

A user designation that flags an account for enhanced monitoring and prioritized incident response. VIP status is assigned in Settings and all changes to VIP designations are recorded in the audit log.

W

Workflow

A configurable sequence of steps that automates how the platform handles notifications and response actions. A workflow consists of a trigger and one or more steps, which can be interactive tasks or directly executed actions.

Workflow Trigger

The event or condition that initiates a workflow, such as an alert reaching a specific verdict or a case being created. Each workflow has exactly one trigger.
