Concepts and glossary
The vocabulary Aether AI uses, from the adversary spectrum and validation to monitoring tiers and risk scoring, defined so any role can dip in.
Aether AI attacks a customer's own attack surface the way a real adversary would, then defends it continuously. That work leans on a small, precise vocabulary. This page defines the terms that recur across the product, so a security leader, a risk owner, an application security engineer, and a platform engineer can all read the same finding and mean the same thing.
The entries are short and definition-style. Skim to what you need. The most load-bearing ideas (the adversary spectrum, validation, and the monitoring tiers) come first, because most of the rest hangs off them.
The adversary spectrum
The core model. Every attack is not equal, so Aether AI measures a surface against two ends of a spectrum and is always explicit about which is which.
Conventional adversary
A commodity attacker working with generally-available tooling. This is the baseline threat that everyone faces. Aether AI validates it with the Conventional Attack Surface capability, which checks what such an attacker could exploit without brute force, state change, or data exfiltration.
Frontier adversary
An advanced, AI-driven attacker that chains weaknesses together, works through authentication, and finds novel and business-logic flaws that commodity tooling cannot reach. Aether AI validates this end with the Autonomous AI Pentest, where offensive AI reasoning is the differentiator. It is far heavier and slower than the conventional check and runs only against explicitly authorised scope.
Why the spectrum matters to leadership
"Are we exposed?" has two answers. The conventional baseline tells you what a commodity attacker can already do today. The frontier result tells you what a determined, well-resourced adversary can do. Reporting both, and labelling which is which, keeps a board conversation honest about risk instead of collapsing it into a single number.
Surface and exposure terms
Attack surface
Everything an attacker could reach. Aether AI discovers it from seeds (domains, subdomains, IPs, CIDRs, and keywords) and tracks asset types including domain, subdomain, IP, cloud resource, and person or identity. Provenance (the provider plus the account or scope id) is captured at ingest, so every asset carries where it came from.
Exposure
Something an attacker could see or use: an open port, an outdated technology version, a leaked credential, a reachable service. Exposure is a fact about the surface. It is not yet a judgement about whether it can be used against you. That judgement is validation.
Exploitability
Whether an exposure can actually be turned into an attack. A weakness that is present but not reachable, or reachable but not usable, is lower exploitability than one an attacker could act on now. Aether AI's job is to move findings from "this exists" to "this is exploitable, and here is by whom".
Validation
The act of confirming exploitability rather than assuming it. Aether AI validates continuously against the conventional end (Conventional Attack Surface) and, for authorised scope, against the frontier end (Autonomous AI Pentest). Validation is what separates a real finding from a theoretical one, and re-validation is what later confirms a fix or reopens a regression.
Relationship graph
A factual lens over the discovered surface that shows how assets connect. It is a way to read what has been found, not a separate source of truth.
Monitoring tiers
Aether AI meters cost per asset through a small, closed set of monitoring statuses. These are the only valid statuses, in order of depth.
Discovered
Aether AI has found the asset but nothing further has been decided about it.
Confirmed
The asset is acknowledged as in scope and belonging to the organisation.
Monitor
Passive monitoring. Aether AI runs Port Analysis (an open-ports inventory via a port sweep) and Technology Detection (a technology and version fingerprint). Both alert on change and feed the validation layer. Monitor watches, it does not attack.
Monitor Plus
Active exploitability validation on top of passive monitoring. This tier turns on Conventional Attack Surface for the asset, continuously checking what a commodity adversary could exploit. It is the tier where validation happens.
Ignored
The asset is set aside and no monitoring or validation runs against it.
Tiers control cost and depth
Tiers meter cost per asset, so the depth of work is a deliberate choice. Downgrading an asset (for example from Monitor Plus back to Monitor) stops the deeper work immediately. Nothing heavier than the current tier runs.
Offensive and intelligence terms
Conventional Attack Surface (CAS)
The Monitor Plus capability. Continuous, non-destructive validation of what a commodity adversary could exploit, using generally-available tooling (nuclei). It checks, it does not exploit: no brute force, no state change, no data exfiltration. Findings split into two bands, one for directly exploitable issues and one for weaknesses that ease an attack. A finding auto-resolves once re-validation no longer observes it. This is the commodity baseline, not the ceiling. See Conventional Attack Surface.
Autonomous AI Pentest
The frontier engine. Autonomous offensive agents that chain weaknesses, work through authentication, and find novel and business-logic flaws that commodity tooling cannot. It is heavier and slower than CAS and runs against explicitly authorised scope. See Autonomous AI Pentest.
Threat Radar
Continuous intelligence plugins correlated to the customer's surface, each producing a verdict card. Plugins include the Infostealer Monitor (compromised credentials from infostealer and stealer-log feeds) and CISA KEV Watch (known-exploited vulnerabilities), plus breach, ransomware, dark-web, and supply-chain monitors. See Threat Radar.
Shared intelligence
The observation that attackers succeed largely by reusing and sharing information: leaked credentials, breach data, infostealer logs, and known-exploited vulnerabilities. Aether AI's threat intelligence feeds are two-way. They surface exposure for defence (alerting) and are designed to enrich the offensive agents (ROADMAP), so validation reflects what an attacker already holds, not only technical weaknesses.
Risk and findings terms
Risk score
A 0 to 100 score for an asset, computed as a noisy-OR of per-finding severity probability over that asset's confirmed, live findings. It is source-agnostic across ASM and pentest. There is no confidence term and no blast-radius weighting, so Aether AI does not guess which assets are crown jewels. The score is explainable and drops back to nothing when findings are resolved. See Risk scoring.
Noisy-OR
The way Aether AI combines multiple findings into one asset score. Rather than adding severities, it treats each confirmed live finding as an independent chance of compromise and combines those chances. More findings, or more severe ones, raise the score, but a single asset does not run away past 100.
Risk Inbox
A single queue of findings across ASM and pentest, filterable by severity, source, and updated date. Source labels include "Aether ASM", "Plugin (Infostealer)", and "Plugin (Conventional Attack Surface)". See Risk Inbox.
Finding lifecycle
Findings move through a resolve, retest, and regression lifecycle. Each finding points at its source with evidence and a fix. Re-validation confirms a fix or reopens the finding on regression. @Aether is an in-finding assistant that walks a user through remediation. Automated remediation is a coming-soon affordance (ROADMAP). See Remediation.
Lineage vocabulary
These are older industry terms. Aether AI references them so its work maps onto language customers already use, but they are vocabulary, not the frame. The frame is the adversary spectrum.
ASM (Attack Surface Management)
The practice of discovering and tracking an organisation's assets, external and internal. Aether AI does this (discovery from seeds, asset types, provenance, the relationship graph), and "Aether ASM" appears as a source label on findings. It is a foundation, not the whole product.
CTEM (Continuous Threat Exposure Management)
An industry framing for continuously discovering, validating, and prioritising exposure. Aether AI's continuous discovery, validation across the adversary spectrum, and risk-scored prioritisation cover the same ground, so CTEM is a useful reference point when mapping Aether AI onto an existing programme.