From e905fcae7f8f171812387ba61cd38140682fc8d3 Mon Sep 17 00:00:00 2001
From: DeForest Richards <deforest.richards@datadoghq.com>
Date: Thu, 11 Jun 2026 16:15:19 -0600
Subject: [PATCH 1/2] Initial commit

---
 config/_default/menus/main.en.yaml            | 31 ++++++++++-------
 .../threat_protection/_index.md               | 34 +++++++++++++++++++
 layouts/partials/nav/left-nav.html            |  2 +-
 3 files changed, 53 insertions(+), 14 deletions(-)
 create mode 100644 content/en/security/application_security/threat_protection/_index.md

diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 1331c833030..1e3330dee04 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -8185,11 +8185,16 @@ menu:
       parent: application_security
       identifier: application_security_overview
       weight: 4
+    - name: Threat Protection
+      url: security/application_security/threat_protection/
+      parent: application_security
+      identifier: application_security_threat_protection
+      weight: 5
     - name: Security Signals
       url: security/application_security/security_signals
-      parent: application_security
+      parent: application_security_threat_protection
       identifier: application_security_security_signals
-      weight: 5
+      weight: 1
     - name: Attackers Explorer
       url: security/application_security/security_signals/attacker-explorer/
       parent: application_security_security_signals
@@ -8212,9 +8217,9 @@ menu:
       weight: 4
     - name: Policies
       url: security/application_security/policies/
-      parent: application_security
+      parent: application_security_threat_protection
       identifier: application_security_policies
-      weight: 6
+      weight: 2
     - name: Custom Rules
       url: security/application_security/policies/custom_rules/
       parent: application_security_policies
@@ -8237,24 +8242,24 @@ menu:
       weight: 4
     - name: Exploit Prevention
       url: security/application_security/exploit-prevention/
-      parent: application_security
+      parent: application_security_threat_protection
       identifier: exploit_prevention
-      weight: 7
+      weight: 3
     - name: WAF Integrations
       url: security/application_security/waf-integration/
-      parent: application_security
+      parent: application_security_threat_protection
       identifier: aws_waf_int
-      weight: 8
+      weight: 4
     - name: Account Takeover Protection
       url: security/application_security/account_takeover_protection/
-      parent: application_security
+      parent: application_security_threat_protection
       identifier: security_ato_protection
-      weight: 9
+      weight: 5
     - name: API Posture
       url: security/application_security/api_posture/
       parent: application_security
       identifier: application_security_api_security
-      weight: 10
+      weight: 6
     - name: API Inventory
       url: security/application_security/api_posture/api_inventory/
       parent: application_security_api_security
@@ -8289,12 +8294,12 @@ menu:
       url: security/application_security/guide/
       parent: application_security
       identifier: appsec_guides
-      weight: 11
+      weight: 7
     - name: Troubleshooting
       url: security/application_security/troubleshooting/
       parent: application_security
       identifier: appsec_troubleshooting
-      weight: 12
+      weight: 8
     - name: AI Guard
       url: /security/ai_guard/
       pre: siem
diff --git a/content/en/security/application_security/threat_protection/_index.md b/content/en/security/application_security/threat_protection/_index.md
new file mode 100644
index 00000000000..a5de9688b6e
--- /dev/null
+++ b/content/en/security/application_security/threat_protection/_index.md
@@ -0,0 +1,34 @@
+---
+title: Threat Protection
+description: Detect, investigate, and block application and API attacks in real time with Threat Protection in App and API Protection.
+further_reading:
+- link: "https://www.datadoghq.com/blog/datadog-exploit-prevention/"
+  tag: "Blog"
+  text: "Protect your applications from zero-day attacks with Datadog Exploit Prevention"
+---
+
+Use Threat Protection in [App and API Protection][1] (AAP) to detect attacks against your applications and APIs, investigate them, and block malicious traffic in real time.
+
+To get started, [set up AAP][2] on your services so they report security traces. AAP then detects threats from your live application traffic and lets you respond to them.
+
+## How Threat Protection works
+
+Threat Protection brings together several capabilities, all built on the same live application data. With them, you can:
+
+- Detect and investigate threats with [Security Signals][3]. Datadog creates a security signal when it detects a threat from a detection rule, so you can triage, filter, and investigate attacks in the Signals Explorer.
+- Block attacks and attackers with [Policies][4]. Block malicious IP addresses and users in real time from the Datadog UI, manually or through automated rules.
+- Stop exploit attempts in code with [Exploit Prevention][5]. Detect and block attempts to exploit vulnerabilities, including zero-day attacks, from within the running application.
+- Extend protection to the perimeter with [WAF Integrations][6]. Combine in-app protection with edge defenses such as AWS WAF for a defense-in-depth approach.
+- Defend user accounts with [Account Takeover Protection][7]. Detect and mitigate account takeover attacks, such as credential stuffing, and disable compromised users.
+
+## Further reading
+
+{{< partial name="whats-next/whats-next.html" >}}
+
+[1]: /security/application_security/
+[2]: /security/application_security/setup/
+[3]: /security/application_security/security_signals/
+[4]: /security/application_security/policies/
+[5]: /security/application_security/exploit-prevention/
+[6]: /security/application_security/waf-integration/
+[7]: /security/application_security/account_takeover_protection/
diff --git a/layouts/partials/nav/left-nav.html b/layouts/partials/nav/left-nav.html
index d82babd2756..99bc259e1e9 100644
--- a/layouts/partials/nav/left-nav.html
+++ b/layouts/partials/nav/left-nav.html
@@ -69,7 +69,7 @@
                                             <ul class="list-unstyled sub-menu {{ if not (in (slice "automatic_instrumentation" "custom_instrumentation" "dyninst" "single_step_apm" "auto_dd_libraries" "observability_pipelines_reference_processing_language" "observability_pipelines_vector_configuration" "cloud_cost_container_cost_allocation" "cloud_cost_saas_cost_integrations" "csm_setup_enterprise" "csm_setup_pro" "csm_setup_cloud_workload_security" "cspm_frameworks_benchmarks" "cspm_findings_explorer" "cws_workload_security_rules" "otel_integrations" "otel_collector_configuration" "rum_dashboards"
                                             "rum_browser_setup" "rum_browser" "rum_session_replay_browser" "rum_session_replay_mobile" "rum_mobile_android" "rum_mobile_ios" "rum_mobile_flutter" "rum_mobile_kotlin" "rum_mobile_react_native" "rum_mobile_roku" "rum_mobile_unity" "rum_correlate_with_other_telemetry_profiling" "pa_session_replay_mobile" "pa_session_replay_browser" "cloudcraft_api_aws_accounts" "cloudcraft_api_azure_accounts" "cloudcraft_api_blueprints" "cloudcraft_api_budgets" "cloudcraft_api_users" "appsec_enabling_single_step" "appsec_enabling_tracing_libraries" "synthetics_platform_dashboards" "synthetics_private_location" "synthetics_results_explorer" "ndm_netflow" "dashboards_ddsql_editor_reference" "application_security_software_composition_analysis_setup"
                                             "application_security_code_security_setup" "tracing_proxies" "appsec_threats_management_setup" "observability_pipelines_log_volume_control" "observability_pipelines_dual_ship_logs" "observability_pipelines_archive_logs" "observability_pipelines_split_logs" "observability_pipelines_sensitive_data_redaction" "observability_pipelines_log_enrichment" "observability_pipelines_install_the_worker" "csm_setup_agentless_scanning" "observability_pipelines_generate_metrics" "log_explorer_calculated_fields" "test_impact_analysis_setup" "dbm_setup_postgres_rds" "dbm_postgres_supabase" "sca_setup_runtime" "ndm_setup" "otel-setup-collector-exporter" "otel-setup-intake-endpoint" "otel_guides_migration" "otel-api-dd-sdk" "otel-setup-agent" "ide_plugins_idea" "ide_plugins_vscode" "agent_configuration_proxy"
-                                            "catalog_set_up" "catalog_entity_model" "asm_serverless" "otel-setup-ddot" "otel-setup-other" "cloud_siem_custom_detection_rules" "llm_obs_managed_evaluations" "llm_obs_external_evaluations" "cnm_analytics" "cloud_siem_open_cybersecurity_schema_framework" "infrastructure_livecontainers_explorer" "otel-dd-sdk-parent" "llm_obs_custom_llm_as_a_judge_evaluations" "ndm_profiles" "synthetics_notifications_template_variables" "dev_tool_int_mcp_server" "serverless_aws_lambda" "serverless_step_functions" "serverless_aws_fargate" "serverless_app_services" "serverless_container_apps" "serverless_azure_functions" "serverless_logic_apps" "serverless_gcr" "serverless_azure_database_messaging_services" "asm_api_security") .Identifier) }}d-none{{ end }}">
+                                            "catalog_set_up" "catalog_entity_model" "asm_serverless" "otel-setup-ddot" "otel-setup-other" "cloud_siem_custom_detection_rules" "llm_obs_managed_evaluations" "llm_obs_external_evaluations" "cnm_analytics" "cloud_siem_open_cybersecurity_schema_framework" "infrastructure_livecontainers_explorer" "otel-dd-sdk-parent" "llm_obs_custom_llm_as_a_judge_evaluations" "ndm_profiles" "synthetics_notifications_template_variables" "dev_tool_int_mcp_server" "serverless_aws_lambda" "serverless_step_functions" "serverless_aws_fargate" "serverless_app_services" "serverless_container_apps" "serverless_azure_functions" "serverless_logic_apps" "serverless_gcr" "serverless_azure_database_messaging_services" "asm_api_security" "application_security_security_signals" "application_security_policies") .Identifier) }}d-none{{ end }}">
 
                                             {{/*  LEVEL 4 */}}
                                             {{ range .Children }}

From 22c0305d7173d0245b4430c9a5959216205c1e5c Mon Sep 17 00:00:00 2001
From: DeForest Richards <deforest.richards@datadoghq.com>
Date: Thu, 11 Jun 2026 16:57:04 -0600
Subject: [PATCH 2/2] [DOCS-14642] Group Threat Protection docs under a
 dedicated section

---
 config/_default/menus/main.en.yaml            | 24 +++++++++----------
 content/en/glossary/terms/rasp.md             |  2 +-
 content/en/security/ai_guard/signals.md       |  2 +-
 .../security/application_security/_index.md   |  6 ++---
 .../api_posture/api_findings.md               |  2 +-
 .../api_inventory/api_endpoints.md            |  2 +-
 .../guide/manage_account_theft_appsec.md      |  6 ++---
 .../how-it-works/_index.md                    |  4 ++--
 .../setup/aws/waf/_index.md                   |  2 +-
 .../setup/compatibility/serverless.md         |  2 +-
 .../application_security/setup/envoy.md       |  2 +-
 .../setup/gcp/cloud-run/dotnet.md             |  2 +-
 .../setup/gcp/cloud-run/go.md                 |  2 +-
 .../setup/gcp/cloud-run/java.md               |  2 +-
 .../setup/gcp/cloud-run/nodejs.md             |  2 +-
 .../setup/gcp/cloud-run/php.md                |  2 +-
 .../setup/gcp/cloud-run/python.md             |  2 +-
 .../setup/gcp/cloud-run/ruby.md               |  2 +-
 .../setup/gcp/service-extensions.md           |  2 +-
 .../application_security/setup/go/sdk.md      |  4 ++--
 .../application_security/setup/haproxy.md     |  2 +-
 .../setup/kubernetes/envoy-gateway.md         |  2 +-
 .../setup/kubernetes/gateway-api.md           |  2 +-
 .../setup/kubernetes/gke.md                   |  2 +-
 .../setup/kubernetes/istio.md                 |  2 +-
 .../en/security/application_security/terms.md |  8 +++----
 .../threat_protection/_index.md               | 10 ++++----
 .../account_takeover_protection.md            |  3 ++-
 .../exploit-prevention.md                     |  3 ++-
 .../policies/_index.md                        |  5 ++--
 .../policies/custom_rules.md                  |  3 ++-
 .../policies/inapp_waf_rules.md               |  5 ++--
 .../policies/library_configuration.md         |  1 +
 .../security_signals/_index.md                |  7 +++---
 .../security_signals/attacker-explorer.md     |  3 ++-
 .../security_signals/attacker_clustering.md   | 11 +++++----
 .../security_signals/attacker_fingerprint.md  |  5 ++--
 .../security_signals/users_explorer.md        |  8 ++++---
 .../waf-integration.md                        |  1 +
 content/en/security/detection_rules/_index.md |  2 +-
 .../trace_collection/dd_libraries/go.md       |  4 ++--
 41 files changed, 88 insertions(+), 75 deletions(-)
 rename content/en/security/application_security/{ => threat_protection}/account_takeover_protection.md (98%)
 rename content/en/security/application_security/{ => threat_protection}/exploit-prevention.md (98%)
 rename content/en/security/application_security/{ => threat_protection}/policies/_index.md (98%)
 rename content/en/security/application_security/{ => threat_protection}/policies/custom_rules.md (98%)
 rename content/en/security/application_security/{ => threat_protection}/policies/inapp_waf_rules.md (97%)
 rename content/en/security/application_security/{ => threat_protection}/policies/library_configuration.md (98%)
 rename content/en/security/application_security/{ => threat_protection}/security_signals/_index.md (95%)
 rename content/en/security/application_security/{ => threat_protection}/security_signals/attacker-explorer.md (98%)
 rename content/en/security/application_security/{ => threat_protection}/security_signals/attacker_clustering.md (90%)
 rename content/en/security/application_security/{ => threat_protection}/security_signals/attacker_fingerprint.md (92%)
 rename content/en/security/application_security/{ => threat_protection}/security_signals/users_explorer.md (96%)
 rename content/en/security/application_security/{ => threat_protection}/waf-integration.md (98%)

diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index 1e3330dee04..c89852c9491 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -8191,37 +8191,37 @@ menu:
       identifier: application_security_threat_protection
       weight: 5
     - name: Security Signals
-      url: security/application_security/security_signals
+      url: security/application_security/threat_protection/security_signals
       parent: application_security_threat_protection
       identifier: application_security_security_signals
       weight: 1
     - name: Attackers Explorer
-      url: security/application_security/security_signals/attacker-explorer/
+      url: security/application_security/threat_protection/security_signals/attacker-explorer/
       parent: application_security_security_signals
       identifier: threats_attackers
       weight: 1
     - name: Attacker Fingerprint
-      url: security/application_security/security_signals/attacker_fingerprint/
+      url: security/application_security/threat_protection/security_signals/attacker_fingerprint/
       parent: application_security_security_signals
       identifier: threats_attacker_fingerprint
       weight: 2
     - name: Attacker Clustering
-      url: security/application_security/security_signals/attacker_clustering/
+      url: security/application_security/threat_protection/security_signals/attacker_clustering/
       parent: application_security_security_signals
       identifier: threats_attacker_clustering
       weight: 3
     - name: Users Explorer
-      url: security/application_security/security_signals/users_explorer/
+      url: security/application_security/threat_protection/security_signals/users_explorer/
       parent: application_security_security_signals
       identifier: threats_users
       weight: 4
     - name: Policies
-      url: security/application_security/policies/
+      url: security/application_security/threat_protection/policies/
       parent: application_security_threat_protection
       identifier: application_security_policies
       weight: 2
     - name: Custom Rules
-      url: security/application_security/policies/custom_rules/
+      url: security/application_security/threat_protection/policies/custom_rules/
       parent: application_security_policies
       identifier: application_security_policies_custom_rules
       weight: 1
@@ -8231,27 +8231,27 @@ menu:
       identifier: application_security_policies_ootb_rules
       weight: 2
     - name: In-App WAF Rules
-      url: security/application_security/policies/inapp_waf_rules/
+      url: security/application_security/threat_protection/policies/inapp_waf_rules/
       parent: application_security_policies
       identifier: application_security_policies_inappwaf_rules
       weight: 3
     - name: Tracing Library Configuration
-      url: security/application_security/policies/library_configuration/
+      url: security/application_security/threat_protection/policies/library_configuration/
       parent: application_security_policies
       identifier: application_security_policies_tracing_lib
       weight: 4
     - name: Exploit Prevention
-      url: security/application_security/exploit-prevention/
+      url: security/application_security/threat_protection/exploit-prevention/
       parent: application_security_threat_protection
       identifier: exploit_prevention
       weight: 3
     - name: WAF Integrations
-      url: security/application_security/waf-integration/
+      url: security/application_security/threat_protection/waf-integration/
       parent: application_security_threat_protection
       identifier: aws_waf_int
       weight: 4
     - name: Account Takeover Protection
-      url: security/application_security/account_takeover_protection/
+      url: security/application_security/threat_protection/account_takeover_protection/
       parent: application_security_threat_protection
       identifier: security_ato_protection
       weight: 5
diff --git a/content/en/glossary/terms/rasp.md b/content/en/glossary/terms/rasp.md
index 0443c5e655d..9f190059f7d 100644
--- a/content/en/glossary/terms/rasp.md
+++ b/content/en/glossary/terms/rasp.md
@@ -7,4 +7,4 @@ core_product:
 ---
 RASP is a security technology that detects and prevents attacks in real time.
 
-For more information about RASP, see the <a href='/security/application_security/exploit-prevention/'>App and API Protection documentation</a>.
+For more information about RASP, see the <a href='/security/application_security/threat_protection/exploit-prevention/'>App and API Protection documentation</a>.
diff --git a/content/en/security/ai_guard/signals.md b/content/en/security/ai_guard/signals.md
index 9183504533d..750f2c56860 100644
--- a/content/en/security/ai_guard/signals.md
+++ b/content/en/security/ai_guard/signals.md
@@ -138,7 +138,7 @@ Additionally, you can click **Explore in graph view** to see the requests in the
 
 {{< partial name="whats-next/whats-next.html" >}}
 
-[1]: /security/application_security/security_signals/
+[1]: /security/application_security/threat_protection/security_signals/
 [2]: https://app.datadoghq.com/security/ai-guard/settings/detection-rules
 [3]: /security/detection_rules/
 [4]: https://app.datadoghq.com/security/ai-guard/signals
diff --git a/content/en/security/application_security/_index.md b/content/en/security/application_security/_index.md
index 20388984477..92c4e6ba57a 100644
--- a/content/en/security/application_security/_index.md
+++ b/content/en/security/application_security/_index.md
@@ -134,8 +134,8 @@ For information on disabling AAP or its features, see the following:
 [10]: /security/application_security/troubleshooting/#disabling-aap
 [11]: /security/application_security/troubleshooting/#disabling-software-composition-analysis
 [12]: /security/application_security/troubleshooting/#disabling-code-security
-[13]: /security/application_security/exploit-prevention/#library-compatibility
-[14]: /security/application_security/exploit-prevention/
-[15]: /security/application_security/waf-integration/
+[13]: /security/application_security/threat_protection/exploit-prevention/#library-compatibility
+[14]: /security/application_security/threat_protection/exploit-prevention/
+[15]: /security/application_security/threat_protection/waf-integration/
 [16]: /security/application_security/setup/
 [17]: /security/application_security/api_posture/endpoint_scanning/
diff --git a/content/en/security/application_security/api_posture/api_findings.md b/content/en/security/application_security/api_posture/api_findings.md
index f4df2ac24a8..384345f6a1f 100644
--- a/content/en/security/application_security/api_posture/api_findings.md
+++ b/content/en/security/application_security/api_posture/api_findings.md
@@ -31,4 +31,4 @@ Click a finding to view its details and perform a workflow such as Validate > In
    - Use **Reference Links** for developer education or code review.
 
 [1]: https://app.datadoghq.com/security/appsec/inventory/finding
-[2]: /security/application_security/policies/custom_rules/
+[2]: /security/application_security/threat_protection/policies/custom_rules/
diff --git a/content/en/security/application_security/api_posture/api_inventory/api_endpoints.md b/content/en/security/application_security/api_posture/api_inventory/api_endpoints.md
index a228b124b09..800a52aa37b 100644
--- a/content/en/security/application_security/api_posture/api_inventory/api_endpoints.md
+++ b/content/en/security/application_security/api_posture/api_inventory/api_endpoints.md
@@ -198,6 +198,6 @@ Custom authentication detection is possible by configuring [Endpoint Tagging Rul
 [11]: /security/application_security/api_posture/endpoint_scanning/
 [12]: /integrations/guide/source-code-integration/
 [13]: /internal_developer_portal/catalog/entity_model/
-[14]: /security/application_security/policies/library_configuration/#configuring-a-client-ip-header
+[14]: /security/application_security/threat_protection/policies/library_configuration/#configuring-a-client-ip-header
 [15]: https://app.datadoghq.com/security/configuration/asm/trace-tagging
 [16]: /security/application_security/api_posture/sensitive_data/
diff --git a/content/en/security/application_security/guide/manage_account_theft_appsec.md b/content/en/security/application_security/guide/manage_account_theft_appsec.md
index f6b6b932c37..f1b6689132c 100644
--- a/content/en/security/application_security/guide/manage_account_theft_appsec.md
+++ b/content/en/security/application_security/guide/manage_account_theft_appsec.md
@@ -702,7 +702,7 @@ In this guide, you did the following:
 
 This is general guidance. Depending on your applications and environments, there might be a need for additional response strategies.
 
-[1]: /security/application_security/account_takeover_protection/
+[1]: /security/application_security/threat_protection/account_takeover_protection/
 [2]: https://app.datadoghq.com/services?query=service%3Auser-auth&env=%2A&fromUser=false&hostGroup=%2A&lens=Security&sort=-fave%2C-team&start=1735636008863&end=1735639608863
 [3]: /security/application_security/setup/compatibility/
 [4]: /remote_configuration
@@ -716,7 +716,7 @@ This is general guidance. Depending on your applications and environments, there
 [12]: https://app.datadoghq.com/organization-settings/remote-config?resource_type=agents
 [13]: /security/application_security/how-it-works/add-user-info/?tab=set_user#tracking-business-logic-information-without-modifying-the-code
 [14]: https://app.datadoghq.com/security/appsec/threat
-[15]: /security/application_security/account_takeover_protection/#attacker-strategies
+[15]: /security/application_security/threat_protection/account_takeover_protection/#attacker-strategies
 [16]: https://app.datadoghq.com/security/appsec/detection-rules?query=type%3Aapplication_security%20tag%3A%22category%3Aaccount_takeover%22&deprecated=hide&groupBy=none&sort=date&viz=rules
 [17]: /security/notifications/
 [18]: https://app.datadoghq.com/security/configuration/notification-rules/new?notificationData=
@@ -735,4 +735,4 @@ This is general guidance. Depending on your applications and environments, there
 [31]: /api/latest/spans/#aggregate-spans
 [32]: https://haveibeenpwned.com/
 [33]: https://app.datadoghq.com/security/appsec/in-app-waf?column=services-count&config_by=custom-rules
-[34]: /security/application_security/policies/inapp_waf_rules/
\ No newline at end of file
+[34]: /security/application_security/threat_protection/policies/inapp_waf_rules/
\ No newline at end of file
diff --git a/content/en/security/application_security/how-it-works/_index.md b/content/en/security/application_security/how-it-works/_index.md
index fe210c2c287..83dd47874a9 100644
--- a/content/en/security/application_security/how-it-works/_index.md
+++ b/content/en/security/application_security/how-it-works/_index.md
@@ -126,13 +126,13 @@ Datadog App and API Protection identifies Log4j Log4Shell attack payloads and pr
 [8]: /security/application_security/serverless/
 [9]: /tracing/trace_pipeline/trace_retention/
 [10]: /tracing/configure_data_security/?tab=http
-[11]: /security/application_security/policies/library_configuration/#exclude-specific-parameters-from-triggering-detections
+[11]: /security/application_security/threat_protection/policies/library_configuration/#exclude-specific-parameters-from-triggering-detections
 [12]: https://owasp.org/www-project-modsecurity-core-rule-set/
 [13]: /security/default_rules/?category=cat-application-security
 [14]: https://app.datadoghq.com/security/appsec/event-rules
 [15]: https://app.datadoghq.com/security/appsec/vm/library
 [16]: /security/cloud_siem/
-[17]: /security/application_security/policies/library_configuration/#data-security-considerations
+[17]: /security/application_security/threat_protection/policies/library_configuration/#data-security-considerations
 [26]: /agent/remote_config/#enabling-remote-configuration
 [27]: /internal_developer_portal/catalog/endpoints/
 [28]: /security/code_security/iast/
diff --git a/content/en/security/application_security/setup/aws/waf/_index.md b/content/en/security/application_security/setup/aws/waf/_index.md
index 4fb819a7b9e..e8e67f6b2f4 100644
--- a/content/en/security/application_security/setup/aws/waf/_index.md
+++ b/content/en/security/application_security/setup/aws/waf/_index.md
@@ -4,7 +4,7 @@ further_reading:
     - link: "/security/application_security/how-it-works/"
       tag: "Documentation"
       text: "How App and API Protection Works"
-    - link: "/security/application_security/waf-integration/"
+    - link: "/security/application_security/threat_protection/waf-integration/"
       tag: "Documentation"
       text: "Learn more about WAF Integrations"
     - link: "/security/application_security/troubleshooting"
diff --git a/content/en/security/application_security/setup/compatibility/serverless.md b/content/en/security/application_security/setup/compatibility/serverless.md
index fbb563c9339..f2538cd01ca 100644
--- a/content/en/security/application_security/setup/compatibility/serverless.md
+++ b/content/en/security/application_security/setup/compatibility/serverless.md
@@ -95,4 +95,4 @@ Only *web applications* are supported. Azure Functions are not supported.
 [3]: /serverless/guide/upgrade_java_instrumentation
 [4]: /serverless/guide/serverless_tracing_and_bundlers/
 [5]: /service_management/workflows/
-[6]: /security/application_security/policies/inapp_waf_rules/
+[6]: /security/application_security/threat_protection/policies/inapp_waf_rules/
diff --git a/content/en/security/application_security/setup/envoy.md b/content/en/security/application_security/setup/envoy.md
index c642b7e4e55..ce976f72764 100644
--- a/content/en/security/application_security/setup/envoy.md
+++ b/content/en/security/application_security/setup/envoy.md
@@ -175,5 +175,5 @@ For additional details on the Envoy integration compatibilities, refer to the [E
 [5]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout
 [6]: https://github.com/DataDog/dd-trace-go
 [7]: /tracing/trace_collection/library_config/go/
-[8]: /security/application_security/policies/library_configuration/
+[8]: /security/application_security/threat_protection/policies/library_configuration/
 [9]: /security/application_security/setup/compatibility/envoy
diff --git a/content/en/security/application_security/setup/gcp/cloud-run/dotnet.md b/content/en/security/application_security/setup/gcp/cloud-run/dotnet.md
index 93617eef5bb..c0609effafc 100644
--- a/content/en/security/application_security/setup/gcp/cloud-run/dotnet.md
+++ b/content/en/security/application_security/setup/gcp/cloud-run/dotnet.md
@@ -134,5 +134,5 @@ As long as your command to run is passed as an argument to `datadog-init`, you w
 [3]: https://app.datadoghq.com/security/appsec
 [4]: /security/application_security/serverless/compatibility
 [5]: /actions/workflows/
-[6]: /security/application_security/waf-integration/
+[6]: /security/application_security/threat_protection/waf-integration/
 [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
diff --git a/content/en/security/application_security/setup/gcp/cloud-run/go.md b/content/en/security/application_security/setup/gcp/cloud-run/go.md
index a5f4f0a3867..09cb9535090 100644
--- a/content/en/security/application_security/setup/gcp/cloud-run/go.md
+++ b/content/en/security/application_security/setup/gcp/cloud-run/go.md
@@ -108,5 +108,5 @@ As long as your command to run is passed as an argument to `datadog-init`, you w
 [3]: https://app.datadoghq.com/security/appsec
 [4]: /security/application_security/serverless/compatibility
 [5]: /actions/workflows/
-[6]: /security/application_security/waf-integration/
+[6]: /security/application_security/threat_protection/waf-integration/
 [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
diff --git a/content/en/security/application_security/setup/gcp/cloud-run/java.md b/content/en/security/application_security/setup/gcp/cloud-run/java.md
index 848a4f52659..834141dbf99 100644
--- a/content/en/security/application_security/setup/gcp/cloud-run/java.md
+++ b/content/en/security/application_security/setup/gcp/cloud-run/java.md
@@ -117,5 +117,5 @@ As long as your command to run is passed as an argument to `datadog-init`, you w
 [3]: https://app.datadoghq.com/security/appsec
 [4]: /security/application_security/serverless/compatibility
 [5]: /actions/workflows/
-[6]: /security/application_security/waf-integration/
+[6]: /security/application_security/threat_protection/waf-integration/
 [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
diff --git a/content/en/security/application_security/setup/gcp/cloud-run/nodejs.md b/content/en/security/application_security/setup/gcp/cloud-run/nodejs.md
index 05c2d221f52..ea2174dab81 100644
--- a/content/en/security/application_security/setup/gcp/cloud-run/nodejs.md
+++ b/content/en/security/application_security/setup/gcp/cloud-run/nodejs.md
@@ -122,5 +122,5 @@ As long as your command to run is passed as an argument to `datadog-init`, you w
 [3]: https://app.datadoghq.com/security/appsec
 [4]: /security/application_security/serverless/compatibility
 [5]: /actions/workflows/
-[6]: /security/application_security/waf-integration/
+[6]: /security/application_security/threat_protection/waf-integration/
 [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
diff --git a/content/en/security/application_security/setup/gcp/cloud-run/php.md b/content/en/security/application_security/setup/gcp/cloud-run/php.md
index cd4104f0ca0..87dedd09eea 100644
--- a/content/en/security/application_security/setup/gcp/cloud-run/php.md
+++ b/content/en/security/application_security/setup/gcp/cloud-run/php.md
@@ -151,5 +151,5 @@ As long as your command to run is passed as an argument to `datadog-init`, you w
 [3]: https://app.datadoghq.com/security/appsec
 [4]: /security/application_security/serverless/compatibility
 [5]: /actions/workflows/
-[6]: /security/application_security/waf-integration/
+[6]: /security/application_security/threat_protection/waf-integration/
 [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
diff --git a/content/en/security/application_security/setup/gcp/cloud-run/python.md b/content/en/security/application_security/setup/gcp/cloud-run/python.md
index d4e8b8eb510..a53087dc638 100644
--- a/content/en/security/application_security/setup/gcp/cloud-run/python.md
+++ b/content/en/security/application_security/setup/gcp/cloud-run/python.md
@@ -116,5 +116,5 @@ As long as your command to run is passed as an argument to `datadog-init`, you w
 [3]: https://app.datadoghq.com/security/appsec
 [4]: /security/application_security/serverless/compatibility
 [5]: /actions/workflows/
-[6]: /security/application_security/waf-integration/
+[6]: /security/application_security/threat_protection/waf-integration/
 [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
diff --git a/content/en/security/application_security/setup/gcp/cloud-run/ruby.md b/content/en/security/application_security/setup/gcp/cloud-run/ruby.md
index c638fe7cb3d..0d7ebfe4310 100644
--- a/content/en/security/application_security/setup/gcp/cloud-run/ruby.md
+++ b/content/en/security/application_security/setup/gcp/cloud-run/ruby.md
@@ -119,5 +119,5 @@ As long as your command to run is passed as an argument to `datadog-init`, you w
 [3]: https://app.datadoghq.com/security/appsec
 [4]: /security/application_security/serverless/compatibility
 [5]: /actions/workflows/
-[6]: /security/application_security/waf-integration/
+[6]: /security/application_security/threat_protection/waf-integration/
 [apm-lambda-tracing-setup]: https://docs.datadoghq.com/serverless/aws_lambda/distributed_tracing/
diff --git a/content/en/security/application_security/setup/gcp/service-extensions.md b/content/en/security/application_security/setup/gcp/service-extensions.md
index 0b51c8dc12b..756fa148ffb 100644
--- a/content/en/security/application_security/setup/gcp/service-extensions.md
+++ b/content/en/security/application_security/setup/gcp/service-extensions.md
@@ -524,5 +524,5 @@ For additional details on the GCP Service Extensions integration compatibilities
 [5]: https://cloud.google.com/service-extensions/docs/configure-traffic-extensions
 [6]: https://github.com/DataDog/dd-trace-go
 [7]: /tracing/trace_collection/library_config/go/
-[8]: /security/application_security/policies/library_configuration/
+[8]: /security/application_security/threat_protection/policies/library_configuration/
 [9]: /security/application_security/setup/compatibility/gcp-service-extensions
\ No newline at end of file
diff --git a/content/en/security/application_security/setup/go/sdk.md b/content/en/security/application_security/setup/go/sdk.md
index ea1fc887a46..cbc6852ef64 100644
--- a/content/en/security/application_security/setup/go/sdk.md
+++ b/content/en/security/application_security/setup/go/sdk.md
@@ -185,13 +185,13 @@ Key points:
 [2]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec
 [3]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec/events#BlockingSecurityEvent
 [4]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec/events#IsSecurityError
-[5]: /security/application_security/policies/#customize-protection-behavior
+[5]: /security/application_security/threat_protection/policies/#customize-protection-behavior
 [6]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#TrackUserLoginFailure
 [7]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#SetUser
 [8]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#MonitorParsedHTTPBody
 [9]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#MonitorHTTPResponseBody
 [10]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#TrackUserLoginSuccess
-[11]: /security/application_security/policies/custom_rules/#business-logic-abuse-detection-rule
+[11]: /security/application_security/threat_protection/policies/custom_rules/#business-logic-abuse-detection-rule
 [12]: https://github.com/DataDog/orchestrion
 [13]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/appsec#TrackCustomEvent
 [14]: /security/application_security/how-it-works/#built-in-protection
diff --git a/content/en/security/application_security/setup/haproxy.md b/content/en/security/application_security/setup/haproxy.md
index 77023c53980..c46580e95c3 100644
--- a/content/en/security/application_security/setup/haproxy.md
+++ b/content/en/security/application_security/setup/haproxy.md
@@ -166,7 +166,7 @@ For additional details on the HAProxy integration compatibilities, refer to the
 [4]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fhaproxy-spoa
 [5]: https://github.com/DataDog/dd-trace-go
 [6]: /tracing/trace_collection/library_config/go/
-[7]: /security/application_security/policies/library_configuration/
+[7]: /security/application_security/threat_protection/policies/library_configuration/
 [8]: https://github.com/DataDog/dd-trace-go/tree/main/contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/
 [9]: https://github.com/DataDog/dd-trace-go/blob/main/contrib/haproxy/stream-processing-offload/cmd/spoa/haproxyconf/CHANGELOG.md
 [10]: /security/application_security/setup/compatibility/haproxy
\ No newline at end of file
diff --git a/content/en/security/application_security/setup/kubernetes/envoy-gateway.md b/content/en/security/application_security/setup/kubernetes/envoy-gateway.md
index ae6621bc85d..5910ee4d51c 100644
--- a/content/en/security/application_security/setup/kubernetes/envoy-gateway.md
+++ b/content/en/security/application_security/setup/kubernetes/envoy-gateway.md
@@ -321,7 +321,7 @@ For additional details on the Envoy Gateway integration compatibilities, see the
 [6]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout
 [7]: https://github.com/DataDog/dd-trace-go
 [8]: /tracing/trace_collection/library_config/go/
-[9]: /security/application_security/policies/library_configuration/
+[9]: /security/application_security/threat_protection/policies/library_configuration/
 [10]: https://gateway-api.sigs.k8s.io/api-types/referencegrant/
 [11]: /security/application_security/setup/compatibility/envoy-gateway
 [12]: /security/application_security/
diff --git a/content/en/security/application_security/setup/kubernetes/gateway-api.md b/content/en/security/application_security/setup/kubernetes/gateway-api.md
index 732c7fe387c..0ca62ee8e4e 100644
--- a/content/en/security/application_security/setup/kubernetes/gateway-api.md
+++ b/content/en/security/application_security/setup/kubernetes/gateway-api.md
@@ -185,7 +185,7 @@ For finer-grained analysis and other AAP features, consider trying other AAP int
 [2]: /agent/remote_config/?tab=configurationyamlfile#enabling-remote-configuration
 [6]: https://github.com/DataDog/dd-trace-go
 [7]: /tracing/trace_collection/library_config/go/
-[8]: /security/application_security/policies/library_configuration/
+[8]: /security/application_security/threat_protection/policies/library_configuration/
 [9]: https://gateway-api.sigs.k8s.io/guides/#installing-gateway-api
 [10]: https://gateway-api.sigs.k8s.io/implementations
 [11]: https://go.dev/doc/install
diff --git a/content/en/security/application_security/setup/kubernetes/gke.md b/content/en/security/application_security/setup/kubernetes/gke.md
index cd48eeb5c04..a7445cc0e16 100644
--- a/content/en/security/application_security/setup/kubernetes/gke.md
+++ b/content/en/security/application_security/setup/kubernetes/gke.md
@@ -266,7 +266,7 @@ For additional details on the underlying compatibility, see the [GCP Service Ext
 [7]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout
 [8]: https://github.com/DataDog/dd-trace-go
 [9]: /tracing/trace_collection/library_config/go/
-[10]: /security/application_security/policies/library_configuration/
+[10]: /security/application_security/threat_protection/policies/library_configuration/
 [11]: https://cloud.google.com/kubernetes-engine/docs/how-to/configure-gateway-resources#configure_health_check
 [12]: https://cloud.google.com/kubernetes-engine/docs/how-to/configure-gke-service-extensions
 [13]: /security/application_security/setup/compatibility/gcp-service-extensions
diff --git a/content/en/security/application_security/setup/kubernetes/istio.md b/content/en/security/application_security/setup/kubernetes/istio.md
index 5cf06cb6071..a5774b251bc 100644
--- a/content/en/security/application_security/setup/kubernetes/istio.md
+++ b/content/en/security/application_security/setup/kubernetes/istio.md
@@ -482,7 +482,7 @@ For additional details on the Istio integration compatibilities, see the [Istio
 [6]: https://github.com/DataDog/dd-trace-go/pkgs/container/dd-trace-go%2Fservice-extensions-callout
 [7]: https://github.com/DataDog/dd-trace-go
 [8]: /tracing/trace_collection/library_config/go/
-[9]: /security/application_security/policies/library_configuration/
+[9]: /security/application_security/threat_protection/policies/library_configuration/
 [10]: https://www.envoyproxy.io/docs/envoy/latest/api-v3/extensions/filters/http/ext_proc/v3/ext_proc.proto
 [11]: /security/application_security/setup/compatibility/istio
 [12]: /containers/kubernetes/appsec/
diff --git a/content/en/security/application_security/terms.md b/content/en/security/application_security/terms.md
index f5dec9ed8f0..61ea2e0d30f 100644
--- a/content/en/security/application_security/terms.md
+++ b/content/en/security/application_security/terms.md
@@ -136,11 +136,11 @@ Object-Graph Navigation Language Injection (OGNLi)
 [8]: /remote_configuration
 [10]: /security/detection_rules/
 [11]: https://app.datadoghq.com/security/appsec/exclusions
-[12]: /security/application_security/policies/inapp_waf_rules/
+[12]: /security/application_security/threat_protection/policies/inapp_waf_rules/
 [13]: https://app.datadoghq.com/security/appsec/signals?query=%40workflow.rule.type%3A%22Application%20Security%22&view=signal
 [14]: /security/application_security/how-it-works/add-user-info/
 [15]: /security/application_security/how-it-works/trace_qualification/
 [16]: /security/application_security/how-it-works/threat-intelligence/
-[17]: /security/application_security/security_signals/attacker-explorer/
-[18]: /security/application_security/security_signals/attacker_fingerprint/
-[19]: /security/application_security/security_signals/attacker_clustering/
+[17]: /security/application_security/threat_protection/security_signals/attacker-explorer/
+[18]: /security/application_security/threat_protection/security_signals/attacker_fingerprint/
+[19]: /security/application_security/threat_protection/security_signals/attacker_clustering/
diff --git a/content/en/security/application_security/threat_protection/_index.md b/content/en/security/application_security/threat_protection/_index.md
index a5de9688b6e..896596023ed 100644
--- a/content/en/security/application_security/threat_protection/_index.md
+++ b/content/en/security/application_security/threat_protection/_index.md
@@ -27,8 +27,8 @@ Threat Protection brings together several capabilities, all built on the same li
 
 [1]: /security/application_security/
 [2]: /security/application_security/setup/
-[3]: /security/application_security/security_signals/
-[4]: /security/application_security/policies/
-[5]: /security/application_security/exploit-prevention/
-[6]: /security/application_security/waf-integration/
-[7]: /security/application_security/account_takeover_protection/
+[3]: /security/application_security/threat_protection/security_signals/
+[4]: /security/application_security/threat_protection/policies/
+[5]: /security/application_security/threat_protection/exploit-prevention/
+[6]: /security/application_security/threat_protection/waf-integration/
+[7]: /security/application_security/threat_protection/account_takeover_protection/
diff --git a/content/en/security/application_security/account_takeover_protection.md b/content/en/security/application_security/threat_protection/account_takeover_protection.md
similarity index 98%
rename from content/en/security/application_security/account_takeover_protection.md
rename to content/en/security/application_security/threat_protection/account_takeover_protection.md
index 46ec8cba722..feecdcdff29 100644
--- a/content/en/security/application_security/account_takeover_protection.md
+++ b/content/en/security/application_security/threat_protection/account_takeover_protection.md
@@ -2,6 +2,7 @@
 title: Account Takeover Protection
 disable_toc: false
 aliases:
+  - /security/application_security/account_takeover_protection/
   - /security/account_takeover_protection/
 further_reading:
 - link: "security/application_security/terms/"
@@ -78,7 +79,7 @@ The following user activity events are used for ATO tracking.
 
 Those enrichment need to hold a user identifier (unique to a user, numeric or otherwise) as `usr.id`. In the case of login failures, it also needs to know whether the user existed in the database or not (`usr.exists`). This helps identifying malicious activity that will regularly target missing accounts.
 
-<div class="alert alert-info">You can use the <a href="https://app.datadoghq.com/security/appsec/policies/in-app-waf?config_by=suggested-rules">Suggested Rules</a> feature to automatically analyze application traffic and propose rules to help monitor and protect login and API flows. See <a href="/security/application_security/policies/inapp_waf_rules/#suggested-rules">Suggested Rules.</a></div>
+<div class="alert alert-info">You can use the <a href="https://app.datadoghq.com/security/appsec/policies/in-app-waf?config_by=suggested-rules">Suggested Rules</a> feature to automatically analyze application traffic and propose rules to help monitor and protect login and API flows. See <a href="/security/application_security/threat_protection/policies/inapp_waf_rules/#suggested-rules">Suggested Rules.</a></div>
 
 For steps on enabling tracking for events that are not automatically instrumented, go to [User Monitoring and Protection][1].
 
diff --git a/content/en/security/application_security/exploit-prevention.md b/content/en/security/application_security/threat_protection/exploit-prevention.md
similarity index 98%
rename from content/en/security/application_security/exploit-prevention.md
rename to content/en/security/application_security/threat_protection/exploit-prevention.md
index 8f63a3f23de..6e947d04795 100644
--- a/content/en/security/application_security/exploit-prevention.md
+++ b/content/en/security/application_security/threat_protection/exploit-prevention.md
@@ -2,12 +2,13 @@
 title: Exploit Prevention
 disable_toc: false
 aliases:
+  - /security/application_security/exploit-prevention/
   - /security/application_security/threats/exploit-prevention
 further_reading:
 - link: "/security/application_security/"
   tag: "Documentation"
   text: "Protect against threats with Datadog App and API Protection"
-- link: "/security/application_security/policies/library_configuration/"
+- link: "/security/application_security/threat_protection/policies/library_configuration/"
   tag: "Documentation"
   text: "Other setup considerations and configuration options"
 - link: "https://www.datadoghq.com/blog/datadog-exploit-prevention/"
diff --git a/content/en/security/application_security/policies/_index.md b/content/en/security/application_security/threat_protection/policies/_index.md
similarity index 98%
rename from content/en/security/application_security/policies/_index.md
rename to content/en/security/application_security/threat_protection/policies/_index.md
index 9c6b4bd5b78..526709d49ee 100644
--- a/content/en/security/application_security/policies/_index.md
+++ b/content/en/security/application_security/threat_protection/policies/_index.md
@@ -1,6 +1,7 @@
 ---
 title: Policies
 aliases:
+  - /security/application_security/policies/
   - /security/application_security/threats/protection
 disable_toc: false
 ---
@@ -105,7 +106,7 @@ As important as it is for you to be able to apply protection granularly and redu
 [7]: https://app.datadoghq.com/security/appsec/denylist
 [8]: https://app.datadoghq.com/security/appsec/passlist
 [9]: https://app.datadoghq.com/security/appsec/in-app-waf
-[10]: /security/application_security/policies/inapp_waf_rules/
+[10]: /security/application_security/threat_protection/policies/inapp_waf_rules/
 [11]: https://app.datadoghq.com/security/appsec/traces
 [12]: /security/application_security/setup/compatibility/
 [14]: https://app.datadoghq.com/security/appsec/detection-rules
@@ -113,4 +114,4 @@ As important as it is for you to be able to apply protection granularly and redu
 [16]: https://app.datadoghq.com/security/appsec/in-app-waf?config_by=custom-responses
 [17]: https://docs.datadoghq.com/service_management/workflows/
 [18]: https://app.datadoghq.com/workflow/blueprints?selected_category=SECURITY
-[20]: /security/application_security/security_signals/
+[20]: /security/application_security/threat_protection/security_signals/
diff --git a/content/en/security/application_security/policies/custom_rules.md b/content/en/security/application_security/threat_protection/policies/custom_rules.md
similarity index 98%
rename from content/en/security/application_security/policies/custom_rules.md
rename to content/en/security/application_security/threat_protection/policies/custom_rules.md
index b372171727b..70c10123feb 100644
--- a/content/en/security/application_security/policies/custom_rules.md
+++ b/content/en/security/application_security/threat_protection/policies/custom_rules.md
@@ -1,6 +1,7 @@
 ---
 title: Custom Detection Rules
 aliases:
+  - /security/application_security/policies/custom_rules/
   - /security_platform/application_security/custom_rules
   - /security/application_security/custom_rules
   - /security/application_security/threats/attacker_fingerprint
@@ -8,7 +9,7 @@ further_reading:
 - link: "/security/application_security/"
   tag: "Documentation"
   text: "Protect against threats with Datadog App and API Protection"
-- link: "/security/application_security/policies/inapp_waf_rules/"
+- link: "/security/application_security/threat_protection/policies/inapp_waf_rules/"
   tag: "Documentation"
   text: "Creating In-App WAF rules"
 - link: "/security/application_security/troubleshooting"
diff --git a/content/en/security/application_security/policies/inapp_waf_rules.md b/content/en/security/application_security/threat_protection/policies/inapp_waf_rules.md
similarity index 97%
rename from content/en/security/application_security/policies/inapp_waf_rules.md
rename to content/en/security/application_security/threat_protection/policies/inapp_waf_rules.md
index 1624462c3a8..8e83f92e5b0 100644
--- a/content/en/security/application_security/policies/inapp_waf_rules.md
+++ b/content/en/security/application_security/threat_protection/policies/inapp_waf_rules.md
@@ -1,6 +1,7 @@
 ---
 title: In-App WAF Rules
 aliases:
+  - /security/application_security/policies/inapp_waf_rules/
   - /security_platform/application_security/event_rules
   - /security/application_security/event_rules
   - /security/application_security/threats/inapp_waf_rules
@@ -140,9 +141,9 @@ Services using a policy are visible directly in the policy management page.
 
 Next, [configure detection rules to create security signals][1] based on those security traces defined by the In-App WAF rules you created. You can modify the provided out-of-the-box AAP detection rules or create new ones.
 
-[1]: /security/application_security/policies/custom_rules/
+[1]: /security/application_security/threat_protection/policies/custom_rules/
 [2]: https://app.datadoghq.com/security/appsec/in-app-waf
 [3]: /security/application_security/setup/
 [4]: https://app.datadoghq.com/security/appsec/in-app-waf?config_by=custom-rules
 [5]: https://app.datadoghq.com/security/appsec/policies/in-app-waf?config_by=suggested-rules
-[6]: /security/application_security/account_takeover_protection/
\ No newline at end of file
+[6]: /security/application_security/threat_protection/account_takeover_protection/
\ No newline at end of file
diff --git a/content/en/security/application_security/policies/library_configuration.md b/content/en/security/application_security/threat_protection/policies/library_configuration.md
similarity index 98%
rename from content/en/security/application_security/policies/library_configuration.md
rename to content/en/security/application_security/threat_protection/policies/library_configuration.md
index b51d8a6d8de..43656f09e76 100644
--- a/content/en/security/application_security/policies/library_configuration.md
+++ b/content/en/security/application_security/threat_protection/policies/library_configuration.md
@@ -1,6 +1,7 @@
 ---
 title: Library Configuration
 aliases:
+  - /security/application_security/policies/library_configuration/
   - /security_platform/application_security/setup_and_configure
   - /security/application_security/setup_and_configure
   - /security/application_security/setup_and_configure
diff --git a/content/en/security/application_security/security_signals/_index.md b/content/en/security/application_security/threat_protection/security_signals/_index.md
similarity index 95%
rename from content/en/security/application_security/security_signals/_index.md
rename to content/en/security/application_security/threat_protection/security_signals/_index.md
index 8465f73f341..6033ee10685 100644
--- a/content/en/security/application_security/security_signals/_index.md
+++ b/content/en/security/application_security/threat_protection/security_signals/_index.md
@@ -1,12 +1,13 @@
 ---
 title: Investigate Security Signals
 aliases:
+  - /security/application_security/security_signals/
   - /security/application_security/threats/security_signals
 further_reading:
   - link: "/security/default_rules/?category=cat-application-security#cat-application-security"
     tag: "Documentation"
     text: "Explore AAP threat detection OOTB rules"
-  - link: "/security/application_security/policies/custom_rules/"
+  - link: "/security/application_security/threat_protection/policies/custom_rules/"
     tag: "Documentation"
     text: "Configure custom AAP threat detection rules"
   - link: "/security/application_security/how-it-works/threat-intelligence/"
@@ -157,5 +158,5 @@ To see all of the saved views, click **Views** next to the **Signals Explorer**
 [7]: https://app.datadoghq.com/security/appsec?
 [8]: /security/notifications/rules/
 [9]: /account_management/rbac/permissions/#cloud-security-platform
-[10]: /security/application_security/policies/#respond-to-threats-in-real-time-by-automating-attacker-blocking
-[11]: /security/application_security/policies/#blocking-attack-attempts-with-in-app-waf
+[10]: /security/application_security/threat_protection/policies/#respond-to-threats-in-real-time-by-automating-attacker-blocking
+[11]: /security/application_security/threat_protection/policies/#blocking-attack-attempts-with-in-app-waf
diff --git a/content/en/security/application_security/security_signals/attacker-explorer.md b/content/en/security/application_security/threat_protection/security_signals/attacker-explorer.md
similarity index 98%
rename from content/en/security/application_security/security_signals/attacker-explorer.md
rename to content/en/security/application_security/threat_protection/security_signals/attacker-explorer.md
index 7c0fb7143ac..bf54e493c43 100644
--- a/content/en/security/application_security/security_signals/attacker-explorer.md
+++ b/content/en/security/application_security/threat_protection/security_signals/attacker-explorer.md
@@ -2,9 +2,10 @@
 title: Attackers Explorer
 disable_toc: false
 aliases:
+  - /security/application_security/security_signals/attacker-explorer/
   - /security/application_security/threats/attacker-explorer
 further_reading:
-- link: "/security/application_security/policies"
+- link: "/security/application_security/threat_protection/policies"
   tag: "Documentation"
   text: "Protection"
 ---
diff --git a/content/en/security/application_security/security_signals/attacker_clustering.md b/content/en/security/application_security/threat_protection/security_signals/attacker_clustering.md
similarity index 90%
rename from content/en/security/application_security/security_signals/attacker_clustering.md
rename to content/en/security/application_security/threat_protection/security_signals/attacker_clustering.md
index dd22be99b07..ad65113f9b3 100644
--- a/content/en/security/application_security/security_signals/attacker_clustering.md
+++ b/content/en/security/application_security/threat_protection/security_signals/attacker_clustering.md
@@ -2,18 +2,19 @@
 title: Attacker Clustering
 disable_toc: false
 aliases:
+  - /security/application_security/security_signals/attacker_clustering/
   - /security/application_security/threats/attacker_clustering
 further_reading:
-- link: "/security/application_security/security_signals/attacker_fingerprint"
+- link: "/security/application_security/threat_protection/security_signals/attacker_fingerprint"
   tag: "Documentation"
   text: "Attacker Fingerprint"
 - link: "/security/application_security/how-it-works/threat-intelligence/"
   tag: "Documentation"
   text: "Threat Intelligence"
-- link: "/security/application_security/policies/inapp_waf_rules/"
+- link: "/security/application_security/threat_protection/policies/inapp_waf_rules/"
   tag: "Documentation"
   text: "In-App WAF Rules"
-- link: "/security/application_security/security_signals/"
+- link: "/security/application_security/threat_protection/security_signals/"
   tag: "Documentation"
   text: "Security Signals"
 - link: "https://www.datadoghq.com/blog/attacker-clustering/"
@@ -90,7 +91,7 @@ This manual approach allows you to create more targeted blocking rules when the
 {{< partial name="whats-next/whats-next.html" >}}
 
 [1]: /security/application_security/how-it-works/threat-intelligence/
-[2]: /security/application_security/security_signals/attacker_fingerprint
-[3]: /security/application_security/policies/inapp_waf_rules/
+[2]: /security/application_security/threat_protection/security_signals/attacker_fingerprint
+[3]: /security/application_security/threat_protection/policies/inapp_waf_rules/
 [4]: /security/workload_protection/security_signals/
 [5]: /tracing/trace_collection/library_config/
diff --git a/content/en/security/application_security/security_signals/attacker_fingerprint.md b/content/en/security/application_security/threat_protection/security_signals/attacker_fingerprint.md
similarity index 92%
rename from content/en/security/application_security/security_signals/attacker_fingerprint.md
rename to content/en/security/application_security/threat_protection/security_signals/attacker_fingerprint.md
index 53d5129e079..47b39266a16 100644
--- a/content/en/security/application_security/security_signals/attacker_fingerprint.md
+++ b/content/en/security/application_security/threat_protection/security_signals/attacker_fingerprint.md
@@ -2,9 +2,10 @@
 title: Attacker Fingerprint
 disable_toc: false
 aliases:
+  - /security/application_security/security_signals/attacker_fingerprint/
   - /security/application_security/threats/attacker_fingerprint
 further_reading:
-- link: "/security/application_security/security_signals/attacker_clustering"
+- link: "/security/application_security/threat_protection/security_signals/attacker_clustering"
   tag: "Documentation"
   text: "Attacker Clustering"
 ---
@@ -72,4 +73,4 @@ Attacker fingerprints are used in the [Attacker Clustering][1] feature. If a sig
 
 {{< partial name="whats-next/whats-next.html" >}}
 
-[1]: /security/application_security/security_signals/attacker_clustering
+[1]: /security/application_security/threat_protection/security_signals/attacker_clustering
diff --git a/content/en/security/application_security/security_signals/users_explorer.md b/content/en/security/application_security/threat_protection/security_signals/users_explorer.md
similarity index 96%
rename from content/en/security/application_security/security_signals/users_explorer.md
rename to content/en/security/application_security/threat_protection/security_signals/users_explorer.md
index 5194eaf8974..dd0b7ba5d5d 100644
--- a/content/en/security/application_security/security_signals/users_explorer.md
+++ b/content/en/security/application_security/threat_protection/security_signals/users_explorer.md
@@ -1,4 +1,6 @@
 ---
+aliases:
+  - /security/application_security/security_signals/users_explorer/
 title: Users Explorer
 disable_toc: false
 ---
@@ -168,11 +170,11 @@ Here are some investigation tips for comparing each datapoint across two (or mor
 
 
 [1]: https://app.datadoghq.com/security/appsec/users
-[2]: /security/application_security/policies/
+[2]: /security/application_security/threat_protection/policies/
 [3]: https://app.datadoghq.com/security/appsec/traces
-[4]: /security/application_security/security_signals/attacker-explorer/
+[4]: /security/application_security/threat_protection/security_signals/attacker-explorer/
 [5]: /security/threat_intelligence/#threat-intelligence-categories
-[6]: /security/application_security/policies/#denylist
+[6]: /security/application_security/threat_protection/policies/#denylist
 [7]: https://app.datadoghq.com/security/appsec/denylist
 [8]: /security/application_security/how-it-works/add-user-info/?tab=java#adding-authenticated-user-information-to-traces-and-enabling-user-blocking-capability
 [9]: https://app.datadoghq.com/security
diff --git a/content/en/security/application_security/waf-integration.md b/content/en/security/application_security/threat_protection/waf-integration.md
similarity index 98%
rename from content/en/security/application_security/waf-integration.md
rename to content/en/security/application_security/threat_protection/waf-integration.md
index 87a6ac7dbae..a60cd72d503 100644
--- a/content/en/security/application_security/waf-integration.md
+++ b/content/en/security/application_security/threat_protection/waf-integration.md
@@ -2,6 +2,7 @@
 title: WAF Integrations
 disable_toc: false
 aliases:
+  - /security/application_security/waf-integration/
   - /security/application_security/threats/waf-integration
 further_reading:
 - link: "https://www.datadoghq.com/blog/aws-waf-datadog/"
diff --git a/content/en/security/detection_rules/_index.md b/content/en/security/detection_rules/_index.md
index 459c5283899..08b89acde5e 100644
--- a/content/en/security/detection_rules/_index.md
+++ b/content/en/security/detection_rules/_index.md
@@ -207,7 +207,7 @@ The rule deprecation process is as follows:
 [9]: /agent/
 [10]: https://app.datadoghq.com/security/configuration/
 [11]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
-[12]: /security/application_security/policies/custom_rules/
+[12]: /security/application_security/threat_protection/policies/custom_rules/
 [13]: /security/cloud_security_management/misconfigurations/custom_rules
 [14]: /security/workload_protection/workload_security_rules?tab=host#create-custom-rules
 [15]: https://app.datadoghq.com/security/configuration/
diff --git a/content/en/tracing/trace_collection/dd_libraries/go.md b/content/en/tracing/trace_collection/dd_libraries/go.md
index 9a36dc65f0c..4942ed2c773 100644
--- a/content/en/tracing/trace_collection/dd_libraries/go.md
+++ b/content/en/tracing/trace_collection/dd_libraries/go.md
@@ -258,14 +258,14 @@ To troubleshoot builds that `orchestrion` manages, see [Troubleshooting Go Compi
 
 [4]: https://pkg.go.dev/github.com/DataDog/dd-trace-go/v2/ddtrace
 [6]: https://github.com/DataDog/orchestrion
-[7]: /security/application_security/exploit-prevention
+[7]: /security/application_security/threat_protection/exploit-prevention
 [8]: https://go.dev/doc/devel/release#policy
 [10]: https://pkg.go.dev/cmd/go#hdr-Modules__module_versions__and_more
 [11]: https://github.com/DataDog/orchestrion/releases
 [12]: /profiler
 [13]: /tracing/troubleshooting/go_compile_time/
 [14]: /getting_started/tagging/unified_service_tagging/
-[15]: /security/application_security/exploit-prevention/
+[15]: /security/application_security/threat_protection/exploit-prevention/
 [16]: /tracing/trace_collection/library_config/go/#traces
 [17]: https://github.com/DataDog/dd-trace-go/blob/main/orchestrion/all/orchestrion.tool.go
 [18]: /tracing/guide/orchestrion_dockerfile/