diff --git a/README.md b/README.md
index 5b58078..40ce38f 100644
--- a/README.md
+++ b/README.md
@@ -1,17 +1,50 @@
 ![Northwall cover](docs/northwall-cover.svg)
 
-Northwall is an Agentic SOC platform for teams that want multi-agent orchestration using graph-based understanding: custom team of multi-agent specialists, build a knowledge graph, vulnerability analysis & search loops, and GitHub integration.
-
-If you're looking to build a custom agentic SOC tool / platform for your organization, Northwall would be a good fit to start from; whether it is: 
-- Multi Agent Orchestration,
-- Agentic security operations,
-- SOC automation,
-- Alert triage,
-- Vulnerability / threat investigation,
-- Incident response automation,
-- Investigation graph,
-- Security work item creation, or
-- Human-in-the-loop (HITL) security operations.
+# Run AppSec missions with specialist AI agents
+
+Northwall orchestrates specialist AI agents across code, ownership, dependencies, and security context to turn AppSec risk into approved, owner-ready action.
+
+Most security tools hand leaders another queue. Scanners produce alerts, code review bots produce comments, and engineers still have to answer the hard operational questions: what is reachable, which owner should act, what evidence is strong enough, and what should the remediation work actually say?
+
+Northwall is an Agentic AppSec Orchestration product. It builds an application knowledge graph first, dispatches a governed team of security agents, runs safe parallel investigation loops, and keeps humans in control before work is sent to owners.
+
+GitHub is the first execution surface: source context, branch selection, code ownership, dependency evidence, and GitHub issue handoff. The same orchestration pattern is designed to extend to SIEM, EDR, cloud, identity, ticketing, and evidence storage without claiming those connectors as the default path today.
+
+## Core Flow
+
+```text
+Connect evidence source -> Build graph -> Approve agent mission -> Run parallel specialists -> Send owner handoffs
+```
+
+- GitHub OAuth for source context and approved remediation handoff
+- Repo, branch, package, route, auth, config, ownership, and CI inventory
+- AppSec knowledge graph across services, routes, owners, dependencies, controls, and work items
+- Specialist agents with named responsibilities before execution starts
+- Parallel MoE-style investigation across auth, dependency, ownership, config, CI, and threat context
+- Human approval before the mission runs and before work is sent to owners
+- Live Socket.IO event stream while agents execute
+- Owner handoffs with severity, confidence, evidence, remediation, verification notes, issue body, and labels
+
+## Why Northwall
+
+| Alternative | What it gives you | What Northwall adds |
+| --- | --- | --- |
+| Scanners | Findings, alerts, and severity queues | Governed agentic execution that turns evidence into owner-ready action |
+| AI code review bots | Comments on code changes | Application graph context, specialist agents, and approval-gated remediation handoff |
+| Manual AppSec triage | Expert judgment, but limited throughput | Parallel specialists that map, triage, verify, and draft work while analysts stay in control |
+
+## Agent Team
+
+Northwall plans the mission before execution so reviewers can see the team, task order, evidence goals, and approval notes.
+
+| Agent | Responsibility |
+| --- | --- |
+| System Cartographer | Builds the AppSec knowledge graph across repos, routes, packages, owners, controls, and CI. |
+| Auth Boundary Agent | Reviews auth, session, tenant, middleware, and permission-sensitive paths. |
+| Dependency Analyst | Checks package manifests, lockfiles, dependency exposure, and release risk. |
+| CI/Config Analyst | Reviews pipeline, runtime configuration, environment references, and guardrails. |
+| Response Handoff Agent | Converts evidence into owner-ready remediation work with verification steps. |
+| Human Review Agent | Keeps scope, approval, and risky actions behind explicit analyst control. |
 
 ## Demo
 
@@ -21,57 +54,41 @@ If you're looking to build a custom agentic SOC tool / platform for your organiz
 
 <video src="docs/northwall-agentic-soc-demo.mp4" controls width="100%"></video>
 
-### Connect a source
+### Connect an evidence source
 
 Pick a GitHub repo and branch. Northwall keeps provider tokens server-side.
 
 ![Northwall source selection](docs/screenshots/soc-source-selection.png)
 
-### Review the agent plan
+### Approve the agent plan
 
-Northwall builds source context first, then shows the investigation graph, agent team, task order, and approval notes before anything runs.
+Northwall builds AppSec graph context first, then shows the agent team, task order, evidence goals, and approval notes before anything runs.
 
 ![Northwall agent plan](docs/screenshots/agent-plan.png)
 
-### Watch the run
+### Watch the mission run
 
-The run log shows what agents are doing, which findings were created, and what evidence was used.
+The run log shows which specialist agents are executing, which evidence was used, and which owner handoffs were drafted.
 
-![Northwall live SOC run](docs/screenshots/live-soc-run.png)
+![Northwall live AppSec mission](docs/screenshots/live-soc-run.png)
 
 ### Send work to owners
 
-Findings are selected by the analyst, previewed as GitHub issues, and sent only after approval.
+Handoffs are selected by the analyst, previewed as GitHub issues, and sent only after approval.
 
-![Northwall findings handoff](docs/screenshots/findings-handoff.png)
+![Northwall owner handoff](docs/screenshots/findings-handoff.png)
 
 ### Mobile sign-in
 
 ![Northwall mobile login](docs/screenshots/login-mobile.png)
 
-## Core Flow
-
-```text
-Connect source -> Build context -> Review plan -> Approve run -> Review findings -> Create GitHub issues
-```
-
-- GitHub OAuth for repo context and issue creation
-- Repo, branch, package, route, auth, config, and CI inventory
-- Investigation graph across services, routes, owners, dependencies, and work items
-- Specialist agents with named responsibilities before the run starts
-- Human approval before response actions
-- Live Socket.IO event stream while agents work
-- Findings with severity, confidence, evidence, owner notes, issue body, and labels
-
-GitHub is the first connector. The same pattern can extend to SIEM, EDR, cloud, identity, ticketing, and evidence storage.
-
 ## How It Works
 
 The backend keeps source and model credentials server-side.
 
 When a user connects GitHub, Northwall stores the provider token through encrypted local persistence keyed by `TOKEN_ENCRYPTION_KEY`. The frontend only sees connection metadata: account, scopes, and connection time.
 
-When a run starts, the backend reads the selected repo through the GitHub API and inventories the files that usually matter during response:
+When a mission starts, the backend reads the selected repo through the GitHub API and inventories the files that usually matter during AppSec operations:
 
 - package manifests and lockfiles
 - API routes and handlers
@@ -80,15 +97,15 @@ When a run starts, the backend reads the selected repo through the GitHub API an
 - GitHub Actions and CI files
 - service ownership and work item context
 
-OpenAI GPT-5.5 runs on the backend. It turns the source inventory into an agent plan and owner handoff drafts. The prompts stay defensive: owned systems, concrete evidence, no third-party targets, no destructive actions, no exploit payloads.
+OpenAI GPT-5.5 runs on the backend. It turns the source inventory and AppSec graph into an agent plan and owner handoff drafts. The prompts stay defensive: owned systems, static/dependency analysis, concrete evidence, no third-party targets, no destructive actions, no exploit payloads.
 
 ## Packages
 
 | Package | Role |
 | --- | --- |
-| `@northwall/frontend` | Next.js app, source picker, investigation graph, plan approval, live run, findings table |
-| `@northwall/backend` | Hono API, GitHub integration, assessment worker, OpenAI planning, Socket.IO events |
-| `@northwall/shared` | Zod schemas for repos, runs, graphs, plans, findings, and issue payloads |
+| `@northwall/frontend` | Next.js app, source picker, AppSec graph, agent plan approval, live mission, owner handoff table |
+| `@northwall/backend` | Hono API, GitHub integration, mission worker, OpenAI planning, Socket.IO events |
+| `@northwall/shared` | Zod schemas for repos, runs, graphs, plans, handoffs, and issue payloads |
 | `@northwall/agent-runtime` | Agent runtime kept for deeper worker expansion |
 | `@northwall/agent-control` | Sandbox control service kept for future runtime checks |
 
@@ -171,15 +188,15 @@ Required environment:
 
 ## Safety Boundaries
 
-Northwall is for owned systems and authorized security operations work.
+Northwall is for owned systems and authorized AppSec work.
 
-It starts with safe triage, static context, dependency context, and owner handoff. It does not run third-party scanning, destructive tests, credential collection, persistence checks, or weaponized exploit output.
+It starts with safe source context, dependency context, graph building, agent planning, and owner handoff. It does not run third-party scanning, destructive tests, credential collection, persistence checks, or weaponized exploit output.
 
-The output is plain: what happened, why it matters, what evidence supports it, who owns it, and what work item should be created.
+The output is plain: what was found, why it matters, what evidence supports it, who owns it, and what work should be created.
 
 ## Work With Us
 
-We build products like this for teams that want agentic security operations without turning the SOC into a black box.
+We build products like this for teams that want agentic AppSec execution without turning remediation work into a black box.
 
 ![Inferensys](docs/inferensys.svg)
 
diff --git a/package.json b/package.json
index 6bc5ed2..a62526c 100644
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "northwall",
-  "description": "Agentic SOC platform for multi-agent security operations, alert triage, investigation graphs, and owner handoff.",
+  "description": "Agentic AppSec orchestration for specialist security agents, application knowledge graphs, and approved owner handoff.",
   "private": true,
   "workspaces": [
     "packages/shared",
diff --git a/packages/backend/src/services/assessment-manager.ts b/packages/backend/src/services/assessment-manager.ts
index 548269b..bc34acc 100644
--- a/packages/backend/src/services/assessment-manager.ts
+++ b/packages/backend/src/services/assessment-manager.ts
@@ -102,11 +102,11 @@ export class AssessmentManager {
     }
 
     this.setPhase(assessment, "understanding");
-    this.emit(id, "understanding_started", "Building investigation context from source, ownership, and security-sensitive surfaces");
+    this.emit(id, "understanding_started", "Building AppSec graph context from source, ownership, dependencies, and security-sensitive surfaces");
     const token = await this.requireToken(userId);
     const snapshot = await this.analyzer.analyze(token, assessment.repository, assessment.branch);
     this.applySnapshot(assessment, snapshot);
-    this.emit(id, "graph_updated", `Mapped ${snapshot.graph.nodes.length} investigation graph nodes from ${snapshot.inventory.files} files`, {
+    this.emit(id, "graph_updated", `Mapped ${snapshot.graph.nodes.length} AppSec graph nodes from ${snapshot.inventory.files} files`, {
       nodes: snapshot.graph.nodes.length,
       edges: snapshot.graph.edges.length,
     });
@@ -128,7 +128,7 @@ export class AssessmentManager {
     });
     assessment.plan = plan;
     this.setPhase(assessment, "plan_ready");
-    this.emit(id, "plan_ready", `Response plan ready with ${plan.agents.length} agents and ${plan.tasks.length} tasks`);
+    this.emit(id, "plan_ready", `Agent plan ready with ${plan.agents.length} specialists and ${plan.tasks.length} tasks`);
     await this.save(id);
     return assessment;
   }
@@ -140,7 +140,7 @@ export class AssessmentManager {
     }
 
     this.setPhase(assessment, "approved");
-    this.emit(id, "plan_approved", "SOC response plan approved for safe execution");
+    this.emit(id, "plan_approved", "AppSec agent plan approved for safe execution");
     await this.save(id);
     return assessment;
   }
@@ -152,7 +152,7 @@ export class AssessmentManager {
     }
 
     this.setPhase(assessment, "running");
-    this.emit(id, "run_started", "Starting agentic SOC run");
+    this.emit(id, "run_started", "Starting agentic AppSec mission");
 
     for (const agent of assessment.plan.agents) {
       agent.status = "working";
@@ -195,7 +195,7 @@ export class AssessmentManager {
   async createIssues(id: string, userId: string, findingIds: string[]): Promise<Assessment> {
     const assessment = this.requireOwnedAssessment(id, userId);
     if (assessment.phase !== "findings_ready" && assessment.phase !== "issues_created") {
-      throw new Error("Issues can only be created after findings are ready.");
+      throw new Error("Owner handoffs can only be sent after they are ready.");
     }
     if (findingIds.length === 0) throw new Error("Select at least one finding.");
 
diff --git a/packages/backend/src/services/github-client.ts b/packages/backend/src/services/github-client.ts
index 6026c04..3d7efa5 100644
--- a/packages/backend/src/services/github-client.ts
+++ b/packages/backend/src/services/github-client.ts
@@ -146,7 +146,7 @@ export class GitHubClient {
           headers: { "Content-Type": "application/json" },
           body: JSON.stringify({
             name: label,
-            color: label === "security-operations" || label === "agentic-soc" ? "051914" : label === "security" ? "d73a4a" : "0e8a16",
+            color: label === "appsec-orchestration" || label === "agentic-appsec" ? "051914" : label === "security" ? "d73a4a" : "0e8a16",
           }),
         });
       } catch {
diff --git a/packages/backend/src/services/mission-manager.ts b/packages/backend/src/services/mission-manager.ts
index cfe5b3d..734bc10 100644
--- a/packages/backend/src/services/mission-manager.ts
+++ b/packages/backend/src/services/mission-manager.ts
@@ -344,7 +344,7 @@ export class MissionManager {
     const activities = [
       { summary: "Confirmed owned application scope and safe AppSec limits", tool: "Read" },
       { summary: "Mapped target routes, auth boundaries, packages, and data stores", tool: "Task" },
-      { summary: "Prepared an agent assessment strategy with evidence requirements", tool: "Plan" },
+      { summary: "Prepared an agent mission strategy with evidence requirements", tool: "Plan" },
     ];
     for (const activity of activities) {
       const event: SessionEvent = {
@@ -361,7 +361,7 @@ export class MissionManager {
     }
 
     const text =
-      "I have enough context to plan this as an authorized AppSec assessment. I would map the system first, form a specialist security team, run safe code and dependency checks, verify only approved local routes, and turn high-confidence evidence into a remediation queue.";
+      "I have enough context to plan this as an authorized AppSec mission. I would map the graph first, form a specialist security team, run safe code and dependency checks, verify only approved local routes, and turn high-confidence evidence into owner handoffs.";
     const assistant: ChatMessage = {
       id: `msg-${nanoid(8)}`,
       sessionId: id,
@@ -475,7 +475,7 @@ export class MissionManager {
       const d = this.missions.get(id);
       if (!d) return;
       d.containerStatus = "running";
-      d.vncUrl = createDesktopPreviewUrl("Agent desktop live", "Assessment cockpit and local target app running at localhost:3000");
+      d.vncUrl = createDesktopPreviewUrl("Agent desktop live", "AppSec mission cockpit and local target app running at localhost:3000");
       this.emitEvent(id, "container_running", "Agent VM ready", { vncUrl: d.vncUrl });
       this.runSampleExecution(id);
     }, 900);
@@ -517,12 +517,12 @@ export class MissionManager {
     await fs.mkdir(path.join(workspace, "docs"), { recursive: true });
     await fs.writeFile(
       path.join(workspace, "README.md"),
-      `# AcmePay AppSec Assessment\n\nAssessment prompt:\n\n${prompt}\n\n## Delivered\n\n- System graph of routes, auth boundaries, dependencies, and data stores\n- Prioritized findings with evidence, owners, and verification steps\n- Safe local probe notes\n- Remediation handoff for engineering review\n`,
+      `# AcmePay AppSec Mission\n\nMission prompt:\n\n${prompt}\n\n## Delivered\n\n- AppSec graph of routes, auth boundaries, dependencies, and data stores\n- Prioritized owner handoffs with evidence, owners, and verification steps\n- Safe local probe notes\n- Remediation handoff for engineering review\n`,
       "utf-8",
     );
     await fs.writeFile(
-      path.join(workspace, "src", "components", "AssessmentCockpit.tsx"),
-      `export function AssessmentCockpit() {\n  return <main>Northwall assessment cockpit with findings, graph, and remediation queue</main>;\n}\n`,
+      path.join(workspace, "src", "components", "MissionCockpit.tsx"),
+      `export function MissionCockpit() {\n  return <main>Northwall AppSec mission cockpit with handoffs, graph, and remediation queue</main>;\n}\n`,
       "utf-8",
     );
     await fs.writeFile(
@@ -541,8 +541,8 @@ export class MissionManager {
       () => this.updateAgent(id, "auth-analyst", "working", "Reviewing session, tenant, and role boundaries"),
       () => this.completeTask(id, "t3", "auth-analyst", "Verified tenant export finding with safe local fixtures"),
       () => this.updateAgent(id, "runtime-verifier", "working", "Running approved local probes under scope rate limit"),
-      () => this.completeTask(id, "t4", "runtime-verifier", "Attached runtime evidence to webhook and session findings"),
-      () => this.updateAgent(id, "risk-reviewer", "working", "Ranking findings and writing remediation handoff"),
+      () => this.completeTask(id, "t4", "runtime-verifier", "Attached runtime evidence to webhook and session handoffs"),
+      () => this.updateAgent(id, "risk-reviewer", "working", "Ranking handoffs and writing remediation guidance"),
       () => this.completeTask(id, "t5", "risk-reviewer", "Prepared owner-ready remediation queue and verification steps"),
       () => this.finishSampleMission(id),
     ];
@@ -602,12 +602,12 @@ export class MissionManager {
     data.status = "completed";
     data.completedAt = Date.now();
     data.containerStatus = "running";
-    data.vncUrl = createDesktopPreviewUrl("Assessment completed", "Findings, evidence, and remediation notes are ready.");
+    data.vncUrl = createDesktopPreviewUrl("Mission completed", "Owner handoffs, evidence, and remediation notes are ready.");
     data.agents = data.agents.map((agent) => ({ ...agent, status: "completed", currentAction: null }));
-    this.emitEvent(id, "agent_message", "Delivered system graph, evidence-backed findings, and remediation handoff.", {
-      text: "Delivered system graph, evidence-backed findings, and remediation handoff.",
+    this.emitEvent(id, "agent_message", "Delivered AppSec graph, evidence-backed handoffs, and remediation guidance.", {
+      text: "Delivered AppSec graph, evidence-backed handoffs, and remediation guidance.",
     }, "orchestrator");
-    this.emitEvent(id, "session_completed", "Assessment completed");
+    this.emitEvent(id, "session_completed", "Mission completed");
     this.saveMission(id, true).catch((err) => console.error(`Save failed ${id}:`, err));
   }
 
@@ -960,9 +960,9 @@ function createPortfolioPlan(): MissionPlan {
   const now = Date.now();
   return {
     id: `plan-${nanoid(8)}`,
-    title: "AcmePay AppSec Assessment",
+    title: "AcmePay AppSec Mission",
     objective:
-      "Map the owned AcmePay SaaS application, run a safe AppSec assessment, and produce evidence-backed findings with remediation steps.",
+      "Map the owned AcmePay SaaS application, run a safe AppSec mission, and produce evidence-backed owner handoffs with remediation steps.",
     estimatedComplexity: "complex",
     createdAt: now,
     agents: [
@@ -971,7 +971,7 @@ function createPortfolioPlan(): MissionPlan {
         displayName: "System Cartographer",
         specialization: "Application graph mapping",
         description: "Maps routes, services, auth boundaries, data stores, packages, and integrations.",
-        prompt: "Create a system graph first. Identify trust boundaries and risky paths. Do not run destructive checks.",
+        prompt: "Create an AppSec graph first. Identify trust boundaries and risky paths. Do not run destructive checks.",
         tools: ["Read", "Glob", "Grep", "Write"],
         model: "sonnet",
       },
@@ -998,7 +998,7 @@ function createPortfolioPlan(): MissionPlan {
         displayName: "Runtime Verifier",
         specialization: "Safe local verification",
         description: "Runs approved local probes against in-scope routes and records runtime evidence.",
-        prompt: "Verify findings only against approved local targets under rate limits. Stop before side effects.",
+        prompt: "Verify handoffs only against approved local targets under rate limits. Stop before side effects.",
         tools: ["Read", "Bash", "Write"],
         model: "sonnet",
       },
@@ -1007,7 +1007,7 @@ function createPortfolioPlan(): MissionPlan {
         displayName: "Risk Reviewer",
         specialization: "Evidence and remediation triage",
         description: "Deduplicates weak signals, ranks risk, assigns owners, and writes verification steps.",
-        prompt: "Turn evidence into a prioritized remediation queue mapped to ASVS, CWE, and owner workflows.",
+        prompt: "Turn evidence into prioritized owner handoffs mapped to ASVS, CWE, and owner workflows.",
         tools: ["Read", "Write"],
         model: "sonnet",
       },
@@ -1015,7 +1015,7 @@ function createPortfolioPlan(): MissionPlan {
     tasks: [
       {
         id: "t1",
-        title: "Map system graph",
+        title: "Map AppSec graph",
         description: "Identify routes, services, packages, secrets, data stores, auth flows, and external integrations.",
         assignee: "system-cartographer",
         dependencies: [],
@@ -1047,8 +1047,8 @@ function createPortfolioPlan(): MissionPlan {
       },
       {
         id: "t5",
-        title: "Prioritize remediation queue",
-        description: "Deduplicate findings, map evidence to ASVS/CWE, assign owners, and write verification steps.",
+        title: "Prioritize owner handoffs",
+        description: "Deduplicate handoffs, map evidence to ASVS/CWE, assign owners, and write verification steps.",
         assignee: "risk-reviewer",
         dependencies: ["t3", "t4"],
         status: "pending",
@@ -1088,14 +1088,14 @@ function createDesktopPreviewUrl(title: string, subtitle: string): string {
         <p>${escapeHtml(subtitle)}</p>
         <div class="metric">
           <div class="card"><p>Graph confidence</p><div class="value">94%</div></div>
-          <div class="card"><p>Findings</p><div class="value">4</div></div>
+          <div class="card"><p>Handoffs</p><div class="value">4</div></div>
           <div class="card"><p>High confidence</p><div class="value">3</div></div>
           <div class="card"><p>Owners</p><div class="value">4</div></div>
         </div>
       </section>
       <section>
-        <h1>Live Assessment Preview</h1>
-        <p><code>npm run dev</code> completed. Findings, graph, and remediation queue are visible for review.</p>
+        <h1>Live Mission Preview</h1>
+        <p><code>npm run dev</code> completed. Handoffs, graph, and remediation queue are visible for review.</p>
         <div class="chart"></div>
       </section>
     </main>
diff --git a/packages/backend/src/services/openai-assessment.ts b/packages/backend/src/services/openai-assessment.ts
index 03b6f48..fc411b4 100644
--- a/packages/backend/src/services/openai-assessment.ts
+++ b/packages/backend/src/services/openai-assessment.ts
@@ -58,9 +58,9 @@ export class OpenAIAssessmentService {
     if (!this.client) return fallbackPlan(input);
 
     const prompt = [
-      "You are Northwall, a defensive Agentic SOC planning system for owned environments.",
+      "You are Northwall, a defensive Agentic AppSec orchestration system for owned environments.",
       "Return only JSON with keys: summary, agents, tasks, approvalNotes.",
-      "Treat the GitHub repository as one context source for a security operations run: code ownership, vulnerable paths, response handoff, and evidence.",
+      "Treat the GitHub repository as the first evidence source for an AppSec mission: code ownership, vulnerable paths, graph context, remediation handoff, and evidence.",
       "Keep all checks static, dependency, triage, and investigation oriented. Do not include exploit payloads, third-party scanning, credential collection, persistence, or destructive tests.",
       "Agents need id, name, title, focus, status. Tasks need id, title, agentId, dependsOn, status, evidence.",
       "",
@@ -85,11 +85,11 @@ export class OpenAIAssessmentService {
     if (!this.client) return fallbackFindings(input);
 
     const prompt = [
-      "You are Northwall, a defensive Agentic SOC evidence reviewer.",
-      "Given a repository inventory and investigation graph, produce security-operations findings only when evidence is concrete.",
+      "You are Northwall, a defensive Agentic AppSec evidence reviewer.",
+      "Given a repository inventory and AppSec knowledge graph, produce owner handoffs only when evidence is concrete.",
       "Return only JSON with key findings. Each finding needs id, title, severity, confidence, status, affectedNodes, evidence, impact, remediation, labels, issueTitle, issueBody.",
       "Evidence items need path, optional line, optional excerpt. Do not reveal secret values; describe config references without copying values.",
-      "Write findings as owner handoffs for alert triage, threat investigation, response planning, or remediation. Keep human approval in the loop.",
+      "Write findings as owner handoffs for AppSec triage, specialist investigation, response planning, or remediation. Keep human approval in the loop.",
       "",
       JSON.stringify(input, null, 2),
     ].join("\n");
@@ -111,7 +111,7 @@ export class OpenAIAssessmentService {
 function normalizePlan(plan: AssessmentPlan, input: PlanningInput): AssessmentPlan {
   if (!plan.agents?.length || !plan.tasks?.length) return fallbackPlan(input);
   return {
-    summary: plan.summary || `Run an Agentic SOC investigation on ${input.repo.fullName}: map context, triage risk, plan response, and prepare owner handoff.`,
+    summary: plan.summary || `Run an Agentic AppSec mission on ${input.repo.fullName}: map graph context, triage risk, plan specialist work, and prepare owner handoff.`,
     agents: plan.agents.map((agent) => ({
       ...agent,
       status: agent.status ?? "queued",
@@ -142,11 +142,11 @@ function normalizeFindings(findings: VulnerabilityFinding[], input: PlanningInpu
 
 function fallbackPlan(input: PlanningInput): AssessmentPlan {
   return {
-    summary: `Run an Agentic SOC investigation on ${input.repo.fullName} (${input.branch}): build context, triage risk, review sensitive paths, and prepare owner-ready work items.`,
+    summary: `Run an Agentic AppSec mission on ${input.repo.fullName} (${input.branch}): build graph context, triage risk, run specialist reviews, and prepare owner-ready work items.`,
     agents: [
-      { id: "cartographer", name: "Rhea", title: "Incident Cartographer", focus: "Map services, owners, auth boundaries, config, CI, and dependency surfaces.", status: "queued" },
-      { id: "triage-agent", name: "Kade", title: "Alert Triage Agent", focus: "Separate weak signals from issues that need investigation or owner action.", status: "queued" },
-      { id: "threat-investigator", name: "Mira", title: "Threat Investigator", focus: "Review sensitive paths, dependency context, and likely blast radius.", status: "queued" },
+      { id: "cartographer", name: "Rhea", title: "System Cartographer", focus: "Map services, owners, auth boundaries, config, CI, and dependency surfaces.", status: "queued" },
+      { id: "triage-agent", name: "Kade", title: "AppSec Triage Agent", focus: "Separate weak signals from issues that need investigation or owner action.", status: "queued" },
+      { id: "threat-investigator", name: "Mira", title: "Specialist Investigator", focus: "Review sensitive paths, dependency context, and likely blast radius.", status: "queued" },
       { id: "handoff-writer", name: "Nova", title: "Response Handoff Writer", focus: "Convert evidence into owner-ready work item drafts with verification steps.", status: "queued" },
     ],
     tasks: [
@@ -156,7 +156,7 @@ function fallbackPlan(input: PlanningInput): AssessmentPlan {
       { id: "t4", title: "Prepare owner handoff drafts", agentId: "handoff-writer", dependsOn: ["t2", "t3"], status: "queued", evidence: [] },
     ],
     approvalNotes: [
-      "Only safe triage, static, dependency, and owner-handoff checks will run.",
+      "Only safe graph building, static, dependency, and owner-handoff checks will run.",
       "No third-party hosts, destructive actions, credential collection, or exploit payload output.",
       "Human approval is required before creating work items.",
     ],
@@ -169,7 +169,7 @@ function fallbackFindings(input: PlanningInput): VulnerabilityFinding[] {
   if (input.inventory.authFiles.length > 0 && input.inventory.routes.length > 0) {
     findings.push({
       id: "BG-101",
-      title: "Auth-sensitive route belongs in the SOC response queue",
+      title: "Auth-sensitive route belongs in the AppSec owner queue",
       severity: "high",
       confidence: "medium",
       status: "open",
@@ -180,8 +180,8 @@ function fallbackFindings(input: PlanningInput): VulnerabilityFinding[] {
       ],
       impact: "The route and auth-sensitive code sit in the same request path; the owning team should confirm exposure before the case closes.",
       remediation: "Assign the owner, add tests for cross-tenant access, and verify every route derives tenant/workspace from the authenticated session.",
-      labels: ["soc", "backend"],
-      issueTitle: "[Northwall] SOC handoff: review auth-sensitive route ownership",
+      labels: ["appsec", "backend"],
+      issueTitle: "[Northwall] AppSec handoff: review auth-sensitive route ownership",
       issueBody: "",
     });
   }
@@ -189,7 +189,7 @@ function fallbackFindings(input: PlanningInput): VulnerabilityFinding[] {
   if (input.inventory.packageFiles.length > 0) {
     findings.push({
       id: "BG-102",
-      title: "Dependency signal needs SOC triage before release",
+      title: "Dependency signal needs AppSec triage before release",
       severity: input.inventory.dependencies.length > 50 ? "medium" : "low",
       confidence: "high",
       status: "open",
@@ -197,8 +197,8 @@ function fallbackFindings(input: PlanningInput): VulnerabilityFinding[] {
       evidence: input.inventory.packageFiles.map((file) => ({ path: file })).slice(0, 4),
       impact: "Deployable packages should be checked for known advisories and lockfile drift before the change moves into the incident path.",
       remediation: "Run dependency audit in CI, pin patched versions, and fail builds on known vulnerable production dependencies.",
-      labels: ["soc", "dependencies"],
-      issueTitle: "[Northwall] SOC handoff: review production dependency risk",
+      labels: ["appsec", "dependencies"],
+      issueTitle: "[Northwall] AppSec handoff: review production dependency risk",
       issueBody: "",
     });
   }
@@ -214,8 +214,8 @@ function fallbackFindings(input: PlanningInput): VulnerabilityFinding[] {
       evidence: input.inventory.configFiles.map((file) => ({ path: file })).slice(0, 4),
       impact: "Configuration and environment files define sensitive runtime behavior and can change the response path.",
       remediation: "Keep example env files value-free, enforce secret scanning in CI, and document required runtime secrets separately.",
-      labels: ["soc", "config"],
-      issueTitle: "[Northwall] SOC handoff: review runtime configuration",
+      labels: ["appsec", "config"],
+      issueTitle: "[Northwall] AppSec handoff: review runtime configuration",
       issueBody: "",
     });
   }
diff --git a/packages/frontend/src/app/layout.tsx b/packages/frontend/src/app/layout.tsx
index d74bbf7..d9ae30f 100644
--- a/packages/frontend/src/app/layout.tsx
+++ b/packages/frontend/src/app/layout.tsx
@@ -16,9 +16,47 @@ const brandMono = IBM_Plex_Mono({
 });
 
 export const metadata: Metadata = {
-  title: "Northwall — Agentic SOC platform",
+  title: {
+    default: "Northwall - Agentic AppSec Orchestration",
+    template: "%s | Northwall",
+  },
   description:
-    "Multi-agent security operations for alert triage, investigation graphs, response plans, and remediation work items.",
+    "Northwall runs AppSec missions with specialist AI agents, parallel MoE orchestration, application security knowledge graphs, human approval gates, and owner-ready remediation handoff.",
+  keywords: [
+    "agentic AppSec orchestration",
+    "AI application security",
+    "multi-agent security",
+    "AppSec knowledge graph",
+    "parallel security agents",
+    "MoE agents",
+    "AI code security",
+    "application security automation",
+    "security remediation workflow",
+    "owner-ready remediation",
+    "GitHub security review",
+    "dependency reachability",
+    "CI/CD security",
+    "OWASP ASVS",
+    "CWE",
+    "CVSS",
+    "EPSS",
+    "SBOM",
+    "SAST",
+    "SCA",
+  ],
+  openGraph: {
+    title: "Northwall - Agentic AppSec Orchestration",
+    description:
+      "Build an AppSec knowledge graph, dispatch parallel specialist AI agents, approve governed missions, and send owner-ready remediation work.",
+    siteName: "Northwall",
+    type: "website",
+  },
+  twitter: {
+    card: "summary",
+    title: "Northwall - Agentic AppSec Orchestration",
+    description:
+      "Specialist AI agents, AppSec knowledge graphs, parallel investigation, human approval, and owner-ready remediation handoff.",
+  },
   icons: [{ rel: "icon", url: "/favicon.svg", type: "image/svg+xml" }],
 };
 
diff --git a/packages/frontend/src/app/login/page.tsx b/packages/frontend/src/app/login/page.tsx
index 833a1da..6c92c98 100644
--- a/packages/frontend/src/app/login/page.tsx
+++ b/packages/frontend/src/app/login/page.tsx
@@ -25,14 +25,14 @@ export default async function LoginPage() {
             <NorthwallLogo className="text-2xl" />
           </div>
           <h1 className="max-w-2xl text-4xl font-semibold tracking-normal text-[#051914]">
-            Agentic SOC, starting with real context.
+            Agentic AppSec orchestration, starting with real source context.
           </h1>
           <p className="mt-4 max-w-xl text-base leading-7 text-[#31413b]">
-            Northwall brings agents into security operations: triage alerts, build the investigation graph, draft the response plan, and send the work to the right owner.
+            Northwall builds an AppSec graph, dispatches specialist agents across code and ownership context, and sends approved remediation work to the right owner.
           </p>
           <div className="mt-8 grid max-w-2xl gap-3 text-sm text-[#31413b] sm:grid-cols-3">
-            <div className="rounded-md border border-[#d9ded7] bg-white p-4">SOC triage</div>
-            <div className="rounded-md border border-[#d9ded7] bg-white p-4">Agent graph</div>
+            <div className="rounded-md border border-[#d9ded7] bg-white p-4">Agent missions</div>
+            <div className="rounded-md border border-[#d9ded7] bg-white p-4">AppSec graph</div>
             <div className="rounded-md border border-[#d9ded7] bg-white p-4">Owner handoff</div>
           </div>
         </section>
@@ -41,7 +41,7 @@ export default async function LoginPage() {
           <div className="mb-6">
             <h2 className="text-xl font-semibold text-[#051914]">Sign in</h2>
             <p className="mt-1 text-sm text-[#77827d]">
-              GitHub is the first connector for code context and remediation work items.
+              GitHub is the first connector for source context and approved remediation work.
             </p>
           </div>
           <LoginButton />
diff --git a/packages/frontend/src/app/page.tsx b/packages/frontend/src/app/page.tsx
index f092a4a..b5932a5 100644
--- a/packages/frontend/src/app/page.tsx
+++ b/packages/frontend/src/app/page.tsx
@@ -1,16 +1,290 @@
 import Link from "next/link";
-import { ArrowUpRight } from "lucide-react";
+import type { LucideIcon } from "lucide-react";
+import {
+  ArrowRight,
+  ArrowUpRight,
+  Braces,
+  BrainCircuit,
+  CheckCircle2,
+  GitBranch,
+  LockKeyhole,
+  Network,
+  PackageCheck,
+  Route,
+  SearchCheck,
+  Settings2,
+  ShieldCheck,
+  Split,
+  UserCheck,
+  Workflow,
+} from "lucide-react";
 import { NorthwallLogo, NorthwallMark } from "@/components/logo";
 
-const steps = [
-  ["01", "Connect source", "GitHub repo, branch, owners, CI, and package context."],
-  ["02", "Review plan", "Agent team, task order, evidence goals, and approval notes."],
-  ["03", "Create issues", "Approved findings become owner-ready GitHub work items."],
+type Step = {
+  number: string;
+  title: string;
+  body: string;
+  icon: LucideIcon;
+};
+
+type Detail = {
+  title: string;
+  body: string;
+  icon?: LucideIcon;
+};
+
+const steps: Step[] = [
+  {
+    number: "01",
+    title: "Connect GitHub context",
+    body: "Start with a repo, branch, owners, routes, packages, auth boundaries, config, and CI/CD evidence.",
+    icon: GitBranch,
+  },
+  {
+    number: "02",
+    title: "Build the AppSec graph",
+    body: "Map services, files, dependencies, routes, controls, owners, risks, and remediation work as linked context.",
+    icon: Network,
+  },
+  {
+    number: "03",
+    title: "Approve the agent mission",
+    body: "Review the agent team, task DAG, evidence goals, policy limits, and approval notes before execution starts.",
+    icon: Workflow,
+  },
+  {
+    number: "04",
+    title: "Run parallel specialists",
+    body: "Dispatch MoE-style agents for auth, dependencies, ownership, config, CI, and threat context in parallel.",
+    icon: Split,
+  },
+  {
+    number: "05",
+    title: "Send owner handoffs",
+    body: "Turn approved evidence into concise remediation work with owner context, verification steps, and GitHub handoff.",
+    icon: CheckCircle2,
+  },
+];
+
+const missionMetrics = [
+  ["Context", "Repo, branch, owners, routes, packages"],
+  ["Planner", "Task DAG, approval gates, evidence goals"],
+  ["Specialists", "Auth, dependency, config, CI/CD, threat"],
+  ["Output", "Owner handoff with verification steps"],
+];
+
+const advantages: Detail[] = [
+  {
+    title: "Agentic execution",
+    body: "Northwall runs governed AppSec missions. It plans work, executes with tools, gathers evidence, and pauses for approval where human judgment matters.",
+    icon: BrainCircuit,
+  },
+  {
+    title: "Multi-agent orchestration",
+    body: "Security work is split across named agents with clear responsibilities, dependencies, task order, and status visible during the run.",
+    icon: Workflow,
+  },
+  {
+    title: "Parallel MoE specialists",
+    body: "The mission planner routes work to focused agents instead of asking one general model to reason through every risk surface sequentially.",
+    icon: Split,
+  },
+  {
+    title: "AppSec knowledge graph",
+    body: "A living graph links code, services, owners, routes, packages, controls, findings, and handoffs so every action has context.",
+    icon: Network,
+  },
+];
+
+const technicalLayers: Detail[] = [
+  {
+    title: "Graph-first context",
+    body: "Entity resolution, graph traversal, and relationship-aware retrieval help agents reason about routes, packages, owners, controls, and blast radius together.",
+  },
+  {
+    title: "MoE-style agent routing",
+    body: "A planner breaks missions into specialist tracks for authentication, dependency reachability, CI/CD policy, configuration exposure, and owner routing.",
+  },
+  {
+    title: "Task DAGs and approval gates",
+    body: "Northwall turns AppSec work into an execution graph with ordered tasks, dependencies, human review points, and auditable decisions.",
+  },
+  {
+    title: "Evidence-grounded RAG",
+    body: "Agents should ground reasoning in repo inventory, code paths, package metadata, runtime notes, and prior decisions instead of producing generic advice.",
+  },
+  {
+    title: "Bounded ReAct-style loops",
+    body: "Specialists inspect, reason, call tools, summarize evidence, and stop at safe AppSec outputs rather than drifting into open-ended investigation.",
+  },
+  {
+    title: "Security vocabulary built in",
+    body: "The workflow can speak in terms of CWE, CVE, CVSS, EPSS, OWASP ASVS, SLSA, OSSF Scorecard, SBOM, SAST, SCA, and dependency reachability.",
+  },
+];
+
+const useCases: Detail[] = [
+  {
+    title: "Auth and tenant-boundary review",
+    body: "Trace session handling, middleware, role checks, route guards, and permission-sensitive code paths before owners receive remediation work.",
+    icon: LockKeyhole,
+  },
+  {
+    title: "Dependency and package exposure",
+    body: "Connect package findings to lockfiles, reachable code paths, owners, release context, and practical fix guidance.",
+    icon: PackageCheck,
+  },
+  {
+    title: "CI/CD and configuration checks",
+    body: "Review pipeline defaults, secret handling, branch controls, deploy gates, and environment-sensitive configuration with specialist context.",
+    icon: Settings2,
+  },
+  {
+    title: "Application route and API context",
+    body: "Map routes, handlers, edge functions, webhooks, and service boundaries so risk is tied to the system surface security teams care about.",
+    icon: Route,
+  },
+  {
+    title: "Owner-ready remediation",
+    body: "Create handoffs that include evidence, priority, affected area, suggested action, and verification steps for the responsible owner.",
+    icon: UserCheck,
+  },
+  {
+    title: "Security leader review",
+    body: "Give AppSec leaders one place to inspect mission scope, agent behavior, evidence quality, approvals, and handoff status.",
+    icon: SearchCheck,
+  },
 ];
 
+const agents: Detail[] = [
+  {
+    title: "System Cartographer",
+    body: "Builds the AppSec graph across source, routes, packages, owners, controls, and CI/CD context.",
+  },
+  {
+    title: "Auth Boundary Agent",
+    body: "Reviews session, tenant, middleware, and permission-sensitive paths with OWASP ASVS-style framing.",
+  },
+  {
+    title: "Dependency Analyst",
+    body: "Connects package risk to lockfiles, reachable code paths, release notes, and owner context.",
+  },
+  {
+    title: "CI/Config Analyst",
+    body: "Inspects branch rules, workflow defaults, secret handling, deploy gates, and configuration drift.",
+  },
+  {
+    title: "Threat Context Agent",
+    body: "Adds CWE, CVE, CVSS, EPSS, exploit maturity, and business exposure context where it is useful.",
+  },
+  {
+    title: "Response Handoff Agent",
+    body: "Turns approved evidence into remediation work with owner, priority, rationale, and verification steps.",
+  },
+];
+
+const comparisons = [
+  {
+    alternative: "Scanners",
+    usefulFor: "Detecting known patterns and producing raw finding queues.",
+    northwall: "Organizing evidence into graph-backed missions and owner-ready action.",
+  },
+  {
+    alternative: "AI code review bots",
+    usefulFor: "Commenting on diffs, pull requests, or narrow code snippets.",
+    northwall: "Coordinating specialist agents across source, dependencies, owners, controls, and handoff.",
+  },
+  {
+    alternative: "Ticket queues",
+    usefulFor: "Tracking work after someone has already translated the risk.",
+    northwall: "Producing the translation: evidence, owner, action, priority, and verification path.",
+  },
+  {
+    alternative: "Manual AppSec triage",
+    usefulFor: "Expert judgment, exception handling, and final approval.",
+    northwall: "Doing the repeatable investigation work before the reviewer makes the decision.",
+  },
+];
+
+const faqs = [
+  {
+    question: "What is agentic AppSec orchestration?",
+    answer:
+      "Agentic AppSec orchestration is a way to run application security work through planned AI missions. The system builds context, assigns work to specialist agents, runs evidence gathering, and keeps humans in control before remediation is sent to owners.",
+  },
+  {
+    question: "Is Northwall just an AI code review tool?",
+    answer:
+      "No. GitHub is the first execution surface, but the product is positioned as an AppSec operations layer. Code review is one input. Northwall also focuses on graph context, owner mapping, dependency context, approval-gated missions, and remediation handoff.",
+  },
+  {
+    question: "Does Northwall replace SAST, SCA, DAST, or cloud security tools?",
+    answer:
+      "No. Northwall is designed to work around those security signals, not replace them. The current product starts with GitHub application context, while SAST, SCA, DAST, SBOM, SIEM, EDR, cloud, Jira, and evidence-store connectors are extension paths.",
+  },
+  {
+    question: "What are parallel MoE security agents?",
+    answer:
+      "MoE means mixture of experts. In Northwall, it means routing a mission to focused security agents such as an auth boundary agent, dependency analyst, CI/config analyst, system cartographer, and response handoff agent instead of relying on one generic agent.",
+  },
+  {
+    question: "Why does the AppSec knowledge graph matter?",
+    answer:
+      "Security findings are easier to act on when they are connected to services, routes, packages, owners, controls, and prior decisions. The graph helps agents and reviewers understand impact, ownership, and remediation sequence.",
+  },
+  {
+    question: "How does Northwall keep humans in control?",
+    answer:
+      "Northwall shows the mission plan before execution, uses approval gates, streams agent activity, and drafts owner handoffs for review. The goal is governed execution, not a black-box security bot.",
+  },
+];
+
+const schema = {
+  "@context": "https://schema.org",
+  "@graph": [
+    {
+      "@type": "Organization",
+      "@id": "https://inferensys.com/#organization",
+      name: "Inferensys",
+      url: "https://inferensys.com/",
+    },
+    {
+      "@type": "SoftwareApplication",
+      "@id": "https://github.com/Inferensys/northwall#software",
+      name: "Northwall",
+      applicationCategory: "SecurityApplication",
+      operatingSystem: "Web",
+      publisher: { "@id": "https://inferensys.com/#organization" },
+      description:
+        "Northwall is Agentic AppSec orchestration for security teams. It builds application graph context, dispatches specialist AI agents, and turns approved evidence into owner-ready remediation work.",
+      featureList: [
+        "Agentic AppSec missions",
+        "AppSec knowledge graph",
+        "Multi-agent orchestration",
+        "Parallel MoE security agents",
+        "Human approval gates",
+        "Owner-ready remediation handoff",
+      ],
+      sameAs: ["https://github.com/Inferensys/northwall"],
+    },
+    {
+      "@type": "FAQPage",
+      "@id": "https://github.com/Inferensys/northwall#faq",
+      mainEntity: faqs.map((faq) => ({
+        "@type": "Question",
+        name: faq.question,
+        acceptedAnswer: {
+          "@type": "Answer",
+          text: faq.answer,
+        },
+      })),
+    },
+  ],
+};
+
 function SignalField() {
   return (
-    <div className="relative h-[190px] overflow-hidden border-b border-[#dfe4dd] bg-[#fbfcfa]">
+    <div className="relative h-[100px] overflow-hidden border-b border-[#dfe4dd] bg-[#fbfcfa] sm:h-[115px] lg:h-[120px]">
       <div className="absolute inset-0 bg-[linear-gradient(90deg,rgba(5,25,20,0.055)_1px,transparent_1px)] bg-[length:18px_18px]" />
       <div className="absolute inset-x-7 bottom-7 h-32">
         {Array.from({ length: 64 }).map((_, index) => {
@@ -44,11 +318,35 @@ function SignalField() {
   );
 }
 
+function SectionIntro({
+  eyebrow,
+  title,
+  body,
+}: {
+  eyebrow: string;
+  title: string;
+  body?: string;
+}) {
+  return (
+    <div>
+      <p className="font-display text-xs uppercase tracking-[0.18em] text-[#68736d]">{eyebrow}</p>
+      <h2 className="mt-4 max-w-2xl font-serif text-4xl font-normal leading-tight text-[#051914] sm:text-5xl">
+        {title}
+      </h2>
+      {body && <p className="mt-5 max-w-xl text-sm leading-6 text-[#53615b] sm:text-base sm:leading-7">{body}</p>}
+    </div>
+  );
+}
+
 export default function LandingPage() {
   return (
     <main className="min-h-screen bg-white text-[#051914]">
-      <section className="min-h-screen">
-        <div className="grid min-h-screen grid-rows-[auto_auto_1fr_auto] bg-white">
+      <script
+        type="application/ld+json"
+        dangerouslySetInnerHTML={{ __html: JSON.stringify(schema) }}
+      />
+      <section>
+        <div className="grid bg-white">
           <header className="flex h-16 items-center justify-between border-b border-[#dfe4dd] px-5 sm:px-10 lg:px-14">
             <Link href="/" className="flex items-center gap-3">
               <NorthwallMark size={26} className="text-[#051914]" />
@@ -64,36 +362,84 @@ export default function LandingPage() {
 
           <SignalField />
 
-          <div className="grid min-h-0 md:grid-cols-[1fr_380px] xl:grid-cols-[1fr_430px]">
-            <section className="px-5 py-10 sm:px-10 sm:py-14 lg:px-14">
-              <h1 className="max-w-4xl font-serif text-[3.2rem] font-normal leading-[0.93] text-[#051914] sm:text-[5.5rem] lg:text-[6.7rem] xl:text-[7.4rem]">
-                Turn SOC alerts into owner-ready work.
+          <div className="grid min-h-0 md:grid-cols-[1fr_390px] xl:grid-cols-[1fr_460px]">
+            <section className="px-5 py-8 sm:px-10 sm:py-10 lg:px-14 lg:py-10">
+              <p className="font-display text-xs uppercase tracking-[0.18em] text-[#68736d]">
+                Agentic AppSec orchestration
+              </p>
+              <h1 className="mt-5 max-w-5xl font-serif text-[2.65rem] font-normal leading-[0.96] text-[#051914] sm:text-[3.7rem] lg:text-[4.35rem] xl:text-[5rem]">
+                Run security missions with specialist AI agents.
               </h1>
-              <p className="mt-7 max-w-2xl text-base leading-7 text-[#31413b] sm:text-lg lg:text-xl lg:leading-8">
-                Northwall runs specialist agents across source context, evidence, and ownership. Analysts approve the plan before issues are created.
+              <p className="mt-7 max-w-3xl text-base leading-7 text-[#31413b] sm:text-lg lg:text-xl lg:leading-8">
+                Northwall turns GitHub application context into approved AppSec work by building a knowledge graph, planning governed agent missions, and dispatching parallel MoE specialists across auth, dependencies, CI/CD, config, ownership, and threat context.
               </p>
+              <div className="mt-8 flex flex-col gap-3 sm:flex-row">
+                <Link
+                  href="/workspace"
+                  className="inline-flex min-h-11 items-center justify-center gap-2 border border-[#051914] bg-[#051914] px-4 py-3 font-display text-xs uppercase text-white transition-colors hover:bg-[#102a22]"
+                >
+                  See the mission workflow
+                  <ArrowRight className="h-4 w-4" />
+                </Link>
+                <a
+                  href="#architecture"
+                  className="inline-flex min-h-11 items-center justify-center gap-2 border border-[#dfe4dd] bg-white px-4 py-3 font-display text-xs uppercase text-[#051914] transition-colors hover:border-[#051914]"
+                >
+                  Read the architecture
+                  <ArrowRight className="h-4 w-4" />
+                </a>
+              </div>
             </section>
 
-            <aside className="flex border-t border-[#dfe4dd] p-5 md:border-l md:border-t-0 sm:p-8 lg:p-10">
-              <Link
-                href="/workspace"
-                className="group mt-auto flex w-full items-center justify-between border border-[#dfe4dd] bg-[#fbfcfa] px-4 py-4 text-left transition-colors hover:border-[#051914]"
-              >
-                <span className="font-serif text-2xl leading-none text-[#051914]">
-                  See Northwall in action
-                </span>
-                <ArrowUpRight className="h-5 w-5 transition-transform group-hover:-translate-y-0.5 group-hover:translate-x-0.5" />
-              </Link>
+            <aside className="border-t border-[#dfe4dd] p-5 md:border-l md:border-t-0 sm:p-7 lg:p-8">
+              <div className="flex h-full flex-col">
+                <div>
+                  <div className="flex items-center justify-between gap-3">
+                    <p className="font-display text-xs uppercase tracking-[0.18em] text-[#68736d]">
+                      Mission preview
+                    </p>
+                    <ShieldCheck className="h-5 w-5 text-[#0b7f56]" />
+                  </div>
+                  <h2 className="mt-4 font-serif text-3xl font-normal leading-tight text-[#051914]">
+                    Auth boundary graph review
+                  </h2>
+                  <p className="mt-3 text-sm leading-6 text-[#53615b]">
+                    Northwall turns source evidence into a scoped plan before any specialist agent executes.
+                  </p>
+                </div>
+
+                <div className="mt-5 grid gap-2">
+                  {missionMetrics.map(([label, value]) => (
+                    <div key={label} className="border-t border-[#dfe4dd] pt-2">
+                      <div className="font-display text-[11px] uppercase tracking-[0.12em] text-[#68736d]">{label}</div>
+                      <div className="mt-1 text-sm leading-5 text-[#051914]">{value}</div>
+                    </div>
+                  ))}
+                </div>
+
+                <Link
+                  href="/workspace"
+                  className="group mt-5 flex w-full items-center justify-between border border-[#dfe4dd] bg-[#fbfcfa] px-4 py-3 text-left transition-colors hover:border-[#051914] md:mt-auto"
+                >
+                  <span className="font-serif text-2xl leading-none text-[#051914]">
+                    Inspect the mission
+                  </span>
+                  <ArrowUpRight className="h-5 w-5 shrink-0 transition-transform group-hover:-translate-y-0.5 group-hover:translate-x-0.5" />
+                </Link>
+              </div>
             </aside>
           </div>
 
-          <section className="grid border-t border-[#dfe4dd] sm:grid-cols-3">
-            {steps.map(([number, title, body]) => (
+          <section id="workflow" className="grid border-t border-[#dfe4dd] sm:grid-cols-2 xl:grid-cols-5">
+            {steps.map(({ number, title, body, icon: Icon }) => (
               <article
                 key={title}
-                className="min-h-36 border-b border-[#dfe4dd] p-5 last:border-b-0 sm:border-b-0 sm:border-r sm:last:border-r-0 lg:px-10"
+                className="min-h-40 border-b border-[#dfe4dd] p-5 last:border-b-0 sm:border-r xl:border-b-0 xl:last:border-r-0 lg:px-7"
               >
-                <div className="font-display text-xs text-[#68736d]">{number}</div>
+                <div className="flex items-center justify-between gap-3">
+                  <span className="font-display text-xs text-[#68736d]">{number}</span>
+                  <Icon className="h-4 w-4 text-[#0b7f56]" />
+                </div>
                 <h2 className="mt-5 text-sm font-semibold text-[#051914]">{title}</h2>
                 <p className="mt-2 max-w-xs text-sm leading-5 text-[#53615b]">{body}</p>
               </article>
@@ -101,6 +447,183 @@ export default function LandingPage() {
           </section>
         </div>
       </section>
+
+      <section className="border-t border-[#dfe4dd] bg-[#fbfcfa] px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.85fr_1.15fr]">
+          <SectionIntro
+            eyebrow="Definition"
+            title="What is Northwall?"
+            body="Northwall is an agentic AppSec orchestration layer for security leaders who need application security work to move from evidence to action without losing control."
+          />
+          <div className="border-l border-[#dfe4dd] pl-5 sm:pl-8">
+            <p className="max-w-3xl text-xl leading-9 text-[#31413b] sm:text-2xl sm:leading-10">
+              It is not a passive code review bot. Northwall builds graph context from application evidence, proposes a mission plan, routes work to specialist security agents, streams execution, and creates owner-ready remediation handoffs after approval.
+            </p>
+            <div className="mt-7 grid gap-3 sm:grid-cols-2">
+              {["Agentic AI execution", "Multi-agent AppSec orchestration", "Parallel MoE security specialists", "Application security knowledge graph"].map((item) => (
+                <div key={item} className="flex items-center gap-2 text-sm font-medium text-[#051914]">
+                  <CheckCircle2 className="h-4 w-4 text-[#0b7f56]" />
+                  {item}
+                </div>
+              ))}
+            </div>
+          </div>
+        </div>
+      </section>
+
+      <section className="border-t border-[#dfe4dd] bg-white px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.8fr_1.2fr]">
+          <SectionIntro
+            eyebrow="Why Northwall"
+            title="Scanners produce signals. Northwall runs the AppSec mission."
+            body="Existing scanners and review tools still matter. Northwall adds the orchestration layer that turns those signals into scoped, reviewed, owner-ready work."
+          />
+          <div className="grid gap-3 sm:grid-cols-2">
+            {advantages.map(({ title, body, icon: Icon }) => (
+              <article key={title} className="border border-[#dfe4dd] bg-[#fbfcfa] p-5">
+                {Icon && <Icon className="h-5 w-5 text-[#0b7f56]" />}
+                <h3 className="mt-5 text-sm font-semibold text-[#051914]">{title}</h3>
+                <p className="mt-3 text-sm leading-6 text-[#53615b]">{body}</p>
+              </article>
+            ))}
+          </div>
+        </div>
+      </section>
+
+      <section id="architecture" className="border-t border-[#dfe4dd] bg-[#fbfcfa] px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.8fr_1.2fr]">
+          <SectionIntro
+            eyebrow="Technical foundation"
+            title="Graph context, MoE routing, RAG, and governed tool use."
+            body="The product language is technical because the work is technical, but every layer has a practical job: reduce manual triage and make security action easier to approve."
+          />
+          <div className="grid gap-3">
+            {technicalLayers.map(({ title, body }) => (
+              <article key={title} className="grid gap-2 border-b border-[#dfe4dd] pb-4 sm:grid-cols-[230px_1fr]">
+                <h3 className="text-sm font-semibold text-[#051914]">{title}</h3>
+                <p className="text-sm leading-6 text-[#53615b]">{body}</p>
+              </article>
+            ))}
+          </div>
+        </div>
+      </section>
+
+      <section className="border-t border-[#dfe4dd] bg-white px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.8fr_1.2fr]">
+          <SectionIntro
+            eyebrow="Use cases"
+            title="Built for AppSec work that needs context, ownership, and approval."
+            body="Northwall starts with GitHub because source, package, ownership, and CI context are where many application security decisions become concrete."
+          />
+          <div className="grid gap-3 sm:grid-cols-2">
+            {useCases.map(({ title, body, icon: Icon }) => (
+              <article key={title} className="border border-[#dfe4dd] bg-white p-5">
+                {Icon && <Icon className="h-5 w-5 text-[#315e80]" />}
+                <h3 className="mt-5 text-sm font-semibold text-[#051914]">{title}</h3>
+                <p className="mt-3 text-sm leading-6 text-[#53615b]">{body}</p>
+              </article>
+            ))}
+          </div>
+        </div>
+      </section>
+
+      <section className="border-t border-[#dfe4dd] bg-[#fbfcfa] px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.8fr_1.2fr]">
+          <SectionIntro
+            eyebrow="Agent team"
+            title="Parallel specialists, approved before they execute."
+            body="Security teams can see who is doing what, why it is in scope, and where each agent fits in the mission before the run begins."
+          />
+          <div className="grid gap-3">
+            {agents.map(({ title, body }) => (
+              <article key={title} className="grid gap-3 border-b border-[#dfe4dd] pb-4 sm:grid-cols-[230px_1fr]">
+                <h3 className="text-sm font-semibold text-[#051914]">{title}</h3>
+                <p className="text-sm leading-6 text-[#53615b]">{body}</p>
+              </article>
+            ))}
+          </div>
+        </div>
+      </section>
+
+      <section className="border-t border-[#dfe4dd] bg-white px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.8fr_1.2fr]">
+          <SectionIntro
+            eyebrow="Evaluation"
+            title="Use Northwall alongside the tools security teams already trust."
+            body="The goal is not to replace every security control. The goal is to make AppSec evidence easier to understand, approve, assign, and verify."
+          />
+          <div className="overflow-hidden border border-[#dfe4dd]">
+            <div className="grid bg-[#fbfcfa] font-display text-[11px] uppercase tracking-[0.12em] text-[#68736d] sm:grid-cols-[0.7fr_1fr_1fr]">
+              <div className="border-b border-[#dfe4dd] p-4 sm:border-r">Tool type</div>
+              <div className="border-b border-[#dfe4dd] p-4 sm:border-r">Useful for</div>
+              <div className="border-b border-[#dfe4dd] p-4">What Northwall adds</div>
+            </div>
+            {comparisons.map((row) => (
+              <div key={row.alternative} className="grid border-b border-[#dfe4dd] last:border-b-0 sm:grid-cols-[0.7fr_1fr_1fr]">
+                <div className="border-b border-[#dfe4dd] p-4 text-sm font-semibold text-[#051914] sm:border-b-0 sm:border-r">
+                  {row.alternative}
+                </div>
+                <div className="border-b border-[#dfe4dd] p-4 text-sm leading-6 text-[#53615b] sm:border-b-0 sm:border-r">
+                  {row.usefulFor}
+                </div>
+                <div className="p-4 text-sm leading-6 text-[#53615b]">{row.northwall}</div>
+              </div>
+            ))}
+          </div>
+        </div>
+      </section>
+
+      <section className="border-t border-[#dfe4dd] bg-[#fbfcfa] px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.8fr_1.2fr]">
+          <SectionIntro
+            eyebrow="Connector posture"
+            title="GitHub first. Broader security evidence next."
+            body="The current product story stays honest: GitHub is the first real connector and execution surface. SIEM, EDR, cloud, Jira, SAST, SCA, DAST, SBOM, and evidence-store integrations are framed as extension paths."
+          />
+          <div className="border-l border-[#dfe4dd] pl-5 sm:pl-8">
+            <Braces className="h-5 w-5 text-[#315e80]" />
+            <p className="mt-5 max-w-3xl text-base leading-7 text-[#31413b]">
+              That framing matters for security buyers. It says Northwall is practical today, extensible tomorrow, and careful about the difference between implemented surfaces and roadmap direction.
+            </p>
+          </div>
+        </div>
+      </section>
+
+      <section className="border-t border-[#dfe4dd] bg-white px-5 py-16 sm:px-10 lg:px-14">
+        <div className="grid gap-8 lg:grid-cols-[0.8fr_1.2fr]">
+          <SectionIntro
+            eyebrow="FAQ"
+            title="Straight answers for security leaders evaluating agentic AppSec."
+            body="These answers are written for people comparing AI code review, security scanners, AppSec automation, and agentic AI execution platforms."
+          />
+          <div className="grid gap-3">
+            {faqs.map((faq) => (
+              <article key={faq.question} className="border-b border-[#dfe4dd] pb-5">
+                <h3 className="text-sm font-semibold text-[#051914]">{faq.question}</h3>
+                <p className="mt-3 text-sm leading-6 text-[#53615b]">{faq.answer}</p>
+              </article>
+            ))}
+          </div>
+        </div>
+      </section>
+
+      <section className="border-t border-[#dfe4dd] bg-[#051914] px-5 py-12 text-white sm:px-10 lg:px-14">
+        <div className="grid items-center gap-7 lg:grid-cols-[1fr_auto]">
+          <div>
+            <p className="font-display text-xs uppercase tracking-[0.18em] text-white/55">Run a mission</p>
+            <h2 className="mt-4 max-w-3xl font-serif text-4xl font-normal leading-tight sm:text-5xl">
+              See how graph context becomes approved AppSec action.
+            </h2>
+          </div>
+          <Link
+            href="/workspace"
+            className="inline-flex min-h-11 items-center justify-center gap-2 border border-white/20 bg-white px-4 py-3 font-display text-xs uppercase text-[#051914] transition-colors hover:bg-[#e6ebe4]"
+          >
+            Open the demo workspace
+            <ArrowRight className="h-4 w-4" />
+          </Link>
+        </div>
+      </section>
     </main>
   );
 }
diff --git a/packages/frontend/src/app/workspace/page.tsx b/packages/frontend/src/app/workspace/page.tsx
index 9232560..d26602c 100644
--- a/packages/frontend/src/app/workspace/page.tsx
+++ b/packages/frontend/src/app/workspace/page.tsx
@@ -36,14 +36,14 @@ const BACKEND_URL = process.env.NEXT_PUBLIC_BACKEND_URL ?? "http://localhost:400
 const DEV_BYPASS = process.env.NEXT_PUBLIC_DEV_AUTH_BYPASS === "true";
 
 const phases: Array<{ id: AssessmentPhase; label: string }> = [
-  { id: "connect_repo", label: "Connect source" },
+  { id: "connect_repo", label: "Connect evidence source" },
   { id: "repo_selected", label: "Source selected" },
-  { id: "understanding", label: "Context built" },
-  { id: "plan_ready", label: "Plan approval" },
+  { id: "understanding", label: "Graph built" },
+  { id: "plan_ready", label: "Agent plan approval" },
   { id: "approved", label: "Approved" },
-  { id: "running", label: "Execution" },
-  { id: "findings_ready", label: "Findings" },
-  { id: "issues_created", label: "Issues" },
+  { id: "running", label: "Specialist execution" },
+  { id: "findings_ready", label: "Owner handoffs" },
+  { id: "issues_created", label: "Work sent" },
 ];
 
 const severityStyles: Record<VulnerabilityFinding["severity"], string> = {
@@ -273,7 +273,7 @@ export default function Home() {
         body: JSON.stringify({ findingIds: Array.from(selectedFindingIds) }),
       });
       const data = await res.json();
-      if (!res.ok) throw new Error(data.error ?? "Could not create issues");
+      if (!res.ok) throw new Error(data.error ?? "Could not send handoffs");
       setAssessment(data.assessment);
       setEvents(data.assessment.events ?? []);
     } catch (err) {
@@ -292,12 +292,12 @@ export default function Home() {
           <NorthwallLogo className="text-xl" />
           <div className="hidden h-6 w-px bg-border sm:block" />
           <div className="hidden text-xs text-text-muted sm:block">
-            Agentic SOC workspace
+            Agentic AppSec mission workspace
           </div>
         </div>
         <div className="hidden w-full max-w-lg items-center gap-2 rounded-md border border-border bg-bg-elevated px-3 py-1.5 text-sm text-text-muted md:flex">
           <Search className="h-4 w-4" />
-          Search alerts, entities, code paths, findings
+          Search sources, graph nodes, agents, handoffs
         </div>
         <div className="flex items-center gap-3 text-sm">
           <span className={cn("rounded-md border px-2.5 py-1 font-medium", connection?.connected ? "border-[#b8d8c7] bg-[#ecf6f0] text-[#0b6b49]" : "border-border bg-bg-elevated text-text-secondary")}>
@@ -310,10 +310,10 @@ export default function Home() {
         <nav className="hidden border-r border-[#102a22] bg-[#051914] py-3 lg:flex lg:flex-col lg:items-center lg:gap-2">
           {[
             { label: "Sources", icon: Github },
-            { label: "Investigation graph", icon: Network },
-            { label: "Plan", icon: ShieldCheck },
-            { label: "Run log", icon: SquareKanban },
-            { label: "Work items", icon: GitPullRequest },
+            { label: "AppSec graph", icon: Network },
+            { label: "Agent plan", icon: ShieldCheck },
+            { label: "Mission log", icon: SquareKanban },
+            { label: "Owner handoffs", icon: GitPullRequest },
           ].map(({ label, icon: Icon }, index) => (
             <button
               key={label}
@@ -335,7 +335,7 @@ export default function Home() {
               className="flex w-full items-center justify-center gap-2 rounded-md bg-accent px-3 py-2.5 text-sm font-semibold text-white disabled:opacity-60"
             >
               {busy === "connect" ? <Loader2 className="h-4 w-4 animate-spin" /> : <Github className="h-4 w-4" />}
-              {connection?.connected ? "Refresh GitHub source" : "Connect GitHub source"}
+              {connection?.connected ? "Refresh GitHub source" : "Connect GitHub evidence source"}
             </button>
             {connection?.connected && (
               <button
@@ -349,13 +349,13 @@ export default function Home() {
 
           <div className="border-b border-border p-4">
             <div className="mb-3 flex items-center justify-between">
-              <h2 className="text-xs font-semibold uppercase tracking-wide text-text-muted">Signal source</h2>
+              <h2 className="text-xs font-semibold uppercase tracking-wide text-text-muted">Evidence source</h2>
               <span className="text-xs text-text-muted">{repos.length} repos</span>
             </div>
             <div className="max-h-64 space-y-1 overflow-auto">
               {repos.length === 0 ? (
                 <p className="rounded-md bg-bg-elevated p-3 text-sm leading-5 text-text-muted">
-                  Connect GitHub to load source context.
+                  Connect GitHub to load source, ownership, dependency, and CI context.
                 </p>
               ) : repos.map((repo) => (
                 <button
@@ -389,7 +389,7 @@ export default function Home() {
                   className="flex w-full items-center justify-center gap-2 rounded-md bg-accent px-3 py-2.5 text-sm font-semibold text-white disabled:opacity-60"
                 >
                   {busy === "create" ? <Loader2 className="h-4 w-4 animate-spin" /> : <ArrowRight className="h-4 w-4" />}
-                  Start SOC run
+                  Start AppSec mission
                 </button>
               </div>
             )}
@@ -427,38 +427,38 @@ export default function Home() {
                 {assessment?.repository.fullName ?? selectedRepo?.fullName ?? "No source selected"}
               </div>
               <h1 className="text-2xl font-semibold tracking-normal text-text-primary">
-                Agentic SOC run
+                Agentic AppSec mission
               </h1>
               <p className="mt-1 text-sm text-text-secondary">
-                Build context, assign agents, approve the response plan, then send the work to owners.
+                Build the AppSec graph, approve the specialist agent plan, run parallel investigation, then send the work to owners.
               </p>
             </div>
             <div className="flex flex-wrap gap-2">
-              <ActionButton label="Build context" busy={busy === "understand"} disabled={!assessment || assessment.phase !== "repo_selected"} onClick={() => runStep("understand")} />
-              <ActionButton label="Draft plan" busy={busy === "plan"} disabled={!assessment || assessment.phase !== "understanding"} onClick={() => runStep("plan")} />
-              <ActionButton label="Approve" busy={busy === "approve"} disabled={!assessment || assessment.phase !== "plan_ready"} onClick={() => runStep("approve")} />
-              <ActionButton label="Run" icon={Play} busy={busy === "run"} disabled={!assessment || assessment.phase !== "approved"} onClick={() => runStep("run")} />
-              <ActionButton label="Create work items" icon={GitPullRequest} busy={busy === "issues"} disabled={!assessment || selectedFindingIds.size === 0 || !["findings_ready", "issues_created"].includes(assessment.phase)} onClick={createIssues} />
+              <ActionButton label="Build graph" busy={busy === "understand"} disabled={!assessment || assessment.phase !== "repo_selected"} onClick={() => runStep("understand")} />
+              <ActionButton label="Draft agent plan" busy={busy === "plan"} disabled={!assessment || assessment.phase !== "understanding"} onClick={() => runStep("plan")} />
+              <ActionButton label="Approve plan" busy={busy === "approve"} disabled={!assessment || assessment.phase !== "plan_ready"} onClick={() => runStep("approve")} />
+              <ActionButton label="Run specialists" icon={Play} busy={busy === "run"} disabled={!assessment || assessment.phase !== "approved"} onClick={() => runStep("run")} />
+              <ActionButton label="Send handoffs" icon={GitPullRequest} busy={busy === "issues"} disabled={!assessment || selectedFindingIds.size === 0 || !["findings_ready", "issues_created"].includes(assessment.phase)} onClick={createIssues} />
             </div>
           </div>
 
           <div className="grid gap-4 xl:grid-cols-[1.2fr_0.8fr]">
-            <Panel title="Investigation graph" icon={Network}>
+            <Panel title="AppSec knowledge graph" icon={Network}>
               <KnowledgeGraphView assessment={assessment} />
             </Panel>
-            <Panel title="Agent task map" icon={Workflow}>
+            <Panel title="Parallel specialist map" icon={Workflow}>
               <TaskMap assessment={assessment} />
             </Panel>
-            <Panel title="Response plan" icon={ShieldCheck}>
+            <Panel title="Agent plan" icon={ShieldCheck}>
               <PlanReview assessment={assessment} />
             </Panel>
-            <Panel title="Live SOC run" icon={SquareKanban}>
+            <Panel title="Live AppSec mission" icon={SquareKanban}>
               <EventStream events={events} />
             </Panel>
           </div>
 
           <div className="mt-4 grid gap-4 2xl:grid-cols-[minmax(0,1fr)_420px]">
-            <Panel title="Findings and work items" icon={GitPullRequest}>
+            <Panel title="Owner handoffs" icon={GitPullRequest}>
               <FindingsTable
                 findings={assessment?.findings ?? []}
                 selected={selectedFindingIds}
@@ -467,7 +467,7 @@ export default function Home() {
                 onPreview={setPreviewFindingId}
               />
             </Panel>
-            <Panel title="Owner handoff preview" icon={GitPullRequest}>
+            <Panel title="Handoff preview" icon={GitPullRequest}>
               <IssuePreview finding={previewFinding} />
             </Panel>
           </div>
@@ -505,7 +505,7 @@ function ActionButton({
 function KnowledgeGraphView({ assessment }: { assessment: Assessment | null }) {
   const graph = assessment?.graph;
   if (!graph) {
-    return <EmptyState>Select a source and build context to map alerts, code paths, identities, services, and owners.</EmptyState>;
+    return <EmptyState>Select a source and build the graph to map routes, packages, auth boundaries, controls, owners, and remediation work.</EmptyState>;
   }
 
   return (
@@ -543,7 +543,7 @@ function KnowledgeGraphView({ assessment }: { assessment: Assessment | null }) {
 
 function TaskMap({ assessment }: { assessment: Assessment | null }) {
   const plan = assessment?.plan;
-  if (!plan) return <EmptyState>Draft a plan to see the agents, owners, and task order before the SOC run starts.</EmptyState>;
+  if (!plan) return <EmptyState>Draft an agent plan to see specialist roles, dependencies, and task order before the mission starts.</EmptyState>;
 
   return (
     <div className="p-4">
@@ -579,7 +579,7 @@ function TaskMap({ assessment }: { assessment: Assessment | null }) {
 }
 
 function PlanReview({ assessment }: { assessment: Assessment | null }) {
-  if (!assessment?.plan) return <EmptyState>The response plan appears here after Northwall builds the source context.</EmptyState>;
+  if (!assessment?.plan) return <EmptyState>The approval-gated agent plan appears here after Northwall builds the AppSec graph.</EmptyState>;
 
   return (
     <div className="p-4">
@@ -597,7 +597,7 @@ function PlanReview({ assessment }: { assessment: Assessment | null }) {
 }
 
 function EventStream({ events }: { events: AssessmentEvent[] }) {
-  if (events.length === 0) return <EmptyState>Run events appear here as agents triage signals, inspect context, and write findings.</EmptyState>;
+  if (events.length === 0) return <EmptyState>Mission events appear here as agents inspect context, run parallel checks, and write owner handoffs.</EmptyState>;
 
   return (
     <div className="max-h-[360px] overflow-auto p-4">
@@ -630,7 +630,7 @@ function FindingsTable({
   onPreview: (id: string) => void;
 }) {
   if (findings.length === 0) {
-    return <EmptyState>Run the approved plan to get findings and owner-ready work item drafts.</EmptyState>;
+    return <EmptyState>Run the approved agent plan to get owner-ready remediation handoffs.</EmptyState>;
   }
 
   function toggle(id: string) {
@@ -646,11 +646,11 @@ function FindingsTable({
         <thead className="border-b border-border bg-bg-elevated text-xs font-semibold uppercase tracking-wide text-text-muted">
           <tr>
             <th className="w-10 px-4 py-3" />
-            <th className="px-4 py-3">Finding</th>
+            <th className="px-4 py-3">Handoff</th>
             <th className="px-4 py-3">Severity</th>
             <th className="px-4 py-3">Confidence</th>
             <th className="px-4 py-3">Evidence</th>
-            <th className="px-4 py-3">Work item</th>
+            <th className="px-4 py-3">Owner work</th>
             <th className="px-4 py-3" />
           </tr>
         </thead>
@@ -712,13 +712,13 @@ function FindingsTable({
 
 function IssuePreview({ finding }: { finding: VulnerabilityFinding | null }) {
   if (!finding) {
-    return <EmptyState>Select a finding to read the owner handoff before Northwall creates it.</EmptyState>;
+    return <EmptyState>Select a handoff to review the owner-ready work before Northwall sends it.</EmptyState>;
   }
 
   return (
     <div className="p-4">
       <div className="mb-4 flex flex-wrap gap-2">
-        {["northwall", "agentic-soc", "security-operations", finding.severity, finding.confidence, ...finding.labels].filter(Boolean).map((label) => (
+        {["northwall", "agentic-appsec", "appsec-orchestration", finding.severity, finding.confidence, ...finding.labels].filter(Boolean).map((label) => (
           <span key={label} className="rounded-md border border-border bg-bg-elevated px-2 py-1 text-xs font-medium text-text-secondary">
             {label}
           </span>
diff --git a/packages/frontend/src/components/portfolio-screens.tsx b/packages/frontend/src/components/portfolio-screens.tsx
index 3ea2211..52c16d2 100644
--- a/packages/frontend/src/components/portfolio-screens.tsx
+++ b/packages/frontend/src/components/portfolio-screens.tsx
@@ -25,7 +25,7 @@ import { cn } from "@/lib/utils";
 import { evidenceTimeline, findings, systemGraph } from "@/lib/northwall-demo";
 
 const nav = [
-  { href: "/", label: "SOC Run" },
+  { href: "/", label: "AppSec Mission" },
   { href: "/admin", label: "Admin" },
   { href: "/team", label: "Team" },
   { href: "/integrations", label: "Integrations" },
@@ -65,8 +65,8 @@ export function PortfolioShell({
         </nav>
         <div className="absolute bottom-0 left-0 right-0 border-t border-accent/10 p-4">
           <div className="rounded-md border border-white/10 bg-white/[0.06] p-3">
-            <p className="text-xs font-medium text-white">Agentic SOC</p>
-            <p className="mt-1 text-[11px] leading-5 text-white/55">Triage, investigation, response, and owner handoff in one run.</p>
+            <p className="text-xs font-medium text-white">Agentic AppSec</p>
+            <p className="mt-1 text-[11px] leading-5 text-white/55">Graph context, parallel agents, approval, and owner handoff in one mission.</p>
           </div>
         </div>
       </aside>
@@ -126,23 +126,23 @@ export function StatCard({
 
 export function AdminScreen() {
   const rows = [
-    ["AcmePay identity incident", "Running", "7 agents", "4 findings", "2m ago"],
-    ["Customer Portal alert cluster", "Review", "5 agents", "3 findings", "18m ago"],
-    ["Payments webhook case", "Responding", "4 agents", "2 findings", "41m ago"],
-    ["CI dependency signal", "Verified", "3 agents", "1 finding", "2h ago"],
+    ["AcmePay auth boundary mission", "Running", "7 agents", "4 handoffs", "2m ago"],
+    ["Customer Portal graph review", "Review", "5 agents", "3 handoffs", "18m ago"],
+    ["Payments webhook ownership", "Handoff", "4 agents", "2 handoffs", "41m ago"],
+    ["CI dependency exposure", "Verified", "3 agents", "1 handoff", "2h ago"],
   ];
 
   return (
     <PortfolioShell active="Admin">
       <PageHeader
         title="Admin Console"
-        description="SOC runs, agent actions, open risk, and owner handoff in one place."
+        description="AppSec missions, agent actions, graph context, open risk, and owner handoff in one place."
         action="Invite Analyst"
       />
       <div className="space-y-6 p-8">
         <div className="grid grid-cols-4 gap-4">
-          <StatCard label="Active SOC runs" value="12" trend="+4 this week" icon={Activity} />
-          <StatCard label="Findings open" value="38" trend="11 high confidence" icon={TriangleAlert} />
+          <StatCard label="Active missions" value="12" trend="+4 this week" icon={Activity} />
+          <StatCard label="Handoffs open" value="38" trend="11 high confidence" icon={TriangleAlert} />
           <StatCard label="Graph nodes" value="1,284" trend="Across 9 apps" icon={GitBranch} />
           <StatCard label="Verified fixes" value="76%" trend="+18% this month" icon={CheckCircle2} />
         </div>
@@ -150,12 +150,12 @@ export function AdminScreen() {
         <div className="grid grid-cols-12 gap-4">
           <section className="col-span-8 rounded-lg border border-border bg-bg-surface">
             <div className="border-b border-border px-5 py-4">
-            <h2 className="font-display text-base font-semibold">Security operations</h2>
+            <h2 className="font-display text-base font-semibold">AppSec orchestration</h2>
             </div>
             <table className="w-full text-left text-sm">
               <thead className="text-xs uppercase tracking-[0.16em] text-text-muted">
                 <tr className="border-b border-border">
-                  {["SOC run", "Status", "Agents", "Risk", "Updated"].map((head) => (
+                  {["Mission", "Status", "Agents", "Risk", "Updated"].map((head) => (
                     <th key={head} className="px-5 py-3 font-medium">{head}</th>
                   ))}
                 </tr>
@@ -174,7 +174,7 @@ export function AdminScreen() {
             </table>
           </section>
           <section className="col-span-4 rounded-lg border border-border bg-bg-surface p-5">
-            <h2 className="font-display text-base font-semibold">Run rules</h2>
+            <h2 className="font-display text-base font-semibold">Mission rules</h2>
             <div className="mt-4 space-y-3">
               {["Owned scope required", "Rate limits enforced", "Destructive checks off", "Owner approval before execution"].map((item) => (
                 <div key={item} className="flex items-center gap-3 rounded-lg bg-bg-elevated px-3 py-2">
@@ -192,21 +192,21 @@ export function AdminScreen() {
 
 export function BillingScreen() {
   const invoices = [
-    ["INV-2026-05", "May SOC runs", "$1,820.00", "Paid"],
-    ["INV-2026-04", "April SOC runs", "$1,395.50", "Paid"],
-    ["INV-2026-03", "March SOC runs", "$1,104.80", "Paid"],
+    ["INV-2026-05", "May AppSec missions", "$1,820.00", "Paid"],
+    ["INV-2026-04", "April AppSec missions", "$1,395.50", "Paid"],
+    ["INV-2026-03", "March AppSec missions", "$1,104.80", "Paid"],
   ];
 
   return (
     <PortfolioShell active="Billing">
-      <PageHeader title="Billing & Usage" description="Agent minutes, SOC runs, evidence storage, invoices, and budget limits." action="Update Plan" />
+      <PageHeader title="Billing & Usage" description="Agent minutes, AppSec missions, evidence storage, invoices, and budget limits." action="Update Plan" />
       <div className="grid grid-cols-12 gap-4 p-8">
         <section className="col-span-5 rounded-lg border border-border bg-bg-surface p-5">
           <div className="flex items-start justify-between">
             <div>
               <p className="text-xs uppercase tracking-[0.18em] text-text-muted">Current plan</p>
-              <h2 className="mt-2 font-display text-3xl font-semibold">Security Ops</h2>
-              <p className="mt-1 text-sm text-text-muted">For teams running agent-assisted security operations every week.</p>
+              <h2 className="mt-2 font-display text-3xl font-semibold">AppSec Orchestration</h2>
+              <p className="mt-1 text-sm text-text-muted">For teams running graph-backed, agent-assisted AppSec work every week.</p>
             </div>
             <WalletCards className="h-5 w-5 text-accent" />
           </div>
@@ -229,7 +229,7 @@ export function BillingScreen() {
           </div>
         </section>
         <section className="col-span-12 grid grid-cols-3 gap-4">
-          <StatCard label="Agent minutes" value="1,940" trend="62% of budget" icon={Activity} />
+          <StatCard label="Agent minutes" value="1,940" trend="62% of mission budget" icon={Activity} />
           <StatCard label="Evidence retention" value="365d" trend="Encrypted archive" icon={FileClock} />
           <StatCard label="Payment method" value="4242" trend="Visa on file" icon={CreditCard} />
         </section>
@@ -248,7 +248,7 @@ export function TeamScreen() {
 
   return (
     <PortfolioShell active="Team">
-      <PageHeader title="Team & Access" description="Set alert owners, incident reviewers, and scope approvers." action="Add Member" />
+      <PageHeader title="Team & Access" description="Set service owners, AppSec reviewers, mission approvers, and handoff roles." action="Add Member" />
       <div className="grid grid-cols-12 gap-4 p-8">
         <section className="col-span-8 rounded-lg border border-border bg-bg-surface">
           <div className="border-b border-border px-5 py-4">
@@ -269,7 +269,7 @@ export function TeamScreen() {
         <section className="col-span-4 rounded-lg border border-border bg-bg-surface p-5">
           <h2 className="font-display text-base font-semibold">Approval Rules</h2>
           <div className="mt-4 space-y-3">
-            {["High severity findings require security lead review", "External URL scopes require admin approval", "Fix verification must include test evidence"].map((item) => (
+            {["High severity handoffs require security lead review", "External URL scopes require admin approval", "Fix verification must include test evidence"].map((item) => (
               <p key={item} className="rounded-lg bg-bg-elevated p-3 text-sm text-text-secondary">{item}</p>
             ))}
           </div>
@@ -281,17 +281,17 @@ export function TeamScreen() {
 
 export function IntegrationsScreen() {
   const integrations: Array<[string, string, LucideIcon]> = [
-    ["GitHub", "Code context, ownership, and issue handoff", GitBranch],
-    ["CrowdStrike", "Endpoint signals and case context", ShieldCheck],
-    ["Microsoft Sentinel", "SIEM alerts and incident queue", Fingerprint],
-    ["Jira", "Response tasks and owner sync", PlugZap],
-    ["Postgres", "App data context for investigations", Database],
-    ["Stripe", "Payment event context for fraud and abuse cases", ReceiptText],
+    ["GitHub", "First connector for code context, ownership, and issue handoff", GitBranch],
+    ["CrowdStrike", "Roadmap connector for endpoint evidence and case context", ShieldCheck],
+    ["Microsoft Sentinel", "Roadmap connector for SIEM alerts and incident queue context", Fingerprint],
+    ["Jira", "Roadmap connector for response tasks and owner sync", PlugZap],
+    ["Postgres", "Roadmap connector for app data context during investigations", Database],
+    ["Stripe", "Roadmap connector for payment event context in abuse cases", ReceiptText],
   ];
 
   return (
     <PortfolioShell active="Integrations">
-      <PageHeader title="Integrations" description="Connect SIEM, EDR, source control, ticketing, evidence storage, and ownership data." action="Connect Source" />
+      <PageHeader title="Integrations" description="GitHub is the first evidence source; SIEM, EDR, cloud, ticketing, and storage follow the same orchestration pattern." action="Connect Source" />
       <div className="grid grid-cols-3 gap-4 p-8">
         {integrations.map(([name, description, Icon]) => {
           const IntegrationIcon = Icon as LucideIcon;
@@ -312,7 +312,7 @@ export function IntegrationsScreen() {
 export function AuditScreen() {
   return (
     <PortfolioShell active="Audit">
-      <PageHeader title="Audit Trail" description="Scope changes, agent actions, evidence, work item creation, and response review." action="Export Evidence" />
+      <PageHeader title="Audit Trail" description="Scope changes, agent actions, graph updates, evidence, owner handoff, and review decisions." action="Export Evidence" />
       <div className="grid grid-cols-12 gap-4 p-8">
         <section className="col-span-8 rounded-lg border border-border bg-bg-surface p-5">
           <h2 className="font-display text-base font-semibold">Event stream</h2>
@@ -329,7 +329,7 @@ export function AuditScreen() {
         <section className="col-span-4 rounded-lg border border-border bg-bg-surface p-5">
           <h2 className="font-display text-base font-semibold">Control mapping</h2>
           <div className="mt-4 space-y-3">
-            {["ASVS mapped findings", "CWE attached where relevant", "KEV enrichment enabled", "Reviewer approval retained"].map((item) => (
+            {["ASVS mapped handoffs", "CWE attached where relevant", "KEV enrichment enabled", "Reviewer approval retained"].map((item) => (
               <div key={item} className="flex items-center gap-3 rounded-lg bg-bg-elevated px-3 py-2">
                 <CheckCircle2 className="h-4 w-4 text-accent" />
                 <span className="text-sm text-text-secondary">{item}</span>
@@ -345,7 +345,7 @@ export function AuditScreen() {
 export function SettingsScreen() {
   return (
     <PortfolioShell active="Settings">
-      <PageHeader title="Settings" description="Authentication, scope policy, run defaults, and evidence retention." action="Save Changes" />
+      <PageHeader title="Settings" description="Authentication, scope policy, mission defaults, graph context, and evidence retention." action="Save Changes" />
       <div className="grid grid-cols-12 gap-4 p-8">
         <section className="col-span-6 rounded-lg border border-border bg-bg-surface p-5">
           <h2 className="font-display text-base font-semibold">Authentication</h2>
@@ -369,12 +369,12 @@ export function SettingsScreen() {
           </div>
         </section>
         <section className="col-span-6 rounded-lg border border-border bg-bg-surface p-5">
-          <h2 className="font-display text-base font-semibold">Run defaults</h2>
+          <h2 className="font-display text-base font-semibold">Mission defaults</h2>
           <div className="mt-4 space-y-3 text-sm text-text-secondary">
-            <p>Human approval is required before response actions run.</p>
+            <p>Human approval is required before agent execution and owner handoff.</p>
             <p>Request rate is capped at 30 rpm unless an admin lowers it.</p>
             <p>Evidence retention is 365 days for paid workspaces.</p>
-            <p>External systems require explicit scope approval.</p>
+            <p>External systems require explicit scope approval before they enter the graph.</p>
           </div>
         </section>
       </div>
@@ -391,10 +391,10 @@ export function LoginScreen() {
         </div>
         <div>
           <h1 className="mt-10 max-w-xl text-4xl font-semibold leading-tight tracking-normal sm:text-5xl">
-            Agentic SOC for teams that still want control.
+            Agentic AppSec for teams that still want control.
           </h1>
           <p className="mt-5 max-w-lg text-sm leading-6 text-text-secondary">
-            Northwall gives security teams an agent crew for alert triage, investigation graphs, response plans, and owner handoff.
+            Northwall gives security teams a specialist agent crew for AppSec graph building, parallel investigation, approved execution, and owner handoff.
           </p>
         </div>
         <p className="mt-8 text-xs text-text-muted">Human approval stays in the loop. Scope is checked before a run starts.</p>
diff --git a/packages/frontend/src/hooks/use-sdk-stream.ts b/packages/frontend/src/hooks/use-sdk-stream.ts
index 829a7df..5b23562 100644
--- a/packages/frontend/src/hooks/use-sdk-stream.ts
+++ b/packages/frontend/src/hooks/use-sdk-stream.ts
@@ -331,7 +331,7 @@ function processResult(
     state.feed.push({
       kind: "result",
       status: "success",
-      summary: msg.result?.slice(0, 200) ?? "Assessment completed",
+      summary: msg.result?.slice(0, 200) ?? "Mission completed",
       costUsd: msg.total_cost_usd,
       durationMs: msg.duration_ms,
       turns: msg.num_turns,
diff --git a/packages/frontend/src/lib/northwall-demo.ts b/packages/frontend/src/lib/northwall-demo.ts
index 9f18292..6ced8d6 100644
--- a/packages/frontend/src/lib/northwall-demo.ts
+++ b/packages/frontend/src/lib/northwall-demo.ts
@@ -1,10 +1,10 @@
 import type { AssessmentLoop, Finding, SystemGraph } from "@northwall/shared";
 
 export const targetProfile = {
-  name: "AcmePay Security Operations",
-  type: "Owned SOC workspace",
-  stack: ["Microsoft Sentinel", "CrowdStrike", "GitHub", "Postgres", "Stripe webhooks", "Jira"],
-  scope: ["siem://acmepay", "edr://acmepay", "repo://acmepay", "jira://security"],
+  name: "AcmePay AppSec Orchestration",
+  type: "Owned AppSec mission workspace",
+  stack: ["GitHub", "Postgres", "Stripe webhooks", "Jira", "Microsoft Sentinel roadmap", "CrowdStrike roadmap"],
+  scope: ["repo://acmepay", "owner://acmepay", "jira://security", "siem://roadmap", "edr://roadmap"],
   budget: "35 min / human approval required",
 };
 
@@ -12,21 +12,21 @@ export const systemGraph: SystemGraph = {
   confidence: 94,
   lastUpdatedAt: 1_777_897_200_000,
   nodes: [
-    { id: "siem", label: "SIEM incident queue", kind: "service", risk: "high" },
-    { id: "edr", label: "Endpoint telemetry", kind: "integration", risk: "high" },
-    { id: "identity", label: "Identity events", kind: "auth", risk: "critical" },
-    { id: "cloud", label: "Cloud audit logs", kind: "service", risk: "medium" },
+    { id: "repo", label: "GitHub source context", kind: "integration", risk: "medium" },
     { id: "app", label: "Customer app", kind: "app", risk: "medium" },
-    { id: "repo", label: "GitHub code context", kind: "integration", risk: "medium" },
+    { id: "auth", label: "Auth boundary", kind: "auth", risk: "critical" },
+    { id: "deps", label: "Dependency graph", kind: "package", risk: "high" },
+    { id: "ci", label: "CI and release controls", kind: "integration", risk: "medium" },
+    { id: "config", label: "Runtime configuration", kind: "service", risk: "medium" },
     { id: "owners", label: "Service owners", kind: "service", risk: "low" },
-    { id: "tickets", label: "Response work items", kind: "integration", risk: "low" },
+    { id: "tickets", label: "Owner handoff work", kind: "integration", risk: "low" },
   ],
   edges: [
-    { id: "siem-edr", source: "siem", target: "edr", label: "alert evidence" },
-    { id: "siem-identity", source: "siem", target: "identity", label: "user context" },
-    { id: "identity-cloud", source: "identity", target: "cloud", label: "session activity" },
-    { id: "cloud-app", source: "cloud", target: "app", label: "affected service" },
-    { id: "app-repo", source: "app", target: "repo", label: "code owner lookup" },
+    { id: "repo-app", source: "repo", target: "app", label: "source context" },
+    { id: "app-auth", source: "app", target: "auth", label: "auth boundary" },
+    { id: "repo-deps", source: "repo", target: "deps", label: "package evidence" },
+    { id: "repo-ci", source: "repo", target: "ci", label: "release guardrails" },
+    { id: "app-config", source: "app", target: "config", label: "runtime context" },
     { id: "repo-owners", source: "repo", target: "owners", label: "ownership" },
     { id: "owners-tickets", source: "owners", target: "tickets", label: "handoff" },
   ],
@@ -35,38 +35,38 @@ export const systemGraph: SystemGraph = {
 export const expertTeam = [
   {
     name: "Nova",
-    role: "Incident Cartographer",
-    focus: "Maps alerts, entities, assets, owners, and investigation paths.",
-    status: "Investigation graph ready",
+    role: "System Cartographer",
+    focus: "Maps routes, packages, controls, owners, and remediation paths.",
+    status: "AppSec graph ready",
   },
   {
     name: "Rhea",
-    role: "Alert Triage Agent",
-    focus: "Cuts duplicate signals, groups related alerts, and ranks urgency.",
-    status: "Triage complete",
+    role: "Auth Boundary Agent",
+    focus: "Reviews auth, tenant, session, middleware, and permission-sensitive paths.",
+    status: "Boundary review complete",
   },
   {
     name: "Kade",
-    role: "Threat Investigator",
-    focus: "Checks identity, endpoint, cloud, and repo context for a coherent case.",
-    status: "Correlating evidence",
+    role: "Dependency Analyst",
+    focus: "Checks package evidence, lockfile exposure, ownership, and release risk.",
+    status: "Correlating package evidence",
   },
   {
     name: "Mira",
-    role: "Response Planner",
-    focus: "Drafts response tasks with owners, approvals, and rollback notes.",
+    role: "CI/Config Analyst",
+    focus: "Reviews pipeline, runtime configuration, environment references, and guardrails.",
     status: "Plan ready",
   },
   {
     name: "Ilya",
     role: "Control Verifier",
-    focus: "Checks whether compensating controls already reduced the risk.",
+    focus: "Checks whether compensating controls already reduce AppSec risk.",
     status: "Verification running",
   },
   {
     name: "Vera",
     role: "Human Review Agent",
-    focus: "Prepares the analyst handoff and keeps risky actions behind approval.",
+    focus: "Prepares owner handoff and keeps risky actions behind approval.",
     status: "Preparing handoff",
   },
 ];
@@ -74,32 +74,32 @@ export const expertTeam = [
 export const loops: AssessmentLoop[] = [
   {
     id: "loop-1",
-    title: "Map the incident",
-    strategy: "Correlate SIEM, EDR, identity, cloud, repo, and ownership context.",
+    title: "Map the AppSec graph",
+    strategy: "Correlate source, routes, auth, dependencies, CI, config, and ownership context.",
     agents: ["Nova", "Rhea"],
     findingsAdded: 1,
     graphChanges: 11,
-    nextHypothesis: "Identity event and endpoint alert point to the same privileged workflow.",
+    nextHypothesis: "Auth boundary and service ownership point to the same high-risk route.",
     status: "complete",
   },
   {
     id: "loop-2",
-    title: "Triage likely blast radius",
-    strategy: "Separate noisy alerts from assets, users, and services with real exposure.",
+    title: "Run parallel specialists",
+    strategy: "Split auth, dependency, ownership, config, and CI work across focused agents.",
     agents: ["Rhea", "Mira", "Kade"],
     findingsAdded: 3,
     graphChanges: 6,
-    nextHypothesis: "Cloud session and service owner data can narrow response scope.",
+    nextHypothesis: "Dependency and CI context can narrow which owners need action.",
     status: "complete",
   },
   {
     id: "loop-3",
     title: "Verify controls",
-    strategy: "Check safe evidence sources and existing controls before escalation.",
+    strategy: "Check safe source evidence and existing controls before escalation.",
     agents: ["Ilya", "Mira"],
     findingsAdded: 1,
     graphChanges: 3,
-    nextHypothesis: "Evidence supports two high-confidence response tasks.",
+    nextHypothesis: "Evidence supports two high-confidence owner handoffs.",
     status: "running",
   },
   {
@@ -109,7 +109,7 @@ export const loops: AssessmentLoop[] = [
     agents: ["Vera"],
     findingsAdded: 0,
     graphChanges: 1,
-    nextHypothesis: "Stop after response plan generation unless new evidence appears.",
+    nextHypothesis: "Stop after owner handoff generation unless new evidence appears.",
     status: "queued",
   },
 ];
@@ -117,38 +117,38 @@ export const loops: AssessmentLoop[] = [
 export const findings: Finding[] = [
   {
     id: "BG-104",
-    title: "Privileged session touched billing export path after unusual login",
+    title: "Billing export route crosses auth and ownership boundaries",
     severity: "high",
     confidence: "high",
     status: "open",
     owner: "Security Engineering",
-    affectedNodeIds: ["identity", "app", "repo"],
+    affectedNodeIds: ["auth", "app", "repo"],
     evidence: [
-      "Identity events show a new device for an admin user.",
-      "Endpoint telemetry puts the same user on a managed laptop.",
+      "Auth middleware and billing export route sit in the same request path.",
+      "Tenant ownership checks are owned by Security Engineering.",
       "Code ownership maps the touched billing export path to the Payments team.",
     ],
-    businessImpact: "The case may be benign, but it crosses identity, endpoint, and sensitive billing code in one short window.",
-    fixPlan: "Ask the owner to verify the session, check device posture, and review the export route permissions before closing the case.",
-    verificationStep: "Attach identity, EDR, and code-owner evidence to the work item; require analyst approval before closure.",
+    businessImpact: "The path touches sensitive billing exports and shared auth logic, so weak ownership can delay remediation.",
+    fixPlan: "Ask the owner to verify tenant checks, route permissions, and billing export ownership before release.",
+    verificationStep: "Attach route, auth, and code-owner evidence to the work item; require analyst approval before closure.",
     cwe: "CWE-862",
     asvs: "ASVS 4.3.1",
     kev: false,
   },
   {
     id: "BG-117",
-    title: "Payment webhook alert lacks owner and rollback path",
+    title: "Payment webhook route lacks owner and rollback path",
     severity: "high",
     confidence: "medium",
     status: "in_progress",
     owner: "Payments",
-    affectedNodeIds: ["siem", "app", "owners"],
+    affectedNodeIds: ["app", "config", "owners"],
     evidence: [
-      "SIEM alert is tied to the Stripe webhook route.",
+      "Source inventory maps the Stripe webhook route.",
       "Service ownership points to Payments, not the platform queue.",
       "No rollback note is attached to the current ticket template.",
     ],
-    businessImpact: "A real payment incident can sit in the wrong queue while billing state changes continue.",
+    businessImpact: "A payment security issue can sit in the wrong queue while billing state changes continue.",
     fixPlan: "Create a Payments-owned response task with webhook replay checks, rollback owner, and customer-impact notes.",
     verificationStep: "Reviewer confirms owner assignment and rollback path before the work item is marked ready.",
     cwe: "CWE-345",
@@ -157,18 +157,18 @@ export const findings: Finding[] = [
   },
   {
     id: "BG-122",
-    title: "Dependency signal affects service in active incident path",
+    title: "Dependency signal affects a service on the AppSec graph",
     severity: "medium",
     confidence: "high",
     status: "ready_for_review",
     owner: "Platform",
-    affectedNodeIds: ["repo", "cloud"],
+    affectedNodeIds: ["repo", "deps"],
     evidence: [
       "Lockfile contains a vulnerable transitive package below the patched advisory range.",
-      "The package is pulled into the service linked to the active alert.",
+      "The package is pulled into a service on the approved mission graph.",
       "CISA KEV enrichment raised response priority.",
     ],
-    businessImpact: "The package issue is no longer just backlog hygiene because it sits on the current incident graph.",
+    businessImpact: "The package issue is no longer just backlog hygiene because it sits on the current AppSec graph.",
     fixPlan: "Update the parent package, regenerate the lockfile, and attach the SBOM diff to the response task.",
     verificationStep: "Confirm the affected package is absent from the production dependency graph.",
     cve: "CVE-2025-47281",
@@ -178,17 +178,17 @@ export const findings: Finding[] = [
   },
   {
     id: "BG-131",
-    title: "Low-confidence alert kept out of the response queue",
+    title: "Low-confidence signal kept out of the owner queue",
     severity: "medium",
     confidence: "medium",
     status: "open",
-    owner: "SOC Analyst",
-    affectedNodeIds: ["siem", "edr"],
+    owner: "AppSec Reviewer",
+    affectedNodeIds: ["repo", "ci"],
     evidence: [
-      "Alert pattern matched an older detection rule.",
-      "Endpoint and identity context did not support escalation.",
+      "Pattern matched an older dependency signal.",
+      "Graph and ownership context did not support escalation.",
     ],
-    businessImpact: "Without filtering, analysts waste time on a weak signal while higher-confidence work waits.",
+    businessImpact: "Without filtering, reviewers waste time on a weak signal while higher-confidence handoffs wait.",
     fixPlan: "Keep the evidence on the case, but do not create an owner task unless a second signal appears.",
     verificationStep: "Reviewer checks that no response task was created for the weak signal.",
     cwe: "CWE-1032",
@@ -199,9 +199,9 @@ export const findings: Finding[] = [
 
 export const evidenceTimeline = [
   ["09:41", "Scope gate", "Owned systems confirmed; response actions require approval."],
-  ["09:43", "Graph update", "Mapped 8 nodes across SIEM, EDR, identity, cloud, app, repo, owners, and work items."],
-  ["09:47", "Agent handoff", "Triage Agent and Threat Investigator started parallel evidence review."],
-  ["09:52", "Finding", "BG-104 promoted to high confidence after identity and endpoint correlation."],
-  ["09:57", "Finding", "BG-117 kept at medium confidence pending Payments owner confirmation."],
+  ["09:43", "Graph update", "Mapped 8 nodes across repo, app, auth, dependencies, CI, config, owners, and work items."],
+  ["09:47", "Agent handoff", "Auth Boundary Agent and Dependency Analyst started parallel evidence review."],
+  ["09:52", "Handoff", "BG-104 promoted to high confidence after route and auth correlation."],
+  ["09:57", "Handoff", "BG-117 kept at medium confidence pending Payments owner confirmation."],
   ["10:04", "Owner handoff", "BG-122 moved to review with SBOM verification step."],
 ];
diff --git a/packages/shared/src/schemas/appsec.test.ts b/packages/shared/src/schemas/appsec.test.ts
index cf41113..57e9a83 100644
--- a/packages/shared/src/schemas/appsec.test.ts
+++ b/packages/shared/src/schemas/appsec.test.ts
@@ -31,7 +31,7 @@ describe("AppSec scope gate", () => {
     });
     expect(result.allowed).toBe(false);
     expect(result.reasons).toContain("Third-party targets are outside scope.");
-    expect(result.reasons).toContain("Destructive testing is disabled for safe SOC runs.");
+    expect(result.reasons).toContain("Destructive testing is disabled for safe AppSec missions.");
   });
 
   it("requires allowed hosts for staging URL assessments", () => {
diff --git a/packages/shared/src/schemas/appsec.ts b/packages/shared/src/schemas/appsec.ts
index e6b0ea7..1b5cd60 100644
--- a/packages/shared/src/schemas/appsec.ts
+++ b/packages/shared/src/schemas/appsec.ts
@@ -112,7 +112,7 @@ export function validateScopeGate(scope: EngagementScope): ScopeGateResult {
   if (!scope.ownedEnvironment) reasons.push("Target must be an owned or explicitly authorized environment.");
   if (!scope.authorizationConfirmed) reasons.push("Authorization must be confirmed before execution.");
   if (scope.thirdPartyTargets) reasons.push("Third-party targets are outside scope.");
-  if (scope.destructiveTesting) reasons.push("Destructive testing is disabled for safe SOC runs.");
+  if (scope.destructiveTesting) reasons.push("Destructive testing is disabled for safe AppSec missions.");
   if (scope.targetType === "staging-url" && scope.allowedHosts.length === 0) {
     reasons.push("Staging URL runs require at least one allowed host.");
   }
diff --git a/packages/shared/src/schemas/assessment.test.ts b/packages/shared/src/schemas/assessment.test.ts
index 0b066ff..3a1cf0c 100644
--- a/packages/shared/src/schemas/assessment.test.ts
+++ b/packages/shared/src/schemas/assessment.test.ts
@@ -70,7 +70,7 @@ describe("GitHub issue payload", () => {
     };
 
     const payload = buildGitHubIssuePayload(finding);
-    expect(payload.labels).toEqual(["northwall", "agentic-soc", "security-operations", "high", "backend"]);
+    expect(payload.labels).toEqual(["northwall", "agentic-appsec", "appsec-orchestration", "high", "backend"]);
   });
 });
 
diff --git a/packages/shared/src/schemas/assessment.ts b/packages/shared/src/schemas/assessment.ts
index 73771fb..91f8685 100644
--- a/packages/shared/src/schemas/assessment.ts
+++ b/packages/shared/src/schemas/assessment.ts
@@ -205,6 +205,6 @@ export function buildGitHubIssuePayload(finding: VulnerabilityFinding): {
   return {
     title: finding.issueTitle,
     body: finding.issueBody,
-    labels: Array.from(new Set(["northwall", "agentic-soc", "security-operations", finding.severity, finding.confidence, ...finding.labels])),
+    labels: Array.from(new Set(["northwall", "agentic-appsec", "appsec-orchestration", finding.severity, finding.confidence, ...finding.labels])),
   };
 }