diff --git a/config/_default/menus/main.en.yaml b/config/_default/menus/main.en.yaml
index b3feb94f118ec..09bae3c947cd3 100644
--- a/config/_default/menus/main.en.yaml
+++ b/config/_default/menus/main.en.yaml
@@ -6005,66 +6005,91 @@ menu:
 parent: security_platform_heading
 identifier: cloud_siem
 weight: 20000
- - name: Content Packs
- url: security/cloud_siem/content_packs
+ - name: Ingest and Enrich
+ url: security/cloud_siem/ingest_and_enrich/
 parent: cloud_siem
- identifier: cloud_siem_content_packs
+ identifier: cloud_siem_ingest_and_enrich
 weight: 1
- - name: Detection Rules
- url: security/cloud_siem/detection_rules
+ - name: Content Packs
+ url: security/cloud_siem/ingest_and_enrich/content_packs
+ parent: cloud_siem_ingest_and_enrich
+ identifier: cloud_siem_content_packs
+ weight: 101
+ - name: Threat Intelligence
+ url: security/cloud_siem/ingest_and_enrich/threat_intelligence
+ parent: cloud_siem_ingest_and_enrich
+ identifier: cloud_siem_threat_intelligence
+ weight: 102
+ - name: Open Cybersecurity Schema Framework
+ url: security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework
+ parent: cloud_siem_ingest_and_enrich
+ identifier: cloud_siem_open_cybersecurity_schema_framework
+ weight: 103
+ - name: Detect and Monitor
+ url: security/cloud_siem/detect_and_monitor/
 parent: cloud_siem
- identifier: cloud_siem_detection_rules
+ identifier: cloud_siem_detect_and_monitor
 weight: 2
- - name: Signal Correlation Rules
- url: security/cloud_siem/detection_rules/signal_correlation_rules
- parent: cloud_siem_detection_rules
+ - name: Custom Detection Rules
+ url: security/cloud_siem/detect_and_monitor/custom_detection_rules
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_custom_detection_rules
+ weight: 201
+ - name: Signal Correlation
+ url: security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules
+ parent: cloud_siem_custom_detection_rules
 identifier: cloud_siem_signal_correlation_rules
- weight: 20500
- - name: MITRE ATT&CK Map
- url: security/cloud_siem/detection_rules/mitre_attack_map
- parent: cloud_siem_detection_rules
- identifier: cloud_siem_mitre_attack_map
- weight: 20510
+ weight: 2101
 - name: OOTB Rules
 url: /security/default_rules/#cat-cloud-siem-log-detection
- parent: cloud_siem
+ parent: cloud_siem_detect_and_monitor
 identifier: cloud_siem_default_rules
- weight: 4
- - name: Threat Intelligence
- url: /security/cloud_siem/threat_intelligence
- parent: cloud_siem
- identifier: cloud_siem_threat_intelligence
- weight: 5
- - name: Open Cybersecurity Schema Framework
- url: /security/cloud_siem/open_cybersecurity_schema_framework
+ weight: 202
+ - name: Suppressions
+ url: security/cloud_siem/detect_and_monitor/suppressions
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_suppressions
+ weight: 203
+ - name: Historical Jobs
+ url: security/cloud_siem/detect_and_monitor/historical_jobs
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_log_historical_jobs
+ weight: 204
+ - name: MITRE ATT&CK Map
+ url: security/cloud_siem/detect_and_monitor/mitre_attack_map
+ parent: cloud_siem_detect_and_monitor
+ identifier: cloud_siem_mitre_attack_map
+ weight: 205
+ - name: Triage and Investigate
+ url: security/cloud_siem/triage_and_investigate
 parent: cloud_siem
- identifier: cloud_siem_open_cybersecurity_schema_framework
- weight: 5
+ identifier: cloud_siem_triage_and_investigate
+ weight: 3
 - name: Investigate Security Signals
- url: /security/cloud_siem/investigate_security_signals
- parent: cloud_siem
+ url: security/cloud_siem/triage_and_investigate/investigate_security_signals
+ parent: cloud_siem_triage_and_investigate
 identifier: cloud_siem_investigate_security_signals
- weight: 6
+ weight: 301
+ - name: Risk Insights
+ url: security/cloud_siem/triage_and_investigate/entities_and_risk_scoring
+ parent: cloud_siem_triage_and_investigate
+ identifier: cloud_siem_entities_and_risk_scoring
+ weight: 302
 - name: Investigator
- url: security/cloud_siem/investigator
- parent: cloud_siem
+ url: security/cloud_siem/triage_and_investigate/investigator
+ parent: cloud_siem_triage_and_investigate
 identifier: cloud_siem_investigator
- weight: 7
- - name: Historical Jobs
- url: security/cloud_siem/historical_jobs
- parent: cloud_siem
- identifier: cloud_siem_log_historical_jobs
- weight: 8
- - name: Risk Insights
- url: security/cloud_siem/entities_and_risk_scoring
+ weight: 303
+ - name: Respond and Report
+ url: security/cloud_siem/respond_and_report
 parent: cloud_siem
- identifier: cloud_siem_entities_and_risk_scoring
- weight: 9
+ identifier: cloud_siem_respond_and_report
+ weight: 4
 - name: Security Operational Metrics
- url: security/cloud_siem/security_operational_metrics/
- parent: cloud_siem
+ url: security/cloud_siem/respond_and_report/security_operational_metrics
+ parent: cloud_siem_respond_and_report
 identifier: siem_security_operational_metrics
- weight: 10
+ weight: 401
 - name: Guides
 url: security/cloud_siem/guide/
 parent: cloud_siem
diff --git a/content/en/getting_started/integrations/aws.md b/content/en/getting_started/integrations/aws.md
index 3dec35847b954..4d48eed71930c 100644
--- a/content/en/getting_started/integrations/aws.md
+++ b/content/en/getting_started/integrations/aws.md
@@ -279,7 +279,7 @@ If you encounter the error `Datadog is not authorized to perform sts:AssumeRole`
 [49]: /watchdog/
 [50]: /getting_started/cloud_siem/
 [51]: /security/default_rules/#cat-log-detection
-[52]: /security/cloud_siem/investigate_security_signals
+[52]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [53]: /security/notifications/rules/
 [54]: /security/cloud_security_management/setup/
 [55]: /security/default_rules/#cat-posture-management-cloud
diff --git a/content/en/getting_started/security/cloud_siem.md b/content/en/getting_started/security/cloud_siem.md
index 7cacd7f14b81d..c19b0e491c221 100644
--- a/content/en/getting_started/security/cloud_siem.md
+++ b/content/en/getting_started/security/cloud_siem.md
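Review bot: The four new section entries are inconsistent about trailing slashes: `url: security/cloud_siem/ingest_and_enrich/` and `url: security/cloud_siem/detect_and_monitor/` end with `/` while `url: security/cloud_siem/triage_and_investigate` and `url: security/cloud_siem/respond_and_report` do not, and the moved Security Operational Metrics entry drops the slash its old `security/cloud_siem/security_operational_metrics/` URL had. Whether Hugo's menu active-state matching treats both forms alike depends on how this site resolves relative menu URLs, so the safe choice is one convention for every `url:` in the block. I would normalise to the trailing-slash form already used by the unchanged `url: security/cloud_siem/guide/` entry, e.g. `url: security/cloud_siem/triage_and_investigate/` and `url: security/cloud_siem/respond_and_report/`. The `menu:` mapping this hunk edits starts before the hunk, so sibling entries outside it were not checked.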
@@ -132,15 +132,15 @@ Contact [support][26] to disable Cloud SIEM.
 [12]: /security/default_rules/#cat-cloud-siem-log-detection
 [13]: /security/detection_rules/
 [14]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%20OR%20%22Signal%20Correlation%22%29&column=time&order=desc&product=siem&view=signal&viz=stream&start=1676321431953&end=1676407831953&paused=false
-[15]: /security/cloud_siem/investigate_security_signals
+[15]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [16]: https://app.datadoghq.com/security/configuration/notification-rules
 [17]: /security/notifications/rules/
 [18]: https://app.datadoghq.com/security/configuration/reports
 [19]: https://app.datadoghq.com/security/investigator/
-[20]: /security/cloud_siem/investigator
+[20]: /security/cloud_siem/triage_and_investigate/investigator
 [21]: https://app.datadoghq.com/dashboard/lists/preset/100
 [22]: /dashboards/#overview
 [23]: /security/suppressions/
-[24]: /security/cloud_siem/detection_rules/
+[24]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
 [25]: https://www.datadoghq.com/blog/writing-datadog-security-detection-rules/
 [26]: /help/
diff --git a/content/en/integrations/guide/amazon-eks-audit-logs.md b/content/en/integrations/guide/amazon-eks-audit-logs.md
index dbfd8deb55f3b..3fe08f788bc75 100644
--- a/content/en/integrations/guide/amazon-eks-audit-logs.md
+++ b/content/en/integrations/guide/amazon-eks-audit-logs.md
@@ -76,10 +76,10 @@ To create a rule, navigate to the in-app [Rule Setup and Configuration][13] page
 [5]: /logs/guide/send-aws-services-logs-with-the-datadog-lambda-function/?tab=awsconsole#set-up-triggers
 [6]: https://console.aws.amazon.com/lambda/home#/functions
 [7]: https://app.datadoghq.com/logs
-[8]: /security/cloud_siem/detection_rules/
+[8]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
 [9]: /getting_started/cloud_siem/#phase-2-signal-exploration
 [10]: https://app.datadoghq.com/security
 [11]: /security/default_rules/#cat-cloud-siem
 [12]: /security/detection_rules/#creating-and-managing-detection-rules
 [13]: https://app.datadoghq.com/security/configuration/rules/new?product=siem
-[14]: /security/cloud_siem/detection_rules/?tab=threshold#choose-a-detection-method
+[14]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#choose-a-detection-method
diff --git a/content/en/security/cloud_siem/_index.md b/content/en/security/cloud_siem/_index.md
index aaad2659df4ff..3a266d3f8b222 100644
--- a/content/en/security/cloud_siem/_index.md
+++ b/content/en/security/cloud_siem/_index.md
@@ -258,6 +258,11 @@ See which rules are the noisiest by calculating the percentage of signals that a
 {{< partial name="whats-next/whats-next.html" >}}
+<<<<<<< HEAD
+[1]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
+[2]: /security/default_rules#cat-cloud-siem
+[3]: /security/detection_rules
+=======
 [1]: https://securitylabs.datadoghq.com/
 [2]: https://www.datadoghq.com/product/cloud-siem/
 [3]: https://app.datadoghq.com/security/home?
@@ -268,4 +273,5 @@ See which rules are the noisiest by calculating the percentage of signals that a
 [8]: /logs/log_configuration/archives/
 [9]: /security/cloud_siem/content_packs/
 [10]: /logs/explorer/search_syntax/
-[11]: /logs/explorer/
\ No newline at end of file
+[11]: /logs/explorer/
+>>>>>>> master
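Review bot: The added lines `<<<<<<< HEAD`, `=======` and `>>>>>>> master` in the two hunks of `content/en/security/cloud_siem/_index.md` are unresolved merge-conflict markers being committed, so the rendered page will show them as text and the reference list defines `[1]`, `[2]` and `[3]` twice (Markdown keeps the first definition, here the HEAD side, and silently ignores the second). The conflict needs resolving before merge: drop the three marker lines and keep exactly one `[1]`–`[3]` set, chosen by checking which targets the body text actually references; from the hunks alone I cannot tell whether `[1]` should be the `triage_and_investigate/investigate_security_signals` link or the `securitylabs.datadoghq.com` link. In the second hunk `[9]: /security/cloud_siem/content_packs/` also still points at the pre-move path, which now works only through the alias this commit adds, whereas the other files in the diff were updated to `/security/cloud_siem/ingest_and_enrich/content_packs`.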
diff --git a/content/en/security/cloud_siem/detect_and_monitor/_index.md b/content/en/security/cloud_siem/detect_and_monitor/_index.md
new file mode 100644
index 0000000000000..e7352d88df528
--- /dev/null
+++ b/content/en/security/cloud_siem/detect_and_monitor/_index.md
@@ -0,0 +1,6 @@
+---
+title: Detect and Monitor
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/detection_rules/_index.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md
similarity index 99%
rename from content/en/security/cloud_siem/detection_rules/_index.md
rename to content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md
index 3e49c5e9064b9..3483c6086052a 100644
--- a/content/en/security/cloud_siem/detection_rules/_index.md
+++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/_index.md
@@ -1,5 +1,5 @@
 ---
-title: Detection Rules
+title: Custom Detection Rules
 type: documentation
 aliases:
 - /security_platform/detection_rules/cloud_siem
@@ -11,6 +11,7 @@ aliases:
 - /security/detection_rules/security_monitoring
 - /security/detection_rules/create_a_new_rule
 - /security/cloud_siem/log_detection_rules/
+ - /security/cloud_siem/detection_rules/
 further_reading:
 - link: "/cloud_siem/default_rules/"
 tag: "Documentation"
@@ -439,5 +440,5 @@ The rule deprecation process is as follows:
 [2]: /security/detection_rules/#clone-a-rule
 [3]: https://app.datadoghq.com/logs/
 [4]: https://app.datadoghq.com/security/rules
-[5]: /security/cloud_siem/historical_jobs/
+[5]: /security/cloud_siem/detect_and_monitor/historical_jobs/
 [6]: /security/default_rules/?category=cat-cloud-siem-log-detection#all
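Review bot: The body of the new `detect_and_monitor/_index.md` is the placeholder `TKTK`, so the section landing page that the new `Detect and Monitor` menu entry points at would publish with placeholder text; the same `TKTK` body is in the new `ingest_and_enrich/_index.md`, `respond_and_report/_index.md` and `triage_and_investigate/_index.md` further down this diff. Each landing page needs at least a one-paragraph introduction naming its child pages (Custom Detection Rules, Suppressions, Historical Jobs, MITRE ATT&CK Map for this one), or, if the site has a section partial that lists children automatically, that partial in place of `TKTK`. All four files also end without a trailing newline (`\ No newline at end of file`).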
diff --git a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules.md
similarity index 98%
rename from content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
rename to content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules.md
index 724924728d96a..7751734c88ce9 100644
--- a/content/en/security/cloud_siem/detection_rules/signal_correlation_rules.md
+++ b/content/en/security/cloud_siem/detect_and_monitor/custom_detection_rules/signal_correlation_rules.md
@@ -4,6 +4,7 @@ type: documentation
 aliases:
 - /security_platform/cloud_siem/signal_correlation_rules
 - /security/cloud_siem/signal_correlation_rules
+ - /security/cloud_siem/detection_rules/signal_correlation_rules
 further_reading:
 - link: "/cloud_siem/explorer/"
 tag: "Documentation"
diff --git a/content/en/security/cloud_siem/historical_jobs.md b/content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md
similarity index 98%
rename from content/en/security/cloud_siem/historical_jobs.md
rename to content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md
index 1db589701361d..fe0e459fe29e9 100644
--- a/content/en/security/cloud_siem/historical_jobs.md
+++ b/content/en/security/cloud_siem/detect_and_monitor/historical_jobs.md
@@ -1,5 +1,7 @@
 ---
 title: Historical Jobs
+aliases:
+ - /security/cloud_siem/historical_jobs/
 further_reading:
 - link: "https://www.datadoghq.com/blog/cloud-siem-historical-jobs/"
 tag: "Blog"
diff --git a/content/en/security/cloud_siem/detection_rules/mitre_attack_map.md b/content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md
similarity index 94%
rename from content/en/security/cloud_siem/detection_rules/mitre_attack_map.md
rename to content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md
index 38eace9a457c9..5f97bc639bc0c 100644
--- a/content/en/security/cloud_siem/detection_rules/mitre_attack_map.md
+++ b/content/en/security/cloud_siem/detect_and_monitor/mitre_attack_map.md
@@ -3,8 +3,9 @@ title: MITRE ATT&CK Map
 disable_toc: false
 aliases:
 - /security/cloud_siem/detection_rules/attack_map
+ - /security/cloud_siem/detection_rules/mitre_attack_map
 further_reading:
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
 tag: "Documentation"
 text: "Create custom detection rules"
 - link: "https://www.datadoghq.com/blog/cloud-siem-mitre-attack-map/"
@@ -63,4 +64,4 @@ This is an example of the format you need to use for tagging custom rules and th
 [1]: https://app.datadoghq.com/security/rules
 [2]: https://docs.datadoghq.com/security/cloud_siem/guide/how-to-setup-security-filters-using-cloud-siem-api/
 [3]: https://app.datadoghq.com/security/rules?query=product=siem&sort=date&viz=attck-map
-[4]: https://docs.datadoghq.com/security/cloud_siem/detection_rules/?tab=threshold
+[4]: https://docs.datadoghq.com/security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold
diff --git a/content/en/security/cloud_siem/detect_and_monitor/suppressions.md b/content/en/security/cloud_siem/detect_and_monitor/suppressions.md
new file mode 100644
index 0000000000000..4500e95c1769b
--- /dev/null
+++ b/content/en/security/cloud_siem/detect_and_monitor/suppressions.md
@@ -0,0 +1,6 @@
+---
+title: Suppressions
+disable_toc: false
+---
+
+{{< include-markdown "security/suppressions" >}}
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md b/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md
index 3e41b9f95d1bf..73456cd383f6e 100644
--- a/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md
+++ b/content/en/security/cloud_siem/guide/automate-the-remediation-of-detected-threats.md
@@ -1,7 +1,7 @@
 ---
 title: Automate the Remediation of Detected Threats with Webhooks
 further_reading:
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
 tag: "Documentation"
 text: "Start investigating signals in the Signals Explorer"
 aliases:
@@ -94,6 +94,6 @@ Datadog generates the Security Signal, which details the offense as well as the
 [2]: https://app.datadoghq.com/account/settings#integrations/webhooks
 [3]: /security/detection_rules/
 [4]: https://www.datadoghq.com/blog/new-term-detection-method-datadog/
-[5]: /security/cloud_siem/detection_rules/?tab=threshold#new-value
+[5]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#new-value
 [6]: https://www.datadoghq.com/blog/detect-abuse-of-functionality-with-datadog/
-[7]: /security/cloud_siem/detection_rules/?tab=threshold#define-a-search-query
\ No newline at end of file
+[7]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#define-a-search-query
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md b/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md
index 48b4c55aba0ca..241ff739d88d8 100644
--- a/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md
+++ b/content/en/security/cloud_siem/guide/aws-config-guide-for-cloud-siem.md
@@ -4,10 +4,10 @@ further_reading:
 - link: "/security/default_rules/#cat-cloud-siem-log-detection"
 tag: "Documentation"
 text: "Explore Cloud SIEM default detection rules"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
 tag: "Documentation"
 text: "Learn about the Security Signals Explorer"
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
 tag: "Documentation"
 text: "Create new detection rules"
 - link: "/getting_started/integrations/aws/"
@@ -64,7 +64,7 @@ Since Cloud SIEM applies detection rules to all processed logs, see the [in-app
 [1]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%22Log%20Detection%22
 [9]: https://app.datadoghq.com/security?query=%40workflow.rule.type%3A%28%22Log%20Detection%22%29%20&column=time&order=desc&product=siem
-[10]: /security/cloud_siem/investigate_security_signals
+[10]: /security/cloud_siem/triage_and_investigate/investigate_security_signals
 [11]: https://app.datadoghq.com/dash/integration/30459/aws-cloudtrail
 [12]: https://docs.datadoghq.com/security/default_rules/#cat-cloud-siem
 [13]: https://docs.datadoghq.com/security/detection_rules/
diff --git a/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md b/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md
index e1a1dbf297d0d..d55c114eaad88 100644
--- a/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md
+++ b/content/en/security/cloud_siem/guide/azure-config-guide-for-cloud-siem.md
@@ -4,10 +4,10 @@ further_reading:
 - link: "/security/default_rules/#cat-cloud-siem-log-detection"
 tag: "Documentation"
 text: "Explore Cloud SIEM default detection rules"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
 tag: "Documentation"
 text: "Learn about the Security Signals Explorer"
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
 tag: "Documentation"
 text: "Create new detection rules"
 ---
diff --git a/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md b/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md
index ad6de03ce6c54..af3b411e93758 100644
--- a/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md
+++ b/content/en/security/cloud_siem/guide/google-cloud-config-guide-for-cloud-siem.md
@@ -4,10 +4,10 @@ further_reading:
 - link: "/security/default_rules/#cat-cloud-siem-log-detection"
 tag: "Documentation"
 text: "Explore Cloud SIEM default detection rules"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
 tag: "Documentation"
 text: "Learn about the Security Signals Explorer"
-- link: "/security/cloud_siem/detection_rules/"
+- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"
 tag: "Documentation"
 text: "Create new detection rules"
 - link: "/integrations/google_cloud_platform/#log-collection"
diff --git a/content/en/security/cloud_siem/ingest_and_enrich/_index.md b/content/en/security/cloud_siem/ingest_and_enrich/_index.md
new file mode 100644
index 0000000000000..db8231c18f55e
--- /dev/null
+++ b/content/en/security/cloud_siem/ingest_and_enrich/_index.md
@@ -0,0 +1,6 @@
+---
+title: Ingest and Enrich
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/content_packs.md b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md
similarity index 90%
rename from content/en/security/cloud_siem/content_packs.md
rename to content/en/security/cloud_siem/ingest_and_enrich/content_packs.md
index f972302dad4a4..08f94ddfc9fd7 100644
--- a/content/en/security/cloud_siem/content_packs.md
+++ b/content/en/security/cloud_siem/ingest_and_enrich/content_packs.md
@@ -1,6 +1,8 @@
 ---
 title: Content Packs
 disable_toc: true
+aliases:
+ - /security/cloud_siem/content_packs
 further_reading:
 - link: "/security/cloud_siem/detection_rules"
 tag: "Documentation"
@@ -8,7 +10,7 @@ further_reading:
 - link: "security/cloud_siem/investigator"
 tag: "Documentation"
 text: "Learn more about the Investigator"
-- link: "/security/cloud_siem/investigate_security_signals"
+- link: "/security/cloud_siem/triage_and_investigate/investigate_security_signals"
 tag: "Documentation"
 text: "Investigate security signals"
 - link: "https://www.datadoghq.com/blog/cloud-siem-content-packs-whats-new-2024-09/"
@@ -43,5 +45,5 @@ further_reading:
 [1]: https://app.datadoghq.com/security/content-packs
 [2]: /security/detection_rules/
-[3]: /security/cloud_siem/investigator
+[3]: /security/cloud_siem/triage_and_investigate/investigator
 [4]: /service_management/workflows/
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/open_cybersecurity_schema_framework.md b/content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md
similarity index 98%
rename from content/en/security/cloud_siem/open_cybersecurity_schema_framework.md
rename to content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md
index 71dc578ed2b9a..ec522ac82f9ae 100644
--- a/content/en/security/cloud_siem/open_cybersecurity_schema_framework.md
+++ b/content/en/security/cloud_siem/ingest_and_enrich/open_cybersecurity_schema_framework.md
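Review bot: In `content_packs.md` the `further_reading` entries `- link: "/security/cloud_siem/detection_rules"` (first hunk) and `- link: "security/cloud_siem/investigator"` (second hunk) are left on the pre-move paths while the `investigate_security_signals` link between them is updated, so they now resolve only through the aliases this commit adds on the renamed pages. Changing them to `- link: "/security/cloud_siem/detect_and_monitor/custom_detection_rules/"` and `- link: "/security/cloud_siem/triage_and_investigate/investigator"` keeps the front matter consistent with the `[3]` reference that the third hunk does update. The same stale `- link: "security/cloud_siem/detection_rules"` is visible as context in the `threat_intelligence.md` hunk further down.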
@@ -1,6 +1,8 @@
 ---
 title: Open Cybersecurity Schema Framework (OCSF) Common Data Model in Datadog
 disable_toc: false
+aliases:
+ - /security/cloud_siem/open_cybersecurity_schema_framework
 further_reading:
 - link: "logs/processing/pipelines"
 tag: "Documentation"
diff --git a/content/en/security/cloud_siem/threat_intelligence.md b/content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md
similarity index 99%
rename from content/en/security/cloud_siem/threat_intelligence.md
rename to content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md
index a10aee947835f..fafa0d0bd9cb8 100644
--- a/content/en/security/cloud_siem/threat_intelligence.md
+++ b/content/en/security/cloud_siem/ingest_and_enrich/threat_intelligence.md
@@ -1,6 +1,8 @@
 ---
 title: Threat Intelligence
 disable_toc: false
+aliases:
+ - /security/cloud_siem/threat_intelligence
 further_reading:
 - link: "security/cloud_siem/detection_rules"
 tag: "Documentation"
diff --git a/content/en/security/cloud_siem/respond_and_report/_index.md b/content/en/security/cloud_siem/respond_and_report/_index.md
new file mode 100644
index 0000000000000..7a1ca29b2f36a
--- /dev/null
+++ b/content/en/security/cloud_siem/respond_and_report/_index.md
@@ -0,0 +1,6 @@
+---
+title: Respond and Report
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/security_operational_metrics.md b/content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md
similarity index 96%
rename from content/en/security/cloud_siem/security_operational_metrics.md
rename to content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md
index edad03de2df6b..3d11ecbd1d5d1 100644
--- a/content/en/security/cloud_siem/security_operational_metrics.md
+++ b/content/en/security/cloud_siem/respond_and_report/security_operational_metrics.md
@@ -1,8 +1,10 @@
 ---
 title: Security Operational Metrics
 disable_toc: false
+aliases:
+ - /security/cloud_siem/security_operational_metrics
 further_reading:
-- link: "security/cloud_siem/investigate_security_signals"
+- link: "security/cloud_siem/triage_and_investigate/investigate_security_signals"
 tag: "Documentation"
 text: "Investigate Cloud SIEM Security Signals"
 - link: "getting_started/dashboards"
diff --git a/content/en/security/cloud_siem/triage_and_investigate/_index.md b/content/en/security/cloud_siem/triage_and_investigate/_index.md
new file mode 100644
index 0000000000000..0afdf83e84707
--- /dev/null
+++ b/content/en/security/cloud_siem/triage_and_investigate/_index.md
@@ -0,0 +1,6 @@
+---
+title: Triage and Investigate
+disable_toc: false
+---
+
+TKTK
\ No newline at end of file
diff --git a/content/en/security/cloud_siem/entities_and_risk_scoring.md b/content/en/security/cloud_siem/triage_and_investigate/entities_and_risk_scoring.md
similarity index 98%
rename from content/en/security/cloud_siem/entities_and_risk_scoring.md
rename to content/en/security/cloud_siem/triage_and_investigate/entities_and_risk_scoring.md
index f9a971ad65bf6..04e3549019c91 100644
--- a/content/en/security/cloud_siem/entities_and_risk_scoring.md
+++ b/content/en/security/cloud_siem/triage_and_investigate/entities_and_risk_scoring.md
@@ -1,5 +1,7 @@
 ---
 title: Risk Insights
+aliases:
+- /security/cloud_siem/entities_and_risk_scoring
 further_reading:
 - link: "https://www.datadoghq.com/blog/risk-prioritization-entity-analytics/"
 tag: Blog
diff --git a/content/en/security/cloud_siem/investigate_security_signals.md b/content/en/security/cloud_siem/triage_and_investigate/investigate_security_signals.md
similarity index 99%
rename from content/en/security/cloud_siem/investigate_security_signals.md
rename to content/en/security/cloud_siem/triage_and_investigate/investigate_security_signals.md
index c18ea343c4c23..508016ad428cd 100644
--- a/content/en/security/cloud_siem/investigate_security_signals.md
+++ b/content/en/security/cloud_siem/triage_and_investigate/investigate_security_signals.md
@@ -1,6 +1,8 @@
 ---
 title: Investigate Security Signals
 disable_toc: false
+aliases:
+ - /security/cloud_siem/investigate_security_signals
 further_reading:
 - link: "/cloud_siem/detection_rules/"
 tag: "Documentation"
diff --git a/content/en/security/cloud_siem/investigator.md b/content/en/security/cloud_siem/triage_and_investigate/investigator.md
similarity index 99%
rename from content/en/security/cloud_siem/investigator.md
rename to content/en/security/cloud_siem/triage_and_investigate/investigator.md
index 45bc169a30dd6..bafff22f47663 100644
--- a/content/en/security/cloud_siem/investigator.md
+++ b/content/en/security/cloud_siem/triage_and_investigate/investigator.md
@@ -6,6 +6,7 @@ aliases:
 - /security_platform/cloud_siem/investigator/
 - /security/cloud_siem/cloud_security_investigator/
 - /security/cloud_siem/cloud_siem_investigator/
+ - /security/cloud_siem/investigator/
 further_reading:
 - link: "/security/cloud_siem/guide/aws-config-guide-for-cloud-siem/"
 tag: "Documentation"
diff --git a/content/en/security/detection_rules/_index.md b/content/en/security/detection_rules/_index.md
index 0d51389c31787..7e14a6a8634b7 100644
--- a/content/en/security/detection_rules/_index.md
+++ b/content/en/security/detection_rules/_index.md
@@ -194,7 +194,7 @@ The rule deprecation process is as follows:
 [8]: /tracing/
 [9]: /agent/
 [10]: https://app.datadoghq.com/security/configuration/
-[11]: /security/cloud_siem/detection_rules/
+[11]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/
 [12]: /security/application_security/policies/custom_rules/
 [13]: /security/cloud_security_management/misconfigurations/custom_rules
 [14]: /security/workload_protection/workload_security_rules?tab=host#create-custom-rules
diff --git a/content/en/security/threats/workload_security_rules/custom_rules.md b/content/en/security/threats/workload_security_rules/custom_rules.md
index 3a27f3b62350f..7c3a5e7e91eae 100644
--- a/content/en/security/threats/workload_security_rules/custom_rules.md
+++ b/content/en/security/threats/workload_security_rules/custom_rules.md
@@ -266,7 +266,7 @@ You can also disable a rule by setting the **Then...** section of a rule to **Do
 [6]: https://app.datadoghq.com/security/configuration/workload/agent-rules
 [7]: /security/workload_protection/workload_security_rules
 [8]: /security/workload_protection/
-[9]: /security/cloud_siem/detection_rules/?tab=threshold#set-a-rule-case
+[9]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#set-a-rule-case
 [10]: https://app.datadoghq.com/notebook/list?type=runbook
 [11]: /account_management/rbac/permissions/
 [12]: /security/workload_protection/guide/active-protection
diff --git a/content/en/security/workload_protection/workload_security_rules/custom_rules.md b/content/en/security/workload_protection/workload_security_rules/custom_rules.md
index 699b2494ccbc8..88878e60cc3e5 100644
--- a/content/en/security/workload_protection/workload_security_rules/custom_rules.md
+++ b/content/en/security/workload_protection/workload_security_rules/custom_rules.md
@@ -233,7 +233,7 @@ You can also disable a rule by setting the **Then...** section of a rule to **Do
 [6]: https://app.datadoghq.com/security/configuration/workload/agent-rules
 [7]: /security/workload_protection/workload_security_rules
 [8]: /security/workload_protection/
-[9]: /security/cloud_siem/detection_rules/?tab=threshold#set-a-rule-case
+[9]: /security/cloud_siem/detect_and_monitor/custom_detection_rules/?tab=threshold#set-a-rule-case
 [10]: https://app.datadoghq.com/notebook/list?type=runbook
 [11]: /account_management/rbac/permissions/
 [12]: /security/workload_protection/guide/active-protection
diff --git a/layouts/partials/nav/left-nav.html b/layouts/partials/nav/left-nav.html
index 6ef5e91c77fb2..2776564cc0293 100644
--- a/layouts/partials/nav/left-nav.html
+++ b/layouts/partials/nav/left-nav.html
@@ -69,8 +69,8 @@