The following are the common AppDefense concepts used in the documentation and user interface.

Scope
A Scope in AppDefense is the foundational component that establishes what the intended state and specific allowed behaviors of an application should be.
A Security Scope defines the relevant configuration elements to protect an application and its constituent workloads. These configuration elements are like a blueprint or a birth certificate for the application. A scope contains a description, member workloads, rules, and behaviors.
Service
A service is a tier or a role within a scope. Typically, homegrown applications have three services (Application, Web, and Database), but scopes can include more than three services (file server, print server, compliance server, and so on).
Member
A member is a virtual machine (VM) within a service. Members (or VMs) in a service must have an identical operating system (that is, within a service all the VMs must be homogeneous: either all Microsoft or all Linux).
Provisioning Events
AppDefense can tie into provisioning systems such as vRealize Automation or Puppet to define appropriate and allowed behaviors.
Behaviors
Behaviors are process executions (CLIs) and network activities (inbound and outbound connections) exhibited within a service.
Discovery Mode
When you set up your scopes and services, AppDefense automatically enters into discovery mode. Discovery mode is when AppDefense creates a list of allowed behaviors to build a blueprint or a birth certificate of the natural state of the application. This mode helps AppDefense to understand how the application must function so that AppDefense can identify malicious or unintended behaviors.
The orange color represents the VMs that are either in discovery mode or under protection.
Protected Mode
You can put your scope (application) into protected mode when AppDefense is no longer learning new behaviors, or when you are comfortable with the number of behaviors it has learned. However, it is a best practice to keep AppDefense in discovery mode for at least 14 days before moving to protected mode.