diff --git a/handbook/company/pricing-features-table.yml b/handbook/company/pricing-features-table.yml index 965b6c106b..cd6ef72cda 100644 --- a/handbook/company/pricing-features-table.yml +++ b/handbook/company/pricing-features-table.yml @@ -35,7 +35,7 @@ # ╚═╗║ ╠╦╝║╠═╝ ║ ║╣ ╔╩╦╝║╣ ║ ║ ║ ║ ║║ ║║║║ # ╚═╝╚═╝╩╚═╩╩ ╩ ╚═╝╩ ╚═╚═╝╚═╝╚═╝ ╩ ╩╚═╝╝╚╝ - industryName: Script execution - fiendlyName: Safely execute custom scripts (macOS, Windows, and Linux) + friendlyName: Safely execute custom scripts (macOS, Windows, and Linux) description: Deploy and execute custom scripts using a REST API, and manage your library of scripts in the UI or a git repo. documentationUrl: https://fleetdm.com/docs/using-fleet/scripts tier: Premium @@ -71,7 +71,7 @@ - description: quote: moreInfoUrl: - buzzwords: [Attack surface management (ASM),Endpoint hardening,Security posture,Cyber hygiene,Threat hunting] + buzzwords: [Attack surface management (ASM),Endpoint hardening,Security posture,Cyber hygiene,Anomaly detection,Configuration management] waysToUse: - description: Monitor devices that don't meet your organization's custom security policies - description: Quickly report your posture and vulnerabilities to auditors, showing remediation status and timing. 
@@ -176,17 +176,22 @@ # ╔╦╗╔═╗╦ ╦ ╦╔═╗╦═╗╔═╗ ╔╦╗╔═╗╔╦╗╔═╗╔═╗╔╦╗╦╔═╗╔╗╔ ┌─╦ ╦╔═╗╦═╗╔═╗─┐ # ║║║╠═╣║ ║║║╠═╣╠╦╝║╣ ║║║╣ ║ ║╣ ║ ║ ║║ ║║║║ │ ╚╦╝╠═╣╠╦╝╠═╣ │ # ╩ ╩╩ ╩╩═╝╚╩╝╩ ╩╩╚═╚═╝ ═╩╝╚═╝ ╩ ╚═╝╚═╝ ╩ ╩╚═╝╝╚╝ └─ ╩ ╩ ╩╩╚═╩ ╩─┘ - - industryName: Malware detection (YARA) - fiendlyName: Scan files for malware signatures + - industryName: Malware detection (YARA) # TODO: consider: technically more than YARA, consider generalizing this and including the concept of comparing known binary hashes (either via live query or in the data lake to compare threat intel feed) + friendlyName: Scan files for malware signatures description: Report and trigger automations when malware or other unexpected files are detected on a host using YARA signatures. documentationUrl: https://fleetdm.com/tables/yara tier: Free dri: mikermcneil usualDepartment: Security productCategories: [Endpoint operations,Vulnerability management] - buzzwords: [YARA scanning,Antivirus (AV),Endpoint protection platform (EPP),Signature-based malware detection,Malware scanning,Malware analysis,Anomaly detection] + buzzwords: [YARA scanning,Cyber Threat Intelligence (CTI),Indicators of compromise (IOCs),Antivirus (AV),Endpoint protection platform (EPP),Endpoint detection and response (EDR),Malware detection,Signature-based malware detection,Malware scanning,Malware analysis,Anomaly detection] + demos: + - description: A top media company used Fleet policies with YARA rules to continuously scan host filesystems for malware signatures provided by internal and external threat intelligence teams. + moreInfoUrl: # short demo video waysToUse: - - description: Write YARA rules to continuously scan host filesystems for malware signatures using policies. + - description: Detect suspicious bytecode in JAR files + - description: Identify suspicious patterns in binaries using YARA signatures # (≈regular expressions for binary) + - description: Continuously scan host filesystems for malware signatures. 
moreInfoUrl: https://yara.readthedocs.io/en/stable/writingrules.html - description: Monitor for relevent filesystem changes (YARA events) and on-demand YARA signature scans. moreInfoUrl: https://osquery.readthedocs.io/en/stable/deployment/yara/ 
@@ -200,6 +205,68 @@ moreInfoUrl: https://osquery.readthedocs.io/en/stable/deployment/anomaly-detection/ - description: Run a targeted YARA scan with osquery as a lightweight approach to scan anything on a host filesystem, with minimal performance impact. Unlike full system YARA scans which consume considerable CPU resources, an equivalent YARA scan targeted in Fleet can be 8x cheaper (CPU %). moreInfoUrl: https://www.tripwire.com/state-of-security/signature-socket-based-malware-detection-osquery-yara + - industryName: Detection engineering + friendlyName: # Ship logs to your data lake and comopare with known bad binary hashes or capture behavioral data and build custom detections (e.g. using a framework like MITRE) + description: + documentationUrl: + tier: Free + dri: mikermcneil + usualDepartment: Security + productCategories: [Endpoint operations] + buzzwords: [Security analytics,Behavioral analytics,MITRE ATT&CK,Tactics techniques and procedures (TTPs),Security information and event management (SIEM)] + demos: + - description: + moreInfoUrl: + waysToUse: + - description: + - industryName: Threat hunting + friendlyName: # TODO: live query + description: + documentationUrl: + tier: Free + dri: mikermcneil + usualDepartment: Security + productCategories: [Endpoint operations] + buzzwords: [] + demos: + - description: + moreInfoUrl: + waysToUse: + - description: + - industryName: Incident response + friendlyName: # TODO: live query, triage, figuring out scope of impact, remediate using scripts, MDM commands (e.g. remote wipe), and quarantine or reimage using other systems and APIs (e.g. 
remove from network, decommission container) + description: + documentationUrl: + tier: Free + dri: mikermcneil + usualDepartment: Security + productCategories: [Endpoint operations] + buzzwords: [] + demos: + - description: + moreInfoUrl: + waysToUse: + - description: + - industryName: Binary authorization + friendlyName: Restrict what programs can run, and what files running programs can access. + description: + documentationUrl: + tier: Free + dri: mikermcneil + usualDepartment: Security + productCategories: [Endpoint operations] + comingSoonOn: YYYY-MM-DD + buzzwords: [Mandatory Access Control (MAC),Privilege confinement,Binary authorization,Santa,Binary allowlisting,Binary whitelisting] + demos: + - description: + moreInfoUrl: + waysToUse: + - description: Confine programs to a limited set of resources. + - description: Report on AppArmor events + moreInfoUrl: https://fleetdm.com/tables/apparmor_events + - description: Confine programs according to a set of rules that specify which files a program can access. + moreInfoUrl: https://wiki.debian.org/AppArmor + - description: Proactively protect the system against both known and unknown vulnerabilities. # ╔═╗╔═╗╔═╗╔╗╔╔╦╗ ╔═╗╦ ╦╔╦╗╔═╗ ╦ ╦╔═╗╔╦╗╔═╗╔╦╗╔═╗ # ╠═╣║ ╦║╣ ║║║ ║ ╠═╣║ ║ ║ ║ ║───║ ║╠═╝ ║║╠═╣ ║ ║╣ # ╩ ╩╚═╝╚═╝╝╚╝ ╩ ╩ ╩╚═╝ ╩ ╚═╝ ╚═╝╩ ═╩╝╩ ╩ ╩ ╚═╝
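Review bot: The `fiendlyName` to `friendlyName` correction in the Script execution entry (`@@ -35,7 +35,7 @@`) is right, but this hunk fixes only one instance while the YARA hunk of the same patch fixes another, so grep the file for any remaining `fiendlyName` keys; a misspelled key is valid YAML and fails silently as an undefined `friendlyName` at render time rather than as a parse error.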
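Review bot: In `@@ -71,7 +71,7 @@`, dropping `Threat hunting` from this entry's buzzwords is consistent with the dedicated `Threat hunting` entry added later in this patch, but the new `Anomaly detection` term now also appears in the YARA entry's buzzwords; if buzzwords drive search or matching on the pricing page, confirm that the same term on two entries is intended rather than a leftover from moving it.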
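Review bot: In the YARA hunk (`@@ -176,17 +176,22 @@`), the new `demos` item pairs a specific customer claim with an empty `moreInfoUrl:` (only a `# short demo video` comment), so the value parses as null while the claim has nothing backing it on the page; fill in the link or hold the demo until it exists, and check that the renderer tolerates a null `moreInfoUrl`. Minor points: the long `# TODO: consider:` comment on the `industryName` line belongs in an issue rather than the published data file; the three new `waysToUse` descriptions are inconsistent in punctuation (`Continuously scan host filesystems for malware signatures.` ends with a period, the other two do not); and the unchanged context line `Monitor for relevent filesystem changes` carries a pre-existing typo (`relevant`) that could be fixed in passing.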
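Review bot: In `@@ -200,6 +205,68 @@`, four new entries ship with `friendlyName:` left empty behind `# TODO:` comments, together with empty `description`, `documentationUrl`, `demos[].description`, `demos[].moreInfoUrl` and `waysToUse[].description` values and `buzzwords: []`; all of these parse as YAML null or empty, so unless the consumer skips entries whose `friendlyName` is null, the pricing table will render blank rows and empty bullets. Either keep these entries out of the committed file until they are populated or add a guard in the renderer. `comingSoonOn: YYYY-MM-DD` on the Binary authorization entry is a literal placeholder string, not a date: if the field is parsed as a date it will fail, and if it is compared against today's date to hide the feature, the result is undefined; use a real date or omit the key. Also fix `comopare` to `compare` in the Detection engineering comment, and note that the last Binary authorization item (`Proactively protect the system against both known and unknown vulnerabilities.`) is a broad claim with no `moreInfoUrl`, unlike the neighbouring AppArmor items that link to documentation; pair it with a link or narrow it to what AppArmor confinement actually provides.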