Update for SO-CON 2026

.gitignore

@@ -2,6 +2,8 @@
 .env
 .vscode
 test-report.md
+/resources
+/.claude
 
 # Byte-compiled / optimized / DLL files
 __pycache__/

README.md

@@ -14,7 +14,7 @@
 </p>
 
 
-# BloodHound Query Library 
+# BloodHound Query Library
 
 The BloodHound Query Library is a community-driven collection of [Cypher queries](https://support.bloodhoundenterprise.io/hc/en-us/articles/16721164740251) designed to help [BloodHound Community Edition](https://github.com/SpecterOps/BloodHound) and [BloodHound Enterprise](https://specterops.io/bloodhound-overview/) users to unlock the full potential of the flexible BloodHound platform by creating an open query ecosystem.
 
@@ -33,7 +33,25 @@ For an introduction to the project, please read our blog post:
 
 - [Introducing the BloodHound Query Library](https://specterops.io/blog/2025/06/17/introducing-the-bloodhound-query-library/)
 
-# Overview
+## Deprecation Notice: `system_tags` Queries
+
+Queries in the library currently use two methods to scope nodes to Tier Zero and Owned, supporting both old and new versions of BloodHound. At the end of July 2026, all queries will be updated to use the newer simpler method.
+
+Old versions require scoping with a node property and null handling:
+
+```cypher
+WHERE COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0'
+```
+
+New versions can use node labels directly:
+
+```cypher
+WHERE (n:Tag_Tier_Zero)
+```
+
+The simpler label-based approach was introduced with [Privilege Zones](https://specterops.io/privilege-zones/), which became generally available in [v2026.03.23](https://bloodhound.specterops.io/resources/release-notes/2026-03-23). Upgrade your BloodHound version to ensure queries from the library continue to work.
+
+## Overview
 
 The library contains queries that demonstrate BloodHound's versatility beyond traditional attack path analysis. This includes:
 - All existing pre-built queries from BloodHound
@@ -42,7 +60,7 @@ The library contains queries that demonstrate BloodHound's versatility beyond tr
 - Community contributed queries (see [Contributing](#contributing))
 - Novel queries to further showcase BloodHound's security assessment capabilities (see [security-assessment-mapping.md](/docs/security-assessment-mapping.md))
 
-Individual query files are stored in stored [/queries](/queries/) as `.yml` and are automatically combined into a single Queries.json/Queries.zip as part of our [releases](https://github.com/SpecterOps/BloodHoundQueryLibrary/releases).
+Individual query files are stored in [/queries](/queries/) as `.yml` and are automatically combined into a single Queries.json/Queries.zip as part of our [releases](https://github.com/SpecterOps/BloodHoundQueryLibrary/releases).
 
 The query files use the YAML structure found in [query-structure.yml](/docs/query-structure.yml), for example:
 
@@ -67,6 +85,12 @@ acknowledgements: Martin Sohn Christensen, @martinsohndk
 
 Whenever new queries are added, the syntax is automatically validated, ensuring that only syntactically compatible queries are added.
 
+## Security Assessment Mapping
+
+BloodHound queries in this library have been mapped to controls from common security assessment tools, demonstrating how BloodHound can validate findings typically associated with dedicated tools like PingCastle, Microsoft Defender for Identity, and Tenable Nessus.
+
+For full coverage details and mapping structure, see [security-assessment-mapping.md](/docs/security-assessment-mapping.md).
+
 ## Learning Cypher Queries
 
 One of BloodHound’s key features is its flexibility through Cypher queries – a query language to search the BloodHound graph database.
@@ -78,7 +102,7 @@ The library gives you practical examples for learning Cypher and can be combined
 - [openCypher resources](https://opencypher.org/resources/)
 - [Neo4j Cypher Cheat Sheet](https://neo4j.com/docs/cypher-cheat-sheet/current/lists/)
 
-You can also learn with the communty by joining the #cypher_queries channel in the [BloodHound community Slack](https://support.bloodhoundenterprise.io/hc/en-us/articles/16730536907547).
+You can also learn with the community by joining the #cypher_queries channel in the [BloodHound community Slack](https://support.bloodhoundenterprise.io/hc/en-us/articles/16730536907547).
 
 ## BloodHound Operator usage example
 
@@ -95,9 +119,8 @@ Example: Run a query in BloodHound:
 ```powershell
 $queries[0] | BHInvoke
 ```
-```
-
 
+```powershell
 Name      : Tier Zero / High Value external Entra ID users
 Query     : MATCH (n:AZUser)
             WHERE ((n:Tag_Tier_Zero) OR COALESCE(n.system_tags, '') CONTAINS 'admin_tier_0')
@@ -145,7 +168,7 @@ $queries | % {
 
 The BloodHound Query Library's success depends on community participation. BloodHound users who have developed useful queries are encouraged to contribute them to the library.
 
-Before comitting, please ensure that:
+Before committing, please ensure that:
 - The query follows the [YAML query structure](docs/query-structure.yml).
 - The query is compatible with the [latest BloodHound CE version](https://github.com/SpecterOps/BloodHound)
-- The query passess all automated CI/CD tests
+- The query passes all automated CI/CD tests