Glossary
Cybersecurity Fundamentals and Acronyms
Establish a baseline vocabulary for cybersecurity conversations.
FUNDAMENTALS
Cybersecurity Terminology
Endpoint: Any device that connects to the network. Laptops, desktops, servers, phones, tablets, IoT devices. Each endpoint is a potential entry point for attackers.
Network: The infrastructure connecting endpoints. Routers, switches, firewalls, cables, wireless access points. The network is where traffic flows between systems.
Cloud: Infrastructure and applications hosted by third parties. AWS, Azure, Google Cloud Platform, SaaS applications like Salesforce or Microsoft 365. Cloud environments follow a shared-responsibility model: the provider secures the underlying platform, while the customer remains responsible for configuration, identities, and data, which is a different security model than on-premises infrastructure.
Identity: User accounts, credentials, access permissions. Who can access what. Identity is a primary target for attackers because valid credentials bypass many defenses.
Threat: Something trying to cause harm. External attackers, malware, ransomware gangs, nation-state actors, malicious insiders. Threats are the adversaries security defends against.
Vulnerability: A weakness that can be exploited. Unpatched software, misconfigured systems, weak passwords, missing security controls. Vulnerabilities are the gaps threats exploit.
Attack Surface: All the ways an attacker could get in. Every endpoint, every application, every user account, every external-facing service. Larger attack surfaces mean more potential entry points.
Detection: Identifying that something suspicious or malicious is happening. The process of finding threats in the environment through monitoring, alerting, and analysis.
Response: Taking action to contain, remediate, and recover from an incident. The actions taken after a threat is detected to stop damage and restore normal operations.
Incident: A confirmed security event requiring response. Not every alert is an incident. An incident is a verified threat that needs action.
Alert: A notification that something might be wrong. Generated by detection systems when rules trigger. Alerts require triage to determine if they are real threats.
False Positive: An alert that turns out to be nothing. Noise. Legitimate activity that triggered a detection rule. Too many false positives overwhelm analysts and obscure real threats.
True Positive: An alert that turns out to be real. Signal. An actual threat that was correctly detected. The goal is to maximize true positives while minimizing false positives, without tuning rules so aggressively that real threats stop generating alerts at all (false negatives, which never show up in the queue and so are the hardest to measure).
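The detection, alert, triage, incident and true/false positive terms above describe one pipeline. The following added example (not part of the original glossary) walks constructed sshd-style log lines through it: a detection rule raises alerts, a triage step decides which ones are incidents, and a precision figure falls out. The log lines, the failure threshold, and the "known VPN egress" triage context are all constructed for illustration.

```python
"""Alert triage over constructed log lines:
detection rule -> alert -> triage -> incident or false positive.

Added example, not from the original glossary. The log lines, the
failure threshold and the KNOWN_EGRESS context are constructed.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sshd-style log lines (sample input, not real data).
SAMPLE_LOGS = """\
Jan 10 09:00:01 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 50112 ssh2
Jan 10 09:00:02 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 50113 ssh2
Jan 10 09:00:03 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 50114 ssh2
Jan 10 09:00:04 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 50115 ssh2
Jan 10 09:00:05 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 50116 ssh2
Jan 10 09:00:09 bastion sshd[2201]: Accepted password for admin from 203.0.113.7 port 50117 ssh2
Jan 10 09:15:00 bastion sshd[2300]: Failed password for jdoe from 198.51.100.20 port 40000 ssh2
Jan 10 09:15:01 bastion sshd[2300]: Failed password for jdoe from 198.51.100.20 port 40001 ssh2
Jan 10 09:15:02 bastion sshd[2300]: Failed password for jdoe from 198.51.100.20 port 40002 ssh2
Jan 10 09:15:03 bastion sshd[2300]: Failed password for jdoe from 198.51.100.20 port 40003 ssh2
Jan 10 09:15:04 bastion sshd[2300]: Failed password for jdoe from 198.51.100.20 port 40004 ssh2
Jan 10 09:15:20 bastion sshd[2300]: Accepted publickey for jdoe from 198.51.100.20 port 40005 ssh2
Jan 10 10:00:00 bastion sshd[2400]: Accepted publickey for svc-backup from 10.0.0.5 port 33000 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?P<method>password|publickey) "
    r"for (?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+) port \d+"
)

FAILURE_THRESHOLD = 5          # constructed tuning value for the rule
KNOWN_EGRESS = {"198.51.100.20"}  # constructed triage context: verified corporate VPN egress


@dataclass
class Alert:
    rule: str
    user: str
    src: str
    failures: int
    method: str
    disposition: str = "untriaged"


def parse(raw_logs):
    """Yield the fields of every line the regex understands; skip the rest."""
    for line in raw_logs.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def detect(events):
    """Detection rule: FAILURE_THRESHOLD or more failed passwords from one source
    for one user, followed by a successful login for that same pair."""
    failures = Counter()
    alerts = []
    for e in events:
        key = (e["src"], e["user"])
        if e["outcome"] == "Failed":
            failures[key] += 1
        else:  # Accepted
            if failures[key] >= FAILURE_THRESHOLD:
                alerts.append(Alert("brute_force_then_success", e["user"], e["src"],
                                    failures[key], e["method"]))
            failures[key] = 0  # a success resets the streak either way
    return alerts


def triage(alert):
    """Analyst logic: a user who fumbled a password from corporate egress and then
    logged in with a key is noise; anything else becomes an incident."""
    if alert.src in KNOWN_EGRESS and alert.method == "publickey":
        alert.disposition = "false_positive"
    else:
        alert.disposition = "true_positive"
    return alert


def run_pipeline(raw_logs):
    alerts = [triage(a) for a in detect(parse(raw_logs))]
    tp = sum(a.disposition == "true_positive" for a in alerts)
    return {
        "alerts": alerts,
        "incidents": [a for a in alerts if a.disposition == "true_positive"],
        "true_positives": tp,
        "false_positives": len(alerts) - tp,
        "precision": tp / len(alerts) if alerts else None,
    }


if __name__ == "__main__":
    result = run_pipeline(SAMPLE_LOGS)
    for a in result["alerts"]:
        print(f"{a.rule}: {a.user}@{a.src} after {a.failures} failures "
              f"({a.method}) -> {a.disposition}")
    print("precision:", result["precision"])
```

Both bursts of failed logins trip the same rule, so the rule alone cannot tell them apart; that is the alert-versus-incident distinction. Only the triage context separates the admin login from an unknown address (incident) from the jdoe key-based login from known egress (false positive). Note that the svc-backup login never produces an alert, so if it were actually malicious it would be a false negative the precision figure cannot see.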
ACRONYMS
Cybersecurity Glossary
BYOT (Bring Your Own Technology): A model where the provider works with the customer's existing tools rather than requiring new ones. The customer keeps their SIEM, EDR, and other investments. The provider integrates with what exists.
CASB (Cloud Access Security Broker): A security tool that monitors and controls access to cloud applications. Provides visibility into cloud usage and enforces security policies for SaaS and cloud services.
CISO (Chief Information Security Officer): The executive responsible for security strategy, risk management, and the security program. The person accountable for protecting the organization from cyber threats.
CIO (Chief Information Officer): The executive responsible for IT infrastructure and technology. Often has security reporting to them in organizations without a separate CISO.
CNAPP (Cloud-Native Application Protection Platform): A security platform that combines workload protection, configuration management, vulnerability scanning, and runtime protection for cloud-native environments including containers, Kubernetes, and serverless functions.
DLP (Data Loss Prevention): Tools and policies that detect and prevent sensitive data from leaving the organization. DLP monitors email, file transfers, cloud uploads, and endpoint activity to block unauthorized sharing of confidential information.
EDR (Endpoint Detection and Response): Software installed on endpoints that monitors behavior, detects threats, and enables response actions on those devices.
IAM (Identity and Access Management): The discipline and tools for managing user identities and controlling access to resources. Includes authentication, authorization, and access governance.
ICS (Industrial Control Systems): Systems that control industrial processes like manufacturing, power generation, and utilities. A subset of operational technology with specific security requirements.
IOC (Indicator of Compromise): Evidence that a breach has occurred. A malicious IP address, a file hash from known malware, a suspicious domain. Specific artifacts that indicate an attacker was present. IOCs are precise but short-lived: an attacker can rotate an IP or recompile a binary far more easily than change how they operate, so IOC matching catches known campaigns, while behavior-based detection (see TTP) is needed for the next one.
IDS/IPS (Intrusion Detection System / Intrusion Prevention System): Network security tools that monitor traffic for malicious activity. IDS detects and alerts, and can run out-of-band on a tap or mirror port. IPS detects and blocks, so it must sit inline in the traffic path, which means a false positive there drops legitimate traffic rather than just raising a ticket. Often built into next-generation firewalls.
MDR (Managed Detection and Response): An outsourced service focused on detecting threats and responding to them on the customer's behalf. A subset of MSSP focused specifically on detection and response.
MFA (Multi-Factor Authentication): Authentication requiring multiple proof factors: something you know (password), something you have (phone, key), something you are (biometric). Reduces risk from stolen passwords, but the factors are not equal: SMS codes and push prompts can be phished or approved out of fatigue, while FIDO2/WebAuthn hardware keys bind the login to the site and resist phishing.
MSSP (Managed Security Service Provider): An outsourced provider that handles security operations. MSSPs monitor, detect, and respond on the customer's behalf, typically providing 24/7 coverage.
NDR (Network Detection and Response): Monitors network traffic for suspicious patterns. Detects command and control communications, data exfiltration, lateral movement.
NGFW (Next-Generation Firewall): A firewall that goes beyond traditional port/protocol filtering to include application awareness, intrusion prevention, and advanced threat detection.
NOC (Network Operations Center): The team that monitors and manages network infrastructure. Responsible for uptime, performance, and infrastructure health. The IT operations counterpart to the security-focused SOC.
OCSF (Open Cybersecurity Schema Framework): An open standard for normalizing security log data across vendors and platforms. Backed by AWS, Splunk, IBM, and others to enable cross-platform detection and interoperability.
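The value of a common schema is that one detection rule can run over events from different products. The added example below (not part of the original glossary and not OCSF project code) maps a Windows Security log record and an sshd log line into minimal OCSF Authentication events and then runs a single failed-logon rule over both. The raw records are constructed. The field names and the Authentication class_uid of 3002 follow the OCSF 1.x schema as I recall it; check them against https://schema.ocsf.io before relying on them.

```python
"""Normalizing two vendor log formats into OCSF Authentication events,
then running one rule over the combined stream.

Added example, not from the original glossary and not OCSF project code.
The raw records are constructed. OCSF field names and class/activity/status
identifiers are reproduced from memory of the 1.x schema (assumption);
verify them against https://schema.ocsf.io.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# Constructed raw records: Windows Security log as a forwarder might emit it (4624 = success,
# 4625 = failure), and two sshd lines from a Linux host.
WINDOWS_EVENTS = [
    {"EventID": 4625, "TimeCreated": "2024-01-10T09:00:01Z", "TargetUserName": "admin",
     "IpAddress": "203.0.113.7", "LogonType": 10},
    {"EventID": 4625, "TimeCreated": "2024-01-10T09:00:03Z", "TargetUserName": "admin",
     "IpAddress": "203.0.113.7", "LogonType": 10},
    {"EventID": 4624, "TimeCreated": "2024-01-10T09:30:00Z", "TargetUserName": "jdoe",
     "IpAddress": "10.0.0.12", "LogonType": 2},
]
SSHD_LINES = """\
Jan 10 09:00:05 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 50116 ssh2
Jan 10 09:00:09 bastion sshd[2201]: Accepted publickey for svc-backup from 10.0.0.5 port 33000 ssh2
"""

# OCSF identifiers (assumed from the 1.x schema; see module docstring).
CLASS_UID_AUTHENTICATION = 3002
CATEGORY_UID_IAM = 3
ACTIVITY_LOGON = 1
STATUS_SUCCESS, STATUS_FAILURE = 1, 2


def _ocsf_event(product, vendor, user, src_ip, success, epoch_ms):
    """Build a minimal OCSF Authentication event with the fields the rule below needs."""
    return {
        "class_uid": CLASS_UID_AUTHENTICATION,
        "category_uid": CATEGORY_UID_IAM,
        "activity_id": ACTIVITY_LOGON,
        "type_uid": CLASS_UID_AUTHENTICATION * 100 + ACTIVITY_LOGON,
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "time": epoch_ms,
        "user": {"name": user},
        "src_endpoint": {"ip": src_ip},
        "metadata": {"version": "1.1.0",
                     "product": {"name": product, "vendor_name": vendor}},
    }


def normalize_windows(rec):
    """Map Windows logon events; anything that is not 4624/4625 is not an authentication event."""
    if rec["EventID"] not in (4624, 4625):
        return None
    ts = datetime.fromisoformat(rec["TimeCreated"].replace("Z", "+00:00"))
    return _ocsf_event("Security", "Microsoft", rec["TargetUserName"], rec["IpAddress"],
                       rec["EventID"] == 4624, int(ts.timestamp() * 1000))


SSHD_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+) port"
)


def normalize_sshd(line, year=2024):
    """Map an sshd auth line; syslog timestamps carry no year, so one is supplied."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return _ocsf_event("sshd", "OpenSSH", m["user"], m["ip"],
                       m["outcome"] == "Accepted", int(ts.timestamp() * 1000))


def normalize_all():
    events = [normalize_windows(r) for r in WINDOWS_EVENTS]
    events += [normalize_sshd(line) for line in SSHD_LINES.splitlines()]
    return [e for e in events if e is not None]


def failed_logons_by_source(events, threshold=3):
    """One rule over every product: source IPs with at least `threshold` failed logons."""
    failures = Counter(e["src_endpoint"]["ip"] for e in events
                       if e["class_uid"] == CLASS_UID_AUTHENTICATION
                       and e["status_id"] == STATUS_FAILURE)
    return {ip: n for ip, n in failures.items() if n >= threshold}


if __name__ == "__main__":
    evts = normalize_all()
    print(json.dumps(evts[0], indent=2))
    print(failed_logons_by_source(evts))
```

Neither source crosses the threshold on its own (two Windows failures, one sshd failure), so a per-product rule would stay silent; the normalized stream shows three failures from one address. That cross-source visibility is the interoperability the entry refers to.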
OT (Operational Technology): Hardware and software that controls physical processes and equipment. Manufacturing systems, building automation, industrial equipment. Different security requirements than traditional IT.
PAM (Privileged Access Management): Controls for privileged accounts (admins, root users) that have broad system access. Includes credential vaulting, session recording, and just-in-time access.
SASE (Secure Access Service Edge): A framework combining networking and security delivered from the cloud. Includes SWG, CASB, ZTNA, and SD-WAN capabilities. Pronounced "sassy."
SD-WAN (Software-Defined Wide Area Network): Technology that uses software to manage connectivity across distributed locations, routing traffic intelligently across multiple connection types.
SIEM (Security Information and Event Management): The central platform that collects logs from across the environment, correlates events, and surfaces alerts. It is the place where cross-source correlation happens, but it only sees what is fed to it: a source that was never onboarded, or a log type filtered out to save on ingest cost, is a blind spot no correlation rule can fill.
SOAR (Security Orchestration, Automation, and Response): Automates response workflows. When an alert fires, SOAR kicks off playbooks to enrich, decide, contain, and notify.
SOC (Security Operations Center): The team of analysts who monitor, investigate, and respond to threats. Can be in-house or outsourced.
SSO (Single Sign-On): Authentication that allows users to log in once and access multiple applications without re-authenticating. It centralizes policy enforcement, but it also concentrates risk: a stolen SSO session token or a compromised identity-provider account reaches every connected application, so SSO should be paired with MFA and bounded session lifetimes.
SWG (Secure Web Gateway): Inspects and filters web traffic. Blocks malicious sites, enforces acceptable use policies, scans downloads for malware.
TTP (Tactics, Techniques, and Procedures): The methods attackers use, from the high-level goal (tactic) through the general method (technique) down to the specific implementation (procedure). MITRE ATT&CK is the common catalog. Detection built on TTPs is more durable than IOC matching, because attackers change infrastructure and tooling far more often than they change how they operate.
WAF (Web Application Firewall): Protects web applications by filtering and monitoring HTTP traffic. Defends against attacks like SQL injection and cross-site scripting (XSS) that target application vulnerabilities rather than network infrastructure. A WAF is a compensating control that buys time; the underlying vulnerability still needs to be fixed in the application.
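The IOC and TTP entries above make opposite trade-offs: indicators are exact but brittle, behaviors are fuzzier but survive an attacker's infrastructure changes. The added example below (not part of the original glossary) runs both kinds of rule over constructed process-creation events: a campaign whose hash and C2 address are in the indicator feed, the same technique replayed with a rotated hash and address, and two benign PowerShell and Office events. Hashes, IPs and events are constructed placeholders; the ATT&CK technique IDs in the comments are real.

```python
"""IOC matching beside TTP (behavioural) detection over constructed
process-creation events.

Added example, not from the original glossary. Hashes, IPs and events are
constructed placeholders; the MITRE ATT&CK IDs cited in comments are real.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass
class ProcessEvent:
    host: str
    parent_image: str
    image: str
    command_line: str
    sha256: str
    dst_ip: Optional[str] = None  # outbound connection made by the process, if any


# Constructed IOC feed: artifacts pulled from a previously analysed intrusion ("campaign A").
IOC_FEED = {
    "sha256": {"7c1f" * 16},   # constructed 64-hex placeholder, not a real sample hash
    "ip": {"203.0.113.50"},    # constructed C2 address
}

# Constructed telemetry: campaign A replayed verbatim, campaign B with rotated
# hash and C2 address, a legitimate admin script, and Word printing via splwow64.
EVENTS = [
    ProcessEvent("ws-01", "WINWORD.EXE", "powershell.exe",
                 "powershell.exe -NoP -W Hidden -Enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
                 "7c1f" * 16, "203.0.113.50"),
    ProcessEvent("ws-02", "EXCEL.EXE", "powershell.exe",
                 "powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoA",
                 "e29a" * 16, "198.51.100.77"),
    ProcessEvent("ws-03", "explorer.exe", "powershell.exe",
                 "powershell.exe -File C:\\Scripts\\inventory.ps1",
                 "b0d1" * 16, None),
    ProcessEvent("ws-04", "WINWORD.EXE", "splwow64.exe",
                 "splwow64.exe 12288",
                 "a4c7" * 16, None),
]

OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
SUSPICIOUS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-windowstyle hidden")


def ioc_match(ev: ProcessEvent) -> list:
    """Atomic indicator match: exact file hash or destination IP from the feed."""
    hits = []
    if ev.sha256 in IOC_FEED["sha256"]:
        hits.append("sha256")
    if ev.dst_ip in IOC_FEED["ip"]:
        hits.append("ip")
    return hits


def ttp_match(ev: ProcessEvent) -> bool:
    """Behavioural rule: an Office application spawning a script host with an
    encoded or hidden command line. This is the macro-to-PowerShell chain of
    ATT&CK T1566.001 (spearphishing attachment) leading to T1059.001 (PowerShell)."""
    cmd = ev.command_line.lower()
    return (ev.parent_image.lower() in OFFICE_APPS
            and ev.image.lower() in SCRIPT_HOSTS
            and any(flag in cmd for flag in SUSPICIOUS_FLAGS))


def evaluate(events):
    """Run both rule types over every event and report what each one saw."""
    return {ev.host: {"ioc": ioc_match(ev), "ttp": ttp_match(ev)} for ev in events}


if __name__ == "__main__":
    for host, verdict in evaluate(EVENTS).items():
        print(f"{host}: ioc={verdict['ioc'] or 'none'} ttp={verdict['ttp']}")
```

The indicator rule catches only the replayed campaign; the rotated one sails past it with nothing changed but a recompile and a new server. The behavioural rule catches both, at the cost of needing tuning in environments where macro-driven PowerShell is a legitimate business workflow. That is why the two are complementary rather than alternatives.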
XDR (Extended Detection and Response): Integrates detection across endpoint, network, cloud, and identity into a unified view. "Extended" beyond just endpoints.
ZTNA (Zero Trust Network Access): Secure access to individual applications based on identity, device posture, and context, rather than placing the user on the network the way a traditional VPN does. Each connection is authorized per application, so a compromised device does not get a foothold on the wider network. Part of Zero Trust architecture.