ThreatStealth Cybersecurity Glossary

84 essential terms across 8 SecOps domains — attack types, malware, compliance frameworks, IAM, detection, network security, SOC operations, and vulnerability management.

// 84 terms · 8 categories · last updated 2026-05-06

A

Attack Types & Threat Actors

7 terms

Advanced Persistent Threat (APT)

A sophisticated, long-term cyberattack in which an intruder establishes an undetected presence in a network to steal data or cause damage over an extended period. APT actors are typically nation-state-sponsored or highly organized criminal groups.

See also: Lateral Movement, Kill Chain

Attack Surface

The total sum of different points (attack vectors) where an unauthorized user can try to enter or extract data from an environment. Reducing attack surface is a core principle of zero-trust architecture.

See also: Zero Trust, Misconfiguration

Attack Vector

The path or means by which a threat actor gains access to a target system. Common vectors include phishing emails, unpatched vulnerabilities, compromised credentials, and supply chain compromise.

See also: Phishing, Supply Chain Attack

BEC (Business Email Compromise)

A form of social engineering attack in which an attacker impersonates a business executive or trusted partner via email to trick employees into transferring funds or revealing sensitive information.

See also: Phishing, Social Engineering

Buffer Overflow

A vulnerability in which a program writes more data to a buffer than it can hold, causing adjacent memory to be overwritten. Attackers exploit this to inject malicious code or crash the target system.

See also: Exploit, Zero-Day

Command-and-Control (C2)

Infrastructure used by threat actors to remotely communicate with compromised systems (bots/implants). C2 channels are used to issue instructions, exfiltrate data, and maintain persistence. Beaconing to C2 servers is a primary detection signal.

See also: Beaconing, Lateral Movement

Credential Stuffing

An attack in which stolen username/password pairs from one breach are automatically tested against other services, exploiting users who reuse passwords across accounts.

See also: MFA, Phishing, IAM

C

Compliance, Risk & Frameworks

11 terms

CIS Controls

A prioritized set of 18 cybersecurity best practices developed by the Center for Internet Security. Organized into Implementation Groups (IG1-IG3) based on organizational maturity. Widely used as a practical complement to NIST CSF.

See also: NIST CSF, ISO 27001

Compensating Control

An alternative security measure implemented when a primary control cannot be applied. For example, if a legacy system cannot be patched, network segmentation may serve as a compensating control. Must be documented for audit purposes.

See also: Risk Quantification, Audit Trail

CVE (Common Vulnerabilities and Exposures)

A publicly disclosed list of cybersecurity vulnerabilities, each assigned a unique identifier (e.g., CVE-2024-1234). Maintained by MITRE and used universally to reference and track known vulnerabilities.

See also: CVSS, NVD, Patch Management

CVSS (Common Vulnerability Scoring System)

A standardized framework for rating the severity of security vulnerabilities on a scale of 0-10. Scores are derived from metrics including attack complexity, privileges required, and impact to confidentiality, integrity, and availability.

See also: CVE, Patch Management

Data Classification

The process of organizing data into categories (e.g., Public, Internal, Confidential, Restricted) based on sensitivity and business impact, enabling appropriate security controls and handling procedures for each tier.

See also: DLP, Compliance

ISO 27001

An internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). Certification demonstrates a structured approach to managing information security risks.

See also: NIST CSF, Audit Trail

MITRE ATT&CK

A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Used by security teams to map threat actor behavior, improve detection coverage, and prioritize defensive investments. Organized into Tactics (the 'why'), Techniques (the 'how'), and Sub-techniques.

See also: TTP, Threat Hunting

NIST CSF

The National Institute of Standards and Technology Cybersecurity Framework — a voluntary, risk-based framework organized around five core functions: Identify, Protect, Detect, Respond, and Recover. The de facto standard for U.S. federal and enterprise security programs.

See also: ISO 27001, Risk Quantification

Risk Quantification

The process of translating cybersecurity risks into financial and business impact terms, enabling the CISO to communicate risk to the board in dollars rather than technical severity ratings. Frameworks include FAIR (Factor Analysis of Information Risk).

See also: Threat Modeling, Residual Risk

Residual Risk

The risk that remains after security controls have been applied. Residual risk is accepted, transferred (via insurance), or mitigated further. CISOs must formally accept or escalate residual risk above defined thresholds.

See also: Risk Quantification, Compensating Control

Threat Modeling

A structured approach to identifying potential threats, attack vectors, and vulnerabilities in a system during the design phase. Common methodologies include STRIDE, PASTA, and DREAD. Output informs security architecture decisions and control prioritization.

See also: Attack Surface, Risk Quantification

D

Detection & Response

19 terms

Beaconing

Periodic outbound network communication from a compromised host to a C2 server, used to signal availability and receive instructions. Beacon intervals are often randomized (jittered) to evade detection. RITA and Zeek are commonly used to detect beaconing patterns.

See also: C2, RITA, Zeek

Chain of Custody

The documented, chronological record of who has collected, handled, transferred, and analyzed digital evidence during a forensic investigation. Maintaining chain of custody is critical for legal admissibility of evidence.

See also: Forensics, Incident Response

DFIR (Digital Forensics & Incident Response)

The combined discipline of collecting and preserving digital evidence (forensics) and responding to security incidents (IR). Tools like Velociraptor and GRR Rapid Response are core to DFIR workflows.

See also: Forensics, Root Cause Analysis

Dwell Time

The length of time an attacker has been present in a network before being detected. Industry average dwell time is approximately 16 days. Reducing dwell time is a primary goal of threat hunting and SIEM tuning.

See also: MTTD, Threat Hunting

EDR (Endpoint Detection and Response)

Security software deployed on endpoints to continuously monitor and collect data, detect suspicious behavior, and enable automated or manual response. EDR solutions provide telemetry for forensic investigation and are a cornerstone of modern SOC architecture.

See also: XDR, SIEM, SOAR

False Positive

An alert generated by a security tool that incorrectly identifies benign activity as malicious. High false-positive rates lead to alert fatigue and reduced analyst effectiveness. Tuning detection rules and applying ML-based scoring helps reduce false positives.

See also: Alert Fatigue, SIEM

IOC (Indicator of Compromise)

Artifacts observed in a network or on an endpoint that indicate a potential intrusion. Common IOCs include malicious IP addresses, file hashes, domain names, registry keys, and unusual process names. IOCs are shared via platforms like MISP and OpenCTI.

See also: MISP, Threat Intelligence, TTP

Kill Chain

A model (originally from Lockheed Martin) that describes the stages of a cyberattack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, and Actions on Objectives. Understanding the kill chain helps defenders identify where to interrupt an attack.

See also: MITRE ATT&CK, Lateral Movement

Lateral Movement

Techniques used by attackers to progressively move through a network after initial compromise, seeking access to higher-value assets. Common methods include pass-the-hash, Kerberoasting, and RDP hijacking.

See also: Kill Chain, Privilege Escalation, C2

MTTD (Mean Time to Detect)

The average time between when a security incident begins and when it is detected by the security team. A key performance indicator (KPI) for SOC effectiveness. Reducing MTTD limits attacker dwell time and minimizes damage.

See also: MTTR, Dwell Time, SOC

MTTR (Mean Time to Respond)

The average time from when an incident is detected to when it is fully contained and remediated. A primary KPI for incident response effectiveness. Automation via SOAR platforms significantly reduces MTTR.

See also: MTTD, SOAR, Incident Response

Persistence

Techniques used by attackers to maintain access to a compromised system across reboots, credential changes, or other disruptions. Common persistence mechanisms include scheduled tasks, registry run keys, and web shells.

See also: Kill Chain, Lateral Movement, C2

Post-Mortem

A structured review conducted after a security incident to document what happened, why it happened, and what can be improved. Also called a 'lessons learned' review. Outputs include updated playbooks, detection rules, and process improvements.

See also: Root Cause Analysis, Runbook

Root Cause Analysis (RCA)

The systematic process of identifying the fundamental cause of a security incident, rather than addressing only the symptoms. RCA findings drive permanent remediation and help prevent recurrence.

See also: Post-Mortem, DFIR

SIEM (Security Information and Event Management)

A platform that aggregates, normalizes, and correlates log data from across the environment to detect threats and support compliance. Modern SIEMs incorporate ML-based anomaly detection and integrate with SOAR for automated response. Examples: Elastic SIEM, Wazuh, Splunk.

See also: SOAR, EDR, XDR

SOAR (Security Orchestration, Automation and Response)

A platform that automates repetitive SOC tasks, orchestrates workflows across security tools, and enables consistent incident response. SOAR reduces MTTR by automating alert triage, ticket creation, and containment actions. Examples: Shuffle, Tines.

See also: SIEM, MTTR, Playbook

Threat Hunting

The proactive, human-led search for threats that have evaded automated detection within a network. Hunters use hypothesis-driven investigation, baselining normal behavior, and MITRE ATT&CK to identify attacker activity before alerts are triggered.

See also: IOC, TTP, MITRE ATT&CK

TTP (Tactics, Techniques, and Procedures)

The behavioral fingerprint of a threat actor — the goals they pursue (tactics), the methods they use (techniques), and the specific tools/procedures they employ. Mapped to MITRE ATT&CK for standardized tracking and detection engineering.

See also: MITRE ATT&CK, IOC, Threat Hunting

XDR (Extended Detection and Response)

An evolution of EDR that integrates telemetry from endpoints, networks, cloud workloads, and email into a unified detection and response platform. XDR correlates signals across layers to surface high-fidelity detections that siloed tools miss.

See also: EDR, SIEM, NDR

I

Identity & Access Management

8 terms

IAM (Identity and Access Management)

The framework of policies and technologies for managing digital identities and controlling user access to resources. Core IAM capabilities include authentication, authorization, lifecycle management, and access reviews.

See also: RBAC, MFA, PAM

IdP (Identity Provider)

A system that creates, maintains, and manages identity information and provides authentication services. Common IdPs include Okta, Azure Active Directory, and Ping Identity. IdPs are the foundation of SSO architectures.

See also: SSO, MFA, IAM

Least Privilege

The security principle that every user, process, or system should have only the minimum permissions required to perform its function. Enforcing least privilege limits the blast radius of credential compromise or insider threats.

See also: PAM, RBAC, IAM

MFA (Multi-Factor Authentication)

An authentication mechanism requiring users to provide two or more verification factors: something you know (password), something you have (token/app), or something you are (biometric). MFA is the single most effective control against credential-based attacks.

See also: IAM, Phishing, Credential Stuffing

PAM (Privileged Access Management)

Solutions for securing, managing, and monitoring access to critical systems by privileged accounts (admins, service accounts). PAM capabilities include session recording, just-in-time access, and password vaulting.

See also: Least Privilege, IAM, RBAC

Phishing

A social engineering attack in which a threat actor impersonates a trusted entity via email, SMS, or voice to trick victims into revealing credentials, clicking malicious links, or installing malware. Spear phishing targets specific individuals with personalized lures.

See also: BEC, Credential Stuffing, MFA

RBAC (Role-Based Access Control)

An access control model in which permissions are assigned to roles rather than individuals, and users are assigned roles based on their job function. RBAC simplifies access management and enforces least privilege at scale.

See also: Least Privilege, IAM, PAM

SSO (Single Sign-On)

An authentication scheme allowing users to log in once and gain access to multiple applications without re-authenticating. SSO improves usability and centralizes access control but creates a high-value target — requiring strong MFA protection.

See also: IdP, MFA, IAM

M

Malware & Exploit Types

11 terms

Cryptojacker

Malware that secretly uses the victim's computing resources to mine cryptocurrency for the attacker. Often delivered via browser-based scripts or compromised software packages. Detection relies on CPU/GPU anomaly monitoring.

See also: Malware, Rootkit

Exploit

Code or a technique that takes advantage of a vulnerability in software or hardware to cause unintended behavior, typically granting the attacker elevated access or code execution. Exploits targeting unpatched vulnerabilities are particularly dangerous.

See also: Zero-Day, Buffer Overflow, CVE

Injection

A class of attacks in which untrusted data is sent to an interpreter as part of a command or query. Subtypes include SQL injection, command injection, LDAP injection, and XSS. Injection vulnerabilities are perennially in the OWASP Top 10.

See also: OWASP, Exploit, Attack Vector

Keylogger

Malware that records keystrokes on a victim's device, capturing passwords, credit card numbers, and other sensitive input. Can be software-based or hardware-based (USB device). Often a component of larger RAT or spyware packages.

See also: RAT, Spyware, Malware

RAT (Remote Access Trojan)

Malware that opens a covert remote access channel to the attacker, enabling full control of the victim system. RATs typically include keylogging, screenshot capture, webcam access, and file exfiltration capabilities.

See also: C2, Malware, Persistence

Ransomware

Malware that encrypts a victim's files or systems and demands payment for the decryption key. Modern ransomware operations employ double extortion (encrypting AND threatening to publish stolen data). Backup integrity and network segmentation are primary defenses.

See also: Malware, Lateral Movement, Exfiltration

Rootkit

Malware designed to conceal its presence and the presence of other malicious software on a system, often by modifying the operating system kernel. Rootkits are extremely difficult to detect and typically require offline analysis or re-imaging to remove.

See also: Malware, Persistence, Forensics

Spyware

Malware that covertly monitors user activity and transmits information to a third party without the user's knowledge. Includes commercial stalkerware, nation-state implants, and adware-grade tracking software.

See also: RAT, Keylogger, Exfiltration

Trojan

Malware disguised as legitimate software that, when executed, performs malicious actions. Unlike viruses, Trojans do not self-replicate. Often used as a delivery mechanism for ransomware, RATs, or credential stealers.

See also: Malware, RAT, Supply Chain Attack

Wiper

Destructive malware designed to permanently destroy data on infected systems, with no financial motive. Wipers are frequently used in nation-state attacks to cause maximum disruption. Examples: Shamoon, HermeticWiper, CaddyWiper.

See also: Malware, APT

Zero-Day

A vulnerability that is unknown to the software vendor and for which no patch exists. Zero-day exploits are highly valuable to attackers because defenders have zero days to prepare a fix before exploitation begins. Active zero-days command high prices on underground markets.

See also: Exploit, CVE, Patch Management

N

Network Security

10 terms

Beaconing

See Beaconing under Detection & Response. Network-layer beaconing detection uses tools like RITA and Zeek to identify periodic outbound connections consistent with C2 communication.

See also: C2, RITA, Zeek

DNS Tunneling

A technique for exfiltrating data or establishing C2 communication by encoding information within DNS query/response traffic. Effective at bypassing firewalls that allow unrestricted DNS traffic. Detected via anomalous DNS query patterns and high-entropy subdomains.

See also: C2, Exfiltration, Zeek

East-West Traffic

Network traffic that moves laterally between systems within a data center or cloud environment, as opposed to north-south traffic moving between internal and external networks. Monitoring east-west traffic is critical for detecting lateral movement after initial breach.

See also: Lateral Movement, Micro-Segmentation, NDR

Micro-Segmentation

A network security technique that divides a network into small, isolated segments with granular access controls, limiting an attacker's ability to move laterally after initial compromise. Implemented at the workload or application level, typically in cloud or SDN environments.

See also: Zero Trust, East-West Traffic, Firewall

NDR (Network Detection and Response)

Security solutions that monitor network traffic to detect threats using behavioral analytics, ML, and threat intelligence. NDR provides visibility into east-west traffic that endpoint agents cannot see, and is a key component of XDR architectures.

See also: XDR, Zeek, SIEM

NetFlow

A network protocol (originally developed by Cisco) that collects IP traffic metadata — source/destination IPs, ports, protocols, and byte counts — without capturing full packet payloads. Used for baselining normal traffic and detecting anomalies at scale.

See also: NDR, East-West Traffic, SIEM

Packet Capture (PCAP)

The process of intercepting and recording network packets at the wire level for forensic analysis. Full packet capture provides the richest forensic data but requires significant storage. Tools: Wireshark, tcpdump, Zeek.

See also: Forensics, Zeek, NDR

VPN (Virtual Private Network)

A technology that creates an encrypted tunnel for network traffic between a client and a server, protecting data in transit and masking the user's IP address. Increasingly replaced or augmented by zero-trust network access (ZTNA) for enterprise remote access.

See also: Zero Trust, Encryption

WAF (Web Application Firewall)

A security control that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. WAFs protect against OWASP Top 10 attacks including SQL injection, XSS, and CSRF. Can be deployed as hardware, software, or cloud service.

See also: Injection, OWASP, Firewall

Zero Trust

A security model based on the principle 'never trust, always verify' — no user, device, or system is inherently trusted, regardless of network location. Every access request is authenticated, authorized, and continuously validated. Contrasts with legacy perimeter-based security models.

See also: Micro-Segmentation, IAM, Least Privilege

S

SOC Operations & Tooling

12 terms

Alert Fatigue

A condition in which SOC analysts become desensitized to security alerts due to excessive volume, leading to missed detections and poor response quality. Addressed through SIEM tuning, alert prioritization, and SOAR automation to reduce noise.

See also: False Positive, SIEM, SOAR

Audit Trail

A chronological, tamper-evident record of system activities that enables reconstruction of events and demonstrates compliance with security policies. Required by most regulatory frameworks (PCI DSS, HIPAA, SOX) and essential for forensic investigations.

See also: Compliance, Chain of Custody, SIEM

DLP (Data Loss Prevention)

Technology that detects and prevents unauthorized transmission, storage, or use of sensitive data. DLP solutions monitor endpoints, email, web traffic, and cloud storage to enforce data classification policies and prevent exfiltration.

See also: Data Classification, Exfiltration, IAM

Exfiltration

The unauthorized transfer of data from a victim's environment to an attacker-controlled destination. A key stage of the kill chain. Exfiltration channels include HTTPS, DNS tunneling, email, and cloud storage services.

See also: Kill Chain, DLP, C2

Escalation Path

The defined process by which a security incident is escalated from one tier of the SOC to the next based on severity, complexity, or required expertise. Clear escalation paths ensure incidents receive appropriate attention without delays.

See also: SOC, Runbook, Incident Response

Firewall Rule

A configured policy on a firewall that permits or denies network traffic based on criteria such as source/destination IP, port, protocol, and application. Rule sprawl (accumulation of outdated rules) is a common source of misconfiguration vulnerabilities.

See also: Network Security, WAF, Micro-Segmentation

Misconfiguration

A security vulnerability arising from incorrect or insecure configuration of systems, services, or cloud resources. The leading cause of cloud security incidents. Examples include open S3 buckets, overly permissive IAM policies, and exposed management ports.

See also: Attack Surface, CIS Controls, Vulnerability

Playbook

A documented, step-by-step procedure for responding to a specific type of security incident (e.g., ransomware, phishing, insider threat). Playbooks ensure consistent, repeatable response and can be automated via SOAR platforms. Distinct from runbooks (which are more operational).

See also: Runbook, SOAR, Incident Response

Runbook

A detailed set of standardized procedures for performing routine operational tasks in the SOC, such as onboarding a new log source, triaging a specific alert type, or rotating API keys. Runbooks support analyst consistency and are the basis for SOAR automation.

See also: Playbook, SOAR, SOC

Supply Chain Attack

An attack that targets a less-secure element in the supply chain (software vendor, managed service provider, hardware supplier) to compromise downstream victims. The SolarWinds and XZ Utils incidents are canonical examples. Requires third-party risk management programs.

See also: APT, Trojan, Attack Vector

Tabletop Exercise

A discussion-based simulation in which key stakeholders walk through a hypothetical security incident scenario to evaluate the effectiveness of response plans, identify gaps, and improve coordination. No live systems are involved.

See also: Incident Response, Playbook, Post-Mortem

UEBA (User and Entity Behavior Analytics)

Security analytics that establish behavioral baselines for users and entities (devices, applications) and alert on deviations that may indicate insider threats, compromised accounts, or lateral movement. Often integrated into SIEM platforms.

See also: SIEM, Insider Threat, Lateral Movement

V

Vulnerability Management

6 terms

Attack Surface

See Attack Surface under Attack Types. From a vulnerability management perspective, reducing attack surface means decommissioning unused services, closing exposed ports, and removing unnecessary software.

See also: Misconfiguration, Patch Management

CVE

See CVE under Compliance & Frameworks. In vulnerability management workflows, CVEs are ingested from scanners (OpenVAS, Nuclei), enriched with CVSS scores, and prioritized for remediation based on exploitability and asset criticality.

See also: CVSS, OpenVAS, Patch Management

Patch Management

The systematic process of identifying, acquiring, testing, and deploying software patches to remediate known vulnerabilities. Effective patch management requires asset inventory, SLA-based remediation timelines (e.g., Critical = 24 hours), and validation scanning post-patch.

See also: CVE, CVSS, Vulnerability Scanner

Privilege Escalation

A technique in which an attacker gains higher-level permissions than initially obtained, moving from a standard user to admin or SYSTEM privileges. Vertical escalation targets higher privileges; horizontal escalation accesses resources of other users at the same privilege level.

See also: Lateral Movement, Exploit, Kill Chain

Vulnerability Scanner

A tool that automatically identifies known security weaknesses in systems, applications, and networks by comparing configurations and software versions against vulnerability databases. Open-source options include OpenVAS (Greenbone) and Nuclei. Output must be contextualized for effective prioritization.

See also: CVE, CVSS, Patch Management

Detect • Protect • Prevail

Prepared by ThreatStealth Security Operations | Powered by Anthropic Claude | May 2026