VENDOR & PLATFORM VOCABULARY

The C.A.T. Glossary

Cybersecurity Applications & Tools.

The vendor and platform vocabulary an analyst meets in the SOC. Each tool is defined by what it does: threat-intel feed, EDR, SIEM, SOAR, IAM, forensics, network security. The name on the slide maps back to a category an analyst can reason about.

📡

Advisories & threat intelligence feeds

Sources of curated indicators, campaign reports, and analyst-grade intelligence.

Abuse.ch

Community-driven malware infrastructure tracking; free public feeds for malicious IPs, domains, and hashes. Strong on ransomware family tracking.

AlienVault OTX

Collaborative threat-intel exchange aggregating IOCs from a global community, with SIEM/automated integrations.

Anomali ThreatStream

Collects, analyzes, and prioritizes threat data with enrichment and risk scoring; integrates with existing security stacks.

CISA Advisories

U.S. Cybersecurity and Infrastructure Security Agency advisories on vulnerabilities and active threats, with mitigation guidance.

E-ISAC

Electricity sector ISAC; threat intel, IR support, and risk analysis tailored to grid operators.

FBI Flash Reports

Rapid high-priority notifications about imminent cyber threats targeting public and private partners.

FS-ISAC

Global financial-sector ISAC providing real-time alerts, incident coordination, and member collaboration.

GreyNoise

Filters internet background-scan noise so SOCs focus on targeted attacks. IP context with malicious vs. benign classification.

H-ISAC

Healthcare-sector ISAC; threat intelligence, incident response coordination, and best practices for clinical environments.

Intel 471

Commercial deep/dark-web monitoring with adversary infrastructure, TTP, and threat-actor behavior intelligence.

MITRE ATT&CK

Global knowledge base of adversary tactics, techniques, and procedures. The shared vocabulary of modern SOCs.

MS-ISAC

Multi-State ISAC for U.S. state, local, tribal, and territorial governments; alerts, IR, and risk management resources.

NCSC (UK)

UK National Cyber Security Centre; guidance, threat intelligence, and IR services across public and private sectors.

Microsoft Defender Threat Intelligence (MDTI)

Successor to RiskIQ PassiveTotal (acquired by Microsoft, 2021). Aggregates passive DNS, WHOIS, SSL, and infrastructure data for attribution and threat hunting.

PhishTank

Community-validated database of phishing URLs; supplies security tools and browsers with up-to-date intelligence.

Recorded Future

Threat-intelligence platform combining machine learning with human analysis across open, dark, and technical sources.

Microsoft Defender EASM

External Attack Surface Management, the renamed RiskIQ Illuminate (acquired by Microsoft, 2021). Discovers and monitors internet-facing assets, third-party services, and shadow IT.

SANS Institute

Training, certification, and research; publishes critical threat research and runs the Internet Storm Center.

VirusTotal

Free analysis of files and URLs across many AV engines; community sharing and reputation data.

WHOIS

Protocol and database of domain registration data; used to investigate suspicious domains and attribution.

☁️

Cloud & infrastructure monitoring / security

Platforms that watch cloud workloads, identities, and posture across multi-account, multi-cloud environments.

AWS CloudTrail

Records and logs API activity within an AWS account; the audit trail for security and forensic work.

AWS CloudWatch

Monitoring and observability for AWS resources and applications; metrics, logs, alarms, automation hooks.

Azure AD (Entra ID)

Microsoft’s cloud identity and access management; SSO, MFA, conditional access, and integration with SaaS apps.

Azure Sentinel UEBA

Behavior analytics layered onto Microsoft Sentinel for detecting insider threats and anomalous activity.

Chronicle

Cloud-native security analytics platform from Google Cloud; high-speed search and threat detection at petabyte scale.

Cloudflare Cloudforce One

Cloudflare’s threat-research team and intelligence service; produces actionable indicators, campaign tracking, and disruption support against active adversaries.

Forcepoint

DLP, cloud security, and insider-threat behavior analytics across endpoints, networks, and cloud applications.

Microsoft Sentinel

Cloud-native SIEM/SOAR; AI-driven analytics across on-prem, cloud, and hybrid with rich connector library.

Orca Security

Agentless cloud security; full-stack visibility, vulnerability management, and risk prioritization across cloud workloads.

Prisma Cloud

Cloud-native security platform from Palo Alto Networks; workload protection, IaC scanning, compliance, runtime defense.

Sysdig

Cloud-native security focused on container runtime, Kubernetes monitoring, and cloud workload protection.

Wiz

Agentless cloud risk visibility; correlates infra/config/workload data to map attack paths and prioritize risk.

📊

Data collection / logging / SIEM

Where the logs go to be aggregated, normalized, and queried. The SOC’s primary lens.

ArcSight

Long-standing SIEM with strong correlation engine for compliance reporting and forensic analysis.

Cribl

Data routing and processing for observability pipelines; filter, enrich, and reduce log data before forwarding.

Elastic Security

Unified security on the Elastic Stack; endpoint protection, prebuilt detections, and customizable monitoring.

Exabeam

Next-gen SIEM with built-in UEBA; user-behavior timelines and automated investigation workflows.

Fluentd

Open-source data collector that unifies log collection and processing across distributed systems via plugins.

IBM QRadar

Enterprise SIEM with real-time correlation, ML-assisted prioritization, and broad ecosystem integration.

Logstash

Server-side pipeline that ingests, transforms, and forwards data; central to the Elastic Stack.

SIEM (concept)

Aggregation and correlation of security event data for centralized detection, compliance, and IR.

Splunk Enterprise Security

Premium SIEM on the Splunk platform; correlation searches, ML, prebuilt content for SOC workflows.

Sysmon

Windows service that produces rich endpoint telemetry (process creation, network connections, file events) for SIEM ingestion.

💻

Endpoint detection & response / endpoint security

The agents that watch process trees, file activity, and on-host behavior.

Bitdefender GravityZone

EDR with behavior analysis, anti-exploit, root-cause analysis, and policy-based remediation.

CrowdStrike Falcon

Cloud-native EDR with a lightweight agent; combines behavioral analytics, threat intel, and ML.

Cybereason

EDR/XDR focused on endpoint visibility, malware detection, IR, and deep process-tree forensics.

Darktrace

Self-learning AI; builds behavioral baselines, detects anomalies, autonomously responds via Antigena.

Digital Guardian

DLP and endpoint security with context-aware policies for data usage across endpoints, networks, cloud.

Falcon OverWatch

Managed threat-hunting service on top of CrowdStrike Falcon; 24/7 human-led analysis to validate stealthy intrusions.

Proofpoint Identity Threat Defense (formerly Illusive)

Deception-based identity-threat detection. Plants fake credentials and decoy paths to surface attacker lateral movement. Illusive Networks acquired by Proofpoint, 2022.

Kaspersky EDR

Attack-chain visualization, IOC search, sandboxing, and threat-intel integration with centralized management.

Malwarebytes EDR

Lightweight EDR with strong remediation; ransomware rollback and post-infection recovery.

Microsoft Defender

Antivirus, endpoint protection, EDR (Defender for Endpoint), and XDR ties to Sentinel and Entra ID.

SentinelOne

Unified EPP/EDR with behavioral AI, autonomous response, rollback on Windows, and threat-hunting telemetry.

Sophos Intercept X

Next-gen AV plus EDR with deep learning and exploit prevention; strong investigation tools for SMB and enterprise.

Symantec (Broadcom)

Endpoint protection, email security, DLP, and EDR; global sensor network feeding detection and response.

Trellix Endpoint Security

Part of the broader Trellix XDR; detection, investigation, and response with behavioral analytics and forensic timelines.

Trend Micro Vision One

XDR correlating telemetry across email, endpoint, server, and cloud workloads.

🔬

Forensics / digital evidence / mobile forensics

The kit that turns a disk image, a memory dump, or a phone into a defensible report.

Autopsy

Open-source forensics platform on The Sleuth Kit; timeline analysis, keyword search, file carving, media analysis.

Belkasoft Evidence Center X

DFIR tool focused on memory, disk, mobile, and cloud forensics; parses encrypted containers and RAM dumps.

Cellebrite

Industry standard for mobile-device extraction and analysis; UFED covers a wide range of devices.

EnCase Forensic

Long-standing digital-investigation suite; acquisition, indexing, analysis, and court-admissible reporting.

Magnet AXIOM

Forensics across computers, mobile, cloud, IoT; powerful artifact parsing and cross-source correlation.

MSAB

Mobile forensics for law enforcement; XRY for extraction, XAMN for evidence visualization, XEC for lab management.

Oxygen Forensic Detective

Mobile, cloud, drone, and IoT forensics with deep parsing of app data including secure messengers.

X-Ways Forensics

Lightweight, fast forensic suite with strong scripting and hex-level analysis for deep investigations.

🔑

Identity & access management / privilege management

Who you are, what you can touch, and how the SOC proves it.

BeyondTrust

Privileged access management; just-in-time access, password vaulting, session monitoring, endpoint privilege management.

CyberArk

Market leader in PAM; credential rotation, secret management, session monitoring, secure remote access.

Duo (Cisco)

MFA, device trust, and contextual access; widely used for remote access and SaaS protection.

ForgeRock

Enterprise IAM with lifecycle management, governance, AI-driven access recommendations, and risk-based auth.

Okta

Identity platform with SSO, MFA, lifecycle management, and federation across thousands of apps.

One Identity

IGA with lifecycle, RBAC, privileged access governance; unifies AD, Azure AD, and cloud platform identity.

Ping Identity

Cloud-first identity for SSO, MFA, and customer IAM; strong hybrid and multi-cloud support.

SailPoint

Identity governance with least-privilege enforcement, access reviews, and ML-driven anomaly detection.

🌐

Intrusion detection & network security

Where the wire is inspected. Flow data, deep packet inspection, NIDS, and scanners.

Cisco Umbrella

Cloud-delivered DNS-layer security; blocks malicious domains at resolution time, secures outbound web traffic.

Lansweeper

IT asset discovery and inventory; CMDB foundations and continuous visibility into devices, software, and users.

NetFlow

Cisco-developed protocol for flow-based monitoring and anomaly detection; metadata about traffic sessions.

Nexpose (Rapid7)

Vulnerability management with dynamic scans and exploitability-based prioritization; pairs with Metasploit.

Nessus (Tenable)

Vulnerability scanner with authenticated/unauthenticated scans and compliance framework support.

NIDS (concept)

Network intrusion detection: inspects traffic for signatures, protocol anomalies, and behavioral indicators.

Snort

Open-source NIDS with deep packet inspection and a large community rule set maintained by Cisco Talos.

Suricata

Open-source NIDS/IPS with multi-threaded inspection, file extraction, TLS inspection, and JSON output.

Tripwire

File-integrity monitoring and change detection; enforces baselines and supports compliance.

Wireshark

Open-source packet analyzer; deep protocol decoding for investigation and forensics.

Zeek (formerly Bro)

Behavior-focused network monitoring producing structured session logs for SIEM-friendly analytics.

🤖

Incident response / SOAR / automation

Where playbooks live, alerts get enriched, and analysts get back their afternoons.

Cynet AutoXDR

XDR with autonomous investigation and remediation playbooks aimed at small-to-mid SOCs.

DFIR ORC

Open-source forensic-artifact collector from ANSSI (the French national cyber agency). Runs on Windows endpoints to gather a broad, configurable set of artifacts for offline post-compromise analysis. Not a case-management platform.

Sumo Logic Cloud SOAR (formerly DFLabs IncMan)

SOAR with advanced playbooks, threat-intel enrichment, KPI tracking, and human-in-the-loop decisions. DFLabs acquired by Sumo Logic, 2021.

Cortex XSOAR (Palo Alto)

Comprehensive SOAR with case management, threat intel, playbook-driven automation, and hundreds of integrations.

ServiceNow SecOps

ITSM and security workflow with ticketing, change management, CMDB integration, and security automation.

Google Security Operations SOAR (formerly Siemplify / Chronicle SOAR)

SOAR with case management, playbooks, and analyst dashboards; integrated with Google SecOps (Chronicle) telemetry. Siemplify acquired by Google, 2022; fully integrated into Google SecOps.

SOAR (concept)

Security orchestration, automation, and response: define, automate, and orchestrate IR workflows at scale.

Splunk SOAR (formerly Splunk Phantom)

SOAR with Python-based playbooks, 300+ integrations, and deep Splunk analytics ties. Phantom acquired by Splunk in 2018 and renamed Splunk SOAR in 2021; Splunk itself acquired by Cisco, 2024.

Swimlane

Low-code SOAR for SOC analysts to build automation workflows without deep programming expertise.

TheHive Project

Open-source IR platform with collaborative case management; integrates with Cortex for automated analysis.

Tines

No-code automation built for security teams; modular “stories” for alert ingestion, enrichment, and response.

🍯

Malware analysis / threat simulation / deception

Sandboxes for malware, honeypots for attackers, and frameworks for stress-testing defenses.

Any.Run

Interactive malware sandbox with behavioral and network analysis for collaborative investigation.

Canary (Thinkst)

Deception platform deploying low-interaction honeypots that produce high-fidelity alerts on attacker interaction.

Cuckoo Sandbox

Open-source automated malware analysis running suspect files in VMs and capturing behavior.

CyberTrap

Deception platform with realistic traps and decoys to misdirect attackers and surface intrusion attempts.

Cymmetria

Deception technology focused on detecting lateral movement via decoys and traps that mimic real assets.

FireEye Mandiant Attack Simulator

Controlled attack simulations to validate detection and response based on real-world TTPs.

FireEye Mandiant Red Team Tools

Offensive emulation and red-team tooling to stress-test defenses with realistic adversary behavior.

SafeBreach

Breach-and-attack simulation continuously testing defenses across the kill chain.

Smokescreen

Deception with decoys and lures mimicking real IT; alerts on engagement and provides attacker-TTP insight.

ThreatConnect

Threat-intel platform with playbooks for attack simulation, response automation, and intel-driven workflows.

ThreatGRID (Cisco)

Cloud sandbox combining behavior analysis with threat intelligence for advanced-malware investigation.

Commvault ThreatWise (formerly TrapX)

Deception and threat detection with decoys across endpoints, networks, and cloud. TrapX Security acquired by Commvault, 2022; rebranded as ThreatWise.

Verodin (FireEye)

Security-controls validation through simulated real-world attacks; risk-based testing and gap identification.

Zscaler ThreatLabZ

Threat research and malware sandboxing powering Zscaler’s cloud security services.

🛡️

Network & application security testing

Scanners, fuzzers, and surface-discovery tools that find the holes before adversaries do.

Acunetix

Automated web vulnerability scanner for SQLi, XSS, misconfig, and modern-web/SPA technologies.

Burp Suite

Industry-leading web app security tooling: intercepting proxy, scanning, manual pentest tools, and extensions.

Censys

Internet-wide asset discovery via continuous scanning; SSL/TLS, services, and attack-surface monitoring.

Nikto

Open-source web-server scanner for dangerous files, outdated components, and known issues.

Nmap

Network discovery and security auditing with rich NSE scripting for service detection.

OWASP ZAP

Free, open-source web app security testing with automated and manual capabilities.

Qualys

Cloud-based vulnerability management, policy compliance, and web app scanning across enterprise estates.

Shodan

Search engine for internet-connected devices; identifies exposed services, outdated software, ICS, IoT.

Tenable

Vulnerability management platform; Nessus-based scanning with on-prem, cloud, and hybrid coverage.

W3af

Open-source web app scanner combining automated checks with a manual testing framework.

Wapiti

Open-source command-line web vulnerability scanner; crawls and injects payloads for common flaws.

💾

Backup & data protection

What you actually need before ransomware shows up: backups, immutability, and recovery posture.

Acronis Cyber Backup

Backup with integrated anti-malware; blockchain-based notarization and broad workload coverage.

Arcserve UDP

Unified data protection with replication, HA, and ransomware-resistant immutable storage.

Carbonite

Cloud-based backup and DR for SMBs; encrypted transmission, hybrid backup, ransomware features.

Code42

Cloud-native endpoint data protection focused on insider risk and self-service restore.

Commvault

Unified data management; backup, archive, governance, and SaaS-app protection with AI analytics.

Druva

Cloud-native, agentless data protection for endpoints, data center, and cloud workloads.

Rubrik

Cloud-native data management; instant recovery, immutable backups, and ransomware detection.

Veeam

Backup and recovery across virtual, physical, and cloud workloads with cloud-mobility options.

Veritas NetBackup

Enterprise-grade backup with broad workload coverage and centralized hybrid-cloud management.

⚙️

Software development & scripting

The languages, frameworks, and editors that the rest of security operations runs on top of.

Ansible

Open-source automation for config management, deployment, and orchestration via YAML playbooks.

Electron

Cross-platform desktop app framework using web technologies; powers Cursor, VS Code, Slack, and more.

Jenkins

Open-source CI/CD automation server; builds, tests, and deploys with a vast plugin ecosystem.

Node.js

Event-driven JavaScript runtime on V8; backend services, APIs, automation scripts, and tooling.

PowerShell

Task automation and configuration shell built on .NET; cross-platform via PowerShell Core.

Python

High-level language ubiquitous in security tooling, automation, data analysis, and ML.

Visual Studio Code

Lightweight, extensible code editor from Microsoft; rich ecosystem of extensions for development and security.

🩹

Security configuration & patch management

Tools that keep the fleet patched, the baselines enforced, and the auditors quiet.

Ansible Tower

Web-based interface for Ansible automation; RBAC, scheduling, visual dashboards, workflow orchestration.

BigFix (IBM)

Endpoint management platform automating patching, compliance, and security configuration at scale.

Chef

Infrastructure-as-code platform enforcing security configurations via recipes and cookbooks.

Microsoft Configuration Manager (MECM)

Formerly System Center Configuration Manager (SCCM). Patching, software distribution, and compliance for Windows ecosystems; now part of the Microsoft Intune family alongside cloud-only endpoint management.

Microsoft WSUS

Free Microsoft tool for centrally approving and distributing Windows updates within an organization.

Ninite Pro

Automates installation and updates of popular third-party software across many endpoints.

Puppet Enterprise

Config management automating patching and continuous compliance through code-defined policies.

Qualys Patch Management

Cloud-based patching tied to vulnerability management; prioritizes patches by risk exposure.

SolarWinds Patch Manager

Centralized patching for Windows and third-party apps; integrates with WSUS and Microsoft Configuration Manager (MECM/SCCM).

Symantec Endpoint Management

Patch management, software distribution, and configuration enforcement across enterprise endpoints.

🛂

Physical security

Cameras, badge readers, intrusion detection, and the tools that bridge physical and cyber.

Avigilon

HD surveillance, video analytics, and access control with AI-powered anomaly detection.

Axis Communications

Pioneer of network video surveillance; broad IP-camera portfolio with edge analytics.

Bosch Security Systems

Surveillance, intrusion detection, access, and fire across enterprise and critical-infrastructure deployments.

Cisco Physical Security

Converged networking-plus-security platform unifying surveillance, access, and IoT device management.

Genetec

Unified Security Center for video surveillance, access control, and license plate recognition.

Honeywell

Integrated physical security: surveillance, access, intrusion detection, alarms across critical infrastructure.

Johnson Controls

Physical security with OpenBlue platform; security plus building automation, with cybersecurity built in.

Lenel S2

OnGuard access control, video, and alarm management for enterprise environments.

Milestone Systems

Open-platform IP video management with broad camera support and rich analytics.

Pelco

Surveillance cameras, recorders, and VideoXpert management; rugged builds for outdoor and industrial use.

Vicon Industries

End-to-end surveillance with the Valerus VMS platform; open architecture and flexible deployment.

The C.A.T. Glossary is a living catalog. Vendors merge, rebrand, and emerge constantly. See something stale or missing? Open an issue on GitHub.