Reference
Cybersecurity glossary.
Plain-English definitions for the terms that come up most often in mid-market security conversations. Written by senior practitioners. Links to deeper material where it exists.
A
- Access Control
- The set of policies and mechanisms that determine which users, systems, or processes are permitted to view, modify, or use specific resources. Foundational to every security program.
- API Security
- Protecting application programming interfaces from abuse, data exposure, and broken authentication. Increasingly central as more business logic moves behind APIs rather than user-facing UIs.
- Asset Inventory
- A maintained record of every system, device, application, and data store an organization uses. Required by every major framework (SOC 2, HIPAA, ISO 27001, CMMC). You cannot protect what you cannot enumerate.
- Authentication
- Verifying that a user, device, or system is who or what it claims to be. Distinct from authorization (which determines what they can do once verified).
Related: Penetration Testing →
B
- BCP (Business Continuity Plan)
- Documented procedures that keep critical business functions running during and after a disruption. Distinct from disaster recovery (DR), which focuses specifically on restoring IT systems.
- BEC (Business Email Compromise)
- An attack pattern where an adversary impersonates a trusted party (typically an executive or vendor) over email to authorize a fraudulent wire transfer or data release. One of the highest-loss attack categories for mid-market businesses.
- Bug Bounty
- A program in which an organization pays external researchers for responsibly disclosing vulnerabilities. Complements internal testing; does not replace formal penetration testing.
Related: Threat Operations →
C
- CISO (Chief Information Security Officer)
- The executive accountable for an organization's information security strategy, risk posture, and program execution. At mid-market scale, the role is often filled fractionally as a vCISO.
- CMMC (Cybersecurity Maturity Model Certification)
- A Department of Defense framework establishing cybersecurity requirements for contractors handling Controlled Unclassified Information (CUI). CMMC 2.0 became enforceable for new DoD contracts in 2025.
- CSPM (Cloud Security Posture Management)
- Tooling that continuously evaluates cloud infrastructure (AWS, Azure, GCP) for misconfigurations against best-practice benchmarks. Detects exposed storage, overly permissive IAM, missing encryption, and similar drift.
- CVE (Common Vulnerabilities and Exposures)
- A public catalog of disclosed software vulnerabilities, each assigned a unique identifier (e.g., CVE-2024-12345). The shared reference enables vulnerability management programs to track, prioritize, and remediate consistently.
- CVSS (Common Vulnerability Scoring System)
- A numerical scoring system (0.0–10.0) used to rate the severity of CVEs based on exploitability and impact. CVSS scores drive patching priority in mature vulnerability programs.
- Cyber Insurance
- Coverage for losses from cybersecurity incidents (ransom payments, breach response, regulatory fines, business interruption). Underwriters increasingly require evidence of MFA, EDR, backups, and IR planning before binding.
Related: Virtual CISO Services →
D
- DDoS (Distributed Denial of Service)
- An attack that overwhelms a target system with traffic from many sources, rendering it unavailable to legitimate users. Mitigated through scrubbing services, rate limiting, and edge providers like Cloudflare.
- Defense in Depth
- Layered security design where multiple independent controls protect the same asset, so the failure of any one layer does not result in compromise. Foundational architectural principle.
- DLP (Data Loss Prevention)
- Technology and policy controls that detect and prevent sensitive data (PII, PHI, financial records, trade secrets) from leaving the organization through email, web upload, cloud sync, or removable media.
- Disaster Recovery (DR)
- The technology-focused subset of business continuity. Procedures and infrastructure for restoring IT systems and data after a disruption. Measured by RTO and RPO targets.
Related: Security Architecture →
E
- EDR (Endpoint Detection and Response)
- Software installed on endpoints (laptops, servers) that records detailed activity and alerts on suspicious behavior. Provides far deeper visibility than traditional antivirus. CrowdStrike Falcon and SentinelOne are common examples.
- Encryption at Rest
- Protecting stored data (in databases, file systems, backups, drives) by making it unreadable without the proper key. Required by most compliance frameworks for sensitive data.
- Encryption in Transit
- Protecting data while it moves across networks, typically via TLS. Required for any system handling regulated data and considered table stakes for all modern applications.
- Evidence Collection
- Gathering and storing the artifacts (logs, screenshots, configurations, tickets) that demonstrate a control is operating as designed. Manual evidence collection is where compliance programs typically break down at scale.
Related: Managed Security →
F
- FedRAMP
- The Federal Risk and Authorization Management Program standardizes security assessment, authorization, and continuous monitoring for cloud products and services used by U.S. federal agencies. Authorization is a multi-month effort.
- Firewall
- Network security device or service that filters traffic between zones based on defined rules. Next-generation firewalls (NGFW) add application awareness, IDS/IPS, and threat intelligence integration.
G
- GDPR (General Data Protection Regulation)
- European Union regulation governing the collection, processing, and storage of personal data. Applies extraterritorially to any organization handling data from EU residents, regardless of where the organization is based.
- GRC (Governance, Risk, and Compliance)
- The integrated discipline that aligns security governance, risk management, and regulatory compliance into one operating model. GRC platforms operationalize the workflow across these three.
H
- HIPAA
- The Health Insurance Portability and Accountability Act establishes U.S. rules for protecting individually identifiable health information (PHI). Enforced by the HHS Office for Civil Rights (OCR).
- HITRUST CSF
- A certifiable security framework specifically built for healthcare and other regulated industries. Maps to HIPAA, ISO 27001, NIST, PCI, and other frameworks in a single audit.
I
- IAM (Identity and Access Management)
- The discipline and tooling for managing digital identities and what they can access. Modern IAM includes SSO, MFA, lifecycle management, and access reviews.
- Incident Response (IR)
- The structured process for detecting, containing, eradicating, and recovering from a security incident. Effective IR depends on rehearsed plans, defined roles, and senior judgment in the first 72 hours.
- IOC (Indicator of Compromise)
- An observable artifact (file hash, IP address, domain, user-agent string) that suggests a system has been compromised. IOCs feed detection rules and threat hunting workflows.
- ISO 27001
- International standard for information security management systems (ISMS). Certification demonstrates a documented, audited security program. Frequently required for global enterprise sales.
Related: Regulatory Compliance →
J
- JWT (JSON Web Token)
- A compact, URL-safe token format used to securely transmit identity and claims between parties as a signed JSON object. The default authentication token in most modern APIs and single-page apps. Misissued or improperly validated JWTs are a common vulnerability in pen-test reports.
Related: Penetration Testing →
K
- Key Management (KMS)
- The discipline and tooling that generate, distribute, rotate, and destroy the cryptographic keys protecting data. Cloud providers offer dedicated services (AWS KMS, Azure Key Vault, Google Cloud KMS). Compromise of the key management system effectively unlocks every system that depends on it.
Related: Security Architecture →
L
- Lateral Movement
- The phase of an attack where an adversary, having gained initial access, pivots between systems to reach higher-value targets. Detecting lateral movement is a primary objective of EDR and SIEM correlation.
- Least Privilege
- The principle that users, systems, and processes should have only the permissions strictly necessary to perform their function. The single highest-leverage control for limiting blast radius from a compromise.
M
- MDR (Managed Detection and Response)
- An outsourced service combining EDR or SIEM telemetry with 24/7 human analysis, triage, and response. Closes the analyst-hours gap most mid-market organizations cannot fill internally.
- MFA (Multi-Factor Authentication)
- Authentication requiring two or more independent factors (something you know, have, or are). The single highest-impact control against credential-based attacks. Now required by most cyber insurance underwriters.
- MSSP (Managed Security Services Provider)
- A vendor that delivers operational security capabilities (monitoring, detection, response, vulnerability management) on a subscription basis. MSSPs differ from vCISOs in that they execute, not strategize.
Related: Managed Security →
N
- NDR (Network Detection and Response)
- Detection technology that analyzes network traffic patterns rather than endpoint behavior. Catches threats that bypass endpoint controls or move within the network through unmonitored channels.
- NIST CSF (Cybersecurity Framework)
- A voluntary framework from NIST organizing security activities into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Version 2.0 (2024) added the Govern function and is the de facto reference for U.S. cybersecurity programs.
- NIST 800-53
- A NIST publication cataloging security and privacy controls for federal information systems. The foundation for FedRAMP authorization and a common reference even outside federal contexts.
O
- OAuth 2.0
- A delegation framework that lets a user authorize one application to act on their behalf with another, without sharing credentials. Powers nearly every "Sign in with…" button on the modern web. Using OAuth on its own for authentication (rather than for the authorization it was designed for) is a common misuse and a recurring source of vulnerabilities.
- OIDC (OpenID Connect)
- An identity authentication layer built on top of OAuth 2.0. Where OAuth focuses on access delegation, OIDC explicitly conveys "who the user is" through a standardized ID token. The protocol behind most modern enterprise SSO implementations.
- OWASP (Open Worldwide Application Security Project)
- A nonprofit foundation that publishes free application-security guidance, most famously the OWASP Top 10 list of the most critical web application security risks. Updated roughly every four years and referenced in nearly every pen-test report.
Related: Penetration Testing →
P
- PAM (Privileged Access Management)
- Controls specifically governing administrative and privileged accounts: vaulting, session recording, just-in-time elevation, and credential rotation. These accounts get dedicated controls because they are the highest-value targets for an attacker.
- Patch Management
- The process of identifying, testing, and deploying software updates to remediate known vulnerabilities. Failed patch programs are a leading root cause of ransomware and major breaches.
- PCI DSS
- The Payment Card Industry Data Security Standard, governing how organizations handle credit card data. Applies to any business that stores, processes, or transmits cardholder data.
- Penetration Testing
- Authorized adversarial testing of systems, applications, networks, or people, performed by trained operators. Distinct from automated vulnerability scanning, which only catches known issues.
- Phishing
- Social-engineering attacks delivered via email, SMS, or voice that trick recipients into disclosing credentials, transferring funds, or installing malware. Still the most common initial access vector.
- PHI (Protected Health Information)
- Individually identifiable health information protected under HIPAA. Includes diagnoses, treatments, billing records, and any identifier (name, MRN, dates) connected to health data.
- PII (Personally Identifiable Information)
- Data that can identify a specific individual, either alone (SSN, driver's license) or in combination (name + DOB + ZIP). Regulated under various state and federal laws including CCPA and GDPR.
Related: HIPAA Compliance →
Q
- Quantum-Resistant Cryptography
- Cryptographic algorithms designed to remain secure against attacks from sufficiently large quantum computers. Also called post-quantum cryptography (PQC). NIST finalized the first three PQC standards in August 2024. Mid-market boards in regulated industries are starting to ask when crypto-agility plans land.
R
- Ransomware
- Malware that encrypts an organization's data and demands payment for the decryption key. Modern variants also exfiltrate data first and threaten public release (double extortion). The dominant breach driver in healthcare and critical infrastructure.
- Red Team / Blue Team / Purple Team
- Red Team simulates real adversaries; Blue Team defends; Purple Team is the collaboration between the two, sharing techniques and detection gaps in real time to improve both sides simultaneously.
- Risk Assessment
- A documented analysis identifying threats, vulnerabilities, and the likelihood and impact of their realization. HIPAA, NIST, ISO 27001, and SOC 2 all require a current, defensible risk assessment.
- Risk Register
- The living document recording identified risks, their assessed severity, owners, mitigation plans, and current status. A real risk register is updated continuously, not a one-time spreadsheet.
- RPO / RTO
- Recovery Point Objective (how much data loss is tolerable, measured in time) and Recovery Time Objective (how long restoration may take). Together they define the contract between security/IT and the business for disaster recovery.
S
- SAML (Security Assertion Markup Language)
- An XML-based standard for exchanging authentication assertions between identity providers and service providers. The protocol behind most enterprise SSO integrations.
- SCIM (System for Cross-domain Identity Management)
- A standard for automated user provisioning and deprovisioning between identity providers and applications. Critical for closing the gap between an employee's departure and their access being revoked everywhere.
- SIEM (Security Information and Event Management)
- A platform that aggregates security logs from systems across the environment and runs correlation rules to detect threats. Splunk, Microsoft Sentinel, and Elastic Security are common examples.
- SOAR (Security Orchestration, Automation, and Response)
- Platforms that automate routine SOC workflows: enrichment, triage, containment actions. Reduces analyst toil and enables consistent response at speed.
- SOC (Security Operations Center)
- The team and platform responsible for continuous monitoring, detection, and response to security events. Real 24/7 coverage requires ~8 analysts across shifts, which is why most mid-market organizations buy SOC capability rather than build it.
- SOC 2
- An auditing framework from the AICPA evaluating a service provider's controls against five Trust Service Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy). The de facto B2B SaaS compliance certification.
- Spear Phishing
- A targeted phishing attack tailored to a specific individual, often using public information (LinkedIn, press releases) to enhance credibility. Distinct from mass phishing in success rate and impact.
- SQL Injection
- An attack that exploits unsanitized user input in a SQL query to read, modify, or destroy data. Decades old yet still present in most application vulnerability assessments.
- SSO (Single Sign-On)
- Authentication scheme where a user signs in once and gains access to multiple connected applications. Typically implemented via SAML or OIDC against a central identity provider (Okta, Entra ID, Google Workspace).
- Supply Chain Attack
- Compromising an organization indirectly through one of its vendors, software dependencies, or service providers. SolarWinds and the 2024 Change Healthcare incident are widely studied examples.
Related: Managed Security →
T
- Tabletop Exercise
- A simulated incident walk-through where stakeholders rehearse the response without touching production systems. Reveals plan gaps before real events do.
- Threat Hunting
- Proactive investigation for adversaries that may already be in the environment but have evaded alerting. Hypothesis-driven analysis, not reactive triage.
- Threat Intelligence
- Curated information about adversary infrastructure, tools, and techniques relevant to your industry and environment. Feeds detection rules, prioritizes patching, and informs strategic decisions.
Related: Threat Operations →
U
- UEBA (User and Entity Behavior Analytics)
- A detection approach that establishes baseline behavior for users, devices, and accounts, then flags deviations from that baseline. Catches threats that signature-based detection misses, such as compromised credentials being used in unusual ways. Typically integrated into modern SIEM and XDR platforms.
Related: Managed Security →
V
- vCISO (Virtual CISO)
- A part-time, outsourced Chief Information Security Officer delivering executive-level security leadership without a full-time hire. Suits mid-market organizations needing senior strategy without the $250K+ price tag.
- VPN (Virtual Private Network)
- A tunnel that extends a private network across a public one, traditionally used for remote access to corporate resources. Steadily being supplanted by zero-trust network access (ZTNA) architectures.
- Vulnerability Management
- The continuous program of discovering, prioritizing, remediating, and reporting on vulnerabilities across systems and applications. Distinct from one-off scanning; effectiveness is measured by mean time to remediate.
W
- WAF (Web Application Firewall)
- A protective layer that filters HTTP traffic to web applications, blocking common attack patterns like SQL injection, XSS, and credential stuffing. Most modern WAFs operate at the edge (Cloudflare, AWS WAF, Akamai).
X
- XDR (Extended Detection and Response)
- Detection and response that correlates telemetry across endpoint, network, identity, cloud, and email rather than treating each as an island. The current evolution beyond standalone EDR.
- XSS (Cross-Site Scripting)
- A web vulnerability where malicious script is injected into pages viewed by other users, executing in their browser session. Found in most application penetration tests.
Y
- YARA
- A pattern-matching language and tool used to describe and identify malware families. Threat hunters write YARA rules to scan files, memory, and traffic for indicators of specific adversaries or malware variants. The de facto standard for sharing malware detection signatures.
Related: Threat Operations →
Z
- Zero-Day Exploit
- An attack that exploits a vulnerability before the vendor releases a patch or the public is aware of it. Defensively mitigated by behavioral detection (EDR), segmentation, and assumed-breach architecture.
- Zero Trust
- A security architecture that grants no implicit trust based on network location, and instead verifies every access request continuously using identity, device posture, and context. Foundation of modern cloud and remote-work security.
Related: Security Architecture →
Need help with any of this?
We translate these terms into running programs.
Knowing what SOC 2 means is the easy part. Standing one up, defending it at audit, and keeping it current is the hard part. We do that work for mid-market companies every day.