SOC & Cybersecurity Glossary
Expert definitions for 40+ terms used in security operations, threat detection, and cybersecurity risk management — from foundational concepts (SIEM, EDR, SOAR) to 2026 capabilities (CTEM, ITDR, agentic AI, DORA).
About This Glossary
Written for practitioners
Definitions go beyond surface-level explanations. Each entry covers the operational context, how the capability integrates into SOC workflows, and why it matters for maturity progression. Vendor examples are included where relevant.
2026 accuracy
Definitions reflect current tool capabilities, regulatory requirements (DORA, NIS2, SEC cyber rules), and threat landscape realities — not the state of play from 2020 or earlier. Where terms have evolved, we cover their current meaning and usage.
Acronym-first indexing
Terms are sorted alphabetically by their full name but prominently display their acronym. Well-known terms (SIEM, EDR, SOAR) appear under their expanded form to support professionals learning the terminology as well as experienced practitioners.
Advanced Persistent Threat (APT)
A sophisticated, long-duration cyberattack campaign — typically run by a nation-state or well-resourced criminal actor — characterised by stealth, patience, and a defined strategic objective (espionage, IP theft, sabotage). APT actors use custom malware, zero-days, and living-off-the-land techniques to evade detection. Examples include Cozy Bear (APT29), Lazarus Group (DPRK), and Volt Typhoon (China). APT intrusions often remain undetected for months; the 2024 Mandiant M-Trends report placed median dwell time at 10 days globally, but APT intrusions in critical sectors averaged significantly longer.
Attack Surface Management (ASM)
The continuous discovery, inventory, classification, and monitoring of all assets — internal and external — that an attacker could target. External ASM (EASM) focuses on internet-exposed assets: domains, IPs, cloud storage, APIs, certificates, and exposed credentials. Internal ASM covers the internal attack surface visible to a compromised insider or lateral mover. ASM tools (Censys, Randori, Microsoft Defender EASM, CyCognito) continuously scan from an attacker's perspective, identifying shadow IT, misconfigured cloud resources, expired certificates, and forgotten VPN endpoints before adversaries exploit them. ASM is a foundational input to CTEM programmes.
Breach and Attack Simulation (BAS)
Automated, continuous simulation of attack techniques mapped to MITRE ATT&CK to validate that security controls — SIEM detection rules, EDR behavioural signatures, email filters, network egress controls — perform as expected against realistic adversary TTPs. BAS platforms (AttackIQ, SafeBreach, Cymulate, Picus Security) run thousands of simulated attack scenarios continuously, producing a control efficacy score and identifying detection gaps. BAS differs from red teaming in that it is automated, continuous, and non-destructive. It is a key component of CTEM validation stages.
Cloud Detection and Response (CDR)
A security discipline and tooling category focused on detecting, investigating, and responding to threats within cloud infrastructure — IaaS (AWS, Azure, GCP), cloud-native services (S3, Lambda, Cloud Run), and cloud control planes. CDR ingests cloud-native telemetry (CloudTrail, Azure Activity Logs, GCP Audit Logs) and detects anomalous API calls, privilege escalation in IAM, data exfiltration from storage, and cryptomining on compute. CDR platforms (Lacework, Orca Security, Wiz Defend) apply behavioural analytics to cloud telemetry that volume-based SIEM approaches struggle to handle at cloud scale.
Cloud-Native Application Protection Platform (CNAPP)
A unified platform converging Cloud Security Posture Management (CSPM), Cloud Workload Protection Platform (CWPP), Cloud Infrastructure Entitlement Management (CIEM), and increasingly CDR into a single solution. CNAPP provides integrated visibility from code (SAST, SCA, IaC scanning) through to runtime cloud workload protection. Vendors include Wiz, Prisma Cloud, Lacework, and Microsoft Defender for Cloud. The SOC relevance is in the runtime detection and response capabilities — particularly cloud lateral movement detection and identity-based attack paths.
Cloud Security Posture Management (CSPM)
Continuous monitoring of cloud infrastructure configuration against security benchmarks (CIS, NIST, PCI-DSS, SOC 2). CSPM tools inventory cloud resources, assess configurations, and alert on deviations: publicly accessible S3 buckets, unrestricted security groups, MFA not enforced on privileged accounts, encryption disabled on databases. CSPM is primarily a prevention and hygiene capability, but misconfiguration findings feed directly into SOC prioritisation — a misconfigured internet-facing asset is both a vulnerability and a likely entry point for active threat actors.
Cloud Workload Protection Platform (CWPP)
Runtime protection for cloud workloads — virtual machines, containers, and serverless functions. CWPP provides vulnerability scanning of running workloads, runtime behavioural monitoring (anomalous process execution in containers, unexpected network connections from serverless functions), and memory protection (exploitation of running processes). CWPP capabilities are increasingly integrated into CNAPP platforms. In a SOC context, CWPP is the cloud equivalent of EDR — the runtime telemetry source that detects threats executing in cloud workloads rather than on endpoints.
Continuous Threat Exposure Management (CTEM)
A Gartner-defined programme framework (introduced 2022) for continuously assessing, prioritising, and reducing exploitable exposure across an organisation's attack surface. CTEM runs a five-stage cycle: Scoping (define what assets and business contexts are in scope), Discovery (enumerate exposures — vulnerabilities, misconfigurations, weak credentials), Prioritisation (risk-rank by exploitability and business impact), Validation (confirm exploitability via BAS or manual testing), and Mobilisation (coordinate remediation across IT, DevOps, and security teams). CTEM replaces point-in-time vulnerability management with a continuous risk reduction loop. Gartner predicts that by 2026, organisations prioritising CTEM investments will suffer two-thirds fewer breaches.
Data Loss Prevention (DLP)
Controls and technologies designed to prevent sensitive data — PII, IP, financial records, health data — from leaving the organisation without authorisation. DLP operates at multiple layers: endpoint (monitoring file operations, clipboard, USB transfers), network (inspecting egress traffic for sensitive content patterns), cloud/SaaS (monitoring data sharing in Microsoft 365, Google Workspace, Salesforce). Modern DLP integrates with CASB and SASE platforms for cloud-delivered inspection. DLP generates significant SOC alert volume; effective DLP programmes require tuning and integration with identity context to distinguish legitimate data sharing from exfiltration.
Digital Operational Resilience Act (DORA)
EU regulation effective January 2025 mandating ICT risk management, incident reporting, resilience testing, and third-party risk oversight for financial entities — banks, insurers, investment firms, payment processors — and their critical ICT providers. DORA requires classification and reporting of major ICT incidents within strict timelines (initial notification within 4 hours, intermediate report within 72 hours, final report within 1 month). SOC implications are direct: detection capabilities, incident classification taxonomy, and regulatory notification workflows must all be demonstrably in place. DORA makes Level I SOC maturity a practical compliance floor for EU financial entities.
Endpoint Detection and Response (EDR)
Endpoint security technology providing continuous monitoring, behavioural detection, and response capabilities at the endpoint level — laptops, desktops, servers. EDR records detailed telemetry: process creation, network connections, file operations, registry modifications, memory access patterns. Detection combines signature matching, behavioural rules, and ML models. Response capabilities include remote isolation, process termination, file quarantine, and forensic data collection. Leading platforms: CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, Palo Alto Cortex XDR. EDR is a prerequisite for Level II SOC maturity and the primary data source for most incident investigations.
Extended Detection and Response (XDR)
An evolution beyond EDR that correlates telemetry across multiple security layers — endpoint, network, cloud, identity, email — to detect attacks that span multiple domains and would be invisible to siloed tools. XDR reduces alert fatigue by correlating low-confidence signals from multiple sources into high-confidence incidents. Vendors offer native XDR (integrating only their own products: CrowdStrike, SentinelOne, Palo Alto) and open XDR (integrating third-party tools: Stellar Cyber, Exabeam). XDR increasingly overlaps with SIEM capabilities, with some vendors positioning XDR as a SIEM replacement for organisations willing to consolidate their stack.
Identity Threat Detection and Response (ITDR)
A security capability and tooling category focused specifically on detecting and responding to attacks targeting identity infrastructure — Active Directory, Microsoft Entra ID, Okta, privileged access management systems. ITDR detects: DCSync attacks (credential dumping via AD replication), Golden Ticket and Silver Ticket Kerberos attacks, pass-the-hash and pass-the-ticket techniques, privilege escalation via AD ACL manipulation, and credential spray campaigns. ITDR tools (Microsoft Entra ID Protection, Okta Threat Insights, Semperis, Attivo Networks/SentinelOne Ranger) apply behavioural analytics to identity telemetry that traditional SIEM rules frequently miss. Given that 80%+ of breaches involve credential compromise (Verizon DBIR), ITDR has become a critical SOC capability layer.
Indicator of Attack (IOA)
Behavioural indicators describing attacker actions — techniques and patterns — rather than static artefacts. IOAs focus on what attackers do (e.g., "PowerShell downloading from an external domain followed by a new scheduled task creation") rather than what they leave behind (file hashes, IPs). Because IOAs describe behaviour rather than specific malware versions, they remain valid even when attackers change their tooling. IOAs are central to EDR behavioural detection engines and represent a more durable detection strategy than IOC-based approaches. MITRE ATT&CK is fundamentally a taxonomy of IOAs.
Indicator of Compromise (IOC)
Forensic artefacts indicating that a system has likely been compromised: malware file hashes, malicious IP addresses, C2 domain names, suspicious registry keys, YARA rule matches. IOCs are retrospective — they are typically identified after an attack and shared via threat intelligence feeds (ISACs, VirusTotal, commercial TIPs). IOC-based detection has a fundamental limitation: sophisticated attackers rotate IOCs frequently, so relying solely on IOC blocking means always being one step behind. Effective SOCs combine IOC blocking (for known-bad artefacts) with IOA-based behavioural detection (for unknown variants).
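The contrast between the IOC and IOA entries, as an added example that is not code from the glossary or any EDR product: the IOC matcher only fires on indicators it already knows, while the IOA matcher flags the behavioural sequence quoted in the IOA entry (PowerShell reaching an external address, then a scheduled task created on the same host) without knowing the hash or address in advance. The event format, the placeholder indicator values and the 10-minute correlation window are assumptions.

```python
"""IOC matching beside IOA (behavioural) detection over constructed endpoint
telemetry. Added example, not code from the glossary or any product; the
event format, indicator values and 10-minute window are assumptions."""
from datetime import datetime, timedelta

# Constructed threat-intelligence indicators (placeholders, not real indicators).
KNOWN_BAD_HASHES = {"placeholder-sha256-0001"}
KNOWN_BAD_IPS = {"203.0.113.10"}  # RFC 5737 documentation address

# Constructed endpoint telemetry: (timestamp, host, event_type, details).
EVENTS = [
    ("2026-01-10T09:00:00", "ws-01", "process",
     {"image": "powershell.exe", "sha256": "placeholder-sha256-9999"}),
    ("2026-01-10T09:00:05", "ws-01", "network",
     {"image": "powershell.exe", "dst_ip": "198.51.100.7", "external": True}),
    ("2026-01-10T09:03:00", "ws-01", "process",
     {"image": "schtasks.exe", "cmdline": "schtasks /create /tn Updater"}),
    ("2026-01-10T11:00:00", "ws-02", "network",
     {"image": "chrome.exe", "dst_ip": "203.0.113.10", "external": True}),
    ("2026-01-10T12:00:00", "ws-03", "process",
     {"image": "schtasks.exe", "cmdline": "schtasks /create /tn Backup"}),
]


def ioc_matches(events):
    """Static artefact matching: fires only on indicators already known."""
    hits = []
    for _ts, host, etype, d in events:
        if etype == "process" and d.get("sha256") in KNOWN_BAD_HASHES:
            hits.append((host, "hash:" + d["sha256"]))
        if etype == "network" and d.get("dst_ip") in KNOWN_BAD_IPS:
            hits.append((host, "ip:" + d["dst_ip"]))
    return hits


def ioa_matches(events, window=timedelta(minutes=10)):
    """Behavioural sequence from the text: PowerShell reaching an external
    address, followed on the same host by scheduled-task creation within
    `window`. Neither the hash nor the address needs to be known in advance."""
    recent_downloads = {}  # host -> timestamps of PowerShell external connections
    hits = []
    for ts, host, etype, d in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        image = d.get("image", "").lower()
        if etype == "network" and image == "powershell.exe" and d.get("external"):
            recent_downloads.setdefault(host, []).append(t)
        elif (etype == "process" and image == "schtasks.exe"
              and "/create" in d.get("cmdline", "").lower()):
            if any(timedelta(0) <= t - t0 <= window
                   for t0 in recent_downloads.get(host, [])):
                hits.append(host)
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS))  # only ws-02 (known-bad IP)
    print("IOA hits:", ioa_matches(EVENTS))  # only ws-01; ws-03's lone task is benign
```

Note that ws-01's PowerShell binary has an unknown hash and contacts an address on no list, so the IOC pass misses the intrusion entirely, while ws-03's isolated scheduled task does not trip the IOA because the preceding behaviour is absent.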
Information Sharing and Analysis Center (ISAC)
Sector-specific organisations that facilitate sharing of cyber threat intelligence among member organisations in a given industry vertical. Major ISACs include FS-ISAC (financial services), H-ISAC (healthcare), E-ISAC (energy), MS-ISAC (state, local, tribal, territorial government), and Auto-ISAC (automotive). ISAC membership provides access to sector-relevant IOCs, TTP analysis, and coordinated response during widespread incidents. Membership is a Level II+ SOC indicator — it signals integration of external threat intelligence appropriate to the organisation's sector context.
Mean Time to Detect (MTTD)
The average time elapsed between the start of a security incident and its detection by the SOC. MTTD is a primary KPI for SOC effectiveness — shorter MTTD means attackers have less time to move laterally, exfiltrate data, or cause damage before containment. Industry benchmarks: MTTD for ransomware incidents averages 9–21 days in organisations without mature SOCs; advanced SOCs with full EDR/XDR and threat hunting achieve MTTD of hours or less for most incident types. MTTD should be tracked per incident type and per detection source (SIEM alert, EDR alert, threat hunting finding, external notification).
Mean Time to Respond (MTTR)
The average time from incident detection to confirmed containment and remediation. MTTR encompasses analyst triage, investigation, escalation, containment action (endpoint isolation, account disablement, firewall rule), and validation that the threat is neutralised. MTTR is a composite metric influenced by detection quality, playbook maturity, tool integration, and staffing availability. Regulatory frameworks increasingly mandate maximum MTTR windows: DORA requires major incident classification within 4 hours, NIS2 within 24 hours. SOC automation via SOAR is primarily deployed to reduce MTTR for common, well-understood incident types.
Managed Detection and Response (MDR)
A managed security service delivering 24×7 threat detection, investigation, and guided or active response. Unlike traditional MSSPs that primarily alert-forward from a SIEM, MDR providers employ skilled analysts and threat hunters, use proprietary detection technology (typically EDR or XDR-based), and take active response actions with client authorisation. MDR is distinguished from MSSP by response capability and detection quality. Leading MDR providers: CrowdStrike Falcon Complete, SentinelOne Vigilance, Microsoft MXDR, Secureworks Taegis, Arctic Wolf. MDR is a viable Level I+ delivery model for organisations unable to staff a 24×7 in-house SOC.
MITRE ATT&CK
A globally accessible, curated knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world threat intelligence. ATT&CK organises attack behaviour into 14 tactics (the "why" of an action: Reconnaissance, Resource Development, Initial Access, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Discovery, Lateral Movement, Collection, Command and Control, Exfiltration, Impact) and hundreds of specific techniques and sub-techniques. SOC teams use ATT&CK to: map existing detection coverage (ATT&CK Navigator), design threat hunting hypotheses, evaluate vendor claims, structure red team exercises, and communicate about attacker behaviour in a common language. ATT&CK coverage mapping is a Level II+ SOC indicator.
Multi-Factor Authentication (MFA)
Authentication requiring two or more factors from different categories: something you know (password), something you have (hardware token, authenticator app, SMS code), something you are (biometric). MFA is the single highest-ROI control for preventing credential-based attacks — it blocks the vast majority of automated credential spray and phishing-harvested credential attacks. SOC relevance: MFA bypass attempts (Adversary-in-the-Middle phishing, MFA fatigue/push bombing, SS7 attacks) are increasingly common and must be detected via ITDR and identity analytics. Phishing-resistant MFA (FIDO2/WebAuthn, hardware keys) eliminates real-time phishing bypass and is the recommended standard for privileged accounts.
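Two of the identity attacks named in the ITDR and MFA entries, credential spraying and MFA push bombing, expressed as detections over an authentication log. This is an added example, not code from the glossary or any ITDR product; the event schema, thresholds and time windows are assumptions, and every address is drawn from the RFC 5737 documentation ranges.

```python
"""Identity telemetry detections for two attacks named in the ITDR and MFA
entries: credential spraying and MFA push bombing. Added example, not from the
glossary or any ITDR product; the event schema, thresholds and windows are
assumptions, and all addresses come from RFC 5737 documentation ranges."""
from datetime import datetime, timedelta

BASE = datetime(2026, 1, 10, 9, 0, 0)


def _ev(sec, src, user, result, mfa=None):
    return {"ts": (BASE + timedelta(seconds=sec)).isoformat(),
            "src": src, "user": user, "result": result, "mfa": mfa}


# Constructed authentication log.
EVENTS = (
    # One source, one failed attempt against each of 12 accounts in ~4 minutes.
    [_ev(20 * i, "198.51.100.50", f"user{i:02d}", "fail") for i in range(12)]
    # One user whose password is already known to the attacker: push prompts declined.
    + [_ev(600 + 20 * i, "203.0.113.77", "carol", "fail", "push_denied") for i in range(7)]
    + [_ev(740, "203.0.113.77", "carol", "fail", "push_timeout")]
    # Normal user mistyping twice, then succeeding with an approved push.
    + [_ev(900, "192.0.2.9", "dave", "fail"), _ev(930, "192.0.2.9", "dave", "fail"),
       _ev(960, "192.0.2.9", "dave", "success", "push_ok")]
)


def spray_sources(events, window=timedelta(minutes=10), min_accounts=10, max_per_account=2):
    """Sources that fail against many distinct accounts, few tries each, within
    `window` (the pattern that per-account lockout thresholds never see)."""
    fails_by_src = {}
    for e in events:
        if e["result"] == "fail":
            fails_by_src.setdefault(e["src"], []).append(e)
    hits = []
    for src, evs in fails_by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):  # sliding window over this source's failures
            t0 = datetime.fromisoformat(start["ts"])
            per_account = {}
            for e in evs[i:]:
                if datetime.fromisoformat(e["ts"]) - t0 > window:
                    break
                per_account[e["user"]] = per_account.get(e["user"], 0) + 1
            if len(per_account) >= min_accounts and max(per_account.values()) <= max_per_account:
                hits.append((src, len(per_account)))
                break
    return hits


def push_bombing(events, window=timedelta(minutes=5), min_prompts=5):
    """Users receiving a burst of declined or unanswered push prompts."""
    by_user = {}
    for e in events:
        if e["mfa"] in ("push_denied", "push_timeout"):
            by_user.setdefault(e["user"], []).append(datetime.fromisoformat(e["ts"]))
    hits = []
    for user, times in by_user.items():
        times.sort()
        for i, t0 in enumerate(times):
            n = sum(1 for t in times[i:] if t - t0 <= window)
            if n >= min_prompts:
                hits.append((user, n))
                break
    return hits


if __name__ == "__main__":
    print("spray sources:", spray_sources(EVENTS))  # [('198.51.100.50', 12)]
    print("push bombing:", push_bombing(EVENTS))    # [('carol', 8)]
```

Dave's two mistypes stay below both thresholds, which is the tuning point in practice: the spray rule keys on breadth across accounts, the push rule on prompt density per user.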
Network Detection and Response (NDR)
Formerly called Network Traffic Analysis (NTA). NDR monitors network communications — east-west traffic within the network and north-south traffic at the perimeter — to detect threats that bypass endpoint controls. NDR ingests network flows (NetFlow/IPFIX), packet data (PCAP), and DNS logs, applying ML models and behavioural analytics to detect: lateral movement (unusual SMB traffic patterns, unexpected RDP connections), C2 communication (beaconing patterns, DNS tunnelling, encrypted traffic anomalies), and data exfiltration (large outbound transfers, unusual destination geolocations). NDR platforms: Darktrace, Vectra AI, ExtraHop, Corelight. NDR is complementary to EDR — it catches threats that EDR misses (agentless devices, network-only attacks) and provides corroborating evidence for EDR detections.
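The beaconing pattern the NDR entry lists under C2 communication, as an added example that is not code from the glossary or any NDR product: an implant polling its controller produces flows whose inter-arrival gaps have very low variance, which shows up as a small coefficient of variation. The flow record format, the thresholds and the constructed flows (RFC 1918 and RFC 5737 addresses) are assumptions.

```python
"""Beaconing detection over constructed flow records: a compromised host's
implant polls its controller on a near-fixed interval, so the gaps between
flows to that destination have very low variance. Added example, not from the
glossary or any NDR product; thresholds and the flow format are assumptions."""
from datetime import datetime, timedelta
from statistics import mean, pstdev

BASE = datetime(2026, 1, 10, 9, 0, 0)


def _flows(src, dst, offsets_sec):
    return [((BASE + timedelta(seconds=s)).isoformat(), src, dst) for s in offsets_sec]


# Constructed flows. 10.0.0.5 beacons every ~60 s with a few seconds of jitter;
# 10.0.0.7 browses irregularly; 10.0.0.9 has too few flows to judge.
JITTER = [0, 1, -1, 2, 0, -2, 1, 0, -1, 1, 2, 0]
FLOWS = (
    _flows("10.0.0.5", "198.51.100.20", [60 * i + j for i, j in enumerate(JITTER)])
    + _flows("10.0.0.7", "198.51.100.30", [0, 7, 9, 45, 130, 131, 400, 410, 900, 1500])
    + _flows("10.0.0.9", "198.51.100.40", [0, 60, 120])
)


def beacon_candidates(flows, min_flows=8, max_cv=0.10):
    """Return (src, dst, mean_interval_s, cv) for pairs whose inter-flow gaps
    are regular: coefficient of variation (stdev / mean) at or below max_cv."""
    by_pair = {}
    for ts, src, dst in flows:
        by_pair.setdefault((src, dst), []).append(datetime.fromisoformat(ts))
    out = []
    for (src, dst), times in by_pair.items():
        if len(times) < min_flows:
            continue  # too few samples for a meaningful interval statistic
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue  # duplicate timestamps only; nothing periodic to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            out.append((src, dst, round(avg, 1), round(cv, 3)))
    return out


if __name__ == "__main__":
    for src, dst, avg, cv in beacon_candidates(FLOWS):
        print(f"{src} -> {dst}: every {avg}s (cv={cv})")
```

Real implants add deliberate jitter, so the cv threshold is a tuning knob: tightening it cuts false positives from chatty but legitimate pollers, loosening it catches noisier beacons at the cost of more analyst review.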
Network and Information Systems Directive 2 (NIS2)
EU cybersecurity regulation effective October 2024, replacing the original NIS Directive. NIS2 significantly expands scope (18 sectors, 160,000+ entities), raises security requirements (Article 21 mandates incident handling, monitoring, access control, supply chain security, MFA), and increases penalties (up to €10M or 2% of global turnover for essential entities). NIS2 incident reporting timelines: 24-hour early warning, 72-hour notification with initial assessment, 1-month final report. SOC implications are substantial — NIS2 essentially mandates Level I SOC capabilities as a compliance floor across a much broader range of European organisations than previously covered.
Privileged Access Management (PAM)
Controls and technology for securing, monitoring, and governing privileged access — accounts with elevated rights to systems, data, or infrastructure. PAM encompasses: privileged account vaulting (storing credentials in an encrypted vault, rotating them automatically), just-in-time access (provisioning privileged sessions only when needed, for a defined time window), session recording (recording all privileged session activity for audit and forensics), and least-privilege enforcement. PAM platforms: CyberArk, BeyondTrust, Delinea (formerly Thycotic). SOC relevance: compromised privileged accounts are the "crown jewels" of most intrusions — PAM visibility (session recordings, access anomalies) is critical for detecting privilege abuse and accelerating investigation of suspected insider threats.
Purple Team
A collaborative exercise model in which red team (offensive) and blue team (defensive) capabilities work together, with knowledge sharing, to systematically test and improve detection and response. Unlike traditional red team engagements where findings are delivered post-exercise, purple teaming provides real-time feedback: the red team executes an attack technique, the blue team observes whether it is detected, and the gap is immediately addressed through detection rule improvement or control configuration change. Purple teaming accelerates the red-to-blue learning loop from months (traditional red team debrief) to hours or days.
Red Team
A structured adversary simulation exercise where a skilled offensive security team emulates the TTPs of a specific threat actor or attack scenario against a target organisation, without the defender's advance knowledge of timing, scope, or techniques. Red team objectives are typically aligned to business-impacting scenarios: "can an attacker exfiltrate customer data?" or "can ransomware reach the production database?" Red team results reveal detection and response gaps that internal teams and automated tools have missed. Full red team exercises (as opposed to penetration tests) typically run for weeks or months and are a Level II+ SOC capability indicator.
Secure Access Service Edge (SASE)
A network architecture framework (Gartner, 2019) converging WAN connectivity (SD-WAN) with cloud-delivered security services (SWG, CASB, ZTNA, FWaaS) into a unified, identity-aware service delivered from cloud PoPs. SASE enables consistent security policy enforcement regardless of user location, device, or application — critical as the traditional network perimeter has dissolved. SOC relevance: SASE platforms generate rich telemetry (user access patterns, application usage, data flows) that feeds into SIEM and UEBA. Leading SASE vendors: Zscaler, Netskope, Palo Alto Prisma SASE, Cato Networks. SASE is increasingly the network security foundation for zero trust architectures.
Security Information and Event Management (SIEM)
The central log aggregation, correlation, and alerting platform of the SOC. A SIEM ingests logs from across the environment — endpoints, network devices, cloud platforms, applications, identity systems — normalises them into a common schema, applies detection rules and ML analytics to identify suspicious patterns, and generates alerts for analyst review. Modern SIEMs (Microsoft Sentinel, Splunk Enterprise Security, IBM QRadar, Google SecOps/Chronicle, Elastic SIEM) add threat intelligence enrichment, UEBA, case management, and increasingly GenAI capabilities. SIEM is the foundational Level I SOC technology — without it, detection is reactive and fragmented. Log retention, source coverage, and content tuning quality are the primary SIEM maturity differentiators.
Security Orchestration, Automation and Response (SOAR)
Platforms that orchestrate security tool integrations, automate repetitive analyst tasks, and standardise incident response workflows through playbooks. SOAR connects the SOC's disparate tools — SIEM, EDR, ticketing, threat intel, firewall, email gateway — via APIs, enabling automated workflows: a phishing alert triggers automatic extraction of IOCs, VirusTotal lookup, sandbox detonation, affected user identification, email quarantine, and ticket creation — all without analyst intervention. Leading SOAR platforms: Palo Alto XSOAR, Splunk SOAR (Phantom), Microsoft Sentinel Playbooks, Swimlane. SOAR dramatically reduces MTTR for well-defined incident types and is a core Level II+ capability. AI-native platforms are beginning to replace traditional SOAR with more adaptive, LLM-driven orchestration.
Security Operations Center (SOC)
The organisational function — team, processes, and technology — responsible for monitoring, detecting, analysing, and responding to cybersecurity threats on a continuous basis. A SOC centralises security monitoring across the environment, provides 24×7 threat visibility, and serves as the operational hub for incident response. SOC models vary: in-house (dedicated internal team), co-managed (internal team plus MDR/MSSP support), or fully managed (outsourced SOC function). SOC maturity describes how systematically and effectively these functions are performed, from reactive/minimal (Below Level I) to autonomous and self-improving (Level III/AI-Native). The RateMySOC assessment benchmarks SOC maturity across 27 capability dimensions.
Security Service Edge (SSE)
The security subset of SASE — cloud-delivered security services without the SD-WAN networking component. SSE encompasses: Secure Web Gateway (SWG) for web traffic inspection, Cloud Access Security Broker (CASB) for SaaS data protection, Zero Trust Network Access (ZTNA) for application access control, and Digital Experience Monitoring (DEM). SSE is the appropriate framing for organisations that have separate WAN/SD-WAN infrastructure but want to consolidate cloud security services. Leading SSE vendors: Zscaler (ZIA/ZPA), Netskope, Skyhigh Security, Broadcom (Symantec). SSE telemetry contributes to SOC visibility for user web activity, SaaS data handling, and application access anomalies.
Software Bill of Materials (SBOM)
A formal, machine-readable inventory of software components — open-source libraries, commercial dependencies, container base images — included in an application or system. SBOMs enable rapid identification of vulnerable components when new CVEs are disclosed (e.g., within hours of Log4Shell disclosure, organisations with SBOMs could identify affected systems; those without spent days or weeks). SBOM formats: SPDX (Linux Foundation) and CycloneDX (OWASP). US Executive Order 14028 mandated SBOMs for software sold to the federal government. SOC teams use SBOMs for software supply chain risk management — mapping CVE disclosures to specific deployed applications and accelerating patch prioritisation.
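The "CVE disclosure to deployed application" mapping described above, as an added example that is not code from the glossary, OWASP or any SBOM tool: a new advisory is matched against minimal CycloneDX documents for two applications to see which one carries a component in the affected version range. Both SBOMs, the application names, the advisory identifier and its affected range are constructed placeholders and not taken from any published advisory.

```python
"""Mapping a new advisory onto CycloneDX SBOMs to find which deployed
applications carry the vulnerable component. Added example, not from the
glossary, OWASP or any SBOM tool; both SBOMs, the application names and the
advisory (id and affected range) are constructed placeholders."""
import json
import re

# Constructed CycloneDX 1.5 documents (minimal fields only).
PAYMENTS_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "group": "com.fasterxml.jackson.core",
         "name": "jackson-databind", "version": "2.15.2"},
    ],
})
REPORTING_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
         "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    ],
})
DEPLOYED = {"payments-api": PAYMENTS_SBOM, "reporting": REPORTING_SBOM}

# Constructed advisory; id and range are illustrative placeholders.
ADVISORY = {"id": "ADVISORY-PLACEHOLDER", "group": "org.apache.logging.log4j",
            "name": "log4j-core", "affected": ">=2.0,<2.15.0"}

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b}


def parse_version(v):
    """'2.14.1' -> (2, 14, 1); short versions are zero-padded so '2.0' == '2.0.0'."""
    parts = [int(p) for p in re.findall(r"\d+", v)][:3]
    return tuple(parts + [0] * (3 - len(parts)))


def in_range(version, spec):
    """spec is a comma-separated conjunction of clauses such as '>=2.0,<2.15.0'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = re.fullmatch(r"\s*(<=|>=|==|<|>)\s*([\w.]+)\s*", clause)
        if not m:
            raise ValueError(f"bad range clause: {clause!r}")
        if not _OPS[m.group(1)](v, parse_version(m.group(2))):
            return False
    return True


def affected_apps(deployed, advisory):
    """Map each application to the component identifiers that fall inside the
    advisory's affected range (an empty list means not exposed)."""
    result = {}
    for app, sbom_json in deployed.items():
        sbom = json.loads(sbom_json)
        if sbom.get("bomFormat") != "CycloneDX":
            raise ValueError(f"{app}: not a CycloneDX document")
        hits = []
        for c in sbom.get("components", []):
            if (c.get("group") == advisory["group"] and c.get("name") == advisory["name"]
                    and in_range(c.get("version", ""), advisory["affected"])):
                hits.append(c.get("purl") or f"{c['name']}@{c.get('version')}")
        result[app] = hits
    return result


if __name__ == "__main__":
    for app, hits in affected_apps(DEPLOYED, ADVISORY).items():
        print(app, "->", hits or "not affected")
```

The version comparison is deliberately simple (numeric dot-separated only); real advisories use ecosystem-specific schemes, which is why production tooling delegates range matching to the package ecosystem's own rules.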
Tactics, Techniques, and Procedures (TTP)
The behaviour patterns that characterise how specific threat actors operate. Tactics are high-level objectives (what the attacker is trying to achieve: lateral movement, persistence). Techniques are specific methods (how they achieve it: Pass-the-Hash, scheduled task creation). Procedures are the specific, often actor-unique implementations (the exact commands, tools, or scripts used). TTPs are more valuable for detection than IOCs because they describe fundamental attacker behaviour that remains consistent even when specific malware or infrastructure changes. MITRE ATT&CK is the primary TTP taxonomy used in the security industry. TTP-level threat intelligence enables proactive detection engineering rather than reactive IOC blocking.
Threat Hunting
A proactive, analyst-driven activity to search for threats that have evaded automated detection — attackers who are already inside the network but have not yet triggered alerts. Threat hunting follows a hypothesis-driven methodology: the hunter formulates a hypothesis based on threat intelligence or knowledge of attacker TTPs ("APT29 uses living-off-the-land binaries to establish persistence via scheduled tasks — let me look for unusual scheduled task creation patterns"), then queries data sources to prove or disprove it. Unlike SIEM detection (passive, waiting for rules to fire), hunting is active. A structured threat hunting programme is a defining Level II SOC capability, typically requiring senior analysts with deep knowledge of the environment and attacker tradecraft.
Threat Intelligence (CTI)
Evidence-based knowledge about existing or emerging threats to an organisation's assets, informing decisions about how to respond. Threat intelligence exists at three levels: Strategic (high-level, business-oriented — "ransomware groups targeting our sector", used by executives and boards), Operational (campaign-level — "APT41 is conducting a phishing campaign targeting healthcare organisations using this lure", used by security architects and managers), and Tactical (technical artefacts — IOCs, YARA rules, Sigma detection rules, used by SOC analysts and detection engineers). Mature threat intelligence programmes operationalise all three levels, integrating tactical intel into automated detection and blocking while feeding strategic intel into risk assessments.
Threat Intelligence Platform (TIP)
A platform for aggregating, normalising, correlating, and operationalising threat intelligence from multiple sources (commercial feeds, ISAC sharing, open-source, internal analysis). TIPs serve two primary functions: (1) Intelligence management — store, enrich, and analyse threat intelligence in STIX/TAXII format; (2) Operationalisation — push IOCs and detection rules to consuming security controls (SIEM, firewall, proxy, EDR) via API. Leading TIPs: Anomali ThreatStream, ThreatQ, MISP (open-source), Mandiant Advantage, Recorded Future, Palo Alto Cortex XSOAR TIP module. TIP integration is a Level II SOC indicator — it transforms threat intelligence from a spreadsheet-based process to an automated detection enhancement capability.
Time to Investigate (TTI)
The time elapsed between an alert being generated and an analyst beginning substantive investigation (as opposed to initial triage or acknowledgement). TTI is a SOC workload and prioritisation metric that reflects the gap between alert generation volume and analyst bandwidth. High TTI indicates alert backlog — alerts are queuing faster than analysts can investigate them, creating a detection lag. TTI is distinct from MTTD (which measures from when the incident actually started to when it was detected) and MTTR (from detection to resolution). Reducing TTI typically requires SOAR automation for enrichment and triage, or AI-assisted alert triage to compress analyst time-per-alert.
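The three timing metrics defined in the MTTD, MTTR and TTI entries, computed from incident records overall and per detection source as the MTTD entry recommends. This is an added example, not code from the glossary; the incident records, the field names and the source labels are constructed assumptions, and alert generation is taken to coincide with the detection timestamp.

```python
"""MTTD, TTI and MTTR computed from constructed incident records, overall and
per detection source. Added example, not from the glossary; the record fields
and the source names are assumptions, and the alert is assumed to be generated
at the "detected" timestamp."""
from datetime import datetime

# Constructed incident records (ISO timestamps).
INCIDENTS = [
    {"id": "INC-1", "source": "EDR", "started": "2026-01-05T09:00",
     "detected": "2026-01-05T09:30", "investigation_started": "2026-01-05T09:45",
     "contained": "2026-01-05T12:30"},
    {"id": "INC-2", "source": "SIEM", "started": "2026-01-06T08:00",
     "detected": "2026-01-07T08:00", "investigation_started": "2026-01-07T14:00",
     "contained": "2026-01-08T08:00"},
    {"id": "INC-3", "source": "Threat Hunting", "started": "2026-01-01T00:00",
     "detected": "2026-01-05T00:00", "investigation_started": "2026-01-05T01:00",
     "contained": "2026-01-05T12:00"},
    {"id": "INC-4", "source": "EDR", "started": "2026-01-09T10:00",
     "detected": "2026-01-09T10:06", "investigation_started": "2026-01-09T10:12",
     "contained": "2026-01-09T11:06"},
]

_ORDER = ("started", "detected", "investigation_started", "contained")


def _hours(inc, start_field, end_field):
    a = datetime.fromisoformat(inc[start_field])
    b = datetime.fromisoformat(inc[end_field])
    return (b - a).total_seconds() / 3600


def validate(inc):
    """Reject records whose timeline runs backwards, a common data-quality
    fault that silently drags averages down."""
    stamps = [datetime.fromisoformat(inc[f]) for f in _ORDER]
    if stamps != sorted(stamps):
        raise ValueError(f"{inc['id']}: timestamps out of order")


def soc_metrics(incidents):
    """Return {source: {"count", "MTTD", "TTI", "MTTR"}} in hours, plus "ALL".
    MTTD: started -> detected; TTI: detected -> investigation_started;
    MTTR: detected -> contained (the definitions given in the glossary)."""
    groups = {"ALL": []}
    for inc in incidents:
        validate(inc)
        groups["ALL"].append(inc)
        groups.setdefault(inc["source"], []).append(inc)
    out = {}
    for name, incs in groups.items():
        n = len(incs)
        if n == 0:
            continue
        out[name] = {
            "count": n,
            "MTTD": sum(_hours(i, "started", "detected") for i in incs) / n,
            "TTI": sum(_hours(i, "detected", "investigation_started") for i in incs) / n,
            "MTTR": sum(_hours(i, "detected", "contained") for i in incs) / n,
        }
    return out


if __name__ == "__main__":
    for source, m in soc_metrics(INCIDENTS).items():
        print(f"{source:15} n={m['count']} MTTD={m['MTTD']:.2f}h "
              f"TTI={m['TTI']:.2f}h MTTR={m['MTTR']:.2f}h")
```

The per-source split is the useful output: a single long-dwell hunting find (INC-3) dominates the overall MTTD while the EDR-sourced figure stays in minutes, which is exactly the distortion the glossary's advice to track by detection source is meant to expose.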
User and Entity Behaviour Analytics (UEBA)
A security analytics capability that applies ML models to establish behavioural baselines for users, hosts, service accounts, applications, and other entities, then detects deviations that may indicate compromise or insider threat. UEBA generates risk scores rather than binary alerts — a user travelling to an unusual country, accessing resources they have never touched, and downloading 10× their normal data volume collectively score higher than any single anomaly in isolation. UEBA is built into many enterprise SIEMs (Microsoft Sentinel, Splunk, IBM QRadar) and available as standalone solutions (Exabeam, Securonix). UEBA capability is a Level II+ indicator and the behavioural foundation for AI-augmented SOC operations.
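The composite-scoring point in the UEBA entry (an unusual country, never-touched resources and 10× download volume scoring higher together than alone), as an added example that is not code from the glossary or any UEBA product: baselines are built from a user's own history with simple set and mean statistics rather than ML, and each deviation adds to one score. The history, the weights, the ratio cut-offs and the paging threshold are assumptions chosen for illustration.

```python
"""UEBA-style composite risk scoring: baselines learned from a user's own
history, then several weak anomalies combined into one score. Added example,
not from the glossary or any UEBA product; the history, weights, threshold and
ratio cut-offs are assumptions chosen for illustration."""
from statistics import mean

RISK_THRESHOLD = 70  # assumed score at which an analyst is paged

# Constructed history: (user, login_country, resource_accessed, download_mb)
HISTORY = [
    ("alice", "GB", "crm", 40), ("alice", "GB", "wiki", 35), ("alice", "GB", "crm", 45),
    ("bob", "DE", "git", 200), ("bob", "DE", "git", 180), ("bob", "FR", "jira", 220),
]


def build_baselines(history):
    """Per-user sets of seen countries/resources and mean download volume."""
    base = {}
    for user, country, resource, mb in history:
        b = base.setdefault(user, {"countries": set(), "resources": set(), "volumes": []})
        b["countries"].add(country)
        b["resources"].add(resource)
        b["volumes"].append(mb)
    for b in base.values():
        b["mean_mb"] = mean(b["volumes"])
    return base


def score_activity(baselines, user, country, resources, download_mb):
    """Return (score 0-100, reasons). Each deviation adds points; the sum is
    what matters, so a travelling user who also touches unfamiliar resources
    and pulls 10x their usual volume outranks any single anomaly."""
    b = baselines.get(user)
    if b is None:
        return 50, ["no baseline for user (new or dormant account)"]
    score, reasons = 0, []
    if country not in b["countries"]:
        score += 30
        reasons.append(f"login from never-seen country {country}")
    new_res = sorted(set(resources) - b["resources"])
    if new_res:
        score += min(10 * len(new_res), 30)
        reasons.append(f"{len(new_res)} never-accessed resource(s): {', '.join(new_res)}")
    ratio = download_mb / b["mean_mb"] if b["mean_mb"] else float("inf")
    if ratio >= 10:
        score += 40
        reasons.append(f"download volume {ratio:.0f}x baseline")
    elif ratio >= 3:
        score += 15
        reasons.append(f"download volume {ratio:.1f}x baseline")
    return min(score, 100), reasons


def is_high_risk(baselines, user, country, resources, download_mb):
    return score_activity(baselines, user, country, resources, download_mb)[0] >= RISK_THRESHOLD


if __name__ == "__main__":
    b = build_baselines(HISTORY)
    # Combined anomalies: new country + two new resources + 10x volume -> 90.
    print(score_activity(b, "alice", "RO", ["hr-db", "finance-share", "crm"], 400))
    # A single anomaly (unusual country only) stays below the paging threshold.
    print(score_activity(b, "bob", "JP", ["git"], 190))
```

The reasons list is what makes the score actionable: an analyst receiving "90" needs to see which three deviations contributed before deciding whether this is travel plus a legitimate project change or an exfiltration in progress.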
Zero Trust
A security architecture philosophy — not a product — based on the principle "never trust, always verify." Zero trust eliminates implicit trust granted to users or devices based on network location (being inside the perimeter no longer grants access). Every access request is authenticated, authorised based on identity, device health, and context, and encrypted — regardless of origin. Core zero trust principles: verify explicitly (authenticate and authorise every request); use least privilege access (limit access scope and duration); assume breach (design systems assuming compromise is inevitable, minimise blast radius). NIST SP 800-207 provides the formal zero trust architecture definition. SOC relevance: zero trust telemetry (identity assertions, device compliance events, policy decisions) provides rich data for detection of policy violations and lateral movement attempts.
Capability Progression: Which Terms Matter at Each Maturity Level
Not all capabilities are relevant at every stage. This map shows which glossary terms correspond to SOC maturity levels in the RateMySOC framework.
| Maturity Level | Key Capabilities | Glossary Terms to Know |
|---|---|---|
| Below Level I | Reactive, ad-hoc security response | IOC, MTTD, MTTR, MFA |
| Level I — Basic | 24×7 monitoring, SIEM, documented IR, vulnerability management | SIEM, EDR, IOC, IOA, MTTD, MTTR, MFA, PAM |
| Level II — Advanced | Threat hunting, UEBA, threat intel, EDR/XDR, red team | XDR, UEBA, TTP, MITRE ATT&CK, TIP, ISAC, CTI, Red Team, Purple Team, Threat Hunting, ITDR, SOAR |
| Level III — Expert | SOAR automation, DFIR, AI-augmented ops, CTEM, deception | SOAR, CTEM, ASM, BAS, CDR, CNAPP, CSPM, CWPP, NDR/NTA, SBOM, Zero Trust, SSE, SASE |
| AI-Native (Level IV) | Agentic AI, autonomous investigation, self-healing playbooks | UEBA, ITDR, XDR, CTEM, BAS — all capabilities AI-augmented |
Regulatory Frameworks Quick Reference
These regulations directly drive SOC maturity requirements. Each links to specific operational capability mandates relevant to security operations teams.
| Regulation | Who it applies to | SOC-relevant mandates |
|---|---|---|
| DORA (EU Financial) | Banks, insurers, investment firms, payment processors, and their ICT providers across the EU | Incident detection, classification, and reporting within defined timelines. ICT risk management framework. Third-party ICT risk oversight. |
| NIS2 (EU All Sectors) | 18 sectors, essential and important entities across the EU — energy, transport, banking, health, digital infrastructure | Incident handling, monitoring, access control, supply chain security, MFA. 24-hour early warning, 72-hour notification, 1-month final report. |
| SEC Cyber Rules (US Public) | US-listed public companies | Material incident disclosure within 4 business days. Annual disclosure of cybersecurity risk management, strategy, and governance. |
| CMMC 2.0 (US Defense) | US Department of Defense contractors and subcontractors | CMMC Level 2 (NIST SP 800-171) requires incident response capability, audit logging, and system monitoring. Level 3 adds NIST SP 800-172 controls. |
Benchmark your SOC against these capabilities
The RateMySOC assessment evaluates your organisation across 27 questions covering the capabilities defined in this glossary — from SIEM and EDR basics through to SOAR automation, threat hunting, and AI-augmented operations.