Glossary

Cybersecurity & IT glossary.

Fifty terms defined in plain language. Cybersecurity operations, compliance frameworks, architecture patterns, and the operational metrics that actually show up in SLAs. Written by practitioners who use these terms daily rather than glossary-style vendor boilerplate.

By Stefan Efros, CEO & Founder, EFROS. Reviewed by Daniel Agrici, Chief Security Officer, EFROS.

All terms, alphabetical

BEC (Business Email Compromise)

Security

An attack in which an adversary gains access to or impersonates a legitimate business email account to initiate fraudulent wire transfers, redirect payments, or extract sensitive data.

BEC typically starts with credential theft via phishing, followed by the attacker operating as the user: reading mail, creating forwarding rules, and sending fraudulent wire instructions. FBI IC3 reports BEC as one of the highest-dollar-loss cybercrime categories annually.

CMMC (Cybersecurity Maturity Model Certification)

Compliance

US Department of Defense framework requiring defense industrial base (DIB) contractors to achieve certified cybersecurity posture at one of three levels. Level 2 applies to most contractors handling Controlled Unclassified Information (CUI).

CSPM (Cloud Security Posture Management)

Security

Continuous discovery, assessment, and remediation of security misconfigurations and compliance gaps across cloud environments (AWS, Azure, GCP).

CSPM catches the configuration drift that causes most cloud data breaches: public S3 buckets, exposed storage accounts, over-permissioned IAM roles, and unencrypted resources. It's table stakes for any regulated cloud deployment.

CUI (Controlled Unclassified Information)

Compliance

US government information that requires safeguarding under specific rules but is not classified. Defense contractors handling CUI are required to meet NIST SP 800-171 controls and, under CMMC, achieve Level 2 certification.

DFARS 7012

Compliance

Defense Federal Acquisition Regulation Supplement clause 252.204-7012 requires DoD contractors to implement NIST SP 800-171 controls and report cyber incidents within 72 hours.

DLP (Data Loss Prevention)

Security

Technology controls that detect and prevent sensitive data from being exfiltrated, whether via email, cloud storage, removable media, or web uploads. Policies are driven by data classification.

EDR (Endpoint Detection and Response)

Security

Endpoint security platform that collects behavioral telemetry from workstations and servers, detects malicious activity, and enables forensic investigation and response.

EDR is the successor to traditional antivirus. Leading platforms include CrowdStrike Falcon, SentinelOne Singularity, Microsoft Defender for Endpoint, and Palo Alto Cortex XDR. EDR feeds naturally into XDR and SOAR workflows.

FedRAMP (Federal Risk and Authorization Management Program)

Compliance

US federal program that standardizes security assessment and authorization for cloud services used by federal agencies. FedRAMP authorization levels are Low, Moderate, and High.

FFIEC CAT (Cybersecurity Assessment Tool)

Compliance

Assessment framework from the Federal Financial Institutions Examination Council used by banks and credit unions to evaluate cybersecurity preparedness across five maturity domains.

FIDO2

Security

Open authentication standard enabling passwordless, phishing-resistant authentication using public-key cryptography. WebAuthn is the W3C browser API that exposes FIDO2 to web apps.

FIDO2 is the authentication standard that can actually stop modern phishing. Passwords and SMS-based MFA remain phishable; FIDO2 hardware tokens and platform authenticators are not.

FinOps

Architecture

Discipline of running cloud environments with business-aware cost management, combining engineering, finance, and business stakeholders around cloud spend decisions.

GDPR (General Data Protection Regulation)

Compliance

European Union regulation governing the processing of personal data of EU residents. Requires lawful basis for processing, data subject rights, breach notification within 72 hours, and DPO appointment for qualifying organizations.

GLBA (Gramm-Leach-Bliley Act)

Compliance

US law requiring financial institutions to protect the security and confidentiality of customer information. The Safeguards Rule (FTC, updated 2021) specifies the technical and procedural controls that are required.

HIPAA Security Rule

Compliance

US regulation requiring covered entities and business associates to implement administrative, physical, and technical safeguards to protect electronic protected health information (ePHI).

HSM (Hardware Security Module)

Architecture

Tamper-resistant hardware device that performs cryptographic operations and protects private keys. FIPS 140-2 and 140-3 define the validation standards.

IAM (Identity and Access Management)

Security

Framework of policies and technologies that ensures the right individuals (and services) access the right resources at the right time for the right reasons. Core components: authentication, authorization, identity governance, and privileged access.

ITDR (Identity Threat Detection and Response)

Security

Security category focused on detecting and responding to identity-based attacks: credential theft, token theft, privilege escalation, and suspicious authentication patterns.

MDR (Managed Detection and Response)

Security

Outsourced service that combines an EDR/XDR platform with 24/7 human analyst operations, threat hunting, and pre-authorized containment actions.

Microsegmentation

Architecture

Network security approach that creates fine-grained segmentation boundaries between individual workloads or applications, restricting east-west traffic through policy rather than through physical or VLAN-level separation.

MITRE ATT&CK

Security

Publicly available framework of adversary tactics and techniques observed in real-world attacks. Used by SOC teams to structure detection content, threat hunting, and incident scoping.

MSP (Managed Service Provider)

IT Operations

Third-party provider that manages a customer's IT infrastructure and end-user systems under a recurring service contract, typically with a defined SLA.

MSSP (Managed Security Service Provider)

Security

Third-party provider that delivers security operations services (SOC, SIEM, MDR, compliance) to customers under a recurring service contract.

MTTC (Mean Time to Contain)

Metrics

Average time from when an incident is detected to when the adversary's activity is halted or contained. A core operational metric for SOC and MDR programs.

Best-in-class MTTC with pre-authorized containment is under 15 minutes. Typical MSSP MTTC with manual approval loops runs 45-90 minutes. That gap is the primary outcome differentiator between MDR providers.

MTTD (Mean Time to Detect)

Metrics

Average time from when an adversary action starts to when a security detection fires. Mature SOC operations target MTTD under 5 minutes for high-severity activity.

MTTR (Mean Time to Resolve)

Metrics

Average time from incident detection to full resolution, including containment, eradication, and recovery. In MSP operations, MTTR typically covers production-impacting incidents end-to-end.

NDR (Network Detection and Response)

Security

Security category focused on analyzing network traffic to detect threats, including lateral movement, command-and-control communications, and data exfiltration patterns.

NIST CSF (Cybersecurity Framework)

Compliance

Widely adopted framework from the US National Institute of Standards and Technology that organizes cybersecurity activities across six functions: Govern, Identify, Protect, Detect, Respond, and Recover. CSF 2.0 (2024) added the Govern function.

NIST SP 800-171

Compliance

NIST publication specifying 110 security requirements for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations. Required by DFARS 7012 and CMMC Level 2.

NIST SP 800-207 (Zero Trust Architecture)

Architecture

NIST publication defining the architectural principles of Zero Trust. The authoritative reference document for Zero Trust implementations, including the seven tenets that any serious Zero Trust program maps back to.

NOC (Network Operations Center)

IT Operations

Centralized facility (physical or virtual) where engineers monitor, manage, and respond to IT infrastructure issues. The operational analog of a SOC, focused on availability and performance rather than security.

NYDFS Part 500

Compliance

New York Department of Financial Services cybersecurity regulation applying to banks, insurance companies, and other financial services institutions operating in NY. Requires written cybersecurity program, CISO designation, and incident notification within 72 hours.

PAM (Privileged Access Management)

Security

Category of controls for managing access to privileged accounts: vaulting credentials, enabling just-in-time elevation, recording privileged sessions, and enforcing approval workflows.

PCI-DSS 4.0

Compliance

Payment Card Industry Data Security Standard, version 4.0 (mandatory for assessments from March 2024). Required for organizations that store, process, or transmit cardholder data. Requires annual assessment, with scope and control rigor tied to transaction volume.

Phishing-resistant MFA

Security

Multi-factor authentication methods that cannot be compromised by phishing or adversary-in-the-middle attacks. Includes FIDO2 hardware tokens, platform authenticators using WebAuthn, and smart cards. Excludes SMS codes and TOTP codes, which are delivered over channels a phishing page can relay.

RACI matrix

IT Operations

Responsibility assignment model documenting who is Responsible, Accountable, Consulted, and Informed for each task or decision. Critical for vendor contracts and IR runbooks where role ambiguity creates response delays.

Ransomware

Security

Malware that encrypts victim data (and sometimes exfiltrates it first) to extort payment for decryption and non-disclosure. Modern ransomware operations typically exfiltrate data before encryption and demand two separate payments.

RPO (Recovery Point Objective)

Metrics

Maximum tolerable data loss measured in time, for example 15 minutes or 1 hour. Drives backup frequency and replication design for business continuity planning.

RTO (Recovery Time Objective)

Metrics

Maximum tolerable downtime from disruption to restored operation, for example 4 hours or 24 hours. Drives recovery architecture decisions (active-active, pilot-light, backup-and-restore).

SASE (Secure Access Service Edge)

Architecture

Architectural model that converges network connectivity (SD-WAN) and security services (SWG, ZTNA, CASB, FWaaS) into a single cloud-delivered service.

SIEM (Security Information and Event Management)

Security

Platform that aggregates and correlates log and event data across an enterprise to detect security issues. Major platforms: Microsoft Sentinel, Splunk Enterprise Security, IBM QRadar, Elastic Security.

SOAR (Security Orchestration, Automation, and Response)

Security

Platform that automates security workflows and response playbooks, integrating with SIEM, EDR, ticketing, and other tools to reduce manual analyst work on repetitive investigation and containment tasks.

SOC (Security Operations Center)

Security

Facility and team responsible for 24/7 monitoring, detection, investigation, and response to cybersecurity events. Can be in-house, fully outsourced, or hybrid.

SOC 2 Type II

Compliance

Attestation report from an independent auditor on the design and operating effectiveness of controls at a service organization over a period of time (typically 6-12 months). Based on the AICPA Trust Services Criteria (2017).

Speculation Rules API

Architecture

Browser API (Chromium) that lets pages declare prefetch or prerender rules for likely next navigations, improving perceived performance by starting page loads before the user clicks.

System Integration

IT Operations

Discipline of connecting disparate enterprise applications (CRM, ERP, billing, HR, custom platforms) into a coherent operational whole through APIs, middleware, event streaming, or data synchronization.

Threat hunting

Security

Proactive security activity in which analysts hypothesize adversary behavior and search environment data for evidence of intrusions that automated detection did not surface. Complements alert-driven SOC operations.

vCISO (Virtual CISO)

IT Operations

Fractional or interim executive security leadership arrangement. Provides strategic direction, board reporting, regulatory interface, and incident leadership without a full-time CISO hire.

XDR (Extended Detection and Response)

Security

Security platform that correlates telemetry across multiple domains (endpoint, network, identity, cloud, SaaS) to detect attacks that span those domains. Typically delivered as a platform that unifies EDR, NDR, and ITDR signals.

Zero Trust Architecture

Architecture

Security architecture that eliminates implicit trust based on network location and instead requires continuous verification of every access request against identity, device health, and risk signals.

ZTNA (Zero Trust Network Access)

Architecture

Access technology that replaces traditional VPN by creating encrypted, policy-enforced connections between users and specific applications rather than granting broad network access. Leading platforms include Zscaler Private Access, Palo Alto Prisma Access, Cloudflare Access, and Microsoft Entra Private Access.
