Skip to main content
Cybersecurity Glossary

Master the Language of Security Operations

63+ essential definitions for SOC analysts and security professionals. Every term maps to real SOC training scenarios you can practice free forever.

63+Terms Defined
5Categories
3Tools Covered

What Is a Cybersecurity Glossary?

A cybersecurity glossary is a curated reference of terms, acronyms, and concepts used across Security Operations Centers (SOCs), incident response teams, and threat intelligence programs. For analysts starting their careers, mastering this vocabulary is the fastest way to decode alerts, communicate with senior staff, and navigate security tools with confidence.

This glossary focuses on operational terms: the tools you will use daily (SIEM, XDR, EDR), the threats you will triage (phishing, ransomware, lateral movement), and the frameworks that structure your work (MITRE ATT&CK, NIST, defense in depth). Each definition includes real SOC context so you understand not just what a term means, but how it shapes your workflow.

SOC Glossary
A structured reference of cybersecurity terminology organized by category, with each term including a definition, extended explanation, SOC operational relevance, and links to related concepts. Designed for SOC analysts who need to understand the language of their tools, threats, and processes.

Browse by Category

Tools12 termsConcepts16 termsThreats13 termsFrameworks5 termsProcesses17 terms

Tools(12)

Tools
SIEMTools

Security Information and Event Management (SIEM) is a platform that aggregates, normalizes, and correlates log data from

XDRTools

Extended Detection and Response (XDR) is a security platform that unifies telemetry from endpoints, networks, cloud work

EDRTools

Endpoint Detection and Response (EDR) is a security technology that continuously monitors endpoint activity, recording p

SOARTools

Security Orchestration, Automation, and Response (SOAR) is a platform that integrates security tools, automates repetiti

IDSTools

An Intrusion Detection System (IDS) monitors network traffic or host activity for signs of malicious behavior, policy vi

IPSTools

An Intrusion Prevention System (IPS) is an active network security control deployed inline that inspects traffic in real

WAFTools

A Web Application Firewall (WAF) is a security control between clients and web applications that inspects HTTP/HTTPS tra

NGFWTools

A Next-Generation Firewall (NGFW) combines traditional stateful packet inspection with deep packet inspection, applicati

DLPTools

Data Loss Prevention (DLP) is a set of technologies and policies that detect and prevent unauthorized transmission, stor

NDRTools

Network Detection and Response (NDR) is a security platform that passively monitors network traffic using machine learni

MDRTools

Managed Detection and Response (MDR) is a service where a third-party security provider delivers continuous threat monit

UEBATools

User and Entity Behavior Analytics (UEBA) applies machine learning and statistical modeling to establish behavioral base

Concepts(16)

Concepts
IOCConcepts

An Indicator of Compromise (IOC) is an observable artifact, such as a file hash, IP address, domain name, URL, registry

IOAConcepts

An Indicator of Attack (IOA) is a behavioral signal that identifies adversary intent and technique in real time, such as

TTPsConcepts

Tactics, Techniques, and Procedures (TTPs) describe the behavioral patterns, methods, and operational processes threat a

False PositiveConcepts

A false positive is a security alert that fires on legitimate, benign activity, incorrectly classifying safe behavior as

True PositiveConcepts

A true positive is a security alert that correctly identifies genuine malicious activity or policy violation. It is a re

Alert TriageConcepts

Alert triage is the structured process of reviewing, prioritizing, and investigating security alerts to determine their

Threat IntelligenceConcepts

Threat intelligence is analyzed, contextualized information about current and emerging cyber threats, including threat a

Kill ChainConcepts

The Cyber Kill Chain is a framework developed by Lockheed Martin that describes seven sequential stages of a targeted cy

Defense in DepthConcepts

Defense in depth layers multiple independent defensive controls across the network, endpoint, application, and identity

Zero TrustConcepts

Zero Trust is a security architecture philosophy based on "never trust, always verify," requiring continuous authenticat

Least PrivilegeConcepts

The principle of least privilege states that users, processes, and systems should receive only the minimum access rights

Attack SurfaceConcepts

An organization's attack surface is the total set of points where an adversary could attempt unauthorized access: networ

MFAConcepts

Multi-Factor Authentication (MFA) requires users to provide two or more independent verification factors (something you

MTTD (Mean Time to Detect)Concepts

Mean Time to Detect is the average elapsed time between when a security incident begins and when the SOC first identifie

MTTR (Mean Time to Respond)Concepts

Mean Time to Respond is the average elapsed time between detecting a security incident and completing the initial respon

IOCs (Indicators of Compromise)Concepts

Indicators of Compromise are observable artifacts — IP addresses, domain names, file hashes, registry keys, or behaviora

Threats(13)

Threats
PhishingThreats

Phishing is a social engineering attack delivered via email, SMS, voice calls, or other channels that deceives recipient

Brute Force AttackThreats

A brute force attack systematically tries large numbers of username and password combinations, or decryption keys, until

Lateral MovementThreats

Lateral movement is the attack phase where adversaries expand access from an initial foothold to additional systems, usi

Privilege EscalationThreats

Privilege escalation is how an attacker gains higher access rights than initially obtained: standard user to administrat

PersistenceThreats

Persistence refers to techniques adversaries use to maintain access across reboots, credential changes, and other disrup

Command and ControlThreats

Command and Control (C2) refers to the infrastructure and communication channels adversaries use to remotely direct malw

ExfiltrationThreats

Data exfiltration is the unauthorized transfer of sensitive data from a victim environment to attacker-controlled infras

RansomwareThreats

Ransomware is malware that encrypts victim data or systems and demands payment (typically cryptocurrency) for the decryp

APTThreats

An Advanced Persistent Threat (APT) is a sophisticated, often nation-state-sponsored threat actor conducting long-durati

Insider ThreatThreats

An insider threat is a security risk from current or former employees, contractors, or partners who misuse authorized ac

Supply Chain AttackThreats

A supply chain attack compromises a trusted third-party vendor, service provider, or hardware supplier to use their priv

Social EngineeringThreats

Social engineering is the psychological manipulation of individuals into performing actions or revealing information tha

Threat ActorThreats

A threat actor is any individual, group, or organization that conducts or sponsors malicious cyber activity, including n

Frameworks(5)

Frameworks
MITRE ATT&CKFrameworks

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques observed in real-world cyberatt

NIST CSFFrameworks

The NIST Cybersecurity Framework (CSF) is a risk management framework developed by the US National Institute of Standard

CIS ControlsFrameworks

The CIS Critical Security Controls are a prioritized set of 18 defensive actions developed by the Center for Internet Se

Diamond ModelFrameworks

The Diamond Model of Intrusion Analysis represents every intrusion event as a relationship between four core features: A

OWASPFrameworks

The Open Web Application Security Project (OWASP) is a nonprofit producing freely available security resources, most not

Processes(17)

Processes
Incident ResponseProcesses

Incident response (IR) is the structured process for preparing for, detecting, containing, eradicating, recovering from,

Threat HuntingProcesses

Threat hunting is the proactive, human-led process of searching through security telemetry to find hidden threats that e

Digital ForensicsProcesses

Digital forensics is the scientific process of collecting, preserving, analyzing, and presenting digital evidence from c

Vulnerability ManagementProcesses

Vulnerability management is the continuous process of identifying, classifying, prioritizing, remediating, and verifying

Patch ManagementProcesses

Patch management is the systematic process of acquiring, testing, approving, and applying software updates and security

Log ManagementProcesses

Log management is the process of collecting, normalizing, storing, retaining, and analyzing log data from across the IT

Alert CorrelationProcesses

Alert correlation combines multiple related security events from different sources into a unified, higher-fidelity alert

TriageProcesses

In SOC operations, triage is the initial assessment where analysts rapidly evaluate an alert to determine severity, vali

EscalationProcesses

Escalation is the formal process of transferring an alert or incident to a higher-tier analyst, specialized team, or man

ContainmentProcesses

Containment is the incident response phase focused on limiting the spread and impact of a confirmed security incident: i

EradicationProcesses

Eradication is the incident response phase where all threat components are permanently removed: malware, backdoors, pers

RecoveryProcesses

Recovery is the incident response phase where normal business operations are restored: affected systems return to produc

Penetration TestingProcesses

Penetration testing is an authorized simulated cyberattack against an organization's systems, networks, or applications,

SOC AnalystProcesses

A SOC analyst is a cybersecurity professional who monitors, detects, investigates, and responds to security threats as p

Mean Time to DetectProcesses

Mean Time to Detect (MTTD) measures the average elapsed time between when a security incident begins and when the SOC id

Red TeamProcesses

A red team is a group of security professionals who simulate advanced adversary tactics against an organization's full d

SLAProcesses

A Service Level Agreement (SLA) in SOC contexts defines contractual or operational targets for alert response times, spe

Frequently Asked Questions

What terms should SOC analysts know first?
Start with the core tools: SIEM, XDR, EDR, and Firewall. Then learn the processes: alert triage, incident response, escalation, and threat hunting. These terms map directly to daily SOC workflows and appear in every analyst job description.
How is this glossary organized?
Terms are grouped into five categories: Tools (SIEM, XDR, EDR, etc.), Concepts (defense in depth, zero trust, etc.), Threats (phishing, ransomware, APT, etc.), Frameworks (MITRE ATT&CK, NIST, etc.), and Processes (incident response, alert triage, etc.). Each term includes a definition, extended explanation, SOC relevance context, and links to related terms.
How often is the glossary updated?
We review and update the glossary monthly to reflect new threats, evolving tools, and changes in industry frameworks. New terms are added as the cybersecurity landscape evolves.
Can I practice these concepts hands-on?
Yes. SOCSimulator provides free SOC analyst training with realistic SIEM, XDR, and Firewall interfaces. Every glossary term maps to a concept you will encounter during hands-on training scenarios. Start free forever with no credit card required.
What is the difference between SIEM, XDR, and EDR?
SIEM aggregates and correlates logs from across your environment for threat detection and compliance. EDR monitors individual endpoints (process execution, file changes, network connections). XDR extends EDR by unifying endpoint, network, cloud, and identity telemetry into a single detection and response platform. Most mature SOCs use all three together.
Free forever

Put These Concepts Into Practice

SOCSimulator puts you in the analyst seat with real alerts, real tools, and real pressure. Investigate MITRE ATT&CK-mapped scenarios across SIEM, XDR, and Firewall consoles. Start free forever — no credit card required.

Start Free — No Credit CardExplore Operations
12,000+ analysts trained
89% report faster triage
4.9/5 analyst rating

Related resources

MITRE ATT&CK TechniquesSOC PlaybooksShift ModeTraining OperationsSOC Career PathsSecurity BlogPricing

We use cookies to improve your experience and measure usage. Learn more