- SIEM
- Security Information and Event Management — collects and correlates logs across the enterprise to detect, investigate, and report on threats.
- Indicator of compromise (IoC)
- A forensic artifact (malicious IP/domain, file hash, registry key, beaconing) that signals a system may have been breached.
- Signature-based detection
- Detection that matches known patterns (hashes, rules, byte sequences). Precise on known threats but blind to novel ones.
- Anomaly-based detection
- Detection that flags deviations from a defined baseline of normal activity; catches unknown threats but needs a good baseline.
- Behavioral analytics
- Detecting threats by modeling normal user, host, and network behavior and flagging deviations — finds insider and novel threats.
- Heuristic detection
- Detection that identifies threats by characteristics/rules of suspicious behavior rather than exact signatures.
- UEBA
- User and Entity Behavior Analytics — uses machine learning to baseline normal behavior and detect anomalies like compromised accounts.
- Threat intelligence
- Evidence-based knowledge about adversaries — actors, their TTPs, and indicators — used to inform and improve defense.
- Threat-intelligence cycle
- The repeating process: planning & direction → collection → processing → analysis → dissemination → feedback.
- Strategic threat intelligence
- High-level intelligence on trends and risk, aimed at executives and long-term decision-making.
- Operational threat intelligence
- Intelligence about specific campaigns and adversary operations, aimed at defenders.
- Tactical threat intelligence
- Technical, immediate intelligence — IoCs and TTPs — consumed by security tools and analysts.
- TTP
- Tactics, Techniques, and Procedures — how an adversary operates; the most durable, hardest-to-change indicator.
- Confidence level (threat intel)
- An assessment of how reliable a piece of intelligence is, so consumers know how much to trust it.
- MITRE ATT&CK
- A knowledge base of real-world adversary tactics (goals) and techniques (methods) used to map detections and drive threat hunting.
- Threat hunting
- The proactive, hypothesis-driven search for adversaries that have evaded existing detections, before any alert fires.
- Dwell time
- The length of time an attacker remains undetected in an environment; threat hunting aims to reduce it.
- STIX
- Structured Threat Information Expression — a standardized language for representing and sharing cyber threat intelligence.
- TAXII
- Trusted Automated Exchange of Intelligence Information — the protocol for transporting STIX threat-intelligence data.
- ISAC / ISAO
- Information Sharing and Analysis Center/Organization — communities that share threat intelligence among members.
- OSINT
- Open-Source Intelligence — intelligence gathered from publicly available sources.
- Zero trust
- A model that removes implicit trust and verifies every request based on identity, device, and context — 'never trust, always verify.'
- SASE
- Secure Access Service Edge — converges networking (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into one cloud-delivered service.
- Network segmentation
- Dividing a network into zones to limit lateral movement and contain the blast radius of a compromise.
- SDN
- Software-Defined Networking — separates the network control plane from the data plane for centralized, programmable control.
- SOAR
- Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks and tool integrations.
- Playbook
- A documented, repeatable set of response steps for a given alert or incident type, often automated through SOAR.
- Packet capture
- Recording raw network traffic (e.g., with tcpdump or Wireshark) so analysts can inspect its contents and flow.
- Wireshark
- A graphical packet-capture and protocol-analysis tool used to inspect network traffic in detail.
- tcpdump
- A command-line packet-capture tool for recording and inspecting network traffic.
- NetFlow
- A protocol that records metadata about network flows (who talked to whom, when, how much) — useful for spotting beaconing and exfiltration.
- Log analysis
- Reviewing and correlating system, network, and application logs to detect, scope, and investigate suspicious activity.
- EDR
- Endpoint Detection and Response — continuously monitors endpoints to detect, investigate, and respond to threats.
- XDR
- Extended Detection and Response — correlates detection and response across endpoints, network, email, and cloud.
- SPF
- Sender Policy Framework — a DNS record listing the mail servers authorized to send email for a domain.
- DKIM
- DomainKeys Identified Mail — a cryptographic signature on outbound email so receivers can detect tampering and forged senders.
- DMARC
- Domain-based Message Authentication, Reporting & Conformance — a DNS policy requiring SPF or DKIM to pass *and* align with the visible From: domain, telling receivers what to do on failure (none, quarantine, reject) and where to send aggregate reports.
- Email header analysis
- Examining headers (Received, Authentication-Results) to trace an email's path and verify SPF/DKIM/DMARC results.
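Worked example (added here; not part of the original glossary): a small Python checker that unfolds a message's headers, splits the Authentication-Results header into its SPF and DKIM clauses, and re-derives the DMARC verdict from the alignment rule described in the SPF/DKIM/DMARC entries. Both header samples are constructed, the `mx.example.net` authserv-id and all domains are made up, and `org_domain` approximates the organizational domain with the last two labels (real DMARC evaluators use the Public Suffix List).

```python
import re

# Constructed sample headers for two messages (not from any real mail).
LEGIT = """\
From: "Payroll" <payroll@example.com>
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=bounce.example.com;
  dkim=pass header.d=example.com header.s=sel1;
  dmarc=none
"""

SPOOFED = """\
From: "CEO" <ceo@example.com>
Reply-To: ceo.example@mail.example.net
Authentication-Results: mx.example.net;
  spf=pass smtp.mailfrom=bounce@attacker.example.net;
  dkim=fail header.d=attacker.example.net
"""


def unfold(raw: str) -> dict:
    """Unfold RFC 5322 folded header lines and map lower-cased name -> value."""
    lines = []
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and lines:      # continuation of the previous header
            lines[-1] += " " + line.strip()
        else:
            lines.append(line)
    headers = {}
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def parse_auth_results(value: str) -> dict:
    """Return {method: {"result": ..., property: value, ...}} from an
    Authentication-Results value. The first ';'-separated field is the authserv-id."""
    results = {}
    for clause in value.split(";")[1:]:
        tokens = clause.split()
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = dict(tok.partition("=")[::2] for tok in tokens[1:])
        results[method] = {"result": result, **props}
    return results


def org_domain(domain: str) -> str:
    """Approximation: last two labels. Real DMARC uses the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC alignment: 's' (strict) needs an exact match, 'r' (relaxed) the same org domain."""
    auth_domain = auth_domain.rpartition("@")[2]   # smtp.mailfrom may be a full address
    if not auth_domain:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate_dmarc(raw_headers: str, spf_mode: str = "r", dkim_mode: str = "r") -> dict:
    """Re-derive the DMARC verdict from the From: domain and the SPF/DKIM results."""
    hdrs = unfold(raw_headers)
    from_domain = re.search(r"@([\w.-]+)", hdrs["from"]).group(1)
    ar = parse_auth_results(hdrs.get("authentication-results", ""))
    spf, dkim = ar.get("spf", {}), ar.get("dkim", {})
    spf_ok = spf.get("result") == "pass" and aligned(spf.get("smtp.mailfrom", ""), from_domain, spf_mode)
    dkim_ok = dkim.get("result") == "pass" and aligned(dkim.get("header.d", ""), from_domain, dkim_mode)
    return {
        "from_domain": from_domain,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "dmarc": "pass" if (spf_ok or dkim_ok) else "fail",
    }


if __name__ == "__main__":
    for name, raw in (("legit", LEGIT), ("spoofed", SPOOFED)):
        print(name, evaluate_dmarc(raw))
```

The spoofed sample shows why SPF alone is not enough: SPF passes for the attacker's own bounce domain, but that domain does not align with the From: domain the user sees, so DMARC fails. When doing this by hand, trust only the Authentication-Results header stamped with your own gateway's authserv-id; a sender can include a forged one, and a compliant receiving MTA strips pre-existing headers carrying its own identifier.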
- Phishing
- A social-engineering attack using fraudulent messages to steal credentials, deliver malware, or trick users into actions.
- Spear phishing
- A phishing attack targeted at a specific individual or organization, using personalized details.
- Whaling
- A phishing attack that targets high-value executives such as a CEO or CFO.
- Vishing
- Voice phishing — a social-engineering attack carried out over a phone call.
- Smishing
- SMS phishing — a social-engineering attack delivered by text message.
- Business email compromise (BEC)
- An attack impersonating a trusted executive or vendor to authorize fraudulent payments or data transfers.
- On-path attack
- An attacker secretly relaying or altering traffic between two parties (formerly 'man-in-the-middle').
- DDoS
- Distributed Denial of Service — overwhelming a target with traffic from many sources to make it unavailable.
- DNS poisoning
- Corrupting DNS resolution so victims are sent to attacker-controlled addresses.
- ARP poisoning
- Sending forged ARP messages to associate the attacker's MAC with a victim's IP, enabling interception on a LAN.
- Beaconing
- Periodic, regular network callbacks from a compromised host to a command-and-control server.
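Worked example (added here; not from the original glossary) for the NetFlow and beaconing entries: a Python routine that groups flow records by source, destination and port and flags groups whose inter-flow intervals are nearly constant, which is the statistical signature of a beacon. The flow records are constructed (one host calling out every ~60 s with a small jitter, one host browsing irregularly); the IPs are documentation addresses and the thresholds are assumptions to tune per environment.

```python
import statistics
from collections import defaultdict

BASE_TS = 1_700_000_000  # arbitrary epoch start for the constructed data

# Constructed flow records: (start_epoch_s, src_ip, dst_ip, dst_port, bytes). Not real traffic.
# 10.0.0.5 calls out every ~60 s with near-constant size (a beacon);
# 10.0.0.7 is ordinary browsing with irregular timing and sizes.
BEACON_FLOWS = [
    (BASE_TS + 60 * i + (i % 3) - 1, "10.0.0.5", "203.0.113.10", 443, 1200 + 8 * (i % 2))
    for i in range(12)
]
NORMAL_FLOWS = [
    (BASE_TS + t, "10.0.0.7", "198.51.100.20", 443, b)
    for t, b in [(5, 3200), (9, 120_000), (140, 800), (141, 4500), (600, 250_000),
                 (610, 700), (1300, 90_000), (1302, 15_000), (2400, 6100)]
]
FLOWS = BEACON_FLOWS + NORMAL_FLOWS


def find_beacons(flows, min_flows=8, max_interval_cv=0.2):
    """Group flows by (src, dst, dport) and flag groups whose gaps between flows are
    nearly constant: coefficient of variation (stdev / mean) <= max_interval_cv."""
    groups = defaultdict(list)
    for ts, src, dst, dport, nbytes in flows:
        groups[(src, dst, dport)].append((ts, nbytes))

    findings = []
    for (src, dst, dport), recs in groups.items():
        if len(recs) < min_flows:        # too few samples to judge periodicity
            continue
        recs.sort()
        intervals = [b[0] - a[0] for a, b in zip(recs, recs[1:])]
        mean_gap = statistics.mean(intervals)
        if mean_gap <= 0:
            continue
        interval_cv = statistics.pstdev(intervals) / mean_gap
        sizes = [n for _, n in recs]
        size_cv = statistics.pstdev(sizes) / statistics.mean(sizes)
        if interval_cv <= max_interval_cv:
            findings.append({
                "src": src, "dst": dst, "dport": dport, "flows": len(recs),
                "period_s": round(mean_gap, 1),
                "interval_cv": round(interval_cv, 3),
                "size_cv": round(size_cv, 3),     # near-constant sizes strengthen the call
            })
    return sorted(findings, key=lambda f: f["interval_cv"])


if __name__ == "__main__":
    for finding in find_beacons(FLOWS):
        print(finding)
```

Two caveats a hunter should keep in mind: legitimate software (update checks, NTP, monitoring agents) also beacons, so the hit list needs enrichment with destination reputation and an allowlist; and an implant with heavy jitter or long sleeps pushes the interval CV above any fixed threshold, which is why a low `max_interval_cv` trades recall for precision.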
- Command and control (C2)
- The channel and infrastructure an attacker uses to remotely control compromised systems.
- Living off the land
- Using legitimate, built-in system tools (e.g., PowerShell, WMI) to carry out an attack and evade detection.
- Obfuscation
- Deliberately making code or data hard to understand to evade detection or analysis.
- Regular expression (regex)
- A pattern-matching syntax analysts use to search and filter logs and data.
- False positive (alert)
- An alert that flags benign activity as malicious — a source of analyst alert fatigue.
- Alert fatigue
- Desensitization caused by too many alerts (often from an untuned SIEM), risking missed real threats.
- Sandboxing
- Running suspicious code in an isolated environment to observe its behavior safely.
- File integrity monitoring (FIM)
- Alerting when critical files change unexpectedly, indicating possible tampering.
- DLP
- Data Loss Prevention — tools that detect and block unauthorized movement of sensitive data.
- Cyber kill chain
- Lockheed Martin's linear 7-stage intrusion model used to detect and disrupt attacks early.
- Diamond Model
- An intrusion-analysis model linking four features of every event: adversary, capability, infrastructure, and victim.
- CIA triad
- Confidentiality, Integrity, Availability — the three core goals of information security.
- Confidentiality
- Ensuring only authorized people can read data; enforced by encryption and access control.
- Integrity
- Ensuring data is accurate and unaltered; enforced by hashing and digital signatures.
- Availability
- Ensuring authorized users can access data and systems when needed; enforced by redundancy and backups.
- IAM
- Identity and Access Management — the policies and tools that manage digital identities and control access.
- MFA
- Multi-factor authentication — requiring two or more factors from different categories (know, have, are).
- Least privilege
- Granting only the minimum access needed to perform a task, limiting the blast radius of a compromise.
- Encryption
- Transforming data so only authorized parties with the key can read it; protects confidentiality.
- Symmetric encryption
- Encryption using one shared secret key to both encrypt and decrypt (e.g., AES) — fast.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC) for key exchange and digital signatures.
- Hashing
- A one-way function producing a fixed-length digest (e.g., SHA-256); used for integrity, not reversible.
- Honeypot
- A decoy system that lures attackers away from real assets and records their behavior.
- Honeytoken
- Fake data (a credential, record, or key) that signals compromise the moment it is used.
- Malware
- Malicious software — ransomware, trojans, worms, viruses, spyware, rootkits, and keyloggers.
- Rootkit
- Malware that hides deep in the system (often the kernel) to maintain stealthy, privileged access.
- Trojan
- Malware disguised as legitimate software that performs a hidden malicious action when run.
- Lateral movement
- An attacker moving from an initial foothold to other systems within the network.
- Privilege escalation
- Gaining higher access rights than granted — vertical (to admin) or horizontal (to another user).
- Persistence
- Techniques an attacker uses to maintain access across reboots and credential changes.
- Endpoint analysis
- Examining a host for malicious processes, persistence, and artifacts during detection or response.
- Email analysis
- Examining messages, attachments, and headers for phishing, spoofing, and malicious payloads.
- File analysis
- Inspecting a file's properties, hash, and behavior to determine if it is malicious.
- Anomaly baseline
- A reference profile of normal activity against which anomaly detection compares current behavior.
- Scripting (CySA+)
- Reading Python, PowerShell, shell, or JavaScript snippets and regex to analyze and automate — not writing production code.
- API integration
- Connecting security tools through APIs and webhooks to share data and automate workflows.
- Standardization (process)
- Defining consistent processes and configurations to reduce error and enable automation.
- Orchestration
- Coordinating multiple security tools and tasks into a unified, often automated, workflow.
- Syslog
- A standard protocol for forwarding log messages, commonly aggregated centrally by a SIEM.
- Windows Event Log
- The Windows logging system (Security, System, Application logs) analysts review for host activity.
- Sysmon
- A Windows system-monitoring tool that logs detailed process, network, and file events for analysis.
- Log correlation
- Linking events across multiple sources to reveal an attack that no single log shows alone.
- Use case (SIEM)
- A defined detection scenario with the logic and data sources needed to catch a specific threat.
- Tuning (SIEM)
- Adjusting detection rules and thresholds to reduce false positives and surface true threats.
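Worked example (added here; not from the original glossary) tying together the regex, log analysis, log correlation, SIEM use case and tuning entries: a Python detection that parses sshd syslog lines with a regular expression, then correlates failed logins by source IP across hosts so that a password-spray followed by a success is caught even though no single host's log shows all the failures. The log lines are constructed, the year is assumed (syslog timestamps carry none), and `threshold` and `window` are the tuning knobs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd auth-log lines in syslog format (not from a real system).
AUTH_LOG = """\
Mar  4 10:01:01 web01 sshd[2210]: Failed password for invalid user admin from 198.51.100.7 port 51000 ssh2
Mar  4 10:01:04 web01 sshd[2212]: Failed password for root from 198.51.100.7 port 51002 ssh2
Mar  4 10:01:06 web02 sshd[4410]: Failed password for invalid user test from 198.51.100.7 port 51004 ssh2
Mar  4 10:01:09 web02 sshd[4412]: Failed password for root from 198.51.100.7 port 51006 ssh2
Mar  4 10:01:11 web01 sshd[2220]: Failed password for deploy from 198.51.100.7 port 51008 ssh2
Mar  4 10:01:15 web01 sshd[2224]: Failed password for deploy from 198.51.100.7 port 51010 ssh2
Mar  4 10:01:20 web01 sshd[2231]: Accepted password for deploy from 198.51.100.7 port 51011 ssh2
Mar  4 10:02:00 web01 sshd[2240]: Accepted publickey for alice from 10.0.0.9 port 40000 ssh2
Mar  4 10:05:00 web02 sshd[4450]: Failed password for bob from 10.0.0.12 port 41000 ssh2
Mar  4 10:05:08 web02 sshd[4452]: Accepted password for bob from 10.0.0.12 port 41002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?P<method>password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) port (?P<port>\d+)"
)


def parse_auth_log(text, year=2024):
    """Parse sshd lines into events. Syslog timestamps have no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                                   # not an auth event this rule models
        ts = datetime.strptime(f"{year} {' '.join(m['ts'].split())}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "host": m["host"], "outcome": m["outcome"],
                       "user": m["user"], "ip": m["ip"]})
    return events


def brute_force_then_success(events, threshold=5, window=timedelta(minutes=2)):
    """SIEM use case: at least `threshold` failed logins from one source IP (on any host)
    inside `window`, followed by a successful login from that same IP."""
    failures = defaultdict(list)                 # source ip -> failure timestamps
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):   # tolerate out-of-order delivery
        if ev["outcome"] == "Failed":
            failures[ev["ip"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["ip"]] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            alerts.append({"ip": ev["ip"], "user": ev["user"], "host": ev["host"],
                           "failures": len(recent), "at": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in brute_force_then_success(parse_auth_log(AUTH_LOG)):
        print(alert)
```

Keying the failure counter on the source IP rather than on (host, IP) is what makes this a correlation rather than a per-host rule: web01 and web02 each saw only three failures, but together they cross the threshold. Lowering `threshold` to 1 also fires on bob's single mistyped password, which is exactly the kind of false positive tuning exists to remove.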
- Threat feed
- A stream of indicators (IPs, domains, hashes) consumed to enrich detection and hunting.
- Pyramid of Pain
- A model ranking indicators by how much disrupting them hurts an attacker — TTPs hurt most, hashes least.
- CASB
- Cloud Access Security Broker — enforces security policy between users and cloud services.
- ZTNA
- Zero Trust Network Access — grants per-application access based on identity and context, not network location.
- Geofencing / impossible travel
- Geofencing restricts access by geographic location; impossible travel flags two logins for the same account from places too far apart to reach in the elapsed time.
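Worked example (added here; not from the original glossary): an impossible-travel check in Python that sorts each user's sign-ins, computes the great-circle distance between consecutive ones with the haversine formula, and flags any pair whose implied speed exceeds what an airliner could manage. The sign-in records and coordinates are constructed; the 900 km/h ceiling and the 50 km minimum distance are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sign-in events: (user, UTC time, latitude, longitude, label). Not real data.
LOGINS = [
    ("alice", "2024-03-04T08:00:00", 40.71, -74.01, "New York"),
    ("alice", "2024-03-04T09:30:00", 51.51, -0.13, "London"),
    ("bob",   "2024-03-04T08:00:00", 37.77, -122.42, "San Francisco"),
    ("bob",   "2024-03-04T20:00:00", 40.71, -74.01, "New York"),
    ("carol", "2024-03-04T12:00:00", 48.86, 2.35, "Paris"),
    ("carol", "2024-03-04T12:00:30", 48.87, 2.34, "Paris"),
]

EARTH_RADIUS_KM = 6371.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(logins, max_speed_kmh=900.0, min_distance_km=50.0):
    """Flag consecutive sign-ins for the same user that would need travel faster than
    max_speed_kmh. Pairs closer than min_distance_km are ignored so geolocation jitter
    inside one city does not alert."""
    by_user = defaultdict(list)
    for user, ts, lat, lon, label in logins:
        by_user[user].append((datetime.fromisoformat(ts), lat, lon, label))

    findings = []
    for user, events in by_user.items():
        events.sort()
        for (t1, la1, lo1, l1), (t2, la2, lo2, l2) in zip(events, events[1:]):
            dist = haversine_km(la1, lo1, la2, lo2)
            if dist < min_distance_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            speed = float("inf") if hours == 0 else dist / hours   # same-second, far apart
            if speed > max_speed_kmh:
                findings.append({"user": user, "from": l1, "to": l2,
                                 "distance_km": round(dist), "hours": round(hours, 2),
                                 "speed_kmh": round(speed)})
    return findings


if __name__ == "__main__":
    for finding in impossible_travel(LOGINS):
        print(finding)
```

The main false-positive sources in practice are VPN and cloud-proxy egress points (a user's traffic appears to come from the provider's data centre) and coarse mobile-carrier geolocation; an allowlist of known corporate egress locations is the usual first tuning step.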
- CVSS
- Common Vulnerability Scoring System — a 0.0–10.0 score (Base, Temporal, Environmental groups) rating a vulnerability's severity; those groups are CVSS v3.x, while v4.0 renames Temporal to Threat and adds a Supplemental group.
- CVSS Base metrics
- The intrinsic, constant severity: attack vector, attack complexity, privileges required, user interaction, scope, and CIA impact.
- CVSS Temporal metrics
- Severity factors that change over time: exploit code maturity, remediation level, and report confidence.
- CVSS Environmental metrics
- Severity tailored to your organization, including asset-value (CIA) requirements and modified base metrics.
- CVSS severity bands
- None 0.0, Low 0.1–3.9, Medium 4.0–6.9, High 7.0–8.9, Critical 9.0–10.0.
- Attack vector (AV)
- A CVSS base metric describing how a vulnerability is exploited: Network, Adjacent, Local, or Physical.
- Attack complexity (AC)
- A CVSS base metric (Low or High) for conditions outside the attacker's control that must hold for the exploit to succeed, such as winning a race or a specific non-default configuration.
- Privileges required (PR)
- A CVSS base metric for the level of access an attacker needs before exploiting the flaw.
- Scope (CVSS)
- A CVSS base metric indicating whether exploiting the vulnerability impacts resources beyond its security scope.
- CVE
- Common Vulnerabilities and Exposures — a unique public identifier for one specific known vulnerability.
- CWE
- Common Weakness Enumeration — a catalog of software and hardware weakness types.
- Vulnerability management
- The continuous cycle of identifying, scanning, analyzing, prioritizing, remediating, validating, and reporting on vulnerabilities.
- Asset discovery
- Inventorying and mapping the systems and services in an environment — the first step in vulnerability management.
- Attack surface
- The total set of points where an attacker could attempt to enter or extract data; reducing it is a core goal.
- Attack surface management
- Continuously discovering, inventorying, and reducing an organization's exposed footprint.
- Active scanning
- Scanning that sends probes directly to targets — thorough but can disrupt fragile systems.
- Passive scanning
- Identifying assets and issues by observing existing traffic without sending probes — non-disruptive but less complete.
- Credentialed scan
- A vulnerability scan that logs into the target — deeper, more accurate, fewer false positives.
- Non-credentialed scan
- A scan that probes only from the outside, like an unauthenticated attacker — a shallower, attacker's-eye view.
- Agent-based scan
- A scan run by software installed on the host; works offline and for roaming assets.
- Agentless scan
- A scan run from the network with no software installed on the target.
- Internal scan
- A vulnerability scan run from inside the network perimeter.
- External scan
- A vulnerability scan run from outside the perimeter to show internet-facing exposure.
- SAST
- Static Application Security Testing — analyzing source code or binaries for flaws without running the application.
- DAST
- Dynamic Application Security Testing — testing a running application from the outside for exploitable flaws.
- Software composition analysis (SCA)
- Scanning an application's third-party and open-source components for known vulnerabilities and license risk.
- IaC scanning
- Scanning infrastructure-as-code templates for misconfigurations before deployment.
- Nessus / OpenVAS
- Widely used vulnerability scanners that identify and report known vulnerabilities across assets.
- False positive (scan)
- A reported vulnerability that is not actually present or exploitable; must be validated before acting.
- False negative (scan)
- A real vulnerability the scanner failed to report — the more dangerous error.
- True positive
- A correctly reported, confirmed vulnerability that proceeds to prioritization and remediation.
- Validation (vuln)
- Confirming a finding is real and exploitable — via manual checks, correlating tools, and verifying the configuration.
- Context-aware prioritization
- Ranking vulnerabilities by combining CVSS with asset value, exposure, criticality, and active exploitation.
- Zero-day
- A vulnerability unknown to the vendor with no patch available, leaving 'zero days' to fix it before exploitation.
- Exploitability
- How feasible it is to exploit a vulnerability, including whether a working exploit exists in the wild.
- Weaponization
- Turning a vulnerability into a usable exploit or payload.
- Compensating control
- An alternative safeguard used when the primary control (e.g., a patch) cannot be applied, to reduce residual risk.
- Patch management
- The process of acquiring, testing, and applying updates to remediate vulnerabilities.
- SQL injection
- Inserting malicious SQL into input so the database runs unintended commands. Fix: parameterized queries + input validation.
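Worked example (added here; not from the original glossary): a deliberately vulnerable lookup built by string formatting next to its parameterized replacement, run against an in-memory SQLite database with constructed users. The two attack strings show a tautology that returns every row and a UNION that dumps the password-hash column; the `valid_username` allowlist is the input-validation half of the fix and is defence in depth, not a substitute for parameterization.

```python
import re
import sqlite3

# Attack strings an attacker or scanner would submit in the username field.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT password_hash, role FROM users--"

USERNAME_RE = re.compile(r"^[a-z0-9_.-]{1,32}$")


def make_db():
    """In-memory SQLite database with constructed sample users (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (username, password_hash, role) VALUES (?, ?, ?)",
        [("alice", "hash-a", "admin"), ("bob", "hash-b", "user")],
    )
    return conn


def lookup_vulnerable(conn, username):
    """Deliberately vulnerable: the input is pasted into the SQL text, so a quote in the
    input ends the string literal and the rest becomes SQL syntax."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Parameterized query: the value travels separately from the SQL text, so the
    database only ever compares it as data, quotes and all."""
    return conn.execute(
        "SELECT username, role FROM users WHERE username = ?", (username,)
    ).fetchall()


def valid_username(username):
    """Allowlist validation: reject anything that is not a plausible username."""
    return bool(USERNAME_RE.match(username))


if __name__ == "__main__":
    db = make_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", lookup_vulnerable(db, payload))
        print("safe:      ", lookup_safe(db, payload))
        print("validated: ", valid_username(payload))
```

The UNION case is the one to remember when reading scanner output: the injected query does not need to match any user, it only needs the same number of columns as the original SELECT to append rows from another column or table.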
- Cross-site scripting (XSS)
- Injecting script into a trusted site that runs in another user's browser. Fix: output encoding + Content Security Policy.
- Broken access control
- Missing or flawed authorization checks. Fix: enforce least privilege and deny by default.
- Cryptographic failures
- Weak or missing encryption of sensitive data. Fix: strong algorithms, proper key management, and TLS.
- Buffer overflow
- Writing more data than a buffer holds, overwriting adjacent memory. Fix: bounds checking and memory-safe languages; ASLR, DEP/NX, and stack canaries are mitigations that make exploitation harder, not a fix for the bug.
- Data poisoning
- Corrupting the training data of a machine-learning model so it behaves incorrectly.
- Insecure deserialization
- Processing untrusted serialized data unsafely, potentially allowing code execution.
- SLO (vuln response)
- Service-Level Objective — a target timeframe for remediating vulnerabilities by severity.
- Threat modeling
- Systematically identifying potential threats and weaknesses in a design so they can be mitigated early.
- Secure SDLC
- Building security into every phase of the software development lifecycle.
- OWASP Top 10
- OWASP's regularly updated list of the most critical web-application security risks.
- CVSS vector string
- A compact text encoding of a vulnerability's CVSS metrics (e.g., AV:N/AC:L/PR:N) used to compute the score.
- User interaction (UI)
- A CVSS base metric for whether exploitation requires a user to take some action.
- Confidentiality impact (CVSS)
- A CVSS base metric rating the loss of confidentiality if the vulnerability is exploited.
- Patch (n-day)
- Once a patch is released, an unpatched flaw is an 'n-day' — still dangerous on unpatched systems.
- Vulnerability vs. exploit
- A vulnerability is a weakness; an exploit is the code or technique that takes advantage of it.
- Vulnerability vs. threat
- A vulnerability is a weakness; a threat is a potential danger that could exploit it.
- Risk (vuln context)
- The potential for loss when a threat exploits a vulnerability; a function of likelihood and impact.
- Misconfiguration
- An insecure default or setting (e.g., open cloud storage) — a leading cause of breaches; fix with secure baselines.
- Default credentials
- Unchanged factory usernames/passwords that attackers easily abuse; a common scan finding.
- Hardening
- Reducing a system's attack surface by removing unneeded services, applying secure baselines, and patching.
- Secure baseline
- A defined, minimum-security configuration applied consistently across systems.
- Patch testing
- Validating a patch in a controlled environment before deploying it broadly to avoid breakage.
- Risk-based prioritization
- Ranking remediation by real-world risk (exposure, exploitability, asset value), not raw CVSS alone.
- Remediation
- Eliminating a vulnerability by patching, reconfiguring, or replacing the affected component.
- Mitigation
- Reducing the likelihood or impact of a vulnerability when full remediation isn't possible.
- Web application scanner
- A tool that tests web apps for flaws like injection, XSS, and misconfiguration.
- Network vulnerability scanner
- A tool that probes networked hosts and services for known vulnerabilities.
- Directory traversal
- An attack that accesses files outside the intended directory via crafted path input ('../').
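Worked example (added here; not from the original glossary): a Python `safe_join` that resolves a user-supplied path under a document root and rejects anything that escapes it. It handles the three variants a scanner will try (`../` segments, an absolute path, and URL-encoded `%2e%2e%2f`) and avoids the classic prefix bug where `/srv/files2` passes a `startswith("/srv/files")` check. The `/srv/files` base directory is an assumption and does not need to exist for the check to run.

```python
import os
from urllib.parse import unquote

# Assumed document root for the examples; it need not exist for the check to work.
BASE_DIR = "/srv/files"


def safe_join(base_dir, user_path):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    realpath() collapses '..' segments and follows symlinks, so the comparison is made
    on the path the kernel would actually open. commonpath() rather than startswith()
    prevents '/srv/files2/x' from being accepted under '/srv/files'.
    """
    base = os.path.realpath(base_dir)
    # Decode once, exactly as the web server would, before any path logic runs.
    decoded = unquote(user_path)
    # os.path.join discards base when the second argument is absolute; realpath then
    # exposes that, and commonpath rejects it.
    candidate = os.path.realpath(os.path.join(base, decoded))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def is_safe_path(user_path, base_dir=BASE_DIR):
    """Boolean wrapper for rule testing and logging."""
    try:
        safe_join(base_dir, user_path)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    for p in ("reports/q1.txt", "../../etc/passwd", "/etc/passwd",
              "..%2f..%2fetc%2fpasswd", "../files2/secret.txt"):
        print(f"{p!r:32} -> {'allowed' if is_safe_path(p) else 'REJECTED'}")
```

Decode the path exactly as many times as the server does and no more: a double-encoded `%252e%252e` decodes to the literal filename `%2e%2e`, which stays under the base directory and is correctly allowed, but decoding twice would turn it into `..` and reopen the hole in the other direction.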
- CSRF
- Cross-Site Request Forgery — tricking a logged-in user's browser into submitting an unwanted request.
- Race condition
- A flaw where the outcome depends on the timing of concurrent operations; the common security case is a time-of-check/time-of-use (TOCTOU) gap between validating a resource and using it.
- SSRF
- Server-Side Request Forgery — coercing a server into making requests to unintended internal resources.
- Privilege creep
- The gradual accumulation of access rights a user no longer needs; reduced by access reviews.
- Patch prioritization
- Sequencing patches by severity, exposure, and exploitability rather than applying all at once.
- Asset criticality
- How important an asset is to the business; a key factor in prioritizing its vulnerabilities.
- Exposure
- Whether a vulnerable asset is reachable (e.g., internet-facing); raises real-world risk.
- Scanning cadence
- How often scans run; continuous or frequent scanning catches new vulnerabilities sooner.
- Rescan / validation scan
- Scanning again after remediation to confirm the vulnerability is actually closed.
- Vulnerability feed (NVD)
- The National Vulnerability Database — the U.S. government repository of CVEs and CVSS data.
- Penetration test
- An authorized simulated attack that exploits weaknesses to demonstrate real-world impact.
- Bug bounty
- A program that pays external researchers to responsibly disclose vulnerabilities.
- Incident response lifecycle
- NIST's four phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
- Preparation (IR)
- Building the team, tools, playbooks, training, logging, and communication plan before an incident occurs.
- Detection & analysis (IR)
- Identifying and validating an incident from IoCs, SIEM alerts, and logs, then determining its scope and impact.
- Containment
- Limiting the spread and impact of a confirmed incident (e.g., isolating a host); typically the first response action once detection and analysis has confirmed it.
- Eradication
- Removing the threat — malware, attacker footholds, compromised accounts — from the environment.
- Recovery (IR)
- Restoring affected systems to normal operation from known-good, tested backups and monitoring for reinfection.
- Post-incident activity
- Lessons learned, root cause analysis, IoC generation, and reporting that feed back into preparation.
- Root cause analysis
- Determining the underlying reason an incident occurred so the same issue can be prevented from recurring.
- Lessons learned
- The post-incident review that captures what went well and what to improve for next time.
- Scope determination
- Establishing how far an incident reaches — which systems, accounts, and data are affected.
- Evidence acquisition
- Collecting data relevant to an incident in a forensically sound manner.
- Evidence preservation
- Protecting collected evidence from alteration so it remains reliable and admissible.
- Chain of custody
- The documented, unbroken record of who handled evidence and when — to keep it admissible.
- Order of volatility
- Collecting evidence most-volatile-first (CPU/RAM, network state) before less-volatile data (disk, archives).
- Forensic image
- A bit-for-bit copy of storage made for analysis so the original evidence is never altered; verified with a hash.
- Write blocker
- A device or software that prevents any writes to evidence media during forensic acquisition.
- Hashing (forensics)
- Computing a hash of evidence to prove it has not changed; the same hash means an exact, unaltered copy.
- Legal hold
- A directive to preserve relevant data when litigation or an investigation is anticipated.
- Memory forensics
- Analyzing a captured copy of RAM to find running malware, network connections, and artifacts not on disk.
- Disk forensics
- Analyzing storage media (from a forensic image) for files, deleted data, and artifacts.
- Cyber kill chain stages
- Reconnaissance, weaponization, delivery, exploitation, installation, command & control, and actions on objectives.
- Reconnaissance (kill chain)
- The first kill-chain stage: gathering information about the target before attacking.
- Weaponization (kill chain)
- Coupling an exploit with a deliverable payload (e.g., a malicious document).
- Actions on objectives
- The final kill-chain stage where the attacker achieves their goal (e.g., data theft or destruction).
- Diamond Model vertices
- Adversary, capability, infrastructure, and victim — the four core features linked in each intrusion event.
- Pivoting (analysis)
- Using one known fact about an intrusion (e.g., an IP) to discover related facts, often via the Diamond Model.
- MITRE ATT&CK tactic
- A column in the ATT&CK matrix representing an attacker's goal (e.g., persistence, exfiltration).
- MITRE ATT&CK technique
- A specific method an attacker uses to achieve a tactic (e.g., a particular persistence mechanism).
- OWASP
- Open Worldwide Application Security Project — a community producing resources like the OWASP Top 10.
- Incident declaration
- The formal decision that an event is a security incident, triggering the response process.
- Escalation (IR)
- Routing an incident to higher-tier responders or management based on severity and predefined criteria.
- Communication plan (IR)
- The plan defining who is informed, how, and when during an incident — internal and external.
- Tabletop exercise
- A discussion-based drill that walks a team through an incident scenario to test the plan and readiness.
- Indicator of attack (IoA)
- Evidence of an attack in progress based on intent/behavior, as opposed to a backward-looking IoC.
- Ransomware (IR)
- Malware that encrypts data and demands payment; recover from tested backups rather than paying.
- Containment strategy
- Choosing between isolation, segmentation, or removal based on impact, evidence needs, and business continuity.
- Isolation
- Disconnecting an affected system from the network to stop an incident from spreading.
- Segmentation (containment)
- Restricting affected systems to a network segment to limit an incident while preserving some operation.
- IR playbook
- A documented set of response steps for a specific incident type, ensuring a consistent response.
- CSIRT / CIRT
- Computer Security Incident Response Team — the group responsible for handling incidents.
- Eradication validation
- Confirming the threat and its persistence are fully removed before returning systems to service.
- Threat actor
- An individual or group that carries out an attack — nation-state, organized crime, hacktivist, insider, or unskilled.
- Nation-state actor
- A highly sophisticated, well-resourced adversary (APT) usually motivated by espionage or strategic disruption.
- APT
- Advanced Persistent Threat — a skilled, well-resourced adversary that maintains long-term, stealthy access.
- Insider threat
- A current or former employee, contractor, or partner who misuses authorized access to cause harm.
- Hacktivist
- A threat actor motivated by an ideological cause rather than profit.
- Indicators (IR)
- Observable signs of an incident — from IoCs and IoAs to anomalies in logs and behavior.
- Timeline (incident)
- A chronological reconstruction of an incident's events, essential for root cause and reporting.
- Scope creep (IR)
- Failing to bound an investigation, leading to wasted effort; scope determination prevents it.
- Order of operations (IR)
- The correct sequence of response actions; getting it wrong can destroy evidence.
- Reimaging
- Rebuilding a compromised host from a known-good image to ensure no attacker artifacts remain.
- Known-good backup
- A verified, uncompromised backup used to restore systems during recovery.
- Data exfiltration
- Unauthorized transfer of data out of an organization — a common attacker objective.
- Command-and-control detection
- Identifying C2 channels (beaconing, unusual destinations) during analysis.
- MTTD
- Mean Time to Detect — the average time from when an incident begins to when it is detected.
- MTTR
- Mean Time to Respond/Remediate — the average time to contain and resolve an incident or remediate a vulnerability.
- MTTA
- Mean Time to Acknowledge — the average time from an alert to a responder acknowledging it.
- MTTC
- Mean Time to Contain — the average time to stop an incident from spreading once it is detected.
- KPI
- Key Performance Indicator — a measurable value (e.g., MTTD, MTTR, recurrence) showing how a program performs.
- Recurrence rate
- A metric tracking how often the same vulnerability or incident type reappears.
- Top vulnerabilities (metric)
- A report of the most frequent or highest-risk vulnerabilities, used to focus remediation.
- Risk score
- A combined measure of a finding's likelihood and impact used to prioritize and communicate risk.
- Stakeholder
- Anyone who needs incident or vulnerability information — technical teams, executives, legal, HR, PR, customers, or regulators.
- Stakeholder identification
- Determining who must receive which information so the right message reaches the right audience.
- Compliance report
- A report demonstrating that vulnerability or security posture meets a regulatory or contractual requirement.
- Action plan
- A report pairing each finding with an owner, remediation steps, and a realistic timeline.
- Inhibitor to remediation
- A real-world constraint (MOU/SLA, business interruption, legacy system, downtime cost) that delays or prevents a fix.
- MOU
- Memorandum of Understanding — a non-binding agreement outlining mutual intentions between parties.
- SLA
- Service Level Agreement — a contract defining expected service levels and metrics with a provider.
- Business process interruption
- An inhibitor where patching requires downtime the business cannot yet absorb.
- Degrading functionality
- An inhibitor where a fix breaks a needed feature or integration.
- Legacy system (inhibitor)
- An older or proprietary system with no available patch — mitigate with compensating controls.
- Accepted residual risk
- The remaining risk an organization knowingly and formally accepts after applying controls.
- Indicator of compromise generation
- Producing new IoCs from an incident so detection can be improved going forward.
- Incident report
- A document summarizing what happened, impact, timeline, root cause, response, and lessons learned.
- Executive summary
- A concise, business-focused overview of an incident or assessment for leadership.
- Technical report
- A detailed report for responders covering timeline, affected systems, root cause, and remediation.
- Breach notification
- A required disclosure to regulators and affected individuals after a data breach, within set timeframes.
- Metrics dashboard
- A visual summary of security KPIs (MTTD, MTTR, open vulnerabilities) for ongoing monitoring.
- Trend analysis
- Tracking metrics over time to show whether the security program is improving or declining.
- Audience tailoring
- Adjusting a report's depth and framing for its audience — risk for executives, detail for technical teams.
- Governance (reporting)
- The policies and oversight structures that direct how vulnerabilities and incidents are reported and handled.
- Vulnerability report
- A report communicating findings, severity, affected assets, and remediation guidance to stakeholders.
- Remediation timeline
- A realistic schedule for fixing findings that accounts for inhibitors and SLOs.
- Owner (action plan)
- The person or team accountable for remediating a specific finding.
- Escalation criteria
- Predefined thresholds that determine when to notify higher tiers or management.
- Communication matrix
- A table mapping stakeholders to what information they receive and through which channel.
- Regulatory reporting
- Disclosing incidents or compliance status to regulators as required by law or contract.
- PR / public communication
- Coordinated external messaging about an incident to customers and the public.
- Legal stakeholder
- Counsel involved to manage liability, evidence, and breach-notification obligations.
- HR stakeholder
- Human Resources, engaged when an incident involves an employee (e.g., insider threat).
- Customer notification
- Informing affected customers of a breach within legally required timeframes.
- Metrics maturity
- Improving MTTD/MTTR and recurrence over time as a sign of a maturing security program.
- Closed-loop reporting
- Feeding lessons learned and generated IoCs back into detection and preparation.
- Risk register (reporting)
- A documented list of risks with owner, likelihood, impact, and treatment, referenced in reports.
- Compliance vs. security
- Compliance proves a standard is met; security reduces actual risk — they overlap but aren't identical.
- Evidence in reports
- Including verified facts and, where needed, forensic findings (with chain of custody) to support conclusions.