# Glossary of Cybersecurity & SOC Terms

A beginner-friendly dictionary of terms used throughout this repository. Terms are organized alphabetically.
## A

| Term | Definition |
|---|---|
| Active Directory (AD) | Microsoft's directory service that manages users, computers, and permissions in a Windows network. A primary target for attackers. |
| Alert | A notification generated by a security tool (e.g., SIEM) when suspicious activity is detected. Alerts require triage by a SOC analyst. |
| APT (Advanced Persistent Threat) | A highly sophisticated, well-funded attacker (often nation-state) that targets specific organizations over long periods. |
| ATT&CK | See MITRE ATT&CK. |
## B

| Term | Definition |
|---|---|
| BEC (Business Email Compromise) | An attack where criminals impersonate executives via email to trick employees into transferring money or sensitive data. |
| Blue Team | The defensive security team responsible for protecting the organization. SOC analysts are blue team members. |
| Brute Force | An attack that tries many password combinations until one works. Often seen in login attempts. |
## C

| Term | Definition |
|---|---|
| C2 (Command and Control) | Infrastructure used by attackers to remotely control compromised systems. Also written as C&C. |
| CISA | Cybersecurity and Infrastructure Security Agency, the U.S. federal agency for cybersecurity guidance. |
| CISO (Chief Information Security Officer) | The executive responsible for an organization's overall security strategy. The SOC Manager typically reports to the CISO. |
| CSIRT (Computer Security Incident Response Team) | A team dedicated to responding to computer security incidents. A SOC is a type of CSIRT. |
| CTI (Cyber Threat Intelligence) | Information about threats, threat actors, and their tactics, collected and analyzed to improve defenses. |
| CVE (Common Vulnerabilities and Exposures) | A unique identifier for publicly known security vulnerabilities (e.g., CVE-2021-44228 for Log4Shell). |
## D

| Term | Definition |
|---|---|
| DDoS (Distributed Denial of Service) | An attack that floods a target with traffic from many sources, making it unavailable to legitimate users. |
| Detection Rule | A logic statement (e.g., a Sigma rule) that defines what suspicious activity looks like in log data. When matched, it generates an alert. |
## E

| Term | Definition |
|---|---|
| EDR (Endpoint Detection and Response) | Software installed on computers/servers that monitors for and responds to malicious activity. Examples: CrowdStrike, SentinelOne, Wazuh. |
| Endpoint | Any device connected to the network: laptops, desktops, servers, mobile phones. |
| Escalation | The process of passing an alert or incident from a lower-tier analyst to a higher tier for deeper investigation. |
| Exfiltration | The unauthorized transfer of data out of an organization. The attacker's goal in many breaches. |
## F

| Term | Definition |
|---|---|
| False Positive (FP) | An alert that triggers on benign (non-malicious) activity. Reducing FPs is a key SOC efficiency metric. |
| False Negative (FN) | A real attack that the detection system fails to detect. Much more dangerous than a False Positive. |
| Firewall | A network device that controls incoming and outgoing traffic based on security rules. |
| Forensics | The process of collecting and analyzing digital evidence after a security incident. |
## G-H

| Term | Definition |
|---|---|
| GDPR (General Data Protection Regulation) | EU regulation for data privacy. Organizations must report breaches within 72 hours. |
| Hash | A fixed-length string generated from a file (e.g., MD5, SHA-256). Used to identify malware without needing the actual file. |
| Honeypot | A decoy system designed to attract attackers, allowing the SOC to study their techniques. |
## I

| Term | Definition |
|---|---|
| IDS/IPS | Intrusion Detection System (monitors and alerts) / Intrusion Prevention System (monitors and blocks). |
| Incident | A confirmed security event that requires response. Not all alerts become incidents. |
| IOC (Indicator of Compromise) | Evidence that an attack has occurred: malicious IP addresses, domain names, file hashes, URLs. |
| IR (Incident Response) | The process of detecting, analyzing, containing, and recovering from security incidents. |
## K-L

| Term | Definition |
|---|---|
| Kill Chain | A model describing the stages of a cyber attack: Recon → Weaponize → Deliver → Exploit → Install → C2 → Actions. |
| Lateral Movement | When an attacker moves from one compromised system to another within the same network. |
| Log | A recorded event from a system (firewall log, login log, application log). Logs are the raw data SOC analysts analyze. |
## M

| Term | Definition |
|---|---|
| Malware | Malicious software: viruses, trojans, ransomware, worms, spyware. |
| MISP | Open-source Threat Intelligence Platform for sharing IOCs between organizations. |
| MITRE ATT&CK | A knowledge base of adversary Tactics, Techniques, and Procedures (TTPs). The global standard for categorizing attacks. |
| MTTD (Mean Time To Detect) | Average time from an attack starting to the SOC detecting it. Lower is better. |
| MTTR (Mean Time To Respond) | Average time from detection to containment of an incident. Lower is better. |
## N-O

| Term | Definition |
|---|---|
| NDR (Network Detection and Response) | Technology that monitors network traffic for threats. Complements EDR (which monitors endpoints). |
| NIST | National Institute of Standards and Technology, the U.S. agency that publishes cybersecurity frameworks and guidelines (SP 800 series). |
| OSINT (Open Source Intelligence) | Intelligence gathered from publicly available sources (social media, websites, public databases). |
## P

| Term | Definition |
|---|---|
| PDPA | Thailand's Personal Data Protection Act, similar to GDPR. Requires organizations to protect personal data. |
| Phishing | An attack using fake emails, messages, or websites to trick people into revealing credentials or installing malware. |
| Playbook | A step-by-step procedure for responding to a specific type of security incident (e.g., Phishing Playbook). |
| Purple Team | A collaborative exercise where the Red Team (attackers) and Blue Team (defenders) work together to test and improve defenses. |
## R

| Term | Definition |
|---|---|
| Ransomware | Malware that encrypts files and demands payment (ransom) to decrypt them. One of the most damaging attack types. |
| RCA (Root Cause Analysis) | The process of identifying the fundamental cause of an incident to prevent recurrence. |
| Red Team | The offensive security team that simulates attacks to test the organization's defenses. |
| Runbook | See Playbook (the terms are often used interchangeably). |
## S

| Term | Definition |
|---|---|
| SIEM (Security Information and Event Management) | The central platform that collects logs from all sources, correlates events, and generates alerts. The "brain" of a SOC. Examples: Splunk, Microsoft Sentinel, Wazuh. |
| Sigma | A generic and open signature format for SIEM detection rules. Write once, convert to any SIEM query language. |
| SOAR (Security Orchestration, Automation, and Response) | A platform that automates repetitive SOC tasks (e.g., auto-blocking an IP, auto-enriching alerts). |
| SOC (Security Operations Center) | A team and facility dedicated to monitoring, detecting, and responding to cybersecurity threats 24/7. |
| SOC-CMM | SOC Capability Maturity Model, a framework to assess and improve SOC maturity across 5 levels. |
| STIX/TAXII | Standards for sharing threat intelligence data between organizations. STIX defines the format; TAXII defines the transport. |
## T

| Term | Definition |
|---|---|
| Threat Hunting | Proactive searching for hidden threats in the environment that have evaded automated detection. Performed by Tier 3 analysts. |
| Tier 1 / Tier 2 / Tier 3 | SOC analyst levels. Tier 1 = triage, Tier 2 = investigation, Tier 3 = hunting and advanced analysis. |
| TLP (Traffic Light Protocol) | A system for classifying how sensitive information can be shared: TLP:RED (restricted), TLP:AMBER (limited), TLP:GREEN (community), TLP:CLEAR (public). |
| True Positive (TP) | An alert that correctly identifies a real security threat. The opposite of a False Positive. |
| TTP (Tactics, Techniques, and Procedures) | The behavior patterns of an attacker: what they do (Tactic), how they do it (Technique), and the specific steps (Procedure). |
## V-W

| Term | Definition |
|---|---|
| Vulnerability | A weakness in a system that an attacker can exploit. Tracked by CVE identifiers. |
| VPN (Virtual Private Network) | An encrypted tunnel for secure remote access to the organization's network. |

## X-Z

| Term | Definition |
|---|---|
| XDR (Extended Detection and Response) | An evolution of EDR that integrates data from endpoints, network, cloud, and email into a single detection platform. |
| YARA | A tool and rule format for identifying and classifying malware based on patterns in files. |
| Zero-Day | A vulnerability that is unknown to the vendor and has no patch available. Extremely dangerous because no patch exists yet, so defenders must rely on mitigations and detection. |
## References