Cybersecurity 101
BitLyft Cybersecurity Glossary
Clear definitions for the cybersecurity terms, acronyms, and operational concepts security teams run into every day. Browse by topic or jump by letter to find the terms that matter to MDR, SIEM, Microsoft 365, compliance, and response programs.
Glossary index
Each entry is grouped alphabetically and tagged by topic so readers can scan quickly, align teams on the same language, and move from definition to action faster.
Alert Fatigue
When security teams receive so many alerts that real threats become harder to identify and prioritize.
API Security
The practice of protecting application programming interfaces from abuse, data exposure, and unauthorized access.
Attack Surface
The total set of systems, users, apps, identities, and entry points attackers could target.
Automated Incident Response
The use of predefined workflows to contain, investigate, or remediate threats without waiting on manual action.
Behavioral Analytics
Analysis of user, device, and system behavior to detect suspicious deviations from normal activity.
Brute Force Attack
A login attack that repeatedly guesses passwords or keys until access is gained.
Business Email Compromise
A targeted email scam that tricks employees into sending money, credentials, or sensitive information.
BYOD Security
Security controls for employee-owned devices that access company systems and data.
Centralized Logging
The collection of logs from many systems into one place for monitoring, investigation, and compliance.
Cloud Security
The controls and practices used to protect cloud-hosted data, applications, identities, and infrastructure.
CMMC
A cybersecurity certification framework for organizations that handle federal contract information or controlled unclassified information.
Conditional Access
Identity-based access control that uses signals like user, device, location, risk, and MFA status.
Data Exfiltration
The unauthorized transfer of sensitive data out of an organization’s environment.
Detection Engineering
The process of creating, tuning, and improving rules and analytics that identify real threats.
Digital Forensics
The investigation of systems, logs, files, and activity to understand what happened during a security incident.
Dwell Time
The amount of time an attacker remains undetected inside an environment.
Endpoint Detection and Response
Technology that monitors endpoints for suspicious activity and supports investigation and containment.
Event Correlation
The process of linking related security events to identify patterns, incidents, or attack chains.
Exposure Management
The continuous process of finding and reducing exploitable weaknesses across an organization.
Extended Detection and Response
A security approach that connects data from endpoints, identity, cloud, network, and other tools for broader detection and response.
False Positive
A security alert that appears malicious but is ultimately benign.
Fileless Malware
Malware that runs mainly in memory or abuses legitimate tools, making it harder to detect with traditional methods.
Firewall
A security control that monitors and filters network traffic based on defined rules.
Forensic Timeline
A chronological reconstruction of system, user, and attacker activity during an investigation.
GovCloud
Cloud infrastructure designed to meet government security, compliance, and data residency requirements.
Governance, Risk, and Compliance
The business discipline of managing security policies, risk, regulatory obligations, and audit readiness.
Group Policy
A Windows administration feature used to centrally manage user and device settings.
Hashing
A one-way method of transforming data into a fixed-length value used for integrity checks and password protection.
HIPAA Security Rule
U.S. healthcare security requirements for protecting electronic protected health information.
Honeypot
A decoy system or asset used to attract attackers and study malicious behavior.
Human-Guided AI
AI-assisted security automation that remains supervised by analysts for accuracy, safety, and context.
Identity and Access Management
The policies and technologies that control who can access which systems and under what conditions.
Incident Response
The structured process for detecting, containing, investigating, and recovering from security incidents.
Indicator of Compromise
A technical clue, such as a suspicious IP, domain, file hash, or behavior, that may signal compromise.
Insider Threat
A security risk caused by someone with legitimate access, whether malicious, negligent, or compromised.
JavaScript Injection
A web attack where malicious scripts are inserted into trusted pages or applications.
JSON Web Token
A compact token format used to pass identity and authorization claims between systems.
Jump Server
A hardened intermediary system used to access sensitive networks or administrative environments.
Just-in-Time Access
Temporary access granted only when needed, reducing standing privilege and attacker opportunity.
Kerberoasting
An Active Directory attack that targets service account credentials through Kerberos ticket abuse.
Keylogger
Malware or monitoring software that records keystrokes to steal passwords and sensitive information.
Key Management
The secure creation, storage, rotation, and retirement of cryptographic keys.
Kill Chain
A model describing the stages attackers often follow from reconnaissance to impact.
Lateral Movement
An attacker’s movement from one system or account to others after initial compromise.
Least Privilege
The security principle of granting only the access required to perform a specific role or task.
Log Management
The collection, storage, parsing, analysis, retention, and protection of event logs.
Low-and-Slow Attack
A stealthy attack designed to avoid detection by spreading activity over time.
Managed Detection and Response
A managed service that combines technology and human analysts to detect, investigate, and respond to threats.
Managed SIEM
Expert operation, tuning, monitoring, and reporting for a SIEM platform.
Microsoft 365 Security
The controls and monitoring needed to protect Microsoft 365 identities, email, files, and collaboration tools.
Multi-Factor Authentication
Authentication that requires two or more proof factors, such as a password plus a device or biometric.
Network Detection and Response
Security monitoring that analyzes network activity to detect suspicious behavior and threats.
NIST 800-171
A NIST standard defining security requirements for protecting controlled unclassified information.
NIST Cybersecurity Framework
A risk management framework organized around Govern, Identify, Protect, Detect, Respond, and Recover.
Noise Reduction
The process of suppressing low-value alerts so analysts can focus on real risk.
OAuth
An authorization framework that lets applications access resources without sharing user passwords.
OpenID Connect
An identity layer built on OAuth 2.0 for user authentication and single sign-on.
OSINT
Open-source intelligence gathered from publicly available information.
Outsourced SOC
A third-party security operations team that provides monitoring, investigation, and response support.
Packet Capture
The recording of network packets for troubleshooting, investigation, and threat analysis.
Phishing
A social engineering attack that uses deceptive messages to steal credentials, money, or data.
POA&M
A Plan of Action and Milestones document used to track security gaps, remediation owners, milestones, and target dates in compliance and risk management programs.
Privilege Escalation
An attack technique used to gain higher permissions than originally authorized.
Purple Teaming
Collaboration between offensive and defensive teams to improve detection and response.
Quarantine
The isolation of suspicious files, emails, devices, or accounts to prevent further harm.
Query Language
A structured way to search logs, events, and telemetry during detection and investigation.
QUIC Protocol
A modern encrypted transport protocol used by HTTP/3 that can affect network visibility and monitoring.
Quishing
A phishing attack that uses malicious QR codes to direct victims to fraudulent sites or downloads.
Ransomware
Malware that encrypts or steals data and demands payment for recovery or non-disclosure.
Recovery Time Objective
The maximum acceptable time a system can be down after an incident or outage.
Remote Code Execution
A vulnerability that allows an attacker to run commands or code on a remote system.
Risk-Based Alerting
Alert prioritization that weighs context, severity, asset value, and user risk.
Security Information and Event Management
A platform for collecting, correlating, analyzing, and reporting security events across an environment.
Security Operations Center
A team or function responsible for monitoring, detecting, investigating, and responding to threats.
Security Orchestration, Automation, and Response
Technology that coordinates tools and workflows to automate security response actions.
SOC 2
An audit framework for evaluating controls related to security, availability, confidentiality, processing integrity, and privacy.
Threat Hunting
Proactive searching for hidden threats that may have bypassed existing controls.
Threat Intelligence
Contextual information about adversaries, vulnerabilities, tactics, infrastructure, and active threats.
Triage
The process of reviewing, prioritizing, and routing alerts for investigation or closure.
UEBA
User and Entity Behavior Analytics: the use of behavior patterns for users and entities (devices, service accounts, applications) to detect abnormal or risky activity.
Unauthorized Access
Access to systems, data, or accounts without proper permission.
Use Case Tuning
Refining SIEM detection rules so alerts match real organizational risk and reduce false positives.
User Risk
The likelihood that a user account or identity is compromised, misused, or positioned to cause security harm.
Vendor Risk Management
The process of assessing and reducing cybersecurity risk from suppliers and third-party providers.
Virtual Private Network
An encrypted connection that helps secure remote access to private systems and networks.
Visibility Gap
A blind spot where security teams lack the telemetry needed to detect or investigate threats.
Vulnerability Management
The ongoing process of identifying, prioritizing, remediating, and validating security weaknesses.
Web Application Firewall
A security tool that filters web traffic to protect applications from common attacks.
Web Shell
A malicious script placed on a server to provide remote control or command execution.
Whitelisting / Allowlisting
A security approach that permits only approved users, apps, domains, or actions.
Workflow Automation
Automating repeatable security tasks such as enrichment, notification, containment, and ticket creation.
X.509 Certificate
A digital certificate standard used to verify identities and support encrypted communications.
XDR
A detection and response model that unifies telemetry across multiple security layers.
XML External Entity Injection
A vulnerability where unsafe XML parsing can expose files, services, or internal systems.
XSS
A web vulnerability that allows attackers to run malicious scripts in a user’s browser.
YARA Rules
Pattern-matching rules used by analysts to identify malware, suspicious files, and threat families.
YubiKey
A hardware security key used for phishing-resistant multi-factor authentication.
Zero-Day Vulnerability
A software or hardware flaw unknown to the vendor or without an available patch.
Zero Trust Architecture
A security model that continuously verifies users, devices, and access instead of assuming trust.
Browse by topic
Use the topic map below to jump straight to the part of the glossary that matches the problem you are solving, from threat detection and SIEM tuning to identity controls, ransomware response, and compliance readiness.
Security Operations & Monitoring: 30 terms
Threats & Attack Techniques: 20 terms
Identity & Access: 13 terms
Compliance & Risk: 11 terms
Cloud, Network & Infrastructure: 9 terms
Incident Response & Forensics: 9 terms
Application & API Security: 5 terms
Data Protection & Cryptography: 3 terms
Need help turning definitions into action?
BitLyft helps organizations reduce alert noise, strengthen Microsoft 365 and identity security, improve SIEM outcomes, and support compliance programs with practical detection and response expertise.