
BitLyft Cybersecurity Glossary

Clear definitions for the cybersecurity terms, acronyms, and operational concepts security teams run into every day. Browse by topic or jump by letter to find the terms that matter to MDR, SIEM, Microsoft 365, compliance, and response programs.

100 core cybersecurity terms
8 topic areas for faster navigation
Built for security, IT, and compliance teams

Glossary index

Each entry is grouped alphabetically and tagged by topic so readers can scan quickly, align teams on the same language, and move from definition to action faster.

A
4 terms

Alert Fatigue

Alert Fatigue happens when security teams receive so many alerts that real threats become harder to identify and prioritize. Security teams usually review it alongside Behavioral Analytics and Centralized Logging.

API Security

API Security is the practice of protecting application programming interfaces from abuse, data exposure, and unauthorized access. Security teams usually review it alongside Unauthorized Access and JavaScript Injection.

Attack Surface

Attack Surface is the total set of systems, users, apps, identities, and entry points attackers could target. Security teams usually review it alongside CMMC and Exposure Management.

Automated Incident Response

Automated Incident Response is the use of predefined workflows to contain, investigate, or remediate threats without waiting on manual action. Security teams usually review it alongside Digital Forensics and Forensic Timeline.

B
4 terms

Behavioral Analytics

Behavioral Analytics is analysis of user, device, and system behavior to detect suspicious deviations from normal activity. Security teams usually review it alongside Centralized Logging and Detection Engineering.

Brute Force Attack

Brute Force Attack is a login attack that repeatedly guesses passwords or keys until access is gained. Security teams usually review it alongside Data Exfiltration and Dwell Time.

Business Email Compromise

Business Email Compromise is a targeted email scam that tricks employees into sending money, credentials, or sensitive information. Security teams usually review it alongside Brute Force Attack and Data Exfiltration.

BYOD Security

BYOD Security is security controls for employee-owned devices that access company systems and data. Security teams usually review it alongside Cloud Security and Firewall.

C
4 terms

Centralized Logging

Centralized Logging is the collection of logs from many systems into one place for monitoring, investigation, and compliance. Security teams usually review it alongside Detection Engineering and Endpoint Detection and Response.

Cloud Security

Cloud Security is the controls and practices used to protect cloud-hosted data, applications, identities, and infrastructure. Security teams usually review it alongside Firewall and GovCloud.

CMMC

CMMC is a cybersecurity certification framework for organizations that handle federal contract information or controlled unclassified information. Security teams usually review it alongside Exposure Management and Governance, Risk, and Compliance.

Conditional Access

Conditional Access is identity-based access control that uses signals like user, device, location, risk, and MFA status. Security teams usually review it alongside Group Policy and Identity and Access Management.

D
4 terms

Data Exfiltration

Data Exfiltration is the unauthorized transfer of sensitive data out of an organization’s environment. Security teams usually review it alongside Dwell Time and Fileless Malware.

Detection Engineering

Detection Engineering is the process of creating, tuning, and improving rules and analytics that identify real threats. Security teams usually review it alongside Endpoint Detection and Response and Event Correlation.

Digital Forensics

Digital Forensics is the investigation of systems, logs, files, and activity to understand what happened during a security incident. Security teams usually review it alongside Forensic Timeline and Incident Response.

Dwell Time

Dwell Time is the amount of time an attacker remains undetected inside an environment. Security teams usually review it alongside Fileless Malware and Honeypot.

E
4 terms

Endpoint Detection and Response

Endpoint Detection and Response is technology that monitors endpoints for suspicious activity and supports investigation and containment. Security teams usually review it alongside Event Correlation and Extended Detection and Response.

Event Correlation

Event Correlation is the process of linking related security events to identify patterns, incidents, or attack chains. Security teams usually review it alongside Extended Detection and Response and False Positive.

Exposure Management

Exposure Management is the continuous process of finding and reducing exploitable weaknesses across an organization. Security teams usually review it alongside Governance, Risk, and Compliance and POA&M.

Extended Detection and Response

Extended Detection and Response is a security approach that connects data from endpoints, identity, cloud, network, and other tools for broader detection and response. Security teams usually review it alongside False Positive and Human-Guided AI.

F
4 terms

False Positive

False Positive is a security alert that appears malicious but is ultimately benign. Security teams usually review it alongside Human-Guided AI and Log Management.

Fileless Malware

Fileless Malware is malware that runs mainly in memory or abuses legitimate tools, making it harder to detect with traditional methods. Security teams usually review it alongside Honeypot and Insider Threat.

Firewall

Firewall is a security control that monitors and filters network traffic based on defined rules. Security teams usually review it alongside GovCloud and Jump Server.

Forensic Timeline

Forensic Timeline is a chronological reconstruction of system, user, and attacker activity during an investigation. Security teams usually review it alongside Incident Response and Indicator of Compromise.

G
3 terms

GovCloud

GovCloud is cloud infrastructure designed to meet government security, compliance, and data residency requirements. Security teams usually review it alongside Jump Server and Microsoft 365 Security.

Governance, Risk, and Compliance

Governance, Risk, and Compliance is the business discipline of managing security policies, risk, regulatory obligations, and audit readiness. Security teams usually review it alongside POA&M and HIPAA Security Rule.

Group Policy

Group Policy is a Windows administration feature used to centrally manage user and device settings. Security teams usually review it alongside Identity and Access Management and Just-in-Time Access.

H
4 terms

Hashing

Hashing is a one-way method of transforming data into a fixed-length value used for integrity checks and password protection. Security teams usually review it alongside Key Management and X.509 Certificate.

HIPAA Security Rule

HIPAA Security Rule is the set of U.S. healthcare security requirements for protecting electronic protected health information. Security teams usually review it alongside NIST 800-171 and NIST Cybersecurity Framework.

Honeypot

Honeypot is a decoy system or asset used to attract attackers and study malicious behavior. Security teams usually review it alongside Insider Threat and Kerberoasting.

Human-Guided AI

Human-Guided AI is AI-assisted security automation that remains supervised by analysts for accuracy, safety, and context. Security teams usually review it alongside Log Management and Managed Detection and Response.

I
4 terms

Identity and Access Management

Identity and Access Management is the policies and technologies that control who can access which systems and under what conditions. Security teams usually review it alongside Just-in-Time Access and JSON Web Token.

Incident Response

Incident Response is the structured process for detecting, containing, investigating, and recovering from security incidents. Security teams usually review it alongside Indicator of Compromise and Packet Capture.

Indicator of Compromise

Indicator of Compromise is a technical clue, such as a suspicious IP, domain, file hash, or behavior, that may signal compromise. Security teams usually review it alongside Packet Capture and Quarantine.

Insider Threat

Insider Threat is a security risk caused by someone with legitimate access, whether malicious, negligent, or compromised. Security teams usually review it alongside Kerberoasting and Keylogger.

J
4 terms

JavaScript Injection

JavaScript Injection is a web attack where malicious scripts are inserted into trusted pages or applications. Security teams usually review it alongside Web Application Firewall and XML External Entity Injection.

JSON Web Token

JSON Web Token is a compact token format used to pass identity and authorization claims between systems. Security teams usually review it alongside Least Privilege and Multi-Factor Authentication.

Jump Server

Jump Server is a hardened intermediary system used to access sensitive networks or administrative environments. Security teams usually review it alongside Microsoft 365 Security and QUIC Protocol.

Just-in-Time Access

Just-in-Time Access is temporary access granted only when needed, reducing standing privilege and attacker opportunity. Security teams usually review it alongside JSON Web Token and Least Privilege.

K
4 terms

Kerberoasting

Kerberoasting is an Active Directory attack that targets service account credentials through Kerberos ticket abuse. Security teams usually review it alongside Keylogger and Kill Chain.

Keylogger

Keylogger is malware or monitoring software that records keystrokes to steal passwords and sensitive information. Security teams usually review it alongside Kill Chain and Lateral Movement.

Key Management

Key Management is the secure creation, storage, rotation, and retirement of cryptographic keys. Security teams usually review it alongside X.509 Certificate and Hashing.

Kill Chain

Kill Chain is a model describing the stages attackers often follow from reconnaissance to impact. Security teams usually review it alongside Lateral Movement and Low-and-Slow Attack.

L
4 terms

Lateral Movement

Lateral Movement is an attacker’s movement from one system or account to others after initial compromise. Security teams usually review it alongside Low-and-Slow Attack and Phishing.

Least Privilege

Least Privilege is the security principle of granting only the access required to perform a specific role or task. Security teams usually review it alongside Multi-Factor Authentication and OAuth.

Log Management

Log Management is the collection, storage, parsing, analysis, retention, and protection of event logs. Security teams usually review it alongside Managed Detection and Response and Managed SIEM.

Low-and-Slow Attack

Low-and-Slow Attack is a stealthy attack designed to avoid detection by spreading activity over time. Security teams usually review it alongside Phishing and Privilege Escalation.

M
4 terms

Managed Detection and Response

Managed Detection and Response is a managed service that combines technology and human analysts to detect, investigate, and respond to threats. Security teams usually review it alongside Managed SIEM and Network Detection and Response.

Managed SIEM

Managed SIEM is expert operation, tuning, monitoring, and reporting for a SIEM platform. Security teams usually review it alongside Network Detection and Response and Noise Reduction.

Microsoft 365 Security

Microsoft 365 Security is the controls and monitoring needed to protect Microsoft 365 identities, email, files, and collaboration tools. Security teams usually review it alongside QUIC Protocol and Virtual Private Network.

Multi-Factor Authentication

Multi-Factor Authentication is authentication that requires two or more proof factors, such as a password plus a device or biometric. Security teams usually review it alongside OAuth and OpenID Connect.

N
4 terms

Network Detection and Response

Network Detection and Response is security monitoring that analyzes network activity to detect suspicious behavior and threats. Security teams usually review it alongside Noise Reduction and OSINT.

NIST 800-171

NIST 800-171 is a NIST standard defining security requirements for protecting controlled unclassified information. Security teams usually review it alongside NIST Cybersecurity Framework and SOC 2.

NIST Cybersecurity Framework

NIST Cybersecurity Framework is a risk management framework organized around Govern, Identify, Protect, Detect, Respond, and Recover. Security teams usually review it alongside SOC 2 and Vulnerability Management.

Noise Reduction

Noise Reduction is the process of suppressing low-value alerts so analysts can focus on real risk. Security teams usually review it alongside OSINT and Outsourced SOC.

O
4 terms

OAuth

OAuth is an authorization framework that lets applications access resources without sharing user passwords. Security teams usually review it alongside OpenID Connect and Unauthorized Access.

OpenID Connect

OpenID Connect is an identity layer built on OAuth 2.0 for user authentication and single sign-on. Security teams usually review it alongside OAuth and Unauthorized Access.

OSINT

OSINT is open-source intelligence gathered from publicly available information. Security teams usually review it alongside Outsourced SOC and Purple Teaming.

Outsourced SOC

Outsourced SOC is a third-party security operations team that provides monitoring, investigation, and response support. Security teams usually review it alongside Purple Teaming and Query Language.

P
5 terms

Packet Capture

Packet Capture is the recording of network packets for troubleshooting, investigation, and threat analysis. Security teams usually review it alongside Quarantine and Recovery Time Objective.

Phishing

Phishing is a social engineering attack that uses deceptive messages to steal credentials, money, or data. Security teams usually review it alongside Privilege Escalation and Quishing.

POA&M

POA&M is a Plan of Action and Milestones document used to track security gaps, remediation owners, milestones, and target dates in compliance and risk management programs. Security teams usually review it alongside HIPAA Security Rule and NIST 800-171.

Privilege Escalation

Privilege Escalation is an attack technique used to gain higher permissions than originally authorized. Security teams usually review it alongside Quishing and Ransomware.

Purple Teaming

Purple Teaming is collaboration between offensive and defensive teams to improve detection and response. Security teams usually review it alongside Query Language and Risk-Based Alerting.

Q
4 terms

Quarantine

Quarantine is the isolation of suspicious files, emails, devices, or accounts to prevent further harm. Security teams usually review it alongside Recovery Time Objective and Triage.

Query Language

Query Language is a structured way to search logs, events, and telemetry during detection and investigation. Security teams usually review it alongside Risk-Based Alerting and Security Information and Event Management.

QUIC Protocol

QUIC Protocol is a modern encrypted transport protocol used by HTTP/3 that can affect network visibility and monitoring. Security teams usually review it alongside Virtual Private Network and Whitelisting / Allowlisting.

Quishing

Quishing is a phishing attack that uses malicious QR codes to direct victims to fraudulent sites or downloads. Security teams usually review it alongside Phishing and Ransomware.

R
4 terms

Ransomware

Ransomware is malware that encrypts or steals data and demands payment for recovery or non-disclosure. Security teams usually review it alongside Remote Code Execution and TTPs.

Recovery Time Objective

Recovery Time Objective is the maximum acceptable time a system can be down after an incident or outage. Security teams usually review it alongside Triage and Quarantine.

Remote Code Execution

Remote Code Execution is a vulnerability that allows an attacker to run commands or code on a remote system. Security teams usually review it alongside TTPs and Web Shell.

Risk-Based Alerting

Risk-Based Alerting is alert prioritization that weighs context, severity, asset value, and user risk. Security teams usually review it alongside User Risk and Security Information and Event Management.

S
4 terms

Security Information and Event Management

Security Information and Event Management is a platform for collecting, correlating, analyzing, and reporting security events across an environment. Security teams usually review it alongside Security Operations Center and Security Orchestration, Automation, and Response.

Security Operations Center

Security Operations Center is a team or function responsible for monitoring, detecting, investigating, and responding to threats. Security teams usually review it alongside Security Orchestration, Automation, and Response and Threat Hunting.

Security Orchestration, Automation, and Response

Security Orchestration, Automation, and Response is technology that coordinates tools and workflows to automate security response actions. Security teams usually review it alongside Threat Hunting and Threat Intelligence.

SOC 2

SOC 2 is an audit framework for evaluating controls related to security, availability, confidentiality, processing integrity, and privacy. Security teams usually review it alongside Vulnerability Management and Vendor Risk Management.

T
4 terms

Threat Hunting

Threat Hunting is proactive searching for hidden threats that may have bypassed existing controls. Security teams usually review it alongside Threat Intelligence and UEBA.

Threat Intelligence

Threat Intelligence is contextual information about adversaries, vulnerabilities, tactics, infrastructure, and active threats. Security teams usually review it alongside UEBA and Use Case Tuning.

Triage

Triage is the process of reviewing, prioritizing, and routing alerts for investigation or closure. Security teams usually review it alongside Recovery Time Objective and Quarantine.

TTPs

TTPs (tactics, techniques, and procedures) are the patterns and methods adversaries use to carry out attacks. Security teams usually review them alongside Web Shell and Zero-Day Vulnerability.

U
4 terms

UEBA

UEBA (User and Entity Behavior Analytics) uses behavior patterns to detect abnormal or risky activity by users, devices, and other entities. Security teams usually review it alongside Use Case Tuning and Visibility Gap.

Unauthorized Access

Unauthorized Access is access to systems, data, or accounts without proper permission. Security teams usually review it alongside User Risk and YubiKey.

Use Case Tuning

Use Case Tuning is refining SIEM detection rules so alerts match real organizational risk and reduce false positives. Security teams usually review it alongside Visibility Gap and Workflow Automation.

User Risk

User Risk is the likelihood that a user account or identity is compromised, misused, or likely to cause security harm. Security teams usually review it alongside YubiKey and Zero Trust Architecture.

V
4 terms

Vendor Risk Management

Vendor Risk Management is the process of assessing and reducing cybersecurity risk from suppliers and third-party providers. Security teams usually review it alongside Vulnerability Management and SOC 2.

Virtual Private Network

Virtual Private Network is an encrypted connection that helps secure remote access to private systems and networks. Security teams usually review it alongside Whitelisting / Allowlisting and QUIC Protocol.

Visibility Gap

Visibility Gap is a blind spot where security teams lack the telemetry needed to detect or investigate threats. Security teams usually review it alongside Workflow Automation and XDR.

Vulnerability Management

Vulnerability Management is the ongoing process of identifying, prioritizing, remediating, and validating security weaknesses. Security teams usually review it alongside Vendor Risk Management and SOC 2.

W
4 terms

Web Application Firewall

Web Application Firewall is a security tool that filters web traffic to protect applications from common attacks. Security teams usually review it alongside XML External Entity Injection and XSS.

Web Shell

Web Shell is a malicious script placed on a server to provide remote control or command execution. Security teams usually review it alongside Zero-Day Vulnerability and TTPs.

Whitelisting / Allowlisting

Whitelisting / Allowlisting is a security approach that permits only approved users, apps, domains, or actions. Security teams usually review it alongside Virtual Private Network and QUIC Protocol.

Workflow Automation

Workflow Automation is automating repeatable security tasks such as enrichment, notification, containment, and ticket creation. Security teams usually review it alongside XDR and YARA Rules.

X
4 terms

X.509 Certificate

X.509 Certificate is a digital certificate standard used to verify identities and support encrypted communications. Security teams usually review it alongside Key Management and Hashing.

XDR

XDR is a detection and response model that unifies telemetry across multiple security layers. Security teams usually review it alongside YARA Rules and Workflow Automation.

XML External Entity Injection

XML External Entity Injection is a vulnerability where unsafe XML parsing can expose files, services, or internal systems. Security teams usually review it alongside XSS and Web Application Firewall.

XSS

XSS is a web vulnerability that allows attackers to run malicious scripts in a user’s browser. Security teams usually review it alongside XML External Entity Injection and Web Application Firewall.

Y
2 terms

YARA Rules

YARA Rules are pattern-matching rules used by analysts to identify malware, suspicious files, and threat families. Security teams usually review them alongside XDR and Workflow Automation.

YubiKey

YubiKey is a hardware security key used for phishing-resistant multi-factor authentication. Security teams usually review it alongside Multi-Factor Authentication and Phishing.

Z
2 terms

Zero-Day Vulnerability

Zero-Day Vulnerability is a software or hardware flaw unknown to the vendor or without an available patch. Security teams usually review it alongside Web Shell and TTPs.

Zero Trust Architecture

Zero Trust Architecture is a security model that continuously verifies users, devices, and access instead of assuming trust. Security teams usually review it alongside YubiKey and User Risk.

Need help turning definitions into action?

BitLyft helps organizations reduce alert noise, strengthen Microsoft 365 and identity security, improve SIEM outcomes, and support compliance programs with practical detection and response expertise.