Master the Language of Security Operations
63+ essential definitions for SOC analysts and security professionals. Every term maps to real SOC training scenarios you can practice free forever.
What Is a Cybersecurity Glossary?
A cybersecurity glossary is a curated reference of terms, acronyms, and concepts used across Security Operations Centers (SOCs), incident response teams, and threat intelligence programs. For analysts starting their careers, mastering this vocabulary is the fastest way to decode alerts, communicate with senior staff, and navigate security tools with confidence.
This glossary focuses on operational terms: the tools you will use daily (SIEM, XDR, EDR), the threats you will triage (phishing, ransomware, lateral movement), and the frameworks that structure your work (MITRE ATT&CK, NIST, defense in depth). Each definition includes real SOC context so you understand not just what a term means, but how it shapes your workflow.
- SOC Glossary
- A structured reference of cybersecurity terminology organized by category, with each term including a definition, extended explanation, SOC operational relevance, and links to related concepts. Designed for SOC analysts who need to understand the language of their tools, threats, and processes.
Browse by Category
Tools (12)
Security Information and Event Management (SIEM) is a platform that aggregates, normalizes, and correlates log data from…
Extended Detection and Response (XDR) is a security platform that unifies telemetry from endpoints, networks, cloud work…
Endpoint Detection and Response (EDR) is a security technology that continuously monitors endpoint activity, recording p…
Security Orchestration, Automation, and Response (SOAR) is a platform that integrates security tools, automates repetiti…
An Intrusion Detection System (IDS) monitors network traffic or host activity for signs of malicious behavior, policy vi…
An Intrusion Prevention System (IPS) is an active network security control deployed inline that inspects traffic in real…
A Web Application Firewall (WAF) is a security control between clients and web applications that inspects HTTP/HTTPS tra…
A Next-Generation Firewall (NGFW) combines traditional stateful packet inspection with deep packet inspection, applicati…
Data Loss Prevention (DLP) is a set of technologies and policies that detect and prevent unauthorized transmission, stor…
Network Detection and Response (NDR) is a security platform that passively monitors network traffic using machine learni…
Managed Detection and Response (MDR) is a service where a third-party security provider delivers continuous threat monit…
User and Entity Behavior Analytics (UEBA) applies machine learning and statistical modeling to establish behavioral base…
Concepts (16)
An Indicator of Compromise (IOC) is an observable artifact, such as a file hash, IP address, domain name, URL, registry …
An Indicator of Attack (IOA) is a behavioral signal that identifies adversary intent and technique in real time, such as…
Tactics, Techniques, and Procedures (TTPs) describe the behavioral patterns, methods, and operational processes threat a…
A false positive is a security alert that fires on legitimate, benign activity, incorrectly classifying safe behavior as…
A true positive is a security alert that correctly identifies genuine malicious activity or policy violation. It is a re…
Alert triage is the structured process of reviewing, prioritizing, and investigating security alerts to determine their …
Threat intelligence is analyzed, contextualized information about current and emerging cyber threats, including threat a…
The Cyber Kill Chain is a framework developed by Lockheed Martin that describes seven sequential stages of a targeted cy…
Defense in depth layers multiple independent defensive controls across the network, endpoint, application, and identity …
Zero Trust is a security architecture philosophy based on "never trust, always verify," requiring continuous authenticat…
The principle of least privilege states that users, processes, and systems should receive only the minimum access rights…
An organization's attack surface is the total set of points where an adversary could attempt unauthorized access: networ…
Multi-Factor Authentication (MFA) requires users to provide two or more independent verification factors (something you …
Mean Time to Detect is the average elapsed time between when a security incident begins and when the SOC first identifie…
Mean Time to Respond is the average elapsed time between detecting a security incident and completing the initial respon…
Indicators of Compromise are observable artifacts — IP addresses, domain names, file hashes, registry keys, or behaviora…
Threats (13)
Phishing is a social engineering attack delivered via email, SMS, voice calls, or other channels that deceives recipient…
A brute force attack systematically tries large numbers of username and password combinations, or decryption keys, until…
Lateral movement is the attack phase where adversaries expand access from an initial foothold to additional systems, usi…
Privilege escalation is how an attacker gains higher access rights than initially obtained: standard user to administrat…
Persistence refers to techniques adversaries use to maintain access across reboots, credential changes, and other disrup…
Command and Control (C2) refers to the infrastructure and communication channels adversaries use to remotely direct malw…
Data exfiltration is the unauthorized transfer of sensitive data from a victim environment to attacker-controlled infras…
Ransomware is malware that encrypts victim data or systems and demands payment (typically cryptocurrency) for the decryp…
An Advanced Persistent Threat (APT) is a sophisticated, often nation-state-sponsored threat actor conducting long-durati…
An insider threat is a security risk from current or former employees, contractors, or partners who misuse authorized ac…
A supply chain attack compromises a trusted third-party vendor, service provider, or hardware supplier to use their priv…
Social engineering is the psychological manipulation of individuals into performing actions or revealing information tha…
A threat actor is any individual, group, or organization that conducts or sponsors malicious cyber activity, including n…
Frameworks (5)
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques observed in real-world cyberatt…
The NIST Cybersecurity Framework (CSF) is a risk management framework developed by the US National Institute of Standard…
The CIS Critical Security Controls are a prioritized set of 18 defensive actions developed by the Center for Internet Se…
The Diamond Model of Intrusion Analysis represents every intrusion event as a relationship between four core features: A…
The Open Web Application Security Project (OWASP) is a nonprofit producing freely available security resources, most not…
Processes (17)
Incident response (IR) is the structured process for preparing for, detecting, containing, eradicating, recovering from,…
Threat hunting is the proactive, human-led process of searching through security telemetry to find hidden threats that e…
Digital forensics is the scientific process of collecting, preserving, analyzing, and presenting digital evidence from c…
Vulnerability management is the continuous process of identifying, classifying, prioritizing, remediating, and verifying…
Patch management is the systematic process of acquiring, testing, approving, and applying software updates and security …
Log management is the process of collecting, normalizing, storing, retaining, and analyzing log data from across the IT …
Alert correlation combines multiple related security events from different sources into a unified, higher-fidelity alert…
In SOC operations, triage is the initial assessment where analysts rapidly evaluate an alert to determine severity, vali…
Escalation is the formal process of transferring an alert or incident to a higher-tier analyst, specialized team, or man…
Containment is the incident response phase focused on limiting the spread and impact of a confirmed security incident: i…
Eradication is the incident response phase where all threat components are permanently removed: malware, backdoors, pers…
Recovery is the incident response phase where normal business operations are restored: affected systems return to produc…
Penetration testing is an authorized simulated cyberattack against an organization's systems, networks, or applications,…
A SOC analyst is a cybersecurity professional who monitors, detects, investigates, and responds to security threats as p…
Mean Time to Detect (MTTD) measures the average elapsed time between when a security incident begins and when the SOC id…
A red team is a group of security professionals who simulate advanced adversary tactics against an organization's full d…
A Service Level Agreement (SLA) in SOC contexts defines contractual or operational targets for alert response times, spe…
Frequently Asked Questions
- What terms should SOC analysts know first?
- Start with the core tools: SIEM, XDR, EDR, and Firewall. Then learn the processes: alert triage, incident response, escalation, and threat hunting. These terms map directly to daily SOC workflows and appear in every analyst job description.
- How is this glossary organized?
- Terms are grouped into five categories: Tools (SIEM, XDR, EDR, etc.), Concepts (defense in depth, zero trust, etc.), Threats (phishing, ransomware, APT, etc.), Frameworks (MITRE ATT&CK, NIST, etc.), and Processes (incident response, alert triage, etc.). Each term includes a definition, extended explanation, SOC relevance context, and links to related terms.
- How often is the glossary updated?
- We review and update the glossary monthly to reflect new threats, evolving tools, and changes in industry frameworks. New terms are added as the cybersecurity landscape evolves.
- Can I practice these concepts hands-on?
- Yes. SOCSimulator provides free SOC analyst training with realistic SIEM, XDR, and Firewall interfaces. Every glossary term maps to a concept you will encounter during hands-on training scenarios. Start free forever with no credit card required.
- What is the difference between SIEM, XDR, and EDR?
- SIEM aggregates and correlates logs from across your environment for threat detection and compliance. EDR monitors individual endpoints (process execution, file changes, network connections). XDR extends EDR by unifying endpoint, network, cloud, and identity telemetry into a single detection and response platform. Most mature SOCs use all three together.
Put These Concepts Into Practice
SOCSimulator puts you in the analyst seat with real alerts, real tools, and real pressure. Investigate MITRE ATT&CK-mapped scenarios across SIEM, XDR, and Firewall consoles. Start free forever — no credit card required.