The SOC Analyst
Glossary

What is Access Directory? An access directory is a centralized database or service that stores and manages information about users, devices, resources, and the permissions that govern who can access what within a network. It serves as the authoritative source for authentication and authorization decisions across an organization's IT environment.

Amazon Web Services (AWS): Amazon Web Services (AWS) is a comprehensive cloud computing platform provided by Amazon that delivers on-demand IT resources over the internet. Instead of owning physical servers or data centers, businesses can rent computing power, storage, and other services on a pay-as-you-go basis. Launched publicly in 2006, AWS pioneered the modern cloud computing model by offering scalable infrastructure as web services.

API Security Application Programming Interfaces (APIs) are the invisible backbone of the modern internet. Every time a mobile app fetches your location, a payment gateway processes a transaction, or a SaaS platform syncs data between tools, an API is doing the work. API security is the practice of protecting these interfaces from threats that could compromise the data they transmit, the systems they connect to, or the business logic they expose.

Brute Force Attack Definition: A brute force attack is a method of gaining unauthorized access to an account, system, or encrypted file by systematically trying every possible password or credential combination until the correct one is found. Rather than exploiting a software vulnerability, brute force attacks rely entirely on trial and error backed by automated tools and computing power. The name reflects the approach: overwhelming a target through sheer force of attempts rather than through skill or deception.

Cloud Security Definition: Cloud security is the set of policies, technologies, controls, and practices designed to protect cloud-based systems, data, and infrastructure from cyber threats. It covers everything stored, processed, or transmitted through cloud environments, including applications, virtual machines, containers, databases, and the networks that connect them. As organizations move mission-critical workloads to the cloud for greater flexibility and efficiency, cloud security has become one of the highest-priority disciplines in modern cybersecurity.

Definition: Credential stuffing is an automated cyberattack in which threat actors inject stolen username and password pairs into login forms across multiple websites and applications to gain unauthorized access to user accounts. Because many users reuse the same credentials across different platforms, a single data breach can give attackers a working key to dozens of unrelated services. Unlike brute force attacks, which attempt to guess passwords randomly, credential stuffing uses *verified* credentials pairs already confirmed valid somewhere.

Two reports land on a SOC analyst's desk, both about the same IP address. The first says: 198.51.100.23: malicious, block it. That is the whole report.

Two reports land on a SOC analyst's desk, both about the same IP address. The first says: 198.51.100.23: malicious, block it. That is the whole report.

A SOC analyst opens her queue on a Monday. An endpoint agent flagged powershell.exe spawning from a Word document, then reaching out to an IP in a country the company does no business with. Within twenty minutes she has pulled the process tree, confirmed the macro, isolated the host, and pushed a detection rule so the next attempt fires an alert before anyone clicks.

What is Data Loss Prevention (DLP)? Data Loss Prevention (DLP) is a set of security tools, policies, and processes designed to detect, monitor, and block the unauthorized transfer, sharing, or exposure of sensitive data. DLP solutions inspect data in motion (network traffic), data at rest (stored files), and data in use (endpoint activity) to prevent accidental leaks and deliberate exfiltration before damage occurs.

The responder's first decision is whether to pull the plug. A host is compromised, the malware is running, and the instinct is to power it off to stop the spread. Do that and you destroy the case.

Definition Email security is the practice of protecting email accounts and communications from unauthorized access, data loss, and compromise. It encompasses the policies, tools, and technologies organizations use to defend against malicious threats delivered through email, including phishing, malware, spam, and business email compromise (BEC). Email remains the most heavily used communication channel in the workplace, with over 333 billion emails sent and received globally every day.

What Is Endpoint Management? Endpoint management involves tools, policies, and procedures used by IT and security teams to authenticate, monitor, and manage access to an organization’s devices, whether on-premises or cloud-based. It includes managing security, deploying software, and ensuring compliance across devices like laptops, desktops, and mobile phones.

Definition A firewall is a network security control that monitors and filters traffic between networks, typically between a trusted internal network and an untrusted external one, like the internet, and enforces a defined set of rules to allow or block data from passing through. Think of it as a gatekeeper standing between your infrastructure and everything outside it. Every packet that arrives is inspected against policy rules, and only traffic that meets those rules is permitted through.

GDPR (General Data Protection Regulation) The General Data Protection Regulation (GDPR) is the world's most comprehensive data privacy and security law. Drafted and enacted by the European Union, it entered into force in 2016 and became fully enforceable on May 25, 2018. The regulation establishes strict requirements for how organizations collect, store, process, and protect the personal data of individuals in the EU, and its reach extends well beyond Europe's borders.

Definition A honeypot is a deliberately deployed decoy system, server, or network resource designed to lure attackers away from real production assets, expose their tactics, and generate actionable threat intelligence. Unlike perimeter controls that block threats at the gate, a honeypot lets an attacker inside a controlled, isolated trap and then watches everything they do. The name draws from the same logic used in espionage: bait with something irresistible, then observe who takes it and how.

02:14. An EDR alert fires: a host is encrypting files in bulk. Ninety seconds later, a second host starts.

Indicators of Compromise (IOCs) An Indicator of Compromise (IOC) is a piece of forensic evidence that signals a network, endpoint, or system has likely been breached. Unlike a warning that an attack *might* occur, an IOC is evidence that one *already has* whether through malware installation, unauthorized access, credential theft, or data exfiltration. Think of IOCs as the digital breadcrumbs attackers leave behind.

What Is Kerberoasting? Kerberoasting is a cyberattack that mainly targets Windows networks by exploiting the Kerberos authentication protocol. This attack specifically targets service accounts associated with services rather than individual users within the Active Directory (AD) environment.

What are Managed Cloud Security Services? Managed Cloud Security Services provide organizations with comprehensive security management solutions for cloud-based assets, focusing on protecting data, applications, and infrastructure from threats. Companies opt for external service providers to enhance their cloud security posture while allowing them to focus on core business functions.

An alert fires: a process just read the memory of lsass.exe. On its own, that is a line in a log. Look it up in MITRE ATT&CK and it has a name, an ID, and a paper trail: T1003.001, OS Credential Dumping: LSASS Memory, sitting under the Credential Access tactic.

Explain NTLM vs. Kerberos vs. LDAP NTLM (NT LAN Manager): A challenge-response authentication protocol used primarily in Windows environments.

Ransomware: Ransomware is a type of malware that encrypts files or locks systems on a victim's device, making data inaccessible until the attacker receives a ransom payment, typically in cryptocurrency. It is one of the most damaging and widespread cyber threats facing organizations today, targeting businesses, government agencies, healthcare institutions, and critical infrastructure alike. How Ransomware Works?

A single failed login means nothing. A firewall deny means nothing. A new service installed on a host means nothing.

It is 3 a.m. An alert fires: a service account just authenticated from an IP in a country your company does not operate in, then started enumerating file shares. The endpoint agent flagged a suspicious process minutes earlier.

What Is a Supply Chain Attack? A supply chain attack, also known as a value-chain or third-party attack, occurs when someone infiltrates your system through an outside partner or provider with access to your systems and data. This type of attack can happen in any industry, from the financial sector to utilities and in public and private sectors.

No alert fired. The dashboards are green. A hunter starts anyway, with a hunch: an attacker who got in would try to run code in memory to dodge antivirus, and on Windows the easiest way is encoded PowerShell.

Definition A Virtual Private Network (VPN) is a security technology that creates a secure, encrypted connection between a user’s device and a private network over the public internet. It ensures that data transmitted between endpoints remains confidential, protected from interception, and accessible only to authorized users. VPNs are widely used in both enterprise and personal contexts to protect sensitive data, enable secure remote access, and maintain privacy in increasingly distributed and cloud-based environments.