Blue Team Reference

The SOC Analyst
Glossary

500+ cybersecurity terms explained for practitioners — DFIR, SOC, Threat Hunting, Malware Analysis, and beyond.

A–Z
201-250 of 466 terms
D
9 terms
Digital Forensics and Incident Response (DFIR)
Malware AnalysisThreat IntelNetwork ForensicsCloud ForensicsEndpoint Forensics
The responder's first decision is whether to pull the plug. A host is compromised, the malware is running, and the instinct is to power it off to stop the spread. Do that and you destroy the case.
Digital Risk Protection
Threat Intel
A leaked credential pair shows up for sale on a Telegram channel. A lookalike domain, registered yesterday, is already serving a pixel-perfect copy of your login page. A fake executive profile on LinkedIn is DMing your finance team about an urgent wire.
Disinformation Campaign
Detection EngineeringThreat Intel
A disinformation campaign is social engineering aimed at a population instead of a single inbox. The same levers, false authority, manufactured consensus, emotional pressure, are pointed at how a crowd thinks, votes, panics, or buys. The phishing email tricks one person into clicking.
Distributed Denial-of-Service (DDoS) Attacks
Detection EngineeringNetwork Forensics
In Q4 2025 Cloudflare mitigated a single attack that peaked at 31.4 terabits per second. It lasted about 35 seconds. To put that in scale, that is more traffic in half a minute than most enterprises move in a day, all of it aimed at one target by a coordinated swarm of compromised machines.
DLP Best Practices
Detection EngineeringCloud Forensics
A DLP deployment fails the same way most of the time. Someone buys the tool, turns on every default rule, and a week later the SOC is drowning in alerts that are 90 percent false positive: the marketing team emailing a press release that trips a "confidential" keyword, a developer pushing a test file with a fake credit card number, a finance export that is entirely legitimate. The analysts learn to ignore the channel.
Domain Spoofing
Detection Engineering
A user gets an email from [email protected] asking them to confirm a payment. The display name reads "PayPal Service," the logo is right, the footer is right, and the link goes to a login page that looks identical to the real one. The only thing wrong is one character: the lowercase "L" in the domain is the number "1." That is domain spoofing, and the user who misses that one character hands over a password to an attacker.
Dora SaaS Security
Detection EngineeringCloud Forensics
A European bank can be fully compliant with its own security policy and still fail DORA. The reason sits outside the building. The CRM that holds every client record, the payroll platform, the identity provider that fronts single sign-on, the analytics stack that ingests transaction data: none of it runs on hardware the bank owns.
Downgrade Attacks
Detection EngineeringNetwork Forensics
A client and a server both support TLS 1.3, the connection should be modern and safe, and yet the session ends up negotiated down to SSL 3.0 with a CBC cipher an attacker can pick apart byte by byte. Nobody exploited a buffer overflow. The attacker sat in the middle of the handshake, tampered with the negotiation, and the two endpoints politely agreed to use the weakest option they still had code for.
Dynamic Application Security Testing (DAST)
Detection EngineeringCloud Forensics
A scanner that never sees your source code can still find the SQL injection that empties your database. It sends a crafted request to the login form, watches a database error leak back in the response, and flags the endpoint. That is dynamic application security testing: testing a running application from the outside, the way an attacker would, with no access to the code behind it.
E
26 terms
E-mail security
Cybersecurity EducationSOC Analyst training
Definition Email security is the practice of protecting email accounts and communications from unauthorized access, data loss, and compromise. It encompasses the policies, tools, and technologies organizations use to defend against malicious threats delivered through email, including phishing, malware, spam, and business email compromise (BEC). Email remains the most heavily used communication channel in the workplace, with over 333 billion emails sent and received globally every day.
EDR vs MDR vs XDR
Detection EngineeringEndpoint Forensics
Three letters change and the meaning shifts on a different axis each time. EDR to XDR widens what you watch: one endpoint agent becomes endpoint, network, cloud, identity, and email in one console. EDR to MDR changes who watches it: the same telemetry, but a provider's analysts run the detection and response instead of your team.
EDR vs NGAV
Detection EngineeringEndpoint Forensics
A user opens a macro-laced invoice. The document spawns powershell.exe, which downloads a payload and starts encoding a base64 command. On a laptop running next-generation antivirus alone, one of two things happens: the engine recognizes the behavior and kills the process before the payload lands, or it does not, the process exits clean, and nothing is recorded.
Email Spoofing
Detection Engineering
A finance clerk gets an email from the CEO. The display name is right, the signature is right, the tone is right, and the request is simple: approve the attached invoice before end of day. The clerk replies, the payment goes out, and only later does anyone notice the message never came from the CEO at all.
Employee Cybersecurity Awareness Training Program
Detection Engineering
Most breaches still start with a person, not an exploit. Verizon's 2026 Data Breach Investigations Report puts the human element in 62 percent of breaches: someone clicked, someone reused a password, someone wired money to an address in a spoofed email. No endpoint agent catches the moment a finance clerk approves a fraudulent invoice because the request looked routine.
Endpoint Data Loss Prevention (DLP)
Detection EngineeringEndpoint Forensics
The data leaves on a USB stick a contractor plugged in to "grab a few files" on their last day. It leaves in a customer list copied out of the CRM and pasted into a personal webmail tab. It leaves on a printed report carried out the door, or in a screenshot of a dashboard dropped into a chat app, or in a folder dragged into a personal Dropbox sync client.
Endpoint Detection and Response (EDR)
Detection EngineeringEndpoint Forensics
An analyst gets an alert at 2 a.m. Nothing is obviously wrong. The antivirus is quiet, no known-bad file, no flagged signature.
Endpoint Management
What Is Endpoint Management? Endpoint management involves tools, policies, and procedures used by IT and security teams to authenticate, monitor, and manage access to an organization’s devices, whether on-premises or cloud-based. It includes managing security, deploying software, and ensuring compliance across devices like laptops, desktops, and mobile phones.
Endpoint Monitoring
Detection EngineeringEndpoint Forensics
A finance laptop checks in from a coffee shop at 9 a.m. and looks normal: signed processes, a patched OS, no malware on disk. By 9:40 the same machine has spawned a script that enumerated the local admins, opened an outbound connection to an IP it has never talked to, and started copying files into a staging folder. No file on that device is flagged as malicious.
Endpoint Protection Platforms (EPP)
Detection EngineeringEndpoint Forensics
A workstation runs an antivirus, a separate disk-encryption tool, a host firewall, a USB-control utility, and an EDR sensor. Five agents, five consoles, five sets of alerts that never talk to each other. The analyst chasing one incident pivots between five screens to reconstruct what happened on a single laptop, and the gaps between those tools are exactly where an attacker lives.
Endpoint Protection Software
Detection EngineeringEndpoint Forensics
A laptop in a sales office, a domain controller in a rack, a phone on an airport network, a build server in the cloud. Each one is an endpoint, and each one is a place an attacker can land. The software that watches those devices, blocks what it can, records what it cannot, and lets an analyst respond is endpoint protection software.
Endpoint Security
Detection EngineeringEndpoint Forensics
A single laptop opens a malicious attachment. Forty minutes later, the same credentials are authenticating to a file server two subnets away, and an hour after that a scheduled task is running on a domain controller. None of it touched the network perimeter in a way a firewall would flag.
Endpoints
Detection EngineeringEndpoint Forensics
Pull up the asset inventory for any organization and count the laptops, then the servers, then the phones, then the things nobody remembered: the conference-room camera, the badge printer, the warehouse scanner, the VP's smartwatch on the corporate Wi-Fi. Each one is an endpoint. Each one runs code, holds a credential, or talks to something that does.
Enterprise Browser
Detection Engineering
The browser is now the place most work happens. Email, the CRM, the cloud console, the HR portal, the code repository, the AI assistant: all of it runs in a tab. That makes the browser the single richest target in the environment, and the standard consumer browser was never built to defend it.
Entra ID (formerly Azure Active Directory)
Detection EngineeringCloud Forensics
In July 2023 Microsoft renamed Azure Active Directory to Microsoft Entra ID. The product did not change. The name did.
EPP vs. EDR
Detection EngineeringEndpoint Forensics
A buyer is handed two datasheets. One is headed "endpoint protection platform," the other "endpoint detection and response," and both list machine learning, behavioral analysis, and threat blocking. They read like competitors.
Error Logs
Detection EngineeringEndpoint Forensics
A web app starts throwing 500s. The on-call analyst does not guess. They open the error log and read the line: a timestamp, a severity of ERROR, a stack trace pointing at a database connection that timed out, and the user account that triggered it.
Ethical Hacker
Detection EngineeringThreat Intel
An ethical hacker is paid to do what a criminal does, with one difference that changes everything: a signed authorization. Same tools, same techniques, same goal of reaching the data that should be out of reach. The difference is permission, a defined scope, and a report at the end instead of a ransom note.
Event Log
Detection EngineeringEndpoint Forensics
A Windows host is compromised and the first place a responder opens is the Security event log. The story is usually there. A burst of 4625 failed logons from one account, then a 4624 success.
Exploit Kits
Malware AnalysisThreat Intel
A user opens a news site they read every day and clicks nothing unusual. One of the ads on the page is malicious, and it quietly redirects their browser, in the background, to a server they never chose to visit. That server runs a script that reads the browser version, the operating system, and the plugins installed, finds an unpatched flaw in an outdated plugin, fires the matching exploit, and drops a ransomware payload on the machine.
Exploitation of Misconfigured Image Containers
Detection EngineeringCloud Forensics
An exposed Docker API on port 2375, a container that runs as root, an image pulled from a public registry that nobody scanned. Each is one line in a deploy file. Together they are a path from the open internet to root on the host.
Exposure Management vs. Vulnerability Management
Detection Engineering
A vulnerability scanner returns 18,000 findings across your estate. Two thirds are rated high or critical. Your team can realistically patch a few hundred this quarter.
Extended Detection and Response (XDR)
Detection Engineering
A SOC analyst has four alerts open, one in each console. The email gateway quarantined a suspicious message an hour ago. The identity provider logged a login for that same user from an impossible location.
Extended Internet of Things (XIoT)
Detection EngineeringNetwork Forensics
Plug a network scanner into a hospital subnet and the asset list stops looking like a list of computers. An infusion pump answers on port 443. A building HVAC controller speaks Modbus.
External Attack Surface Management (EASM)
Detection EngineeringThreat Hunting
A subdomain points at a cloud bucket that was decommissioned two years ago. A marketing team spun up a landing page on a hosting provider no one in security has heard of. A subsidiary acquired last quarter still runs an internet-facing VPN appliance on firmware from 2021.
External Authentication Method (EAM)
Detection Engineering
Your organization standardized on a third-party MFA provider years ago: a hardware-token vendor, a behavioral-biometric product, a regional smart-card scheme. Then you moved identity to Microsoft Entra ID, and the question became how to keep that provider in the loop without bolting it on through a brittle federation hack. For years the answer was Conditional Access custom controls, a redirect that Entra could not actually reason about.
F
7 terms
File Integrity Monitoring
Detection EngineeringEndpoint Forensics
An attacker who lands on a host rarely leaves the files alone. They drop a web shell into the web root, swap a signed binary for a trojaned one, add a key to authorized_keys, edit /etc/sudoers, or plant a scheduled task in C:\Windows\System32. Each of those is a change to a file that, a minute earlier, was exactly what the vendor or your build pipeline shipped.
Fileless Malware
Malware Analysis
An incident responder pulls the disk image of a host that is clearly compromised, it is beaconing to a known-bad address every few minutes, and starts hunting for the malware. There is no malicious executable. No suspicious file dropped in a temp folder, no new program installed, nothing the antivirus flagged, nothing that looks out of place on disk at all.
Firewall
Cybersecurity EducationSOC Analyst trainingSOC Analyst Career
Definition A firewall is a network security control that monitors and filters traffic between networks, typically between a trusted internal network and an untrusted external one, like the internet, and enforces a defined set of rules to allow or block data from passing through. Think of it as a gatekeeper standing between your infrastructure and everything outside it. Every packet that arrives is inspected against policy rules, and only traffic that meets those rules is permitted through.
Firewall as a Service (FWaaS)
Detection EngineeringNetwork Forensics
A retailer with 300 stores once ran 300 firewall appliances. Each one needed a rule change pushed by hand, a firmware update scheduled in a maintenance window, and a replacement when it aged out. Then half the workforce went remote and the traffic stopped flowing through the stores at all.
Fog Ransomware
Detection EngineeringThreat Intel
The intrusion started with a login that already worked. No exploit chain, no dropped malware on the first host, just a valid VPN credential bought or harvested from somewhere else. From there the operator ran pass-the-hash against an administrator account, opened an RDP session to a Windows Server running Hyper-V and Veeam, pushed PsExec to a handful of machines, turned off Windows Defender, and began encrypting.
Free Antivirus vs Paid Antivirus Software
Detection EngineeringEndpoint Forensics
A free antivirus tool finds the ransomware note after the files are already encrypted. It scans the disk, flags the known-bad binary, quarantines it, and reports a clean sweep. The encryption ran an hour ago.
Frontier AI
Threat Intel
In November 2025 Anthropic disclosed that a group it assessed with high confidence to be Chinese state-sponsored had jailbroken its Claude model and used it to run most of a cyber-espionage operation against roughly thirty targets, with humans stepping in at only a handful of decision points. The model that ran the operation was not a narrow tool. It was a general-purpose system capable of writing code, reasoning across steps, and calling external tools.
G
4 terms
General Data Protection Regulation (GDPR)
Cybersecurity EducationSOC Analyst training
GDPR (General Data Protection Regulation) The General Data Protection Regulation (GDPR) is the world's most comprehensive data privacy and security law. Drafted and enacted by the European Union, it entered into force in 2016 and became fully enforceable on May 25, 2018. The regulation establishes strict requirements for how organizations collect, store, process, and protect the personal data of individuals in the EU, and its reach extends well beyond Europe's borders.
Generative AI (GenAI) in Cybersecurity
Detection EngineeringThreat Intel
In early 2024, a finance worker at the engineering firm Arup joined a video call with people who looked and sounded like the company's UK chief financial officer and several colleagues. Every face on the call was a deepfake. The worker, reassured by familiar voices, approved fifteen transfers totaling about 200 million Hong Kong dollars, roughly 25 million US dollars, to accounts the attackers controlled.
Golden Ticket Attack
Detection EngineeringThreat Hunting
An attacker who already owns a domain controller dumps one specific account from memory: krbtgt. With that single hash they sit on a laptop, run Mimikatz, and forge a Kerberos ticket-granting ticket that claims to be the domain administrator. They never touched the domain admin's password.
Google Cloud Migration
Detection EngineeringCloud Forensics
The first incident after a Google Cloud migration is rarely a novel exploit. It is a Cloud Storage bucket that was an internal file share on-prem, recreated with allUsers granted read. It is a service account that ran a batch job in the data center, rehosted with the Owner role and a long-lived JSON key now sitting in a repo.
H
4 terms
Hacktivism
Threat Intel
In December 2010, after several payment companies cut off donations to WikiLeaks, a loose collective called Anonymous pointed a flood of traffic at the websites of PayPal, Visa, and Mastercard and knocked them offline. The operation was named "Operation Payback." No data was ransomed, no money was stolen, and no espionage was the goal. The point was the disruption itself, and the message it sent.
Hashing in Cybersecurity
Detection Engineering
A threat intel feed drops a new indicator: 44d88612fea8a8f36de82e1278abb02f. No filename, no path, just thirty-two hex characters. You paste it into your EDR, and it comes back with three hosts that executed a file matching that exact value last night.
Healthcare Cybersecurity
Detection EngineeringThreat Hunting
A ransomware operator does not care that the encrypted server runs an emergency department. When the EHR goes dark, clinicians revert to paper, ambulances divert to other hospitals, and lab and imaging results stop flowing to the people deciding whether a patient goes to surgery. That is the part that makes healthcare different from almost every other sector: a security incident is not only a data problem, it is a patient-safety problem.
HIPAA Security Rule
Detection Engineering
A ransomware operator who locks up a hospital's electronic health records has not just caused an outage. Under federal law, that hospital was already required to have a written risk analysis on file, access controls on the systems holding patient data, audit logs that record who touched a record, and a contingency plan to restore the data. The control that failed, and the one OCR will ask about first, is named in a specific subsection of the Code of Federal Regulations.