Cybersecurity & Incident Response Glossary

Over 60 essential cybersecurity and incident response terms explained in plain language. From APT to Zero Trust, understand the terminology used by security professionals during breach response.

A

APT (Advanced Persistent Threat)

A prolonged, targeted cyberattack in which an attacker gains unauthorized access to a network and remains undetected for an extended period. APTs are typically carried out by well-funded nation-state or criminal groups seeking to steal data or conduct espionage.

Attack Surface

The sum of all points where an unauthorized user could enter a system or extract data. Reducing the attack surface — by disabling unused services, closing unnecessary ports, and removing unused accounts — is a fundamental security practice.

Attack Vector

The specific method or pathway an attacker uses to gain unauthorized access to a system. Common attack vectors include phishing emails, exploited software vulnerabilities, compromised credentials, and malicious USB devices.

B

Backdoor

A hidden method of bypassing normal authentication or encryption to gain access to a system. Attackers install backdoors to maintain persistent access even after the initial vulnerability is patched. Forensic investigation must identify and remove all backdoors during incident recovery.

Breach Notification

The legal requirement to inform affected individuals, regulators, and sometimes the media when personal data has been compromised. Notification timelines and requirements vary by jurisdiction. See our complete 50-state guide to breach notification requirements.

BAA (Business Associate Agreement)

A contract required under HIPAA between a covered entity and a business associate that handles protected health information (PHI). The BAA establishes the permitted uses of PHI and requires the business associate to implement appropriate safeguards.

BCP (Business Continuity Plan)

A documented plan that outlines how an organization will continue operating during and after a disruption, including a cybersecurity incident. A strong BCP includes communication plans, alternate work arrangements, and prioritized system recovery procedures.

C

Chain of Custody

The documented process of tracking the handling, transfer, and storage of digital evidence from collection through presentation in legal proceedings. Maintaining chain of custody is essential for evidence to be admissible in court and credible in regulatory investigations.

CISA (Cybersecurity and Infrastructure Security Agency)

The US federal agency responsible for protecting critical infrastructure from cybersecurity threats. CISA provides free resources, vulnerability scanning, and incident response assistance to organizations of all sizes.

C2 (Command and Control)

The infrastructure and communication channels attackers use to maintain contact with compromised systems. C2 servers send commands to malware, receive stolen data, and coordinate attack activities. Identifying and blocking C2 communication is a key step in containment.

Containment

The phase of incident response focused on limiting the scope and impact of a security incident. Short-term containment may involve disconnecting systems from the network, while long-term containment involves implementing temporary fixes that allow business operations to continue while a permanent solution is developed.

Covered Entity

Under HIPAA, a health plan, healthcare clearinghouse, or healthcare provider that transmits health information electronically. Covered entities must comply with HIPAA Privacy, Security, and Breach Notification rules.

Credential Stuffing

An automated attack that uses stolen username/password pairs (typically from previous data breaches) to attempt login across multiple services. Credential stuffing exploits password reuse and is a leading cause of account compromise.

Cyber Insurance

Insurance coverage designed to offset the costs of cybersecurity incidents including forensic investigation, legal fees, notification costs, business interruption, and sometimes ransom payments. Most policies require notification within 24-72 hours of discovering an incident.

CSF (Cybersecurity Framework)

Typically refers to the NIST Cybersecurity Framework, a voluntary set of standards and best practices for managing cybersecurity risk. The CSF 2.0 (2024) includes six core functions: Govern, Identify, Protect, Detect, Respond, and Recover.

D

Dark Web

A part of the internet accessible only through specialized software (typically Tor) that provides anonymity. Stolen data, credentials, and hacking tools are frequently traded on dark web marketplaces. Monitoring the dark web for your organization's data is part of post-breach assessment.

Data Breach

An incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorized party. Breaches may result from cyberattacks, insider threats, or accidental exposure. See our guide on data breach costs for small businesses.

Data Exfiltration

The unauthorized transfer of data from an organization's systems to an external destination controlled by the attacker. Data exfiltration often occurs before ransomware deployment as part of a double extortion strategy.

DLP (Data Loss Prevention)

Technologies and policies designed to detect and prevent unauthorized data transfers. DLP tools monitor data in motion (network traffic), data at rest (stored files), and data in use (endpoint activity) to prevent sensitive information from leaving the organization.

DDoS (Distributed Denial of Service)

An attack that overwhelms a target system, server, or network with a flood of traffic from multiple sources, rendering it unavailable to legitimate users. DDoS attacks are sometimes used as a distraction while attackers conduct other malicious activities.

Digital Forensics

The scientific process of collecting, preserving, analyzing, and presenting digital evidence from computer systems, networks, and storage devices. Digital forensics is essential for understanding what happened during a security incident and supporting legal proceedings.

Disaster Recovery

The policies, tools, and procedures for restoring critical technology infrastructure and systems after a natural or human-caused disaster. Disaster recovery focuses on IT systems, while business continuity addresses broader organizational operations.

Double Extortion

A ransomware tactic where attackers both encrypt victim data and exfiltrate it, threatening to publish stolen data if the ransom is not paid. Over 70% of ransomware attacks now involve double extortion. See our ransomware response guide for details.

Dwell Time

The duration between an attacker's initial compromise of a system and when the breach is detected. The average dwell time has decreased over recent years but still averages over 200 days. Shorter dwell times correlate with significantly lower breach costs.

E

EDR (Endpoint Detection and Response)

Security software installed on endpoints (laptops, servers, workstations) that continuously monitors for suspicious activity, records system events, and enables rapid response to threats. EDR is essential for detecting lateral movement and containing active incidents.

Encryption

The process of converting data into a coded form that cannot be read without the proper decryption key. Encryption of data at rest and in transit is a fundamental security control. In many jurisdictions, breaches involving properly encrypted data may not trigger notification requirements.

Eradication

The phase of incident response focused on completely removing the attacker's presence from the environment. This includes removing malware, closing backdoors, patching vulnerabilities, and resetting compromised credentials. Eradication must be thorough — any remaining access will lead to re-compromise.

F

Firewall

A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls establish a barrier between trusted internal networks and untrusted external networks like the internet.

Forensic Image

A bit-for-bit copy of a storage device that preserves all data, including deleted files, slack space, and metadata. Forensic images must be created before any recovery efforts to preserve evidence. They are typically verified using cryptographic hashes to ensure integrity.

G

GLBA (Gramm-Leach-Bliley Act)

A US federal law that requires financial institutions to explain their information-sharing practices and to safeguard sensitive customer data. The GLBA Safeguards Rule was updated in 2023 to require notification to the FTC within 30 days of discovering a breach affecting 500+ customers.

H

HIPAA (Health Insurance Portability and Accountability Act)

US federal law that establishes national standards for protecting sensitive patient health information. HIPAA requires breach notification to affected individuals within 60 days of discovery. See our HIPAA breach notification guide.

Honeypot

A decoy system or resource designed to attract attackers and detect unauthorized access attempts. Honeypots help security teams identify attack methods, gather threat intelligence, and provide early warning of intrusions without risking production systems.

I

Incident

A security event that compromises the confidentiality, integrity, or availability of an information asset. Not every security event is an incident — an incident implies actual or imminent harm that requires a response.

Incident Commander

The person designated to lead and coordinate the overall incident response effort. The incident commander makes key decisions, manages communications between teams, and serves as the single point of authority during the response. This role is typically defined in the IR plan before an incident occurs.

IR (Incident Response)

The organized approach to addressing and managing the aftermath of a security breach or cyberattack. The goal is to handle the situation in a way that limits damage, reduces recovery time and costs, and preserves evidence for investigation.

IR Plan (Incident Response Plan)

A documented set of procedures and guidelines for detecting, responding to, and recovering from security incidents. An effective IR plan includes roles and responsibilities, communication procedures, escalation criteria, and step-by-step response procedures for common incident types.

IOC (Indicator of Compromise)

Observable artifacts or evidence that suggest a system has been breached. IOCs include unusual network traffic patterns, unexpected file changes, suspicious login attempts, known malicious IP addresses, and file hashes matching known malware.

Insider Threat

A security risk that originates from within the organization — employees, contractors, or business partners who have authorized access to systems and data. Insider threats may be malicious (intentional theft or sabotage) or unintentional (accidental data exposure or falling for phishing).

IDS (Intrusion Detection System)

A system that monitors network traffic or system activities for malicious activity or policy violations and generates alerts. IDS can be network-based (NIDS) or host-based (HIDS). Unlike an IPS (Intrusion Prevention System), an IDS only detects and alerts — it does not block traffic.

L

Lateral Movement

The techniques attackers use to progressively move through a network after gaining initial access, searching for sensitive data and escalating privileges. Detecting and preventing lateral movement is critical for limiting the scope of a breach.

Log Analysis

The process of examining system, application, and security logs to identify suspicious activity, reconstruct attack timelines, and understand the scope of a security incident. Centralized log management and retention are essential for effective incident investigation.

Lessons Learned

The final phase of incident response where the team reviews what happened, what worked well, what failed, and what improvements should be made. This post-incident review should occur within two weeks of incident closure and result in specific, assigned action items.

M

Malware

Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Types include viruses, worms, trojans, ransomware, spyware, and rootkits. Malware is the tool — the attack vector (phishing, exploitation, etc.) is how it gets delivered.

MTTD (Mean Time to Detect)

The average time it takes to discover a security incident after the initial compromise occurs. The current global average is approximately 204 days. Reducing MTTD is one of the most effective ways to lower breach costs.

MTTR (Mean Time to Respond/Recover)

The average time to contain and remediate a security incident after detection. The current global average is approximately 73 days for containment. Organizations with IR plans and automation achieve significantly faster MTTR.

MFA (Multi-Factor Authentication)

An authentication method requiring two or more verification factors — something you know (password), something you have (phone/token), or something you are (biometrics). MFA prevents the vast majority of credential-based attacks and is required by most cyber insurance policies.

N

NIST (National Institute of Standards and Technology)

A US federal agency that develops cybersecurity standards, guidelines, and best practices. Key publications include the NIST Cybersecurity Framework (CSF), SP 800-61 (Incident Handling Guide), and SP 800-53 (Security Controls).

Notification Timeline

The legally mandated timeframe within which an organization must notify affected parties after discovering a data breach. Timelines vary: HIPAA requires 60 days, many states require 30-60 days, SEC requires 4 business days for material incidents, and GDPR requires 72 hours. See our state-by-state notification guide.

O

OFAC (Office of Foreign Assets Control)

A division of the US Treasury Department that enforces economic sanctions. OFAC maintains a sanctions list that includes certain ransomware groups and nation-states. Making a ransom payment to a sanctioned entity is illegal and can result in significant penalties, regardless of the circumstances.

OWASP (Open Web Application Security Project)

A nonprofit foundation that provides free, open-source tools and resources for improving software security. The OWASP Top 10 is a widely referenced standard for the most critical web application security risks.

P

Patch Management

The process of identifying, acquiring, testing, and installing software updates (patches) to fix vulnerabilities. Unpatched vulnerabilities are one of the most common initial access vectors for attackers. Effective patch management prioritizes critical and actively exploited vulnerabilities.

PCI DSS (Payment Card Industry Data Security Standard)

A security standard for organizations that handle credit card information. PCI DSS requires specific security controls, regular assessments, and incident response procedures. Non-compliance can result in fines of $5,000-$100,000 per month.

Penetration Testing

An authorized simulated cyberattack performed to evaluate the security of a system, network, or application. Penetration tests identify exploitable vulnerabilities before real attackers do. Regular penetration testing is required by many compliance frameworks and cyber insurance policies.

PII (Personally Identifiable Information)

Any information that can be used to identify, contact, or locate a specific individual. Examples include names, Social Security numbers, email addresses, phone numbers, and biometric data. Most breach notification laws are triggered by the compromise of PII.

Phishing

A social engineering attack that uses deceptive emails, messages, or websites to trick individuals into revealing sensitive information or installing malware. Phishing remains the most common initial access vector, responsible for approximately 16% of all breaches.

Post-Incident Review

A structured meeting held after an incident is resolved to analyze what happened, evaluate the response, and identify improvements. Also known as a retrospective or after-action review. Effective post-incident reviews are blame-free and focused on systemic improvements.

PHI (Protected Health Information)

Under HIPAA, any individually identifiable health information created, received, maintained, or transmitted by a covered entity or business associate. PHI includes medical records, lab results, insurance information, and any data that can identify a patient.

Privilege Escalation

The act of exploiting a vulnerability, design flaw, or configuration error to gain elevated access to resources that are normally restricted. Attackers use privilege escalation to move from a standard user account to administrator or root access, enabling broader system compromise.

R

Ransomware

Malware that encrypts a victim's files and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware attacks frequently include data exfiltration (double extortion) and threats to contact customers or regulators (triple extortion). See our 72-hour ransomware response guide.

RPO (Recovery Point Objective)

The maximum acceptable amount of data loss measured in time. An RPO of 4 hours means the organization can tolerate losing up to 4 hours of data. RPO determines backup frequency — a 1-hour RPO requires backups at least every hour.

RTO (Recovery Time Objective)

The maximum acceptable duration for restoring a system or process after a disruption. An RTO of 8 hours means the system must be operational within 8 hours of an incident. RTOs drive decisions about recovery infrastructure and procedures.

Remediation

The actions taken to fix vulnerabilities, remove threats, and restore systems to a secure state after a security incident. Remediation goes beyond immediate containment to address root causes and prevent recurrence.

Risk Assessment

A systematic process of identifying, analyzing, and evaluating cybersecurity risks to an organization. Risk assessments consider the likelihood of threats exploiting vulnerabilities and the potential impact on business operations. Regular risk assessments are required by most compliance frameworks.

Root Cause Analysis

A methodical investigation to identify the fundamental reason a security incident occurred. Root cause analysis goes beyond the immediate technical cause to examine process failures, control gaps, and organizational factors that allowed the incident to happen.

Rootkit

Stealthy malware designed to provide continued privileged access to a system while hiding its presence from administrators and security tools. Rootkits can modify the operating system itself, making them extremely difficult to detect and remove. Rebuilding from clean images is often the only reliable remediation.

S

SIEM (Security Information and Event Management)

A system that collects, correlates, and analyzes log data from across an organization's IT infrastructure to detect security threats in real time. SIEMs aggregate data from firewalls, servers, endpoints, and applications to identify patterns indicating attacks or policy violations.

Social Engineering

The psychological manipulation of people into performing actions or divulging confidential information. Social engineering exploits human trust, fear, urgency, and helpfulness rather than technical vulnerabilities. It is a component of most successful cyberattacks.

Spear Phishing

A targeted phishing attack directed at a specific individual or organization, using personalized information to appear legitimate. Unlike broad phishing campaigns, spear phishing messages reference specific details about the target — their name, role, colleagues, or recent activities.

Supply Chain Attack

An attack that targets an organization by compromising a trusted vendor, supplier, or software provider. Attackers inject malicious code into legitimate software updates or compromise managed service providers to gain access to multiple downstream victims simultaneously.

T

Tabletop Exercise

A discussion-based simulation where key stakeholders walk through a hypothetical security incident scenario to test their incident response plan, identify gaps, and practice decision-making. Tabletop exercises are low-cost and highly effective for improving incident readiness.

Threat Actor

An individual or group that conducts cyberattacks. Threat actors range from script kiddies and hacktivists to organized criminal gangs and nation-state intelligence agencies. Understanding the threat actor behind an incident helps predict their objectives and tactics.

Threat Intelligence

Evidence-based knowledge about existing or emerging threats, including indicators of compromise, attacker tactics, techniques, and procedures (TTPs), and strategic context about threat actors. Threat intelligence helps organizations anticipate, detect, and respond to attacks more effectively.

Triage

The initial assessment process during incident response to determine the severity, scope, and priority of a security event. Effective triage quickly distinguishes critical incidents requiring immediate response from lower-priority events, ensuring resources are allocated appropriately.

V

Vulnerability

A weakness in a system, application, or process that can be exploited by a threat actor to gain unauthorized access or cause harm. Vulnerabilities can be technical (unpatched software), procedural (weak access controls), or human (susceptibility to social engineering).

Vulnerability Assessment

A systematic review of security weaknesses in an information system. Unlike penetration testing, vulnerability assessments identify and classify vulnerabilities without attempting to exploit them. Regular vulnerability assessments are a baseline security requirement.

W

Worm

A type of malware that self-replicates and spreads across networks without requiring user interaction. Unlike viruses, worms do not need to attach to a host program. Notable examples include WannaCry and NotPetya, which spread rapidly across global networks causing billions in damage.

Z

Zero-Day

A vulnerability that is unknown to the software vendor, and therefore unpatched, at the time attackers begin exploiting it. Zero-day attacks are particularly dangerous because there is no existing fix — organizations must rely on detection and containment until a patch is available.

Zero Trust

A security model based on the principle "never trust, always verify." Zero trust requires strict identity verification for every user and device accessing resources, regardless of whether they are inside or outside the network perimeter. Key principles include least privilege access, microsegmentation, and continuous verification.

Need Help With Incident Response?

Understanding the terminology is the first step. When you need experienced professionals to guide you through an actual incident, our team is available 24/7/365.