Security-Operations

Security information and event management centralizes and analyzes security-relevant logs and events so defenders can detect, investigate, and monitor activity more effectively.

Security orchestration, automation, and response coordinates security workflows and automates selected tasks so alerts and incidents can be handled more consistently.

A security operations center is the team and operating function responsible for monitoring, triaging, investigating, and coordinating responses to security activity.

Log correlation links related events across systems so defenders can identify multi-step activity patterns.

Threat hunting is the proactive search for signs of malicious or risky activity that may not have triggered an obvious alert yet.

A detection rule is reusable security-monitoring logic that identifies suspicious activity from telemetry and decides when a defender-visible signal or alert should be created.

Incident triage is the initial process of reviewing, prioritizing, and routing suspicious events or alerts so the right response happens next.

A forensic artifact is a piece of data or evidence that can help investigators understand what happened on a system or in an incident.

Alert fatigue is the reduced effectiveness that happens when defenders face too many noisy, repetitive, or low-value alerts.

A false positive is an alert or detection result that appears suspicious but does not represent the harmful activity the rule was intended to catch.

A false negative is harmful activity that should have been detected but was missed by a rule or control.

Vulnerability management is the operational process of finding, validating, prioritizing, remediating, and tracking security weaknesses over time.

A vulnerability scanner is a security tool or service that checks systems, applications, cloud assets, or dependencies for known weaknesses and risky misconfigurations at scale.

Threat intelligence is analyzed security information about relevant threats, behaviors, infrastructure, and trends that helps defenders prioritize, detect, and respond more effectively.

Common Vulnerabilities and Exposures is the public identifier system used to label and track specific disclosed security vulnerabilities.

Common Vulnerability Scoring System is a standardized method for describing the technical severity of a vulnerability.

Detection engineering is the security-operations practice of designing, testing, tuning, and maintaining detections so suspicious activity is identified reliably.

Managed detection and response is a security service model where an external provider helps monitor, detect, investigate, and support response to threats.

Attack surface management is the continuous process of finding, monitoring, and reducing the systems and exposures that attackers could target.

External attack surface management focuses on discovering and monitoring the internet-facing systems, services, and exposures an organization presents to the outside world.

Dwell time is the amount of time an attacker or unauthorized activity remains in the environment before being detected or removed.

User and entity behavior analytics is the use of behavioral patterns to identify activity that differs from expected norms for users, devices, or services.

Anomaly detection flags behavior or events that deviate from a baseline so defenders can investigate unusual activity.

A red team is the group or function that simulates adversary behavior to test how well an organization’s defenses, detection, and response hold up under realistic pressure.

A blue team is the defensive function responsible for detecting, investigating, and improving protections across systems.

A purple team is the collaborative practice of bringing offensive simulation and defensive operations together to improve detection, response, and resilience more quickly.

Deception technology is the use of decoy systems, credentials, files, or services to detect suspicious behavior and mislead attackers inside an environment.

An attack graph is a model that maps how different weaknesses, permissions, trust relationships, or exposures could connect to create possible paths to a target.

A cyber kill chain is a staged model used to describe how an attack or intrusion can progress from early activity to later impact.

An attack campaign is a coordinated set of related malicious actions carried out over time against one or more targets.

A honeypot is a deliberately monitored decoy system or service used to attract suspicious activity so defenders can study or detect it without exposing production assets in the same way.

Threat emulation is the controlled practice of simulating realistic adversary behavior patterns so defenders can evaluate detection, response, and resilience without treating the activity as a live malicious incident.

Security chaos engineering is the practice of deliberately testing how security controls and response processes behave under disruptive but controlled conditions.

The threat landscape is the overall picture of relevant threat actors, behaviors, trends, exposures, and defensive pressures affecting an organization or sector.

Defense evasion is the category of attacker behavior aimed at avoiding, weakening, or bypassing security visibility and control enforcement.

Exposure management is the ongoing practice of identifying, prioritizing, and reducing security exposures based on how they create real organizational risk.