This section explains the operational language of defense: alerts, detection rules, SOC workflow, triage, log correlation, SIEM, and SOAR.
Use it when the term is about observing, detecting, or managing security activity day to day.
- Alert Fatigue
Alert fatigue is the reduced effectiveness that happens when defenders face too many noisy, repetitive, or low-value alerts.
- Anomaly Detection
Anomaly detection is the identification of behavior or events that differ meaningfully from an expected baseline.
- Attack Campaign
An attack campaign is a coordinated set of related malicious actions carried out over time against one or more targets.
- Attack Graph
An attack graph is a model that maps how different weaknesses, permissions, trust relationships, or exposures could connect to create possible paths to a target.
- Attack Surface Management
Attack surface management is the continuous process of finding, monitoring, and reducing the systems and exposures that attackers could target.
- Blue Team
A blue team is the group or function responsible for defending systems, detecting suspicious activity, investigating alerts, and improving protective controls.
- Common Vulnerabilities and Exposures
Common Vulnerabilities and Exposures is the public identifier system used to label and track specific disclosed security vulnerabilities.
- Common Vulnerability Scoring System
Common Vulnerability Scoring System is a standardized method for describing the technical severity of a vulnerability.
- Deception Technology
Deception technology is the use of decoy systems, credentials, files, or services to detect suspicious behavior and mislead attackers inside an environment.
- Defense Evasion
Defense evasion is the category of attacker behavior aimed at avoiding, weakening, or bypassing security visibility and control enforcement.
- Detection Engineering
Detection engineering is the practice of designing, testing, tuning, and maintaining security detections so suspicious activity is identified reliably.
- Detection Rule
A detection rule is reusable security-monitoring logic that identifies suspicious activity from telemetry and decides when a defender-visible signal or alert should be created.
- Dwell Time
Dwell time is the amount of time an attacker or unauthorized activity remains in the environment before being detected or removed.
- Exposure Management
Exposure management is the ongoing practice of identifying, prioritizing, and reducing security exposures based on how they create real organizational risk.
- External Attack Surface Management
External attack surface management focuses on discovering and monitoring the internet-facing systems, services, and exposures an organization presents to the outside world.
- False Negative
A false negative is a harmful event or behavior that should have been detected but was missed by the security control or rule.
- False Positive
A false positive is an alert or detection result that appears suspicious but does not represent the harmful activity the rule was intended to catch.
- Forensic Artifact
A forensic artifact is a piece of data or evidence that can help investigators understand what happened on a system or in an incident.
- Honeypot
A honeypot is a deliberately monitored decoy system or service used to attract suspicious activity so defenders can study or detect it without putting production assets at the same risk.
- Incident Triage
Incident triage is the initial process of reviewing, prioritizing, and routing suspicious events or alerts so the right response happens next.
- Kill Chain
A kill chain is a staged model used to describe how an attack or intrusion can progress from early activity to later impact.
- Log Correlation
Log correlation is the practice of linking related events from different systems so defenders can identify patterns that single logs do not show clearly.
- Managed Detection and Response
Managed detection and response is a security service model in which an external provider helps monitor, detect, investigate, and support response to threats.
- Purple Team
A purple team is the collaborative practice of bringing offensive simulation and defensive operations together to improve detection, response, and resilience more quickly.
- Red Team
A red team is the group or function that simulates adversary behavior to test how well an organization’s defenses, detection, and response hold up under realistic pressure.
- Security Chaos Engineering
Security chaos engineering is the practice of deliberately testing how security controls and response processes behave under disruptive but controlled conditions.
- Security Information and Event Management
Security information and event management centralizes and analyzes security-relevant logs and events so defenders can detect, investigate, and monitor activity more effectively.
- Security Operations Center
A security operations center is the team and operating function responsible for monitoring, triaging, investigating, and coordinating responses to security activity.
- Security Orchestration, Automation, and Response
Security orchestration, automation, and response coordinates security workflows and automates selected tasks so alerts and incidents can be handled more consistently.
- Threat Emulation
Threat emulation is the controlled practice of simulating realistic adversary behavior patterns so defenders can evaluate detection, response, and resilience without treating the activity as a live malicious incident.
- Threat Hunting
Threat hunting is the proactive search for signs of malicious or risky activity that may not have triggered an obvious alert yet.
- Threat Intelligence
Threat intelligence is analyzed security information about relevant threats, behaviors, infrastructure, and trends that helps defenders prioritize, detect, and respond more effectively.
- Threat Landscape
The threat landscape is the overall picture of relevant threat actors, behaviors, trends, exposures, and defensive pressures affecting an organization or sector.
- User and Entity Behavior Analytics
User and entity behavior analytics is the use of behavioral patterns to identify activity that differs from expected norms for users, devices, or services.
- Vulnerability Management
Vulnerability management is the operational process of finding, validating, prioritizing, remediating, and tracking security weaknesses over time.
- Vulnerability Scanner
A vulnerability scanner is a security tool or service that checks systems, applications, cloud assets, or dependencies for known weaknesses and risky misconfigurations at scale.