Skip to content
Breachfolio
Hero illustration for: Cybersecurity acronyms, decoded.
GLOSSARY RESOURCES

Cybersecurity acronyms, decoded.

The first month of cybersecurity is mostly acronyms. A working glossary you can keep open while you read everything else.

6 min read Breachfolio Research

The first month of cybersecurity is mostly acronyms. They are not hard, but reading three of them in a single sentence — "the SOC team escalates the IOC via SIEM to the IR lead" — can flatten anyone new. This page is a working glossary you can keep open while you read other things. The definitions are short, the examples are real.

People and teams

AcronymFull formOne-line meaning
SOCSecurity Operations CenterThe team that watches alerts 24/7 and decides what is real.
IRIncident ResponseThe people called in when something is confirmed bad.
CISOChief Information Security OfficerThe senior leader responsible for the security programme.
DFIRDigital Forensics & Incident ResponseIR + the forensic work of figuring out what happened.
Red TeamPeople paid to attack the company's systems with authorisation.
Blue TeamPeople paid to defend.
Purple TeamRed and Blue working together rather than in opposition.

What attackers do

AcronymFull formOne-line meaning
TTPTactics, Techniques, ProceduresThe "how" of an attack. The MITRE ATT&CK matrix is a taxonomy of TTPs.
RCERemote Code ExecutionAttacker gets to run code on your server. Worst-class web bug.
LPELocal Privilege EscalationAttacker has a low-priv shell and elevates to admin/root.
XSSCross-Site ScriptingAttacker gets your browser to run their JavaScript on another site.
CSRFCross-Site Request ForgeryAttacker tricks your browser into making a request you didn't intend.
SSRFServer-Side Request ForgeryAttacker makes the server issue a request — often into the cloud metadata service.
SQLiSQL injectionUntrusted input gets concatenated into a query and changes its meaning.
DoS / DDoS(Distributed) Denial of ServiceMake the service unavailable. DDoS uses many sources.
MITMMan-in-the-MiddleAttacker sits between two parties and relays/modifies their traffic.
C2 / C&CCommand & ControlThe infrastructure attackers use to control compromised hosts.

What defenders deploy

AcronymFull formOne-line meaning
EDREndpoint Detection & ResponseAgent on every laptop/server that watches for malicious behaviour.
XDRExtended Detection & ResponseEDR + email + network + identity, all in one console.
SIEMSecurity Information & Event ManagementCentral place to ship and search logs from everywhere.
SOARSecurity Orchestration, Automation, ResponseWorkflows that automate parts of the SOC's response.
WAFWeb Application FirewallFilter in front of your web app that blocks obvious attack patterns.
IDS / IPSIntrusion Detection / Prevention SystemWatches network traffic. IDS alerts. IPS blocks.
DLPData Loss PreventionTries to stop sensitive data from leaving the network.
IAMIdentity & Access ManagementWho can log in, to what, with what.
MFA / 2FAMulti-Factor / Two-Factor AuthenticationLogin requires more than just a password.
PAMPrivileged Access ManagementSpecial controls around admin accounts (vaulting, just-in-time).
ZTNAZero-Trust Network AccessVerify every request, trust nothing by default — replaces VPN.

Vulnerabilities, threats, intelligence

AcronymFull formOne-line meaning
CVECommon Vulnerabilities & ExposuresPublic, numbered ID for a known vulnerability. e.g. CVE-2024-12345.
CVSSCommon Vulnerability Scoring System0-10 severity score for a CVE.
CWECommon Weakness EnumerationThe bug class behind CVEs (e.g. SQL injection is CWE-89).
IOCIndicator of CompromiseA hash, IP, domain, or filename that suggests intrusion.
TI / CTI(Cyber) Threat IntelligenceKnowledge about who is attacking whom and how.
APTAdvanced Persistent ThreatSkilled attacker with patience and a goal. Usually nation-state.
RATRemote Access TrojanMalware that gives an attacker remote control.
POC / PoCProof of ConceptCode that demonstrates a vulnerability is exploitable.

Compliance and governance

AcronymFull formOne-line meaning
GDPRGeneral Data Protection RegulationEU privacy law. The big one.
ISO 27001International standard for an Information Security Management System.
SOC 2(Auditor's) Service Organization Control 2US-origin audit report covering security/availability/privacy controls.
NISTNational Institute of Standards & TechnologyUS body. Their cybersecurity framework is referenced globally.
OWASPOpen Worldwide Application Security ProjectVolunteer project. Their Top 10 is the standard "things that go wrong on the web" list.
PCI DSSPayment Card Industry Data Security StandardWhat you must do if you process card payments.

Crypto and identity

AcronymFull formOne-line meaning
TLS / SSLTransport Layer Security / Secure Sockets LayerEncryption for traffic. SSL is the old name, TLS is the current standard.
PKIPublic Key InfrastructureThe whole system of certificates, CAs and trust chains.
CACertificate AuthorityAn entity trusted to vouch for who owns a domain.
HMACHash-based Message Authentication Code"Did this message come from someone who knows the shared key?"
OIDCOpenID ConnectModern auth protocol built on OAuth 2.0.
SAMLSecurity Assertion Markup LanguageOlder XML-based federation protocol. Common in enterprise SSO.

How to use this page

Bookmark it. The first time you meet an acronym in another article, search for it here. Do not try to memorise the table in one sitting — that is what flashcards are for. By the time you stop needing to look up the basics, you will be deep enough into the field that the new acronyms you meet are the interesting ones.