Categories
Browse SOC terms for cybersecurity professionals.
Security Automation is the application of technology to perform repetitive or time-sensitive security operations tasks—such as detection, response, and remediation—without human intervention, typically using SOAR or automated scripting.
View termThe automated execution of predefined incident response actions and workflows using orchestration tools, reducing manual intervention and response time in SOC operations.
View termThe process of adding contextual information to security alerts, such as asset details, user context, or threat intelligence, to improve investigation and response efficiency.
View termSteps taken to eliminate the cause of a detected security incident, restore affected systems, and strengthen defenses to prevent recurrence.
View termThe formal process of communicating significant security events or incident statuses to designated stakeholders or regulatory bodies, ensuring transparency and compliance.
View termOfficial communication to stakeholders regarding the discovery or presence of a specific cyber threat, often required by regulations or internal policy.
View termThe act of formally informing stakeholders, management, or regulatory bodies about a detected or ongoing security incident in accordance with established policies.
View termThe formal process of informing affected parties, regulators, and other stakeholders about a confirmed data breach, in accordance with legal and contractual obligations.
View termCoordinated organizational actions and communication aimed at containing, resolving, and recovering from severe security incidents or disruptions to minimize operational and reputational damage.
View termThe process of documenting, tracking, and resolving security incidents or investigations within a structured platform, ensuring workflow accountability, auditability, and collaboration among SOC or IR teams, as defined in NIST SP 800-61 and industry playbooks.
View termA coordinated set of processes and tools for identifying, assessing, responding to, tracking, and resolving security incidents to minimize business impact, ensure compliance, and enable post-incident analysis in accordance with established policies and standards (ref: NIST SP 800-61, ISO/IEC 27035).
View termAlert Fatigue is a condition in which security analysts become desensitized or overwhelmed due to excessive or repetitive alerts, potentially resulting in missed detections or slower response in a SOC environment.
View termThreat Attribution is the analytical process of linking a detected cyber threat, campaign, or incident to a specific actor, group, or nation-state, based on technical indicators, tactics, infrastructure, and intelligence sources. Essential in cyber threat intelligence and legal proceedings.
View termThe formal completion and documentation of all response activities for a security incident, ensuring lessons learned and post-incident reviews are recorded before closing the case.
View termThe timely and coordinated exchange of information about an incident’s status, impact, and response among internal teams, stakeholders, and, where required, external parties.
View termMalware Containment is the set of actions and controls enacted to isolate and prevent the spread of malicious software within an organization’s systems, often as part of the incident response lifecycle.
View termThe actions taken to limit the impact of a security incident by isolating affected systems, preventing lateral movement, and preserving evidence for investigation.
View termCoordinated activities by security personnel to mitigate, contain, and resolve identified threats or incidents in accordance with organizational protocols.
View termA coordinated approach to addressing and managing the aftermath of a security breach or cyberattack, with the aim of limiting damage, reducing recovery time and costs, and preventing future incidents. Involves predefined processes for detection, containment, eradication, and recovery, as formalized in NIST SP 800-61 and ISO/IEC 27035.
View termEvidence-based knowledge about existing and emerging threats, derived from analysis of indicators, adversary behavior, and context, which is used to inform defense strategies and enable proactive mitigation, as described in NIST SP 800-150, MITRE ATT&CK, and ISO/IEC 27002.
View termA set of planned actions and measures taken to limit the spread and impact of a cybersecurity incident, preventing further damage or lateral movement within the environment.
View termThe coordinated set of actions taken to restore systems, operations, and services to normal functioning after a security incident, minimizing impact and ensuring business continuity.
View termA proactive and iterative search through networks, endpoints, and datasets to detect and isolate advanced threats that evade automated security solutions.
View termThe discipline of identifying, preserving, analyzing, and documenting digital evidence from electronic devices to support incident response, legal processes, or internal investigations.
View termThe formal process of documenting and communicating the details of a cybersecurity incident to relevant stakeholders, regulatory authorities, or partners, as required by legal, regulatory, or contractual obligations (see NIST SP 800-61 and ENISA guidelines).
View termThe formal communication process for notifying internal or external authorities about detected security incidents, as required by organizational policy, regulatory, or contractual obligations.
View termThe process and policy of securely retaining security event and audit logs for a defined period to ensure availability for investigations, compliance, and forensic analysis.
View termCoordinated actions taken to detect, contain, and mitigate phishing attacks, including user notification, credential reset, and blocking malicious domains.
View termThe process of verifying whether a security alert is genuine, actionable, and relevant, typically by correlating with additional telemetry or threat intelligence to reduce false positives before escalation.
View termThe scientific examination and investigation of digital devices, logs, or data to identify, collect, preserve, and analyze evidence related to security incidents, enabling root-cause determination and supporting legal or disciplinary action, as described in NIST SP 800-86 and ISO/IEC 27037.
View termThe proactive state of an organization’s people, processes, and technology to efficiently detect, respond to, and recover from security incidents in accordance with pre-established plans.
View termA detailed chronological record of all events, actions, and system states related to a security incident, used for investigation, reporting, and post-incident review.
View termThe fundamental underlying reason or origin of a security incident, breach, or operational failure, identified through structured analysis to inform remediation and prevent recurrence.
View termSecurity Telemetry refers to the automated collection, transmission, and aggregation of security-relevant data—such as logs, metrics, events, and alerts—from endpoints, networks, and cloud systems to enable real-time monitoring and analysis.
View termAny action or event that contravenes an established information security policy or standard, triggering investigation or response according to compliance protocols.
View termA security model that assumes no implicit trust is granted to systems or users inside or outside the network; verification is required for every access request.
View termThe systematic process of recording, updating, and monitoring security incidents throughout their lifecycle to ensure accountability, compliance, and timely resolution.
View termLog Aggregation is the process of collecting and centralizing logs from diverse systems, applications, and devices into a unified repository for correlation, analysis, and compliance within security operations.
View termThe process of ranking and categorizing security alerts based on risk, relevance, and organizational impact, to enable efficient triage and response by SOC analysts.
View termThe classification and ranking of security incidents based on risk, severity, and potential business impact to determine response order and resource allocation.
View termThe process of analyzing and validating security alerts to determine their legitimacy, scope, and required response actions.
View termThe structured process of examining the source, context, and impact of a security alert to determine its validity, root cause, and next response steps.
View termA systematic process of collecting, analyzing, and documenting evidence to determine the cause, impact, and scope of a security incident.
View termThe process of examining malicious software to understand its behavior, intent, origin, and potential impact on affected systems.
View termThreat Analysis is the systematic evaluation of potential and actual cyber threats by assessing threat actor capabilities, intent, attack vectors, and potential impact to prioritize mitigation and inform security strategy.
View termThe comprehensive examination and assessment of a security incident to determine its cause, scope, impact, and lessons learned for continuous improvement.
View termThe process of examining and interpreting system, application, and security logs to detect, investigate, and respond to security events and operational issues. Used extensively in SOCs for threat hunting, compliance, and forensic investigations.
View termThe application of specialized techniques to collect, preserve, and analyze digital evidence from information systems following a security incident.
View termSecurity Analytics refers to the use of advanced data analysis techniques, including machine learning and statistical models, to aggregate, process, and interpret large volumes of security event data for detecting threats, prioritizing alerts, and supporting incident response.
View termTargeted actions taken to reduce the immediate and long-term impact of a security incident, including containment, eradication, and recovery measures.
View termThe process of analyzing and combining related security events from multiple sources to identify patterns indicative of incidents or attacks.
View termAlert Correlation is the process of analyzing and linking related security alerts from different sources or systems to identify complex threats, reduce false positives, and streamline incident response.
View termThe analytical process of aggregating and comparing multiple data points from diverse sources to identify relationships or patterns that indicate a sophisticated cyber threat.
View termThe systematic recording of incident details, timelines, actions taken, and outcomes to ensure transparency, facilitate analysis, and support compliance requirements.
View termAn attack or exploit in which a user or application gains higher access rights or privileges than intended by system policy.
View termThe process of forwarding a security alert to higher-level analysts or decision makers when the event exceeds the current responder’s authority or capacity.
View termThe formal process of transferring a detected security incident to higher-level personnel or specialized teams for further analysis, response, or decision-making.
View termThe process of transferring a security incident or case to a higher-level team or authority due to severity, complexity, or policy requirements.
View termIncident Categorization is the process of classifying security events or incidents based on type, severity, impact, and urgency to ensure standardized response procedures and accurate reporting within security operations.
View termThe practice of dividing a computer network into subnetworks, each being a network segment, to improve security, performance, and manageability by restricting lateral movement.
View termCompromise Assessment is the comprehensive evaluation of an organization’s systems, networks, and data to identify evidence of past or ongoing security breaches or unauthorized access, often leveraging threat hunting techniques.
View termA structured process for identifying, analyzing, and prioritizing potential threats to an organization's assets, operations, or information based on current intelligence and risk posture.
View termA discussion-based incident response simulation where team members review and role-play their actions and decisions for hypothetical security scenarios.
View termAutomated or manual notification process by which a security system or analyst informs relevant personnel of detected suspicious activity or confirmed incidents in real time.
View termThe automated coordination and integration of security tools, processes, and workflows to accelerate response and improve operational efficiency in security operations centers.
View termThe structured management and collaboration among teams and stakeholders to ensure efficient containment, eradication, and recovery from a cybersecurity incident.
View termResponse Coordination is the organized management of communication, task allocation, and resource deployment among stakeholders during a cybersecurity incident to ensure effective mitigation and timely resolution.
View termThe detailed recording of all relevant information about a security alert, including source, analysis, actions, and outcomes, to support accountability and future reference.
View termThe detailed and systematic recording of all relevant information, actions, decisions, and evidence related to a cybersecurity incident throughout its lifecycle.
View termThe state of preparedness of personnel, processes, and technology to quickly and effectively respond to cybersecurity incidents.
View termThe systematic process of gathering digital artifacts, logs, devices, or other data relevant to a security incident, following forensic best practices to preserve integrity.
View termThe controlled process of securing, documenting, and protecting digital or physical evidence to maintain integrity for internal review or legal proceedings.
View termA technique used by attackers or legitimate tools to inject code into the address space of another process, enabling code execution within the context of a target process, often to evade detection or escalate privileges.
View termA documented set of repeatable incident response procedures and decision trees tailored to specific threat scenarios or alerts.
View termA documented strategy outlining procedures, roles, responsibilities, and communications for responding to cybersecurity incidents.
View termA documented set of actions designed to eliminate the root cause and effects of a security incident, restore affected systems, and reduce the risk of recurrence.
View termThe sequence of phases that a security alert undergoes, from initial detection and triage through investigation, escalation, response, resolution, and closure.
View termA formal process documenting the chronological handling, transfer, and control of digital evidence, ensuring its integrity and admissibility in legal or regulatory proceedings.
View termA formalized, step-by-step sequence of procedures and roles that guide the incident response process from detection through resolution in accordance with established policies.
View termA structured sequence of tasks and escalation steps followed during the lifecycle of a security incident, from detection through resolution and post-incident review.
View termRemediation Workflow is a structured, documented process for addressing and resolving identified security issues or incidents, encompassing investigation, mitigation, validation, and post-incident review steps within security operations.
View termThe process of removing a compromised or suspicious host from the network to prevent lateral movement and further compromise while incident investigation and remediation are performed.
View termAll coordinated activities performed in a Security Operations Center (SOC) to monitor, detect, investigate, and respond to cybersecurity threats in real time. This includes proactive defense, continuous monitoring, incident handling, and threat intelligence integration, as described in NIST SP 800-137 and ISO/IEC 27035.
View termA structured series of analytical steps undertaken by security teams to determine the scope, cause, and impact of a cybersecurity incident, using forensic techniques and available evidence.
View termThe process of rapidly classifying, prioritizing, and assigning security events for investigation based on impact, severity, and business risk.
View termThe systematic process of evaluating, prioritizing, and categorizing security alerts based on severity, credibility, and potential impact, enabling efficient resource allocation and rapid incident detection within a SOC, as described in NIST SP 800-61 and MITRE ATT&CK®.
View termA table or data structure used to specify permissions attached to system objects, defining which users or processes are granted access to objects and operations.
View termDetection Capability is the measure of an organization's ability to identify and recognize cyber threats, malicious activities, and security incidents in a timely and accurate manner using technical and procedural controls.
View termThe intentional filtering or silencing of specific security alerts to reduce noise from false positives and allow focus on actionable incidents.
View termThe process of identifying potential or actual security incidents in an IT environment by monitoring logs, events, and network activity, using automated tools and manual analysis, as described in NIST SP 800-61, ISO/IEC 27035, and SANS guidelines.
View termAnomaly Detection is the process of identifying unusual patterns, events, or activities in datasets, logs, or network traffic that may indicate a security incident, compromise, or operational risk, utilizing baselines and advanced algorithms. Used in SOCs for early warning and threat detection.
View termThe simulation of real-world attacker behaviors and techniques in a controlled environment to test and improve detection and response capabilities.
View termAdversary Simulation is a controlled security exercise that emulates realistic cyber attacks by mimicking the tactics, techniques, and procedures (TTPs) of threat actors to assess organizational detection, prevention, and response capabilities.
View termA controlled emulation of cyberattacks against systems, networks, or people to assess security posture, validate defenses, and improve response capabilities.
View termA structured post-incident process for evaluating the effectiveness of detection, response, and recovery measures to identify lessons learned and update procedures.
View termContinuous observation, collection, and analysis of security events and data across information systems to detect threats, policy violations, or anomalous activities as part of organizational risk management.
View termA structured set of procedures used by security teams to address, manage, and resolve cybersecurity incidents, including containment, eradication, and recovery, following official frameworks such as NIST SP 800-61 and ISO/IEC 27035.
View termThe comprehensive process of managing a cybersecurity incident from initial detection through analysis, containment, eradication, recovery, and post-incident review.
View termA structured process for identifying, prioritizing, and evaluating potential threats and vulnerabilities to an organization’s information systems to guide security controls design and risk mitigation strategies.
View termThe discipline of designing, implementing, and tuning security monitoring rules, analytics, and automation to identify threats with accuracy and minimal false positives.
View term