Complete Cybersecurity Glossary: SIEM, SOAR, XDR, CSPM, AI Security & GRC | ForshTec Systems
Security engineering glossary

Cybersecurity Glossary

A practical A-Z glossary for SIEM, SOAR, XDR, CSPM, ServiceNow SecOps, connector development, detection engineering, SIEM data pipelines, AI security, cloud security, AppSec, compliance, GRC, identity, vulnerability management, and incident response.

Showing all terms

Cybersecurity glossary terms in alphabetical order

A

ABAC

Identity & Access

Attribute-Based Access Control; an access control model that grants permissions based on attributes such as user role, location, device, or resource type.

ACL

ServiceNow

Access Control List; a rule that controls what users or roles can read, create, update, or delete in a system.

Agentic Workflow

AI Security

A workflow where AI agents help decide, route, summarize, execute, or recommend actions across business or security processes.

AI Governance

AI Security

Policies, controls, reviews, and accountability mechanisms used to manage AI risks and responsible AI usage.

AI Orchestration

AI Security

The coordination of AI agents, prompts, tools, data sources, approvals, and workflow steps to complete a process.

Alert Fatigue

Core

A condition where security teams receive too many alerts, making it harder to identify and respond to real threats.

Alert Triage

Incident Response

The process of reviewing, prioritizing, and assigning security alerts for investigation or response.

API Integration

Connectors

A connection between two systems using APIs to exchange data, trigger actions, or automate workflows.

Application Security

AppSec

The practice of finding and reducing security risks in applications across code, dependencies, configuration, and deployment pipelines.

AppSec

AppSec

A shorter term for application security, focused on securing software before and after it reaches production.

Assignment Rule

ServiceNow

A rule that automatically assigns incidents, tasks, or records to the right team based on defined conditions.

ATT&CK Mapping

Detection Engineering

The process of mapping detections, alerts, logs, or controls to MITRE ATT&CK tactics and techniques to understand security coverage.

Authentication Failure

AppSec

A weakness where identity verification is missing, broken, bypassable, or implemented insecurely.

Autonomous Remediation

AI Security

A remediation action performed automatically by a system or AI workflow without manual execution.

B

Backoff Strategy

Data Pipelines

A retry pattern that increases wait time between failed requests to reduce load and improve integration reliability.

Broken Access Control

AppSec

An application security risk where users can perform actions or access resources outside their intended permissions.

C

Checkpointing

Connectors

Saving the last successfully processed point in a data sync so the integration can continue without duplicates or data loss.

CI/CD Security

AppSec

Security controls built into continuous integration and continuous delivery pipelines to catch risks before release.

CIM

Data Normalization

Common Information Model; a normalized data model commonly used to make security data easier to search and correlate.

Circuit Breaker

Data Pipelines

A reliability pattern that temporarily stops requests to a failing system so an integration can recover safely.

CIS Controls

Compliance

A prioritized set of cybersecurity safeguards used by organizations to improve security hygiene and reduce common risks.

Cloud Asset Inventory

Cloud Security

A structured list of cloud resources such as virtual machines, databases, storage buckets, identities, networks, and workloads.

Cloud Misconfiguration

CSPM

An insecure cloud setting, such as public storage access, weak permissions, exposed services, or missing encryption.

Cloud Risk

Cloud Security

The likelihood and impact of a security issue in a cloud environment, often based on exposure, permissions, vulnerabilities, and business context.

CNAPP

CSPM

Cloud-Native Application Protection Platform; a broader cloud security category that combines posture, workload, identity, and application protection.

Compensating Control

Vulnerability

An alternative security measure used to reduce risk when a primary control or remediation cannot be implemented immediately.

Conditional Access

Identity & Access

An identity security approach that allows or blocks access based on conditions such as user, device, location, risk, or application.

Connector Maintenance Debt

Connectors

The accumulated risk and effort caused by outdated connectors, broken mappings, API changes, missing tests, or undocumented integration behavior.

Container Image Scanning

AppSec

The process of scanning container images for vulnerabilities, secrets, malware, and risky packages before deployment.

Correlation Rule

SIEM

A rule that connects multiple events or signals to detect a larger security pattern or possible attack.

Cryptographic Failures

AppSec

Security weaknesses caused by missing, weak, or incorrectly implemented encryption, hashing, key management, or data protection.

CVE

Vulnerability

Common Vulnerabilities and Exposures; a public identifier assigned to a known cybersecurity vulnerability.

CVSS

Vulnerability

Common Vulnerability Scoring System; a scoring method used to rate the severity of vulnerabilities.

CWPP

Cloud Security

Cloud Workload Protection Platform; a security category focused on protecting cloud workloads such as virtual machines, containers, and serverless functions.

D

DAST

AppSec

Dynamic Application Security Testing; testing a running application for security issues from the outside.

Data Component

Detection Engineering

A specific type of security data described within a broader data source, often used to plan detection coverage.

Data Normalization

Data Normalization

Converting data from different sources into a consistent structure so it can be searched, correlated, and analyzed reliably.

Data Onboarding

Data Pipelines

The process of adding a new log source, parser, schema, enrichment, and validation workflow to a SIEM or analytics platform.

Data Residency

Compliance

A requirement that data must be stored or processed in a specific country, region, or jurisdiction.

Data Retention

Compliance

A policy that defines how long logs, records, evidence, or business data should be stored before deletion or archival.

Data Source

Detection Engineering

A system, sensor, application, or telemetry source that provides security data for detection, investigation, or response.

Dead Letter Queue

Data Pipelines

A queue used to hold failed or unprocessed messages so they can be investigated without blocking the main data pipeline.

Dependency Risk

AppSec

Security or compliance risk introduced by third-party libraries, packages, frameworks, or open-source components.

Detection Engineering

Detection Engineering

The discipline of designing, testing, tuning, and maintaining threat detections across SIEM, XDR, cloud, identity, and endpoint data.

Detection Gap

Detection Engineering

A missing or weak detection area where available logs, rules, or response workflows do not adequately cover a relevant threat.

Detection Logic

Detection Engineering

The conditions, queries, thresholds, or behavioral patterns used to identify suspicious activity in a security platform.

Detection Rule

SIEM

A rule that tells a security platform when to generate an alert based on suspicious activity or known attack patterns.

Detection Tuning

Detection Engineering

The process of adjusting detection rules to reduce noise, improve accuracy, and maintain useful alerts over time.

DevSecOps

DevSecOps

A practice that integrates security into development and operations workflows so risks are found earlier and fixed faster.

DORA

GRC

Digital Operational Resilience Act; a European Union regulation focused on ICT risk management and operational resilience in the financial sector.

Duplicate Events

Data Pipelines

Repeated copies of the same security event that can increase costs, create noise, and distort investigations.

E

ECS

Data Normalization

Elastic Common Schema; a standard field structure used for logs and events in Elastic environments.

EDR

XDR

Endpoint Detection and Response; a security tool used to detect, investigate, and respond to threats on endpoints such as laptops, servers, and workstations.

Endpoint Telemetry

XDR

Security data collected from endpoint devices such as laptops, desktops, servers, or workstations.

EPSS

Vulnerability

Exploit Prediction Scoring System; a scoring model that estimates how likely a vulnerability is to be exploited.

EQL

Detection Engineering

Event Query Language; a query language used to search and correlate event sequences in security and observability platforms.

Event Correlation

SIEM

The process of connecting related security events to identify a larger pattern, suspicious sequence, or possible attack.

Exploit

Vulnerability

Code, technique, or activity that takes advantage of a vulnerability to affect a system.

Exploitability

Vulnerability

The likelihood or ease with which a vulnerability can be exploited in a real environment.

F

Field Mapping

Data Normalization

Matching fields from one system to the correct fields in another system so security data remains meaningful after integration.

G

GDPR

Compliance

General Data Protection Regulation; a European privacy regulation that affects how organizations collect, process, store, and protect personal data.

GitHub Advanced Security

AppSec

A set of GitHub security features for code scanning, secret scanning, dependency review, and developer security workflows.

H

Human Approval Gate

AI Security

A workflow checkpoint where a person must review and approve an action before automation continues.

I

IAM

Identity & Access

Identity and Access Management; the discipline of managing digital identities and their access to systems, applications, and data.

IAST

AppSec

Interactive Application Security Testing; testing that analyzes application behavior while the application is running and being exercised.

Idempotency

Data Pipelines

A property where repeating the same operation produces the same result, helping integrations avoid duplicates during retries.

Identity Governance

Identity & Access

The process of defining, reviewing, approving, and auditing access across users, roles, applications, and systems.

Incident Enrichment

Incident Response

Adding context such as asset details, user identity, threat intelligence, geolocation, or vulnerability information to an incident.

Injection

AppSec

An application security flaw where untrusted input is interpreted as commands, queries, or code by a system.

Insecure Deserialization

AppSec

A vulnerability where unsafe handling of serialized data allows attackers to tamper with objects, execute code, or alter application logic.

Insecure Design

AppSec

A security weakness caused by flawed architecture, missing controls, or unsafe business logic rather than a coding bug alone.

Insecure Output Handling

AI Security

A risk where AI-generated output is trusted or passed into systems without proper validation, sanitization, or review.

IntegrationHub Spoke

ServiceNow

A packaged set of ServiceNow actions and connectors used to integrate workflows with external applications or services.

ISO 27001

Compliance

An international standard for establishing, operating, maintaining, and improving an information security management system.

J

Just-in-Time Access

Identity & Access

An access model where privileged access is granted only when needed and usually for a limited time.

JWT

Identity & Access

JSON Web Token; a compact token format often used to represent identity claims and authorize access between systems.

K

Known Exploited Vulnerability

Vulnerability

A vulnerability with evidence of active exploitation, making it a high-priority input for remediation decisions.

KQL

Detection Engineering

Kusto Query Language; a query language commonly used to search, analyze, and build detections on telemetry in Microsoft security platforms.

L

Least Privilege

Identity & Access

A security principle where users, applications, and services receive only the access they need to perform their tasks.

License Risk

AppSec

Legal or operational risk caused by using open-source or third-party software with incompatible or unmanaged licenses.

LLMOps

AI Security

Operational practices for deploying, monitoring, evaluating, securing, and maintaining large language model applications.

Log Ingestion

SIEM

The process of bringing logs, alerts, events, or telemetry into a SIEM or security analytics platform.

Log Pipeline

Data Pipelines

The flow of logs from source systems through collection, parsing, enrichment, normalization, storage, and analytics.

M

MFA

Identity & Access

Multi-Factor Authentication; an authentication method requiring more than one proof of identity before granting access.

Microsoft Defender CSPM

Cloud Security

A Microsoft cloud security posture capability used to assess, prioritize, and improve security posture across cloud environments.

MID Server

ServiceNow

A ServiceNow component that securely connects a ServiceNow instance to internal systems, networks, or data sources.

MITRE ATT&CK

Detection Engineering

A knowledge base of adversary tactics, techniques, and procedures used by security teams to model threats and evaluate detection coverage.

Model Risk

AI Security

The possibility that an AI or analytical model may produce incorrect, biased, unsafe, or unreliable outcomes.

MTTD

Incident Response

Mean Time to Detect; the average time it takes to identify that a security incident or threat is occurring.

MTTR

Incident Response

Mean Time to Respond or Mean Time to Remediate; the average time it takes to respond to or resolve an incident or issue.

N

NIS2

GRC

A European Union cybersecurity directive that expands security and incident reporting obligations for essential and important entities.

NIST CSF

Compliance

National Institute of Standards and Technology Cybersecurity Framework; a widely used framework for organizing cybersecurity risk management practices.

Now Assist

ServiceNow

ServiceNowโ€™s AI-assisted capability used to support workflows, productivity, summarization, and service operations use cases.

O

OAuth 2.0

Connectors

An authorization framework that allows systems to grant secure API access without sharing user passwords.

OCSF

Data Normalization

Open Cybersecurity Schema Framework; a vendor-neutral schema used to organize cybersecurity data consistently.

OIDC

Identity & Access

OpenID Connect; an identity layer built on OAuth 2.0 that helps applications verify user identity.

Open Source Risk

AppSec

Security, license, maintenance, or supply-chain risk introduced by open-source packages and dependencies.

Over-Permissioned Identity

Identity & Access

A user, service, role, or workload identity that has more permissions than it needs.

P

Pagination

Connectors

A method APIs use to return large data sets in smaller pages or batches instead of sending everything in one response.

PCI DSS

Compliance

Payment Card Industry Data Security Standard; a security standard for organizations that store, process, or transmit payment card data.

Playbook

SOAR

A predefined workflow that tells a SOAR platform what actions to take during a specific security scenario.

Polling

Connectors

A method where one system repeatedly checks another system for new data at defined intervals.

Prisma Cloud

Cloud Security

A cloud security platform commonly used for cloud posture, workload, network, and application security use cases.

Privileged Access

Identity & Access

Access that allows a user, account, service, or process to perform high-impact administrative or sensitive actions.

Privileged Account

Identity & Access

An account with elevated permissions that can modify systems, access sensitive data, or perform administrative actions.

Pull Request Security

AppSec

Security checks, reviews, and guardrails applied during the pull request process before code is merged.

Q

Query Cost

Data Pipelines

The compute, storage, or licensing cost associated with running searches or analytics on security data.

R

RAG

AI Security

Retrieval-Augmented Generation; an AI pattern where a model uses retrieved documents or data to generate more grounded responses.

RBAC

Identity & Access

Role-Based Access Control; an access control model where permissions are assigned to roles rather than individual users.

RBI Cybersecurity Guidelines

Compliance

Cybersecurity expectations and directions issued by the Reserve Bank of India for regulated financial institutions and related entities.

Remediation Window

Vulnerability

The expected timeframe within which a vulnerability, finding, or risk should be fixed based on severity and priority.

Risk Assessment

GRC

A structured process for identifying risks, estimating likelihood and impact, and deciding how those risks should be managed.

Risk-Based Vulnerability Management

Vulnerability

A vulnerability management approach that prioritizes remediation based on business risk, exploitability, asset criticality, and exposure.

Root Cause Analysis

Incident Response

The process of identifying the original source, weakness, or reason behind a security incident.

S

SAML

Identity & Access

Security Assertion Markup Language; a standard used to exchange authentication and authorization data, commonly for enterprise SSO.

SAST

AppSec

Static Application Security Testing; scanning source code or compiled code for security issues without running the application.

SBOM

AppSec

Software Bill of Materials; an inventory of software components, dependencies, and libraries used in an application.

SCA

AppSec

Software Composition Analysis; scanning third-party and open-source components for vulnerabilities, license issues, and supply-chain risk.

Schema Drift

Data Normalization

A situation where incoming data changes over time and no longer matches the expected structure.

Schema Mapping

Data Normalization

Converting one data schema into another schema so information can move correctly between systems.

Scoped Application

ServiceNow

A ServiceNow application built within its own scope to separate code, data, permissions, and configuration from other applications.

SecOps

Core

Security Operations; the function responsible for monitoring, detecting, investigating, and responding to security threats.

Secret Management

Identity & Access

The practice of securely storing, rotating, and controlling access to sensitive values such as API keys, tokens, passwords, and certificates.

Secure SDLC

AppSec

A software development lifecycle that includes security practices from design and development through testing, release, and operations.

Security Benchmark

Cloud Security

A baseline set of recommended security configurations or controls used to assess systems, cloud resources, or workloads.

Security Use Case

Detection Engineering

A defined security monitoring scenario that describes what threat or risk should be detected, why it matters, and what response should follow.

Segregation of Duties

Compliance

A control that separates sensitive responsibilities so one person cannot complete a high-risk process without oversight.

Serverless Security

Cloud Security

The practice of securing serverless functions, event triggers, permissions, secrets, dependencies, and runtime behavior.

Session Recording

Identity & Access

The recording of privileged or sensitive user sessions to support monitoring, forensics, accountability, and compliance.

SIEM

SIEM

Security Information and Event Management; a platform that collects, analyzes, and correlates security data to detect threats.

Sigma Rule

Detection Engineering

A vendor-neutral rule format used to describe log-based detections that can be converted into platform-specific query languages.

SOAR Connector

SOAR

A connector that allows a SOAR platform to trigger actions in another tool through APIs or workflows.

SOC

Core

Security Operations Center; a team or facility responsible for monitoring and responding to cybersecurity threats.

SOC 2

GRC

A compliance framework for service organizations focused on controls related to security, availability, processing integrity, confidentiality, and privacy.

SPL

Detection Engineering

Search Processing Language; the search and analysis language used in Splunk environments.

SSO

Identity & Access

Single Sign-On; an authentication method that lets users access multiple applications through one trusted identity provider.

SSRF

AppSec

Server-Side Request Forgery; a vulnerability where an attacker causes a server to make unintended requests to internal or external systems.

Sub-Technique

Detection Engineering

A more specific behavior under a broader MITRE ATT&CK technique.

T

Table Extension

ServiceNow

A ServiceNow design approach where one table extends another table to reuse fields, logic, and relationships.

Tactic

Detection Engineering

The high-level objective behind an attacker behavior, such as persistence, privilege escalation, or exfiltration.

Technique

Detection Engineering

A specific method an attacker may use to achieve a tactical objective.

Threat Intelligence

Incident Response

Context about threats, indicators, adversary behavior, and attack patterns used to improve detection and response.

Threat Modeling

Detection Engineering

A structured process for identifying potential threats, attack paths, security gaps, and controls for an application or system.

Tiered Retention

Data Pipelines

A retention approach that keeps recent data in faster storage and older data in lower-cost storage based on investigation and compliance needs.

Token Refresh

Connectors

The process of obtaining a new access token after the previous token expires so an integration can continue securely.

TTP

Detection Engineering

Tactics, Techniques, and Procedures; a way to describe attacker behavior and operational patterns.

U

Use Case Development

Detection Engineering

The process of designing security monitoring use cases, including required data, detection logic, alert context, and response steps.

V

Vendor Risk Management

GRC

The process of assessing, monitoring, and managing cybersecurity, compliance, and operational risks from third-party vendors.

Vulnerability Management

Vulnerability

The process of identifying, prioritizing, and fixing security vulnerabilities across systems, applications, and assets.

Vulnerability Response

ServiceNow

A ServiceNow capability used to prioritize, assign, track, and manage vulnerability remediation.

Vulnerability Triage

Vulnerability

The process of reviewing vulnerability findings to determine severity, exploitability, ownership, and remediation priority.

Vulnerable Item

Vulnerability

A specific asset, application, or system record that is affected by a vulnerability and needs review, remediation, or exception handling.

W

Warm Storage

Data Pipelines

Mid-tier storage used for security data that is less recent but still needs reasonably fast access for investigation or reporting.

Wiz

Cloud Security

A cloud security platform commonly used for cloud posture, exposure management, workload visibility, and cloud risk prioritization.

X

Y

YARA Rule

Detection Engineering

A rule format commonly used to identify malware families, suspicious files, or patterns in binaries and text.

Z

Zero-Day

Vulnerability

A vulnerability that is unknown to the vendor or lacks an available patch at the time it is discovered or exploited.

No matching terms found. Try another keyword or clear the selected filter.

Need help building security integrations?

ForshTec Systems can help design, build, test, and maintain SIEM connectors, SOAR playbooks, XDR connectors, CSPM integrations, ServiceNow SecOps workflows, AI-assisted security workflows, cloud security integrations, AppSec workflows, compliance automation, detection engineering programs, and normalized security data pipelines.

Talk to ForshTec