Qevlar AI | SOC & Cybersecurity Glossary

Agentic AI in Security

An AI system capable of autonomously reasoning, planning, and executing multi-step security investigations without requiring predefined playbooks.

Concepts

Read the full definition

Alert

A notification triggered by a security tool when a potentially suspicious or malicious event is detected.

Detection

Read the full definition

Alert Fatigue

The desensitization SOC analysts experience when overwhelmed by excessive alert volumes.

Detection

Read the full definition

APT (Advanced Persistent Threat)

A sophisticated, long-term cyberattack carried out by a well-resourced threat actor.

Threats

Read the full definition

Attack Surface

The total set of entry points through which an attacker could attempt to gain unauthorized access to a system or environment.

Threats

Read the full definition

Behavioral Analytics

The use of data analysis to identify patterns of activity that deviate from established baselines and may indicate malicious behavior.

Tools & Tech

Read the full definition

Benign

A security verdict indicating that a reviewed alert or activity poses no real threat.

Detection

Read the full definition

C2 (Command and Control)

The infrastructure and communication channels used by attackers to control compromised systems.

Threats

Read the full definition

Campaign

A coordinated series of related attacks carried out by the same threat actor targeting multiple victims using the same infrastructure or methods.

Threats

Read the full definition

CERT (Computer Emergency Response Team)

A team responsible for receiving, reviewing, and responding to cybersecurity incident reports.

Roles

Read the full definition

CISO (Chief Information Security Officer)

The senior executive responsible for an organization's overall information security strategy and program.

Roles

Read the full definition

Conclusiveness Rate

The percentage of investigations that reach a clear, confident verdict rather than an inconclusive result.

Metrics

Read the full definition

Containment

The actions taken to limit the spread or impact of a confirmed security threat.

Response

Read the full definition

Correlation

The process of connecting multiple related alerts, events, or observables to identify patterns that reveal a broader attack.

Detection

Read the full definition

CSIRT (Computer Security Incident Response Team)

A team dedicated to handling and coordinating the response to cybersecurity incidents within an organization or sector.

Roles

Read the full definition

CVE (Common Vulnerabilities and Exposures)

A publicly disclosed security vulnerability assigned a unique standardized identifier.

Concepts

Read the full definition

Detection Engineering

The practice of building and maintaining the rules, queries, and logic that generate security alerts.

Concepts

Read the full definition

DORA (Digital Operational Resilience Act)

A European Union regulation requiring financial entities to ensure operational resilience against ICT-related disruptions and cyber threats.

Concepts

Read the full definition

Dwell Time

The length of time an attacker remains undetected inside a compromised environment.

Threats

Read the full definition

EDR (Endpoint Detection and Response)

A security technology that monitors endpoint devices for suspicious behavior and provides investigation and response capabilities.

Tools & Tech

Read the full definition

Enrichment

The process of adding contextual information to an alert or observable to support investigation.

Detection

Read the full definition

Escalation

The process of passing a security alert or incident to a more senior analyst or specialized team for further investigation or action.

Response

Read the full definition

False Negative

A missed detection where a real threat occurs but no alert is generated.

Detection

Read the full definition

False Positive

An alert that incorrectly identifies benign or legitimate activity as malicious.

Detection

Read the full definition

Incident

A confirmed or suspected security event that has or may have a negative impact on an organization's systems, data, or operations.

Response

Read the full definition

Incident Response (IR)

The structured process an organization follows when a security incident is detected.

Response

Read the full definition

IOC (Indicator of Compromise)

A piece of forensic evidence suggesting that a system or network may have been breached or compromised.

Detection

Read the full definition

Kill Chain

A framework describing the sequential stages of a cyberattack from initial reconnaissance through to the attacker's final objective.

Concepts

Read the full definition

L1 Analyst (Tier 1 Analyst)

An entry-level SOC analyst responsible for initial alert monitoring, triage, and basic investigation.

Roles

Read the full definition

L2 Analyst (Tier 2 Analyst)

A mid-level SOC analyst who handles escalated alerts and conducts deeper investigations.

Roles

Read the full definition

L3 Analyst (Tier 3 Analyst)

A senior SOC analyst or specialist responsible for the most complex investigations, threat hunting, and security architecture decisions.

Roles

Read the full definition

Lateral Movement

Techniques used by an attacker to progressively move deeper into a network after gaining initial access.

Threats

Read the full definition

Malware

Malicious software designed to disrupt, damage, or gain unauthorized access to systems.

Threats

Read the full definition

MDR (Managed Detection and Response)

A managed security service that combines technology and human expertise to provide continuous threat monitoring, detection, and response.

Roles

Read the full definition

MITRE ATT&CK

A globally accessible knowledge base cataloguing the tactics, techniques, and procedures used by real-world threat actors.

Concepts

Read the full definition

MSSP (Managed Security Service Provider)

A third-party organization that provides outsourced security monitoring and management services.

Roles

Read the full definition

MTTD (Mean Time to Detect)

The average time between when an attack occurs and when it is first detected by the security team.

Metrics

Read the full definition

MTTI (Mean Time to Investigate)

The average time it takes to complete a full investigation of a security alert once it has been detected.

Metrics

Read the full definition

MTTR (Mean Time to Respond)

The average time from the detection of a threat to its full containment or resolution.

Metrics

Read the full definition

NDR (Network Detection and Response)

A security technology that monitors network traffic to detect threats based on behavioral analysis and anomalies.

Tools & Tech

Read the full definition

NIS2 (Network and Information Security Directive 2)

A European Union directive establishing cybersecurity requirements for organizations operating critical infrastructure and essential services.

Concepts

Read the full definition

Observable

An artifact or piece of data used to identify potential malicious activity, such as an IP address, domain, file hash, or user account.

Detection

Read the full definition

Phishing

A social engineering attack in which an attacker impersonates a trusted entity to trick users into revealing credentials or executing malicious actions.

Threats

Read the full definition

Playbook

A documented set of steps guiding analysts through the investigation and response process for a specific type of security event.

Response

Read the full definition

Privilege Escalation

A technique in which an attacker gains higher levels of access or permissions than they initially had within a system.

Threats

Read the full definition

Ransomware

A type of malware that encrypts a victim's files or systems and demands payment in exchange for the decryption key.

Threats

Read the full definition

Remediation

The actions taken to fully eliminate a threat from an environment after containment.

Response

Read the full definition

Severity Score

A numerical or categorical rating assigned to an alert or incident indicating its potential impact and urgency.

Detection

Read the full definition

SIEM (Security Information and Event Management)

A platform that collects, aggregates, and analyzes security log and event data from across an organization's IT environment in real time.

Tools & Tech

Read the full definition

SOAR (Security Orchestration, Automation and Response)

A platform that enables SOC teams to automate and orchestrate security workflows and response actions.

Tools & Tech

Read the full definition

SOC 2 Type 2

A security compliance framework that verifies an organization's controls around security, availability, processing integrity, confidentiality, and privacy over an extended audit period.

Concepts

Read the full definition

SOC (Security Operations Center)

A centralized team responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity threats.

Roles

Read the full definition

Threat Hunting

The proactive, human-led process of searching an environment for threats that have evaded automated detection.

Concepts

Read the full definition

Threat Intelligence (TI / CTI)

Information about current or emerging threats, threat actors, and their methods, gathered and analyzed to support defense.

Concepts

Read the full definition

Triage

The initial process of reviewing and prioritizing security alerts to determine which require immediate attention, further investigation, or can be dismissed.

Response

Read the full definition