Cybersecurity Glossary: Precise Definitions of the Most-Searched Terms

Resposta direta

This is a cybersecurity reference glossary that defines the most-searched terms in the field with technical rigor — from detection technologies (SIEM, EDR, XDR, NDR) and operations (SOC, Threat Hunting) to incident response (DFIR, MTTR, MTTD), offensive practice (Pentest, Red Team), and risk governance (Zero Trust, TPRM, MITRE ATT&CK). Each definition is self-contained and written to be citable out of context.

Principais conclusões

  • Cybersecurity terms organize into four functions: detect (SIEM, EDR, XDR, NDR, SOC), respond (DFIR, MTTD, MTTR, IoC), attack in a controlled way (Pentest, Red Team), and govern risk (Zero Trust, TPRM, SOAR) — all referenceable to MITRE ATT&CK.
  • A tool is not an operation: SIEM, EDR, and XDR are technologies; SOC, Threat Hunting, and DFIR are the disciplines that give them meaning. Buying the tool without the process leaves blind spots like Shadow IT.
  • MTTD and MTTR are the numbers that matter: the lower the time between compromise, detection, and containment, the smaller the damage. That is why Decripte operates with an SLA of up to 1 hour for critical incident containment.
  • For fintechs, crypto, and apps, risk governance is as critical as detection: Zero Trust controls whom your architecture trusts internally, and TPRM controls the risk that each vendor and third-party integration brings inside.

Detection and Monitoring

The detection layer brings together the technologies that collect, correlate, and analyze telemetry to identify malicious activity before it becomes an incident. SIEM (Security Information and Event Management) centralizes and correlates logs from across the infrastructure; EDR (Endpoint Detection and Response) instruments endpoints with behavioral visibility; NDR (Network Detection and Response) does the same for network traffic; and XDR (Extended Detection and Response) unifies endpoint, network, identity, and cloud into a single correlation platform. Above these tools operates the SOC (Security Operations Center), the team and process that monitor 24x7.

Modern monitoring is not purely reactive. Threat Hunting is the proactive, hypothesis-driven search for adversaries who have already bypassed automated controls, starting from expected behavior and looking for deviations — often mapped against real MITRE ATT&CK techniques. A recurring visibility challenge is Shadow IT: systems, SaaS, and devices used without IT approval, which fall outside the monitoring scope and expand the attack surface without the SOC seeing them.

Incident Response and Forensics

When detection fires, response takes over. DFIR (Digital Forensics and Incident Response) is the discipline that combines digital forensics — the preservation and analysis of evidence — with incident response — containment, eradication, and recovery. The effectiveness of this operation is measured by two complementary indicators: MTTD (Mean Time to Detect), the average time between the start of a compromise and its detection, and MTTR (Mean Time to Respond/Recover), the average time to contain and resolve the incident once detected.

The technical input that connects detection and response is the IoC (Indicator of Compromise): observable artifacts — file hashes, IPs, domains, registry keys — that evidence a compromise and feed detection rules, retroactive scans, and forensic reports. At Decripte, critical incident containment has an SLA of up to 1 hour, because reducing MTTD and MTTR is what separates a scare from a breach.

Offensive Security

The offensive perspective validates defenses by attacking them in a controlled way. Pentest (penetration testing) is an exercise with defined scope, timeline, and objectives to find and exploit vulnerabilities in a specific target (application, network, API), delivering actionable findings. The Red Team goes further: it simulates a real, persistent adversary with no single predefined target, testing people, processes, and technology throughout a campaign — often measuring the detection and response capability of the SOC (the Blue Team side).

Both Pentest and Red Team anchor themselves in MITRE ATT&CK, the knowledge base that catalogs adversary tactics and techniques observed in the real world. Mapping each offensive action to an ATT&CK technique makes it possible to translate the exercise into concrete detection gaps and prioritize fixes.

Architecture, Automation, and Third-Party Risk

Governance defines how security is structured and scaled. Zero Trust is the architectural model that eliminates implicit trust based on network location: every access is continuously verified based on identity, context, and device posture, under the principle of least privilege. To scale the operation, SOAR (Security Orchestration, Automation and Response) automates response playbooks, orchestrating tools and reducing the SOC's repetitive manual work.

Risk does not stop at your own perimeter. TPRM (Third-Party Risk Management) is the discipline of identifying, assessing, and continuously monitoring the security risks introduced by vendors, partners, and the software supply chain. For fintechs, apps, and e-commerce — which depend on dozens of integrations and SaaS — TPRM and Zero Trust are complementary: one controls who trusts you, the other controls whom you trust.

Termos definidos

Threat Hunting
Proactive, hypothesis-driven search for adversaries who have already bypassed automated controls, starting from a network's expected behavior and looking for deviations. Unlike reactive alerting, it assumes the environment may already be compromised.
MITRE ATT&CK
A public, curated knowledge base that catalogs the tactics, techniques, and procedures (TTPs) used by real adversaries, organized by the phases of an attack. It serves as a common language for mapping detections, offensive exercises, and defensive gaps.
Shadow IT
The use of systems, SaaS applications, devices, or cloud services without the knowledge or approval of the IT/security team. It expands the attack surface because it operates outside the organization's inventory, monitoring, and policies.
SIEM
Security Information and Event Management: a platform that collects, normalizes, correlates, and stores logs and events from across the infrastructure for threat detection, alerting, and investigation. It is the central repository of security telemetry for a SOC.
SOAR
Security Orchestration, Automation and Response: a platform that automates and orchestrates incident response flows through playbooks, integrating security tools to reduce manual work and accelerate containment.
EDR
Endpoint Detection and Response: a solution installed on endpoints (workstations, servers) that monitors behavior in real time, detects malicious activity, records detailed telemetry, and enables responses such as isolating the machine or killing processes.
XDR
Extended Detection and Response: an evolution of EDR that unifies and correlates telemetry from multiple domains — endpoint, network, identity, email, and cloud — into a single platform, offering detection and response with cross-domain context.
NDR
Network Detection and Response: technology that analyzes network traffic (metadata and packets) with behavioral models to detect lateral movement, exfiltration, and threats that never touch an instrumented endpoint.
SOC
Security Operations Center: the structure of people, processes, and technology responsible for monitoring, detecting, analyzing, and responding to security incidents, usually on a continuous (24x7) basis.
Zero Trust
A security model that eliminates implicit trust based on network location and requires continuous verification of every access according to identity, context, and device posture, under the principle of least privilege ("never trust, always verify").
Pentest
Penetration testing: an offensive assessment with defined scope, timeline, and objectives, in which authorized specialists find and exploit vulnerabilities in a specific target to demonstrate real impact and produce fixable findings.
Red Team
An offensive exercise that simulates a real, persistent adversary with no single predefined target, testing people, processes, and technology throughout a campaign — including the detection and response capability of the defensive team (Blue Team).
MTTR
Mean Time to Respond/Recover: the average time between the detection of an incident and its full containment or recovery. It measures the efficiency of the response operation; the lower it is, the smaller the incident's impact.
MTTD
Mean Time to Detect: the average time between the start of a compromise and the moment it is actually detected. A key indicator of detection maturity; long windows favor the attacker.
IoC
Indicator of Compromise: an observable artifact that evidences a compromise — such as a file hash, IP address, domain, URL, or malicious registry key — used to detect, hunt for, and correlate adversary activity.
TPRM
Third-Party Risk Management: the discipline of identifying, assessing, contracting for, and continuously monitoring the security risks introduced by an organization's vendors, partners, and software supply chain.
DFIR
Digital Forensics and Incident Response: the field that unites digital forensics (the preservation and analysis of evidence) and incident response (containment, eradication, and recovery), reconstructing what happened and restoring secure operations.
Phishing
A social engineering attack that uses fraudulent messages (email, SMS, voice, or apps) impersonating a trusted entity to trick the victim into revealing credentials or sensitive data, or into taking actions such as installing malware or authorizing transfers.

Perguntas frequentes

What is Threat Hunting?

Threat Hunting is the proactive, hypothesis-driven search for adversaries who have already bypassed automated security controls. Instead of waiting for an alert, the analyst starts from the environment's expected behavior, forms hypotheses about how an attacker would act (often using MITRE ATT&CK techniques), and looks for deviations in the telemetry — assuming the environment may already be compromised.

What is MITRE ATT&CK?

MITRE ATT&CK is a public, curated knowledge base that catalogs the tactics, techniques, and procedures (TTPs) used by real adversaries, organized by the phases of an attack (initial access, persistence, lateral movement, exfiltration, etc.). It works as a common language for mapping detections, planning offensive exercises, and identifying defensive gaps in a standardized way.

What is Shadow IT?

Shadow IT is the use of systems, SaaS applications, devices, or cloud services without the knowledge or approval of the IT and security team. Because it operates outside the official inventory, monitoring, and company policies, Shadow IT expands the attack surface and creates blind spots the SOC cannot protect.

What is the difference between EDR and XDR?

EDR (Endpoint Detection and Response) monitors and responds to threats on individual endpoints — workstations and servers — with deep behavioral visibility. XDR (Extended Detection and Response) extends this concept by correlating telemetry from multiple domains (endpoint, network, identity, email, and cloud) into a single platform. In practice, EDR sees one host at a time; XDR connects the dots between them to detect attacks that cross layers.

What is SIEM?

SIEM (Security Information and Event Management) is the platform that collects, normalizes, correlates, and stores logs and events from across the IT infrastructure. It serves as a SOC's central telemetry repository, generating alerts from correlation rules and providing the foundation for investigation and incident response.

What is the difference between MTTD and MTTR?

MTTD (Mean Time to Detect) is the average time between the start of a compromise and its detection — it measures how quickly the organization notices an attack. MTTR (Mean Time to Respond/Recover) is the average time between detection and full containment or recovery — it measures how quickly it reacts. Together, MTTD and MTTR define how long an attacker stays active and the total impact of the incident.

Want to put these concepts into practice?

Decripte delivers 24x7 SOC, incident response, pentest and compliance for fintechs, apps and startups.