Cybersecurity acronyms, decoded.
The first month of cybersecurity is mostly acronyms. A working glossary you can keep open while you read everything else.
The first month of cybersecurity is mostly acronyms. They are not hard, but reading three of them in a single sentence — "the SOC team escalates the IOC via SIEM to the IR lead" — can flatten anyone new. This page is a working glossary you can keep open while you read other things. The definitions are short, the examples are real.
People and teams
| Acronym | Full form | One-line meaning |
|---|---|---|
| SOC | Security Operations Center | The team that watches alerts 24/7 and decides what is real. |
| IR | Incident Response | The people called in when something is confirmed bad. |
| CISO | Chief Information Security Officer | The senior leader responsible for the security programme. |
| DFIR | Digital Forensics & Incident Response | IR + the forensic work of figuring out what happened. |
| Red Team | — | People paid to attack the company's systems with authorisation. |
| Blue Team | — | People paid to defend. |
| Purple Team | — | Red and Blue working together rather than in opposition. |
What attackers do
| Acronym | Full form | One-line meaning |
|---|---|---|
| TTP | Tactics, Techniques, Procedures | The "how" of an attack. The MITRE ATT&CK matrix is a taxonomy of TTPs. |
| RCE | Remote Code Execution | Attacker gets to run code on your server. Worst-class web bug. |
| LPE | Local Privilege Escalation | Attacker has a low-priv shell and elevates to admin/root. |
| XSS | Cross-Site Scripting | Attacker gets your browser to run their JavaScript on another site. |
| CSRF | Cross-Site Request Forgery | Attacker tricks your browser into making a request you didn't intend. |
| SSRF | Server-Side Request Forgery | Attacker makes the server issue a request — often into the cloud metadata service. |
| SQLi | SQL injection | Untrusted input gets concatenated into a query and changes its meaning. |
| DoS / DDoS | (Distributed) Denial of Service | Make the service unavailable. DDoS uses many sources. |
| MITM | Man-in-the-Middle | Attacker sits between two parties and relays/modifies their traffic. |
| C2 / C&C | Command & Control | The infrastructure attackers use to control compromised hosts. |
What defenders deploy
| Acronym | Full form | One-line meaning |
|---|---|---|
| EDR | Endpoint Detection & Response | Agent on every laptop/server that watches for malicious behaviour. |
| XDR | Extended Detection & Response | EDR + email + network + identity, all in one console. |
| SIEM | Security Information & Event Management | Central place to ship and search logs from everywhere. |
| SOAR | Security Orchestration, Automation, Response | Workflows that automate parts of the SOC's response. |
| WAF | Web Application Firewall | Filter in front of your web app that blocks obvious attack patterns. |
| IDS / IPS | Intrusion Detection / Prevention System | Watches network traffic. IDS alerts. IPS blocks. |
| DLP | Data Loss Prevention | Tries to stop sensitive data from leaving the network. |
| IAM | Identity & Access Management | Who can log in, to what, with what. |
| MFA / 2FA | Multi-Factor / Two-Factor Authentication | Login requires more than just a password. |
| PAM | Privileged Access Management | Special controls around admin accounts (vaulting, just-in-time). |
| ZTNA | Zero-Trust Network Access | Verify every request, trust nothing by default — replaces VPN. |
Vulnerabilities, threats, intelligence
| Acronym | Full form | One-line meaning |
|---|---|---|
| CVE | Common Vulnerabilities & Exposures | Public, numbered ID for a known vulnerability. e.g. CVE-2024-12345. |
| CVSS | Common Vulnerability Scoring System | 0-10 severity score for a CVE. |
| CWE | Common Weakness Enumeration | The bug class behind CVEs (e.g. SQL injection is CWE-89). |
| IOC | Indicator of Compromise | A hash, IP, domain, or filename that suggests intrusion. |
| TI / CTI | (Cyber) Threat Intelligence | Knowledge about who is attacking whom and how. |
| APT | Advanced Persistent Threat | Skilled attacker with patience and a goal. Usually nation-state. |
| RAT | Remote Access Trojan | Malware that gives an attacker remote control. |
| POC / PoC | Proof of Concept | Code that demonstrates a vulnerability is exploitable. |
Compliance and governance
| Acronym | Full form | One-line meaning |
|---|---|---|
| GDPR | General Data Protection Regulation | EU privacy law. The big one. |
| ISO 27001 | — | International standard for an Information Security Management System. |
| SOC 2 | (Auditor's) Service Organization Control 2 | US-origin audit report covering security/availability/privacy controls. |
| NIST | National Institute of Standards & Technology | US body. Their cybersecurity framework is referenced globally. |
| OWASP | Open Worldwide Application Security Project | Volunteer project. Their Top 10 is the standard "things that go wrong on the web" list. |
| PCI DSS | Payment Card Industry Data Security Standard | What you must do if you process card payments. |
Crypto and identity
| Acronym | Full form | One-line meaning |
|---|---|---|
| TLS / SSL | Transport Layer Security / Secure Sockets Layer | Encryption for traffic. SSL is the old name, TLS is the current standard. |
| PKI | Public Key Infrastructure | The whole system of certificates, CAs and trust chains. |
| CA | Certificate Authority | An entity trusted to vouch for who owns a domain. |
| HMAC | Hash-based Message Authentication Code | "Did this message come from someone who knows the shared key?" |
| OIDC | OpenID Connect | Modern auth protocol built on OAuth 2.0. |
| SAML | Security Assertion Markup Language | Older XML-based federation protocol. Common in enterprise SSO. |
How to use this page
Bookmark it. The first time you meet an acronym in another article, search for it here. Do not try to memorise the table in one sitting — that is what flashcards are for. By the time you stop needing to look up the basics, you will be deep enough into the field that the new acronyms you meet are the interesting ones.