In cybersecurity, acronyms appear everywhere: in SOC alerts, CTI reports, OT/SCADA discussions, AI projects, and incident documentation. For people working in IT, security, networking, industrial operations, or management, the challenge is not only knowing what an acronym stands for, but understanding what role the term plays in a real situation.
This glossary explains the terms used frequently on the Cyber Arena website and in our courses in Bucharest. It is not a dry list of definitions. Each term includes what it means, why it matters, and where you see it in practice. For teams that want to move from theory to exercises, the terms are naturally connected with Cyber Arena hands-on training programs.
Terms and acronyms explained
SOC – Security Operations Center
What it means: A SOC is the center or team that monitors security alerts, investigates suspicious activity, and coordinates the first response when an incident appears.
Why it matters: For an organization, the SOC is the point where logs, alerts, tools, and people meet. Without a clear triage and escalation process, alerts may remain uninvestigated or may be handled too late.
Where you see it in practice: You see it in the work of Tier 1 SOC analysts, monitoring teams, and incident response scenarios. For the foundations of this role, see the Cybersecurity Threats and Defense course. For more advanced scenarios, see the Incident Response course.
SOC Level 1 / SOC Tier 1-3
What it means: SOC Level 1 or Tier 1 usually describes the first line of analysis: triaging alerts, filtering out false positives, and escalating cases that need deeper investigation. Tier 2 and Tier 3 handle the more complex work: in-depth investigations, threat hunting, attack analysis, and support for incident response.
Why it matters: The difference between levels helps distribute responsibilities. Not every alert needs to go to a senior expert, but important alerts must be recognized quickly and escalated properly.
Where you see it in practice: You see it in SOC teams, monitoring centers, and simulation exercises. If you are starting in SOC, begin with Cybersecurity Threats and Defense. If you already have experience with alerts, logs, and investigations, continue with Incident Response.
SIEM – Security Information and Event Management
What it means: SIEM is a platform that collects events and logs from different systems and presents them in a form that security teams can analyze.
Why it matters: A good SIEM is not only about collecting data. Its value appears when data is correlated, prioritized, and turned into useful information for detection, investigation, and reporting.
Where you see it in practice: You see it in SOC work, IT infrastructure monitoring, incident detection, and DFIR exercises. The term is important in Cybersecurity Threats and Defense, OT Cybersecurity Essentials and Incident Response.
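The correlation point above, as an added example (not code from the Cyber Arena site or its courses): a small SIEM-style rule that reads OpenSSH-format auth lines, counts failed logins per source IP inside a sliding window, and raises a medium alert for a burst of failures and a high alert when a burst is followed by a successful login from the same address. The log lines, hostnames, IPs, thresholds and the assumed year (syslog lines carry none) are all constructed for the example.

```python
"""Added example: a minimal SIEM-style correlation over constructed auth log lines.

Not code from the Cyber Arena site or courses. The lines mimic OpenSSH syslog
messages; hosts, IPs and thresholds are constructed for the example.
Rule: FAIL_THRESHOLD failed logins from one source IP within WINDOW_SECONDS
raise 'brute-force-attempt'; a successful login from that IP while the burst
is still inside the window raises the higher-priority 'brute-force-success'.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample logs (not real data).
SAMPLE_LOGS = """\
Mar 10 09:14:01 web01 sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 51000 ssh2
Mar 10 09:14:03 web01 sshd[2211]: Failed password for root from 203.0.113.5 port 51002 ssh2
Mar 10 09:14:05 web01 sshd[2212]: Failed password for root from 203.0.113.5 port 51004 ssh2
Mar 10 09:14:06 web01 sshd[2213]: Failed password for deploy from 203.0.113.5 port 51006 ssh2
Mar 10 09:14:09 web01 sshd[2214]: Failed password for deploy from 203.0.113.5 port 51008 ssh2
Mar 10 09:14:12 web01 sshd[2215]: Accepted password for deploy from 203.0.113.5 port 51010 ssh2
Mar 10 09:20:00 web01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40000 ssh2
Mar 10 09:20:40 web01 sshd[2301]: Accepted publickey for alice from 198.51.100.7 port 40002 ssh2
Mar 10 11:00:00 web01 sshd[2400]: Failed password for bob from 192.0.2.9 port 30000 ssh2
Mar 10 11:00:01 web01 sshd[2401]: Failed password for bob from 192.0.2.9 port 30001 ssh2
Mar 10 11:00:02 web01 sshd[2402]: Failed password for bob from 192.0.2.9 port 30002 ssh2
Mar 10 11:00:03 web01 sshd[2403]: Failed password for bob from 192.0.2.9 port 30003 ssh2
Mar 10 11:00:04 web01 sshd[2404]: Failed password for bob from 192.0.2.9 port 30004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

FAIL_THRESHOLD = 5       # assumed tuning values for the example
WINDOW_SECONDS = 120
ASSUMED_YEAR = 2024      # syslog lines carry no year; assumption for parsing


def parse_line(line):
    """Return a normalized event dict, or None for lines the rule does not use."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{ASSUMED_YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "src": m["src"], "success": m["outcome"] == "Accepted"}


def correlate(log_text):
    """Run the correlation rule over raw log text and return a list of alerts."""
    failures = defaultdict(list)   # source IP -> timestamps of recent failures
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        # Keep only failures still inside the sliding window.
        recent = [t for t in failures[ev["src"]]
                  if (ev["ts"] - t).total_seconds() <= WINDOW_SECONDS]
        if ev["success"]:
            if len(recent) >= FAIL_THRESHOLD:
                alerts.append({"rule": "brute-force-success", "severity": "high",
                               "src": ev["src"], "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "ts": ev["ts"].isoformat()})
            failures[ev["src"]] = []          # a success closes the burst
        else:
            recent.append(ev["ts"])
            failures[ev["src"]] = recent
            if len(recent) == FAIL_THRESHOLD:  # fire once per burst, not per extra failure
                alerts.append({"rule": "brute-force-attempt", "severity": "medium",
                               "src": ev["src"], "user": ev["user"], "host": ev["host"],
                               "failures": len(recent), "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS):
        print(a["severity"].upper(), a["rule"], a["src"], a["user"], a["failures"])
```

The single failure from 198.51.100.7 followed by a key-based login produces nothing, which is the point of correlating rather than alerting on every "Failed password" line. In a production SIEM the threshold, window and any allowlist of scanners would live in the rule, and the alert would carry the raw events so the Tier 1 analyst can verify it without re-querying.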
EDR – Endpoint Detection and Response
What it means: EDR is a solution that monitors endpoints such as laptops, workstations, and servers to identify suspicious activity, abnormal behavior, or possible compromise.
Why it matters: Many attacks become visible at endpoint level: unusual processes, modified files, suspicious commands, or persistence attempts. EDR helps the security team see these signals and respond faster.
Where you see it in practice: You see it in alert analysis, incident response, and endpoint investigations. It is relevant in the Cybersecurity Threats and Defense course and in the Incident Response course.
DFIR – Digital Forensics and Incident Response
What it means: DFIR combines digital forensics with incident response. The goal is to understand what happened, how the attacker entered, which systems were affected, and what actions are needed for containment and recovery.
Why it matters: After an incident, an organization needs facts, not assumptions. DFIR helps teams reconstruct the timeline, preserve evidence, and make decisions based on data.
Where you see it in practice: You see it in security investigations, artifact analysis, evidence collection, and post-incident reporting. For practical exercises, see the Incident Response course.
IR – Incident Response
What it means: IR is the organized handling of a security incident. It covers preparation, detection and analysis, containment, eradication, recovery, and the lessons-learned review after the event.
Why it matters: An incident is not handled only with technology. Clear roles, communication, decisions under pressure, and a working method the team has practiced in advance are all needed.
Where you see it in practice: You see it in response plans, SOC work, DFIR teams, and APT scenarios. The main associated course is Incident Response.
CTI – Cyber Threat Intelligence
What it means: CTI is not just a collection of indicators of compromise. It is analysis with context: who is attacking, what tactics they use, which targets they prefer, and which recommendations defenders can act on.
Why it matters: CTI helps teams move beyond constant reaction and better understand the risk specific to their industry. Intelligence becomes useful when it leads to concrete decisions and actions.
Where you see it in practice: You see it in threat hunting, APT investigations, intelligence reports, and defense prioritization. To go deeper, see the Cyber Threat Intelligence course.
APT – Advanced Persistent Threat
What it means: APT describes a sophisticated, persistent, target-oriented attacker, often a state-sponsored group, or the campaign such an attacker runs. The emphasis is on patience, adaptation, and maintaining access over a longer period.
Why it matters: In an APT-style attack, the signals may be subtle and spread over time. The security team must correlate events, understand adversary behavior, and avoid rushed conclusions.
Where you see it in practice: You see it in attack simulations, CTI, Incident Response, and courses about the attacker’s perspective. The term is central in Cybersecurity Threats and Defense, Cyber Threat Intelligence and Incident Response.
MITRE ATT&CK
What it means: MITRE ATT&CK is a knowledge base that organizes adversary tactics and techniques observed in the real world. It helps teams describe attack behavior in a common language.
Why it matters: Without a common language, a technical report may be interpreted differently by the SOC, management, or the response team. ATT&CK helps with attack mapping, analysis, and communication.
Where you see it in practice: You see it in CTI, threat hunting, Incident Response, and APT scenario analysis. It is used in Cyber Threat Intelligence and Incident Response.
Cyber Kill Chain
What it means: The Cyber Kill Chain is a model, introduced by Lockheed Martin, that describes the stages an intrusion typically goes through: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives.
Why it matters: The model helps teams think of an attack as a process, not as an isolated event. This allows defense to be planned at multiple points in the chain.
Where you see it in practice: You see it in attack analysis, CTI, and incident response exercises. It is relevant for Cybersecurity Threats and Defense, Cyber Threat Intelligence and Incident Response.
OT – Operational Technology
What it means: OT refers to technologies that monitor or control physical processes: industrial systems, production equipment, utilities, energy, or critical infrastructure.
Why it matters: In OT, security does not only mean protecting data. It can mean operational continuity, safety, availability, and preventing the shutdown of critical processes.
Where you see it in practice: You see it in industrial environments, energy, utilities, and critical infrastructures. For IT/OT teams, the relevant course is OT Cybersecurity Essentials.
SCADA – Supervisory Control and Data Acquisition
What it means: SCADA is a type of system used to supervise and control industrial processes, often across geographically spread sites. It typically includes field sensors and actuators, controllers such as PLCs and RTUs, operator interfaces (HMIs), and data-acquisition and historian servers.
Why it matters: SCADA systems matter in environments where interruptions can affect real operations. That is why SCADA security requires a different approach from classic IT security.
Where you see it in practice: You see it in energy, water, manufacturing, transport, and other industrial environments. The term is central in OT Cybersecurity Essentials.
IT/OT
What it means: IT/OT describes the intersection between classic information systems and operational technologies. As industrial environments become connected, the two worlds need to collaborate more closely.
Why it matters: Many risks appear exactly at the boundary between IT and OT: limited visibility, unclear responsibilities, different processes, and tools not designed for the same environment.
Where you see it in practice: You see it in organizations with industrial infrastructure, utilities, or critical systems. For this area, see the OT Cybersecurity Essentials course.
Modbus and TCP/IP
What it means: Modbus is a simple request/response protocol for reading and writing values (coils and registers) in industrial devices such as PLCs; it started as a serial protocol in 1979. TCP/IP is the protocol family behind most network communication, and Modbus/TCP carries Modbus frames over TCP, normally on port 502, which is how the protocol ended up on routable networks. Modbus has no authentication or encryption: any host that can reach the port can read, and usually write, device values.
Why it matters: Understanding the protocol and the traffic it generates lets teams spot anomalies, misconfigurations, or behavior that may indicate a security problem: write function codes from a host that should only read, Modbus traffic crossing the IT/OT boundary, or malformed frames aimed at a controller.
Where you see it in practice: You see them in SCADA environments, OT exercises, and industrial traffic investigations. They are covered in OT Cybersecurity Essentials.
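The Modbus/TCP frame structure and the "writes from the wrong host" anomaly described above, as an added example (not code from the Cyber Arena site or the OT course). The parser decodes the public Modbus/TCP layout: a 7-byte MBAP header (transaction id, protocol id = 0, length, unit id) followed by the PDU (function code plus data, with the high bit of the function code marking an exception response). The frames, source IPs and the allowlist of hosts permitted to write are constructed for the example; `10.10.1.5` is assumed to be the HMI/engineering workstation.

```python
"""Added example: decode Modbus/TCP frames and flag writes from unexpected hosts.

Not code from the Cyber Arena site or the OT course. Frame layout follows the
public Modbus/TCP specification; all frames, IPs and the allowlist below are
constructed for the example.
"""
import struct

FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs", 3: "Read Holding Registers",
    4: "Read Input Registers", 5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
}
WRITE_CODES = {5, 6, 15, 16}


def parse_modbus_tcp(frame):
    """Decode one Modbus/TCP request or response; raise ValueError on malformed input."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    # MBAP length counts the unit id plus the PDU, i.e. everything after byte 6.
    if length != len(frame) - 6:
        raise ValueError(f"MBAP length {length} but {len(frame) - 6} bytes follow")
    fc, data = frame[7], frame[8:]
    rec = {
        "transaction_id": tid, "unit_id": unit,
        "function_code": fc & 0x7F,          # high bit set = exception response
        "exception": bool(fc & 0x80),
        "is_write": (fc & 0x7F) in WRITE_CODES,
    }
    rec["name"] = FUNCTION_NAMES.get(rec["function_code"], "Other/vendor-specific")
    if rec["exception"]:
        rec["exception_code"] = data[0] if data else None
    elif rec["function_code"] in (1, 2, 3, 4, 5, 6) and len(data) >= 4:
        addr, val = struct.unpack(">HH", data[:4])
        rec["address"] = addr
        rec["quantity" if rec["function_code"] <= 4 else "value"] = val
    elif rec["function_code"] in (15, 16) and len(data) >= 5:
        addr, qty, nbytes = struct.unpack(">HHB", data[:5])
        if len(data) != 5 + nbytes:
            raise ValueError("byte count does not match payload length")
        rec.update(address=addr, quantity=qty, payload=data[5:].hex())
    return rec


def inspect_traffic(observed, allowed_writers):
    """Return findings for writes from hosts outside the allowlist and for
    frames the parser rejects; both deserve an analyst's attention."""
    findings = []
    for src, frame in observed:
        try:
            rec = parse_modbus_tcp(frame)
        except ValueError as err:
            findings.append({"src": src, "finding": "malformed", "detail": str(err)})
            continue
        if rec["is_write"] and not rec["exception"] and src not in allowed_writers:
            findings.append({"src": src, "finding": "unexpected-write",
                             "detail": f"{rec['name']} unit {rec['unit_id']} "
                                       f"addr {rec.get('address')}"})
    return findings


# Constructed traffic: (source IP, raw frame). 10.10.1.5 is the assumed HMI host.
ALLOWED_WRITERS = {"10.10.1.5"}
OBSERVED = [
    ("10.10.1.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),   # read 10 holding registers
    ("10.10.1.5",  bytes.fromhex("0002 0000 0006 01 06 0010 1234")),   # write register 0x10, allowed host
    ("10.10.7.77", bytes.fromhex("0003 0000 000b 01 10 0010 0002 04 0001 0002")),  # write 2 regs, unknown host
    ("10.10.7.77", bytes.fromhex("0004 0000 0006 01 05 0000 ff00")),   # force coil 0 ON, unknown host
    ("10.10.1.5",  bytes.fromhex("0001 0000 0003 01 83 02")),           # exception: illegal data address
    ("10.10.9.9",  bytes.fromhex("0005 0000 0006 01 03")),              # truncated frame
]

if __name__ == "__main__":
    for f in inspect_traffic(OBSERVED, ALLOWED_WRITERS):
        print(f["src"], f["finding"], f["detail"])
```

The allowlist is the whole control here, because the protocol itself offers none: a PLC will execute the Write Single Coil from `10.10.7.77` exactly as it would from the HMI. The same parser can be pointed at a packet capture by feeding it the TCP payloads of port-502 segments.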
CIA – Confidentiality, Integrity, Availability
What it means: The CIA triad describes three basic security goals: confidentiality of information, integrity of data, and availability of systems.
Why it matters: In IT, confidentiality may be the priority. In OT, availability and operational safety can be just as important or even more important. The triad helps clarify priorities.
Where you see it in practice: You see it in security fundamentals, risk analysis, and IT/OT discussions. For application in industrial environments, see OT Cybersecurity Essentials.
CISO – Chief Information Security Officer
What it means: The CISO is the leader responsible for an organization’s information security strategy. The role connects technical risk, business objectives, compliance, and response capability.
Why it matters: A CISO needs to understand both the technical language of SOC and DFIR teams and the impact on management, reputation, and business continuity.
Where you see it in practice: You see it in strategic decisions, governance, risk management, and major incident response. For the operational exercise component, see Incident Response.
AI – Artificial Intelligence
What it means: AI refers to systems that can analyze data, identify patterns, generate content, or assist decision processes.
Why it matters: In cybersecurity, AI can support analysis and automation, but it can also introduce new risks. Teams need to understand both defensive uses and the limits of the technology.
Where you see it in practice: You see it in log analysis, rule generation, task automation, and securing AI applications. For this topic, see AI for Cybersecurity.
LLM – Large Language Model
What it means: An LLM is a language model capable of processing and generating text. Use cases include assistance with analysis, drafting, summarization, and support in investigating technical data.
Why it matters: LLMs can be useful, but they must be used carefully: they may produce wrong answers with full confidence, leak sensitive data that was placed in prompts or reachable through connected tools if not configured correctly, and be targeted by manipulation techniques such as prompt injection.
Where you see it in practice: You see it in AI security, chatbot-based application security, and AI-assisted SOC workflows. The term is relevant in AI for Cybersecurity.
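One mitigation for the data-exposure risk above, as an added example (not code from the Cyber Arena site or the AI for Cybersecurity course): before a log excerpt leaves the SOC for an LLM, secrets are stripped outright and e-mail addresses, bearer tokens and IP addresses are replaced with stable placeholders, so the same host keeps the same label and the model can still reason about "who did what". The mapping stays local and is used to put the real values back into the model's answer. The log lines, addresses and credential values are constructed; the regexes are a deliberately small set, and a real deployment would extend them (hostnames, usernames, internal URLs) to its own data.

```python
"""Added example: pseudonymize log excerpts before they are sent to an LLM.

Not code from the Cyber Arena site or courses. Secrets (key=value fields and
bearer tokens) are removed and never restored; e-mail and IPv4 values get
stable placeholders that can be mapped back afterwards. Sample lines are
constructed; the pattern list is a minimal, illustrative set.
"""
import re

# Ordered so that secrets are handled before the generic patterns see them.
PATTERNS = [
    ("SECRET", re.compile(r"(?i)\b(password|passwd|api[_-]?key|token)=\S+")),
    ("TOKEN",  re.compile(r"\bBearer\s+[A-Za-z0-9._\-]{16,}")),
    ("EMAIL",  re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")),
    ("IP",     re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


class Pseudonymizer:
    """Replaces sensitive values with numbered placeholders and remembers the mapping."""

    def __init__(self):
        self.forward = {}    # real value -> placeholder
        self.reverse = {}    # placeholder -> real value
        self.counter = {}    # kind -> next sequence number

    def _placeholder(self, kind, value):
        if value not in self.forward:
            n = self.counter.get(kind, 0) + 1
            self.counter[kind] = n
            ph = f"<{kind}_{n}>"
            self.forward[value] = ph
            self.reverse[ph] = value
        return self.forward[value]

    def redact(self, text):
        """Return text safe to send to the model; secrets are dropped, not mapped."""
        for kind, rx in PATTERNS:
            if kind == "SECRET":
                # Keep the key name so the context survives; drop only the value.
                text = rx.sub(lambda m: m.group(0).split("=", 1)[0] + "=<REDACTED>", text)
            elif kind == "TOKEN":
                # Tokens are credentials: placeholder them for counting, but never store them.
                text = rx.sub(lambda m, k=kind: f"<{k}_{self._bump(k)}>", text)
            else:
                text = rx.sub(lambda m, k=kind: self._placeholder(k, m.group(0)), text)
        return text

    def _bump(self, kind):
        n = self.counter.get(kind, 0) + 1
        self.counter[kind] = n
        return n

    def restore(self, text):
        """Put real values back into a model answer that refers to placeholders."""
        for ph, real in self.reverse.items():
            text = text.replace(ph, real)
        return text


def redact_for_llm(text):
    """Convenience wrapper: returns (redacted_text, pseudonymizer for restore())."""
    p = Pseudonymizer()
    return p.redact(text), p


# Constructed sample excerpt (not real data).
SAMPLE = """\
2024-03-10T09:14:12Z web01 sshd: Accepted password for deploy from 203.0.113.5 port 51010
2024-03-10T09:14:30Z web01 app: login ok user=alice@example.com src=203.0.113.5 password=hunter2
2024-03-10T09:15:02Z web01 app: outbound POST https://api.example.net/v1 Authorization: Bearer abcdef0123456789ABCDEF src=198.51.100.7
"""

if __name__ == "__main__":
    redacted, p = redact_for_llm(SAMPLE)
    print(redacted)
    # Simulated model answer, restored locally before the analyst reads it.
    print(p.restore("Source <IP_1> authenticated as <EMAIL_1> and then reached <IP_2>."))
```

Note the asymmetry: IPs and e-mails are reversible because the analyst needs them back in the answer, while passwords and bearer tokens are never stored in the mapping at all, so a compromised mapping file or a verbose model reply cannot hand them out. Redaction reduces what the model can leak; it does nothing about prompt injection in the log content itself, which needs separate handling.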
GenAI – Generative AI
What it means: GenAI describes AI systems that generate new content: text, code, images, rules, summaries, or analysis variants.
Why it matters: In cybersecurity, GenAI can speed up certain activities, but it can also be misused or produce results that need specialist validation. Control, testing, and human review remain essential.
Where you see it in practice: You see it in discussions about AI applied to security, AI-generated polymorphic malware, playbooks, and YARA rules. For controlled applications, see AI for Cybersecurity.
OWASP
What it means: OWASP (the Open Worldwide Application Security Project) is a non-profit known for educational resources and projects related to application security, including the OWASP Top 10. In the AI area, its Top 10 for Large Language Model Applications is often used to understand risks specific to LLM-based applications.
Why it matters: For teams that develop or use AI applications, OWASP provides a useful discussion framework about risks, controls, and questions that need to be addressed before production.
Where you see it in practice: You see it in application security, LLM security, and AI projects. It is included in AI for Cybersecurity.
MITRE ATLAS
What it means: MITRE ATLAS (Adversarial Threat Landscape for Artificial-Intelligence Systems) is a knowledge base of tactics and techniques used against AI and machine-learning systems, structured in the same way as MITRE ATT&CK. It helps teams discuss AI risks in a more structured language.
Why it matters: As organizations use AI in technical or business processes, they need a method to identify risks specific to these systems, not only classic IT risks.
Where you see it in practice: You see it in AI security, risk assessment for AI systems, and securing language models. For practical training, see AI for Cybersecurity.
YARA
What it means: YARA is a tool for writing rules that identify and classify files or process memory by the patterns they contain: text strings, byte sequences, regular expressions, and boolean conditions over them. It is widely used to describe malware families and to hunt for them.
Why it matters: YARA rules can support analysis, detection, and threat documentation, but they must be built and tested carefully: a rule that is too broad floods analysts with false positives, and one that is too narrow misses variants.
Where you see it in practice: You see it in malware analysis, threat hunting, investigations, and applied AI exercises. It is relevant in AI for Cybersecurity.
DDoS – Distributed Denial of Service
What it means: DDoS describes an attack that aims to make a service unavailable by overwhelming it with traffic or requests.
Why it matters: Even when it does not directly compromise data, a DDoS attack can affect availability, reputation, and the continuity of digital services.
Where you see it in practice: You see it in articles about cyberattacks, availability, and response plans. To understand attack types and basic defense, see Cybersecurity Threats and Defense.
CEH and CompTIA
What it means: CEH (Certified Ethical Hacker) is a certification issued by EC-Council, and CompTIA is a certification body whose security-related credentials include Security+ and CySA+. Both names come up often when people search for cybersecurity certifications or learning paths.
Why it matters: These references can help with orientation, but choosing a course should not depend only on the certification name. Current level, target role, and the amount of practice offered by the program matter.
Where you see it in practice: You see them in discussions about careers, certifications, and transition into SOC, IT security, or incident response roles. As a practical starting point, see Cybersecurity Threats and Defense.
How to use this glossary in practice
If you are a network administrator, systems administrator, or early-stage SOC analyst, start with terms such as SOC, SIEM, EDR, phishing, ransomware, APT, and Cyber Kill Chain. These form the foundation for understanding alerts and common attacks.
If you work in incident response, focus on IR, DFIR, SIEM, EDR, MITRE ATT&CK, CISO, and the process of containment, eradication, and recovery. In this area, terminology must become fast decisions and accurate documentation.
If you work in critical infrastructure or industrial environments, the terms OT, SCADA, IT/OT, Modbus, TCP/IP, and the CIA triad are essential. In these environments, availability and operational safety can weigh as much as data protection.
If you explore AI in cybersecurity, start with AI, LLM, GenAI, OWASP, MITRE ATLAS, and YARA. These terms appear more and more often in discussions about defense, automation, securing AI applications, and analysis supported by language models.
Frequently Asked Questions
Who is this cybersecurity glossary useful for?
It is useful for IT professionals, network administrators, systems administrators, SOC analysts, DFIR teams, OT/SCADA specialists, security managers, and decision makers who want to understand the language used in cybersecurity more clearly.
Do I need to know all the terms before joining a course?
No. The glossary helps with orientation, but practical courses are built precisely to turn terms into exercises, scenarios, and applied decisions.
Which terms are most important for a Tier 1 SOC analyst?
For a Tier 1 SOC analyst, the most important terms are SOC, SIEM, EDR, alert, phishing, malware, APT, Cyber Kill Chain, and Incident Response.
Which terms are most important for OT/SCADA?
For OT/SCADA, the essential terms are OT, SCADA, IT/OT, Modbus, TCP/IP, CIA, and operational availability.
How can the glossary help internal training in a company?
A shared glossary reduces confusion between IT, security, operations, and management teams. When everyone uses the same terms, communication during an incident becomes clearer.
Is reading definitions enough to understand cybersecurity?
No. Definitions are a starting point. In cybersecurity, real learning happens when terms are applied in scenarios, investigations, simulations, and practical exercises.
