The Honest Security Glossary
Security jargon, translated into plain English with brutal honesty.
Every term comes with the official definition (what they tell auditors), the real definition (what it actually means), and the red flag (when to be suspicious).
Things Auditors Ask About
Audit
An independent examination of an organization's controls, processes, or financial records.
Weeks of gathering evidence, answering questions, and explaining why that one exception happened. The auditor's job is to find problems. Your job is to have already fixed them.
An auditor who doesn't ask any hard questions.
Business Associate Agreement (BAA)
A HIPAA-required contract between a covered entity and a vendor who handles PHI.
The legal document that obligates your vendor to protect health data and accept responsibility if they fail. Getting a company to sign one is easy. Getting them to actually follow it is the important part.
A vendor who takes weeks to produce a BAA or wants to "modify" the standard terms.
Control
A safeguard or countermeasure designed to protect the confidentiality, integrity, and availability of information and systems.
Something you do (or a tool you use) to prevent bad things from happening. Controls can be technical (MFA), administrative (policies), or physical (locked doors). Auditors love talking about controls.
Controls that exist in policy but not in practice.
Evidence Collection
The process of gathering documentation to demonstrate control effectiveness.
Screenshots. So many screenshots. Plus logs, policies, and that one approval email from 2019 that you really hope is still in someone's inbox.
Manually collecting logs, configuration screenshots, and other artifacts on a quarterly basis instead of using a platform for automation.
FedRAMP
Federal Risk and Authorization Management Program, a standardized approach to security assessment for cloud services used by federal agencies.
The government's way of saying "prove you're secure enough for us." It's SOC 2's more demanding older sibling. The process is long, expensive, and once you're in, you're basically in the club.
Claiming to be "FedRAMP ready" when you haven't started the authorization process.
HIPAA
The Health Insurance Portability and Accountability Act, establishing national standards for protecting sensitive patient health information.
Healthcare's security law that governs how you handle PHI. There's no official certification. You're either compliant or you're waiting for OCR to come knocking. The fines are substantial.
"We don't need a BAA because we don't look at the data."
HITRUST
A certifiable framework that harmonizes various industry standards (HIPAA, NIST, ISO, PCI) into a single comprehensive security and privacy framework.
A proprietary framework that bundles NIST, ISO, HIPAA, and other standards into one certifiable package. Healthcare enterprises often require it. Critics call it expensive and "pay to play." But if your customers require it, the debate is academic.
Pursuing HITRUST when your customers would accept SOC 2 + HIPAA.
ISO 27001
An international standard for information security management systems (ISMS) that provides requirements for establishing, implementing, maintaining, and continually improving security.
The European cousin of SOC 2. More prescriptive, requires a formal management system, and involves ongoing surveillance audits. Popular with enterprises and anyone selling to European customers.
Claiming ISO 27001 certification when you only did a gap assessment.
NIST Cybersecurity Framework
A voluntary framework developed by the National Institute of Standards and Technology consisting of standards, guidelines, and best practices for managing cybersecurity risk.
The free, government-created framework that most other frameworks borrow from. Organizes security into six functions: Govern, Identify, Protect, Detect, Respond, Recover. Not certifiable, but widely respected and a solid foundation for any security program. Start here if you're not sure where to start.
Using NIST CSF as a checkbox exercise without actually implementing the controls.
PCI DSS
Payment Card Industry Data Security Standard, with requirements for organizations that handle credit card data.
The credit card industry's way of making sure you don't store card numbers in a spreadsheet. The requirements are detailed, the audits are thorough, and the consequences for breaches are significant.
"We're PCI compliant" but the SAQ was filled out by marketing.
Risk Assessment
A systematic process to identify, analyze, and evaluate risks to organizational assets.
The exercise where you write down all the bad things that could happen and try to quantify how bad they'd be. Required by basically every framework, and a great way to discover how much you don't know about your own systems.
A risk assessment that finds zero high-severity risks. Either you're Fort Knox or someone didn't try.
SOC 2
A compliance framework from AICPA for service organizations, covering security, availability, processing integrity, confidentiality, and privacy.
The certificate enterprise customers demand before they'll sign the contract. Think of it as a security report card that auditors create by asking you a lot of questions and looking at your evidence. Type I is a snapshot, Type II is a movie.
"We're SOC 2 compliant" with no report to share.
Technical Stuff That Matters
API Security
Practices and tools to protect application programming interfaces, the entry points to your systems, from attacks.
Your APIs are often your biggest attack surface and you may not have visibility into all of them. Every engineer spins up endpoints; not every engineer thinks about authentication, authorization, and other security controls.
"Our APIs are secure," but the inventory is missing, the release process is ad hoc, and security reviews are limited.
Cloud Access Security Broker (CASB)
A security policy enforcement point between cloud users and cloud service providers.
The bouncer for your SaaS apps. Sits between employees and cloud services, watching what they're doing and blocking the sketchy stuff. Most useful for controlling shadow IT and stopping people from uploading sensitive files to random apps.
A CASB deployment that only monitors and never blocks anything.
Cloud Infrastructure Entitlement Management (CIEM)
Tools that manage identities and access privileges across cloud environments.
The tool that tells you which IAM policies are insane. Analyzes who has access to what in your cloud and flags the service account with admin permissions that hasn't been used in 400 days. Essential because nobody manually audits IAM policies.
CIEM findings that pile up because nobody has time to fix them.
Cloud Security Posture Management (CSPM)
Tools that continuously monitor cloud infrastructure for misconfigurations and compliance violations.
Your cloud security watchdog, constantly checking for open S3 buckets, overly permissive IAM roles, and the hundred other ways cloud environments drift out of compliance. Essential for cloud-first companies, but only valuable if someone actually triages and remediates the findings.
A CSPM tool with thousands of unacknowledged findings.
Cloud Workload Protection Platform (CWPP)
Security focused on protecting workloads running in the cloud.
Security for the stuff actually running in your cloud: VMs, containers, serverless functions. While CSPM checks your configuration, CWPP checks what's happening at runtime. Looks for vulnerabilities, malware, and weird behavior inside your workloads.
CWPP deployed to production but not to dev, where all the real testing happens.
Cloud-Native Application Protection Platform (CNAPP)
A unified platform combining CSPM, CWPP, and CIEM capabilities.
The consolidation play. Vendors realized customers were drowning in point solutions, so they bundled everything into one platform. Does CSPM, workload protection, and entitlement management in one console. Whether the bundled version is as good as best-of-breed is the eternal debate.
Buying a CNAPP because it checks every box, then only using 20% of it.
Data Security Posture Management (DSPM)
Tools that discover, classify, and protect sensitive data across cloud environments.
Answers the question 'where the hell is our sensitive data?' Scans your cloud storage, databases, and file shares to find PII, PHI, and secrets you forgot about. Critical for compliance, terrifying for what it reveals.
A DSPM scan that finds customer data in 47 places nobody knew about.
Encryption
The process of converting information into code to prevent unauthorized access.
The reason a stolen laptop or intercepted network traffic doesn't automatically mean a breach. "Encryption at rest" protects stored data. "Encryption in transit" protects data moving across networks. You want both, and you need to know where your keys are stored.
"Our data is encrypted" but no one can explain how or where the keys are stored.
Endpoint Detection and Response (EDR)
Security technology that monitors endpoint devices for suspicious activity and responds to threats.
Antivirus that went to graduate school. Watches what's happening on laptops and servers, looks for bad behavior, and can respond automatically. Actually quite good at catching things now.
EDR deployed to half the fleet because "the engineers complained."
Identity and Access Management (IAM)
Policies and technologies ensuring the right people have appropriate access to technology resources.
The gatekeeper for your entire environment. In cloud providers like AWS, it's the 500-page documentation that one person on your team actually understands. Get it wrong and either nobody can do their job or everybody can access everything.
Root credentials stored in a password manager shared with 47 people. All user groups in the cloud have full Admin permissions.
Infrastructure as Code (IaC)
Managing and provisioning infrastructure through code rather than manual processes.
Terraform, CloudFormation, Pulumi. Instead of clicking around the console, you define infrastructure in version-controlled files. Security implication: misconfigurations in IaC propagate everywhere instantly. But at least you can scan them before deployment.
IaC that's never been scanned for security issues before deployment.
Kubernetes Security Posture Management (KSPM)
CSPM specifically for Kubernetes environments.
CSPM's container-obsessed sibling. Scans your Kubernetes clusters for misconfigurations: containers running as root, missing network policies, RBAC that's too permissive. If you're running K8s in production, you need this or something like it.
KSPM that only scans cluster configs but ignores the images running in them.
Least Privilege
The principle that users should have only the minimum access necessary to perform their job functions.
Everyone's an admin until you implement this. The goal is "need to know" and "need to do," nothing more. It sounds simple until you try to actually do it and realize everyone has access to everything.
"We'll clean up permissions after the sprint."
Managed Detection and Response (MDR)
An outsourced cybersecurity service that provides 24/7 threat monitoring, detection, and response capabilities.
A SOC team you rent instead of build. They monitor your endpoints, cloud, and network for threats and respond when something bad happens. Better than a SIEM nobody watches, and cheaper than hiring a full security operations team. The question is whether they actually know your environment or just run playbooks.
An MDR provider who can't explain how they'd detect threats specific to your tech stack.
Mean Time to Remediate (MTTR)
The average time between detecting a security issue and resolving it.
How long it takes you to actually fix things. The metric that separates security theater from real security. A CSPM finding that sits open for 6 months isn't protecting anything. Track this by severity level, or your average gets skewed by low-priority noise.
Not tracking MTTR at all. Or tracking it but not by severity.
Multi-Factor Authentication (MFA)
An authentication method requiring two or more verification factors to gain access.
The single most effective control against account takeover. Modern options include authenticator apps, YubiKeys, registered devices, and biometrics. The goal: a stolen password alone isn't enough to get in.
"We have MFA available" but it's not required.
Penetration Testing
Authorized simulated attacks on a computer system to evaluate security.
Paying someone to try to break into your systems before the actual bad guys do. They'll find things you missed. You'll fix them. That's the point.
A pentest report with zero findings. Or a "pentest" that was actually just an automated vulnerability scan.
Role-Based Access Control (RBAC)
Access control based on roles rather than individual user permissions.
Instead of giving permissions to people, you give permissions to roles, then assign people to roles. Simpler at scale, but requires careful role design. The trap is creating so many roles that it becomes as complex as individual permissions.
A role called 'PowerUser' that 80% of the company is assigned to.
SaaS Security Posture Management (SSPM)
Tools that continuously monitor SaaS application configurations for security misconfigurations and compliance violations.
CSPM's cousin for SaaS apps. Watches your Microsoft 365, Salesforce, Slack, and dozens of other SaaS tools for risky configurations, excessive permissions, and shadow SaaS. If CSPM monitors your cloud infrastructure, SSPM monitors everything your employees log into.
No visibility into which SaaS apps have access to your data, or which users have admin rights.
Security Orchestration, Automation and Response (SOAR)
Tools that automate security operations workflows.
Automation for your SOC. When an alert fires, SOAR can automatically enrich it with context, run playbooks, and even remediate without human intervention. The dream is fewer analysts doing more. The reality requires significant investment to set up properly.
SOAR playbooks that auto-close alerts without actually investigating them.
SIEM
Security Information and Event Management, a platform that collects, analyzes, and reports on security data.
A giant log aggregator that's supposed to detect attacks. In practice, it generates alerts that a human has to review. If you don't have that human, it's an expensive log storage system.
A SIEM that no one has logged into this month.
Single Sign-On (SSO)
An authentication scheme that allows users to access multiple applications with one set of credentials.
Log in once, access everything. Great for users, great for security (when done right), and often absurdly expensive because vendors know you need it.
SSO that doesn't enforce MFA. Or all the SaaS apps left out because of the SSO tax.
Vulnerability Scanning
Automated testing of systems to identify known security weaknesses.
Running a tool that tells you everything that's wrong with your systems. The trick is not drowning in the results. Pro tip: Most of those "critical" findings aren't actually critical in your environment.
Scanning once a year and calling it continuous monitoring.
Zero Trust
A security model that requires strict identity verification for every person and device trying to access resources, regardless of network location.
"Never trust, always verify." Sounds paranoid until you realize the alternative was "trust everyone inside the firewall," and that worked out terribly. It's less a product you buy and more a philosophy you gradually implement across your environment.
Anyone who says they "implemented zero trust" in a single quarter.
Security Leadership
CISO
Chief Information Security Officer, the executive responsible for an organization's information and data security.
The person accountable when things go wrong and often invisible when things go right. Part security expert, part translator, part executive advisor. The job is making the business safer without slowing it down.
A CISO who reports to IT and has no board access.
Cyber Insurance
Insurance coverage designed to protect organizations against losses from cyber incidents including data breaches, ransomware, and business interruption.
Financial protection for when security fails. Best reserved for catastrophic events—claims are burdensome and deductibles are high. Insurers now ask detailed questions about MFA, EDR, and backups. Lie on the application and they won't pay.
A policy that excludes ransomware or "failure to maintain security controls."
Fractional CISO
A part-time or outsourced security executive who provides strategic leadership on a flexible basis. Also known as a virtual CISO (vCISO).
All the strategy, none of the $400K salary. Works for companies that need security leadership but aren't ready for a full-time hire. Same expertise, different employment model.
A "fractional CISO" who's really just a security engineer answering emails. Or one who meets for an hour a month to "check on progress."
Governance
The framework of policies, processes, and decision-making structures that guide security activities.
The boring stuff that determines whether security actually works. Who makes decisions? Who's accountable? How do exceptions get approved? Without governance, security becomes a series of one-off decisions that don't add up to anything.
"Our governance is that everyone's responsible for security."
Incident Response Plan
Documented procedures for detecting, responding to, and recovering from security incidents.
The playbook for when things go wrong. Who do you call? What do you do first? How do you communicate? If you're figuring this out during an incident, you've already lost.
An incident response plan that's never been tested.
M&A Security Due Diligence
The assessment of cybersecurity risks and posture during mergers, acquisitions, or investment transactions.
Finding out what you're actually buying. Acquirers want to know if the target company has hidden security debt, undisclosed breaches, or compliance gaps that become their problem post-close. Sellers want a clean security story that doesn't crater the deal.
Security due diligence that consists of a single questionnaire with no technical validation.
Risk Appetite
The level of risk an organization is willing to accept in pursuit of its objectives.
How much danger the business is comfortable with. Every company says they're "risk-averse" until you show them how much security costs. This is actually a business decision, not a security decision.
Executives who say "just make it secure" without defining acceptable risk.
Security Awareness Training
Programs designed to educate employees about security risks and best practices.
Your people will always be a target. The question is whether they're prepared for it. Good training builds instincts, not just checkbox completion.
Annual training with 100% pass rate and zero actual behavior change.
Security Program
The coordinated set of activities, policies, and controls that protect an organization's information assets.
The difference between random security activities and actual security. Policies, tools, training, processes, and the strategy connecting them into something intentional. Without a program, you're just buying tools and reacting to fires.
A security "program" that's really just a list of tools purchased.
Security Questionnaire
A standardized set of questions used to evaluate an organization's security posture.
The 300-question spreadsheet that gates every enterprise deal. Your answers are reviewed by vendor risk analysts who've seen thousands of these and know which answers don't hold up.
Copying answers from last year's questionnaire without checking if they're still true.
Security Roadmap
A strategic plan outlining security initiatives, timelines, and resource requirements.
Your answer to "what's the security plan?" Shows what you're doing, when, and why, balancing risk reduction, compliance deadlines, and budget reality. Lives in a slide deck, dies in a spreadsheet.
A roadmap that hasn't been updated since it was created.
Tabletop Exercise
A discussion-based exercise where participants walk through a simulated incident scenario.
Getting everyone in a room and asking "what would we actually do if..." Cheaper than a real incident and surprisingly revealing. Most teams discover their plan has holes big enough to drive a truck through.
A tabletop where everyone agrees the plan is perfect.
Third-Party Risk Management
The process of identifying, assessing, and mitigating risks associated with outsourcing to vendors and service providers.
Your security is only as strong as your weakest vendor. This is the practice of figuring out which vendors have access to your data, how secure they are, and what happens if they get breached. Starts with a spreadsheet, ends with security questionnaires and contract clauses.
No inventory of which vendors have access to sensitive data.
Buzzwords VCs Love
Agent Security
Security practices for AI agents that can autonomously execute actions, access data, and interact with systems.
The new frontier of 'what could possibly go wrong.' AI agents that can browse the web, execute code, and access your systems need serious guardrails. Least privilege, sandboxing, human-in-the-loop for dangerous actions. We're all figuring this out in real-time.
An AI agent with production database access and no approval workflow for destructive actions.
AI Firewall
A security layer that inspects and filters AI model inputs and outputs to prevent data leakage and policy violations.
Content filtering for AI traffic. Scans what goes into prompts (blocking PII, secrets, source code) and what comes out (blocking harmful content, hallucinated data). Some are rule-based, some use AI to catch AI. Effectiveness varies wildly.
An AI firewall that only checks inputs but ignores what the model sends back.
AI Gateway
A centralized control point that monitors, secures, and manages AI API traffic between applications and AI model providers.
The security chokepoint for all your AI calls. Routes requests to OpenAI, Anthropic, and other providers through a single point where you can log everything, enforce policies, and block sensitive data from leaving. Essential once you have more than a few AI integrations.
Direct API keys to AI providers scattered across dozens of applications with no central visibility.
AI Security
The practice of securing AI systems and managing risks associated with AI adoption.
Making sure your AI tools don't leak your data, get manipulated by attackers, or make decisions you can't explain to regulators. Includes securing the models you build, the APIs you use, and the data you feed them.
No visibility into data access, data retention, model training policies, or excessive permissions granted to AI tools.
AI Toolshed
A curated collection of AI tools, agents, and integrations available for use within an organization's approved environment.
Your controlled inventory of AI capabilities. Instead of everyone spinning up random AI tools, you provide a menu of vetted options. The goal is enabling productivity while maintaining security guardrails. Better than playing whack-a-mole with shadow AI.
An AI toolshed that's so locked down nobody uses it, so they go around it.
Attack Surface
The sum of all points where an attacker could try to enter or extract data from a system.
Everywhere you can be attacked, which is more places than you think. Every API, every login page, every exposed service, every employee with email access. Modern companies have enormous attack surfaces.
Not knowing what your attack surface actually is.
Cyber Resilience
An organization's ability to continuously deliver intended outcomes despite adverse cyber events.
Accepting that you will get breached and planning to survive it. Less sexy than "we're unhackable" but far more realistic. Includes backup/recovery, incident response, and business continuity.
Resilience planning that assumes backups always work. (They don't.)
Defense in Depth
A security strategy that layers multiple controls so that if one fails, others compensate.
Multiple locks on the door. If the firewall fails, EDR catches it. If EDR fails, the SOC catches it. The goal is no single point of failure.
Defense in depth implemented by different vendors who don't talk to each other.
DevSecOps
The integration of security practices into DevOps processes throughout the software development lifecycle.
Shift left plus automation plus acronyms. The idea is good: security isn't a gate at the end, it's baked into the process. The implementation is often just adding SAST tools that everyone ignores.
DevSecOps without a security person on the DevOps team.
Model Context Protocol (MCP)
An open standard for connecting AI assistants to external data sources and tools.
Anthropic's protocol for letting AI agents access your systems. Instead of copy-pasting context, MCP lets Claude (and other AI) directly read files, query databases, and use tools. Powerful, but every MCP server is an attack surface you're exposing to an AI.
MCP servers with write access to production systems and no audit logging.
Prompt Injection
An attack where malicious instructions are inserted into prompts to manipulate AI model behavior.
Tricking a clanker into ignoring its instructions and doing what the attacker wants instead. The AI equivalent of SQL injection. If your product uses LLMs, this is your problem now.
An AI-powered feature that takes user input without any input validation or output filtering.
Security by Design
An approach where security is built into systems from the beginning rather than added later.
Thinking about security before you write the code, not after the pentest report comes back. Revolutionary concept, rarely practiced, always cheaper than retrofitting.
"Security by design" as a slide in a pitch deck with no budget attached.
Shadow AI
The use of AI tools and services by employees without IT or security approval.
Your employees are already using ChatGPT, Claude, and a dozen other AI tools. The question is whether they're pasting customer data, source code, or credentials into them. Shadow AI is the new shadow IT.
No policy on AI usage. Or a policy that says "don't use AI" while everyone ignores it.
Shift Left
Integrating security practices earlier in the software development lifecycle.
Finding security problems before code ships, not after. Makes sense in theory, requires actual investment in practice. Usually means "make developers do security work without hiring security people."
"We shifted left" but security still isn't involved until the week before launch.
Threat Intelligence
Evidence-based knowledge about threats, threat actors, and their tactics, techniques, and procedures.
Information about who's attacking companies like yours and how. Ranges from free (security news, CISA alerts) to expensive (commercial threat intel platforms). Useful for prioritizing defenses, but most companies need less of it than vendors claim.
Threat intel feeds that don't automatically map to your actual inventory.
Things That Keep You Up at Night
Advanced Persistent Threat (APT)
A prolonged, targeted cyberattack where an intruder gains access and remains undetected.
The sophisticated attackers who get in and stay in, for months or years. Usually nation-states or well-funded criminal groups. If you're a regular company, you probably don't have APT problems. You have "we didn't patch" problems.
Claiming everything is an APT to avoid explaining the real cause.
Business Email Compromise (BEC)
A scam where attackers impersonate executives or trusted parties to trick employees into transferring money.
The CEO emails accounting: "Wire $50K to this account immediately and don't tell anyone." Except it's not the CEO. Low-tech, high-reward. Billions lost annually. Usually defeats all your fancy technical controls. Modern email security solutions can detect impersonation attempts before they reach inboxes.
Wire transfer approval processes that rely solely on email.
Credential Stuffing
An attack where stolen username/password combinations are used to attempt unauthorized access.
Attackers take breached passwords from one site and try them everywhere else. Works because people reuse passwords. This is why MFA matters and why you should use a password manager.
No rate limiting on login attempts.
Data Breach
A security incident in which sensitive, protected, or confidential data is accessed or disclosed without authorization.
When the bad stuff happens. Customer data exposed, credentials stolen, systems compromised. Triggers notification requirements, regulatory scrutiny, and a lot of difficult conversations. Measure your security program by how ready you are for this.
Learning about a breach from a journalist.
Insider Threat
A security risk originating from within the organization, whether malicious or negligent.
Your own employees, contractors, or partners causing problems, sometimes on purpose, often by accident. The admin who takes the customer database when they leave. The engineer who commits secrets to GitHub. The executive who reuses passwords.
No monitoring of access to sensitive systems.
Phishing
Fraudulent attempts to obtain sensitive information by posing as a trustworthy entity.
Fake emails designed to trick people into clicking links or entering credentials. Responsible for the majority of breaches because it works. It will always work. Train your people anyway.
Relying on people to spot phishing emails without compensating controls.
Ransomware
Malware that encrypts files and demands payment for the decryption key.
Criminals encrypt your stuff and demand Bitcoin. It's a $20 billion industry that ruins companies regularly. Your options are: pay (they might decrypt, might not), restore from backups (if you have good ones), or start over.
Offline backups that aren't actually offline.
Social Engineering
Psychological manipulation techniques used to trick people into divulging confidential information.
Hacking humans instead of computers. Pretexting, pretending to be IT, tailgating into buildings. People are often easier to exploit than systems. Your technical controls mean nothing if someone talks their way in.
Security training that doesn't cover social engineering.
Supply Chain Attack
An attack that targets less-secure elements in the supply network to compromise a final target.
Attacking your vendors to get to you. SolarWinds, Codecov, MOVEit. Instead of breaking down your door, attackers compromise someone you trust and walk right in. Hard to detect, harder to prevent.
Never asking vendors about their security practices.
Zero-Day
A vulnerability that is unknown to the vendor and for which no patch exists.
A security hole nobody knows about except the attackers using it. Named because you have zero days to prepare. Rare in the wild, expensive to acquire, usually reserved for high-value targets. If you're worried about zero-days before fixing known vulnerabilities, you have your priorities backwards.
Using zero-days as an excuse for not patching known vulnerabilities.