
Glossary

This glossary provides definitions for key terms used throughout the Nexus SecOps textbook, covering security operations, AI/ML concepts, and defensive security practices.


A

Advanced Persistent Threat (APT)

A sophisticated, prolonged cyberattack where an unauthorized user gains access to a network and remains undetected for an extended period. APTs typically target high-value organizations and involve multiple attack stages including reconnaissance, initial compromise, and lateral movement.

Related concepts: Threat Actor, Lateral Movement, Command and Control

Alert

A notification generated by security tools when suspicious activity or a potential security incident is detected. Alerts require analysis and triage to determine if they represent genuine threats or false positives.

Related concepts: SIEM, Alert Fatigue, True Positive

Alert Fatigue

The desensitization that occurs when security analysts are overwhelmed by excessive alerts, leading to decreased effectiveness in identifying genuine threats. This phenomenon often results from poorly tuned detection rules and high false positive rates.

Related concepts: Alert Tuning, False Positive, SOC Efficiency

Alert Tuning

The process of adjusting detection rules and thresholds to reduce false positives while maintaining effective threat detection. Proper tuning improves SOC efficiency and reduces alert fatigue.

Related concepts: Detection Engineering, SIEM, Alert Fatigue

Anomaly Detection

A technique that identifies patterns in data that deviate from expected normal behavior. In security operations, anomaly detection helps identify potential threats by recognizing unusual user activities, network traffic patterns, or system behaviors.

Related concepts: Baseline, Machine Learning, Behavioral Analysis

Artifact

Digital evidence or indicators found during security investigations, such as file hashes, IP addresses, URLs, or registry keys. Artifacts help analysts understand attack patterns and build detection rules.

Related concepts: Indicator of Compromise, Forensics, Threat Intelligence

Attack Surface

The sum of all points (exposed services, network interfaces, accounts, APIs, code paths, and physical access) where an unauthorized user could attempt to enter or extract data from an environment. Reducing attack surface, for example by decommissioning unused services and accounts, is a key defensive strategy.

Related concepts: Attack Vector, Vulnerability Management, Defense in Depth

Attack Vector

The specific method or pathway used by an attacker to gain unauthorized access to a system or network. Common attack vectors include phishing, exploiting vulnerabilities, and social engineering.

Related concepts: Attack Surface, Threat Model, Kill Chain

Automation

The use of technology to perform tasks with minimal human intervention. In security operations, automation helps handle repetitive tasks, accelerate response times, and improve consistency.

Related concepts: SOAR, Orchestration, Playbook


B

Baseline

A documented reference point representing normal system or network behavior used for comparison to detect anomalies. Establishing accurate baselines is essential for effective anomaly detection.

Related concepts: Anomaly Detection, Network Traffic Analysis, Behavioral Analysis

Behavioral Analysis

The examination of user, system, or network activities to identify patterns that may indicate malicious behavior. This approach focuses on actions rather than known signatures.

Related concepts: Anomaly Detection, User and Entity Behavior Analytics, Machine Learning

Blue Team

Security professionals responsible for defending an organization's information systems against attacks. Blue team activities include monitoring, detection, incident response, and implementing defensive controls.

Related concepts: Red Team, Purple Team, SOC


C

Chain of Custody

The documented chronological record of evidence handling during an investigation to ensure integrity and admissibility. Proper chain of custody is critical for forensic investigations and legal proceedings.

Related concepts: Digital Forensics, Incident Response, Evidence Collection

Classification

The process of categorizing data, incidents, or threats based on predefined criteria. In machine learning, classification involves assigning labels to data points based on learned patterns.

Related concepts: Machine Learning, Supervised Learning, Incident Severity

Clustering

An unsupervised machine learning technique that groups similar data points together without predefined labels. In security, clustering helps identify patterns in large datasets and group similar incidents or alerts.

Related concepts: Unsupervised Learning, Machine Learning, Anomaly Detection

Command and Control (C2)

The infrastructure and communication channels used by attackers to maintain access and control over compromised systems. Detecting C2 communications is a critical SOC function.

Related concepts: APT, Beaconing, Exfiltration

Confusion Matrix

A table used to evaluate classification model performance by comparing predicted classifications against actual values. It displays true positives, true negatives, false positives, and false negatives.

Related concepts: Machine Learning, Precision, Recall, F1 Score

Containment

An incident response phase focused on limiting the scope and impact of a security incident. Containment strategies include network isolation, account disablement, and system quarantine.

Related concepts: Incident Response, Eradication, Recovery

Correlation

The process of analyzing multiple events or data points to identify relationships and patterns. Security correlation engines combine alerts from different sources to detect complex attack scenarios.

Related concepts: SIEM, Event Correlation, Detection Engineering

Cyber Kill Chain

A framework developed by Lockheed Martin describing the stages of a cyberattack from reconnaissance to actions on objectives. Understanding the kill chain helps defenders implement controls at each stage.

Related concepts: MITRE ATT&CK, Attack Lifecycle, Threat Modeling


D

Data Enrichment

The process of enhancing security data with additional context from external sources such as threat intelligence feeds, geolocation databases, or asset inventories. Enrichment improves analysis accuracy and decision-making.

Related concepts: Threat Intelligence, SIEM, Context

Dataset

A collection of data used for training, validating, or testing machine learning models. Quality datasets are essential for developing effective security AI/ML solutions.

Related concepts: Training Data, Machine Learning, Data Labeling

Defense in Depth

A security strategy employing multiple layers of defensive controls so that if one layer fails, others continue providing protection. This approach reduces single points of failure.

Related concepts: Security Controls, Layered Security, Risk Management

Detection Engineering

The practice of developing, implementing, and maintaining detection logic to identify security threats. Detection engineers create rules, signatures, and analytics that power security monitoring tools.

Related concepts: SIEM, Threat Hunting, Alert Tuning

Digital Forensics

The process of collecting, preserving, analyzing, and presenting digital evidence from computers and networks for investigation purposes. Forensics is critical for understanding incident scope and attribution.

Related concepts: Incident Response, Chain of Custody, Artifact

DMARC

Domain-based Message Authentication, Reporting, and Conformance, an email authentication protocol that helps prevent email spoofing and phishing. DMARC builds on SPF and DKIM: the domain owner publishes a policy as a DNS TXT record at _dmarc.<domain> that tells receivers what to do with messages failing SPF or DKIM alignment (none, quarantine, or reject) and where to send aggregate and failure reports.

Related concepts: Phishing, Email Security, SPF, DKIM
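As an added example (not part of the original glossary), the following Python parses a DMARC TXT record into its tags and flags the settings a reviewer would question, with a monitor-only record beside an enforcing one. The records, the example.com addresses, and the assess_dmarc findings list are this example's own constructions.

```python
"""Parse a DMARC DNS TXT record and flag weak settings (added example)."""

# Constructed records for illustration. example.com is a reserved documentation
# domain; these are not published policies.
WEAK_RECORD = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_RECORD = ("v=DMARC1; p=reject; sp=reject; pct=100; adkim=s; aspf=s; "
                 "rua=mailto:dmarc@example.com; ruf=mailto:forensic@example.com")

VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict of lower-cased tags.

    RFC 7489 requires v=DMARC1 to be the first tag; receivers ignore a record
    that does not start with it, so we reject such records here too.
    """
    tags = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        key, sep, value = part.partition("=")
        if not sep:
            raise ValueError(f"malformed tag: {part!r}")
        tags[key.strip().lower()] = value.strip()
    first = record.strip().split(";", 1)[0].replace(" ", "")
    if first.lower() != "v=dmarc1":
        raise ValueError("record must begin with v=DMARC1")
    return tags


def assess_dmarc(record: str) -> list:
    """Return the findings a reviewer would raise about a record (empty = good)."""
    tags = parse_dmarc(record)
    findings = []
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        findings.append(f"missing or invalid p= tag: {policy!r}")
    elif policy == "none":
        findings.append("p=none is monitor-only: spoofed mail is still delivered")
    # pct defaults to 100; a lower value applies the policy to a sample only.
    pct = int(tags.get("pct", "100"))
    if pct < 100:
        findings.append(f"pct={pct}: policy applies to only {pct}% of failing mail")
    # sp defaults to the parent policy; an explicit sp=none undoes enforcement
    # for every subdomain, a common gap.
    subpolicy = tags.get("sp", policy)
    if policy in ("quarantine", "reject") and subpolicy == "none":
        findings.append("sp=none: subdomains are left unprotected by the parent policy")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports will never arrive")
    return findings
```

Running assess_dmarc on WEAK_RECORD returns only the p=none finding, while STRONG_RECORD returns nothing; the rollout path in practice is p=none with reporting, then quarantine, then reject once the aggregate reports show legitimate senders aligned.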


E

Endpoint Detection and Response (EDR)

Security solutions that monitor endpoint devices for suspicious activities and provide investigation and response capabilities. EDR tools collect telemetry from endpoints for threat detection and hunting.

Related concepts: XDR, Endpoint Security, Threat Hunting

Eradication

The incident response phase focused on removing threat actor presence and malicious artifacts from the environment. Eradication ensures threats cannot persist or reinfect systems.

Related concepts: Incident Response, Containment, Recovery

Escalation

The process of elevating an incident or alert to a higher-tier analyst or management when additional expertise or authority is required. Proper escalation paths ensure timely incident resolution.

Related concepts: Incident Response, Triage, SOC Tiers

Event

A single, observable occurrence in a system or network, such as a login attempt, file modification, or network connection. Security tools collect and analyze events to detect threats.

Related concepts: Log, SIEM, Telemetry

Exfiltration

The unauthorized transfer of data from a system or network to an external location controlled by attackers. Detecting exfiltration is a key defensive capability.

Related concepts: Data Loss Prevention, Command and Control, Insider Threat

Exploit

Code or techniques that take advantage of a vulnerability to gain unauthorized access or execute malicious actions. Understanding exploits helps defenders prioritize patching and implement compensating controls.

Related concepts: Vulnerability, Patch Management, Zero-Day


F

F1 Score

A machine learning metric that combines precision and recall into a single value, calculated as the harmonic mean of the two. F1 score provides a balanced measure of model performance.

Related concepts: Precision, Recall, Confusion Matrix, Model Evaluation

False Negative

A scenario where a security tool or model fails to detect an actual threat, classifying malicious activity as benign. False negatives are dangerous as they allow attacks to proceed undetected.

Related concepts: True Positive, Detection Gap, Model Evaluation

False Positive

A scenario where a security tool or model incorrectly identifies benign activity as malicious. High false positive rates lead to alert fatigue and wasted analyst time.

Related concepts: True Positive, Alert Fatigue, Alert Tuning

Feature

In machine learning, a measurable property or characteristic used as input for training models. Selecting relevant features is critical for model accuracy in security applications.

Related concepts: Feature Engineering, Machine Learning, Dataset

Feature Engineering

The process of selecting, transforming, and creating features from raw data to improve machine learning model performance. Effective feature engineering requires domain expertise in security operations.

Related concepts: Machine Learning, Feature, Data Preprocessing


G

Ground Truth

Verified, accurate data used as a reference for training or evaluating machine learning models. In security, ground truth represents confirmed malicious or benign classifications.

Related concepts: Data Labeling, Training Data, Model Validation


H

Hash

A fixed-length output generated from input data by a cryptographic hash function. File hashes serve as practical identifiers for files and are commonly used as indicators of compromise. MD5 and SHA-1 are no longer collision-resistant, so SHA-256 is preferred where a hash must uniquely identify content; note also that changing a single byte of a file yields a different hash, so hash-based IOCs miss trivially modified variants.

Related concepts: MD5, SHA-256, Artifact, IOC

Hyperparameter

A configuration setting for machine learning algorithms that must be specified before training begins. Tuning hyperparameters optimizes model performance for specific security use cases.

Related concepts: Machine Learning, Model Tuning, Training


I

Incident

A confirmed security event that poses a threat to confidentiality, integrity, or availability of systems or data. Incidents require formal response procedures and documentation.

Related concepts: Event, Incident Response, Security Operations

Incident Response

The structured approach to handling and managing security incidents, typically following phases of preparation, detection, containment, eradication, recovery, and lessons learned. Effective incident response minimizes damage and recovery time.

Related concepts: NIST Framework, Playbook, SOC

Indicator of Compromise (IOC)

Artifacts or observables that suggest a system has been compromised, such as malicious IP addresses, file hashes, or domain names. IOCs enable threat detection and hunting.

Related concepts: Threat Intelligence, Artifact, Hash

Inference

The process of using a trained machine learning model to make predictions or classifications on new, unseen data. In security operations, inference applies learned patterns to detect threats in real-time data.

Related concepts: Machine Learning, Model, Prediction

Insider Threat

Security risks posed by individuals within an organization who have authorized access to systems and data. Insider threats may be malicious or unintentional.

Related concepts: User Behavior Analytics, Data Loss Prevention, Privilege Abuse


J

JSON (JavaScript Object Notation)

A lightweight data interchange format commonly used for log data, API communications, and security tool outputs. Understanding JSON is essential for parsing and analyzing security data.

Related concepts: Log Format, API, Data Parsing


K

Kill Chain

See Cyber Kill Chain.


L

Labeling

The process of assigning classifications or categories to data points, essential for creating training datasets for supervised learning. In security, labeling identifies whether events are malicious or benign.

Related concepts: Ground Truth, Supervised Learning, Training Data

Lateral Movement

Techniques used by attackers to move through a network after initial compromise, seeking to access additional systems and escalate privileges. Detecting lateral movement is critical for limiting breach impact.

Related concepts: APT, Privilege Escalation, Network Segmentation

Living Off the Land (LOtL)

Attack techniques that use legitimate system tools and processes already present in the environment rather than introducing custom malware. LOtL techniques are harder to detect with signature-based approaches.

Related concepts: Fileless Malware, Behavioral Analysis, Detection Engineering

Log

A record of events that occurred within a system, application, or network device. Logs are fundamental data sources for security monitoring and incident investigation.

Related concepts: Event, SIEM, Log Management

Log Management

The collection, aggregation, storage, and analysis of log data from multiple sources. Effective log management is foundational for security operations and compliance.

Related concepts: SIEM, Log Retention, Centralized Logging


M

Machine Learning (ML)

A subset of artificial intelligence that enables systems to learn from data and improve performance without explicit programming. ML enhances security operations through improved detection, automation, and pattern recognition.

Related concepts: Artificial Intelligence, Supervised Learning, Unsupervised Learning

Mean Time to Detect (MTTD)

A metric measuring the average time between when a security incident occurs and when it is detected. Lower MTTD indicates more effective detection capabilities.

Related concepts: Mean Time to Respond, SOC Metrics, Detection

Mean Time to Respond (MTTR)

A metric measuring the average time from incident detection to containment or resolution. Lower MTTR indicates more efficient incident response processes.

Related concepts: Mean Time to Detect, Incident Response, SOC Metrics

MITRE ATT&CK

A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. ATT&CK provides a common framework for understanding and defending against cyber threats.

Related concepts: Tactics, Techniques, Procedures, Threat Intelligence

Model

In machine learning, an algorithm trained on data to make predictions or classifications. Security models learn patterns from historical data to identify threats in new data.

Related concepts: Machine Learning, Training, Inference

Model Drift

The degradation of machine learning model performance over time as patterns in data change. Security models require monitoring and retraining to address drift caused by evolving threats.

Related concepts: Model Maintenance, Retraining, Model Performance


N

Network Traffic Analysis (NTA)

The examination of network communications to identify suspicious patterns, anomalies, or malicious activities. NTA provides visibility into network-based attacks and lateral movement.

Related concepts: Packet Capture, Flow Data, Anomaly Detection

NIST Framework

The National Institute of Standards and Technology Cybersecurity Framework, providing guidance for managing cybersecurity risks through core functions: Identify, Protect, Detect, Respond, and Recover, with CSF 2.0 (2024) adding Govern as a sixth function.

Related concepts: Risk Management, Incident Response, Security Framework


O

Orchestration

The coordination of multiple security tools and processes to execute complex workflows automatically. Orchestration enables efficient incident response and reduces manual effort.

Related concepts: SOAR, Automation, Integration

Outlier

A data point that significantly deviates from normal patterns. In security, outliers may indicate anomalous behavior worthy of investigation.

Related concepts: Anomaly Detection, Statistical Analysis, Behavioral Analysis
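The following Python block is an added example serving the Anomaly Detection, Baseline, and Outlier entries; it is not from the original glossary. It builds a baseline for one user's daily egress volume from a history window using the median and MAD (median absolute deviation), scores new days with the modified z-score, and handles the constant-history edge case where MAD is zero. The HISTORY series is constructed data, and the 3.5 threshold is the conventional Iglewicz-Hoaglin cutoff rather than anything the glossary specifies.

```python
"""Baseline a per-entity metric and flag outliers with a robust z-score (added example)."""
from statistics import median

# Constructed 14-day history of daily bytes sent to external hosts by one user.
HISTORY = [812_000, 954_000, 1_020_000, 877_000, 1_190_000, 690_000, 1_005_000,
           930_000, 1_100_000, 880_000, 760_000, 1_230_000, 970_000, 1_015_000]


def robust_baseline(values):
    """Median and MAD of the history window.

    Medians are used instead of mean/stdev so a past spike inside the window
    (or an attacker slowly raising their volume) does not inflate the baseline
    and hide the next deviation.
    """
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def robust_z(value, med, mad):
    """Modified z-score: 0.6745 scales MAD to be comparable to a standard
    deviation for normal data. A constant history (MAD == 0) makes any
    deviation infinitely surprising, which is what we want to surface."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def is_outlier(value, history, threshold=3.5):
    """One-sided: for egress only the high side matters."""
    med, mad = robust_baseline(history)
    return robust_z(value, med, mad) > threshold


def scan(series, window=14, threshold=3.5):
    """Walk a daily series, scoring each day against the preceding `window`
    days only, so the day under test never contributes to its own baseline."""
    flags = []
    for i in range(window, len(series)):
        flags.append((i, is_outlier(series[i], series[i - window:i], threshold)))
    return flags
```

On HISTORY the baseline is a median of 962,000 bytes with a MAD of 83,500; a day of 1.3 MB scores about 2.7 and is not flagged, while a 48 MB day scores in the hundreds. The per-entity window is the point: a fleet-wide threshold would either drown in noise from backup servers or miss a workstation that never sends more than a megabyte.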

Overfitting

A machine learning problem where a model learns training data too specifically, including noise, resulting in poor performance on new data. Overfitting reduces model generalization and effectiveness.

Related concepts: Model Training, Generalization, Validation


P

Patch Management

The process of identifying, acquiring, testing, and installing software updates to remediate vulnerabilities. Effective patch management is a critical vulnerability reduction strategy.

Related concepts: Vulnerability Management, Exploit, Zero-Day

Phishing

A social engineering attack that uses fraudulent communications, typically email, to trick recipients into revealing sensitive information or executing malicious actions. Phishing remains one of the most common initial attack vectors.

Related concepts: Social Engineering, Email Security, DMARC

Playbook

A documented set of procedures and actions to follow when responding to specific security scenarios or incidents. Playbooks ensure consistent, efficient responses and enable automation.

Related concepts: Incident Response, SOAR, Runbook

Precision

A machine learning metric measuring the proportion of positive predictions that are actually correct (true positives / (true positives + false positives)). High precision indicates low false positive rates.

Related concepts: Recall, F1 Score, Confusion Matrix

Privilege Escalation

Techniques used to gain higher-level permissions than initially granted, allowing attackers to access restricted resources. Detecting privilege escalation is essential for preventing unauthorized access.

Related concepts: Lateral Movement, Access Control, Least Privilege


Q

Quarantine

The isolation of potentially malicious files, systems, or users to prevent spread of threats while preserving evidence for investigation. Quarantine is a common containment technique.

Related concepts: Containment, Incident Response, Isolation


R

Recall

A machine learning metric measuring the proportion of actual positives correctly identified (true positives / (true positives + false negatives)). High recall indicates the model catches most threats.

Related concepts: Precision, F1 Score, Confusion Matrix, Sensitivity
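As an added example covering the Confusion Matrix, Precision, Recall, and F1 Score entries (and the threshold trade-off behind Alert Tuning), the Python below builds the confusion matrix from analyst-labelled alerts and a model score, derives the three metrics, and sweeps the alerting threshold to show precision rising and recall falling as it tightens. The SAMPLES scores and labels are constructed, not real evaluation data, and the zero-division convention (a model that never alerts reports precision 0.0) is a choice made here.

```python
"""Confusion matrix, precision, recall and F1 for a detection model (added example)."""
from collections import Counter

# Constructed evaluation set: (model score, ground truth) per alert, where
# True means an analyst confirmed the alert as malicious.
SAMPLES = [
    (0.97, True), (0.91, True), (0.88, False), (0.84, True), (0.73, True),
    (0.66, False), (0.61, True), (0.55, False), (0.42, False), (0.38, True),
    (0.21, False), (0.12, False), (0.08, False), (0.03, False),
]


def confusion_matrix(y_true, y_pred):
    """TP/FP/FN/TN counts from paired boolean labels and predictions."""
    if len(y_true) != len(y_pred):
        raise ValueError("labels and predictions differ in length")
    c = Counter()
    for truth, pred in zip(y_true, y_pred):
        if pred and truth:
            c["tp"] += 1
        elif pred and not truth:
            c["fp"] += 1
        elif not pred and truth:
            c["fn"] += 1
        else:
            c["tn"] += 1
    return {k: c[k] for k in ("tp", "fp", "fn", "tn")}


def metrics(cm):
    """Precision, recall and their harmonic mean (F1).

    A model that never alerts has undefined precision; it is reported as 0.0
    here rather than raising, which is the usual library convention."""
    tp, fp, fn = cm["tp"], cm["fp"], cm["fn"]
    precision = tp / (tp + fp) if tp + fp else 0.0
    recall = tp / (tp + fn) if tp + fn else 0.0
    f1 = 2 * precision * recall / (precision + recall) if precision + recall else 0.0
    return {"precision": precision, "recall": recall, "f1": f1}


def evaluate_at(threshold, samples=SAMPLES):
    """Alert when score >= threshold, then score the resulting verdicts."""
    y_true = [label for _, label in samples]
    y_pred = [score >= threshold for score, _ in samples]
    cm = confusion_matrix(y_true, y_pred)
    return {**cm, **metrics(cm)}


def threshold_sweep(samples=SAMPLES, thresholds=(0.3, 0.5, 0.7, 0.9)):
    """The tuning curve: each row is one candidate alerting threshold."""
    return {t: evaluate_at(t, samples) for t in thresholds}
```

At a threshold of 0.5 the sample gives TP=5, FP=3, FN=1, TN=5, so precision is 0.625 and recall 0.83; raising it to 0.9 makes precision 1.0 but recall drops to 0.33, which is the alert-fatigue versus missed-detection trade-off in numbers. Which point to pick depends on the cost of a false negative for that rule, not on F1 alone.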

Recovery

The incident response phase focused on restoring systems and services to normal operation after threat eradication. Recovery includes validation that systems are clean and secure.

Related concepts: Incident Response, Eradication, Business Continuity

Red Team

Security professionals who simulate real-world attacks to test an organization's defensive capabilities. Red team exercises help identify security gaps and improve blue team effectiveness.

Related concepts: Blue Team, Purple Team, Penetration Testing

Regex (Regular Expression)

A sequence of characters defining a search pattern used for matching strings in text. Regex is valuable for parsing logs, creating detection rules, and extracting artifacts.

Related concepts: Pattern Matching, Detection Engineering, Log Parsing
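The Python below is an added example of the log-parsing and artifact-extraction use named in the Regex entry; it is not from the original glossary. It refangs the defanged indicators analysts paste into notes (hxxp, [.]), extracts IPv4 addresses, URLs, hostnames and hex digests with regular expressions, and separates internal from external addresses so RFC 1918 ranges do not end up in a blocklist. The SAMPLE text is constructed; the hashes in it are the well-known digests of the empty string, and the documentation range 203.0.113.0/24 stands in for an external host.

```python
"""Extract and refang indicators from notes and logs with regular expressions (added example)."""
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: an analyst note with defanged indicators, then a proxy
# log line. The hashes are the digests of the empty string, not real malware.
SAMPLE = """
Observed beacon to hxxp://update-cdn[.]example[.]net/a.php from 10.20.30.41.
payload sha256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
secondary host 203[.]0[.]113[.]9, md5 d41d8cd98f00b204e9800998ecf8427e
2024-05-01T10:22:07Z proxy src=10.20.30.41 dst=203.0.113.9 url="https://update-cdn.example.net/a.php?id=7"
"""

# Dotted-quad with each octet constrained to 0-255, so version strings like
# 10.2.300.1 are not picked up.
IPV4 = re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Longest digest first; \b on both sides stops a 32-hex run inside a SHA-256 matching as MD5.
HEX_HASH = re.compile(r"\b(?:[a-fA-F0-9]{64}|[a-fA-F0-9]{40}|[a-fA-F0-9]{32})\b")
URL = re.compile(r"\bhttps?://[^\s\"'<>]+", re.IGNORECASE)

# RFC 1918 plus loopback and link-local. Documentation ranges such as
# 203.0.113.0/24 are treated as external here, unlike ipaddress.is_private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                  "127.0.0.0/8", "169.254.0.0/16")]


def refang(text: str) -> str:
    """Undo the common defanging conventions so indicators can be matched."""
    text = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", text)
    text = re.sub(r"\bhxxp(s?)://", r"http\1://", text, flags=re.IGNORECASE)
    return text


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def extract_iocs(text: str) -> dict:
    """Deduplicated, sorted indicators by type, with hashes lower-cased."""
    text = refang(text)
    ips = set(IPV4.findall(text))
    # Trailing punctuation belongs to the sentence, not the URL.
    urls = {u.rstrip(".,;:)\"'") for u in URL.findall(text)}
    hashes = {h.lower() for h in HEX_HASH.findall(text)}
    by_len = {64: "sha256", 40: "sha1", 32: "md5"}
    out = {"ipv4_external": [], "ipv4_internal": [], "urls": sorted(urls),
           "domains": sorted({urlsplit(u).hostname for u in urls}),
           "sha256": [], "sha1": [], "md5": []}
    for ip in sorted(ips):
        out["ipv4_internal" if is_internal(ip) else "ipv4_external"].append(ip)
    for h in sorted(hashes):
        out[by_len[len(h)]].append(h)
    return out
```

Run over SAMPLE, the defanged beacon URL and the proxy log's URL collapse to one domain, the two spellings of 203.0.113.9 become a single external indicator, and the workstation address 10.20.30.41 lands in the internal list where it can be used for scoping rather than blocking.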

Reinforcement Learning

A machine learning approach where models learn optimal actions through trial and error with reward feedback. While less common in security than supervised learning, reinforcement learning shows promise for adaptive defense.

Related concepts: Machine Learning, Adaptive Security, Autonomous Response

Risk

The potential for loss or damage when a threat exploits a vulnerability. Risk is typically calculated as the likelihood of an event multiplied by its potential impact.

Related concepts: Vulnerability, Threat, Risk Management

Root Cause Analysis

The systematic investigation to identify the underlying cause of an incident rather than just addressing symptoms. Root cause analysis helps prevent recurrence.

Related concepts: Incident Response, Lessons Learned, Post-Incident Review

Runbook

A detailed, step-by-step guide for executing operational tasks or procedures. Runbooks support consistency and enable less experienced analysts to handle complex scenarios.

Related concepts: Playbook, Standard Operating Procedure, Documentation


S

Security Information and Event Management (SIEM)

A platform that aggregates, correlates, and analyzes security data from multiple sources to detect threats and support investigations. SIEMs are central to SOC operations.

Related concepts: Log Management, Correlation, Alert

Security Orchestration, Automation, and Response (SOAR)

A technology stack that combines orchestration, automation, and case management to streamline security operations and incident response. SOAR platforms execute playbooks and integrate multiple security tools.

Related concepts: Automation, Orchestration, Playbook

Security Operations Center (SOC)

A centralized team and facility responsible for monitoring, detecting, analyzing, and responding to security incidents. SOCs operate continuously to protect organizational assets.

Related concepts: Blue Team, Incident Response, SIEM

Sensitivity

See Recall.

Signature

A predefined pattern or characteristic used to identify known threats, such as malware signatures or attack patterns. Signature-based detection is effective against known threats but generally cannot detect novel attacks, or known ones modified enough to no longer match the signature.

Related concepts: Detection, Antivirus, Intrusion Detection System

SOAR

See Security Orchestration, Automation, and Response.

SOC

See Security Operations Center.

Supervised Learning

A machine learning approach that trains models using labeled data with known outcomes. Supervised learning is common in security for classification tasks like malware detection.

Related concepts: Machine Learning, Classification, Labeling


T

Tactic

In the MITRE ATT&CK framework, a high-level adversary goal during an attack, such as initial access, persistence, or exfiltration. Tactics represent the "why" of attacker actions.

Related concepts: MITRE ATT&CK, Technique, Procedure

Technique

In the MITRE ATT&CK framework, a specific method adversaries use to achieve tactical goals. Techniques represent the "how" of attacker actions.

Related concepts: MITRE ATT&CK, Tactic, Procedure

Telemetry

Data collected from systems, networks, and applications for monitoring and analysis purposes. Rich telemetry is essential for effective threat detection and hunting.

Related concepts: Log, Event, Visibility

Threat

Any circumstance or event with the potential to cause harm to systems or data through unauthorized access, destruction, disclosure, or modification. Understanding threats drives defensive strategies.

Related concepts: Threat Actor, Vulnerability, Risk

Threat Actor

An individual, group, or organization responsible for cyber attacks. Understanding threat actor motivations, capabilities, and tactics informs defense strategies.

Related concepts: APT, Attribution, Threat Intelligence

Threat Hunting

The proactive and iterative search for threats that have evaded existing security controls. Threat hunting assumes compromise and seeks evidence of malicious activity.

Related concepts: Hypothesis-Driven, IOC, Detection Gap

Threat Intelligence

Information about threats, threat actors, and their tactics, techniques, and procedures collected from various sources. Actionable threat intelligence improves detection and response capabilities.

Related concepts: IOC, TTP, Threat Feed

Tier 1 Analyst

Entry-level SOC analysts responsible for initial alert triage, basic investigation, and escalation. Tier 1 analysts handle high volumes of alerts and follow established procedures.

Related concepts: SOC, Triage, Escalation

Tier 2 Analyst

Intermediate SOC analysts who handle escalated incidents, conduct deeper investigations, and may perform basic threat hunting. Tier 2 analysts possess broader technical knowledge than Tier 1.

Related concepts: SOC, Incident Response, Investigation

Tier 3 Analyst

Senior SOC analysts with advanced expertise who handle complex incidents, conduct threat hunting, develop detections, and provide guidance to lower tiers. Tier 3 analysts are subject matter experts.

Related concepts: SOC, Threat Hunting, Detection Engineering

Training Data

Data used to teach machine learning models patterns and relationships. Quality and representative training data is essential for developing accurate security models.

Related concepts: Dataset, Labeling, Supervised Learning

Triage

The process of rapidly assessing and prioritizing alerts or incidents based on severity, impact, and urgency. Effective triage ensures critical threats receive immediate attention.

Related concepts: Alert, Incident Response, Prioritization

True Negative

A correct classification where benign activity is identified as benign. True negatives indicate proper model or detection rule performance on legitimate activities.

Related concepts: Confusion Matrix, False Positive, Model Evaluation

True Positive

A correct classification where malicious activity is identified as a threat. True positives represent successful detections requiring investigation and response.

Related concepts: False Positive, Alert, Detection

TTP (Tactics, Techniques, and Procedures)

The patterns of activities and methods used by threat actors. Understanding TTPs enables defenders to detect and defend against specific adversary behaviors.

Related concepts: MITRE ATT&CK, Threat Intelligence, Behavioral Analysis


U

Underfitting

A machine learning problem where a model is too simple to capture underlying patterns in data, resulting in poor performance. Underfitted models miss important threat indicators.

Related concepts: Overfitting, Model Complexity, Training

Unsupervised Learning

A machine learning approach that finds patterns in unlabeled data without predefined outcomes. Unsupervised learning is useful for anomaly detection and discovering unknown threat patterns.

Related concepts: Machine Learning, Clustering, Anomaly Detection

User and Entity Behavior Analytics (UEBA)

Technology that uses machine learning to establish baseline behaviors for users and entities, then detects anomalous activities that may indicate threats. UEBA is particularly effective against insider threats and compromised accounts.

Related concepts: Anomaly Detection, Behavioral Analysis, Machine Learning


V

Validation

The process of evaluating machine learning model performance on data not used during training to ensure generalization. Proper validation prevents overfitting and ensures real-world effectiveness.

Related concepts: Model Evaluation, Test Data, Overfitting

Vulnerability

A weakness in a system, application, or process that could be exploited to compromise security. Identifying and remediating vulnerabilities reduces risk.

Related concepts: Exploit, Patch Management, Risk

Vulnerability Management

The continuous process of identifying, classifying, prioritizing, and remediating vulnerabilities. Effective vulnerability management reduces organizational attack surface.

Related concepts: Patch Management, Risk Management, Asset Management


W

Whitelisting

A security approach that allows only explicitly approved entities (applications, IP addresses, domains, etc.) while blocking everything else. Whitelisting provides strong security but requires careful management.

Related concepts: Allowlist, Blacklist, Access Control


X

XDR (Extended Detection and Response)

A security solution that integrates multiple security products into a cohesive system for improved threat detection and response across endpoints, networks, cloud, and applications. XDR provides broader visibility than traditional EDR.

Related concepts: EDR, SIEM, Security Integration


Y

YARA

A pattern matching tool used to identify and classify malware based on textual or binary patterns. YARA rules help analysts detect malicious files and conduct threat hunting.

Related concepts: Malware Analysis, Pattern Matching, Threat Hunting


Z

Zero-Day

A vulnerability that is exploited before the vendor becomes aware of it or releases a patch. Zero-days are particularly dangerous as no fix is immediately available.

Related concepts: Exploit, Vulnerability, Patch Management

Zero Trust

A security model that assumes no user, device, or network segment is inherently trustworthy, requiring continuous verification. Zero trust principles include least privilege access and micro-segmentation.

Related concepts: Defense in Depth, Access Control, Network Segmentation


Nexus SecOps Benchmark Terms

Nexus SecOps (Nexus SecOps Benchmark)

A comprehensive security benchmark and intelligent textbook defining 220 controls across 14 domains for AI-augmented security operations. Nexus SecOps defines requirements using RFC 2119 language (SHALL, SHOULD, MAY) and aligns with NIST CSF 2.0, MITRE ATT&CK, CIS Controls v8, ISO 27001:2022, NIST SP 800-53 Rev. 5, and NIST AI RMF 1.0.

Related concepts: Benchmark, Maturity Model, Security Controls


Chain of Custody

A documented process that tracks who has had possession of evidence, from collection through analysis and legal proceedings. In Nexus SecOps, chain of custody requirements apply to all digital forensic evidence collected during incident response.

Related concepts: Digital Forensics, Evidence Preservation, Incident Response

Change Control (Detection)

A governed process for creating, testing, staging, and promoting changes to detection rules. Nexus SecOps-048 requires a minimum 7-day staging period and peer review before production promotion of any detection rule change.

Related concepts: Detection Engineering, Detection-as-Code, Peer Review

CIRT (Computer Incident Response Team)

The designated team responsible for coordinating, investigating, and managing security incidents. Distinct from the general SOC analyst population; typically includes senior responders with forensic capabilities.

Related concepts: Incident Response, SOC, Incident Commander

Coverage Gap

A technique or threat vector for which an organization has no detection capability. Nexus SecOps-044 requires coverage gap analysis against MITRE ATT&CK at least annually, with gaps documented and prioritized.

Related concepts: Detection Coverage, MITRE ATT&CK, Detection Engineering

D3FEND

A MITRE framework that maps defensive countermeasures to ATT&CK techniques. Complements ATT&CK by providing a structured vocabulary for defensive controls. Referenced in Nexus SecOps framework mappings.

Related concepts: MITRE ATT&CK, Defensive Controls, Threat Mapping

Data Exfiltration

The unauthorized transfer of data from an organization's environment to an external destination. Nexus SecOps domain DQN and INC controls address detection of and response to exfiltration events.

Related concepts: DLP, Insider Threat, Incident Response

Detection-as-Code

The practice of writing, versioning, and deploying detection rules using software development practices — including version control (git), peer review, CI/CD pipelines, and automated testing. Nexus SecOps-041 through Nexus SecOps-050 define the full Detection-as-Code lifecycle.

Related concepts: Detection Engineering, CI/CD, SIEM

Detection Domain (DET)

One of 14 Nexus SecOps benchmark domains, covering detection rule lifecycle, behavioral analytics, MITRE ATT&CK coverage, cloud-native detection, and detection performance measurement. Controls Nexus SecOps-031 through Nexus SecOps-060.

Related concepts: Nexus SecOps, Detection Engineering, SIEM

Dwell Time

The period between an attacker's initial access and the detection of that access by the defending organization. Also called "time to detect" or "breakout time." Lower dwell time indicates more effective detection. Industry median is approximately 16 days (Mandiant M-Trends 2024).

Related concepts: MTTD, Threat Detection, Incident Response

ECS (Elastic Common Schema)

An open-source log normalization schema developed by Elastic. Defines field names and data types for consistent representation of security events across log sources. One of three major normalization schemas alongside OCSF and CIM.

Related concepts: Log Normalization, OCSF, CIM, SIEM

Evidence Catalog

A structured inventory of evidence types accepted for Nexus SecOps benchmark assessment. Nexus SecOps defines 12 evidence categories: CFG (configuration), POL (policy), LOG (log), DASH (dashboard), TEST (test result), INT (interview), ARCH (architecture diagram), RPT (report), RUN (runbook), TKT (ticket), TRN (training record), AGR (agreement).

Related concepts: Benchmark Assessment, Evidence, Audit

Grounding (LLM)

The practice of connecting LLM outputs to verified, current, and organization-specific knowledge rather than relying solely on training data. Common grounding techniques include Retrieval-Augmented Generation (RAG), real-time database lookups, and explicit citation requirements.

Related concepts: RAG, Hallucination, LLM Copilot

Hallucination (LLM)

A phenomenon where a large language model generates confident but factually incorrect or unverifiable content. In SOC contexts, hallucinations in threat intelligence or CVE information can lead analysts to incorrect conclusions. Nexus SecOps-184 requires hallucination mitigation controls.

Related concepts: LLM Copilot, Grounding, RAG

Human-in-the-Loop (HITL)

A design pattern requiring human review and approval before automated systems take high-impact actions. In SOAR contexts, Nexus SecOps-099 requires HITL gates for actions that affect availability (host isolation, account disable, IP block).

Related concepts: SOAR, Automation Safety, Playbook

Impossible Travel

An authentication anomaly where a user logs in from two geographically distant locations within a time window that is physically impossible given travel constraints. A common indicator of compromised credentials or account sharing.

Related concepts: Identity Analytics, UEBA, Authentication

IOC (Indicator of Compromise)

An artifact observed on a network or endpoint that indicates a potential intrusion with high confidence. Examples: known malware hashes, C2 IP addresses, malicious domain names. Distinct from behavioral indicators (which describe patterns rather than specific artifacts).

Related concepts: Threat Intelligence, TTP, STIX

JIT (Just-In-Time) Access

A privileged access model where elevated permissions are granted for a specific duration and purpose, then automatically revoked. Reduces the window of opportunity for privilege abuse. Required by Nexus SecOps-110 for SOC administrative access.

Related concepts: Zero Trust, PAM, Least Privilege

LLM Domain (LLM)

One of 14 Nexus SecOps benchmark domains, covering LLM copilot governance, prompt injection defense, PII filtering, grounding, hallucination mitigation, human oversight, output logging, and model performance monitoring. Controls Nexus SecOps-181 through Nexus SecOps-200.

Related concepts: Nexus SecOps, LLM Copilot, AI Governance

Maturity Level (Nexus SecOps)

A 0–5 scale measuring the sophistication of an organization's security operations capabilities. Level 0: Non-Existent; Level 1: Initial; Level 2: Developing; Level 3: Defined; Level 4: Managed; Level 5: Optimizing. Defined in the Nexus SecOps Maturity Model.

Related concepts: Nexus SecOps, Benchmark, Capability Maturity Model

MFA Fatigue

An attack technique where an attacker submits repeated MFA push notification requests to a victim's device until the victim approves one out of frustration or confusion. Also called "MFA push bombing." Mitigated by number matching, user training, and push rate limiting.

Related concepts: MFA, Phishing, Identity Security

MTTD (Mean Time to Detect)

The average elapsed time between the start of an attacker's activity and the security team's detection of that activity. A key SOC performance indicator. Nexus SecOps-041 requires MTTD tracking at the domain level.

Related concepts: MTTR, Dwell Time, SOC Metrics

MTTI (Mean Time to Investigate)

The average elapsed time from detection of an alert to the start of investigation by an analyst. Measures the responsiveness of alert queue management. Influenced by alert volume, prioritization, and staffing.

Related concepts: MTTD, MTTR, Alert Triage

MTTR (Mean Time to Respond)

The average elapsed time from detection of an incident to containment. In Nexus SecOps context, MTTR specifically measures detection-to-containment, not detection-to-full-recovery. A primary SOC SLA metric.

Related concepts: MTTD, Incident Response, Containment

OCSF (Open Cybersecurity Schema Framework)

An open-source log normalization schema developed by AWS and other vendors. Defines event categories, classes, and attributes for consistent representation across security products. Increasingly adopted by cloud-native security tools.

Related concepts: ECS, CIM, Log Normalization

PICERL

A six-phase incident response lifecycle model: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned. Nexus SecOps adopts PICERL as its reference model for incident response (Nexus SecOps-061).

Related concepts: Incident Response, IR Lifecycle, NIST SP 800-61

Playbook (SOAR)

A documented, executable workflow within a SOAR platform that defines the automated and semi-automated steps for responding to a specific alert type or threat scenario. Nexus SecOps-096 requires all production playbooks to be documented, versioned, and peer-reviewed.

Related concepts: SOAR, Runbook, Automation

Precision

A detection quality metric measuring the proportion of alerts that are true positives: Precision = TP / (TP + FP). A rule with 90% precision generates 9 true positives for every 10 alerts. Inversely related to the false positive rate.

Related concepts: Recall, False Positive, Detection Quality

Prompt Injection

An attack technique where malicious content embedded in data (such as log messages, user input, or external documents) is interpreted by an LLM as instructions, overriding the original system prompt. Nexus SecOps-183 requires prompt injection defenses in all LLM-powered security tools.

Related concepts: LLM Copilot, Hallucination, Input Sanitization

RAG (Retrieval-Augmented Generation)

A pattern for grounding LLM responses by retrieving relevant documents or data from a knowledge base at inference time and including them in the prompt context. Reduces hallucination risk for knowledge-intensive queries. Recommended by Nexus SecOps-184.

Related concepts: LLM Copilot, Grounding, Hallucination

Recall

A detection quality metric measuring the proportion of actual attacks that trigger an alert: Recall = TP / (TP + FN). A rule with 85% recall catches 85 out of 100 real attacks. Reducing false positives (improving precision) often reduces recall.

Related concepts: Precision, False Negative, Detection Coverage

Runbook

A step-by-step operational procedure for responding to a specific alert type or scenario. Unlike playbooks, runbooks are primarily human-executed and contain narrative guidance, decision trees, and escalation paths. Nexus SecOps-065 requires runbooks for all Tier 1 alert types.

Related concepts: Playbook, SOC Operations, Incident Response

SOAR (Security Orchestration, Automation, and Response)

A platform that integrates security tools, automates repetitive response tasks, and orchestrates workflows across multiple systems. SOAR enables case management, alert enrichment, and automated containment actions within defined safety boundaries.

Related concepts: SIEM, Playbook, Automation

Staging Period (Detection)

A mandatory time window during which a new or modified detection rule runs in shadow mode (generating alerts but not triggering automated response) before promotion to production. Nexus SecOps-048 requires a minimum 7-day staging period.

Related concepts: Detection-as-Code, Change Control, Rule Tuning

STIX (Structured Threat Information Expression)

An industry-standard language for representing threat intelligence in a machine-readable format. STIX 2.1 objects include indicators, malware, threat actors, campaigns, and attack patterns. Used with TAXII for threat intelligence sharing.

Related concepts: TAXII, Threat Intelligence, IOC

TAXII (Trusted Automated eXchange of Indicator Information)

A protocol for sharing STIX threat intelligence between organizations and threat intelligence platforms. TAXII 2.1 uses a REST API model. Nexus SecOps-072 recommends TAXII integration for organizations at maturity Level 3+.

Related concepts: STIX, Threat Intelligence, Threat Sharing

TTP (Tactics, Techniques, and Procedures)

The behavioral patterns and methods used by threat actors. Tactics describe the high-level objective (e.g., Lateral Movement); Techniques describe how the tactic is achieved (e.g., Pass the Hash); Procedures are specific implementations observed in real attacks. The MITRE ATT&CK framework organizes TTPs systematically.

Related concepts: MITRE ATT&CK, Threat Intelligence, Threat Hunting

UEBA (User and Entity Behavior Analytics)

A security analytics approach that establishes behavioral baselines for users and systems, then alerts on deviations. UEBA detects insider threats, compromised accounts, and anomalous lateral movement by analyzing patterns rather than signatures. Required by Nexus SecOps-052.

Related concepts: Anomaly Detection, Insider Threat, Identity Security