cyber-security.eu

Cyber security glossary

Terms like SOC, SIEM, EDR, NIS2, TIBER-EU or zero trust explained clearly - without marketing language, hacker stereotypes or unnecessary depth.

Fundamentals

Cyber security - protection of digital systems, data and identities from attack, manipulation and outage. See Cyber security.

IT security - traditional term focused on systems and networks.

Information security - broader term including non-digital information.

Protection goals - confidentiality, integrity and availability, often extended by authenticity and accountability.

Cyber resilience - ability of an organisation to keep operating through incidents.

SOC and detection

SOC - Security Operations Centre that detects, triages and handles incidents. See SOC.

SIEM - central system to collect and analyse security relevant logs. See SIEM.

EDR - Endpoint Detection and Response, telemetry and response on endpoints.

XDR - Extended Detection and Response, extends EDR with further data sources such as identity, mail and cloud.

MDR - Managed Detection and Response, an externally run detection and response service.

Use case - defined detection scenario with data source, logic and expected behaviour.

Detection - deliberate identification of threats by indicators or behaviour.

Alert triage - first assessment of an alert: relevant, irrelevant or to escalate.

False positive - an alert that is not a real incident after review.

Log source - a system providing security relevant events (EDR, mail gateway, directory).

Threats and attacks

Ransomware - malware that encrypts data or threatens publication. See Ransomware.

Phishing - deceptive messages that harvest credentials or trick recipients into harmful actions. See Phishing.

Business email compromise - targeted manipulation of business mail, often payment-related.

Malware - umbrella term for malicious software.

Exploit - concrete abuse of a vulnerability.

Vulnerability - a weakness in software, configuration or process.

Threat intelligence - processed knowledge about attackers, techniques and indicators.

MITRE ATT&CK - public knowledge model of attacker tactics and techniques.

TTP - tactics, techniques and procedures, i.e. attacker behaviour.

IOC - Indicator of Compromise, technical hint of a compromise.

IOA - Indicator of Attack, sign of ongoing attacker activity.

Incident response and resilience

Incident response - structured reaction to security incidents. See Incident response.

Incident response plan - documented process for detection, containment and recovery. See Incident response plan.

Backup - tested copy of important data, ideally immutable.

Business continuity - keeping critical processes running through incidents.

Lessons learned - structured review after an incident.

Identity, access and architecture

MFA - Multi-Factor Authentication, additional factors beyond a password.

Zero trust - architectural principle that verifies every access and trusts no location.

Least privilege - accounts and services hold only the rights they need.

Identity security - protection of accounts, roles and permissions.

Patch management - orderly rollout of security updates.

Endpoint security - protection of workstations and servers.

Network security - segmentation, firewalls, secure remote access.

Cloud security - secure configuration, IAM, logging and detection in cloud services.

EU regulation

NIS2 - EU directive raising cyber security requirements for essential and important entities. See NIS2.

DORA - EU regulation on digital operational resilience for the financial sector. See DORA.

TIBER-EU - framework for threat-led resilience tests. See TIBER-EU.

TLPT - Threat-Led Penetration Testing, referenced by DORA.

Cyber Resilience Act - EU regulation on security requirements for products with digital elements.

People and awareness

Security awareness - sustained enablement of staff to behave securely. See Security awareness.

Reporting culture - a culture in which observations of unsafe behaviour or suspicious events can be reported without fear.

Phishing simulation - controlled exercise with harmless test mails.

Insider risk - risk from internal staff, whether negligent or intentional.

Authentication and identity

Passkeys - modern, phishing-resistant sign-in using a device-bound key pair. See MFA.

FIDO2 - open standard for phishing-resistant authentication, often with security keys.

Conditional access - rule-based access decision using identity, device and context.

Token theft - theft of session tokens issued after a valid sign-in, so MFA no longer protects the session. See Account compromise.

Consent phishing - attack via malicious third-party apps that request permissions.

Mailbox rule - server-side mail rule, often abused by attackers to hide their activity in a compromised mailbox.

Backup, resilience and vulnerabilities

Immutable backup - a backup that cannot be changed or deleted within a defined retention period. See Backup.

Restore test - documented test of recovering data from backup.

CVE - unique identifier for a known vulnerability.

CVSS - scoring system for the technical severity of a vulnerability. See Vulnerability management.

Exposure management - process that combines visibility, assessment and treatment of your attack surface.

Attack surface - the totality of potential entry points of an organisation.

Lateral movement - attackers spreading within a network after the first foothold.

Security baseline - defined minimum configuration for a system class.

Cloud and architecture

Shared responsibility model - split of responsibility between cloud provider and customer. See Cloud security.

Related topics

Cyber security at a glance

Cyber security is more than antivirus. It combines technology, processes and people, protects digital business models and has become a strategic leadership topic. This hub page explains the building blocks and links to deeper topic pages.

What is cyber security?

Cyber security protects digital assets from attack, manipulation and outage. This page explains in plain language what it covers, how it differs from IT and information security and which measures are part of today's standard.

Multi-factor authentication

MFA significantly reduces the risk of compromised accounts. This page explains which methods actually work, where the weak points are and how to prioritise rollout in practice.

Identity security

Identities are a primary target today. Clean handling of accounts, roles and permissions reduces the risk of many incidents significantly.

Zero trust

Zero trust is an architectural principle, not a product. It means: trust nothing automatically, verify every access based on identity, device and context.

Endpoint Detection and Response

EDR provides telemetry and response on endpoints. It is standard in many organisations today and extends classic endpoint protection with detection and response.

Cloud security

Cloud security combines safe configuration, strong identities, good logging and clear responsibility. This page outlines the core building blocks.

Backup

Backups are a core defence against data loss and ransomware. This page explains the 3-2-1 rule, offline and immutable backups, restore tests and common mistakes.

Vulnerability management

Vulnerability management is more than the occasional scan. It is a continuous process of finding, assessing, prioritising, fixing and verifying.

Threat intelligence

Threat intelligence is more than a list of IOCs. It is processed, contextual knowledge about adversaries, techniques and risks - useful only when it drives decisions.