Executive Risk & Board Advisory

Cybersecurity Acronyms: A Complete 2026 Glossary for Executives, Boards, and Practitioners

Dipan Mann
Founder, CEO & CTO
May 10, 2026
18 minute read

The cybersecurity industry has accumulated approximately 200 widely-used acronyms across detection, identity, compliance, network security, and adjacent disciplines. Many of them describe the same thing under different vendor naming conventions. Many describe distinctions that mattered in 2010 but have since collapsed into larger categories. This glossary covers the 70-plus acronyms that matter most for executives, boards, audit committees, and PE sponsors evaluating cybersecurity controls, vendor capabilities, or M&A targets in 2026. Each entry includes the expansion, a working definition, and where relevant a cross-link to the deeper Cloudskope Cybersecurity 101 article.

1. Identity and Access Management (IAM)

2FA — Two-Factor Authentication

Authentication that requires two distinct factors: something the user knows (a password), something the user has (a hardware token or phone), or something the user is (a biometric). 2FA is the minimum acceptable authentication standard for any account holding sensitive data and is increasingly mandated by FTC consent orders, PCI DSS requirements, and HIPAA Security Rule guidance.

MFA — Multi-Factor Authentication

The general term for authentication requiring two or more factors. MFA includes 2FA and any stronger combination. Modern best practice favors phishing-resistant MFA — hardware security keys (FIDO2 / WebAuthn) or platform authenticators — over SMS or one-time-passcode email, which are subject to social engineering. Read more about MFA.

SSO — Single Sign-On

An authentication scheme that lets a user log in once to access multiple applications. SSO reduces password reuse, simplifies de-provisioning when an employee leaves, and consolidates authentication into a single point that can be hardened with MFA. Common SSO standards include SAML and OIDC.

IAM — Identity and Access Management

The discipline of managing user identities and what those identities can do. IAM encompasses authentication (proving who you are), authorization (defining what you can do), provisioning (granting access on hire and removing access on termination), and audit (tracking who did what).

PAM — Privileged Access Management

Specialized IAM for high-privilege accounts — domain administrators, root accounts, service accounts, and break-glass credentials. PAM systems typically enforce just-in-time access, session recording, credential vaulting, and approval workflows for the kind of access that, if compromised, would produce material consequences.

IGA — Identity Governance and Administration

The governance layer on top of IAM. IGA addresses who should have what access (access certification), enforces separation-of-duties policies, and produces the audit evidence that compliance frameworks (SOC 2, ISO 27001, HIPAA, SOX) require.

SAML — Security Assertion Markup Language

An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML is the dominant enterprise SSO protocol for older SaaS applications and identity federation between on-premises Active Directory and cloud services.

OAuth — Open Authorization

An open standard for delegated access — the protocol that lets one application access another on behalf of a user without sharing the user's password. OAuth is the foundation for most modern API integrations and is what was misused in the Facebook-Cambridge Analytica incident through the Friends API.

OIDC — OpenID Connect

An authentication layer built on top of OAuth 2.0. OIDC is the protocol that powers most modern "log in with Google" / "log in with Microsoft" patterns and is the SAML successor for newer SaaS applications.

RBAC — Role-Based Access Control

An access control model in which permissions are assigned to roles, and users are assigned to roles. RBAC simplifies access administration at scale and is the most common access control model in enterprise systems. ABAC (Attribute-Based Access Control) is a more granular alternative based on attributes of the user, resource, and context.

AD — Active Directory

Microsoft's directory service for managing users, groups, and computers in a Windows network. AD is the central identity infrastructure for most large enterprises and is a primary target for adversaries seeking to escalate from initial access to domain administrator privileges. Compromises of AD typically produce the most severe enterprise breaches.

2. Detection and Response

EDR — Endpoint Detection and Response

Security tooling that continuously monitors endpoint activity (process execution, file changes, network connections, registry modifications) to detect malicious behavior and provide forensic data for investigation. EDR is the post-2017 successor to traditional antivirus and is now baseline for most enterprise security programs.

XDR — Extended Detection and Response

EDR extended across multiple security data sources — endpoint, network, email, identity, cloud workloads — with correlation across those sources to detect attacks that span multiple vectors. XDR is increasingly the architectural successor to standalone EDR + SIEM deployments.

MDR — Managed Detection and Response

The outsourced operational layer on top of EDR or XDR. MDR providers staff 24/7 security operations centers that monitor customer environments, triage alerts, and respond to incidents. MDR is the dominant procurement pattern for mid-market organizations that cannot economically operate an in-house SOC.

SIEM — Security Information and Event Management

A centralized logging and analysis platform that collects security-relevant events from across the enterprise — firewalls, EDR agents, identity systems, applications, network devices — and applies correlation rules to detect attacks. SIEM is the foundation for most enterprise SOC operations and the substrate on which threat hunting is conducted.

SOAR — Security Orchestration, Automation and Response

Workflow automation tooling that orchestrates security tools and codifies incident response procedures into runbooks. SOAR is what allows a single analyst to respond to alerts that would otherwise require manual coordination across a dozen tools.

TDIR — Threat Detection, Investigation, and Response

An umbrella term encompassing the operational capability that EDR, SIEM, SOAR, and threat hunting collectively provide. TDIR is increasingly the procurement category that vendors compete in, replacing the narrower SIEM and EDR procurement frames.

UEBA — User and Entity Behavior Analytics

Analytics that establish baseline patterns of legitimate user and system behavior and flag deviations. UEBA is the primary detection technique for insider threats and account-takeover scenarios where the attacker is using legitimate credentials.

IDS / IPS — Intrusion Detection / Prevention System

Network monitoring systems that detect (IDS) or block (IPS) malicious traffic patterns. IDS / IPS are largely legacy categories in modern enterprise architecture, having been substantially absorbed into next-generation firewalls and XDR platforms, though they remain present in many environments.

3. Network Security

VPN — Virtual Private Network

An encrypted tunnel between a user's device and a network, typically used to give remote workers access to internal corporate resources. VPNs are increasingly being replaced by ZTNA architectures because of the over-broad network access they provide once authenticated.

SASE — Secure Access Service Edge

An architecture that combines network connectivity (SD-WAN) and security functions (SWG, CASB, ZTNA, FWaaS) into a single cloud-delivered service. Coined by Gartner in 2019, SASE is the architectural direction for enterprises that have decoupled their workforce and applications from the traditional perimeter.

SSE — Security Service Edge

The security half of SASE — cloud-delivered SWG, CASB, ZTNA, and DLP without the SD-WAN connectivity layer. SSE is the procurement category for enterprises that already have separate network connectivity strategies.

ZTNA — Zero Trust Network Access

An architectural pattern in which access decisions are made per-application, per-session, based on identity, device posture, and context — not based on network location. ZTNA is the operational manifestation of Zero Trust principles for remote access. Read more about Zero Trust.

WAF — Web Application Firewall

A specialized firewall that inspects HTTP/HTTPS traffic to a web application and blocks application-layer attacks (SQL injection, cross-site scripting, request smuggling). Capital One's 2019 breach involved a misconfigured WAF and is the canonical case for WAF governance.

NAC — Network Access Control

Technology that controls which devices can connect to a network based on the device's identity, posture, and compliance with policy. NAC is foundational for environments with diverse device types (printers, IoT, BYOD, contractor laptops) that cannot be authenticated through individual user credentials alone.

DLP — Data Loss Prevention

Technology that identifies and controls movement of sensitive data — customer PII, source code, financial data, trade secrets — across email, web, endpoint, and cloud channels. DLP is the technical layer that operationalizes data classification and is central to most enterprise data-handling compliance programs. Read more about DLP.

CASB — Cloud Access Security Broker

A control point between users and cloud services that enforces security policy, detects misconfiguration, and provides visibility into cloud service usage. CASB is foundational for SaaS security in environments where users access dozens or hundreds of cloud applications.

SWG — Secure Web Gateway

A control point between users and the internet that enforces web access policy, blocks malicious sites, and inspects web traffic for malware. SWG is the modern successor to traditional web filtering proxies and is typically delivered as a cloud service.

SD-WAN — Software-Defined Wide Area Network

An architecture that uses software to manage WAN connections across multiple links (MPLS, broadband, LTE, fiber), optimizing routing based on application requirements. SD-WAN is foundational for distributed enterprises and is the connectivity half of SASE.

💡 Key Insight

Cybersecurity vocabulary is a moving target: SIEM, SOAR, and EDR each took a decade to consolidate around shared meaning. The acronyms that matter most today are the ones boards and regulators have adopted into their own language — MFA, EDR, MDR, RTO, RPO, NIST CSF, SOC 2, ZTNA.

4. Cloud Security

CSPM — Cloud Security Posture Management

Tooling that continuously assesses the configuration of cloud infrastructure (AWS, Azure, GCP) against security best practices and compliance frameworks. CSPM is the operational answer to the cloud-misconfiguration problem that produced Capital One's 2019 breach.

CIEM — Cloud Infrastructure Entitlement Management

Tooling that manages identity and access permissions specifically in cloud environments, where the entitlement complexity (thousands of IAM policies, service-linked roles, cross-account access) exceeds what traditional PAM was designed for.

CWPP — Cloud Workload Protection Platform

Security tooling for cloud workloads — virtual machines, containers, serverless functions. CWPP addresses runtime protection, vulnerability assessment, and configuration assessment for workloads regardless of where they run.

CNAPP — Cloud-Native Application Protection Platform

An integrated category that combines CSPM, CIEM, CWPP, and other cloud security capabilities into a single platform. CNAPP is the procurement category that has emerged as the cloud-security successor to standalone tools.

SaaS / IaaS / PaaS

The three major cloud service models: Software as a Service (Salesforce, Google Workspace), Infrastructure as a Service (AWS EC2, Azure VMs), and Platform as a Service (AWS Lambda, Azure App Service). The shared-responsibility security model differs across these tiers.

5. Application Security

SAST — Static Application Security Testing

Source-code analysis that identifies security vulnerabilities by examining the code without running it. SAST is the most common appsec testing category and is increasingly integrated into developer workflows through IDE plugins and CI/CD pipelines.

DAST — Dynamic Application Security Testing

Application security testing performed against a running application by sending malicious inputs and observing responses. DAST complements SAST by finding vulnerabilities that depend on runtime behavior, configuration, or environmental context.

IAST — Interactive Application Security Testing

A hybrid testing approach that instruments the running application to observe both code execution and runtime behavior simultaneously. IAST is technically more accurate than SAST or DAST alone but is more operationally complex to deploy.

RASP — Runtime Application Self-Protection

A protection technology that operates inside the running application and detects or blocks attacks at runtime. RASP is conceptually similar to a WAF but operates inside the application boundary rather than in front of it.

SBOM — Software Bill of Materials

A formal list of all open-source and proprietary components included in a software product. SBOMs are now required for federal software procurement under Executive Order 14028 and are the foundational artifact for managing software supply chain risk after SolarWinds.

API — Application Programming Interface

The contract through which one software component communicates with another. API security has become a primary cybersecurity concern as enterprises increasingly expose APIs externally and rely on third-party APIs internally. Read more about API security.

DevSecOps

The integration of security practices into the DevOps software development lifecycle. DevSecOps shifts security "left" — earlier in the development process — through automated testing in CI/CD pipelines, secret scanning, and developer-facing security tools.

6. Compliance and Governance

NIST CSF — NIST Cybersecurity Framework

A voluntary framework for managing cybersecurity risk developed by the U.S. National Institute of Standards and Technology. NIST CSF organizes cybersecurity activities into six functions (Govern, Identify, Protect, Detect, Respond, Recover) and is the most widely cited cybersecurity framework in U.S. enterprise practice.

ISO 27001

An international standard for information security management systems (ISMS) maintained by the International Organization for Standardization. ISO 27001 certification is the dominant cybersecurity assurance signal for European and international enterprise buyers and is increasingly required in B2B procurement.

SOC 2 — System and Organization Controls 2

An audit framework developed by the AICPA that assesses controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 reports (Type I and Type II) are the dominant cybersecurity assurance artifact in U.S. B2B SaaS procurement.

HIPAA — Health Insurance Portability and Accountability Act

The U.S. federal law governing the privacy and security of health information. The HIPAA Security Rule (45 CFR §§ 164.302-318) establishes administrative, physical, and technical safeguards. The HHS Office for Civil Rights enforces HIPAA, and its enforcement posture has increased substantially after Anthem 2015 and Change Healthcare 2024.

PCI DSS — Payment Card Industry Data Security Standard

The security standard governing the storage, processing, and transmission of payment card data. PCI DSS is maintained by the PCI Security Standards Council and is enforced by the major card brands and acquiring banks. Non-compliance can result in significant fines and loss of payment processing privileges.

GDPR — General Data Protection Regulation

The European Union regulation on data protection and privacy effective May 25, 2018. GDPR Article 83 permits administrative fines up to 4% of global annual turnover or €20 million, whichever is greater. The Cambridge Analytica disclosures in March 2018 substantially shaped GDPR's early enforcement posture.

CCPA / CPRA — California Consumer Privacy Act / California Privacy Rights Act

California's comprehensive consumer privacy law, originally enacted in 2018 and amended by CPRA in 2020. CCPA / CPRA established the U.S. state-law privacy regime that subsequent state laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and successors) have largely tracked.

HITRUST — Health Information Trust Alliance

A common security framework that maps to HIPAA, ISO 27001, NIST CSF, PCI DSS, and other standards. HITRUST certification is a frequent procurement requirement in healthcare-sector SaaS and managed services contracts.

FedRAMP — Federal Risk and Authorization Management Program

The U.S. federal government's standardized approach to assessing and authorizing cloud services. FedRAMP authorization is a prerequisite for cloud services that handle federal government data and is a substantial undertaking with implications across an entire SaaS product architecture.

CMMC — Cybersecurity Maturity Model Certification

The U.S. Department of Defense's contractor cybersecurity certification program. CMMC defines five maturity levels of cybersecurity practice that defense contractors must demonstrate depending on the sensitivity of the data they handle.

GRC — Governance, Risk, and Compliance

The umbrella discipline encompassing organizational governance, risk management, and regulatory compliance. GRC platforms (ServiceNow GRC, Archer, MetricStream, Hyperproof, Drata, Vanta) are the operational substrate for managing cybersecurity compliance at scale.

70+: Acronyms covered in this glossary across nine functional categories — from identity and access through cryptography and governance.

$5B: Largest FTC consumer-protection penalty in U.S. history (Facebook 2019) — the case that produced "named-officer certification" as standard FTC enforcement language.

4-day: The SEC's materiality determination clock for cybersecurity incident disclosure on Form 8-K under the 2023 rules — measured in business days, not calendar days.

7. Threat Intelligence and Incident Response

APT — Advanced Persistent Threat

A category of adversary characterized by sophisticated tradecraft, sustained access over time, and (typically) state-sponsored attribution. The numbered "APT" designations (APT1, APT28, APT29, APT41) generally refer to specific clusters tracked by Mandiant and other threat intelligence firms. APT29 is Russian SVR, APT28 is Russian GRU, APT1 and APT41 are Chinese MSS-affiliated.

IoC — Indicator of Compromise

A piece of forensic evidence that suggests a system has been compromised — a specific file hash, IP address, domain name, registry key, or behavior pattern. IoCs are the atomic unit of threat intelligence and the input data for detection rules in SIEM and EDR systems.

TTPs — Tactics, Techniques, and Procedures

The behavioral profile of a threat actor — the methods they use to gain access, escalate privileges, move laterally, and exfiltrate data. TTPs are higher-fidelity threat intelligence than IoCs because they describe what the adversary does, not just the specific artifacts of past intrusions. The MITRE ATT&CK framework is the dominant taxonomy for TTPs.

CTI — Cyber Threat Intelligence

The discipline of collecting, analyzing, and operationalizing information about adversaries, their capabilities, and their intent. CTI informs detection engineering, threat hunting, vulnerability prioritization, and strategic security investment. Read more about CTI.

OSINT — Open-Source Intelligence

Intelligence collected from publicly available sources — news, social media, public records, leaked databases, technical documentation. OSINT is the foundation of most attacker reconnaissance and defender threat intelligence.

IR — Incident Response

The organized approach to addressing and managing the aftermath of a security breach. IR includes detection, containment, eradication, recovery, and lessons-learned phases. The SANS and NIST incident response frameworks are the dominant references. Read more about IR.

BCDR — Business Continuity and Disaster Recovery

The combined discipline of maintaining business operations during disruptive events (BCP) and restoring IT systems after them (DRP). BCDR is the operational substrate for organizational resilience and is increasingly tested through ransomware-readiness exercises.

RTO — Recovery Time Objective

The maximum acceptable time between a disruption and the resumption of business operations. RTO is a board-level decision that drives substantial cybersecurity investment, particularly in backup, disaster recovery, and incident response capability.

RPO — Recovery Point Objective

The maximum acceptable amount of data loss measured in time — if your RPO is one hour, you can afford to lose at most one hour of data. RPO drives backup frequency, replication architecture, and database transaction log retention.

MTTR / MTTD — Mean Time to Respond / Detect

The average time between an attack and detection (MTTD) or between detection and response (MTTR). These are the dominant operational metrics for SOC performance. Industry benchmarks suggest MTTD of 200-300 days is typical for breaches that ultimately are detected; reducing MTTD is a primary goal of EDR / MDR / threat hunting investment.

8. Cryptography and Encryption

AES — Advanced Encryption Standard

A symmetric encryption algorithm standardized by NIST in 2001. AES is the dominant symmetric encryption algorithm in modern computing, used in TLS, disk encryption (BitLocker, FileVault), and most data-at-rest encryption. AES-128 and AES-256 are the most common key sizes.

RSA — Rivest-Shamir-Adleman

A public-key cryptography algorithm widely used for secure data transmission and digital signatures. RSA underlies most TLS certificate authentication and is the foundational algorithm for the PKI ecosystem. Modern best practice favors 2048-bit or larger keys.

TLS / SSL — Transport Layer Security / Secure Sockets Layer

Cryptographic protocols for securing communications over computer networks. TLS is the modern successor to SSL; current best practice is TLS 1.2 or 1.3, with TLS 1.0, 1.1, and all SSL versions considered deprecated. TLS is the foundation of HTTPS and most modern enterprise communications.

PKI — Public Key Infrastructure

The framework of policies, procedures, and technologies for managing digital certificates and public-key encryption. PKI is the foundation of TLS certificate authentication, code signing, email encryption (S/MIME), and many other enterprise security capabilities.

HSM — Hardware Security Module

A dedicated hardware device for storing cryptographic keys and performing cryptographic operations. HSMs are used in high-security environments to protect root certificate authority private keys, database master keys, and other high-value cryptographic material.

9. Roles and Functions

CISO — Chief Information Security Officer

The executive responsible for information security across an organization. The CISO role has evolved substantially since the 2023 SEC enforcement action against SolarWinds CISO Timothy Brown, which extended personal SEC enforcement liability to a sitting CISO and reshaped how the role is structured, compensated, and indemnified.

CIO — Chief Information Officer

The executive responsible for IT strategy and operations. The CIO and CISO relationship is the primary organizational interface for cybersecurity governance; some organizations have the CISO reporting to the CIO, others have the CISO reporting directly to the CEO or board for independence.

CSO — Chief Security Officer

The executive responsible for security in a broader sense than cybersecurity — encompassing physical security, executive protection, supply chain security, and sometimes information security. The CSO and CISO roles overlap in some organizations and are distinct in others.

CTO — Chief Technology Officer

The executive responsible for technology strategy and engineering. The CTO and CISO relationship is critical for embedding security into product development and engineering practice.

SOC — Security Operations Center

The team and facility responsible for continuous security monitoring and response. SOC analysts are typically organized into tiers (Tier 1 triage, Tier 2 investigation, Tier 3 threat hunting and engineering), and the SOC is the operational substrate for EDR, SIEM, SOAR, and threat intelligence work.

10. Vulnerability and Risk

CVE — Common Vulnerabilities and Exposures

A standardized identifier for publicly disclosed cybersecurity vulnerabilities, maintained by MITRE. Every major vulnerability — CVE-2017-5638 (Equifax / Apache Struts), CVE-2021-44228 (Log4Shell), CVE-2023-34362 (MOVEit) — has a CVE identifier that is the canonical reference across the security industry.

CVSS — Common Vulnerability Scoring System

The numerical scoring system (0-10) for rating the severity of CVEs. CVSS scores feed vulnerability prioritization in most enterprise vulnerability management programs, though increasingly augmented by exploitability data (CISA's KEV catalog) and contextual risk scoring.

CWE — Common Weakness Enumeration

A taxonomy of software and hardware weakness types that may produce vulnerabilities. CWEs are the categories (e.g., CWE-79 Cross-Site Scripting); CVEs are specific instances within those categories. The OWASP Top 10 web application risks map to specific CWEs.

VAPT — Vulnerability Assessment and Penetration Testing

The combined discipline of identifying weaknesses (vulnerability assessment) and simulating attacks against them (penetration testing). VAPT is a frequent procurement category in mid-market cybersecurity services contracts.

11. Email Security and Anti-Fraud

BEC — Business Email Compromise

A category of attack that uses email impersonation to trick employees into making fraudulent payments, sharing credentials, or disclosing sensitive information. BEC produces the largest dollar losses in U.S. cybercrime reporting — the FBI's IC3 has reported BEC losses exceeding $50 billion cumulatively since tracking began. Read more about BEC.

DMARC / SPF / DKIM — Email Authentication Standards

The three email authentication standards that together prevent unauthorized senders from spoofing an organization's domain. SPF specifies authorized sending IPs; DKIM cryptographically signs outgoing messages; DMARC ties them together and instructs receiving servers on how to handle authentication failures. Combined deployment is foundational anti-phishing infrastructure and is now mandated by major email providers including Google and Microsoft.
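As an added example that is not part of the original article, the following Python models the receiver-side check the paragraph above describes: it parses a DMARC record, tests whether the SPF and DKIM results align with the visible From domain, and returns the disposition (none, quarantine, reject) the domain owner's policy requests on failure. The record, domain names, and authentication results are constructed placeholders, and the organizational-domain helper is a simplification of the Public Suffix List lookup that production receivers perform.

```python
from dataclasses import dataclass

# Constructed sample record, as a receiver would fetch it from the TXT record
# at _dmarc.example.com (example.com is a placeholder, not a real deployment).
EXAMPLE_RECORD = "v=DMARC1; p=reject; sp=quarantine; adkim=s; aspf=r; pct=100; rua=mailto:dmarc@example.com"


def parse_dmarc_record(txt):
    """Parse 'v=DMARC1; p=reject; ...' into a tag dict, applying RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        key, _, value = part.strip().partition("=")
        if key:
            tags[key.lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record: v=DMARC1 and p= are required")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment by default
    tags.setdefault("aspf", "r")    # relaxed SPF alignment by default
    tags.setdefault("pct", "100")   # policy applies to all mail by default
    return tags


def organizational_domain(domain):
    """Approximate the organizational domain as the last two labels.

    Constructed simplification: production receivers consult the Public Suffix
    List so that mail.example.co.uk maps to example.co.uk rather than co.uk.
    """
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain, from_domain, mode):
    """Strict ('s') alignment needs an exact match; relaxed ('r') matches org domains."""
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return organizational_domain(auth_domain) == organizational_domain(from_domain)


@dataclass
class AuthResults:
    """What the SPF and DKIM checks produced for one message (constructed inputs)."""
    from_domain: str    # domain in the RFC5322.From header, what the recipient sees
    spf_result: str     # "pass", "fail" or "none"
    spf_domain: str     # RFC5321.MailFrom (envelope) domain SPF was evaluated for
    dkim_result: str    # "pass", "fail" or "none"
    dkim_domain: str    # d= tag of the DKIM signature that verified, or ""


def evaluate_dmarc(record_txt, r):
    """Return the DMARC verdict and the disposition the receiver should apply."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = r.spf_result == "pass" and aligned(r.spf_domain, r.from_domain, policy["aspf"])
    dkim_ok = r.dkim_result == "pass" and aligned(r.dkim_domain, r.from_domain, policy["adkim"])
    passed = spf_ok or dkim_ok
    # Records live at the organizational domain; sp= (if present) governs subdomains.
    is_subdomain = r.from_domain.lower() != organizational_domain(r.from_domain)
    requested = policy.get("sp", policy["p"]) if is_subdomain else policy["p"]
    return {
        "pass": passed,
        "spf_aligned": spf_ok,
        "dkim_aligned": dkim_ok,
        "disposition": "none" if passed else requested,
    }


# Constructed message 1: a spoof. SPF passes for the sender's own envelope
# domain, but that domain is not aligned with the From header, and no DKIM
# signature for example.com exists, so DMARC fails and p=reject applies.
SPOOFED = AuthResults("example.com", "pass", "bulk-sender.invalid", "none", "")

# Constructed message 2: legitimate mail relayed by a third party. SPF cannot
# align, but the message carries a valid DKIM signature with d=example.com.
LEGITIMATE = AuthResults("example.com", "pass", "relay-provider.invalid", "pass", "example.com")

# Constructed message 3: failing mail from a subdomain, so sp=quarantine governs.
SUBDOMAIN_FAIL = AuthResults("news.example.com", "fail", "news.example.com", "fail", "")

if __name__ == "__main__":
    for name, msg in [("spoofed", SPOOFED), ("legitimate", LEGITIMATE), ("subdomain", SUBDOMAIN_FAIL)]:
        print(name, evaluate_dmarc(EXAMPLE_RECORD, msg))
```

The second message shows why DMARC needs DKIM as well as SPF: mail sent through a third-party relay can never produce an aligned SPF result, so a DKIM signature under the organization's own domain is what keeps legitimate mail deliverable once p=reject is published.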

Frequently asked questions

What's the difference between EDR, XDR, and MDR?

EDR is the endpoint detection technology. XDR extends that detection across multiple data sources (endpoint, network, identity, email, cloud). MDR is the outsourced service operating EDR or XDR on behalf of a customer. EDR and XDR are tools; MDR is a service.

What's the difference between MFA and 2FA?

2FA requires exactly two factors of authentication; MFA requires two or more. All 2FA is MFA, but MFA can include three or more factors. The terms are often used interchangeably; "MFA" is the more current and broader term.

What's the difference between RTO and RPO?

RTO is how long you can be down before resuming operations; RPO is how much data you can afford to lose. RTO is measured forward from the disruption to recovery; RPO is measured backward from the disruption to the last clean backup. Both feed disaster recovery architecture decisions.

What's the difference between SOC 2 and ISO 27001?

SOC 2 is an audit report on controls, with U.S. origin and AICPA backing; ISO 27001 is a certification on a management system, with international origin and ISO backing. SOC 2 dominates U.S. B2B SaaS procurement; ISO 27001 dominates European and international enterprise procurement. Many SaaS providers maintain both.

What's the difference between IDS and IPS?

IDS (Intrusion Detection System) detects and alerts; IPS (Intrusion Prevention System) detects and blocks. The distinction has largely faded as both functions have been absorbed into modern next-generation firewalls and XDR platforms.

What's the difference between CISO and CSO?

CISO is specifically responsible for information security; CSO has a broader portfolio that includes physical security, executive protection, and sometimes supply chain. Some organizations have one combined role; others have both.

What's the difference between APT and ransomware groups?

APT typically refers to state-sponsored adversaries with sustained access goals; ransomware groups typically refer to financially motivated criminal organizations. The distinction has blurred as some APT actors have adopted ransomware tactics (DPRK Lazarus Group's BlueNoroff campaigns) and as some criminal ransomware groups have developed APT-grade tradecraft.

Conclusion

This glossary is a working reference, not a comprehensive treatise. Each acronym above represents an established discipline with its own depth; the definitions here are intended as on-ramps to the longer-form content in the Cloudskope Cybersecurity 101 library. The acronyms that matter most for board governance and executive practice in 2026 are MFA, EDR, MDR, RTO, RPO, NIST CSF, SOC 2, ZTNA, and BCDR — these are the terms regulators, sectoral examiners, and large-enterprise buyers expect to be understood across the executive team, not delegated to the CISO function.

CLOUDSKOPE VIEW

Cloudskope provides executive and board-level cybersecurity advisory — translating the acronyms in this glossary into operational priorities, vendor procurement decisions, and audit-defensible governance. Get in touch (/contact) to discuss how we can help your organization make sense of the cybersecurity landscape.