Cybersecurity Acronyms Glossary: 60+ Essential Terms Defined

Dipan Mann
Founder, CEO & CTO
May 10, 2026
15 minute read

From MFA and EDR to SOC 2 and MITRE ATT&CK — a comprehensive glossary of the 60-plus cybersecurity acronyms every executive, board member, and practitioner should understand.

Cybersecurity has accumulated more acronyms than perhaps any other technical discipline. Even seasoned practitioners regularly encounter unfamiliar abbreviations in vendor pitches, regulatory documents, and threat intelligence reports. This glossary covers the 60-plus acronyms you are most likely to encounter in modern cybersecurity work, organized by category and linked to deeper explanations where available.

For each acronym we provide the full expansion, a working definition, and the operational context in which the term is most commonly used. Many entries link to Cloudskope's full Cybersecurity 101 articles for the topics that warrant a deeper explanation than this glossary can provide.

Authentication and Access Management

MFA — Multi-Factor Authentication

A login process that requires two or more verification methods — typically something you know (password), something you have (phone, token), and/or something you are (biometric). The single most effective control against credential-stuffing and phishing attacks. Learn more →

2FA — Two-Factor Authentication

A subset of MFA requiring exactly two verification factors. Often used interchangeably with MFA in consumer contexts, though MFA can include three or more factors.

SSO — Single Sign-On

An authentication method that allows users to access multiple applications with one set of credentials. Reduces password fatigue and centralizes authentication governance. Learn more →

IAM — Identity and Access Management

The discipline of managing user identities and the resources they can access. Modern IAM systems handle provisioning, authentication, authorization, and auditing across cloud and on-premise systems. Learn more →

PAM — Privileged Access Management

Specialized IAM for accounts with elevated privileges (administrators, service accounts, root). PAM solutions provide vaulting, session recording, just-in-time access, and credential rotation.

RBAC — Role-Based Access Control

Permission model that assigns access based on the user's role rather than individual identity. Simplifies governance but can lead to role explosion in complex organizations.

ZTNA — Zero Trust Network Access

Access framework that treats every connection as untrusted regardless of network location. Each access request is authenticated, authorized, and continuously evaluated. Learn more →

OAuth — Open Authorization

Industry-standard protocol for delegated access that allows third-party applications to access user data without sharing passwords. Powers most 'Sign in with...' integrations.

OIDC — OpenID Connect

Authentication protocol built on top of OAuth 2.0 that adds identity verification. The modern standard for federated authentication in SaaS environments.

SAML — Security Assertion Markup Language

XML-based protocol for exchanging authentication and authorization data between identity providers and service providers. Common in enterprise SSO deployments.

Threats and Attacks

APT — Advanced Persistent Threat

Sophisticated, typically state-sponsored attackers who maintain long-term unauthorized access to networks. Examples include APT29 (Russian SVR), APT41 (Chinese MSS), and the Lazarus Group (North Korea).

BEC — Business Email Compromise

Financial fraud scheme that uses compromised or spoofed business email accounts to trick employees into wire transfers or sensitive data disclosure. The FBI ranks BEC as the costliest cybercrime category — over $50 billion in cumulative losses since 2013. Learn more →

DDoS — Distributed Denial of Service

Attack that overwhelms a target system with traffic from many compromised sources, rendering it unavailable. Often used as cover for other attacks or as extortion leverage.

MITM — Man-in-the-Middle

Attack pattern where an attacker secretly intercepts and potentially alters communications between two parties. Common in unsecured Wi-Fi environments and during certificate validation failures.

SQLi — SQL Injection

Web application vulnerability where attacker-supplied data is interpreted as database commands. The MOVEit Transfer breach exploited a SQL injection vulnerability to compromise hundreds of organizations.

XSS — Cross-Site Scripting

Web vulnerability where attackers inject malicious scripts into pages viewed by other users. Used for session hijacking, credential theft, and malware distribution.

CSRF — Cross-Site Request Forgery

Attack that tricks authenticated users into performing unwanted actions on a web application. Mitigated by CSRF tokens and SameSite cookies.

RCE — Remote Code Execution

Vulnerability that allows attackers to execute arbitrary code on a target system from a remote location. The most severe vulnerability category — Log4Shell and Citrix Bleed are recent examples.

RAT — Remote Access Trojan

Malware that gives attackers ongoing remote control of an infected system. Often the persistence mechanism after initial compromise.

C2 — Command and Control

Infrastructure that attackers use to communicate with and direct compromised systems. Disrupting C2 channels is a primary objective of incident response.

IOC — Indicator of Compromise

Forensic evidence of a security breach — typically IP addresses, file hashes, domain names, or registry keys. Threat intelligence feeds distribute IOCs to enable detection.

TTP — Tactics, Techniques, and Procedures

Framework for describing attacker behavior at three levels: the broad approach (tactics), the methods (techniques), and the specific implementations (procedures). MITRE ATT&CK is the dominant TTP catalog.

💡 Key Insight

Cybersecurity has accumulated more acronyms than perhaps any other technical discipline. The skill is not memorizing them all — it's quickly placing each in the right category.

Defenses and Security Operations

EDR — Endpoint Detection and Response

Security tooling that monitors endpoints (laptops, servers, workstations) for suspicious behavior and enables investigation and response. The successor to traditional antivirus. Learn more →

XDR — Extended Detection and Response

Security platform that correlates telemetry across endpoints, networks, cloud, identity, and email for unified detection and response. Extends EDR beyond just endpoints.

MDR — Managed Detection and Response

Outsourced security operations service that combines technology, threat intelligence, and human analysts to detect and respond to threats 24/7. Common for organizations without an internal SOC. Learn more →

SIEM — Security Information and Event Management

Platform that aggregates, correlates, and analyzes log data from across the IT environment for security monitoring and compliance reporting. Foundation of most security operations centers. Learn more →

SOAR — Security Orchestration, Automation, and Response

Tooling that automates security workflows — alert triage, enrichment, containment actions — to reduce analyst workload and response time. Often layered on top of SIEM.

SOC — Security Operations Center

The team and infrastructure responsible for detecting, investigating, and responding to cybersecurity incidents. Can be internal, outsourced (MDR), or hybrid. Learn more →

WAF — Web Application Firewall

Security device that filters and monitors HTTP traffic between web applications and the internet. Protects against application-layer attacks like SQL injection and XSS.

IDS / IPS — Intrusion Detection / Prevention System

Network security technologies that monitor for malicious activity. IDS alerts; IPS blocks. Largely subsumed by modern NGFW and EDR/XDR platforms.

NGFW — Next-Generation Firewall

Firewall that combines traditional packet filtering with application awareness, intrusion prevention, and threat intelligence integration. Standard for modern network perimeter.

DLP — Data Loss Prevention

Technology and processes that detect and prevent unauthorized transmission of sensitive data. Critical for protecting PII, PHI, and intellectual property. Learn more →

CASB — Cloud Access Security Broker

Security control point that enforces enterprise policies between users and cloud service providers, giving visibility, threat protection, compliance enforcement, and data security across SaaS applications.

CSPM — Cloud Security Posture Management

Tooling that continuously assesses cloud environments for misconfigurations and compliance violations. The control that would have caught the Capital One AWS misconfiguration.

CNAPP — Cloud-Native Application Protection Platform

Integrated platform combining CSPM, CWPP, and container/Kubernetes security for comprehensive cloud workload protection.

CWPP — Cloud Workload Protection Platform

Security platform for protecting workloads running in cloud environments — VMs, containers, and serverless functions.

ASPM — Application Security Posture Management

Tooling that provides visibility and prioritization across application security findings from multiple tools — SAST, DAST, SCA, and runtime analysis.

Frameworks and Compliance

NIST — National Institute of Standards and Technology

U.S. federal agency that publishes widely-adopted cybersecurity frameworks including the NIST Cybersecurity Framework (CSF), NIST 800-53, and NIST 800-207 (Zero Trust Architecture).

ISO 27001 — International Organization for Standardization 27001

International standard for information security management systems. Certification is required by many enterprise buyers and indicates mature security governance.

SOC 2 — System and Organization Controls 2

AICPA audit framework that evaluates security, availability, processing integrity, confidentiality, and privacy controls. Standard requirement for SaaS vendors selling to enterprises. Learn more →

PCI DSS — Payment Card Industry Data Security Standard

Mandatory security standard for organizations that handle payment card data. The Target breach is the foundational case for PCI DSS enforcement scope.

HIPAA — Health Insurance Portability and Accountability Act

U.S. law that regulates the privacy and security of protected health information. Change Healthcare and Ascension breaches are recent HIPAA enforcement reference points. Learn more →

GDPR — General Data Protection Regulation

European Union regulation governing data privacy. Article 25 requires data protection by design; Article 32 requires appropriate security measures; fines can reach 4% of global annual turnover. Learn more →

CCPA / CPRA — California Consumer Privacy Act / California Privacy Rights Act

California state privacy laws establishing consumer rights to know, delete, and opt out of sale of personal information. The template for the U.S. state-by-state privacy law cascade.

FedRAMP — Federal Risk and Authorization Management Program

Standardized cybersecurity authorization framework for cloud services used by U.S. federal government agencies. FedRAMP authorization is a prerequisite for selling cloud services to federal customers.

CIS — Center for Internet Security

Nonprofit that publishes the widely-adopted CIS Controls (formerly SANS Top 20) and CIS Benchmarks for system hardening. Popular as a practical security baseline for organizations of all sizes.

MITRE ATT&CK — MITRE Adversarial Tactics, Techniques, and Common Knowledge

Globally accessible knowledge base of adversary tactics and techniques. The dominant framework for organizing threat intelligence, red team engagements, and detection coverage.

CMMC — Cybersecurity Maturity Model Certification

DoD-mandated cybersecurity certification program for defense contractors and subcontractors. Required for organizations handling Controlled Unclassified Information.

Cryptography and Data Protection

AES — Advanced Encryption Standard

Symmetric encryption algorithm adopted by the U.S. government as the cryptographic standard. AES-128, AES-192, and AES-256 are widely deployed for data-at-rest encryption. Learn more →

RSA — Rivest-Shamir-Adleman

Asymmetric public-key cryptography algorithm used for digital signatures, key exchange, and encryption. Foundational to TLS and most internet-scale security.

ECC — Elliptic Curve Cryptography

Public-key cryptography based on elliptic curves over finite fields. Provides equivalent security to RSA with much smaller key sizes, making it efficient for mobile and IoT.

SHA — Secure Hash Algorithm

Family of cryptographic hash functions published by NIST. SHA-256 and SHA-512 are widely used; SHA-1 is deprecated due to known weaknesses.

TLS / SSL — Transport Layer Security / Secure Sockets Layer

Cryptographic protocols that secure communication over computer networks. TLS 1.3 is current; SSL and earlier TLS versions are deprecated.

PKI — Public Key Infrastructure

System for managing digital certificates and public-key encryption. Enables trusted authentication and encryption at scale across organizations and the internet.

HSM — Hardware Security Module

Dedicated physical computing device that safeguards and manages cryptographic keys. Common in PCI DSS environments and high-security workloads.

KMS — Key Management Service

Service for creating, storing, rotating, and controlling access to cryptographic keys. Cloud KMS offerings (AWS KMS, Azure Key Vault, Google Cloud KMS) are standard for cloud workloads.

Network and Infrastructure

VPN — Virtual Private Network

Encrypted network connection that extends a private network across a public network. Legacy VPNs are increasingly being replaced by ZTNA architectures.

DNS — Domain Name System

Hierarchical naming system that translates domain names to IP addresses. A critical attack surface — DNS hijacking, DNS tunneling, and DNS-based exfiltration are common attack patterns.

VLAN — Virtual Local Area Network

Logical network segmentation within a physical network. Foundation of network segmentation strategies that limit lateral movement after compromise. Learn more →

SDN — Software-Defined Networking

Network architecture that separates the control plane from the data plane, enabling programmatic management of network behavior. Foundation of modern cloud networking.

IPSec — Internet Protocol Security

Suite of protocols for securing IP communications by authenticating and encrypting each packet. Used in VPNs and secure site-to-site connections.

Cloud and Architecture

SaaS / PaaS / IaaS — Software / Platform / Infrastructure as a Service

Cloud service models. SaaS delivers complete applications; PaaS provides development platforms; IaaS provides virtualized infrastructure. Each model splits security responsibility between the provider and the customer differently.

IaC — Infrastructure as Code

Practice of managing infrastructure through machine-readable definition files (Terraform, CloudFormation, Pulumi). Enables consistent, version-controlled, auditable infrastructure deployment.

CI/CD — Continuous Integration / Continuous Deployment

Software engineering practice of frequently integrating code changes and automatically deploying them. Critical attack surface — supply chain attacks frequently target CI/CD pipelines.

API — Application Programming Interface

Defined interface that allows software components to communicate. Modern application security increasingly centers on API security — the Facebook/Cambridge Analytica case is the canonical API-governance precedent.

Governance and Operations

CISO — Chief Information Security Officer

Senior executive responsible for an organization's information and cybersecurity strategy. Following the SolarWinds SEC charges, CISOs face increasing personal accountability for security disclosures.

BCP / DRP — Business Continuity Planning / Disaster Recovery Planning

Frameworks for maintaining or restoring operations during and after disruptive events. Increasingly critical given ransomware-driven operational outages.

RTO / RPO — Recovery Time Objective / Recovery Point Objective

Disaster recovery metrics. RTO is the maximum acceptable downtime; RPO is the maximum acceptable data loss, measured as a span of time. Together they drive backup and replication architecture decisions.

MTTR / MTTD — Mean Time to Respond / Mean Time to Detect

Operational security metrics. MTTD measures how long threats remain undetected; MTTR measures how long incidents take to contain. Lower is better — the largest breaches share multi-year MTTD.

IR — Incident Response

The structured process of preparing for, detecting, containing, eradicating, and recovering from cybersecurity incidents. NIST SP 800-61 is the canonical IR framework. Learn more →

Privacy and Data Categories

PII — Personally Identifiable Information

Any data that can identify an individual — names, Social Security numbers, addresses, biometrics. The primary data category protected by U.S. privacy laws and GDPR.

PHI — Protected Health Information

Health information protected under HIPAA. Treated more strictly than general PII due to its sensitivity and the harms its exposure can enable.

DPO — Data Protection Officer

GDPR-required role for organizations processing large volumes of personal data or sensitive categories. The DPO oversees data protection compliance and is the point of contact with supervisory authorities.

Vulnerabilities and Threat Intelligence

CVE — Common Vulnerabilities and Exposures

Standardized identifiers for publicly known cybersecurity vulnerabilities. The Citrix Bleed vulnerability that affected Comcast is tracked as CVE-2023-4966; MOVEit as CVE-2023-34362.

CVSS — Common Vulnerability Scoring System

Standardized framework for rating the severity of CVEs on a 0.0-10.0 scale. CVSS 9.0+ vulnerabilities are typically considered critical and require expedited patching.

NVD — National Vulnerability Database

U.S. government repository of standards-based vulnerability management data. The authoritative reference for CVE details and CVSS scores.

OWASP — Open Web Application Security Project

Nonprofit that publishes the widely-referenced OWASP Top 10 list of web application security risks and many other security resources.

CISA — Cybersecurity and Infrastructure Security Agency

U.S. federal agency responsible for civilian cybersecurity, infrastructure security, and emergency communications. Publishes alerts, advisories, and the Known Exploited Vulnerabilities (KEV) catalog.

How to use this glossary

Cybersecurity acronyms exist on a sliding scale of specificity. Some — MFA, EDR, SIEM, CVE — are foundational vocabulary that every IT professional should know. Others — CASB, CSPM, ASPM, CWPP, CNAPP — are vendor-category labels that map to specific product purchase decisions. A third group — APT, IOC, TTP, MITRE ATT&CK — is the language of threat intelligence and incident response.

For board members and executives without technical security backgrounds, the priority acronyms are the governance and outcome categories: MFA (the single most effective security control), SIEM/EDR/SOC (the operational detection capability), MITRE ATT&CK (the threat framework), and the major regulatory frameworks (NIST CSF, SOC 2, HIPAA, GDPR, PCI DSS). Understanding these acronyms is sufficient to follow most security briefings and to ask the right questions about an organization's security posture.

For practitioners, the operational acronyms — IOC, TTP, IAM, PAM, CVE/CVSS, CASB, CSPM — are the working vocabulary that translates organizational security goals into specific technical implementations. Familiarity with the MITRE ATT&CK framework in particular has become an expected baseline for security analysts, threat intelligence professionals, and incident responders.

Acronyms that frequently confuse

MFA versus 2FA

Multi-Factor Authentication is the broader category; Two-Factor Authentication is a specific type of MFA requiring exactly two factors. In casual usage the terms are often used interchangeably, but in technical specifications MFA may require three or more factors.

EDR versus XDR versus MDR

EDR is endpoint-focused tooling; XDR extends detection across endpoints, network, cloud, identity, and email; MDR is a service model where an external team operates the detection capability. The distinctions matter for vendor evaluation: an organization choosing between EDR products is in a different decision than an organization deciding whether to adopt MDR as a service.

SIEM versus SOAR

SIEM aggregates and correlates log data for detection and investigation; SOAR automates the response workflows that follow detection. Modern security platforms often combine both into a single offering, but the underlying functions remain distinct.

IDS versus IPS versus WAF

IDS detects intrusions; IPS detects and blocks them; WAF specifically protects web applications. Modern next-generation firewalls (NGFWs) and cloud security platforms typically include all three capabilities, but the legacy product categories persist in compliance frameworks and vendor positioning.

SAML versus OIDC versus OAuth

OAuth is an authorization protocol (granting access); OIDC is an authentication layer built on OAuth (verifying identity); SAML is an older XML-based authentication protocol still common in enterprise SSO. OIDC is the modern preferred standard; SAML remains widespread in enterprise deployments.

FAQ

How many cybersecurity acronyms are there?

Hundreds. The acronyms in this glossary are the most commonly encountered, but the broader cybersecurity domain — including specialized fields like industrial control systems security, applied cryptography, secure software development, and threat intelligence — uses thousands of additional abbreviations. Most working practitioners regularly encounter unfamiliar acronyms; the skill is in quickly placing them in the right category rather than memorizing them all.

What is the most important cybersecurity acronym to understand?

For most organizations, MFA is the single highest-leverage control. The breaches in our 30 Biggest Data Breaches ranking that traced to missing MFA include JPMorgan Chase, the Snowflake customer campaign, LastPass, and several others. The next tier of priority acronyms are EDR (or XDR/MDR), SIEM, IAM, and the relevant regulatory framework for your industry.

What does CISO stand for and what do they do?

CISO stands for Chief Information Security Officer. The CISO is the senior executive responsible for an organization's information and cybersecurity strategy. Following the SEC's 2023 charges against the SolarWinds CISO for fraud related to security disclosures, the CISO role has become a position of significant personal accountability — sitting CISOs at public companies now face direct enforcement exposure for cybersecurity disclosures and security program representations.

What is MITRE ATT&CK?

MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques. It is the dominant framework for organizing threat intelligence, red team engagements, and detection coverage. The framework is published and maintained by MITRE Corporation, a nonprofit federally funded research and development center.

What is the difference between a CVE and a CVSS score?

A CVE is a standardized identifier for a specific publicly known vulnerability (for example, CVE-2023-4966 is the identifier for Citrix Bleed). A CVSS score is a 0.0-10.0 rating of the vulnerability's severity. Most security operations programs prioritize remediation based on CVSS scores combined with whether the CVE appears on CISA's Known Exploited Vulnerabilities (KEV) catalog — vulnerabilities that are both critical-severity and actively exploited in the wild.
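The prioritization rule described in this answer (CVSS severity band combined with CISA KEV membership), as an added example that is not part of the original post. It assumes the KEV catalog is available locally as a set of CVE IDs and adds a constructed internet-exposure flag as a tie-breaker; the CVSS scores and the CVE-2099-* identifiers are constructed sample values, not data from the page.

```python
from dataclasses import dataclass

# Constructed stand-in for CISA's KEV catalog: in practice load the IDs from the
# published KEV feed. The two 2023 IDs are the ones this glossary names; the
# 2099 ID is a constructed placeholder.
KEV_CATALOG = {"CVE-2023-4966", "CVE-2023-34362", "CVE-2099-00003"}

# CVSS v3 qualitative severity bands, ordered from most to least urgent.
BAND_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3, "none": 4}


def cvss_band(score: float) -> str:
    """Map a CVSS v3 base score onto its qualitative severity rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"  # 9.0 to 10.0, the band the glossary calls critical


@dataclass(frozen=True)
class Finding:
    cve_id: str
    cvss: float             # base score; take the real value from NVD
    internet_exposed: bool  # constructed asset attribute used as a tie-breaker


def priority_key(f: Finding, kev: set = KEV_CATALOG) -> tuple:
    """Sort key: KEV membership first, then severity band, then exposure, then raw score."""
    in_kev = f.cve_id in kev
    return (
        0 if in_kev else 1,
        BAND_ORDER[cvss_band(f.cvss)],
        0 if f.internet_exposed else 1,
        -f.cvss,
    )


def prioritize(findings: list, kev: set = KEV_CATALOG) -> list:
    """Return CVE IDs in the order they should be remediated."""
    return [f.cve_id for f in sorted(findings, key=lambda f: priority_key(f, kev))]


def explain(f: Finding, kev: set = KEV_CATALOG) -> str:
    """One-line justification an analyst can paste into a remediation ticket."""
    band = cvss_band(f.cvss)
    if f.cve_id in kev:
        return f"{f.cve_id}: {band} severity and listed in CISA KEV (actively exploited) - patch first"
    return f"{f.cve_id}: {band} severity, not known to be exploited - schedule by band"


# Constructed scanner output. Scores for the two real CVEs are illustrative only.
SAMPLE_FINDINGS = [
    Finding("CVE-2099-00001", 9.8, False),  # constructed: critical but not in KEV, internal host
    Finding("CVE-2023-4966", 9.4, True),    # Citrix Bleed, in KEV, internet-facing
    Finding("CVE-2099-00002", 6.5, True),   # constructed: medium, not in KEV
    Finding("CVE-2023-34362", 9.8, True),   # MOVEit, in KEV, internet-facing
    Finding("CVE-2099-00003", 7.2, True),   # constructed: high and in KEV
]

if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=priority_key):
        print(explain(f))
```

Note that the constructed high-severity KEV entry outranks the critical-severity finding that is not in KEV, which is the point of combining the two signals.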

Why do compliance frameworks use so many acronyms?

Compliance frameworks accumulate acronyms because they are typically published by standards bodies (NIST, ISO, AICPA) or regulators (HHS, FTC, state attorneys general) that need precise references to specific control sets, control families, and procedural requirements. The proliferation is annoying but unavoidable — the precision is necessary for legal enforceability and for unambiguous certification.

Conclusion

The acronyms change but the principles do not: foundational controls, disciplined operations, and clear governance remain the consistent answers to evolving threats.

CLOUDSKOPE VIEW

Cloudskope's Cyber Risk Assessment translates the acronyms into a clear picture of where your organization stands on each control category — and where the highest-leverage investments would be.
