Incident Command Platform

Cyber Incident Response Glossary

Plain-English definitions of the terms that show up in incident command, regulatory notification, and after-action reporting.

AAR — After-Action Review
A structured post-incident document that captures what happened, what worked, what failed, and what the organization will change. See the AAR template.
BEC — Business Email Compromise
A form of targeted social engineering where an attacker impersonates an executive or vendor to redirect payments. Frequently triggers both fraud and breach notification analysis.
CIRM — Cyber Incident Response Management
The Gartner-recognized software category for platforms that coordinate the human side of cyber incident response. See What is CIRM?
Defensible Record
An incident event ledger that can be presented to regulators, auditors, or plaintiffs with confidence that it has not been modified after the fact. See The Defensible Record.
DFIR — Digital Forensics and Incident Response
The discipline and firms that perform forensic investigation and technical response during a cyber incident. Often engaged through outside counsel for privilege.
DPA — Data Protection Authority
The EU supervisory authority that enforces the GDPR. Each member state has its own.
EDPB — European Data Protection Board
The EU body that publishes binding guidance on the GDPR, including Guidelines 9/2022 on personal data breach notification.
Eradication
The NIST 800-61 phase in which the adversary's persistence mechanisms are removed from affected systems. Not the same as recovery.
Hash Chain
A sequence of records where each record's cryptographic hash incorporates the previous record's hash, making post-hoc modification detectable.
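As an added illustration (not code from the original page or from the platform it describes), here is a minimal hash-chained incident ledger in Python: append_record links each scribe entry to the previous record's hash, verify_chain recomputes every link, and rewrite_record shows why the head hash must also be anchored outside the ledger. All function names and the sample entries are constructed for this example.

```python
import hashlib
import json

GENESIS_HASH = "0" * 64  # marker for "no previous record"

def record_hash(seq, prev_hash, entry):
    # Canonical JSON (sorted keys, no whitespace) so equal content always hashes equally
    payload = {"seq": seq, "prev_hash": prev_hash, "entry": entry}
    data = json.dumps(payload, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(data).hexdigest()

def append_record(ledger, entry):
    # Each new record's hash covers the previous record's hash (the chain link)
    seq, prev_hash = len(ledger), (ledger[-1]["hash"] if ledger else GENESIS_HASH)
    rec = {"seq": seq, "prev_hash": prev_hash, "entry": entry,
           "hash": record_hash(seq, prev_hash, entry)}
    ledger.append(rec)
    return rec

def verify_chain(ledger, anchored_head=None):
    """Return (ok, first_bad_seq) after recomputing every hash and link in order.
    anchored_head is the last hash kept where the ledger writer cannot change it
    (e.g. sent to counsel); without it the chain proves only internal consistency."""
    expected_prev = GENESIS_HASH
    for i, rec in enumerate(ledger):
        if rec["seq"] != i or rec["prev_hash"] != expected_prev:
            return False, i
        if rec["hash"] != record_hash(i, rec["prev_hash"], rec["entry"]):
            return False, i
        expected_prev = rec["hash"]
    if anchored_head is not None and expected_prev != anchored_head:
        return False, max(len(ledger) - 1, 0)
    return True, None

def build_sample_ledger():
    # Constructed sample scribe entries, not real incident data
    ledger = []
    append_record(ledger, {"ts": "2024-03-01T09:12Z", "actor": "IC", "event": "Incident declared, sev 2"})
    append_record(ledger, {"ts": "2024-03-01T09:40Z", "actor": "Scribe", "event": "Counsel engaged DFIR"})
    append_record(ledger, {"ts": "2024-03-01T14:05Z", "actor": "IC", "event": "Materiality review set"})
    return ledger

def rewrite_record(ledger, seq, new_event):
    # Alter one entry after the fact and recompute later hashes: the copy stays internally
    # consistent, which is why the head hash must be anchored outside the ledger
    edited = json.loads(json.dumps(ledger))  # deep copy; the original is left untouched
    edited[seq]["entry"]["event"] = new_event
    for i in range(seq, len(edited)):
        edited[i]["prev_hash"] = edited[i - 1]["hash"] if i else GENESIS_HASH
        edited[i]["hash"] = record_hash(i, edited[i]["prev_hash"], edited[i]["entry"])
    return edited
```

A direct in-place edit of any entry fails verify_chain at that record's sequence number; a rewritten chain passes on its own and is caught only when the anchored head hash is supplied.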
IC — Incident Commander
The single named person with decision authority during an incident. See Incident Command Roles.
Item 1.05
The SEC Form 8-K item that requires disclosure of material cybersecurity incidents within four business days of materiality determination. See SEC 96-Hour Notification.
Materiality
The federal securities law standard for disclosure. A fact is material if a reasonable investor would consider it important to an investment decision.
MTTD / MTTR
Mean Time to Detect and Mean Time to Respond. Two of the most-tracked IR metrics.
NIST 800-61
The NIST Special Publication that defines the canonical six-phase incident response lifecycle: Preparation, Detection and Analysis, Containment, Eradication, Recovery, and Post-Incident Activity. See the playbook.
OFAC
The U.S. Treasury's Office of Foreign Assets Control. Enforces sanctions that constrain ransomware payment decisions.
Privilege
Attorney-client privilege and attorney work-product doctrine, applied to incident response when forensics are engaged by outside counsel.
RPO / RTO
Recovery Point Objective and Recovery Time Objective. The maximum acceptable data loss and downtime.
Scribe
The dedicated role that records every decision, notification, and handoff in the defensible record. See Incident Command Roles.
SIEM
Security Information and Event Management. Aggregates and correlates log and telemetry data to detect security events.
SOAR
Security Orchestration, Automation, and Response. Automates technical playbook steps and alert enrichment. Complementary to, not a replacement for, CIRM.
Tabletop Exercise
A facilitated discussion-based exercise where participants work through a simulated incident scenario. See how to run a C-Suite tabletop.
Tenant Isolation
Architectural separation that keeps each customer's data isolated from every other customer's in a multi-tenant SaaS platform. In IR-OS, enforced via Postgres row-level security.