Incident Command Platform

Cyber Incident Response Glossary

Plain-English definitions of the terms that show up in incident command, regulatory notification, and after-action reporting.

AAR - After-Action Review
A structured post-incident document that captures what happened, what worked, what failed, and what the organization will change. See the AAR template.
APT - Advanced Persistent Threat
A sophisticated, sustained cyberattack campaign conducted by a well-resourced adversary, typically a nation-state or state-sponsored group, pursuing specific strategic objectives.
BCP - Business Continuity Plan
A documented strategy outlining how an organization will continue operating essential business functions during and after a significant disruption.
BEC - Business Email Compromise
A targeted social engineering attack in which an adversary impersonates an executive, vendor, or counterparty, usually from a spoofed or compromised mailbox, to redirect payments or payroll. BEC is consistently among the highest-loss categories in the FBI IC3 annual reports.
Breach (Legal Definition)
The legal definition of breach (under GDPR, HIPAA, state law) is narrower than the technical usage and is what triggers notification obligations.
Chain of Custody
The documented chronological record of who collected, handled, transferred, analyzed, and stored digital evidence. Essential for legal admissibility.
CIRCIA - Cyber Incident Reporting for Critical Infrastructure Act
U.S. law enacted in 2022 requiring covered critical infrastructure entities to report substantial cyber incidents to CISA within 72 hours and ransom payments within 24 hours. The obligations are triggered only once CISA's implementing rule takes effect, so check the current rulemaking status before relying on these clocks.
CIRM - Cyber Incident Response Management
The Gartner-recognized software category for platforms that coordinate the human side of cyber incident response. See What is CIRM?
CISA - Cybersecurity and Infrastructure Security Agency
U.S. federal agency for civilian cybersecurity. Publishes the Known Exploited Vulnerabilities (KEV) catalog and administers CIRCIA reporting.
Containment - IR Phase
The NIST 800-61 phase in which the adversary's ability to expand the compromise is blocked. Distinct from eradication and recovery.
CVE - Common Vulnerabilities and Exposures
A standardized catalog of publicly disclosed cybersecurity vulnerabilities, each identified by a unique CVE ID. IDs are assigned by CVE Numbering Authorities (CNAs, including vendors and researchers) under the program operated by MITRE.
CVSS - Common Vulnerability Scoring System
An open framework for rating the severity of software vulnerabilities on a 0.0 to 10.0 scale based on exploitability and impact.
DDoS - Distributed Denial of Service
A cyberattack that disrupts availability by overwhelming a target with traffic from multiple distributed sources.
Defensible Record
An incident event ledger that withstands regulator, auditor, or plaintiff scrutiny. The defining property is that it cannot be modified after the fact undetected. See The Defensible Record.
DFIR - Digital Forensics and Incident Response
The discipline and firms that perform forensic investigation and technical response during a cyber incident. Often engaged through outside counsel for privilege.
DORA - Digital Operational Resilience Act
EU regulation 2022/2554 for the financial sector. Requires ICT risk management, incident reporting, and oversight of critical third-party providers. Applied 17 January 2025.
DPA - Data Protection Authority
The national supervisory authority that enforces the GDPR in an EU member state. Each member state has at least one; the lead authority for a cross-border breach is the one where the controller has its main establishment.
EDPB - European Data Protection Board
The EU body that ensures consistent application of the GDPR across member states. Its guidelines, including Guidelines 9/2022 on personal data breach notification, are authoritative but not legally binding on their own; regulators and courts rely on them heavily.
EDR - Endpoint Detection and Response
A security solution that provides continuous monitoring, threat detection, and automated response capabilities on endpoint devices.
Eradication - IR Phase
The NIST 800-61 phase in which the adversary's persistence mechanisms are removed from affected systems. Not the same as recovery.
Forensic Image / Disk Image
A bit-for-bit, sector-by-sector copy of a storage device that preserves all data including deleted files and slack space for forensic analysis.
Hash Chain
A sequence of records where each record's cryptographic hash incorporates the previous record's hash, making post-hoc modification detectable. The technical foundation of defensible records.
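An added example for the Defensible Record and Hash Chain entries above (illustrative code, not part of this page or any product): a minimal hash-chained event ledger with a verifier, plus two tampering attempts. The record layout, field names and scribe entries are all constructed for the example. The second attempt shows the caveat that matters in practice: an adversary who can rewrite the whole ledger can re-chain it after the edit, so tamper evidence depends on the chain head being anchored somewhere the writer cannot reach (sent to outside counsel, timestamped, or written to a separate append-only store).

```python
import copy
import hashlib
import json
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the very first record


def canonical(obj) -> bytes:
    # Deterministic serialization so key order and whitespace never change a hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


def record_hash(record: dict) -> str:
    # The hash covers seq, prev_hash and the entry; the stored "hash" field is excluded.
    body = {k: v for k, v in record.items() if k != "hash"}
    return hashlib.sha256(canonical(body)).hexdigest()


def append(ledger: list, entry: dict) -> dict:
    prev = ledger[-1]["hash"] if ledger else GENESIS
    record = {"seq": len(ledger), "prev_hash": prev, "entry": entry}
    record["hash"] = record_hash(record)
    ledger.append(record)
    return record


def verify(ledger: list, anchor: Optional[str] = None) -> tuple:
    # Walk the chain: every record must link to its predecessor and hash to its stored value.
    # If an externally stored head hash (anchor) is supplied, the current head must match it.
    prev = GENESIS
    for i, rec in enumerate(ledger):
        if rec["seq"] != i:
            return False, f"seq gap at {i}"
        if rec["prev_hash"] != prev:
            return False, f"broken link at seq {i}"
        if rec["hash"] != record_hash(rec):
            return False, f"hash mismatch at seq {i}"
        prev = rec["hash"]
    if anchor is not None and prev != anchor:
        return False, "head does not match external anchor"
    return True, "ok"


# Constructed sample scribe entries; not real incident data.
SAMPLE_ENTRIES = [
    {"ts": "2025-03-04T09:12:00Z", "actor": "IC", "event": "Incident declared, severity 2"},
    {"ts": "2025-03-04T09:40:00Z", "actor": "IC", "event": "Containment: host FS-07 isolated via EDR"},
    {"ts": "2025-03-04T10:05:00Z", "actor": "Legal", "event": "Outside counsel engaged; DFIR retained under counsel"},
    {"ts": "2025-03-04T11:30:00Z", "actor": "Legal", "event": "Cyber insurance first notice sent"},
]


def build_sample_ledger() -> list:
    ledger: list = []
    for entry in SAMPLE_ENTRIES:
        append(ledger, entry)
    return ledger


def tamper_in_place(ledger: list, seq: int, new_event: str) -> list:
    # Naive edit: change one entry and leave every hash as it was.
    forged = copy.deepcopy(ledger)
    forged[seq]["entry"]["event"] = new_event
    return forged


def tamper_and_rechain(ledger: list, seq: int, new_event: str) -> list:
    # Attacker with write access to the whole ledger: edit, then recompute every later link.
    forged = copy.deepcopy(ledger)
    forged[seq]["entry"]["event"] = new_event
    for i in range(seq, len(forged)):
        forged[i]["prev_hash"] = forged[i - 1]["hash"] if i else GENESIS
        forged[i]["hash"] = record_hash(forged[i])
    return forged


if __name__ == "__main__":
    ledger = build_sample_ledger()
    head = ledger[-1]["hash"]  # the anchor: store this outside the ledger as soon as it exists
    print("clean ledger:       ", verify(ledger))
    backdated = "Cyber insurance first notice sent 2025-03-04T09:15:00Z"
    print("edit, no rechain:   ", verify(tamper_in_place(ledger, 3, backdated)))
    rechained = tamper_and_rechain(ledger, 3, backdated)
    print("edit, rechained:    ", verify(rechained))         # chain alone cannot tell
    print("rechained vs anchor:", verify(rechained, head))   # external anchor catches it
```

The design point is that the chain converts tampering into a detectable inconsistency only relative to something the tamperer does not control. Anchoring the head hash at each notification milestone (and keeping those anchors with counsel or in a separate write-once store) is what turns a hash chain into a defensible record.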
Holding Statement
A pre-approved short communication that acknowledges awareness of an incident without committing to facts that may change. Essential when speed and accuracy conflict.
IC / IRC - Incident Commander
The single named person with decision authority during an incident. See Incident Command Roles.
ICS - Incident Command System
A standardized, hierarchical management framework for coordinating emergency response. Developed for U.S. wildfire response and standardized under FEMA's National Incident Management System (NIMS); its roles and span-of-control rules are adapted here for cybersecurity incidents.
Cyber Insurance First Notice
The formal notification to a cyber insurance carrier that an incident may give rise to a claim. Late notice is the most common reason for denied coverage.
IOC - Indicator of Compromise
An observable artifact such as a file hash, IP address, or domain name that provides evidence of a cybersecurity intrusion.
IR - Incident Response
The overall discipline of detecting, containing, and recovering from cyber incidents. See NIST SP 800-61 for the canonical lifecycle.
ISO/IEC 27035 - International IR Standard
The international standard for information security incident management. Part 1 (2023) covers principles; Part 2 (2023) planning; Part 3 (2020) ICT operations.
Item 1.05 - see SEC 8-K Item 1.05
The SEC Form 8-K item requiring disclosure of material cybersecurity incidents within four business days of materiality determination. See SEC 8-K Item 1.05.
Lateral Movement
The techniques adversaries use to move through a compromised network after gaining initial access, progressively accessing additional systems.
Materiality
The federal securities law standard for disclosure. A fact is material if a reasonable investor would consider it important to an investment decision. The trigger for SEC Item 1.05.
Materially Significant Cyber Incident
A cyber incident that crosses a regulatory reporting threshold: SEC materiality, a "significant incident" under NIS2, a "major ICT-related incident" under DORA, or a "substantial cyber incident" under CIRCIA. The terms and thresholds are not interchangeable, and each determination starts its own disclosure clock.
MITRE ATT&CK
Globally accessible knowledge base of adversary tactics and techniques based on real-world observations. The de facto reference for detection engineering and threat intel.
MITRE D3FEND
Knowledge graph of defensive countermeasures linked to specific MITRE ATT&CK techniques. The defensive counterpart to ATT&CK.
MTTC - Mean Time to Contain
The average elapsed time between detection and successful threat containment.
MTTD - Mean Time to Detect
The average elapsed time between when an incident begins and when it is detected.
MTTR - Mean Time to Respond/Recover
The average time from detection to full containment and recovery. The acronym is overloaded (respond, recover, repair, resolve), so a metrics program should define which end points it measures before reporting the number.
NIS2 Directive (EU 2022/2555)
EU cybersecurity directive requiring 24-hour early warning, 72-hour notification, and one-month final report for significant incidents at essential and important entities.
NIST SP 800-61 - Computer Security Incident Handling
The U.S. federal reference for cyber IR. Rev. 2 (2012) defined the four-phase lifecycle: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; Post-Incident Activity. The third phase is often split, giving the six-phase version used on this site. Rev. 3 (April 2025) reframes incident response around the NIST Cybersecurity Framework 2.0 functions rather than a standalone lifecycle. See the playbook.
OFAC - Office of Foreign Assets Control
U.S. Treasury sanctions agency. Ransomware payments to sanctioned persons or jurisdictions can violate U.S. law under strict-liability standards.
PCI DSS Requirement 12.10
PCI DSS requirement for entities handling cardholder data to maintain an incident response plan, designate response personnel, train annually, and test annually.
PFI - PCI Forensic Investigator
A firm qualified by the PCI SSC to perform forensic investigations of payment card data compromises. Required by card brand notification processes.
Phishing
A social engineering technique using deceptive messages to trick recipients into revealing credentials, installing malware, or performing harmful actions.
Playbook - Incident Response Playbook
A documented set of step-by-step procedures for handling specific types of cyber incidents. See the 2026 playbook.
Privilege Chain
Attorney-client privilege and work-product doctrine applied to incident response. Typically requires outside counsel to engage DFIR under a Kovel-style agreement, with the work directed by counsel for the purpose of legal advice. Courts have ordered DFIR reports produced where the engagement looked like ordinary business security work or continued a pre-incident retainer, so the structure has to be in place before the report exists.
Ransomware
Malware that encrypts data and demands payment for decryption. Modern variants combine encryption with data exfiltration (double extortion).
Recovery - IR Phase
The NIST 800-61 phase in which systems are restored to normal operation with confidence that the adversary is gone.
RPO - Recovery Point Objective
The maximum acceptable amount of data loss measured in time.
RTO - Recovery Time Objective
The maximum acceptable amount of downtime before operations must resume.
Scribe
The dedicated role that records every decision, notification, and handoff in the defensible record. See Incident Command Roles.
SEC 8-K Item 1.05
The SEC Form 8-K item requiring disclosure of material cybersecurity incidents within four business days of materiality determination. Effective 18 December 2023.
SIEM - Security Information and Event Management
Aggregates and correlates log and telemetry data to detect security events.
SOAR - Security Orchestration, Automation, and Response
Automates technical playbook steps and alert enrichment. Complementary to, not a replacement for, CIRM. See CIRM vs SOAR.
Tabletop Exercise
A facilitated discussion-based exercise where participants work through a simulated incident scenario. See how to run a C-Suite tabletop.
Tenant Isolation
Architectural separation between customer data in a multi-tenant SaaS platform. In IR-OS, enforced via Postgres row-level security (RLS) policies keyed on the tenant identity of the connected session. RLS is bypassed by superusers and, unless FORCE ROW LEVEL SECURITY is set, by table owners, so the application must connect as a role to which the policies actually apply.
TLP - Traffic Light Protocol
A standardized system (FIRST, TLP 2.0) for marking how far a piece of information may be shared, using the color levels RED, AMBER (with the AMBER+STRICT restriction), GREEN, and CLEAR. CLEAR replaced WHITE in TLP 2.0.
TTP - Tactics, Techniques, and Procedures
The three-layer model describing adversary behavior: strategic goals (Tactics), methods (Techniques), and specific implementations (Procedures). See MITRE ATT&CK.
XDR - Extended Detection and Response
A security platform that correlates threat data across endpoints, network, cloud, and email for unified detection and response.
Zero-Day Vulnerability
A software flaw unknown to the vendor with no available patch. Zero-day exploits bypass signature-based defenses.