Tech & Compliance Glossary

Artificial Intelligence. The field of computer science focused on building systems that perform tasks normally requiring human intelligence, such as reasoning, perception, and language understanding.

Adversarial Machine Learning. The study of attacks against ML systems — such as evasion, poisoning, and model extraction — and the defenses that make models robust to them.

Advanced Persistent Threat. A sophisticated, well-resourced adversary — often nation-state backed — that gains and maintains long-term, stealthy access to a target network.

MITRE ATT&CK. A globally accessible, curated knowledge base of adversary tactics and techniques observed in real-world attacks, used to map detections and assess coverage.

Command and Control. The infrastructure and channels attackers use to remotely direct compromised systems, exfiltrate data, and deliver further payloads.

California Consumer Privacy Act. A state statute that gives California residents rights over the personal information businesses collect about them, including the right to know, delete, and opt out of the sale of their data.

Continuous Integration / Continuous Delivery. A set of practices that automate building, testing, and deploying software, enabling frequent and reliable releases.

Cybersecurity and Infrastructure Security Agency. The US federal agency responsible for strengthening cybersecurity and infrastructure protection, publishing widely-used advisories and the Known Exploited Vulnerabilities (KEV) catalog.

Cross-Site Request Forgery. An attack that tricks an authenticated user's browser into submitting unwanted requests to a web application, performing actions without the user's consent.

Common Vulnerabilities and Exposures. A standardized dictionary of publicly disclosed cybersecurity vulnerabilities, each assigned a unique identifier (e.g., CVE-2021-44228) for tracking and reference.

Common Vulnerability Scoring System. An open framework for communicating the characteristics and severity of software vulnerabilities, producing a numerical score from 0 to 10.

Common Weakness Enumeration. A community-developed catalog of software and hardware weakness types, used to describe the root causes behind vulnerabilities (e.g., CWE-79 for XSS).

Dynamic Application Security Testing. A black-box testing method that probes a running application from the outside to find vulnerabilities an attacker could exploit at runtime.

Distributed Denial-of-Service. An attack that overwhelms a target with traffic from many compromised sources, rendering a service unavailable to legitimate users.

Data Loss Prevention. Technologies and policies that detect and block the unauthorized transmission or exfiltration of sensitive data.

Domain Name System. The internet's directory service that translates human-readable domain names into the IP addresses machines use to locate each other.

Digital Operational Resilience Act. An EU regulation that sets uniform requirements for the security and operational resilience of ICT systems supporting financial entities.

Endpoint Detection and Response. Security tooling that continuously monitors endpoints (laptops, servers) to detect, investigate, and respond to threats at the host level.

Federal Risk and Authorization Management Program. A US government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.

Family Educational Rights and Privacy Act. A US federal law that protects the privacy of student education records and gives parents and eligible students rights over those records.

General Data Protection Regulation. A regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.

Generative AI. AI systems that create new content — text, images, audio, code — by learning the patterns and structure of their training data.

Gramm-Leach-Bliley Act. A US law requiring financial institutions to explain how they share and protect their customers' private information, including the Safeguards Rule and Privacy Rule.

Health Insurance Portability and Accountability Act. A US federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.

Identity and Access Management. The framework of policies and technologies for ensuring that the right individuals and machines have the appropriate access to technology resources.

Insecure Direct Object Reference. An access-control flaw where an application exposes a reference to an internal object (like a record ID) without verifying the user is authorized to access it.

Indicator of Compromise. Forensic artifacts — such as malicious IPs, file hashes, or domains — that signal a system may have been breached.

ISO/IEC 27001. The leading international standard for an Information Security Management System (ISMS), specifying requirements for establishing, implementing, maintaining, and continually improving information security.

JSON Web Token. A compact, URL-safe, digitally signed token format used to securely transmit claims between parties, widely used for authentication and authorization.

Known Exploited Vulnerabilities. CISA's authoritative catalog of vulnerabilities that have been actively exploited in the wild, used to prioritize remediation.

Large Language Model. A type of artificial intelligence algorithm that uses deep learning techniques and massively large data sets to understand, summarize, generate and predict new content.

Model Context Protocol. An open standard that enables developers to build secure, two-way connections between their data sources and AI-powered tools, allowing AI models to access contextual data reliably.

Multi-Factor Authentication. A security mechanism requiring two or more independent verification factors (something you know, have, or are) to gain access, dramatically reducing the risk of compromised credentials.

Machine Learning. A subset of AI in which systems learn patterns from data to make predictions or decisions without being explicitly programmed for each task.

National Institute of Standards and Technology. A US agency whose Cybersecurity Framework and special publications (e.g., SP 800-53) are widely adopted standards for managing and reducing cybersecurity risk.

Natural Language Processing. The branch of AI concerned with enabling computers to understand, interpret, and generate human language.

Open Authorization. An open standard for delegated access that lets applications obtain limited access to a user's resources without exposing their credentials.

Open Worldwide Application Security Project. A nonprofit foundation that works to improve the security of software, famous for their "Top 10" list of critical security vulnerabilities.

Payment Card Industry Data Security Standard. A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.

Protected Health Information. Individually identifiable health information protected under HIPAA, covering a person's health status, care, or payment when linked to identifiers.

Personally Identifiable Information. Any data that could potentially identify a specific individual, such as name, Social Security number, biometric records, or any information linkable to a person.

Public Key Infrastructure. The framework of policies, hardware, and certificate authorities that manages digital certificates and public-key encryption to enable trusted communication.

Principle of Least Privilege. The security practice of granting users, processes, and systems only the minimum access required to perform their function, limiting the blast radius of a compromise.

Retrieval-Augmented Generation. An AI technique that grounds a language model's output by retrieving relevant external documents at query time, improving accuracy and reducing hallucination.

Role-Based Access Control. An authorization model that grants permissions to roles rather than individuals, so users receive access based on the role they hold.

Remote Code Execution. A class of vulnerability that allows an attacker to run arbitrary code on a target machine over a network, often the most severe outcome of a security flaw.

Security Assertion Markup Language. An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, commonly powering SSO.

Secure Access Service Edge. A cloud-delivered architecture that converges networking (SD-WAN) and security services (like CASB, SWG, ZTNA) into a single, identity-aware service.

Static Application Security Testing. A white-box testing method that analyzes source code, bytecode, or binaries for security vulnerabilities without executing the program.

Software Bill of Materials. A formal, machine-readable inventory of the components and dependencies in a piece of software, essential for managing supply-chain security risk.

Security Information and Event Management. Technology that aggregates and analyzes log and event data across an organization in real time to detect, investigate, and respond to security threats.

Security Orchestration, Automation, and Response. Platforms that automate and coordinate security workflows and playbooks across tools to speed up incident response.

System and Organization Controls 2. An auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients.

Sarbanes-Oxley Act. A US federal law that sets requirements for financial reporting and internal controls at public companies, with significant implications for IT controls and data integrity.

SQL Injection. A code-injection technique where malicious SQL statements are inserted into application queries, allowing attackers to read, modify, or destroy database contents.

Single Sign-On. An authentication scheme that lets a user log in once with a single set of credentials to access multiple related but independent applications and services.

Server-Side Request Forgery. A vulnerability that lets an attacker coerce a server into making requests to unintended internal or external resources, often reaching systems behind a firewall.

Transport Layer Security. The cryptographic protocol that encrypts data in transit over networks, securing HTTPS and most other internet communications (the successor to SSL).

Tactics, Techniques, and Procedures. The patterns of behavior that describe how a threat actor operates — the backbone of frameworks like MITRE ATT&CK.

Virtual Private Network. A technology that creates an encrypted tunnel over a public network, protecting traffic and masking the user's network location.

Web Application Firewall. A security filter that monitors, filters, and blocks malicious HTTP traffic to and from a web application, protecting against attacks such as XSS and SQL injection.

Extended Detection and Response. An approach that unifies telemetry across endpoints, network, cloud, and identity into a single detection and response platform.

Cross-Site Scripting. A web vulnerability that lets attackers inject malicious client-side scripts into pages viewed by other users, enabling session theft, defacement, or redirection.

Zero Trust Architecture. A security model based on the principle "never trust, always verify," requiring continuous authentication and authorization for every user and device regardless of network location.