A disciplined workflow for recording, assigning, and tracking security incidents or investigations from the first alert to formal closure. It combines ticketing, evidence capture, task ownership, and reporting so every step is auditable—helping teams maintain chain of custody, meet compliance mandates, and extract post-incident lessons.
The set of practices and tools that protect containerized workloads throughout the life cycle—from image creation and registry scanning to runtime monitoring and network segmentation. It addresses vulnerabilities in base images, misconfigurations in orchestration platforms (e.g., Kubernetes), and threats such as container breakout.
An automated approach to proving and maintaining adherence to security and privacy standards (e.g., SOC 2, PCI-DSS) on an ongoing basis rather than at scheduled audits. Integrations with CI/CD pipelines, cloud APIs, and policy-as-code frameworks generate evidence in real time, reducing audit preparation overhead.
A proactive, hypothesis-driven search for adversaries who have slipped past preventive and detective controls. Analysts combine threat intelligence, behavioral analytics, and deep knowledge of attacker tradecraft (e.g., MITRE ATT&CK techniques) to iteratively query logs, endpoints, and network telemetry, surfacing stealthy indicators of compromise before damage escalates.
A combination of tools and policies that continuously monitor data at rest, in motion, and in use to stop unauthorized exposure of sensitive information (e.g., PII, source code, trade secrets). By inspecting content and context, DLP can automatically block, quarantine, or encrypt risky transfers—such as emailing confidential files, copying to USB, or uploading to unsanctioned cloud apps—helping organizations meet regulatory mandates and reduce breach impact.
The practice of embedding security checks, controls, and culture directly into the DevOps pipeline. Automation (e.g., SAST/DAST scans, policy gates) and shared ownership ensure that security issues are detected and remediated as early—and as fast—as code moves from commit to production.
Software agents that continuously monitor endpoints (laptops, servers, VMs) for malicious behavior. They use behavioral analytics and threat intelligence to surface indicators of attack, enable rapid containment (isolation, process kill), and provide forensic data for root-cause analysis.
A unified framework of policies, processes, and technologies that ensures the right users — whether human or machine — have the minimum necessary access to the right resources, at the right time, and for the right reasons. It centralizes identity creation, lifecycle governance, authentication (SSO, MFA), and fine-grained authorization (RBAC/ABAC) across cloud and on-prem environments, while logging every action for auditability and compliance.
A structured, repeatable process for detecting, analyzing, containing, eradicating, and recovering from security events. Runbooks, communications plans, and post-incident retrospectives help teams minimize damage, meet regulatory deadlines, and strengthen defenses.
The principle of granting users and services only the minimum permissions needed to perform their tasks, and nothing more. By limiting the blast radius of compromised credentials, it curbs unauthorized actions and data exposure.
An access-control method that requires users to present at least two distinct forms of verification (e.g., password plus hardware token or biometric) before gaining entry. By layering “something you know,” “something you have,” and/or “something you are,” MFA drastically reduces the success rate of credential-based attacks.
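The "something you have" factor is usually a time-based one-time password. The following is an added example, not code from the original page: a stdlib-only implementation of RFC 4226 HOTP and RFC 6238 TOTP, plus the server-side check a practitioner actually needs, which accepts one step of clock skew, compares in constant time, and refuses to accept a code for a time step that has already been redeemed (replay). The secret is the RFC test key; the timestamps used in the usage are arbitrary.

```python
import hashlib
import hmac
import time
from typing import Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, timestamp: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, timestamp // step, digits)


class TotpVerifier:
    """Server side of the exchange. Accepts the current step or `skew` steps either
    side of it (clock drift), compares in constant time, and remembers the highest
    step already redeemed so the same code cannot be replayed within its window."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret, self.step, self.digits, self.skew = secret, step, digits, skew
        self.last_accepted_counter = -1

    def verify(self, code: str, timestamp: Optional[int] = None) -> bool:
        now = int(time.time()) if timestamp is None else timestamp
        counter = now // self.step
        for candidate in range(counter - self.skew, counter + self.skew + 1):
            if candidate <= self.last_accepted_counter:
                continue  # this step (or an earlier one) already redeemed a code: replay
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code):
                self.last_accepted_counter = candidate
                return True
        return False


# RFC 4226 / RFC 6238 shared test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC_SECRET, 59, digits=8))  # RFC 6238 vector for T=59, SHA-1
    v = TotpVerifier(RFC_SECRET)
    code = totp(RFC_SECRET, 1000)
    print(v.verify(code, 1000), v.verify(code, 1000))  # accepted once, then refused as replay
```

The replay guard is the part most home-grown implementations omit: without it, a code phished or shoulder-surfed within the 30-second step remains valid for the whole acceptance window.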
Technology and workflows that secure, monitor, and govern accounts with elevated rights (e.g., admin, root, service accounts). Features like credential vaulting, session recording, and just-in-time access block misuse while preserving audit trails.
An in-process security technology that instruments an application to detect and block attacks in real time. Because it observes runtime behavior (inputs, system calls, data flows) after the application has decoded and parsed a request, and knows which sink (database driver, shell, file API) a value is about to reach, RASP can stop SQL injection, command injection, and similar exploits with far fewer false positives than perimeter signatures. It complements a WAF rather than replacing it, and it only protects applications it has been deployed into.
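To make the "data flow" idea concrete, here is an added example (not code from the original page or from any RASP product) of the simplest form of the technique: mark data that entered from an untrusted source, let the mark propagate through string building, and hook the database call so that a statement whose text itself carries untrusted data is refused at the sink, while a parameterised query with the same input passes. The demo tracks taint only through `+`; a real RASP hooks the runtime so every string operation propagates it. The table and rows are constructed.

```python
import sqlite3


class BlockedByRasp(Exception):
    """Raised when the in-process hook refuses to run a statement."""


class Tainted(str):
    """A string that originated from an untrusted source (HTTP parameter, header, ...).
    Concatenation with '+' on either side yields another Tainted string; this demo
    propagates the mark through '+' only."""

    def __add__(self, other):
        return Tainted(str.__add__(self, other))

    def __radd__(self, other):
        return Tainted(str.__add__(other, self))


class RaspCursor:
    """Wraps a DB-API cursor. Every statement is inspected at the point of use: if the
    SQL text itself is tainted, untrusted data was spliced into the query (injectable),
    so the call is logged and, in enforce mode, refused."""

    def __init__(self, cursor, enforce: bool = True):
        self._cursor = cursor
        self.enforce = enforce
        self.events = []  # what a real RASP would forward to the SIEM

    def execute(self, sql, params=()):
        if isinstance(sql, Tainted):
            self.events.append({"rule": "sqli.tainted_statement", "sql": str(sql)})
            if self.enforce:
                raise BlockedByRasp("untrusted data spliced into SQL statement text")
        return self._cursor.execute(sql, params)

    def fetchall(self):
        return self._cursor.fetchall()


def build_db():
    """Constructed in-memory table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


def lookup_unsafe(cur, name):
    # Classic injectable pattern: the untrusted value becomes part of the statement text.
    cur.execute("SELECT name, role FROM users WHERE name = '" + name + "'")
    return cur.fetchall()


def lookup_safe(cur, name):
    # Parameterised: statement text is a constant, the value is bound, never parsed as SQL.
    cur.execute("SELECT name, role FROM users WHERE name = ?", (name,))
    return cur.fetchall()


def demo():
    """Runs the same injection payload through monitor mode, enforce mode and the safe query."""
    conn = build_db()
    payload = Tainted("' OR '1'='1")
    monitor = RaspCursor(conn.cursor(), enforce=False)  # detect-only: lets the query run
    leaked = lookup_unsafe(monitor, payload)
    enforce = RaspCursor(conn.cursor())
    try:
        lookup_unsafe(enforce, payload)
        blocked = False
    except BlockedByRasp:
        blocked = True
    return {
        "rows_leaked_without_enforcement": len(leaked),
        "monitor_events": [e["rule"] for e in monitor.events],
        "blocked_in_enforce_mode": blocked,
        "safe_query_with_payload": lookup_safe(enforce, payload),
        "safe_query_alice": lookup_safe(enforce, Tainted("alice")),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the hook does not need: no regex over the payload, no list of SQL keywords. The decision rests on provenance (where the bytes came from) and the sink (where they are about to be used), which is why this class of check is hard to evade with encoding tricks that defeat signature-based WAF rules.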
A framework that weaves security activities—requirements, threat modeling, secure coding, code review, and pen testing—into every phase of software creation. The goal is “shift-left” risk reduction: catching defects early when they’re cheaper to fix.
The orchestration of security tasks—such as alert enrichment, phishing triage, malware containment, and playbook-driven response—via scripts, APIs, and SOAR platforms. By letting software handle repetitive, time-sensitive actions at scale, teams cut mean time to detect and respond (MTTD/MTTR), reduce human error, and free analysts for higher-value investigative work.
A centralized platform that collects, normalizes, and correlates logs and security events from across an environment. Real-time analytics, rule-based alerts, and long-term storage let analysts detect anomalies, investigate incidents, and demonstrate regulatory compliance from a single console.
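The correlation step just described, and the hypothesis-driven querying of the threat-hunting entry earlier on this page, look like the following in code. This is an added example and not code from the original page or any SIEM product: it parses constructed sshd-style log lines (ISO timestamps used for readability; real syslog uses a "May  1 09:00:01" prefix), then runs one hunt hypothesis over them: "a source that fails logins across several accounts and then succeeds is a credential-stuffing or spraying win, not a forgetful user". The threshold and window are assumptions to tune per environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: 203.0.113.9 tries six accounts in four minutes and then gets in as
# alice; 198.51.100.7 is a user who mistyped a password once; 192.0.2.50 is a clean login.
SAMPLE_LOG = """\
2024-05-01T09:00:01 bastion sshd[1201]: Failed password for root from 203.0.113.9 port 50111 ssh2
2024-05-01T09:00:12 bastion sshd[1203]: Failed password for invalid user admin from 203.0.113.9 port 50112 ssh2
2024-05-01T09:00:40 bastion sshd[1207]: Failed password for invalid user oracle from 203.0.113.9 port 50113 ssh2
2024-05-01T09:01:15 bastion sshd[1210]: Failed password for postgres from 203.0.113.9 port 50114 ssh2
2024-05-01T09:02:03 bastion sshd[1214]: Failed password for deploy from 203.0.113.9 port 50115 ssh2
2024-05-01T09:03:30 bastion sshd[1219]: Failed password for alice from 203.0.113.9 port 50116 ssh2
2024-05-01T09:05:02 bastion sshd[1225]: Accepted password for alice from 203.0.113.9 port 50117 ssh2
2024-05-01T09:10:00 bastion sshd[1301]: Failed password for bob from 198.51.100.7 port 41000 ssh2
2024-05-01T09:10:30 bastion sshd[1302]: Accepted password for bob from 198.51.100.7 port 41001 ssh2
2024-05-01T09:12:00 bastion sshd[1310]: Accepted publickey for carol from 192.0.2.50 port 39000 ssh2
"""

# Normalisation: one regex turns a raw line into a typed event (the SIEM "parse" stage).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+) port \d+ ssh2$"
)


def parse_events(text):
    """Parse and time-order the lines; unparsed lines are skipped here, but a production
    pipeline should count them, since parser gaps are where attackers hide."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    events.sort(key=lambda e: e["ts"])
    return events


def hunt_bruteforce_then_success(events, min_failures=5, window=timedelta(minutes=10)):
    """Correlation rule: an Accepted login from a source that produced at least
    `min_failures` Failed logins within `window` before it. Also reports how many
    distinct accounts were tried, which separates spraying from one stuck user."""
    failures = defaultdict(list)  # src -> [(ts, user), ...]
    alerts = []
    for ev in events:
        if ev["outcome"] == "Failed":
            failures[ev["src"]].append((ev["ts"], ev["user"]))
            continue
        recent = [(t, u) for t, u in failures[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            alerts.append({
                "src": ev["src"],
                "user": ev["user"],
                "at": ev["ts"].isoformat(),
                "failures_in_window": len(recent),
                "distinct_users_tried": len({u for _, u in recent}),
            })
    return alerts


if __name__ == "__main__":
    for alert in hunt_bruteforce_then_success(parse_events(SAMPLE_LOG)):
        print(alert)
```

The value of the hunt lies in the pivot the alert enables: the analyst takes the source and the compromised account and queries the same store for what that session did next (sudo, outbound connections, new keys), which is the "iterative querying" the hunting entry refers to.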
A detailed inventory of all components, libraries, and licenses that make up a software release. SBOMs let organizations trace dependencies, spot vulnerable open-source packages, and comply with emerging software-supply-chain regulations.
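As an added example (not code from the original page or from any SBOM tool), the following walks a small CycloneDX-style SBOM and checks each component against advisories held in an OSV-like shape of ordered `introduced`/`fixed` events, plus a license denylist. Package names, versions, advisory identifiers and the license policy are all constructed and fictitious; the version comparison assumes plain numeric dotted versions (real tooling needs ecosystem-specific rules such as PEP 440 or semver).

```python
import json

# Constructed CycloneDX-style SBOM. The packages do not exist; do not read this as advice
# about any real project.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "acme-parser", "version": "1.4.2",
     "purl": "pkg:pypi/acme-parser@1.4.2", "licenses": [{"license": {"id": "MIT"}}]},
    {"type": "library", "name": "widget-utils", "version": "2.0.0",
     "purl": "pkg:npm/widget-utils@2.0.0", "licenses": [{"license": {"id": "ISC"}}]},
    {"type": "library", "name": "fastjson-lite", "version": "3.1.0",
     "purl": "pkg:pypi/fastjson-lite@3.1.0", "licenses": [{"license": {"id": "Apache-2.0"}}]},
    {"type": "library", "name": "tinycolor", "version": "0.9.1",
     "purl": "pkg:npm/tinycolor@0.9.1", "licenses": [{"license": {"id": "GPL-3.0-only"}}]}
  ]
}
"""

# Constructed advisories with hypothetical IDs. Events are in ascending version order;
# "fixed" is exclusive, so the fixed version itself is not affected.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "purl": "pkg:pypi/acme-parser",
     "events": [{"introduced": "1.0.0"}, {"fixed": "1.5.0"}]},
    {"id": "EXAMPLE-2024-0002", "purl": "pkg:npm/widget-utils",
     "events": [{"introduced": "2.1.0"}]},
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:pypi/fastjson-lite",
     "events": [{"introduced": "3.0.0"}, {"fixed": "3.1.0"}]},
]

DENYLISTED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}  # hypothetical policy


def version_key(version):
    """Assumes numeric dotted versions ('1.4.2'); '0' means 'from the first release'."""
    return tuple(int(part) for part in version.split("."))


def split_purl(purl):
    """'pkg:pypi/acme-parser@1.4.2' -> ('pkg:pypi/acme-parser', '1.4.2')."""
    base, _, version = purl.partition("@")
    return base, version


def is_affected(version, events):
    """Walk the ordered events: an 'introduced' at or below the version turns the
    affected state on, a 'fixed' at or below it turns the state off again."""
    v = version_key(version)
    affected = False
    for event in events:
        if "introduced" in event and v >= version_key(event["introduced"]):
            affected = True
        elif "fixed" in event and v >= version_key(event["fixed"]):
            affected = False
    return affected


def audit_sbom(sbom_text, advisories=ADVISORIES, denylist=DENYLISTED_LICENSES):
    """Return one finding per (component, advisory) match and per denylisted license."""
    findings = []
    for comp in json.loads(sbom_text)["components"]:
        base, version = split_purl(comp["purl"])
        for adv in advisories:
            if adv["purl"] == base and is_affected(version, adv["events"]):
                findings.append({"component": comp["purl"], "kind": "vulnerability",
                                 "ref": adv["id"]})
        for lic in comp.get("licenses", []):
            lic_id = lic.get("license", {}).get("id")
            if lic_id in denylist:
                findings.append({"component": comp["purl"], "kind": "license", "ref": lic_id})
    return findings


if __name__ == "__main__":
    for finding in audit_sbom(SBOM_JSON):
        print(finding)
```

Matching on the purl rather than on the bare name is deliberate: the same name can exist in several ecosystems with unrelated code, and purl carries the ecosystem, namespace and version in one identifier.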
Curated data plus contextual analysis about adversaries, their indicators of compromise (IOCs), and tactics, techniques, and procedures (TTPs). Consuming this intel—via feeds, reports, or threat-intel platforms—helps security teams prioritize defenses and hunt emerging threats proactively.
A continuous cycle of identifying, prioritizing, remediating, and verifying fixes for software and infrastructure weaknesses. It blends asset inventory, automated scans, threat context, and patch orchestration to keep known flaws from becoming exploitable breaches.
A security model that assumes no user, device, or workload is inherently trustworthy, even inside the network perimeter. Every request is evaluated on its own merits: it enforces least-privilege access through continuous verification of identity and device posture, micro-segmentation, and policy-based controls, so that a single compromised host or credential yields as little lateral movement as possible.
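The "policy-based controls" of this entry and the fine-grained ABAC authorization of the identity-management entry above come down to the same thing: a policy decision point that evaluates attributes of the subject, the resource and the request context (device posture, MFA freshness, just-in-time grants) with deny-by-default semantics. The following is an added example, not code from the original page or any product: a deny-overrides evaluator and a hypothetical policy for an imaginary company, with constructed users and resources.

```python
from typing import Callable, List, Tuple

# A rule is (name, effect, predicate over the request). Keeping rules as plain predicates
# means the policy can be unit-tested and code-reviewed like any other code.
Rule = Tuple[str, str, Callable[[dict], bool]]

POLICY: List[Rule] = [
    # Device posture is checked on every request, not once at login.
    ("unmanaged-or-noncompliant-device", "deny",
     lambda r: not (r["context"].get("device_managed") and r["context"].get("device_compliant"))),
    # High-sensitivity data needs a recent MFA, regardless of who asks.
    ("stale-mfa-for-high-sensitivity", "deny",
     lambda r: r["resource"]["sensitivity"] == "high" and r["subject"]["mfa_age_sec"] > 900),
    # Ownership grants read/write, never admin.
    ("team-owns-resource", "permit",
     lambda r: r["resource"]["owner_team"] in r["subject"]["teams"]
     and r["action"] in {"read", "write"}),
    # Admin on production databases needs the DBA role and a valid just-in-time grant.
    ("jit-dba-admin", "permit",
     lambda r: "dba" in r["subject"]["roles"] and r["resource"]["type"] == "prod-db"
     and r["action"] == "admin" and r["context"].get("jit_grant_valid", False)),
]


def evaluate(request: dict, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Deny-overrides, default-deny: every rule is evaluated; any matching deny wins,
    otherwise the first matching permit, otherwise ('deny', 'default-deny')."""
    permit_by = None
    for name, effect, condition in policy:
        if not condition(request):
            continue
        if effect == "deny":
            return ("deny", name)
        if permit_by is None:
            permit_by = name
    return ("permit", permit_by) if permit_by else ("deny", "default-deny")


def request(subject, resource, action, **context):
    return {"subject": subject, "resource": resource, "action": action, "context": context}


# Constructed subjects, resource and device states for the demo.
ALICE = {"id": "alice", "roles": {"engineer"}, "teams": {"payments"}, "mfa_age_sec": 120}
BOB = {"id": "bob", "roles": {"dba"}, "teams": {"platform"}, "mfa_age_sec": 60}
PAYMENTS_DB = {"type": "prod-db", "owner_team": "payments", "sensitivity": "high"}
GOOD_DEVICE = {"device_managed": True, "device_compliant": True}


def demo():
    return {
        "alice-write-own-db": evaluate(request(ALICE, PAYMENTS_DB, "write", **GOOD_DEVICE)),
        "alice-from-byod": evaluate(request(ALICE, PAYMENTS_DB, "write",
                                            device_managed=False, device_compliant=True)),
        "alice-stale-mfa": evaluate(request({**ALICE, "mfa_age_sec": 3600}, PAYMENTS_DB,
                                            "read", **GOOD_DEVICE)),
        "bob-admin-without-jit": evaluate(request(BOB, PAYMENTS_DB, "admin", **GOOD_DEVICE)),
        "bob-admin-with-jit": evaluate(request(BOB, PAYMENTS_DB, "admin",
                                               jit_grant_valid=True, **GOOD_DEVICE)),
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

Two properties matter more than the specific rules. Every decision names the rule that produced it, which is what makes the access log useful in an investigation; and a request that matches no rule is denied, so adding a new resource type to the environment cannot silently open access.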