← Home

Field Guide Collection · Reference

The
Glossary

The collection's vocabulary in one place — the terms and acronyms the guides use, grouped by domain, each defined in a sentence with a pointer to the guide that develops it. Definitions are deliberately compact: enough to place a term while reading a ticket or an alert, not a replacement for the guide. Where a definition also states a limit ("severity, not risk"; "authentication, not encryption"), that caveat is the point.

~100 terms 10 domains one line each

This is a map of the words, not the ideas. A one-line definition is enough to recognize a term and know which guide to open; it is not enough to act on alone. Terms are grouped by the domain where they live and listed alphabetically within each. The See column names the guide that teaches the term properly.

01

Reasoning & Method

TermIn one lineSee
ACH (Analysis of Competing Hypotheses)A structured technique that scores evidence against several hypotheses at once and favours the one with the least disconfirming evidence — a guard against confirmation bias.Critical Thinking
Base rateHow common something is before you weigh case specifics; ignoring it (base-rate neglect) makes rare-event alerts look far more meaningful than they are.Critical Thinking
BlamelessA review stance that treats error as a property of the system rather than the person, because that is how you get honest information.RCA · Incident Response
Confirmation biasThe pull toward evidence that supports what you already believe, and away from what doesn't.Critical Thinking
Fishbone (Ishikawa)A cause-analysis diagram that sorts candidate causes into categories branching off the stated problem.RCA Methods Handbook
5 WhysIterative "why?" questioning that traces a symptom down to a cause you can actually fix.RCA
FMEAFailure Mode & Effects Analysis — a proactive method that scores potential failure modes by severity, occurrence, and detectability.RCA Methods Handbook
FTA (Fault Tree Analysis)A top-down logic tree that decomposes a failure into the combinations of conditions that could produce it.RCA Methods Handbook
First principlesReasoning up from what must be true rather than by analogy to what is usual — expensive, so reserved for when pattern-matching fails.First Principles
Pareto principleThe rough 80/20 observation that a small share of causes drives most of the effect.RCA Methods Handbook
RCA (Root Cause Analysis)A structured search for the systemic cause(s) so a problem doesn't recur — as opposed to only clearing the symptom.RCA
SteelmanEngaging the strongest form of a view you're rejecting; the opposite of a strawman.Critical Thinking
TriageRapidly ordering problems by impact and urgency to decide what to work first.Troubleshooting · Incident Response
02

Identity & Access

TermIn one lineSee
ABAC / RBACAccess decided from attributes (user, resource, context) / from assigned roles.Access Decision
AuthN vs AuthZAuthentication proves who you are; authorization decides what you may do — different questions, different failures.Identity
Break-glassA pre-approved, tightly-scoped, heavily-alerted emergency access path for when normal access fails.Access Decision
Conditional accessRisk-based authentication that weighs signals (device, location, sensitivity) to allow, step up, or deny.Identity
FIDO2 / WebAuthn / passkeyPhishing-resistant public-key authentication bound to the site's origin; passkeys are its consumer form (synced or device-bound — not the same assurance).Identity
IdP (Identity Provider)The system that authenticates users and issues the tokens SSO relies on — a high-value single point.Identity
JIT / JEAJust-in-time / just-enough-access: elevate privilege on request with automatic expiry instead of standing rights.Access Decision
KerberosTicket-based network authentication, common in Windows/Active Directory domains.Identity
Least privilegeGrant only the access a role needs, sized from a definition rather than copied from a colleague.Access Decision
Machine / non-human identityService accounts, API keys, tokens, workload identities — most identities in an estate, often over-privileged and least watched.Identity
MFARequiring two or more independent factors; strength varies widely (SMS weakest, phishing-resistant strongest).Identity
OAuth 2.0 / OIDCOAuth authorizes (delegated access); OIDC is the authentication layer built on top of it.Identity
PAM (Privileged Access Management)Vaulting, monitoring, and time-boxing privileged accounts, often with JIT checkout.Access Decision · Identity
Phishing-resistantAuth that can't be relayed or replayed to a fake site (FIDO2/passkeys, smartcards) — unlike OTP or push.Identity
SAMLThe older XML-based standard for enterprise SSO and federation.Identity
Separation of duties (SoD)No single identity can both initiate and approve a sensitive action.Access Decision
SSO (Single Sign-On)One authentication grants access to many services via an IdP — convenient, and a skeleton key if phished.Identity
ZTNAZero Trust Network Access — per-request, identity-and-context access to specific apps, versus a network-wide VPN tunnel.VPN/IPsec
03

Email Authentication

TermIn one lineSee
AlignmentDMARC's requirement that the SPF- or DKIM-validated domain match the visible From domain — passing auth for the wrong domain doesn't count.Email
ARC (Authenticated Received Chain)Lets trusted intermediaries preserve original auth results across forwarding and mailing lists (RFC 8617, Experimental); attests the results a handler saw, not that the message is safe.Email
BIMIDisplays a brand's logo for mail that passes DMARC at enforcement; still standardizing.Email
DKIMA cryptographic signature over message content, verified against a key published in DNS.Email
DMARCTies SPF/DKIM to the From domain via alignment, sets a policy (none / quarantine / reject), and returns reports.Email
SPFA DNS record listing the IP addresses authorized to send mail for a domain.Email
04

Threat Frameworks & Attribution

TermIn one lineSee
ATT&CKMITRE's knowledge base of adversary tactics (the goal) and techniques (the how), across Enterprise, Mobile, and ICS matrices.Attack Taxonomy
AttributionAssigning activity to an actor — best kept at separate technical, operational, and strategic levels, each with its own confidence.Attack Taxonomy
D3FENDMITRE's defensive counterpart to ATT&CK, mapping countermeasures to techniques through a shared digital-artifact ontology.Attack Taxonomy
Diamond ModelAn intrusion-analysis model linking four features: adversary, capability, infrastructure, victim.Attack Taxonomy
IOC (Indicator of Compromise)An observable artifact of an intrusion (hash, IP, domain) — useful but brittle compared with behavior.Attack Taxonomy · Detection Eng
Kill ChainLockheed Martin's staged model of an intrusion, from reconnaissance to actions on objectives.Attack Taxonomy
Pyramid of PainRanks indicator types by how much disrupting them costs the adversary — hashes are cheap to change, TTPs are not.Detection Eng
TTPTactics, Techniques, and Procedures — the behavioral level of activity, and the most durable thing to detect.Attack Taxonomy · Detection Eng
05

Detection & Incident Response

TermIn one lineSee
ContainmentLimiting an incident's spread while preserving the evidence you'll need later.Incident Response
EradicationRemoving the adversary's foothold and the entry vector before recovery, so you don't restore the hole too.Incident Response
False positive / negativeA benign event flagged / a real event missed; every detection rule trades one against the other.Detection Eng
IR lifecyclePrepare, detect & triage, contain, eradicate, recover, learn — a loop, not a line.Incident Response
MTTD / MTTRMean time to detect / to respond — the headline metrics of a response program.Incident Response
Order of volatilityThe sequence to collect evidence, most-perishable first: memory before disk before archives.Logging & Evidence
SEV (severity level)A pre-agreed scale (e.g. SEV-1..4) mapping an incident's impact to a response tier, so "how bad is it?" has a fast answer.Incident Response
SigmaA vendor-neutral YAML format for log/SIEM detection rules, translated to each backend's query language.Detection Eng
SIEMA platform that centralizes logs and runs correlation and detection over them.Logging & Evidence · Detection Eng
Snort / SuricataSignature-based network intrusion detection/prevention engines.Detection Eng
TabletopA discussion-based rehearsal of an incident plan, run before the incident.Incident Response
YARAPattern-matching rules that classify files and memory by their content.Detection Eng
06

Vulnerability & Risk

TermIn one lineSee
CVEA unique identifier for one publicly-known vulnerability (assigned via MITRE's program).Vuln Mgmt
CVSSA 0–10 severity score with a vector string — a measure of severity, not risk, and meaningless without its vector.Vuln Mgmt
CWEA catalog of weakness classes (e.g. cross-site scripting, SQL injection) that a CVE belongs to.Vuln Mgmt
CPEMachine-readable product-and-version identifiers that scanners match findings against.Vuln Mgmt
EPSSFIRST's daily probability (0–1) that a vulnerability will be exploited in the near term.Vuln Mgmt
KEVCISA's catalog of vulnerabilities with confirmed in-the-wild exploitation — the strongest single urgency signal.Vuln Mgmt
SBOMA machine-readable inventory of software components (SPDX or CycloneDX) — how you answer "are we affected?" fast.Vuln Mgmt
SCASoftware Composition Analysis — finding known vulnerabilities in your open-source dependency tree.Vuln Mgmt
SSVCA decision-tree prioritization (Act / Attend / Track) that folds in exploitation and your own context.Vuln Mgmt
Window of exposureThe span from a flaw becoming exploitable to your systems being patched — where most breaches happen.Vuln Mgmt
07

Networking Fundamentals

TermIn one lineSee
ARPResolves an IPv4 address to a MAC address on the local segment (IPv6 uses NDP instead).Networking
CIDR / subnet maskThe notation and bits that split an IP address into its network and host portions.Networking
DHCPAutomatically hands hosts their IP configuration; a 169.254.x.x address means it wasn't reached.Networking
DNSResolves names to addresses (and much more) — and is a frequent hidden cause of "the network is down."Networking
Default gatewayThe router a host sends any off-subnet traffic to.Networking
RIB / FIBThe full routing information base (control plane) versus the optimized table the hardware forwards with at line rate.Networking
IPv6 / SLAAC128-bit addressing; SLAAC lets a host build its own address from Router Advertisements. No ARP, usually no NAT.Networking
LPM (longest prefix match)Routers forward using the most-specific matching route.Networking
NATRewrites addresses/ports between private and public ranges — an addressing tool, not a security boundary by itself.Networking
QoS / DSCPPrioritizes traffic at points of congestion using header markings; it orders contention, it doesn't create bandwidth.Networking
VLANA logically-separated Layer-2 broadcast domain riding on shared switches.Networking
08

Wireless

TermIn one lineSee
Band (2.4 / 5 / 6 GHz)Frequency ranges trading range against throughput and congestion; higher bands are faster but shorter-reaching.Wi-Fi
Captive portalThe intercept-and-redirect sign-in page on guest networks — authentication and acceptance, not encryption.Wi-Fi
Channel / DFSA slice of a band; DFS channels must vacate on radar detection, which can bounce clients off.Wi-Fi
802.1X / RADIUSPort-based network access control with a back-end authentication server — the basis of enterprise (non-PSK) Wi-Fi.Wi-Fi
RSSI / SNRReceived signal strength / signal-to-noise ratio; SNR predicts usable throughput better than the "bars" do.Wi-Fi
RoamingA client moving between access points on the same network — where "full bars, still slow" often lives.Wi-Fi
SSIDA wireless network's advertised name.Wi-Fi
WPA2 / WPA3Wi-Fi security generations; WPA3 adds SAE and forward secrecy but is only as strong as its weakest transition mode.Wi-Fi
09

Web & Transport

TermIn one lineSee
Cookie / session / tokenMechanisms that add state to stateless HTTP; the live session or token is what an attacker actually steals.HTTP
CORSThe browser rules governing which cross-origin requests a page may make.HTTP
HTTP methods / status classesGET/POST/etc.; responses fall in 1xx–5xx, where the 4xx (client) vs 5xx (server) split is the fastest triage signal.HTTP
HTTP/1.1 · /2 · /3Successive versions; /2 multiplexes over one connection, /3 runs over QUIC (UDP).HTTP
QUICThe UDP-based transport underneath HTTP/3.HTTP
Proxy / CDN / cacheIntermediaries that forward, distribute, or store responses — and can rewrite what you think you're seeing.HTTP
TLS / certificateEncrypts and authenticates the channel; a certificate proves the server's identity, not the site's honesty.HTTP · Networking
WebSocket / SSEA persistent bidirectional channel (after an HTTP upgrade) / one-way server push over an open HTTP response.HTTP
10

Capture & Evidence

TermIn one lineSee
Capture vs display filterWhat you record (BPF — excluded packets are gone) versus what you view (Wireshark, non-destructive).Packet Capture
Chain of custodyThe documented handling record that keeps evidence trustworthy and admissible.Logging & Evidence
HashA fingerprint showing a file or capture is unaltered — it proves integrity, not origin or truth.Logging & Evidence
pcapA packet-capture file.Packet Capture
snaplenBytes captured per packet; set too small, it truncates payloads and you never know what you missed.Packet Capture
SPAN / TAPSwitch port mirroring / an inline hardware tap — the two places a capture comes from, with different fidelity.Packet Capture
SSLKEYLOGFILEThe environment-variable mechanism that logs TLS session keys so you can decrypt your own traffic in Wireshark.Packet Capture
VantageWhere you captured; you only see what crossed that point, so absence of a packet is not proof of absence of the event.Packet Capture

A reference index to the collection, not a source in itself — each definition compresses what its named guide develops, and the guide is authoritative where the two ever seem to differ. Definitions are deliberately conceptual and version-independent: for anything version-specific (current CVSS or ATT&CK release, a framework revision, an RFC's status), the owning guide carries the checked detail and its "verify" flags, and those should be confirmed against the primary source before use. Compiled from the nineteen guides in this collection; the Zero Trust guide is referenced by others but not yet part of this set. Companion to every guide — start at 00 · Start Here for the map.