Field Guide Collection · Reference
The collection's vocabulary in one place — the terms and acronyms the guides use, grouped by domain, each defined in a sentence with a pointer to the guide that develops it. Definitions are deliberately compact: enough to place a term while reading a ticket or an alert, not a replacement for the guide. Where a definition also states a limit ("severity, not risk"; "authentication, not encryption"), that caveat is the point.
This is a map of the words, not the ideas. A one-line definition is enough to recognize a term and know which guide to open; it is not enough to act on alone. Terms are grouped by the domain where they live and listed alphabetically within each. The See column names the guide that teaches the term properly.
| Term | In one line | See |
|---|---|---|
| ACH (Analysis of Competing Hypotheses) | A structured technique that scores evidence against several hypotheses at once and favours the one with the least disconfirming evidence — a guard against confirmation bias. | Critical Thinking |
| Base rate | How common something is before you weigh case specifics; ignoring it (base-rate neglect) makes rare-event alerts look far more meaningful than they are. | Critical Thinking |
| Blameless | A review stance that treats error as a property of the system rather than the person, because that is how you get honest information. | RCA · Incident Response |
| Confirmation bias | The pull toward evidence that supports what you already believe, and away from what doesn't. | Critical Thinking |
| Fishbone (Ishikawa) | A cause-analysis diagram that sorts candidate causes into categories branching off the stated problem. | RCA Methods Handbook |
| 5 Whys | Iterative "why?" questioning that traces a symptom down to a cause you can actually fix. | RCA |
| FMEA | Failure Mode & Effects Analysis — a proactive method that scores potential failure modes by severity, occurrence, and detectability. | RCA Methods Handbook |
| FTA (Fault Tree Analysis) | A top-down logic tree that decomposes a failure into the combinations of conditions that could produce it. | RCA Methods Handbook |
| First principles | Reasoning up from what must be true rather than by analogy to what is usual — expensive, so reserved for when pattern-matching fails. | First Principles |
| Pareto principle | The rough 80/20 observation that a small share of causes drives most of the effect. | RCA Methods Handbook |
| RCA (Root Cause Analysis) | A structured search for the systemic cause(s) so a problem doesn't recur — as opposed to only clearing the symptom. | RCA |
| Steelman | Engaging the strongest form of a view you're rejecting; the opposite of a strawman. | Critical Thinking |
| Triage | Rapidly ordering problems by impact and urgency to decide what to work first. | Troubleshooting · Incident Response |
| Term | In one line | See |
|---|---|---|
| ABAC / RBAC | Access decided from attributes (user, resource, context) / from assigned roles. | Access Decision |
| AuthN vs AuthZ | Authentication proves who you are; authorization decides what you may do — different questions, different failures. | Identity |
| Break-glass | A pre-approved, tightly-scoped, heavily-alerted emergency access path for when normal access fails. | Access Decision |
| Conditional access | Risk-based authentication that weighs signals (device, location, sensitivity) to allow, step up, or deny. | Identity |
| FIDO2 / WebAuthn / passkey | Phishing-resistant public-key authentication bound to the site's origin; passkeys are its consumer form (synced or device-bound — not the same assurance). | Identity |
| IdP (Identity Provider) | The system that authenticates users and issues the tokens SSO relies on — a high-value single point. | Identity |
| JIT / JEA | Just-in-time / just-enough-access: elevate privilege on request with automatic expiry instead of standing rights. | Access Decision |
| Kerberos | Ticket-based network authentication, common in Windows/Active Directory domains. | Identity |
| Least privilege | Grant only the access a role needs, sized from a definition rather than copied from a colleague. | Access Decision |
| Machine / non-human identity | Service accounts, API keys, tokens, workload identities — most identities in an estate, often over-privileged and least watched. | Identity |
| MFA | Requiring two or more independent factors; strength varies widely (SMS weakest, phishing-resistant strongest). | Identity |
| OAuth 2.0 / OIDC | OAuth authorizes (delegated access); OIDC is the authentication layer built on top of it. | Identity |
| PAM (Privileged Access Management) | Vaulting, monitoring, and time-boxing privileged accounts, often with JIT checkout. | Access Decision · Identity |
| Phishing-resistant | Auth that can't be relayed or replayed to a fake site (FIDO2/passkeys, smartcards) — unlike OTP or push. | Identity |
| SAML | The older XML-based standard for enterprise SSO and federation. | Identity |
| Separation of duties (SoD) | No single identity can both initiate and approve a sensitive action. | Access Decision |
| SSO (Single Sign-On) | One authentication grants access to many services via an IdP — convenient, and a skeleton key if phished. | Identity |
| ZTNA | Zero Trust Network Access — per-request, identity-and-context access to specific apps, versus a network-wide VPN tunnel. | VPN/IPsec |
| Term | In one line | See |
|---|---|---|
| Alignment | DMARC's requirement that the SPF- or DKIM-validated domain match the visible From domain — passing auth for the wrong domain doesn't count. | |
| ARC (Authenticated Received Chain) | Lets trusted intermediaries preserve original auth results across forwarding and mailing lists (RFC 8617, Experimental); attests the results a handler saw, not that the message is safe. | |
| BIMI | Displays a brand's logo for mail that passes DMARC at enforcement; still standardizing. | |
| DKIM | A cryptographic signature over message content, verified against a key published in DNS. | |
| DMARC | Ties SPF/DKIM to the From domain via alignment, sets a policy (none / quarantine / reject), and returns reports. | |
| SPF | A DNS record listing the IP addresses authorized to send mail for a domain. |
| Term | In one line | See |
|---|---|---|
| ATT&CK | MITRE's knowledge base of adversary tactics (the goal) and techniques (the how), across Enterprise, Mobile, and ICS matrices. | Attack Taxonomy |
| Attribution | Assigning activity to an actor — best kept at separate technical, operational, and strategic levels, each with its own confidence. | Attack Taxonomy |
| D3FEND | MITRE's defensive counterpart to ATT&CK, mapping countermeasures to techniques through a shared digital-artifact ontology. | Attack Taxonomy |
| Diamond Model | An intrusion-analysis model linking four features: adversary, capability, infrastructure, victim. | Attack Taxonomy |
| IOC (Indicator of Compromise) | An observable artifact of an intrusion (hash, IP, domain) — useful but brittle compared with behavior. | Attack Taxonomy · Detection Eng |
| Kill Chain | Lockheed Martin's staged model of an intrusion, from reconnaissance to actions on objectives. | Attack Taxonomy |
| Pyramid of Pain | Ranks indicator types by how much disrupting them costs the adversary — hashes are cheap to change, TTPs are not. | Detection Eng |
| TTP | Tactics, Techniques, and Procedures — the behavioral level of activity, and the most durable thing to detect. | Attack Taxonomy · Detection Eng |
| Term | In one line | See |
|---|---|---|
| Containment | Limiting an incident's spread while preserving the evidence you'll need later. | Incident Response |
| Eradication | Removing the adversary's foothold and the entry vector before recovery, so you don't restore the hole too. | Incident Response |
| False positive / negative | A benign event flagged / a real event missed; every detection rule trades one against the other. | Detection Eng |
| IR lifecycle | Prepare, detect & triage, contain, eradicate, recover, learn — a loop, not a line. | Incident Response |
| MTTD / MTTR | Mean time to detect / to respond — the headline metrics of a response program. | Incident Response |
| Order of volatility | The sequence to collect evidence, most-perishable first: memory before disk before archives. | Logging & Evidence |
| SEV (severity level) | A pre-agreed scale (e.g. SEV-1..4) mapping an incident's impact to a response tier, so "how bad is it?" has a fast answer. | Incident Response |
| Sigma | A vendor-neutral YAML format for log/SIEM detection rules, translated to each backend's query language. | Detection Eng |
| SIEM | A platform that centralizes logs and runs correlation and detection over them. | Logging & Evidence · Detection Eng |
| Snort / Suricata | Signature-based network intrusion detection/prevention engines. | Detection Eng |
| Tabletop | A discussion-based rehearsal of an incident plan, run before the incident. | Incident Response |
| YARA | Pattern-matching rules that classify files and memory by their content. | Detection Eng |
| Term | In one line | See |
|---|---|---|
| CVE | A unique identifier for one publicly-known vulnerability (assigned via MITRE's program). | Vuln Mgmt |
| CVSS | A 0–10 severity score with a vector string — a measure of severity, not risk, and meaningless without its vector. | Vuln Mgmt |
| CWE | A catalog of weakness classes (e.g. cross-site scripting, SQL injection) that a CVE belongs to. | Vuln Mgmt |
| CPE | Machine-readable product-and-version identifiers that scanners match findings against. | Vuln Mgmt |
| EPSS | FIRST's daily probability (0–1) that a vulnerability will be exploited in the near term. | Vuln Mgmt |
| KEV | CISA's catalog of vulnerabilities with confirmed in-the-wild exploitation — the strongest single urgency signal. | Vuln Mgmt |
| SBOM | A machine-readable inventory of software components (SPDX or CycloneDX) — how you answer "are we affected?" fast. | Vuln Mgmt |
| SCA | Software Composition Analysis — finding known vulnerabilities in your open-source dependency tree. | Vuln Mgmt |
| SSVC | A decision-tree prioritization (Act / Attend / Track) that folds in exploitation and your own context. | Vuln Mgmt |
| Window of exposure | The span from a flaw becoming exploitable to your systems being patched — where most breaches happen. | Vuln Mgmt |
| Term | In one line | See |
|---|---|---|
| ARP | Resolves an IPv4 address to a MAC address on the local segment (IPv6 uses NDP instead). | Networking |
| CIDR / subnet mask | The notation and bits that split an IP address into its network and host portions. | Networking |
| DHCP | Automatically hands hosts their IP configuration; a 169.254.x.x address means it wasn't reached. | Networking |
| DNS | Resolves names to addresses (and much more) — and is a frequent hidden cause of "the network is down." | Networking |
| Default gateway | The router a host sends any off-subnet traffic to. | Networking |
| RIB / FIB | The full routing information base (control plane) versus the optimized table the hardware forwards with at line rate. | Networking |
| IPv6 / SLAAC | 128-bit addressing; SLAAC lets a host build its own address from Router Advertisements. No ARP, usually no NAT. | Networking |
| LPM (longest prefix match) | Routers forward using the most-specific matching route. | Networking |
| NAT | Rewrites addresses/ports between private and public ranges — an addressing tool, not a security boundary by itself. | Networking |
| QoS / DSCP | Prioritizes traffic at points of congestion using header markings; it orders contention, it doesn't create bandwidth. | Networking |
| VLAN | A logically-separated Layer-2 broadcast domain riding on shared switches. | Networking |
| Term | In one line | See |
|---|---|---|
| Band (2.4 / 5 / 6 GHz) | Frequency ranges trading range against throughput and congestion; higher bands are faster but shorter-reaching. | Wi-Fi |
| Captive portal | The intercept-and-redirect sign-in page on guest networks — authentication and acceptance, not encryption. | Wi-Fi |
| Channel / DFS | A slice of a band; DFS channels must vacate on radar detection, which can bounce clients off. | Wi-Fi |
| 802.1X / RADIUS | Port-based network access control with a back-end authentication server — the basis of enterprise (non-PSK) Wi-Fi. | Wi-Fi |
| RSSI / SNR | Received signal strength / signal-to-noise ratio; SNR predicts usable throughput better than the "bars" do. | Wi-Fi |
| Roaming | A client moving between access points on the same network — where "full bars, still slow" often lives. | Wi-Fi |
| SSID | A wireless network's advertised name. | Wi-Fi |
| WPA2 / WPA3 | Wi-Fi security generations; WPA3 adds SAE and forward secrecy but is only as strong as its weakest transition mode. | Wi-Fi |
| Term | In one line | See |
|---|---|---|
| Cookie / session / token | Mechanisms that add state to stateless HTTP; the live session or token is what an attacker actually steals. | HTTP |
| CORS | The browser rules governing which cross-origin requests a page may make. | HTTP |
| HTTP methods / status classes | GET/POST/etc.; responses fall in 1xx–5xx, where the 4xx (client) vs 5xx (server) split is the fastest triage signal. | HTTP |
| HTTP/1.1 · /2 · /3 | Successive versions; /2 multiplexes over one connection, /3 runs over QUIC (UDP). | HTTP |
| QUIC | The UDP-based transport underneath HTTP/3. | HTTP |
| Proxy / CDN / cache | Intermediaries that forward, distribute, or store responses — and can rewrite what you think you're seeing. | HTTP |
| TLS / certificate | Encrypts and authenticates the channel; a certificate proves the server's identity, not the site's honesty. | HTTP · Networking |
| WebSocket / SSE | A persistent bidirectional channel (after an HTTP upgrade) / one-way server push over an open HTTP response. | HTTP |
| Term | In one line | See |
|---|---|---|
| Capture vs display filter | What you record (BPF — excluded packets are gone) versus what you view (Wireshark, non-destructive). | Packet Capture |
| Chain of custody | The documented handling record that keeps evidence trustworthy and admissible. | Logging & Evidence |
| Hash | A fingerprint showing a file or capture is unaltered — it proves integrity, not origin or truth. | Logging & Evidence |
| pcap | A packet-capture file. | Packet Capture |
| snaplen | Bytes captured per packet; set too small, it truncates payloads and you never know what you missed. | Packet Capture |
| SPAN / TAP | Switch port mirroring / an inline hardware tap — the two places a capture comes from, with different fidelity. | Packet Capture |
| SSLKEYLOGFILE | The environment-variable mechanism that logs TLS session keys so you can decrypt your own traffic in Wireshark. | Packet Capture |
| Vantage | Where you captured; you only see what crossed that point, so absence of a packet is not proof of absence of the event. | Packet Capture |
A reference index to the collection, not a source in itself — each definition compresses what its named guide develops, and the guide is authoritative where the two ever seem to differ. Definitions are deliberately conceptual and version-independent: for anything version-specific (current CVSS or ATT&CK release, a framework revision, an RFC's status), the owning guide carries the checked detail and its "verify" flags, and those should be confirmed against the primary source before use. Compiled from the nineteen guides in this collection; the Zero Trust guide is referenced by others but not yet part of this set. Companion to every guide — start at 00 · Start Here for the map.