C
CIS Controls
Security framework
The CIS Critical Security Controls are a prioritized set of actions developed by the Center for Internet Security to protect organizations from known attack vectors. Organized into 18 control groups, they provide a practical, prescriptive baseline for hardening systems — especially useful for MSPs advising SMB clients who need to show measurable security hygiene without implementing a full ISO or NIST program.
Also known as:
CIS CSC, CIS Top 18
Why it matters:
Many MSP clients treat CIS Controls as a starting checklist before pursuing larger frameworks like NIST CSF or ISO 27001.
Source: cisecurity.org
CVE
Vulnerability identifier
Common Vulnerabilities and Exposures (CVE) is a publicly maintained list that assigns unique identifiers (e.g., CVE-2024-12345) to known security vulnerabilities in software and hardware. Managed by MITRE under a CISA contract, CVE IDs allow MSPs, vendors, and security teams to unambiguously reference a specific flaw across tools, advisories, and patch processes.
Also known as:
Common Vulnerabilities and Exposures
Why it matters:
Patch management workflows and vulnerability scanners reference CVE IDs to prioritize remediation. Without them, the same vulnerability would be named differently across every vendor.
Source: cve.org
CVSS
Severity scoring standard
The Common Vulnerability Scoring System (CVSS) is an open standard maintained by FIRST (Forum of Incident Response and Security Teams) that provides a numeric severity score from 0 to 10 for CVEs. It accounts for how easy a vulnerability is to exploit, the privileges required, and the impact on confidentiality, integrity, and availability. Scores above 9.0 are classified as Critical.
Also known as:
Common Vulnerability Scoring System
Why it matters:
CVSS scores are the primary signal MSPs use to triage which patches to deploy first. A score alone is not a complete picture — exploitability in the wild matters too.
Source: first.org/cvss
E
EDR
Endpoint detection and response
EPP
Endpoint protection platform
An Endpoint Protection Platform (EPP) focuses on preventing known threats — malware, ransomware, exploits — before they execute on an endpoint, typically using signature matching, heuristics, and machine learning. EPP is the prevention layer; EDR is the detection and response layer. Most modern security platforms combine both into a single agent.
Also known as:
Endpoint Protection Platform
Why it matters:
MSPs that conflate EPP with EDR often discover they have strong prevention but weak visibility when something slips through.
I
IAM
Identity and access management
Identity and Access Management (IAM) is the discipline and set of technologies that control who has access to which resources and under what conditions. Core IAM capabilities include authentication, authorization, role-based access control (RBAC), and lifecycle management for user accounts. In cloud and SaaS environments, IAM is often the most critical security control because there is no network perimeter to fall back on.
Also known as:
Identity and access management
Why it matters:
Compromised identities are the leading initial access vector in enterprise breaches. Weak IAM is frequently the gap that enables lateral movement.
IOC / IOA
Threat indicators
Indicators of Compromise (IOCs) are artifacts — IP addresses, file hashes, domain names — that signal a system has already been breached or is communicating with a malicious actor. Indicators of Attack (IOAs) focus on behavioral patterns that indicate an attack is in progress, regardless of the tool used. IOAs are generally harder to forge or change than IOCs, making them a more durable detection signal.
Also known as:
Indicators of Compromise, Indicators of Attack
Why it matters:
IOC-based detection is reactive; IOA-based detection is proactive. A SOC that relies only on IOCs will always be one step behind adaptive attackers.
ITDR
Identity threat detection and response
Identity Threat Detection and Response (ITDR) is an emerging security discipline focused on detecting and responding to attacks that target identity infrastructure — Active Directory, Azure AD/Entra ID, Okta, and similar systems. ITDR platforms monitor for credential abuse, privilege escalation, misconfigured service accounts, and directory recon patterns that EDR and SIEM tools frequently miss.
Also known as:
Identity threat detection and response
Why it matters:
Active Directory compromises underlie the majority of ransomware outbreaks in mid-market organizations. ITDR fills the gap left by endpoint and network tools.
ISO/IEC 27001
Information security standard
ISO/IEC 27001 is an international standard that specifies requirements for establishing, implementing, maintaining, and continuously improving an Information Security Management System (ISMS). Organizations can seek certification against it through an accredited third-party audit. For MSPs, it is a common requirement when serving enterprise clients or regulated sectors in Europe and Asia-Pacific.
Also known as:
ISO 27001
Why it matters:
ISO 27001 certification is often a prerequisite for MSPs tendering into financial services, healthcare, or government supply chains outside the US.
Source: iso.org
L
Lateral movement
Attacker technique
Lateral movement describes the tactics and techniques an attacker uses to progressively move through a network after gaining initial access — pivoting from one compromised host to others, escalating privileges, and accessing additional systems or data stores. Common techniques include Pass-the-Hash, Pass-the-Ticket, RDP abuse, and exploitation of misconfigured services. MITRE ATT&CK documents lateral movement as a named tactic (TA0008).
Why it matters:
Most ransomware operators spend days or weeks moving laterally before deploying encryption. Detecting lateral movement early is the primary way to stop a breach before data loss.
Source: MITRE ATT&CK TA0008
M
MDR
Managed detection and response
Managed Detection and Response (MDR) is a security service in which an external provider combines technology (typically EDR and SIEM) with human analysts to monitor an organization's environment, detect threats, and take containment actions on behalf of the client. MDR providers operate SOCs that scale across many customers, making enterprise-grade response available to organizations that cannot staff 24/7 security in-house.
Also known as:
Managed Detection and Response
Why it matters:
MDR is how most MSPs deliver SOC services without building a SOC from scratch. The quality difference between MDR providers comes down to mean time to detect and the scope of response authority.
MFA
Multi-factor authentication
Multi-Factor Authentication (MFA) requires users to prove identity using two or more factors: something they know (password), something they have (authenticator app or hardware token), or something they are (biometric). MFA dramatically reduces the risk of account takeover even when passwords are compromised, and is one of the highest-return controls an MSP can enforce across client environments.
Also known as:
Multi-Factor Authentication, two-factor authentication, 2FA
Why it matters:
CISA and most cyber insurance underwriters now treat MFA on privileged accounts as a baseline requirement, not a best practice.
MITRE ATT&CK
Adversary behavior framework
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It organizes attack behaviors into tactics (the attacker's goal, such as Initial Access or Persistence) and techniques (the specific methods used). SOC teams and detection engineers use ATT&CK to map coverage gaps, build detection rules, and communicate threat intelligence in a common language.
Also known as:
ATT&CK, MITRE ATT&CK Framework
Why it matters:
ATT&CK is the closest thing the industry has to a universal threat taxonomy. MSPs that map their detection coverage to ATT&CK can demonstrate security posture in a vendor-neutral way.
N
NDR
Network detection and response
Network Detection and Response (NDR) analyzes network traffic — packets, flows, and metadata — to detect threats that operate below the endpoint layer or move between systems without touching the host in ways EDR would capture. NDR tools use behavioral analytics and machine learning to spot anomalies like unusual data staging, beaconing, or lateral movement over SMB and RDP.
Also known as:
Network Detection and Response, network traffic analysis, NTA
Why it matters:
In OT/ICS and IoT environments where agents cannot be deployed, NDR is often the only viable detection layer.
NIST CSF
Security framework
The NIST Cybersecurity Framework (CSF) is a voluntary framework developed by the National Institute of Standards and Technology to help organizations manage and reduce cybersecurity risk. Version 2.0, released in 2024, organizes security activities into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is widely used in North America as a universal benchmark for security program maturity.
Also known as:
NIST Cybersecurity Framework, NIST CSF 2.0
Why it matters:
NIST CSF is the most-cited framework in client security reviews and board-level reporting. MSPs that align delivery to CSF functions communicate value more clearly to non-technical stakeholders.
O
Open XDR
Vendor-agnostic XDR architecture
Open XDR refers to an Extended Detection and Response architecture that ingests telemetry from a wide range of third-party security tools — EDR, SIEM, firewalls, identity providers, cloud platforms — rather than requiring a single vendor's full stack. The 'open' refers to interoperability and vendor-agnostic integrations, not an open-source licensing model. It allows MSPs to unify detection across heterogeneous client environments without ripping and replacing existing investments.
Also known as:
vendor-agnostic XDR, hybrid XDR
Why it matters:
Most MSP client environments already have EDR, M365, and a firewall from different vendors. Open XDR turns that fragmented stack into a unified detection surface.
P
Patch management
Vulnerability remediation process
Patch management is the systematic process of identifying, testing, approving, and deploying software and firmware updates to close known vulnerabilities. A mature patch management program tracks assets, monitors CVE disclosures, enforces patch SLAs (e.g., critical patches within 24–72 hours), and validates deployment. For MSPs, it is one of the most labor-intensive recurring services and a frequent source of compliance audit findings.
Why it matters:
The majority of successful ransomware attacks exploit known vulnerabilities for which patches existed at the time of the breach. Patch management is the unsexy control that prevents the most breaches.
Phishing
Social engineering attack
Phishing is a social engineering attack in which an adversary sends deceptive messages — typically email — designed to trick recipients into revealing credentials, downloading malware, or approving fraudulent transactions. Spear phishing targets specific individuals with personalized context. Business Email Compromise (BEC) is a financially motivated variant that impersonates executives or vendors to authorize wire transfers.
Also known as:
spear phishing, BEC, Business Email Compromise
Why it matters:
Phishing and BEC together account for the majority of initial access events and financial losses in SMB incidents handled by MSPs.
Privilege escalation
Attacker technique
Privilege escalation is the technique by which an attacker who has gained limited access to a system — often as a standard user — acquires higher-level permissions, such as local administrator or domain administrator. MITRE ATT&CK categorizes it as tactic TA0004. Common methods include exploiting unpatched local vulnerabilities, abusing misconfigured services, token impersonation, and credential harvesting from memory.
Also known as:
PrivEsc
Why it matters:
Containing privilege escalation attempts is the critical window between initial compromise and full network takeover in most ransomware scenarios.
R
Ransomware
Extortion malware
Ransomware is malware that encrypts a victim's files or systems and demands payment — typically in cryptocurrency — in exchange for the decryption key. Modern ransomware operations often involve double extortion (threatening to publish stolen data if ransom is not paid), RaaS (Ransomware-as-a-Service) models where operators lease the malware to affiliates, and extended dwell time to maximize damage before triggering encryption.
Also known as:
crypto-ransomware, RaaS
Why it matters:
Ransomware is the primary cyber threat to SMBs and the scenario MSP clients most often cite when asking about security. Understanding the kill chain — from phishing to lateral movement to encryption — is essential for effective defense.
S
SIEM
Security information and event management
A Security Information and Event Management (SIEM) platform centrally collects, normalizes, correlates, and prioritizes security log data from across an organization's infrastructure — endpoints, firewalls, servers, cloud services, and applications. SIEM enables analysts to detect patterns across disparate event streams that no single source would reveal. NIST SP 800-92 describes SIEM capabilities including centralized collection, normalization, correlation, prioritization, and the ability to initiate responses.
Also known as:
Security Information and Event Management, log management
Why it matters:
SIEM is the core record-of-truth layer in a SOC. It is distinct from XDR: SIEM aggregates logs broadly; XDR correlates signals to close detection gaps across telemetry types. They are complementary, not interchangeable.
SOAR
Security orchestration, automation and response
Security Orchestration, Automation, and Response (SOAR) platforms automate repetitive SOC tasks — enriching alerts, isolating endpoints, blocking IPs, opening tickets — by connecting security tools via APIs and executing predefined playbooks. SOAR reduces mean time to respond (MTTR) and frees analysts for higher-judgment work. It is often embedded within XDR and MDR platforms rather than deployed as a standalone product.
Also known as:
Security Orchestration Automation and Response, security automation
Why it matters:
At scale, human analysts cannot triage thousands of daily alerts manually. SOAR is what turns a capable SOC into a scalable one.
SOC 2
Audit and compliance standard
SOC 2 (System and Organization Controls 2) is an auditing standard developed by the AICPA that evaluates whether a service organization's controls meet the Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. A SOC 2 Type II report covers a specific period (typically 6–12 months) and is commonly required by enterprise clients when evaluating MSP and SaaS vendors.
Also known as:
System and Organization Controls 2
Why it matters:
MSPs seeking enterprise contracts often need SOC 2 Type II certification to pass vendor due diligence. It is a trust signal, not a security guarantee.
T
TTPs
Tactics, techniques, and procedures
Tactics, Techniques, and Procedures (TTPs) describe how a threat actor operates — their strategic goals (tactics), the specific methods they use to achieve them (techniques), and the detailed step-by-step implementations (procedures). TTPs are harder for attackers to change than tooling or infrastructure, making TTP-based detection more durable than IOC-based detection. MITRE ATT&CK is the primary public taxonomy of TTPs.
Also known as:
Tactics, Techniques, and Procedures
Why it matters:
Defenders who hunt by TTP rather than by signature or IOC are consistently ahead of adversaries that rotate tools and infrastructure.
V
Vulnerability management
Continuous risk reduction process
Vulnerability management is the continuous process of discovering, prioritizing, remediating, and verifying security vulnerabilities across an organization's assets. It encompasses asset inventory, authenticated scanning, CVE/CVSS-based risk scoring, remediation tracking, and compliance reporting. For MSPs, it is a billable managed service that directly reduces the attack surface for client environments.
Why it matters:
Vulnerability management is the operational process that turns CVE intelligence into reduced risk. Without it, organizations know they have gaps but take no structured action.
X
XDR
Extended detection and response
Extended Detection and Response (XDR) correlates telemetry across multiple security layers — endpoints, network, identity, cloud, and email — to detect and respond to threats that no single-domain tool would catch in isolation. XDR connects these signals into unified incidents, reducing alert fatigue and speeding investigation. It does not replace SIEM for log aggregation and compliance use cases; the two platforms address different problems and are frequently used together.
Also known as:
Extended Detection and Response
Why it matters:
XDR reduces the analyst burden of correlating events across siloed tools, which is the dominant pain point in understaffed MSP SOCs.
Z
Zero Trust / ZTA
Security architecture
Zero Trust Architecture (ZTA) is a security model based on the principle of 'never trust, always verify' — no user, device, or network segment is inherently trusted, regardless of whether it is inside the corporate perimeter. NIST SP 800-207 defines Zero Trust as a set of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions. Critically, Zero Trust is an architecture and a design philosophy, not a product or a setting you switch on.
Also known as:
Zero Trust Architecture, ZTA, ZTNA
Why it matters:
Vendors often market products as 'Zero Trust.' MSPs should evaluate whether a product implements Zero Trust principles (continuous verification, least-privilege, micro-segmentation) rather than accepting the label at face value.
ZTNA
Zero Trust Network Access
Zero Trust Network Access (ZTNA) is a specific technology category that implements Zero Trust principles for remote access — replacing or augmenting traditional VPN with identity-aware, least-privilege access to individual applications rather than broad network segments. ZTNA is one implementation of Zero Trust; it is not synonymous with ZTA as a whole architecture.
Also known as:
Zero Trust Network Access, software-defined perimeter, SDP
Why it matters:
ZTNA is the most common entry point for MSPs deploying Zero Trust in practice, because replacing VPN for remote access is a well-defined, achievable project.
Frameworks & standards at a glance
NIST CSF 2.0
Six-function voluntary framework (Govern, Identify, Protect, Detect, Respond, Recover) for managing cybersecurity risk across any sector.
MITRE ATT&CK
The authoritative, community-maintained knowledge base of adversary tactics and techniques used for detection engineering and threat intelligence.
ISO/IEC 27001
International ISMS standard with third-party certification; widely required for MSPs serving enterprise and regulated-sector clients outside North America.
SOC 2
AICPA auditing standard evaluated against Trust Services Criteria. SOC 2 Type II reports are a common vendor due-diligence requirement in enterprise procurement.
CIS Controls v8
18 prioritized security actions covering the most critical attack vectors. A practical hardening baseline for MSPs advising SMB clients.
NIST SP 800-207 (Zero Trust)
NIST's authoritative definition of Zero Trust Architecture — the standard reference for separating genuine ZTA implementations from marketing claims.
Authoritative sources
[1] NIST SP 800-207: Zero Trust Architecture
[2] NIST SP 800-92: Guide to Computer Security Log Management (SIEM)
[3] MITRE ATT&CK knowledge base
[4] CVE Program: cve.org
[5] CVSS standard: FIRST.org
[6] NIST Cybersecurity Framework 2.0
[7] CIS Critical Security Controls
[8] ISO/IEC 27001 standard