// glossary

Security & Compliance Glossary

Plain-language definitions of the security and compliance terms that show up in audits, sales questionnaires, and board decks. Written to be accurate and quotable, by the team that delivers SOC 2, penetration testing, AI/LLM security, and fractional CISO work.

A

AI Security

AI / LLM Security

Protecting LLM and AI agent applications from threats like prompt injection and data leakage.

 Offensive

Attack Surface

The full set of points where an attacker could try to enter or extract data from a system.

C

Vulnerabilities

CVE (Common Vulnerabilities and Exposures)

A unique public identifier assigned to a specific, publicly disclosed security vulnerability.

 Vulnerabilities

CVSS (Common Vulnerability Scoring System)

An open framework for rating the severity of a vulnerability from 0.0 to 10.0.

D

Offensive

DAST (Dynamic Application Security Testing)

Testing a running application from the outside to find runtime vulnerabilities.

G

Compliance

GDPR

The EU regulation governing how organizations handle the personal data of people in the EU.

H

Compliance

HIPAA

US rules for safeguarding electronic protected health information.

I

Operations

Incident Response

The organized process for detecting, containing, and recovering from a security incident.

 Compliance

ISO 27001

An international standard for an Information Security Management System (ISMS).

M

Operations

MTTR (Mean Time to Respond / Resolve)

The average time it takes to respond to or resolve an incident.

O

Compliance

OSFI E-21

Canada's operational risk and resilience guideline for federally regulated financial institutions.

P

Compliance

PCI DSS

Security requirements for any organization that handles payment card data.

 Offensive

Penetration Test vs Vulnerability Scan

The difference between automated breadth (scan) and manual depth (pen test).

 Offensive

Penetration Testing

An authorized, manual assessment where testers actively exploit weaknesses like a real attacker.

 AI Security

Prompt Injection

An attack where crafted input makes an LLM ignore its instructions and follow the attacker's.

Q

Compliance

Quebec Law 25

Quebec's modernized private-sector privacy law governing personal information of residents.

R

Offensive

Red Team

A goal-oriented adversarial engagement that tests people, process, and technology together.

S

Offensive

SAST (Static Application Security Testing)

Analyzing source code for security flaws without running the program.

 Compliance

Security Questionnaire

The structured questions an enterprise buyer sends to assess a vendor's security posture.

 Operations

SIEM (Security Information and Event Management)

A system that collects and correlates log data across systems to detect threats.

 Compliance

SOC 2

An AICPA auditing standard reporting on how a service organization manages customer data.

 Compliance

SOC 2 Type I vs Type II

Design at a point in time (Type I) vs operating effectiveness over a period (Type II).

T

Offensive

Threat Modeling

A structured process for identifying threats and mitigations early in system design.

V

Leadership

vCISO (Fractional CISO)

A security executive who runs your security program on a part-time or contract basis.

 Vulnerabilities

Vulnerability Assessment

A systematic review that identifies and prioritizes known security weaknesses.

Z

Architecture

Zero Trust

A security model built on "never trust, always verify," authenticating every access request.
// work with us

Need help putting these into practice?

SOC 2 readiness, penetration testing with our partner Lorikeet Security, AI/LLM security, and fractional CISO leadership, backed by real published research.

Book a strategy call