Incident Response Glossary

55 terms—from IOC to golden ticket—defined in plain language. Use this as a reference during an active investigation or when reviewing an IR firm's proposal.

What are the core detection and response terms?

Detection and response vocabulary describes how defenders find attackers and stop them. These 14 terms—IOC, IOA, EDR, XDR, MDR, SOAR, SIEM, DFIR, MTTD, MTTR, dwell time, threat hunting, threat intelligence, and sandbox—appear in every IR engagement scope of work.

IOC (Indicator of Compromise)
Forensic artifact—file hash, IP address, registry key—that signals a system has already been breached. Retrospective by nature; differs from an IOA, which catches attacks in progress.
IOA (Indicator of Attack)
Behavioral signal revealing an attack in progress—commands executed, processes spawned, network connections made—before a full compromise is confirmed. Detects novel threats IOCs miss.
Dwell time
How long an attacker remained inside a network before detection. IBM Cost of a Data Breach 2024 reports a global median of 194 days. Longer dwell = larger blast radius and higher breach cost.
MTTD (Mean Time to Detect)
Average time between initial intrusion and the moment the organization becomes aware of it. IBM 2024 data: organizations with AI-assisted detection cut MTTD by 108 days versus those without.
MTTR (Mean Time to Recover)
Average elapsed time from breach discovery to full restoration of affected systems and services. A core KPI for IR program maturity and cyber-insurance underwriting discussions.
EDR (Endpoint Detection and Response)
Agent-based security software that continuously records endpoint activity, detects threats using behavioral analytics, and enables remote isolation of compromised hosts. Foundation of modern IR.
XDR (Extended Detection and Response)
Platform that correlates telemetry across endpoint, network, cloud, and email into a unified detection-and-response workflow, reducing analyst context-switching during an incident.
MDR (Managed Detection and Response)
Outsourced 24/7 service where a security vendor hunts threats and responds on the client's behalf. Effectively an on-demand external IR team without internal headcount.
SOAR (Security Orchestration, Automation and Response)
Platform that automates repetitive analyst tasks—alert triage, ticket creation, IOC enrichment—through playbooks, allowing human analysts to focus on high-fidelity investigation.
SIEM (Security Information and Event Management)
Centralizes and correlates log data from across the environment to surface anomalies and alerts. Generates the audit trail investigators rely on post-breach to reconstruct attacker timelines.
DFIR (Digital Forensics and Incident Response)
Combined discipline covering identification, preservation, analysis, and documentation of digital evidence alongside active incident containment. Most specialist IR firms lead with DFIR capabilities.
Threat hunting
Proactive, human-led search for hidden attacker activity that automated tools have not yet detected, using hypotheses grounded in threat intelligence and known adversary TTPs.
Threat intelligence
Analyzed information about threat actors, their infrastructure, and TTPs that helps defenders anticipate attacks and contextualize alerts during an active incident.
Sandbox
Isolated execution environment used to safely detonate suspicious files and observe behavior—network calls, registry writes, process creation—without risking production systems.
YARA rule
Pattern-matching rule syntax used by malware analysts to identify malware families based on strings, byte sequences, or structural characteristics. Shared widely via open-source repositories.

What attacker tactics and malware terms will I encounter?

Understanding attacker vocabulary lets you read forensic reports and insurance questionnaires accurately. These terms describe how intruders get in, move, and profit—from phishing through double extortion.

Phishing
Email-based social engineering that tricks recipients into revealing credentials or executing malware. The initial access vector in roughly 41% of breaches (Verizon DBIR 2024). Most common entry point for ransomware.
Smishing
SMS-based phishing directing victims to fake login pages or inducing malicious app installation. Increasingly used for initial access as email gateway defenses mature.
Credential stuffing
Automated attack replaying username/password pairs stolen in prior breaches against new targets, exploiting widespread password reuse. Low cost, high volume, effective against sites without MFA.
Lateral movement
Techniques attackers use to progressively move through a network after initial access—pass-the-hash, RDP pivoting, exploiting trust relationships between systems—to reach high-value targets.
Privilege escalation
Gaining higher-level permissions than originally obtained—local user to local admin, local admin to domain admin—to access sensitive data and deploy ransomware across the domain.
Persistence
Attacker techniques ensuring continued access after reboots or password resets—scheduled tasks, registry run keys, webshells, or implanted firmware. Eradication requires removing all persistence mechanisms.
Living-off-the-land (LOLBins)
Attacker technique using legitimate OS tools—PowerShell, WMI, certutil, mshta—to execute malicious actions while blending with normal admin traffic, evading signature-based detection.
Command-and-control (C2)
Infrastructure—servers, domains, encrypted channels—that lets an attacker issue instructions to malware and receive stolen data. Identifying and blocking C2 is a primary containment action.
Beaconing
Regular, periodic outbound network calls from implanted malware to C2 infrastructure. Consistent timing intervals, such as a call every 60 seconds, reveal C2 channels during network traffic analysis.
Exfiltration / Data exfiltration
Unauthorized transfer of sensitive data out of the victim environment, typically to attacker-controlled cloud storage before ransomware detonation. Triggers separate regulatory notification obligations.
Supply-chain attack
Compromise of a trusted software vendor, update mechanism, or managed-service provider to reach downstream customers—exemplified by the 2020 SolarWinds SUNBURST intrusion affecting 18,000 organizations.
Ransomware
Malware that encrypts victim files or systems and demands cryptocurrency payment for the decryption key. Modern ransomware variants also exfiltrate data for double-extortion leverage. See ransomware response guide.
Double extortion
Ransomware tactic combining file encryption with threatened public release of stolen data on a leak site, giving attackers leverage even when victims restore operations from backup without paying.
Ransomware-as-a-Service (RaaS)
Criminal affiliate model where ransomware developers license malware to affiliates who conduct attacks and split proceeds—typically 70% to affiliates, 30% to developers—enabling rapid scaling.
Business Email Compromise (BEC)
Social-engineering fraud impersonating executives or vendors to redirect wire transfers. FBI IC3 2023: BEC caused $2.9 billion in reported losses, more than any other cybercrime category.
Advanced Persistent Threat (APT)
Sophisticated, often state-sponsored threat actor conducting long-duration, stealthy intrusion campaigns to steal intelligence or pre-position for sabotage. MITRE ATT&CK catalogs over 130 known APT groups.
Zero-day
Vulnerability unknown to the software vendor or public, with no patch available. Exploitation leaves defenders without signature-based detection; organizations must rely on behavioral controls.
Golden ticket
Kerberos attack where an attacker forges a Ticket Granting Ticket using the stolen krbtgt account NTLM hash, granting persistent, stealthy domain-admin access valid for up to 10 years without password resets.
TTP (Tactics, Techniques and Procedures)
The behavioral fingerprint of a threat actor: high-level goals (tactics), specific methods (techniques), and fine-grained implementation details (procedures) that enable attribution and detection rule writing.
MITRE ATT&CK
Globally accessible, community-maintained knowledge base of adversary tactics and techniques derived from real-world intrusions. Used to map forensic findings, assess detection coverage, and brief the board.
Cyber kill chain
Lockheed Martin's seven-stage intrusion model—Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives—used to sequence forensic findings and identify defensive gaps.
Patient zero
The first host in an organization compromised during an incident—the forensic starting point for reconstructing the full attack timeline, initial access vector, and scope of lateral movement.
Attribution
Process of identifying the threat actor responsible for an intrusion using technical artifacts, infrastructure reuse, and TTP overlap. Rarely certain; often directional and conducted under attorney privilege.
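The beaconing entry above says consistent timing intervals give C2 channels away. The following added example (not part of the original glossary) shows that check in code: it groups outbound connections by source host and destination, measures the gaps between consecutive calls, and flags pairs whose gaps are nearly constant. The log format, host names and addresses are constructed for the example; `min_connections` and `max_cv` are assumed tuning knobs, not values from the page.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log: "<ISO timestamp> <source host> <dest ip:port>".
# WS-017 calls one destination about every 60 s (beacon-like); WS-042 browses irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z WS-017 203.0.113.10:443
2024-05-01T10:00:07Z WS-042 198.51.100.5:443
2024-05-01T10:01:01Z WS-017 203.0.113.10:443
2024-05-01T10:01:59Z WS-017 203.0.113.10:443
2024-05-01T10:02:33Z WS-042 198.51.100.5:443
2024-05-01T10:03:00Z WS-017 203.0.113.10:443
2024-05-01T10:03:58Z WS-017 203.0.113.10:443
2024-05-01T10:05:00Z WS-017 203.0.113.10:443
2024-05-01T10:05:12Z WS-042 198.51.100.5:443
2024-05-01T10:06:01Z WS-017 203.0.113.10:443
2024-05-01T10:13:40Z WS-042 198.51.100.5:443
2024-05-01T10:14:02Z WS-042 198.51.100.5:443
"""

def parse_connections(log_text):
    """Yield (timestamp, src_host, destination) from the constructed log format."""
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = line.split()
            yield datetime.fromisoformat(ts.replace("Z", "+00:00")), src, dst

def find_beacons(log_text, min_connections=5, max_cv=0.2):
    """Flag (src, dst) pairs whose inter-connection gaps are suspiciously regular.
    Regularity = coefficient of variation (stdev / mean) of the gaps; low means near-constant.
    Tune max_cv upward for jittered beacons; expect benign periodic traffic (update checks,
    NTP, monitoring agents) to be flagged too, so treat hits as leads for triage, not verdicts."""
    by_pair = defaultdict(list)
    for ts, src, dst in parse_connections(log_text):
        by_pair[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few samples to judge periodicity
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean_gap if mean_gap > 0 else 0.0
        if cv <= max_cv:
            flagged[pair] = {"connections": len(stamps), "mean_interval_s": mean_gap, "cv": cv}
    return flagged

if __name__ == "__main__":
    for (src, dst), s in find_beacons(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {s['connections']} calls, ~{s['mean_interval_s']:.0f}s apart (cv={s['cv']:.3f})")
```

On the sample, only WS-017's traffic to 203.0.113.10:443 is reported (seven calls about 60 seconds apart); WS-042 has enough connections to be evaluated but its gaps vary too much.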

What forensic and evidence terms do lawyers and IR firms use?

Forensic terminology governs how evidence is collected, preserved, and presented to regulators or courts. Getting these steps wrong—rebooting before imaging RAM, breaking chain of custody—can undermine both your legal defense and your ability to understand what happened. See the full data breach response process.

Chain of custody
Documented, unbroken record of who collected, handled, transferred, and stored digital evidence. Required to preserve evidentiary integrity for litigation, regulatory investigations, or criminal prosecution.
Forensic image
Bit-for-bit copy of a storage device—including deleted files, unallocated space, and file slack—taken with write-blocking hardware to ensure the original medium remains unchanged.
Volatile data
Data that exists only while a system is powered on—running processes, active network connections, encryption keys in RAM. Lost permanently on shutdown or reboot; must be captured before containment.
Memory forensics
Acquisition and analysis of RAM contents to recover encryption keys, injected malicious code, attacker credentials, and command history not written to persistent storage.
Indicators vs. precursors
Indicators confirm a breach has already occurred (malware found on disk); precursors are signals an attack may be imminent (reconnaissance scan detected). Distinguishing them sets response urgency.
Scoping
Early IR phase that determines which systems, data types, and time windows are affected. Accurate scoping is critical for sizing the investigation, calculating notification obligations, and managing attorney privilege.
Containment
IR phase focused on limiting the spread of an incident—network segmentation, account disabling, host isolation—without destroying volatile evidence needed for forensic analysis.
Eradication
Removing all attacker footholds—malware, backdoors, rogue accounts, compromised credentials—after containment, and before systems are restored to production. Incomplete eradication causes reinfection.

What IR program and planning terms appear in policies and contracts?

IR program vocabulary covers the governance, contracts, and exercises that determine whether your organization can respond effectively before a crisis. These terms appear in cyber insurance applications, audit reports, and vendor proposals.

RTO (Recovery Time Objective)
Maximum acceptable downtime for a system or process after a disruption. Drives architectural decisions around redundancy, failover, and hot/warm/cold site selection.
RPO (Recovery Point Objective)
Maximum tolerable data loss expressed in time—an RPO of 4 hours requires backups no older than 4 hours at any point. Determines backup frequency and replication architecture.
Incident response plan (IRP)
Documented procedures for detecting, containing, eradicating, and recovering from security incidents, including roles, escalation paths, communication templates, and regulatory notification timelines. See IR plan builder.
CSIRT / CIRT
Computer Security Incident Response Team: the internal or outsourced group responsible for coordinating breach response, preserving evidence, and communicating with regulators and insurers.
IR retainer
Pre-negotiated contract with an IR firm guaranteeing response SLAs and priority access when a breach occurs. Annual costs typically range $25,000–$150,000 depending on size and scope. See retainer pricing guide.
Tabletop exercise
Discussion-based simulation where key stakeholders walk through a hypothetical breach scenario to identify gaps in the IR plan without deploying technical resources. NIST recommends at least annually. See tabletop exercise guide.
Breach coach
Privacy attorney—typically engaged through cyber insurance—who provides privileged legal direction during breach response, manages regulatory notification strategy, and coordinates external IR vendors.
PCI PFI (Payment Card Industry Forensic Investigator)
QSA-certified investigator approved by Visa and Mastercard to conduct mandatory forensic investigations after a payment card data breach. Required under card-brand rules; engagement initiated through the acquirer.
OFAC (Office of Foreign Assets Control)
U.S. Treasury agency enforcing economic sanctions. Paying ransomware to a sanctioned entity—such as those on the SDN list—can result in civil penalties up to $1 million per transaction, even if unintentional. See ransomware negotiation guide.