Security Operations & Management Glossary
A practical reference for today's security leaders, this glossary defines the key terms, metrics, and workflows behind effective security operations and post-perimeter phishing defense.
Reduce noise, respond faster, and clearly measure real risk reduction.
Acronym: APT
Definition: Advanced Persistent Threat: sophisticated, prolonged cyberattacks typically by nation-state actors. Characterized by stealth, persistence, targeted objectives.
Phishing Impact: 70-80% of APT campaigns begin with spear phishing. Nation-state APTs (APT28, APT29, Lazarus) use sophisticated phishing: extensive reconnaissance, personalized content, zero-days. Cofense tracks APT phishing campaigns. Organizations with APT-aware defenses detect nation-state phishing 50-70% faster.
Acronym: FPR
Definition: Detection accuracy metric. False Positive Rate: % of alerts incorrectly identified as threats. Alert Fidelity: % of alerts that are true positives. Fidelity = 1 - FPR.
Phishing Impact: Industry avg FPR: 30-45%. Cofense achieves <10% through community-validated intelligence. High FPR wastes analyst time (40% FPR = 40% time on false alarms). Low FPR enables automated response confidence. Also impacts user reporting - users stop reporting if there are too many false alarms.
Definition: Productivity measure of analyst output: incidents handled per analyst or time per incident.
Phishing Impact: Manual triage: 8-12 incidents/analyst/day. Automated (Cofense): 40-60 incidents/day. 50% efficiency gain = 30-40% FTE reduction or 2x capacity. Automation enables focus on sophisticated threats vs. routine triage. Efficiency gains justify automation through labor cost savings.
Definition: Percentage of processes handled automatically without human intervention. Key indicator of operational efficiency and maturity.
Phishing Impact: Industry avg: 20-30% automation. Cofense customers: 80-95%. Each 10% increase reduces SOC labor costs 8-12%. Progression: L1(<20%), L2(20-50%), L3(50-75%), L4(75-90%), L5(>90%). Directly correlates with MTTR improvement and cost reduction.
Acronym: BSC
Definition: Strategic framework measuring performance across: Financial, Customer, Internal Process, Learning & Growth. Developed by Kaplan and Norton.
Phishing Impact: Phishing BSC demonstrates multi-dimensional value: Financial (ROI 275%, cost avoidance $750K), Customer (user satisfaction 85%, training engagement 92%), Process (MTTR -60%, automation 85%), Learning (resilience improvement 40%). Resonates with executives familiar with business operations metrics.
Definition: Comparing performance metrics against industry standards, competitors, or baselines. Provides context for evaluation.
Phishing Impact: Industry benchmarks: 33.1% click rate, 45% report rate, 4-6hrs MTTR, 60% manual triage. Top quartile: <10% click, >70% report, <1hr MTTR, >80% automation. Benchmarking justifies investment by showing gap to top performers. Demonstrates relative performance to executives.
Acronym: Impact scope
Definition: Scope of potential damage from successful attack. Includes affected users, systems, data, business processes.
Phishing Impact: Measures potential damage: recipients exposed, credentials compromised, data accessed. Fast MTTR limits radius: <1hr contains to initial victims, >6hrs allows lateral movement. Cofense automation limits blast radius through rapid quarantine. Executive phishing has higher potential due to privileges.
Acronym: CMMI
Definition: Framework assessing organizational capability across 5 levels: Initial, Managed, Defined, Quantitatively Managed, Optimizing. Developed by Carnegie Mellon SEI.
Phishing Impact: Cofense Phishing Security CMMI matures programs from reactive (L1) to optimized (L5). L1 orgs experience 3-5x more successful attacks than L4-5. Assessment quantifies maturity and justifies automation investments. Demonstrates clear ROI progression through maturity levels.
Acronym: COBIT 2019
Definition: IT governance framework with control objectives across: Align/Plan/Organize, Build/Acquire/Implement, Deliver/Service/Support, Monitor/Evaluate/Assess.
Phishing Impact: APO13 covers security awareness (phishing education). DSS05 addresses incident management (phishing response). COBIT governance shows more mature phishing programs with documented processes and executive oversight. Cofense supports compliance through governance reporting and audit evidence.
Acronym: COSO ERM
Definition: Comprehensive enterprise risk management framework from Committee of Sponsoring Organizations. Structure for risk governance, culture, strategy, performance.
Phishing Impact: Integrates phishing risk into enterprise risk management: governance (board oversight, risk appetite $500K), strategy (prevention, detection, response). Demonstrates phishing as enterprise business risk, not just IT. Enables board-level discussion using recognized framework.
Acronym: C2
Definition: Infrastructure attackers use to control compromised systems. Detection indicates active compromise. Blocking disrupts operations.
Phishing Impact: C2 detection after phishing indicates active control vs. failed attempt. Phishing-delivered malware establishes C2 for remote control, exfiltration, or ransomware. Organizations detecting C2 within hours limit attacker objectives. Network-based detection provides secondary defense layer.
Definition: Measure of how well security controls mitigate intended risks. Rated as effective, partially effective, or ineffective.
Phishing Impact: Metrics: click rate (awareness effectiveness), detection rate (technical effectiveness), MTTR (response effectiveness). Cofense measurement reveals: automated detection 92% effective, manual triage 65% effective, justifying automation investment. Testing required for audits.
Acronym: Data theft
Definition: Unauthorized data transfer to attacker. Final stage of many attacks. Requires monitoring outbound traffic.
Phishing Impact: Represents successful phishing outcome. Credential harvest enables direct data access. Average: 2-20GB sensitive data. Fast MTTR prevents exfiltration: <1hr prevents theft, >6hrs allows significant exfiltration. Triggers regulatory notification and realized breach impact.
Acronym: AI-generated media
Definition: AI-generated synthetic media (video, audio, images) impersonating real people. Emerging BEC threat using fake video/voice calls.
Phishing Impact: Deepfake-enabled BEC emerging: AI voice synthesis impersonates executives requesting wire transfers. Traditional verification (voice/video) no longer sufficient. Organizations experiencing 300%+ increase in attempts 2025-2026. Requires new verification protocols: code words, dual authentication, callbacks.
Acronym: Layered security
Definition: Architecture principle using multiple defensive layers so single control failure doesn't cause total failure. Redundant, overlapping controls.
Phishing Impact: Email gateway (70-80%), User awareness (40-60% click reduction), Cofense (catches remaining 15-25%), Endpoint protection (prevents payload), Network segmentation (limits lateral movement), MFA (prevents credential abuse). Organizations with 4+ layers: 85-95% lower breach rates than single layer.
Definition: Percentage of threats/attack techniques that can be detected. Often mapped to MITRE ATT&CK techniques.
Phishing Impact: Measures ability to detect T1566 variants: Attachment, Link, via Service (Teams/Slack). Organizations without comprehensive detection: 40-60% coverage (email only). Cofense: 85-95% coverage across email, collaboration, cloud. Coverage gaps = blind spots. Mature programs measure and improve quarterly.
Acronym: Tier escalation %
Definition: Percentage of incidents escalated from Tier 1 to Tier 2/3 analysts. Indicates triage effectiveness. High escalation = ineffective triage.
Phishing Impact: Industry avg: 25-40% escalation. Cofense automation reduces to 10-15% by handling routine cases automatically. High rate wastes expensive Tier 2/3 time on routine phishing. Low rate (with quality) = effective automated triage. Enables better resource allocation.
Acronym: FAIR
Definition: Risk quantification framework calculating risk as Loss Event Frequency × Loss Magnitude. Provides probability-based financial estimates.
Phishing Impact: Phishing FAIR model: Loss Event Frequency (15% annual BEC probability), Loss Magnitude ($2.7M avg BEC + $400K breach + $200K recovery) = $850K ALE. Cofense reduces ALE 65-80% through lower frequency. Translates abstract risk into CFO-friendly dollars. Enables rational cost-benefit analysis.
Acronym: ROI/ROSI/TCO/ALE
Definition: Critical financial metrics. ROI: (Gains-Costs)/Costs×100%. ROSI: (Risk Mitigation-Cost)/Cost×100%. TCO: Total cost over lifecycle. ALE: Annual Loss Expectancy.
Phishing Impact: ROI: Cofense customers 200-400% within first year through automation (60-80% labor savings) and prevented attacks. ROSI: Typical ALE $850K reduced to $150K = $700K mitigation value. TCO includes licensing, implementation, operations - still positive ROI. Conservative: 2-3 prevented BEC/year justifies $200K-300K investment.
Acronym: GRC
Definition: Governance, Risk, and Compliance: integrated approach to managing governance frameworks, risk programs, and compliance requirements.
Phishing Impact: Integrates phishing governance (board oversight, policies), phishing risk (quantification, treatment), compliance (ISO 27001, regulatory). Organizations with integrated GRC approach demonstrate 30% better maturity than siloed approaches. Cofense supports through control documentation and audit-ready reporting.
Definition: Analysis identifying differences between current and desired future state. Covers capability, coverage, process, or maturity gaps.
Phishing Impact: Reveals capability deficiencies across detection, triage, remediation, reporting, training. Common gaps: manual triage, reactive response, email-only detection, limited threat intelligence. Organizations conducting annual assessments progress 1.2 CMMI levels faster. Gaps prioritized by risk impact enable focused investment.
Acronym: IOCs
Definition: Indicators of Compromise: artifacts indicating probable compromise (IPs, hashes, domains) or attack behavior. Used for detection and intelligence.
Phishing Impact: Phishing IOCs: malicious domains, URLs, hashes, sender IPs, email headers. Cofense provides real-time IOCs from 35M+ users. Fresh IOCs (minutes-hours old) critical as campaigns evolve rapidly. Organizations consuming Cofense IOCs block 40-60% of campaigns before user clicks.
Acronym: ISO 27001:2022
Definition: International standard for Information Security Management Systems (ISMS). Requirements for establishing, implementing, maintaining, improving security controls.
Phishing Impact: Controls A.6.7 (awareness) and A.5.26 (incident response) address phishing. Recommends quarterly simulations and documented response procedures. Cofense helps meet requirements through automated detection, documented playbooks, audit-ready reporting. Certified orgs report 35% lower susceptibility.
Acronym: ITIL 4
Definition: Framework for IT service management: Incident Management, Problem Management, Change Management, Service Level Management. Version 4 current.
Phishing Impact: ITIL Incident Management provides structured phishing response workflow. Cofense integrates with ITIL-based ticketing (ServiceNow, Remedy). Organizations following ITIL report 40% faster phishing MTTR due to standardized workflows. Service Level Management enables phishing SLAs (<1hr remediation).
Acronym: Business impact assessment
Definition: Evaluation of potential consequences on business operations, finances, reputation, compliance. Informs risk prioritization.
Phishing Impact: Quantifies consequences: BEC = $125K wire fraud + $50K investigation + $30K regulatory + reputation. Credential compromise = $400K breach + notification + monitoring. Prioritizes executive protection (higher risk) over general user education. Cofense ROI modeling incorporates comprehensive impact analysis.
Acronym: MITRE ATT&CK TA0001
Definition: First stage of attack kill chain - gaining foothold. Phishing (T1566) is #1 initial access vector. Prevention here most cost-effective.
Phishing Impact: Phishing represents 90% of successful breaches. Preventing phishing initial access stops entire attack chain. $1 invested in phishing prevention saves $10-15 in breach response/recovery. Stopping at initial access avoids: lateral movement, exfiltration, ransomware, regulatory notification.
Acronym: KPI
Definition: Key Performance Indicator: quantifiable metrics measuring performance against strategic objectives. Divided into operational KPIs (efficiency) and strategic KPIs (outcomes).
Phishing Impact: Essential phishing KPIs: Click rate (industry avg 33%, target <10%), Report rate (target >70%), MTTR (<1hr), MTTD (<15min), False positive rate (<10%), Simulation resilience (>80%), Automated triage (>80%), Quarantine success (>95%). Cofense tracks all in unified dashboard with industry benchmarking.
Acronym: Cyber Kill Chain
Definition: Seven-stage attack lifecycle: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, Actions on Objectives. Framework for defense-in-depth.
Phishing Impact: Phishing kill chain: Reconnaissance (target ID), Weaponization (phishing creation), Delivery (email send), Exploitation (user click), Installation (malware/credential theft), C2 (communication), Actions (fraud/theft). Cofense addresses Delivery, Exploitation, Installation. Multi-layer ensures disruption even if single control fails.
Acronym: Rumsfeld Matrix
Definition: Risk categorization: Known Unknowns (recognized gaps), Unknown Unknowns (unrecognized gaps). Framework for discussing visibility and blind spots.
Phishing Impact: Known Unknowns: recognized gaps like Teams/Slack phishing defense, deepfake BEC, AI-generated content detection. Unknown Unknowns: phishing threats not yet imagined. Framework justifies adaptive defenses vs. just addressing known threats. Cofense community intelligence reduces Unknown Unknowns through crowdsourced discovery.
Acronym: Post-compromise activity
Definition: Attacker movement through network after initial compromise. Uses legitimate credentials/tools to avoid detection.
Phishing Impact: Extends blast radius after phishing. Fast MTTR prevents lateral movement: <1hr contains to initial system, >4hrs allows reconnaissance and lateral spread. Phishing delivers low-value credentials; lateral movement targets high-value systems. Organizations detecting within 1hr prevent 80-90% of potential damage.
Acronym: ATT&CK
Definition: Knowledge base of adversary tactics and techniques based on real-world observations. T1566 covers phishing techniques including attachment, link, via service.
Phishing Impact: T1566 defines phishing as primary Initial Access. Sub-techniques: T1566.001 (Attachment), T1566.002 (Link), T1566.003 (via Service). Cofense coverage maps directly to T1566 variants. Organizations using ATT&CK for phishing achieve 45% better coverage than without structured threat modeling.
Acronym: NIST CSF
Definition: Comprehensive cybersecurity framework with 5 functions (Identify, Protect, Detect, Respond, Recover) and 5 maturity tiers. Version 2.0 released February 2024.
Phishing Impact: PR.AT-1 specifically addresses phishing awareness training. Organizations following NIST CSF report 40% lower phishing click rates. Cofense solutions map to Detect (detection/reporting), Respond (automated remediation), Recover (incident analysis). Required for federal contracts and many compliance regimes.
Definition: Ability to adapt to disruptions and continue operations under stress. Includes fault tolerance, recovery capability, graceful degradation under load.
Phishing Impact: Measures ability to maintain performance during high-volume attacks. Resilient programs maintain <1hr MTTR during 5-10x volume spikes. Cofense automation provides resilience through scalable architecture. Organizations lacking resilience: 1hr → 6+ hrs MTTR under stress. Demonstrates robust vs. fragile defense.
Definition: Extent of insight into security operations, threats, and assets through monitoring, logging, telemetry. Prerequisite for detection and response.
Phishing Impact: Spans email, collaboration platforms, endpoints, cloud services. Email-only visibility misses Teams/Slack phishing, on-premise-only misses cloud phishing. Cofense provides comprehensive visibility across channels. Organizations with comprehensive visibility detect 40-50% more campaigns than email-only.
Acronym: PDCA
Definition: Plan-Do-Check-Act: iterative four-step management method for continuous improvement. Plan (define), Do (implement), Check (measure), Act (adjust).
Phishing Impact: Provides structured approach to phishing improvement. Plan: Define objectives and KPIs. Do: Implement detection, training, response. Check: Measure click rates, MTTR, accuracy. Act: Refine rules, update training, optimize workflows. Quarterly PDCA cycles enable iterative maturity advancement. Organizations using PDCA show consistent 3-5% quarterly click rate improvement.
Acronym: Executive dashboard
Definition: Visual display of key metrics updated in real-time or near-real-time. Includes KPIs, trends, status indicators for at-a-glance monitoring.
Phishing Impact: Visualizes program effectiveness for executives. Key metrics: click rate trend, MTTR trend, report rate, automation rate, incidents prevented, cost savings, benchmark comparison. Cofense provides executive-ready dashboards. Real-time operational dashboards enable SOC monitoring. Essential for board reporting and value demonstration.
Definition: Percentage of incident types with documented, automated response playbooks. Indicates maturity of incident response automation.
Phishing Impact: Measures % of phishing variants with automated playbooks. Mature programs maintain playbooks for: reported phishing, unreported campaigns, executive-targeted, credential harvest, malware delivery, BEC. Organizations with >80% coverage achieve 2-3x faster MTTR than <50% coverage. Prerequisite for autonomous response.
Acronym: Cyber risk quantification
Definition: Process of expressing cybersecurity risk in financial terms (dollars). Uses frameworks like FAIR to calculate probable loss amounts vs. qualitative ratings.
Phishing Impact: Phishing FAIR: Loss Event Frequency (15% BEC probability), Loss Magnitude ($2.7M BEC + $400K breach + $200K recovery) = $850K ALE. Quantification justifies $200K program cost vs. $850K ALE = $650K reduction, ROSI 325%. Organizations using quantification secure 40-60% higher budgets than qualitative assessments.
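The FAIR and ROSI arithmetic from the entries above, carried through in code as an added example (this is not Cofense's model or the glossary's own figures). It implements the page's formulas, ALE = Loss Event Frequency × Loss Magnitude and ROSI = (risk mitigation - cost) / cost × 100%, and adds a small Monte Carlo estimate because FAIR practitioners express frequency and magnitude as calibrated ranges rather than point values; the probabilities, dollar ranges and the assumed 70% frequency reduction are constructed inputs.

```python
"""FAIR-style loss quantification; an added illustration, not Cofense's model.
ALE = Loss Event Frequency x Loss Magnitude; ROSI = (mitigation - cost)/cost x 100%.
Every figure used below is a constructed example value."""
import math
import random


def ale(lef: float, loss_magnitude: float) -> float:
    """Point estimate: events per year times average loss per event, in dollars."""
    return lef * loss_magnitude


def rosi_percent(ale_before: float, ale_after: float, control_cost: float) -> float:
    """Page definition of ROSI: the risk mitigation is the ALE reduction the
    control delivers, netted against what the control costs."""
    mitigation = ale_before - ale_after
    return (mitigation - control_cost) / control_cost * 100.0


def expected_triangular_ale(lef: float, lm_min: float, lm_mode: float, lm_max: float) -> float:
    """Closed-form ALE when loss magnitude is a triangular(min, mode, max) range:
    the mean of a triangular distribution is (min + mode + max) / 3."""
    return lef * (lm_min + lm_mode + lm_max) / 3.0


def simulate_annual_losses(lef: float, lm_min: float, lm_mode: float, lm_max: float,
                           years: int = 20_000, seed: int = 7) -> list:
    """Monte Carlo: for each simulated year draw the number of loss events from a
    Poisson process with rate `lef`, then draw each event's magnitude from the
    triangular range. Returns one total loss per simulated year."""
    rng = random.Random(seed)
    threshold = math.exp(-lef)
    losses = []
    for _ in range(years):
        events, p = 0, 1.0          # Knuth's Poisson sampler
        while True:
            p *= rng.random()
            if p <= threshold:
                break
            events += 1
        # random.triangular takes (low, high, mode)
        losses.append(sum(rng.triangular(lm_min, lm_max, lm_mode) for _ in range(events)))
    return losses


def summarize(losses: list) -> dict:
    """Mean (the simulated ALE) plus the 95th-percentile annual loss, which
    answers 'how bad is a bad year?', a question the single ALE figure hides."""
    ordered = sorted(losses)
    p95 = ordered[int(0.95 * (len(ordered) - 1))]
    return {"ale": sum(losses) / len(losses), "p95_annual_loss": p95}


if __name__ == "__main__":
    # Constructed inputs: 15% yearly chance of a material BEC event, per-event
    # loss between $250K and $3M with $600K most likely.
    LEF, LM_MIN, LM_MODE, LM_MAX = 0.15, 250_000.0, 600_000.0, 3_000_000.0
    point = expected_triangular_ale(LEF, LM_MIN, LM_MODE, LM_MAX)
    sim = summarize(simulate_annual_losses(LEF, LM_MIN, LM_MODE, LM_MAX))
    # Constructed control: a $200K/yr program assumed to cut event frequency by 70%
    after = expected_triangular_ale(LEF * 0.3, LM_MIN, LM_MODE, LM_MAX)
    print(f"ALE closed form: ${point:,.0f}   ALE simulated: ${sim['ale']:,.0f}")
    print(f"95th percentile annual loss: ${sim['p95_annual_loss']:,.0f}")
    print(f"ROSI of control: {rosi_percent(point, after, 200_000):.0f}%")
```

The percentile output is the part worth carrying into a board deck: a low ALE can coexist with a tail year that exceeds the stated risk appetite, and only the distribution shows that.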
Definition: Problem-solving methodology identifying fundamental cause of incidents or failures. Techniques include 5 Whys, fishbone diagrams, fault tree analysis.
Phishing Impact: Identifies why phishing attacks succeeded despite defenses. Common root causes: missing technical controls (SPF/DKIM/DMARC), training gaps, detection rule gaps, delayed response. RCA prevents recurrence: successful BEC due to missing dual authorization → implement transaction verification. Organizations conducting RCA reduce recurrence 60-75%.
Acronym: SPOF
Definition: Component whose failure causes entire system failure. Architecture anti-pattern. Risk management focuses on eliminating SPOFs through redundancy.
Phishing Impact: Email security SPOFs create vulnerability: single email gateway failure exposes organization to unfiltered phishing. Organizations with SPOFs experience 3-5x more successful phishing during outages. Redundant architecture: primary + secondary gateways with failover ensures continuous protection. Cofense integration with multiple gateways eliminates SPOF.
Acronym: DMAIC
Definition: Data-driven process improvement methodology targeting near-perfect quality (3.4 defects per million). Uses DMAIC cycle: Define, Measure, Analyze, Improve, Control.
Phishing Impact: Applied to phishing programs reduces false positives, speeds MTTR, improves detection accuracy. DMAIC: Define (detection quality problem), Measure (FPR 40%, MTTR 6hrs), Analyze (root causes: manual triage, outdated rules), Improve (ML detection, automation), Control (ongoing monitoring). Organizations applying Six Sigma achieve 60-75% reduction in process defects.
Acronym: MTTR/MTTD
Definition: Critical time-based metrics. MTTR (Mean Time to Respond): avg time detection to remediation. MTTD (Mean Time to Detect): avg time compromise to detection. Dwell Time: period attackers remain undetected.
Phishing Impact: Industry avg phishing MTTR: 4-6hrs; mature programs <1hr. MTTD avg 6+hrs without automation; Cofense reduces to <15min. Each hour delayed MTTR increases credential compromise risk 15-20%. Dwell time avg 24
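The operational metrics defined across the FPR, analyst efficiency, automation rate, tier escalation, KPI and MTTR/MTTD entries, computed from one set of incident records as an added example (not Cofense's dashboard code). The incident data, analyst names and field layout are constructed; the targets are the ones the KPI entry states, and MTTD is measured from email delivery time as the practical proxy for time of compromise.

```python
"""Phishing SOC KPIs from constructed incident records; an added illustration,
not Cofense's dashboard logic. MTTD = delivery to detection, MTTR = detection
to remediation, FPR = share of alerts that were not real threats, plus the
automated-triage share, Tier 1 -> Tier 2/3 escalation share and incidents per
analyst. Targets are the page's stated goals; the data is constructed."""
from datetime import datetime
from statistics import mean

# (target, direction): "max" = must stay at or below, "min" = must reach at least.
TARGETS = {
    "mttd_minutes": (15, "max"),
    "mttr_minutes": (60, "max"),
    "fpr_pct": (10, "max"),
    "automated_triage_pct": (80, "min"),
    "escalation_pct": (15, "max"),
}

# Constructed sample: one day of phishing alerts, ISO 8601 timestamps.
INCIDENTS = [
    {"id": "INC-1", "delivered": "2024-05-01T09:00", "detected": "2024-05-01T09:05",
     "remediated": "2024-05-01T09:30", "true_positive": True, "triage": "auto", "analyst": None, "escalated": False},
    {"id": "INC-2", "delivered": "2024-05-01T09:00", "detected": "2024-05-01T09:10",
     "remediated": "2024-05-01T09:50", "true_positive": True, "triage": "auto", "analyst": None, "escalated": False},
    {"id": "INC-3", "delivered": "2024-05-01T10:00", "detected": "2024-05-01T10:20",
     "remediated": "2024-05-01T12:20", "true_positive": True, "triage": "tier1", "analyst": "a.lee", "escalated": True},
    {"id": "INC-4", "delivered": "2024-05-01T10:00", "detected": "2024-05-01T10:05",
     "remediated": "2024-05-01T10:25", "true_positive": True, "triage": "auto", "analyst": None, "escalated": False},
    {"id": "INC-5", "delivered": "2024-05-01T11:00", "detected": "2024-05-01T11:00",
     "remediated": "2024-05-01T11:10", "true_positive": False, "triage": "auto", "analyst": None, "escalated": False},
    {"id": "INC-6", "delivered": "2024-05-01T11:30", "detected": "2024-05-01T11:45",
     "remediated": "2024-05-01T13:45", "true_positive": True, "triage": "tier1", "analyst": "b.ortiz", "escalated": False},
    {"id": "INC-7", "delivered": "2024-05-01T12:00", "detected": "2024-05-01T12:03",
     "remediated": "2024-05-01T12:23", "true_positive": True, "triage": "auto", "analyst": None, "escalated": False},
    {"id": "INC-8", "delivered": "2024-05-01T13:00", "detected": "2024-05-01T13:00",
     "remediated": "2024-05-01T13:15", "true_positive": False, "triage": "tier1", "analyst": "a.lee", "escalated": False},
]


def _minutes(start: str, end: str) -> float:
    return (datetime.fromisoformat(end) - datetime.fromisoformat(start)).total_seconds() / 60


def compute_metrics(incidents: list) -> dict:
    """Time metrics use true positives only: a false alarm has no compromise to
    detect, so counting it would flatter MTTD. Rate metrics use every alert."""
    true_pos = [i for i in incidents if i["true_positive"]]
    human = [i for i in incidents if i["triage"] != "auto"]
    analysts = {i["analyst"] for i in human}
    total = len(incidents)
    return {
        "mttd_minutes": mean(_minutes(i["delivered"], i["detected"]) for i in true_pos),
        "mttr_minutes": mean(_minutes(i["detected"], i["remediated"]) for i in true_pos),
        "fpr_pct": 100 * sum(not i["true_positive"] for i in incidents) / total,
        "automated_triage_pct": 100 * sum(i["triage"] == "auto" for i in incidents) / total,
        "escalation_pct": 100 * sum(i["escalated"] for i in incidents) / total,
        "incidents_per_analyst": len(human) / len(analysts) if analysts else 0.0,
    }


def kpi_gaps(metrics: dict, targets: dict = TARGETS) -> list:
    """Names of metrics missing their target: the agenda for the weekly review."""
    gaps = []
    for name, (target, direction) in targets.items():
        value = metrics[name]
        if (direction == "max" and value > target) or (direction == "min" and value < target):
            gaps.append(name)
    return gaps


if __name__ == "__main__":
    m = compute_metrics(INCIDENTS)
    for k, v in m.items():
        print(f"{k:>22}: {v:.1f}")
    print("below target:", kpi_gaps(m))
```

On this constructed day the time metrics meet target while FPR and automated triage do not, which is the pattern the glossary describes: two of eight alerts were false alarms, and the analysts' time went to those and to one escalation.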
Acronym: TTPs
Definition: Tactics, Techniques, and Procedures: adversary behavior patterns mapped in MITRE ATT&CK. Tactics (why), Techniques (how), Procedures (specific implementation). More valuable than IOCs for detection.
Phishing Impact: Phishing TTPs (T1566) include tactics across attack lifecycle: Initial Access (spearphishing), Credential Access (credential harvesting), Collection (data theft). TTP-based detection more resilient than IOC-based as attackers change infrastructure (IOCs) more easily than tactics. Cofense detects phishing TTPs: urgency language patterns, executive impersonation behaviors, credential harvest page patterns. Organizations using TTP-based phishing detection achieve 30-40% better evasion resistance than IOC-only.
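A behaviour-based scorer for the TTPs this entry names (urgency language, executive impersonation, credential-harvest lures), added as an example and not Cofense's detection engine. The rules key on how a message behaves rather than on any indicator, so they keep firing after the sender swaps domains or URLs; the executive directory, internal domain, rule weights, threshold and sample messages are all constructed assumptions.

```python
"""Behaviour (TTP) based phishing scoring; an added illustration, not Cofense's
detection logic. Directory, domains, weights and messages are constructed."""
import re
from urllib.parse import urlparse

INTERNAL_DOMAINS = {"example-corp.com"}                        # constructed
EXECUTIVES = {"dana reyes": "dana.reyes@example-corp.com"}    # constructed directory
URGENCY = re.compile(
    r"\b(urgent|immediately|right away|within (?:the )?(?:hour|24 hours)|wire transfer|gift cards?)\b", re.I)
CRED_LURE = re.compile(
    r"\b(verify your (?:account|password)|password (?:will )?expires?|sign in to (?:continue|restore))\b", re.I)
WEIGHTS = {"executive_impersonation": 4, "credential_harvest_lure": 4,
           "reply_to_mismatch": 2, "urgency_language": 2}
THRESHOLD = 5   # constructed: a strong behaviour plus a supporting one, or two strong ones


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def _is_internal(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)


def score_email(msg: dict) -> dict:
    """Return triggered rules, a weighted score and a verdict for one message."""
    hits = []
    display = msg.get("from_display", "").strip().lower()
    from_addr = msg["from_addr"].lower()
    # Executive impersonation: a known executive's name, but not their mailbox
    if display in EXECUTIVES and from_addr != EXECUTIVES[display]:
        hits.append("executive_impersonation")
    # Reply-To steering replies to a different domain than the visible sender
    reply_to = msg.get("reply_to")
    if reply_to and _domain(reply_to) != _domain(from_addr):
        hits.append("reply_to_mismatch")
    text = f"{msg.get('subject', '')} {msg.get('body', '')}"
    if URGENCY.search(text):
        hits.append("urgency_language")
    # Credential-harvest lure: account/password pretext combined with an external link
    external = [u for u in msg.get("urls", []) if not _is_internal(urlparse(u).hostname or "")]
    if CRED_LURE.search(text) and external:
        hits.append("credential_harvest_lure")
    score = sum(WEIGHTS[h] for h in hits)
    return {"hits": hits, "score": score, "verdict": "suspicious" if score >= THRESHOLD else "ok"}


# Constructed sample messages: a BEC attempt, a credential lure, and a real internal note
MESSAGES = [
    {"from_display": "Dana Reyes", "from_addr": "dana.reyes@mail-relay.example",
     "reply_to": "dreyes.office@personal-mail.example", "subject": "Urgent wire transfer before close",
     "body": "I need a wire transfer handled immediately. Are you at your desk?", "urls": []},
    {"from_display": "IT Helpdesk", "from_addr": "helpdesk@it-portal-notice.example",
     "subject": "Action required: your password will expire today",
     "body": "Sign in to continue and verify your account within 24 hours.",
     "urls": ["https://it-portal-notice.example/login"]},
    {"from_display": "Dana Reyes", "from_addr": "dana.reyes@example-corp.com",
     "subject": "Board deck", "body": "Please send the final numbers immediately after the call.",
     "urls": ["https://intranet.example-corp.com/deck"]},
]

if __name__ == "__main__":
    for m in MESSAGES:
        r = score_email(m)
        print(f"{r['verdict']:>10}  score={r['score']}  {r['hits']}")
```

The third message shows why urgency alone carries a low weight: executives really do write "immediately", and a rule that flags the word by itself is the kind of false positive the FPR entry warns drives users away from reporting.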
Acronym: Adversary
Definition: Individual or group conducting cyberattacks. Categories: Nation-state, cybercriminal, hacktivist, insider. Understanding actor informs defensive strategy.
Phishing Impact: Phishing threat actors span all categories: Nation-state APTs (highly targeted spear phishing), Cybercriminals (BEC, ransomware initial access), Hacktivists (politically-motivated), Insiders (social engineering). Actor attribution informs defense: nation-state requires advanced defenses, commodity cybercriminal addressed by automation. Cofense tracks threat actor phishing campaigns and TTPs.
Acronym: Actor identification
Definition: Process of identifying threat actor responsible for attack. Ranges from infrastructure attribution (easy) to actor/nation attribution (difficult). Informs response strategy.
Phishing Impact: Identifies threat actors behind campaigns: nation-state APTs, cybercriminal gangs, IABs. Attribution difficulty varies: infrastructure (easy - shared hosting), TTPs (medium - known patterns), nation (difficult - sophisticated false flags).
Acronym: Intelligence feeds
Definition: Continuous streams of threat intelligence (IOCs, TTPs, threat actors) from commercial, open-source, or community sources. Consumed by TIPs and SIEMs for automated detection.
Phishing Impact: Provide real-time campaign IOCs. Cofense operates largest community-sourced phishing threat feed (35M+ users). Feed freshness critical: phishing campaigns evolve hourly, yesterday's IOCs less effective. Organizations consuming real-time feeds block 40-60% of campaigns before user clicks. Feed quality varies: curated feeds (Cofense) and commodity feeds differ in false positive rates.
Definition: Proactive search for threats that evaded automated detection. Hypothesis-driven investigation using threat intelligence, behavioral analysis, anomaly detection.
Phishing Impact: Proactively searches for campaigns that evaded detection. Hunting hypotheses: unusual email volumes from specific domains, anomalous authentication patterns post-campaign, suspicious email forwarding rules. Organizations conducting phishing threat hunting discover 15-25% more campaigns than relying solely on automated detection. Cofense threat intelligence supports hunting with IOC feeds and campaign indicators.
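One of the hunting hypotheses listed above ("suspicious email forwarding rules"), written as a query over audit records, as an added example that is not Cofense tooling. The record layout (CreationTime, Operation, UserId, ClientIP and a Parameters list of name/value pairs) is a constructed simplification loosely modelled on mailbox audit logs; the events, addresses and internal domain are constructed, and field names should be adapted to the log source actually in use.

```python
"""Hunt: new inbox rules or mailbox settings that forward mail outside the
organisation, the post-compromise behaviour the page's hypothesis describes.
An added illustration; the audit records and their layout are constructed."""
import json

INTERNAL_DOMAINS = {"example-corp.com"}   # constructed
# Parameter names that carry a forwarding destination (tuple for deterministic order)
FORWARD_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo", "ForwardingSmtpAddress")

# Constructed JSON-lines audit export, one event per line
AUDIT_LOG = """\
{"CreationTime": "2024-05-01T10:12:00", "Operation": "New-InboxRule", "UserId": "j.doe@example-corp.com", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "Name", "Value": "."}, {"Name": "ForwardTo", "Value": "archive.jdoe@webmail.example"}, {"Name": "DeleteMessage", "Value": "True"}]}
{"CreationTime": "2024-05-01T10:40:00", "Operation": "New-InboxRule", "UserId": "m.chen@example-corp.com", "ClientIP": "198.51.100.7", "Parameters": [{"Name": "Name", "Value": "Team updates"}, {"Name": "MoveToFolder", "Value": "Projects"}, {"Name": "From", "Value": "updates@example-corp.com"}]}
{"CreationTime": "2024-05-01T11:05:00", "Operation": "Set-Mailbox", "UserId": "a.lee@example-corp.com", "ClientIP": "203.0.113.10", "Parameters": [{"Name": "ForwardingSmtpAddress", "Value": "smtp:a.lee.backup@webmail.example"}, {"Name": "DeliverToMailboxAndForward", "Value": "True"}]}
{"CreationTime": "2024-05-01T11:30:00", "Operation": "New-InboxRule", "UserId": "r.patel@example-corp.com", "ClientIP": "192.0.2.44", "Parameters": [{"Name": "Name", "Value": "Finance"}, {"Name": "RedirectTo", "Value": "finance@example-corp.com"}]}
"""


def _external(address: str) -> bool:
    """True when the forwarding destination's domain is not one of ours."""
    addr = address.lower()
    if addr.startswith("smtp:"):
        addr = addr[5:]
    domain = addr.rsplit("@", 1)[-1]
    return not any(domain == d or domain.endswith("." + d) for d in INTERNAL_DOMAINS)


def hunt_forwarding_rules(log_text: str) -> list:
    """Flag events that forward mail externally; note the tells that usually
    accompany abuse (deleting the original, a one-character rule name)."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        params = {p["Name"]: p["Value"] for p in event.get("Parameters", [])}
        targets = [params[k] for k in FORWARD_PARAMS if k in params and _external(params[k])]
        if not targets:
            continue
        reasons = ["external_forwarding"]
        if str(params.get("DeleteMessage", "")).lower() == "true":
            reasons.append("deletes_original")
        name = params.get("Name")
        if name is not None and not name.strip(" .,-_"):
            reasons.append("terse_rule_name")
        findings.append({"time": event["CreationTime"], "user": event["UserId"],
                         "operation": event["Operation"], "client_ip": event.get("ClientIP"),
                         "targets": targets, "reasons": reasons})
    return findings


def shared_client_ips(findings: list) -> set:
    """Source IPs that changed forwarding for more than one mailbox: one
    operator working through several accounts compromised by the same campaign."""
    users_by_ip = {}
    for f in findings:
        users_by_ip.setdefault(f["client_ip"], set()).add(f["user"])
    return {ip for ip, users in users_by_ip.items() if len(users) > 1}


if __name__ == "__main__":
    hits = hunt_forwarding_rules(AUDIT_LOG)
    for h in hits:
        print(h["time"], h["user"], h["operation"], h["targets"], h["reasons"])
    print("shared source IPs:", shared_client_ips(hits))
```

Run on the constructed log, the query skips the two legitimate rules (a folder move and an internal redirect) and surfaces the two external forwards; the shared source address across both users is the pivot a hunter would take next into authentication logs.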
Acronym: Intelligence operations process
Definition: Six-stage intelligence process: Direction (requirements), Collection, Processing, Analysis, Dissemination, Feedback. Framework for intelligence operations.
Phishing Impact: Phishing lifecycle: Direction (define phishing intelligence requirements), Collection (gather phishing reports, IOCs), Processing (normalize, deduplicate), Analysis (identify campaigns, TTPs), Dissemination (distribute IOCs to defenses), Feedback (measure effectiveness). Cofense automates Collection and Processing, enabling analyst focus on Analysis. Organizations following lifecycle achieve 40-60% better phishing intelligence maturity.
Acronym: TIP
Definition: Technology platform for aggregating, normalizing, analyzing, and sharing threat intelligence from multiple sources. Automates intelligence operations and enrichment.
Phishing Impact: TIP aggregates phishing threat intelligence from Cofense and other sources, enriches IOCs with context, automates detection rule updates. Organizations with TIP-integrated phishing defenses detect 35-50% more campaigns through enriched intelligence. Cofense integrates with major TIPs (ThreatConnect, Anomali, ThreatQuotient) for automated phishing intelligence distribution. TIP automates phishing IOC distribution to email gateways, SIEMs, firewalls.
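The feed-handling steps named across the IOC, intelligence feed, intelligence process (Processing: normalize, deduplicate) and TIP entries, in one added example that is not Cofense's feed format or any TIP's code. It refangs and normalizes entries, deduplicates them keeping the earliest sighting, ages out stale indicators, and matches the result against a message; the feed entries, the message, the clock and the 24-hour freshness window are constructed.

```python
"""IOC feed normalization, deduplication, age-out and matching; an added
illustration, not Cofense's feed or a TIP's code. Feed values arrive defanged
(hxxp, [.]) and in mixed case; matching only works once both sides are
normalized the same way. All entries, the email and the clock are constructed."""
import hashlib
from datetime import datetime, timedelta
from urllib.parse import urlparse

NOW = datetime.fromisoformat("2024-05-01T12:00:00")   # constructed clock
MAX_AGE = timedelta(hours=24)                          # freshness window, constructed
FRESH_HASH = hashlib.sha256(b"constructed sample attachment").hexdigest()
STALE_HASH = hashlib.sha256(b"constructed old sample").hexdigest()

FEED = [  # constructed: (type, value as received, first_seen)
    ("domain", "Login-Portal-Notice[.]example", "2024-05-01T10:30:00"),
    ("domain", "login-portal-notice.example.", "2024-05-01T09:45:00"),   # duplicate, trailing dot
    ("url", "hxxps://login-portal-notice[.]example/verify", "2024-05-01T10:31:00"),
    ("ip", "203.0.113.10", "2024-05-01T11:00:00"),
    ("sha256", STALE_HASH, "2024-04-28T08:00:00"),                       # older than MAX_AGE
    ("sha256", FRESH_HASH.upper(), "2024-05-01T11:30:00"),
]

EMAIL = {  # constructed message as seen by the gateway
    "sender_ip": "203.0.113.10",
    "urls": ["https://Login-Portal-Notice.example/verify?u=1", "https://intranet.example-corp.com/"],
    "attachment_sha256": [FRESH_HASH],
}


def refang(value: str) -> str:
    v = value.strip()
    for defanged, clean in (("hxxps://", "https://"), ("hxxp://", "http://"), ("[.]", "."), ("(.)", ".")):
        v = v.replace(defanged, clean)
    return v


def norm_url(url: str) -> str:
    """scheme://host/path, dropping query and fragment so tracking parameters
    do not defeat the match; paths are case-folded as a deliberate trade-off."""
    p = urlparse(url)
    return f"{p.scheme.lower()}://{(p.hostname or '').rstrip('.')}{(p.path or '/').lower()}"


def normalize(ioc_type: str, value: str) -> str:
    v = refang(value)
    if ioc_type == "domain":
        return v.lower().rstrip(".")
    if ioc_type == "url":
        return norm_url(v)
    if ioc_type in {"md5", "sha1", "sha256"}:
        return v.lower()
    return v  # ip


def build_blocklist(feed: list, now: datetime = NOW, max_age: timedelta = MAX_AGE) -> dict:
    """(type, normalized value) -> earliest first_seen, dropping stale entries."""
    blocklist = {}
    for ioc_type, raw, first_seen in feed:
        seen = datetime.fromisoformat(first_seen)
        if now - seen > max_age:
            continue
        key = (ioc_type, normalize(ioc_type, raw))
        blocklist[key] = min(blocklist.get(key, seen), seen)
    return blocklist


def match_email(email: dict, blocklist: dict) -> list:
    """Every (type, value) from the message that appears in the blocklist."""
    hits = []
    if ("ip", email["sender_ip"]) in blocklist:
        hits.append(("ip", email["sender_ip"]))
    for url in email["urls"]:
        host = (urlparse(url).hostname or "").rstrip(".")
        if ("domain", host) in blocklist:
            hits.append(("domain", host))
        if ("url", norm_url(url)) in blocklist:
            hits.append(("url", norm_url(url)))
    for digest in email["attachment_sha256"]:
        if ("sha256", digest.lower()) in blocklist:
            hits.append(("sha256", digest.lower()))
    return hits


if __name__ == "__main__":
    bl = build_blocklist(FEED)
    print(f"{len(bl)} fresh, unique IOCs loaded")
    for hit in match_email(EMAIL, bl):
        print("match:", hit)
```

Keeping the earliest first_seen per indicator matters for the freshness rule: a duplicate re-published later must not make a stale indicator look new.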
Definition: Three tiers with different timeframes and uses. Tactical: short-term immediate threats (IOCs). Operational: medium-term TTPs and campaigns. Strategic: long-term trends and geopolitical factors.
Phishing Impact: Tactical: IOCs (domains, URLs, hashes) for immediate blocking. Operational: campaign TTPs, threat actor techniques, detection engineering. Strategic: AI phishing trends, geopolitical targeting, long-term defensive investments. Cofense provides all three tiers: tactical IOCs (hourly), operational TTPs (daily), strategic trends (quarterly). Organizations using all three achieve 50-70% better phishing defense than tactical-only. Different consumers: SOC (tactical), threat hunters (operational), CISOs (strategic).
Definition: Comprehensive view of current and emerging threats, including threat actors, attack vectors, vulnerabilities, and trends relevant to an organization or industry.
Phishing Impact: Phishing threat landscape evolving rapidly: 82.6% AI-generated attacks in 2026 (vs. 15% in 2024), deepfake-enabled BEC emerging, phishing-as-a-service commoditization. Understanding landscape informs defensive priorities and budgets. Organizations tracking phishing landscape allocate resources to emerging threats (AI phishing, deepfakes) vs. legacy controls. Cofense threat intelligence provides real-time phishing landscape awareness.