The AI SOC glossary

A quick, simplified reference to the essential AI SOC vocabulary.

Core AI SOC platform concepts

  • Agentic AI: AI designed to act autonomously, reasoning across multiple models to detect, triage, and respond to threats while continuously improving.
  • AI SOC: A modern SOC approach where AI augments or automates every stage of the SOC lifecycle: detection, triage, investigation, response, and risk.
  • Session: A logical grouping of related events that share the same authorization context, such as a key or token, to represent activity from a single identity.
  • Identity: An entity (human, service, or application) that performs an action in a system or log event.
  • Resource: Any object within a system or environment, such as applications, devices, workloads, repositories, or instances.
  • Account: A container in which identities, resources, or configurations are created and managed.
  • Detection: A signal or alert generated by monitoring tools or analytics indicating potential suspicious or anomalous activity.
  • Data source: The origin of log, telemetry, or configuration data used for monitoring, detection, or analysis.
  • Workflow: A structured series of steps, often automated, to analyze, triage, or respond to alerts and findings.
  • Principal: The primary identity or resource associated with a given finding or action.
  • Action: An operation or activity performed by or on an identity or resource.
  • Actor: An external or internal entity performing or attempting actions within an environment.
  • Resolution: The determined outcome of a triage or investigation (e.g., true positive, false positive).
  • Recommendation: Guidance for handling or remediating a finding or misconfiguration.
  • Classification: The process of categorizing a finding, threat, or resource type for prioritization or analysis.
  • Publicly accessible: Indicates whether a resource can be reached from external networks (e.g., the public internet) without authentication or other access restriction.

AI & analytics

  • Multi-model AI: Using different types of AI models (e.g., semantic, behavioral, knowledge-based) in combination for richer detection, triage, investigation, and response.
  • Semantic model: An AI model that interprets logs, alerts, and text for intent and meaning.
  • Behavioral model: An AI model that detects anomalies by analyzing user, system, or workload activity patterns.
  • Knowledge model: A generative AI model that enriches detections using context from historical data, frameworks, and external intelligence.
  • Risk rules: A set of rules that check configurations and logs to identify posture-based risks such as misconfigurations, repository abuse, and exposed secrets.
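
The following is an added, self-contained example of what a risk rule and a "publicly accessible" check look like in practice; it is illustrative code written for this glossary, not Exaforce's own rule engine. The resource inventory, the simplified bucket-policy schema, the rule names and the recommendation text are all assumptions constructed for the example; the AKIA access-key-ID pattern is the documented AWS format.

```python
import re
from dataclasses import dataclass

# Constructed inventory for this example: a simplified resource schema (not any
# vendor's data model). Two S3-style bucket policies and one function with a
# long-lived credential sitting in an environment variable.
RESOURCES = [
    {"id": "bucket-logs", "type": "s3_bucket", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": "*", "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucket-logs/*"}]}},
    {"id": "bucket-vpc-only", "type": "s3_bucket", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "*"}, "Action": "s3:GetObject",
         "Resource": "arn:aws:s3:::bucket-vpc-only/*",
         # a Condition scopes the wildcard principal, so this bucket is not public
         "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-0a1b2c3d"}}}]}},
    {"id": "bucket-private", "type": "s3_bucket", "policy": {"Statement": [
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:role/app"},
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::bucket-private/*"}]}},
    {"id": "fn-ingest", "type": "function", "env": {
        "LOG_LEVEL": "info",
        # AWS's documented placeholder access key ID, used here as constructed sample data
        "AWS_ACCESS_KEY_ID": "AKIAIOSFODNN7EXAMPLE"}},
]


@dataclass(frozen=True)
class RiskFinding:
    resource_id: str
    rule: str
    detail: str
    recommendation: str


def _principals(stmt):
    """Flatten the Principal element ("*", {"AWS": "*"}, {"AWS": [...]}) into a list."""
    p = stmt.get("Principal")
    if isinstance(p, str):
        return [p]
    if isinstance(p, dict):
        out = []
        for v in p.values():
            out.extend(v if isinstance(v, list) else [v])
        return out
    return []


def is_publicly_accessible(policy):
    """Public if an Allow statement grants to the wildcard principal with no Condition.
    Simplified rule: any Condition is treated as a restriction without evaluating it."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") == "Allow" and "*" in _principals(stmt) and not stmt.get("Condition"):
            return True
    return False


# Secret patterns the rule looks for; AKIA + 16 uppercase alphanumerics is the AWS access key ID format.
SECRET_PATTERNS = {"aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b")}


def find_secrets(mapping):
    """Return (key, secret_kind) for every string value that matches a secret pattern."""
    hits = []
    for key, value in mapping.items():
        if not isinstance(value, str):
            continue
        for kind, pattern in SECRET_PATTERNS.items():
            if pattern.search(value):
                hits.append((key, kind))
    return hits


def run_risk_rules(resources):
    """Evaluate every resource against the risk rules and emit risk findings with recommendations."""
    findings = []
    for r in resources:
        if r["type"] == "s3_bucket" and is_publicly_accessible(r.get("policy", {})):
            findings.append(RiskFinding(
                r["id"], "public-bucket",
                "Allow statement grants access to principal '*' without a Condition",
                "Remove the wildcard principal or scope it with a Condition; enable Block Public Access"))
        for key, kind in find_secrets(r.get("env", {})):
            findings.append(RiskFinding(
                r["id"], "embedded-secret", f"{kind} found in environment variable {key}",
                "Rotate the credential and replace it with a role-based identity or a secrets manager"))
    return findings


if __name__ == "__main__":
    for f in run_risk_rules(RESOURCES):
        print(f"{f.resource_id}: [{f.rule}] {f.detail} -> {f.recommendation}")
```

Run as-is it reports two risk findings (the public bucket and the embedded key) and correctly skips the bucket whose wildcard principal is scoped by a Condition. The point of the Condition check is the common false positive: a posture rule that flags every `"Principal": "*"` will page on VPC-endpoint-restricted buckets that are not reachable from the internet.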

Identity concepts

  • Enterprise identity: A canonical representation of a human’s multiple accounts across applications and systems, used to simplify investigation and analysis.
  • Origin identity: The initial human or machine entity that initiated an action, even if actions are performed through assumed roles or proxies.
  • Ancestor/descendant: Terms describing chained role assumptions or delegations, where one role (ancestor) assumes another (descendant).
  • Auth chain: The sequence of role assumptions or delegations that leads from an origin identity to the effective identity performing an action.
  • Human/machine: A classification of identities based on whether they represent people or automated processes.
  • Admin: An identity with broad or privileged administrative access to resources or systems.
  • Third party: An external identity or entity that interacts with an environment from outside the organization.
  • Highly privileged: An identity capable of escalating to administrator rights or broad system control.
  • Over-privileged: An identity granted more permissions than necessary for its intended use. Typically determined by comparing granted permissions against those actually exercised over a lookback window (e.g., 90 days); permissions unused for the whole window are candidates for removal.
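
The following is an added example of how the origin identity, auth chain and ancestor/descendant terms above are reconstructed from role-assumption events; it is illustrative code written for this glossary, not Exaforce's implementation. The event records, their field names (actor, target, session) and the "user/" naming convention for human identities are constructed assumptions, not a real audit-log schema.

```python
# Constructed, simplified audit events for this example (not a real CloudTrail schema):
# each AssumeRole event records the actor that called it, the role it targeted and the
# session the call produced; later events act as that session.
EVENTS = [
    {"id": 1, "action": "AssumeRole", "actor": "user/alice", "target": "role/deploy",
     "session": "deploy/alice-1"},
    {"id": 2, "action": "AssumeRole", "actor": "deploy/alice-1", "target": "role/prod-admin",
     "session": "prod-admin/alice-2"},
    {"id": 3, "action": "DeleteBucket", "actor": "prod-admin/alice-2", "target": "bucket-logs"},
    {"id": 4, "action": "AssumeRole", "actor": "role/ci-runner", "target": "role/deploy",
     "session": "deploy/ci-7"},
    {"id": 5, "action": "PutObject", "actor": "deploy/ci-7", "target": "bucket-artifacts"},
]


def session_index(events):
    """Map each session identifier to the AssumeRole event that created it."""
    return {e["session"]: e for e in events if e["action"] == "AssumeRole"}


def auth_chain(events, event_id):
    """Walk back from the acting session to the origin identity.

    Returns [origin, ancestor role, ..., effective role]. The walk ends at the first
    actor that is not itself a session produced by an AssumeRole event."""
    by_id = {e["id"]: e for e in events}
    sessions = session_index(events)
    actor = by_id[event_id]["actor"]
    roles = []          # effective role first, then its ancestors
    seen = set()
    while actor in sessions:
        if actor in seen:  # malformed log: a session that created itself
            raise ValueError(f"cycle in auth chain at {actor}")
        seen.add(actor)
        created_by = sessions[actor]
        roles.append(created_by["target"])
        actor = created_by["actor"]
    return [actor] + roles[::-1]


def origin_identity(events, event_id):
    """The human or machine entity at the start of the chain, regardless of roles assumed since."""
    return auth_chain(events, event_id)[0]


def is_human(identity):
    """Constructed convention for this example: 'user/' identities are people, the rest are workloads."""
    return identity.startswith("user/")


def ancestors(chain, role):
    """Identities earlier in the chain than `role`, i.e. those that assumed their way to it."""
    return chain[:chain.index(role)]


def describe(events, event_id):
    """Summarise an action the way an investigation view would: effective vs origin identity."""
    ev = {e["id"]: e for e in events}[event_id]
    chain = auth_chain(events, event_id)
    return {
        "action": ev["action"],
        "effective": chain[-1],
        "origin": chain[0],
        "origin_type": "human" if is_human(chain[0]) else "machine",
        "chain": " -> ".join(chain),
    }


if __name__ == "__main__":
    for eid in (3, 5):
        print(describe(EVENTS, eid))
```

For event 3 the effective identity is role/prod-admin but the origin identity is user/alice, reached through role/deploy; an alert on the DeleteBucket call should be attributed to alice, not to the role. Event 5 resolves to a machine origin (role/ci-runner), which is the distinction the human/machine classification above exists to make. The cycle guard matters because a session that appears to have created itself is either corrupted telemetry or tampering, and a naive loop would never terminate.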

Security & findings

  • Threat finding: A finding suggesting malicious or harmful activity has occurred or is ongoing.
  • Risk finding: A finding highlighting a misconfiguration or condition that increases the likelihood of compromise.
  • Remediation: Actions taken to mitigate or resolve a threat or risk finding. Can be either manual or automated.

Security operations concepts

  • SOC (Security Operations Center): The people, processes, and technology responsible for monitoring and defending against cyber threats.
  • MDR (Managed Detection & Response): Outsourced SOC services that deliver continuous detection, investigation, and response.
  • MTTD (Mean Time to Detect): Average time taken to identify a threat. MTTD is calculated by taking the sum of the time differences between when each threat actually began and when it was first detected, then dividing by the total number of threats.
  • MTTI (Mean Time to Investigate): Average time taken to analyze and confirm a threat after detection. MTTI is calculated by summing the time differences between when each threat was detected and when the investigation was completed, then dividing by the total number of investigated threats.
  • MTTR (Mean Time to Respond/Recover): Average time to contain, remediate, and recover from a threat. MTTR is calculated by summing the time differences between when each threat was confirmed and when response or recovery was completed, then dividing by the total number of threats.
  • False positive rate: The proportion of analyzed alerts that were resolved as false positives (false positives divided by total alerts analyzed). Lowering it improves analyst focus. Note that this is an alert-level measure; it differs from the statistical false positive rate (false positives over all benign events), which would require counting benign activity that never produced an alert.
  • Alert fatigue: Analyst burnout caused by high alert volumes and noise (such as false positives).
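
The following is an added example that computes MTTD, MTTI, MTTR and the false positive rate exactly as the definitions above describe them; it is illustrative code written for this glossary, not Exaforce's metrics pipeline. The incident and alert records, their timestamp field names and the resolution labels are constructed for the example.

```python
from datetime import datetime
from statistics import mean

# Constructed incident timeline for this example. Timestamps are ISO 8601 strings;
# INC-3 is still under investigation, so its later milestones are None.
INCIDENTS = [
    {"id": "INC-1", "began": "2024-05-01T08:00", "detected": "2024-05-01T08:30",
     "confirmed": "2024-05-01T09:00", "resolved": "2024-05-01T11:00"},
    {"id": "INC-2", "began": "2024-05-02T01:00", "detected": "2024-05-02T03:00",
     "confirmed": "2024-05-02T03:30", "resolved": "2024-05-02T05:30"},
    {"id": "INC-3", "began": "2024-05-03T12:00", "detected": "2024-05-03T12:10",
     "confirmed": None, "resolved": None},
]

# Constructed alert resolutions for the false positive rate. "benign_true_positive"
# is a real activity that was correctly detected but not malicious; it is not a false positive.
ALERTS = [
    {"id": "A-1", "resolution": "true_positive"},
    {"id": "A-2", "resolution": "false_positive"},
    {"id": "A-3", "resolution": "false_positive"},
    {"id": "A-4", "resolution": "true_positive"},
    {"id": "A-5", "resolution": "benign_true_positive"},
    {"id": "A-6", "resolution": None},  # not yet triaged: excluded from the denominator
]


def _t(s):
    return datetime.fromisoformat(s)


def mean_minutes(records, start_key, end_key):
    """Average (end - start) in minutes over records that have both timestamps.

    Records missing the end milestone (open investigations or responses) are excluded
    rather than silently contributing zero; returns None if nothing qualifies."""
    deltas = [
        (_t(r[end_key]) - _t(r[start_key])).total_seconds() / 60
        for r in records
        if r.get(start_key) and r.get(end_key)
    ]
    return mean(deltas) if deltas else None


def mttd(incidents):
    """Mean Time to Detect: threat began -> first detected."""
    return mean_minutes(incidents, "began", "detected")


def mtti(incidents):
    """Mean Time to Investigate: detected -> investigation completed (threat confirmed)."""
    return mean_minutes(incidents, "detected", "confirmed")


def mttr(incidents):
    """Mean Time to Respond/Recover: confirmed -> response or recovery completed."""
    return mean_minutes(incidents, "confirmed", "resolved")


def false_positive_rate(alerts):
    """False positives divided by alerts that have actually been analyzed."""
    analyzed = [a for a in alerts if a.get("resolution")]
    if not analyzed:
        return None
    fps = sum(1 for a in analyzed if a["resolution"] == "false_positive")
    return fps / len(analyzed)


def soc_metrics(incidents, alerts):
    """Bundle the KPIs the way a SOC dashboard would report them."""
    return {
        "mttd_minutes": mttd(incidents),
        "mtti_minutes": mtti(incidents),
        "mttr_minutes": mttr(incidents),
        "false_positive_rate": false_positive_rate(alerts),
    }


if __name__ == "__main__":
    for name, value in soc_metrics(INCIDENTS, ALERTS).items():
        print(f"{name}: {value:.2f}" if value is not None else f"{name}: n/a")
```

On the constructed data MTTD averages over all three incidents (30, 120 and 10 minutes), while MTTI and MTTR average only over the two incidents that have reached those milestones. Exposing the open incident as a denominator decision, rather than letting it count as zero, is what keeps a dashboard from reporting a flattering MTTR while a response is still in progress.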

Data & visibility

  • Log ingestion: Collecting data from systems, applications, and networks for monitoring and analysis.
  • Detection coverage: The extent to which threats, environments, and attack techniques are monitored.
  • Data enrichment: Adding context (e.g., user identity, asset criticality, threat intel) to raw alerts to support faster decisions.
  • Noise reduction: Filtering irrelevant or redundant data to focus on meaningful signals.

Customer outcomes

  • Productivity gain: A measure of how automation and AI augmentation increase the number of security investigations completed per analyst or per unit of time. It reflects the reduction of manual effort in tasks like log review, enrichment, and triage, allowing analysts to focus on higher-value decisions. Productivity gain is often expressed as a ratio (e.g., 2x more incidents handled per analyst) or as a percentage increase compared to a baseline without automation.
  • Cost efficiency: The ability to deliver the same or improved security outcomes with lower spend on infrastructure, tooling, and personnel. It is achieved by reducing unnecessary log storage and processing, filtering out false positives, and accelerating investigation and response through automation. Cost efficiency is often measured as a percentage reduction in operating costs or as cost avoided compared to traditional SOC approaches.
  • Scalability: The capacity for a security team to handle increasing alert volumes, environments, or complexity without a proportional increase in headcount or cost. With automation and AI augmentation, small or mid-sized teams can extend their operations to enterprise levels, including 24/7 monitoring and response, without needing to build a large traditional SOC. Scalability is often tracked by comparing incidents handled or coverage achieved against analyst hours or team size.
  • Operational resilience: The ability of a security program to sustain effective operations even under stress, such as high alert volumes, staff shortages, or resource constraints. It reflects how well a SOC can continue to detect, investigate, and respond to threats despite disruption. Key metrics include consistent MTTD/MTTR performance, continuity of monitoring, and the percentage of incidents successfully contained during periods of peak demand.

Industry & ecosystem

  • MITRE ATT&CK: A knowledge base of adversary tactics and techniques, often used to map detection coverage.
  • Threat intelligence: Data and context about adversary infrastructure, tools, and campaigns, used to strengthen detections and investigations.
  • Automation playbooks: Predefined sequences of automated actions for investigation or response (e.g., isolating a host, disabling a user account).
  • SOC metrics & KPIs: Quantitative measures like MTTD, MTTR, false positive rate, and analyst workload, used to benchmark SOC performance.

Explore how Exaforce can help transform your security operations