Endpoint Security
Segment at a Glance
- Market Size: ~$21 billion (2025) | projected ~$38 billion by 2030 (MarketsandMarkets) | ~7% CAGR
- Maturity: Mature
- Growth: Moderate
- Key Trend: EDR-to-XDR convergence, AI-native autonomous detection, agentic endpoint security
What It Is
Endpoint security protects the devices --- laptops, desktops, servers, mobile phones, and increasingly AI agents --- that connect to enterprise networks. The category has evolved through several generations:
- EPP (Endpoint Protection Platform): Traditional prevention-first approach combining antivirus signatures, host-based firewall, and device control. Focuses on blocking known threats before execution.
- NGAV (Next-Generation Antivirus): Uses machine learning and behavioral analysis rather than signature-only matching, catching zero-day and fileless attacks that legacy AV misses.
- EDR (Endpoint Detection and Response): Adds continuous telemetry recording, threat hunting, and investigation/response capabilities. Assumes prevention will sometimes fail and prioritizes visibility and rapid containment.
- XDR (Extended Detection and Response): Extends EDR telemetry across network, cloud, identity, and email to correlate alerts into cross-domain incidents, reducing alert fatigue and mean-time-to-respond.
Modern platforms increasingly combine all four layers into a single agent, with XDR becoming the strategic direction for every major vendor.
Buyer Profile
| Attribute | Detail |
|---|---|
| Primary Buyer | CISO, VP of Security Operations |
| Influencers | SOC analysts, IT operations, compliance teams |
| Org Size | All --- from SMB (100 endpoints) to enterprise (500K+) |
| Buying Triggers | Breach or near-miss, legacy AV contract renewal, compliance mandates (PCI DSS, HIPAA, CMMC), board-level pressure post-incident, replacing point tools with platform |
| Budget Range | $60--185/endpoint/year for top-tier EDR; Microsoft Defender often "free" for E5 license holders |
| Sales Cycle | 3--9 months (enterprise); 2--6 weeks (SMB via MSSP/channel) |
Market Landscape
Vendor Positioning
Figure: Endpoint Security Vendor Positioning (2025). X axis: Niche Focus → Platform Breadth (0--100%); Y axis: Emerging → Established (0--100%). Dashed lines at 50% on each axis divide the chart into four quadrants: Platform Players (upper left), Leaders (upper right), Emerging (lower left), Specialists (lower right). Plotted vendor positions:
| Vendor | Platform Breadth | Established |
|---|---|---|
| CrowdStrike | 75% | 92% |
| Microsoft Defender | 88% | 90% |
| SentinelOne | 65% | 82% |
| Palo Alto Cortex XDR | 85% | 85% |
| Trend Micro | 70% | 75% |
| Sophos | 55% | 70% |
| Trellix | 60% | 65% |
| ESET | 40% | 68% |
| Cybereason | 35% | 50% |
| Cynet | 45% | 40% |
| Huntress | 30% | 35% |
Key Vendors
| Vendor | Strengths | Weaknesses | Notable |
|---|---|---|---|
| CrowdStrike | Cloud-native architecture, massive threat intel graph, strong brand, 100% MITRE ATT&CK detection in 2024 eval | Premium pricing ($185/endpoint/yr at enterprise tier), July 2024 outage damaged trust, complex licensing | FY2025 revenue $3.95B (+29% YoY), $4.24B ARR (CrowdStrike IR) |
| SentinelOne | Autonomous AI-driven response, strong MITRE results, competitive pricing vs. CrowdStrike, Purple AI copilot | Smaller threat intel corpus, profitability still elusive, Android coverage generates false positives | Gartner MQ Leader 5 years running (SentinelOne) |
| Microsoft Defender for Endpoint | Bundled with M365 E5 (near-zero marginal cost), deep OS integration, massive telemetry, Copilot for Security | Multi-tenancy limitations, weaker reporting, "good enough" stigma, dependency on Microsoft ecosystem | ~40% market share by deployment (6sense); Gartner MQ Leader 6 consecutive years |
| Palo Alto Cortex XDR | True XDR integration with Prisma and NGFW, strong MITRE results, platformization strategy | Agent can be heavy, requires Palo Alto ecosystem buy-in, complex deployment | Acquiring Koi for $400M to secure agentic endpoints (Palo Alto Networks) |
| Trellix | Broad legacy install base (ex-McAfee + FireEye), strong in regulated industries | Integration debt from merger, innovation pace lags leaders, talent attrition | Private equity owned (Symphony Technology Group) |
| Sophos | Strong SMB/mid-market channel, MDR-integrated, 100% MITRE detection in 2025 eval | Limited enterprise traction, weaker XDR story | Acquired by Thoma Bravo (2020); strong MSP channel |
| Trend Micro | Deep server/workload protection, strong in APAC, Vision One XDR platform | UI/UX complaints, slower cloud-native pivot | Legacy presence in Japan and SE Asia |
| Cybereason | Strong MITRE results (100% detection, zero false positives in 2024 eval), behavioral detection engine | Trustwave merger collapsed (March 2025), uncertain future, funding constraints | Once valued at $3B, now in strategic limbo (CyberScoop) |
| ESET | Lightweight agent, strong SMB pricing, Gartner Peer Insights Customers' Choice 2025, excellent support | Limited XDR story, less brand recognition in US enterprise | 4.9/5.0 Gartner Peer Insights rating (ESET) |
Competitive Dynamics
Microsoft is the elephant in the room. With Defender for Endpoint bundled into M365 E5, Microsoft holds ~40% market share by deployment count. Many organizations adopt it as "good enough" endpoint protection, particularly those already committed to the Microsoft ecosystem. This forces pure-play vendors (CrowdStrike, SentinelOne) to justify premium pricing through superior detection fidelity, faster response, and cross-platform support.
CrowdStrike remains the market leader by revenue ($3.95B in FY2025) but the July 2024 outage --- which bricked 8.5 million Windows devices and caused an estimated $5.4 billion in Fortune 500 losses --- created an opening for competitors. SentinelOne and Palo Alto have both reported accelerated pipeline from CrowdStrike displacement evaluations, though actual churn has been modest.
Platformization is the strategic battleground. Every major vendor is racing from point EDR to full XDR/platform, with Palo Alto (Cortex + Prisma + NGFW), CrowdStrike (Falcon platform with 28+ modules), and Microsoft (Defender suite + Sentinel SIEM) leading the convergence. Standalone EDR is increasingly difficult to sell.
The mid-market squeeze. Vendors like Cybereason (Trustwave merger collapsed), Trellix (private equity cost-cutting), and other mid-tier players face existential pressure --- too small to build a platform, too expensive to compete on price with Microsoft. Expect further M&A or private equity take-privates in this tier.
Recent M&A and Funding
| Date | Deal | Details |
|---|---|---|
| Feb 2026 | Palo Alto Networks acquires Koi | ~$400M for agentic endpoint security startup (founded 2024, IDF 8200 alumni) (SecurityWeek) |
| Sep 2025 | Koi raises $48M | Pre-acquisition funding round for endpoint security startup (Fintech Global) |
| Mar 2025 | Cybereason-Trustwave merger collapses | Trustwave cancelled the acquisition; Cybereason future uncertain (MarketScreener) |
| 2025 | Cybersecurity funding surges | $14B total cybersecurity funding in 2025, up 47% from $9.5B in 2024 (SecurityWeek) |
Knowledge Gap
Specific 2025-2026 M&A deal values for mid-tier endpoint vendors (Trellix, Cybereason standalone) are not publicly confirmed. Watch for PE-driven consolidation plays targeting companies in the $2B--$10B valuation range.
Pricing Models
| Model | Typical Range | Used By |
|---|---|---|
| Per-endpoint/year | $60--$185 | CrowdStrike, SentinelOne, Sophos |
| Bundled with platform license | Included in E5 ($57/user/mo) | Microsoft Defender |
| Tiered packages | Core ($70) / Control ($80) / Complete ($180) | SentinelOne |
| Per-device + modules | Base + add-on modules | CrowdStrike Falcon |
| MSP/MSSP per-endpoint | $2--$8/endpoint/month | Huntress, Sophos, SentinelOne |
TCO friction points:
- Module creep: CrowdStrike's 28+ Falcon modules mean the "per-endpoint" price can double or triple once you add identity protection, cloud workload, and threat hunting.
- Microsoft "free" illusion: Defender for Endpoint is included in E5, but organizations often need Sentinel (SIEM), Entra ID P2, and Intune --- the true TCO is obscured across the Microsoft bundle.
- Hidden costs: Alert triage labor, tuning/false-positive management, and data ingestion fees (for XDR/SIEM correlation) often exceed license costs for mid-market buyers.
- Lock-in: Platform bundles create switching costs that compound over time, making future vendor changes prohibitively expensive.
Integration & Ecosystem
Endpoint telemetry is the foundational data source for the modern SOC:
- SIEM/XDR integration: EDR logs feed SIEM platforms (Splunk, Microsoft Sentinel, Google SecOps) and native XDR correlation engines. Data volume and ingestion costs are a major concern.
- Identity linkage: Modern EDR correlates endpoint events with identity signals (Azure AD/Entra ID sign-in risk, Okta session data) to detect credential-based attacks.
- Network correlation: NDR tools (Darktrace, Vectra, ExtraHop) cross-reference endpoint detections with network anomalies for higher-confidence alerts.
- SOAR playbooks: EDR APIs enable automated response --- isolate host, kill process, collect forensic package --- orchestrated by SOAR platforms.
- Cloud workload: EDR agents increasingly protect cloud VMs, containers, and serverless functions, blurring the line with CWPP (Cloud Workload Protection Platform).
SWOT Analysis
Strengths
- Endpoint is the most mature and well-understood security segment; buyers know what they need
- AI/ML detection has dramatically reduced reliance on signatures, catching novel threats
- Rich telemetry from endpoints provides the foundation for XDR, threat hunting, and forensics
- Strong competitive market drives continuous innovation and keeps pricing from runaway inflation
Weaknesses
- Agent fatigue: endpoints run multiple agents (EDR, DLP, UEBA, patching) competing for resources
- Alert volume overwhelms understaffed SOC teams --- median enterprise sees 11,000 alerts/day
- Kernel-level agents create systemic risk (CrowdStrike July 2024 outage proved this at scale)
- Pricing complexity and module creep make TCO unpredictable for buyers
Opportunities
- Agentic endpoint security: Protecting AI agents running on endpoints (new attack surface, Palo Alto's Koi acquisition signals market direction)
- Autonomous response: AI-driven containment that replaces Tier 1 SOC analysts for routine incidents
- Managed EDR for SMB: Massive underserved market; Huntress, Sophos MDR, and channel partners are early movers
- Linux/container endpoint: Server and cloud-native workload protection remains immature vs. Windows coverage
- Converged platform plays: Vendors who unify endpoint + identity + cloud under one console win consolidation deals
Threats
- Microsoft's bundling strategy commoditizes the market, compressing margins for pure-play vendors
- Platform fatigue: buyers increasingly resist "another platform" pitch, preferring consolidation
- Regulatory fragmentation (EU Cyber Resilience Act, DORA) increases compliance burden and testing requirements
- Adversaries adopting AI for evasion will erode current detection advantages faster than defenders can adapt
- Systemic risk from monoculture: a single vendor outage can paralyze global infrastructure (as demonstrated in July 2024)
Pain Points & Complaints
Common Complaints
Sourced from Gartner Peer Insights, practitioner forums, and vendor comparison reviews.
Alert fatigue and false positives:
- SentinelOne's behavioral AI is aggressive --- legitimate admin tools and custom applications frequently trigger false positives, especially on non-Windows platforms. "The AI is very sensitive to threats, which helps find new threats but can generate many false positives" (Cynet comparison).
- Tuning requires dedicated analyst time that SMB/mid-market teams do not have.
Licensing complexity and surprise costs:
- CrowdStrike's modular licensing is frequently cited: "complicated licensing and a lack of support for hybrid environments" (Gartner Peer Insights).
- Buyers report sticker shock when adding threat hunting, identity protection, or cloud modules to a base EDR contract.
Microsoft Defender limitations:
- Multi-tenancy needs "serious changes to catch up with competition" --- a blocker for MSSPs and multi-org enterprises.
- Reporting and dashboarding for security incidents described as "not as useful" compared to pure-play vendors.
- Requires significant Microsoft ecosystem investment (E5, Sentinel, Intune) to unlock full capability.
Agent performance and stability:
- Kernel-mode agents cause performance degradation on Windows and SQL servers (cited for multiple vendors).
- The CrowdStrike July 2024 outage (8.5M devices bricked, $5.4B in Fortune 500 losses) remains a cautionary tale about kernel-level access and single-vendor dependency.
Platform lock-in:
- Once deployed, switching EDR vendors requires re-agenting every endpoint --- a 6--18 month project for large enterprises that creates de facto lock-in.
Emerging Technologies & Trends
Evolution of endpoint security:
| Era | Generation | Defining capabilities |
|---|---|---|
| 1990s | Signature AV | Pattern matching |
| 2010s | NGAV | ML-based detection; fileless attack coverage |
| 2015 | EDR | Continuous telemetry; threat hunting |
| 2020 | XDR | Cross-domain correlation; unified console |
| 2025 | AI-Native / Autonomous | Agentic AI response; identity-aware endpoint |
| 2027+ | Agentic Endpoint Security | Protecting AI agents; Zero Trust micro-segmentation |
Key trends shaping 2025--2027:
- Agentic AI in endpoint security. The industry is moving from "AI copilots" that assist analysts to "agentic AI" that autonomously triages, investigates, and remediates threats without human intervention. SentinelOne's Purple AI and CrowdStrike's Charlotte AI are early implementations. Investors are aggressively funding startups in this space (Windsor Drake).
- Securing the agentic endpoint. As AI agents (LLM-powered tools with deep system access) proliferate on enterprise endpoints, they create a new attack surface with "unrestricted permissions and the ability to perform nearly any action, yet bypass traditional security controls" (Palo Alto Networks). Palo Alto's $400M Koi acquisition signals that this is an emerging category.
- EDR-to-XDR convergence. 80% of EDR deployments are expected to transition to XDR by 2027 (MarketsandMarkets), driven by alert fatigue and the need for cross-domain correlation. Standalone EDR is becoming a commodity.
- Identity-aware endpoint detection. Correlating endpoint behavior with identity signals (impossible travel, MFA failures, privilege escalation) to detect credential-based attacks that evade traditional EDR.
- Kernel-to-userspace migration. Post-CrowdStrike outage, vendors and OS platforms (Microsoft, Apple) are re-examining kernel-level access for security agents, pushing toward eBPF-based and userspace architectures that reduce systemic risk.
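The identity-aware correlation described above (and under "Identity linkage" in Integration & Ecosystem), as an added example that is not code from the page or from any vendor product: it joins constructed EDR privilege-elevation events with constructed IdP sign-in events on user and time window, flagging impossible travel and MFA-failure bursts and raising an incident when an elevation follows such an anomaly. The event field names, the thresholds (900 km/h, three failures in ten minutes, a 60-minute correlation window) and the sample records are assumptions.

```python
from __future__ import annotations
from collections import defaultdict
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from typing import NamedTuple
EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0           # assumption: faster than this is "impossible travel"
MFA_BURST_THRESHOLD = 3                   # assumption: failures before a success that count as a burst
MFA_BURST_WINDOW = timedelta(minutes=10)  # assumption: look-back for the MFA burst rule

class IdentityEvent(NamedTuple):          # one IdP sign-in record (assumed schema)
    ts: datetime
    user: str
    result: str                           # "success" or "mfa_failed"
    lat: float
    lon: float

class EndpointEvent(NamedTuple):          # one EDR telemetry record (assumed schema)
    ts: datetime
    host: str
    user: str
    action: str                           # e.g. "process_start", "privilege_elevation"

class Anomaly(NamedTuple):
    ts: datetime
    user: str
    kind: str                             # "impossible_travel" or "mfa_failure_burst"

class Incident(NamedTuple):
    user: str
    host: str
    identity_anomaly: str
    identity_ts: datetime
    endpoint_ts: datetime

def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in kilometres between two lat/lon points."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))

def identity_anomalies(events: list[IdentityEvent]) -> list[Anomaly]:
    """Impossible travel between consecutive successes; MFA-failure burst before a success."""
    by_user: dict[str, list[IdentityEvent]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_user[e.user].append(e)
    found: list[Anomaly] = []
    for user, evs in by_user.items():
        last_ok: IdentityEvent | None = None
        for i, e in enumerate(evs):
            if e.result != "success":
                continue
            if last_ok is not None:                       # rule 1: impossible travel
                hours = (e.ts - last_ok.ts).total_seconds() / 3600
                km = haversine_km(last_ok.lat, last_ok.lon, e.lat, e.lon)
                if hours > 0 and km / hours > MAX_PLAUSIBLE_SPEED_KMH:
                    found.append(Anomaly(e.ts, user, "impossible_travel"))
            failures = sum(1 for f in evs[:i]             # rule 2: MFA failure burst
                           if f.result == "mfa_failed" and e.ts - f.ts <= MFA_BURST_WINDOW)
            if failures >= MFA_BURST_THRESHOLD:
                found.append(Anomaly(e.ts, user, "mfa_failure_burst"))
            last_ok = e
    return sorted(found, key=lambda a: a.ts)

def correlate(identity: list[IdentityEvent], endpoint: list[EndpointEvent],
              window: timedelta = timedelta(minutes=60)) -> list[Incident]:
    """Incident when a privilege elevation follows an identity anomaly for the same user within `window`."""
    anomalies = identity_anomalies(identity)
    incidents: list[Incident] = []
    for ev in sorted(endpoint, key=lambda e: e.ts):
        if ev.action != "privilege_elevation":
            continue
        for a in anomalies:                               # earliest matching anomaly wins
            if a.user == ev.user and a.ts <= ev.ts <= a.ts + window:
                incidents.append(Incident(ev.user, ev.host, a.kind, a.ts, ev.ts))
                break
    return incidents

def T(hhmm: str) -> datetime:               # constructed timestamps, all on one day
    return datetime(2025, 6, 1, int(hhmm[:2]), int(hhmm[3:]))

# Constructed sample telemetry (not real data); coordinates are London, Singapore, Berlin.
SAMPLE_IDENTITY = [
    IdentityEvent(T("09:00"), "alice", "success", 51.5074, -0.1278),
    IdentityEvent(T("09:40"), "alice", "success", 1.3521, 103.8198),   # ~10,800 km in 40 min
    *[IdentityEvent(T(f"11:0{m}"), "bob", "mfa_failed", 52.52, 13.405) for m in range(3)],
    IdentityEvent(T("11:03"), "bob", "success", 52.52, 13.405),
    IdentityEvent(T("12:00"), "carol", "success", 52.52, 13.405),      # clean sign-in, no anomaly
]
SAMPLE_ENDPOINT = [
    EndpointEvent(T("10:05"), "WS-042", "alice", "privilege_elevation"),
    EndpointEvent(T("11:20"), "SRV-07", "bob", "privilege_elevation"),
    EndpointEvent(T("12:10"), "WS-011", "carol", "privilege_elevation"),   # no identity anomaly
    EndpointEvent(T("13:00"), "WS-042", "alice", "process_start"),         # not an elevation
]
if __name__ == "__main__":
    print(*correlate(SAMPLE_IDENTITY, SAMPLE_ENDPOINT), sep="\n")
```

Running the sample yields two incidents (alice's elevation after impossible travel, bob's after an MFA-failure burst) and none for carol, whose elevation has no identity anomaly behind it.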
Gaps & Underserved Areas
Market Gaps
- SMB endpoint security remains underserved --- most top-tier EDR is priced and designed for enterprises with dedicated SOC teams. Managed EDR (Huntress model) is addressing this but the market is nascent.
- Linux and container endpoint detection lags Windows coverage by 2--3 years across most vendors. Cloud-native workloads often run with minimal endpoint telemetry.
- macOS and mobile EDR capabilities are significantly weaker than Windows for most vendors, despite growing enterprise adoption of Apple devices.
- Agentic endpoint security (protecting AI agents and LLM tools on endpoints) is a greenfield category with no established players --- Koi was acquired before shipping a mature product.
Underserved
- OT/ICS endpoints: Industrial control systems and embedded devices lack modern EDR coverage; most vendors treat this as a separate market.
- Developer workstations: High-privilege, high-risk endpoints with unique tooling (Docker, IDEs, CLI tools) that generate excessive false positives under standard EDR policies.
- Offline/air-gapped endpoints: EDR solutions assume cloud connectivity for telemetry and threat intel; air-gapped environments (defense, critical infrastructure) need local detection models.
- Multi-vendor EDR orchestration: No good tooling exists for organizations running two or more EDR vendors (common during migrations or in M&A scenarios).
Geographic Notes
| Region | Characteristics |
|---|---|
| North America | Largest market (~65% of CrowdStrike revenue is US-based). CrowdStrike and SentinelOne dominate enterprise. Microsoft Defender growing rapidly via E5 adoption. Regulatory drivers: CMMC, SEC incident disclosure rules. |
| Europe | GDPR and DORA drive compliance-led buying. Preference for EU-headquartered or EU-sovereign cloud options. ESET (Slovakia), Bitdefender (Romania), F-Secure/WithSecure (Finland) have stronger presence. Data residency requirements complicate cloud-delivered EDR. |
| APAC | Trend Micro and Sophos have legacy strength in Japan and Australia respectively. Rapidly growing market driven by digital transformation and increasing threat activity. China market largely served by domestic vendors (Sangfor, Huorong). |
| Middle East / Africa | Growing adoption driven by national cybersecurity mandates (Saudi NCA, UAE NESA). Preference for managed security services over self-operated EDR. |
Open-Source Alternatives
| Tool | Description | Strengths | Limitations |
|---|---|---|---|
| Wazuh | Open-source XDR and SIEM platform, evolved from OSSEC. Agent-based endpoint monitoring with centralized management. | Unified SIEM + EDR, active community (24K+ GitHub stars), compliance mapping (PCI, HIPAA, GDPR), free | Limited autonomous response, requires significant tuning and operational expertise, no managed service option |
| OSSEC | Original host-based intrusion detection system (HIDS). Log analysis, file integrity monitoring, rootkit detection. | Mature and battle-tested, lightweight agent, good for compliance use cases | Development pace slowed (Wazuh fork is more active), limited EDR-style telemetry, dated UI |
| Velociraptor | Endpoint visibility, digital forensics, and incident response (DFIR) tool. VQL query language for hunting. | Exceptional forensic depth, scales to 50K+ endpoints, real-time hunting, integrates with Wazuh for detection-to-response pipeline | Not a full EDR replacement (no real-time prevention), steep learning curve, small community relative to commercial tools |
| osquery | SQL-powered endpoint telemetry. Query OS state as a relational database. | Lightweight, cross-platform, excellent for fleet visibility and compliance checks, used by Meta/Kolide at scale | Visibility only (no detection or response), requires external tooling for alerting, no prevention capability |
Open-Source Strategy
The strongest open-source endpoint stack combines Wazuh (detection + alerting) with Velociraptor (forensic investigation) and osquery (fleet visibility). This provides capabilities comparable to mid-tier commercial EDR for organizations with sufficient security engineering talent --- but requires 1--2 dedicated FTEs to operate effectively.
Sources & Further Reading
- MarketsandMarkets --- Endpoint Security Market (2025--2030)
- Mordor Intelligence --- Endpoint Security Market (2026--2031)
- The Insight Partners --- Endpoint Security Market to Surpass $144B by 2031
- CrowdStrike FY2025 Financial Results
- 6sense --- CrowdStrike Market Share in Endpoint Protection
- Microsoft --- Named Leader in 2025 Gartner MQ for EPP
- SentinelOne --- 2025 Gartner Magic Quadrant for EPP
- Palo Alto Networks --- Koi Acquisition Announcement
- SecurityWeek --- Palo Alto Acquires Koi for $400M
- CyberScoop --- Trustwave and Cybereason Merger Announcement
- MarketScreener --- Trustwave-Cybereason Merger Cancelled
- SecurityWeek --- $14B Cybersecurity Funding in 2025
- Wikipedia --- 2024 CrowdStrike-Related IT Outages
- MITRE ATT&CK Evaluations --- Enterprise 2024
- MITRE ATT&CK Evaluations --- Enterprise 2025
- Cybereason --- 100% Detection in 2024 MITRE Eval
- Sophos --- Best-Ever MITRE ATT&CK 2025 Results
- ESET --- 2025 Gartner Peer Insights Customers' Choice
- Gartner Peer Insights --- Endpoint Protection Platforms
- Windsor Drake --- EDR/XDR Valuation Q1 2026
- MarketsandMarkets --- XDR Market Emerging Trends
- Wazuh --- Open Source Security Platform
- Velociraptor --- Endpoint Visibility and DFIR
- Cynet --- SentinelOne vs CrowdStrike Comparison
- KatProTech --- Cost-Benefit Analysis: CrowdStrike, SentinelOne, Defender
Glossary
This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.
A
| Term | Definition |
|---|---|
| ACL | Access Control List — rules determining which users/systems can access resources |
| APT | Advanced Persistent Threat — a prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access |
| ASM | Attack Surface Management — continuous discovery, inventory, and risk assessment of an organization's external-facing assets |
| ASPM | Application Security Posture Management — unified visibility and risk management across the application lifecycle |
| AV | Antivirus — software designed to detect, prevent, and remove malware |
B
| Term | Definition |
|---|---|
| BAS | Breach and Attack Simulation — automated tools that simulate real-world attacks to test security controls |
| BEC | Business Email Compromise — a social-engineering attack targeting employees with access to company finances or data |
C
| Term | Definition |
|---|---|
| C2 | Command and Control — infrastructure used by attackers to communicate with compromised systems |
| CASB | Cloud Access Security Broker — a security policy enforcement point between cloud consumers and providers |
| CCPA | California Consumer Privacy Act — California state law granting consumers rights over their personal data |
| CIAM | Customer Identity and Access Management — managing and securing external customer identities and authentication |
| CIEM | Cloud Infrastructure Entitlement Management — managing identities and privileges in cloud environments |
| CTEM | Continuous Threat Exposure Management — a program for continuously assessing and prioritizing threat exposures |
| CNAPP | Cloud-Native Application Protection Platform — integrated security for cloud-native applications across the full lifecycle |
| CSPM | Cloud Security Posture Management — continuous monitoring of cloud infrastructure for misconfigurations and compliance risks |
| CWPP | Cloud Workload Protection Platform — security for workloads running in cloud environments (VMs, containers, serverless) |
| CVE | Common Vulnerabilities and Exposures — a standardized identifier for publicly known cybersecurity vulnerabilities |
D
| Term | Definition |
|---|---|
| DAST | Dynamic Application Security Testing — testing a running application for vulnerabilities by simulating attacks |
| DCS | Distributed Control System — a control system for managing industrial processes across multiple locations |
| DLP | Data Loss Prevention — tools and processes to prevent unauthorized data exfiltration or leakage |
| DORA | Digital Operational Resilience Act — EU regulation on ICT risk management for financial entities |
| DSPM | Data Security Posture Management — discovering, classifying, and protecting sensitive data across cloud environments |
E
| Term | Definition |
|---|---|
| EASM | External Attack Surface Management — discovering and monitoring internet-facing assets for exposures |
| EDR | Endpoint Detection and Response — tools that monitor endpoints for threats and provide investigation and response capabilities |
| EPP | Endpoint Protection Platform — integrated endpoint security combining prevention, detection, and response |
F/G
| Term | Definition |
|---|---|
| FAIR | Factor Analysis of Information Risk — a quantitative model for understanding, analyzing, and measuring information risk |
| GRC | Governance, Risk, and Compliance — integrated framework for aligning IT with business goals, managing risk, and meeting regulations |
| GDPR | General Data Protection Regulation — EU regulation on data protection and privacy for individuals |
H
| Term | Definition |
|---|---|
| HIPAA | Health Insurance Portability and Accountability Act — US law governing the privacy and security of health information |
I
| Term | Definition |
|---|---|
| IAB | Initial Access Broker — specialized cybercriminals who compromise networks and sell access to ransomware operators and other buyers |
| IAM | Identity and Access Management — framework for managing digital identities and controlling access to resources |
| ICS | Industrial Control System — control systems used in industrial production and critical infrastructure |
| IDS | Intrusion Detection System — a system that monitors network traffic for suspicious activity and alerts |
| ITDR | Identity Threat Detection and Response — detecting and responding to identity-based attacks and compromises |
| IoT | Internet of Things — network of physical devices embedded with sensors, software, and connectivity |
| IPS | Intrusion Prevention System — a system that monitors and actively blocks detected threats in network traffic |
L
| Term | Definition |
|---|---|
| LOTL | Living Off the Land — attack technique using legitimate, pre-installed system tools and binaries rather than custom malware to evade detection |
M
| Term | Definition |
|---|---|
| MaaS | Malware-as-a-Service — cybercrime business model where malware developers sell or rent their tools to other criminals |
| MDR | Managed Detection and Response — outsourced security service providing 24/7 threat monitoring, detection, and response |
| MITRE ATT&CK | MITRE Adversarial Tactics, Techniques, and Common Knowledge — a knowledge base of adversary behaviors and techniques |
| MSSP | Managed Security Service Provider — a third-party provider offering outsourced monitoring and management of security devices |
| MFA | Multi-Factor Authentication — requiring two or more verification factors to gain access to a resource |
N
| Term | Definition |
|---|---|
| NDR | Network Detection and Response — detecting and responding to threats by analyzing network traffic patterns |
| NERC CIP | North American Electric Reliability Corporation Critical Infrastructure Protection — security standards for the electric grid |
| NGAV | Next-Generation Antivirus — advanced antivirus using behavioral analysis, AI, and machine learning beyond signature-based detection |
| NIS2 | Network and Information Systems Directive 2 — updated EU directive on cybersecurity for essential and important entities |
| NIST CSF | National Institute of Standards and Technology Cybersecurity Framework — a voluntary framework for managing cybersecurity risk |
O
| Term | Definition |
|---|---|
| OT | Operational Technology — hardware and software that monitors and controls physical devices and processes |
| OWASP | Open Worldwide Application Security Project — a nonprofit focused on improving software security through open-source projects and guidance |
P
| Term | Definition |
|---|---|
| PAM | Privileged Access Management — securing, managing, and monitoring privileged accounts and access |
| PCI DSS | Payment Card Industry Data Security Standard — security standards for organizations that handle credit card data |
| PII | Personally Identifiable Information — any data that could identify a specific individual |
| PLC | Programmable Logic Controller — an industrial computer used to control manufacturing processes |
R
| Term | Definition |
|---|---|
| RaaS | Ransomware-as-a-Service — cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits |
| RGB | Reconnaissance General Bureau — North Korea's primary intelligence agency responsible for clandestine operations including cyber operations |
S
| Term | Definition |
|---|---|
| SASE | Secure Access Service Edge — converged network and security-as-a-service architecture delivered from the cloud |
| SAST | Static Application Security Testing — analyzing source code for vulnerabilities without executing the application |
| SBOM | Software Bill of Materials — a formal inventory of components, libraries, and dependencies in a software product |
| SCA | Software Composition Analysis — identifying open-source components and known vulnerabilities in a codebase |
| SCADA | Supervisory Control and Data Acquisition — a system for monitoring and controlling industrial processes remotely |
| SD-WAN | Software-Defined Wide Area Network — a virtual WAN architecture that simplifies branch networking and optimizes traffic |
| SEG | Secure Email Gateway — a solution that filters inbound and outbound email to block threats and enforce policies |
| SIEM | Security Information and Event Management — aggregating and analyzing log data for threat detection and compliance |
| SOAR | Security Orchestration, Automation, and Response — tools that automate and coordinate security operations workflows |
| SOC | Security Operations Center — a centralized team and facility for monitoring, detecting, and responding to security incidents |
| SOX | Sarbanes-Oxley Act — US law mandating financial reporting and internal control requirements for public companies |
| SSE | Security Service Edge — the security component of SASE, delivering SWG, CASB, and ZTNA as cloud services |
| SWG | Secure Web Gateway — a solution that filters web traffic to enforce security policies and block threats |
T
| Term | Definition |
|---|---|
| TAM | Total Addressable Market — the total revenue opportunity available for a product or service |
| TCO | Total Cost of Ownership — the complete cost of acquiring, deploying, and operating a solution over its lifetime |
| TIP | Threat Intelligence Platform — a system for aggregating, correlating, and operationalizing threat intelligence data |
| TLS | Transport Layer Security — a cryptographic protocol that provides secure communication over a network |
| TTP | Tactics, Techniques, and Procedures — the patterns of behavior and methods used by threat actors to conduct cyber operations |
V
| Term | Definition |
|---|---|
| VM | Vulnerability Management — the ongoing process of identifying, evaluating, treating, and reporting security vulnerabilities |
X
| Term | Definition |
|---|---|
| XDR | Extended Detection and Response — unified threat detection and response across endpoints, network, cloud, and email |
Z
| Term | Definition |
|---|---|
| ZTNA | Zero Trust Network Access — a security model that grants access based on identity verification and least-privilege principles |