Plain definitions for a jargon-heavy field.
Security vendors hide behind vocabulary. Here is ours, defined the way a physicist would: short, specific, and without the fear-mongering. Terms are alphabetical; tags show which layer each one lives in.
Account takeover (ATO)
An attacker gains working control of a legitimate user account — usually via stolen credentials or a hijacked session — and operates as that user. Everything afterward looks like normal activity, which is why catching the takeover itself matters.
See: ITDR
Blast radius
Everything an attacker can reach from a given foothold: data, systems, other accounts. Containment is the art of shrinking the blast radius to zero before the foothold is used.
Business email compromise (BEC)
Fraud run from inside a real, compromised mailbox — invoice swaps, payroll redirects, vendor impersonation. It starts as an identity problem long before it becomes a finance problem.
Containment
The automated action that stops a detected threat from spreading: revoke the session, disable the account, block the destination. Detection without containment is a notification.
Credential stuffing
Replaying username/password pairs leaked from one service against another, at volume, until one works; it succeeds because people reuse passwords. MFA blunts it but does not eliminate it, which is why attackers moved on to wearing down MFA prompts and stealing sessions instead.
Dwell time
How long an attacker operates inside an environment before being detected and removed. The industry measures it in days. The goal is to measure it at the first particle.
EDR — Endpoint Detection & Response
Detection and response focused on what executes on devices: processes, files, memory. Complementary to ITDR, which watches who is signing in, from where, and with whose token.
Identity provider (IdP)
The service that authenticates your users and issues their sessions — Microsoft Entra ID, Google Workspace, Okta, and peers. The IdP sees every login, which makes it the richest place to catch an identity attack early.
Impossible travel
Two authentications from locations too far apart for anyone to travel between in the elapsed time. A classic early signal that a credential or session token is being used by someone other than its owner. Tune it for VPN egress, proxies and mobile-carrier geolocation, which can make one legitimate user look like two.
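The signal above is simple enough to compute directly from IdP sign-in records: great-circle distance between consecutive sign-ins for the same user, divided by elapsed time, compared against a plausible speed. The following is an added example, not code from the Atomburst platform; the record fields, the 900 km/h ceiling, the sample sign-ins and the corporate VPN egress allowlist are all assumptions constructed for illustration. It also shows the practitioner's caveat: without the egress allowlist, a user hopping onto a VPN looks exactly like an attacker.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, Iterable, List, NamedTuple

EARTH_RADIUS_KM = 6371.0
# Assumed ceiling on plausible speed between two sign-ins (airliner cruise, with slack).
MAX_PLAUSIBLE_KMH = 900.0


@dataclass(frozen=True)
class SignIn:
    """One successful authentication as an IdP might log it (assumed, simplified fields)."""
    user: str
    when: datetime
    ip: str
    lat: float
    lon: float


class Hit(NamedTuple):
    user: str
    earlier: SignIn
    later: SignIn
    km: float
    kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance in km between two lat/lon points."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: Iterable[SignIn],
                      known_egress: frozenset = frozenset(),
                      max_kmh: float = MAX_PLAUSIBLE_KMH) -> List[Hit]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_kmh.

    known_egress holds IPs (VPN concentrators, proxies) whose geolocation is not
    where the user physically is; pairs touching them are skipped to cut false positives.
    """
    by_user: Dict[str, List[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.when):
        by_user.setdefault(e.user, []).append(e)

    hits: List[Hit] = []
    for user, seq in by_user.items():
        for a, b in zip(seq, seq[1:]):
            if a.ip == b.ip or a.ip in known_egress or b.ip in known_egress:
                continue
            km = haversine_km(a.lat, a.lon, b.lat, b.lon)
            hours = (b.when - a.when).total_seconds() / 3600.0
            if hours == 0:
                # Two distant sign-ins in the same second: infinitely fast.
                kmh = float("inf") if km > 0 else 0.0
            else:
                kmh = km / hours
            if kmh > max_kmh:
                hits.append(Hit(user, a, b, km, kmh))
    return hits


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample data, not real traffic. 192.0.2.50 is the assumed VPN egress in Ashburn.
KNOWN_EGRESS = frozenset({"192.0.2.50"})
SAMPLE_SIGNINS = [
    SignIn("alice", _t("2024-05-01T09:00:00"), "203.0.113.10", 51.5074, -0.1278),    # London
    SignIn("alice", _t("2024-05-01T10:30:00"), "198.51.100.7", -33.8688, 151.2093),  # Sydney, 90 min later
    SignIn("bob",   _t("2024-05-01T08:00:00"), "203.0.113.20", 50.1109, 8.6821),     # Frankfurt
    SignIn("bob",   _t("2024-05-01T12:00:00"), "203.0.113.21", 48.8566, 2.3522),     # Paris, 4 h later by train
    SignIn("carol", _t("2024-05-01T09:00:00"), "203.0.113.30", 51.5074, -0.1278),    # London, home ISP
    SignIn("carol", _t("2024-05-01T09:20:00"), "192.0.2.50",   39.0438, -77.4874),   # VPN egress: skipped
]

if __name__ == "__main__":
    for h in impossible_travel(SAMPLE_SIGNINS, known_egress=KNOWN_EGRESS):
        print(f"{h.user}: {h.km:.0f} km in {h.later.when - h.earlier.when} "
              f"-> {h.kmh:.0f} km/h ({h.earlier.ip} then {h.later.ip})")
```

Run as-is it reports only alice (London to Sydney in 90 minutes); call `impossible_travel(SAMPLE_SIGNINS)` without the allowlist and carol's VPN hop is flagged too, which is the false positive the caveat above is about.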
ITDR — Identity Threat Detection & Response
Detection and response for the identity layer: logins, sessions, tokens, and privilege changes across your identity providers. In the Atomburst platform, ITDR is The Detector — the instrument that sees the first particle.
See: ITDR — The Detector
Lateral movement
An attacker expanding from the first compromised account or machine to others. In our terms: everything after the first particle. Contain early and there is no lateral anything.
MDR — Managed Detection & Response
Detection and response operated for you by human analysts, around the clock, on top of the tooling. In the Atomburst platform, MDR is The Observatory — and it is optional, not mandatory.
See: MDR — The Observatory
MFA fatigue
An attacker who already has a valid password triggers authentication prompts until the user approves one out of exhaustion. Also called push bombing. Number matching and a cap on prompts per user blunt it. The password was the first particle; the approval is the split.
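The tell is in the MFA event stream: a run of denied or timed-out pushes for one user, then an approval. The detection below is an added example and not Atomburst code; the one-line-per-event log format, the ten-minute window, the threshold of three refusals and the sample events are all constructed assumptions. It keeps a sliding window per user so that old refusals do not accumulate into an alert hours later.

```python
from collections import deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, NamedTuple, Tuple

# Push outcomes that mean the user did NOT approve.
PUSH_NOT_APPROVED = {"mfa_push_denied", "mfa_push_timeout"}


class Alert(NamedTuple):
    user: str
    source_ip: str
    refused_before_approval: int
    approved_at: datetime


def parse_line(line: str) -> Tuple[datetime, str, str, str]:
    """Parse '<iso8601 Z> <user> <event> <source_ip>' (assumed, simplified log format)."""
    ts, user, event, ip = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, event, ip


def detect_push_bombing(lines: Iterable[str],
                        window: timedelta = timedelta(minutes=10),
                        threshold: int = 3) -> List[Alert]:
    """Alert when a user approves a push after at least `threshold` refused or
    timed-out pushes inside the trailing `window`. An approval resets the count."""
    recent: Dict[str, Deque[datetime]] = {}
    alerts: List[Alert] = []
    for ts, user, event, ip in sorted(parse_line(line) for line in lines):
        q = recent.setdefault(user, deque())
        while q and ts - q[0] > window:      # drop refusals that aged out of the window
            q.popleft()
        if event in PUSH_NOT_APPROVED:
            q.append(ts)
        elif event == "mfa_push_approved":
            if len(q) >= threshold:
                alerts.append(Alert(user, ip, len(q), ts))
            q.clear()
    return alerts


# Constructed sample log, not real events.
SAMPLE_LOG = [
    # alice: attacker with a valid password hammers the push until she taps approve
    "2024-05-01T08:00:05Z alice mfa_push_denied 198.51.100.7",
    "2024-05-01T08:01:10Z alice mfa_push_timeout 198.51.100.7",
    "2024-05-01T08:02:30Z alice mfa_push_denied 198.51.100.7",
    "2024-05-01T08:03:40Z alice mfa_push_denied 198.51.100.7",
    "2024-05-01T08:04:55Z alice mfa_push_approved 198.51.100.7",
    # bob: one fat-fingered deny, then approves his own login; below threshold
    "2024-05-01T09:00:00Z bob mfa_push_denied 203.0.113.20",
    "2024-05-01T09:00:40Z bob mfa_push_approved 203.0.113.20",
    # carol: three refusals that are stale by the time she approves a real login
    "2024-05-01T07:00:00Z carol mfa_push_denied 203.0.113.30",
    "2024-05-01T07:01:00Z carol mfa_push_denied 203.0.113.30",
    "2024-05-01T07:02:00Z carol mfa_push_denied 203.0.113.30",
    "2024-05-01T07:30:00Z carol mfa_push_approved 203.0.113.30",
]

if __name__ == "__main__":
    for a in detect_push_bombing(SAMPLE_LOG):
        print(f"{a.user}: approved from {a.source_ip} at {a.approved_at:%H:%M:%S} "
              f"after {a.refused_before_approval} refused pushes")
```

Only alice fires. Widen the window to an hour and carol fires as well, which is the tuning trade-off: a long window catches a patient attacker, a short one avoids paging on a user who declined a few prompts before lunch.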
MSP — Managed Service Provider
A company that runs IT — and increasingly security — for many client businesses at once. One MSP, many tenants, one console: that arithmetic shapes every tool an MSP can actually use.
Multi-tenancy
One platform, many isolated client environments, managed from one console with per-client policy. Either built in from the start or bolted on badly — there is no third option.
Session hijacking
Stealing an authenticated session token (via malware, phishing proxies, or an exposed cookie) and replaying it. It walks past the password and MFA entirely, because the token says the check already happened. Short token lifetimes and device-bound tokens narrow the window; revoking the session closes it.
Shadow AI
AI tools that employees adopt without approval or oversight, taking company data with them prompt by prompt. Not malicious, usually — which is exactly why policy has to be enforced where the prompt happens: the browser.
See: DomainGuard
SIEM
Security Information and Event Management: a central store that collects and correlates security logs from many sources. Powerful, heavy, and only as fast as the humans reading it.
SOC — Security Operations Center
The team, internal or outsourced, that watches alerts and runs incident response around the clock. For most SMBs the realistic SOC is their MSP — which is who we build for.
URL filtering
Evaluating and blocking web destinations in real time, before the browser connects, based on risk and policy. The containment field for the web: the bad destination simply never loads.
See: DomainGuard
Zero trust
A security posture that treats every request as unauthenticated until proven otherwise — no network location is trusted by default. Less a product than a discipline; be wary of anyone selling it in a box.