Stop googling acronyms: Cybersecurity 101 glossary for 2026

Introduction

If you had to explain the difference between XDR and MDR in a vendor meeting right now, without checking your notes — what would you say?

Cybercrime is projected to cost the global economy $10.5 trillion annually by 2026. A significant share of that damage traces back to misconfigured tools, misapplied policies, and decisions made without full context. The terminology is where the gaps begin.

This cybersecurity glossary for 2026 covers the terms that matter — Zero Trust, PAM, XDR, CTEM, DSPM, PQC — organized by business function, not alphabetically. Every definition includes the business context that vendor datasheets leave out.


Key takeaways

  • IAM vs. PAM: IAM governs all user access; PAM specifically secures privileged (admin-level) accounts — the higher-value target.
  • EDR vs. XDR vs. MDR: EDR covers endpoints; XDR extends visibility across the full environment; MDR is a managed service where a vendor's team runs either.
  • SIEM vs. SOAR: SIEM aggregates and correlates logs to surface alerts; SOAR automates the response workflows those alerts trigger.
  • CTEM and DSPM are the two 2026 terms appearing most frequently in board-level security conversations — both are covered in full below.
  • Shadow AI and PQC are no longer future concerns. Both require policy decisions now.

Identity and access management

Identity is the new perimeter. With the average cost of a data breach reaching $4.44 million in 2025, and stolen or misused credentials among the most common initial access vectors, this category is the foundation of any security program.

  • IAM (Identity and Access Management) — the overarching framework for managing who can access which resources, under what conditions. IAM covers authentication, authorization, and the lifecycle of user accounts across the organization. Every other term in this section is a subset or extension of IAM.
  • PAM (Privileged Access Management) — a specialized discipline within IAM focused on accounts with elevated permissions: domain admins, root users, service accounts. A single compromised admin credential gives an attacker full control over infrastructure. PAM tools enforce session recording, just-in-time access, and credential vaulting for these accounts. For a detailed breakdown, see the Passwork guide on privileged access management.
  • Zero Trust — an architecture principle, not a product. The core rule: every access request is verified regardless of origin, including requests from inside the corporate network. Zero Trust requires MFA, least-privilege access, and continuous session monitoring. Vendors sell "Zero Trust solutions" — what they mean is tools that help implement the principle.
  • MFA (Multi-Factor Authentication) and passkeys — MFA requires a second verification factor beyond a password. Passkeys go further: they replace passwords with cryptographic key pairs stored on the user's device. Because each key is bound to the site's origin, a credential captured by a look-alike domain cannot be replayed against the real one, which is what makes passkeys phishing-resistant (not attack-proof: a stolen session cookie still works after login). The shift toward passkeys is accelerating as FIDO2/WebAuthn adoption grows across enterprise platforms.
  • SSO (Single Sign-On) — a mechanism that lets users authenticate once — typically against a central identity provider (IdP) such as Okta, Microsoft Entra ID (formerly Azure AD), or Google Workspace — and access multiple applications without re-entering credentials. When combined with MFA, it reduces the number of authentication entry points an attacker can target — instead of dozens of app-level logins, there is one. The trade-off is concentration: the IdP becomes the single most valuable target, so it needs the strongest controls.
  • RBAC (Role-Based Access Control) — assigns permissions based on job role rather than individual identity. A finance analyst gets access to finance systems; a developer gets access to code repositories. RBAC is the standard model for enforcing least privilege at scale.
  • ABAC (Attribute-Based Access Control) — an access control model that grants permissions based on attributes — properties of the user (role, department, clearance level), the resource (classification, owner, type), and the environment (time of day, location, device state). Unlike RBAC, which assigns permissions to roles, ABAC evaluates a combination of attributes against a policy at the moment of each access request.
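
The RBAC/ABAC distinction above is easiest to see on one request evaluated both ways. The following is an added example written for this glossary (not Passwork's code): a two-role RBAC table and a small ordered ABAC policy evaluated against constructed requests. The roles, rule set, business-hours window and department names are assumptions for illustration.

```python
"""RBAC versus ABAC, evaluated on the same requests (added example, not page code)."""
from dataclasses import dataclass, field
from datetime import time

# --- RBAC: permissions attach to roles; nothing else is consulted ------------
ROLE_PERMISSIONS = {                      # assumed role catalogue
    "finance-analyst": {"ledger:read", "ledger:export"},
    "developer": {"repo:read", "repo:write"},
}

def rbac_allows(roles, action):
    """Allow when any of the subject's roles carries the requested action."""
    return any(action in ROLE_PERMISSIONS.get(role, set()) for role in roles)

# --- ABAC: subject, resource and environment attributes against a policy -----
@dataclass
class Request:
    subject: dict    # roles, department, ...
    resource: dict   # classification, owner_department, ...
    action: str
    env: dict = field(default_factory=dict)  # local_time, mfa, device_compliant, ...

def restricted_needs_strong_session(req):
    """Restricted data may only be touched from an MFA-verified, compliant device."""
    return (req.resource.get("classification") == "restricted"
            and not (req.env.get("mfa") and req.env.get("device_compliant")))

def export_only_in_business_hours(req):
    """Bulk exports are denied outside 07:00-19:00 local time (assumed policy)."""
    now = req.env.get("local_time", time(0, 0))
    return req.action.endswith(":export") and not time(7, 0) <= now <= time(19, 0)

def department_must_match(req):
    """A subject may only reach resources owned by its own department."""
    return req.subject.get("department") != req.resource.get("owner_department")

def role_carries_action(req):
    """ABAC still uses the role, but only as one attribute among several."""
    return rbac_allows(req.subject.get("roles", ()), req.action)

# Ordered policy: the first matching rule decides; no match means deny (default-deny).
POLICY = [
    ("deny", restricted_needs_strong_session),
    ("deny", export_only_in_business_hours),
    ("deny", department_must_match),
    ("permit", role_carries_action),
]

def abac_decision(req):
    """Evaluate the request at access time; return (effect, name of deciding rule)."""
    for effect, rule in POLICY:
        if rule(req):
            return effect, rule.__name__
    return "deny", "default_deny"

def compare(req):
    """Side-by-side outcome: RBAC sees only the role; ABAC sees the whole context."""
    return {
        "rbac": "permit" if rbac_allows(req.subject.get("roles", ()), req.action) else "deny",
        "abac": abac_decision(req),
    }

# Constructed subject and resource for the comparison.
ANALYST = {"roles": ["finance-analyst"], "department": "finance"}
LEDGER = {"classification": "restricted", "owner_department": "finance"}

def analyst_export(hour, mfa=True, device_compliant=True):
    """Build an analyst's ledger:export request at a given hour with the given session state."""
    return Request(ANALYST, LEDGER, "ledger:export",
                   {"local_time": time(hour, 0), "mfa": mfa, "device_compliant": device_compliant})

if __name__ == "__main__":
    print(compare(analyst_export(10)))                         # both permit
    print(compare(analyst_export(10, device_compliant=False))) # RBAC permit, ABAC deny
    print(compare(analyst_export(2)))                          # RBAC permit, ABAC deny (off hours)
```

The second and third requests are the point: the role has not changed, so RBAC permits the export, while ABAC denies it because the device is unmanaged or the request is outside business hours. Returning the deciding rule's name alongside the effect is worth keeping in a real policy engine; it is what makes the audit log explain itself.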

Threat detection and incident response

EDR, XDR, and MDR are the three acronyms most often confused with one another. The short version: EDR monitors endpoints; XDR extends that visibility across network, cloud, email, and identity; MDR is a managed service in which a third-party team operates EDR or XDR on your behalf. The distinction matters when you're evaluating vendors, because the first two are tools and the third is a staffing model.

  • EDR (Endpoint Detection and Response) — monitors laptops, servers, and workstations for malicious behavior in real time. EDR tools detect threats that signature-based antivirus misses — fileless attacks, lateral movement, living-off-the-land techniques. The internal security team manages it.
  • XDR (Extended Detection and Response) — extends EDR's visibility across the full environment: network traffic, cloud workloads, email, and identity systems. XDR correlates signals from multiple sources to surface multi-stage attacks that would appear as isolated anomalies in siloed tools.
  • MDR (Managed Detection and Response) — EDR or XDR delivered as a managed service. The vendor's analysts handle detection, triage, and initial response. MDR is the answer for organizations that lack the internal headcount to staff a 24/7 SOC — a real constraint given the global shortfall of roughly 4.8 million cybersecurity professionals.
  • SIEM (Security Information and Event Management) — aggregates and correlates logs from every system in the environment: firewalls, endpoints, identity providers, cloud platforms. SIEM surfaces anomalies and generates alerts. It does not act on them.
  • SOAR (Security Orchestration, Automation, and Response) — automates the response workflows that SIEM alerts trigger. When SIEM flags a suspicious login, SOAR can automatically disable the account, notify the analyst, and open a ticket — without human intervention. SIEM detects; SOAR acts.
  • SOC (Security Operations Center) — the team, internal or outsourced, that monitors SIEM alerts, investigates incidents, and coordinates response. A SOC without SOAR automation is a team drowning in alerts.
  • DevSecOps — a development practice that integrates security controls directly into the CI/CD pipeline rather than treating them as a separate phase after deployment. Static code analysis, dependency scanning, secrets detection, and container image checks run automatically at each stage of the build. The goal is to catch vulnerabilities at the point where they are cheapest to fix — in the code, before it reaches production.
  • TTP (Tactics, Techniques, and Procedures) — the behavioral fingerprint of a threat actor. TTPs describe how attackers operate, mapped to frameworks like MITRE ATT&CK. Sharing TTP intelligence between organizations is the foundation of threat intelligence programs.
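
The SIEM/SOAR split described above ("SIEM detects; SOAR acts") is concrete enough to run. What follows is an added example written for this glossary, not code from the page or from any SIEM or SOAR product: a parser for constructed identity-provider log lines, one correlation rule (a run of failed logins followed by a success from the same user and source address), and a playbook runner whose connectors are in-memory stand-ins for the account, firewall and ticketing APIs a real SOAR would call. The log format, threshold, window and action names are all assumptions.

```python
"""SIEM-style correlation feeding a SOAR-style playbook (added example, not page code)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed identity-provider log lines; nothing here is real traffic.
RAW_LOGS = """\
2026-02-03T09:00:05Z user=alice ip=203.0.113.7 result=FAIL
2026-02-03T09:00:09Z user=alice ip=203.0.113.7 result=FAIL
2026-02-03T09:00:14Z user=alice ip=203.0.113.7 result=FAIL
2026-02-03T09:00:19Z user=alice ip=203.0.113.7 result=FAIL
2026-02-03T09:00:25Z user=alice ip=203.0.113.7 result=FAIL
2026-02-03T09:00:31Z user=alice ip=203.0.113.7 result=SUCCESS
2026-02-03T09:02:00Z user=bob ip=198.51.100.4 result=FAIL
2026-02-03T09:03:00Z user=bob ip=198.51.100.4 result=SUCCESS
garbage line the parser must survive
"""

LOG_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>FAIL|SUCCESS)")

def parse(raw):
    """Normalise raw lines into dicts; lines that do not match are dropped (a real SIEM counts them)."""
    events = []
    for line in raw.splitlines():
        m = LOG_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events

def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Detection rule: at least `threshold` failures for one (user, ip) inside `window`,
    followed by a success from the same pair. Single failures and clean logins never alert."""
    alerts = []
    failures = defaultdict(list)  # (user, ip) -> failure timestamps still inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["ip"])
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if ev["result"] == "FAIL":
            recent.append(ev["ts"])
        else:  # a SUCCESS closes the failure run, alerting if the run was long enough
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_then_success", "severity": "high",
                               "user": ev["user"], "ip": ev["ip"],
                               "failures": len(recent), "at": ev["ts"].isoformat()})
            recent = []
        failures[key] = recent
    return alerts

class Soar:
    """Playbook runner. The connectors are in-memory stand-ins for the IdP, firewall and
    ticketing APIs a real SOAR would call; every action is written to an audit trail."""
    def __init__(self):
        self.disabled_users, self.blocked_ips = set(), set()
        self.tickets, self.notifications, self.audit = [], [], []

    def run(self, alert):
        actions = []
        if alert["severity"] == "high":   # containment only for high-severity alerts
            self.disabled_users.add(alert["user"])
            actions.append(f"disable_account:{alert['user']}")
            self.blocked_ips.add(alert["ip"])
            actions.append(f"block_ip:{alert['ip']}")
        ticket = f"INC-{len(self.tickets) + 1:04d}"
        self.tickets.append((ticket, alert["rule"], alert["user"]))
        actions.append(f"open_ticket:{ticket}")
        self.notifications.append(f"[{alert['severity'].upper()}] {alert['rule']} {alert['user']} -> {ticket}")
        actions.append("notify_analyst")
        self.audit.append((alert, actions))
        return actions

def detect_and_respond(raw_logs):
    """SIEM half: parse and correlate. SOAR half: run the playbook on each alert."""
    soar = Soar()
    alerts = correlate(parse(raw_logs))
    return alerts, [soar.run(a) for a in alerts], soar

if __name__ == "__main__":
    alerts, actions, _ = detect_and_respond(RAW_LOGS)
    for a, acts in zip(alerts, actions):
        print(a["user"], a["ip"], a["failures"], "failures ->", acts)
```

Two design points carry over to real deployments. The correlation keys on (user, source IP) and a time window, so bob's single failed attempt never reaches the playbook, which is the difference between an alert queue an analyst can work and one that buries them. And the playbook only contains (disable, block) on high severity; lower-severity alerts still get a ticket and a notification, because an automated account lockout is itself a denial-of-service primitive an attacker can trigger on purpose.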

Cloud security and data posture

Cloud environments dissolve the traditional network boundary. The terms in this section address how organizations protect data that lives outside their own data centers — and increasingly, data they didn't know they had.

  • CNAPP (Cloud-Native Application Protection Platform) — unifies cloud workload protection, container security, infrastructure-as-code scanning, and API security into a single platform. CNAPP replaces the previous generation of point tools — CSPM (Cloud Security Posture Management, which checks infrastructure configuration) and CWPP (Cloud Workload Protection Platform, which protects running workloads) — with an integrated view of cloud risk.
  • DSPM (Data Security Posture Management) — one of the defining security priorities of 2025–2026. DSPM discovers, classifies, and assesses risk for data across cloud and hybrid environments — including shadow data that organizations didn't know existed. Where CSPM asks "is the infrastructure configured securely?", DSPM asks "where is sensitive data, and who can reach it?"
  • CASB (Cloud Access Security Broker) — the security checkpoint between users and cloud services like Microsoft 365, Google Workspace, or Salesforce. CASB enforces data policies, detects anomalous access, and provides visibility into shadow IT application usage.
  • DLP (Data Loss Prevention) — monitors and blocks sensitive data from leaving the organization through email, file uploads, USB transfers, or cloud sync. DLP is the enforcement layer; DSPM is the discovery and classification layer.
  • CIEM (Cloud Infrastructure Entitlement Management) — manages and right-sizes permissions in cloud environments, where over-provisioned IAM roles are one of the most common misconfigurations. CIEM identifies which identities have access to what cloud resources — and flags permissions that exceed what's actually needed.
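
The CIEM right-sizing described above is an analysis that can be shown end to end. The following is an added example for this glossary, not code from the page or from any CIEM product: it expands the wildcard actions in a constructed AWS-style IAM policy against a small assumed action catalogue, compares the result with a constructed CloudTrail-style activity log, and emits the unused permissions, the high-risk subset, and a minimized policy. The policy, the activity records, the catalogue and the high-risk list are all constructed for illustration; a real tool carries the provider's full action list.

```python
"""CIEM-style permission right-sizing (added example, not page code)."""
import fnmatch
import json
from collections import Counter

# Assumed subset of the provider's action catalogue (constructed for the example).
ACTION_CATALOG = [
    "s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket", "s3:DeleteBucket",
    "iam:PassRole", "iam:CreateUser", "iam:AttachUserPolicy",
    "ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances",
]

# Constructed policy attached to a CI role; broad wildcards are the typical misconfiguration.
POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateUser"], "Resource": "*"},
]}

# Constructed 90-day activity (CloudTrail-style eventSource + eventName).
ACTIVITY = [
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "PutObject"},
    {"eventSource": "s3.amazonaws.com", "eventName": "GetObject"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances"},
    {"eventSource": "iam.amazonaws.com", "eventName": "PassRole"},
]

# Assumed list of actions whose mere presence on an unused path is worth an alert.
HIGH_RISK = {"iam:CreateUser", "iam:AttachUserPolicy", "s3:DeleteBucket", "ec2:TerminateInstances"}

def granted_actions(policy):
    """Expand wildcard patterns in every Allow statement against the catalogue."""
    granted = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow":
            continue
        patterns = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        for pattern in patterns:
            granted.update(a for a in ACTION_CATALOG if fnmatch.fnmatchcase(a, pattern))
    return granted

def used_actions(activity):
    """CloudTrail records service and API name separately; normalise to 'service:Action'."""
    return Counter(f"{ev['eventSource'].split('.')[0]}:{ev['eventName']}" for ev in activity)

def right_size(policy, activity):
    """Compare granted with observed and return the findings plus a minimized policy."""
    granted = granted_actions(policy)
    used = used_actions(activity)
    unused = granted - set(used)
    return {
        "granted": sorted(granted),
        "used": dict(sorted(used.items())),
        "unused": sorted(unused),
        "high_risk_unused": sorted(unused & HIGH_RISK),
        # Only the observed actions survive; Resource is left as-is because scoping it
        # needs the ARNs from the log, which is the next step, not this one.
        "least_privilege_policy": {"Version": "2012-10-17", "Statement": [
            {"Effect": "Allow", "Action": sorted(set(used) & granted), "Resource": "*"}]},
    }

if __name__ == "__main__":
    print(json.dumps(right_size(POLICY, ACTIVITY), indent=2))
```

The caveat a practitioner would add before cutting a policy from this output: the observation window has to cover the role's slowest job. An action unused in 90 days may be the one a quarterly reconciliation depends on, so the recommended policy is a starting point for review rather than something to apply unattended.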

Emerging threats and AI security — the 2026 additions

87% of security leaders identify AI-related vulnerabilities as the fastest-growing cyber threat in 2026, according to the WEF Global Cybersecurity Outlook. The terms below are already appearing in board-level conversations and vendor pitches. Understanding them now prevents expensive course corrections later.

  • CTEM (Continuous Threat Exposure Management) — a five-stage framework coined by Gartner in 2022 for continuously discovering, prioritizing, and remediating exposure across the attack surface. CTEM moves beyond relying on point-in-time penetration tests — which leave organizations exposed between assessments — to an ongoing cycle of scoping, discovery, prioritization, validation, and mobilization; penetration testing still has a place inside the validation stage. Gartner projects that organizations with CTEM programs will suffer two-thirds fewer breaches by 2026.
  • Shadow AI — the unsanctioned use of generative AI tools (ChatGPT, Microsoft Copilot, Google Gemini) by employees without IT approval or governance. Sensitive data entered into consumer AI tools may be used for model training, retained by the vendor, or exposed in data leaks. 97% of organizations that reported an AI-related security incident lacked proper AI access controls or governance policies, per IBM's 2025 Cost of a Data Breach Report. Shadow AI is the 2026 equivalent of shadow IT — and requires the same policy response.
  • LLM Security — the discipline of securing large language model deployments against prompt injection attacks, training data leakage, and model poisoning. As organizations deploy AI-powered tools internally, LLM security becomes an operational concern, not a research topic.
  • MCP (Model Context Protocol) — an open standard developed by Anthropic for how AI agents interact with external systems, tools, and data sources. Organizations deploying AI-powered security tools or autonomous agents need to understand MCP as the emerging integration layer — and the new attack surface it introduces.
  • PQC (Post-Quantum Cryptography) — cryptographic algorithms designed to resist attacks from quantum computers, which would break the RSA and elliptic-curve public-key algorithms behind today's key exchange and digital signatures (symmetric ciphers such as AES are far less affected and mainly need larger keys). NIST finalized the first PQC standards in 2024: FIPS 203 (ML-KEM, key encapsulation), FIPS 204 (ML-DSA, signatures), and FIPS 205 (SLH-DSA, signatures). Organizations don't need to panic — but they do need to begin a cryptographic inventory: identifying which systems rely on vulnerable algorithms and planning migration timelines. The reason to start now rather than when a quantum computer appears is "harvest now, decrypt later": traffic recorded today can be decrypted once the capability exists, so long-lived secrets are already at risk.
  • QKD (Quantum Key Distribution) — a method of distributing encryption keys using quantum mechanical properties, making interception detectable. QKD is sometimes positioned as complementary to PQC and is deployed in some high-security government and financial contexts, but it needs dedicated fibre or line-of-sight links and specialised hardware, and it does not by itself authenticate the parties, so agencies such as the NSA and the UK NCSC steer organizations toward PQC rather than QKD for general use.

Compliance and governance

Security frameworks and regulations drive purchasing decisions, audit requirements, and board-level reporting. Knowing the acronyms prevents compliance theater — checkbox activity that satisfies auditors without reducing actual risk.

  • GRC (Governance, Risk, and Compliance) — the integrated framework for aligning security programs with business objectives and regulatory obligations. GRC platforms aggregate risk data, track control effectiveness, and generate audit evidence across multiple frameworks simultaneously.
  • NIST CSF (NIST Cybersecurity Framework) — the U.S. government's voluntary framework for managing cybersecurity risk, organized around six functions: Identify, Protect, Detect, Respond, Recover, and Govern.
  • ISO 27001 — the international standard for information security management systems (ISMS). Certification requires documented policies, risk assessments, and evidence of control implementation. ISO 27001 is the baseline credential for enterprise security programs operating across multiple jurisdictions.
  • SOC 2 — an audit standard for service organizations demonstrating that controls meet one or more of the five AICPA Trust Services Criteria: security (mandatory), availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports cover a period of time (typically 6–12 months), not a point-in-time snapshot. Relevant for any SaaS vendor or cloud provider handling customer data.
  • NIS2 — the EU's updated Network and Information Security Directive, which member states had to transpose into national law by 17 October 2024. NIS2 expands compliance obligations to 18 sectors (up from 7 under NIS1), introduces direct liability for C-level executives, and mandates staged incident reporting to national authorities: an early warning within 24 hours of becoming aware of a significant incident, a full notification within 72 hours, and a final report within one month. Organizations operating in the EU that haven't assessed their NIS2 obligations are already behind.
  • GDPR / HIPAA — the two most-referenced data protection regulations. GDPR (General Data Protection Regulation) governs the handling of personal data of individuals in the EU, regardless of where the processing organization is based. HIPAA (Health Insurance Portability and Accountability Act) governs protected health information in the U.S. Both carry significant financial penalties and require documented access controls, breach notification procedures, and data minimization practices.

Conclusion

Knowing the terminology is the foundation — but the real work is implementation. The terms in this cybersecurity glossary for 2026 map directly to decisions: which tools to buy, which frameworks to adopt, which risks to prioritize in the next budget cycle.

The credential layer sits at the intersection of IAM, PAM, and Zero Trust — and it's where most breaches begin. Passwork addresses this layer directly: a self-hosted password manager with role-based access control, full audit logs, and zero-knowledge encryption, deployed entirely within your own infrastructure. For organizations with strict data sovereignty requirements, the self-hosted deployment model keeps all credential data under your control, with no dependency on third-party cloud services.

Passwork is ISO/IEC 27001 certified and compliant with GDPR and NIS2. Deploy it on your own infrastructure, keep full control over your data, and test all features free. Start your trial → passwork.pro

Frequently asked questions

What is the difference between EDR, MDR, and XDR?

EDR monitors endpoints for threats and is managed by the internal security team. XDR extends that visibility across network, cloud, email, and identity systems, correlating signals into a unified view. MDR is a managed service where a third-party vendor's analysts operate EDR or XDR on your behalf, handling detection and initial response.

Why is PAM considered more critical than standard IAM?

PAM secures privileged accounts — admin credentials that grant full control over infrastructure. A single compromised admin account can enable complete network takeover, ransomware deployment, or data exfiltration at scale. Standard IAM governs all users; PAM governs the accounts where a breach causes maximum damage.

What does Zero Trust mean in practice?

Zero Trust means every access request is verified regardless of where it originates — including requests from inside the corporate network. In practice, implementation requires MFA on all accounts, least-privilege access policies, network microsegmentation, and continuous monitoring of active sessions for anomalous behavior.

What is CTEM and why is Gartner pushing it?

CTEM (Continuous Threat Exposure Management) is a five-stage framework for continuously assessing and reducing an organization's attack surface. Gartner recommends it because annual penetration tests leave organizations exposed for months between assessments. CTEM turns exposure management into an ongoing operational process rather than a periodic event.

What is Shadow AI and why is it a security risk?

Shadow AI refers to employees using generative AI tools — ChatGPT, Copilot, Gemini — without IT approval or data governance controls. Sensitive business data entered into consumer AI platforms may be retained, used for training, or exposed in breaches. IBM's 2025 data shows 97% of organizations with AI-related incidents lacked proper AI access controls.

What is the difference between SIEM and SOAR?

SIEM aggregates logs from all systems and correlates them to surface security alerts. SOAR automates the response actions those alerts require — disabling accounts, blocking IPs, creating tickets, notifying analysts. SIEM is the detection layer; SOAR is the response layer. Most modern security programs need both.

Is PQC something organizations need to worry about now?

Yes — not to deploy immediately, but to plan. NIST finalized the first post-quantum cryptography standards in 2024. Organizations should conduct a cryptographic inventory now: identify systems relying on RSA or ECC encryption and assess migration complexity. Quantum computers capable of breaking current encryption are not imminent, but migration timelines are long.
