An AI SOC is a security operations center that uses AI agents to investigate alerts, gather context from existing security tools, and produce conclusions, replacing or augmenting the manual work traditionally done by human Tier-1 and Tier-2 analysts.
An AI SOC platform is software that uses AI agents to autonomously investigate security alerts, correlate data from multiple sources, and produce documented conclusions with supporting evidence, augmenting or replacing the work of human SOC analysts.
Agentic AI in cybersecurity refers to AI systems that reason, plan, decide, and act across security workflows with limited human intervention, going beyond single-prompt assistants to autonomous agents that carry out multi-step investigations and responses.
An agentic SOC is a security operations center architecture built around multiple autonomous AI agents that reason, plan, and act on security investigations, as opposed to rule-based automation or single-purpose AI tools.
An AI SOC agent is an autonomous AI system that takes specific investigative actions in a security operations workflow, for example, a phishing investigation agent, an identity context agent, or an alert triage agent.
An AI SOC analyst is an AI agent that performs the alert investigation work traditionally done by a human SOC analyst, receiving alerts, gathering context, correlating data, and producing a verdict with supporting evidence.
An AI SOC maturity model is a staged framework describing how a security operations center progressively adopts AI, typically moving from foundational readiness, through deploying ready-made agents, to customizing agents, and finally orchestrating multiple agents as a coordinated system.
An AI-ready data layer is a unified, normalized, context-enriched view of security telemetry that AI agents can reason over, the data foundation some vendors argue must exist before agentic security operations can work.
An autonomous SOC is a security operations center where AI agents independently complete most or all investigation work, receiving alerts, gathering evidence, producing verdicts, and triggering responses, with humans in oversight roles rather than execution roles.
Bounded autonomy is the principle that AI security agents operate independently only within explicitly defined limits (what they can access, which actions they can take, and under what conditions), set and enforced by the organization.
Human-in-control is a security operating model in which AI agents perform investigation and response work autonomously, but humans retain authority over scope, high-impact decisions, and oversight, distinct from "human-in-the-loop," which implies humans approve each individual step.
Multi-agent orchestration is the coordination of multiple specialized AI agents (triage, investigation, response, hunting) so they share context and hand off work across a security workflow, rather than operating in isolation.
Agent Zero is Command Zero's autonomous investigation agent, the AI persona that conducts end-to-end security investigations using Governed AI and the Question-based method, producing documented verdicts customers can audit, verify, and act on.
Direct-to-data is a security architecture pattern where the analyst tool queries data directly from its source (SIEM, EDR, identity provider, cloud platform) rather than retrieving it from a vendor-controlled intermediate store.
Encoded Expertise is Command Zero's framing for the practice of capturing senior SOC analyst knowledge as reusable investigation questions, turning individual expert intuition into organizational capability that scales across every analyst and every investigation.
A Federated Data Model is an architecture in which a security platform queries data directly from existing sources (SIEM, EDR, identity provider, email gateway, cloud) through read-only APIs, without ingesting, normalizing, or storing the data in a central repository.
The full investigation lifecycle is the complete path of a security investigation from the initial alert through final verdict, including Tier-1 triage, Tier-2 enrichment, Tier-3 root-cause analysis, and proactive threat hunting.
Governed AI is an AI system whose actions, decisions, and reasoning are visible, auditable, and reproducible, where the human operator retains explicit control over what the AI can and cannot do, and every step is traceable to its inputs.
Knowledge compounds is Command Zero's framing for the effect that occurs when investigation expertise is captured in reusable form: every new question, finding, and case adds permanent capability to the team rather than being lost to memory.
The Question-based method is Command Zero's approach to AI-driven security investigation: every investigation is structured as a sequence of expert-authored questions that AI agents execute against customer data sources, producing a transparent and reproducible verdict.
Agentic SOAR is a security orchestration and response approach that combines traditional rule-based playbooks with AI agents that reason about context and decide dynamically, positioned as the successor to playbook-only SOAR.
EDR (Endpoint Detection and Response) is a category of security software that monitors endpoint devices (laptops, desktops, servers) for malicious activity and provides investigation and response capabilities when threats are detected.
ITDR (Identity Threat Detection and Response) is a security category focused specifically on threats targeting identity infrastructure: credential theft, account takeover, privilege escalation, and identity-based lateral movement.
MDR (Managed Detection and Response) is a security service in which a vendor monitors, investigates, and responds to threats on the customer's behalf, providing the SOC function as an outsourced service rather than software.
An MSSP (Managed Security Service Provider) is a vendor that operates security tools and processes on the customer's behalf, typically including some combination of firewall management, vulnerability management, SIEM operation, and security monitoring.
A SIEM (Security Information and Event Management) is a security platform that ingests, normalizes, stores, and searches security log data from across an organization's infrastructure, providing the central detection and historical record for the SOC.
SOAR (Security Orchestration, Automation, and Response) is a category of security software that automates security workflows using customer-authored playbooks, scripted sequences that execute the same response steps each time a specific alert type appears.
UEBA (User and Entity Behavior Analytics) is a category of security analytics that establishes baseline patterns of normal behavior for users, devices, and applications, then flags deviations as potential threats.
XDR (Extended Detection and Response) is a security platform that combines telemetry from endpoint, network, identity, email, and cloud sources into a unified detection and investigation surface, typically delivered by a single vendor with proprietary detection content.
Detection engineering is the discipline of building, testing, tuning, and maintaining the rules, models, and analytics that produce security alerts, the upstream work that determines what the SOC sees and what it misses.
A SOC (security operations center) is a team, and the tools that team uses, responsible for detecting, investigating, and responding to cybersecurity threats targeting an organization.
A SOC analyst is a security professional who monitors, investigates, and responds to cybersecurity alerts, the human operator inside a security operations center who decides whether an alert represents a real threat and what to do about it.
A SOC Tier 1 analyst is the entry-level role in a security operations center, responsible for the initial triage of incoming security alerts, deciding which alerts represent real threats, dismissing false positives, and escalating cases that require deeper investigation.
A SOC Tier 2 analyst investigates the alerts escalated by Tier 1, performing deeper correlation across data sources, determining root cause, scoping the incident, and recommending response actions.
A SOC Tier 3 analyst is a senior security practitioner who handles the most complex investigations (advanced persistent threats, novel attack techniques, insider cases, breach response) and contributes to detection engineering, threat hunting, and SOC strategy.
The labor gap is the shortfall between the number of cybersecurity roles organizations need to fill and the available qualified workforce, estimated at more than 4 million unfilled positions globally, and widening each year.
The response gap is the widening difference between the speed at which adversaries operate and the speed at which human-driven security teams can detect, investigate, and contain, driven by breakout times now measured in under a minute.
The skills gap is the shortfall between the advanced expertise modern threats demand and the expertise most security teams actually possess, with a majority of organizations reporting their teams lack the depth to counter current attacks.
Alert fatigue is the cognitive and emotional exhaustion SOC analysts experience from triaging large volumes of low-quality security alerts, the dominant factor in SOC burnout, turnover, and missed threats.
Alert triage is the SOC process of evaluating incoming security alerts to determine which ones represent real threats, which are false positives, and which require deeper investigation, typically performed first by Tier-1 analysts.
CVE and exploitability analysis is the process of evaluating newly disclosed vulnerabilities (CVEs) against a specific environment, determining whether the vulnerability is present, whether a working exploit exists, and what business impact a successful exploit would have, to prioritize remediation.
Detection triage is the process of analyzing security detections to separate true threats from noise, classifying each detection, assessing its severity and context, and deciding whether it warrants escalation or can be dismissed.
A false positive is a security alert that turns out not to represent a real threat: the detection logic fired, but no malicious activity occurred. False positives consume analyst time and drive alert fatigue.
Incident response is the structured process a security team follows when a confirmed security incident is identified, containing the threat, eradicating the adversary, recovering affected systems, and learning from the event to prevent recurrence.
Malware analysis is the examination of malicious software to determine its behavior, capabilities, origin, and indicators, through static analysis (inspecting the file), dynamic analysis (detonating it in a sandbox), and correlation against known threat intelligence.
Threat hunting is the proactive search for active threats inside an environment, without waiting for an alert to fire, typically driven by a hypothesis about adversary behavior, a piece of threat intelligence, or an unexplained anomaly.
A true positive is a security alert that correctly identifies real malicious activity: the detection logic fired and the underlying threat exists, requiring response.
An insider threat is a security risk originating from someone with legitimate access to an organization's systems (an employee, contractor, or partner) who misuses that access intentionally or whose credentials are compromised by an external actor.
An IOC (Indicator of Compromise) is a piece of forensic evidence (a file hash, IP address, domain name, registry key, or behavior pattern) that indicates a system has been compromised or a specific adversary is present.
MITRE ATT&CK is a knowledge base of adversary tactics, techniques, and procedures (TTPs) maintained by the MITRE Corporation, the standard taxonomy security teams use to classify attack behavior and map detection coverage.
Prompt injection is an attack against AI systems in which an adversary embeds malicious instructions in content the AI processes, causing the AI to ignore its original instructions, leak data, or take unauthorized actions.
TTPs (Tactics, Techniques, and Procedures) are the patterns of behavior that describe how an adversary operates: the strategic goals (tactics), the methods used to achieve them (techniques), and the specific implementation details (procedures).
A YARA rule is a pattern-matching signature used to identify and classify malware based on textual or binary characteristics, enabling defenders to detect an entire malware family rather than a single sample.
Breakout time is the elapsed time between an adversary's initial compromise of one system and their first lateral movement to another, a key measure of how quickly defenders must respond to contain an intrusion before it spreads.
MTTD (mean time to detect) is the average elapsed time between the moment an adversary first compromises a system and the moment the security team becomes aware of the compromise, a primary measure of detection effectiveness.
MTTR (mean time to respond) is the average elapsed time between the moment a security team becomes aware of a confirmed incident and the moment containment is achieved, a primary measure of response effectiveness.