Security terms, in plain English.
An evergreen reference, expanding over time. Each definition is written to be genuinely useful — not keyword-stuffed — and color-coded by the attack surface it belongs to.
BEC — Business Email Compromise
Email -
An attack where a criminal impersonates a trusted party over email — a CEO, vendor, or finance lead — to trick someone into a fraudulent payment or data disclosure. There is usually no malware, which is why default M365/Workspace filters miss it. BEC and funds-transfer fraud are the single largest cyber-insurance claim category for SMBs.
Read: What is BEC? →
ITDR — Identity Threat Detection & Response
Identity -
Detecting and responding to threats against user identities — impossible travel, MFA fatigue, session-token theft, and risky OAuth grants — across identity providers like Entra ID, Google Workspace, and JumpCloud. Identity is now the primary intrusion surface, so ITDR catches the attacks that route around MFA rather than breaking it.
Read: What is ITDR? →
EDR — Endpoint Detection & Response
Endpoint -
Monitoring laptops and servers for malicious behavior — not just known-bad file signatures — and responding by isolating the machine, killing a process, or quarantining a file. EDR catches novel threats that signature antivirus misses, and is the endpoint control cyber-insurance carriers now require across Mac, Windows, and Linux.
Read: EDR vs. MDR →
MDR — Managed Detection & Response
Endpoint -
EDR plus a team that watches it for you around the clock. MDR solves the problem that EDR generates alerts someone must triage at 3 a.m. The trade-off is cost and contract structure built for larger organizations — which is why an AI SOC analyst that provides MDR-style coverage at SMB economics has become the practical alternative.
NHI — Non-Human Identity
AI / Shield-AI -
Any service account, API key, or OAuth-granted application — including AI tools — that can access company data without a human logging in. NHIs are powerful, long-lived, and rarely watched, which makes them an attractive and growing target. Governing them requires an inventory, risk scoring, and periodic attestation.
Read: Shadow AI and NHI →
Shadow AI
AI / Shield-AI -
AI tools used inside a company without IT’s knowledge or approval — pasting customer data into a public chatbot, wiring an AI app to a Drive or repo. It is shadow IT with a data-exfiltration engine attached. Shadow AI has been involved in a measurable share of breaches and adds materially to breach cost.
Read: Shadow AI and NHI →
C2 — Command and Control
DNS / Network -
The channel malware uses to “phone home” to an attacker for instructions, payloads, and data exfiltration. Detecting C2 catches an intrusion in progress — after the foothold but before ransomware deploys. Much of it hides in DNS, where most SMB tools never look.
Read: DNS, C2 & beaconing →
C2 Beaconing
DNS / Network -
Malware checking in with its command-and-control server on a regular interval — every few seconds, minutes, or hours — often with deliberate jitter to look less robotic. The repetitive rhythm of these callouts is itself the detection signal, even when each individual beacon looks innocuous.
Read: DNS, C2 & beaconing →
DGA — Domain Generation Algorithm
DNS / Network -
A technique where malware algorithmically generates large numbers of random-looking domain names and tries them in turn until one resolves to its C2 server. Because the attacker registers only a handful of the candidates, defenders cannot simply block a single address. The resulting stream of high-entropy lookups, most of them answered with NXDOMAIN, is a tell-tale sign of infection at the DNS layer.
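The two DNS-layer signals described in the C2 Beaconing and DGA entries above, run over a small constructed query log. This is an added example and not code from the page or from any product it mentions; the log format, the client addresses and names, and the thresholds (coefficient of variation at or below 0.2 for beaconing, label entropy of 3.5 bits or more with at least half the lookups failing for DGA) are all assumptions.

```python
"""Added example: two DNS-layer detections over a constructed query log.
Beaconing: a client resolving the same name at near-constant intervals.
DGA: a client resolving many high-entropy names that mostly fail (NXDOMAIN).
The log format, hosts, names and thresholds below are all assumptions."""
import math
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <rcode>".
SAMPLE_LOG = """\
2024-03-01T09:00:00 10.0.0.5 update.example-cdn.test NOERROR
2024-03-01T09:00:58 10.0.0.5 update.example-cdn.test NOERROR
2024-03-01T09:02:03 10.0.0.5 update.example-cdn.test NOERROR
2024-03-01T09:03:01 10.0.0.5 update.example-cdn.test NOERROR
2024-03-01T09:03:59 10.0.0.5 update.example-cdn.test NOERROR
2024-03-01T09:00:10 10.0.0.7 www.example.test NOERROR
2024-03-01T09:07:46 10.0.0.7 www.example.test NOERROR
2024-03-01T09:08:02 10.0.0.7 www.example.test NOERROR
2024-03-01T09:30:12 10.0.0.7 www.example.test NOERROR
2024-03-01T09:31:00 10.0.0.7 www.example.test NOERROR
2024-03-01T09:05:00 10.0.0.9 qx7kz2p9vwm3r.test NXDOMAIN
2024-03-01T09:05:01 10.0.0.9 l8tb4nhy2c0sd.test NXDOMAIN
2024-03-01T09:05:02 10.0.0.9 z3mq9wp1kf6vt.test NXDOMAIN
2024-03-01T09:05:03 10.0.0.9 h5ncx8rj2dw4g.test NOERROR
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, client, qname, rcode) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode))
    return records


def beacon_candidates(records, min_hits=4, max_cv=0.2):
    """Flag (client, qname) pairs whose inter-query gaps are unusually regular.
    Regularity = coefficient of variation (stdev / mean) of the gaps: jittered
    beacons still score low, human browsing of the same name scores high."""
    seen = defaultdict(list)
    for ts, client, qname, _rcode in records:
        seen[(client, qname)].append(ts)
    flagged = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        cv = statistics.stdev(gaps) / mean
        if cv <= max_cv:
            flagged[key] = {"hits": len(stamps), "mean_interval": mean, "cv": cv}
    return flagged


def label_entropy(label):
    """Shannon entropy of a DNS label, in bits per character."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def dga_suspects(records, min_entropy=3.5, min_labels=3, min_nxdomain_ratio=0.5):
    """Flag clients resolving several high-entropy registrable labels, most of which
    do not exist. Treats the label left of the TLD as the registrable label, which
    is a simplification: production code needs the public suffix list."""
    per_client = defaultdict(lambda: {"high_entropy": 0, "nxdomain": 0})
    for _ts, client, qname, rcode in records:
        parts = qname.split(".")
        if len(parts) < 2 or label_entropy(parts[-2]) < min_entropy:
            continue
        stats = per_client[client]
        stats["high_entropy"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
    return {
        client: stats
        for client, stats in per_client.items()
        if stats["high_entropy"] >= min_labels
        and stats["nxdomain"] / stats["high_entropy"] >= min_nxdomain_ratio
    }


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for key, info in beacon_candidates(recs).items():
        print("beacon", key, "every %.0fs (cv=%.2f)" % (info["mean_interval"], info["cv"]))
    for client, info in dga_suspects(recs).items():
        print("dga", client, info)
```

On the sample data the 10.0.0.5 client is flagged as a beacon (roughly every 60 seconds despite a few seconds of jitter), the browsing host 10.0.0.7 is not, and 10.0.0.9 is flagged as a DGA suspect. Both detectors need a baseline in practice: update checkers and monitoring agents also beacon, and CDN hostnames can look random, so the output is a triage queue rather than a verdict.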
Impossible Travel
Identity -
An identity-threat signal where a single account signs in from two locations too far apart to have physically traveled between in the elapsed time — e.g., London and New York twenty minutes apart. A strong indicator that a credential or session token has been stolen and is being used by an attacker. Corporate VPN egress points and coarse mobile-carrier geolocation produce false positives, so known egress ranges need to be whitelisted and short hops ignored.
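The impossible-travel check itself, as an added example rather than code from the page or any product it names: implied speed between consecutive sign-ins, computed from great-circle distance. The city coordinates are real; the users, timestamps, the 900 km/h plausibility ceiling and the 100 km floor that suppresses same-metro geolocation jitter are assumptions.

```python
"""Added example: the impossible-travel check over a constructed sign-in log.
Coordinates are real city centres; users, times and thresholds are assumptions."""
import math
from collections import defaultdict
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 900.0   # roughly airliner cruise speed (assumption)
MIN_DISTANCE_KM = 100.0     # ignore IP-geolocation jitter within one metro area

# Constructed sign-in events: (user, timestamp, city, lat, lon).
SAMPLE_SIGNINS = [
    ("alice", "2024-03-01T09:00:00", "London", 51.5074, -0.1278),
    ("alice", "2024-03-01T09:20:00", "New York", 40.7128, -74.0060),
    ("alice", "2024-03-01T14:00:00", "New York", 40.7128, -74.0060),
    ("bob", "2024-03-01T08:00:00", "Seattle", 47.6062, -122.3321),
    ("bob", "2024-03-01T11:00:00", "Portland", 45.5152, -122.6784),
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def impossible_travel(signins, max_kmh=MAX_PLAUSIBLE_KMH, min_km=MIN_DISTANCE_KM):
    """Compare each user's consecutive sign-ins and flag pairs whose implied
    speed exceeds max_kmh. Returns one alert per offending pair."""
    by_user = defaultdict(list)
    for user, ts, city, lat, lon in signins:
        by_user[user].append((datetime.fromisoformat(ts), city, lat, lon))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        for (t1, c1, la1, lo1), (t2, c2, la2, lo2) in zip(events, events[1:]):
            km = haversine_km(la1, lo1, la2, lo2)
            if km < min_km:
                continue
            hours = (t2 - t1).total_seconds() / 3600
            # Simultaneous sign-ins far apart are the clearest case of all.
            kmh = km / hours if hours > 0 else math.inf
            if kmh > max_kmh:
                alerts.append({"user": user, "from": c1, "to": c2,
                               "km": km, "hours": hours, "kmh": kmh})
    return alerts


if __name__ == "__main__":
    for a in impossible_travel(SAMPLE_SIGNINS):
        print("%(user)s: %(from)s -> %(to)s, %(km).0f km in %(hours).2f h (%(kmh).0f km/h)" % a)
```

Alice's London-to-New York pair (about 5,570 km in twenty minutes) is flagged; Bob's Seattle-to-Portland drive is not, and Alice's two New York sign-ins are skipped by the distance floor.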
MFA Fatigue (Push Bombing)
Identity -
An attack (MITRE ATT&CK T1621) where an attacker who already has a valid password floods a user with repeated MFA approval prompts until they tap “approve” to make it stop. It is one of the main ways attackers defeat push-based multi-factor authentication. Requiring number matching in the authenticator app blunts it, and a burst of denied or unanswered prompts followed by an approval is the signal ITDR should catch.
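The detection side of that entry, as an added example that is not from the page or any product it names: a sliding window over each user's MFA prompt results that reports a dense burst of denied or timed-out prompts and whether an approval landed inside the same window. The users, timestamps, result vocabulary, ten-minute window and five-prompt threshold are all assumptions; real events come from the identity provider's sign-in logs.

```python
"""Added example: detecting MFA push bombing over a constructed prompt log.
Users, times, result names, the window and the threshold are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed prompt events: (timestamp, user, result). Results other than
# "approved" are prompts the user denied or let time out.
SAMPLE_PROMPTS = [
    ("2024-03-02T02:58:00", "carol", "timeout"),
    ("2024-03-02T02:59:10", "carol", "timeout"),
    ("2024-03-02T03:00:05", "carol", "denied"),
    ("2024-03-02T03:01:30", "carol", "timeout"),
    ("2024-03-02T03:02:40", "carol", "timeout"),
    ("2024-03-02T03:04:00", "carol", "denied"),
    ("2024-03-02T03:05:15", "carol", "timeout"),
    ("2024-03-02T03:08:00", "carol", "approved"),   # the victim gives in
    ("2024-03-02T09:00:00", "dave", "denied"),      # one mis-tap, then success
    ("2024-03-02T09:00:30", "dave", "approved"),
    ("2024-03-02T12:00:00", "erin", "approved"),
]


def detect_push_bombing(prompts, window_minutes=10, min_rejected=5):
    """For each user, slide a window over their prompts and report the densest
    burst of denied/timed-out prompts at or above min_rejected, noting whether
    an approval landed inside that window (the worst case: the attacker is in)."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for ts, user, result in prompts:
        by_user[user].append((datetime.fromisoformat(ts), result))
    alerts = []
    for user, events in by_user.items():
        events.sort()
        best = None
        for i, (start, _result) in enumerate(events):
            burst = [ev for ev in events[i:] if ev[0] - start <= window]
            rejected = sum(1 for _ts, res in burst if res != "approved")
            if rejected < min_rejected:
                continue
            if best is None or rejected > best["rejected_prompts"]:
                best = {
                    "user": user,
                    "window_start": start,
                    "rejected_prompts": rejected,
                    "approved_in_window": any(res == "approved" for _ts, res in burst),
                }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_push_bombing(SAMPLE_PROMPTS):
        severity = "CRITICAL" if alert["approved_in_window"] else "HIGH"
        print(severity, alert)
```

Carol's seven rejected prompts in ten minutes followed by an approval produce a single alert marked as approved-in-window, which is the case to treat as an active compromise (revoke sessions, reset the password, review what the attacker did next). Dave's lone mis-tap and Erin's normal sign-in stay quiet.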
Dark-Web Exposure
Dark Web -
The presence of a user’s credentials in public breach dumps and dark-web markets. Because credential reuse is a top initial-access vector, continuous exposure monitoring lets you force a reset, step up MFA, or revoke sessions before stolen credentials are used against you.
WAF — Web Application Firewall
Web -
A control that inspects HTTP traffic to your web applications and blocks exploitation attempts (injection, path traversal, and similar request patterns) and abusive bots before they reach the application. Modern WAF orchestration classifies traffic against rule sets such as the OWASP Core Rule Set and maps known CVEs in the exposed stack to virtual-patching rules, shielding web apps from known and emerging attacks while the underlying code is fixed. It is a compensating control, not a substitute for patching.
Cyber-Insurance Readiness
Compliance -
Continuously proving the security controls underwriters require — MFA, EDR, email security, identity threat detection, backups, IR plans, and logging — so a business passes its assessment and improves its terms. With 41% of SMB applications denied on first submission (Coalition 2026), readiness has become a top forcing function in SMB security.
Read: Readiness checklist →
Tool Sprawl
Operations -
The accumulation of many separate, single-purpose security tools — each with its own console, alerts, and blind spots. With most organizations running 10+ tools yet few reaching security maturity, sprawl creates gaps between products that attackers exploit. Consolidation onto one correlating platform is the response.
Read: Tool consolidation →
See your whole fleet, contained.
Get a guided demo of Centeye across your client tenants — and a plain-English read on where you stand today.