Endpoint Security Glossary: Key Terms and Definitions

Endpoint security encompasses a specialized vocabulary drawn from network architecture, threat intelligence, regulatory compliance, and incident response disciplines. This glossary defines the core terms used across the endpoint protection sector — from foundational concepts like agents and telemetry to advanced constructs like behavioral analytics and zero-trust segmentation. Professionals evaluating platforms, auditing controls, or interpreting compliance requirements will encounter these terms across vendor documentation, NIST publications, and regulatory guidance frameworks.

Definition and scope

The endpoint security domain operates across a defined technical and regulatory perimeter. Endpoints — the physical and virtual devices that connect to a network — are governed by controls described in standards such as NIST SP 800-53 Rev. 5 and the CIS Controls v8. The terms below are organized by functional category rather than alphabetical order, reflecting how practitioners encounter them in the context of endpoint security defined and related operational frameworks.

Core architectural terms:

Endpoint — Any device that communicates with a network: workstations, servers, mobile phones, tablets, IoT sensors, and operational technology (OT) nodes. NIST defines an endpoint as a "device that connects to and communicates over a network" (NIST SP 800-41, Rev. 1).
Agent — Lightweight software installed on an endpoint to collect telemetry, enforce policies, or execute response actions. Agentless architectures rely on network-level scanning rather than on-device software.
Telemetry — Structured data streams generated by an endpoint agent, including process execution logs, file modifications, registry changes, and network connections. Telemetry volume and fidelity directly affect detection latency.
Attack surface — The total set of exploitable vectors across all endpoints. The endpoint threat landscape expands the attack surface as device counts grow.
Threat vector — A specific pathway used to gain unauthorized access: phishing email links, USB media, unpatched vulnerabilities, or compromised credentials.

Detection and response terms:

EDR (Endpoint Detection and Response) — A class of security tools that continuously monitor endpoints, detect suspicious behavior, and enable investigation and containment. For a full breakdown, see Endpoint Detection and Response.
XDR (Extended Detection and Response) — An evolution of EDR that correlates telemetry from endpoints, networks, cloud workloads, and identity systems. For a comparison of the two models, see Extended Detection and Response.
EPP (Endpoint Protection Platform) — A baseline prevention-focused platform combining antivirus, firewall, device control, and policy enforcement. EPP and EDR are often contrasted; the distinction is covered in detail at Antivirus vs EDR vs XDR.
IOC (Indicator of Compromise) — A forensic artifact — such as a file hash, IP address, or registry key — that signals a known threat. IOCs are distributed via threat intelligence feeds following the STIX/TAXII standard maintained by OASIS.
IOA (Indicator of Attack) — Behavioral evidence of an active attack technique, regardless of whether a specific malware signature is present. IOAs are technique-focused rather than artifact-focused.

How it works

Endpoint security terminology maps directly to a layered operational sequence. NIST's Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, structures protection activities into five functions: Identify, Protect, Detect, Respond, and Recover. Glossary terms cluster within these phases:

Identify phase — Asset inventory, vulnerability enumeration, risk scoring. Terms: attack surface, asset register, CVE (Common Vulnerabilities and Exposures), CVSS score (the Common Vulnerability Scoring System, maintained by FIRST.org).
Protect phase — Hardening, patching, access control, encryption. Terms: endpoint hardening, least privilege, application whitelisting, full disk encryption (FDE), TPM (Trusted Platform Module).
Detect phase — Behavioral monitoring, signature matching, anomaly detection. Terms: behavioral analytics, UEBA (User and Entity Behavior Analytics), SIEM integration, telemetry pipeline, dwell time.
Respond phase — Containment, isolation, forensic triage. Terms: host isolation, remediation, playbook, SOAR (Security Orchestration, Automation, and Response), chain of custody.
Recover phase — Restoration, post-incident review, control updates. Terms: rollback, clean image deployment, lessons learned register.

Dwell time — the interval between initial compromise and detection — averaged 24 days in 2023 according to the Mandiant M-Trends 2023 Report. Reducing dwell time is a primary design objective for EDR and XDR architectures.

Common scenarios

Practitioners encounter endpoint security terminology across three recurring operational contexts:

Compliance audits — Frameworks such as HIPAA (enforced by the HHS Office for Civil Rights) and PCI DSS (maintained by the PCI Security Standards Council) require demonstrable endpoint controls. Terms like data loss prevention (DLP), audit logging, and access control list (ACL) appear directly in audit checklists. For sector-specific usage, see Endpoint Security for Healthcare and Endpoint Security for Financial Services.

Incident response engagements — Forensic analysts use terms like memory forensics, process injection, persistence mechanism, and lateral movement to describe attack progression. The MITRE ATT&CK framework, published by MITRE Corporation, provides a structured taxonomy of 14 tactic categories and over 400 named techniques applicable to endpoint investigations.

Vendor evaluation — Procurement teams reference terms like false positive rate, detection coverage, mean time to detect (MTTD), and mean time to respond (MTTR) when scoring platforms against defined SLAs. These metrics are addressed in Endpoint Security Metrics and KPIs.

Decision boundaries

Selecting appropriate terminology usage requires distinguishing between overlapping concepts:

EDR vs. EPP — EPP operates primarily on prevention (blocking known threats before execution); EDR operates on detection and response (monitoring behavior after execution begins). An EPP without EDR cannot support post-incident forensic investigation.

IOC vs. IOA — IOC-based detection fails against novel malware with no known signature. IOA-based detection identifies attack behavior patterns regardless of the tool used, making it effective against fileless malware and living-off-the-land techniques.

Agent vs. agentless — Agents provide deeper telemetry and local enforcement capabilities; agentless approaches reduce deployment overhead but limit visibility to network-observable events. The BYOD endpoint security policy context frequently forces agentless or hybrid deployments on personally owned devices.

Zero trust vs. perimeter security — Perimeter models assume internal network traffic is trusted; zero-trust models apply continuous verification to every endpoint session regardless of network location. NIST SP 800-207 defines zero trust architecture principles applicable to endpoint policy enforcement, described further at Zero Trust Endpoint Security.

Managed vs. unmanaged endpoints — Managed endpoints have an enrolled agent, policy baseline, and update cadence under IT control. Unmanaged endpoints — including shadow IT devices and contractor hardware — fall outside telemetry coverage and represent the highest residual risk category in most enterprise environments.

References

Explore This Site

Regulations & Safety Regulatory References Tools & Calculators Password Strength Calculator