Glossary

Security terms, defined plainly.

The vocabulary of modern SOC operations, explained in one paragraph each. Linked from our blog posts and product pages so you can always find the canonical definition.

Agentic SOC

Category

A Security Operations Centre where AI agents autonomously triage, investigate and enrich security alerts — then hand a high-confidence recommendation to a human analyst who approves any destructive action. Distinct from SOAR (fixed playbooks) and MDR (outsourced humans).

Full explainer →

Agentic AI

Concept

Software that uses large language models to plan, invoke tools and take multi-step decisions about events without waiting for a human prompt at each step. The agent receives a goal, decides which actions to take, reads the results, and chooses the next move.

Read: What Is Agentic AI in Cybersecurity? →

Human-in-the-Loop (HITL)

Design Pattern

A design pattern where an AI system investigates and recommends, but a human analyst approves every irreversible action. In a SOC, HITL typically gates session revocation, MFA reset, device isolation, account disablement and tenant-wide mailbox quarantine; read-only enrichment runs unattended.

Read: What Is HITL in Cybersecurity? →
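One way to implement the gate the entry describes, as an added example that is not SocSage's code: the agent's proposed actions are partitioned into enrichment (runs unattended), the gated set above (runs only when an analyst approval bound to that exact action and target is on file) and everything else (refused, fail closed). The action names, the hypothetical `format_disk` proposal and the sample targets are constructed for the example.

```python
from dataclasses import dataclass
from typing import Callable

# Read-only enrichment the agent may run unattended (names are assumptions).
AUTO_ACTIONS = frozenset({"lookup_ip_reputation", "fetch_signin_history", "add_case_note"})
# Irreversible actions a named analyst must approve: the set the glossary entry lists.
GATED_ACTIONS = frozenset({"revoke_sessions", "reset_mfa", "isolate_device",
                           "disable_account", "quarantine_mailbox_tenant"})


@dataclass(frozen=True)
class Proposal:
    action: str
    target: str   # UPN, device id or tenant the action applies to


@dataclass(frozen=True)
class Approval:
    analyst: str
    action: str
    target: str   # bound to one action on one target, so it cannot be reused elsewhere


@dataclass(frozen=True)
class Decision:
    proposal: Proposal
    status: str   # "executed" | "awaiting_approval" | "rejected"
    reason: str


def hitl_gate(proposal: Proposal, approvals: list[Approval],
              execute: Callable[[Proposal], None]) -> Decision:
    """Run enrichment freely, run gated actions only with a matching approval, refuse the rest."""
    if proposal.action in AUTO_ACTIONS:
        execute(proposal)
        return Decision(proposal, "executed", "enrichment, no approval needed")
    if proposal.action in GATED_ACTIONS:
        match = next((a for a in approvals
                      if a.action == proposal.action and a.target == proposal.target), None)
        if match is None:
            return Decision(proposal, "awaiting_approval",
                            "destructive action, no analyst approval on file")
        execute(proposal)
        return Decision(proposal, "executed", f"approved by {match.analyst}")
    # Fail closed: an action the policy does not know is never run.
    return Decision(proposal, "rejected", "action not in policy")


def run_recommendation(proposals: list[Proposal], approvals: list[Approval],
                       execute: Callable[[Proposal], None]) -> list[Decision]:
    """Apply the gate to every action in an agent's recommendation, in order."""
    return [hitl_gate(p, approvals, execute) for p in proposals]


if __name__ == "__main__":
    executed: list[Proposal] = []
    # Constructed recommendation: one enrichment, two gated actions, one unknown action.
    plan = [Proposal("lookup_ip_reputation", "198.51.100.7"),
            Proposal("revoke_sessions", "alice@example.com"),
            Proposal("disable_account", "alice@example.com"),
            Proposal("format_disk", "WS-0042")]
    approvals = [Approval("dana", "revoke_sessions", "alice@example.com")]
    for d in run_recommendation(plan, approvals, executed.append):
        print(f"{d.status:18} {d.proposal.action} {d.proposal.target}: {d.reason}")
```

The point of binding an approval to both action and target is that an analyst's "yes" to revoking one user's sessions never unlocks the same action on a different account, and an approval for one destructive action never unlocks another on the same account.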

Managed Detection and Response (MDR)

Service

An outsourced, human-led service where a third-party SOC monitors your alerts, investigates and escalates what matters. Priced per seat or per tenant, and its capacity scales with the provider's headcount rather than with software.

MITRE ATT&CK

Framework

An open framework that catalogues adversary tactics (what an attacker is trying to achieve) and techniques (how they achieve it). Every SocSage investigation cites the ATT&CK technique it matched — e.g. T1078.004, Cloud Accounts.

Impossible Travel

Detection

A rule that fires when a user signs in from two geographically distant locations within a time window that makes physical travel implausible, i.e. the implied speed exceeds what an airliner could achieve. High signal in identity-led SOCs, but noisy for VPN-heavy users, whose egress IP geolocates to the VPN exit rather than to the person.
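The rule in working form, as an added example rather than SocSage's detection logic: consecutive sign-ins per user are compared by great-circle distance and elapsed time, and a pair is flagged when the implied speed exceeds a plausible airliner speed. The 900 km/h ceiling, the 500 km floor that suppresses geo-IP jitter between nearby cities, and the `is_vpn` flag (assumed to come from an egress-IP enrichment list) are assumptions; the sign-in records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_KM = 6371.0


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime          # timezone-aware timestamp of the sign-in
    lat: float
    lon: float
    ip: str
    is_vpn: bool = False  # egress IP is on a known VPN/proxy list (assumed enrichment)


@dataclass(frozen=True)
class Finding:
    user: str
    first: SignIn
    second: SignIn
    distance_km: float
    required_speed_kmh: float


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = p2 - p1
    dlam = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlam / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def impossible_travel(events: list[SignIn], max_speed_kmh: float = 900.0,
                      min_distance_km: float = 500.0, skip_vpn: bool = True) -> list[Finding]:
    """Flag consecutive sign-ins per user whose implied speed exceeds max_speed_kmh.

    max_speed_kmh is roughly airliner cruise speed; min_distance_km ignores short hops
    that geo-IP cannot resolve reliably. Both thresholds are tuning assumptions.
    """
    by_user: dict[str, list[SignIn]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_user.setdefault(e.user, []).append(e)

    findings: list[Finding] = []
    for user, evs in by_user.items():
        for a, b in zip(evs, evs[1:]):
            if skip_vpn and (a.is_vpn or b.is_vpn):
                continue  # VPN egress geolocates to the exit node, not the person
            dist = haversine_km(a.lat, a.lon, b.lat, b.lon)
            if dist < min_distance_km:
                continue
            hours = (b.ts - a.ts).total_seconds() / 3600.0
            speed = dist / hours if hours > 0 else float("inf")  # same-second pair is impossible
            if speed > max_speed_kmh:
                findings.append(Finding(user, a, b, dist, speed))
    return findings


def _t(hour: int, minute: int) -> datetime:
    return datetime(2024, 3, 4, hour, minute, tzinfo=timezone.utc)


LONDON, NEW_YORK, MANCHESTER = (51.5074, -0.1278), (40.7128, -74.0060), (53.4808, -2.2426)

# Constructed sample: one true impossible-travel pair, one short hop, one VPN exit.
SAMPLE_SIGNINS = [
    SignIn("alice", _t(9, 0), *LONDON, "203.0.113.10"),
    SignIn("alice", _t(10, 0), *NEW_YORK, "198.51.100.7"),              # ~5,570 km in 1 h: flagged
    SignIn("bob", _t(9, 0), *LONDON, "203.0.113.11"),
    SignIn("bob", _t(9, 30), *MANCHESTER, "203.0.113.12"),              # ~260 km: below the floor
    SignIn("carol", _t(9, 0), *LONDON, "203.0.113.13"),
    SignIn("carol", _t(9, 30), *NEW_YORK, "192.0.2.44", is_vpn=True),  # VPN exit: skipped
]

if __name__ == "__main__":
    for f in impossible_travel(SAMPLE_SIGNINS):
        print(f"{f.user}: {f.distance_km:.0f} km in "
              f"{(f.second.ts - f.first.ts).total_seconds() / 60:.0f} min "
              f"({f.required_speed_kmh:.0f} km/h) from {f.first.ip} then {f.second.ip}")
```

Running the same sample with `skip_vpn=False` flags carol as well, which is exactly the false positive the entry warns about: without egress enrichment, a user who hops onto a US VPN exit looks identical to a stolen-session sign-in.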

Alert Fatigue

Operations

The analyst-productivity collapse that follows when a SOC queue exceeds the team's practical review capacity. It causes true positives to be missed, and it is the problem agentic triage was built to solve.

Mean Time to Respond (MTTR)

Metric

The average elapsed time between an alert being raised and a responsive action being taken. A core SOC KPI: typical human-only SOCs run at 45–120 minutes; SocSage's median is 62 seconds to triage, plus analyst approval time on destructive actions.

The human-readable, step-by-step log of an agentic investigation: which tool each agent called, what it found, and how it reached a conclusion. Required for audit, for analyst trust, and for debugging the agents themselves.

Cyber Essentials Plus

UK Certification

The independently assessed tier of the UK government-backed Cyber Essentials scheme: an external assessor verifies the controls that the basic tier only self-declares. Increasingly required of suppliers to public-sector bodies, NHS trusts and MOD contracts. For a Microsoft 365 shop, the gap is usually evidence rather than configuration.

Read: Cyber Essentials Plus for M365 →

Missing a term? Email [email protected] and we'll add it.