Cloud Security Glossary
The cloud security industry loves acronyms. Here is every CNAPP term explained in plain English — what it means, why it matters, and how TigerGate covers it.
AI-SPM
AI Security Posture ManagementThe practice of discovering, inventorying, and securing AI/ML assets across your environment — models, training data, pipelines, and AI services. AI-SPM identifies misconfigured model endpoints, exposed training data, shadow AI usage, and risky AI supply chain dependencies before they become breaches.
API Security
Application Programming Interface SecurityProtecting REST, GraphQL, and SOAP APIs against the OWASP API Top 10 — broken authentication, BOLA/IDOR authorization flaws, injection, excessive data exposure, and missing rate limiting. Modern API security combines discovery (finding shadow and zombie APIs) with continuous testing and runtime protection.
ASM
Attack Surface ManagementContinuous discovery, inventory, and monitoring of every internet-facing asset your organization owns — domains, subdomains, IPs, cloud resources, and third-party services. ASM finds the shadow IT and forgotten infrastructure that attackers scan for daily, then prioritizes exposures by real-world exploitability.
ASPM
Application Security Posture ManagementA unified layer that aggregates, correlates, and prioritizes findings from all your AppSec tools — SAST, SCA, DAST, secrets, IaC — into one risk-ranked view. ASPM answers 'which of these 10,000 findings actually matter?' by adding runtime and business context to raw scanner output.
Attack Path Analysis
Attack Path & Exposure AnalysisGraph-based analysis that connects individual weaknesses — a public S3 bucket, an over-privileged role, an unpatched CVE — into the complete chains an attacker could follow to reach your crown jewels. Instead of thousands of isolated findings, you see the handful of toxic combinations that create real breach paths.
CDR
Cloud Detection & ResponseReal-time detection of active threats in cloud environments — compromised credentials, crypto mining, data exfiltration, lateral movement — and the ability to respond fast. CDR complements posture management (CSPM): posture tools prevent misconfigurations; CDR catches attackers who get in anyway.
CIEM
Cloud Infrastructure Entitlement ManagementManaging who (and what) can access which cloud resources. CIEM analyzes IAM users, roles, service accounts, and policies across AWS, Azure, and GCP to find over-privileged identities, unused permissions, and risky trust relationships — the raw material of most cloud breaches.
CNAPP
Cloud-Native Application Protection PlatformThe umbrella category that unifies CSPM, CWPP, KSPM, CIEM, IaC scanning, and container security into a single platform. Instead of stitching together five point tools, a CNAPP gives you one view from code to cloud to runtime — with shared context so findings can be correlated and prioritized.
CSPM
Cloud Security Posture ManagementContinuous scanning of cloud accounts (AWS, Azure, GCP, Oracle) for misconfigurations — public storage buckets, permissive security groups, unencrypted databases, missing MFA — mapped against benchmarks like CIS and frameworks like PCI-DSS, HIPAA, and SOC 2. CSPM is the foundation of cloud security.
CTEM
Continuous Threat Exposure ManagementA continuous program — not a tool — for managing exposure to attack: scope your attack surface, discover exposures, prioritize by real-world exploitability, validate which are actually attackable, and mobilize remediation. CTEM shifts security from periodic vulnerability scans to an always-on cycle focused on the exposures attackers would actually use.
CWPP
Cloud Workload Protection PlatformSecurity for the workloads themselves — VMs, containers, and serverless functions — regardless of where they run. CWPP covers vulnerability management, hardening, and runtime protection at the workload level, complementing CSPM's account-and-configuration view.
Container Security
Container & Image SecuritySecuring containers across their lifecycle: scanning images for CVEs, malware, and embedded secrets; enforcing admission policies before deployment; and monitoring container behavior at runtime. Includes SBOM generation and base-image hygiene.
DAST
Dynamic Application Security TestingTesting a running application from the outside, the way an attacker would — probing for SQL injection, XSS, SSRF, authentication flaws, and misconfigurations without access to source code. DAST finds exploitable issues that static analysis can only theorize about.
DSPM
Data Security Posture ManagementDiscovering and classifying sensitive data — PII, PHI, payment data, secrets — across cloud storage, databases, and data warehouses, then mapping who can access it and how it's protected. DSPM answers 'where is our sensitive data, and is it exposed?'
DevSecOps
Development, Security & OperationsEmbedding security into every stage of the software delivery lifecycle instead of bolting it on at the end. In practice: scanning in the IDE and CI/CD pipeline, policy-as-code, automated guardrails, and shared ownership of security between developers and security teams.
eBPF
Extended Berkeley Packet FilterA Linux kernel technology that runs sandboxed programs inside the kernel without kernel modules or code changes. eBPF gives security tools direct visibility into process execution, file access, and network activity with under 3% overhead — the foundation of TigerGate's runtime monitoring and enforcement agent.
IaC Security
Infrastructure-as-Code SecurityScanning Terraform, CloudFormation, Kubernetes manifests, Helm charts, and Dockerfiles for misconfigurations before they're deployed. Fixing a public bucket in code review costs minutes; fixing it in production after a breach costs much more.
KIEM
Kubernetes Infrastructure Entitlement ManagementCIEM applied to Kubernetes: analyzing RBAC roles, role bindings, service accounts, and cluster permissions to find over-privileged identities inside your clusters. Kubernetes RBAC misconfigurations — wildcard verbs, cluster-admin sprawl, unused service account tokens — are a leading path to full cluster compromise, and KIEM surfaces them before attackers do.
KSPM
Kubernetes Security Posture ManagementCSPM for Kubernetes: continuously auditing clusters against the CIS Kubernetes Benchmark — RBAC misconfigurations, privileged pods, missing network policies, exposed API servers, and insecure kubelet settings — across EKS, GKE, AKS, OpenShift, and self-managed clusters.
MDR
Managed Detection & ResponseA managed service where expert analysts monitor your environment 24/7, hunt for threats, triage alerts, and respond to incidents on your behalf. MDR gives you SOC-level capability without building an in-house security operations center.
SAST
Static Application Security TestingAnalyzing source code for vulnerabilities — SQL injection, command injection, XSS, path traversal, insecure deserialization, hardcoded secrets — without running the application. SAST runs in the IDE and CI pipeline, catching issues at the cheapest point to fix them.
SBOM
Software Bill of MaterialsA complete inventory of every component, library, and dependency inside your software — like an ingredients label. SBOMs (in SPDX or CycloneDX format) are increasingly required by regulation and let you answer 'are we affected?' within minutes when the next Log4Shell drops.
SCA
Software Composition AnalysisScanning open-source dependencies for known CVEs, malicious packages, license risks, and unmaintained projects. Since 70-90% of modern application code is open source, SCA is where most exploitable vulnerabilities actually live.
Secrets Detection
Secrets & Credential ScanningFinding hardcoded API keys, database passwords, cloud credentials, and private keys in source code, git history, container images, and config files. A single leaked AWS key can compromise an entire cloud account — secrets detection catches them before attackers do.
Serverless Security
Serverless & Function SecuritySecuring AWS Lambda, Azure Functions, and Cloud Functions: over-permissive execution roles, vulnerable dependencies, injection through event triggers, and secrets in environment variables. Serverless removes the server patching burden but introduces its own attack surface.
Shift Left
Shift-Left SecurityMoving security testing earlier ('left') in the development lifecycle — from production back to CI/CD, code review, and the IDE. The complementary practice, shift-right, adds runtime monitoring in production. Mature programs do both: shift left to prevent, shift right to detect.
SIEM
Security Information & Event ManagementA central system that aggregates logs and security events from across your environment, correlates them, and raises alerts for analysts to investigate. A SIEM is only as good as its inputs — TigerGate streams high-fidelity runtime events (process, file, and network activity from eBPF) and scanner findings into your SIEM, or pairs with MDR analysts who do the correlation for you.
Vulnerability Management
Risk-Based Vulnerability ManagementThe ongoing process of discovering, prioritizing, and remediating vulnerabilities across code, dependencies, containers, and cloud infrastructure. Modern vulnerability management prioritizes by exploitability (EPSS, known exploits) and reachability, not just CVSS score.
Zero Trust
Zero Trust ArchitectureA security model that assumes no user, device, or workload is trustworthy by default — every access request is verified, least privilege is enforced, and lateral movement is contained. Runtime enforcement and identity analysis are the practical building blocks of zero trust in cloud environments.
One platform for all of it
TigerGate unifies CSPM, CWPP, KSPM, DSPM, SAST, SCA, DAST, and runtime security in a single code-to-cloud platform — so you learn one tool, not fifteen acronyms.
Explore the TigerGate CNAPP