The QUANT LAB Glossary
120 plain-English definitions of the software engineering and cybersecurity terms our clients ask about most. No marketing fluff, no analyst jargon — just what the term means, why it matters, and how it shows up in actual engagements.
Half the difficulty of buying custom software or a security engagement is decoding the vocabulary. A founder is asked whether their app is multi-tenant, whether their API is REST or GraphQL, whether they need SOC 2 or just a SOC 2 letter, whether a pentest counts as a red team — and the honest answer to most of those questions is "it depends on what you mean by that word." This page tries to fix that. If you only have five minutes, skim the snippets. If you have an hour, the individual definitions go deeper — history, mechanics, examples, and how QUANT LAB actually works with each concept.
Software Engineering
CDN (Content Delivery Network)
A globally distributed network of servers that caches your content close to each visitor, cutting latency and offloading the origin.
CRM (Customer Relationship Management)
The system of record for every customer relationship — leads, deals, conversations, contracts, and revenue.
Design Sprint
A time-boxed, classically five-day process for solving a big problem by mapping, sketching, deciding, prototyping, and testing with real users before a full build.
Load Balancer
A component that spreads incoming traffic across multiple backend servers, improving capacity and reliability by routing each request to a healthy server.
Message Queue
A buffer that holds tasks sent by one part of a system until another is ready to process them, enabling asynchronous, decoupled, reliable communication.
Agile
An iterative approach to building software in small, frequent increments, guided by continuous customer feedback and a willingness to adapt the plan.
API (Application Programming Interface)
The contract that lets two pieces of software talk to each other — REST, GraphQL, webhooks, and SDKs all sit on top of this idea.
MVP (Minimum Viable Product)
The smallest version of a product that delivers real value, ships fast, and lets you learn from paying customers.
ORM (Object-Relational Mapping)
A library that maps database tables to objects in your language, letting you read and write data through native code instead of raw SQL.
ARR (Annual Recurring Revenue)
The annualized value of a subscription business's recurring revenue — the predictable income it expects over a twelve-month period, excluding one-time fees.
CI/CD (Continuous Integration / Continuous Delivery)
The practice of automatically building, testing, and deploying software on every change, so a small edit can reach production safely in minutes.
CAC (Customer Acquisition Cost)
The total sales and marketing spend required to win one new customer over a given period — salaries, ad spend, tools, and commissions included.
Customer Churn
The rate at which customers stop doing business with you over a period — canceling a subscription, ending a contract, or otherwise no longer paying.
Customer Lifetime Value (LTV)
The total revenue or gross profit a business expects to earn from a single customer over the entire span of their relationship, before they churn.
Database Indexing
A separate, ordered data structure that lets the database locate matching rows fast without scanning a whole table — trading storage for far faster reads.
Docker
A tool that packages an application with everything it needs into a portable, isolated container, so it runs identically on a laptop, a test server, and production.
Idempotency
The property of an operation whereby performing it many times produces the same result as performing it once — what makes retries safe in networked systems.
JAMstack Architecture
JavaScript, APIs, and prerendered Markup — the architecture pattern behind the fastest sites on the web.
Kubernetes
An open-source orchestration system that automatically deploys, scales, and heals containerized apps across a cluster of machines.
MRR (Monthly Recurring Revenue)
The total predictable revenue a subscription business expects every month, normalized so annual and multi-month plans show up as a single monthly figure.
Multi-Tenant SaaS
One application serving many customer organizations from shared infrastructure with strict data isolation.
Next.js
The React framework that powers the majority of modern production web apps — SSR, SSG, ISR, routing, and edge runtime.
Product-Market Fit
The stage at which a product satisfies strong market demand — when a defined group of customers value it enough to buy, stay, and refer others.
REST vs GraphQL
Two API paradigms — REST exposes resources at URLs, GraphQL exposes a typed schema clients query directly.
SaaS (Software as a Service)
Software delivered as a subscription over the web — no installs, no servers, just login and use.
Scrum
An Agile framework for delivering software in fixed-length sprints, structured around defined roles, a prioritized backlog, and a few recurring ceremonies.
Server-Side Rendering (SSR)
Generating HTML on the server for every request so users (and search engines) see content immediately.
Serverless Computing
A cloud execution model where the provider runs your code on demand, auto-provisioning and scaling the servers and billing only for the compute used.
Technical Debt
The implied future cost of choosing a quick solution now instead of a robust one — extra effort the team must spend later to extend or maintain the code.
Webhooks
HTTP callbacks — when something happens in System A, it POSTs JSON to a URL you own in System B.
WebSockets
A protocol that keeps a single persistent two-way connection open between browser and server, so either side can push messages instantly without re-polling.
Data Lake
A central store that holds raw structured and unstructured data at any scale, schema-applied-on-read, for analytics and machine learning.
Data Warehouse
A database optimized for analytics — structured, modeled, and tuned for fast reporting across large historical datasets.
Feature Store
A managed layer that stores, versions, and serves the engineered inputs machine-learning models use, keeping training and production consistent.
Monorepo
A single version-controlled repository that houses many projects or services, sharing tooling, dependencies, and atomic cross-cutting changes.
REST API
An HTTP interface that exposes resources as URLs and uses standard verbs (GET, POST, PUT, DELETE) to read and change them in a stateless way.
Service Mesh
A dedicated infrastructure layer that handles service-to-service traffic — routing, retries, encryption, and observability — without changing app code.
Tech Stack
The combined set of languages, frameworks, databases, and infrastructure a product is built and run on.
Vector Database
A database that stores high-dimensional embeddings and finds the nearest ones by similarity — the retrieval backbone of AI search and RAG.
VPC (Virtual Private Cloud)
A logically isolated section of a cloud provider's network where you control IP ranges, subnets, routing, and firewall rules for your resources.
API Gateway
A single entry point that routes, authenticates, rate-limits, and monitors requests to the services behind it.
Embedding
A numeric vector that represents text, images, or other data so that similar items sit close together — enabling semantic search and recommendations.
LLM (Large Language Model)
A neural network trained on vast text that predicts and generates language — the engine behind chatbots, copilots, and AI features.
API Versioning
The practice of evolving an API without breaking existing clients, by exposing distinct versions through the URL, header, or media type.
Blue-Green Deployment
A release strategy that runs two identical environments and switches traffic from the old (blue) to the new (green) for instant, reversible cutovers.
Caching
Storing the result of expensive work close to where it's needed so repeat requests are served fast instead of recomputed or refetched.
Chaos Engineering
Deliberately injecting failures into a system in controlled experiments to find weaknesses before they cause real outages.
CQRS (Command Query Responsibility Segregation)
An architecture pattern that separates the model that writes data from the model that reads it, so each can scale and evolve independently.
Database Sharding
Splitting one large database horizontally across many servers by a shard key, so each holds a slice of the data for scale.
Distributed Tracing
Following a single request as it hops across services, with timing at each step, to pinpoint where latency or errors come from.
DNS (Domain Name System)
The internet's address book — it translates human domain names into the IP addresses machines use to connect.
Domain-Driven Design
An approach that models software around the real business domain and its language, using bounded contexts to tame complexity.
ETL (Extract, Transform, Load)
The pipeline that pulls data from sources, reshapes and cleans it, and loads it into a warehouse for analytics.
Event Sourcing
Persisting every change as an immutable event, so current state is rebuilt by replaying the log — giving a full audit trail and time travel.
Feature Flagging
Wrapping features in runtime switches so you can ship code dark, roll out gradually, and turn things off without a redeploy.
Fine-Tuning
Further training a pretrained model on your own labeled examples so it specializes in your domain, tone, or task.
GraphQL
A query language for APIs that lets clients ask for exactly the fields they need in one request, instead of stitching together many REST endpoints.
gRPC
A high-performance RPC framework using HTTP/2 and Protocol Buffers for fast, strongly-typed service-to-service calls.
Infrastructure as Code
Defining servers, networks, and cloud resources in version-controlled files so environments are provisioned automatically and reproducibly.
Load Testing
Simulating realistic or peak traffic against a system to measure how it performs and where it breaks before real users do.
Long Polling
A technique where the server holds a request open until it has data, approximating real-time updates over plain HTTP when WebSockets aren't available.
Microservices Architecture
Structuring an application as small, independently deployable services that each own one capability and communicate over the network.
MLOps
The practices and tooling for deploying, monitoring, retraining, and governing machine-learning models reliably in production.
Observability
How well you can understand a system's internal state from its outputs — logs, metrics, and traces — to debug problems you didn't anticipate.
OpenAPI (Swagger)
A standard, machine-readable specification for describing REST APIs, powering interactive docs, client generation, and contract testing.
Product-Led Growth
A go-to-market strategy where the product itself drives acquisition, conversion, and expansion — often via free trials or freemium.
Rate Limiting
Capping how many requests a client can make in a window to protect a service from overload, abuse, and runaway costs.
Redis
An in-memory data store used for caching, sessions, queues, and real-time features where microsecond access matters.
RAG (Retrieval-Augmented Generation)
An AI pattern that retrieves relevant documents and feeds them to a language model, grounding answers in your own data and cutting hallucinations.
Terraform
A popular infrastructure-as-code tool that provisions and manages cloud resources declaratively across providers from versioned config files.
Cybersecurity & Compliance
CVE (Common Vulnerabilities and Exposures)
A unique, public ID assigned to a specific known security flaw, so every scanner, vendor, and defender refers to the same vulnerability by the same name.
Red Team
Goal-driven adversary simulation that tests not just your software but your people, processes, and detection capability.
Security Operations Center (SOC)
The people, processes, and technology whose full-time job is to watch your systems for attacks, investigate what looks wrong, and coordinate the response.
Vulnerability
A weakness in software, configuration, or process that an attacker can exploit to read, change, or take down something they should not be able to.
Web Application Firewall (WAF)
A reverse-proxy layer that inspects HTTP traffic and blocks common attacks before they hit your app.
Active Directory
Microsoft's identity directory — the backbone of most enterprise networks and the first thing internal pentesters target.
EDR (Endpoint Detection and Response)
Software on each laptop and server that records device behavior, detects malicious activity even from unseen threats, and lets responders contain attacks remotely.
Encryption at Rest
Scrambling your data while it sits in storage — on disk, in a database, in backups — so a stolen drive yields unreadable gibberish instead of your information.
HIPAA Compliance
US healthcare data law — the privacy, security, and breach notification rules that govern PHI.
MITRE ATT&CK Framework
The standard taxonomy of attacker tactics, techniques, and procedures — used by red teams, blue teams, and detection engineers.
Multi-Factor Authentication (MFA)
A login method that requires two or more independent kinds of proof, so an attacker who steals just your password still cannot get into your account.
OWASP Top 10
The community-maintained list of the ten most critical web application security risks — broken access control, injection, and friends.
PCI-DSS Compliance
The credit-card-industry security standard — twelve requirements every business that stores, processes, or transmits card data must follow.
Penetration Testing
A time-boxed, authorized, human-driven attempt to compromise your systems the way a real attacker would.
Phishing
A social-engineering attack that tricks a person into handing over passwords, money, or malware access by impersonating someone or something they trust.
SIEM (Security Information and Event Management)
The central platform that collects log and event data from across your environment, correlates it to spot patterns, and raises alerts for a security team.
SOC 2 Compliance
The AICPA's trust-services audit that mid-market and enterprise buyers ask for before signing a SaaS contract.
Threat Modeling
A structured exercise that diagrams what you are building, thinks like an attacker about how each piece could be abused, and decides what to do before code ships.
TLS (Transport Layer Security)
The cryptographic protocol that encrypts data in transit, proves you are talking to the real server, and detects tampering — the technology behind HTTPS.
Zero Trust Architecture
Never trust, always verify — the network security model that assumes the perimeter is already breached.
DDoS Attack
A distributed denial-of-service attack floods a target with traffic from many machines at once, aiming to exhaust capacity and knock it offline.
Man-in-the-Middle Attack
An attacker secretly relays or alters traffic between two parties who believe they're talking directly, intercepting credentials or injecting data.
Supply Chain Attack
An attack that compromises a trusted dependency, vendor, or build pipeline so malicious code reaches victims through software they already trust.
Zero-Day Exploit
An attack that targets a software flaw unknown to the vendor, leaving zero days to patch before it can be used in the wild.
ABAC (Attribute-Based Access Control)
An authorization model that grants access based on attributes of the user, resource, and context — role, department, time, location — rather than fixed roles alone.
IAM (Identity and Access Management)
The framework of policies and tools that controls who can authenticate and exactly what each identity is allowed to do.
JWT (JSON Web Token)
A signed, self-contained token that carries claims about a user, letting servers verify identity without a session lookup.
SOC 2 Report
An independent auditor's report on how well a service organization's controls meet the Trust Services Criteria for security, availability, and privacy.
Credential Stuffing
An attack that replays username-password pairs leaked from one breach against many other sites, banking on password reuse.
Cross-Site Scripting (XSS)
A web flaw where attacker-supplied script runs in another user's browser, letting it steal sessions, keystrokes, or page content.
CSRF (Cross-Site Request Forgery)
An attack that tricks a logged-in user's browser into sending an unwanted authenticated request, performing actions they never intended.
DevSecOps
Building security into every stage of the development pipeline — automated scanning, policy, and testing — rather than bolting it on at the end.
FIDO2
An open authentication standard that uses public-key cryptography and hardware or platform authenticators to replace passwords with phishing-resistant logins.
Hashing
A one-way function that turns any input into a fixed-length fingerprint — used to store passwords and verify data integrity without revealing the original.
OAuth 2.0
An authorization framework that lets an app access a user's data on another service via scoped tokens, without handling their password.
Passkey Authentication
A passwordless login that stores a cryptographic key on your device and unlocks it with biometrics, resisting phishing and credential reuse.
Patch Management
The disciplined process of tracking, testing, and deploying software updates so known vulnerabilities are closed before attackers exploit them.
Privilege Escalation
When an attacker or user gains rights beyond what they were granted — moving from limited access to admin or root control.
Prompt Injection
An attack that smuggles malicious instructions into an LLM's input, hijacking its behavior to leak data or ignore its guardrails.
PKI (Public Key Infrastructure)
The system of keys, certificates, and authorities that issues and verifies digital identities to enable encryption and trusted communication.
Ransomware
Malware that encrypts a victim's files or systems and demands payment for the key, often paired with threats to leak stolen data.
RBAC (Role-Based Access Control)
An authorization model that assigns permissions to roles and roles to users, so access is managed by job function rather than per person.
SAML SSO
An XML-based standard that lets users authenticate once with an identity provider and access many apps without logging in again.
Secrets Management
Securely storing, rotating, and granting access to credentials like API keys and database passwords instead of hard-coding them.
Social Engineering
Manipulating people — through phishing, pretexting, or urgency — into revealing information or taking actions that breach security.
SQL Injection
A flaw where untrusted input is concatenated into a database query, letting attackers read, alter, or destroy data.
Secure SDLC
A software development lifecycle with security built into every phase — threat modeling, secure coding, review, and testing — not just at the end.
Vulnerability Scanning
Automated probing of systems and code to find known weaknesses and misconfigurations, producing a prioritized list to fix.
Zero-Knowledge Architecture
A design where the service provider can never read user data because encryption and keys stay entirely on the client side.
Zero Trust Network Access (ZTNA)
A model that grants application access per verified identity and device context, replacing broad VPN network access with least-privilege connections.
Have a project? Skip the glossary
Definitions are useful, but a 30-minute conversation with the engineer who would actually do the work is more useful. If you have a CRM build, a SaaS platform, an API integration, or a pentest in your near future, book a no-pressure consultation and skip the buzzword phase entirely.