The QUANT LAB Glossary
Twenty plain-English definitions of the software engineering and cybersecurity terms our clients ask about most. No marketing fluff, no analyst jargon — just what the term means, why it matters, and how it shows up in actual engagements.
Half the difficulty of buying custom software or a security engagement is decoding the vocabulary. A founder is asked whether their app is multi-tenant, whether their API is REST or GraphQL, whether they need SOC 2 or just a SOC 2 letter, whether a pentest counts as a red team — and the honest answer to most of those questions is "it depends on what you mean by that word." This page tries to fix that. If you only have five minutes, skim the snippets. If you have an hour, the individual definitions go deeper — history, mechanics, examples, and how QUANT LAB actually works with each concept.
Software Engineering
API (Application Programming Interface)
The contract that lets two pieces of software talk to each other — REST, GraphQL, webhooks, and SDKs all sit on top of this idea.
CRM (Customer Relationship Management)
The system of record for every customer relationship — leads, deals, conversations, contracts, and revenue.
JAMstack Architecture
JavaScript, APIs, and prerendered Markup — the architecture pattern behind the fastest sites on the web.
Multi-Tenant SaaS
One application serving many customer organizations from shared infrastructure with strict data isolation.
MVP (Minimum Viable Product)
The smallest version of a product that delivers real value, ships fast, and lets you learn from paying customers.
Next.js
The React framework that powers the majority of modern production web apps — SSR, SSG, ISR, routing, and edge runtime.
REST vs GraphQL
Two API paradigms — REST exposes resources at URLs, GraphQL exposes a typed schema clients query directly.
SaaS (Software as a Service)
Software delivered as a subscription over the web — no installs, no servers, just log in and use.
Server-Side Rendering (SSR)
Generating HTML on the server for every request so users (and search engines) see content immediately.
Webhooks
HTTP callbacks — when something happens in System A, it POSTs JSON to a URL you own in System B.
Cybersecurity & Compliance
Active Directory
Microsoft's identity directory — the backbone of most enterprise networks and the first thing internal pentesters target.
HIPAA Compliance
US healthcare data law — the privacy, security, and breach notification rules that govern PHI.
MITRE ATT&CK Framework
The standard taxonomy of attacker tactics, techniques, and procedures — used by red teams, blue teams, and detection engineers.
OWASP Top 10
The community-maintained list of the ten most critical web application security risks — broken access control, injection, and friends.
PCI-DSS Compliance
The credit-card-industry security standard — twelve requirements every business that stores, processes, or transmits card data must follow.
Penetration Testing
A time-boxed, authorized, human-driven attempt to compromise your systems the way a real attacker would.
Red Team
Goal-driven adversary simulation that tests not just your software but your people, processes, and detection capability.
SOC 2 Compliance
The AICPA's trust-services audit that mid-market and enterprise buyers ask for before signing a SaaS contract.
Web Application Firewall (WAF)
A reverse-proxy layer that inspects HTTP traffic and blocks common attacks before they hit your app.
Zero Trust Architecture
Never trust, always verify — the network security model that assumes the perimeter is already breached.
Have a project? Skip the glossary
Definitions are useful, but a 30-minute conversation with the engineer who would actually do the work is more useful. If you have a CRM build, a SaaS platform, an API integration, or a pentest in your near future, book a no-pressure consultation and skip the buzzword phase entirely.