This Glossary introduces common cloud-native, security, and Panther-specific terminology.



  • A brief and human-readable event that correlated to a programmed alarm rule to provide information about data breaches, exploits, or malicious behaviors.

  • The event triggered by Panther after the criteria on your rule, policy, or query is met. See Alerts & Destinations for more information.

Alert Destination

  • A designated location where a security alert is sent after being created.

  • Your selected services(s) where Panther alerts are sent, such as Jira, Slack, or PagerDuty. See Destinations for more information.

API (application programming interface)

  • A connection between computers or applications, which defines a specific set of rules for how they communicate and interact with one another.

Auxiliary Functions

Also known as "alert functions," these are Python functions that control analysis logic, generated alert title, event grouping, routing of alerts, and metadata overrides for Panther's detections. These functions are applicable to both Rules and Policies. Learn more on Writing Python Detections.


Beta (features)

Panther features may go through a closed beta, open beta, or both before becoming generally available. Features in beta phases will be identified as such in release notes and on their documentation pages.

  • Closed Beta: In this phase, a feature is enabled for a sub-set of customers for testing and feedback. Closed beta features may be enabled for additional customers if they request access.

  • Open Beta: In this phase, a feature is enabled for all customers but is still undergoing development. Feedback and bug reports are greatly appreciated during this period.


CI/CD (continuous integration/continuous deployment)

  • Continuous integration means work is constantly merged back into a central location, and generally includes automated testing for safety purposes. Continuous deployment or delivery means work is constantly deployed into production.

  • See Panther's CI/CD Onboarding Guides for information on managing detections with a CI/CD workflow.

CLI (command line interface)

  • A term for tools that you interact with from a command line, shell, virtual terminal, or similar interface.

  • In Panther’s context, CLI refers to tools like panther_analysis_tool and pantherlog, which are distributed by Panther and executed by customers locally on their own machines.


Cloud-native technologies empower organizations to build and run scalable applications in modern, dynamic environments such as public, private, and hybrid clouds. Containers, service meshes, microservices, immutable infrastructure, and declarative APIs exemplify this approach.

Source: CNCF

Cloud Account

In Panther context, an AWS account that you connect with Panther to use with Cloud Security Scanning. Accessible from the Cloud Accounts section of the Panther Console.

Cloud Resource

In Panther context, a Cloud Resource is an entity within your AWS account, such as an EC2 instance, S3 bucket, and IAM User. Cloud Resources are associated with an AWS account that you connected with Panther. Accessible from the Cloud Resources section of the Panther Console.


  • A time-based scheduler that executes one or more commands at specific dates and times.

  • In Panther's context, a Cron Expression is used to set a defined interval while running Scheduled Rules or Scheduled Searches.

Custom Webhook

  • Also known as web callbacks; a lightweight API that enables one system to forward data to another system when a specific event occurs.

  • Panther’s Custom Webhook Destination allows you to deliver alerts to selected third-party platforms that accept webhooks.

  • Panther's HTTP Source lets you ingest log events via a custom webhook URL.


Data Explorer

Data Explorer is a Panther tool where you can view your normalized data, select rule matches, perform SQL queries, search standard fields across data, load or schedule queries, and download sharable results in a CSV file.


In Panther, deduplication refers to the process of grouping suspicious events together into a single alert to prevent receiving duplicate alerts for the same behavior that may have multiple indicators. Any event that triggers a detection is grouped together with other events that triggered the same detection and subsequent deduplication string within the designated deduplication period. This is controlled by two aspects:

  • The deduplication string returned by the dedup function

  • The deduplication period configured on a detection

Detection-as-Code (DaC)

Detection-as-Code is a modern, flexible, and structured approach to writing security detections that applies software engineering best practices like version control systems (VCS) to manage detections, requires testing and manual reviews for detection changes, automatically enforces these testing and standards (CI), and automatically deploys these changes (CD).

Detection Pack

Panther’s Detection Packs logically group detections as well as enable detection updates via the Panther Console. Panther-provided packs are defined in this open-source repository: panther-labs/panther-analysis.


EDR (endpoint detection and response)

A cybersecurity solution that continuously monitors endpoint data and triggers rule-based automated responses.


Panther’s Enrichment features add important context to your detections and alerts for faster investigation workflows, enhanced detections, and reduced alert noise. Panther offers the following enrichment features: Custom Lookup Tables, Identity Provider Profiles, and Enrichment Providers.


Global Helper

  • A “helper” function performs one part of the computation of a larger function or program. This allows you to re-use logic defined in one place multiple times, in addition to logically separating code for better comprehension and testing.

  • In Panther, Global Helpers contain python code that can be used in other types of Panther detections (such as policies, rules, and data models). These Global Helpers serve as a library of common programming patterns that you can extend and use in any of the detections you write.


  • A company that collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise


IOC (indicator of compromise)

Data collected that is likely to indicate a security breach or threat.


Log Normalization

Log normalization parses and normalizes your uploaded logs for IOC (indicator of compromise) fields like domains and IPs to support efficient and effective analysis, searches, and correlations across all log types.

Lookup Tables

Panther’s Lookup Tables allow you to add important context to your detections and alerts by enriching the events they process and contain. They help you save time by enhancing detections, reducing alert noise, and speeding up investigations for improved investigation workflows.


MDR (managed detection and response)

A cybersecurity service that continuously monitors all security data and thus allows for robust detection, monitoring, and response to limit malicious threats and breaches.


Panther-analysis repo

A public Github repository of all detections developed by Panther including rules, policies, and scheduled rules.

Panther Analysis Tool (PAT)

Also known as panther_analysis_tool; an open-source utility for testing, packaging, and deploying Panther detections from source code. PAT’s intent is to enable CI/CD workflows for customers.

Panther Console

Panther’s web application. Customers can log in at [customer-URL]

Panther Developer Workflows

Non-Panther Console workflows you can use to interact with your Panther account, including CI/CD, API, Terraform, the pantherlog tool, and the Panther Analysis Tool (PAT).

Panther-managed detection

A detection that has been written and is continuously maintained by Panther.


Panther's Policies are Python functions that scan and evaluate cloud infrastructure configurations to identify misconfigurations and subsequently generate alerts. Policies specifically apply to cloud resources, whereas Rules apply to security logs.

Pretty print

In JSON, pretty printing includes proper line breaks, indentation, white space, and overall structure.

Source: Datagy


RBAC (role-based access control)

An authorization method that assigns access based on user roles and user permissions.


Panther's Rules are Python functions for detecting suspicious security log activity and generating alerts.

  • Real-time rules, simply known as Rules, are used to analyze a point-in-time (single log)

  • Scheduled rules are used to analyze aggregated or statistical data sets (many logs)


Saved Search

A preserved search expression. A Saved Search can be turned into a Scheduled Search by setting it to run on a certain interval.

Scheduled Rule

A detection that's associated with a Scheduled Search. The data returned each time the search executes is run against the detection, alerting when matches are found.

A Saved Query that is scheduled to run on a designated interval. Scheduled Searches are typically associated with at least one Scheduled Rule. Scheduled Searches were formerly known as "Scheduled Queries."


  • Schemas inform Panther how to normalize data for downstream services like the detection engine and tables in the data lake.

Security Data Lake

Also known as a data lake or SDL. A centralized repository aimed at maintaining and managing all log or other data sources relevant to an organization’s security posture. An SDL can ingest data from myriad sources and can integrate with other security analytics tools to provide a single place for security data to be housed, searched, and utilized.

SIEM (security information and event manager)

A SIEM collects, stores, and analyzes security data across broad networks and data sources, allowing organizations to detect and respond to escalating threats.


A cloud-based Data Warehouse that integrates with Panther to provide unified, secure, and scalable security capabilities so businesses can eliminate blind spots and respond to threats at cloud-scale.

SOAR (security orchestration, automation, and response)

A collection of security management solutions that combine threat management with incident response and automated security operations.

SOC (security operations center)

Pronounced “sock.” A team of IT professionals tasked to monitor, analyze, and respond to security threats

SSO (single sign-on)

An authentication process that allows a user to log in with one ID credential to access multiple separate and independent applications and services.


XDR (extended detection and response)

A consolidation of data tools to give extended visibility, analysis, and response across multiple applications.

Last updated