Glossary
The MSP world is acronym-heavy. Hover any underlined term anywhere on the site for a quick definition; the full entries live here.
A
- AAAA record
DNS record mapping a name to an IPv6 address. The IPv6 equivalent of an A record.
- Able Moose Accounting
The recurring fictional MSP customer used across this site's lessons, a single company that scales from small business to mid-market to enterprise across the Beginner, Intermediate, and Advanced courses.
- addon domain
A second (or third) registered domain hosted inside the same ApisCP account. Has its own document root, DNS, and optional mailboxes; shares the account's login and resource quotas.
- allowlist
An explicit list of domains, IPs, applications, or senders that should be permitted even when broader rules would block them.
- anycast
A routing technique where the same IP address is announced from many physical locations, and the network sends each user to the nearest one.
- ApisCP
A self-hosted multi-tenant hosting control panel an MSP installs on its own RHEL-family servers. Customers get isolated accounts with mail, DNS, files, databases, and 1-click web apps; the MSP gets a Nexus admin app to operate every account.
- ApisCP plan
A named bundle of service defaults in ApisCP. When an account is created with -p plan-name, every unset service value falls through to the plan's value. Plans can inherit from a base plan.
- AppAware
DNSFilter's feature that maps DNS activity to known applications, surfacing app usage and shadow IT through the filter.
- Application allowlisting
A default-deny posture where only explicitly approved binaries are allowed to execute. Anything else (script, installer, dropped DLL) is blocked at the kernel before it runs.
- audit log
A record of every change made to a system, naming the actor, the time, the affected object, and (for edits) the before / after values, used to investigate incidents and demonstrate compliance.
- audit mode
A configuration mode where rules are evaluated and logged but NOT enforced. Lets you see what would happen before turning enforcement on.
- auth code
Per-domain secret that authorises an outbound registrar transfer. Generated by the losing registrar, supplied to the gaining registrar.
B
- B2BUA
A SIP element that terminates one dialog and originates another for the same logical call. Looks like two distinct dialogs on the wire (different Call-IDs, fresh tags) and typically bridges media as well as signalling.
- blocklist
An explicit list of domains, IPs, applications, or senders that should always be blocked regardless of broader category rules.
- Brand Kit
An Exclaimer asset library holding fonts, colours, logo, icon, banner, meeting background, and disclaimer text that signatures inherit from.
- BYOI
The Yeastar deployment model where the MSP runs YCM on their own infrastructure (their own cloud / colo / on-prem VMs) and uses it to create Cloud PBX instances for each customer.
C
- CAA record
A DNS record at the apex listing which Certificate Authorities are allowed to issue TLS certificates for the domain. CAs check it before issuing; competing CAs refuse.
- Campaign banner
An Exclaimer time-boxed banner image with a hyperlink and start/end dates, appended after a signature; one Campaign at a time, server-side only on Gmail.
- captive portal
The web page that public Wi-Fi networks force users through before letting their device reach the internet.
- category
A label DNSFilter (and similar tools) assigns to a domain so policies can block or allow whole groups of sites at once instead of one-by-one.
- ccTLD
Country-code top-level domain (.au, .uk, .ca, .de, etc.) operated under each registry's own policy, separate from ICANN.
- Cloud PBX
A P-Series Software Edition instance that YCM provisions and operates inside the MSP's infrastructure. Each customer's PBX is its own Cloud PBX, with its own URL, extensions, trunks, and capacity.
- CNAME
DNS record type that aliases one name to another. Cannot exist at a zone apex and cannot coexist with other record types on the same name.
- Codec
An algorithm that encodes audio for transmission. Voice codecs include G.711 (PCMA / PCMU, narrowband 64 kbps), G.722 (wideband 64 kbps), Opus (variable 6-510 kbps), and G.729 (legacy 8 kbps). Negotiated per call in SDP.
- cpcmd
The universal CLI for ApisCP. Every panel action is reachable from cpcmd via a module:function call. -d sets the site context, -u sets the user, --format=json switches output to JSON.
- custom domain
A domain you own and operate (e.g. *.pbx.contoso.com), substituted for a vendor's default wildcard domain so the customer's URL reflects your brand rather than the vendor's.
- Cyber Hero
ThreatLocker's 24/7 managed approval service. Cyber Hero engineers triage end-user approval requests on the customer's behalf, replying within ThreatLocker's published SLA.
D
- DID
Direct Inward Dial, a public phone number bound to a SIP trunk and routed by the PBX to an inbound destination (extension, queue, IVR, time condition). DIDs are added at YCM against a shared trunk and assigned per-Cloud-PBX.
- DID matching
The strategy PSE's inbound route uses to map a dialled DID to a destination. Four modes: DID Pattern (single destination), Match DID Pattern to Extensions (with placeholder), Match DID Range to Extension Range, and DID Number to Specific Extension.
- disclaimer
Plain-text legal text appended to outbound email after the signature, configurable as a standalone Disclaimer object, a Disclaimer signature element, or text inside the template.
- DKIM
An email signing scheme where the sending server signs each message with a private key, and the matching public key is published in DNS. Receivers verify the signature to confirm the message wasn't altered in transit.
- DMARC
A TXT record at _dmarc.<domain> that tells receiving mail servers what to do with messages that fail SPF or DKIM, and where to send aggregate reports. Makes SPF and DKIM enforceable.
- DNS
Domain Name System, the internet's phonebook. Translates human-readable names like "example.com" into IP addresses computers actually connect to.
- DNS filtering
Blocking risky or policy-violating domains at the DNS resolver layer, before a TCP connection is ever attempted.
- DNS over HTTPS
A DNS transport that wraps queries inside HTTPS, encrypting them and making them indistinguishable from normal web traffic.
- DNS resolver
The DNS server a device asks for name-to-IP lookups. Whoever controls the resolver controls (and sees) everything.
- DNSSEC
Cryptographic signing of DNS answers so resolvers can detect tampering. Requires the DNS host to sign the zone, and the registrar to publish a DS record pointing at the signing key.
- DOD
Direct Outward Dialling. The specific public number that appears in the From header (and on the called party's caller ID) when an extension dials out. Configured per-trunk and assigned to extensions, optionally with a short code for per-call selection.
- DS record
Record at the parent zone establishing the DNSSEC chain of trust into a child zone. Held at the registrar for a registered domain.
- DSCP
A 6-bit field in the IP header that marks a packet's traffic class. Voice typically uses EF (DSCP 46) for RTP and CS3 (24) or AF31 (26) for SIP, so network gear can prioritise voice in low-latency queues.
- DTLS-SRTP
SRTP key exchange via an in-band DTLS handshake on the RTP port. Keys never appear in SDP; SDP only carries `a=setup:` and `a=fingerprint:` for certificate verification. WebRTC's default.
- DTMF
Keypresses on a phone keypad. In SIP/VoIP carried three ways, RFC 4733 telephone-event over RTP (the standard), inband audio (broken by lossy codecs), or SIP INFO messages.
- Dynamic DNS
A service that maps a fixed hostname to an IP address that changes, typically used when a network's public IP isn't static.
E
- EDR
Endpoint Detection and Response, agent-based security that watches process, file, and network behaviour for malicious patterns and gives a SOC the ability to isolate or roll back.
- Elevation Control
Per-application local-admin elevation that lets a standard user run a specific approved app with admin rights, without giving the user admin rights generally.
F
G
- GDPR
2018 EU regulation on personal data handling. Drove the redaction of individual contact data in public WHOIS / RDAP responses for common gTLDs.
- GeoIP
A firewall pattern that maps source IP addresses to countries / regions and applies allow/deny rules at country granularity. Coarse but cheap; kills the bulk of opportunistic internet scanner traffic for a customer who only operates in a handful of countries.
- gTLD
Generic top-level domain (.com, .net, .org, .app, .dev, etc.) operated under ICANN policy.
H
- Host Isolation
An EDR containment action that cuts a compromised endpoint off from partner networks while keeping it reachable for SOC investigation. Limits an attacker's ability to spread laterally without losing forensic visibility.
- Hosting User
A subordinate YCM account with its own capacity slice (extensions, concurrent calls, recording minutes, AI minutes) carved out of the MSP's pool, used to model sub-resellers or scoped partner channels under the Super Administrator.
- Hot Standby
A two-server resilience topology where a Primary handles production load and a Secondary continuously syncs its state, taking over automatically when the Primary fails a heartbeat check. Same-LAN; covers server-level failure, not site-level.
I
- ICE
A procedure (RFC 8445) where endpoints gather candidate addresses (host, STUN-reflexive, TURN-relayed) and run connectivity checks to pick the best working pair. Standard for WebRTC; supported by some SIP softphones.
- ITDR
Identity Threat Detection and Response. Detection and response capabilities focused on the identity layer (Microsoft 365, Google Workspace), watching for compromised credentials, malicious inbox rules, suspicious sign-ins, and rogue OAuth apps.
J
- Jitter
The variance in inter-packet arrival time on an RTP stream. Reported by RTCP in RTP timestamp units; divide by 8 for narrowband-codec ms, by 48 for Opus. Below 20 ms is fine, above 50 is audibly bad.
- JWT
A signed, base64-encoded token format used to authenticate API calls and pass identity claims between systems.
L
- Learning Mode
A ThreatLocker maintenance state where the agent observes execution and auto-creates applications and policies for what it sees, without blocking anything yet.
- Linkus
Yeastar's end-user client suite for P-Series. Desktop on Windows and macOS, Web in the browser via WebRTC, Mobile on iOS and Android. Registers to PSE and gives the user a softphone, chat, presence, voicemail, and conferencing.
- Login-As
The ApisCP move that creates an authenticated session as a customer's admin user without password handoff. Reversible via Revert Login-As. Backed by the admin:hijack API call.
M
- MDR
A security service where humans (a SOC) actively monitor your EDR/SIEM and respond to incidents on your behalf, 24/7.
- Meeting Branding
An Exclaimer Pro feature that applies branded nametag overlays and backgrounds to user video calls in Microsoft Teams, Google Meet, and Zoom.
- MFA
Requiring a second factor (app code, hardware key, biometric) beyond the password to verify identity.
- Microsoft 365
Microsoft's bundled cloud productivity suite. Exchange Online, SharePoint, OneDrive, Teams, and the Office desktop apps, identity-anchored in Entra ID.
- Microsoft Graph permission
A scoped capability granted to an Azure / Entra application via Microsoft Graph. Two types: Application (acts as the org, no signed-in user) and Delegated (acts on behalf of a user). Revocable per-permission from the Enterprise Application page.
- MOS
A perceptual quality score for a call leg, 1.0 (terrible) to 5.0 (perfect). Derived from packet loss, jitter, and codec choice. PSE writes MOS per leg into CDR for analysis.
- MSP
Managed Service Provider, a company that delivers ongoing IT services to client businesses for a recurring fee, typically per-user or per-device.
- MX record
DNS record telling sending mail servers where to deliver mail for a domain. Lower priority value is preferred.
N
- nameserver
The server that holds and answers DNS queries for a zone. The "DNS host" for a domain is whoever runs its nameservers, identified by the NS delegation at the registrar.
- NAT traversal
The set of techniques that let SIP and RTP work through routers that translate addresses. Symmetric RTP, STUN, TURN, and ICE are the four main mechanisms; SIP ALG is the router feature that breaks it.
- Nexus
The admin-side ApisCP app that lists every customer account on the server and exposes the add / edit / suspend / delete / Login-As actions. The GUI front-end for AddDomain and friends.
O
- OAuth client credentials
An OAuth 2.0 grant type where an application authenticates itself (Client ID + Client Secret) to obtain an access token, with no end-user involvement; the right model for server-to-server API integrations like YCM provisioning scripts.
- OIDC
An identity layer on top of OAuth 2.0 that lets a relying app verify who a user is by trusting an external Identity Provider's token.
P
- PBXHub
The Yeastar cluster server that hosts the Cloud PBX instances themselves, plus their storage for system data and recording files. One PBXHub Server can host up to 100 Cloud PBXs and up to 2,000 extensions.
- pcap
A packet capture file (typically .pcap or .pcapng) containing raw network traffic. The ground truth for voice diagnostics; opened in Wireshark to analyse SIP dialogs, RTP streams, and call quality.
- pcapng
The modern Wireshark capture format. Supports multiple interfaces in one file, embedded comments, and per-packet metadata. Use over legacy `.pcap` unless interoperability with an older tool requires it.
- policy
A reusable bundle of rules, what to block, what to allow, what to log, applied to one or more groups of users, devices, or sites.
- print driver
The software that translates an application's print output into the printer's native command language.
- print queue
A logical destination on a computer that maps a printer name to a print driver and a target device, where jobs wait before they print.
- Printix Anywhere
A virtual print queue that lets a user roam between Printix-managed printers and release the same document at whichever one they walk up to.
- Printix Go
A vendor application that installs on a printer's touchscreen so users sign in with a card or ID code and release jobs without a phone.
- Process Insights
Huntress's process-monitoring service. The agent ships process activity to the platform; the SOC analyses it for malicious or suspicious behaviour using rules mapped against frameworks like MITRE ATT&CK.
- Provisioning Template
A YCM-held baseline of PBX-wide settings (allowed IPs, music on hold, distinctive caller ID, allowed country codes, contact visibility) that the MSP stamps onto a new Cloud PBX at creation, or pushes onto an existing one.
- PSA
Professional Services Automation, the ticketing, time-tracking, billing, and client/contract system of record for an MSP.
- PSE
Yeastar's PBX software. Each customer's PBX is a PSE instance; in the BYOI model, YCM creates and operates these as Cloud PBXs in the MSP's infrastructure.
R
- Rampart
ApisCP's default brute-force deterrent. Jail-based: each auth surface (panel, mail, FTP, terminal) has its own per-IP failure counter. Default is three failures in five minutes = ten-minute block.
- Ransomware Canaries
Decoy files Huntress drops on protected endpoints to detect ransomware. When a ransomware encryptor touches one, the agent fires an early signal before the encryptor reaches real customer data.
- RDAP
HTTPS/JSON successor to WHOIS, with structured output and standardised redaction for individual registrant data.
- re-INVITE
An INVITE sent inside an established SIP dialog to modify it. Common triggers are hold/resume (toggling `a=sendrecv` / `a=sendonly`), codec re-negotiation, network moves, and session-timer refreshes.
- recording rule
The PSE configuration that decides which calls get recorded. Scoped by trunk, extension, queue, conference, IVR, or paging. Combined with user role permissions that decide who can play, download, or delete the resulting files.
- registrant
The legal entity named on the domain lease, the person or company that actually owns the domain. Distinct from the registrar (the company selling the lease) and the technical / billing contacts.
- registrar
The company that sells and renews domain leases on behalf of a TLD's registry. Holds the customer-facing portal where domains are bought, configured, and transferred.
- ring strategy
How a queue or ring group decides which member to ring when a call arrives. Ring groups support Ring All, Ring Sequentially, Memory Hunt, Custom. Queues add Linear, Least Recent, Fewest Calls, Round Robin Memory, and Skill-Based.
- Ringfencing
Constraining what an allowed application can do. ThreatLocker's term for application-level boundaries on file access, network reach, registry, and child processes.
- RMM
Remote Monitoring & Management, agent-based software an MSP installs on every endpoint to inventory, patch, alert, automate, and run scripts at scale.
- RTP
The protocol that carries actual audio packets across the network during a call. Runs over UDP on dynamic high ports negotiated in the SIP SDP body; typically sends one packet every 20 ms per direction.
S
- SAT
Security Awareness Training. Scheduled training assignments and simulated phishing campaigns delivered to end users to reduce the human-error surface in a security stack.
- SBC
The Yeastar cluster server that handles customer-facing security and traffic. PBX web admin, SIP extension registration, Linkus client login and registration, and account-style trunks all traverse the SBC.
- SBC Proxy
The Yeastar cluster server that handles carrier-side and integration traffic. Register trunks, peer trunks (port-based and DID-based), and service ports for SSH / AMI / database grant traverse the SBC Proxy.
- Scope
ApisCP's unified read/write surface for platform configuration. cpcmd scope:get / scope:set / scope:list. Writes trigger configuration cascades; hand-editing config.ini does not, which is why Scopes exist.
- SD-WAN
A WAN-overlay architecture that uses a software control plane to build secure tunnels between sites without relying on dedicated MPLS lines or per-site public IPs. In the Yeastar context, used to connect PBXs across regions for cross-site disaster recovery.
- SDES
An SRTP key exchange mechanism that carries the encryption keys in SDP `a=crypto:` attributes. Confidential only when SIP itself is TLS-protected; plaintext SIP plus SDES is effectively plaintext SRTP.
- SDP
The body inside SIP INVITE and 200 OK messages that describes the audio session. Lists which codecs each side supports, which RTP port and IP it's listening on, and any session-level options.
- secure release
Hold a print job in a queue until the user authenticates at the printer, so the document only comes out when they are standing there.
- serverless print
Print infrastructure delivered without an on-prem print server, with drivers, queues, and routing handled in the cloud and a workstation agent.
- Session timer
A SIP heartbeat for an established dialog (RFC 4028). The named refresher sends a re-INVITE or UPDATE at half the agreed interval; if a refresh doesn't arrive in time, the other side BYEs with cause 408.
- Shared Trunk
A SIP trunk held at the MSP's YCM level and assigned to one or more Cloud PBXes. The MSP holds the carrier credentials once; assignments route the trunk to specific customers, with DIDs bound per-assignment.
- SIEM
A platform that ingests security-relevant logs from many sources (firewalls, endpoints, identity, OS event logs) for correlation, alerting, retention, and investigation.
- signature rule
A condition on an Exclaimer signature controlling whether it applies to a given email, evaluated across Senders, Exceptions, Recipients, Date/Time, and Advanced Rules tabs.
- Signatures Tester
An Exclaimer simulator that walks a chosen sender and recipient against every enabled signature and reports which rules passed or failed, without sending real mail.
- sinkhole
Returning a deliberately wrong answer (or a controlled IP) for a DNS query so the client never reaches the real (malicious) destination.
- SIP
The signalling protocol used to set up, modify, and tear down voice calls. Runs over UDP, TCP, or TLS on port 5060 (5061 for TLS). Carries no audio itself; that's RTP's job.
- SIP ALG
A router feature that inspects SIP traffic and tries to rewrite SDP and open RTP pinholes automatically. In practice on consumer routers it usually breaks more than it helps. Disable on customer routers and handle NAT at the PBX or SBC.
- SIP TLS
SIP signalling over TLS, encrypts the SIP messages (REGISTER, INVITE, etc.) between endpoints and the PBX. Independent of SRTP, which encrypts the audio.
- siteinfo
The ApisCP service class that holds an account's identity fields. Primary domain, admin username, contact email, the plan name. One siteinfo entry per account.
- SLA
A contracted commitment to a measurable response or resolution time, scoped by ticket priority and business hours.
- SNMP
A standardised protocol for monitoring network devices; an NMS polls device-side SNMP agents for metric values (Get) and receives unsolicited event notifications (Trap), with an MIB defining what each device exposes.
- SOC
A staffed team that monitors security telemetry around the clock, triages alerts, investigates suspected compromise, and contains active threats. The "managed" part of MDR / Managed EDR.
- SPF
A TXT record at the apex of a domain that lists which mail servers are authorised to send mail claiming that domain. Receivers check it to detect spoofing.
- split-tunnel VPN
A VPN configuration that routes only some traffic through the VPN and the rest directly through the local network.
- SRTP
Encrypted RTP. Encrypts the audio payload but leaves the RTP header (sequence, timestamp, SSRC, payload type) in cleartext, so flow direction, codec, loss, and jitter remain analysable without keys.
- SRV record
DNS record locating a service at a host and port, used by M365/Teams federation, SIP/VoIP, and some mail autodiscover setups.
- Storage Control
Granular access policy for removable media and file shares. Lets you allow specific USB device serials or specific UNC paths while denying the rest.
- STUN
A protocol (RFC 8489) that lets an endpoint discover its own public IP and port by asking an external STUN server. Used for NAT traversal in SIP softphones and WebRTC clients.
- sub-reseller
A reseller of an MSP's service that itself sits below the MSP in a YCM Hosting User hierarchy, with its own capacity allocation, its own customer base, and (often) its own further sub-tier.
T
- tenant
A logically-isolated customer environment inside a multi-tenant SaaS, your DNSFilter org, the client's M365 tenant, the RMM customer object.
- ThreatLocker Detect
ThreatLocker's telemetry-driven detection module. Rules evaluate event-log, network, and policy signals to fire alerts or automated responses when defined conditions appear.
- ticket
A unit of trackable work in the PSA, every customer interaction, alert response, or request becomes one.
- time condition
A rule that routes calls differently based on the time of day, day of week, or holiday status. PSE supports three modes (system-wide business hours, custom business hours, or custom time periods) and three destination buckets (business hours, outside business hours, holidays).
- TTL
Time To Live, the number of seconds a DNS resolver may cache a record before re-querying. Shorter TTLs make changes propagate faster but increase query load on the authoritative nameserver.
- TURN
A protocol (RFC 8656) that relays SIP / WebRTC media through a public server when STUN can't find a working direct path. Always works, but adds latency and bandwidth cost.
- Two-Factor Authentication
Login that requires both a password (something you know) and a second factor (something you have, usually a TOTP code from an authenticator app or an emailed one-time code). Reduces the impact of credential theft.
- TXT record
General-purpose DNS record carrying free-form text. Multiple TXT records on the same name are allowed and additive.
U
- Unified Audit
ThreatLocker's central activity log. Every policy match across every module (Application Control, Storage, Network, Elevation) lands here with a Permit, Deny, or Ringfenced verdict.
- Universal Allow / Block list
In DNSFilter, an organisation-wide allow or block list whose entries apply to every Filtering Policy in that organisation.
- Unwanted Access
Huntress ITDR feature for managing logins from unfamiliar countries and VPNs. Login events that don't match a user's Microsoft Entra usage location or an Expected rule become escalations the partner resolves by creating a rule.
W
- webhook
An HTTP-based callback an application registers with a service so the service pushes event notifications (POST requests with a JSON payload) to a URL the application controls, instead of the application polling.
- whitelabel
Reselling a service under your own brand, your logo, your domain, your customer-facing identity, with the underlying vendor invisible.
- WHOIS
Legacy protocol for querying domain registration data: registrar, creation/expiry dates, status flags, nameservers, and (often-redacted) registrant contacts.