cyber-101

What's the difference between Signals, Transactions, and Indicators?

Clarifying on some vague terminology

Mike Berggren

08 Aug 2025 — 2 min read

💡

This is part of an on-going series in cybersecurity foundations. Check the cyber 101 article tag index from time to time for more content.

It's common for cybersecurity marketing material to reference absolutely MASSIVE statistics. Sometimes though, the terms can blur together. In today's article, I want to take a moment to differentiate between three related terms: Signals, Transactions, and Indicators.

Signal - This is an individual data point (typically in a very raw or basic form). It could be virtually ANYthing. In geeky engineering speak, we can think of it as being physical or interrupt-based. Common examples include:
- A single log event
- A network packet
- A device being connected/disconnected
- The beginning of a query/operation (before any results or response comes back)
Transaction - This encompasses more of a complete activity or action. It could be a collection of multiple steps that need to happen for the transaction to be considered successful. We can think of it as being atomic and purposeful in nature. It has a clearly defined beginning and end. Examples of transactions include:
- Visiting a web page
- Uploading a file
- Receiving an email
Indicator - This is basically a piece of data that provides meaning, interest, or significance to a signal (or group of signals). The idea here is that SOMEthing about the signal warrants attention. Examples of indicators include:
- Network packets sent to (or from) known malicious IP addresses
- An unusual/unexpected protocol request
- A normal action happening at an unusual time of day (e.g. Bob's laptop trying to connect to corporate resources at 3 AM in the morning).