Cybersecurity terms, defined

The defensive security team responsible for detecting, responding to, and mitigating security incidents. Operates the SOC, investigates alerts, maintains security tools, and participates in exercises against red team engagements.

A program where researchers receive monetary rewards for reporting vulnerabilities in an organization's systems. Complements penetration testing by providing ongoing, crowdsourced security testing. Major platforms: HackerOne, Bugcrowd, Intigriti.

An authorized simulated attack against an organization's systems to evaluate security by actively attempting to exploit vulnerabilities. Distinct from vulnerability scanning in that penetration testing is manual, attempts real exploitation, and chains vulnerabilities into realistic attack paths.

A collaborative exercise between offensive (red) and defensive (blue) teams where attacks and defenses are coordinated in real time to improve detection coverage. More educational than adversarial. The goal is to tune detections against real attacker tradecraft.

An offensive security engagement that simulates an advanced persistent threat. Longer duration than a penetration test (weeks to months), broader scope including social engineering and physical security, and typically evaluates the blue team's detection and response capability rather than just finding vulnerabilities.

Systematic identification of known vulnerabilities in systems, typically using automated scanners. Identifies CVEs and known misconfigurations but does not attempt exploitation. Required alongside penetration testing by PCI DSS 4.0 (Requirement 11.3 for vulnerability scans, 11.4 for penetration testing).

A formal channel for external researchers to report security vulnerabilities. Unlike bug bounty, VDPs do not offer monetary rewards. CISA Binding Operational Directive 20-01 required federal agencies to have a VDP. Increasingly standard for enterprises.

US Department of Defense framework for certifying contractor cybersecurity. CMMC 2.0 final rule effective December 2024. Level 1 (17 practices, FCI) self-assessed. Level 2 (110 practices, NIST 800-171, CUI) requires C3PAO assessment. Level 3 (higher-threat CUI) government-assessed.

Email authentication standard that ties SPF and DKIM together with policy and reporting. Gmail and Microsoft require DMARC for bulk senders since 2024-2025. Policies: p=none (monitor), p=quarantine (spam folder failures), p=reject (outright reject failures).

US law governing protection of Protected Health Information (PHI). Security Rule (45 CFR 164.308-164.312) requires administrative, physical, and technical safeguards. Proposed 2024-2026 Security Rule update would mandate annual penetration testing, MFA, encryption, and faster breach notification.

The international standard for Information Security Management Systems (ISMS). Certification issued by accredited certification bodies. Covers 93 controls across Organizational, People, Physical, and Technological themes. More common internationally than SOC 2; often pursued alongside SOC 2 for global organizations.

New York Department of Financial Services cybersecurity regulation governing NY-licensed financial services entities. Requires designated CISO, annual penetration testing, MFA, encryption, risk-based controls, 72-hour incident notification, and annual certification of compliance. Class A Companies face additional requirements.

The Payment Card Industry Data Security Standard. Required for any organization that stores, processes, or transmits cardholder data. PCI DSS 4.0 became mandatory March 31, 2025 and introduced requirements for annual penetration testing (11.4), payment page script monitoring (6.4.3, 11.6.1), and phishing-resistant MFA (8.3).

An attestation report issued by a CPA firm evaluating an organization's controls against the AICPA Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). SOC 2 Type I is point-in-time; Type II covers a period (typically 6 months). Standard expectation for B2B SaaS serving enterprise customers.

A threat actor. Typically nation-state or well-resourced criminal. That maintains persistent, targeted access to a specific organization over extended time periods (months to years). Named examples: APT28 (Russia), APT29 (Russia), Volt Typhoon (China), Lazarus Group (North Korea), Scattered Spider (mixed affiliate).

Fraud schemes where attackers impersonate executives or vendors via email (often using a compromised account or spoofed domain) to trigger fraudulent wire transfers or data disclosure. FBI IC3 reports $2.9 billion in BEC losses for 2024 alone. Larger than all ransomware losses combined.

Malware that harvests credentials, session cookies, cryptocurrency wallets, and browser-stored data from compromised endpoints. Major families: RedLine, Raccoon, Lumma, StealC. Infostealers harvested an estimated 16 billion credentials in 2025. The pipeline between personal-device compromise and corporate ransomware attacks.

Malware that encrypts victim data and demands payment for decryption. 2024-2026 variants use double extortion (encrypt + threaten to leak exfiltrated data) and triple extortion (add DDoS or customer notification threats). Average payout in 2025: $1.8 million (Sophos State of Ransomware 2025).

Threat group responsible for 2023 MGM Resorts and Caesars Entertainment breaches. Specializes in help desk social engineering and identity provider (Okta, Entra ID) targeting. Active in 2026 with refined playbook combining rate-limit bypass and social engineering.

An attack targeting a trusted third party to compromise downstream consumers. Major examples: SolarWinds (2020), Kaseya (2021), MOVEit (2023), XZ Utils (2024), npm Axios (2026). Defense requires SBOM, dependency pinning, artifact signing (Sigstore), and verification of signed artifacts.

A vulnerability unknown to the vendor and for which no patch exists. Zero-day exploits have high value on the broker market. IOS zero-click chains $2M+, iMessage $500K, browser sandbox escape $100K-$1M. "N-day" refers to patched vulnerabilities attackers continue to exploit against un-updated systems.

Open authentication standards (FIDO Alliance + W3C) enabling phishing-resistant passwordless authentication via hardware security keys (YubiKey, Google Titan) or device-bound credentials (passkeys). Cryptographically binds authentication to the legitimate origin, defeating phishing.

Privileged access model where elevated permissions are granted temporarily on demand, rather than permanently assigned. Reduces standing privilege. Fewer accounts with persistent high-value credentials to compromise. Microsoft Entra PIM, Okta Workflows, Opal, Teleport are common implementations.

Network authentication protocol used in Active Directory and similar environments. Uses ticket-based authentication (TGT and service tickets). Common attack patterns: Kerberoasting (extracting service tickets and cracking offline), Golden Ticket (forging TGTs with a compromised KRBTGT hash), Silver Ticket (forging service tickets).

Authentication requiring two or more independent factors: something you know (password), something you have (device, hardware key), something you are (biometric). Phishing-resistant MFA (FIDO2/WebAuthn, passkeys) is the 2026 standard; SMS MFA is deprecated.

Authorization framework for delegated access. Letting an application access resources on behalf of a user without the user sharing credentials with the application. OAuth 2.1 (finalized 2026) mandates PKCE, removes implicit and password grants, and tightens redirect URI handling.

A phishing-resistant credential based on FIDO2/WebAuthn standards, stored in a device's secure enclave and authenticated biometrically. Bound to specific origins, so attackers cannot phish passkeys via lookalike sites. Apple, Google, Microsoft, and most major password managers support passkeys.

Controls and tools for managing privileged accounts (admins, service accounts, break-glass). Includes credential vaulting, session recording, just-in-time elevation, and audit logging. Major vendors: CyberArk, Delinea, BeyondTrust.

Authentication scheme letting users sign in once and access multiple applications without re-authenticating. Enterprise SSO typically uses SAML 2.0 or OIDC (OpenID Connect over OAuth 2.0). Primary identity providers: Okta, Microsoft Entra ID (formerly Azure AD), Google Workspace, Ping Identity.

Security model where no implicit trust is granted based on network location. Every request is authenticated and authorized per-resource with continuous verification of identity, device, and context. Defined in NIST SP 800-207. ZTNA (Zero Trust Network Access) is the product category that replaces traditional VPNs.

Product category for monitoring and enforcing security policies on SaaS application usage. Discovers shadow IT, enforces DLP in-stream, detects risky behavior. Often part of SSE platforms now.

Tools that continuously evaluate cloud infrastructure configurations (AWS, GCP, Azure) against security best practices and compliance frameworks. Major vendors: Wiz, Prisma Cloud, Orca, Lacework. Native: AWS Security Hub, Azure Defender, GCP Security Command Center.

Integrated platform combining CSPM + CWPP (workload protection) + CIEM (cloud infrastructure entitlement management) + DSPM (data security posture management). Wiz, Prisma Cloud, Orca Security are the leading CNAPP vendors.

Breaking out of a container's isolation to access the host node. Common vectors: privileged containers, hostPath mounts, capability abuse (SYS_ADMIN, NET_ADMIN), kernel exploits, exposed Docker socket. Admission controllers block most container escape prerequisites.

Cloud metadata endpoint providing credentials and instance information to workloads. AWS IMDSv1 is exploitable via SSRF; IMDSv2 requires session tokens and prevents common SSRF-to-credential-theft patterns. The Capital One breach (2019) exploited IMDSv1 and resulted in $190M in settlements.

Container orchestration platform. Common security concerns: RBAC misconfiguration, admission controllers missing, container escape via privileged pods, compromised service accounts with broad permissions, secrets mismanagement.

Gartner category combining ZTNA + Secure Web Gateway (SWG) + Cloud Access Security Broker (CASB) + sometimes DLP and browser isolation. Delivered as cloud service. Major vendors: Zscaler, Netskope, Cloudflare, Palo Alto Prisma, Cisco Umbrella, Cato.

Product category replacing traditional VPN with identity-aware per-application access policies. No network-wide trust. Major vendors: Zscaler, Cloudflare Access, Netskope, Palo Alto Prisma Access, Cato Networks, Tailscale, Twingate.

Vulnerability where untrusted content is rendered in a user's browser without proper encoding, allowing attacker JavaScript to execute in the victim's session context. Stored XSS persists in database; reflected XSS requires a crafted URL. CSP and output encoding are primary mitigations.

Security testing that runs against a deployed application, probing for vulnerabilities from the outside. Major tools: Burp Suite, OWASP ZAP, Invicti (Netsparker), StackHawk, Detectify. Complementary to SAST.

Vulnerability where an application uses user-supplied input to access resources without proper authorization checks. Classic example: changing ?invoice_id=123 to ?invoice_id=124 and seeing another customer's invoice. Often found via parameter tampering.

Vulnerability allowing an attacker to execute arbitrary code on a remote system. The highest-severity class of vulnerability. Common via deserialization flaws, command injection, template injection (SSTI), file upload + execution, memory corruption.

Security testing that analyzes source code (or compiled bytecode) without executing it, looking for patterns that indicate vulnerabilities. Major tools: Semgrep, Checkmarx, Veracode, Fortify, SonarQube, Snyk Code, GitHub CodeQL.

Tools that scan software dependencies for known vulnerabilities (CVEs). Essentially mandatory for modern applications where 80%+ of code is third-party. Major tools: Snyk Open Source, Dependabot, Sonatype, JFrog Xray, Semgrep Supply Chain.

Vulnerability where an application can be coerced into making arbitrary HTTP(S) requests on the attacker's behalf. Classic exploitation chain: application SSRF → cloud metadata service (IMDS) → credential theft → cloud account compromise. Mitigated by network egress controls and URL allowlisting.

Vulnerability where untrusted input is included in SQL queries without proper parameterization. Classic OWASP Top 10 issue. Mitigated by parameterized queries / prepared statements, ORM usage with safe defaults, and input validation.

Model where customer provides their own encryption keys to a cloud service instead of using provider-managed keys. Higher control (customer can revoke access by destroying the key) and often required for regulated data. Contrast with customer-managed keys (CMK) which are cloud-held but customer-controlled.

Physical device that generates, stores, and uses cryptographic keys in tamper-resistant hardware. Required for root CA signing keys, high-value TLS certificates, and financial services transaction signing. Major options: cloud HSMs (AWS CloudHSM, Azure Dedicated HSM), Thales / Gemalto, Utimaco.

Cloud-managed service for encryption key lifecycle. AWS KMS, Azure Key Vault, Google Cloud KMS. Supports customer-managed keys (CMK) for encryption-at-rest of cloud resources. Integrates with IAM for access control on encryption operations.

TLS configuration where both client and server present certificates for mutual authentication. Common in service mesh (Istio, Linkerd) and for API authentication. Prevents common credential theft because stolen bearer tokens cannot be used without the corresponding private key.

Cryptographic algorithms resistant to attacks by quantum computers. NIST finalized first PQC standards in 2024: ML-KEM (key encapsulation), ML-DSA (digital signatures), SLH-DSA (hash-based signatures). TLS, SSH, and VPN implementations are migrating now to defend against "harvest now, decrypt later" attacks.

Government-designated sensitive information that is not classified but requires protection. Governs federal contractor data handling under CMMC 2.0. Storage and transmission of CUI in cloud requires FedRAMP Moderate or equivalent (AWS GovCloud, M365 GCC High).

Controls and tools to detect and prevent unauthorized data exfiltration. Endpoint DLP monitors file operations; network DLP inspects egress traffic; cloud DLP (integrated in Microsoft Purview, Google DLP) monitors SaaS. Effectiveness depends on data classification accuracy.

Information that can identify a specific individual directly or combined with other data. Different privacy laws define PII differently. GDPR uses "personal data" broadly; CCPA defines it specifically. Sensitive PII subsets include Social Security numbers, financial account numbers, biometrics, precise geolocation.

Health information covered by HIPAA. Any individually identifiable health information in any medium (electronic, paper, oral). 18 HIPAA identifiers include names, dates, contact info, SSNs, medical record numbers, biometrics. ePHI is electronically stored or transmitted PHI.

Replacing sensitive data (credit card numbers, SSNs) with non-sensitive equivalents (tokens) that can be reversed only with access to the tokenization service. Used in payment processing. PCI DSS scope reduction because systems handling tokens are out of PCI scope.

Security tooling deployed on endpoints (laptops, servers) providing visibility into process execution, network connections, and file operations. Detects behavioral anomalies that signature-based antivirus misses. Major vendors: CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, Palo Alto Cortex XDR.

Evolution of EDR integrating endpoint, network, identity, email, and cloud telemetry for cross-domain correlation. Major platforms: CrowdStrike Falcon Insight XDR, Microsoft Defender XDR, Palo Alto Cortex XDR, SentinelOne Singularity XDR.

Organized approach to detecting, containing, investigating, and recovering from security incidents. Phases: preparation, detection, analysis, containment, eradication, recovery, post-incident review. Many organizations maintain IR retainers with external forensics firms for faster engagement.

Outsourced security operations service combining EDR/XDR tooling with 24x7 human analysts who triage alerts and respond to incidents. Alternative to building an in-house SOC. Major providers: Expel, Red Canary, Arctic Wolf, CrowdStrike Falcon Complete.

Platform that collects and correlates security logs from across an environment for detection, investigation, and compliance reporting. Major vendors: Splunk, Microsoft Sentinel, Google Chronicle, Sumo Logic, Elastic, Exabeam, IBM QRadar.

Platforms that automate incident response workflows. Ingesting alerts, running enrichment, executing containment actions. Major tools: Palo Alto XSOAR, Splunk SOAR, Tines, Torq, Swimlane.

Public identifier assigned to a specific disclosed vulnerability in the format CVE-YYYY-NNNNN. MITRE assigns CVE IDs through CNAs (CVE Numbering Authorities). National Vulnerability Database (NVD) adds severity scoring (CVSS) and impact analysis.

Industry-standard vulnerability severity scoring. CVSS 3.1 (and the newer 4.0) produces a 0-10 score with Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9). Based on exploitability, impact, and environmental factors.

Classification system for software weaknesses. Each vulnerability maps to one or more CWEs. E.g., CWE-79 (XSS), CWE-89 (SQL injection), CWE-78 (Command injection). CWE Top 25 lists the most dangerous weaknesses.

Gathering intelligence from publicly available sources. Websites, social media, DNS records, code repositories, breach data, court records. Standard initial phase of penetration testing engagements. Tools: Shodan, Censys, Maltego, the Harvester, Recon-ng.

Manipulating humans to obtain unauthorized access or information. Common categories: phishing (email), vishing (voice), smishing (SMS), pretexting (invented scenario). Responsible for the majority of breaches. Scattered Spider, BEC actors, and most APTs rely heavily on social engineering.