Cybersecurity Glossary
150+ Security Terms, Plainly Defined
Plain-language definitions for the terms practitioners use every day. Each definition starts with a direct answer and includes the context that makes the term actionable. Covers attack techniques, cloud security, identity, detection engineering, malware, compliance frameworks, and more.
122 terms across 25 letters
A
Active Directory (AD)
Identity SecurityMicrosoft's directory service for Windows domain networks that centrally manages user accounts, computer accounts, group policies, and authentication. AD is the primary target for lateral movement in enterprise intrusions because Domain Admin privileges provide unrestricted access to all domain-joined systems. BloodHound is the standard tool for visualizing AD attack paths.
See guide: /blog/bloodhound-ad-attack-path-analysis-defenders-guide
Advanced Persistent Threat (APT)
Threat IntelligenceA nation-state or sophisticated criminal group that conducts prolonged, targeted intrusion campaigns against specific organizations. APT groups maintain long-term access to victim networks and prioritize stealth over speed, often dwelling undetected for months. MITRE ATT&CK catalogs the TTPs of over 100 named APT groups.
See guide: /blog/how-to-use-mitre-attack-framework-threat-reports
AiTM Attack (Adversary-in-the-Middle)
Attack TechniquesAn attack that proxies authentication sessions in real time to steal session cookies, bypassing MFA by intercepting the post-authentication token rather than the credential. AiTM frameworks like Evilginx2 create a reverse proxy that sits between the victim and the legitimate authentication page. Phishing-resistant MFA (FIDO2/passkeys) is the only reliable defense.
See guide: /blog/phishing-resistant-mfa-fido2-passkey-deployment
API Security
Application SecurityThe practice of protecting application programming interfaces from unauthorized access, injection attacks, broken authorization, and data exposure. The OWASP API Security Top 10 defines the most critical API risks including BOLA (Broken Object Level Authorization), excessive data exposure, and lack of rate limiting. API security testing requires specialized tooling distinct from traditional web app scanning.
Attack Surface
Vulnerability ManagementThe total set of entry points through which an attacker could attempt to gain unauthorized access to a system, including exposed network services, web application endpoints, user accounts, third-party integrations, and physical access points. Reducing attack surface is a foundational security principle: every service, port, or account that is not needed should be disabled. Attack Surface Management (ASM) tools continuously discover and inventory an organization's external attack surface.
See guide: /blog/vulnerability-management-program-best-practices
Attack Surface Management (ASM)
Vulnerability ManagementA continuous discovery and monitoring practice that maintains an up-to-date inventory of an organization's external-facing assets and identifies security exposures before attackers do. ASM tools use the same passive and active reconnaissance techniques as attackers to discover unknown internet-facing assets, shadow IT, and newly exposed services.
See guide: /blog/vulnerability-management-program-best-practices
AI Security
Emerging ThreatsThe practice of securing artificial intelligence and machine learning systems against adversarial attacks, data poisoning, model theft, and prompt injection, while also defending against AI-assisted threats such as deepfake social engineering, AI-generated phishing, and automated exploit generation. AI security encompasses both protecting AI systems (model integrity, training data security, inference API access controls) and defending against attackers who weaponize AI to scale and accelerate attacks. Prompt injection in LLM-integrated applications is the emerging vulnerability class most analogous to SQL injection in traditional web applications.
ASPM (Application Security Posture Management)
Application SecurityA tool category that aggregates, normalizes, and correlates findings from multiple application security testing tools (SAST, DAST, SCA, secrets scanning, IaC scanning) into a unified risk view, enabling security teams to prioritize application vulnerabilities by business criticality rather than managing separate tool dashboards. ASPM platforms ingest scan results from multiple sources, deduplicate findings that appear across tools, and provide a single pane of glass for application security risk. Veracode, Semgrep, and Cycode are representative ASPM platforms.
B
BloodHound
Offensive SecurityAn open-source tool that maps Active Directory relationships and visualizes attack paths from any user account to Domain Admin using graph theory. Security teams use BloodHound defensively to identify and remediate misconfigured permissions before attackers exploit them. SharpHound is the data collector that gathers AD relationship data for analysis in BloodHound.
See guide: /blog/bloodhound-ad-attack-path-analysis-defenders-guide
BOLA (Broken Object Level Authorization)
Application SecurityThe most common critical API vulnerability, where an API allows users to access objects belonging to other users by manipulating object identifiers in the request. BOLA is exploited by changing a user ID, order number, or document ID in an API request to retrieve another user's data. Testing for BOLA requires creating two accounts and verifying that account A cannot access account B's resources by ID manipulation.
Brute Force Attack
Attack TechniquesAn authentication attack that systematically tries all possible credential combinations until the correct one is found. Password spray (trying one common password against many accounts) is a variant that avoids account lockout by limiting attempts per account. Phishing-resistant MFA, account lockout policies, and login rate limiting are the primary defenses.
Buffer Overflow
Attack TechniquesA memory corruption vulnerability where a program writes data beyond the allocated buffer boundary, overwriting adjacent memory and potentially allowing an attacker to redirect execution to attacker-controlled shellcode. Stack-based buffer overflows are the classic form; heap overflows and integer overflows are related variants. Modern mitigations include ASLR, stack canaries, and NX/DEP.
See guide: /blog/cve-2021-3156-baron-samedit-sudo-heap-overflow
Business Email Compromise (BEC)
Social EngineeringA fraud scheme in which attackers impersonate a trusted party via email to manipulate an employee into wiring funds, changing payment account details, or disclosing sensitive information. BEC does not require malware and relies entirely on social engineering. Out-of-band verification via a known phone number before any wire transfer is the single most effective control.
Botnet
MalwareA network of internet-connected devices compromised by malware and controlled remotely by an attacker through a command-and-control (C2) infrastructure. Botnets are used for DDoS attacks, credential stuffing, spam and phishing distribution, cryptomining, and as proxy infrastructure to anonymize attack traffic. Individual compromised devices in a botnet are called bots or zombies. The Mirai botnet (2016) demonstrated that IoT devices with default credentials are highly susceptible to botnet recruitment and can generate record-breaking DDoS volumes.
See guide: /blog/how-to-detect-living-off-the-land-lolbin-attacks
C
C2 (Command and Control)
MalwareThe infrastructure and protocol used by malware to communicate with the attacker's server to receive instructions, exfiltrate data, and deliver additional payloads. Modern C2 frameworks (Cobalt Strike, Sliver, Havoc) use encrypted HTTPS traffic that blends with normal web traffic to evade detection. DNS-over-HTTPS and domain fronting are techniques used to obscure C2 traffic from network monitoring.
CASB (Cloud Access Security Broker)
Cloud SecurityA security control point positioned between users and cloud service providers to enforce security policies including DLP, access control, and threat detection for cloud application usage. CASBs operate in two modes: inline (traffic is proxied through the CASB) and API-based (the CASB connects to cloud services via API to audit activity). CASBs are a core component of SASE and SSE architectures.
CIS Controls
ComplianceA prioritized set of security best practices developed by the Center for Internet Security that organizations use to defend against the most pervasive cyberattacks. The 18 CIS Controls are organized into three Implementation Groups based on organizational maturity and risk profile. IG1 defines the minimum baseline of cyber hygiene for all organizations.
CNAPP (Cloud-Native Application Protection Platform)
Cloud SecurityA converged security platform that combines CSPM, CWPP, CIEM, and attack path analysis into a single tool for protecting cloud-native workloads from development through runtime. CNAPP emerged as organizations recognized that separate point tools for cloud posture, workload protection, and identity entitlements created blind spots at their intersections. Wiz, Orca Security, Prisma Cloud, and Lacework are leading CNAPP platforms.
Cobalt Strike
Offensive SecurityA commercial adversary simulation platform widely used in red team engagements that provides a C2 framework, beacon implant, and post-exploitation toolkit. Cracked versions of Cobalt Strike are used extensively by ransomware affiliates and nation-state actors as post-exploitation infrastructure. Detecting Cobalt Strike beacons via JARM fingerprinting, named pipe artifacts, and beacon configuration extraction is a core defensive skill.
Credential Stuffing
Attack TechniquesAn automated attack that uses large lists of stolen username and password pairs from prior data breaches to attempt authentication against other services, exploiting password reuse. Credential stuffing attacks are effective because a significant percentage of users reuse passwords across multiple services. Mitigations include MFA, device fingerprinting, CAPTCHA, and monitoring for authentication anomalies.
CSPM (Cloud Security Posture Management)
Cloud SecurityA tool category that continuously monitors cloud environments for security misconfigurations, policy violations, and excessive permissions compared to security benchmarks. CSPM tools identify issues like publicly accessible S3 buckets, disabled logging, open security groups, and overly permissive IAM roles without requiring agents on cloud resources. CSPM has largely been absorbed into CNAPP platforms that extend posture management to workload runtime and attack path analysis.
CVE (Common Vulnerabilities and Exposures)
Vulnerability ManagementA standardized identifier assigned to publicly disclosed cybersecurity vulnerabilities, maintained by MITRE and funded by CISA, using the format CVE-YEAR-NUMBER (e.g., CVE-2021-44228). Each CVE entry includes a description and references to advisories, patches, and technical analysis. The NVD (National Vulnerability Database) enriches CVE records with CVSS scores, CWE classifications, and CPE affected product lists.
CVSS (Common Vulnerability Scoring System)
Vulnerability ManagementA standardized numerical framework for rating the severity of security vulnerabilities on a 0-10 scale, with scores categorized as None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). CVSS scores reflect technical characteristics of the vulnerability but not real-world exploitability or prevalence. EPSS and SSVC provide better prioritization signals than CVSS alone.
See guide: /blog/vulnerability-management-program-best-practices
Cyber Threat Intelligence (CTI)
Threat IntelligenceAnalyzed information about threat actors, their tactics and techniques, and the infrastructure they use, produced to inform defensive decisions and reduce response time during incidents. CTI is categorized as strategic (trends for executive decision-making), operational (campaign-level information for IR teams), and tactical (IOCs and TTPs for detection engineering). STIX/TAXII are the standard formats and protocols for sharing CTI between organizations.
Container Security
Cloud SecurityThe practices and tools for securing containerized applications throughout the software lifecycle: scanning container images for known vulnerabilities and embedded secrets before deployment, enforcing runtime protection to detect anomalous container behavior, and implementing Kubernetes RBAC and network policies to limit blast radius if a container is compromised. Container image scanning tools (Trivy, Grype, Snyk Container) check images against CVE databases before they reach production. Runtime security platforms (Falco, Sysdig, Aqua) monitor running container syscalls for behavior that deviates from a defined profile. Container security converges with CNAPP in modern cloud-native security architectures.
CWPP (Cloud Workload Protection Platform)
Cloud SecurityA security tool category that protects cloud workloads -- virtual machines, containers, and serverless functions -- at runtime through agent-based monitoring, vulnerability assessment, and behavioral detection. CWPPs monitor processes, file system activity, and network connections on cloud workloads and alert on behavior indicating compromise. CWPP has largely been absorbed into CNAPP platforms that integrate workload protection with cloud posture management and attack path analysis into a single platform. Prisma Cloud, Wiz, and Aqua Security provide CWPP capabilities as part of broader CNAPP offerings.
See guide: /blog/cloud-security-posture-management-cspm-implementation-guide
D
DAST (Dynamic Application Security Testing)
Application SecuritySecurity testing that attacks a running application to find vulnerabilities by sending malicious inputs and observing responses, without access to source code. DAST tools like Burp Suite, OWASP ZAP, and Nuclei can discover SQL injection, XSS, authentication flaws, and API vulnerabilities that static analysis misses. DAST complements SAST; neither covers all vulnerability classes alone.
DCSync
Attack TechniquesA post-exploitation technique that abuses Active Directory replication protocol rights to extract password hashes for all domain users, including the krbtgt account, without running code on a Domain Controller. An attacker with Replicating Directory Changes permissions can execute DCSync using tools like Mimikatz. Detection requires monitoring for anomalous DS-Replication-Get-Changes-All directory service access events.
See guide: /blog/dcsync-golden-ticket-detection-windows-event-logs
Defense in Depth
Security ArchitectureA security architecture strategy that layers multiple independent security controls so that the failure of any single control does not result in complete compromise. The layered approach ensures attackers must defeat multiple barriers to reach their objective. Defense in depth is a core principle in frameworks like NIST CSF, CIS Controls, and ISO 27001.
See guide: /blog/vulnerability-management-program-best-practices
DGA (Domain Generation Algorithm)
MalwareA malware technique that generates large numbers of pseudo-random domain names as potential C2 communication endpoints, making it difficult to block C2 traffic by blacklisting specific domains. Malware using DGAs generates hundreds or thousands of domains daily; only a few are registered by the attacker at any time. DGA detection uses statistical analysis of domain name entropy and linguistic patterns to identify algorithmically generated domains in DNS logs.
See guide: /blog/how-to-detect-living-off-the-land-lolbin-attacks
DLP (Data Loss Prevention)
Data SecurityA security technology that monitors, detects, and blocks the unauthorized transmission of sensitive data outside the organization's control. DLP policies can detect credit card numbers, Social Security numbers, health records, and custom sensitive data patterns in email, web uploads, USB transfers, and cloud application activity. Modern DLP is increasingly integrated into SASE, CASB, and endpoint security platforms rather than deployed as standalone appliances.
Dwell Time
Threat IntelligenceThe period between when an attacker first gains access to a network and when the intrusion is detected and contained. Lower dwell times mean less data exfiltrated and lower breach costs; the global median dwell time has declined from over 200 days in 2016 to approximately 16 days in 2023 according to Mandiant M-Trends data. Organizations with mature EDR and SIEM capabilities consistently detect intrusions faster than those relying on external notification.
Deception Technology
Detection EngineeringSecurity tools that deploy decoy assets (fake credentials, fake servers, fake files, honeytoken accounts) throughout an enterprise environment to detect attackers by observing their interaction with resources that have no legitimate use. Unlike perimeter-based detection, deception technology detects attackers who have already bypassed initial defenses and are performing reconnaissance or lateral movement. Any interaction with a decoy asset is a high-confidence detection signal because there is no legitimate reason to access it. Attivo Networks, Illusive, and TrapX are representative deception technology platforms.
DevSecOps
Application SecurityThe integration of security practices directly into the DevOps CI/CD pipeline, shifting security testing left so that vulnerabilities are found and fixed during development rather than discovered after production deployment. DevSecOps practices include SAST and SCA scanning in CI pipelines, secrets detection in code commits, IaC security scanning before infrastructure deployment, and developer security training. The goal is to make security a shared responsibility of development, operations, and security teams rather than a gating process at deployment time.
E
EDR (Endpoint Detection and Response)
Endpoint SecuritySecurity software that continuously records endpoint activity and uses behavioral analysis to detect, investigate, and respond to threats on laptops, servers, and workstations. EDR platforms provide visibility into process execution, network connections, file modifications, and registry changes, enabling retrospective investigation of incidents that bypassed prevention. Leading EDR platforms include CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint.
See guide: /blog/crowdstrike-vs-sentinelone-edr-buyers-guide
EPSS (Exploit Prediction Scoring System)
Vulnerability ManagementA machine learning model maintained by FIRST that estimates the probability of a CVE being exploited in the wild within the next 30 days, expressed as a percentage. EPSS scores complement CVSS by adding an exploitability probability signal derived from threat intelligence feeds and real-world exploitation data. A vulnerability with EPSS 0.8 should be prioritized over a higher CVSS score with EPSS 0.01, regardless of theoretical severity.
See guide: /blog/vulnerability-management-program-best-practices
Exploit
Vulnerability ManagementCode or a technique that takes advantage of a software vulnerability to cause unintended behavior, typically to achieve code execution, privilege escalation, or authentication bypass. A proof-of-concept (PoC) exploit demonstrates that a vulnerability is exploitable; a weaponized exploit is reliable enough for use in attacks. The availability of a public exploit dramatically increases the risk of a vulnerability and should accelerate patching priority.
See guide: /blog/epss-vulnerability-prioritization-patching-workflow-guide
F
FIDO2 / Passkeys
Identity SecurityAn authentication standard developed by the FIDO Alliance and W3C that uses public-key cryptography to replace passwords with phishing-resistant credentials stored on a user's device. Unlike TOTP codes, FIDO2 credentials are cryptographically bound to the specific domain and cannot be used on a different site even if a user is tricked into visiting a phishing page. Passkeys are FIDO2 credentials that sync across devices via platform providers (Apple Keychain, Google Password Manager).
Firewall (NGFW)
Network SecurityA network security device that inspects and controls traffic based on application identity, user identity, and content in addition to traditional port and protocol rules. NGFWs integrate intrusion prevention, SSL inspection, URL filtering, and advanced threat prevention into a single platform. Palo Alto Networks, Fortinet, and Check Point are the leading NGFW vendors.
G
GDPR (General Data Protection Regulation)
ComplianceThe European Union's primary data protection law, effective May 2018, that establishes rights for EU residents regarding their personal data and obligations for organizations that process it. GDPR requires organizations to implement appropriate security measures, report data breaches to supervisory authorities within 72 hours, and obtain lawful basis for processing personal data. Penalties reach 4% of global annual turnover or 20 million euros, whichever is higher.
Golden Ticket Attack
Attack TechniquesA Kerberos attack where an attacker who has obtained the NTLM hash of the krbtgt account can forge TGTs for any user in the domain with any group membership. Golden Tickets remain valid until the krbtgt password is reset twice and can persist even after account password changes. Detection requires monitoring for anomalous Kerberos ticket characteristics such as unusual encryption types or lifetimes.
See guide: /blog/dcsync-golden-ticket-detection-windows-event-logs
H
HIPAA
ComplianceThe US Health Insurance Portability and Accountability Act, which establishes security and privacy requirements for covered entities and their business associates that handle protected health information (PHI). HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI; the Breach Notification Rule requires notification to affected individuals within 60 days of discovering a breach.
Honeypot
Detection EngineeringA decoy system or resource intentionally deployed to attract and detect attacker activity, with no legitimate use that would explain access by authorized users. Any interaction with a honeypot is a high-fidelity detection signal because there is no legitimate reason to access it. Honeytoken credentials planted in accessible locations generate alerts when attackers try to use them.
I
IAM (Identity and Access Management)
Identity SecurityThe processes and technologies for managing digital identities and controlling user access to resources, encompassing user provisioning, authentication, authorization, and access review. In cloud environments, IAM policy misconfiguration is the leading cause of unauthorized access. IAM governance requires regular access reviews, principle of least privilege enforcement, and detection of anomalous API usage.
See guide: /blog/okta-vs-entra-id-identity-platform-buyers-guide
IaC Security
Cloud SecurityThe practice of scanning Infrastructure as Code templates (Terraform, CloudFormation, Bicep, Helm charts) for security misconfigurations before deployment. IaC scanning tools like Checkov, tfsec, KICS, and Trivy integrate into CI/CD pipelines to catch public buckets, open security groups, and unencrypted databases before they reach production. Fixing misconfigurations in IaC is free; fixing them after a breach is expensive.
See guide: /blog/terraform-iac-security-scanning-tfsec-checklist
IDS / IPS
Network SecurityIntrusion Detection Systems (IDS) monitor network traffic for malicious patterns and alert on suspicious activity; Intrusion Prevention Systems (IPS) do the same but can automatically block or drop malicious traffic in real time. Snort and Suricata are the leading open-source IDS/IPS engines, while commercial NGFWs embed IPS functionality. Detection accuracy depends heavily on the quality and freshness of the signature rule sets applied.
Incident Response (IR)
Incident ResponseThe structured process of detecting, containing, eradicating, and recovering from a cybersecurity incident while preserving forensic evidence for investigation and legal purposes. The NIST IR lifecycle has four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Organizations without pre-established IR playbooks and retainer agreements consistently experience longer dwell times and higher breach costs.
IOC (Indicator of Compromise)
Threat IntelligenceObservable evidence that a system may have been compromised, including file hashes, IP addresses, domain names, registry keys, and network signatures associated with known malicious activity. IOCs are the lowest-fidelity intelligence because they are trivially changed by threat actors; TTPs provide more durable detection value. STIX format is the standard for sharing IOCs between organizations and platforms.
ITDR (Identity Threat Detection and Response)
Identity SecurityA security tool category focused on detecting and responding to identity-based attacks including credential theft, account takeover, privilege escalation, and lateral movement using compromised identities. ITDR platforms monitor identity infrastructure (Active Directory, Azure AD/Entra ID, Okta) for behavioral anomalies: unusual authentication times, impossible travel, new privileged account creation, and Kerberos ticket anomalies. ITDR emerged as a distinct category because traditional SIEMs and EDR tools have limited visibility into identity plane attacks, particularly techniques like DCSync, Golden Ticket, and AiTM session theft that operate entirely within legitimate authentication protocols.
J
JWT (JSON Web Token)
Application SecurityA compact, URL-safe token format used to represent claims between parties in web applications, typically for authentication and session management. JWT security vulnerabilities include the none algorithm attack, algorithm confusion (RS256 to HS256 downgrade), weak secret brute-forcing, and missing expiration validation. JWTs are signed but not encrypted by default, meaning sensitive data in the payload is base64-encoded and readable by anyone.
See guide: /blog/jwt-security-implementation-bugs-penetration-test
Just-in-Time (JIT) Access
Identity SecurityA PAM control that grants elevated permissions only for the duration of a specific task and automatically revokes them when the task is complete, eliminating persistent privileged accounts. JIT access reduces the attack surface of privileged credentials because a threat actor who compromises a JIT-enabled account cannot leverage elevated permissions after they expire. Azure AD PIM and CyberArk Alero are common JIT access implementations.
See guide: /blog/guide-finding-best-privileged-access-management-solutions
K
Kerberoasting
Attack TechniquesAn offline password cracking technique that targets Active Directory service accounts with Service Principal Names (SPNs) registered. Any authenticated domain user can request a Kerberos service ticket for these accounts; the ticket is encrypted with the account's password hash, which can be cracked offline. Detection requires monitoring for anomalous TGS-REQ (Event ID 4769) patterns.
KEV (CISA Known Exploited Vulnerabilities)
Vulnerability ManagementCISA's authoritative catalog of CVEs that have been confirmed as actively exploited in the wild, with mandatory remediation deadlines for US federal agencies and strongly recommended prioritization for all organizations. The KEV catalog is the single highest-signal prioritization input available to vulnerability management programs, as confirmed exploitation means threat actors have weaponized the vulnerability. Federal civilian agencies must patch KEV entries within specified timeframes (typically 2-3 weeks for critical issues).
See guide: /blog/epss-vulnerability-prioritization-patching-workflow-guide
Kubernetes Security
Cloud SecurityThe practice of securing Kubernetes container orchestration platforms, covering four primary domains: (1) workload security (Pod Security Standards, admission controllers, container image scanning); (2) network security (NetworkPolicies restricting inter-pod communication, Ingress controls); (3) identity and access (RBAC least privilege, service account restrictions, secrets management via external vaults rather than Kubernetes Secrets); and (4) supply chain security (signed images, verified registries, runtime anomaly detection). The CIS Kubernetes Benchmark defines the hardening baseline. Misconfigurations in Kubernetes RBAC and network policies are among the most common cloud security findings in enterprise environments.
L
Lateral Movement
Attack TechniquesThe techniques attackers use to progressively move through a network after initial compromise, accessing additional systems and escalating privileges toward their final objective. Common lateral movement techniques include Pass-the-Hash, Pass-the-Ticket, and use of remote management protocols (WMI, PSExec, RDP). Detecting lateral movement requires monitoring for anomalous authentication patterns, unusual remote execution, and unexpected inter-system connections.
Living off the Land (LotL)
Attack TechniquesAn attack technique where adversaries use legitimate system tools and binaries (LOLBins) already present on the target system rather than deploying custom malware, making detection more difficult because the activity resembles normal administrative operations. Common LotL tools include PowerShell, WMI, certutil, mshta, and regsvr32. Detecting LotL requires behavioral analytics and context-aware detection rules rather than signature-based detection.
See guide: /blog/how-to-detect-living-off-the-land-lolbin-attacks
LAPS (Local Administrator Password Solution)
Identity SecurityA Microsoft solution that automatically randomizes and manages unique local administrator passwords on each domain-joined Windows workstation and server, storing the passwords securely in Active Directory. Without LAPS, organizations often configure the same local administrator password across all machines, meaning an attacker who obtains one local admin credential can authenticate to every machine in the environment using Pass-the-Hash. LAPS eliminates this lateral movement vector by ensuring each machine has a unique, periodically rotated local admin password that is only readable by designated administrators.
Log4Shell (CVE-2021-44228)
Vulnerability ManagementA critical remote code execution vulnerability in the Apache Log4j Java logging library, rated CVSS 10.0 Critical, that allowed unauthenticated attackers to achieve RCE on any system running a vulnerable Log4j version by sending a specially crafted string that Log4j would log. The vulnerability exploited Log4j's JNDI lookup feature to trigger a remote class load from an attacker-controlled server. Log4Shell's impact was uniquely broad because Log4j is embedded in thousands of Java applications and products as a transitive dependency, making exposure inventory non-trivial. CISA rated Log4Shell as one of the most critical vulnerabilities in decades. The experience of Log4Shell drove the adoption of SBOM requirements and software supply chain security standards.
M
MDR (Managed Detection and Response)
Security OperationsA managed security service that combines technology (EDR, NDR, SIEM) with human expertise to provide 24x7 threat monitoring, detection, and incident response as an outsourced service. MDR differs from MSSP in that MDR providers take active containment actions, not just alert forwarding. Huntress, Arctic Wolf, Expel, and Rapid7 MDR are leading providers for mid-market organizations without the resources for a fully staffed internal SOC.
MFA (Multi-Factor Authentication)
Identity SecurityAn authentication requirement for two or more verification factors before granting access. MFA effectiveness varies significantly by type: FIDO2 passkeys and hardware security keys are phishing-resistant; authenticator app TOTP codes are vulnerable to AiTM proxy attacks; SMS codes are the weakest form and vulnerable to SIM swapping. CISA mandates phishing-resistant MFA for all federal systems and recommends it broadly.
See guide: /blog/phishing-resistant-mfa-fido2-passkey-deployment
Microsegmentation
Network SecurityA network security technique that divides a network into small, isolated zones with granular access controls between segments, limiting an attacker's ability to move laterally after compromising one system. Unlike traditional network segmentation, microsegmentation enforces policies at the workload level using software-defined networking. Zero trust network architectures rely on microsegmentation to eliminate implicit trust between systems on the same network.
MITRE ATT&CK
Threat IntelligenceA globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks, maintained by MITRE Corporation. ATT&CK organizes adversary behavior into 14 tactics (reconnaissance through impact), with hundreds of specific techniques and sub-techniques documented under each. Security teams use ATT&CK to evaluate detection coverage, design purple team exercises, and communicate about threats using a common vocabulary.
N
NDR (Network Detection and Response)
Security OperationsA security tool category that analyzes network traffic to detect threats that endpoint and log-based tools miss, using machine learning and behavioral analytics on full packet capture or flow data. NDR is particularly valuable for detecting lateral movement, C2 communication, and data exfiltration because these activities generate distinctive network patterns even when endpoint visibility is limited. Darktrace, ExtraHop, and Vectra AI are leading NDR platforms.
See guide: /blog/ndr-network-detection-response-sensor-deployment
NIST CSF
ComplianceThe NIST Cybersecurity Framework, a voluntary framework for organizations to manage and reduce cybersecurity risk, organized around five core functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0 added a sixth function (Govern) and expanded guidance for supply chain risk management. The framework is widely adopted as a baseline for security program maturity assessment and board-level risk communication.
NIS2 Directive
ComplianceThe European Union's updated Network and Information Systems Directive (NIS2), effective October 18, 2024, which significantly expands cybersecurity requirements and enforcement across EU member states. NIS2 extends mandatory security obligations to 18 sectors (up from 7 under the original NIS Directive), introduces stricter incident reporting timelines (24-hour early warning, 72-hour notification to authorities), and adds personal liability for senior management of covered entities. Organizations in sectors including energy, transport, banking, healthcare, digital infrastructure, and managed service providers must implement security risk management measures, supply chain security assessments, and business continuity planning or face fines up to 10 million euros or 2% of global annual turnover.
NVD (National Vulnerability Database)
Vulnerability ManagementThe US government's repository of vulnerability data maintained by NIST, which enriches CVE records with CVSS scores, CWE weakness classifications, CPE affected product data, and references to patches and advisories. NVD is the primary data source for vulnerability scanners, asset management tools, and security information platforms. NVD processing delays mean that newly published CVEs may appear in the database without CVSS scores for days to weeks.
See guide: /blog/cvss-score-vs-exploitability-patch-prioritization
O
OSINT (Open Source Intelligence)
Threat IntelligenceIntelligence collected from publicly available sources including websites, social media, public records, DNS records, certificate transparency logs, code repositories, and leaked credential databases. Security teams use OSINT for threat actor research, attack surface discovery, and pre-engagement reconnaissance. Shodan, Censys, OSINT Framework, Maltego, and theHarvester are key OSINT tools.
OWASP Top 10
Application SecurityA regularly updated consensus list of the ten most critical web application security risks, published by the Open Web Application Security Project. The current OWASP Top 10 (2021) includes Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging Failures, and SSRF. The OWASP Top 10 is widely used as a baseline for web application security requirements.
OAuth 2.0
Identity SecurityAn authorization framework that allows users to grant third-party applications limited access to their accounts on another service without sharing passwords. OAuth 2.0 issues access tokens representing delegated permissions rather than exposing credentials. Security risks in OAuth 2.0 implementations include authorization code interception (mitigated by PKCE), open redirect token theft, insufficient scope validation, and token leakage via referrer headers. OAuth 2.0 is the underlying authorization layer for most modern SSO implementations; OIDC (OpenID Connect) builds on OAuth 2.0 to add identity verification.
OIDC (OpenID Connect)
Identity SecurityAn authentication layer built on top of OAuth 2.0 that adds a standardized identity verification layer, enabling clients to verify the identity of an authenticated end user and obtain basic profile information. OIDC introduces the ID token (a JWT containing claims about the authenticated user) alongside OAuth 2.0's access token. OIDC is the standard protocol underlying modern enterprise SSO implementations across cloud services, replacing older SAML federation scenarios for new application integrations. Security teams should validate OIDC ID token signatures and claims (issuer, audience, expiration) in any application integrating third-party identity providers.
See guide: /blog/guide-finding-best-identity-access-management-solutions
P
PAM (Privileged Access Management)
Identity SecurityA security discipline and tool category for managing, monitoring, and controlling access to privileged accounts including local administrator accounts, service accounts, domain admin accounts, and cloud root accounts. PAM solutions provide password vaulting, session recording, just-in-time access, and credential rotation. CyberArk, BeyondTrust, and Delinea are the enterprise PAM market leaders. Uncontrolled privileged accounts are the primary mechanism for lateral movement escalation in enterprise intrusions.
See guide: /blog/guide-finding-best-privileged-access-management-solutions
Pass-the-Hash (PtH)
Attack TechniquesA lateral movement technique where an attacker uses a captured NTLM password hash to authenticate to other systems without knowing the plaintext password. PtH exploits the NTLM authentication protocol's ability to authenticate using the hash directly rather than the password. Mitigations include disabling NTLM where possible, implementing Credential Guard, and deploying Local Administrator Password Solution (LAPS) to ensure unique local admin passwords per machine.
PCI DSS
ComplianceThe Payment Card Industry Data Security Standard, a set of security requirements for organizations that process, store, or transmit payment card data. PCI DSS 4.0 requires network segmentation separating the cardholder data environment, encryption of cardholder data at rest and in transit, MFA for all CDE access, and annual penetration testing. Non-compliance can result in fines, increased transaction fees, and loss of card processing privileges.
Penetration Testing
Offensive SecurityAn authorized simulated attack against a system, network, or application conducted by security professionals to identify exploitable vulnerabilities before real attackers do. Penetration tests are scoped engagements with defined rules of engagement; they differ from red team assessments in that they focus on finding technical vulnerabilities rather than simulating a complete adversary campaign. The PTES (Penetration Testing Execution Standard) defines the standard methodology phases.
Phishing
Social EngineeringA social engineering attack that uses fraudulent emails, text messages, or websites designed to look legitimate in order to steal credentials, deliver malware, or trick users into taking harmful actions. Spear phishing targets specific individuals with personalized content; whaling targets senior executives. Phishing-resistant MFA (FIDO2) and email security gateways with advanced attachment sandboxing are the primary technical defenses.
Privilege Escalation
Attack TechniquesThe process by which an attacker gains higher-level permissions than they were initially granted, either by exploiting vulnerabilities (vertical escalation: user to admin) or accessing permissions belonging to another account at the same level (horizontal escalation). Common vectors include kernel exploits, unquoted service paths, misconfigured SUDO rules, DLL hijacking, and token impersonation. Detection focuses on monitoring for unexpected use of high-privilege APIs and anomalous process privilege changes.
See guide: /blog/cve-2021-3156-baron-samedit-sudo-heap-overflow
Patch Management
Vulnerability ManagementThe systematic process of identifying, acquiring, testing, and deploying software patches and updates to eliminate security vulnerabilities, fix bugs, and maintain system stability. An effective patch management program defines SLAs by severity tier (e.g., CISA KEV entries within 24 hours, Critical CVEs within 72 hours, High within 7 days, others within 30 days), uses a testing ring before broad deployment to catch compatibility issues, and maintains documented exceptions for systems that cannot be patched within SLA. Unpatched known vulnerabilities -- not zero-days -- account for the majority of successful enterprise compromises.
See guide: /blog/vulnerability-management-program-best-practices
Purple Team
Offensive SecurityA collaborative security exercise format that runs red team (offensive) and blue team (defensive) activities simultaneously and interactively, with the goal of directly improving detection and response capabilities rather than only measuring them. Unlike a traditional red team assessment (where defenders are unaware), purple team exercises pause after each adversary technique to verify whether detection fired, tune detection rules if it did not, and confirm remediation before moving to the next technique. Purple team exercises are most effective when driven by a specific threat actor playbook (a MITRE ATT&CK group profile) and produce measurable improvements in detection coverage.
R
Ransomware
MalwareMalware that encrypts a victim's files or systems and demands payment for the decryption key, often combined with data theft to enable double extortion. Modern ransomware attacks are typically operated as Ransomware-as-a-Service (RaaS), where criminal groups lease infrastructure and tools to affiliates who conduct the intrusions and split the ransom payment. CISA, the FBI, and most security practitioners advise against paying ransomware demands.
RBAC (Role-Based Access Control)
Identity SecurityAn access control model where permissions are assigned to roles rather than directly to users, and users are assigned to roles based on their job function. RBAC simplifies access management at scale by ensuring that all users in a given role have consistent permissions. ABAC (Attribute-Based Access Control) extends RBAC by evaluating dynamic attributes like time, location, and device posture in access decisions.
See guide: /blog/guide-finding-best-identity-access-management-solutions
RCE (Remote Code Execution)
Vulnerability ManagementA vulnerability class where an attacker can execute arbitrary code on a target system over a network without prior authentication or with only low-privilege access. RCE vulnerabilities are the highest-severity class because successful exploitation grants the attacker full control of the affected system. RCE CVEs receive the highest CVSS base scores and appear most frequently on CISA's KEV catalog when exploited in the wild.
Red Team
Offensive SecurityA full-scope adversary simulation engagement where a team of security professionals attempts to achieve specific objectives using real-world threat actor TTPs, without restrictions on attack path. Red team exercises test detection and response capabilities, not just technical vulnerabilities. They differ from penetration tests in scope, duration, and objective: a pentest enumerates vulnerabilities; a red team tests whether defenders can detect and stop a realistic attack.
RaaS (Ransomware-as-a-Service)
MalwareA criminal business model where a ransomware development group (the operator) provides encryption software, victim negotiation infrastructure, and leak sites to criminal affiliates who conduct the actual intrusions and extortion in exchange for a percentage of each ransom payment (typically 20-30%). RaaS lowered the technical barrier to ransomware attacks by separating ransomware engineering from initial access and lateral movement skills. LockBit, BlackCat/ALPHV, and Cl0p operated as RaaS platforms. Law enforcement takedowns of RaaS platforms disrupt individual operations but do not eliminate ransomware because affiliates migrate to competing platforms.
RASP (Runtime Application Self-Protection)
Application SecurityA security technology embedded directly within an application that monitors application execution at runtime and can detect and block attacks in real time, without requiring changes to the application's network environment. RASP agents intercept calls between the application and the underlying platform (database queries, file system access, OS commands) and block execution when the call pattern matches an attack signature. RASP complements WAF protection: a WAF inspects HTTP traffic at the network edge while RASP operates inside the application process, providing protection against attacks that bypass network-layer controls.
S
SAML (Security Assertion Markup Language)
Identity SecurityAn XML-based open standard for exchanging authentication and authorization data between identity providers and service providers, enabling single sign-on across different security domains. SAML vulnerabilities include XML signature wrapping attacks, where an attacker manipulates the structure of a SAML response to authenticate as a different user. SAML has largely been supplemented by OIDC/OAuth 2.0 for newer applications but remains dominant in enterprise SSO scenarios.
See guide: /blog/guide-finding-best-identity-access-management-solutions
SAST (Static Application Security Testing)
Application SecuritySecurity testing that analyzes application source code, bytecode, or binary without executing the program to find vulnerabilities like SQL injection, XSS, buffer overflows, and insecure cryptography. SAST tools integrate into CI/CD pipelines and IDEs to provide developers with real-time feedback. False positive rates vary significantly between tools and require tuning to avoid developer alert fatigue.
See guide: /blog/snyk-vs-veracode-application-security-comparison
SASE (Secure Access Service Edge)
Network SecurityA cloud-delivered security architecture that converges networking (SD-WAN) and security functions (SWG, CASB, ZTNA, FWaaS) into a single cloud service, eliminating the need for on-premises security appliances for remote and distributed workforces. Gartner coined the SASE term in 2019. SSE (Security Service Edge) is the security-only subset of SASE without the SD-WAN component, offered by vendors like Zscaler and Netskope.
SCA (Software Composition Analysis)
Application SecurityA security testing technique that identifies open-source and third-party components used in an application and checks them against vulnerability databases for known CVEs. SCA addresses supply chain risk: most modern applications are 70-90% open-source code, and unpatched dependencies are a leading source of application vulnerabilities. Snyk Open Source, Dependabot, and OWASP Dependency-Check are common SCA tools.
See guide: /blog/snyk-vs-veracode-application-security-comparison
SIEM (Security Information and Event Management)
Security OperationsA platform that aggregates, normalizes, and correlates log and event data from across the security infrastructure to detect threats and support incident investigation. SIEMs apply correlation rules and behavioral analytics to identify attack patterns across multiple data sources that would not be detectable in any single source. Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, and Elastic SIEM are the leading enterprise platforms.
Sigma Rules
Detection EngineeringA generic, vendor-agnostic format for writing SIEM detection rules that can be converted to queries for Splunk, Elastic, Microsoft Sentinel, QRadar, and other platforms using the sigma-cli converter. Sigma rules describe detection logic using log source specifications, field matches, and detection conditions in YAML format. The SigmaHQ community repository contains thousands of free detection rules covering MITRE ATT&CK techniques.
SOAR (Security Orchestration, Automation and Response)
Security OperationsA platform that automates repetitive security operations tasks and orchestrates workflows across security tools, enabling SOC teams to respond to alerts faster and at higher volume without proportional analyst headcount. SOAR playbooks automate tasks like enriching alerts with threat intel, isolating compromised endpoints, blocking malicious IPs, and creating incident tickets. Splunk SOAR, Palo Alto XSOAR, Tines, and Torq are leading platforms.
SOC 2
ComplianceAn auditing framework developed by the AICPA that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports cover a period of time (typically 6-12 months) and provide evidence that controls are operating effectively, not just designed correctly. SOC 2 certification is increasingly required by enterprise customers as a vendor security baseline.
SSRF (Server-Side Request Forgery)
Attack TechniquesA vulnerability that allows an attacker to induce a server to make HTTP requests to unintended destinations, including internal services, cloud metadata endpoints, and other systems not directly accessible from the internet. SSRF against cloud instance metadata services (169.254.169.254 on AWS IMDSv1) can steal cloud credentials. SSRF is #10 on the OWASP Top 10 and a significant cloud security risk.
SSVC (Stakeholder-Specific Vulnerability Categorization)
Vulnerability ManagementA decision tree framework for vulnerability prioritization that considers exploitability, mission impact, and whether exploitation would have systemic consequences, rather than assigning a single universal score. SSVC produces prioritization outcomes (Defer, Scheduled, Out-of-cycle, Immediate) that are more actionable than numeric CVSS scores. CISA has published an SSVC decision tree for federal agencies.
See guide: /blog/vulnerability-management-program-best-practices
Supply Chain Attack
Attack TechniquesAn attack that compromises software, hardware, or services delivered through a trusted third party to gain access to the third party's customers. The SolarWinds Orion attack (2020) and 3CX supply chain compromise (2023) demonstrated how a single compromised software vendor can provide access to thousands of downstream customers. Software supply chain security requires SBOM management, code signing verification, and vendor security assessment.
SBOM (Software Bill of Materials)
Application SecurityA formal, machine-readable inventory of all software components included in a product, including open-source libraries, commercial components, and their transitive dependencies, along with version information and licensing data. SBOMs enable organizations to rapidly identify affected systems when a critical vulnerability (like Log4Shell) is disclosed in a widely used component. The US Executive Order 14028 on Improving the Nation's Cybersecurity (2021) made SBOM production a requirement for software sold to US federal agencies. CycloneDX and SPDX are the two primary SBOM standard formats.
Secret Scanning
Application SecurityAutomated scanning of code repositories, CI/CD pipelines, and container images to detect hardcoded secrets including API keys, database passwords, private keys, and access tokens before they are committed to version control or deployed to production. Secrets committed to Git repositories are frequently indexed by automated scanning tools and exposed publicly, even in private repositories that were briefly made public. GitHub Advanced Security, Trufflehog, Gitleaks, and GitGuardian are common secret scanning tools. Secret scanning should be implemented as a pre-commit hook and as a CI pipeline check.
See guide: /blog/github-secret-scanning-push-protection-deployment-guide
Shadow IT
Security ArchitectureTechnology systems, software, or services used within an organization without the knowledge, approval, or management of the IT or security department, creating visibility gaps, unmanaged data flows, and compliance risks. Common examples include employees using personal cloud storage for business files, unauthorized SaaS applications for collaboration, and development teams standing up cloud infrastructure outside IT governance. Shadow IT dramatically expands attack surface because these systems bypass the security controls applied to approved technology. CASB and SSPM tools provide visibility into SaaS shadow IT by monitoring identity provider logs for OAuth authorizations to unrecognized applications.
Silver Ticket Attack
Attack TechniquesA Kerberos attack where an attacker who has obtained a service account's NTLM hash can forge Kerberos service tickets (TGS) for that specific service, granting access to the service without needing to contact the Domain Controller. Unlike a Golden Ticket (which uses the krbtgt hash and grants access to any service), a Silver Ticket is scoped to a single service but is harder to detect because it does not generate Domain Controller authentication events. Detection requires enabling PAC validation on services and monitoring for Kerberos tickets with anomalous characteristics (unusual encryption types, ticket lifetimes outside the standard range).
SIM Swapping
Social EngineeringA social engineering attack targeting mobile carriers where an attacker convinces a carrier's customer service representative to transfer a victim's phone number to a SIM card controlled by the attacker, intercepting all SMS messages and phone calls intended for the victim. SIM swapping is primarily used to bypass SMS-based two-factor authentication, enabling account takeover of banking, email, and cryptocurrency exchange accounts. SIM swapping is why security practitioners recommend against SMS as an MFA factor and advocate for authenticator app TOTP or phishing-resistant FIDO2 keys instead.
See guide: /blog/phishing-resistant-mfa-fido2-passkey-deployment
SOC (Security Operations Center)
Security OperationsA dedicated team or facility staffed around the clock to monitor, detect, investigate, and respond to cybersecurity incidents across an organization's technology environment. SOC analysts use SIEM platforms, EDR consoles, and threat intelligence feeds to triage alerts, escalate confirmed incidents, and coordinate containment with IT operations and incident response teams. SOC maturity ranges from Level 1 (alert triage and escalation) to Level 3 (advanced threat hunting and custom detection development). Organizations without internal SOC resources commonly supplement or replace them with Managed Detection and Response (MDR) services.
Spear Phishing
Social EngineeringA highly targeted variant of phishing where attackers research specific individuals and personalize attack content using information about their job role, colleagues, recent activity, or known business relationships to make the attack appear credible. Spear phishing emails may reference specific projects, upcoming events, or real colleagues' names to establish legitimacy. Nation-state actors and ransomware operators frequently use spear phishing for initial access against high-value targets. Spear phishing is significantly more effective than generic phishing and is not reliably caught by email security filters that pattern-match on known malicious content.
T
Threat Hunting
Detection EngineeringA proactive security practice where analysts search for hidden attacker activity in an environment based on hypotheses about adversary TTPs, rather than waiting for automated alerts to fire. Threat hunting operates on the assumption of breach and is most effective when starting with a specific ATT&CK technique hypothesis and querying endpoint telemetry and logs for behavioral indicators.
TTP (Tactics, Techniques, and Procedures)
Threat IntelligenceThe behavioral fingerprint of a threat actor: Tactics describe the high-level goal (e.g., Persistence, Lateral Movement), Techniques describe how the goal is achieved (e.g., Scheduled Task/Job), and Procedures are the specific implementation used by a particular actor. TTPs are more valuable for detection than IOCs because threat actors change their infrastructure frequently but change their TTPs rarely. MITRE ATT&CK is the standard TTP taxonomy.
See guide: /blog/how-to-use-mitre-attack-framework-threat-reports
Threat Modeling
Security ArchitectureA structured process for identifying, analyzing, and prioritizing security threats to a system or application during the design phase, before code is written. Threat modeling identifies what assets need protection, what could go wrong (threats), the likelihood and impact of each threat, and what controls should be implemented. STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) is the most widely used threat modeling methodology. OWASP's Threat Modeling Cheat Sheet and the Threat Modeling Manifesto provide practitioner guidance. Security teams that perform threat modeling during design consistently find vulnerabilities earlier and at lower remediation cost than teams that rely only on post-development testing.
Token Hijacking
Attack TechniquesAn attack that steals authentication tokens or session cookies to impersonate an authenticated user without needing their credentials, bypassing password-based authentication and MFA entirely. Modern web applications issue session tokens or JWT access tokens after successful authentication; if an attacker obtains these tokens (via XSS, info-stealer malware, AiTM proxy, or network interception), they can replay them to access the application as the victim. Token hijacking is particularly dangerous when targeting long-lived tokens with broad permissions, such as OAuth refresh tokens or cloud provider service account credentials. Defenses include short token lifetimes, token binding, and continuous authentication posture checks.
See guide: /blog/detect-session-token-hijacking-entra-id-azure-ad-kql
U
UEBA (User and Entity Behavior Analytics)
Detection EngineeringA security analytics capability that establishes behavioral baselines for users and entities (devices, applications) and generates alerts when observed behavior deviates significantly from the baseline. UEBA is effective for detecting insider threats, compromised accounts, and attackers who use legitimate credentials because it focuses on behavior rather than known-bad signatures. Modern SIEMs like Microsoft Sentinel and Splunk ES incorporate UEBA capabilities.
V
Vulnerability Management
Vulnerability ManagementThe continuous process of identifying, evaluating, prioritizing, remediating, and verifying security vulnerabilities across an organization's technology assets. Effective vulnerability management requires a complete asset inventory, regular authenticated scanning, risk-based prioritization incorporating EPSS and KEV status, defined SLAs by severity tier, and metrics tracking mean time to remediation.
See guide: /blog/vulnerability-management-program-best-practices
VPN (Virtual Private Network)
Network SecurityA technology that creates an encrypted tunnel between a user's device and a corporate network gateway, extending the corporate network perimeter to remote users. Traditional VPNs grant broad network access once authenticated, creating lateral movement risk if a user's device is compromised. Zero Trust Network Access (ZTNA) is the recommended replacement for VPN in modern security architectures.
Vishing (Voice Phishing)
Social EngineeringSocial engineering attacks conducted by phone call or voice message where attackers impersonate IT support staff, financial institutions, government agencies, or executives to trick victims into revealing credentials, transferring funds, or installing remote access tools. Vishing campaigns often follow data breaches to add authenticity: calling victims while referencing their real account details obtained from a leak. AI-generated voice cloning has made vishing significantly more dangerous by enabling convincing impersonation of known individuals. Multi-step vishing attacks often combine an initial email (establishing context) with a follow-up phone call (the actual attack), making them more effective than either vector alone.
See guide: /blog/shinyhunters-medtronic-adt-vishing-salesforce-breach
W
WAF (Web Application Firewall)
Application SecurityA security control that monitors and filters HTTP/HTTPS traffic to and from a web application, blocking common web attacks including SQL injection, cross-site scripting, and OWASP Top 10 vulnerabilities. WAFs operate in detection mode (logging only) or prevention mode (actively blocking). Cloud WAF services from Cloudflare, AWS WAF, and Akamai provide scalable protection without on-premises hardware. WAFs are not a substitute for secure code and cannot compensate for fundamental application security flaws.
Wiper Malware
MalwareDestructive malware designed to permanently destroy data by overwriting files, Master Boot Records, or storage media rather than encrypting it for ransom. Wiper attacks have been used in nation-state operations to cause operational disruption: NotPetya (2017), WhisperGate (2022 Ukraine), and HermeticWiper (2022 Ukraine) are prominent examples. Unlike ransomware, wipers provide no recovery path and the primary defense is offline backups that cannot be reached by network-connected systems.
Watering Hole Attack
Attack TechniquesA targeted attack where adversaries compromise websites or online resources frequently visited by a specific target group (a professional community, government employees, or industry sector), then use the compromised site to deliver malware to visitors. Watering hole attacks are effective because they exploit the trust relationship between the target and a legitimate site they already visit. Nation-state threat actors (APT32, Lazarus Group) have used watering hole attacks to target specific industries by compromising trade association websites and professional forums. Browser zero-day exploits are commonly deployed via watering hole attacks to achieve drive-by code execution.
Web Shell
Attack TechniquesA malicious script uploaded to a compromised web server that provides the attacker with persistent backdoor access to the server via HTTP, enabling file system access, command execution, and lateral movement even after the initial vulnerability is patched. Web shells are commonly deployed after exploiting file upload vulnerabilities, RCE in web applications, or path traversal flaws. Common web shell formats include PHP files (China Chopper), ASP/ASPX (used against Exchange and IIS), and JSP (used against Java application servers). Web shell detection requires monitoring for new or modified files in web application directories and unexpected process execution from web server processes.
Whaling
Social EngineeringA highly targeted spear phishing attack directed specifically at senior executives, board members, and other high-value individuals within an organization, exploiting their authority to authorize large financial transactions, access sensitive data, or override security controls. Whaling attacks are distinguished from general spear phishing by their specific targeting of individuals with elevated financial or organizational authority. Common whaling lures impersonate board meeting invitations, M&A communications, legal notices, and executive signature requests. Business Email Compromise (BEC) frequently combines whaling with email account compromise or domain spoofing to impersonate a known executive.
X
XDR (Extended Detection and Response)
Security OperationsA security platform that integrates and correlates telemetry from multiple security controls (endpoint, network, email, cloud, identity) into a unified detection and response platform, reducing the manual correlation work required when using separate EDR, NDR, and SIEM tools. XDR aims to provide broader detection coverage than EDR alone by connecting attack activity across different environments. Microsoft Defender XDR, Palo Alto Cortex XDR, and CrowdStrike Falcon XDR are leading platforms.
XSS (Cross-Site Scripting)
Application SecurityA web application vulnerability where an attacker injects malicious scripts into content delivered to other users' browsers, executing in the victim's browser context to steal session cookies, redirect to phishing pages, or perform actions on the user's behalf. Stored XSS persists in the application database; Reflected XSS is triggered via a malicious URL; DOM-based XSS is processed client-side. Output encoding and Content Security Policy (CSP) headers are the primary mitigations.
XXE (XML External Entity)
Application SecurityA vulnerability in XML parsers that allows an attacker to inject malicious external entity references, leading to local file disclosure, SSRF, or denial of service. XXE vulnerabilities exist in applications that process XML input without disabling external entity processing. OWASP rates XXE as a critical web application vulnerability. Mitigation: disable external entity processing in XML parser configuration.
Y
YARA
Detection EngineeringA pattern-matching language used to identify malware families and suspicious files based on strings, byte patterns, and logical conditions. YARA rules are shared widely in the threat intelligence community to enable rapid detection of newly discovered malware across organizations. Tools like Loki and THOR use YARA for forensic scanning, while EDR platforms and sandboxes support YARA rule deployment for file detection.
Z
Zero Day
Vulnerability ManagementA vulnerability that is unknown to the vendor or has no available patch at the time of exploitation, giving defenders zero days to remediate before attacks begin. True zero days are rare and valuable; most vulnerabilities exploited in attacks are n-days (known vulnerabilities with available patches that organizations have not yet applied). CISA's KEV catalog lists both zero days and n-days confirmed as actively exploited.
See guide: /blog/epss-vulnerability-prioritization-patching-workflow-guide
Zero Trust
Security ArchitectureA security model based on the principle 'never trust, always verify,' eliminating implicit trust based on network location and requiring continuous verification of identity, device posture, and authorization for every access request. Zero Trust architectures replace perimeter-based security with identity-aware access controls, microsegmentation, and continuous monitoring of user and device behavior. NIST SP 800-207 defines the federal Zero Trust Architecture standard.
ZTNA (Zero Trust Network Access)
Network SecurityA security technology that provides secure remote access to specific applications based on identity and device posture, without granting broad network access, replacing traditional VPN architecture. ZTNA enforces the zero trust principle at the access layer: users connect to individual applications, not the network, and the connection is established only after verifying identity, device health, and authorization policy. Zscaler ZPA, Cloudflare Access, and Palo Alto Prisma Access are leading ZTNA solutions.
These terms show up in real attacks, every morning.
Get the daily threat intel that puts them in context. Free.
Published by Eric Bang, CISSP via Decryption Digest is practitioner cybersecurity intelligence. Definitions draw on primary sources including CISA advisories, NIST publications, MITRE ATT&CK, and vendor security documentation.