Cybersecurity Glossary
Plain-English definitions of 100+ security terms from APT to Zero Trust. Each entry includes a quick definition, in-depth explanation, real-world relevance, and links to relevant tools. Updated May 2026.
A
-
Advanced Persistent Threat (APT)
An Advanced Persistent Threat (APT) is a stealthy, prolonged cyberattack in which an intruder gains unauthorized access to a network and remains undetected for an extended period.
-
Adversarial Machine Learning
Adversarial Machine Learning is the discipline of attacking and defending machine-learning models against intentional manipulation — including evasion attacks (adversarial inputs that cause misclassification), poisoning (corrupting training data), model extraction, and membership inference.
-
Agentic AI Security
Agentic AI security is the discipline of securing AI agents — autonomous systems that plan, reason, and execute multi-step actions across tools, APIs, and environments — against misuse, hijacking, and unsafe behavior.
-
AI Red Teaming
AI red teaming is the practice of systematically attacking AI and machine-learning systems — particularly large language models (LLMs) and agentic AI — to discover safety, security, and ethical failures before deployment.
-
AI-SPM (AI Security Posture Management)
AI Security Posture Management (AI-SPM) is an emerging category of security tooling that discovers, inventories, and continuously assesses AI models, datasets, and pipelines for risk — analogous to CSPM for cloud.
-
API Security
API Security is the practice of protecting application programming interfaces (APIs) from misuse, abuse, and attacks throughout their lifecycle.
-
Attack Surface
An attack surface is the sum of all points (digital, physical, and human) where an unauthorized user can attempt to enter, extract data from, or compromise a system.
-
Authentication
Authentication is the process of verifying that a user, device, or system is who or what it claims to be — typically using a password, biometric, hardware token, or cryptographic key.
B
-
Blue Team
A blue team is the defensive cybersecurity function within an organization — analysts, engineers, threat hunters, and incident responders responsible for detecting, investigating, and responding to attacks.
-
Botnet
A botnet is a network of internet-connected devices infected with malware and remotely controlled by an attacker (the botmaster).
-
Brute Force Attack
A brute force attack systematically tries every possible combination of passwords, encryption keys, or other secrets until the correct one is found.
-
Bug Bounty
A bug bounty is a program in which an organization invites independent security researchers to find and responsibly disclose vulnerabilities in exchange for monetary rewards.
C
-
CASB (Cloud Access Security Broker)
A Cloud Access Security Broker (CASB) is a security policy enforcement point between cloud-service users and cloud applications.
-
CIEM (Cloud Infrastructure Entitlement Management)
Cloud Infrastructure Entitlement Management (CIEM) is a category of security tooling that discovers, analyzes, and rightsizes identities and permissions across cloud environments.
-
Cloud Security Posture Management
Cloud Security Posture Management is the continuous practice and tooling for assessing cloud accounts and resources for misconfigurations, compliance violations, and risky exposures across AWS, Azure, GCP, and Oracle Cloud.
-
CNAPP (Cloud-Native Application Protection Platform)
A Cloud-Native Application Protection Platform (CNAPP) is an integrated security platform that consolidates CSPM, CWPP, CIEM, container security, IaC scanning, and Kubernetes security posture management into a single product.
-
Container Security
Container security is the practice of protecting containerized applications throughout their lifecycle — from base-image selection and build-time scanning through runtime detection and Kubernetes posture management.
-
Credential Stuffing
Credential stuffing is a cyberattack in which attackers use lists of leaked username and password pairs from one breach to attempt logins on other websites — exploiting the fact that users frequently reuse passwords.
-
Cryptojacking
Cryptojacking is the unauthorized use of someone else's computer, server, or cloud workload to mine cryptocurrency.
-
CSPM (Cloud Security Posture Management)
Cloud Security Posture Management (CSPM) is a category of security tooling that continuously assesses cloud accounts (AWS, Azure, GCP, OCI) for misconfigurations, compliance violations, and risky resource exposures.
-
CVE (Common Vulnerabilities and Exposures)
CVE (Common Vulnerabilities and Exposures) is a public catalog of known cybersecurity vulnerabilities, each assigned a unique identifier (e.g., CVE-2024-3094) by MITRE.
-
CWPP (Cloud Workload Protection Platform)
A Cloud Workload Protection Platform (CWPP) protects server workloads — virtual machines, containers, serverless functions, and Kubernetes pods — across hybrid and multi-cloud environments.
D
-
Dark Web
The dark web is a portion of the internet that is intentionally hidden and accessible only through anonymizing software like Tor or I2P.
-
DAST (Dynamic Application Security Testing)
Dynamic Application Security Testing (DAST) is the practice of testing running applications from the outside — like an attacker would — to discover vulnerabilities in deployed code.
-
Data Breach
A data breach is a security incident in which sensitive, confidential, or protected information is accessed, copied, or stolen by an unauthorized party.
-
Data Loss Prevention (DLP)
Data Loss Prevention (DLP) is a category of security tools and policies designed to detect and prevent unauthorized transmission, sharing, or exfiltration of sensitive data — whether intentional (malicious insider) or accidental.
-
DDoS Attack
A Distributed Denial-of-Service (DDoS) attack overwhelms a target system, network, or application with malicious traffic from many distributed sources — typically a botnet — to make it unavailable to legitimate users.
-
Deepfake Detection
Deepfake detection is the practice of identifying AI-generated or manipulated synthetic media — voice clones, face swaps, fully fabricated video — used in fraud, disinformation, social engineering, and identity verification bypass.
-
DevSecOps
DevSecOps is the practice of integrating security throughout the entire software development lifecycle (SDLC) — shifting security "left" into developer workflows rather than bolting it on at the end.
-
Digital Forensics
Digital forensics is the discipline of identifying, preserving, analyzing, and presenting digital evidence from computers, phones, networks, and cloud systems — typically following a security incident, fraud investigation, or legal matter.
-
DNS Spoofing
DNS spoofing (also called DNS cache poisoning) is an attack in which corrupted Domain Name System data is introduced into a DNS resolver's cache, causing it to return an incorrect IP address.
E
-
EDR (Endpoint Detection and Response)
Endpoint Detection and Response (EDR) is a security technology that continuously monitors endpoints (laptops, servers, workstations) for suspicious activity, records detailed telemetry, and enables analysts to investigate and respond to threats at the host level.
-
Encryption
Encryption is the process of converting readable data (plaintext) into an unreadable ciphertext using a cryptographic algorithm and key, so that only authorized parties holding the corresponding decryption key can recover the original data.
-
Exploit
An exploit is a piece of code, data, or sequence of commands that takes advantage of a software vulnerability to cause unintended behavior — typically remote code execution, privilege escalation, or denial of service.
F
-
Firewall
A firewall is a network security device or software that monitors and filters incoming and outgoing network traffic based on predefined security rules.
H
-
Honeypot
A honeypot is a decoy system, service, or asset deliberately exposed to attract, detect, and study attackers.
I
-
IAM (Identity and Access Management)
Identity and Access Management (IAM) is the discipline and tooling for managing digital identities and controlling who can access what resources within an organization.
-
IAST (Interactive Application Security Testing)
Interactive Application Security Testing (IAST) is a hybrid approach that instruments running applications with sensors to detect vulnerabilities by observing internal application behavior during functional testing.
-
Incident Response
Incident Response (IR) is the structured process of detecting, containing, eradicating, and recovering from a cybersecurity incident, while preserving evidence and learning lessons.
-
Insider Threat
An insider threat is a cybersecurity risk originating from within the organization — including current and former employees, contractors, and trusted partners — who may intentionally or accidentally cause harm to systems, data, or operations.
-
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) monitors network traffic or host activity for signs of malicious behavior, policy violations, or known attack patterns — and generates alerts when detections fire.
-
Intrusion Prevention System (IPS)
An Intrusion Prevention System (IPS) inspects network traffic in real time and actively blocks malicious packets, connections, or sessions matching attack signatures or behavioral patterns.
-
IoT Security
IoT Security is the practice of protecting Internet of Things devices — smart sensors, cameras, industrial controllers, medical devices, and consumer gadgets — from cyber threats.
K
-
Keylogger
A keylogger (or keystroke logger) is a piece of software or hardware that records every key pressed on a keyboard, capturing passwords, messages, credit card numbers, and other sensitive input.
-
Kubernetes Security
Kubernetes security is the practice of protecting Kubernetes clusters, workloads, and the broader cloud-native stack from misconfiguration, compromise, and runtime threats.
L
-
Lateral Movement
Lateral movement is the technique attackers use to progressively move through a network after initial compromise — pivoting from the first foothold to additional systems, accounts, and resources.
-
Least Privilege
The Principle of Least Privilege (PoLP) is a foundational security concept stating that every user, process, or system should have only the minimum permissions necessary to perform its function — and no more.
M
-
Malware
Malware (malicious software) is any program or code intentionally designed to damage, disrupt, gain unauthorized access to, or exfiltrate data from a computer system.
-
Man-in-the-Middle Attack
A Man-in-the-Middle (MITM) attack is a cyberattack in which an adversary secretly intercepts and potentially alters communications between two parties who believe they are directly communicating with each other.
-
MDR (Managed Detection and Response)
Managed Detection and Response (MDR) is a security service that combines technology (typically EDR/XDR/SIEM platforms) with 24/7 expert analyst monitoring, threat hunting, and incident response.
-
MITRE ATT&CK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations.
-
Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) requires users to present two or more independent verification factors — something you know (password), something you have (token, phone), and something you are (biometric) — before granting access.
N
-
NDR (Network Detection and Response)
Network Detection and Response (NDR) is a security category that uses behavioral analytics and machine learning to detect threats, anomalies, and lateral movement across network traffic — including encrypted flows.
-
Network Segmentation
Network segmentation is the security practice of dividing a network into smaller isolated zones to limit the blast radius of any compromise and slow lateral movement.
-
NIST Framework
The NIST Cybersecurity Framework (CSF) is a voluntary, risk-based framework developed by the U.S.
-
Non-Human Identity (NHI)
Non-Human Identities (NHIs) are digital identities used by services, applications, AI agents, scripts, and devices rather than human users — including service accounts, API keys, OAuth tokens, certificates, and Kubernetes service accounts.
O
-
OWASP Top 10
The OWASP Top 10 is a regularly updated standard awareness document published by the Open Web Application Security Project, listing the most critical web application security risks.
P
-
Patch Management
Patch management is the process of identifying, acquiring, testing, and deploying software updates that address security vulnerabilities, bug fixes, and feature improvements.
-
Penetration Testing
Penetration testing (pen testing) is an authorized simulated cyberattack against an organization's systems, applications, or networks to identify and demonstrate exploitable vulnerabilities.
-
Phishing
Phishing is a social engineering attack in which an adversary impersonates a trusted entity — via email, SMS (smishing), voice (vishing), QR code (quishing), or chat — to trick victims into revealing credentials, transferring money, or installing malware.
-
Post-Quantum Cryptography
Post-Quantum Cryptography (PQC) is the family of cryptographic algorithms designed to remain secure against attacks by future quantum computers — particularly Shor's algorithm, which would break RSA, ECC, and Diffie-Hellman.
-
Privilege Escalation
Privilege escalation is a category of attack in which an adversary gains elevated permissions beyond what was initially granted — moving from a low-privileged user to administrator, root, or domain admin.
-
Purple Team
A purple team is a collaborative security exercise in which red-team attackers and blue-team defenders work together in real time — attackers execute specific TTPs, and defenders observe whether their detections fire, then jointly tune controls.
R
-
Ransomware
Ransomware is a type of malware that encrypts a victim's files, systems, or data and demands a ransom payment (typically in cryptocurrency) for decryption.
-
Ransomware-as-a-Service (RaaS)
Ransomware-as-a-Service (RaaS) is a cybercrime business model in which ransomware operators (the developers) lease their malware platform to affiliates, who conduct the actual attacks, with proceeds split between the parties.
-
Red Team
A red team is a group of security professionals who simulate real-world adversaries — including their tactics, techniques, and procedures — to test an organization's detection and response capabilities.
-
Reverse Engineering
Reverse engineering in cybersecurity is the process of analyzing compiled software, malware, or hardware to understand its internal logic, behavior, or design — typically without access to source code.
-
Rootkit
A rootkit is a stealthy form of malware designed to maintain persistent, privileged access to a computer while actively hiding its presence from users, administrators, and security tools.
S
-
Sandbox
A sandbox is an isolated execution environment where untrusted code, files, or applications can run safely without affecting the host system.
-
SASE (Secure Access Service Edge)
Secure Access Service Edge (SASE) is a cloud-delivered architecture that converges networking (SD-WAN) and security services (SWG, CASB, ZTNA, FWaaS) into a single, identity-aware platform.
-
SAST (Static Application Security Testing)
Static Application Security Testing (SAST) is the analysis of source code, bytecode, or binaries to identify security vulnerabilities without executing the program.
-
SBOM (Software Bill of Materials)
A Software Bill of Materials (SBOM) is a formal, machine-readable inventory of all software components, libraries, and dependencies that make up a piece of software — including transitive dependencies, versions, and licenses.
-
SCA (Software Composition Analysis)
Software Composition Analysis (SCA) is the practice of identifying and analyzing third-party and open-source dependencies in an application to detect known vulnerabilities, license risks, and supply-chain threats.
-
Secrets Management
Secrets management is the discipline and tooling for securely storing, distributing, rotating, and auditing sensitive credentials — API keys, database passwords, certificates, OAuth tokens, encryption keys — used by applications, scripts, and CI/CD pipelines.
-
Shadow IT
Shadow IT refers to information technology — software, hardware, SaaS applications, cloud accounts, AI tools — used within an organization without the knowledge, approval, or oversight of the IT or security teams.
-
SIEM (Security Information and Event Management)
Security Information and Event Management (SIEM) is a category of security tooling that aggregates log data from across an organization's infrastructure, normalizes and correlates events, detects threats through rules and analytics, and supports incident response.
-
SOAR (Security Orchestration, Automation, and Response)
Security Orchestration, Automation, and Response (SOAR) is a category of security tooling that automates repetitive SOC tasks, orchestrates workflows across security tools, and codifies incident response playbooks.
-
SOC (Security Operations Center)
A Security Operations Center (SOC) is a centralized team and facility responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity threats across an organization.
-
Social Engineering
Social engineering is the manipulation of people — through deception, persuasion, urgency, or authority — to gain unauthorized access to systems, data, or facilities.
-
Spear Phishing
Spear phishing is a targeted phishing attack tailored to a specific individual or small group using personal details — name, role, recent activity, business relationships — to make the lure highly believable.
-
Spoofing
Spoofing is a class of attack in which an adversary impersonates a trusted entity by falsifying data — sender address, IP, domain, MAC address, GPS signal, biometric, or caller ID — to deceive systems or users.
-
SQL Injection
SQL injection (SQLi) is a web application vulnerability in which an attacker inserts malicious SQL fragments into application inputs that are concatenated into database queries — manipulating query logic to bypass authentication, exfiltrate data, modify records, or execute commands on the database server.
-
SSL/TLS
SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that provide encryption, integrity, and authentication for network communications.
-
Supply Chain Attack
A supply chain attack compromises a target organization indirectly by attacking a trusted third party — software vendor, open-source maintainer, hardware manufacturer, or service provider — whose products or access are then weaponized against downstream customers.
T
-
Tabletop Exercise
A tabletop exercise (TTX) is a discussion-based simulation of a cybersecurity incident in which participants — often executives, IR team, legal, communications, IT, and external partners — talk through how they would respond to a hypothetical scenario.
-
Threat Hunting
Threat hunting is the proactive, hypothesis-driven search for adversaries already operating inside an environment that have evaded automated detections.
-
Threat Intelligence
Threat intelligence (CTI) is curated, contextualized information about cyber threats — adversaries, their tactics, infrastructure, motivations, and active campaigns — that helps defenders make better decisions about prevention, detection, and response.
-
Threat Modeling
Threat modeling is a structured process for identifying potential threats to a system, application, or process — and the corresponding mitigations — early in the design lifecycle.
-
Trojan Horse
A trojan horse (or simply trojan) is a type of malware that disguises itself as a legitimate, useful program to trick users into installing it — granting the attacker access while appearing harmless.
-
Two-Factor Authentication (2FA)
Two-Factor Authentication (2FA) is a specific form of Multi-Factor Authentication that requires exactly two independent verification factors — typically a password plus a second factor like a one-time code, push notification, or hardware key.
-
Typosquatting
Typosquatting is the practice of registering domain names or package names that closely resemble legitimate, popular targets — relying on user typos, look-alike characters, or homoglyphs — to deliver phishing pages, malware, or counterfeit content.
V
-
VPN (Virtual Private Network)
A Virtual Private Network (VPN) creates an encrypted tunnel between a user's device and a remote server, protecting traffic from eavesdropping and masking the user's IP address.
-
Vulnerability
A vulnerability in cybersecurity is a weakness in a system, application, configuration, or process that an adversary can exploit to compromise confidentiality, integrity, or availability.
-
Vulnerability Assessment
A vulnerability assessment is a systematic review of an organization's IT environment to identify, quantify, and prioritize security weaknesses — typically using automated scanners combined with expert analysis.
W
-
WAF (Web Application Firewall)
A Web Application Firewall (WAF) is a security tool that monitors, filters, and blocks HTTP/S traffic to and from a web application — defending against attacks like SQL injection, cross-site scripting, and OWASP Top 10 risks.
-
Worm
A worm is a type of malware that self-replicates across networks without requiring user interaction — exploiting vulnerabilities or weak credentials to spread automatically from system to system.
X
-
XDR (Extended Detection and Response)
Extended Detection and Response (XDR) is a security platform category that unifies detection and response across endpoints, identities, networks, cloud workloads, email, and SaaS applications.
-
XSS (Cross-Site Scripting)
Cross-Site Scripting (XSS) is a web vulnerability that lets attackers inject malicious JavaScript into pages viewed by other users — enabling session hijacking, credential theft, account takeover, defacement, and delivery of further exploits.
Z
-
Zero Trust
Zero Trust is a security model and architecture based on the principle "never trust, always verify" — assuming no user, device, or network location is inherently trustworthy.
-
Zero-Day Vulnerability
A zero-day (or 0-day) vulnerability is a software flaw that is unknown to the vendor and has no patch available — giving defenders "zero days" to prepare before exploitation.