Cybersecurity Glossary

Plain-English definitions of 101 cybersecurity terms and acronyms. Each entry links to the related knowledge base article when one exists.

A

API security

The practice of protecting application programming interfaces from abuse, data leakage, and unauthorised access. API security covers authentication, authorisation, rate limiting, schema validation, and detection of common attacks against REST, GraphQL, and gRPC endpoints.

APT (Advanced Persistent Threat)

A well-resourced, often nation-state-aligned threat actor that pursues a specific target over months or years rather than spraying attacks for opportunistic gain. APT groups typically have custom malware, established TTPs, and dedicated mission objectives that go beyond financial motivation.

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)

MITRE's framework cataloguing real-world adversary behaviour, organised by tactic (the why) and technique (the how). ATT&CK has become the de facto language for describing what attackers do, and most modern detection and threat intel tooling maps findings back to its identifiers.

Attack path

A specific sequence of steps an attacker can chain together to move from an initial entry point to a high-value target. Attack path analysis is what separates a list of vulnerabilities from a meaningful picture of risk; one critical CVE matters far more if it sits on a path to your customer database than if it sits on an isolated dev box.

Attack surface

Every system, port, certificate, exposed credential, and digital asset an attacker can see or interact with. The external attack surface is the subset visible from the public internet without insider access. Modern security increasingly treats attack surface as a discoverable, monitored thing rather than a static asset list.

Attack vector

The method or pathway an attacker uses to gain access. Phishing emails, exploited CVEs, stolen credentials, and supply chain compromises are all distinct attack vectors. The same vulnerability can be exploited via different vectors, and the same vector can deliver different payloads.

B

BAS (Breach and Attack Simulation)

Automated platforms that run real attacker techniques (often ATT&CK-mapped) against your environment to test whether your controls actually work. BAS is the empirical answer to the question 'would this attack succeed against us today?', as distinct from a one-off pen test.

See also: CART, Red team

BEC (Business Email Compromise)

A category of fraud where attackers impersonate executives, suppliers, or trusted parties via email to redirect payments or extract sensitive information. BEC accounts for several billion dollars of annual losses according to FBI IC3 reporting and rarely requires malware to succeed.

BIMI (Brand Indicators for Message Identification)

An email standard that lets verified brands display their logo next to messages in supporting mail clients. BIMI requires DMARC enforcement and a Verified Mark Certificate, and exists primarily to give recipients a visual signal that an email is genuinely from the claimed sender.

Blue team

The defensive side of security operations: detection, response, hardening, hunting. Blue team work is generally less glamorous than red team work and considerably more important. Most organisations have a permanent blue team and engage red teams only periodically.

Bug bounty

A programme that pays external security researchers for responsibly reporting vulnerabilities. Bug bounties supplement internal security testing and create economic incentives that align researchers with defenders rather than with criminal markets.

See also: VDP

C

CART (Continuous Automated Red Teaming)

Adversary simulation run continuously against an environment using live threat intelligence, rather than as an annual point-in-time engagement. CART is what BAS evolved into when it picked up TTP mapping, attack chaining, and threat-intel-driven scenario selection.

See also: BAS, Red team, TLPT

CASB (Cloud Access Security Broker)

A control point between users and cloud services that enforces policy on what data can move where. CASBs grew up to address the visibility gap when business units adopted SaaS faster than central IT could keep up.

CIRMP (Critical Infrastructure Risk Management Programme)

An obligation under Australia's Security of Critical Infrastructure (SOCI) Act requiring designated entities to maintain a documented risk management programme covering cyber, personnel, supply chain, and physical security. Annual CIRMP reports are submitted to sector regulators.

CISO (Chief Information Security Officer)

The executive accountable for an organisation's information security programme. The role spans strategy, regulatory engagement, incident response, vendor management, and increasingly board-level reporting on cyber risk in business terms.

Cloud security misconfiguration

An exposure caused by deploying cloud resources with unsafe defaults or permissive settings, rather than by exploiting a software vulnerability. Public S3 buckets, overly broad IAM roles, and unauthenticated APIs are classic examples. Misconfigurations are the most common cause of large cloud-era breaches.

Credential stuffing

The automated reuse of username and password combinations leaked from one site to attempt logins on other sites. Credential stuffing works because users reuse passwords; it is one of the most common reasons MFA on consumer accounts matters.

CSPM (Cloud Security Posture Management)

A category of tools that continuously assess cloud environments for misconfigurations, policy violations, and compliance drift. CSPM is the cloud-native answer to the visibility problem traditional vulnerability scanners struggle with in dynamic, account-based infrastructure.

CTEM (Continuous Threat Exposure Management)

Gartner's framework for managing security exposure as an ongoing programme rather than a periodic scan. CTEM has five stages (scoping, discovery, prioritisation, validation, mobilisation) and explicitly moves the conversation from 'which CVEs do we have' to 'what could an attacker actually do'.

CTI (Cyber Threat Intelligence)

Curated, contextual information about threats relevant to your environment. Useful CTI tells you who is targeting your sector, what they are likely to try, and what indicators to watch for. Useless CTI is a long list of IOCs without context.

See also: IOC, TTP

CVE (Common Vulnerabilities and Exposures)

The naming standard for publicly disclosed software vulnerabilities, run by MITRE. Each CVE has a unique identifier (e.g. CVE-2024-12345) and a brief description. CVE numbers do not by themselves indicate severity or whether a vulnerability is being exploited.

CVSS (Common Vulnerability Scoring System)

A 0-to-10 severity score for vulnerabilities, intended to give a comparable measure of impact and exploitability. CVSS is widely used and widely criticised, mostly because it scores the vulnerability in isolation and ignores whether anything in your environment makes it exploitable in practice.

D

DAST (Dynamic Application Security Testing)

Security testing that runs against a live, deployed application by sending real requests and analysing responses. DAST finds runtime issues that source code review cannot see, but misses problems that only manifest with insider knowledge of the codebase.

See also: SAST, Pen test

DDoS (Distributed Denial of Service)

An attack that overwhelms a target with traffic from many sources, with the goal of taking the service offline. DDoS attacks come in volumetric (raw bandwidth), protocol (resource exhaustion), and application-layer (carefully crafted requests that consume server CPU) flavours.

DKIM (DomainKeys Identified Mail)

An email authentication standard that lets the sending domain cryptographically sign messages. Receiving servers check the signature against a public key in DNS. DKIM proves a message was authorised by the claimed domain and has not been altered in transit.

DLP (Data Loss Prevention)

Tools and processes that detect and block sensitive data leaving an environment through email, file uploads, copy-paste, or removable media. DLP is most useful when paired with reasonable data classification; without that, DLP tends to generate volume, not signal.

DMARC (Domain-based Message Authentication, Reporting and Conformance)

An email policy framework built on top of SPF and DKIM that tells receiving servers what to do with messages that fail authentication and provides feedback reporting back to the domain owner. DMARC at p=reject is the only configuration that meaningfully blocks domain spoofing.

DORA (Digital Operational Resilience Act)

EU regulation that imposes ICT risk management, third-party oversight, incident reporting, and threat-led penetration testing obligations on financial sector entities. DORA's TLPT requirements have driven significant interest in TIBER-EU and equivalent intelligence-led testing methodologies.

See also: TLPT, TIBER-EU

Dropper

A small piece of malware whose only job is to deliver a larger payload. Droppers exist because keeping the initial-stage code small and innocuous makes detection harder; the heavier malware downloads only after the initial foothold is established.

DSPM (Data Security Posture Management)

A category of tools that discover where sensitive data lives across cloud services and assess whether it is appropriately protected. DSPM is the data-centric counterpart to CSPM: where is my customer PII, who can access it, and is anything misconfigured?

E

EASM (External Attack Surface Management)

The continuous discovery, inventory, and monitoring of internet-facing assets belonging to an organisation. EASM tools find shadow IT, forgotten subdomains, dangling DNS records, and exposed services that traditional asset management often misses.

See also: Attack surface, CTEM

EDR (Endpoint Detection and Response)

An endpoint security category that combines real-time monitoring with response capabilities (isolating a host, killing processes, collecting forensic data). EDR is what antivirus grew into once defenders accepted that prevention alone fails.

See also: XDR, MDR

EPSS (Exploit Prediction Scoring System)

A FIRST-maintained scoring model that predicts the probability a CVE will be exploited in the wild within the next 30 days. EPSS is one of the more useful additions to vulnerability prioritisation because it is empirically grounded rather than purely theoretical.

See also: CVE, CVSS, KEV

Exfiltration

The act of moving stolen data out of a compromised environment. Exfiltration techniques range from simple HTTPS uploads to DNS tunnelling, and modern detection focuses on unusual outbound data volumes and connections to unfamiliar destinations.

Exploit

Code or technique that takes advantage of a vulnerability to produce some unintended behaviour, typically code execution, privilege escalation, or data disclosure. The existence of a CVE does not mean an exploit exists; the existence of an exploit does not mean it is being used in the wild.

Exploit kit

A toolkit, usually rented or sold on criminal markets, that automates exploitation of common vulnerabilities to drop malware. Exploit kits had their heyday in the browser-vulnerability era and have largely been displaced by stealer malware delivered through social engineering.

F

FIDO (Fast IDentity Online)

A set of standards (FIDO2, WebAuthn, U2F) for phishing-resistant authentication using hardware keys, platform authenticators, or passkeys. FIDO defeats credential phishing because the cryptographic exchange is bound to the legitimate domain.

See also: MFA, Passkey

G

GRC (Governance, Risk, and Compliance)

The function inside an organisation that maintains policies, runs risk assessments, and demonstrates compliance with regulations and frameworks. GRC tooling tends to be document-heavy and is increasingly augmented by continuous monitoring data.

H

Hacktivism

Cyber operations motivated by political, ideological, or social objectives rather than financial gain. Hacktivist groups range in sophistication from website defacement to coordinated campaigns aligned with state interests.

Homograph attack

A domain spoofing technique that uses non-Latin Unicode characters that visually resemble Latin letters to register lookalike domains (e.g. using a Cyrillic 'а' in place of a Latin 'a'). Modern browsers mitigate but do not fully prevent these attacks.

See also: Typosquatting

I

IAM (Identity and Access Management)

The set of processes and tools that govern who can access what, when, and how. IAM spans authentication (proving who you are), authorisation (what you are allowed to do), and lifecycle management (provisioning and deprovisioning).

IDS (Intrusion Detection System)

A system that monitors network or host activity for signs of malicious behaviour and alerts when patterns match known indicators. The difference between IDS and IPS is that an IDS detects and alerts, while an IPS detects and blocks.

See also: IPS

Initial access

The first foothold an attacker establishes inside a target environment. Initial access today is most commonly obtained through phishing, exposed remote services, exploited vulnerabilities, or purchased credentials and stealer logs from underground markets.

Initial access broker

A criminal specialist who breaks into organisations and then sells the access (rather than monetising it directly). IABs feed the broader criminal ecosystem, particularly ransomware affiliates who pay for ready-to-use access into target networks.

Insider threat

Risk that originates from someone with authorised access: a current employee, former employee, contractor, or partner. Insider threats can be malicious (deliberate theft or sabotage) or negligent (mishandled data, falling for phishing). Both deserve serious attention.

IOC (Indicator of Compromise)

A piece of forensic data (a hash, IP address, domain, file path) that suggests a system or network has been compromised. Useful IOCs are timely and contextual; stale IOC feeds without context tend to drown defenders rather than help them.

IPS (Intrusion Prevention System)

A system that detects malicious activity and actively blocks it, rather than just alerting. IPS tooling sits inline in the traffic path and trades latency and false-positive risk for the ability to stop attacks at the wire.

See also: IDS

K

KEV (Known Exploited Vulnerabilities)

A CISA-maintained catalogue of CVEs that have been observed being exploited in the wild. KEV is one of the highest-signal prioritisation inputs available; if a vulnerability is on KEV, fix it now regardless of CVSS.

See also: CVE, EPSS

L

Lateral movement

The phase of an attack where the adversary, having achieved initial access, expands across the environment toward target assets. Lateral movement involves credential reuse, exploitation of trust relationships, and abuse of legitimate administrative tools.

Living off the land

An attacker tradecraft pattern of using legitimate tools already present in the environment (PowerShell, WMI, scheduled tasks, native admin utilities) rather than dropping custom malware. Living-off-the-land techniques evade signature-based detection because the binaries themselves are not malicious.

M

MDR (Managed Detection and Response)

A service in which a third-party SOC monitors your environment, investigates alerts, and responds to incidents on your behalf. MDR exists for organisations that have detection telemetry but not enough analyst hours to act on it.

See also: EDR, XDR

MFA (Multi-Factor Authentication)

Authentication that requires at least two factors from different categories (something you know, something you have, something you are). MFA blocks most credential-only attacks but is bypassable through session theft, MFA fatigue, and SIM swap.

See also: FIDO, Passkey

N

NIST (National Institute of Standards and Technology)

A US federal agency whose cybersecurity publications (the Cybersecurity Framework, SP 800 series, FIPS standards) are widely adopted globally as practical guidance. NIST is influential well beyond US federal compliance use cases.

O

OSINT (Open Source Intelligence)

Intelligence collected from publicly available sources: search engines, social media, certificate transparency logs, public registries, code repositories. Modern attack surface and threat intelligence work is heavily OSINT-driven.

OT (Operational Technology)

Technology that controls physical processes: industrial control systems, SCADA, building management, manufacturing equipment. OT security has different priorities from IT security (availability and safety often trump confidentiality), and IT/OT convergence has created new attack vectors.

OWASP (Open Web Application Security Project)

A non-profit foundation that publishes widely cited application security resources, most famously the OWASP Top 10 for web applications and the OWASP API Security Top 10. OWASP material has effectively become baseline curriculum for application security.

P

PAM (Privileged Access Management)

Tools and processes for controlling, monitoring, and auditing access to high-privilege accounts (domain admins, root, cloud root, database admins). PAM typically includes credential vaulting, session recording, just-in-time access, and approval workflows.

Passkey

A FIDO2 credential bound to a device or platform that replaces passwords for authentication. Passkeys are phishing-resistant by design because the private key never leaves the device and is bound to the legitimate origin domain.

See also: FIDO, MFA

Password spraying

An attack pattern where the attacker tries a small number of common passwords against a large number of accounts, the inverse of brute force, where a single account is hammered with many passwords. Spraying evades lockout policies that focus on per-account failures.

Pen test (Penetration Test)

A focused, time-boxed authorised attack against a defined scope, intended to identify exploitable weaknesses. Pen tests are typically narrower and more goal-oriented than red team engagements, and broader and more skills-driven than vulnerability scans.

See also: Red team, BAS

Phishing

A social engineering attack delivered most often by email but increasingly by SMS, voice call, and chat platforms, designed to trick the recipient into revealing credentials, transferring money, or executing malware. Phishing remains the dominant initial access vector.

PII (Personally Identifiable Information)

Information that can identify an individual, either alone or in combination with other data. PII definitions vary by jurisdiction (the GDPR definition is broader than US definitions), and the practical category for security operations usually focuses on what would create incident-notification obligations if exposed.

Privilege escalation

An attacker phase where existing access is leveraged to gain higher privileges within the environment. Local privilege escalation moves from a standard user to admin on a single machine; horizontal privilege escalation moves to other accounts at the same level.

Purple team

A collaborative model in which red and blue teams work together rather than in opposition, with the red team showing what it does in real time and the blue team adjusting detections and controls in response. Purple teaming is often more productive than pure red versus blue exercises.

R

RaaS (Ransomware as a Service)

An economic model in which ransomware operators rent or licence their tooling and infrastructure to affiliates, who carry out attacks and split the proceeds. RaaS is what turned ransomware from a cottage industry into the structured criminal economy it is today.

Ransomware

Malware that encrypts data and demands payment for decryption, typically combined with data exfiltration and a public leak threat (double extortion). Modern ransomware operations are professionalised criminal enterprises with negotiation teams, leak sites, and affiliate programmes.

RBAC (Role-Based Access Control)

An authorisation model where permissions are attached to named roles and users are assigned to roles. RBAC scales better than direct user-to-permission assignments and remains the dominant access control model in most enterprise systems.

See also: IAM

Red team

An offensive engagement that simulates a realistic adversary against a target organisation, typically with a defined objective and a longer time frame than a pen test. Red team work tests not just whether the attack succeeds but whether the defenders detect and respond.

S

SaaS (Software as a Service)

Software delivered as a managed service over the internet rather than installed on customer infrastructure. From a security standpoint, SaaS shifts where the data lives but does not eliminate responsibility; the customer typically still owns data classification, identity, and access policy.

SAST (Static Application Security Testing)

Security analysis of source code without executing it. SAST catches issues that runtime testing cannot see (insecure coding patterns, hardcoded secrets) but tends toward higher false-positive rates because it lacks runtime context.

See also: DAST, SCA

SBOM (Software Bill of Materials)

A formal inventory of all components (open source libraries, dependencies, third-party modules) included in a piece of software. SBOMs became regulatory requirements in several jurisdictions following supply chain incidents like Log4Shell and SolarWinds.

SCA (Software Composition Analysis)

Tooling that scans software builds for known-vulnerable open source dependencies. SCA is the practical control most organisations use to address supply chain CVEs in their own products.

See also: SAST, SBOM

SIEM (Security Information and Event Management)

A platform that ingests logs and security telemetry from across the environment, correlates events, and produces alerts. SIEMs are the central nervous system of most SOCs, though their value depends heavily on the quality of detection content built on top.

See also: SOAR, SOC

Smishing

Phishing delivered via SMS rather than email. Smishing has grown alongside two-factor SMS codes and the general shift of attention to mobile devices.

See also: Phishing

SOAR (Security Orchestration, Automation and Response)

A platform category that automates SOC workflows: enriching alerts, executing playbooks, coordinating across tools. SOAR delivers value when paired with well-defined playbooks and degrades into expensive shelfware when bolted onto undefined processes.

See also: SIEM

SOC (Security Operations Centre)

The team and capability responsible for monitoring, detecting, and responding to security incidents on an ongoing basis. SOCs range from a single analyst-on-call to multi-tier follow-the-sun operations.

Social engineering

Manipulating people into taking actions or disclosing information that benefits the attacker. Phishing, BEC, vishing, pretexting, and baiting all sit under the social engineering umbrella. Most major breaches have a social engineering component somewhere in the chain.

Spear phishing

Targeted phishing aimed at a specific individual or small group, often using personal information gathered from public sources to make the lure more convincing. Spear phishing typically has higher success rates than mass phishing and is correspondingly more dangerous.

See also: Phishing, Whaling

SPF (Sender Policy Framework)

An email authentication standard that lets a domain publish a DNS record listing which servers are authorised to send mail on its behalf. SPF is the oldest of the email authentication trio (SPF, DKIM, DMARC) and is necessary but not sufficient for stopping spoofing.

SSO (Single Sign-On)

An authentication arrangement where a user signs in once to a central identity provider and is granted access to multiple applications without separate logins. SSO concentrates authentication risk: compromise of the identity provider compromises everything connected to it.

See also: IAM, MFA

Stealer log

A structured dump of credentials, cookies, and other sensitive data exfiltrated from a single infected machine by infostealer malware. Stealer logs are sold on dark web markets within days of theft and have become the dominant initial access vector for serious attacks.

Supply chain attack

An attack in which the adversary compromises a supplier (a vendor, a build pipeline, a software dependency) to reach the eventual target through a trust relationship. SolarWinds, 3CX, and the XZ Utils backdoor are all canonical examples.

T

Threat actor

A person, group, or organisation that conducts or sponsors malicious cyber activity. Threat actors are categorised by motivation (financial, espionage, hacktivist, destructive), capability (sophistication, resources), and target focus (opportunistic versus targeted).

Threat hunting

Proactive, hypothesis-driven search through telemetry for signs of attacker activity that automated detection has missed. Threat hunting assumes that some threats are evading current controls and focuses on finding them before they cause damage.

TIBER-EU

A European Central Bank framework for threat intelligence-led penetration testing of financial entities, now incorporated into DORA's TLPT requirements. TIBER-EU is the most prescriptive of the major TLPT frameworks and emphasises regulatory oversight throughout the engagement.

See also: TLPT, DORA

TIP (Threat Intelligence Provider or Platform)

Either the organisation supplying threat intelligence (provider) or the platform that aggregates and operationalises threat intelligence (platform). In TLPT contexts, TIP usually means the threat intelligence provider in the engagement, distinct from the red team that executes.

See also: TLPT

TLP (Traffic Light Protocol)

A handling protocol for threat intelligence sharing using colour codes (RED, AMBER, GREEN, CLEAR) to indicate how widely a piece of information can be shared. TLP is universal across CERTs, ISACs, and threat intelligence platforms.

TLPT (Threat-Led Penetration Testing)

A category of regulated red team engagement built around real threat intelligence about adversaries targeting the test sponsor. TIBER-EU, iCAST, TIBAS, FEER, and CBEST are all TLPT frameworks. The defining feature is that scenarios derive from intelligence, not generic checklists.

TTP (Tactics, Techniques and Procedures)

A structured way of describing adversary behaviour: tactics (the why, the goal), techniques (the how, the method), and procedures (the specific implementation). MITRE ATT&CK is the most widely adopted catalogue of TTPs.

Typosquatting

Registering a domain name that closely resembles a legitimate one to phish users who mistype URLs or trust autocompleted suggestions. Typosquatting is one of the cheapest, most reliable phishing vectors in the modern attacker toolkit.

V

VDP (Vulnerability Disclosure Programme)

A formalised public commitment that an organisation will accept and act on vulnerability reports from external researchers, with stated rules of engagement and safe harbour. VDPs do not pay (that is what bug bounties are for) but legitimise good-faith research.

See also: Bug bounty

Vishing

Phishing delivered via voice call, often impersonating IT helpdesk, banks, or executives. Vishing has grown with the increasing use of voice deepfakes and remains effective because phone calls feel more personal and harder to ignore than emails.

See also: Phishing

VPN (Virtual Private Network)

A tunnelled connection that gives a remote user network-level access to internal resources. VPNs were ubiquitous before cloud-first and zero-trust architectures emerged; their decline corresponds with the move toward identity-aware proxies and ZTNA.

See also: ZTNA

Vulnerability

A weakness in software, configuration, or process that could be exploited to violate security properties. Not every vulnerability has an exploit, not every exploit is being used, and not every exploited vulnerability matters in your environment. Prioritisation is the work.

W

WAF (Web Application Firewall)

A security control that inspects HTTP traffic to a web application and blocks common attack patterns (injection, XSS, request smuggling). WAFs are useful for blocking commodity attacks and buying time against newly disclosed CVEs while patching is in progress.

Whaling

Spear phishing that specifically targets senior executives. The lures are typically more sophisticated and the potential payoff (executive access, wire transfer authority, board-level information) much higher than mass phishing.

Wiper

Malware that destroys data rather than encrypting it for ransom. Wipers are typically deployed in destructive operations with geopolitical motivation rather than financial gain. NotPetya is the canonical example.

X

XDR (Extended Detection and Response)

An evolution of EDR that correlates telemetry across endpoints, network, identity, email, and cloud rather than focusing on endpoint alone. XDR vendors typically offer it as a tightly integrated platform; the integration is what justifies the X in the name.

See also: EDR, MDR

Z

Zero day

A vulnerability that is exploited before a patch or formal disclosure exists. Zero days are rare and valuable to attackers. The much more common case is the n-day: a known-vulnerable, patchable issue that organisations have not yet fixed.

Zero trust

An architectural philosophy that assumes no implicit trust based on network location and instead verifies every access request based on identity, device posture, and context. Zero trust is a direction of travel rather than a product, and most real-world implementations are hybrid for years.

See also: ZTNA

ZTNA (Zero Trust Network Access)

An access model that grants access to specific applications based on identity and context, rather than network-level access via a VPN. ZTNA hides applications from anyone not authorised to use them, reducing the attack surface for unauthenticated probing.

See also: Zero trust, VPN