Cybersecurity Glossary A-Z

Plain-language definitions for over 50 cybersecurity and forensic terms.

This cybersecurity glossary defines over 50 terms used in penetration testing, digital forensics, incident response and risk management. Each definition is written in plain language for security professionals, IT teams and business leaders who need to understand cybersecurity concepts without wading through technical jargon.

A

Access Control
Security mechanisms that regulate who can view or use resources in a computing environment. Access controls include authentication (verifying identity) and authorization (verifying permissions).
Advanced Persistent Threat (APT)
A prolonged and targeted cyberattack in which an adversary gains unauthorized access to a network and remains undetected for an extended period. APTs are typically conducted by nation-state actors or well-funded criminal groups with specific objectives such as espionage or intellectual property theft.
Attack Surface
The total number of points where an unauthorized user can attempt to enter or extract data from a system. A larger attack surface means more potential vulnerabilities. Reducing the attack surface is a fundamental security practice.
Authentication
The process of verifying the identity of a user, device or system. Common authentication methods include passwords, multi-factor authentication (MFA), biometrics and certificate-based authentication.

B

Backdoor
A hidden method of bypassing normal authentication to gain unauthorized access to a system. Backdoors can be installed by attackers after an initial compromise or may exist as undocumented features in software.
Blue Team
The defensive security team responsible for protecting an organization from cyberattacks. Blue teams monitor networks, respond to incidents, maintain security controls and work to detect and contain threats.
Botnet
A network of compromised computers (bots) controlled remotely by an attacker. Botnets are used to launch distributed denial-of-service attacks, send spam, mine cryptocurrency and conduct credential stuffing campaigns.
Brute Force Attack
An attack method that systematically tries every possible combination of passwords or encryption keys until the correct one is found. Strong passwords and account lockout policies mitigate brute force attacks.

C

Chain of Custody
The documented chronological history of evidence handling from collection through presentation in court. A proper chain of custody proves that evidence has not been altered or tampered with and is essential for admissibility in legal proceedings.
CVSS (Common Vulnerability Scoring System)
An industry-standard framework for rating the severity of security vulnerabilities on a scale from 0.0 to 10.0. CVSS scores consider attack complexity, privileges required, user interaction and impact on confidentiality, integrity and availability. See NIST CVSS documentation.
Credential Stuffing
An automated attack that uses stolen username and password pairs from previous data breaches to gain unauthorized access to accounts on other services. Credential stuffing exploits the widespread practice of password reuse across multiple platforms.

D

Data Breach
An incident in which sensitive, protected or confidential data is accessed, disclosed or stolen by an unauthorized party. Data breaches may involve personal information, financial records, health data or intellectual property.
DDoS (Distributed Denial of Service)
An attack that overwhelms a target server, service or network with traffic from multiple distributed sources to make it unavailable to legitimate users. DDoS attacks are often launched using botnets.
Deepfake
Synthetic media generated using artificial intelligence to create convincing fake audio, video or images of real people. Deepfakes are used in social engineering attacks, fraud schemes and disinformation campaigns. Forensic detection of deepfakes requires specialized analysis of compression artifacts, facial inconsistencies and metadata anomalies.
Digital Forensics
The scientific process of identifying, preserving, analyzing and presenting digital evidence from computers, mobile devices, networks and cloud systems. Digital forensics follows strict methodological standards to ensure evidence integrity and court admissibility.

E

eDiscovery
The process of identifying, collecting, processing and producing electronically stored information (ESI) in response to legal proceedings. eDiscovery follows the Electronic Discovery Reference Model (EDRM) and is a standard component of modern litigation.
Encryption
The process of converting data into an encoded format that can only be read by someone who has the decryption key. Encryption protects data at rest (stored data) and data in transit (data being transmitted across networks).
Endpoint
Any device that connects to a network including laptops, desktops, smartphones, tablets, servers and IoT devices. Endpoints are common targets for cyberattacks and require dedicated security controls such as endpoint detection and response (EDR) solutions.
Exploit
A piece of code, software or technique that takes advantage of a vulnerability to gain unauthorized access, escalate privileges or cause unintended behaviour in a system. Exploits may be publicly known or privately held as zero-days.

F

Firewall
A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls establish a barrier between trusted internal networks and untrusted external networks.
Forensic Image
A bit-for-bit copy of a digital storage device that captures every sector including deleted files, slack space and unallocated areas. Forensic images are verified using cryptographic hash values and serve as the basis for forensic examination without altering the original evidence.

G

GDPR (General Data Protection Regulation)
European Union regulation governing the collection, processing and storage of personal data. GDPR applies to any organization that processes data of EU residents regardless of where the organization is located. Non-compliance can result in fines of up to 4% of annual global revenue.
Grey Box Testing
A penetration testing approach where the tester is given limited knowledge about the target such as user credentials or partial network documentation. Grey box testing simulates an insider threat or an attacker who has gained initial access.

H

Hash
A fixed-length string of characters produced by a cryptographic hash function from input data of any size. Hash values (such as MD5, SHA-1 or SHA-256) are used in digital forensics to verify evidence integrity and in security to store passwords as hashes rather than in plaintext.
Honeypot
A decoy system designed to attract and detect attackers. Honeypots mimic legitimate services to lure adversaries, collect intelligence about their tools and techniques and provide early warning of malicious activity on the network.

I

Incident Response
The organized approach to addressing and managing a security incident. Incident response includes preparation, detection, containment, eradication, recovery and post-incident review. The goal is to limit damage, reduce recovery time and prevent recurrence.
Indicator of Compromise (IoC)
Observable evidence that a system has been compromised. IoCs include suspicious IP addresses, malicious file hashes, unusual network traffic patterns, registry modifications and unauthorized account activity.
Intrusion Detection System (IDS)
A system that monitors network or host activity for malicious behaviour or policy violations. An IDS can be network-based (monitoring traffic) or host-based (monitoring system logs and file changes). Unlike an intrusion prevention system (IPS), an IDS alerts but does not block traffic.

J

JSON Web Token (JWT)
A compact, URL-safe token format used for securely transmitting claims between parties. JWTs are commonly used for API authentication and session management. Improperly validated JWTs are a frequent source of authentication bypass vulnerabilities in web applications.

K

Keylogger
Software or hardware that records keystrokes on a computer to capture sensitive information such as passwords, credit card numbers and personal messages. Keyloggers may be installed through malware, physical access or supply chain compromise.
Kill Chain
A model describing the stages of a cyberattack from initial reconnaissance through exploitation to objective completion. Understanding the kill chain helps defenders identify and disrupt attacks at each stage. The Lockheed Martin Cyber Kill Chain and MITRE ATT&CK framework are widely used models.

L

Lateral Movement
Techniques an attacker uses to move through a network after gaining initial access. Lateral movement typically involves compromising additional credentials, exploiting trust relationships between systems and escalating privileges to reach high-value targets.
LLM (Large Language Model)
An artificial intelligence model trained on large volumes of text data to generate human-like text. LLMs introduce new security risks including prompt injection, training data leakage, model extraction and the generation of malicious content. See OWASP Top 10 for LLM Applications.

M

Malware
Malicious software designed to damage, disrupt or gain unauthorized access to computer systems. Categories of malware include viruses, worms, trojans, ransomware, spyware and rootkits.
MFA (Multi-Factor Authentication)
An authentication method that requires two or more verification factors from different categories: something you know (password), something you have (security token) or something you are (biometric). MFA significantly reduces the risk of unauthorized access from compromised credentials.
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics, techniques and procedures (TTPs) based on real-world observations. Security teams use ATT&CK to understand attacker behaviour, improve detection capabilities and evaluate security controls.

N

NIST (National Institute of Standards and Technology)
A U.S. federal agency that develops cybersecurity standards, guidelines and best practices. The NIST Cybersecurity Framework and National Vulnerability Database (NVD) are widely referenced by security professionals worldwide.
Network Segmentation
The practice of dividing a network into smaller segments to limit the impact of a breach. Segmentation prevents an attacker who compromises one segment from freely accessing other segments containing sensitive data or critical systems.

O

OSINT (Open Source Intelligence)
Intelligence gathered from publicly available sources including websites, social media, public records, DNS data and code repositories. OSINT is a critical component of the reconnaissance phase in penetration testing and is used by both attackers and defenders.
OWASP (Open Web Application Security Project)
A nonprofit foundation that produces freely available resources for web application security. The OWASP Top 10 is the most widely referenced standard for web application security risks. OWASP also publishes testing guides, cheat sheets and tools used by security professionals.

P

Penetration Test
An authorized simulated cyberattack against an organization's systems to identify exploitable vulnerabilities before real adversaries do. Penetration tests go beyond automated scanning by actively exploiting weaknesses to demonstrate real-world business impact.
Phishing
A social engineering attack that uses fraudulent emails, messages or websites to trick individuals into revealing sensitive information, clicking malicious links or downloading malware. Spear phishing targets specific individuals while whaling targets senior executives.
PIPEDA
Canada's federal privacy law governing the collection, use and disclosure of personal information by private-sector organizations. PIPEDA requires mandatory breach reporting to the Office of the Privacy Commissioner and notification of affected individuals when a breach creates a real risk of significant harm.
Privilege Escalation
The act of exploiting a vulnerability to gain elevated access to resources that are normally restricted. Vertical privilege escalation gains higher-level permissions (such as administrator access) while horizontal privilege escalation accesses resources of other users at the same level.
Prompt Injection
An attack against large language models (LLMs) where malicious instructions are embedded in user input to override the model's intended behaviour. Direct prompt injection targets the model through its input interface while indirect prompt injection hides instructions in external data sources the model retrieves.

R

Ransomware
Malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) for the decryption key. Modern ransomware operations often include data exfiltration and the threat of public data release to increase pressure on victims.
Red Team
An offensive security team that simulates real-world adversary tactics, techniques and procedures to test an organization's detection and response capabilities. Red team engagements are objective-based and often have fewer constraints than standard penetration tests.
Rootkit
Malicious software designed to provide continued privileged access to a system while hiding its presence from detection tools. Rootkits can modify the operating system kernel, intercept system calls and conceal malicious processes, files and network connections.

S

SIEM (Security Information and Event Management)
A platform that collects, normalizes and analyzes security log data from across an organization's IT infrastructure. SIEM systems provide real-time monitoring, threat detection, correlation of security events and compliance reporting.
Social Engineering
The manipulation of people into performing actions or divulging confidential information. Social engineering attacks exploit human psychology rather than technical vulnerabilities. Common techniques include phishing, pretexting, baiting and tailgating.
SOC 2
An auditing framework developed by the American Institute of CPAs (AICPA) that evaluates an organization's controls related to security, availability, processing integrity, confidentiality and privacy. SOC 2 reports are commonly required by enterprise customers evaluating service providers.
SQL Injection
An attack that inserts malicious SQL code into application queries to manipulate or extract data from a database. SQL injection can allow attackers to bypass authentication, read sensitive data, modify or delete records and in some cases execute commands on the underlying server.
Supply Chain Attack
An attack that targets an organization by compromising a trusted third-party vendor, software provider or service partner. Supply chain attacks exploit the trust relationships between organizations and their suppliers to distribute malware or gain unauthorized access.

T

Threat Intelligence
Evidence-based knowledge about existing or emerging threats that can be used to make informed security decisions. Threat intelligence includes information about threat actors, their motivations, capabilities, attack patterns and indicators of compromise.
TLS (Transport Layer Security)
A cryptographic protocol that provides secure communication over computer networks. TLS encrypts data in transit between clients and servers and is the security foundation for HTTPS, secure email and VPN connections. TLS replaced the older SSL protocol.
Two-Factor Authentication (2FA)
A specific implementation of multi-factor authentication that requires exactly two verification factors. Common 2FA methods include password plus SMS code, password plus authenticator app or password plus hardware security key.

V

VPN (Virtual Private Network)
A technology that creates an encrypted connection over a less secure network. VPNs protect data in transit and allow remote users to securely access internal network resources. Misconfigured VPNs are a common target in penetration testing engagements.
Vulnerability
A weakness in a system, application or process that could be exploited by a threat actor to gain unauthorized access or cause harm. Vulnerabilities may exist in software code, system configurations, network architecture or human processes.

W

WAF (Web Application Firewall)
A security solution that filters, monitors and blocks HTTP traffic to and from a web application. WAFs protect against common web attacks such as SQL injection, cross-site scripting and cross-site request forgery by applying security rules to HTTP conversations.
Whaling
A targeted phishing attack directed at senior executives or high-value individuals within an organization. Whaling attacks typically impersonate other executives, board members or external authorities and often involve urgent requests for wire transfers or confidential information.

X

XSS (Cross-Site Scripting)
A web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. XSS can be used to steal session cookies, redirect users to malicious sites, deface web pages or capture keystrokes. Types include reflected XSS, stored XSS and DOM-based XSS.

Z

Zero-Day
A vulnerability that is unknown to the software vendor and has no available patch at the time of discovery. Zero-day exploits are highly valuable to attackers because no patch-based defence exists until the vendor develops and releases a fix. Zero-day vulnerabilities are tracked by the NIST National Vulnerability Database once they are publicly disclosed.
Zero Trust
A security model based on the principle of "never trust, always verify." Zero trust assumes that threats exist both outside and inside the network and requires strict identity verification for every user and device attempting to access resources regardless of their location on the network.