Cybersecurity glossary
A list of common cybersecurity terms.
2FA/MFA (Two-Factor/Multi-Factor Authentication) Authentication requiring multiple verification methods. Significantly reduces credential theft risk.
Account Enumeration Technique to identify valid usernames or accounts on a system. Used in reconnaissance phase.
Account Takeover (ATO) Unauthorized access to a user’s account through stolen credentials, phishing, or other malicious methods. Often leads to financial fraud or data theft.
Advanced Persistent Threat (APT) A prolonged and targeted cyberattack where an intruder gains access to a network and remains undetected for an extended period. Typically state-sponsored or highly organized criminal groups.
Adversary-in-the-Middle Modern term for man-in-the-middle attacks, emphasizing the adversary's active role. More accurate terminology.
AES (Advanced Encryption Standard) Widely used symmetric encryption algorithm. Industry standard for data protection.
Akira Ransomware A ransomware operation that emerged in 2023, known for targeting VMware ESXi servers and using double extortion tactics. Notable for rapid victim turnaround.
AlphaBay Largest dark web marketplace before its 2017 takedown. Relaunched in 2021 under new management.
API (Application Programming Interface) A set of protocols that allows different software applications to communicate. Exposed or poorly secured APIs can leak sensitive data.
API Exposure Unintended disclosure of API endpoints, keys, or data that can be exploited by attackers. A leading cause of data breaches.
Attack Surface The total number of points where an unauthorized user can try to enter or extract data from an environment. Includes networks, applications, and cloud services.
Attack Surface Management (ASM) The continuous discovery, inventory, classification, and monitoring of an organization’s external attack surface. Helps identify vulnerabilities before attackers do.
Babuk Ransomware A ransomware-as-a-service operation known for targeting enterprise networks and leaking stolen data. Active since 2021.
BEC (Business Email Compromise) Sophisticated phishing attack targeting businesses to authorize fraudulent wire transfers or data disclosure. Often impersonates executives or vendors.
Black Basta A ransomware group that emerged in 2022, known for double extortion tactics and rapid encryption. Suspected to have ties to disbanded Conti group.
Black Hat Hacker Cybercriminal who breaks into systems for malicious purposes or personal gain. Opposite of white hat ethical hackers.
Blockchain Analysis Techniques for tracing cryptocurrency transactions to identify criminal activity. Increasingly used by law enforcement and threat intelligence.
Botnet A network of compromised computers controlled remotely to conduct malicious activities like DDoS attacks or spam distribution. Often created through malware infections.
Brand Impersonation Creating fake websites, social media accounts, or emails pretending to be a legitimate brand. Used for phishing and fraud.
Brand Protection Strategies and tools used to protect a company’s brand from impersonation, counterfeiting, and reputation damage. Includes monitoring for fake domains and social media accounts.
Breach An incident where unauthorized parties gain access to sensitive, protected, or confidential data. Can result from hacking, malware, or human error.
BreachForums A dark web forum where stolen databases, credentials, and hacking tools are traded. Successor to RaidForums.
Brute Force Attack Attempting all possible password combinations until finding the correct one. Effective against weak passwords.
Bug Bounty Programs rewarding security researchers for discovering and reporting vulnerabilities. Increasingly popular with enterprises.
BYOD (Bring Your Own Device) Policy allowing employees to use personal devices for work. Creates security challenges.
C2 (Command and Control) Infrastructure used by attackers to communicate with compromised systems. Critical to detect and block.
C99 Shell A popular web shell used by attackers to maintain persistent access to compromised web servers. Provides file management and command execution capabilities.
Certificate Authority (CA) Trusted entity issuing digital certificates for encrypted communications. Foundation of PKI.
CISO (Chief Information Security Officer) Executive responsible for an organization's cybersecurity strategy and operations. C-suite position.
Cl0p (Clop) Ransomware A ransomware gang known for exploiting zero-day vulnerabilities in enterprise software. Famous for the MOVEit Transfer attacks.
Cloud Security Posture Management (CSPM) Tools and practices for identifying misconfigurations in cloud environments. Essential for cloud security.
Combolists Lists of username and password combinations leaked from data breaches. Sold on dark web forums and used for credential stuffing.
Compromised Credentials Stolen or leaked usernames and passwords. Most common initial access method.
Container Security Protecting containerized applications and their runtime environments. Critical for modern DevOps.
Conti Ransomware Prolific ransomware gang that disbanded in 2022. Members formed new groups like Black Basta.
Credential Harvesting Collecting usernames and passwords through phishing, keylogging, or database breaches. Precursor to account takeover.
Credential Intelligence The process of monitoring and analyzing leaked or stolen credentials across the dark web and other sources. Helps prevent account takeovers.
Credential Stuffing An automated attack where stolen username-password pairs are tested across multiple websites. Exploits password reuse habits.
Critical Infrastructure Systems essential to society’s functioning (power, water, transportation). Prime targets for nation-state actors.
Cryptocurrency Digital currency using cryptography, often used in ransomware payments. Bitcoin is the most common in cybercrime.
Crypto Wallet A digital tool for storing cryptocurrency keys and conducting transactions. Often targeted by thieves on the dark web.
CVE (Common Vulnerabilities and Exposures) Standardized identifier for publicly known cybersecurity vulnerabilities. Used for tracking and patching.
CVSS (Common Vulnerability Scoring System) Framework for rating vulnerability severity from 0-10. Helps prioritize patching.
Cyber Due Diligence Security assessments conducted during mergers and acquisitions to identify cyber risks and liabilities. Critical for valuation.
Cyber Espionage State-sponsored or organized criminal activities aimed at stealing sensitive information from governments or corporations. Often conducted by APT groups.
Cyber Insurance Insurance coverage for losses related to cyber incidents. Increasingly required by boards.
Cyber Jihad Cyberattacks conducted in support of Islamic extremist causes. Often targets Western organizations.
Cyber Kill Chain A framework developed by Lockheed Martin describing the stages of a cyberattack from reconnaissance to data exfiltration. Used for defense planning.
Cyber Resilience Act EU regulation establishing cybersecurity requirements for products with digital elements. Aims to improve security throughout product lifecycles.
Cyber Threat Intelligence (CTI) See Threat Intelligence.
Cybersquatting Registering domain names similar to established brands with intent to profit or damage reputation. Also called domain squatting.
Dark Web Encrypted portion of the internet not indexed by search engines, requiring specific software like Tor to access. Used for both legitimate privacy and criminal activities.
Dark Web Monitoring Continuous surveillance of dark web forums, marketplaces, and channels for mentions of your organization, leaked data, or planned attacks. Critical for threat intelligence.
Darknet Overlay networks requiring specific software, configurations, or authorization to access. Includes dark web and other anonymized networks.
Data Exfiltration Unauthorized transfer of data from a computer or network. Key objective of many breaches.
Data Loss Prevention (DLP) Tools and strategies to prevent sensitive data from leaving the organization. Monitors data in motion, at rest, and in use.
Data Processing Policy Documentation of how an organization collects, uses, and protects personal data. Required by GDPR and similar regulations.
Database Leak Unauthorized exposure of database contents, often containing personal information, credentials, or sensitive business data. Can result from misconfiguration or breach.
DDoS (Distributed Denial of Service) An attack that overwhelms a target system with traffic from multiple sources, making it unavailable to legitimate users. Often used for extortion or disruption.
DDOSia A DDoS tool used by the NoName057(16) hacktivist group to conduct coordinated attacks. Distributed through Telegram channels.
Deep Web Parts of the internet not indexed by standard search engines but not necessarily encrypted. Includes password-protected sites and databases.
Deepfake AI-generated synthetic media that convincingly manipulates audio or video. Increasingly used for fraud, impersonation, and misinformation.
DeSnake The alleged administrator who relaunched the AlphaBay dark web marketplace in 2021. Identity remains unconfirmed.
DevSecOps Integration of security practices into DevOps processes. Shifts security left in the development lifecycle.
Digital Footprint Trail of data created by online activities. Can be exploited for reconnaissance.
Digital Risk Protection (DRP) Services that identify and mitigate cyber threats across the digital landscape. Includes dark web monitoring, brand protection, and attack surface management.
Digital Vigilance Ongoing monitoring and awareness of digital threats. Proactive security posture.
DNS (Domain Name System) System translating domain names to IP addresses. Critical internet infrastructure and common attack vector.
DNS Spoofing An attack that corrupts DNS cache to redirect traffic to malicious websites. Also called DNS cache poisoning.
Domain Generation Algorithm (DGA) Technique used by malware to generate random domain names for C2 communications. Evades blocklists.
Domain Impersonation Creating domains that closely resemble legitimate brands to deceive users. Used for phishing and fraud.
Domain Squatting See Cybersquatting.
DORA (Digital Operational Resilience Act) EU regulation requiring financial entities to strengthen their ICT risk management and resilience. Compliance required by 2025.
Double Extortion Ransomware tactic where attackers both encrypt data and threaten to leak it publicly. Increases pressure on victims to pay.
Doxxing Publishing private information about individuals online without consent, often with malicious intent. Can lead to harassment or physical threats.
DragonForce A ransomware-as-a-service group known for targeting healthcare and manufacturing sectors. Active since 2023.
EASM (External Attack Surface Management) Attack Surface Management focused specifically on externally facing assets. See Attack Surface Management.
Emotet A sophisticated banking trojan turned malware distributor. Known for spreading through spam emails with malicious attachments.
Encryption Converting data into code to prevent unauthorized access. Foundation of data protection.
Endpoint Detection and Response (EDR) Security solution monitoring endpoint devices for threats. Essential for modern security stack.
Exploit Code or technique that takes advantage of a security vulnerability to gain unauthorized access or cause unintended behavior. Can be zero-day or known vulnerabilities.
Exploit Kit Automated tool for delivering exploits to vulnerable systems. Often delivered via malicious websites.
Exposed Database A database accessible without proper authentication, often due to misconfiguration. Major source of data breaches.
False Positive Alert incorrectly identifying benign activity as malicious. Reduces SOC efficiency.
Fileless Malware Malicious software that operates in memory without installing files on disk, making it harder to detect. Often uses legitimate system tools.
Firewall Network security system monitoring and controlling traffic based on security rules. Basic security control.
Forensics Investigation and analysis of cyber incidents. Critical for incident response and prosecution.
GDPR (General Data Protection Regulation) EU regulation on data protection and privacy. Severe penalties for non-compliance.
Google Dorking Using advanced Google search operators to find sensitive information exposed online. Also called Google Hacking.
Google Hacking Database (GHDB) A repository of Google dork queries used to discover vulnerabilities and exposed data. Maintained by security researchers.
Gray Hat Hacker Security researcher operating in legal gray areas without malicious intent. Between white and black hat.
Hacker Forum Online communities where hackers exchange tools, techniques, and stolen data. Like BreachForums and XSS.
Hacktivism Hacking activities conducted for political or social causes rather than financial gain. Groups like Anonymous and NoName057(16) engage in hacktivism.
Hansa Market A major dark web marketplace shut down by law enforcement in 2017 during Operation Bayonet. Was operated as a honeypot before seizure.
Harvest Now, Decrypt Later (HNDL) A cyber threat where adversaries steal encrypted data now with the expectation of decrypting it once quantum computers become capable. Also called HNDL.
Hash Fixed-size string generated from data, used to verify integrity. Produced by a one-way cryptographic function.
Honeypot A decoy system designed to attract and detect attackers. Used for research and to divert threats from production systems.
Incident Response Organized approach to addressing security breaches or attacks. Includes preparation, detection, containment, and recovery.
Indicator of Compromise (IoC) Forensic evidence of a potential intrusion on a system or network. Includes malicious IP addresses, file hashes, and URLs.
Infostealer Malware designed to harvest sensitive information like credentials, financial data, and personal information from infected systems. Often sold on dark web forums.
Insider Threat Security risk posed by employees, contractors, or partners with authorized access. Difficult to detect and prevent.
Intrusion Detection System (IDS) Monitors network traffic for suspicious activity. Passive detection compared to IPS.
Intrusion Prevention System (IPS) Actively blocks detected threats in network traffic. More proactive than IDS.
IoT (Internet of Things) Network of physical devices connected to the internet. Often poorly secured and vulnerable to attacks.
IoT Cybersecurity Security practices and technologies designed to protect internet-connected devices. Critical as IoT adoption grows.
IP Spoofing Falsifying the source IP address in packets. Used to hide an attacker's identity or impersonate trusted systems.
Kerberoasting Technique to extract service account credentials from Active Directory. Common privilege escalation method.
Keylogger Software or hardware that records keystrokes to capture sensitive information like passwords. Common component of spyware.
Kill Chain See Cyber Kill Chain.
Lapsus$ Cybercrime group known for social engineering and extortion. Targeted Microsoft, Nvidia, and Okta.
Lateral Movement Techniques attackers use to progressively move through a network after initial compromise. Critical phase in advanced attacks.
Leak Site Websites operated by ransomware groups to publish stolen data from victims who refuse to pay. Used as extortion leverage.
Living Off the Land (LOTL) Technique using legitimate system tools for malicious purposes. Harder to detect than custom malware.
LockBit A prominent ransomware-as-a-service operation known for speed and efficiency. Subject of a major law enforcement takedown in 2024.
Logic Bomb Malicious code triggered by specific conditions. Often used by insider threats.
Lumma Stealer An infostealer malware-as-a-service that targets browser credentials, cryptocurrency wallets, and 2FA tokens. Highly active in 2024-2025.
Lynx Ransomware A ransomware variant using double extortion tactics. Emerged in late 2024 targeting various industries.
Machine Learning in Cybersecurity AI techniques for threat detection and response automation. Improving defense capabilities.
Macro Malware Malicious code embedded in document macros. Common delivery method for trojans.
Malware Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Includes viruses, trojans, and ransomware.
Malware-as-a-Service (MaaS) Business model where malware developers sell or lease their creations to cybercriminals. Lowers barrier to entry for attacks.
Managed Security Service Provider (MSSP) Third-party company providing outsourced security monitoring and management. Common for smaller organizations.
Man-in-the-Middle (MitM) An attack where communications between two parties are intercepted and potentially altered without their knowledge. Often targets unencrypted connections.
Memory Forensics Analysis of RAM contents to detect malware and attacker activities. Effective against fileless malware.
Misconfiguration Incorrectly configured security settings that create vulnerabilities. Leading cause of cloud data breaches.
MITRE ATT&CK A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Used for threat modeling and detection.
NIS2 Directive EU cybersecurity directive expanding requirements across critical sectors. Effective October 2024.
NIST CSF (Cybersecurity Framework) A framework developed by the National Institute of Standards and Technology for managing cybersecurity risks. Version 2.0 released in 2024.
NIST CSF 2.0 Latest version of the NIST Cybersecurity Framework, adding a “Govern” function and updated guidance. More aligned with other frameworks like DORA.
NoName057(16) A pro-Russian hacktivist group conducting DDoS attacks against Western targets. Known for using DDOSia tool and Telegram coordination.
Obfuscation Technique to make code or communications difficult to understand. Used by malware to evade detection.
Onion Routing Layered-encryption routing technique used by the Tor network to anonymize internet traffic. Routes communications through multiple relays.
Operational Technology (OT) Hardware and software controlling industrial operations. Increasingly targeted by cyberattacks.
OSINT (Open Source Intelligence) Intelligence gathered from publicly available sources. Used for reconnaissance by both defenders and attackers.
Patch Management Process of applying software updates to fix vulnerabilities. Critical but often delayed.
Penetration Testing Authorized simulated attack to evaluate security posture. Identifies weaknesses before real attacks.
Persistence Techniques attackers use to maintain access after initial compromise. Critical phase in advanced attacks.
Personally Identifiable Information (PII) Data that can identify a specific individual, such as social security numbers, addresses, or biometric data. Highly regulated and valuable to criminals.
Phishing Fraudulent attempts to obtain sensitive information by disguising as a trustworthy entity in electronic communications. Most common initial attack vector.
PII Leakage Unintended exposure of personally identifiable information through insecure systems or human error. Subject to regulatory penalties.
Pikabot A malware loader that emerged in 2023, used to deploy additional payloads like ransomware. Known for stealthy delivery methods.
Play Ransomware A ransomware group targeting critical infrastructure and large enterprises. Known for rapid encryption and data exfiltration.
Postman A popular API development platform. Security concerns arose from exposed API keys and sensitive data in public workspaces.
Privilege Escalation Exploiting vulnerabilities to gain higher access levels. Often follows initial compromise.
Proxy Intermediary server separating end users from destinations. Can provide anonymity or filtering.
Qilin Ransomware A ransomware operation using double extortion tactics, active since 2022. Notable for targeting healthcare and critical infrastructure.
Quantum-Safe Cryptography Encryption methods designed to resist attacks from quantum computers. Critical for long-term data protection.
Quishing (QR Phishing) Phishing attacks using malicious QR codes to direct victims to fraudulent websites. Growing threat in 2024-2025.
Ragnar Locker A ransomware family known for highly targeted attacks against enterprise networks. Notable for CWT Global incident.
RansomHub A ransomware-as-a-service platform that emerged as a major threat in 2024. Uses double extortion tactics.
Ransomware Malware that encrypts a victim's data and demands payment for the decryption keys. Often includes data theft for additional extortion.
Ransomware Negotiator Professional mediating between ransomware victims and attackers. Controversial practice.
Ransomware-as-a-Service (RaaS) Business model where ransomware developers lease their malware to affiliates. Affiliates conduct attacks and share profits.
Red Flag Indicator of potential security incident requiring investigation. Part of security awareness.
Red Team Security professionals who simulate real-world attacks to test an organization’s defenses. Opposite of Blue Team (defenders).
Remediation The process of fixing security vulnerabilities or responding to incidents. Critical component of security operations.
Remote Access Trojan (RAT) Malware that gives attackers remote control over infected systems. Used for surveillance, data theft, and further infection.
Reveton Early ransomware that disguised itself as law enforcement warnings. Pioneered the ransomware business model.
Rootkit Malware providing privileged access while hiding its presence. Very difficult to detect and remove.
Ryuk Ransomware A targeted ransomware strain known for demanding large ransoms from enterprises and healthcare organizations. Often deployed after initial Emotet or TrickBot infection.
Salt Typhoon A Chinese APT group that targeted US telecommunications infrastructure in 2024. Known for sophisticated espionage operations.
SCADA Supervisory Control and Data Acquisition systems used in critical infrastructure. High-value targets with often outdated security.
Scattered Spider A cybercrime group known for social engineering tactics and targeting identity providers. Linked to MGM Resorts breach.
Shadow IT IT systems, devices, or software used within an organization without explicit approval. Creates unmonitored security risks.
SIEM (Security Information and Event Management) Platform collecting and analyzing security logs from across infrastructure. Central to SOC operations.
Silent Ransomware Ransomware that encrypts data quietly without displaying ransom notes. Designed to evade detection and maximize damage.
Silk Road First major dark web marketplace, shut down by the FBI in 2013. Set the template for future dark web markets.
SMBv1 Legacy version of Server Message Block protocol with known vulnerabilities. Exploited by WannaCry and NotPetya.
Smishing Phishing attacks conducted via SMS text messages. Increasingly common with mobile device usage.
SOAR (Security Orchestration, Automation and Response) Platform automating incident response workflows. Enhances SOC efficiency.
SOC (Security Operations Center) Centralized unit that monitors, detects, and responds to cybersecurity incidents. Operates 24/7 in mature organizations.
Social Engineering Psychological manipulation to trick people into revealing confidential information or performing actions. Most effective attack method.
Spear Phishing Targeted phishing attacks directed at specific individuals or organizations. Uses personalized information for credibility.
Spoofing Falsifying data to disguise the source of communication or identity. Includes email, IP, and DNS spoofing.
SQL Injection Attack that inserts malicious SQL code into application inputs to manipulate databases. Common web application vulnerability.
Supply Chain Attack Compromise of a trusted vendor or supplier to reach the ultimate target. Exemplified by SolarWinds breach.
Supply Chain Vulnerability Security weaknesses in third-party vendors, software, or services. Increasingly exploited by sophisticated attackers.
Swatting Making false reports to emergency services to provoke armed response at victim’s location. Dangerous form of harassment.
Telegram Encrypted messaging platform widely used by cybercriminals for coordination and data sales. Hosts numerous hacking channels.
Third-Party Risk Security and operational risks introduced through vendors, suppliers, and business partners. Major source of breaches.
Threat Actor Individual or group responsible for malicious cyber activity. Ranges from script kiddies to nation-states.
Threat Hunting Proactive search for threats that evaded existing security controls. Advanced SOC function.
Threat Intelligence Information about potential or current threats used to inform security decisions. Can be strategic, tactical, or operational.
Threat Surface See Attack Surface.
Tor (The Onion Router) Software enabling anonymous communication by routing traffic through a worldwide relay network. Required to access the dark web.
TrickBot Banking trojan evolved into modular malware framework. Often used to deliver ransomware like Ryuk and Conti.
Triple Extortion Ransomware tactic adding DDoS attacks or contacting customers/partners to the double extortion model. Maximum pressure on victims.
Trojan Malware disguised as legitimate software that gives attackers unauthorized access. Named after the Greek myth.
TTP (Tactics, Techniques, and Procedures) Patterns of behavior used by threat actors. Catalogued in the MITRE ATT&CK framework.
Typosquatting Registering misspelled domain names of popular sites to capture misdirected traffic. Used for phishing and ad fraud.
Uncensored AI/LLM Large language models without content restrictions, often used for malicious purposes. Increasingly accessible on dark web.
Virus Self-replicating malware that spreads by inserting copies into other programs or files. One of the oldest malware types.
Vishing Phishing attacks conducted via voice calls or VoIP. Often impersonates technical support or law enforcement.
Volt Typhoon Chinese APT group focused on pre-positioning for potential disruption of US critical infrastructure. Major concern for national security.
VPN (Virtual Private Network) Encrypted connection over public internet providing privacy and security. Common for remote work.
Vulnerability A weakness in software, hardware, or processes that can be exploited by threats. Rated by CVSS scores.
WannaCry Global ransomware attack in 2017 exploiting SMBv1 vulnerability. Affected over 200,000 computers across 150 countries.
Watering Hole See Watering Hole Attack.
Watering Hole Attack Compromising websites frequently visited by target organizations. Relies on infecting legitimate sites to reach specific victims.
Web Shell Scripts uploaded to web servers providing remote access and control. Common persistence mechanism after initial compromise.
Whaling Spear phishing attacks specifically targeting senior executives or high-value individuals. Named for “big fish” targets.
White Hat Hacker Ethical security professional who tests systems with permission to improve security. Opposite of black hat hackers.
Wiper Malware Malicious software designed to permanently destroy data rather than encrypt it. Often used in nation-state attacks.
Worm Self-replicating malware that spreads automatically across networks without user interaction. More aggressive than viruses.
XDR (Extended Detection and Response) Security solution that integrates multiple security products into a cohesive system. Evolution beyond EDR covering more attack vectors.
XSS (Cross-Site Scripting) Web security vulnerability allowing attackers to inject malicious scripts into trusted websites. Can steal session cookies and credentials.
XXE (XML External Entity) Injection attack against applications parsing XML input. Can expose files, execute remote requests, or cause DoS.
Yara Rules Pattern-matching rules, written for the YARA tool, used to identify and classify malware samples. Essential for malware research and threat hunting.
Zero-Day Previously unknown vulnerability exploited before vendor develops a patch. Most dangerous type of vulnerability.
Zero-Day Exploit Attack leveraging a zero-day vulnerability. Highly valuable on dark web marketplaces.
Zero Trust Architecture Security model assuming no implicit trust regardless of network location. Requires verification for every access request.
Zloader Banking trojan and malware loader descended from Zeus trojan. Used to deploy ransomware and steal credentials.
Zombie A compromised computer controlled by an attacker without the owner's knowledge. Building block of botnets.
Zoom Bombing Unauthorized intrusion into video conferences to disrupt meetings or share inappropriate content. Peaked during COVID-19 pandemic.
ZPH (Zero-Day Protection Hypothesis) Security strategy assuming zero-day vulnerabilities exist and implementing layered defenses. Proactive rather than reactive approach.
