120+ Security Terms, Plainly Defined

Microsoft's directory service for Windows domain networks that centrally manages user accounts, computer accounts, group policies, and authentication. AD is the primary target for lateral movement in enterprise intrusions because Domain Admin privileges provide unrestricted access to all domain-joined systems. BloodHound is the standard tool for visualizing AD attack paths.

A nation-state or sophisticated criminal group that conducts prolonged, targeted intrusion campaigns against specific organizations. APT groups maintain long-term access to victim networks and prioritize stealth over speed, often dwelling undetected for months. MITRE ATT&CK catalogs the TTPs of over 100 named APT groups.

An attack that proxies authentication sessions in real time to steal session cookies, bypassing MFA by intercepting the post-authentication token rather than the credential. AiTM frameworks like Evilginx2 create a reverse proxy that sits between the victim and the legitimate authentication page. Phishing-resistant MFA (FIDO2/passkeys) is the only reliable defense.

The practice of protecting application programming interfaces from unauthorized access, injection attacks, broken authorization, and data exposure. The OWASP API Security Top 10 defines the most critical API risks including BOLA (Broken Object Level Authorization), excessive data exposure, and lack of rate limiting. API security testing requires specialized tooling distinct from traditional web app scanning.

The total set of entry points through which an attacker could attempt to gain unauthorized access to a system, including exposed network services, web application endpoints, user accounts, third-party integrations, and physical access points. Reducing attack surface is a foundational security principle: every service, port, or account that is not needed should be disabled. Attack Surface Management (ASM) tools continuously discover and inventory an organization's external attack surface.

A continuous discovery and monitoring practice that maintains an up-to-date inventory of an organization's external-facing assets and identifies security exposures before attackers do. ASM tools use the same passive and active reconnaissance techniques as attackers to discover unknown internet-facing assets, shadow IT, and newly exposed services.

See guide: /blog/vulnerability-management-program-best-practices

An open-source tool that maps Active Directory relationships and visualizes attack paths from any user account to Domain Admin using graph theory. Security teams use BloodHound defensively to identify and remediate misconfigured permissions before attackers exploit them. SharpHound is the data collector that gathers AD relationship data for analysis in BloodHound.

The most common critical API vulnerability, where an API allows users to access objects belonging to other users by manipulating object identifiers in the request. BOLA is exploited by changing a user ID, order number, or document ID in an API request to retrieve another user's data. Testing for BOLA requires creating two accounts and verifying that account A cannot access account B's resources by ID manipulation.

An authentication attack that systematically tries all possible credential combinations until the correct one is found. Password spray (trying one common password against many accounts) is a variant that avoids account lockout by limiting attempts per account. Phishing-resistant MFA, account lockout policies, and login rate limiting are the primary defenses.

A memory corruption vulnerability where a program writes data beyond the allocated buffer boundary, overwriting adjacent memory and potentially allowing an attacker to redirect execution to attacker-controlled shellcode. Stack-based buffer overflows are the classic form; heap overflows and integer overflows are related variants. Modern mitigations include ASLR, stack canaries, and NX/DEP.

A fraud scheme in which attackers impersonate a trusted party via email to manipulate an employee into wiring funds, changing payment account details, or disclosing sensitive information. BEC does not require malware and relies entirely on social engineering. Out-of-band verification via a known phone number before any wire transfer is the single most effective control.

See guide: /blog/business-email-compromise-defense-guide

The infrastructure and protocol used by malware to communicate with the attacker's server to receive instructions, exfiltrate data, and deliver additional payloads. Modern C2 frameworks (Cobalt Strike, Sliver, Havoc) use encrypted HTTPS traffic that blends with normal web traffic to evade detection. DNS-over-HTTPS and domain fronting are techniques used to obscure C2 traffic from network monitoring.

A security control point positioned between users and cloud service providers to enforce security policies including DLP, access control, and threat detection for cloud application usage. CASBs operate in two modes: inline (traffic is proxied through the CASB) and API-based (the CASB connects to cloud services via API to audit activity). CASBs are a core component of SASE and SSE architectures.

See guide: /blog/netskope-vs-zscaler-sase-sse-comparison

A prioritized set of security best practices developed by the Center for Internet Security that organizations use to defend against the most pervasive cyberattacks. The 18 CIS Controls are organized into three Implementation Groups based on organizational maturity and risk profile. IG1 defines the minimum baseline of cyber hygiene for all organizations.

See guide: /blog/cis-controls-v8-implementation-guide

A converged security platform that combines CSPM, CWPP, CIEM, and attack path analysis into a single tool for protecting cloud-native workloads from development through runtime. CNAPP emerged as organizations recognized that separate point tools for cloud posture, workload protection, and identity entitlements created blind spots at their intersections. Wiz, Orca Security, Prisma Cloud, and Lacework are leading CNAPP platforms.

See guide: /blog/wiz-vs-orca-security-cspm-comparison

A commercial adversary simulation platform widely used in red team engagements that provides a C2 framework, beacon implant, and post-exploitation toolkit. Cracked versions of Cobalt Strike are used extensively by ransomware affiliates and nation-state actors as post-exploitation infrastructure. Detecting Cobalt Strike beacons via JARM fingerprinting, named pipe artifacts, and beacon configuration extraction is a core defensive skill.

An automated attack that uses large lists of stolen username and password pairs from prior data breaches to attempt authentication against other services, exploiting password reuse. Credential stuffing attacks are effective because a significant percentage of users reuse passwords across multiple services. Mitigations include MFA, device fingerprinting, CAPTCHA, and monitoring for authentication anomalies.

A tool category that continuously monitors cloud environments for security misconfigurations, policy violations, and excessive permissions compared to security benchmarks. CSPM tools identify issues like publicly accessible S3 buckets, disabled logging, open security groups, and overly permissive IAM roles without requiring agents on cloud resources. CSPM has largely been absorbed into CNAPP platforms that extend posture management to workload runtime and attack path analysis.

See guide: /blog/cspm-tools-comparison

A standardized identifier assigned to publicly disclosed cybersecurity vulnerabilities, maintained by MITRE and funded by CISA, using the format CVE-YEAR-NUMBER (e.g., CVE-2021-44228). Each CVE entry includes a description and references to advisories, patches, and technical analysis. The NVD (National Vulnerability Database) enriches CVE records with CVSS scores, CWE classifications, and CPE affected product lists.

A standardized numerical framework for rating the severity of security vulnerabilities on a 0-10 scale, with scores categorized as None (0), Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). CVSS scores reflect technical characteristics of the vulnerability but not real-world exploitability or prevalence. EPSS and SSVC provide better prioritization signals than CVSS alone.

See guide: /blog/vulnerability-management-program-best-practices

Analyzed information about threat actors, their tactics and techniques, and the infrastructure they use, produced to inform defensive decisions and reduce response time during incidents. CTI is categorized as strategic (trends for executive decision-making), operational (campaign-level information for IR teams), and tactical (IOCs and TTPs for detection engineering). STIX/TAXII are the standard formats and protocols for sharing CTI between organizations.

See guide: /blog/best-osint-tools-threat-intelligence

Security testing that attacks a running application to find vulnerabilities by sending malicious inputs and observing responses, without access to source code. DAST tools like Burp Suite, OWASP ZAP, and Nuclei can discover SQL injection, XSS, authentication flaws, and API vulnerabilities that static analysis misses. DAST complements SAST; neither covers all vulnerability classes alone.

See guide: /blog/burp-suite-vs-owasp-zap-comparison

A post-exploitation technique that abuses Active Directory replication protocol rights to extract password hashes for all domain users, including the krbtgt account, without running code on a Domain Controller. An attacker with Replicating Directory Changes permissions can execute DCSync using tools like Mimikatz. Detection requires monitoring for anomalous DS-Replication-Get-Changes-All directory service access events.

A security architecture strategy that layers multiple independent security controls so that the failure of any single control does not result in complete compromise. The layered approach ensures attackers must defeat multiple barriers to reach their objective. Defense in depth is a core principle in frameworks like NIST CSF, CIS Controls, and ISO 27001.

A malware technique that generates large numbers of pseudo-random domain names as potential C2 communication endpoints, making it difficult to block C2 traffic by blacklisting specific domains. Malware using DGAs generates hundreds or thousands of domains daily; only a few are registered by the attacker at any time. DGA detection uses statistical analysis of domain name entropy and linguistic patterns to identify algorithmically generated domains in DNS logs.

A security technology that monitors, detects, and blocks the unauthorized transmission of sensitive data outside the organization's control. DLP policies can detect credit card numbers, Social Security numbers, health records, and custom sensitive data patterns in email, web uploads, USB transfers, and cloud application activity. Modern DLP is increasingly integrated into SASE, CASB, and endpoint security platforms rather than deployed as standalone appliances.

The period between when an attacker first gains access to a network and when the intrusion is detected and contained. Lower dwell times mean less data exfiltrated and lower breach costs; the global median dwell time has declined from over 200 days in 2016 to approximately 16 days in 2023 according to Mandiant M-Trends data. Organizations with mature EDR and SIEM capabilities consistently detect intrusions faster than those relying on external notification.

Security software that continuously records endpoint activity and uses behavioral analysis to detect, investigate, and respond to threats on laptops, servers, and workstations. EDR platforms provide visibility into process execution, network connections, file modifications, and registry changes, enabling retrospective investigation of incidents that bypassed prevention. Leading EDR platforms include CrowdStrike Falcon, SentinelOne Singularity, and Microsoft Defender for Endpoint.

See guide: /blog/crowdstrike-vs-sentinelone-edr-buyers-guide

A machine learning model maintained by FIRST that estimates the probability of a CVE being exploited in the wild within the next 30 days, expressed as a percentage. EPSS scores complement CVSS by adding an exploitability probability signal derived from threat intelligence feeds and real-world exploitation data. A vulnerability with EPSS 0.8 should be prioritized over a higher CVSS score with EPSS 0.01, regardless of theoretical severity.

See guide: /blog/vulnerability-management-program-best-practices

Code or a technique that takes advantage of a software vulnerability to cause unintended behavior, typically to achieve code execution, privilege escalation, or authentication bypass. A proof-of-concept (PoC) exploit demonstrates that a vulnerability is exploitable; a weaponized exploit is reliable enough for use in attacks. The availability of a public exploit dramatically increases the risk of a vulnerability and should accelerate patching priority.

An authentication standard developed by the FIDO Alliance and W3C that uses public-key cryptography to replace passwords with phishing-resistant credentials stored on a user's device. Unlike TOTP codes, FIDO2 credentials are cryptographically bound to the specific domain and cannot be used on a different site even if a user is tricked into visiting a phishing page. Passkeys are FIDO2 credentials that sync across devices via platform providers (Apple Keychain, Google Password Manager).

See guide: /blog/passkeys-enterprise-deployment-guide

A network security device that inspects and controls traffic based on application identity, user identity, and content in addition to traditional port and protocol rules. NGFWs integrate intrusion prevention, SSL inspection, URL filtering, and advanced threat prevention into a single platform. Palo Alto Networks, Fortinet, and Check Point are the leading NGFW vendors.

See guide: /blog/palo-alto-vs-fortinet-ngfw-comparison

The European Union's primary data protection law, effective May 2018, that establishes rights for EU residents regarding their personal data and obligations for organizations that process it. GDPR requires organizations to implement appropriate security measures, report data breaches to supervisory authorities within 72 hours, and obtain lawful basis for processing personal data. Penalties reach 4% of global annual turnover or 20 million euros, whichever is higher.

See guide: /blog/data-breach-response-notification-guide

A Kerberos attack where an attacker who has obtained the NTLM hash of the krbtgt account can forge TGTs for any user in the domain with any group membership. Golden Tickets remain valid until the krbtgt password is reset twice and can persist even after account password changes. Detection requires monitoring for anomalous Kerberos ticket characteristics such as unusual encryption types or lifetimes.

The US Health Insurance Portability and Accountability Act, which establishes security and privacy requirements for covered entities and their business associates that handle protected health information (PHI). HIPAA's Security Rule requires administrative, physical, and technical safeguards for electronic PHI; the Breach Notification Rule requires notification to affected individuals within 60 days of discovering a breach.

See guide: /blog/data-breach-response-notification-guide

A decoy system or resource intentionally deployed to attract and detect attacker activity, with no legitimate use that would explain access by authorized users. Any interaction with a honeypot is a high-fidelity detection signal because there is no legitimate reason to access it. Honeytoken credentials planted in accessible locations generate alerts when attackers try to use them.

The processes and technologies for managing digital identities and controlling user access to resources, encompassing user provisioning, authentication, authorization, and access review. In cloud environments, IAM policy misconfiguration is the leading cause of unauthorized access. IAM governance requires regular access reviews, principle of least privilege enforcement, and detection of anomalous API usage.

See guide: /blog/okta-vs-entra-id-identity-platform-buyers-guide

The practice of scanning Infrastructure as Code templates (Terraform, CloudFormation, Bicep, Helm charts) for security misconfigurations before deployment. IaC scanning tools like Checkov, tfsec, KICS, and Trivy integrate into CI/CD pipelines to catch public buckets, open security groups, and unencrypted databases before they reach production. Fixing misconfigurations in IaC is free; fixing them after a breach is expensive.

Intrusion Detection Systems (IDS) monitor network traffic for malicious patterns and alert on suspicious activity; Intrusion Prevention Systems (IPS) do the same but can automatically block or drop malicious traffic in real time. Snort and Suricata are the leading open-source IDS/IPS engines, while commercial NGFWs embed IPS functionality. Detection accuracy depends heavily on the quality and freshness of the signature rule sets applied.

See guide: /blog/snort-vs-suricata-ids-ips-comparison

The structured process of detecting, containing, eradicating, and recovering from a cybersecurity incident while preserving forensic evidence for investigation and legal purposes. The NIST IR lifecycle has four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Organizations without pre-established IR playbooks and retainer agreements consistently experience longer dwell times and higher breach costs.

See guide: /blog/ransomware-incident-response-playbook

Observable evidence that a system may have been compromised, including file hashes, IP addresses, domain names, registry keys, and network signatures associated with known malicious activity. IOCs are the lowest-fidelity intelligence because they are trivially changed by threat actors; TTPs provide more durable detection value. STIX format is the standard for sharing IOCs between organizations and platforms.

A compact, URL-safe token format used to represent claims between parties in web applications, typically for authentication and session management. JWT security vulnerabilities include the none algorithm attack, algorithm confusion (RS256 to HS256 downgrade), weak secret brute-forcing, and missing expiration validation. JWTs are signed but not encrypted by default, meaning sensitive data in the payload is base64-encoded and readable by anyone.

A PAM control that grants elevated permissions only for the duration of a specific task and automatically revokes them when the task is complete, eliminating persistent privileged accounts. JIT access reduces the attack surface of privileged credentials because a threat actor who compromises a JIT-enabled account cannot leverage elevated permissions after they expire. Azure AD PIM and CyberArk Alero are common JIT access implementations.

An offline password cracking technique that targets Active Directory service accounts with Service Principal Names (SPNs) registered. Any authenticated domain user can request a Kerberos service ticket for these accounts; the ticket is encrypted with the account's password hash, which can be cracked offline. Detection requires monitoring for anomalous TGS-REQ (Event ID 4769) patterns.

See guide: /blog/detect-lateral-movement-active-directory

CISA's authoritative catalog of CVEs that have been confirmed as actively exploited in the wild, with mandatory remediation deadlines for US federal agencies and strongly recommended prioritization for all organizations. The KEV catalog is the single highest-signal prioritization input available to vulnerability management programs, as confirmed exploitation means threat actors have weaponized the vulnerability. Federal civilian agencies must patch KEV entries within specified timeframes (typically 2-3 weeks for critical issues).

The techniques attackers use to progressively move through a network after initial compromise, accessing additional systems and escalating privileges toward their final objective. Common lateral movement techniques include Pass-the-Hash, Pass-the-Ticket, and use of remote management protocols (WMI, PSExec, RDP). Detecting lateral movement requires monitoring for anomalous authentication patterns, unusual remote execution, and unexpected inter-system connections.

See guide: /blog/detect-lateral-movement-active-directory

An attack technique where adversaries use legitimate system tools and binaries (LOLBins) already present on the target system rather than deploying custom malware, making detection more difficult because the activity resembles normal administrative operations. Common LotL tools include PowerShell, WMI, certutil, mshta, and regsvr32. Detecting LotL requires behavioral analytics and context-aware detection rules rather than signature-based detection.

A managed security service that combines technology (EDR, NDR, SIEM) with human expertise to provide 24x7 threat monitoring, detection, and incident response as an outsourced service. MDR differs from MSSP in that MDR providers take active containment actions, not just alert forwarding. Huntress, Arctic Wolf, Expel, and Rapid7 MDR are leading providers for mid-market organizations without the resources for a fully staffed internal SOC.

See guide: /blog/edr-vs-xdr-vs-mdr-comparison

An authentication requirement for two or more verification factors before granting access. MFA effectiveness varies significantly by type: FIDO2 passkeys and hardware security keys are phishing-resistant; authenticator app TOTP codes are vulnerable to AiTM proxy attacks; SMS codes are the weakest form and vulnerable to SIM swapping. CISA mandates phishing-resistant MFA for all federal systems and recommends it broadly.

A network security technique that divides a network into small, isolated zones with granular access controls between segments, limiting an attacker's ability to move laterally after compromising one system. Unlike traditional network segmentation, microsegmentation enforces policies at the workload level using software-defined networking. Zero trust network architectures rely on microsegmentation to eliminate implicit trust between systems on the same network.

A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations of cyber attacks, maintained by MITRE Corporation. ATT&CK organizes adversary behavior into 14 tactics (reconnaissance through impact), with hundreds of specific techniques and sub-techniques documented under each. Security teams use ATT&CK to evaluate detection coverage, design purple team exercises, and communicate about threats using a common vocabulary.

See guide: /blog/how-to-write-sigma-rules-threat-detection

A security tool category that analyzes network traffic to detect threats that endpoint and log-based tools miss, using machine learning and behavioral analytics on full packet capture or flow data. NDR is particularly valuable for detecting lateral movement, C2 communication, and data exfiltration because these activities generate distinctive network patterns even when endpoint visibility is limited. Darktrace, ExtraHop, and Vectra AI are leading NDR platforms.

The NIST Cybersecurity Framework, a voluntary framework for organizations to manage and reduce cybersecurity risk, organized around five core functions: Identify, Protect, Detect, Respond, and Recover. CSF 2.0 added a sixth function (Govern) and expanded guidance for supply chain risk management. The framework is widely adopted as a baseline for security program maturity assessment and board-level risk communication.

See guide: /blog/nist-csf-2-implementation-guide

The US government's repository of vulnerability data maintained by NIST, which enriches CVE records with CVSS scores, CWE weakness classifications, CPE affected product data, and references to patches and advisories. NVD is the primary data source for vulnerability scanners, asset management tools, and security information platforms. NVD processing delays mean that newly published CVEs may appear in the database without CVSS scores for days to weeks.

Intelligence collected from publicly available sources including websites, social media, public records, DNS records, certificate transparency logs, code repositories, and leaked credential databases. Security teams use OSINT for threat actor research, attack surface discovery, and pre-engagement reconnaissance. Shodan, Censys, OSINT Framework, Maltego, and theHarvester are key OSINT tools.

See guide: /blog/best-osint-tools-threat-intelligence

A regularly updated consensus list of the ten most critical web application security risks, published by the Open Web Application Security Project. The current OWASP Top 10 (2021) includes Broken Access Control, Cryptographic Failures, Injection, Insecure Design, Security Misconfiguration, Vulnerable and Outdated Components, Identification and Authentication Failures, Software and Data Integrity Failures, Security Logging Failures, and SSRF. The OWASP Top 10 is widely used as a baseline for web application security requirements.

See guide: /blog/api-security-testing-checklist

A security discipline and tool category for managing, monitoring, and controlling access to privileged accounts including local administrator accounts, service accounts, domain admin accounts, and cloud root accounts. PAM solutions provide password vaulting, session recording, just-in-time access, and credential rotation. CyberArk, BeyondTrust, and Delinea are the enterprise PAM market leaders. Uncontrolled privileged accounts are the primary mechanism for lateral movement escalation in enterprise intrusions.

A lateral movement technique where an attacker uses a captured NTLM password hash to authenticate to other systems without knowing the plaintext password. PtH exploits the NTLM authentication protocol's ability to authenticate using the hash directly rather than the password. Mitigations include disabling NTLM where possible, implementing Credential Guard, and deploying Local Administrator Password Solution (LAPS) to ensure unique local admin passwords per machine.

See guide: /blog/detect-lateral-movement-active-directory

The Payment Card Industry Data Security Standard, a set of security requirements for organizations that process, store, or transmit payment card data. PCI DSS 4.0 requires network segmentation separating the cardholder data environment, encryption of cardholder data at rest and in transit, MFA for all CDE access, and annual penetration testing. Non-compliance can result in fines, increased transaction fees, and loss of card processing privileges.

See guide: /blog/pci-dss-4-compliance-technical-guide

An authorized simulated attack against a system, network, or application conducted by security professionals to identify exploitable vulnerabilities before real attackers do. Penetration tests are scoped engagements with defined rules of engagement; they differ from red team assessments in that they focus on finding technical vulnerabilities rather than simulating a complete adversary campaign. The PTES (Penetration Testing Execution Standard) defines the standard methodology phases.

See guide: /blog/penetration-testing-phases-methodology

A social engineering attack that uses fraudulent emails, text messages, or websites designed to look legitimate in order to steal credentials, deliver malware, or trick users into taking harmful actions. Spear phishing targets specific individuals with personalized content; whaling targets senior executives. Phishing-resistant MFA (FIDO2) and email security gateways with advanced attachment sandboxing are the primary technical defenses.

See guide: /blog/phishing-simulation-program-setup-guide

The process by which an attacker gains higher-level permissions than they were initially granted, either by exploiting vulnerabilities (vertical escalation: user to admin) or accessing permissions belonging to another account at the same level (horizontal escalation). Common vectors include kernel exploits, unquoted service paths, misconfigured SUDO rules, DLL hijacking, and token impersonation. Detection focuses on monitoring for unexpected use of high-privilege APIs and anomalous process privilege changes.

Malware that encrypts a victim's files or systems and demands payment for the decryption key, often combined with data theft to enable double extortion. Modern ransomware attacks are typically operated as Ransomware-as-a-Service (RaaS), where criminal groups lease infrastructure and tools to affiliates who conduct the intrusions and split the ransom payment. CISA, the FBI, and most security practitioners advise against paying ransomware demands.

See guide: /blog/ransomware-incident-response-playbook

An access control model where permissions are assigned to roles rather than directly to users, and users are assigned to roles based on their job function. RBAC simplifies access management at scale by ensuring that all users in a given role have consistent permissions. ABAC (Attribute-Based Access Control) extends RBAC by evaluating dynamic attributes like time, location, and device posture in access decisions.

A vulnerability class where an attacker can execute arbitrary code on a target system over a network without prior authentication or with only low-privilege access. RCE vulnerabilities are the highest-severity class because successful exploitation grants the attacker full control of the affected system. RCE CVEs receive the highest CVSS base scores and appear most frequently on CISA's KEV catalog when exploited in the wild.

A full-scope adversary simulation engagement where a team of security professionals attempts to achieve specific objectives using real-world threat actor TTPs, without restrictions on attack path. Red team exercises test detection and response capabilities, not just technical vulnerabilities. They differ from penetration tests in scope, duration, and objective: a pentest enumerates vulnerabilities; a red team tests whether defenders can detect and stop a realistic attack.

See guide: /blog/penetration-testing-phases-methodology

An XML-based open standard for exchanging authentication and authorization data between identity providers and service providers, enabling single sign-on across different security domains. SAML vulnerabilities include XML signature wrapping attacks, where an attacker manipulates the structure of a SAML response to authenticate as a different user. SAML has largely been supplemented by OIDC/OAuth 2.0 for newer applications but remains dominant in enterprise SSO scenarios.

Security testing that analyzes application source code, bytecode, or binary without executing the program to find vulnerabilities like SQL injection, XSS, buffer overflows, and insecure cryptography. SAST tools integrate into CI/CD pipelines and IDEs to provide developers with real-time feedback. False positive rates vary significantly between tools and require tuning to avoid developer alert fatigue.

See guide: /blog/snyk-vs-veracode-application-security-comparison

A cloud-delivered security architecture that converges networking (SD-WAN) and security functions (SWG, CASB, ZTNA, FWaaS) into a single cloud service, eliminating the need for on-premises security appliances for remote and distributed workforces. Gartner coined the SASE term in 2019. SSE (Security Service Edge) is the security-only subset of SASE without the SD-WAN component, offered by vendors like Zscaler and Netskope.

See guide: /blog/netskope-vs-zscaler-sase-sse-comparison

A security testing technique that identifies open-source and third-party components used in an application and checks them against vulnerability databases for known CVEs. SCA addresses supply chain risk: most modern applications are 70-90% open-source code, and unpatched dependencies are a leading source of application vulnerabilities. Snyk Open Source, Dependabot, and OWASP Dependency-Check are common SCA tools.

See guide: /blog/snyk-vs-veracode-application-security-comparison

A platform that aggregates, normalizes, and correlates log and event data from across the security infrastructure to detect threats and support incident investigation. SIEMs apply correlation rules and behavioral analytics to identify attack patterns across multiple data sources that would not be detectable in any single source. Splunk Enterprise Security, Microsoft Sentinel, IBM QRadar, and Elastic SIEM are the leading enterprise platforms.

See guide: /blog/splunk-vs-elastic-siem-comparison

A generic, vendor-agnostic format for writing SIEM detection rules that can be converted to queries for Splunk, Elastic, Microsoft Sentinel, QRadar, and other platforms using the sigma-cli converter. Sigma rules describe detection logic using log source specifications, field matches, and detection conditions in YAML format. The SigmaHQ community repository contains thousands of free detection rules covering MITRE ATT&CK techniques.

See guide: /blog/how-to-write-sigma-rules-threat-detection

A platform that automates repetitive security operations tasks and orchestrates workflows across security tools, enabling SOC teams to respond to alerts faster and at higher volume without proportional analyst headcount. SOAR playbooks automate tasks like enriching alerts with threat intel, isolating compromised endpoints, blocking malicious IPs, and creating incident tickets. Splunk SOAR, Palo Alto XSOAR, Tines, and Torq are leading platforms.

See guide: /blog/siem-vs-soar-comparison-guide

An auditing framework developed by the AICPA that evaluates a service organization's controls related to security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports cover a period of time (typically 6-12 months) and provide evidence that controls are operating effectively, not just designed correctly. SOC 2 certification is increasingly required by enterprise customers as a vendor security baseline.

See guide: /blog/soc-2-type-2-certification-guide

A vulnerability that allows an attacker to induce a server to make HTTP requests to unintended destinations, including internal services, cloud metadata endpoints, and other systems not directly accessible from the internet. SSRF against cloud instance metadata services (169.254.169.254 on AWS IMDSv1) can steal cloud credentials. SSRF is #10 on the OWASP Top 10 and a significant cloud security risk.

A decision tree framework for vulnerability prioritization that considers exploitability, mission impact, and whether exploitation would have systemic consequences, rather than assigning a single universal score. SSVC produces prioritization outcomes (Defer, Scheduled, Out-of-cycle, Immediate) that are more actionable than numeric CVSS scores. CISA has published an SSVC decision tree for federal agencies.

See guide: /blog/vulnerability-management-program-best-practices

An attack that compromises software, hardware, or services delivered through a trusted third party to gain access to the third party's customers. The SolarWinds Orion attack (2020) and 3CX supply chain compromise (2023) demonstrated how a single compromised software vendor can provide access to thousands of downstream customers. Software supply chain security requires SBOM management, code signing verification, and vendor security assessment.

A proactive security practice where analysts search for hidden attacker activity in an environment based on hypotheses about adversary TTPs, rather than waiting for automated alerts to fire. Threat hunting operates on the assumption of breach and is most effective when starting with a specific ATT&CK technique hypothesis and querying endpoint telemetry and logs for behavioral indicators.

See guide: /blog/how-to-write-sigma-rules-threat-detection

The behavioral fingerprint of a threat actor: Tactics describe the high-level goal (e.g., Persistence, Lateral Movement), Techniques describe how the goal is achieved (e.g., Scheduled Task/Job), and Procedures are the specific implementation used by a particular actor. TTPs are more valuable for detection than IOCs because threat actors change their infrastructure frequently but change their TTPs rarely. MITRE ATT&CK is the standard TTP taxonomy.

A security analytics capability that establishes behavioral baselines for users and entities (devices, applications) and generates alerts when observed behavior deviates significantly from the baseline. UEBA is effective for detecting insider threats, compromised accounts, and attackers who use legitimate credentials because it focuses on behavior rather than known-bad signatures. Modern SIEMs like Microsoft Sentinel and Splunk ES incorporate UEBA capabilities.

The continuous process of identifying, evaluating, prioritizing, remediating, and verifying security vulnerabilities across an organization's technology assets. Effective vulnerability management requires a complete asset inventory, regular authenticated scanning, risk-based prioritization incorporating EPSS and KEV status, defined SLAs by severity tier, and metrics tracking mean time to remediation.

See guide: /blog/vulnerability-management-program-best-practices

A technology that creates an encrypted tunnel between a user's device and a corporate network gateway, extending the corporate network perimeter to remote users. Traditional VPNs grant broad network access once authenticated, creating lateral movement risk if a user's device is compromised. Zero Trust Network Access (ZTNA) is the recommended replacement for VPN in modern security architectures.

See guide: /blog/zero-trust-vs-vpn-comparison

A security control that monitors and filters HTTP/HTTPS traffic to and from a web application, blocking common web attacks including SQL injection, cross-site scripting, and OWASP Top 10 vulnerabilities. WAFs operate in detection mode (logging only) or prevention mode (actively blocking). Cloud WAF services from Cloudflare, AWS WAF, and Akamai provide scalable protection without on-premises hardware. WAFs are not a substitute for secure code and cannot compensate for fundamental application security flaws.

Destructive malware designed to permanently destroy data by overwriting files, Master Boot Records, or storage media rather than encrypting it for ransom. Wiper attacks have been used in nation-state operations to cause operational disruption: NotPetya (2017), WhisperGate (2022 Ukraine), and HermeticWiper (2022 Ukraine) are prominent examples. Unlike ransomware, wipers provide no recovery path and the primary defense is offline backups that cannot be reached by network-connected systems.

A security platform that integrates and correlates telemetry from multiple security controls (endpoint, network, email, cloud, identity) into a unified detection and response platform, reducing the manual correlation work required when using separate EDR, NDR, and SIEM tools. XDR aims to provide broader detection coverage than EDR alone by connecting attack activity across different environments. Microsoft Defender XDR, Palo Alto Cortex XDR, and CrowdStrike Falcon XDR are leading platforms.

See guide: /blog/edr-vs-xdr-vs-mdr-comparison

A web application vulnerability where an attacker injects malicious scripts into content delivered to other users' browsers, executing in the victim's browser context to steal session cookies, redirect to phishing pages, or perform actions on the user's behalf. Stored XSS persists in the application database; Reflected XSS is triggered via a malicious URL; DOM-based XSS is processed client-side. Output encoding and Content Security Policy (CSP) headers are the primary mitigations.

A vulnerability in XML parsers that allows an attacker to inject malicious external entity references, leading to local file disclosure, SSRF, or denial of service. XXE vulnerabilities exist in applications that process XML input without disabling external entity processing. OWASP rates XXE as a critical web application vulnerability. Mitigation: disable external entity processing in XML parser configuration.

A pattern-matching language used to identify malware families and suspicious files based on strings, byte patterns, and logical conditions. YARA rules are shared widely in the threat intelligence community to enable rapid detection of newly discovered malware across organizations. Tools like Loki and THOR use YARA for forensic scanning, while EDR platforms and sandboxes support YARA rule deployment for file detection.

See guide: /blog/how-to-write-sigma-rules-threat-detection

A vulnerability that is unknown to the vendor or has no available patch at the time of exploitation, giving defenders zero days to remediate before attacks begin. True zero days are rare and valuable; most vulnerabilities exploited in attacks are n-days (known vulnerabilities with available patches that organizations have not yet applied). CISA's KEV catalog lists both zero days and n-days confirmed as actively exploited.

A security model based on the principle 'never trust, always verify,' eliminating implicit trust based on network location and requiring continuous verification of identity, device posture, and authorization for every access request. Zero Trust architectures replace perimeter-based security with identity-aware access controls, microsegmentation, and continuous monitoring of user and device behavior. NIST SP 800-207 defines the federal Zero Trust Architecture standard.

See guide: /blog/zero-trust-vs-vpn-comparison

A security technology that provides secure remote access to specific applications based on identity and device posture, without granting broad network access, replacing traditional VPN architecture. ZTNA enforces the zero trust principle at the access layer: users connect to individual applications, not the network, and the connection is established only after verifying identity, device health, and authorization policy. Zscaler ZPA, Cloudflare Access, and Palo Alto Prisma Access are leading ZTNA solutions.

See guide: /blog/zero-trust-vs-vpn-comparison