Glossary

Cybersecurity & Privacy

466 terms in this category.

2FA
Two-Factor Authentication — requires two verification methods: something you know (password) + something you have (TOTP
Abuse Detection
Identifying misuse of services or platforms by users or bots
Access Control List
ACL — a list specifying which users or systems are granted or denied access to resources. File ACLs, network ACLs, and c
Access Management
Controlling who can access what resources.
Access Review
Periodic verification of user permissions for compliance
Access Token
Short-lived credential for API access. OAuth access tokens. JWT common format.
Account Lockout
Disabling account after failed login attempts. Prevents brute force.
Account Recovery
Regaining access to locked account. Email verification, security questions.
Account Takeover
Attacker gaining control of user account.
Active Directory
Microsoft directory service managing network identities and policies
Adaptive Authentication
Adjusting auth requirements by risk. New device requires 2FA.
Advanced Persistent Threat
APT — a long-term, targeted intrusion campaign by a well-resourced actor, typically a nation-state.
Adversary
Threat actor: script kiddies, hacktivists, organized crime, nation-states.
Air Gap
Physically isolating a network from the internet. Used for critical infrastructure, military systems, and cold cryptocur
Allow List
Explicitly permitted items. IP, application, email allowlists. Default deny.
Anti-Forensics
Techniques used to evade or disrupt digital forensic investigation
Anti-Malware
Software detecting various malware types. Broader than antivirus.
Anti-Phishing
Technologies detecting and blocking phishing attempts.
Anti-Spam
Filtering unwanted bulk email messages before delivery
Antivirus
Software detecting, preventing, and removing malware. Signature-based and behavioral detection. Windows Defender, ClamAV
API Key
A simple authentication token identifying the calling application. Passed in headers or query params. Less secure than O
API Security
Protecting APIs from abuse: authentication (OAuth, API keys), rate limiting, input validation, and encryption. OWASP API
Application Firewall
WAF protecting web apps from attacks.
Application Security
Securing apps throughout lifecycle. SAST, DAST, code review.
Application Whitelisting
Only pre-approved applications allowed to execute on systems
Asset Classification
Categorizing assets by sensitivity and business criticality
Asset Inventory
Complete catalog of IT assets. Can't protect what you don't know about.
Assume Breach
Security posture assuming network is compromised.
Asymmetric Encryption
Public/private key pair. Anyone can encrypt with the public key; only the private key decrypts. RSA, or X25519 key agreement combined with a symmetric cipher. Ed25519 is the companion signature scheme, not an encryption algorithm.
Attack Surface
The total number of points where an attacker could enter a system. Minimizing attack surface through hardening, closing
Attack Tree
Hierarchical model of potential attacks. Visual threat analysis tool.
Attack Vector
The method an attacker uses to breach a system. Email (phishing), web (XSS), network (MITM), physical (USB drops). Under
Attribute-Based Access Control
ABAC permissions based on user and resource attributes
Audit Log
A chronological record of system activities. Who did what, when, and from where. Required for compliance (SOC 2, GDPR).
Auth Token
Authentication credential proving identity. Session tokens, JWTs, API keys.
Authentication
The process of verifying a user's identity. Methods: password, biometrics, magic link, passkeys. OAuth and OIDC are stan
Authentication Factor
Evidence proving identity: knowledge, possession, inherence, location.
Authentication Protocol
Standardized method for verifying identity like Kerberos
Authorization
The process of determining what actions an authenticated user can perform. RBAC (role-based), ABAC (attribute-based), an
Authorization Code
OAuth 2.0 grant type. The client receives a short-lived code via the browser and exchanges it for tokens at the token endpoint, so tokens never travel through the front channel. With PKCE, the recommended flow for all client types.
Backdoor
Secret method bypassing auth. Planted by attackers or devs. Code review detects.
Backup Encryption
Encrypting backup data. Protect against backup theft.
Bearer Token
An access token included in the Authorization header (Bearer xyz...). The server trusts whoever bears the token. JWTs ar
Behavioral Analysis
Detecting threats by anomalous behavior patterns.
Binary Analysis
Examining compiled software without source. IDA Pro, Ghidra.
Biometric Data
Physical measurements for identity. Fingerprints, face geometry, iris patterns.
Biometrics
Authentication based on physical characteristics: fingerprint, facial recognition, iris. Touch ID and Face ID are biomet
Block Cipher
An encryption algorithm processing fixed-size blocks. AES encrypts 128-bit blocks. Modes of operation (CBC, GCM) handle
Block Cipher Mode
Algorithm using block cipher on data. CBC, GCM, CTR modes.
Block List
Explicitly denied items. IP, domain blocklists. Less secure than allowlists.
Blue Team
The defensive security team responsible for protecting systems. Monitors, detects, and responds to threats. Opposite of
Bot Detection
Identifying automated requests. CAPTCHA, behavioral analysis, fingerprinting.
Botnet
A network of compromised devices controlled by an attacker. Used for DDoS attacks, spam, and cryptocurrency mining. Mira
Breach Notification
Informing affected parties and regulators after a data breach. GDPR: 72 hours to the supervisory authority. Varies by jurisdiction.
Break Glass Procedure
Emergency access bypassing normal security controls
Bring Your Own Device
BYOD policy allowing personal devices on corporate network
Browser Fingerprinting
Identifying users by browser characteristics without cookies.
Brute Force Attack
Trying every possible combination to crack a password or key. Rate limiting, account lockout, and long passwords mitigat
Buffer Overflow
Writing beyond allocated memory. Classic C/C++ vulnerability. Memory-safe languages prevent it.
Bug Bounty
A program rewarding ethical hackers for reporting vulnerabilities. HackerOne and Bugcrowd are platforms. Google, Apple,
Business Continuity
Plans for critical functions during disruption. DR, communication, alt sites.
Business Email Compromise
Targeted email fraud impersonating executives
CA
Certificate Authority — a trusted entity issuing digital certificates. Let's Encrypt (free), DigiCert, and Sectigo. Brow
Canary Token
A hidden tripwire that alerts when accessed. Fake credentials, documents, or DNS entries. When an attacker uses them, yo
CAPTCHA Bypass
Techniques for defeating CAPTCHA automated bot challenges
CASB
Cloud Access Security Broker controlling cloud access.
CCPA
California Consumer Privacy Act for data protection rights
Certificate
Digital document binding identity to public key. X.509 format. TLS certs.
Certificate Authority
CA trusted entity that issues digital certificates
Certificate Pinning
Associating a specific certificate or public key with a domain, rejecting all others. Prevents MITM attacks with fraudul
Certificate Transparency
A public log of all issued SSL certificates. Detects rogue or misissued certificates. Certificate monitors alert domain
Chain of Custody
Documentation tracking evidence handling in forensics.
Challenge-Response
Auth where server sends challenge, client proves knowledge.
CIDR
Classless Inter-Domain Routing — IP address notation specifying network ranges. 10.0.0.0/24 means 256 addresses. Used in
CIDR Notation
IP address range notation like 10.0.0.0/24 for 256 addresses
Cipher
Algorithm for encryption/decryption. Block (AES) and stream (ChaCha20).
Cipher Suite
The combination of algorithms negotiated for a TLS session: key exchange, authentication, bulk cipher, and MAC. In TLS 1.3 the suite names only the AEAD cipher and hash; key exchange is negotiated separately.
Cleartext
Unencrypted readable data. Never store passwords in cleartext.
Clickjacking
Tricking users into clicking hidden elements by overlaying transparent iframes. X-Frame-Options and CSP frame-ancestors
Cloud Access Broker
CASB — security policy between cloud and users. Visibility, compliance, protection.
Cloud Security
Protecting cloud infra and data. Shared responsibility model.
Cloud Workload Protection
Securing cloud compute workloads.
Code Injection
Malicious input altering execution. SQL, OS command, LDAP injection.
Code Review (Security)
Reviewing code specifically for vulnerabilities.
Cold Storage
Offline storage for highly sensitive data or cryptocurrency. Hardware wallets, air-gapped systems, and offline backups.
Cold Storage (Security)
Offline storage for sensitive keys and backup data
Common Weakness Enumeration
CWE standardized software weakness catalog.
Compliance
Conformity with regulations and standards: GDPR, SOC 2, ISO 27001, HIPAA. Involves policies, audits, and technical and o
Compliance Audit
Formal verification of regulatory requirement adherence
Container Escape
Breaking out of container isolation to access host system
Container Security
Securing containerized applications. Image scanning (Trivy), runtime protection, network policies, and least-privilege.
Containment
Isolating compromised systems during incident.
Content Filtering
Blocking inappropriate or malicious content.
Content Security Policy
CSP — an HTTP header controlling which resources a page can load. Prevents XSS by whitelisting script sources. Strict CS
Cookie Security
Securing cookies. Secure, HttpOnly, SameSite, short expiration.
Credential Rotation
Regularly changing passwords and access keys.
Credential Stuffing
Using stolen credentials from one breach on other services.
Cross-Origin
Requests between different domains, protocols, or ports. Same-origin policy blocks them by default. CORS headers selecti
Cross-Site Scripting
XSS — injecting scripts into web pages. Reflected, stored, DOM-based.
Cryptanalysis
Study of breaking cryptographic systems and ciphers
Crypto Agility
Ability to quickly switch crypto algorithms. Post-quantum readiness.
Cryptographic Key
A piece of data used with an algorithm to encrypt/decrypt data. Symmetric (shared secret) or asymmetric (public/private
Cryptojacking
Unauthorized crypto mining using computing resources.
CSRF
Cross-Site Request Forgery — an attack forcing an authenticated user to perform unwanted actions. CSRF tokens and SameSi
CVE
Common Vulnerabilities and Exposures — a standardized identifier for known security vulnerabilities. CVE-2021-44228 is L
CVSS
Vulnerability severity scoring 0-10. Critical 9.0-10.0, High 7.0-8.9, Medium 4.0-6.9, Low 0.1-3.9.
Cyber Insurance
Insurance covering financial losses from cyberattacks.
Cyber Kill Chain
Lockheed Martin's model of cyberattack stages: reconnaissance, weaponization, delivery, exploitation, installation, comm
Cyber Range
Simulated environment for security training.
Dark Web
Part of the internet accessible only via Tor. Illegal markets but also secure communication for journalists and activist
Data Anonymization
Removing personally identifiable information from datasets
Data at Rest
Stored data on disk. Encrypt with AES-256.
Data at Rest Encryption
Protecting stored data with AES-256 encryption
Data Breach
Unauthorized access to sensitive data. Mandatory notification under GDPR (72h). Equifax, Yahoo, and LinkedIn suffered ma
Data Classification
Categorizing data by sensitivity: public, internal, confidential, restricted. Determines handling, storage, and access r
Data Destruction
Securely erasing data beyond recovery.
Data Encryption at Rest
Encrypting stored data on disk. AES-256 is standard. Full disk encryption (LUKS, BitLocker) and database-level encryptio
Data Encryption in Transit
Encrypting data during transmission. TLS/SSL for web, SSH for terminal, WireGuard for VPN. Prevents eavesdropping on net
Data Exfiltration
Unauthorized transfer of data out of a system. Via email, USB, cloud uploads, or DNS tunneling. DLP (Data Loss Preventio
Data in Transit
Data moving between systems. TLS protects. Unencrypted can be intercepted.
Data in Use
Data in memory being processed. Most vulnerable state. Confidential computing.
Data Loss Event
Incident where sensitive data is lost or exposed.
Data Loss Prevention
DLP tools preventing sensitive data from leaving organization
Data Masking
Replacing sensitive data with realistic but fake values. Production data masked for dev/test environments. PII like name
Data Minimization
Collecting only necessary data. GDPR principle. Reduces breach impact.
Data Protection
Safeguarding personal and sensitive data. Encryption, access control, retention.
Data Sanitization
Cleaning data to prevent injection attacks.
DDoS
Distributed Denial of Service. Overwhelming target with traffic from many sources.
DDoS Attack
Distributed Denial of Service — overwhelms a server with massive traffic from multiple sources. Cloudflare and AWS Shiel
DDoS Mitigation
Defending against DDoS. Rate limiting, traffic scrubbing, CDN absorption.
Deception Technology
Fake systems detecting attackers. Honeypots, honey tokens, canary files.
Decoy
Fake resource designed to detect or delay attackers.
Decryption
Converting encrypted data back to plaintext. Requires correct key.
Deep Packet Inspection
Examining packet content beyond headers. Firewalls, IDS.
Deep Web
Internet content not indexed by search engines: emails, databases, content behind logins. ~96% of the internet. Differen
Default Credentials
Factory-set login credentials. Must change.
Defense in Depth
Layered security approach where multiple controls protect assets. If one layer fails, others still provide protection. N
Denial of Service
Attack overwhelming service to make it unavailable
Device Trust
Verifying device security posture before access.
DevSecOps
Integrating security into DevOps. Security in CI/CD. Everyone responsible.
Dictionary Attack
A brute force variant using common passwords and words. 'password123' and 'qwerty' are tried first. Strong, unique passw
Digest (Hash)
Fixed-size output of hash function. SHA-256 produces 256-bit digest.
Digital Certificate
An electronic document validating a website's identity and enabling HTTPS. Issued by Certificate Authorities. Let's Encr
Digital Forensics
Investigating cybercrimes by collecting, preserving, and analyzing digital evidence. Disk imaging, memory analysis, and
Digital Signature
Cryptographic proof of authenticity. Private key signs, public key verifies.
Directory Traversal
Accessing files outside the intended directory using ../ sequences (often percent-encoded). Canonicalize the path and verify it still lies under the allowed base directory; stripping '../' alone is not enough.
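A worked version of that check, added here as an example and not code from the page: the naive concatenation that walks out of the web root, beside a resolver that decodes once, normalises, and tests the boundary with commonpath. BASE_DIR and the request paths are constructed for the illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed web root for the illustration; not a path from the page.
BASE_DIR = "/srv/app/public"


def vulnerable_path(user_path: str) -> str:
    """The classic bug: glue user input onto the base directory.
    Every '../' segment walks one level out of BASE_DIR."""
    return BASE_DIR + "/" + user_path


def safe_path(user_path: str) -> str:
    """Resolve the request under BASE_DIR and refuse anything that
    normalises to a location outside it.

    posixpath is used so the check runs on any platform without touching
    the filesystem; a real server should additionally resolve symlinks
    with os.path.realpath() before the boundary check."""
    # Decode percent-encoding once, so '%2e%2e' cannot smuggle '..' past the check.
    decoded = unquote(user_path)
    # Drop a leading slash: joining an absolute path would discard BASE_DIR.
    candidate = posixpath.normpath(posixpath.join(BASE_DIR, decoded.lstrip("/")))
    # commonpath() is the real boundary test; a plain startswith() would
    # accept /srv/app/public_evil as being inside /srv/app/public.
    if posixpath.commonpath([BASE_DIR, candidate]) != BASE_DIR:
        raise PermissionError(f"path escapes base directory: {user_path!r}")
    return candidate
```

Note that `safe_path("/etc/passwd")` does not fail: the leading slash is stripped and the request resolves to `/srv/app/public/etc/passwd`, which is inside the root and therefore harmless.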
Disaster Recovery Plan
Procedures for restoring systems after catastrophe. RTO and RPO targets.
Disclosure Policy
Rules for vulnerability reporting. Responsible disclosure gives vendors time.
DKIM
DomainKeys Identified Mail — email authentication adding a digital signature to outgoing emails. Receiving servers verif
DLP
Data Loss Prevention — tools and policies preventing sensitive data from leaving the organization. Monitors email, file
DMARC
Domain-based Message Authentication, Reporting, and Conformance. Builds on SPF and DKIM. Tells receivers what to do with
DMZ
Demilitarized Zone — network between internal and internet. Public servers here.
DNS Filtering
Blocking malicious domains at DNS level.
DNS over HTTPS
DoH — encrypting DNS queries over HTTPS. Prevents ISP and network snooping on browsing activity. Cloudflare 1.1.1.1 and
DNS Poisoning
Corrupting DNS cache with fraudulent address records
DNS Security
Protecting DNS infrastructure. DNSSEC, DoH, DoT, monitoring.
DNSSEC
DNS Security Extensions — adds cryptographic signatures to DNS records. Prevents DNS spoofing and cache poisoning. Valid
Domain Fronting
Technique hiding true destination of network traffic
Downgrade Attack
Forcing system to use weaker vulnerable protocol version
Dual Control
Requiring two people for sensitive operations.
Dynamic Analysis
Testing running software for vulnerabilities.
EDR
Endpoint Detection and Response. Monitoring devices.
Egress Filtering
Controlling outbound traffic. Prevents exfiltration and C2.
Elliptic Curve
Math structure for modern crypto. ECDSA, Ed25519, X25519. Much smaller keys for equivalent security: a 256-bit curve key is comparable to 3072-bit RSA.
Email Encryption
Encrypting email content. S/MIME, PGP.
Email Filtering
Blocking unwanted or malicious email. Spam filters, phishing detection.
Email Security
SPF, DKIM, DMARC prevent spoofing. Anti-phishing filters.
Encrypted Backup
Backup data protected by encryption.
Encrypted Communication
Messages protected from eavesdropping. Signal protocol, TLS.
Encryption
The science of protecting information by transforming it into an unreadable format. Symmetric (AES) uses one key; asymme
Encryption Key Rotation
Regularly changing encryption keys to limit exposure from compromised keys. Automated rotation with services like AWS KM
Endpoint
Any device connecting to the network: laptops, smartphones, servers, IoT. Endpoint security protects these devices again
Endpoint Detection
EDR continuously monitoring endpoints for threat indicators
Endpoint Security
Protecting devices connecting to network. EDR, antivirus, device management.
Entropy
A measure of randomness in data. High entropy = truly random, good for cryptographic keys. Low entropy passwords are eas
Eradication
Removing threat from compromised system.
Ethical Hacking
Authorized testing of security. Bug bounties, pen testing. Legal and contracted.
Event Correlation
Linking related security events for analysis.
Exploit
Code exploiting vulnerability. RCE, privilege escalation.
Exploit Chain
Multiple vulnerabilities used together for access.
Exposure Management
Identifying and reducing attack surface.
Fail Closed
System denying access when security check fails.
Fail Open
System allowing access when security check fails.
False Positive
Security alert that's not actually a threat. Wastes analyst time. Tuning reduces.
FIDO2
Fast Identity Online 2 — passwordless authentication standard. WebAuthn and CTAP protocols. Hardware security keys (Yubi
File Encryption
Encrypting individual files for protection.
File Integrity Monitoring
Detecting unauthorized file changes. AIDE, OSSEC.
Firewall
A system filtering network traffic based on security rules. Network firewalls (iptables, nftables) and application firew
Firmware Security
Protecting firmware. UEFI Secure Boot. Supply chain risk.
Forensic Analysis
Investigating digital evidence after incident.
Fraud Detection
Identifying fraudulent activity using pattern analysis
Full Disk Encryption
Encrypting entire device. LUKS, BitLocker, FileVault.
GDPR
General Data Protection Regulation — EU data protection regulation. Right to be forgotten, consent, and portability. Fin
Hardening
The process of reducing a system's attack surface. Disabling unnecessary services, patching, secure configuration, and p
Hardware Security Module
HSM — tamper-resistant device for cryptographic operations.
Hash
A function transforming data into a fixed-size string. Irreversible and deterministic. SHA-256, bcrypt, and Argon2 are u
Hash Function
Fixed output from any input. One-way, deterministic. SHA-256, BLAKE3.
Hash Salt
Random data added to password before hashing for uniqueness
Hashing Algorithm
A function producing a fixed-size output from variable input. MD5 (broken), SHA-256 (standard), bcrypt/Argon2 (passwords
HIPAA
US healthcare data protection law. PHI safeguards, breach notification.
Homomorphic Encryption
Computing on encrypted data without decrypting it. The result, when decrypted, matches computation on plaintext. Enables
Honey Pot
Decoy system attracting attackers. Detects intrusions, gathers intelligence.
Honeypot
A fake system deliberately exposed to attract and study attackers. Collects intelligence about adversary tactics, techni
Hot Fix
Emergency patch for critical vulnerability.
HSTS
HTTP Strict Transport Security — a header telling browsers to only use HTTPS. Prevents downgrade attacks and cookie hija
HTTP Security Headers
HSTS, CSP, X-Content-Type-Options. Easy security wins.
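A header audit covering the HSTS, CSP, Cookie Security and Clickjacking entries above, added here as an example and not code from the page. It takes a response's headers as (name, value) pairs, because Set-Cookie may repeat, and flags the weak settings a practitioner checks first. The two sample responses are constructed; the one-year HSTS threshold and the nonce/hash rule for 'unsafe-inline' follow browser behaviour, not anything on the page.

```python
def audit_headers(headers):
    """Return a list of findings for a response's security headers.
    headers: iterable of (name, value); names are matched case-insensitively."""
    findings = []
    by_name = {}
    for name, value in headers:
        by_name.setdefault(name.lower(), []).append(value)

    # HSTS: present, max-age of at least a year, subdomains covered.
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("HSTS missing")
    else:
        directives = [d.strip().lower() for d in hsts[0].split(";")]
        max_age = 0
        for d in directives:
            if d.startswith("max-age="):
                try:
                    max_age = int(d.split("=", 1)[1])
                except ValueError:
                    pass
        if max_age < 31536000:
            findings.append(f"HSTS max-age {max_age} below one year")
        if "includesubdomains" not in directives:
            findings.append("HSTS lacks includeSubDomains")

    # CSP: inline or wildcard script sources defeat the XSS protection.
    # Browsers ignore 'unsafe-inline' when a nonce or hash source is present,
    # which is the strict-CSP pattern, so only flag it without one.
    csp = by_name.get("content-security-policy")
    if not csp:
        findings.append("CSP missing")
    else:
        policy = {}
        for directive in csp[0].split(";"):
            parts = directive.strip().split()
            if parts:
                policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
        sources = policy.get("script-src", policy.get("default-src", []))
        if not sources:
            findings.append("CSP has no script-src or default-src")
        has_nonce_or_hash = any(s.startswith(("'nonce-", "'sha")) for s in sources)
        if "'unsafe-inline'" in sources and not has_nonce_or_hash:
            findings.append("CSP script-src allows 'unsafe-inline'")
        if "*" in sources:
            findings.append("CSP script-src allows any origin")
        if "frame-ancestors" not in policy and "x-frame-options" not in by_name:
            findings.append("no clickjacking protection (frame-ancestors / X-Frame-Options)")

    if by_name.get("x-content-type-options", [""])[0].lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    # Cookies: every Set-Cookie should carry Secure, HttpOnly and a SameSite value.
    for raw in by_name.get("set-cookie", []):
        cookie_name = raw.split("=", 1)[0].strip()
        attrs = [a.strip().lower() for a in raw.split(";")[1:]]
        if "secure" not in attrs:
            findings.append(f"cookie {cookie_name} lacks Secure")
        if "httponly" not in attrs:
            findings.append(f"cookie {cookie_name} lacks HttpOnly")
        if not any(a.startswith("samesite=") for a in attrs):
            findings.append(f"cookie {cookie_name} lacks SameSite")
    return findings


# Constructed sample responses for the illustration.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=86400"),
    ("Content-Security-Policy", "default-src 'self'; script-src 'self' 'unsafe-inline' *"),
    ("Set-Cookie", "session=abc123; Path=/"),
]

HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Content-Security-Policy",
     "default-src 'none'; script-src 'nonce-r4nd0m' 'strict-dynamic'; frame-ancestors 'none'"),
    ("X-Content-Type-Options", "nosniff"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
]
```

Running `audit_headers(WEAK_RESPONSE)` yields nine findings; the hardened response yields none. The `'strict-dynamic'` source in the hardened policy is what lets nonce-approved scripts load their own dependencies without listing every CDN.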
Identity Governance
Policies managing identity lifecycle and access.
Identity Management
Managing user identities and access. IAM systems, provisioning.
Identity Provider
Service authenticating users. Okta, Auth0, Keycloak. SAML, OIDC.
IDS
Intrusion Detection System — monitors network traffic for suspicious activity. Signature-based (known patterns) and anom
Immutable Audit Log
Append-only audit trail that cannot be modified
Incident
A security event requiring response. Data breach, malware, DDoS, unauthorized access.
Incident Commander
Person leading incident response efforts.
Incident Response
Structured approach to handling security breaches: preparation, identification, containment, eradication, recovery, and
Incident Response Plan
Documented steps for handling security incidents
Incident Timeline
Chronological record of incident events.
Indicator of Compromise
IOC — breach evidence. Malicious IPs, file hashes, domains.
Information Security
Protecting info: CIA triad — confidentiality, integrity, availability.
Input Sanitization
Cleaning input to prevent injection. Server-side mandatory. DOMPurify.
Insecure Deserialization
A vulnerability where untrusted data is deserialized, potentially executing arbitrary code. OWASP Top 10 item. Validate
Insider Threat
Risk from people within org. Intentional or negligent.
IP Allowlist
Restricting access to specific approved IP addresses
IP Blocking
Denying network access from specific IP addresses.
IP Spoofing
Forging source IP address in network packets.
IPS
Intrusion Prevention System — like IDS but actively blocks detected threats. Inline with network traffic. Can drop malic
ISO 27001
International standard for information security management
Isolation
Separating compromised systems from network.
JSON Web Encryption
JWE — encrypted JWT. Protects token payload contents.
Juice Jacking
Stealing data or installing malware through public USB charging ports. Use charge-only cables or portable batteries. USB
Just-In-Time Access
Granting temporary elevated permissions on request.
Kerberos
Network authentication protocol using tickets and trusted third party
Key Exchange
Securely establishing shared keys. Diffie-Hellman, ECDHE. TLS handshake.
Key Management
Practices for handling cryptographic keys throughout their lifecycle: generation, distribution, storage, rotation, and d
Key Pair
Public and private key together. SSH keys, TLS certs, PGP.
Keylogger
Malware recording all keystrokes. Captures passwords, messages, and sensitive data. Can be software or hardware. 2FA mit
Kill Chain
Stages of cyberattack from recon to action.
Kill Switch
Emergency mechanism to immediately disable compromised system
Lateral Movement
An attacker moving through a network after initial breach, accessing additional systems. Network segmentation and zero t
Least Functionality
Disabling unnecessary features and services.
Least Privilege
Security principle granting minimum permissions needed for a task. Reduces blast radius of compromised accounts. Apply t
Lessons Learned
Post-incident review of what could be improved.
LGPD
Brazil's General Data Protection Law — the Brazilian version of GDPR. Regulates collection, use, and storage of personal
Log Analysis
Examining logs for patterns and anomalies. SIEM, Splunk, ELK.
Log Integrity
Ensuring logs cannot be tampered with.
Logging (Security)
Recording security events for analysis. Centralized, tamper-proof.
MAC Address
Unique hardware network identifier. 48-bit hex. Can be spoofed.
MAC Address Spoofing
Changing hardware network identifier to impersonate device
Magic Link
Passwordless authentication via one-time email link
Malicious Code
Software designed to harm systems or steal data.
Malware
Malicious software designed to damage or gain unauthorized access. Includes viruses, trojans, spyware, adware, and ranso
Malware Analysis
Examining malicious software. Static and dynamic analysis.
Man Trap
Physical security with two interlocking doors for access control
Man-in-the-Browser
An attack using browser malware to modify web pages and transactions in real-time. Different from MITM — the attack is i
Man-in-the-Middle
Attack intercepting communication between two parties
Man-in-the-Middle Attack
An attacker intercepts communication between two parties without their knowledge. HTTPS and VPNs prevent MITM. Public Wi
Managed Detection
MDR outsourced threat monitoring and response.
Mean Time to Detect
MTTD average time to identify security incident.
Mean Time to Respond
MTTR average time to resolve security incident.
Memory Safety
Protection against buffer overflows and use-after-free errors
MFA
Multi-Factor Authentication. 2+ factors from different categories.
Micro Segmentation
Granular network segmentation at workload level. Limits lateral movement.
MITRE ATT&CK
Knowledge base of adversary tactics and techniques. Industry standard.
Monitoring (Security)
Continuous security observation. SOC, SIEM, SOAR, EDR.
mTLS
Mutual TLS — both client and server authenticate with certificates.
Multi-Factor Authentication
MFA requires 2+ verification factors from different categories: something you know (password), have (TOTP/key), or are (
Mutual TLS
mTLS — both client and server authenticate each other with certificates. Used in service-to-service communication, zero
Network Access Control
NAC — controlling device network access. 802.1X auth.
Network Forensics
Capturing and analyzing traffic. tcpdump, Wireshark.
Network Monitor
Tool observing network traffic for anomalies.
Network Segmentation
Dividing a network into isolated segments. Limits blast radius of breaches — an attacker in one segment can't reach othe
Network Tap
Hardware capturing network traffic for analysis.
Next-Gen Firewall
NGFW combining traditional firewall with IPS, DPI.
NIST Framework
Cybersecurity Framework (CSF) functions: Identify, Protect, Detect, Respond, Recover. CSF 2.0 adds Govern.
Nonce
A number used once in cryptographic communication. Prevents replay attacks. Used in authentication protocols, encryption
OAuth 2.0
Authorization framework. Delegated access. Grant types for different scenarios.
OAuth Scope
Permissions in OAuth. read:user, write:repo. Least privilege.
Obfuscation
Making code difficult to understand. Anti-reverse.
OCSP
Certificate revocation checking. OCSP stapling reduces latency.
OIDC
OpenID Connect. Identity layer on OAuth 2.0. ID tokens, userinfo endpoint.
One-Time Password
OTP — single-use password. TOTP is time-based (Google Authenticator and similar apps); HOTP is counter-based.
Open Redirect
A vulnerability where the app redirects to an attacker-controlled URL. Used in phishing. Validate redirect URLs against
OSINT
Open Source Intelligence — gathering information from publicly available sources. Social media, DNS records, company fil
OWASP
Open Worldwide Application Security Project (formerly Open Web Application Security Project) — publishes the Top 10 web vulnerabilities. Injection, Broken Auth, and XSS consis
OWASP Top 10
Most critical web security risks. Injection, broken auth, XSS, etc.
Packet Filtering
Firewall examining packet headers to allow or block traffic
Packet Sniffer
Capturing network packets. Wireshark, tcpdump.
PAM
Privileged Access Management for admin accounts.
Passkey
A FIDO2-based passwordless credential stored on your device. Replaces passwords with biometrics or device PIN. Synced vi
Passphrase
A long, memorable password. More secure than a short complex one because length dominates guessing cost.
Password Cracking
Attempting to recover passwords from hashes.
Password Hash
Hashed password storage. bcrypt, Argon2. Salt prevents rainbow tables.
Password Manager
Software generating and storing unique, strong passwords for every account. 1Password, Bitwarden, and KeePass. Essential
Password Policy
Rules for passwords. Modern: long passphrases over complex short.
Password Spray
Trying common passwords against many accounts. Avoids lockout.
Patch
A software update fixing bugs or vulnerabilities. Patch management is critical — most attacks exploit vulnerabilities th
Patch Management
Identifying and applying patches. Most breaches exploit known vulns.
Patch Tuesday
Microsoft monthly security update release.
Payload (Security)
Malicious component of exploit or malware.
PCI DSS
Payment Card Industry Data Security Standard — requirements for handling credit card data. 12 requirements covering netw
Penetration Test
An authorized simulation of an attack to discover vulnerabilities. White-hat hackers use tools like Burp Suite, Metasplo
Penetration Testing
Authorized simulated attack testing security. White/black/gray box.
Perfect Forward Secrecy
Ephemeral session keys, so compromising a long-term private key does not expose past sessions. ECDHE in TLS.
Permission
Authorization to perform specific action. Read, write, execute, admin.
Personally Identifiable Information
PII — data identifying individual. Name, email, SSN.
PGP
Pretty Good Privacy — encryption system for email and files. Public key encryption and digital signatures. GPG is the op
Phishing
A social engineering attack where the attacker impersonates a legitimate entity to steal credentials. Fake emails, clone
Phishing Kit
A pre-built package for creating phishing sites. Sold on dark web. Includes cloned login pages, credential capture, and
Phishing Simulation
Testing employees with fake phishing. Measures awareness.
Physical Security
Protecting physical assets. Access controls, surveillance.
PII
Personally Identifiable Information like name email or SSN
Policy Engine
System evaluating access requests against rules.
Port Scanning
Probing a server to discover open network ports and running services. Nmap is the standard tool. Used in reconnaissance
Post-Exploitation
Actions after gaining access. Privilege escalation, lateral movement.
Post-Mortem
Analysis after incident. What happened, why, how to prevent.
Post-Quantum Cryptography
Algorithms resistant to quantum computer attacks
Principle of Least Authority
Components given minimum capabilities needed
Privacy
Right to control personal information. GDPR, CCPA, LGPD.
Privacy by Design
Integrating privacy into system design from start. GDPR mandates.
Privilege Escalation
Gaining higher access than authorized. Vertical (user to admin) or horizontal (accessing another user's data). Proper RB
Privileged Access Management
PAM controlling and auditing admin access
Protected Health Information
PHI — HIPAA-regulated health data. Encrypted, access-controlled.
Public Key Infrastructure
PKI — system managing digital certificates and public key encryption. CAs issue certificates, browsers verify trust chai
Purple Team
Combined offensive and defensive security exercises
Rainbow Table
A precomputed table mapping hashes to passwords for fast cracking. Salting passwords makes rainbow tables useless as eac
Ransomware
Malware that encrypts files and demands payment to decrypt. WannaCry and LockBit are notorious examples. Regular backups
Ransomware Prevention
Backups, training, patching, segmentation, endpoint protection.
Rate Limiting (Security)
Throttling requests to prevent brute force.
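The Account Lockout, Brute Force Attack and Password Spray entries above describe two different attack shapes; this added example (not code from the page) shows why they need two different throttles. Per-account lockout stops repeated guesses at one user, while a spray sends one guess per account and never trips it, so a per-source sliding window is needed as well. The limits, window and simulated attacker are constructed for the illustration.

```python
from collections import defaultdict, deque


class LoginGuard:
    """Two independent throttles. Per-account lockout stops brute force against
    one user; the per-source window is what catches a password spray, where
    each account sees only one attempt."""

    def __init__(self, account_limit: int = 5, source_limit: int = 20, window: int = 600):
        self.account_limit = account_limit   # failures per account before lockout
        self.source_limit = source_limit     # attempts per source IP per window
        self.window = window                 # seconds
        self.account_failures = defaultdict(deque)
        self.source_attempts = defaultdict(deque)

    def _prune(self, dq: deque, now: int) -> None:
        # Drop timestamps older than the window so limits recover on their own.
        while dq and dq[0] <= now - self.window:
            dq.popleft()

    def check(self, account: str, source: str, now: int) -> str:
        """Decide 'locked', 'throttled' or 'allow' before the password is even tried."""
        self._prune(self.account_failures[account], now)
        if len(self.account_failures[account]) >= self.account_limit:
            return "locked"
        self._prune(self.source_attempts[source], now)
        if len(self.source_attempts[source]) >= self.source_limit:
            return "throttled"
        return "allow"

    def record(self, account: str, source: str, now: int, success: bool) -> None:
        """Every attempt counts against the source; only failures count against the account."""
        self.source_attempts[source].append(now)
        if success:
            self.account_failures[account].clear()
        else:
            self.account_failures[account].append(now)


def simulate_spray(guard: LoginGuard, accounts, source: str, now: int) -> dict:
    """One wrong password against every account from one source, one second apart.
    Returns how many attempts each verdict received."""
    tally = {"allowed": 0, "locked": 0, "throttled": 0}
    for i, account in enumerate(accounts):
        verdict = guard.check(account, source, now + i)
        if verdict == "allow":
            tally["allowed"] += 1
            guard.record(account, source, now + i, success=False)
        elif verdict == "locked":
            tally["locked"] += 1
        else:
            tally["throttled"] += 1
    return tally
```

With the defaults, a spray across 50 accounts gets 20 attempts through and is throttled for the remaining 30 while no account is ever locked; the same guard locks a single account after five failures from any source. A real deployment keys the source window on more than the IP (ASN, device fingerprint) because sprays are routinely spread across proxies.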
RBAC
Role-Based Access Control. Permissions assigned via roles.
Reconnaissance
First attack phase — gathering target information. OSINT techniques.
Recovery Point
RPO maximum acceptable data loss in time.
Recovery Time
RTO maximum acceptable downtime after failure.
Red Team
Offensive security team simulating real attacks to test defenses. Ethical hackers finding vulnerabilities through the at
Refresh Token
Long-lived token for obtaining new access tokens. Stored securely.
Regulatory Compliance
Adhering to laws and regulations governing data handling
Replay Attack
Intercepting and retransmitting valid data to trick a system. Timestamps, nonces, and sequence numbers prevent replays.
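Both halves of a replay-protected exchange, added as an example and not code from the page, tying together the Nonce and Replay Attack entries: the sender binds a timestamp and a fresh nonce to the message under one HMAC, and the receiver verifies the tag, rejects anything outside a skew window, and refuses a nonce it has already seen. The shared key, window size and message contents are constructed for the illustration.

```python
import hashlib
import hmac
import os

# Constructed shared key for the illustration; provision real keys out of band.
SHARED_KEY = b"example-shared-key-do-not-deploy"
MAX_SKEW = 300  # seconds a message remains acceptable after its timestamp


def _mac(key: bytes, ts: int, nonce_hex: str, body: bytes) -> str:
    """One HMAC over timestamp, nonce and body, with separators so the fields
    cannot be shifted into one another."""
    return hmac.new(key, b"%d|%s|%s" % (ts, nonce_hex.encode(), body), hashlib.sha256).hexdigest()


def sign_message(key: bytes, body: bytes, now: int, nonce: bytes = None) -> dict:
    """Sender side: attach a timestamp and a fresh random nonce, then authenticate all three."""
    nonce_hex = (nonce if nonce is not None else os.urandom(16)).hex()
    return {"ts": now, "nonce": nonce_hex, "body": body, "tag": _mac(key, now, nonce_hex, body)}


class ReplayGuard:
    """Receiver side: verify the tag, reject stale timestamps, and remember each
    nonce for as long as a message carrying its timestamp could still be accepted."""

    def __init__(self, key: bytes, max_skew: int = MAX_SKEW):
        self.key = key
        self.max_skew = max_skew
        self.seen = {}  # nonce -> time after which it can be forgotten

    def accept(self, msg: dict, now: int) -> str:
        # Authenticate first: unauthenticated junk must not be able to fill the nonce cache.
        expected = _mac(self.key, msg["ts"], msg["nonce"], msg["body"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return "bad signature"
        # Bounding the window also bounds how many nonces must be remembered.
        if abs(now - msg["ts"]) > self.max_skew:
            return "stale"
        self._forget_expired(now)
        if msg["nonce"] in self.seen:
            return "replay"
        self.seen[msg["nonce"]] = msg["ts"] + self.max_skew
        return "ok"

    def _forget_expired(self, now: int) -> None:
        for nonce, expiry in list(self.seen.items()):
            if expiry < now:
                del self.seen[nonce]
```

The order of checks matters: signature first, then freshness, then the nonce cache. Reversing it would let an unauthenticated flood either grow the cache without bound or probe which nonces the server has seen.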
Reverse Engineering
Analyzing software or hardware to understand its design without source code. Decompilers, debuggers, and disassemblers.
Right to Be Forgotten
GDPR right to request personal data deletion.
Risk Assessment
Systematic process identifying, analyzing, and evaluating security risks. Likelihood × impact = risk score. Prioritizes
Risk Management
Identifying, assessing, mitigating security risks.
Root Cause Analysis
Determining fundamental reason for incident.
Root of Trust
Foundation component trusted by all other security components.
Rootkit
Malware gaining privileged (root) access and hiding from the OS. Extremely difficult to detect. Can persist after OS rei
Rubber Ducky
USB device that emulates keyboard to inject malicious commands
Runbook (Security)
Step-by-step incident response procedures.
Runtime Security
Protecting workloads during execution. Anomaly detection, exploit blocking. Falco.
Salt
Random data added to a password before hashing. Makes identical passwords produce different hashes. Each user gets a uni
SAML
Security Assertion Markup Language. Enterprise SSO. XML-based.
Sandbox
An isolated environment for running potentially malicious code without affecting the system. Browsers use sandboxing for
Sandbox (Security)
Isolated environment for running untrusted code safely.
Sandbox Escape
Breaking out of isolated execution environment.
SBOM
Software Bill of Materials — a complete inventory of components in software. Required by US executive order for federal
SBOM Compliance
Meeting requirements for software component transparency
Scan Policy
Rules defining vulnerability scan scope and frequency.
SCAP
Security Content Automation Protocol. Compliance checks.
SCIM
System for Cross-domain Identity Management — standard for automating user provisioning. Create, update, and delete user
Secret Key
Symmetric encryption key. Must remain confidential. KMS protects.
Secret Scanning
Automatically detecting exposed credentials in code repositories. GitHub secret scanning, GitGuardian, and TruffleHog. C
Secure Boot
Firmware verification of boot software integrity. UEFI feature.
Secure Coding
Writing code resistant to attacks. Input validation, output encoding.
Secure Development Lifecycle
SDL integrating security into each development phase
Secure Random
Cryptographically secure random number generator. /dev/urandom, crypto.randomBytes.
Security Architecture
Design of security controls. Segmentation, auth flows, encryption.
Security Audit
Systematic evaluation of an organization's security posture. Reviews policies, configurations, and controls. Internal or
Security Awareness Training
Educating employees on threats. Phishing, passwords.
Security Baseline
Minimum security configurations. CIS Benchmarks.
Security by Design
Integrating security from the start of development, not as an afterthought. Threat modeling during design, secure defaul
Security Champion
Developer advocate for security practices within team
Security Clearance
Authorization level for classified information.
Security Control
Measure reducing risk. Preventive, detective, corrective, deterrent.
Security Group (Detail)
Cloud virtual firewall. Inbound/outbound rules.
Security Headers
HTTP response headers improving security: HSTS, CSP, X-Content-Type-Options, X-Frame-Options, Referrer-Policy. Easy wins
Security Incident
Event compromising confidentiality, integrity, availability.
Security Information and Event Management
SIEM collecting and analyzing security data.
Security Information Management
SIEM collecting and analyzing security data
Security Monitoring
Continuous observation of systems for security events
Security Operations
Day-to-day monitoring and response. SOC analysts, SIEM, SOAR.
Security Orchestration
SOAR automating security workflows.
Security Patch
Software update fixing vulnerability.
Security Policy
Document defining security rules. Acceptable use, access control.
Security Posture
Overall security strength of organization.
Security Questionnaire
Assessment evaluating vendor or partner security practices
Security Review
Systematic evaluation of system security.
Security Scanning
Automated vulnerability identification.
Security Standards
Frameworks like ISO 27001, NIST, CIS Benchmarks.
Security Token
Physical or digital credential. Hardware tokens, software tokens, smart cards.
Sensitive Data
Information requiring protection. PII, PHI, financial.
Separation of Duties
No single person controls entire critical process.
Server Hardening
Securing server by removing unnecessary services.
Session Fixation
Attack forcing known session ID on user.
Session Hijacking
Stealing a user's session token to impersonate them. Via XSS, network sniffing, or session fixation. Secure cookies (Htt
Session Management
Creating, maintaining, destroying user sessions securely.
Session Token
Unique identifier maintaining user state. Cookies or storage.
Side Channel Attack
Exploiting implementation leaks like timing or power usage
SIEM
Security Information and Event Management — a platform aggregating and analyzing security logs from across the infrastru
Signature-Based Detection
Identifying threats by known patterns.
SIM Swapping
Fraudulently transferring phone number to attacker SIM
Single Sign-On
SSO — one authentication for multiple services. SAML, OIDC.
Smishing Attack
Phishing conducted through SMS text messages
SOAR
Security Orchestration Automation and Response.
SOC
Security Operations Center — a team and infrastructure dedicated to monitoring, detecting, and responding to security in
SOC 2
System and Organization Controls 2 — audit framework for service organizations. Trust principles: security, availability
SOC 2 Type II
Audit evaluating security controls effectiveness over time
Social Engineering
Psychological manipulation to obtain confidential information or access. Phishing, pretexting, baiting, and tailgating a
Software Vulnerability
Weakness exploitable by attackers. Buffer overflow, injection, logic flaws.
Spear Phishing
Targeted phishing aimed at specific individuals.
SPF
Sender Policy Framework — email authentication specifying which mail servers can send email for a domain. DNS TXT record
SPF Record
DNS record specifying authorized email sending servers
Spoofing
Impersonating a legitimate entity. IP spoofing, DNS spoofing, email spoofing, and caller ID spoofing. SPF, DKIM, and DMA
Spyware
Software secretly monitoring user activity. Collects browsing history, passwords, and personal data. Pegasus is the most
SQL Injection
Injection of malicious SQL code through unsanitized inputs. Can read, modify, or delete data. Prepared statements and OR
SSH
Secure Shell — encrypted protocol for remote server access. Key-based authentication preferred over passwords. SSH tunne
SSH Tunneling
Encrypted channel through SSH for secure data transfer
SSL/TLS
Protocols encrypting network communication. TLS 1.3 current standard.
Static Analysis (Security)
SAST scanning source code for vulnerabilities.
Steganography
Hiding data within other data — images, audio, or video. A message invisible to the eye can be encoded in pixel values.
Stream Cipher
Encrypts data bit-by-bit. ChaCha20, RC4 (broken). Fast for streaming.
Subdomain Takeover
Claiming abandoned subdomain through DNS misconfiguration
Subresource Integrity
SRI — verifies that fetched resources (CDN scripts) haven't been tampered with. The HTML includes a hash of the expected
Supply Chain Attack
Compromising software by targeting its dependencies or build process. SolarWinds and npm package attacks are examples. L
Suspicious Activity
Behavior indicating potential security threat.
Symmetric Encryption
Same key for encryption and decryption. AES. Faster than asymmetric encryption.
Tabletop Exercise
Simulated incident scenario for team practice.
Third-Party Risk
Security risk from vendors and partners.
Threat Actor
Entity attempting to compromise systems.
Threat Hunting
Proactively searching for hidden threats.
Threat Intelligence
Collection and analysis of cyberthreat information. IOCs (Indicators of Compromise), TTPs, and threat feeds inform proac
Threat Modeling
Identifying potential threats to a system during design. STRIDE framework: Spoofing, Tampering, Repudiation, Information
Threat Surface
Total exposure to potential attacks.
Time-Based OTP
TOTP code changing every 30 seconds. Google Auth.
TLS Handshake
The process establishing a secure connection. Client and server negotiate cipher suite, exchange certificates, and deriv
Token-Based Auth
Using tokens instead of sessions. JWT, API keys. Stateless.
Tokenization
Replacing sensitive data with non-sensitive tokens. Payment tokens replace card numbers. Different from encryption as it
Transport Security
Encrypting data in transit. TLS, SSH.
Trojan
Malware disguised as legitimate software. When executed, opens backdoors, steals data, or installs more malware. Named a
Trusted Platform Module
TPM — hardware security chip. Key storage, attestation, boot integrity.
Two-Factor Authentication
2FA — two different auth factors. Password + TOTP/SMS/hardware key.
Typosquatting
Registering domains with common typos (gooogle.com) to capture mistyped traffic. Used for phishing, malware distribution
URL Filtering
Blocking access to malicious or inappropriate URLs. Web proxy, DNS filtering.
User Activity Monitoring
Tracking user actions for security.
User Permission
Specific action a user is authorized to perform. Granted via roles.
Virus
Malware that self-replicates by attaching to other programs
Vishing
Voice phishing via phone calls.
VLAN Security
Securing virtual LANs. VLAN hopping prevention, ACLs, private VLANs.
VPN
Virtual Private Network — creates an encrypted tunnel between device and remote server. Protects privacy and allows acce
Vulnerability Assessment
Systematic identification of weaknesses.
Vulnerability Disclosure
Process for reporting found vulnerabilities.
Vulnerability Management
Continuous process of finding and fixing vulnerabilities.
Vulnerability Scanner
Automated tool identifying known vulnerabilities in systems. Nessus, Qualys, and OpenVAS scan networks. Trivy and Snyk s
WAF
Web Application Firewall — filters HTTP traffic to protect web apps. Blocks XSS, SQL injection, and DDoS at the applicat
Watering Hole
An attack compromising a website frequently visited by targets. The attacker infects the site, which then infects visito
Watering Hole Attack
Compromising website frequently visited by target group
Web Application Firewall
WAF filtering malicious web application traffic
Web Filter
Controlling web access. Category blocking, URL filtering, malware scanning.
Web Security Scanner
Automated tool testing web app security.
Whaling
Phishing targeting senior executives.
Whitelist
List of explicitly allowed items. IPs, applications, email senders.
Wireless Security
Protecting wireless networks. WPA3, hidden SSID.
Worm
Self-replicating malware spreading without user interaction. Network propagation.
XDR
Extended Detection and Response — unified security platform correlating data across endpoints, networks, cloud, and emai
XSS
Cross-Site Scripting — injection of malicious code into web pages executing in other users' browsers. Input sanitization
XSS Filter
Browser or WAF mechanism blocking cross-site scripting
YARA Rules
Pattern matching rules for malware identification.
Zero Day
Unknown vulnerability with no available patch. Most dangerous. Detection-based defense.
Zero Knowledge Proof
Cryptographic method proving knowledge of something without revealing it. Used in privacy-preserving authentication and
Zero Trust
A security model that trusts no user or device by default, even inside the network. Continuously verifies: never trust,
Zero-Day
A vulnerability unknown to the vendor with no patch available. Extremely valuable to attackers. Zero-day exploits are so