Cybersecurity Glossary

79 terms — A to Z definitions covering the essential vocabulary of offensive and defensive security.

#

2FA (Two-Factor Authentication): An authentication method that requires a user to supply two distinct factors — typically something they know (password) and something they have (OTP code or hardware key) — before access is granted. It significantly reduces account-takeover risk even when passwords are leaked.

A

AES (Advanced Encryption Standard): A symmetric block cipher standardised by NIST in 2001, supporting 128-, 192-, and 256-bit keys. AES is the most widely deployed encryption algorithm on the planet, used in everything from HTTPS to full-disk encryption.
APT (Advanced Persistent Threat): A prolonged, stealthy cyber-intrusion campaign — typically state-sponsored or well-resourced — in which an attacker gains and maintains unauthorised access to a network over months or years to exfiltrate data or pre-position for destructive action.
Authentication: The process of verifying that an entity (user, device, or service) is who it claims to be, typically via credentials such as passwords, certificates, or biometrics. Authentication is the first gate before authorisation decisions are made.
Authorization: The process of determining what actions or resources an already-authenticated principal is permitted to access. Authorization is distinct from authentication: you can be successfully identified but still be denied access to specific operations.

B

Backdoor: A covert method of bypassing normal authentication or security controls in a system, often planted by an attacker after initial compromise or embedded by a malicious insider during software development.
Botnet: A network of internet-connected devices ("bots") infected with malware and controlled remotely by a threat actor ("bot herder"). Botnets are commonly used to launch DDoS attacks, send spam, mine cryptocurrency, or distribute additional malware.
Brute Force: An attack strategy that exhaustively tries every possible combination of passwords, keys, or inputs until the correct value is found. Rate-limiting, account lockouts, and high-entropy passwords are primary mitigations.
Buffer Overflow: A memory-corruption vulnerability in which a program writes more data to a buffer than it was allocated, overwriting adjacent memory. Exploited correctly, this allows an attacker to redirect execution to arbitrary code.

C

CIA Triad: The foundational model of information security comprising Confidentiality (data is accessible only to authorised parties), Integrity (data is accurate and unaltered), and Availability (systems and data are accessible when needed).
Command & Control (C2): The infrastructure — servers, protocols, or peer-to-peer channels — used by an attacker to remotely issue commands to compromised hosts and receive exfiltrated data. Disrupting C2 communication is a key step in incident containment.
CORS (Cross-Origin Resource Sharing): A browser security mechanism that restricts cross-origin HTTP requests using HTTP headers. Misconfigured CORS policies — such as allowing arbitrary origins with credentials — can let attacker-controlled sites read sensitive API responses.
Cryptography: The mathematical science of securing information through techniques such as encryption, digital signatures, and key exchange. Modern cryptography underpins virtually every security protocol, from HTTPS to code signing.
CSRF (Cross-Site Request Forgery): An attack that tricks an authenticated user's browser into sending a forged HTTP request to a web application, causing unintended state changes (e.g., password change, fund transfer) without the user's knowledge. Mitigated via anti-CSRF tokens and SameSite cookies.
CVE (Common Vulnerabilities and Exposures): A publicly disclosed identifier for a specific software vulnerability, maintained by MITRE and the NVD. Each CVE entry includes a description, affected versions, and a CVSS severity score to aid prioritisation.
CVSS (Common Vulnerability Scoring System): An open framework for communicating the severity of software vulnerabilities using a 0–10 numeric score derived from exploitability, scope, and impact metrics. CVSS scores guide patch prioritisation and SLA decisions.

D

DDoS (Distributed Denial of Service): An attack that floods a target — server, network, or service — with traffic originating from many sources simultaneously, rendering it unavailable to legitimate users. Botnets, amplification attacks, and volumetric floods are common DDoS vectors.
DKIM (DomainKeys Identified Mail): An email authentication protocol that uses public-key cryptography to sign outgoing messages, allowing recipient mail servers to verify the message was not tampered with in transit and originated from the claimed domain.
DMARC (Domain-based Message Authentication, Reporting & Conformance): An email authentication policy that builds on SPF and DKIM, instructing mail receivers how to handle messages that fail authentication (quarantine or reject) and providing aggregate reports back to the domain owner.
DNS (Domain Name System): The internet's distributed naming system that translates human-readable domain names into IP addresses. DNS is a common attack surface: DNS hijacking, cache poisoning, and DNS tunnelling are all well-documented threat vectors.
DNS Tunnelling: A covert channel technique that encodes arbitrary data (often C2 traffic or exfiltrated files) inside DNS query and response packets to bypass firewalls that permit DNS but block other outbound protocols.

E

Encryption: The process of transforming plaintext into ciphertext using a cryptographic algorithm and key, making the data unintelligible to anyone without the corresponding decryption key. Encryption protects confidentiality in transit and at rest.
Endpoint: Any device that connects to a network and can serve as an entry point for threats — laptops, desktops, smartphones, servers, and IoT devices are all endpoints. Endpoint security tools (EDR/AV) focus on detecting and containing threats at this layer.
Exploit: Code, data, or a sequence of commands that takes advantage of a vulnerability to cause unintended or unanticipated behaviour in software or hardware — typically to achieve code execution, privilege escalation, or data access.

F

Firewall: A network security device or software that monitors and controls incoming and outgoing traffic based on predefined rules, forming a barrier between trusted internal networks and untrusted external ones. Next-generation firewalls (NGFW) add deep packet inspection and application awareness.
Fuzzing: An automated software-testing technique that feeds malformed, unexpected, or random data into a program's inputs to discover crashes, memory corruption, and unhandled exceptions that may indicate exploitable vulnerabilities.

H

Hash / Cryptographic Hash Function: A one-way mathematical function that maps arbitrary-length input to a fixed-length digest (e.g., SHA-256 produces 256 bits). Hashes are used for password storage, file integrity verification, and digital signatures — they cannot feasibly be reversed.
Honeypot: A decoy system or resource intentionally designed to attract attackers, allowing defenders to observe attack techniques, collect threat intelligence, and detect intrusions without risk to production assets.
HSTS (HTTP Strict Transport Security): An HTTP response header that instructs browsers to only communicate with a site over HTTPS for a specified duration, preventing SSL-stripping attacks and accidental plaintext connections even when a user types HTTP.
HTTP / HTTPS: HyperText Transfer Protocol is the foundation of web communication. HTTPS wraps HTTP in TLS, providing encryption and server authentication. Sites that serve sensitive data over plain HTTP expose users to eavesdropping and MITM attacks.

I

IAM (Identity and Access Management): A framework of policies and technologies for ensuring the right entities access the right resources at the right times. IAM encompasses user provisioning, role management, multi-factor authentication, and access reviews.
IDS / IPS (Intrusion Detection / Prevention System): Security systems that monitor network or host activity for malicious patterns. An IDS alerts on detected intrusions; an IPS goes further by actively blocking or dropping offending traffic in real time.
Incident Response (IR): The structured process an organisation follows when a security breach or attack is detected. Typical IR phases include Preparation, Detection & Analysis, Containment, Eradication, Recovery, and Post-Incident Review (per NIST SP 800-61).
Injection: A class of vulnerabilities in which untrusted user input is included in a command or query without proper sanitisation, causing the interpreter to execute attacker-controlled instructions. SQL injection, OS command injection, and LDAP injection are common variants.

J

JWT (JSON Web Token): A compact, URL-safe token format consisting of a Base64-encoded header, payload, and cryptographic signature, commonly used for stateless authentication and API authorisation. Weak signing algorithms (e.g., "alg: none") and secret brute-forcing are known JWT attack vectors.

K

Keylogger: Malware or hardware that silently records every keystroke on a device, capturing passwords, credit card numbers, and other sensitive input before the user submits it. Software keyloggers often operate at the kernel or user level.

L

Lateral Movement: Post-compromise techniques an attacker uses to progressively move through a network from their initial foothold toward higher-value targets, often by exploiting trust relationships, stolen credentials, or unpatched internal services.
Least Privilege: A security principle stating that every user, process, or system should be granted only the minimum permissions required to perform its function. Enforcing least privilege limits the blast radius of a compromised account or process.
LFI / RFI (Local / Remote File Inclusion): Web vulnerabilities in which attacker-controlled input is used to include files in the application's execution context. LFI reads files from the server's local filesystem; RFI fetches and executes a file from a remote URL.

M

Malware: Any software intentionally designed to disrupt, damage, or gain unauthorised access to systems. The category includes viruses, worms, trojans, ransomware, spyware, adware, rootkits, and botnets.
MFA (Multi-Factor Authentication): An authentication scheme requiring two or more independent factors from different categories: knowledge (password/PIN), possession (hardware token/OTP app), or inherence (biometrics). MFA is one of the highest-impact controls against credential-based attacks.
MITM (Man-in-the-Middle): An attack in which a threat actor secretly intercepts and potentially alters communications between two parties who each believe they are communicating directly. ARP spoofing, SSL stripping, and rogue Wi-Fi are common MITM enablers.
MITRE ATT&CK: A globally-accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks, maintained by MITRE. It is widely used for threat modelling, red-team planning, and detection engineering.

N

NIST (National Institute of Standards and Technology): A U.S. federal agency that publishes widely adopted cybersecurity frameworks and standards, including the NIST Cybersecurity Framework (CSF), SP 800-53, and SP 800-61. NIST publications are frequently referenced in compliance and risk management programmes.

O

OSINT (Open-Source Intelligence): The collection and analysis of information gathered from publicly available sources — websites, social media, WHOIS, Shodan, job listings — to build intelligence about a target. OSINT is a core activity in both red-team reconnaissance and threat intelligence.
OWASP (Open Worldwide Application Security Project): A non-profit foundation that produces free, openly available web-application security resources, most famously the OWASP Top 10 — a regularly updated list of the most critical web application security risks.

P

Patch: A software update that fixes security vulnerabilities or bugs in an application, operating system, or firmware. Timely patch management is one of the most effective controls against known exploits — the majority of breaches exploit vulnerabilities for which patches already existed.
Penetration Testing: An authorised, simulated cyberattack against a system, network, or application to evaluate its security posture and uncover exploitable vulnerabilities before real attackers do. Pentest findings are documented in a report with remediation guidance.
Phishing: A social-engineering attack that uses deceptive emails, messages, or websites to trick recipients into revealing credentials, downloading malware, or performing actions that benefit the attacker. Spear phishing targets specific individuals with personalised lures.
PKI (Public Key Infrastructure): A system of hardware, software, policies, and procedures used to create, manage, distribute, and revoke digital certificates. PKI underpins TLS, code signing, and email encryption by binding public keys to verified identities.
Port Scanning: A reconnaissance technique that probes a host's network ports to identify which services are listening and potentially vulnerable. Tools such as Nmap are standard for both legitimate network auditing and attacker reconnaissance.
Privilege Escalation: The act of exploiting a bug, misconfiguration, or design flaw to gain elevated permissions beyond what was initially granted — typically from a standard user to an administrator or from a container to the host OS.
Proxy: An intermediary server that relays requests between a client and a destination. Proxies are used for anonymisation, content filtering, and traffic inspection. Attackers use proxies to hide their origin; defenders use transparent proxies to inspect and log traffic.

R

Ransomware: Malware that encrypts a victim's files and demands payment (ransom) for the decryption key. Modern ransomware operations often also exfiltrate data before encrypting, threatening public release to increase pressure — a tactic known as double extortion.
RBAC (Role-Based Access Control): An access-control model where permissions are associated with roles rather than individual users. Users are assigned roles, inheriting the permissions of those roles, making large-scale permission management significantly more maintainable and auditable.
Red Team: A group of security professionals who simulate real-world adversary tactics to test an organisation's detection and response capabilities. Unlike standard pentesting, red team engagements are often covert and objective-driven (e.g., reach a specific data store).
Reverse Engineering: The process of analysing a binary, firmware, or system to understand its design, functionality, or vulnerabilities without access to source code — using tools such as disassemblers (Ghidra, IDA Pro) and debuggers.
Rootkit: A stealthy collection of software tools that conceals the presence of malware or an attacker's activities on a compromised system by subverting the OS kernel, bootloader, or hypervisor. Rootkits are notoriously difficult to detect and remove.
RSA: An asymmetric cryptographic algorithm based on the mathematical difficulty of factoring large integers, named after its inventors Rivest, Shamir, and Adleman. RSA is used for key exchange, digital signatures, and encrypting small payloads; modern usage requires at least 2048-bit keys.

S

SIEM (Security Information and Event Management): A platform that aggregates and correlates log and event data from across an organisation's IT environment in real time, generating alerts for suspicious activity and providing forensic data for incident investigations.
SMB (Server Message Block): A network file-sharing protocol primarily used in Windows environments. SMB vulnerabilities — most infamously EternalBlue (MS17-010), exploited by WannaCry — have enabled some of the most damaging network-spreading malware campaigns in history.
Social Engineering: The manipulation of people into performing actions or divulging confidential information by exploiting human psychology rather than technical vulnerabilities. Phishing, vishing (voice), smishing (SMS), and pretexting are all social engineering techniques.
SPF (Sender Policy Framework): An email authentication protocol that allows domain owners to publish a DNS record listing the mail servers authorised to send email on their behalf. Receiving servers can reject mail from unlisted sources, reducing domain spoofing.
Spyware: Malware that covertly collects information about a user's activities — browsing history, keystrokes, screenshots, location data — and transmits it to a third party. Commercial spyware (e.g., stalkerware) is also used for surveillance in non-criminal contexts.
SQL Injection (SQLi): A code injection attack in which malicious SQL statements are inserted into an input field to manipulate a backend database — enabling data exfiltration, authentication bypass, or in some cases, OS command execution. SQLi has topped vulnerability charts for decades.
SSL / TLS (Secure Sockets Layer / Transport Layer Security): Cryptographic protocols that provide secure communication over a network by authenticating servers (and optionally clients) and encrypting traffic. SSL is deprecated; TLS 1.2 and 1.3 are the current standards. HTTPS is HTTP transported over TLS.
SSRF (Server-Side Request Forgery): A vulnerability in which an attacker causes a server to make HTTP requests to arbitrary destinations — including internal services, cloud metadata endpoints (e.g., 169.254.169.254), or other backend systems — that are not directly accessible from the internet.
Supply Chain Attack: An attack that targets a less-secure element in the software supply chain — such as a third-party library, build pipeline, or update mechanism — to compromise downstream consumers. The SolarWinds and XZ Utils incidents are prominent examples.

T

Threat Model: A structured process for identifying, categorising, and prioritising potential threats to a system by analysing assets, attacker capabilities, and attack surfaces. Common frameworks include STRIDE and PASTA. Threat modelling is ideally performed during the design phase.
Token: In authentication contexts, a portable credential — such as a session cookie, OAuth access token, or JWT — that proves a user or service has been authenticated. Tokens can be stolen (session hijacking) or forged if signing keys are weak or exposed.
Tor (The Onion Router): An anonymity network that routes internet traffic through a series of encrypted relays, obscuring a user's IP address and location. Tor is legitimately used by journalists and activists but is also exploited by attackers for anonymous C2 and dark-web markets.
Trojan: Malware disguised as legitimate software that, once executed, performs malicious actions — installing backdoors, exfiltrating data, or downloading additional payloads — without the user's knowledge. Unlike viruses, trojans do not self-replicate.

V

VPN (Virtual Private Network): A technology that creates an encrypted tunnel between a device and a VPN server, masking the user's IP address and protecting traffic on untrusted networks. Enterprise VPNs extend private network access to remote workers; consumer VPNs focus on privacy.
Vulnerability: A weakness in software, hardware, configuration, or process that can be exploited by a threat actor to cause harm. The risk posed by a vulnerability is a function of its exploitability, the value of the affected asset, and the availability of compensating controls.

W

WAF (Web Application Firewall): A security appliance or cloud service that inspects HTTP(S) traffic between a web application and the internet, blocking requests that match known attack patterns (SQL injection, XSS, etc.). WAFs are a compensating control, not a substitute for secure coding.
Worm: Self-replicating malware that spreads automatically across networks by exploiting vulnerabilities or misconfigurations, without requiring user interaction. WannaCry and Conficker are well-known worms that caused widespread global damage.

X

XSS (Cross-Site Scripting): A client-side injection vulnerability in which an attacker injects malicious scripts into web pages viewed by other users. Stored XSS persists in the database; reflected XSS is embedded in a URL; DOM XSS manipulates the page's DOM without server involvement.

Z

Zero Day: A vulnerability in software or hardware that is unknown to the vendor and for which no patch exists. Zero-day exploits are highly valuable because defenders cannot apply a fix before attackers use them; they are common commodities in nation-state cyber-espionage.
Zero Trust: A security model that operates on the assumption that no user, device, or network segment should be trusted by default — whether inside or outside the perimeter. Access is continuously verified, least-privilege is enforced, and all traffic is inspected and logged.

↑ Back to top