Pen-Tester's Glossary
Our glossary offers clear and concise explanations of essential terms, concepts, and acronyms that form the foundation of cybersecurity.
AAA (authentication, authorization, and accounting)

Security concept where a centralized platform verifies subject identification, ensures the subject is assigned relevant permissions, and then logs these actions to create an audit trail.

ABAC (attribute-based access control)

Access control decisions based on the attributes of the user, the resource to be accessed, and other contextual information. Rules or policies define how those attributes need to interact to grant access.

access control
Acceptable Use Policy (AUP)

Internal policy that details how company resources, such as company-owned devices, can be used.

account policies

Set of rules governing user security information, such as password expiration and uniqueness, which can be set globally.

ACL (Access Control List)

Collection of access control entries (ACEs) that determines which subjects (user accounts, host IP addresses, and so on) are allowed or denied access to the object and the privileges given (read only, read/write, and so on).

active defense

Practice of responding to a threat by destroying or deceiving a threat actor's capabilities.

adversarial AI (adversarial artificial intelligence)

Practice of using AI to identify vulnerabilities and attack vectors to circumvent security systems.

AES (Advanced Encryption Standard)

Symmetric 128-, 192-, or 256-bit block cipher based on the Rijndael algorithm developed by Belgian cryptographers Joan Daemen and Vincent Rijmen and adopted by the U.S. government as its encryption standard to replace DES.

encryption, security
Agile model (Agile)

Software development model that focuses on iterative and incremental development to account for evolving requirements and expectations.

AH (authentication header)

IPSec protocol that provides authentication for the origin of transmitted data as well as integrity and protection against replay attacks.

air gap

Type of network isolation that physically separates a network from all other networks.


Suite of tools for 802.11 wireless network security assessments. It focuses on areas like monitoring, attacking, testing, and cracking. Aircrack-ng allows users to assess WiFi network security by capturing data packets and exploiting vulnerabilities in wireless security protocols such as WEP and WPA.

wireless security, network testing
AIS (Automated Indicator Sharing)

Threat intelligence data feed operated by the DHS.

ALE (annual loss expectancy)

Total cost of a risk to an organization on an annual basis. This is determined by multiplying the SLE (single loss expectancy) by the ARO (annual rate of occurrence).

AP (access point)

Device that provides a connection between wireless devices and can connect to wired networks. Also known as WAP (wireless access point).

API (application programming interface)

Library of programming utilities used, for example, to enable software developers to access functions of the TCP/IP network stack under a particular operating system.

application aware firewall

Layer 7 firewall technology that inspects packets at the Application layer of the OSI (Open Systems Interconnection) model.

application firewall

Software designed to run on a server to protect a particular application such as a web server or SQL server.

APT (advanced persistent threat)

Type of attacker's ability to obtain, maintain, and diversify access to network systems using exploits and malware.


Open-source platform producing programmable circuit boards (CPU, RAM and ROM) for education and industrial prototyping. No OS required.

ARO (annual rate of occurrence)

In risk calculation, an expression of the probability/likelihood of a risk as the number of times per year a particular loss is expected to occur.

risk calculation
ARP inspection

Optional security feature of a switch that prevents excessive ARP replies from flooding a network segment.

ARP poisoning / spoofing

Network-based attack where an attacker with access to the target local network segment redirects an IP address to the MAC address of a computer that is not the intended recipient. This can be used to perform a variety of attacks, including DoS, spoofing, and Man-in-the-Middle.


Any evidence or traces that are left behind by the incident. Artifacts can be either physical or digital.

digital forensics
asymmetric algorithm (Public Key)

Cipher that uses public and private keys. The keys are mathematically linked, using either Rivel, Shamir, Adleman (RSA) or elliptic curve cryptography (ECC) algorithms, but the private key is not derivable from the public one. An asymmetric key cannot reverse the operation it performs, so the public key cannot decrypt what it has encrypted, for example. Also known as Elliptic Curve Cryptography or ECC.

ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge)

Knowledge base maintained by the MITRE Corporation for listing and explaining specific adversary tactics, techniques, and procedures.

attack surface

Points at which a network or application receives external connections or inputs/outputs that are potential vectors to be exploited by a threat actor.

attack vector

Specific path by which a threat actor gains unauthorized access to a system. Also known as vector.


Validation technique that compares the identifiers of hardware, such as a mobile phone, against authorized identifiers to allow or deny access to a network or resource.


A port-based network access control (PNAC) switch or router that activates EAPoL and passes a supplicant's authentication data to an authenticating server, such as a RADIUS server.


Using scripts and APIs to provision and deprovision systems without manual intervention.


GUI sitting on top of TSK (The Sleuth Kit) that also provides a case management/workflow tool.


Fundamental security goal of ensuring that computer systems operate continuously and that authorized persons can access data that they need.

BAS (building automation system)

Components and protocols that facilitate the centralized configuration and monitoring of mechanical and electrical systems within offices and data centers.

baseband radio

Chip and firmware in a smartphone that acts as a cellular modem.

baseline configuration

Collection of security and configuration settings that are to be applied to a particular system or network in the organization.

bash (bourne again shell)

Command shell and scripting language for Unix-like systems.

bastion host

(also known as jump box) Server typically found in a DMZ that is configured to provide a single service to reduce the possibility of compromise.

behavioral analysis

Network monitoring system that detects changes in normal operating data sequences and identifies abnormal sequences. Also known as behavior-based detection.

BIA (business impact analysis)

Systematic activity that identifies organizational risks and determines their effect on ongoing, mission critical operations.

birthday attack

Type of password attack that exploits weaknesses in the mathematical algorithms used to encrypt passwords, in order to take advantage of the probability of different password inputs producing the same encrypted output.

block cipher

Type of symmetric encryption that encrypts data one block at a time, often in 64-bit blocks. It is usually more secure, but is also slower, than stream ciphers.


Concept in which an expanding list of transactional records listed in a public ledger is secured using cryptography.

blue team

Defensive team in a penetration test or incident response exercise.


Bluetooth connection has been breached and unsolicited messages are sent to a device.


Bluetooth attack where an attacker gains access to unauthorized information on a device.

boot attestation

Report of boot state integrity data that is signed by a tamper-proof TPM key and reported to a network server.


Set of hosts that has been infected by a control program called a bot that enables attackers to exploit the hosts to mount attacks. Also known as zombie.

BPA (business partnership agreement)

Agreement by two companies to work together closely, such as the partner agreements that large IT companies set up with resellers and solution providers.

BPDU guard (Bridge Protocol Data Unit guard)

Switch port security feature that disables the port if it receives BPDU notifications related to spanning tree. This is configured on access ports where any BPDU frames are likely to be malicious.

broadcast storm

When broadcast or multicast signals are amplified as they traverse a network, which can overwhelm a network. Using loop protection, STP (Spanning Tree Protocol), and rate-limiters (or TTL) can reduce the risk and likelihood of a broadcast storm.

brute force attack

Type of password attack where an attacker uses an application to exhaustively try every possible alphanumeric combination to crack encrypted passwords.

buffer overflow

Attack in which data goes past the boundary of the destination buffer and begins to corrupt adjacent memory. This can allow the attacker to crash the system or execute arbitrary code.

bug bounty

Reward scheme operated by software and web services vendors for reporting vulnerabilities.

BYOD (bring your own device)

Security framework and tools to facilitate use of personally-owned devices to access corporate networks and data.

device deployment model
C&C (command and control)

Infrastructure of hosts and services with which attackers direct, distribute, and control malware over botnets. Also known as C2.

CA (certificate authority)

Server that guarantees subject identities by issuing signed digital certificate wrappers for their public keys. The online CA is the certificate authority that actively generates certificates using an intermediate CA. The offline CA is responsible for the safe storage of the root certificate of the CA and is only accessed when necessary.

cable lock

Devices can be physically secured against theft using cable ties and padlocks. Some systems also feature lockable faceplates, preventing access to the power switch and removable drives.

CAC (common access card)

Smart card that provides certificate-based authentication and supports two-factor authentication. A CAC is produced for Department of Defense employees and contractors in response to a Homeland Security Directive.

CAN bus (controller area network bus)

Serial network designed to allow communications between embedded programmable logic controllers.

CAPTCHA (completely automated public turing test to tell computers and humans apart)

Image of text characters or audio of some speech that is difficult for a computer to interpret. CAPTCHAs are used for purposes such as preventing bots from creating accounts on web forums and social media sites to spam them.

captive portal

Web page or website to which a client is redirected before being granted full network access.

capture the flag

Training event where learners must identify a token within a live network environment.

card cloning/skimming

Duplicating a smart card by reading (skimming) the confidential data stored on it. Also known as skimming.


Process of extracting data from a computer when that data has no associated file system metadata.

CASB (cloud access security broker)

Enterprise management software designed to mediate access to cloud services by users across all types of devices.

cat command

Linux command to view and combine (concatenate) files.

CBC (cipher block chaining)

Encryption mode of operation where an exclusive or (XOR) is applied to the first plaintext block

CCM (Cloud Controls Matrix)

Standards, best practices, and applicable regulations pertaining to the cloud environment produced by the Cloud Security Alliance (CSA).

CCMP (counter mode with cipher block chaining message authentication code protocol)

Encryption protocol used for wireless LANs that addresses the vulnerabilities of the WEP protocol.

CE (cryptographic erase)

Method of sanitizing a self-encrypting drive by erasing the media encryption key.


Custom Word List Generator, creates word lists from the content of web pages.

kali command, password cracking
chain of custody

Record of evidence history from collection to presentation in court, to disposal. A chain of custody form is a document created to track the movement of a piece of evidence from collection to presentation in court.

change control

Process by which the need for change is recorded and approved.

change management

Process through which changes to the configuration of information systems are implemented, as part of the organization's overall configuration management efforts.

CHAP (Challenge Handshake Authentication Protocol)

Authentication scheme developed for dial-up networks that uses an encrypted three-way handshake to authenticate the client to the server. The challenge-response is repeated throughout the connection (though transparently to the user) to guard against replay attacks.


Output of a hash function.


A fast TCP/UDP tunnel, transported over HTTP, secured via SSH.

tunneling, pivot, networking, kali command

Linux command for managing file permissions.

kali command
CIA triad (confidentiality, integrity, and availability)

The three principles of security control and management. Also known as the information security triad. or AIC triad.

CI/CD pipeline (continuous integration and continuous delivery pipeline)

Automates the processes of integrating code changes from multiple contributors into a shared project and deploying them to production environments, promoting more frequent, consistent, and reliable software releases. [step 1] continuous integration, [step 2] continuous delivery, [step 3] continuous deployment and [step 4] continuous monitoring.

circuit-level stateful inspection firewall

Layer 5 firewall technology that tracks the active state of a connection, and can make decisions based on the contents of network traffic as it relates to the state of the connection.

CIS (Center for Internet Security)

Not-for-profit organization (founded partly by SANS). It publishes the well-known "Top 20 Critical Security Controls" (or system design recommendations).

clean desk policy

Organizational policy that mandates employee work areas be free from potentially sensitive information; sensitive documents must not be left out where unauthorized personnel might see them.


Deceptive technique where an attacker tricks a user into clicking on something different from what the user perceives, potentially revealing confidential information or taking control of their computer.

client-side execution

Data that is processed on a local machine. An internet web browser is a good example of something that relies on client-side execution.

cloud deployment model

Classifying the ownership and management of a cloud as public, private, community, or hybrid.

deployment model
cloud service model

Classifying the provision of cloud services and the limit of the cloud service provider's responsibility as software, platform, infrastructure, and so on. clustering A load balancing technique where a group of servers are configured as a unit and work together to provide network services.

CN (common name)

X500 attribute expressing a host or user name, also used as the subject identifier for a digital certificate.

COBO (corporate owned, business only)

Enterprise mobile device provisioning model where the device is the property of the organization and personal use is prohibited.

device deployment model
code of conduct

Professional behavior depends on basic ethical standards, such as honesty and fairness. Some professions may have developed codes of ethics to cover difficult situations; some businesses may also have a code of ethics to communicate the values it expects its employees to practice. Also known as ethics.

code reuse

Potentially unsecure programming practice of using code originally written for a different context.

code signing

Method of using a digital signature to ensure the source and integrity of programming code.

cold site

Predetermined alternate location where a network can be rebuilt after a disaster.


Network appliance that gathers or receives log and/or state data from other network systems.


Act of two different plaintext inputs producing the same exact ciphertext output.

community cloud

Cloud that is deployed for shared use by cooperating tenants.

compensating control

Security measure that takes on risk mitigation when a primary control fails or cannot completely meet expectations.


Fundamental security goal of keeping information and communications private and protecting them from unauthorized access.


Security method that separates specified storage and data from other data contained on a device. The container can be configured with additional access controls, encryption, or use controls, among others.

content filter

Software application or gateway that filters client requests for various types of internet content (web, FTP, IM, and so on).

context-aware authentication

Access control scheme that verifies an object's identity based on various environmental factors, like time, location, and behavior.

continuous delivery

Software development method in which app and platform requirements are frequently tested and validated for immediate availability.

ci/cd pipeline step 2 of 4
continuous deployment

Software development method in which app and platform updates are committed to production rapidly.

ci/cd pipeline step 3 of 4
continuous integration

Software development method in which code updates are tested and committed to a development or build server/code repository rapidly.

ci/cd pipeline step 1 of 4
continuous monitoring

Technique of constantly evaluating an environment for changes so that new risks may be more quickly detected and business operations improved upon. Also known as continuous security monitoring or CSM.

ci/cd pipeline step 4 of 4
continuous validation

Process that allows code to be checked after each change during development.

refer to CI/CD pipeline
control risk

Risk that arises when a control does not provide the level of mitigation that was expected.

COOP (Continuity Of Operations Planning)

Program that provides an outline or guidelines for disaster recovery and business continuity for an organization in the case of a major incident.

COPE (corporate owned, personally enabled)

Enterprise mobile device provisioning model where the device remains the property of the organization, but certain personal use, such as private email, social networking, and web browsing, is permitted.

device deployment model
corrective control

Type of security control that acts after an incident to eliminate or minimize its impact. correlation Function of log analysis that links log and state data to identify a pattern that should be logged or alerted as an event.


Automates security assessments of large Active Directory networks post-exploitation.

networking, active-directory, kali command
credential stuffing

Brute force attack in which stolen user account names and passwords are tested against multiple websites.

credentialed scan

Vulnerability scan that uses verified credential to access all parts of a network, unlike an uncredentialed scan, which is only able to scan the publicly accessible portions of a network.

CRL (certificate revocation list)

List of certificates that were revoked before their expiration date.

crossover error rate

Biometric evaluation factor expressing the point at which FAR (false acceptance rate) and FRR (false rejection rate) meet, with a low value indicating better performance.


Generates wordlists for use in password cracking, allowing customization of the character set.

password cracking, kali command

Unauthorized use of someone else’s computer to mine cryptocurrency

CSA (Cloud Security Alliance)

Industry body providing security guidance to CSPs, including enterprise reference architecture and security controls matrix. Produces the Cloud Controls Matrix (CCM), which provides users with standards, best practices, and applicable regulations pertaining to the cloud environment.

CSC (Critical Security Controls)

Cybersecurity framework published by the Center for Internet Security (CIS) and used for strengthening an entity’s cybersecurity posture. Equivalent to Australia’s Essential 8.

CSP (cloud service provider)

Vendor offering public cloud service models, such as PaaS, IaaS, or SaaS.

CSR (certificate signing request)

Base64 ASCII file that a subject sends to a CA (Certificate Authority) to get a certificate.

CTI (cyber threat intelligence)

Process of investigating, collecting, analysing, and disseminating information about emerging threats and threat sources. Also known as threat intelligence.

CTM (counter mode)

Encryption mode of operation where a numerical counter value is used to create a constantly changing IV. Also referred to as CM (counter mode).


Malware analysis tool that automatically sandboxes identified malware threats for analysis and reporting. Source:

curl command

Utility for command-line manipulation of URL-based protocol requests.

CVE (Common Vulnerabilities and Exposures)

Scheme for identifying vulnerabilities developed by MITRE and adopted by NIST.

CVSS (Common Vulnerability Scoring System)

Risk management approach to quantifying vulnerability data and then considering the degree of risk to different types of systems or information.

Cyber Kill Chain®

Model developed by Lockheed Martin that describes the stages by which a threat actor progresses a network intrusion. Stages: (1) reconnaissance, (2) weaponization, (3) delivery, (4) exploitation, (5) installation, (6) command and control, (7) actions of objectives.

CYOD (choose your own device)

Enterprise mobile device provisioning model where employees are offered a selection of corporate devices for work and, optionally, private use.

device deployment model
DAC (discretionary access control)

The owner of a resource (e.g., a file or folder) has the discretion to specify who can access the resource and what actions they can perform on it.

access control
data at rest

Information that is primarily stored on specific media, rather than moving from one medium to another.

data protection
data breach

When confidential or private data is read, copied, or changed without authorization. Data breach events may have notification and reporting requirements.

data controller

Entity that dictates the reasons and methods for collecting, storing, and using personal data in privacy regulations.

privacy regulations
data custodian

Individual who is responsible for managing the system on which data assets are stored, including being responsible for enforcing access control, encryption, and backup/recovery measures.

privacy regulations
data exfiltration

Process by which an attacker takes data that is stored inside of a private network and moves it to an external network.

data exposure

Software vulnerability where an attacker can circumvent access controls and retrieve confidential or sensitive data from the file system or database.

data governance

Overall management of the availability, usability, and security of the information used in an organization.

data protection
data in processing

Information that is present in the volatile memory of a host, such as system memory or cache.

data in transit

Information that is being transmitted between two hosts, such as over a private network or the Internet. Also known as data in motion.

data protection
data masking

Deidentification method where generic or placeholder labels are substituted for real data while preserving the structure or format of the original data.

data protection
data minimization

Principle that only necessary and sufficient personal information can be collected and processed for the stated purpose.

data protection
data owner

Senior (executive) role with ultimate responsibility for maintaining the confidentiality, integrity, and availability of an information asset.

privacy regulations
data processor

Entity trusted with a copy of personal data to perform storage and/or analysis on behalf of the data collector.

privacy regulations
data remnant

Leftover information on a storage medium even after basic attempts have been made to remove that data. Also known as remnant.

data sovereignty

Principle that countries and states may impose individual requirements on data collected or stored within their jurisdiction.

data protection
data steward

Individual who is primarily responsible for data quality, ensuring data is labeled and identified with appropriate metadata and that data is collected and stored in a format and with values that comply with applicable laws and regulations.

privacy regulations
dd command

Linux command that makes a bit-by-bit copy of an input file, typically used for disk imaging. Example: dd if=/dev/sdb1 of =/dev/sdc1 creates an image of the specified drive or file (if) in a specified output location (of)

DDoS attack (distributed denial of service attack)

Attack that uses multiple compromised hosts (a botnet) to overwhelm a service with request or response traffic.

dead code

Code that is redundant, forgotten or no longer called within the logic of the program flow.


Spoofing frames to disconnect a wireless station to try to obtain authentication data to crack.

deception and disruption

Cybersecurity resilience tools and techniques to increase the cost of attack planning for the threat actor.

default account

Default administrative and guest accounts configured on servers and network devices are possible points of unauthorized access.

defense in depth

Security strategy that positions the layers of network security as network traffic roadblocks; each layer is intended to slow an attack's progress, rather than eliminating it outright.


Process of rendering a storage drive inoperable and its data unrecoverable by eliminating the drive's magnetic charge.


Methods and technologies that remove identifying information from data before it is distributed.

data protection

Process of removing an application from packages or instances.

DER (distinguished encoding rules)

Method for encoding a data object based on its ASN.1 specification. Commonly used for encoding X.509 certificates in binary form.

digital certificate
detective control

Type of security control that acts during an incident to identify or record that it is happening.

deterrent control

Type of security control that discourages intrusion attempts.

DH (Diffie-Hellman)

Cryptographic technique that provides secure key exchange.

DHCP snooping

Network configuration option that enables a switch to inspect DHCP traffic to prevent MAC spoofing. Note that DHCP does not have a specific secure protocol. To secure a DHCP server, you must layer security around the server and monitor and audit the server for anomalies.

DHCP spoofing (Dynamic Host Configuration Protocol spoofing)

Attack in which an attacker responds to a client requesting address assignment from a DHCP server.

Diamond Model

Relationship-based framework for analyzing cybersecurity incidents. Focuses on the relationship between elements and events that occur during an intrusion.

dictionary attack

Type of password attack that compares encrypted passwords against a predetermined list of possible password values.

differential backup

Backup type in which all selected files that have changed since the last full backup are backed up.


The Differentiated Services Code Point (DSCP) field is used to indicate a priority value for a layer 3 (IP) packet to facilitate Quality of Service (QoS) or Class of Service (CoS) scheduling.

digital signature

Message digest encrypted using the sender's private key that is appended to a message to authenticate the sender and prove message integrity.


Web content scanner designed to discover existing and hidden files, directories, and scripts on web servers. By launching a dictionary-based attack against a web server and analyzing the response, Dirb helps identify potential security risks associated with exposed files and directories.

web scanning, directory bruteforce

Java application designed to brute force directories and file names on web and application servers. It employs a multithreaded approach to speed up the scanning process and is able to discover hidden resources that are not linked (or listed) on the webpage.

web discovery, directory bruteforce
directory service

Network service that stores identity information about all the objects in a particular network, including users, groups, servers, client computers, and printers.

directory traversal

Application attack that allows access to commands, files, and directories that may or may not be connected to the web document root directory. Example: .../…/…/


Cybersecurity resilience strategy that increases attack costs by provisioning multiple types of controls, technologies, vendors, and crypto implementations.

DLP (data loss/leak prevention)

Provide monitoring of data throughout its lifecycle in all connected locations from endpoints to servers as well as policy implementation, auditing, and reporting.

DMZ (demilitarized zone)

Network segment isolated from the rest of a private network by one or more firewalls that accepts connections from the Internet over designated ports.

DNAT (destination network address translation)

NAT service where private internal addresses are mapped to one or more public addresses to facilitate Internet connectivity for hosts on a local network via a router.

DNS hijacking (Domain Name System hijacking)

Attack in which an attacker modifies a computer's DNS configurations to point to a malicious DNS server.

DNS poisoning (Domain Name System poisoning)

Network-based attack where an attacker exploits the traditionally open nature of the DNS system to redirect a domain name to an IP address of the attacker's choosing.


Sets up covert channels using DNS queries and responses.

exfiltration, kali command

A lightweight server tool that offers DNS caching and DHCP services.

networking, kali command
DNSSEC (Domain Name System Security Extensions)

Security protocol that provides authentication of DNS data and upholds DNS data integrity. Note that DNSSEC only validates the authenticity of the DNS query response, it does not provide confidentiality for the requesting party.

domain hijacking

Type of hijacking attack where the attacker steals a domain name by altering its registration information and then transferring the domain name to another entity. Sometimes referred to as brandjacking.

DoS attack (denial of service attack)

Any type of physical, application, or network attack that affects the availability of a managed resource.

downgrade attack

Cryptographic attack where the attacker exploits the need for backward compatibility to force a computer system to abandon the use of encrypted messages in favor of plaintext messages.

DPO (data privacy officer)

Institutional data governance role with responsibility for compliant collection and processing of personal and sensitive data.

DRP (disaster recovery plan)

Documented and resourced plan showing actions and responsibilities to be used in response to critical incidents.

DSA (Digital Signature Algorithm)

Public key encryption standard used for digital signatures that provides authentication and integrity verification for messages.

dump file

File containing data captured from system memory.

dumpster diving (Dumpster)

Social engineering technique of discovering things about an organization (or person) based on what it throws away.


Procedures and tools to collect, preserve, and analyze digital evidence.

EAP (Extensible Authentication Protocol)

Framework for negotiating authentication methods that enables systems to use hardware-based identifiers, such as fingerprint scanners or smart card readers, for authentication.

eap architecture
east-west traffic

Design paradigm accounting for the fact that data center traffic between servers is greater than that passing in and out (north-south).

ECC (elliptic curve cryptography)

Asymmetric encryption algorithm that leverages the algebraic structures of elliptic curves over finite fields to derive public/private key pairs.

edge computing

Provisioning processing resource close to the network edge of IoT devices to reduce latency.

EDR (endpoint detection and response)

Software agent that collects system data and logs for analysis by a monitoring system to provide early detection of threats.

EF (exposure factor)

Percentage of an asset's value that would be lost during a security incident or disaster scenario.

risk calculation

The property by which a computing environment can instantly react to both increasing and decreasing demands in workload.


A measure of disorder. Cryptographic systems should exhibit high entropy to better resist brute force attacks.

EOL (end of life)

Product life cycle phase where sales are discontinued and support options reduced over time.

EOSL (end of service life)

Product life cycle phase where support is no longer available from the vendor.

EPP (endpoint protection platform)

A software agent and monitoring system that performs multiple security tasks.

ERM (enterprise risk management)

The comprehensive process of evaluating, measuring, and mitigating the many risks that pervade an organization.

error handling

Coding methods to anticipate and deal with exceptions thrown during execution of a process.


In key management, the storage of a backup key with a third party.

ESP (Encapsulating Security Protocol)

IPSec(layer 3) sub-protocolthat enables encryption and authentication of the header and payload of a data packet.

evil twin

A WAP (wireless access point) that deceives users into believing that it is a legitimate network access point.

execution control

The process of determining what additional software may be installed on a client or server beyond its baseline to prevent the use of unauthorized software.

exploitation framework

Suite of tools (e.g., Metasploit) designed to automate delivery of exploits against common software and firmware vulnerabilities.


A private network that provides some access to outside parties, particularly vendors, partners, and select customers.


A technique that ensures a redundant component, device, or application can quickly and efficiently take over the functionality of an asset that has failed.

fake telemetry

Deception strategy that returns spoofed data in response to network probes.

false negative

In security scanning, a case that is not reported when it should be.

false positive

In security scanning, a case that is reported when it should not be.

FAR (false acceptance rate)

Biometric assessment metric that measures the number of unauthorized users who are mistakenly allowed access.

Faraday cage

A wire mesh container that blocks external electromagnetic fields from entering into the container.

FC (Fibre Channel)

High speed network communications protocol used to implement SANs.

FDE (full disk encryption)

Encryption of all data on a disk (including system files, temporary files, and the pagefile) can be accomplished via a supported OS, third-party software, or at the controller level by the disk device itself.


A process that provides a shared login capability across multiple systems and enterprises. It essentially connects the identity management services of multiple systems.

FIM (file integrity monitoring)

A type of software that reviews system files to ensure that they have not been tampered with.

fingerprint scanner

Biometric authentication device that can produce a template signature of a user's fingerprint then subsequently compare the template to the digit submitted for authentication.

first responder

The first experienced person or team to arrive at the scene of an incident.

FPGA (field programmable gate array)

A processor that can be programmed to perform a specific function by a customer rather than at the time of manufacture.

FRP (functional recovery plan)

Provides an enterprise with the steps to restore the basics required for functionality, while a DRP (disaster recovery plan) is designed to return an enterprise to full, pre-disaster functionality.

FRR (false rejection rate)

Biometric assessment metric that measures the number of valid subjects who are denied access.

FTK (Forensic Toolkit)

A commercial digital forensics investigation management and utilities suite, published by AccessData.


A type of FTP using TLS for confidentiality.

full backup

A backup type in which all selected files, regardless of prior state, are backed up. full tunnel VPN configuration where all traffic is routed via the VPN gateway.


A dynamic code analysis technique that involves sending a running application random and unusual input so as to evaluate how the app responds.

gait analysis

Biometric mechanism that identifies a subject based on movement pattern.

GCM (Galois/Counter Mode)

A mode of block chained encryption that provides message authenticity for each block.

GDPR (General Data Protection Regulation)

Provisions and requirements protecting the personal data of European Union (EU) citizens. Transfers of personal data outside the EU Single Market are restricted unless protected by like-for-like regulations, such as the US's Privacy Shield requirements.


The practice of creating a virtual boundary based on real-world geography.


Identifies geographical information of IP addresses.

networking, kali command, osint

The identification or estimation of the physical location of an object, such as a radar source, mobile phone, or Internet-connected computing device.


Tool written in Go that is used to brute-force URIs (directories and files) in web sites and DNS subdomains (with wildcard support). It uses a wordlist to guide its search, making it highly effective for discovering hidden directories and files that are not typically found through standard enumeration techniques.

directory bruteforce, dns enumeration, kali command
GPO (Group Policy Object)

On a Windows domain, a way to deploy per-user and per-computer settings such as password policy, account restrictions, firewall status, and so on.

grep command

Linux command for searching and filtering input. This can be used as a file search tool when combined with ls.

group account

A group account is a collection of user accounts that are useful when establishing file permissions and user rights because when many individuals need the same level of access, a group could be establishedcontaining all the relevant users.

guessing entropy

Measures the difficulty for an attacker to correctly guess a password or cryptographic key. It typically estimates the average number of attempts an attacker might need to make to guess the correct password or key.

access control
HA (high availability)

The property that defines how closely systems approach the goal of providing data availability 100 percent of the time while maintaining a high level of system performance.


The process of making a host or app configuration secure by reducing its attack surface, through running only necessary services, installing monitoring software to protect against malware and intrusions, and establishing a maintenance schedule to ensure the system is patched to be secure against software exploits.


Command-line tool used to perform brute force and dictionary attacks against password hashes.

password cracking, kali command

A function that converts an arbitrary length string input to a fixed length string output. A cryptographic hash function does this in a way that reduces the chance of collisions, where two different inputs produce the same output. Also known as message digest.

head command

Linux utility for showing the first lines in a file.

heat map

In a Wi-Fi site survey, a diagram showing signal strength at different locations.

heuristic analysis

A method that uses feature comparisons and likenesses rather than specific signature matching to identify whether the target of observation is malicious.

HIPS (host-based intrusion prevention system)

Same as HIDS but with added ability to prevent and remediate intrusion.

HMAC (hash-based message authentication code)

A method used to verify both the integrity and authenticity of a message by combining a cryptographic hash of the message with a secret key.

homomorphic encryption

Method that allows computation of certain fields in a dataset without decrypting it.

Honeypot (-net or -file)

Host, network, or file set up with the purpose of luring attackers away from assets of actual value and/or discovering attack strategies and weaknesses in the security configuration.

horizontal privilege escalation

When a user accesses or modifies specific resources that they are not entitled to.

host-based firewall

A software application running on a single host and designed to protect only that host. Also known as personal firewall.

hot/cold aisle

Arrangement of server racks to maximize the efficiency of cooling systems. Also known as cold/hot aisle.

hot site

A fully configured alternate network that can be online quickly after a disaster.

HOTP (HMAC-based One-time Password)

An algorithm that generates a one-time password using a hash-based authentication code to verify the authenticity of the message.

hping command

Linux & Windows command that provides the functionality to create custom packets as well as spoofed originating IPs. Example: send a custom packet with a spoofed IP address to find the latency of a target system’s response

HSM (hardware security module)

An appliance for generating and storing cryptographic keys. This sort of solution may be less susceptible to tampering and insider threats than software-based storage.


Using features of HTML5 to implement remote desktop/VPN connections via browser software (clientless).

hybrid cloud

Cloud deployment that uses both private and public elements.

deployment model

Quickly cracks network logins for various services.

kali command, password cracking
IA (impact assessment)

Occurs after an incident occurs to analyse all aspects of the life cycle of the incident and can be used to provide insight into future occurrences.

IaaS (Infrastructure as a Service)

Provides the user with the highest levels of control over their infrastructure by providing only the hardware needed to craft an infrastructure in the cloud.

IaC (infrastructure as code)

Provisioning architecture in which deployment of resources is performed by scripted automation and orchestration.

IAM (identity and access management)

Security process that provides identification, authentication, and authorization mechanisms for users, computers, and other entities to work with organizational assets like networks, operating systems, and applications.

ICS (industrial control system)

Network managing embedded devices (computer systems that are designed to perform a specific, dedicated function).

identity fraud

Invention of fake personal information or the theft and misuse of an individual's personal information.

IdP (identity provider)

In a federated network, the service that holds the user account and performs authentication.

IDS (intrusion detection system)

Software and/or hardware system that scans, audits, and monitors the security infrastructure for signs of attacks in progress.

IEEE 802.1X

Standard for encapsulating EAP communications over a LAN (EAPoL) to implement port-based authentication.

eap architecture
IKE (Internet Key Exchange)

Framework for creating a Security Association (SA) used with IPSec. An SA establishes that two hosts trust one another (authenticate) and agree secure protocols and cipher suites to use to exchange data.


Provides Python classes for interacting with network protocols.

implicit deny

A basic principle of security stating that unless something has explicitly been granted access, it should be denied access.

incremental backup

A backup type in which all selected files that have changed since the last full or incremental backup (whichever was most recent) are backed up.

industrial camouflage

Methods of disguising the nature and purpose of buildings or parts of buildings.

inherent risk

Risk that an event will pose if no controls are put in place to mitigate it.

input validation

Any technique used to ensure that the data entered into a field or variable in an application is handled appropriately by that application. Whitelists or blacklists may be used.

insecure object reference

Coding vulnerability where unvalidated input is used to select a resource object, such as a file or database.

insider threat

A type of threat actor who is assigned privileges on the system that cause an intentional or unintentional incident.

integer overflow

Attack in which a computed result is too large to fit in its assigned storage space, which may lead to crashing or data corruption, and may trigger a buffer overflow.


The fundamental security goal of keeping organizational information accurate, free of errors, and without unauthorized modifications.

intelligence fusion

In threat hunting, using sources of threat intelligence data to automate detection of adversary IoCs and TTPs.


A private network that is only accessible by the organization's own personnel.

IoC (indicator of compromise)

A sign that an asset or network has been attacked or is currently under attack.

IPAM (IP address management)

Software consolidating management of multiple DHCP and DNS services to provide oversight into IP address allocation across an enterprise network.

IPFIX (IP Flow Information Export)

Layer 3 collection and analysis (also called bandwidth monitor). Standards-based version of the Netflow framework.

IPS (intrusion prevention system)

An IDS that can actively block attacks.

IPSec (Internet Protocol Security)

Set of open, non-proprietary layer 3 standards used to secure data through authentication and encryption as the data travels across the network or the Internet.

IRP (incident response plan)

Specific procedures that must be performed if a certain type of event is detected or reported. Step of incident response: (1) preparation, (2) identification, (3) containment, (4) eradication, (5) recovery, (6) lessons learned

ISAC (Information Sharing and Analysis Center)

Not-for-profit group set up to share sector-specific threat intelligence and security best practices amongst its members.

ISO/IEC 27K (International Organization for Standardization 27000 Series)

A comprehensive set of standards for information security, including best practices for security and risk management, compliance, and technical implementation.

ISO/IEC 31K (International Organization for Standardization 31000 Series)

A comprehensive set of standards for enterprise risk management.

IV attack (Initialization Vector Attack)

Wireless attack where the attacker is able to predict or control the IV of an encryption process, thus giving the attacker access to view the encrypted data that is supposed to be hidden from everyone else except the user or network.


Attack in which radio waves disrupt 802.11 wireless signals.

job rotation

The policy of preventing any one individual performing the same role or tasks for too long. This deters fraud and provides better oversight of the person's duties.

John the Ripper

Password cracking tool that is popular among penetration testers and security auditors. It automatically detects password hash types and includes several cracking modes to handle different ciphertexts and encryption standards.

password cracking, cryptography
Journalctl command

Linux command showing systemd journal records.

jump server

A hardened server that provides access to other hosts. Also known as jumpbox.

KBA (Knowledge-Based Authentication)

Method that leverages the individual’s knowledge to properly identify the user, such as a previous address or vehicle associated with the user.


A single sign-on authentication and authorization service that is based on a time-sensitive ticket-granting system.


Malicious software or hardware that can record user keystrokes.


Detects networks and devices, functioning as a sniffer and intrusion detection system.

networking, kali command
L2TP (Layer 2 Tunneling Protocol)

VPN protocol for tunneling PPP sessions across a variety of network protocols such as IP, Frame Relay, or ATM.

lateral movement

Process by which an attacker is able to move from one part of a computing environment to another.

LDAP injection

Application attack that targets web-based applications by fabricating LDAP statements that are typically created by user input. For example, *,[ ],&, and" " could be inputted into the username space on a login page.

LDAP (Lightweight Directory Access Protocol)

A network protocol used to access network directory databases, which store information about authorized users and their privileges, as well as other organizational information.

LDAPS (Lightweight Directory Access Protocol Secure)

A method of implementing LDAP using SSL/TLS encryption.

LEAP (Lightweight Extensible Authentication Protocol)

See EAP for reference table.

eap architecture
least privilege

A basic principle of security stating that something should be allocated the minimum necessary rights, privileges, or information to perform its role.

lightweight cryptography

Cryptographic algorithms with reduced compute requirements that are suitable for use in resource-constrained environments, such as battery-powered devices.


Simplifies penetration testing in restricted environments with reverse tunneling.

kali command, pen-testing
LLR (lessons learned report)

An analysis of events that can provide insight into how to improve response processes in the future. Also known as after action report or AAR.

load balancer

A type of switch or router that distributes client requests between different resources, such as communications links or similarly-configured servers. This provides fault tolerance and improves throughput.

logger command

Linux utility that writes data to the system log.

logic bomb

A malicious program or script that is set to run under particular circumstances or in response to a defined event.

loop protection

If broadcast traffic is allowed to continually loop around a network, the number of broadcast packets increases exponentially, crashing the network. Loop protection in switches such as STP (Spanning Tree Protocol), and in routers, TTL (Time To Live) for instance, is designed to prevent this.

MaaS (monitoring as a service)

Cloud service providing ongoing security and availability monitoring of on-premises and/or cloud-based hosts and services.

MAC cloning (Media Access Control cloning)

Attack in which an attacker falsifies the factory-assigned MAC address of a device's network interface. Also known as MAC spoofing.

MAC filtering (Media Access Control filtering)

Applying an access control list to a switch or access point so that only clients with approved MAC addresses can connect to it.

MAC flooding (Media Access Control flooding)

Variation of an ARP poisoning attack where a switch's cache table is inundated with frames from random source MAC addresses.

MAC (Mandatory Access Control)

Access to resources is determined by system-defined policies, typically involving labels (often referred to as security classifications: Public, Confidential, Critical) on both users and data objects. Users with certain clearance levels can access data with corresponding classification labels.

access control
MAC (Message Authentication Code)

Proving the integrity and authenticity of a message by combining its hash with a shared secret.

MAM (mobile application management)

Enterprise management function that enables control over apps and storage for mobile devices and other endpoints.

managerial control

A category of security control that gives oversight of the information system.

mandatory vacations

The principle that states when and how long an employee must take time off from work so that their activities may be subjected to a security review.


In threat hunting, the concept that threat actor and defender may use deception or counterattacking strategies to gain positional advantage.

mantrap (access control vestibule)

A secure entry system with two gateways, only one of which is open at any one time.


Scans entire Internet in minutes to detect open ports.

network analysis, kali command
MD5 (Message Digest Algorithm v5)

A cryptographic hash function producing a 128-bit output.

MDM (mobile device management)

The process and supporting technologies for tracking, controlling, and securing the organization's mobile infrastructure.

measured boot

UEFI feature that measures (or checks) the components being loaded during the boot process and logs the measurements to a TPM (Trusted Platform Module) chip. The TPM can then be queried later to determine what has been loaded and run on the system. However, as opposed to secure boot, measuring doesn't prevent the system from booting with unauthorized or malicious software. It simply notes what was booted.

MEF (mission essential function)

A business or organizational activity that is too critical to be deferred for anything more than a few hours, if at all.

memdump command

Linux utility developed as part of the Coroner's Toolkit to dump system memory data to a file.

memory leak

Software vulnerability that can occur when software does not release allocated memory when it is done using it, potentially leading to system instability.


Information stored or recorded as a property of an object, state of a system, or transaction.


Set of tools designed to assist in attacking a target device or network. Source:

MFA (multifactor authentication)

Authentication scheme that requires the user to present at least two different factors as credentials, from something you know, something you have, something you are, something you do, and somewhere you are. Specifying two factors is known as 2FA.


Software architecture where components of the solution are conceived as highly decoupled services not dependent on a single platform type or technology.


Type of RAID that using two hard disks, providing the simplest way of protecting a single disk against failure. Data is written to both disks and can be read from either disk.

MitB attack (Man-in-the-Browser attack)

Attack when the web browser is compromised by installing malicious plug-ins or scripts, or intercepting API calls between the browser process and DLLs. Tools like the Browser Exploitation Framework (BeEF) facilitate such attacks.

MitM attack (Man-in-the-Middle attack)

Form of eavesdropping where the attacker makes an independent connection between two victims and steals information to use fraudulently.


Refer to ATT&CK. Technique based framework, MITTRE ATT&CK is a comprehensive digest of tactics and techniques used for adversarial activity throughout the threat lifecycle.

MMS (multimedia messaging service)

Extension to SMS allowing digital data (picture, video, or audio) to be sent over a cellular data connection.

mode of operation

Implementation of a block symmetric cipher, with some modes allowing secure encryption of a stream of data, with or without authentication for each block.

MoU (memorandum of understanding)

Usually a preliminary or exploratory agreement to express an intent to work together that is not legally binding and does not involve the exchange of money.

MPLS (Multiprotocol Label Switching)

Developed by Cisco from ATM as a means of providing traffic engineering (congestion control), Class of Service, and Quality of Service within a packet switched, rather than circuit switched, network.

MSA (measurement systems analysis)

Evaluates the data collection and statistical methods used by a quality management process to ensure they are robust.


Integrates payload creation and encoding for exploit development.

kali command, metasploit, payload
MSSP (managed security service provider)

Third-party provision of security configuration and monitoring as an outsourced service.

MTBF (mean time between failures)

Rating on a device or component that predicts the expected time between failures.

MTD (maximum tolerable downtime)

Longest period a business can be inoperable without causing irrevocable business failure.

MTTF (mean time to failure)

Average time a device or component is expected to be in operation.

MTTR (mean time to repair/replace/recover)

Average time taken for a device or component to be repaired, replaced, or otherwise recover from a failure.


Model where cloud consumer uses multiple public cloud services.

deployment model

Overprovisioning controllers and cabling so that a host has failover connections to storage media.

NAC (network access control)

General term for the collected protocols, policies, and hardware that authenticate and authorize access to a network at the device level. NAC is designed to evaluate the security stance of network-attached devices and can be done pre-admission or post-admission.


Low-power cellular networks designed to provide data connectivity to IoT devices.

NAT (network address translation)

Routing mechanism that conceals internal addressing schemes from the public Internet by translating between a single public address on the external side of a router and private, non-routable addresses internally.


Utility for reading and writing raw data over a network connection. Also known as netcat.

NDA (non-disclosure agreement)

Agreement that stipulates that entities will not share confidential information, knowledge, or materials with unauthorized third parties.


One of the best-known commercial vulnerability scanner, produced by Tenable Network Security. Source:

reconnaissance tool

Layer 3 collection and analysis. Cisco-developed means of reporting network flow (also called bandwidth monitor) information to a structured database. Allows better understanding of IP traffic flows as used by different network applications and hosts. Source:

NFC (Near Field Communication)

Standard for peer-to-peer (2-way) radio communications over very short (around 4") distances, facilitating contactless payment and similar technologies. NFC is based on RFID.

NFV (network functions virtualization)

Provisioning virtual network appliances, such as switches, routers, and firewalls, via VMs and containers.

NGFW (next generation firewall)

Advances in firewall technology, from app awareness, user-based filtering, and intrusion prevention to cloud inspection. Also known as layer 7 firewall.

NISP (network-based intrusion prevention system)

Monitors network traffic and identifies typical behaviour patterns (heuristic). The NIPS acts when traffic deviates from these behaviour patterns.


Versatile port scanner used for topology, host, service, and OS discovery and enumeration. Source:


Security goal of ensuring that the party that sent a transmission or created data remains associated with that data and cannot deny sending or creating that data.


Arbitrary number used only once in cryptographic communication, often to prevent replay attacks.


Routine that applies a common consistent format to incoming data so that it can be processed safely. Normalization is referred to in the context of log collection and software coding.

NTLM authentication (NT LAN Manager authentication)

Challenge-response authentication protocol created by Microsoft for use in its products.


Open-source tool that provides aggregation and syslog centralization, as well as log generation in multiple formats. Can also be integrated with SIEM systems. Source:

OATH (Initiative for Open Authentication)

Industry body comprising the main PKI providers, such as Verisign and Entrust, that was established with the aim of developing an open, strong authentication framework.

OAuth (Open Authorization)

Federated identity management protocol used for authentication and authorization in RESTful APIs, enabling users to share resources between sites without sharing passwords, and it supports various grant types for different contexts.

OAuth & OpenID

Technique that essentially "hides" or "camouflages" code or other information so that it is harder to read by unauthorized users.

OCSP (online certificate status protocol)

Provides information on certificates that have been prematurely revoked. Contrarily to the (CRL) certificate revocation list, the OCSP allows for the process to be automated with a real-time check process.


Process of ensuring that all HR and other requirements are covered when an employee leaves an organization. Also known as exit interview.

offline CA (offline certificate authority)

In PKI, a CA (typically the root CA) that has been disconnected from the network to protect it from compromise. The online CA is the certificate authority that actively generates certificates using an intermediate CA. The offline CA is responsible for the safe storage of the root certificate of the CA and is only accessed when necessary.

OID (object identifier)

Numeric schema used for attributes of digital certificates.

OIDC (OpenID Connect)

Method of authentication that sits on top of the OAuth 2.0 authorization protocol and provides a decentralized third-party credential verification process that turns the validating party, into the identity provider (IdP). E.g., sign in using his Facebook or Google account.

OAuth & OpenID

Process of bringing in a new employee, contractor, or supplier.

OOB (out-of-band management)

Accessing the administrative interface of a network appliance using a separate network from the usual data network. This could use a separate VLAN or a different kind of link, such as a dial-up modem.


Standards for implementing device encryption on storage devices. operational control A category of security control that is implemented by people.


Automation of multiple steps in a deployment process.

order of volatility

Order in which volatile data should be recovered from various storage locations and devices after a security incident occurs. Example for a laptop: (1) routing tables, (2) swap space, (3) hard disk, (4) remote logs. Explanation: the routing table is a temporary table and should be collected first, followed by the swap space. The onboard hard disk would come next, since it is physically connected to the laptop, followed by the remote logs, which are stored in an offsite location, making them more stable.

OSI model (Open Systems Interconnection)

Conceptual framework used to understand network interactions in seven distinct layers, from physical transmission to application processes. Layers: (1) Physical, (2) Data Link, (3) Network, (4) Transport, (5) Session, (6) Presentation, (7) Application. Mnemonic method: Please Do Not Throw Sausage Pizza Away.

OSINT (open-source intelligence)

Publicly available information plus the tools used to aggregate and search it.

OT (operational technology)

Communications network designed to implement an industrial control system rather than data networking.

OTA (over the air)

Firmware update delivered on a cellular data connection.

output encoding

Coding methods to sanitize output created from user input.

OWASP (Open Web Application Security Project)

Charity and community publishing several secure application development resources.

P12 (Public Key Cryptography Standard #12)

Binary file format that allows a private key to be exported along with its digital certificate. Known as PFX by Windows users.

digital certificate
P2P (Point-to-Point) / P2MP (Point-to Multipoint Topology)

Point-to-point topology is one where two nodes have a dedicated connection to one another. In a point-to-multipoint topology, a central node mediates links between remote nodes.

P7B (Public Key Cryptography Standard #7B)

Text file format for transmitting a chain of digital certificates.

digital certificate
PaaS (Platform as a Service)

Provides less control to the user than IaaS by providing the computing platform in the cloud, which the user can use to create applications.

PAM (pluggable authentication module)

Framework for implementing authentication providers in Linux.

passive scan

Enumeration or vulnerability scan that analyzes only intercepted network traffic rather than sending probes to a target. More generally, passive reconnaissance techniques are those that do not require direct interaction with the target.

PAT (port address translation)

Maps private host IP addresses onto a single public IP address. Each host is tracked by assigning it a random high TCP port for communications. Also known as network address port translation (NAPT) or NAT overloading.

patch management

Identifying, testing, and deploying OS and application updates. Patches are often classified as critical, security-critical, recommended, and optional.

PCI DSS (Payment Card Industry Data Security Standard)

Information security standard for organizations that process credit or bank card payments.

PDU (power distribution unit)

Advanced strip socket that provides filtered output voltage. A managed unit supports remote administration.

PEAP (Protected Extensible Authentication Protocol)

See EAP for reference table.


eap architecture
PEM (privacy-enhanced mail)

Widely used text format for cryptographic keys and certificates. For use with OpenSSH. It isessentially a base64 encoded version ofbinary data, typically used for DER-encoded certificates. PEM formatted files are easily identifiable by their characteristic "BEGIN"and"END" delimiters (e.g., "-----BEGIN CERTIFICATE-----"and"-----END CERTIFICATE-----"). They can containprivate keys, public keys, certificates, and even entire certificate chains.

penetration testing

Test that uses active tools and security utilities to evaluate security by simulating an attack on a system. A pen test will verify that a threat exists, then will actively test and bypass security controls, and will finally exploit vulnerabilities on the system. Also known as pentest.

percent encoding

Mechanism for encoding characters as hexadecimal values delimited by the percent sign.


In load balancing, the configuration option that enables a client to maintain a connection with a load-balanced server over the duration of the session. Also referred to as sticky sessions.

load balancing

Ability of a threat actor to maintain covert access to a target host or network.

PFS (perfect forward secrecy)

A characteristic of transport encryption that ensures if a key is compromised the compromise will only affect a single session and not facilitate recovery of plaintext data from other sessions. Note that WPA3-Enterprise is designed to provide perfect forward secrecy between the client and server.

PFX (personal information exchange)

Windows version of P12 to store private key and certificate data. The file is binary and can be password-protected.

digital certificate
PGP (Pretty Good Privacy)

Data encryption and decryption program that provides cryptographic privacy and authentication for data communication.


An impersonation attack in which a request for a website, typically an e-commerce site, is redirected to a similar-looking, but fake, website.

dns exploit, attack
PHI (protected/personal health information)

Information that identifies someone as the subject of medical and insurance records, plus associated hospital and laboratory test results.


A type of email-based social engineering attack, in which the attacker sends email from a supposedly reputable source, such as a bank, to try to elicit private information from the victim.

physical control

A type of security control that acts against in-person intrusion attempts.

PII (personally identifiable information)

Data that can be used to identify or contact an individual (or in the case of identity theft, to impersonate them).


Portable router equipped with software designed for network security testing and attacks. It allows security researchers and hackers to easily perform man-in-the-middle attacks by creating a fake WiFi network or mimicking legitimate networks to intercept communications, capture credentials, and manipulate traffic.

network testing, wifi

A deprecated method of trusting digital certificates that bypasses the CA hierarchy and chain of trust to minimize man-in-the-middle attacks.

PIV card (personal identity verification card)

A smart card that meets the standards for FIPS 201, in that it is resistant to tampering and provides quick electronic authentication of the card's owner.

PKCS (public key cryptography standards)

Series of standards defining the use of certificate authorities and digital certificates.

PKI (public key infrastructure)

Framework of certificate authorities, digital certificates, software, services, and other cryptographic components deployed for the purpose of validating subject identities.

Trust model

A checklist of actions to perform to detect and respond to a specific type of incident PLC (programmable logic controller) A type of computer designed for deployment in an industrial or outdoor setting that can automate and monitor mechanical systems.

PNAC (port-based network access control)

A switch (or router) that performs some sort of authentication of the attached device before activating the port.

pointer dereferencing

Software vulnerability that can occur when code attempts to read a memory location specified by a pointer, but the memory location is null. Also known as dereferencing.

port forwarding

A process in which a router takes requests from the Internet for a particular application (such as HTTP) and sends them to a designated host on the LAN. Also known as destination network address translation or DNAT.

port mirroring

Copying ingress and/or egress communications from one or more switch ports to another port. This is used to monitor communications passing over the switch. Also known as switched port analyzer or SPAN.

port security

Preventing a device attached to a switch port from communicating on the network unless it matches a given MAC address or other protection profile.


Anticipating challenges to current cryptographic implementations and general security issues in a world where threat actors have access to significant quantum processing capability.


A command shell and scripting language built on the .NET Framework.

PPK (PuTTY Private Key)

Proprietary format for private keys used by the PuTTY SSH client. PuTTY doesn't natively support OpenSSH's default key format, so it uses PPK format for private keys. The companion utility "PuTTYgen" can be used to generate these keys and also to convert between OpenSSH and PPK formats.

PPP (Point to Point Protocol)

Dial-up protocol working at layer 2 (Data Link) used to connect devices remotely to networks.


Security concept that advises granting users, systems, or processes the minimum levels of access - or permissions - necessary to perform their functions or tasks, but no more. This minimizes the risk of unauthorized access or the spread of a security breach by ensuring that entities have only the essential rights they need to operate.

access control, iam
private cloud

A cloud that is deployed for use by a single entity.

deployment model
private key

the private key is known only to the holder and is linked to, but not derivable from, a public key distributed to those with which the holder wants to communicate securely. A private key can be used to encrypt data that can be decrypted by the linked public key or vice versa.

asymmetric encryption
privilege access management

Use of authentication and authorization mechanisms to provide an administrator with centralized or decentralized control of user and group role-based privilege management.

privilege escalation

Practice of exploiting flaws in an operating system or other application to gain a greater level of access than was intended for the user or application.


Ability to trace the source of evidence to a crime scene and show that it has not been tampered with.

digital forensics
proxy server

Server that mediates the communications between a client and another server. It can filter and often modify communications, as well as provide caching services to improve performance. Also known as forward proxy.


Enforces TCP connections to pass through proxies like TOR, SOCKS4, SOCKS5, or HTTP(S)

anonymity, networking, tunneling

Removing personal information from a data set to make identification of individuals difficult, even if the data set is combined with other sources.

data protection
PSK (pre-shared key)

Passphrase-based mechanism to allow group authentication to a wireless network. The passphrase is used to derive an encryption key.

PtH attack (pass the hash attack)

Network-based attack where the attacker steals hashed user credentials and uses them as-is to try to authenticate to the same network the hashed credentials originated on.

public cloud

Cloud that is deployed for shared use by multiple independent tenants.

deployment model
public key

During asymmetric encryption, this key is freely distributed and can be used to perform the reverse encryption or decryption operation of the linked private key in the pair.

PUP (potentially unwanted program)

Software that cannot definitively be classed as malicious, but may not have been chosen by or wanted by the user.

purple team

Mode of penetration testing where red and blue teams share information and collaborate throughout the engagement. purpose limitation In data protection, the principle that personal information can be collected and processed only for a stated purpose to which the subject has consented.

push notification

Messages that are generated by an application based on preset criteria and sent to a user with a prompt request are push notifications. This differs from short message service (SMS) and authentication applications due to its application-based generation.


High-level programming language that is widely used for automation.

QA (quality assurance)

Policies, procedures, and tools designed to ensure defect-free development and delivery.

QoS (quality of service)

Systems that differentiate data passing over the network that can reserve bandwidth for particular applications. A system that cannot guarantee a level of available bandwidth is often described as Class of Service (CoS).

qualitative analysis

Method that uses opinions and reasoning to measure the likelihood and impact of risk.

risk analysis
quantitative analysis

Method that is based on assigning concrete values to factors.

risk analysis
quantum cryptography

Using quantum computing for cryptographic tasks, such as distributing keys or cracking (traditional) cryptographic systems. Quantum computing works on the principle that its units (qubits) have more properties than the bits used in "classical" computers, notably (and very crudely) that a qubit can have a probability of being 1 or 0 and that inspecting the value of one qubit can instantly determine that of others (entanglement).

RA (recovery agent)

In PKI, an account or combination of accounts that can copy a cryptographic key from backup or escrow and restore it to a subject host or user.

RA (registration authority)

In PKI, an authority that accepts requests for digital certificates and authenticates the entities making those requests.

race condition

Situation where the behavior of a system depends on the relative timing of events, leading to unpredictable or undesirable outcomes. TOCTOU (Time of Check to Time of Use) is a specific type of race condition where the vulnerability arises between the time a system checks a condition and the time it uses the results of that check.

RADIUS (Remote Authentication Dial-in User Service)

A standard protocol used to manage remote and wireless authentication infrastructures. While OpenID can validate users with a single credential, a RADIUS federation can limit access to members in the federation.

RAID (redundant array of independent/ inexpensive disks)

Specifications that support redundancy and fault tolerance for different configurations of multiple-device storage systems.

rainbow table

Tool for speeding up attacks against Windows passwords by precomputing possible hashes. Salting is the most appropriate method for protecting against rainbow attacks.


Malware that tries to extort money from the victim by blocking normal operation of a computer and/or encrypting the victim’s files and demanding payment.

Raspberry Pi

Open-source platform producing programmable circuit boards for education and industrial prototyping.

RAT (remote access Trojan)

Malware that creates a backdoor remote administration channel to allow a threat actor to access and control the infected host.

RBAC (role-based access control)

Access permissions are based on the roles assigned to users within an organization. Users are granted permissions based on their role, and not directly based on their individual identity.

access control
RCA (risk control assessment)

Evaluation of a company’s security posture and preparedness, designed for a higher-level risk evaluation than the RCSA, and can be done in-house or by a third party.

RCS (rich communication services)

Platform-independent advanced messaging functionality designed to replace SMS and MMS.

RCSA (risk control self-assessment)

Evaluation of a company’s security posture and preparedness, focused primarily on the specifics of risk response controls and is commonly done in-house.

red team

The "hostile" or attacking team in a penetration test or incident response exercise. regex (regular expression) A group of characters that describe how to execute a specific search pattern on a given text.

replay attack

On-path attack where the attacker intercepts some authentication data and reuses it to try to re-establish a session.


Automatically copying data between two processing systems either simultaneously on both systems (synchronous) or from a primary to a secondary location (asynchronous).

residual risk

Risk that remains even after controls are put into place.

retention policy

Dictates for how long information needs to be kept available on backup and archive systems. This may be subject to legislative requirements.

reverse proxy

Type of proxy server that protects servers from direct contact with client requests.

reverse shell

Maliciously spawned remote command shell where the victim host opens the connection to the attacking host.


Method of recovering by setting the system back to a previous state.

risk acceptance

Response of determining that a risk is within the organization's appetite and no countermeasures other than ongoing monitoring is needed.

risk avoidance

Practice of ceasing activity that presents risk.

risk mitigation
risk-based framework

In ESA, a framework that uses risk assessment to prioritize security control selection and investment.

risk deterrence

Response of deploying security controls to reduce the likelihood and/or impact of a threat scenario. Also known as risk reduction.

risk mitigation
risk matrix/heat map

Graphical table indicating the likelihood and impact of risk factors identified for a workflow, project, or department for reference by stakeholders.

risk mitigation

Response of reducing risk to fit within an organization's risk appetite.

risk register

Document highlighting the results of risk assessments in an easily comprehensible format (such as a "traffic light" grid). Its purpose is for department managers and technicians to understand risks associated with the workflows that they manage.

risk transference

Response of moving or sharing the responsibility of risk to another entity, such as by purchasing cybersecurity insurance.

risk mitigation
robot sentry

Remote-controlled or autonomous robot capable of patrolling site premises or monitoring gateways.

root CA (root certificate authority)

In PKI, a CA that issues certificates to intermediate CAs in a hierarchical structure. The online CA is the certificate authority that actively generates certificates using an intermediate CA. The offline CA is responsible for the safe storage of the root certificate of the CA and is only accessed when necessary.

route security

Monitors the routing protocols used by a network for possible vulnerabilities such as on-path attacks, loops, and congestion.

router firewall

Hardware device that has the primary function of a router, but also has firewall functionality embedded into the router firmware.

routing protocols

Rules that govern how routers communicate and forward traffic between networks.

RPO (recovery point objective)

Longest period that an organization can tolerate lost data being unrecoverable.

RSA (Rivest Shamir Adelman)

Named for its designers, Ronald Rivest, Adi Shamir, and Len Adelman, the first successful algorithm for public key encryption with a variable key length and block size.

RTBH (remote triggered black hole)

Using a trigger device to send a BGP route update that instructs routers to drop traffic that is suspected of attempting DDoS.

RTO (recovery time objective)

Length of time it takes after an event to resume normal business operations and activities.

RTOS (real-time operating system)

Type of OS that prioritizes deterministic execution of operations to ensure consistent response for time-critical tasks.

RTP (Real-time Transport Protocol)

Opens a data stream for video and voice applications over UDP. The data is packetized and tagged with control information (sequence numbering and time-stamping).

RuBAC (Rule-Based Access Control)

Access is granted or denied based on a set of rules defined by a system administrator. The rules can encompass various conditions, such as time of access, network location, type of access method, etc. (e.g., MS365 Conditional Access)

access control

Automated version of a playbook that leaves clearly defined interaction points for human analysis.

S/MIME (Secure/Multipurpose Internet Mail Extensions)

Email encryption standard that adds digital signatures and public key cryptography to traditional MIME communications.

SaaS (Software as a Service)

Most limiting cloud environment (compared to IaaS and PaaS), providing the user with predefined software that can be used but not altered.

SAE (Simultaneous Authentication of Equals)

WPA3 increased security by instituting the use of SAE which validates between a client and a network rather than using a preshared key (WPA-PSK)for validation.


Security countermeasure that mitigates the impact of a rainbow table attack by adding a random value to (Salting) each plaintext input.

SAML (Security Assertion Markup Language)

XML-based data format used to exchange authentication information between a client and a service.

SAN (subject alternative name)

Field in a digital certificate allowing a host to be identified by multiple host names/subdomains.


Computing environment that is isolated from a host system to guarantee that the environment runs in a controlled, secure fashion. Communication links between the sandbox and the host are usually completely prohibited.


Process of thorough and completely removing data from a storage medium so that file remnants cannot be recovered.

SAS (Serial Attached Small Computer Systems Interface)

Developed from parallel SCSI, SAS represents the highest performing hard disk interface available.

SCADA (Supervisory Control and Data Acquisition)

Type of industrial control system that manages large-scale, multiple-site devices and equipment spread over geographically large areas.


Property by which a computing environment is able to gracefully fulfill its ever-increasing resource needs.


Utility that runs port scans from outside the network through third-party websites to evade detection. Netcat, netstat, and Nmap are all used within the network.

SCAP (Security Content Automation Protocol)

A NIST framework that outlines various accepted practices for automating vulnerability scanning.

screened host

Dual-homed proxy/gateway server used to provide Internet access to other network nodes, while protecting them from external attack.

screened subnet

Network segmentation method that locates a designated portion of a network, typically for external use, away from the primary network. While the screened subnet is still on the network, it has extremely limited access to the primary network.

script kiddie

Inexperienced, unskilled attacker that typically uses tools or scripts created by others.

SDK (software development kit)

Coding resources provided by a vendor to assist with development projects that use their platform or API.

secure coding technique
SDN (software defined networking)

APIs and compatible hardware/virtual appliances allowing for programmable network appliances and systems.

SDV (software defined visibility)

API technology that provides network visibility throughout an entire network, integrating and collaborating between various technologies and vendors to provide a single visible network.

SE (secure erase)

Method of sanitizing a drive using the ATA command set.

SEAndroid (Security-Enhanced Android)

Since version 4.3, Android has been based on Security-Enhanced Linux, enabling granular permissions for apps, container isolation, and storage segmentation.


Searches through exploits and shellcodes in Exploit-DB via command line.

vulnerability, metasploit
SECaaS (Security as a Service)

Computing method that enables clients to take advantage of information, software, infrastructure, and processes provided by a cloud vendor in the specific area of computer security.

secure boot

UEFI feature that ensures that only signed and trusted software can boot on the system. It establishes a chain of trust from the firmware up through the boot process. If any software in the boot process doesn't have the correct signature (i.e., it isn't trusted), the UEFI will stop and prevent the system from booting.

security control

Technology or procedure put in place to mitigate vulnerabilities and risk and to ensure the confidentiality, integrity, and availability (CIA) of information.

SED (self-encrypting drive)

Disk drive where the controller can automatically encrypt data that is written to it.


Portion of a network where all attached hosts can communicate freely with one another.

SEH (structured exception handler)

Mechanism to account for unexpected error conditions that might arise during code execution. Effective error handling reduces the chances that a program could be exploited.

self-signed certificate

Digital certificate that has been signed by the entity that issued it, rather than by a CA.

digital certificate
sentiment analysis

Devising an AI/ML algorithm that can describe or classify the intention expressed in natural language statements SIEM tools provide many capabilities, including sentiment analysis to identify opinion and emotion patterns in data.

separation of duties

Concept that states that duties and responsibilities should be divided among individuals to prevent ethical conflicts or abuse of powers.

server certificate

Digital certificate that guarantees the identity of e-commerce sites and other websites that gather and store confidential information.

digital certificate

In a web application, input data that is executed or validated as part of a script or process running on the server.


Software architecture that runs functions within virtualized runtime containers in a cloud rather than on dedicated server instances.

deployment model
service account

Host or network account that is designed to run a background service, rather than to log on interactively.

session affinity

Scheduling approach used by load balancers to route traffic to devices that have already established connections with the client in question. Also known as source IP affinity.

session hijacking

Type of spoofing attack where the attacker disconnects a host then replaces it with his or her own machine, spoofing the original host's IP address.


Provides data collection and analysis (also called bandwidth monitor) from Layer 2 to 7, while both NetFlow and IPFIX only provide Layer 3 collection and analysis. Source:

SFTP (Secure File Transfer Protocol)

Secure version of the File Transfer Protocol that uses a Secure Shell (SSH) tunnel as an encryption method to transfer, access, and manage files.

SHA (Secure Hash Algorithm)

Cryptographic hashing algorithm created to address possible weaknesses in MDA. The current version is SHA-2.

shadow IT

Computer hardware, software, or services used on a private network without authorization from the system owner.

shared account

Account with no credential (guest) or one where the credential is known to multiple persons.


Lightweight block of malicious code that exploits a software vulnerability to gain initial access to a victim system.


Process of developing and implementing additional code between an application and the OS to enable functionality that would otherwise be unavailable.

shoulder surfing

Social engineering tactic to obtain someone's password or PIN by observing him or her as he or she types it in.

SID (security identifier)

The value assigned to an account by Windows and that is used by the operating system to identify that account.

SIEM (security information and event management)

Central security-monitoring tool used to collect and aggregate log data.A solution that provides real-time or near-real-time analysis of security alerts generated by network hardware and applications.

signature-based detection

Network monitoring system that uses a predefined set of rules provided by a software vendor or security personnel to identify events that are unacceptable.

SIM (subscriber identity module)

Small chip card that identifies the user and phone number of a mobile device, via an IMSI (International Mobile Subscriber Identity).


DoS attack mitigation strategy that directs the traffic that is flooding a target IP address to a different network for analysis.

SIP (Session Initiation Protocol)

Used to establish, disestablish, and manage VoIP and conferencing communications sessions. It handles user discovery (locating a user on the network), availability advertising (whether a user is prepared to receive calls), negotiating session parameters (such as use of audio/ video), and session management and termination.

SLA (service level agreement)

Operating procedures and standards for a service contract.

SLE (single loss expectancy)

Amount that would be lost in a single occurrence of a particular risk factor.

risk calculation
smart card

Similar to a credit card that can store authentication information, such as a user's private key, on an embedded microchip.

smart meter

Utility meter that can submit readings to the supplier without user intervention.


Form of phishing that uses SMS text messages to trick a victim into revealing information.


Software utility designed for penetration testing reporting and evidence gathering that can also run automated test suites. Source:

reconnaissance tool
SNMP (Simple Network Management Protocol)

Protocol for monitoring and managing network devices. SNMP works over UDP ports 161 and 162 by default.

SOA (service-oriented architecture)

Software architecture where components of the solution are conceived as loosely coupled services not dependent on a single platform type or technology.

SOAP (Simple Object Access Protocol)

XML-based web services protocol that is used to exchange messages.

SOAR (security orchestration, automation, and response)

Class of security tools that facilitates incident response, threat hunting, and security configuration by orchestrating automated runbooks and delivering data enrichment.

SOC (System and Organization Controls) reports

Evaluations of the controls and processes of a service organization, particularly those relevant to user entities. These reports are issued by external auditors and provide valuable insights into the organization's control environment. There are different types of SOC reports, and they vary based on the kind of information they provide and their intended audience.

SoC (system-on-chip)

Processor that integrates the platform functionality of multiple logical controllers onto a single chip. E.g., Apple Silicon with CPU, GPU and RAM on same chip.

spear phishing

Email-based or web-based form of phishing which targets specific individuals.

SPIM (spam over internet messaging)

Spam attack that is propagated through instant messaging rather than email.

split tunnel

VPN configuration where only traffic for the private network is routed via the VPN gateway.

SPoF (single point of failure)

Component or system that would cause a complete interruption of a service if it failed.

SQL injection (Structured Query Language injection

Attack that injects a database query into the input data directed at a server by accessing the client-side of the application. Example: or 1=1

SSAE SOC (Statements on Standards for Attestation Engagements Service Organization Control)

Audit specifications designed to ensure that cloud/hosting providers meet professional standards. A SOC2 (Type II) report is created for a restricted audience, while SOC3 reports are provided for general consumption.

SSH (Secure Shell)

Remote administration and file-copy program that supports VPNs by using port forwarding, and that runs on TCP port 22.

SSID (service set identifier)

Character string that identifies a particular wireless LAN (WLAN).

SSO (single sign-on)

Authentication technology that enables a user to authenticate once and receive authorizations for multiple services.

SSRF (server-side request forgery)

Attack that attempts to exploit the trust relationship between a user and a server to get the user to execute commands against the server or vice versa. Request forgeries can originate from either the client side via a SSRF or the server side via a CSRF/XSRF (cross-site request forgery).

SSTI (server-side template injection)

SSTIs occur when user input is embedded in a template in an unsafe manner and results in remote code execution on the server. Any features that support advanced user-supplied markup may be vulnerable to SSTI including wiki-pages, reviews, marketing applications, CMS systems etc. Some template engines employ various mechanisms (eg. sandbox, whitelisting, etc.) to protect against SSTI.

SSTP (Secure Socket Tunneling Protocol)

Protocol that uses the HTTP over SSL protocol and encapsulates an IP packet with a PPP header and then with an SSTP header.

standard naming convention

Applying consistent names and labels to assets and digital resources/identities within a configuration management system.


Mechanism used to mitigate performance and privacy issues when requesting certificate status from an OCSP responder.

state actor

Type of threat actor that is supported by the resources of its host country's military and security services. Also known as nation state actor.

state table

Information about sessions between hosts that is gathered by a stateful firewall.

stateful inspection

Technique used in firewalls to analyse packets down to the application layer rather than filtering packets only by header information, enabling the firewall to enforce tighter and more security.

stateless firewall

Type of firewall provides the least amount of capabilities.

static code

Authentication method that provides a one-time, pre-set authentication verifier, such as a password or code, that is not limited by a set time frame.


Technique for obscuring the presence of a message, often by embedding information within a file or other entity.

STIX (Structured Threat Information eXpression)

Framework for analyzing cybersecurity incidents.

stored procedure

Small applications that use Structured Query Language (SQL) statements that can manipulate data in a relational database management system.

STP (Spanning Tree Protocol)

Switching protocol that prevents network loops by dynamically disabling links as needed.

stream cipher

Type of symmetric encryption that combines a stream of plaintext bits or bytes with a pseudorandom stream initialized by a secret key.

stress test

Software testing method that evaluates how software performs under extreme load.


Device requesting access to the network.

eap architecture

SMTP testing tool with scripting capabilities.

network testing
SWG (secure web gateway)

An appliance or proxy server that mediates client connections with the Internet by filtering spam and malware and enforcing access restrictions on types of sites visited, time spent, and bandwidth consumed.

symmetric encryption

A two-way encryption scheme in which encryption and decryption are both performed by the same key. Also known as shared-key encryption.


A protocol enabling different appliances and software applications to transmit logs or event records to a central server.

TACACS+ (Terminal Access Controller Access Control System Plus)

An AAA protocol developed by Cisco that is often used to authenticate to administrator accounts for network appliance management.

tail command

Linux utility for showing the last lines in a file.


Social engineering technique to gain access to a building by following someone who is unaware of their presence.

TAP (test access port)

Hardware device inserted into a cable to copy frames for analysis.


Tape media provides robust, high-speed, high-capacity backup storage. Tape drives and autoloader libraries can be connected to the SATA and SAS buses or accessed via a SAN.

TAXII (Trusted Automated eXchange of Indicator Information)

A protocol for supplying codified information to automate incident detection and analysis.

tcpdump command

Command-line packet sniffing utility.

tcpreplay command

Command-line utility that replays packets saved to a file back through a network adapter.

technical control

Category of security control that is implemented as a system (hardware, software, or firmware). Technical controls may also be described as logical controls.


Using the cellular data plan of a mobile device to provide Internet access to a laptop or PC. The PC can be tethered to the mobile by USB, Bluetooth, or Wi-Fi (a mobile hotspot). Also known as hotspot.


Utility for gathering results from open-source intelligence queries. Source:

reconnaissance tool
thin AP

Access point that requires a wireless controller to function.

third-party risks

Vulnerabilities that arise from dependencies in business relationships with suppliers and customers.

threat actor

Person or entity responsible for an event that has been identified as a security incident or as a risk.

threat hunting

Cybersecurity technique designed to detect presence of threats that have not been discovered by normal security monitoring.

threat map

Animated map showing threat sources in near real-time.

time of day restrictions

Policies or configuration settings that limit a user's access to resources.

time offset

Identifying whether a time zone offset has been applied to a file's time stamp.

digital forensics

Tool that shows the sequence of file system events within a source image in a graphical format.

digital forensics
TKIP (Temporal Key Integrity Protocol)

Mechanism used in the first version of WPA to improve the security of wireless encryption mechanisms, compared to the flawed WEP standard.

TLS (Transport Layer Security)

Security protocol that uses certificates for authentication and encryption to protect web communication.

TOCTOU (Time of Check to Time of Use)

Vulnerability where the state of a system changes between a check and its use, representing a specific type of race condition.


Physical or virtual item that contains authentication and/or authorization data, commonly used in multifactor authentication.


Deidentification method where a unique token is substituted for real data.

data protection
TOTP (Time-based One-time Password)

Improvement on HOTP that forces one-time passwords to expire after a short period of time.

TPM (Trusted Platform Module)

Specification for hardware-based storage of digital certificates, keys, hashed passwords, and other user and platform identification information. transit gateway In cloud computing, a virtual router deployed to facilitate connections between VPC subnets and VPN gateways.

trend analysis

Process of detecting patterns within a dataset over time, and using those patterns to make predictions about future events or better understand past events.


Malicious software program hidden within an innocuous-seeming piece of software. Usually, the Trojan is used to try to compromise the security of the target computer. Also known as Trojan.


Analyzes network traffic via command line, based on Wireshark.

network analysis
TSK (The Sleuth Kit)

Open-source collection of command line and programming libraries for disk imaging and file analysis. Autopsy sits as a GUI on top of TSK.

TTP (tactics, techniques, and procedures)

Analysis of historical cyber-attacks and adversary actions.


Attack in which an attacker registers a domain name with a common misspelling of an existing domain, so that a user who misspells a URL is taken to the attacker's website. Also known as URL hijacking.

UEBA (user and entity behavior analytics)

System that can provide automated identification of suspicious activity by user accounts and computer hosts.

UEM (unified endpoint management)

Enterprise software for controlling device settings, apps, and corporate data storage on all types of fixed, mobile, and IoT computing devices.

uncredentialed scan

Vulnerability scan which is only able to scan the publicly accessible portions of a network (contrarily to the credentialed scan).

USB data blocker (Universal Serial Bus data blocker)

Hardware plug to prevent malicious data transfer when a device is plugged into a USB charging point.

UTM (unified threat management)

All-in-one security appliances and agents that combine the functions of a firewall, malware scanner, intrusion detection, vulnerability scanner, data loss prevention, content filtering, and so on.


Secure room with walls and gateway hardened against physical assault.

VBA (Visual Basic for Applications)

Programming languages used to implement macros and scripting in Office document automation.

VDE (virtual desktop environment)

User desktop and software applications provisioned as an instance under VDI.

VDI (virtual desktop infrastructure)

Networking technology that provides secure access to the corporate space through a virtual desktop hosted on the corporate hypervisor.

device deployment model
vendor management

Policies and procedures to identify vulnerabilities and ensure security of the supply chain. It is important to have vendor management when managing third-party risk. Issues can be promptly found and fixed with a strong vendor-management program. The proper channels can be followed when a security breach is detected, and it can be addressed much more quickly. A weak vendor-management program can lead to increased downtime and policies not being followed adequately.


Code designed to infect computer files (or disks) when it is activated.


Human-based attack where the attacker extracts information while speaking over the phone or leveraging IP-based voice messaging services (VoIP).

VLAN (virtual local area network)

Logically separate network, created by using switching technology. Even though hosts on two VLANs may be physically connected to the same cabling, local traffic is isolated to each VLAN so they must use a router to communicate.

VM escaping (virtual machine escaping)

Attack where malware running in a VM is able to interact directly with the hypervisor or host kernel.

VM sprawl (virtual machine sprawl)

Configuration vulnerability where provisioning and deprovisioning of virtual assets is not properly authorized and monitored.

VPC (virtual private cloud)

Private network segment made available to a single cloud consumer on a public cloud.

VPN (virtual private network)

Secure tunnel created between two endpoints connected via an unsecure network (typically the Internet).


Weakness that could be triggered accidentally or exploited intentionally to cause a security breach.

vulnerability assessment

Evaluation of a system's security and ability to meet compliance requirements based on the configuration state of the system, as represented by information collected from the system.

WAF (web application firewall)

Firewall designed specifically to protect software running on web servers and their back-end databases from code injection and DoS attacks.

war driving

Practice of using a Wi-Fi sniffer to detect WLANs and then either making use of them (if they are open/unsecured) or trying to break into them (using WEP and WPA cracking tools).

warm site

Location that is dormant or performs noncritical functions under normal conditions, but which can be rapidly converted to a key operations site if needed.

watering hole attack

Attack in which an attacker targets specific groups or organizations, discovers which websites they frequent, and injects malicious code into those sites.

WEP (Wired Equivalent Privacy)

Legacy mechanism for encrypting data sent over a wireless connection.


Email-based or web-based form of phishing which targets senior executives or wealthy individuals.


Identifies technologies used on websites.

web discovery
white team

Staff administering, evaluating, and supervising a penetration test or incident response exercise.


Forensics tool for Windows that allows collection and inspection of binary code in disk and memory images.


Network protocol analyzer that lets users capture and interactively browse the traffic running on a computer network. It provides detailed information about network traffic and can be used for network troubleshooting, analysis, software and protocol development, and education.

network analysis, traffic monitoring

Type of malware that replicates in system memory and can spread over network connections rather than infecting files.

WPA (Wi-Fi Protected Access)

Standards for authenticating and encrypting access to Wi-Fi networks. Also known as WPA2, WPA3.

WPS (Wi-Fi Protected Setup)

Feature of WPA and WPA2 that allows enrollment in a wireless network based on an 8-digit PIN.

XaaS (anything as a service)

Expressing the concept that most types of IT requirements can be deployed as a cloud service model.

XML injection

Attack method where malicious XML is passed as input to exploit a vulnerability in the target app.

XML XEE (XML External Entity)

Type of attack against an application that parses XML input. Occurs when XML input containing a reference to an external entity is processed by a weakly configured XML parser. This attack may lead to the disclosure of confidential data, denial of service, server side request forgery, port scanning from the perspective of the machine where the parser is located, and other system impacts.

XOR (exclusive OR)

Operation that outputs to true only if one input is true and the other input is false.

XSRF (cross-site request forgery)

Malicious script hosted on the attacker's site that can exploit a session started on another site in the same browser. Also known as client-side request forgery or CSRF.

XSS (cross-site scripting)

Malicious script hosted on the attacker's site or coded in a link injected onto a trusted site designed to compromise clients browsing the trusted site, circumventing the browser's security model of trusted zones. Example: <SCRIPT> and </SCRIPT>


Low-power wireless communications protocol used primarily for home automation. Z-Wave uses radio frequencies in the high 800 to low 900 MHz and a mesh topology.


Vulnerability in software that is unpatched by the developer or an attack that exploits such a vulnerability.


Method of sanitizing a drive by setting all bits to zero.

zero trust

Security design paradigm where any request (host-to-host or container-to-container) must be authenticated before being allowed.


Low-power wireless communications open source protocol used primarily for home automation. ZigBee uses radio frequencies in the 2.4 GHz band and a mesh topology.