Cybersecurity glossary

A

Account takeover (ATO)

The compromise of a legitimate user account, typically via credential stuffing, phishing, or session hijacking. The most common initial access vector in modern Australian breach data.

Adversary-in-the-middle (AiTM)

A modern phrasing of what used to be called man-in-the-middle. Often describes phishing attacks that proxy a real-time authentication flow to bypass MFA. Replaces "MITM" in current threat-actor reporting.

AESCSF

Australian Energy Sector Cyber Security Framework. Sector-specific maturity framework operated by AEMO for electricity, gas, and liquid fuel operators. Aligns with NIST CSF and SOCI Act requirements. Tested in OT cybersecurity engagements.

Agent (AI) / AI agent

A software system built on top of a language model that can take actions: call APIs, read and write files, send messages, or execute code. Distinguished from a chatbot by autonomy and tool use. Security assessment of AI agents is a core Cyber Node offering. See AI and cloud security.

Agentic AI

Systems where AI agents make decisions and take actions with limited human oversight. The fastest-growing security frontier in 2026. Exposed agent endpoints, weak prompt validation, and over-permissioned tool calls are the recurring failure modes.

Air gap

Physical or logical isolation of a system from untrusted networks. Common in OT, defence, and critical infrastructure. Air-gapped systems still get compromised via removable media, supply chain, or insider access. See OT cybersecurity.

APRA CPS 234

Prudential standard from the Australian Prudential Regulation Authority requiring regulated entities to maintain information security capabilities commensurate with the size and extent of threats. Penetration testing is one of the evidence mechanisms used to demonstrate compliance. See FinTech penetration testing.

ASD Essential Eight

Australian Signals Directorate maturity model defining eight mitigation strategies: application control, patch applications, configure Microsoft Office macro settings, user application hardening, restrict administrative privileges, patch operating systems, multi-factor authentication, and regular backups. Three maturity levels apply. See Essential Eight technical assessments. Also known as "Essential 8" or "E8". Canonical source: cyber.gov.au.

Authentication bypass

Any vulnerability that allows an attacker to access authenticated functionality without valid credentials. Common in poorly implemented JWT handling, session management, and OAuth flows. Tested for in manual penetration testing.

B

BEC (Business Email Compromise)

Fraud that uses spoofed or compromised email accounts to manipulate someone into transferring funds, paying false invoices, or sharing sensitive data. The single highest-cost cyber attack category for Australian SMBs. Email authentication failures (SPF, DKIM, DMARC) make BEC trivially easy. See Cyber Exposure Snapshot for the email auth check.

Black box testing

Penetration testing performed without prior knowledge of the internal workings of the target. Simulates an external attacker with no insider information. Cyber Node engagements can be scoped as black box, grey box, or white box.

BOLA

Broken Object Level Authorisation. An API vulnerability where an authenticated user can access objects belonging to other users by manipulating identifiers. Number one entry on the OWASP API Security Top 10. Surfaces routinely in API penetration testing.

C

CES (Cyber Exposure Snapshot)

Cyber Node’s external exposure scan product. A single automated assessment of a domain’s public attack surface including open ports, certificates, DNS, and exposed services. See Cyber Exposure Snapshot.

CISA KEV (Known Exploited Vulnerabilities)

A catalogue maintained by the US Cybersecurity and Infrastructure Security Agency listing CVEs known to be actively exploited in the wild. Used to prioritise patching by exploitation evidence rather than CVSS alone.

CNAPP

Cloud Native Application Protection Platform. A category that combines CSPM, CWPP, container security, and identity into one product. Vendor-driven term for what most organisations cobble together from point tools. See cloud security assessments.

Container escape

A vulnerability that allows code running inside a container to break out and access the host or other containers. Real risk in misconfigured Kubernetes clusters and shared-tenant environments. Tested in cloud security engagements.

Credential stuffing

Automated reuse of credentials harvested from one breach against unrelated services. Powered by leaked password databases. Almost always succeeds against any service that allows password authentication without rate limiting or MFA. Surfaces routinely in Cyber Exposure Snapshot findings.

CSRF

Cross-Site Request Forgery. An attack that forces an authenticated user’s browser to perform unwanted actions on an application they’re logged into. Tested for in web application penetration tests.

CVSS

Common Vulnerability Scoring System. A numeric score (0 to 10) assigned to a vulnerability based on exploitability and impact metrics. Cyber Node rates findings by real-world impact, not CVSS alone. See how we report findings.

D

DCS (Distributed Control System)

Industrial control architecture where controllers are distributed throughout the plant. Common in continuous processes like refining, LNG, and chemical production. See OT cybersecurity.

DNS rebinding

An attack that abuses short TTL DNS records to bypass the browser’s same-origin policy, often used to reach internal network services from a victim’s browser. Tested in internal network and web application engagements.

E

EPSS (Exploit Prediction Scoring System)

A probabilistic score (0 to 1) estimating the likelihood that a CVE will be exploited within 30 days. Maintained by FIRST. Often used alongside CVSS to triage patching backlogs. See how Cyber Node prioritises findings.

Essential Eight

See ASD Essential Eight or Essential Eight technical assessments.

Exploit chain

A sequence of individually lower-severity findings combined to achieve an outcome more serious than any one step alone. Chained exploits are where manual testing consistently outperforms automated scanning.

F

FinTech Australia

The peak industry body for Australian FinTech firms. Cyber Node is a member. See FinTech penetration testing.

G

GraphQL injection

Vulnerabilities in GraphQL APIs where attacker-controlled queries access objects, enumerate schemas, or trigger expensive operations. Distinct from SQL injection in scope but with similar root causes. Tested in API penetration testing.

I

IAM

Identity and Access Management. The policies and technical controls that govern who can do what within a cloud environment. Misconfigured IAM is the single most common serious finding in AWS penetration tests.

ICS (Industrial Control System)

Umbrella term for the computing systems that monitor and control industrial processes, including SCADA, DCS, and PLCs. See OT cybersecurity.

IDOR

Insecure Direct Object Reference. Accessing objects by manipulating identifiers in a request when authorisation checks are missing or incomplete. A near-universal finding in API penetration tests.

IEC 62443

International standard for industrial automation and control systems security. Defines zones, conduits, security levels, and lifecycle requirements. The dominant reference for OT cybersecurity programmes. See OT cybersecurity.

Indirect prompt injection

A class of LLM attack where adversarial instructions are smuggled into the model context via untrusted content (a webpage, document, email, or tool response) rather than entered directly by the user. The AI agent reads the malicious instruction and follows it. Tested in AI security assessments.

IRAP

Information Security Registered Assessors Program. Australian Signals Directorate scheme for assessing systems against the ISM. Required for Commonwealth ICT systems handling PROTECTED data and above. Cyber Node refers IRAP assessment work to ASD-endorsed assessors.

ISM (Information Security Manual)

Australian Signals Directorate’s foundational government cybersecurity standard. The control set that IRAP assessments measure against. Updated quarterly. See compliance frameworks.

J

Jailbreak (LLM)

Adversarial input that bypasses an LLM’s safety alignment, causing it to produce content or take actions its training was supposed to prevent. Distinct from prompt injection in that jailbreaks target the model’s safety layer rather than its instruction-following. Tested in AI security assessments.

L

LLM

Large Language Model. The class of AI model underlying modern chatbots and AI copilots. Security assessment of LLM-integrated applications is a core Cyber Node offering. See AI and cloud security.

M

MCP (Model Context Protocol)

An open protocol for connecting language models to tools, data, and other systems. Introduced in late 2024 and widely adopted across LLM products. Security review of MCP-enabled agents is a fast-growing engagement type. See AI security.

MFA

Multi-Factor Authentication. Requiring two or more independent authentication factors. Cyber Node regularly finds MFA bypasses in enterprise SSO implementations. Required by the Essential Eight and most modern compliance frameworks.

MFA fatigue

A social engineering technique where an attacker triggers repeated MFA push notifications until the target accepts one out of frustration or confusion. Largely solved by number matching and FIDO2 hardware tokens.

O

OT (Operational Technology)

Hardware and software that monitors or controls physical devices and processes in industrial environments. Distinguished from IT by uptime requirements and the consequences of failure. See OT cybersecurity.

OWASP LLM Top 10

A list of the most common security risks specific to applications using large language models, maintained by OWASP. Covers prompt injection, training data poisoning, sensitive information disclosure, insecure output handling, model denial of service, supply chain risk, and others. Used as a baseline for AI security testing.

OWASP Top 10

A list of the ten most common web application security risks, maintained by the Open Web Application Security Project. A starting point for web app testing, not an end point. Manual penetration tests use OWASP as a baseline and go further.

P

PCI DSS

Payment Card Industry Data Security Standard. Required for any organisation that processes, stores or transmits cardholder data. Mandates penetration testing on a defined cadence. See PCI DSS penetration testing.

Penetration test

An authorised simulated attack on a system to evaluate its security posture. Cyber Node conducts penetration tests manually, with scanner output used as a supporting tool rather than the output itself. See services or how we test.

PLC

Programmable Logic Controller. The industrial computer that actually runs the process in most OT environments. Tested in OT engagements.

Post-quantum cryptography (PQC)

Cryptographic algorithms designed to resist attack by quantum computers. NIST finalised initial standards in 2024. Most organisations are years away from migration; the immediate security question is "harvest now, decrypt later" risk for long-lived secrets.

Prompt injection

An attack on LLM-based applications where adversarial input overrides the model’s system instructions, often leading to data exfiltration or unauthorised action. Tested in AI security assessments.

Purdue Model

Reference architecture for OT networks that segments by function: enterprise (Level 4–5), supervisory (Level 3), control (Level 1–2), and physical process (Level 0). The conceptual basis for IEC 62443 zone and conduit design. See OT cybersecurity.

R

RAG (Retrieval-Augmented Generation)

A pattern where an LLM retrieves relevant documents from a knowledge store at inference time and includes them in its context. Introduces new attack surface: poisoned retrieval, context window manipulation, and indirect prompt injection via retrieved content. Tested in AI security assessments.

Ransomware-as-a-Service (RaaS)

A criminal business model where ransomware operators license their malware and infrastructure to affiliates who carry out attacks. The dominant ransomware delivery model in 2026. Lowers the technical bar to launching attacks and accelerates the pace of incidents.

RCE

Remote Code Execution. A vulnerability class allowing an attacker to execute arbitrary code on a target system. Almost always a critical-severity finding. Surfaced regularly in manual penetration testing.

Red team

An engagement that simulates a realistic adversary across multiple vectors, including social engineering, physical access, and technical exploitation. Broader in scope than a penetration test. Cyber Node engagements can be scoped as red team or focused penetration test.

S

SBOM (Software Bill of Materials)

A machine-readable inventory of all components, libraries, and dependencies in a software product. Increasingly mandated for government and critical infrastructure procurement. Formats include SPDX and CycloneDX.

SCADA

Supervisory Control and Data Acquisition. The layer of OT architecture responsible for operator visibility and control of industrial processes. See OT cybersecurity.

Shadow AI

Unauthorised use of AI tools by employees, often by pasting sensitive data into public LLM products without organisational oversight. The 2026 equivalent of "shadow IT". Surfaces routinely in vCISO engagements as a discovered exposure.

SOC 2

Service Organization Control 2. An auditing standard for how service providers manage customer data. SaaS vendors often require penetration testing as part of SOC 2 attestation. See SOC 2 penetration testing.

SOCI Act

Security of Critical Infrastructure Act 2018 (Australia). Imposes mandatory cybersecurity obligations on operators of critical infrastructure assets across 11 sectors including energy, water, transport, and healthcare. Includes incident reporting and risk management programme requirements.

SQLi

SQL Injection. A vulnerability class where attacker-controlled input is interpreted as part of a database query. Still present in modern codebases despite decades of awareness. Tested for in web application penetration tests.

SSRF

Server-Side Request Forgery. A vulnerability allowing an attacker to make the server send requests to unintended destinations, often used to reach cloud metadata services. Tested in web application engagements and cloud security assessments.

Subdomain takeover

A vulnerability where an attacker gains control of a subdomain by claiming a dangling DNS reference to a deprovisioned cloud resource. A recurring finding in Cyber Exposure Snapshot scans.

Supply chain attack

Compromise of a target by first compromising a software vendor, dependency, or service provider that the target trusts. SolarWinds, MOVEit, and 3CX are well-known examples. Increasingly common as direct attacks become harder.

V

vCISO

Virtual Chief Information Security Officer. A fractional CISO engagement providing strategic security leadership without a full-time hire. See services.

Vulnerability assessment

An automated or semi-automated scan identifying known vulnerabilities. Distinct from a penetration test, which attempts exploitation to prove impact. Cyber Node services include both.

X

XDR (Extended Detection and Response)

A security platform category that ingests telemetry from endpoints, networks, cloud, and identity for unified detection and response. Successor to SIEM in vendor marketing; in practice most XDR products are repackaged EDR plus integrations.

XSS

Cross-Site Scripting. A vulnerability where attacker-controlled script executes in another user’s browser in the context of a trusted site. Tested for in web application penetration tests.

XXE

XML External Entity. A vulnerability in XML parsers allowing disclosure of internal files or SSRF. Surfaces in XML-handling web app tests.

Z

Zero day

A vulnerability unknown to the vendor or with no available patch. Cyber Node engagements occasionally encounter zero days in custom software, and responsibly disclose them.

Zero Trust

A security architecture principle that treats every request as untrusted regardless of network location, requiring continuous verification of identity and device posture. The opposite of perimeter-based security. The term is widely overused; few organisations actually implement it consistently.

Zone (OT)

A segment of an OT network separated by enforced security boundaries. A core concept in IEC 62443 network architecture. Tested in OT cybersecurity engagements.