Zero Trust ZT
A security model based on the principle of "never trust, always verify." Every request to a resource is authenticated and authorized on its own merits (user identity, device health, and request context), regardless of whether it originates inside or outside the network perimeter; network location alone confers no trust.
Architecture
Multi-Factor Authentication MFA
A security mechanism that requires users to provide two or more verification factors from different categories to gain access to a resource. The categories are something you know (password), something you have (phone, authenticator app, or hardware token), and something you are (biometrics). Two factors from the same category, such as two passwords, do not count as MFA, and SMS codes are the weakest "something you have" factor because they can be intercepted or phished.
Identity
Security Information and Event Management SIEM
A solution that collects, analyzes, and correlates security data from across an organization's IT infrastructure to detect threats, ensure compliance, and manage security incidents.
Operations
Endpoint Detection and Response EDR
Security solutions that monitor endpoints (computers, phones, servers) for suspicious activities, providing visibility, threat detection, investigation, and response capabilities.
Endpoint Security
Extended Detection and Response XDR
An evolution of EDR that integrates data from multiple security layers (endpoint, network, cloud, email) to provide a unified view of threats and enable coordinated response across the entire security stack.
Operations
Identity and Access Management IAM
A framework of policies and technologies for ensuring that the right users have appropriate access to technology resources. It includes user provisioning, authentication, authorization, and identity governance.
Identity
Privileged Access Management PAM
Security solutions that manage and monitor privileged accounts and access to critical systems. PAM helps organizations protect against threats that exploit privileged credentials.
Identity
Cloud Security Posture Management CSPM
Tools that continuously inventory cloud resources and compare their configuration against security benchmarks, flagging and in some cases remediating misconfigurations such as public storage buckets, overly permissive network rules, or disabled logging. CSPM primarily covers IaaS and PaaS; SaaS configuration is usually handled by separate SSPM tooling. It helps ensure cloud environments comply with security best practices and regulatory requirements.
Cloud Security
Security Orchestration, Automation, and Response SOAR
Platforms that combine incident response, orchestration, automation, and threat intelligence to help security teams respond to incidents more efficiently and consistently.
Operations
Just-In-Time Access JIT
A security practice where privileged access is granted only when needed and for the minimum time necessary, then automatically revoked. This reduces the attack surface by removing standing privileges that a stolen credential could use at any time. Grants should carry an expiry and a justification so that every elevation is both bounded and auditable.
Identity
Security Operations Center SOC
A centralized unit that deals with security issues on an organizational and technical level. SOC teams monitor, detect, investigate, and respond to cyber threats around the clock.
Operations
Advanced Persistent Threat APT
A sophisticated, sustained cyberattack in which an intruder establishes an undetected presence in a network to steal sensitive data or maintain access over an extended period. The term usually refers to well-resourced, often state-sponsored groups; "persistent" describes the sustained access and objectives, not any single tool or exploit.
Threats
Common Vulnerabilities and Exposures CVE
A catalog of publicly disclosed cybersecurity vulnerabilities maintained by MITRE. Each entry has a unique identifier of the form CVE-YYYY-NNNN (the sequence part has four or more digits) that security professionals use to reference a specific vulnerability unambiguously; severity scores and enrichment data live in databases such as the NVD that key on the CVE ID.
Vulnerabilities
Indicators of Compromise IOC
Pieces of forensic data that identify potentially malicious activity on a system or network. IOCs include IP addresses, file hashes, domain names, URLs, and registry keys associated with known threats. Because they are cheap for an attacker to change, they are most useful for retrospective searches and short-term blocking; recurring patterns of behaviour are tracked as TTPs instead.
Threat Intelligence
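Matching IOCs against telemetry is the simplest form of detection. The block below is an added example (not code from this site): it scans a few constructed log lines for IP, domain and file-hash indicators. The indicator set and the log lines are sample data; the CIDR and subdomain matching show the two cases a naive string search gets wrong (a whole netblock as one indicator, and a parent domain that must not match a child indicator).

```python
import hashlib
import ipaddress
import re

# Constructed indicator set (sample data, not real threat intelligence). In practice
# this would be loaded from a STIX bundle or a vendor feed.
SAMPLE_HASH = hashlib.sha256(b"sample malicious payload").hexdigest()
IOC_SET = {
    "ip": {ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.7/32")},
    "domain": {"bad-updates.example", "cdn.example.net"},
    "sha256": {SAMPLE_HASH},
}

# Constructed log lines: proxy, DNS and an EDR file-write event, all in key=value form.
SAMPLE_LOGS = [
    "proxy dst=203.0.113.45 host=www.example.org path=/ status=200",
    "dns query=telemetry.bad-updates.example type=A client=10.0.0.12",
    "dns query=example.org type=A client=10.0.0.12",
    "edr event=file_write path=C:\\Users\\a\\AppData\\x.exe sha256=" + SAMPLE_HASH,
    "proxy dst=192.0.2.9 host=cdn.example.net path=/lib.js status=200",
]

KV_RE = re.compile(r"(\w+)=(\S+)")


def domain_matches(name, indicators):
    """True for an exact match or any subdomain of an indicator; a parent domain never matches."""
    name = name.lower().rstrip(".")
    return any(name == ioc or name.endswith("." + ioc) for ioc in indicators)


def ip_matches(addr, networks):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in networks)


def scan_line(line, iocs=IOC_SET):
    """Return the list of (ioc_type, value) hits for one log line."""
    fields = dict(KV_RE.findall(line))
    hits = []
    for key in ("dst", "src", "client"):
        if key in fields and ip_matches(fields[key], iocs["ip"]):
            hits.append(("ip", fields[key]))
    for key in ("host", "query"):
        if key in fields and domain_matches(fields[key], iocs["domain"]):
            hits.append(("domain", fields[key]))
    if "sha256" in fields and fields["sha256"].lower() in iocs["sha256"]:
        hits.append(("sha256", fields["sha256"]))
    return hits


def scan_logs(lines, iocs=IOC_SET):
    """Return (line_index, hits) for every line with at least one indicator match."""
    results = []
    for i, line in enumerate(lines):
        hits = scan_line(line, iocs)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan_logs(SAMPLE_LOGS):
        print(idx, hits, "<-", SAMPLE_LOGS[idx][:60])
```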
Mean Time to Detect MTTD
A key performance metric measuring the average time it takes to discover a security incident or breach. Lower MTTD indicates more effective threat detection capabilities.
Metrics
Mean Time to Respond MTTR
A metric measuring the average time from detection of a security incident to its resolution. The "R" is variously read as Respond, Resolve, or Recover, so define which milestone you measure. Reducing MTTR is critical for minimizing the impact of security breaches.
Metrics
Role-Based Access Control RBAC
An access control method that assigns permissions to users based on their role within an organization. Users can only access the information and resources necessary for their job functions.
Identity
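The RBAC entry above and the Just-In-Time Access entry earlier on this page describe the same decision from two sides: a permission check that walks the principal's roles, and privileged roles that are only ever held through a time-boxed grant. The following is an added example, not code from this site, combining both with a constructed role model; the role and permission names are sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Constructed role model (sample data): each role names the permissions it carries.
ROLE_PERMISSIONS = {
    "reader": {"tickets:read"},
    "engineer": {"tickets:read", "deploy:staging"},
    "prod-oncall": {"deploy:prod", "db:prod:read"},  # privileged: only via a JIT grant
}
JIT_ONLY_ROLES = {"prod-oncall"}
MAX_TTL = timedelta(hours=4)


@dataclass
class Grant:
    role: str
    granted_at: datetime
    expires_at: datetime       # every grant has a hard expiry; there is no standing variant
    justification: str


@dataclass
class Principal:
    name: str
    standing_roles: set = field(default_factory=set)
    grants: list = field(default_factory=list)


def active_roles(p, now):
    roles = set(p.standing_roles)
    roles.update(g.role for g in p.grants if g.granted_at <= now < g.expires_at)
    return roles


def is_allowed(p, permission, now):
    """RBAC decision: the permission must be carried by a role that is active right now."""
    return any(permission in ROLE_PERMISSIONS.get(r, ()) for r in active_roles(p, now))


def assign_standing_role(p, role):
    if role in JIT_ONLY_ROLES:
        raise ValueError(f"{role} may only be held through a time-boxed grant")
    p.standing_roles.add(role)


def request_jit(p, role, justification, now, ttl=timedelta(hours=1)):
    """Grant `role` for `ttl` (capped at MAX_TTL); a justification is required for the audit trail."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError("unknown role")
    if not justification.strip():
        raise ValueError("justification required")
    g = Grant(role, now, now + min(ttl, MAX_TTL), justification)
    p.grants.append(g)
    return g


def revoke(p, role, now):
    """Early revocation: every live grant for `role` expires immediately."""
    for g in p.grants:
        if g.role == role and g.expires_at > now:
            g.expires_at = now


def scenario():
    """Walk through a constructed timeline and return the access decisions made along it."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    alice = Principal("alice")
    assign_standing_role(alice, "engineer")
    out = {"staging_before": is_allowed(alice, "deploy:staging", t0),
           "prod_before": is_allowed(alice, "deploy:prod", t0)}
    request_jit(alice, "prod-oncall", "INC-42 rollback", t0)
    out["prod_during"] = is_allowed(alice, "deploy:prod", t0 + timedelta(minutes=30))
    out["prod_after_expiry"] = is_allowed(alice, "deploy:prod", t0 + timedelta(hours=1))
    out["reader_still_works"] = is_allowed(alice, "tickets:read", t0 + timedelta(hours=2))
    bob = Principal("bob")
    request_jit(bob, "prod-oncall", "INC-43 hotfix", t0, ttl=timedelta(days=1))  # capped to MAX_TTL
    out["bob_capped"] = is_allowed(bob, "deploy:prod", t0 + timedelta(hours=5))
    revoke(bob, "prod-oncall", t0 + timedelta(minutes=10))
    out["bob_revoked"] = is_allowed(bob, "deploy:prod", t0 + timedelta(minutes=11))
    try:
        assign_standing_role(alice, "prod-oncall")
        out["standing_prod_refused"] = False
    except ValueError:
        out["standing_prod_refused"] = True
    return out


if __name__ == "__main__":
    print(scenario())
```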
Single Sign-On SSO
An authentication scheme that allows users to log in once with a single identity provider and then access multiple related but independent applications without re-entering credentials. SSO reduces password sprawl and centralizes session control, but it also makes the identity-provider account a single high-value target, so it should always be paired with MFA and session monitoring.
Identity
Secure Access Service Edge SASE
A cloud architecture that combines network security functions (SWG, CASB, FWaaS, ZTNA) with WAN capabilities to support secure access needs of organizations with distributed users and resources.
Architecture
Cloud Access Security Broker CASB
Security solutions that sit between cloud service consumers and providers to enforce security policies, providing visibility, compliance, data security, and threat protection for cloud applications.
Cloud Security
Data Loss Prevention DLP
A set of tools and processes used to ensure sensitive data is not lost, misused, or accessed by unauthorized users. DLP solutions detect and prevent data breaches and exfiltration.
Data Security
Business Email Compromise BEC
A type of phishing attack where criminals impersonate executives or trusted business partners to trick employees into transferring money or revealing sensitive information.
Threats
Infrastructure as Code IaC
The practice of managing and provisioning computing infrastructure through machine-readable configuration files rather than manual processes. Because the definitions are code, they can be version-controlled, peer-reviewed, tested, and scanned for insecure settings before anything is deployed, and every environment is built the same way.
DevSecOps
Continuous Threat Exposure Management CTEM
A program that continuously and consistently evaluates an organization's attack surface to identify, prioritize, and address the most critical security gaps before attackers can exploit them.
Risk Management
Attack Surface Management ASM
The continuous discovery, inventory, classification, and monitoring of an organization's IT infrastructure to identify all potential entry points that attackers could exploit.
Risk Management
Software Bill of Materials SBOM
A formal, machine-readable inventory of software components and dependencies, including libraries, modules, and their versions. Critical for supply chain security and vulnerability management.
DevSecOps
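The practical use of an SBOM is to join it against advisory data. The block below is an added example, not code from this site: it reads a constructed CycloneDX 1.5 document, extracts package URLs, and checks each component against a constructed advisory list. Both the package names and the EXAMPLE-* identifiers are fictitious; a real pipeline would query OSV or a vendor feed with the same purls.

```python
import json
import re

# Constructed CycloneDX 1.5 SBOM with fictitious packages (sample input, not a real inventory).
SBOM_JSON = """
{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
 "components": [
   {"type": "library", "name": "acme-http", "version": "1.4.2", "purl": "pkg:pypi/acme-http@1.4.2"},
   {"type": "library", "name": "left-shift", "version": "1.2.0", "purl": "pkg:npm/left-shift@1.2.0"},
   {"type": "library", "name": "acme-http", "version": "2.0.1",
    "purl": "pkg:pypi/acme-http@2.0.1?vcs_url=git%2Bhttps://example.invalid/acme"},
   {"type": "library", "name": "yaml-thing", "version": "3.1.0", "purl": "pkg:pypi/yaml-thing@3.1.0"},
   {"type": "file", "name": "vendor-blob.bin", "version": "unknown"}
 ]}
"""

# Constructed advisories with fictitious identifiers and packages (sample data).
ADVISORIES = [
    {"id": "EXAMPLE-0001", "purl": "pkg:pypi/acme-http", "affected": ">=1.0.0,<1.5.0", "fixed": "1.5.0"},
    {"id": "EXAMPLE-0002", "purl": "pkg:npm/left-shift", "affected": "<1.0.0", "fixed": "1.0.0"},
    {"id": "EXAMPLE-0003", "purl": "pkg:pypi/acme-http", "affected": ">=2.0.0,<2.0.3", "fixed": "2.0.3"},
]

CONSTRAINT_RE = re.compile(r"(>=|<=|==|>|<)\s*([\w.\-]+)")


def parse_version(v):
    """Numeric tuple so that 1.10.0 > 1.9.0 (a string compare gets this wrong)."""
    nums = [int(x) for x in re.findall(r"\d+", v)[:3]]
    return tuple(nums + [0] * (3 - len(nums)))


def in_range(version, spec):
    """True when `version` satisfies every comma-separated constraint in `spec`."""
    v = parse_version(version)
    for op, bound in CONSTRAINT_RE.findall(spec):
        b = parse_version(bound)
        if not {">=": v >= b, "<=": v <= b, "==": v == b, ">": v > b, "<": v < b}[op]:
            return False
    return True


def split_purl(purl):
    """'pkg:type/ns/name@version?qualifiers#subpath' -> ('pkg:type/ns/name', 'version')."""
    core = purl.split("#", 1)[0].split("?", 1)[0]
    base, at, version = core.rpartition("@")
    return (base, version) if at else (core, "")


def find_vulnerable(sbom, advisories):
    """Return one finding per (component, advisory) pair whose version falls in the affected range."""
    findings = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            continue  # no purl means nothing to match on; report separately as an SBOM quality gap
        base, version = split_purl(purl)
        for adv in advisories:
            if base == adv["purl"] and version and in_range(version, adv["affected"]):
                findings.append({"component": comp["name"], "version": version,
                                 "id": adv["id"], "fixed_in": adv["fixed"]})
    return findings


SBOM = json.loads(SBOM_JSON)

if __name__ == "__main__":
    for f in find_vulnerable(SBOM, ADVISORIES):
        print(f"{f['component']}@{f['version']}: {f['id']} (fixed in {f['fixed_in']})")
```

Note the component with no purl is skipped rather than silently passed; a real scanner should report such entries, since an SBOM that cannot be matched against advisories is not doing its job.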
Zero Trust Network Access ZTNA
A security framework that provides secure remote access to applications and services based on defined access control policies. Unlike VPNs, ZTNA grants access only to specific applications rather than entire networks.
Architecture
Managed Detection and Response MDR
A cybersecurity service that combines technology and human expertise to perform threat hunting, monitoring, and response. MDR providers act as an extension of an organization's security team.
Operations
Tactics, Techniques, and Procedures TTPs
The patterns of activities and methods associated with specific threat actors or groups. Understanding TTPs helps defenders anticipate and counter adversary behavior.
Threat Intelligence
MITRE ATT&CK
A globally-accessible knowledge base of adversary tactics and techniques based on real-world observations. Used as a foundation for threat models and defensive methodologies.
Threat Intelligence
Lateral Movement
Techniques attackers use to progressively move through a network after gaining initial access, searching for sensitive data and high-value assets while avoiding detection.
Threats
Credential Stuffing
An attack where stolen username/password pairs from data breaches are automatically tested against other websites, exploiting password reuse to gain unauthorized access.
Threats
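Credential stuffing leaves a distinctive trace: one source failing logins against many different accounts in a short window, often followed by a success. The block below is an added example (not code from this site) that runs that detection over a few constructed authentication log lines. The log format and the addresses are sample data.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed authentication log lines (sample input, not captured from a real system).
SAMPLE_AUTH_LOG = [
    "2024-05-01T10:00:00+00:00 auth fail user=alice src=198.51.100.20",
    "2024-05-01T10:00:05+00:00 auth fail user=bob src=198.51.100.20",
    "2024-05-01T10:00:10+00:00 auth fail user=carol src=198.51.100.20",
    "2024-05-01T10:00:12+00:00 auth fail user=dave src=198.51.100.20",
    "2024-05-01T10:00:15+00:00 auth fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:20+00:00 auth fail user=erin src=198.51.100.20",
    "2024-05-01T10:00:30+00:00 auth fail user=alice src=10.0.0.5",
    "2024-05-01T10:00:40+00:00 auth ok user=alice src=10.0.0.5",
    "not a log line at all",
    "2024-05-01T10:00:50+00:00 auth ok user=frank src=198.51.100.20",
]

LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse(line):
    """Return the parsed event, or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    return e


def detect_stuffing(lines, window_s=60, distinct_users=5):
    """Flag a source that fails logins for >= distinct_users different accounts within
    window_s seconds (stuffing), and any later success from that source (likely takeover).
    A user who fails their own password a few times and then succeeds is not flagged."""
    alerts = []
    failures = defaultdict(deque)   # src -> sliding window of (timestamp, user) failures
    flagged = set()
    for line in lines:
        e = parse(line)
        if e is None:
            continue
        src = e["src"]
        if e["result"] == "fail":
            q = failures[src]
            q.append((e["ts"], e["user"]))
            while (e["ts"] - q[0][0]).total_seconds() > window_s:
                q.popleft()
            users = {u for _, u in q}
            if len(users) >= distinct_users and src not in flagged:
                flagged.add(src)
                alerts.append(("stuffing", src, len(users)))
        elif src in flagged:
            alerts.append(("takeover", src, e["user"]))
    return alerts


if __name__ == "__main__":
    for alert in detect_stuffing(SAMPLE_AUTH_LOG):
        print(alert)
```

Real campaigns rotate through proxy pools, so per-source cardinality alone misses the distributed case; complement it with global failure-rate baselines, failures against non-existent accounts, and client fingerprinting, and prefer MFA or passkeys so a correct password is not sufficient on its own.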
Supply Chain Attack
A cyberattack that targets less-secure elements in a supply chain to compromise a primary target. Attackers may inject malicious code into software updates or compromise third-party vendors.
Threats
Principle of Least Privilege PoLP
A security concept requiring that users, programs, and processes be granted only the minimum access rights needed to perform their functions, reducing the attack surface.
Identity
Security Assertion Markup Language SAML
An open standard for exchanging authentication and authorization data between parties, particularly between an identity provider and a service provider for SSO implementations.
Identity
OAuth 2.0
An authorization framework that enables applications to obtain limited, scoped access to a user's account on another service without the user sharing their password with the application. It is a delegated-authorization protocol, not an authentication protocol; OpenID Connect layers identity assertions on top of it for login.
Identity
Container Security
The practice of protecting containerized applications and their infrastructure throughout the development lifecycle, including image scanning, runtime protection, and orchestration security.
Cloud Security
Kubernetes K8s
An open-source container orchestration platform that automates deployment, scaling, and management of containerized applications. Its built-in security controls include RBAC for the API, network policies for pod-to-pod traffic, pod security admission, and secrets management; all of them are off or permissive by default and must be configured deliberately.
Cloud Security
Shift Left Security
The practice of integrating security testing and practices earlier in the software development lifecycle, catching vulnerabilities during development rather than in production.
DevSecOps
Static Application Security Testing SAST
Security testing that analyzes source code, bytecode, or binaries without executing the program. Identifies vulnerabilities like SQL injection, XSS, and buffer overflows during development.
DevSecOps
Dynamic Application Security Testing DAST
Security testing that analyzes running applications by simulating attacks. Unlike SAST, DAST tests the application in its deployed state to find runtime vulnerabilities.
DevSecOps
Penetration Testing Pentest
A simulated cyberattack against a system to evaluate its security. Ethical hackers attempt to exploit vulnerabilities to identify weaknesses before malicious actors can.
Operations
Red Team / Blue Team
Security exercises where a Red Team simulates real-world attacks while a Blue Team defends. Purple Team exercises combine both for collaborative improvement of security posture.
Operations
Phishing
A social engineering attack using fraudulent communications (typically email) that appear to come from reputable sources to steal sensitive data or deploy malware.
Threats
Ransomware
Malware that encrypts a victim's files or systems and demands payment (usually in cryptocurrency) for the decryption key. Modern variants also exfiltrate data before encrypting, so that the threat of publication remains even when backups allow recovery (double extortion).
Threats
Common Vulnerability Scoring System CVSS
An open framework for communicating the severity of software vulnerabilities. The base score ranges from 0.0 to 10.0; in CVSS v3.x, 9.0 and above is rated Critical and 7.0 to 8.9 High. It measures intrinsic severity, not the likelihood of exploitation in a given environment, so it is best combined with exploit and exposure data when prioritizing remediation.
Vulnerabilities
Threat Modeling
A structured approach to identifying and prioritizing potential threats to a system. Common frameworks include STRIDE, PASTA, and attack trees to systematically analyze risks.
Risk Management
Defense in Depth
A security strategy employing multiple layers of controls throughout an IT system. If one layer fails, others continue to provide protection, creating redundancy in security measures.
Architecture
Security by Design
An approach where security is built into products and systems from the beginning rather than added as an afterthought. Includes secure defaults, fail-safe mechanisms, and minimal attack surface.
Architecture
Web Application Firewall WAF
A security solution that monitors, filters, and blocks HTTP traffic to and from web applications by inspecting requests at the application layer. It helps mitigate attacks like SQL injection, XSS, and CSRF, but it is a compensating control that can be bypassed with encoding and evasion tricks; it reduces exposure while the underlying code is fixed rather than replacing that fix.
Network Security
Intrusion Detection System IDS
A system that monitors network traffic for suspicious activity and known threats, alerting administrators when potential intrusions are detected. Can be network-based (NIDS) or host-based (HIDS).
Network Security
Encryption at Rest
The protection of data stored on disks, in databases, or on other storage media by keeping it encrypted on the medium and decrypting only on access. It protects against stolen drives, discarded hardware, and snapshots copied out of a cloud account, but not against an attacker who compromises a host or service that holds the keys, so key management and access control to the decrypting service matter as much as the cipher.
Data Security
Encryption in Transit
The protection of data as it moves between systems or networks using protocols such as TLS (SSL is its deprecated predecessor). It prevents eavesdropping and man-in-the-middle tampering during transmission, provided clients actually validate the server certificate; a client that disables validation gets only the appearance of protection.
Data Security
Incident Response IR
The organized approach to addressing and managing the aftermath of a security breach or cyberattack. Includes preparation, detection, containment, eradication, recovery, and lessons learned.
Operations
Business Continuity Planning BCP
The process of creating systems and procedures to ensure critical business functions can continue during and after a disaster. Includes disaster recovery (DR) for IT systems.
Risk Management
Recovery Point Objective RPO
The maximum acceptable amount of data loss measured in time. An RPO of 1 hour means losing at most the last hour of data is tolerable, which in practice means backups or replication must run at least that often.
Risk Management
Recovery Time Objective RTO
The maximum acceptable time to restore systems after a disaster. An RTO of 4 hours means systems must be operational within 4 hours of an incident.
Risk Management
Prompt Injection
An attack against AI/LLM systems where instructions hidden in input reach the model and are followed as if they came from the operator. In direct injection the attacker types the instructions themselves; in indirect injection they plant them in content the model will later process, such as a web page, a document, an email, or a tool result. The goal is to manipulate the model's behavior, bypass safety controls, or extract the system prompt and any data or tools the model has been given access to.
AI Security
LLM Security
The practice of securing Large Language Model deployments, including protecting against prompt injection, data poisoning, model theft, and ensuring safe outputs. Key concerns include hallucination risks, data leakage, and supply chain attacks on model weights.
AI Security
AI Red Teaming
The practice of adversarially testing AI systems to discover vulnerabilities, biases, and failure modes before deployment. Includes testing for jailbreaks, harmful outputs, and misuse scenarios that traditional security testing may miss.
AI Security
Deepfakes
AI-generated synthetic media (video, audio, images) that convincingly depicts people saying or doing things they never did. Used in social engineering, fraud, and disinformation campaigns. Automated detection tooling exists but lags the generators, so the practical defence is procedural: verify any payment or credential request that arrives by voice or video through an independent channel.
AI Security
Passkeys WebAuthn/FIDO2
A passwordless authentication standard built on public-key cryptography. The private key stays on the authenticator (phone, laptop, or security key) and never leaves it; the server holds only the public key, and each login is a signature over a server challenge that is bound to the web origin, so a look-alike phishing site cannot obtain a signature the real site would accept. This removes password phishing and credential-database theft as attack classes, though session tokens issued after login can still be stolen.
Identity
Cloud Infrastructure Entitlement Management CIEM
Security solutions that manage identities and access entitlements in cloud environments. CIEM helps organizations discover, monitor, and remediate excessive permissions that create security risks across multi-cloud deployments.
Cloud Security
Secrets Management
The practice of securely storing, distributing, and rotating sensitive credentials like API keys, passwords, certificates, and tokens. Tools like HashiCorp Vault and AWS Secrets Manager prevent secrets from being hardcoded or exposed.
DevSecOps
Policy as Code PaC
The practice of defining and managing security and compliance policies in code, enabling version control, automated testing, and consistent enforcement. Tools like Open Policy Agent (OPA) and Sentinel enable declarative policy definitions.
DevSecOps
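The IaC entry earlier on this page and the Policy as Code entry above meet in the pre-deployment check: policies expressed as code evaluated against the infrastructure definition before it is applied. The following is an added example, not code from this site and not OPA or Sentinel; it evaluates three constructed policies against a constructed plan shaped like the JSON that `terraform show -json` emits, then shows the same plan with the weak settings corrected. Resource names and values are sample data.

```python
import copy
import json

# Constructed plan in the shape of `terraform show -json tfplan` output (sample input only).
PLAN_JSON = """
{"planned_values": {"root_module": {"resources": [
  {"address": "aws_security_group.web", "type": "aws_security_group",
   "values": {"ingress": [
     {"from_port": 443, "to_port": 443, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]},
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["0.0.0.0/0"]}]}},
  {"address": "aws_security_group.bastion", "type": "aws_security_group",
   "values": {"ingress": [
     {"from_port": 22, "to_port": 22, "protocol": "tcp", "cidr_blocks": ["10.0.0.0/8"]}]}},
  {"address": "aws_s3_bucket_public_access_block.logs", "type": "aws_s3_bucket_public_access_block",
   "values": {"block_public_acls": false, "block_public_policy": true,
              "ignore_public_acls": true, "restrict_public_buckets": true}},
  {"address": "aws_db_instance.main", "type": "aws_db_instance",
   "values": {"storage_encrypted": false, "publicly_accessible": true}}
]}}}
"""

ADMIN_PORTS = {22, 3389}
ANYWHERE = {"0.0.0.0/0", "::/0"}
PAB_FLAGS = ("block_public_acls", "block_public_policy", "ignore_public_acls", "restrict_public_buckets")


def check_security_group(values):
    """No SSH/RDP reachable from the whole internet; protocol -1 means every port."""
    for rule in values.get("ingress", []):
        if rule.get("protocol") == "-1":
            exposed = sorted(ADMIN_PORTS)
        elif rule.get("protocol") == "tcp":
            exposed = sorted(p for p in ADMIN_PORTS if rule.get("from_port", 0) <= p <= rule.get("to_port", 0))
        else:
            exposed = []
        sources = set(rule.get("cidr_blocks", [])) | set(rule.get("ipv6_cidr_blocks", []))
        if exposed and sources & ANYWHERE:
            yield f"admin port(s) {exposed} reachable from the internet"


def check_public_access_block(values):
    for flag in PAB_FLAGS:
        if values.get(flag) is not True:
            yield f"{flag} must be true"


def check_db_instance(values):
    if values.get("storage_encrypted") is not True:
        yield "storage_encrypted must be true"
    if values.get("publicly_accessible"):
        yield "publicly_accessible must be false"


POLICIES = {
    "aws_security_group": check_security_group,
    "aws_s3_bucket_public_access_block": check_public_access_block,
    "aws_db_instance": check_db_instance,
}


def walk(module):
    """Yield resources from a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from walk(child)


def evaluate(plan):
    """Return (address, message) for every violation; an empty list means the plan passes."""
    violations = []
    for res in walk(plan["planned_values"]["root_module"]):
        check = POLICIES.get(res["type"])
        if check:
            violations.extend((res["address"], msg) for msg in check(res.get("values", {})))
    return violations


def remediated_plan(plan):
    """The same plan with each weak setting corrected, i.e. what a passing plan looks like."""
    fixed = copy.deepcopy(plan)
    for res in walk(fixed["planned_values"]["root_module"]):
        v = res.setdefault("values", {})
        if res["type"] == "aws_security_group":
            v["ingress"] = [r for r in v.get("ingress", []) if not list(check_security_group({"ingress": [r]}))]
        elif res["type"] == "aws_s3_bucket_public_access_block":
            v.update({flag: True for flag in PAB_FLAGS})
        elif res["type"] == "aws_db_instance":
            v.update({"storage_encrypted": True, "publicly_accessible": False})
    return fixed


PLAN = json.loads(PLAN_JSON)

if __name__ == "__main__":
    for address, msg in evaluate(PLAN):
        print(f"FAIL {address}: {msg}")
    print("after remediation:", evaluate(remediated_plan(PLAN)))
```

Wiring `evaluate` into CI as a blocking step is what turns the check into policy as code; the same functions can be run against a live inventory export to catch drift after deployment.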
eBPF Security
Using extended Berkeley Packet Filter (eBPF) technology for security observability and enforcement inside the Linux kernel. Sandboxed programs attached to syscalls, network hooks, and tracepoints give deep visibility into process, file, and network behavior without modifying application code or loading out-of-tree kernel modules.
Cloud Security
Service Mesh
A dedicated infrastructure layer for managing service-to-service communication in microservices architectures. Provides mTLS encryption, traffic management, and observability. Popular implementations include Istio, Linkerd, and Consul Connect.
Architecture