// Cybersecurity Reference · v2.0 · May 2026

The Definitive Cybersecurity Glossary

122 essential terms across 24 domains — from Attack Types and Malware to SIEM, SOC, Zero Trust, and Compliance. Every entry includes a precise definition and a real-world incident example.


A

Access Control (AC)

IAM

The policies, procedures, and mechanisms that restrict access to systems, data, and physical spaces to only authorized users or processes.

Real-World Example

A hospital system enforces role-based access so nurses can view patient records but cannot prescribe medications — only physicians with that role can.

See also: Least Privilege, RBAC, IAM

Advanced Persistent Threat (APT)

Attacks

A prolonged, targeted cyberattack in which an intruder gains and maintains unauthorized access to a network, often remaining undetected for months or years. Typically nation-state or organized crime actors.

Real-World Example

APT29 (Cozy Bear) maintained undetected access inside SolarWinds customer networks for 9+ months, quietly exfiltrating emails from US government agencies.

See also: Kill Chain, Lateral Movement, Dwell Time

Alert Fatigue

SOC

A state in which security analysts become desensitized to high alert volumes, resulting in missed detections and delayed responses due to repetitive or low-quality alerts.

Real-World Example

A Tier 1 analyst handling 800 alerts per shift begins dismissing medium-severity alerts after the first hour — causing a real intrusion to go unnoticed for 14 hours.

See also: False Positive, SIEM, SOAR

Anti-Virus (AV)

Defense

Software that uses signature-based and heuristic detection to identify and block known malware such as viruses, worms, trojans, and spyware.

Real-World Example

Legacy AV blocks a known ransomware strain by its hash, but fails on a polymorphic variant that rewrites its own code on each infection — highlighting AV's limitations.

See also: EDR, Malware, Signature

Attack Surface

Vuln Mgmt

The total number of different points where an unauthorized user can attempt to enter or extract data from an environment. Expanding cloud adoption, remote work, and third-party integrations all increase attack surface.

Real-World Example

A company that deploys a new customer portal, allows BYOD devices, and opens RDP to the internet triples its attack surface — creating three new entry points for attackers.

See also: Misconfiguration, Zero Trust, Vulnerability

Attack Vector

Attacks

The specific path or mechanism used by a threat actor to gain unauthorized access to a system or network.

Real-World Example

The Colonial Pipeline breach attack vector was a single compromised VPN account password with no MFA — granting full network access to the attackers.

See also: Phishing, Exploit, Social Engineering

Audit Trail

Compliance

A chronological, tamper-resistant record of all actions performed in a system — who did what, when, and from where. Essential for forensic investigation and regulatory compliance.

Real-World Example

An audit trail shows a privileged user accessed 12,000 customer records at 2:17am outside business hours — providing the evidence needed to initiate an insider threat investigation.

See also: SIEM, Chain of Custody, Compliance

Authentication

IAM

The process of verifying the identity of a user, device, or system before granting access. Can be based on knowledge (password), possession (token), or inherence (biometrics).

Real-World Example

A banking app requires a password plus a one-time code from an authenticator app before allowing fund transfers — implementing two-factor authentication.

See also: MFA, SSO, Authorization

Authorization

IAM

The process of granting or denying specific permissions to a verified user or system, determining what actions they are allowed to perform after authentication.

Real-World Example

After authenticating successfully, a developer is authorized to deploy code to the staging environment but not to production — enforcing separation of duties.

See also: Authentication, RBAC, Least Privilege

Availability

Fundamentals

The CIA triad pillar ensuring that systems, data, and services are accessible to authorized users when needed. Availability attacks aim to deny access rather than steal data.

Real-World Example

A DDoS attack floods a hospital's patient portal with 2 Tbps of traffic, making it unavailable to clinical staff for 4 hours — a critical availability failure.

See also: CIA Triad, DDoS, Resilience

B

Backdoor

Malware

A covert method for bypassing normal authentication and gaining unauthorized remote access to a system. Often installed by attackers after initial compromise to maintain persistent access.

Real-World Example

After compromising a web server via SQL injection, an attacker uploads a PHP web shell hidden in an image file — creating a backdoor that survives system reboots.

See also: RAT, Persistence, C2

BEC (Business Email Compromise)

Attacks

A social engineering attack in which a threat actor impersonates a trusted executive or partner via email to defraud organizations of money or sensitive data.

Real-World Example

An attacker compromises a CEO's email account and sends an urgent wire transfer request to the CFO. $1.3M is transferred to an overseas account before the fraud is detected.

See also: Phishing, Social Engineering, MFA

Beaconing

Detection

Regular, scheduled outbound network communications from a compromised system to a C2 server. Beacons signal the implant's availability and receive new instructions from the attacker.

Real-World Example

A workstation sends an HTTPS POST request to an unknown IP every 57 seconds, jittered by ±15 seconds. RITA detects the periodic pattern as a beaconing signature.

See also: C2, RITA, Zeek

Botnet

Attacks

A network of internet-connected devices infected with malware and controlled remotely by a threat actor (botmaster), used to launch DDoS attacks, send spam, or conduct credential stuffing.

Real-World Example

The Mirai botnet infected 600,000 IoT devices (cameras, routers) by guessing default credentials, using them to launch the 2016 DDoS attack that took down Dyn DNS and disrupted Twitter, Netflix, and Reddit.

See also: DDoS, Malware, C2

Brute Force

Attacks

An attack method that systematically tries every possible combination of passwords or encryption keys until the correct one is found. Made feasible by automated tools and weak passwords.

Real-World Example

An attacker uses Hydra to attempt 10,000 password combinations against an SSH service. The account uses 'Password1' and is compromised in 6 seconds.

See also: Credential Stuffing, MFA, Password Policy

Buffer Overflow

Attacks

A vulnerability in which a program writes more data to a memory buffer than it can hold, corrupting adjacent memory. Attackers exploit this to inject shellcode and gain code execution.

Real-World Example

MS Blaster (2003) exploited a buffer overflow in Windows DCOM RPC, spreading to millions of systems without any user interaction — a classic remote code execution via buffer overflow.

See also: Exploit, Memory Safety, Zero-Day

C

C2 (Command and Control)

Attacks

The infrastructure and protocols used by threat actors to remotely communicate with, direct, and exfiltrate data from compromised systems. Disrupting C2 is a primary goal of incident response.

Real-World Example

An attacker hosts their Cobalt Strike C2 server behind Cloudflare Workers, making the malicious domain appear legitimate and bypassing basic domain reputation blocking.

See also: Beaconing, Malware, Lateral Movement

CIA Triad

Fundamentals

The foundational model of information security comprising Confidentiality (data accessible only to authorized parties), Integrity (data accuracy and completeness), and Availability (data accessible when needed).

Real-World Example

Ransomware attacks all three CIA pillars: it violates Confidentiality by stealing data, Integrity by encrypting files, and Availability by locking organizations out of their systems.

See also: Confidentiality, Integrity, Availability

CIS Controls

Frameworks

A prioritized set of 18 cybersecurity best practices from the Center for Internet Security, organized into Implementation Groups (IG1-IG3) based on organizational maturity and resources.

Real-World Example

A CISO uses the CIS Controls to build a security roadmap: start with IG1 (basic hygiene — inventory, patching, MFA), then progressively implement IG2 and IG3 controls.

See also: NIST CSF, ISO 27001, Risk Management

Cloud Security

Defense

The set of policies, controls, and technologies used to protect cloud-based systems, data, and infrastructure from threats. Covers IaaS, PaaS, and SaaS environments.

Real-World Example

A misconfigured S3 bucket exposes 100GB of customer PII publicly. Cloud security posture management (CSPM) tools would have detected the public access setting in real time.

See also: CASB, Misconfiguration, IAM

Confidentiality

Fundamentals

The CIA triad pillar protecting sensitive information from unauthorized disclosure. Achieved through encryption, access controls, and data classification.

Real-World Example

A healthcare organization encrypts all PHI (Protected Health Information) at rest using AES-256, ensuring that even if storage media is stolen, patient data cannot be read.

See also: CIA Triad, Encryption, DLP

Compensating Control

Compliance

An alternative security safeguard implemented when a required primary control cannot be applied due to technical or operational constraints. Must be documented and approved.

Real-World Example

A legacy ICS system cannot be patched (it would break industrial operations). A compensating control isolates it in a network segment with no internet access and enhanced monitoring.

See also: Risk Management, Audit Trail, ISO 27001

Credential Stuffing

Attacks

An automated attack that uses stolen username/password pairs from one breach to attempt login to other services, exploiting users who reuse passwords across multiple accounts.

Real-World Example

After the LinkedIn breach exposed 117M credentials, attackers used automated tools to test those credentials against Netflix, Spotify, and PayPal — successfully accessing accounts where passwords were reused.

See also: Brute Force, MFA, IAM

Cryptography

Fundamentals

The mathematical science of securing communications and data by transforming plaintext into unreadable ciphertext using algorithms and keys.

Real-World Example

TLS 1.3 uses asymmetric cryptography (RSA/ECDH) to exchange a session key, then switches to symmetric AES-256-GCM for the actual data transfer — balancing security with performance.

See also: Encryption, PKI, TLS

CSPM (Cloud Security Posture Management)

Defense

Tools that continuously monitor cloud infrastructure for misconfigurations, compliance violations, and security risks across multi-cloud environments.

Real-World Example

CSPM detects that a developer accidentally made an Azure Blob container publicly accessible during testing. An automated alert and remediation policy instantly reverts it to private.

See also: Cloud Security, Misconfiguration, Compliance

CVE (Common Vulnerabilities and Exposures)

Vuln Mgmt

A publicly maintained list of disclosed security vulnerabilities, each assigned a unique identifier (e.g., CVE-2021-44228). Maintained by MITRE and used universally across the security industry.

Real-World Example

Log4Shell (CVE-2021-44228) became the most critical CVE of 2021 — affecting millions of Java applications and requiring emergency patching globally within days of disclosure.

See also: CVSS, NVD, Patch Management

CVSS (Common Vulnerability Scoring System)

Vuln Mgmt

A standardized, vendor-agnostic system for rating the severity of cybersecurity vulnerabilities on a scale of 0.0–10.0, based on exploitability and impact metrics.

Real-World Example

Log4Shell received a CVSS 3.1 score of 10.0 — the highest possible — due to network-accessible remote code execution with no authentication or user interaction required.

See also: CVE, NVD, Patch Management

Cyber Kill Chain

Detection

Lockheed Martin's model describing the seven sequential stages of a cyberattack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, C2, and Actions on Objectives.

Real-World Example

An analyst maps an APT intrusion to the kill chain: LinkedIn scraping (Recon) → spear phishing (Delivery) → macro execution (Exploitation) → Cobalt Strike (C2) → data theft (Actions).

See also: MITRE ATT&CK, Lateral Movement, TTP

D

Data Classification

Compliance

The process of categorizing data by sensitivity level (e.g., Public, Internal, Confidential, Restricted) to determine appropriate handling, storage, and access controls.

Real-World Example

An organization classifies its customer PII as Restricted, triggering automatic encryption, strict RBAC enforcement, and DLP rules that prevent the data from leaving the corporate network.

See also: DLP, IAM, Compliance

DDoS (Distributed Denial of Service)

Attacks

An attack that overwhelms a target's infrastructure with traffic from thousands or millions of sources, rendering services unavailable to legitimate users.

Real-World Example

The 2016 Mirai DDoS attack on Dyn DNS peaked at 1.2 Tbps, disrupting Twitter, GitHub, Netflix, and Reddit for hours — demonstrating how IoT botnets can take down critical internet infrastructure.

See also: Botnet, Availability, WAF

Defense in Depth

Frameworks

A security strategy that employs multiple layers of complementary controls so that if one control fails, others still protect the asset. Also known as the 'castle approach.'

Real-World Example

A layered defense protects email: spam filter → AV scan → sandbox detonation → EDR on endpoint → SIEM correlation → analyst review. An attacker must bypass all six layers.

See also: Security Architecture, Zero Trust, Layered Security

DFIR (Digital Forensics and Incident Response)

Forensics

The combined discipline of collecting, preserving, and analyzing digital evidence from systems (forensics) while simultaneously containing and remediating active security incidents (IR).

Real-World Example

After a ransomware alert, the DFIR team uses Velociraptor to image the infected endpoint and capture memory before isolation — preserving forensic evidence while also beginning containment.

See also: Forensics, Incident Response, Chain of Custody

DLP (Data Loss Prevention)

Defense

Technology that monitors and controls the transfer of sensitive data across endpoints, networks, email, and cloud services to prevent unauthorized exfiltration.

Real-World Example

A DLP rule blocks a contractor from uploading a file containing 500+ credit card numbers to personal Google Drive, generates an alert, and notifies the security team automatically.

See also: Data Classification, Exfiltration, IAM

DNS Tunneling

Network

A technique that encodes data within DNS queries and responses to exfiltrate information or communicate with C2 servers, bypassing firewalls that allow unrestricted DNS traffic.

Real-World Example

Malware on an air-gapped finance network encodes stolen data as Base64 in DNS subdomain queries to attacker.com. The firewall allows DNS traffic, so the exfiltration goes undetected for weeks.

See also: C2, Exfiltration, Network Security

Dwell Time

Detection

The duration between an attacker's initial compromise of a network and the detection of that intrusion. Shorter dwell times correlate directly with reduced breach impact and cost.

Real-World Example

The SolarWinds SUNBURST backdoor had an average dwell time of 9–14 months across affected organizations. Some victims were compromised for over a year before detection.

See also: MTTD, APT, Threat Hunting

E

East-West Traffic

Network

Network traffic flowing laterally between systems within the same data center, cloud environment, or internal network — as opposed to north-south traffic flowing between internal and external networks.

Real-World Example

An attacker who compromised a developer's workstation moves east-west to a build server on the same VLAN by reusing credentials — never crossing a perimeter firewall.

See also: Lateral Movement, Micro-Segmentation, NDR

EDR (Endpoint Detection and Response)

Defense

Security software deployed on endpoints that continuously monitors for malicious activity, records behavioral telemetry, and enables automated or analyst-driven response actions.

Real-World Example

An EDR agent detects cmd.exe spawning from a suspicious parent process, captures the full process tree and memory, automatically quarantines the process, and alerts the SOC — all within milliseconds.

See also: XDR, SIEM, Threat Hunting

Encryption

Fundamentals

The transformation of plaintext data into unreadable ciphertext using a cryptographic algorithm and key, ensuring only authorized parties with the correct key can read the data.

Real-World Example

A laptop containing customer PII is stolen from an employee. Because the disk is encrypted with BitLocker (AES-256), the attacker cannot access any data without the decryption key.

See also: Cryptography, PKI, TLS

Endpoint

Fundamentals

Any physical device that connects to a network and serves as an entry point — including desktops, laptops, mobile devices, servers, and IoT devices.

Real-World Example

Every employee laptop, corporate smartphone, and IoT sensor on the factory floor is an endpoint. Unmanaged endpoints (e.g., personal phones accessing corporate email) represent a significant blind spot.

See also: EDR, Attack Surface, MDM

Escalation Path

SOC

The defined workflow specifying when and how security incidents are elevated from Tier 1 to Tier 2 to Tier 3 analysts, and when to invoke executive-level or legal response.

Real-World Example

A Tier 1 analyst cannot determine if a PowerShell alert is malicious after 20 minutes. Per the escalation path, they immediately escalate to Tier 2 with full context documented.

See also: SOC, Runbook, Incident Response

Exfiltration

Attacks

The unauthorized transfer of data from a victim's environment to an attacker-controlled destination. Often the ultimate objective of an intrusion.

Real-World Example

Attackers compress and encrypt stolen database records, then exfiltrate 47GB to an attacker-controlled AWS S3 bucket over HTTPS — blending with legitimate cloud traffic to avoid detection.

See also: Kill Chain, DLP, C2

Exploit

Attacks

Code, data, or a sequence of commands that takes advantage of a software or hardware vulnerability to cause unintended behavior — typically gaining unauthorized access or code execution.

Real-World Example

EternalBlue exploited CVE-2017-0144 in Windows SMBv1 to achieve unauthenticated remote code execution. It was weaponized in both WannaCry and NotPetya ransomware.

See also: Zero-Day, CVE, Buffer Overflow

F

False Negative

Detection

A security failure in which malicious activity occurs but is not detected by security controls. False negatives represent undetected threats — arguably more dangerous than false positives.

Real-World Example

A sophisticated rootkit modifies kernel data structures to hide its processes from the EDR agent. The EDR reports no threats (false negative) while the attacker operates freely.

See also: False Positive, EDR, Tuning

False Positive

Detection

An alert generated by a security tool that incorrectly identifies legitimate activity as malicious. High false-positive rates cause alert fatigue and erode analyst trust in tooling.

Real-World Example

A SIEM rule fires every time an admin uses PowerShell for legitimate patch management, generating 300 false positives per week and causing analysts to tune out the rule entirely.

See also: Alert Fatigue, SIEM, Tuning

Firewall

Network

A network security device or software that monitors and filters incoming and outgoing traffic based on predefined security rules, acting as a barrier between trusted and untrusted networks.

Real-World Example

A next-generation firewall (NGFW) identifies Cobalt Strike HTTPS traffic by its JA3 TLS fingerprint and blocks the connection — even though it uses legitimate HTTPS port 443.

See also: WAF, Micro-Segmentation, Network Security

Forensics

Forensics

The practice of collecting, preserving, and analyzing digital evidence from devices and networks in a scientifically rigorous way that maintains evidentiary integrity for legal proceedings.

Real-World Example

After a data breach, forensic analysts recover deleted files using Autopsy, analyze memory for injected malware with Volatility, and reconstruct the attacker's exact timeline of actions.

See also: DFIR, Chain of Custody, Incident Response

FIDO2

IAM

An open authentication standard that enables passwordless and phishing-resistant authentication using hardware security keys or biometrics, eliminating the risk of stolen passwords.

Real-World Example

After a wave of phishing attacks stealing passwords, an organization deploys YubiKey hardware tokens for all employees. FIDO2 authentication stops phishing-based account takeovers entirely.

See also: MFA, Phishing, IAM

G

GRC (Governance, Risk and Compliance)

Compliance

An integrated framework for managing an organization's governance structures, risk management processes, and compliance with regulatory requirements.

Real-World Example

A CISO implements a GRC platform to track ISO 27001 controls, manage risk exceptions, and demonstrate compliance to auditors — replacing manual spreadsheet-based tracking.

See also: ISO 27001, NIST CSF, Risk Management

H

Hash

Fundamentals

A one-way cryptographic function that produces a fixed-length output (digest) from any input. Used to verify data integrity and store passwords securely.

Real-World Example

An analyst compares the SHA-256 hash of a suspicious file against VirusTotal's database and finds a match with known ransomware — confirming malicious intent without executing the file.

See also: Cryptography, IOC, Forensics

Honeypot

Defense

A decoy system or resource intentionally deployed to attract and detect attackers, providing early warning of intrusion attempts and intelligence about attacker techniques.

Real-World Example

A honeypot server running fake SMB shares triggers an alert when an attacker (who gained access via phishing) attempts to spread laterally and accesses the decoy — revealing the intrusion immediately.

See also: Deception Technology, Threat Intelligence, Detection

HIDS (Host-based Intrusion Detection System)

Defense

Security software running on individual hosts that monitors system activity — files, logs, processes, and registry — for signs of malicious behavior or policy violations.

Real-World Example

Wazuh (HIDS) detects that a critical Windows system binary (svchost.exe) has been modified, triggers an alert, and logs the file hash change — indicating a potential rootkit installation.

See also: Wazuh, EDR, SIEM

I

IAM (Identity and Access Management)

IAM

The complete framework for managing digital identities — creating, maintaining, and deactivating user accounts — and controlling their access to systems and data throughout the identity lifecycle.

Real-World Example

When an employee is terminated, the IAM system automatically disables the user's Active Directory account, revokes SSO sessions, removes MFA devices, and audits all active sessions within 5 minutes.

See also: RBAC, MFA, PAM

IDS (Intrusion Detection System)

Defense

A system that passively monitors network traffic or host activity for suspicious patterns and generates alerts — without actively blocking traffic. Contrast with IPS.

Real-World Example

Suricata running in IDS mode detects a pattern matching a known Metasploit payload in network traffic and logs an alert — but does not block the packet, leaving response to analysts.

See also: IPS, Suricata, SIEM

Incident Response (IR)

SOC

The organized approach to addressing and managing the aftermath of a security breach or cyberattack, following a structured lifecycle: Prepare, Detect, Contain, Eradicate, Recover, and Learn.

Real-World Example

After detecting ransomware, the IR team follows their playbook: isolate affected hosts → preserve forensic images → identify patient zero → remove malware → restore from backups → conduct RCA.

See also: DFIR, Playbook, MTTR

Insider Threat

Attacks

A security risk originating from current or former employees, contractors, or business partners who misuse their authorized access — intentionally or accidentally — to harm the organization.

Real-World Example

A departing sales rep downloads the entire customer database to personal storage three days before resignation. UEBA detects the anomalous bulk data access and alerts the security team.

See also: DLP, UEBA, IAM

Integrity

Fundamentals

The CIA triad pillar ensuring that data remains accurate, complete, and unmodified by unauthorized parties throughout its lifecycle.

Real-World Example

File Integrity Monitoring (FIM) detects that /etc/passwd on a Linux server was modified at 3:12am without a corresponding change management ticket — indicating unauthorized system modification.

See also: CIA Triad, FIM, Forensics

IOC (Indicator of Compromise)

Detection

Observable evidence that suggests a system or network may have been compromised, including malicious IP addresses, file hashes, domain names, registry keys, and unusual process names.

Real-World Example

After analyzing a phishing email, the SOC extracts the C2 domain, attachment hash, and sending IP as IOCs. These are ingested into MISP and blocked across all security controls within 30 minutes.

See also: MISP, TTP, Threat Intelligence

IPS (Intrusion Prevention System)

Defense

An active security system that monitors network traffic or host activity and automatically blocks detected threats in real time — an evolution of passive IDS.

Real-World Example

Suricata configured as an IPS drops a packet containing a known Cobalt Strike malleable C2 profile signature — blocking the C2 beacon before it reaches the implant on the compromised host.

See also: IDS, Suricata, Network Security

ISO 27001

Compliance

An internationally recognized standard for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS).

Real-World Example

A fintech company achieves ISO 27001 certification after implementing 93 controls across 11 clauses — demonstrating to enterprise clients that their security program meets global standards.

See also: NIST CSF, GRC, Compliance

J

JA3

Detection

A method for fingerprinting TLS client behavior based on the parameters used in the SSL/TLS handshake. Used to identify malicious tools by their TLS signature even on encrypted traffic.

Real-World Example

The Cobalt Strike C2 beacon has a distinctive JA3 fingerprint. Even when C2 traffic uses legitimate HTTPS, network security tools can identify and block it by its TLS handshake pattern.

See also: TLS, Network Security, Threat Hunting

K

Keylogger

Malware

Malware that records every keystroke made on a victim's device, capturing passwords, credit card numbers, personal messages, and other sensitive input.

Real-World Example

A banking trojan's keylogger module records credentials when the victim logs into their online bank. The captured data is sent to the C2 server every 30 minutes in encrypted chunks.

See also: RAT, Spyware, C2

Kill Chain

Detection

Lockheed Martin's model of the sequential stages of a cyberattack. Breaking any link in the chain prevents the attack from achieving its objective.

Real-World Example

SOC analysts detect the attack at the Delivery stage when the phishing email is flagged by the mail gateway. By pulling the email before the user clicks, they break the kill chain before Exploitation.

See also: MITRE ATT&CK, TTP, Lateral Movement

L

Lateral Movement

Attacks

Post-compromise techniques used by attackers to progressively move through a network, pivoting from host to host to access higher-value targets.

Real-World Example

After compromising a developer's workstation via phishing, an attacker uses Mimikatz to extract cached credentials, then uses those to RDP into the build server — moving laterally without triggering new alerts.

See also: Kill Chain, Pass-the-Hash, Privilege Escalation

Least Privilege

IAM

The security principle that every user, process, or system should have only the minimum access rights required to perform its intended function — nothing more.

Real-World Example

A web application's database service account has only SELECT permissions on the tables it needs. When the account is compromised, the attacker cannot modify or delete data.

See also: RBAC, PAM, IAM

Log Management

SOC

The systematic collection, storage, normalization, and analysis of log data from across the IT environment to support security monitoring, compliance, and forensic investigation.

Real-World Example

A centralized log management platform (ELK Stack) aggregates 50GB of logs per day from 300 sources. Without it, correlating an attack spanning 12 different systems would take weeks.

See also: SIEM, Audit Trail, Forensics

M

Malware

Malware

A broad category of malicious software designed to disrupt, damage, or gain unauthorized access to computer systems. Includes viruses, worms, trojans, ransomware, spyware, and rootkits.

Real-World Example

Emotet malware arrived via phishing emails, downloaded additional payloads (TrickBot, QakBot), and ultimately deployed ransomware — using a modular architecture to evade detection.

See also: Ransomware, Trojan, RAT

MFA (Multi-Factor Authentication)

IAM

An authentication method requiring users to verify their identity using two or more factors: something they know (password), have (token), or are (biometric). The most effective single control against credential theft.

Real-World Example

Despite a successful phishing attack capturing a user's password, the attacker cannot access the account because they cannot approve the Duo push notification on the user's enrolled mobile device.

See also: IAM, Phishing, FIDO2

Micro-Segmentation

Network

A security technique that divides networks into small, isolated zones with granular firewall policies between them — limiting an attacker's ability to move laterally after compromise.

Real-World Example

In a micro-segmented AWS environment, a compromised web server cannot reach the database tier because host-based firewall rules allow only port 443 inbound — blocking all east-west database connections.

See also: Zero Trust, East-West Traffic, Firewall

MISP (Malware Information Sharing Platform)

Threat Intel

An open-source threat intelligence platform enabling organizations to share, correlate, and act on structured threat data including IOCs, TTPs, and threat actor profiles.

Real-World Example

A healthcare ISAC publishes new ransomware IOCs to MISP after an attack on a member hospital. All subscribing organizations automatically ingest and block the IOCs within minutes.

See also: IOC, OpenCTI, Threat Intelligence

MITRE ATT&CK

Frameworks

A globally accessible, continuously updated knowledge base of real-world adversary tactics (the why) and techniques (the how), organized into a matrix by attack phase.

Real-World Example

After an incident, the SOC maps the attacker's behavior: T1566.001 (Spear Phishing), T1059.001 (PowerShell), T1003.001 (LSASS Dump), T1041 (Exfiltration over C2). This creates a complete detection gap analysis.

See also: TTP, Threat Hunting, Kill Chain

MTTD (Mean Time to Detect)

SOC

The average time between when a security incident begins and when the security team first detects it. A primary KPI for SOC effectiveness and a predictor of breach severity.

Real-World Example

Before SIEM tuning, MTTD averaged 21 days. After implementing behavioral detection rules and 24/7 coverage, MTTD dropped to 4 hours — dramatically limiting attacker dwell time.

See also: MTTR, Dwell Time, SIEM

MTTR (Mean Time to Respond)

SOC

The average time from initial detection of an incident to full containment and remediation. Automation and well-practiced playbooks are the most effective levers for reducing MTTR.

Real-World Example

A SOAR playbook automatically isolates the compromised host, resets user credentials, and creates a P1 ticket in 45 seconds — reducing MTTR from hours to under a minute for this incident type.

See also: MTTD, SOAR, Playbook

N

NDR (Network Detection and Response)

Defense

Security solutions that analyze network traffic using behavioral analytics, ML, and threat intelligence to detect threats — particularly east-west traffic that endpoint agents cannot see.

Real-World Example

NDR detects unusual SMB connections from a workstation to 47 internal hosts in 90 seconds — a pattern consistent with EternalBlue scanning. No EDR alert fired because the scanning tool was fileless.

See also: XDR, Zeek, Suricata

NIST CSF (NIST Cybersecurity Framework)

Frameworks

A voluntary, risk-based framework from the National Institute of Standards and Technology organizing cybersecurity activities into five core functions: Identify, Protect, Detect, Respond, Recover.

Real-World Example

A CISO uses NIST CSF to present the board a heat map: green on Protect, yellow on Identify, red on Detect and Respond — justifying a $2M investment in SIEM and SOC capabilities.

See also: ISO 27001, CIS Controls, Risk Management

NVD (National Vulnerability Database)

Vuln Mgmt

The US government's repository of vulnerability management data, enriching CVE information with CVSS scores, affected product lists, and remediation guidance.

Real-World Example

After a vulnerability scanner discovers an unpatched Apache server, the analyst checks NVD for CVE-2021-41773 to confirm the CVSS score (9.8 — critical) and identify the exact patch required.

See also: CVE, CVSS, Patch Management

O

OSINT (Open Source Intelligence)

Threat Intel

Intelligence gathered from publicly available sources including social media, news, public records, code repositories, and dark web forums to identify threats or vulnerabilities.

Real-World Example

A threat intelligence team uses OSINT to discover that an attacker group is discussing targeting their organization on a dark web forum — enabling proactive defensive measures before an attack occurs.

See also: Threat Intelligence, Reconnaissance, MISP

OWASP (Open Web Application Security Project)

Frameworks

A nonprofit organization producing freely available resources on web application security. Best known for the OWASP Top 10 — a consensus list of the most critical web application risks.

Real-World Example

The OWASP Top 10 guides a development team's security review: they discover the new API lacks authentication on two endpoints (Broken Access Control — #1 on the list) and remediate before launch.

See also: WAF, Injection, Vulnerability

P

PAM (Privileged Access Management)

IAM

A cybersecurity strategy and technology for securing, controlling, and monitoring access to critical systems by privileged accounts such as administrators, service accounts, and root users.

Real-World Example

When an admin needs database access, the PAM system issues a one-time, time-limited credential. The full session is recorded, and the password is rotated automatically after it expires.

See also: Least Privilege, RBAC, IAM

Patch Management

Vuln Mgmt

The systematic process of identifying vulnerable systems, testing patches, deploying fixes, and verifying remediation — governed by risk-based SLAs (e.g., Critical = 24hr, High = 7 days).

Real-World Example

Log4Shell drops on a Friday afternoon. The patch management process identifies 847 vulnerable instances by Saturday morning and confirms full remediation across all systems within the 24-hour critical SLA.

See also: CVE, CVSS, Vulnerability Scanner

Penetration Testing (Pen Test)

Vuln Mgmt

An authorized simulated cyberattack against a system or organization to identify exploitable vulnerabilities before real attackers do. Distinct from vulnerability scanning — pen testing actively exploits vulnerabilities.

Real-World Example

An external pen test discovers that an internet-facing admin panel accepts default credentials and has no IP allowlisting — a critical finding that the vulnerability scanner missed entirely.

See also: Vulnerability Scanner, Red Team, Attack Surface

Persistence

Attacks

Techniques used by attackers to maintain their foothold on a compromised system across reboots, credential resets, or other interruptions — ensuring continued access.

Real-World Example

After compromising a Windows server, an attacker creates a scheduled task that runs at startup and re-downloads the implant from a GitHub Gist if it's removed — ensuring persistence survives routine EDR cleanup.

See also: Backdoor, Kill Chain, C2

Phishing

Attacks

A social engineering attack using deceptive emails, messages, or websites to trick victims into revealing credentials, installing malware, or authorizing fraudulent transactions. Spear phishing targets specific individuals.

Real-World Example

A convincing email appearing to be from Microsoft IT Support asks an employee to verify their account. The linked page is a pixel-perfect replica of the Microsoft login — capturing credentials on submission.

See also: BEC, Social Engineering, MFA

PKI (Public Key Infrastructure)

Fundamentals

The system of hardware, software, policies, and procedures for creating, distributing, managing, and revoking digital certificates used in asymmetric cryptography.

Real-World Example

A PKI system issues digital certificates to all corporate devices. When a device certificate expires or is revoked, the device is automatically denied access to corporate Wi-Fi and VPN.

See also: Cryptography, TLS, Encryption

Playbook

SOC

A documented, tested, step-by-step response procedure for a specific incident type — designed to ensure consistent, fast, and repeatable security responses.

Real-World Example

The phishing playbook automatically triggers on alert: extract URLs → query VirusTotal → detonate attachment in sandbox → block IOCs → pull email from all mailboxes → open a ticket for the analyst. All in 90 seconds.

See also: Runbook, SOAR, Incident Response

Post-Mortem

Incident Response

A structured, blameless review conducted after a security incident to analyze what happened, why controls failed, and what process or technical improvements will prevent recurrence.

Real-World Example

The ransomware post-mortem reveals the root cause: an unpatched internet-facing Citrix server (CVE-2019-19781) that was missed in vulnerability scanning. Emergency scan coverage is immediately expanded.

See also: Root Cause Analysis, Playbook, Threat Hunting

Privilege Escalation

Attacks

A technique in which an attacker gains higher-level system permissions than initially obtained, moving from standard user to admin or SYSTEM/root privileges.

Real-World Example

An attacker with a low-privilege web shell exploits PrintNightmare (CVE-2021-34527) to gain SYSTEM privileges on the server — escalating from limited code execution to full control.

See also: Lateral Movement, Exploit, PAM

R

Ransomware

Malware

Malware that encrypts victim files or systems and demands payment for decryption. Modern ransomware operations use double extortion: encrypting data AND threatening to publish it.

Real-World Example

The Kaseya VSA supply chain attack delivered REvil ransomware to 1,500 businesses simultaneously. The $70M ransom demand was the largest at the time of the attack.

See also: Malware, Supply Chain Attack, Backup

RAT (Remote Access Trojan)

Malware

Malware that opens a covert remote control channel to the attacker, enabling full control of the victim's system including keylogging, screen capture, file access, and webcam activation.

Real-World Example

AsyncRAT installed via phishing provides the attacker with real-time video of the victim's screen, a file manager, and a keylogger — giving complete visibility into the victim's activity.

See also: Backdoor, Keylogger, C2

RBAC (Role-Based Access Control)

IAM

An access control model assigning permissions to roles rather than individuals — users receive access by being assigned to roles corresponding to their job function.

Real-World Example

All members of the 'Finance' role can read financial reports but only 'Finance Manager' can approve transfers. When an employee moves teams, their role changes and access is automatically adjusted.

See also: Least Privilege, IAM, PAM

Red Team

Vuln Mgmt

A group of security professionals authorized to simulate real-world adversary attacks against an organization to test the effectiveness of its defenses, detection, and response capabilities.

Real-World Example

A red team spends 6 weeks attempting to access the crown jewels database. They succeed via: phishing → lateral movement → credential dump → database access. Detection never fired — a critical finding.

See also: Penetration Testing, Blue Team, Purple Team

Residual Risk

Compliance

The level of risk that remains after security controls have been applied. Residual risk must be formally accepted by a risk owner or further mitigated.

Real-World Example

After implementing MFA, patching, and network segmentation, a residual risk of ransomware remains due to a legacy system that cannot be patched. The CISO formally accepts this residual risk with the board's sign-off.

See also: Risk Management, Compensating Control, GRC

Risk Management

Compliance

The continuous process of identifying, assessing, prioritizing, and treating cybersecurity risks based on their likelihood and potential business impact.

Real-World Example

A risk assessment identifies that a critical SCADA system has internet exposure rated Critical likelihood and Critical impact. The risk register prioritizes immediate remediation above all other projects.

See also: GRC, Risk Quantification, NIST CSF

Risk Quantification

Compliance

The translation of cybersecurity risks into financial terms (Annual Loss Expectancy, ALE) to enable business-level decision-making and prioritization of security investments.

Real-World Example

Using the FAIR framework, the security team quantifies the ALE of an unpatched internet-facing RDP server at $3.8M/year — justifying a $40K remediation project to the CFO in financial terms.

See also: NIST CSF, GRC, Risk Management

Rootkit

Malware

Malware designed to conceal itself and other malicious software from security tools by operating at the kernel level or modifying OS components.

Real-World Example

The UEFI-level LoJax rootkit survives complete disk wipes and OS reinstallation by hiding in firmware — requiring physical replacement of the motherboard to fully remediate.

See also: Malware, Persistence, Forensics

Root Cause Analysis (RCA)

Incident Response

A systematic method to identify the fundamental reason a security incident occurred — looking beyond symptoms to the underlying process, technical, or configuration failures.

Real-World Example

RCA after a breach reveals the root cause is not the phished employee — but the absence of phishing-resistant MFA for all remote access. FIDO2 rollout becomes the corrective action.

See also: Post-Mortem, DFIR, Incident Response

Runbook

SOC

A detailed operational procedure for routine, repeatable SOC tasks — typically written at a technical level that a Tier 1 analyst can execute without senior guidance.

Real-World Example

The 'Wazuh High Alert Triage' runbook walks a Tier 1 analyst through 18 decision steps to determine if an alert is a true positive, false positive, or requires Tier 2 escalation.

See also: Playbook, SOAR, Escalation Path

S

SIEM (Security Information and Event Management)

Defense

A platform that centralizes log collection, normalization, correlation, and alerting across the entire environment — enabling detection of complex multi-stage attacks that no single tool would catch.

Real-World Example

The SIEM correlates three events from different sources: failed VPN login (10:01pm) + successful login from a new country (10:07pm) + large file download (10:12pm) = account takeover alert.

See also: SOAR, EDR, Threat Hunting

SOC (Security Operations Center)

SOC

A centralized team and facility dedicated to monitoring, detecting, analyzing, and responding to cybersecurity threats on a continuous basis, often operating 24/7.

Real-World Example

A mature SOC operates in three tiers: Tier 1 (alert triage), Tier 2 (investigation), Tier 3 (threat hunting and forensics) — with clear escalation paths and handoffs between each level.

See also: SIEM, SOAR, Incident Response

SOAR (Security Orchestration, Automation and Response)

Defense

A platform that connects and automates security tools and workflows, enabling consistent, fast, and scalable incident response without requiring manual analyst intervention for each step.

Real-World Example

A SOAR playbook detects a ransomware IOC, auto-isolates the infected host via EDR API, resets user credentials via AD API, blocks the C2 domain via firewall API, and files a P1 ticket — in 90 seconds.

See also: SIEM, Playbook, MTTR

Social Engineering

Attacks

Psychological manipulation of people into performing actions or divulging confidential information, bypassing technical controls by exploiting human trust, fear, or urgency.

Real-World Example

An attacker calls the IT helpdesk claiming to be the CTO locked out before an important board meeting. Pressured by urgency, the tech resets MFA without proper verification — granting account access.

See also: Phishing, BEC, Vishing

Spyware

Malware

Malware that covertly monitors a victim's activity — browsing history, keystrokes, screen content, and communications — and transmits the collected data to a remote attacker.

Real-World Example

Pegasus spyware silently exploited zero-click iOS vulnerabilities to monitor journalists and activists, capturing messages, calls, and camera footage without any user interaction.

See also: Keylogger, RAT, Malware

SSO (Single Sign-On)

IAM

An authentication scheme allowing users to authenticate once and access multiple applications without re-entering credentials. It centralizes access control but creates a high-value single point of compromise.

Real-World Example

A compromised SSO session cookie gives an attacker simultaneous access to email, HR systems, GitHub, and cloud storage — demonstrating why SSO accounts require the strongest possible MFA protection.

See also: MFA, IdP, IAM

Supply Chain Attack

Attacks

An attack targeting a less-secured vendor, software supplier, or managed service provider to gain access to their downstream customers — compromising many targets through one initial breach.

Real-World Example

The SolarWinds SUNBURST attack injected malicious code into a legitimate software update that was digitally signed and distributed to 18,000 organizations — making it nearly impossible to detect.

See also: APT, Third-Party Risk, Malware

T

Tabletop Exercise (TTX)

Incident Response

A discussion-based simulation where stakeholders walk through a realistic incident scenario to test response plans, identify gaps, and build muscle memory — without involving live systems.

Real-World Example

A ransomware tabletop reveals that no one knows the backup restoration procedure during a crisis. This gap leads to documented runbooks and quarterly backup restoration drills.

See also: Incident Response, Playbook, Post-Mortem

TLS (Transport Layer Security)

Fundamentals

A cryptographic protocol providing secure, encrypted communication over a network. TLS 1.3 is the current standard, used to protect HTTPS, email, VPN, and many other protocols.

Real-World Example

A MITM attacker positioned on a hotel Wi-Fi network cannot read HTTPS traffic to a banking site because TLS 1.3 provides end-to-end encryption with forward secrecy.

See also: Encryption, PKI, Cryptography

Threat Hunting

Detection

Proactive, analyst-driven investigation of environments to detect threats that have evaded automated controls. Hypothesis-based: hunters formulate a theory and gather evidence to prove or disprove it.

Real-World Example

A threat hunter hypothesizes that an APT is using Living-off-the-Land techniques. They query the SIEM for certutil.exe spawning from Word — and find an active infection that fired no alerts.

See also: IOC, TTP, MITRE ATT&CK

Threat Intelligence (TI)

Threat Intel

Analyzed, contextualized information about current or potential threats — enabling organizations to make informed, proactive defensive decisions rather than purely reactive ones.

Real-World Example

A threat intelligence feed alerts the SOC on Sunday that a new ransomware group is targeting manufacturing firms via unpatched VPNs. Monday morning, emergency patches are applied before any attack.

See also: IOC, MISP, TTP

Threat Modeling

Frameworks

A structured design-time process for identifying potential threats, attack vectors, and required controls before a system is built — shifting security left in the development lifecycle.

Real-World Example

During API design, threat modeling identifies that the payment endpoint lacks rate limiting and input validation — critical vulnerabilities that are fixed before a single line of production code is written.

See also: STRIDE, Attack Surface, Risk Management

Trojan

Malware

Malware disguised as legitimate or desirable software. When the user installs the trojan, it executes its malicious payload. Unlike worms, trojans do not self-replicate.

Real-World Example

A cracked version of expensive software on a torrent site installs a banking trojan alongside the legitimate application. The user gets their software; the attacker gets their banking credentials.

See also: Malware, Backdoor, Supply Chain Attack

TTP (Tactics, Techniques and Procedures)

Detection

The behavioral profile of a threat actor — their strategic goals (tactics), methods of achieving them (techniques), and the specific tools and workflows they use (procedures).

Real-World Example

Lazarus Group's TTPs include T1566.002 (Spear Phishing Link), T1059.001 (PowerShell), and T1041 (Exfiltration over C2 Channel) — a fingerprint used to attribute attacks and build targeted detections.

See also: MITRE ATT&CK, IOC, Threat Intelligence

U

UEBA (User and Entity Behavior Analytics)

Defense

Security analytics technology that establishes normal behavioral baselines for users and systems, then generates alerts when behavior deviates significantly — indicating compromise or insider threat.

Real-World Example

UEBA detects that a user downloaded 4,000 documents in 2 hours — 80x their normal baseline — two days before their resignation. The security team is alerted and an investigation is opened.

See also: SIEM, Insider Threat, Anomaly Detection

V

Vishing (Voice Phishing)

Attacks

A social engineering attack conducted over phone or VoIP calls, in which an attacker impersonates a trusted authority (IT support, bank, government) to extract sensitive information.

Real-World Example

An attacker calls employees claiming to be from the IT helpdesk conducting a 'security audit,' convincing them to share their VPN credentials and MFA codes over the phone.

See also: Phishing, Social Engineering, BEC

Vulnerability

Vuln Mgmt

A weakness in a system, application, network, or process that could be exploited by a threat actor to gain unauthorized access, cause damage, or disrupt operations.

Real-World Example

An outdated version of Apache with a known RCE vulnerability sits exposed on the DMZ. This unpatched vulnerability is the entry point for a subsequent data breach costing $4.2M.

See also: CVE, Exploit, Patch Management

Vulnerability Scanner

Vuln Mgmt

An automated tool that identifies known vulnerabilities in systems, applications, and networks by comparing configurations and software versions against vulnerability databases.

Real-World Example

Running OpenVAS against the DMZ identifies 12 critical vulnerabilities — including an unpatched Apache server (CVE-2021-41773, CVSS 9.8). The finding is escalated for emergency patching.

See also: CVE, CVSS, Patch Management

W

WAF (Web Application Firewall)

Network

A security control that inspects and filters HTTP/HTTPS traffic to and from web applications, blocking common web attacks such as SQL injection, XSS, and CSRF.

Real-World Example

A WAF rule blocks an HTTP request containing ' UNION SELECT 1,username,password FROM users-- from reaching the application database — stopping a SQL injection attack before any data is exposed.

See also: Injection, OWASP, Firewall

Wiper

Malware

Destructive malware designed to permanently destroy data on infected systems, with no financial motivation — used primarily in nation-state attacks to cause maximum disruption.

Real-World Example

HermeticWiper was deployed against Ukrainian organizations hours before Russia's 2022 invasion, overwriting Master Boot Records and corrupting partition tables — rendering thousands of systems unbootable.

See also: Malware, APT, Nation-State

Worm

Malware

Self-replicating malware that spreads across networks without user interaction by exploiting network vulnerabilities — distinct from viruses (which require a host file) and trojans (which require user execution).

Real-World Example

WannaCry used the EternalBlue exploit to self-replicate across unpatched Windows networks in 2017, infecting 300,000 systems in 150 countries within 24 hours — requiring no user interaction.

See also: Malware, Exploit, Ransomware

X

XDR (Extended Detection and Response)

Defense

A unified security platform integrating telemetry from endpoints, network, cloud, email, and identity into a single correlated detection and response capability.

Real-World Example

XDR correlates three signals from different layers: phishing email (email layer) → malicious macro execution (endpoint layer) → C2 beacon (network layer) — creating one high-fidelity incident instead of three separate low-confidence alerts.

See also: EDR, NDR, SIEM

XSS (Cross-Site Scripting)

Attacks

A web application vulnerability in which an attacker injects malicious scripts into content delivered to other users' browsers, enabling session hijacking, credential theft, or malware delivery.

Real-World Example

An attacker injects JavaScript into a forum comment field: when other users view the post, their browsers execute the script, which silently exfiltrates their session cookies to the attacker.

See also: OWASP, WAF, Injection

Z

Zero Trust

Fundamentals

A security architecture principle stating that no user, device, or network segment is inherently trusted — every access request must be explicitly verified regardless of location or prior authentication.

Real-World Example

An employee on the corporate network is not automatically trusted. Zero Trust requires device health verification, strong MFA, least-privilege access per application, and continuous session monitoring for every request.

See also: Micro-Segmentation, IAM, Least Privilege

Zero-Day (0-Day)

Attacks

A previously unknown software vulnerability for which no vendor patch exists. Exploits targeting zero-days are particularly dangerous because defenders have zero days to prepare a fix.

Real-World Example

The Stuxnet worm weaponized four simultaneous Windows zero-days to spread to Iranian nuclear facilities, demonstrating the devastating potential of zero-day exploit chains in nation-state attacks.

See also: Exploit, CVE, Patch Management

Zeek

Defense

An open-source network traffic analyzer (formerly Bro) that generates rich connection logs and enables powerful scripted detection — widely used as the foundation for network threat hunting.

Real-World Example

Zeek logs reveal a workstation making connections to 60 different internal IPs over port 445 within 2 minutes — a pattern consistent with SMB lateral movement scanning, triggering a Tier 2 investigation.

See also: Suricata, NDR, Beaconing