A

Access Control

The set of policies, mechanisms, and technologies that restrict who or what can view, use, or modify resources in a computing environment. Implementations include role-based access control (RBAC), attribute-based access control (ABAC), and mandatory access control (MAC). Effective access control is foundational to least-privilege architectures.

General, Defensive

Advanced Persistent Threat (APT)

A prolonged, targeted cyberattack in which a threat actor gains unauthorized access to a network and remains undetected for an extended period. APT groups are typically nation-state-sponsored or well-funded criminal organizations with specific intelligence or financial objectives. They use sophisticated TTPs and adapt to defensive measures.

General, IR

Attack Surface

The total set of points where an unauthorized user can attempt to enter or extract data from an environment. Includes network services, web applications, APIs, user endpoints, cloud interfaces, physical access points, and human factors. Reducing the attack surface is a core security engineering objective.

General, Defensive

Attack Vector

The specific method or pathway an attacker uses to gain access to a target system. Common vectors include phishing emails, exploitation of unpatched vulnerabilities, compromised credentials, supply chain compromise, and removable media. Understanding prevalent attack vectors informs both defensive priorities and assessment scoping.

General, Offensive

Authentication

The process of verifying the identity of a user, device, or system before granting access. Methods include passwords, biometrics, hardware tokens, certificates, and multi-factor combinations. Authentication is distinct from authorization (which determines what an authenticated entity is allowed to do).

General, Defensive

Authorization

The process of determining what actions, resources, or data an authenticated entity is permitted to access. Authorization mechanisms enforce policies such as role-based access control (RBAC), attribute-based access control (ABAC), and policy-based access. Distinct from authentication, which verifies identity — authorization governs what that identity can do.

General, Defensive

B

Backdoor

A covert method of bypassing normal authentication or encryption to gain unauthorized access to a system. Backdoors can be installed by attackers as persistence mechanisms after initial compromise, or they can exist as intentional (sometimes undocumented) features in software. Detection typically requires malware analysis and forensic investigation.

Malware, DFIR

Blue Team

The defensive security team responsible for detecting, responding to, and mitigating threats within an organization. Blue team activities include security monitoring, incident response, threat hunting, vulnerability management, and security architecture. In exercises, the blue team defends against simulated attacks from the red team.

Defensive, General

Botnet

A network of compromised computers (bots or zombies) controlled remotely by a threat actor through command-and-control infrastructure. Botnets are used for DDoS attacks, spam distribution, credential stuffing, cryptocurrency mining, and as distribution platforms for additional malware. Modern botnets use peer-to-peer communication to resist takedown.

Malware, Network

Brute Force Attack

An attack method that systematically attempts every possible combination of passwords or encryption keys until the correct one is found. Variations include dictionary attacks (using wordlists), hybrid attacks (combining words with character substitution), and credential stuffing (using credentials leaked from other breaches). Mitigated by account lockout policies, rate limiting, and MFA.

Offensive, General

Business Email Compromise (BEC)

A targeted social engineering attack where an attacker impersonates a trusted party (typically an executive, vendor, or partner) via email to trick victims into transferring funds, revealing sensitive data, or performing unauthorized actions. BEC is one of the highest-impact cybercrime categories by financial loss, often requiring no malware.

General, IR

C

C2 (Command and Control)

The infrastructure and communication channels an attacker uses to maintain control over compromised systems. C2 can operate over HTTP/S, DNS, social media, cloud services, or custom protocols. Identifying and disrupting C2 communication is a primary objective during incident containment.

Malware, IR, Network

CERT (Computer Emergency Response Team)

An organization or team responsible for coordinating the response to cybersecurity incidents. National CERTs (e.g., CERT.be in Belgium, CERT-EU for EU institutions) provide advisories, coordinate vulnerability disclosure, and assist with incident handling. Organizational CERTs serve the same function within individual enterprises.

IR, General

CISO (Chief Information Security Officer)

The senior executive responsible for establishing and maintaining an organization's security strategy, policies, and operations. The CISO bridges technical security capabilities and business risk management, reporting typically to the CIO, CEO, or board. NIS2 places direct accountability for cybersecurity risk management on organizational leadership.

General, Compliance

Cloud Security Posture Management (CSPM)

A category of security tools that continuously monitor cloud infrastructure for misconfigurations, compliance violations, and security risks. CSPM solutions evaluate configurations against security benchmarks (CIS, provider best practices) and alert on deviations. Essential for organizations with multi-cloud or rapidly changing cloud environments.

Cloud, Defensive

Containment

The incident response phase focused on preventing an attack from spreading further while preserving evidence. Includes short-term actions (network isolation, account disabling) and long-term measures (credential resets, enhanced monitoring). Effective containment balances speed with evidence preservation. See our IR checklist for detailed containment procedures.

IR, DFIR

Credential Stuffing

An automated attack that uses lists of username/password pairs obtained from previous data breaches to attempt login across other services. Exploits the widespread practice of password reuse. Distinguishable from brute force by its use of known-valid credentials. Mitigated by MFA, breach-credential monitoring, and rate limiting.

Offensive, General

Cross-Site Scripting (XSS)

A web application vulnerability that allows an attacker to inject malicious client-side scripts into pages viewed by other users. Types include stored XSS (persisted in the application), reflected XSS (included in a crafted URL), and DOM-based XSS (executed entirely client-side). Commonly found during penetration tests.

Offensive, Network

CVSS (Common Vulnerability Scoring System)

An open framework for rating the severity of software vulnerabilities on a 0.0-10.0 scale. CVSS scores consider attack vector, complexity, privileges required, user interaction, and impact on confidentiality, integrity, and availability. Widely used in assessment reports but should be interpreted alongside business context, not used as the sole prioritization metric.

General, Compliance

Cyber Kill Chain

A framework developed by Lockheed Martin describing the stages of a cyberattack: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Useful for mapping defensive capabilities to each stage and identifying where detection and prevention controls are weakest.

General, Defensive

Certificate Transparency (CT)

A framework of public, append-only logs that record all TLS/SSL certificates issued by participating Certificate Authorities. CT enables domain owners to detect mis-issued or unauthorized certificates for their domains. Monitoring CT logs is a valuable OSINT technique for discovering shadow IT, phishing infrastructure, and unauthorized subdomains.

Network, Defensive

D

Dark Web

The portion of the internet accessible only through overlay networks such as Tor, I2P, or Freenet, requiring specialized software and configurations. In cybersecurity, the dark web is monitored for leaked credentials, stolen data for sale, threat actor communications, and emerging exploit marketplaces. Dark web monitoring is a component of comprehensive threat intelligence programs.

General, DFIR

Data Breach

An incident in which sensitive, protected, or confidential data is accessed, disclosed, or exfiltrated by an unauthorized party. Breaches trigger notification obligations under GDPR (72 hours to supervisory authority), NIS2, and sector-specific regulations. Breach scope determination is a critical early step in incident response.

IR, Compliance

Data Loss Prevention (DLP)

Technologies and policies designed to detect and prevent unauthorized transmission of sensitive data outside the organization. DLP solutions monitor data at rest, in transit, and in use, applying rules based on content classification, context, and user behavior. Effective DLP requires accurate data classification and tuned policies to avoid excessive false positives.

Defensive, Compliance

DDoS (Distributed Denial of Service)

An attack that overwhelms a target system, service, or network with traffic from multiple distributed sources, rendering it unavailable to legitimate users. Attack types include volumetric (bandwidth saturation), protocol (exploiting network protocol weaknesses), and application layer (targeting specific services). Mitigation typically requires upstream filtering or CDN-based protection.

Network, Offensive

Defense in Depth

A security strategy that layers multiple defensive mechanisms so that if one control fails, others continue to provide protection. Layers typically span physical security, network security, endpoint security, application security, data security, and user training. Based on the military principle that multiple defensive lines are harder to breach than a single strong line.

Defensive, General

DFIR (Digital Forensics and Incident Response)

The combined discipline of collecting, preserving, and analyzing digital evidence (forensics) and managing the detection, containment, and recovery from security incidents (incident response). DFIR practitioners bridge investigative and operational roles, often working under time pressure and legal scrutiny. ForgeWork's DFIR Assist platform supports these workflows.

DFIR, IR

DNS Spoofing

An attack that corrupts DNS resolution to redirect traffic from legitimate destinations to attacker-controlled systems. Methods include cache poisoning (injecting forged DNS responses), compromising DNS servers, or performing man-in-the-middle attacks on DNS queries. DNSSEC provides cryptographic verification of DNS responses but adoption remains incomplete.

Network, Offensive

E

EDR (Endpoint Detection and Response)

Security solutions deployed on endpoints (workstations, servers, mobile devices) that continuously monitor for suspicious activity, provide real-time threat detection, enable investigation, and support automated or manual response actions. Modern EDR records detailed telemetry (process trees, file operations, network connections, registry changes) critical for forensic analysis.

Defensive, DFIR

Encryption

The process of converting plaintext data into ciphertext using a cryptographic algorithm and key, rendering it unreadable without the corresponding decryption key. Applied to data at rest (disk encryption, database encryption), data in transit (TLS, VPN), and increasingly data in use (homomorphic encryption, secure enclaves). Key management is typically the hardest part.

General, Defensive

Escalation

The process of raising an incident, alert, or issue to a higher level of authority or expertise for resolution. In incident response, escalation criteria define when and how to involve senior analysts, management, legal counsel, or external resources. Well-defined escalation paths prevent bottlenecks and ensure appropriate resources are engaged early.

IR, General

Exploit

Code, a technique, or a sequence of commands that takes advantage of a vulnerability to cause unintended behavior in a system, such as gaining unauthorized access, executing arbitrary code, or causing a denial of service. Exploits range from publicly available proof-of-concept code to sophisticated zero-day exploits developed by nation-states.

Offensive, Malware

Exfiltration

The unauthorized transfer of data from a compromised environment to an attacker-controlled location. Exfiltration methods include direct network transfer, DNS tunneling, steganography, encrypted channels, removable media, and abuse of legitimate cloud services. Detecting exfiltration requires monitoring for unusual data flows, volume anomalies, and connections to known-bad infrastructure.

IR, DFIR, Network

Email Security Gateway

A security solution that filters inbound and outbound email traffic to block spam, phishing, malware, and data loss. Modern email gateways use reputation filtering, sandboxing, URL rewriting, attachment analysis, and machine learning to detect threats. A critical control given that email remains the dominant initial access vector for both commodity and targeted attacks.

Defensive, Network

F

Firewall

A network security device or software that monitors and controls incoming and outgoing network traffic based on predefined security rules. Types include packet-filtering firewalls, stateful inspection firewalls, application-layer firewalls (WAFs), and next-generation firewalls (NGFWs) that integrate IPS, application awareness, and threat intelligence.

Network, Defensive

Forensic Image

A bit-for-bit copy of a storage device that preserves all data, including deleted files, unallocated space, and file system metadata. Created using write-blocking hardware or software to ensure the original evidence is not modified. Forensic images are the foundation of digital forensics investigations and must maintain chain of custody documentation.

DFIR

Fuzzing

An automated software testing technique that provides invalid, unexpected, or random data as input to a program to discover vulnerabilities such as buffer overflows, crashes, and memory leaks. Modern fuzzers use coverage-guided mutation (e.g., AFL, libFuzzer) to intelligently explore code paths. Widely used in vulnerability research and secure development lifecycles.

Offensive, General

G

Governance, Risk, and Compliance (GRC)

An integrated approach to managing an organization's governance structure, risk management processes, and compliance with regulations and standards. In cybersecurity, GRC encompasses policy management, risk assessments, audit coordination, regulatory compliance (NIS2, GDPR, PCI DSS), and reporting to leadership on security posture.

Compliance, General

GDPR (General Data Protection Regulation)

The EU regulation governing the processing and protection of personal data. For cybersecurity teams, GDPR mandates breach notification to supervisory authorities within 72 hours, requires appropriate technical and organizational security measures, and can impose fines up to 4% of global annual turnover or 20 million euros. GDPR compliance intersects heavily with incident response and data loss prevention programs.

Compliance

H

Hash

A fixed-length string produced by a cryptographic hash function (MD5, SHA-1, SHA-256) that uniquely represents input data. In cybersecurity, hashes are used to verify file integrity, identify known malware samples, store passwords securely, and detect unauthorized modifications. File hashes are a primary type of indicator of compromise (IOC).

DFIR, General

Honeypot

A deliberately vulnerable system or resource deployed to attract, detect, and study attackers. Honeypots generate high-fidelity alerts (any interaction is suspicious by definition), collect threat intelligence on attacker tools and techniques, and can serve as early warning systems for intrusions. Honeynets extend this concept to entire network segments.

Defensive, Network

Hardening

The process of reducing a system's attack surface by removing unnecessary services, applying secure configurations, disabling default accounts, and implementing security controls. Hardening guides (CIS Benchmarks, DISA STIGs, vendor security baselines) provide configuration standards for operating systems, applications, and network devices. A core security engineering activity.

Defensive, General

I

IDS/IPS (Intrusion Detection/Prevention System)

Security systems that monitor network traffic or system activity for malicious patterns. An IDS detects and alerts on suspicious activity; an IPS additionally takes automated action to block or prevent it. Detection methods include signature-based (matching known patterns), anomaly-based (deviating from baselines), and behavioral analysis.

Network, Defensive

Incident Response

The structured process for detecting, analyzing, containing, eradicating, and recovering from security incidents. An effective IR program includes documented plans, trained teams, tested procedures, and established relationships with external resources. The NIST SP 800-61 framework is widely adopted. See our incident response checklist for a practical guide.

IR, DFIR

Indicator of Compromise (IOC)

Observable artifacts that indicate a system or network may have been compromised. IOCs include file hashes, IP addresses, domain names, URLs, registry keys, email addresses, mutex names, and behavioral patterns. IOCs are shared via threat intelligence feeds and used by security tools (SIEM, EDR, firewalls) to detect known threats.

DFIR, IR

Insider Threat

A security risk originating from individuals within the organization — employees, contractors, or business partners — who have legitimate access to systems and data. Insider threats can be malicious (intentional data theft, sabotage) or unintentional (accidental data exposure, falling for phishing). Detection requires monitoring user behavior, access patterns, and data movement.

General, Defensive

ISO 27001

The international standard for information security management systems (ISMS). ISO 27001 provides a framework for establishing, implementing, maintaining, and continually improving an organization's approach to managing information security risks. Certification requires an independent audit and demonstrates compliance with 93 controls organized across organizational, people, physical, and technological domains.

Compliance

Identity and Access Management (IAM)

The framework of policies, processes, and technologies that manage digital identities and control access to resources. IAM encompasses user provisioning, authentication, authorization, single sign-on, privileged access management, and identity governance. In cloud environments, IAM misconfigurations are among the most common causes of security incidents.

Defensive, Cloud, General

J

JSON Web Token (JWT)

A compact, URL-safe token format used for securely transmitting claims between parties, commonly for authentication and authorization in web applications and APIs. JWTs consist of a header, payload, and signature. Common security issues include weak signing algorithms (e.g., accepting none), secret key brute-forcing, and improper token validation.

General, Network

K

Kerberos

A network authentication protocol that uses symmetric key cryptography and a trusted third party (Key Distribution Center) to authenticate users and services. The default authentication protocol in Active Directory environments. Common attack techniques include Kerberoasting (extracting service ticket hashes for offline cracking), AS-REP roasting, and golden/silver ticket attacks.

Network, Offensive

Keylogger

Malware or hardware that records keystrokes on a compromised system, capturing passwords, messages, and other sensitive input. Software keyloggers may operate at the kernel level, API level, or within specific applications. Hardware keyloggers are physical devices placed between a keyboard and computer. Commonly delivered as a component of broader malware infections.

Malware

Kill Chain

See Cyber Kill Chain. The term is also used generically to describe any sequential model of attack phases. Disrupting any link in the kill chain can prevent an attack from achieving its objective. Defensive strategies mapped to kill chain stages help identify where visibility and control gaps exist.

General, Defensive

L

Lateral Movement

Techniques attackers use to move through a network after initial compromise, accessing additional systems and escalating privileges toward their ultimate objective. Common methods include pass-the-hash, pass-the-ticket, remote service exploitation, RDP, WMI, PsExec, and SSH. Detecting lateral movement is a primary focus of threat hunting and EDR/NDR solutions.

Offensive, IR, DFIR

Least Privilege

The security principle that users, processes, and systems should operate with the minimum level of access required to perform their functions. Implementing least privilege limits the blast radius of compromised accounts, reduces insider threat risk, and is a foundational requirement of zero trust architectures and most compliance frameworks.

Defensive, General

Log Management

The practice of collecting, storing, analyzing, and retaining log data from systems, applications, and network devices. Effective log management enables security monitoring, incident investigation, compliance auditing, and forensic analysis. Key considerations include log sources, collection architecture, retention periods, integrity protection, and correlation capabilities through SIEM.

Defensive, DFIR

Living off the Land (LotL)

An attack technique where adversaries use legitimate, pre-installed tools and system features (PowerShell, WMI, certutil, mshta) rather than deploying custom malware to achieve their objectives. LotL techniques are harder to detect because the tools used are trusted and expected in the environment. Detecting LotL attacks requires behavioral analysis and command-line auditing rather than signature-based detection.

Offensive, DFIR

M

Machine Learning in Security

The application of machine learning algorithms to cybersecurity tasks such as anomaly detection, malware classification, user behavior analytics, phishing detection, and threat prediction. ML models can identify patterns invisible to rule-based systems but require quality training data, careful tuning, and human oversight to avoid excessive false positives and adversarial evasion.

Defensive, General

Malware

Software designed to disrupt, damage, or gain unauthorized access to computer systems. Categories include viruses, worms, trojans, ransomware, spyware, adware, rootkits, and wipers. Modern malware often combines multiple capabilities and uses sophisticated evasion techniques. Analysis techniques are covered in depth at the Malware Analysis Academy.

Malware

Memory Forensics

The analysis of a computer's volatile memory (RAM) to extract artifacts such as running processes, network connections, encryption keys, injected code, and evidence of rootkits. Memory forensics reveals activity that disk forensics cannot — including fileless malware and in-memory-only payloads. Tools like Volatility and Rekall are standard. A critical skill taught in malware analysis training.

DFIR, Malware

Man-in-the-Middle (MitM)

An attack where the adversary secretly intercepts and potentially alters communication between two parties who believe they are communicating directly. Enables eavesdropping, credential theft, and session hijacking. MitM attacks target protocols lacking mutual authentication or encryption. TLS certificate validation and certificate pinning are primary defenses.

Network, Offensive

MDR (Managed Detection and Response)

A managed security service that provides continuous monitoring, threat detection, investigation, and response capabilities delivered by an external provider. MDR combines technology (EDR, SIEM, NDR) with human expertise (security analysts, threat hunters) to detect and respond to threats that automated tools alone would miss. Particularly valuable for organizations lacking a 24/7 in-house SOC.

Defensive, General

MITRE ATT&CK

A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. Organized into matrices (Enterprise, Mobile, ICS) with tactics (the "why") mapped to techniques (the "how"). Used for threat modeling, detection engineering, red team planning, and assessing security coverage gaps. The de facto common language for describing adversary behavior.

General, Offensive, Defensive

Multi-Factor Authentication (MFA)

An authentication method requiring two or more independent verification factors: something you know (password), something you have (hardware token, phone), or something you are (biometric). MFA significantly reduces the risk of account compromise from credential theft. Phishing-resistant MFA (FIDO2/WebAuthn) is the strongest implementation, as it resists adversary-in-the-middle attacks.

Defensive, General

N

NDR (Network Detection and Response)

Security solutions that monitor network traffic to detect threats that evade endpoint-based controls. NDR uses behavioral analysis, machine learning, and signature detection to identify anomalous traffic patterns, lateral movement, data exfiltration, and C2 communications. Provides visibility in environments where endpoint agents cannot be deployed (IoT, OT, legacy systems).

Network, Defensive

NIS2 Directive

The EU's updated directive on security of network and information systems, significantly expanding the scope and requirements of the original NIS Directive. NIS2 imposes cybersecurity risk management obligations on essential and important entities, mandates incident reporting (24-hour early warning, 72-hour notification), and introduces personal liability for management. Applies broadly across sectors including energy, transport, health, digital infrastructure, and ICT service management.

Compliance

NIST Cybersecurity Framework

A voluntary framework developed by the U.S. National Institute of Standards and Technology providing standards, guidelines, and best practices for managing cybersecurity risk. Organized around five core functions: Identify, Protect, Detect, Respond, and Recover. Widely adopted internationally as a structure for building and evaluating security programs regardless of regulatory jurisdiction.

Compliance, General

O

OSINT (Open Source Intelligence)

Intelligence collected from publicly available sources including websites, social media, public records, domain registration data, code repositories, paste sites, and dark web forums. In cybersecurity, OSINT is used for threat intelligence gathering, attack surface discovery, social engineering reconnaissance, and investigating threat actors. An essential skill for both offensive and defensive practitioners.

General, Offensive, Defensive

OWASP (Open Web Application Security Project)

A nonprofit organization producing freely available resources for web application security. Best known for the OWASP Top 10, a regularly updated list of the most critical web application security risks. OWASP also publishes testing guides, development cheat sheets, and tools (ZAP, Dependency-Check) used extensively in security assessments and secure development programs.

General, Offensive

P

Patch Management

The process of identifying, acquiring, testing, and deploying software updates (patches) to remediate vulnerabilities and fix bugs. Effective patch management balances speed (reducing the window of exposure) with stability (avoiding patches that break functionality). Unpatched vulnerabilities remain one of the most common initial access vectors in security incidents.

Defensive, General

Penetration Test

An authorized simulated cyberattack that evaluates the security of a system by actively exploiting vulnerabilities. Unlike vulnerability assessments, penetration tests demonstrate real-world impact by chaining vulnerabilities, escalating privileges, and pursuing specific objectives. Results include proof-of-concept demonstrations and risk-rated remediation recommendations. See our assessment guide for details on scoping and preparation.

Offensive

Persistence

Techniques an attacker uses to maintain access to a compromised system across reboots, credential changes, and other disruptions. Common persistence mechanisms include scheduled tasks, registry run keys, startup folders, WMI event subscriptions, DLL hijacking, web shells, and backdoor accounts. Thorough eradication of persistence is critical during incident response.

Offensive, IR, Malware

Phishing

A social engineering attack that uses deceptive communications (typically email) to trick recipients into revealing credentials, installing malware, or performing unauthorized actions. Variants include spear phishing (targeted), whaling (targeting executives), smishing (SMS-based), and vishing (voice-based). Remains the most common initial access vector across virtually all threat landscapes.

General, Offensive

Privilege Escalation

The exploitation of a vulnerability, design flaw, or configuration error to gain elevated access beyond what was initially authorized. Vertical escalation moves from a lower-privilege account to a higher one (e.g., user to admin). Horizontal escalation accesses another user's resources at the same privilege level. A standard phase in both real attacks and penetration tests.

Offensive, IR

Purple Team

A collaborative security exercise where the red team (attackers) and blue team (defenders) work together in real-time. The red team executes adversary techniques while the blue team attempts to detect and respond, with both sides sharing information to iteratively improve defensive capabilities. More cost-effective than sequential red/blue engagements for organizations focused on measurably improving detection. Learn more about our training exercises.

Offensive, Defensive

Playbook

A documented, structured set of procedures for responding to a specific type of security event or incident. Playbooks typically include trigger conditions, investigation steps, containment actions, communication requirements, and escalation criteria. More detailed than runbooks, playbooks often integrate with SOAR platforms for automated execution of defined response workflows.

IR, Defensive

R

Ransomware-as-a-Service (RaaS)

A business model in which ransomware developers license their malware and infrastructure to affiliates who carry out attacks, sharing the ransom payments. RaaS has lowered the barrier to entry for ransomware operations, enabling less technically skilled actors to conduct sophisticated attacks. Major RaaS operations function like legitimate SaaS businesses with customer support and affiliate programs.

Malware, IR

Ransomware

Malware that encrypts a victim's files or systems and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware operations employ double extortion (encryption plus data theft), triple extortion (adding DDoS or contacting customers), and operate as ransomware-as-a-service (RaaS). Ransomware incidents require specialized incident response including negotiation considerations, decryption analysis, and regulatory reporting.

Malware, IR

Reconnaissance

The initial phase of an attack in which the threat actor gathers information about the target. Passive reconnaissance (OSINT, DNS lookups, public records) leaves no trace on the target. Active reconnaissance (port scanning, vulnerability scanning, social engineering) directly interacts with target systems. Understanding adversary reconnaissance techniques helps defenders minimize their exposed information and detect pre-attack activity.

Offensive, General

Red Team

A group of security professionals authorized to simulate real-world adversary attacks against an organization using the full spectrum of tactics — technical exploitation, social engineering, and physical access. Unlike penetration testing, red team engagements test organizational resilience holistically, including people, processes, and detection/response capabilities, with minimal prior knowledge of defenses.

Offensive

Remediation

The process of addressing identified security vulnerabilities or weaknesses through patching, configuration changes, architectural improvements, or compensating controls. Effective remediation goes beyond applying patches — it considers root cause, verifies the fix, and confirms that detection capabilities exist for similar issues. Our assessment guide covers remediation planning in detail.

Defensive, General

Risk Assessment

A systematic process for identifying, analyzing, and evaluating cybersecurity risks to an organization. Considers the likelihood and impact of threats exploiting vulnerabilities, accounting for existing controls. Risk assessments inform security investment decisions, compliance requirements, and organizational risk appetite. Required by NIS2, ISO 27001, and most regulatory frameworks.

Compliance, General

Rootkit

Malware designed to provide persistent, privileged access to a system while actively concealing its presence from detection tools. Rootkits can operate at the user level, kernel level, bootloader level (bootkit), or firmware level. Kernel and firmware rootkits are particularly difficult to detect and remove, often requiring full system rebuilds. Analysis requires specialized forensic techniques.

Malware, DFIR

Runbook

A documented set of procedures for handling specific, recurring operational or security tasks. In security operations, runbooks provide step-by-step instructions for responding to common alert types, performing routine investigations, and executing containment actions. Runbooks ensure consistency, reduce response time, and enable junior analysts to handle situations that would otherwise require escalation.

IR, Defensive

S

Sandbox

An isolated environment used to execute and analyze suspicious code without risking the production environment. Security sandboxes detonate potential malware samples and observe their behavior — file system changes, network communications, registry modifications, and process activity. Used in both automated malware analysis pipelines and manual reverse engineering workflows.

Malware, DFIR

SIEM (Security Information and Event Management)

A platform that aggregates, normalizes, and correlates security event data from across the enterprise to provide real-time monitoring, alerting, and investigation capabilities. SIEMs ingest logs from firewalls, EDR, identity systems, cloud platforms, and applications. Effective SIEM operation requires tuned detection rules, maintained data sources, and skilled analysts to triage alerts.

Defensive, DFIR

SOAR (Security Orchestration, Automation, and Response)

Technology that enables organizations to automate security operations workflows, orchestrate actions across multiple security tools, and standardize incident response procedures through playbooks. SOAR platforms reduce mean time to respond (MTTR), minimize repetitive analyst tasks, and ensure consistent execution of response procedures across incidents.

Defensive, IR

SOC (Security Operations Center)

A centralized function (team, processes, and technology) responsible for continuously monitoring, detecting, analyzing, and responding to cybersecurity threats. SOCs operate on a tiered model: Tier 1 (alert triage), Tier 2 (investigation), and Tier 3 (threat hunting and advanced analysis). Can be operated in-house, outsourced, or in a hybrid model.

Defensive, General

Social Engineering

Manipulation techniques that exploit human psychology to trick individuals into divulging information, granting access, or performing actions that compromise security. Techniques include pretexting, baiting, quid pro quo, tailgating, and various forms of phishing. Often the most effective attack vector because it bypasses technical controls entirely.

Offensive, General

Spear Phishing

A targeted phishing attack directed at a specific individual or organization, using personalized information gathered through reconnaissance to increase credibility. Spear phishing emails reference the target's name, role, projects, colleagues, or recent activities. Significantly more effective than bulk phishing campaigns and a primary initial access vector for APT groups and BEC operations.

Offensive, General

SQL Injection

A web application vulnerability that allows an attacker to inject malicious SQL statements into queries executed by the database. Can lead to unauthorized data access, data modification, authentication bypass, and in some cases command execution on the database server. Prevented through parameterized queries, input validation, and least-privilege database accounts. One of the OWASP Top 10.

Offensive, Network

Supply Chain Attack

An attack that targets an organization by compromising a trusted third party in its supply chain — software vendors, service providers, hardware manufacturers, or open-source dependencies. The compromised component is then delivered to the ultimate target through normal distribution channels. Notable examples include SolarWinds and Kaseya. Defending against supply chain attacks requires vendor risk management, software composition analysis, and integrity verification.

General, IR

Secure Development Lifecycle (SDL)

A framework that integrates security practices into every phase of software development — requirements, design, implementation, testing, deployment, and maintenance. SDL activities include threat modeling, secure coding standards, static and dynamic analysis, dependency scanning, and penetration testing. Shifting security left reduces the cost and frequency of vulnerabilities in production.

Defensive, General

Segmentation

The practice of dividing a network into isolated segments to limit lateral movement and contain the blast radius of a compromise. Implementations include VLANs, firewall zones, microsegmentation (host-level policies), and software-defined networking. Effective segmentation is one of the most impactful controls against ransomware propagation and insider threats.

Network, Defensive

T

Tabletop Exercise (TTX)

A discussion-based exercise that walks participants through a simulated security incident scenario to test and improve incident response plans, communication procedures, and decision-making. No actual systems are affected. TTXs reveal gaps in plans, unclear roles, and communication breakdowns in a low-risk environment. ForgeWork's IR TTX Training platform provides structured exercise facilitation.

IR, General

Threat Actor

An individual or group that conducts cyberattacks. Categorized by motivation and capability: nation-state actors (espionage, disruption), cybercriminals (financial gain), hacktivists (ideological), insider threats (varied motivations), and script kiddies (notoriety). Understanding which threat actors are relevant to your organization informs defensive priorities and threat modeling.

General, IR

Threat Hunting

The proactive, hypothesis-driven search for threats that have evaded existing detection mechanisms. Threat hunters use knowledge of adversary TTPs, threat intelligence, and anomaly analysis to identify suspicious activity that automated tools missed. Requires access to rich telemetry data (EDR, network, logs), analytical skills, and understanding of normal vs. abnormal behavior in the environment.

Defensive, DFIR

Threat Intelligence

Evidence-based knowledge about existing or emerging threats, including context, mechanisms, indicators, implications, and actionable recommendations. Categorized as strategic (high-level trends for leadership), tactical (TTPs for security teams), operational (details of specific campaigns), and technical (IOCs for security tools). Effective threat intelligence is timely, relevant, and actionable.

General, Defensive

Threat Modeling

A structured process for identifying potential threats, vulnerabilities, and attack vectors relevant to a system or application during design or review. Methodologies include STRIDE (Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege), PASTA, and attack trees. Threat modeling helps prioritize security controls before code is written or infrastructure is deployed.

Defensive, General

TTP (Tactics, Techniques, and Procedures)

The behavioral patterns that describe how threat actors conduct attacks. Tactics represent the adversary's goals (e.g., initial access, persistence, exfiltration). Techniques are the methods used to achieve those goals. Procedures are the specific implementation details. TTPs are more durable indicators than IOCs — attackers change infrastructure frequently but evolve techniques slowly. MITRE ATT&CK is the standard taxonomy.

General, IR, DFIR

V

Vulnerability

A weakness in a system, application, configuration, or process that could be exploited by a threat actor to gain unauthorized access, escalate privileges, or cause harm. Vulnerabilities can be technical (unpatched software, misconfiguration) or procedural (weak processes, insufficient training). Managed through vulnerability management programs that include scanning, prioritization, remediation, and verification.

General

Vulnerability Assessment

A systematic process of identifying, quantifying, and prioritizing vulnerabilities in systems and applications. Combines automated scanning with manual analysis to validate findings, eliminate false positives, and assess risk in context. Provides a baseline security posture measurement and remediation roadmap. See our security assessment guide for preparation and interpretation guidance.

Offensive, Defensive

VPN (Virtual Private Network)

A technology that creates an encrypted tunnel between a user's device and a network, protecting data in transit and enabling secure remote access to internal resources. VPN implementations include IPsec, SSL/TLS-based (OpenVPN, WireGuard), and vendor-specific solutions. In zero trust architectures, VPNs are increasingly being replaced by identity-aware proxies and software-defined perimeters.

Network, General

W

Watering Hole Attack

A targeted attack that compromises a website frequently visited by members of a specific organization or industry, then uses it to deliver malware to visitors. The attacker profiles the target group's browsing habits, compromises a trusted site, and embeds exploit code that selectively targets visitors matching desired criteria. Difficult to defend against because it exploits trust in legitimate websites.

Offensive, General

Web Application Firewall (WAF)

A security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from web applications. WAFs protect against common web attacks including SQL injection, cross-site scripting, file inclusion, and request forgery. Can be deployed as network appliances, cloud services, or host-based modules. WAFs complement but do not replace secure coding practices and regular security testing.

Network, Defensive

X

XDR (Extended Detection and Response)

A security platform that integrates and correlates data from multiple security layers — endpoints, network, cloud, email, and identity — to provide unified threat detection, investigation, and response. XDR extends EDR capabilities by breaking down data silos between security tools, enabling analysts to see the full attack chain rather than isolated alerts from individual products.

Defensive, General

Z

Zero-Day

A vulnerability that is unknown to the vendor or for which no patch or mitigation exists. "Zero-day" refers to the fact that developers have had zero days to address the issue. Zero-day exploits are highly valued by both threat actors and legitimate vulnerability researchers. Defending against zero-days requires layered security, behavioral detection, and rapid response capabilities when exploitation is detected.

General, Offensive

Zero Trust Architecture

A security model based on the principle of "never trust, always verify." Zero trust eliminates implicit trust based on network location and instead requires continuous verification of every user, device, and connection attempting to access resources. Core principles include least-privilege access, microsegmentation, strong authentication, continuous monitoring, and assuming breach. Represents a fundamental shift from perimeter-based security.

Defensive, General

Put this knowledge to work

This glossary is a starting point. For deeper dives, explore our Insights blog where we publish detailed analyses of emerging threats, incident response techniques, and security strategy. If your team needs hands-on expertise, ForgeWork offers security services from incident response to security engineering.