Advanced Persistent Threat (APT)
Intel
aka e.g. APT28, APT29, Lazarus
A well-resourced, typically state-aligned adversary that maintains long-dwell access to a target for espionage, sabotage, or strategic intelligence gathering. APTs are characterized by patience, custom tooling, and operational security — not flashy ransomware.
Adversary Emulation
Warfare
aka TTP-driven red teaming
A red-team engagement scoped to mimic the tradecraft of a specific named threat actor — not just generic offensive testing. Emulation plans are typically derived from MITRE ATT&CK mappings and threat-intel reporting.
AI Red Teaming
AI
Structured testing of an AI system — LLMs, classifiers, agents — to surface harmful, deceptive, or unsafe behaviors before deployment. Distinct from traditional security testing in that the surface includes prompts, training data, and agentic side-effects.
Allowlisting
SOC
aka formerly “whitelisting”
A control posture where only explicitly approved binaries, scripts, or network destinations are permitted to execute or connect. The inverse of denylisting. Effective against unknown malware but operationally heavy.
Artifact
DFIR
In forensics, any digital trace left by user or attacker activity — registry keys, prefetch entries, shellbags, browser caches, journal records, log lines. Artifacts are the raw material of investigation.
Attack Surface
Governance
The sum of all points where an attacker can attempt entry — exposed services, applications, identities, supply-chain dependencies, and human targets. Attack-surface management (ASM) is the continuous discovery and reduction of this exposure.
Attribution
Intel
The analytic judgment that a specific actor — group, government, or individual — is responsible for an intrusion. Strong attribution requires convergent technical, operational, and strategic evidence; loose attribution is rumor.
Audit Log
SOC
A tamper-resistant record of significant events on a system — logins, privilege changes, configuration edits, data access. The substrate for both detection engineering and forensic reconstruction.
Backdoor
DFIR
A persistent mechanism that lets an attacker re-enter a compromised system, bypassing normal authentication. Backdoors range from custom implants to abused legitimate services (RMM tools, scheduled tasks, AD trusts).
Beacon
Hunt
aka e.g. Cobalt Strike beacon
A piece of attacker code that calls back to command-and-control on an interval. Beaconing patterns — cadence, jitter, host, user-agent — are a primary hunt signal.
Blue Team
SOC
The defensive side of a security organization — SOC analysts, hunters, IR, detection engineers. The day-to-day operators who build, run, and tune defenses.
Bridge (Cross-chain)
Blockchain
A protocol that moves assets between blockchains, typically by locking on one chain and minting on another. Bridges hold large pooled balances and have been the single largest target class in DeFi history.
Business Email Compromise (BEC)
DFIR
Fraud executed by hijacking or impersonating a legitimate business email account — typically to redirect a wire transfer or invoice payment. Frequently the highest-loss incident category for non-ransomware victims.
Chain of Custody
DFIR
The documented trail of who handled evidence, when, and how — from acquisition through analysis to courtroom. A break in chain of custody can render technically sound forensic findings legally inadmissible.
CISO
Governance
aka Chief Information Security Officer
The executive accountable for an organization’s information-security posture. Modern CISOs operate at the intersection of risk, regulation, engineering, and increasingly, board governance and personal liability.
Command and Control (C2)
Hunt
aka C&C
The infrastructure attackers use to send instructions to and receive data from compromised hosts. Modern C2 hides in legitimate cloud services, social platforms, and DNS tunnels to evade blocking.
Compromise Assessment
Hunt
A point-in-time investigation of an environment to determine whether a breach has occurred or is ongoing. Hypothesis-light, telemetry-heavy — often run when an organization has reason to suspect something but no firm alert.
Containment
DFIR
The IR phase where the immediate spread of an incident is halted — isolating hosts, disabling accounts, blocking infrastructure — without yet remediating the underlying access. Containment buys time for eradication.
Credential Stuffing
Offensive
Automated login attempts using credentials leaked or breached from other services, exploiting password reuse. Defended via MFA, rate limiting, and breach-corpus checks at signup.
Cryptanalysis
Offensive
The study of weaknesses in cryptographic systems — protocols, primitives, or implementations — with the goal of recovering plaintext, keys, or signatures without the secret. Distinct from cryptography (the design side).
Data Exfiltration
Hunt
aka exfil
The unauthorized transfer of data out of a network. Modern exfil hides in cloud storage uploads, compressed archives, and DNS queries; bandwidth alone is no longer a reliable signal.
DDoS
Warfare
aka Distributed Denial of Service
An attack that overwhelms a target’s capacity — bandwidth, sessions, or compute — from many sources. Increasingly used as cover for more targeted intrusions or as extortion leverage.
DeFi
Blockchain
aka Decentralized Finance
Smart-contract-based financial primitives — lending, swapping, derivatives — running without traditional intermediaries. Composability is its strength and its largest source of systemic risk.
Detection Engineering
SOC
The discipline of writing, testing, and maintaining the rules and analytics that turn telemetry into alerts. Treats detections as code: version-controlled, tested, instrumented, decommissioned.
DFIR
DFIR
aka Digital Forensics & Incident Response
The combined practice of investigating computer-based incidents and the legal-grade collection of evidence about them. The two halves are inseparable in serious cases — what you cannot prove, you cannot prosecute.
DLP
Governance
aka Data Loss Prevention
Controls and tooling that detect or block movement of sensitive data — PII, source code, financial records — out of authorized boundaries. Effective when paired with data classification; theatrical without it.
DNS Tunneling
Hunt
Smuggling C2 traffic or exfiltrated data inside DNS queries and responses, exploiting DNS’s near-universal egress. A persistent hunt target; defenders look for query length, entropy, and unusual record types.
Dwell Time
Intel
The interval between an attacker’s initial compromise and their detection. Measured in days for ransomware, months or years for state-aligned espionage. Reducing dwell time is a primary outcome metric for SOCs.
EDR
SOC
aka Endpoint Detection & Response
Endpoint agents that record process, file, and network telemetry, run detection logic locally, and enable remote investigation and response actions. The single most consequential defensive technology of the last decade.
Eradication
DFIR
The IR phase where attacker access and tooling are fully removed from the environment — not just contained. Requires confidence in scope; partial eradication is how organizations get re-breached within weeks.
Exploit
Offensive
Code, technique, or sequence that takes advantage of a specific vulnerability to achieve attacker-controlled effect — code execution, privilege escalation, information disclosure. Distinct from the vulnerability itself.
Forensic Image
DFIR
aka bit-for-bit copy
A complete, hashed copy of a storage device or memory range, suitable for analysis without altering the original. The atomic unit of evidence in computer forensics.
Fuzzing
Offensive
Automated input mutation against a target program to find inputs that crash, hang, or produce unexpected behavior — often surfacing memory-safety or logic bugs. Modern fuzzers are coverage-guided.
Governance, Risk & Compliance (GRC)
Governance
The administrative discipline of aligning security activity with organizational risk appetite, regulatory obligation, and policy. Done well, GRC informs operators; done poorly, it generates paperwork that protects no one.
Hashing
DFIR
A one-way mathematical function (e.g. SHA-256) that produces a fixed-length fingerprint of input data. Used to verify forensic-image integrity, identify known-bad files, and confirm tamper status of evidence.
Hunt Hypothesis
Hunt
A specific, falsifiable statement about adversary activity that drives a hunt — e.g. “An attacker has used WMI for lateral movement to a finance server in the past 30 days.” Without a hypothesis, hunting is browsing.
Implant
Hunt
Persistent attacker code installed on a compromised host to provide ongoing access, command execution, and data collection. Implants are the modern term for what used to be called backdoors or RATs.
Incident Response (IR)
DFIR
The structured process of detecting, containing, eradicating, and recovering from a security incident — while preserving evidence and meeting legal and regulatory obligations.
Indicator of Compromise (IOC)
Intel
An observable artifact — hash, IP, domain, registry key — correlated with malicious activity. IOCs age fast; TTPs outlast them.
Initial Access
Hunt
The first foothold an attacker establishes in a target environment — phishing, exposed RDP, exploited public app, compromised credential. The first ATT&CK tactic; the most contested ground.
Insider Threat
Governance
A risk originating from a person with legitimate access — employee, contractor, partner. Splits into malicious (intentional theft, sabotage) and negligent (mistakes, policy violations).
ISO/IEC 27001
Governance
International standard for information-security management systems (ISMS). A certification target for organizations that need to demonstrate systemic security governance to enterprise customers and regulators.
Jailbreak
AI
Adversarial input that causes an AI system — typically an LLM or aligned model — to produce content or take actions its safety training was meant to refuse. Often combined with role-play, encoding, or context manipulation.
Kerberoasting
Offensive
An Active Directory attack that extracts and offline-cracks the password hashes of service accounts by abusing how Kerberos issues tickets. A staple of internal penetration tests against Windows estates.
Kill Chain
Intel
aka Lockheed Martin Cyber Kill Chain
A model that breaks an intrusion into sequential phases — recon, weaponize, deliver, exploit, install, C2, actions on objectives. Useful as a teaching frame; superseded operationally by ATT&CK.
Lateral Movement
Hunt
Attacker activity that pivots from an initial foothold to additional hosts and identities inside the environment — pass-the-hash, RDP, WMI, SSH, abuse of trust relationships. Where most dwell time accrues.
Living off the Land (LotL)
Hunt
aka LOLBins
Attacker tradecraft that uses tools already present on the operating system — PowerShell, certutil, wmic, BITSAdmin — instead of dropped malware. Bypasses naive AV but leaves behavioral signal.
Log4Shell
Offensive
aka CVE-2021-44228
A 2021 critical RCE in the Log4j Java logging library that affected an estimated several hundred million systems. The defining vulnerability of the modern software-supply-chain era.
Malware Analysis
DFIR
The reverse-engineering of malicious code to determine functionality, capability, and indicators — statically (without execution) or dynamically (in instrumented sandboxes). Output feeds detections and attribution.
MFA
Governance
aka Multi-Factor Authentication
Authentication that requires two or more independent factors — knowledge, possession, inherence. Phishing-resistant MFA (FIDO2/passkeys) raises the bar far higher than push-based MFA, which remains widely bypassed.
MITRE ATT&CK
Intel
A curated knowledge base of adversary tactics, techniques, and procedures observed in real intrusions, organized as a matrix. The de facto common language between detection, intel, and offensive teams.
NIST CSF
Governance
aka NIST Cybersecurity Framework
A voluntary framework from the US National Institute of Standards and Technology organizing cybersecurity activity into Govern, Identify, Protect, Detect, Respond, Recover. The lingua franca of US enterprise security programs.
OPSEC
Intel
aka Operational Security
The practice of protecting information about an operation — sources, methods, identities, schedules — from adversary collection. Originally a military discipline; equally critical in offensive engagements and intel work.
Oracle (Blockchain)
Blockchain
A service that supplies external data to a smart contract — price feeds, weather, identity. Oracle manipulation is a recurring root cause of large DeFi exploits.
Penetration Test
Offensive
aka pentest
A scoped, time-boxed offensive engagement that attempts to compromise specified assets to surface exploitable weaknesses. Distinct from red teaming (broader, stealthier, objective-driven) and vuln scanning (automated).
Persistence
Hunt
The mechanisms attackers use to survive reboots, log-offs, and credential resets — scheduled tasks, services, registry run keys, AD object abuse, OAuth grants. ATT&CK’s most populated tactic.
Phishing
DFIR
Social-engineering delivery via email, SMS (smishing), or voice (vishing) designed to harvest credentials, deploy malware, or initiate fraud. Despite a decade of defense investment, still the modal initial-access vector.
Playbook
SOC
A documented response procedure for a specific incident type or alert — prerequisites, steps, decision points, escalation paths. The unit of operational maturity in SOC and IR.
Prompt Injection
AI
Adversarial content — in user input, retrieved documents, or tool outputs — that hijacks an LLM’s instructions. Direct injection comes from the user; indirect injection comes through context the model trusts.
Purple Team
Warfare
A collaborative engagement where red operators and blue defenders work side-by-side — running attacks, observing detection, tuning controls in real time. Faster feedback loop than serial red-then-debrief.
Ransomware
DFIR
Malware that encrypts data and demands payment for decryption. Modern ransomware groups also exfiltrate data first (double extortion) and target backups, hypervisors, and identity infrastructure.
Red Team
Warfare
An offensive engagement scoped against an organization’s full kill chain — people, process, technology — with stealth and an objective (e.g. crown-jewel data, domain admin, payment system). Distinct from a pentest.
Reverse Engineering
Offensive
The systematic disassembly of compiled software to recover its design and behavior. In security: malware analysis, vulnerability research, compatibility, IP investigation.
Risk
Governance
In security, the product of likelihood and impact for a defined threat scenario, modulated by control effectiveness. The unit of executive conversation; the bridge between operators and the board.
Sandbox
DFIR
An isolated execution environment instrumented to observe a binary or script’s behavior — system calls, network, file changes — without risk to production. The first stop for unknown samples.
SBOM
Governance
aka Software Bill of Materials
A formal inventory of components — libraries, modules, dependencies — in a piece of software. Required for serious supply-chain risk management and increasingly mandated by procurement and regulation.
Side-Channel Attack
Offensive
An attack that recovers secrets by observing physical or implementation-level effects of computation — timing, power draw, EM emissions, cache behavior — rather than cryptographic weakness in the algorithm itself.
SIEM
SOC
aka Security Information & Event Management
A platform that aggregates, normalizes, and analyzes log and telemetry data from across the environment to enable detection, alerting, and investigation. Increasingly fused with SOAR and data-lake architectures.
Smart Contract
Blockchain
Code deployed to a blockchain that executes deterministically when called. Once deployed, often immutable; bugs in smart-contract logic have caused multi-billion-dollar losses.
SOAR
SOC
aka Security Orchestration, Automation & Response
Tooling that codifies playbooks — enrich, decide, act — across the security stack. Effective on high-volume, well-defined alerts; oversold for novel investigations.
SOC
SOC
aka Security Operations Center
The team and tooling responsible for continuous monitoring, triage, and initial response to security events. Modern SOCs blend tier-1/2/3 analysts, threat hunters, detection engineers, and IR.
SOC 2
Governance
An attestation report (Type I or Type II) on the design and operating effectiveness of an organization’s controls against the AICPA Trust Services Criteria. The default enterprise-customer security ask in the US.
Supply Chain Attack
Intel
An intrusion that reaches its target by compromising a trusted upstream component — a software vendor, a library, a build system, a hardware OEM. SolarWinds, 3CX, and XZ are reference cases.
Telemetry
SOC
The structured event data generated by endpoints, networks, identities, and applications — the raw input to detection, hunt, and forensics. Coverage and quality of telemetry, more than tooling, determine defensive ceiling.
Threat Actor
Intel
An individual, group, or nation-state engaged in malicious cyber activity. Categorized by sophistication, motivation (financial, espionage, disruption, hacktivism), and tradecraft.
Threat Hunting
Hunt
The proactive, hypothesis-driven search through telemetry for adversary activity that has evaded automated detection. The discipline that finds what the SIEM missed.
Threat Intelligence
Intel
The collection, analysis, and dissemination of finished knowledge about adversaries, their capabilities, and their intentions — structured to inform decisions at strategic, operational, and tactical levels.
Threat Model
Governance
A structured analysis of what could go wrong for a given system — assets, actors, entry points, mitigations. STRIDE, PASTA, and attack trees are common formalisms. Done early; not done late.
Timeline
DFIR
In forensics, the chronologically ordered sequence of artifacts — file timestamps, log entries, registry writes, journal records — that reconstructs activity on a system. The narrative spine of an investigation.
TTP
Intel
aka Tactics, Techniques & Procedures
The behavioral patterns of an adversary — what they aim to accomplish (tactic), how they do it (technique), and the specific way they implement it (procedure). The most durable layer of attribution.
UEBA
SOC
aka User & Entity Behavior Analytics
Detection technique that baselines normal behavior of users and entities and surfaces statistical deviations — impossible travel, unusual data access, off-hours activity. Effective against insider and credential-theft scenarios.
Vulnerability
Offensive
A weakness in design, implementation, or configuration that an attacker can use to violate an explicit or implicit security policy. Tracked publicly via CVE identifiers; exists on a spectrum from theoretical to weaponized.
Watering Hole
Intel
A targeted attack that compromises a website or service known to be visited by a victim community — an industry forum, a vendor portal — and uses it to deliver exploits to that audience selectively.
XDR
SOC
aka Extended Detection & Response
A platform category that correlates detections across endpoint, identity, network, email, and cloud telemetry into unified incidents. XDR’s real value is correlation; the “X” without unified data is marketing.
YARA
Hunt
A pattern-matching language for identifying and classifying malware via textual and binary signatures. The shared currency of detection engineers, malware analysts, and CTI teams.
Zero Day
Offensive
aka 0day
A vulnerability exploited before the vendor has issued a patch — or, sometimes, before the vendor knows it exists. The most expensive end of the offensive-tool market and the highest-impact category of incident.
Zero Trust
Governance
An architectural posture that grants no implicit trust to any user, device, network, or workload — access is continuously verified, least-privileged, and policy-evaluated per request. A program, not a product.