● 163 entries

Defense & Operations

Active DefenseA defensive strategy that goes beyond passive monitoring to engage, mislead, and disrupt adversaries inside the defender's own network and assets.
Aircrack-ngAn open-source Wi-Fi auditing suite used to capture 802.11 traffic and recover WEP and WPA/WPA2 pre-shared keys from handshakes.
Alert FatigueThe desensitization of analysts caused by excessive, low-value, or repetitive security alerts that erodes attention and slows real incident response.
Antivirus (AV)Endpoint software that detects and removes malicious files using signature databases, file scanning, and basic heuristics — the historical foundation of endpoint security.
Application Allowlisting (Whitelisting)A defensive control that permits only explicitly approved executables, scripts, and libraries to run on an endpoint, blocking everything else by default.
APT GroupA named, tracked threat actor (usually state-sponsored) that conducts targeted, long-term, well-resourced intrusion campaigns against specific organisations or sectors.
Asset ManagementThe continuous discovery, inventory, classification, and lifecycle tracking of every hardware, software, cloud, and data asset that the security program must protect.
Assume BreachA security operating philosophy that designs controls, monitoring, and architecture around the premise that an adversary is already inside the environment, prioritizing detection, containment, and recovery alongside (not instead of) prevention.
Attack FlowA MITRE Engenuity Center for Threat-Informed Defense language and toolset for describing how adversaries chain techniques into multi-step operations, complementing ATT&CK's per-technique catalog with sequencing and decision logic.
Attack PatternA reusable description of how attackers exploit a class of weaknesses, used to map techniques, build detections, and harden systems against threats.
Attack Surface Management (ASM)Continuous discovery, inventory, classification, and monitoring of all assets that expose an organization to potential cyberattack.
Behavioral DetectionA detection approach that identifies malicious activity from the runtime behavior of processes, users, and network flows rather than from static file signatures.
Black Hat HackerA malicious threat actor who breaks into systems without authorization for personal gain, ideology, or harm, in violation of computer-crime laws.
BlackCat / ALPHVA Rust-based ransomware-as-a-service operation active from late 2021 to 2024, notable for cross-platform encryptors and aggressive multi-stage extortion.
BloodHoundAn open-source tool that uses graph theory to map and analyze Active Directory and Azure AD attack paths to high-value targets like Domain Admin.
Blue TeamThe defensive security group responsible for monitoring, detecting, responding to, and continuously improving defenses against attacks.
Burp SuiteAn intercepting web proxy and testing toolkit by PortSwigger, used to discover, manipulate, and exploit vulnerabilities in HTTP and HTTPS applications.
Business Impact Analysis (BIA)A structured analysis that identifies critical business processes, their dependencies, and the operational, financial and reputational impact of their disruption.
CensysAn internet-wide scanning platform that publishes structured data on hosts and TLS certificates, used for attack-surface management and infrastructure pivoting.
Certificate TransparencyAn ecosystem of append-only public logs of TLS certificates, defined by RFC 6962 and 9162, that lets anyone audit which certificates exist for any domain.
Change ManagementStructured process to propose, review, approve, schedule, implement, and review changes to IT systems with controlled risk and clear traceability.
Cobalt StrikeA commercial adversary-simulation platform widely used for red-team operations and frequently abused by threat actors for post-exploitation and command-and-control.
Collection (MITRE Tactic)The MITRE ATT&CK tactic (TA0009) covering techniques used to gather information of interest before it is exfiltrated.
Compensating ControlsAlternative safeguards that provide an equivalent level of protection when a primary or required control cannot be implemented.
Configuration ManagementThe discipline of establishing, recording, and enforcing the desired state of systems and applications so configurations remain known, consistent, and secure.
Container Image ScanningThe practice of analyzing OCI/Docker images for known vulnerabilities, secrets, malware, and policy violations before they are deployed to a container runtime.
Conti RansomwareA Russian-speaking ransomware operation active 2020-2022 that ran one of the highest-volume double-extortion programmes before disbanding after major internal leaks.
Corrective ControlsSecurity measures that act after an incident to limit damage, eradicate threats, and restore systems to a known-good state.
Credential AccessThe MITRE ATT&CK tactic (TA0006) that covers techniques used to steal account names, passwords, tokens, and other secrets.
Crown Jewels AnalysisA MITRE-popularized methodology that identifies the small set of mission-critical assets whose loss would unacceptably harm the organization, then concentrates protection, monitoring, and IR investment there.
Cyber Kill ChainLockheed Martin's seven-stage model that describes how a targeted intrusion progresses from reconnaissance to actions on objectives.
Cyber Threat Intelligence (CTI)Evidence-based knowledge about adversaries, their motivations, and methods, used to inform defensive decisions and prioritize controls.
Cybercrime-as-a-Service (CaaS)An underground service model in which specialised criminal vendors sell tooling, infrastructure, or expertise so customers can run cyber attacks without building capabilities themselves.
Database Activity Monitoring (DAM)A security control that continuously observes database queries, privileged-user actions, and schema changes to enforce policy and detect data abuse in real time.
Database FirewallAn inline security appliance or proxy that inspects SQL traffic against an allow-list policy and blocks injection, privilege misuse, and unauthorized statements before they hit the database.
Deception TechnologyA defensive approach that deploys decoys, breadcrumbs, and fake assets across the environment to detect, mislead, and study attackers with high fidelity.
Defense EvasionThe MITRE ATT&CK tactic (TA0005) covering techniques attackers use to avoid detection, disable security tools, and hide their activity on a target system.
Detection EngineeringThe discipline of designing, testing, deploying, and maintaining security detections as code, with measurable coverage of adversary techniques.
Detective ControlsSecurity measures designed to identify and alert on malicious activity, policy violations, or anomalies after they occur in an environment.
Diamond Model of Intrusion AnalysisAn intrusion analysis framework that ties every malicious event to four linked vertices: adversary, capability, infrastructure, and victim.
Discovery (MITRE Tactic)The MITRE ATT&CK tactic (TA0007) covering techniques attackers use to learn about a compromised environment after gaining access.
Dwell TimeThe interval between an adversary's initial compromise of an environment and the defender's detection of that compromise — a headline industry metric reported annually by IR firms such as Mandiant.
eBPF SecurityThe use of extended Berkeley Packet Filter (eBPF) programs running in the Linux kernel to provide deep observability and policy enforcement for processes, networking, and syscalls.
EDR (Endpoint Detection and Response)An endpoint security technology that continuously records process, file, registry and network activity to detect, investigate and respond to threats on hosts.
Elastic Stack (ELK)An open-source platform from Elastic N.V. combining Elasticsearch, Logstash, Kibana, and Beats for ingesting, indexing, searching, and visualizing security and operational logs at scale.
Endpoint IsolationAn EDR response action that severs a compromised host's network connectivity except to the security tooling, so attackers cannot move laterally while responders investigate.
EPP (Endpoint Protection Platform)A preventive endpoint security suite that combines antivirus, anti-malware, host firewall and exploit protection to block threats before they execute on a device.
Ethical HackerA security professional authorized to use offensive techniques against systems to identify weaknesses and help owners remediate them before adversaries exploit them.
Execution (MITRE Tactic)The MITRE ATT&CK tactic (TA0002) covering techniques that run adversary-controlled code on a local or remote system.
ExfiltrationThe MITRE ATT&CK tactic (TA0010) covering techniques used to transfer stolen data out of a victim network to an attacker-controlled location.
External Attack Surface Management (EASM)Continuous discovery and monitoring of all internet-facing assets that belong to an organization, viewed from an outside-in attacker perspective.
FalcoAn open-source cloud-native runtime security engine that detects abnormal container, host, and Kubernetes behavior by streaming syscalls and audit events through a rules engine.
False NegativeMalicious activity that a detection failed to flag, leaving the threat unnoticed and allowing the attacker to continue without alerting defenders.
False PositiveA security alert that flags benign activity as malicious, costing analyst time and eroding trust in the detection that produced it.
File Integrity Monitoring (FIM)A security control that detects unexpected changes to critical operating-system, application, and configuration files by comparing them to a known-good cryptographic baseline.
FIN Threat GroupA Mandiant-style designation for a financially motivated threat group whose intrusions target payment systems, retailers, hospitality, and financial institutions.
Google Chronicle SecOpsGoogle Cloud's cloud-native SIEM and SOAR (formerly Backstory) that stores petabyte-scale telemetry at a flat per-employee price and queries it with the YARA-L detection language.
Grey Hat HackerA hacker who operates between ethical and unethical extremes, often probing systems without explicit authorization but typically with the intent to disclose, not harm.
Hack-BackOffensive retaliatory action by a private victim against an attacker's infrastructure, generally illegal under most national computer-misuse laws.
HackerA person with deep technical curiosity who uses creative problem-solving to understand, modify, or break systems, software, networks, or hardware.
HacktivistA threat actor who carries out cyber attacks to advance a political, social, or ideological cause rather than for financial gain or state intelligence objectives.
HashcatAn open-source, GPU-accelerated password-recovery tool that cracks hundreds of hash and authentication algorithms using dictionary, rule, mask, and hybrid attacks.
Heuristic DetectionA detection method that uses rule-of-thumb indicators — suspicious code patterns, packers, anomalous strings, and API call combinations — to flag likely-malicious files without an exact signature.
Honey AccountA decoy credential or account — often without a full identity persona — designed to trigger alerts when attempted by an attacker.
HoneyfileA decoy document planted in storage to trigger an alert if an attacker or insider reads, copies, or exfiltrates it.
HoneyuserA fake identity provisioned in directory services and HR systems so that any login attempt or enumeration immediately reveals an attacker.
Impact (MITRE Tactic)The MITRE ATT&CK tactic (TA0040) covering techniques whose goal is to disrupt availability or integrity of systems, data, or business processes.
Indicator of Attack (IoA)Behavioral evidence that an attacker is attempting an intrusion right now, focused on intent and technique rather than after-the-fact artifacts.
Indicator of Compromise (IoC)An observable artifact — such as a file hash, IP, domain, URL, or registry key — that suggests a system has been or is being compromised.
Initial AccessThe MITRE ATT&CK tactic (TA0001) that covers techniques attackers use to first establish a foothold inside a target environment.
Initial Access Broker (IAB)A cybercrime specialist who obtains unauthorised access to corporate networks and sells that access to other criminals, especially ransomware affiliates.
Insider ThreatThe risk that a current or former employee, contractor, or partner with authorised access misuses it to cause harm, intentionally or by negligence.
Kali LinuxA Debian-based Linux distribution from OffSec that pre-packages hundreds of penetration testing, red-teaming, and digital forensics tools.
Lateral MovementThe MITRE ATT&CK tactic (TA0008) covering techniques that let an attacker pivot from one compromised host to others across the environment.
LockBitA Russian-speaking ransomware-as-a-service operation that became the most prolific ransomware brand globally between 2022 and 2024 before being heavily disrupted by Operation Cronos.
Log AggregationThe collection, normalization, and centralized storage of event logs from many systems into a single platform for search, analysis, and retention.
Log CorrelationJoining events from multiple log sources by shared fields, time windows, or sequence to reveal multi-stage activity that individual logs cannot show.
MDR (Managed Detection and Response)A managed service in which an external provider operates detection, threat hunting and incident response on behalf of a customer, typically using EDR/XDR and SIEM telemetry.
Mean Time to Contain (MTTC)The average time between detecting a security incident and reaching a state where the threat can no longer spread, exfiltrate, or cause further damage.
Mean Time to Detect (MTTD)The average elapsed time between the start of a security incident and the moment defenders identify it.
Mean Time to Recover (MTTR)The average time required to restore affected systems and services to normal operation after a security incident or outage.
Mean Time to Respond (MTTR)The average time between detecting a security incident and initiating an effective response action against it.
MetasploitAn open-source exploitation framework that bundles exploits, payloads, and post-exploitation modules into a single platform for penetration testers and researchers.
Microsoft SentinelA cloud-native SIEM and SOAR service from Microsoft running on Azure, querying logs with Kusto Query Language (KQL) and integrating natively with Microsoft 365 Defender and Azure data sources.
MimikatzAn open-source Windows post-exploitation tool that extracts plaintext passwords, hashes, Kerberos tickets, and other credentials from memory and LSASS.
MISPMISP is an open-source threat intelligence platform for collecting, storing, correlating, and sharing structured indicators and analyst context across trusted communities.
mitmproxyAn open-source interactive TLS-capable proxy used by security and QA engineers to intercept, inspect, modify, and replay HTTP and HTTPS traffic.
MITRE CalderaAn open-source adversary emulation platform from MITRE that automates the execution of ATT&CK techniques against a target environment via lightweight agents, supporting red-team operations and detection-engineering exercises.
MITRE EngageAn adversary engagement framework from MITRE that codifies deception, denial, and engagement activities for defenders, superseding the earlier MITRE Shield knowledge base.
Nation-State ActorA government-sponsored or government-aligned threat actor that conducts cyber operations to pursue strategic, intelligence, military, or economic objectives.
NDR (Network Detection and Response)A network security technology that analyses traffic — including decrypted, metadata and flow data — using behavioral analytics and ML to detect threats and orchestrate response.
NessusA commercial vulnerability scanner from Tenable that identifies missing patches, misconfigurations, and exposed services across networks, endpoints, and cloud workloads.
NetFlowA Cisco-originated flow-record protocol, and its successors sFlow and IPFIX, that exports summarized metadata about every conversation crossing a network device.
Next-Generation Antivirus (NGAV)Endpoint protection that augments signature scanning with machine-learning models, behavioral analytics, and exploit prevention to stop unknown and fileless threats.
NmapAn open-source network scanner used to map hosts, enumerate open ports and services, and fingerprint operating systems on IP networks.
Operational Threat IntelligenceMid-term intelligence about specific campaigns, threat actors, and their TTPs, used to prepare defenders, hunt threats, and prioritize controls.
osqueryAn open-source endpoint instrumentation framework, originally from Facebook, that exposes operating-system state — processes, sockets, files, users, kernel modules — as a SQL-queryable virtual database for inventory, detection, and IR.
OSSECA free, open-source host-based intrusion detection system that performs log analysis, file integrity monitoring, rootkit detection, and active response on Linux, Windows, macOS, and Solaris.
OTXOTX is an open, community-driven threat intelligence exchange — originally AlienVault, now LevelBlue OTX — where researchers publish indicators bundled into Pulses.
Passive DNSA historical database of observed DNS resolutions that lets investigators look up which IPs a domain pointed to and which domains shared an IP over time.
Patch ManagementThe end-to-end process of identifying, testing, deploying, and verifying software updates that fix vulnerabilities or bugs.
PCAPA binary packet-capture file format produced by libpcap, tcpdump, and Wireshark that stores network packets exactly as they were seen on the wire.
Penetration TestingAn authorized, simulated cyberattack against systems, applications, or people to identify exploitable weaknesses before real adversaries do.
PersistenceThe MITRE ATT&CK tactic (TA0003) covering techniques that let an attacker maintain access to a system across reboots, credential changes, and incident response.
Post-MortemA blameless review held after an incident to capture the timeline, contributing factors, and concrete actions that will prevent or detect the issue next time.
Preventive ControlsControls designed to stop a security event from occurring in the first place by removing the opportunity or capability to act.
Purple TeamA collaborative engagement model in which red and blue teams work openly together to improve detection and response in near real time.
Pyramid of PainA model by David Bianco that ranks indicators of compromise by how painful it is for adversaries when defenders detect or block them.
Quarantine (Endpoint)An endpoint security action that moves a suspected-malicious file out of its original location into a controlled, neutered store so it cannot execute but can still be analyzed or restored.
Ransomware GangA financially motivated cybercriminal group that develops, operates, or distributes ransomware to extort organisations through file encryption and data leak threats.
ReconnaissanceThe first phase of an attack, in which adversaries gather information about a target's people, technology, and exposure before launching intrusion attempts.
Recovery Point Objective (RPO)The maximum acceptable amount of data loss, expressed as a time window, that a business can tolerate after a disruption.
Recovery Time Objective (RTO)The maximum acceptable duration that a business process or system can be unavailable after a disruption before unacceptable consequences occur.
Red TeamAn offensive security group that emulates real adversaries end-to-end to test how an organization detects, contains, and responds to attacks.
REvil / SodinokibiA Russian-speaking ransomware-as-a-service operation active 2019-2021, known for double extortion and the high-impact Kaseya VSA supply-chain attack.
Sandbox / Emulator DetectionAnti-analysis techniques in malware that recognize when the host is an analysis sandbox, emulator, or virtual machine and then refuse to detonate to evade detection.
Sandbox EscapeA vulnerability or exploit chain that lets code break out of an isolating sandbox — browser, VM, or hypervisor — to gain code execution in the surrounding host environment.
Script KiddieAn unskilled attacker who uses pre-made tools, scripts, or services written by others to perform attacks without understanding the underlying techniques.
Security BaselineA documented, minimum-acceptable security configuration that all systems of a given type must meet before being placed into production.
Security ControlsSafeguards or countermeasures — technical, administrative, or physical — used to prevent, detect, or respond to threats against information assets.
Security OnionA free, open-source Linux distribution for threat hunting, network security monitoring, and log management, created by Doug Burks and maintained by Security Onion Solutions.
Security Operations Center (SOC)A centralized team and facility that continuously monitors, detects, investigates and responds to cybersecurity incidents across an organization's IT estate.
Security PlaybookA documented, repeatable procedure that tells responders exactly what to do, in what order, for a specific type of security alert or incident.
Security PostureThe overall strength of an organization's cybersecurity defences, expressed as its ability to predict, prevent, detect, respond to and recover from threats.
Service Level Agreement (SLA)A formal contract that defines the expected level of service between a provider and its customer, including measurable performance and security commitments.
ShodanA search engine that continuously scans the internet and indexes service banners so users can query exposed devices, ports, software versions, and certificates.
SIEMA platform that aggregates, normalizes and correlates security telemetry from across the enterprise to enable detection, investigation, compliance and reporting.
SIEM Rule TuningThe continuous process of adjusting detection rules in a SIEM to reduce false positives, close gaps, and align with the organisation's threat model.
Sigma RuleA vendor-neutral, YAML-based detection signature for log events that can be converted into queries for SIEM, EDR, or XDR back-ends.
Snort RuleA signature in the Snort intrusion-detection rule language that describes network traffic patterns to alert on or block in IDS or IPS mode.
SOARA platform that automates and orchestrates SOC workflows by chaining detections, enrichments and response actions into playbooks executed across security tools.
SOC Maturity ModelA framework that scores a Security Operations Center across people, process, technology, and services to guide a multi-year improvement roadmap.
Splunk Enterprise SecurityA commercial SIEM solution from Splunk Inc. (acquired by Cisco in 2024) that ingests, indexes, and correlates machine data using the Splunk Processing Language (SPL) for security monitoring and investigation.
Splunk SPL QueryA search written in Splunk's Search Processing Language to filter, transform, correlate, and visualise machine data for detection, hunting, and reporting.
STIXSTIX is an OASIS standard that defines a structured, machine-readable language for representing and exchanging cyber threat intelligence between organizations and tools.
Strategic Threat IntelligenceHigh-level, long-term intelligence about the threat landscape, adversary intent, and geopolitical context that informs executive and board-level decisions.
SuricataAn open-source, high-performance network IDS, IPS, and security-monitoring engine maintained by the Open Information Security Foundation (OISF).
SysmonA Microsoft Sysinternals Windows driver that emits rich event-log telemetry about process, network, file, registry, and image-load activity for security monitoring.
System HardeningReducing the attack surface of a system by removing unnecessary features, tightening configurations, and enforcing secure defaults.
Tactical Threat IntelligenceShort-lived, technical intelligence about adversary tools, indicators, and signatures, consumed by SOC analysts and security tooling to detect and block attacks.
Tactics, Techniques and Procedures (TTPs)A layered description of how a threat actor operates: tactics (the why), techniques (the how), and procedures (the specific implementation).
TAXII ProtocolTAXII is an OASIS application-layer protocol over HTTPS for publishing, discovering, and consuming cyber threat intelligence — typically STIX content — between organizations.
Threat ActorAn individual or group that intentionally causes or attempts to cause harm to information systems, organisations, or people through cyber operations.
Threat HuntingProactive, hypothesis-driven search through telemetry to uncover threats that have evaded existing detections.
Threat IntelligenceEvidence-based knowledge about threats and threat actors — including indicators, TTPs and context — used to guide security decisions and detection.
TLPTLP is a simple labeling scheme maintained by FIRST that signals how sensitive shared cyber information is and with whom it may be redistributed.
TrivyAn open-source, single-binary scanner from Aqua Security that finds CVEs, misconfigurations, secrets, SBOM data, and license issues in container images, file systems, Git repos, and Kubernetes clusters.
UBA (User Behavior Analytics)An analytics technology that establishes baselines of normal user activity and flags anomalies to detect account misuse, insider threats and compromised credentials.
UEBA (User and Entity Behavior Analytics)A detection technology that profiles normal behavior of users and entities, then surfaces statistical or machine-learning anomalies that may indicate compromise or insider risk.
UNC Cluster (Uncategorized)A Mandiant tracking label for a set of related intrusions whose actor, motivation, or sponsor has not yet been confirmed enough to graduate to APT or FIN.
UTM (Unified Threat Management)An all-in-one network security appliance that combines firewall, IPS, web filtering, antivirus and VPN in a single device, primarily targeted at SMBs and branch offices.
VERIS FrameworkVerizon's Vocabulary for Event Recording and Incident Sharing — an open schema for describing security incidents in a structured, comparable way.
Vulnerability AssessmentA systematic review of an environment to identify, classify, and prioritize security weaknesses, typically without active exploitation.
Vulnerability ScanningAutomated process that probes systems, applications, or containers against known vulnerability signatures to produce a list of potential weaknesses.
WazuhAn open-source XDR and SIEM platform — a 2015 fork of OSSEC — that unifies endpoint, cloud, and container telemetry with built-in dashboards on the Wazuh Indexer and Dashboard.
White Hat HackerA security professional who uses offensive skills only with explicit authorization, to find and report vulnerabilities so defenders can fix them.
White TeamNeutral facilitators who design, oversee, and arbitrate cybersecurity exercises and competitions to keep them safe, fair, and aligned with objectives.
WHOIS LookupA query against the WHOIS or RDAP database that returns the registration details of a domain or IP, including registrar, registrant, dates, and name servers.
WiresharkAn open-source network protocol analyzer that captures and inspects packets in real time for troubleshooting, security analysis, and education.
XDR (Extended Detection and Response)A security platform that unifies telemetry from endpoint, network, identity, email and cloud sensors to deliver correlated detections and integrated response actions.
YARA RuleA textual signature in the YARA language that describes byte, string, or behavioral patterns used to classify and detect malware samples and files.
Yellow TeamThe builders — developers, architects, and DevOps engineers — who design and ship the systems that red and blue teams attack and defend.
ZeekAn open-source network security monitor (formerly Bro) that turns network traffic into structured, protocol-aware logs and scripts for threat detection.