Reference

Cybersecurity Glossary

Plain-English definitions of the terms you'll meet across this platform and in modern threat intelligence. 26 terms and counting.

A B C D E I K L M P R S T W Z

Advanced Persistent ThreatAPT: A sophisticated, often state-sponsored adversary that gains and maintains long-term, stealthy access to a network to steal data or stage disruption, rather than seeking immediate financial gain.
Attack Surface: The total set of points where an unauthorized user could try to enter or extract data from an environment — internet-facing apps, APIs, devices, accounts, and people.
Business Email CompromiseBEC: A social-engineering scam in which attackers impersonate executives or partners to trick staff into transferring funds or sensitive data, frequently using urgency and secrecy.
Command and ControlC2: The infrastructure and channels attackers use to communicate with and control compromised systems, often disguised within legitimate traffic such as DNS or HTTPS.
Common Vulnerabilities and ExposuresCVE: A standardized identifier for a publicly known security vulnerability, enabling consistent tracking across vendors and tools (e.g., CVE-2024-3400).
Credential Stuffing: An attack that uses username/password pairs leaked from one breach to attempt logins on other services, exploiting password reuse.
Data Exfiltration: The unauthorized transfer of data out of an organization, often staged slowly over covert channels to avoid triggering volume-based alerts.
DMARC: Domain-based Message Authentication, Reporting and Conformance — an email policy that builds on SPF and DKIM to prevent attackers from spoofing your domain.
Endpoint Detection and ResponseEDR: Software that continuously monitors endpoints (laptops, servers) for malicious behavior and enables investigation and containment of threats.
Incident ResponseIR: The structured process of preparing for, detecting, containing, eradicating, and recovering from a cybersecurity incident — and learning from it afterward.
Indicator of CompromiseIOC: An artifact — such as a malicious IP, file hash, or domain — that suggests a system may have been breached, used to detect and hunt threats.
Known Exploited VulnerabilitiesKEV: CISA's authoritative catalog of CVEs confirmed to be actively exploited in the wild, used to prioritize patching of the most dangerous flaws first.
Lateral Movement: The techniques attackers use to move from an initial foothold to other systems and accounts inside a network, expanding access toward high-value targets.
Living off the LandLOTL: Attacker tradecraft that abuses legitimate, pre-installed tools (PowerShell, WMI, RMM software) to evade detection, since no obvious malware is deployed.
MITRE ATT&CK: A globally adopted knowledge base of adversary tactics and techniques based on real-world observations, used to map detections and assess coverage.
Multi-Factor AuthenticationMFA: A login control requiring two or more independent factors (something you know, have, or are). Phishing-resistant MFA (e.g., FIDO2 keys) is strongly preferred.
Phishing: Fraudulent messages designed to trick recipients into revealing credentials, transferring funds, or running malware. AI now makes lures fluent and personalized.
Ransomware: Malware that encrypts data and demands payment for decryption, increasingly paired with data theft (double extortion). Tested offline backups are the key defense.
Security Information and Event ManagementSIEM: A platform that centralizes logs from across an environment, correlates events, and generates alerts to support detection and investigation.
Security Operations CenterSOC: The team and tooling responsible for continuous monitoring, detection, and response to cybersecurity threats — in-house, managed, or hybrid.
Server-Side Request ForgerySSRF: A vulnerability that lets an attacker coerce a server into making requests on their behalf, often to reach internal services or cloud metadata endpoints.
Supply Chain Attack: An attack that compromises a trusted third party — software vendor, library, or service provider — to reach that vendor's downstream customers.
Threat Intelligence: The collection, analysis, and application of information about current and emerging threats to inform defensive decisions; most actionable when regionally contextualized.
Wiper: Destructive malware designed to permanently erase data or render systems unbootable, sometimes disguised as ransomware to mislead victims and responders.
Zero Trust: A security model that assumes no implicit trust based on network location, continuously verifying identity, device posture, and least-privilege access for every request.
Zero-Day: A vulnerability unknown to the vendor (or unpatched) at the time it is exploited, leaving defenders no patch and a narrow window to mitigate.

Want these concepts applied to your environment? Talk to the Cyronix team or explore the threat intelligence blog.

Plain-English definitions of the terms you'll meet across this platform and in modern threat intelligence. 26 terms and counting.

Advanced Persistent ThreatAPT

A sophisticated, often state-sponsored adversary that gains and maintains long-term, stealthy access to a network to steal data or stage disruption, rather than seeking immediate financial gain.

Attack Surface

The total set of points where an unauthorized user could try to enter or extract data from an environment — internet-facing apps, APIs, devices, accounts, and people.

Business Email CompromiseBEC

A social-engineering scam in which attackers impersonate executives or partners to trick staff into transferring funds or sensitive data, frequently using urgency and secrecy.

Command and ControlC2

The infrastructure and channels attackers use to communicate with and control compromised systems, often disguised within legitimate traffic such as DNS or HTTPS.

Common Vulnerabilities and ExposuresCVE

A standardized identifier for a publicly known security vulnerability, enabling consistent tracking across vendors and tools (e.g., CVE-2024-3400).

Credential Stuffing

An attack that uses username/password pairs leaked from one breach to attempt logins on other services, exploiting password reuse.

Data Exfiltration

The unauthorized transfer of data out of an organization, often staged slowly over covert channels to avoid triggering volume-based alerts.

DMARC

Domain-based Message Authentication, Reporting and Conformance — an email policy that builds on SPF and DKIM to prevent attackers from spoofing your domain.

Endpoint Detection and ResponseEDR

Software that continuously monitors endpoints (laptops, servers) for malicious behavior and enables investigation and containment of threats.

Incident ResponseIR

The structured process of preparing for, detecting, containing, eradicating, and recovering from a cybersecurity incident — and learning from it afterward.

Indicator of CompromiseIOC

An artifact — such as a malicious IP, file hash, or domain — that suggests a system may have been breached, used to detect and hunt threats.

Known Exploited VulnerabilitiesKEV

CISA's authoritative catalog of CVEs confirmed to be actively exploited in the wild, used to prioritize patching of the most dangerous flaws first.

Lateral Movement

The techniques attackers use to move from an initial foothold to other systems and accounts inside a network, expanding access toward high-value targets.

Living off the LandLOTL

Attacker tradecraft that abuses legitimate, pre-installed tools (PowerShell, WMI, RMM software) to evade detection, since no obvious malware is deployed.

MITRE ATT&CK

A globally adopted knowledge base of adversary tactics and techniques based on real-world observations, used to map detections and assess coverage.

Multi-Factor AuthenticationMFA

A login control requiring two or more independent factors (something you know, have, or are). Phishing-resistant MFA (e.g., FIDO2 keys) is strongly preferred.

Phishing

Fraudulent messages designed to trick recipients into revealing credentials, transferring funds, or running malware. AI now makes lures fluent and personalized.

Ransomware

Malware that encrypts data and demands payment for decryption, increasingly paired with data theft (double extortion). Tested offline backups are the key defense.

Security Information and Event ManagementSIEM

A platform that centralizes logs from across an environment, correlates events, and generates alerts to support detection and investigation.

Security Operations CenterSOC

The team and tooling responsible for continuous monitoring, detection, and response to cybersecurity threats — in-house, managed, or hybrid.

Server-Side Request ForgerySSRF

A vulnerability that lets an attacker coerce a server into making requests on their behalf, often to reach internal services or cloud metadata endpoints.

Supply Chain Attack

An attack that compromises a trusted third party — software vendor, library, or service provider — to reach that vendor's downstream customers.

Threat Intelligence

The collection, analysis, and application of information about current and emerging threats to inform defensive decisions; most actionable when regionally contextualized.

Wiper

Destructive malware designed to permanently erase data or render systems unbootable, sometimes disguised as ransomware to mislead victims and responders.

Zero Trust

A security model that assumes no implicit trust based on network location, continuously verifying identity, device posture, and least-privilege access for every request.

Zero-Day

A vulnerability unknown to the vendor (or unpatched) at the time it is exploited, leaving defenders no patch and a narrow window to mitigate.