
50+ Essential Cybersecurity Terms

Scott Johnson
July 22, 2025

Cybersecurity terms often vary in interpretation across teams, which makes clear definitions important. Having a shared vocabulary supports smoother communication between security, risk, IT, and compliance groups. This resource offers:

  • Clear definitions of foundational cybersecurity terms
  • Explanations that prioritize context and usability
  • Clarifications for terms that are often misunderstood or misused

Feel free to use this glossary for training, writing, or as a consistent reference point across your organization.

ACCESS CONTROL

Access control involves the policies, procedures, and technologies used to restrict access to information systems and resources. 

It plays a fundamental role in maintaining data confidentiality and integrity by ensuring that users can only access systems, files, or applications appropriate to their permissions. 

Common implementations include role-based access control (RBAC), which assigns access based on job functions, and attribute-based access control (ABAC), which considers user attributes and environment variables.
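To make the RBAC/ABAC distinction concrete, here is an added example (not part of the original glossary, and not taken from any product) of a small deny-by-default access check in Python. The roles, resource prefixes, attribute names and the "business hours" rule are all constructed for illustration:

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Set, Tuple

# Constructed example: a deny-by-default access check that combines
# role-based (RBAC) and attribute-based (ABAC) rules. Every role, prefix
# and attribute name here is illustrative, not taken from a real product.

@dataclass
class Request:
    user: str
    roles: FrozenSet[str]
    action: str          # "read" or "write"
    resource: str        # e.g. "logs/2025-07-22.json"
    attrs: Dict[str, object] = field(default_factory=dict)  # context for ABAC

# RBAC: each role grants a fixed set of (action, resource-prefix) permissions.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "analyst": {("read", "logs/"), ("read", "reports/")},
    "admin":   {("read", "logs/"), ("write", "logs/"),
                ("read", "reports/"), ("write", "reports/")},
}

def rbac_allows(req: Request) -> bool:
    """Allow only if one of the caller's roles grants the action on a matching prefix."""
    for role in req.roles:
        for action, prefix in ROLE_PERMISSIONS.get(role, set()):
            if action == req.action and req.resource.startswith(prefix):
                return True
    return False  # nothing matched: deny by default

def abac_allows(req: Request) -> bool:
    """Context rules (constructed policy): any access needs MFA; writes also
    need a managed device and must happen during business hours."""
    if not req.attrs.get("mfa", False):
        return False
    if req.action == "write":
        hour = int(req.attrs.get("hour", -1))   # -1 = unknown, which fails the range check
        return req.attrs.get("device") == "managed" and 8 <= hour < 18
    return True

def is_authorized(req: Request) -> bool:
    """RBAC answers 'may this role do this at all'; ABAC adds the situational
    conditions. Both must pass, so the combined decision is never more
    permissive than either rule set on its own."""
    return rbac_allows(req) and abac_allows(req)

if __name__ == "__main__":
    ctx = {"mfa": True, "device": "managed", "hour": 10}
    print(is_authorized(Request("alice", frozenset({"analyst"}), "read", "logs/x.json", ctx)))
    print(is_authorized(Request("alice", frozenset({"analyst"}), "write", "logs/x.json", ctx)))
    print(is_authorized(Request("bob", frozenset({"admin"}), "write", "logs/x.json",
                                {**ctx, "hour": 22})))
```

The design point is the final conjunction: an admin role still cannot write outside business hours, and a user without MFA cannot read anything, because every rule set only narrows access and nothing in the code grants access on its own when no rule matches.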

ADVANCED PERSISTENT THREAT (APT)

An advanced persistent threat is a prolonged, targeted intrusion in which a well-resourced attacker (often a state-sponsored or organized criminal group) gains access to a system and remains undetected for an extended period while pursuing a specific objective such as espionage or data theft. 

APT operations run through multiple phases, including initial access, persistence, lateral movement, data harvesting, and exfiltration. Because the attacker adapts to defenses and typically maintains more than one foothold, detection and removal require sustained effort rather than a one-off cleanup.

ADVANCED THREAT PROTECTION (ATP)

Advanced Threat Protection refers to a set of security solutions and practices designed to detect, block, and respond to sophisticated cyberattacks. 

ATP typically includes tools like sandboxing, behavioral analysis, endpoint monitoring, and threat intelligence. These solutions work together to provide defense-in-depth against zero-day threats, advanced malware, and targeted attacks.

ADWARE

Adware is software designed to automatically deliver advertisements to a user, typically in the form of pop-ups or banners. 

While some adware is bundled with free software and functions legally, malicious adware may track user behavior, redirect browsers, or create vulnerabilities in the system. It can degrade user experience and performance while posing privacy risks.

ANTIVIRUS

Antivirus software is a foundational tool in endpoint security designed to detect, prevent, and remove malicious programs, including viruses, worms, and trojans. It uses techniques such as signature-based detection, heuristic analysis, and behavioral monitoring. 

ASSET INVENTORY

An asset inventory is a comprehensive list of all IT assets owned or used by an organization, including hardware, software, cloud services, and data repositories. 

Maintaining an up-to-date inventory allows security teams to identify vulnerable systems, monitor configurations, ensure compliance, and respond effectively to incidents. It also supports risk assessments and lifecycle management.

ATTACK VECTOR

An attack vector is the specific method or pathway an attacker uses to gain unauthorized access to a system. Vectors may exploit technical vulnerabilities, social engineering, or misconfigurations. 

Examples include phishing emails, unpatched software, infected USB drives, or exposed APIs. Understanding attack vectors is essential for building effective defense strategies.

AUTHENTICATION

Authentication is the process of confirming the identity of a user, device, or system before granting access to resources. It forms the first line of defense in security architectures. 

Common methods include password-based logins, biometrics (like fingerprint or facial recognition), hardware tokens, and one-time codes sent via mobile devices. 

AUTHORIZATION

Authorization defines what actions an authenticated user is permitted to take within a system. It ensures that users only access resources necessary for their roles and responsibilities. 

This principle supports the broader concept of least privilege, minimizing the potential damage from compromised accounts or insider threats. Authorization rules are enforced through permissions, roles, and policies.

BACKDOOR

A backdoor is a hidden method of bypassing normal security controls to gain unauthorized access to a system or data. 

It can be intentionally created by developers for maintenance or debugging, or it can be inserted by attackers to maintain long-term access after exploiting a vulnerability. 

BOTNET

A botnet is a network of compromised devices, often referred to as "bots" or "zombies," that are controlled remotely by a cybercriminal. These devices, which may include personal computers, servers, and IoT gadgets, are typically infected through malware. 

BRUTE FORCE ATTACK

A brute force attack is a method for cracking passwords or encryption keys by systematically trying candidate values until the correct one is found. Its cost grows with the size of the search space, so it is impractical against properly sized keys, but it remains effective against short or predictable passwords, especially offline against a leaked hash database or online where no rate limiting, lockout, or MFA is in place. 

BYOD (BRING YOUR OWN DEVICE)

Bring Your Own Device (BYOD) is a policy that allows employees to use personal laptops, smartphones, and tablets for work purposes. 

While it increases flexibility and reduces hardware costs, BYOD introduces risks such as inconsistent security controls, unpatched devices, and data leakage. 

CLOUD SECURITY

Cloud security refers to a broad set of technologies, policies, and procedures used to protect data, applications, and infrastructure hosted in cloud environments. Key concerns include data breaches, misconfigurations, account hijacking, and insecure APIs. 

Security responsibilities are shared between the cloud provider and the customer, depending on the service model (IaaS, PaaS, SaaS).

CREDENTIAL STUFFING

Credential stuffing is an automated attack that uses stolen username and password combinations, often leaked from other breaches, to gain unauthorized access to accounts. Since many users reuse credentials across services, attackers can achieve high success rates. Unlike a brute force attack, each account is usually tried only once or a few times, so per-account lockouts do little; detection instead looks for one source attempting many distinct usernames. 
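The two login-abuse patterns above (brute force against one account versus credential stuffing across many) leave different fingerprints in authentication logs. The following added example, which is not part of the original glossary, shows a detection pass over constructed log lines in a made-up format; the IP addresses, usernames and thresholds are all invented for illustration:

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed authentication log format (not from any real product):
#   <timestamp> src=<ip> user=<name> result=OK|FAIL
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

SAMPLE_LOG: List[str] = (
    # 203.0.113.5 hammers one account: classic brute force
    [f"2025-07-22T10:00:{i:02d}Z src=203.0.113.5 user=alice result=FAIL" for i in range(6)]
    # 198.51.100.7 tries six accounts once each, then logs in as frank: credential stuffing
    + [f"2025-07-22T10:01:{i:02d}Z src=198.51.100.7 user={u} result=FAIL"
       for i, u in enumerate(["bob", "carol", "dave", "erin", "grace", "heidi"])]
    + ["2025-07-22T10:01:30Z src=198.51.100.7 user=frank result=OK"]
    # 192.0.2.9 is a real user who mistyped twice: below threshold, not reported
    + ["2025-07-22T10:02:00Z src=192.0.2.9 user=ivan result=FAIL",
       "2025-07-22T10:02:05Z src=192.0.2.9 user=ivan result=FAIL",
       "2025-07-22T10:02:10Z src=192.0.2.9 user=ivan result=OK"]
)

def parse(lines):
    """Yield parsed events; malformed lines are skipped rather than aborting the run."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()

def classify_sources(lines, min_failures: int = 5, stuffing_ratio: float = 0.8) -> Dict[str, dict]:
    """Group failures per source IP and label the pattern.

    brute_force:         many failures concentrated on few accounts
    credential_stuffing: roughly one failure per account across many accounts
    A success from a flagged source is reported as a likely compromised
    account, which is the alert worth acting on first.
    """
    failures = defaultdict(int)
    failed_users = defaultdict(set)
    successes = defaultdict(set)
    for e in parse(lines):
        if e["result"] == "FAIL":
            failures[e["src"]] += 1
            failed_users[e["src"]].add(e["user"])
        else:
            successes[e["src"]].add(e["user"])

    findings = {}
    for src, n in failures.items():
        if n < min_failures:
            continue
        distinct = len(failed_users[src])
        kind = "credential_stuffing" if distinct / n >= stuffing_ratio else "brute_force"
        findings[src] = {
            "kind": kind,
            "failures": n,
            "distinct_users": distinct,
            "likely_compromised": sorted(successes[src]),
        }
    return findings

if __name__ == "__main__":
    for src, finding in classify_sources(SAMPLE_LOG).items():
        print(src, finding)
```

The ratio of distinct usernames to failures is the discriminator: near 1.0 means one try per account (stuffing), near 0 means one account hit repeatedly (brute force). In production the same logic runs over a sliding time window, and attackers who rotate through a proxy pool will spread attempts over many source IPs, so grouping by user-agent, ASN, or device fingerprint is usually needed in addition to source address.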

CYBER HYGIENE

Cyber hygiene includes the routine activities and best practices individuals and organizations should follow to maintain system health and security. It involves keeping software and firmware updated, using strong and unique passwords, backing up data, and monitoring account activity. 

CYBER THREAT INTELLIGENCE (CTI)

Cyber threat intelligence involves collecting, processing, and analyzing information about threats to inform security decisions. 

It helps organizations understand attacker behaviors, indicators of compromise, and emerging risks. CTI is commonly divided into strategic (high-level trends for decision makers), operational (attacker campaigns, tools, and techniques), and tactical (specific indicators such as malicious IP addresses, domains, and file hashes); the exact boundaries between these tiers vary between frameworks. 

DATA BREACH

A data breach occurs when sensitive, protected, or confidential data is accessed or disclosed without authorization. Breaches may result from hacking, insider misuse, weak security controls, or accidental exposure. 

The impact can include regulatory fines, reputational damage, and financial loss. Organizations are expected to report breaches under many compliance frameworks.

DATA LOSS PREVENTION (DLP)

Data Loss Prevention refers to the policies, tools, and techniques used to prevent sensitive data from being leaked, stolen, or misused, whether intentionally or accidentally. 

DLP solutions monitor data in use, in transit, and at rest to enforce rules and prevent unauthorized transfers. These tools are particularly critical for protecting intellectual property and personally identifiable information (PII).

DDoS (DISTRIBUTED DENIAL OF SERVICE)

A Distributed Denial of Service (DDoS) attack overwhelms a target system or network with traffic from multiple sources, rendering it slow or entirely unavailable. 

Attackers may use botnets to flood services with bogus requests. DDoS attacks can disrupt operations, damage reputations, and incur significant costs. Mitigation involves traffic filtering, rate limiting, and specialized DDoS protection services.

DECRYPTION

Decryption is the process of converting encrypted data (ciphertext) back into its original readable format (plaintext). Only users or systems with the correct decryption key can access the protected data. 

While encryption protects confidentiality, decryption enables secure access by authorized parties. Cybercriminals may attempt to bypass encryption through key theft or cryptanalysis.

DEEP PACKET INSPECTION (DPI)

Deep Packet Inspection is a form of network packet filtering that examines the full content of data packets, including headers and payloads. It allows security systems to identify malicious traffic, enforce policies, and detect applications. Because DPI needs the payload in the clear, it sees little inside TLS-encrypted traffic unless the connection is terminated or intercepted at an inspection point, which carries its own privacy and trust implications. 

DIGITAL CERTIFICATE

A digital certificate is a digitally signed file, issued by a Certificate Authority (CA), that binds a public key to an identity such as a domain name or an organization. Anyone who trusts the CA can verify the signature and so trust that the key belongs to the named party. 

It is a critical component of Public Key Infrastructure (PKI) and is used to establish secure communications over the internet. Common uses include enabling HTTPS on websites, signing software, and encrypting email.

ENCRYPTION

Encryption is the process of converting plaintext into ciphertext to prevent unauthorized access. It ensures data confidentiality both at rest and in transit. 

Symmetric encryption uses the same key for encryption and decryption, while asymmetric encryption uses a pair of public and private keys. 

ENDPOINT DETECTION AND RESPONSE (EDR)

Endpoint Detection and Response refers to security tools designed to monitor endpoint devices (such as computers and mobile phones) for suspicious activity. 

EDR systems collect data continuously, detect threats using advanced analytics, and enable rapid investigation and remediation. 

EXPLOIT

An exploit is a piece of code or a method that takes advantage of a vulnerability in software, hardware, or configuration to perform unauthorized actions. 

These can be used to escalate privileges, steal data, or deploy malware. Exploits may target unpatched systems and are often included in attack kits. 

FILELESS MALWARE

Fileless malware is a type of malicious code that doesn’t rely on traditional files to infect a system. Instead, it operates in memory and uses legitimate system tools, like PowerShell or Windows Management Instrumentation (WMI), to execute commands. 

Because it leaves little trace on disk, fileless malware is difficult to detect using traditional antivirus methods.

FIREWALL

A firewall is a security system—hardware, software, or both—that monitors and controls incoming and outgoing network traffic based on predefined rules. It serves as a barrier between trusted and untrusted networks, such as an internal corporate network and the internet. 

HASHING

Hashing is the process of converting data of any length into a fixed-length string using a mathematical algorithm. Unlike encryption, hashing is one-way: there is no key that recovers the original input, although an attacker can still guess low-entropy inputs such as short passwords and hash each guess. It is commonly used to verify data integrity by comparing hash values and to store passwords. For the password case a fast general-purpose hash like SHA-256 is the wrong tool; passwords should be hashed with a per-user salt and a deliberately slow function such as bcrypt, scrypt, or Argon2 so that guessing stays expensive. 
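As an added example (not part of the original glossary), the following Python contrasts the two uses of hashing just described: a fast hash for integrity checking, and a salted, slow KDF for password storage, shown beside the unsalted fast-hash approach that should be avoided. The scrypt cost parameters and the sample strings are constructed for illustration:

```python
import hashlib
import hmac
import os
from typing import Optional

# Password storage: a salted, deliberately slow KDF. scrypt ships in the Python
# standard library; the cost parameters below are a constructed choice and
# should be tuned so one hash takes roughly 100 ms on the target hardware.
SCRYPT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}

def naive_password_hash(password: str) -> str:
    """What NOT to do: fast and unsalted. Two users with the same password get
    the same hash, and a GPU can test billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'scrypt$<salt-hex>$<digest-hex>'. A fresh 16-byte salt per user
    means equal passwords yield different records and precomputed tables are useless."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, dklen=32, **SCRYPT_PARAMS)
    return f"scrypt${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record, never match
    if scheme != "scrypt":
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               dklen=32, **SCRYPT_PARAMS)
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))

# Integrity checking is the other common use, and here a fast hash is exactly right.
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def integrity_ok(data: bytes, expected_hex: str) -> bool:
    """True if data still matches a published digest (e.g. from a download page)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample password
    print(record)
    print(verify_password("correct horse battery staple", record))   # True
    print(verify_password("Tr0ub4dor&3", record))                    # False
    # Same password, two users: the naive scheme links them, the salted one does not
    print(naive_password_hash("hunter2") == naive_password_hash("hunter2"))
    print(hash_password("hunter2") == hash_password("hunter2"))
```

Two details matter beyond the choice of algorithm: the salt is stored alongside the digest (it is not a secret, its job is uniqueness), and comparisons use hmac.compare_digest so that timing differences do not leak how many leading bytes of a guess were correct.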

HONEYPOT

A honeypot is a decoy system or resource intentionally designed to attract cyber attackers. It mimics legitimate targets to gather information about attack methods, tools, and behavior without putting real assets at risk. 

Honeypots help organizations detect threats early, develop defenses, and study threat actors—but if not isolated properly, they can pose risks themselves.

IDENTITY AND ACCESS MANAGEMENT (IAM)

Identity and Access Management is the framework of policies and technologies that ensures the right individuals have appropriate access to organizational resources. 

IAM covers user authentication, role-based permissions, and lifecycle management of identities. A strong IAM system helps enforce the principle of least privilege and supports regulatory compliance.

INCIDENT RESPONSE

Incident response is the structured process an organization follows to address and manage a cybersecurity event. The goal is to contain the threat, minimize damage, and restore normal operations. 

Typical phases include preparation, detection, containment, eradication, recovery, and post-incident analysis. 

INDICATORS OF COMPROMISE (IOC)

Indicators of Compromise are pieces of forensic evidence that suggest a system may be under attack or has already been compromised. 

Examples include unusual IP addresses, file hashes, domain names, or registry changes. Security analysts use IOCs to detect, investigate, and respond to potential breaches.
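An added example (not part of the original glossary) of how IOCs are actually consumed: a small matcher that pulls IP addresses, domain names and SHA-256 hashes out of free-text log lines and checks them against an indicator set. The indicator values and the four log lines are constructed for illustration, and the log formats are invented rather than taken from any real product:

```python
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed indicator set, as a feed or an incident report might supply it.
# (The hash is SHA-256 of empty input, chosen only because it is recognisable.)
IOCS: Dict[str, Set[str]] = {
    "ip":     {"203.0.113.42"},
    "domain": {"update-check.example.net"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
}

IP_RE     = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)

def extract_observables(line: str) -> List[Tuple[str, str]]:
    """Pull (kind, value) candidates out of a log line, normalised to lower
    case so that case differences cannot hide a match."""
    found: List[Tuple[str, str]] = []
    found += [("ip", v) for v in IP_RE.findall(line)]
    found += [("domain", v.lower()) for v in DOMAIN_RE.findall(line)]
    found += [("sha256", v.lower()) for v in SHA256_RE.findall(line)]
    return found

def matching_ioc(kind: str, value: str, iocs: Dict[str, Set[str]]) -> str:
    """Return the indicator that matches value, or '' if none does.
    Domains also match on any parent, so a host 'cdn.evil.example' is caught
    by an indicator for 'evil.example'."""
    if kind == "domain":
        labels = value.split(".")
        for i in range(len(labels) - 1):
            parent = ".".join(labels[i:])
            if parent in iocs["domain"]:
                return parent
        return ""
    return value if value in iocs.get(kind, set()) else ""

def match_iocs(lines: Iterable[str], iocs: Dict[str, Set[str]] = IOCS):
    """Return [(line_number, kind, observed_value, matched_indicator), ...]."""
    hits = []
    for lineno, line in enumerate(lines, start=1):
        for kind, value in extract_observables(line):
            ioc = matching_ioc(kind, value, iocs)
            if ioc:
                hits.append((lineno, kind, value, ioc))
    return hits

# Constructed sample lines from three different (made-up) log sources.
SAMPLE_LOGS = [
    "2025-07-22T09:12:03Z dns client=10.0.0.15 query=cdn.update-check.example.net type=A",
    "2025-07-22T09:12:04Z proxy client=10.0.0.15 dst=203.0.113.42:443 action=allow",
    r"2025-07-22T09:12:09Z edr host=WS-0115 file=C:\Users\a\Downloads\setup.exe "
    "sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2025-07-22T09:13:00Z dns client=10.0.0.22 query=www.example.com type=A",
]

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS):
        print(hit)
```

Normalisation (lower-casing hashes, matching parent domains) is what turns a list of strings into a usable detection; without it the upper-case hash on the EDR line and the subdomain on the DNS line would both be missed. The caveat is that atomic indicators like these are cheap for an attacker to change, so IOC matching catches known campaigns and should sit alongside behaviour-based detection rather than replace it.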

INSIDER THREAT

An insider threat arises when someone within an organization—such as an employee, contractor, or partner—misuses access to cause harm, intentionally or accidentally. 

Malicious insiders may steal data or sabotage systems, while accidental insiders might expose information through careless actions. 

IoT (INTERNET OF THINGS)

The Internet of Things refers to physical devices, beyond traditional computers, that are connected to the internet and capable of sending or receiving data. This includes smart home gadgets, industrial sensors, medical devices, and more. 

The rapid expansion of IoT has increased the attack surface for organizations, highlighting the need for strong endpoint security and network segmentation.

INTRUSION DETECTION SYSTEM (IDS)

An Intrusion Detection System monitors network or system activity for signs of malicious behavior or policy violations. 

IDS tools alert administrators to suspicious events but don’t take automatic action. They are often paired with Intrusion Prevention Systems (IPS), which actively block threats. 

KEYLOGGER

A keylogger is a type of surveillance software or hardware that records every keystroke made on a device. Cybercriminals use keyloggers to capture login credentials, credit card numbers, or confidential messages. 

MALWARE

Malware is a broad term for malicious software designed to damage, disrupt, or gain unauthorized access to systems. This includes viruses, worms, trojans, ransomware, spyware, and more. 

Malware is typically delivered through email attachments, infected websites, removable media, or compromised software updates. 

MAN-IN-THE-MIDDLE (MITM) ATTACK

A man-in-the-middle attack occurs when a malicious actor secretly intercepts and possibly alters communications between two parties. 

The attacker may relay or manipulate messages to gain access to sensitive data, such as login credentials or payment information. MITM attacks often exploit insecure networks or compromised certificates.

MFA (MULTI-FACTOR AUTHENTICATION)

Multi-Factor Authentication enhances account security by requiring users to provide two or more verification factors. These factors usually fall into categories: something you know (like a password), something you have (a token or smartphone), or something you are (biometrics). Not all factors resist phishing equally: SMS codes and push approvals can be intercepted or socially engineered, whereas hardware security keys and passkeys based on FIDO2/WebAuthn bind the login to the legitimate site. 

MITRE ATT&CK FRAMEWORK

The MITRE ATT&CK Framework is a publicly accessible knowledge base of tactics, techniques, and procedures (TTPs) used by threat actors. It’s widely used by defenders, threat hunters, and red teams to classify behaviors, assess risk, and improve detection. 

ATT&CK supports a shared understanding of adversary behavior across the cybersecurity community.

NETWORK SEGMENTATION

Network segmentation involves dividing a computer network into smaller, isolated segments to limit how far an attacker can move if access is gained. 

Segmentation improves security by containing breaches and protecting sensitive systems. It also helps enforce compliance and streamline monitoring. 

PATCH MANAGEMENT

Patch management is the process of identifying, acquiring, testing, and deploying software updates to fix security vulnerabilities or bugs. 

Prompt patching is critical for closing known weaknesses that attackers can exploit. Organizations often rely on automated patch management tools to ensure timely updates across their environments.

PENETRATION TESTING

Penetration testing (or pen testing) is a simulated cyberattack conducted by ethical hackers to identify security weaknesses. Testers may use black-box (no knowledge), white-box (full knowledge), or gray-box (partial knowledge) methods. 

PHISHING

Phishing is a social engineering tactic where attackers impersonate trusted sources to trick users into revealing sensitive information. 

Phishing attacks can occur through email, SMS (smishing), or voice calls (vishing). The goal is often to steal credentials or install malware. 

PRIVILEGE ESCALATION

Privilege escalation occurs when a user gains higher access rights than they’re supposed to have. This can happen through exploiting system flaws or misconfigurations. 

Vertical escalation moves to a higher privilege level (for example, from a standard user to administrator or root), while horizontal escalation reaches the accounts or data of other users at the same privilege level. 

RANSOMWARE

Ransomware is a type of malware that encrypts a victim’s data and demands payment—often in cryptocurrency—to restore access. Attackers may threaten to leak data if the ransom isn’t paid. 

It typically spreads through phishing emails or vulnerable services like Remote Desktop Protocol (RDP). 

RISK ASSESSMENT

Risk assessment is the process of identifying, evaluating, and prioritizing risks to an organization’s assets and operations. It includes analyzing threats, vulnerabilities, likelihoods, and potential impacts.

ROOTKIT

A rootkit is a form of malware that hides its presence and grants unauthorized access at a deep level of the operating system—often in the kernel or firmware. 

Rootkits are difficult to detect and remove, allowing attackers to persist and avoid detection. Detection typically requires behavioral analysis or forensic tools.

SIEM (SECURITY INFORMATION AND EVENT MANAGEMENT)

SIEM platforms collect, correlate, and analyze logs and security events across an organization’s infrastructure. They help identify anomalies, detect threats, and support compliance reporting. 

SIEM tools are central to Security Operations Centers (SOCs) and are often integrated with threat intelligence feeds and incident response workflows.

SOAR (SECURITY ORCHESTRATION, AUTOMATION, AND RESPONSE)

SOAR platforms combine security tools, workflows, and data sources to automate low-level tasks and streamline incident response. 

By integrating with SIEM, EDR, and ticketing systems, SOAR helps teams respond faster, reduce alert fatigue, and improve consistency in handling threats. It’s increasingly adopted by modern SOCs for operational efficiency.

SOCIAL ENGINEERING

Social engineering refers to manipulative tactics used to deceive individuals into revealing confidential information or granting access. Common methods include phishing, baiting, pretexting, and tailgating. 

These attacks exploit human behavior rather than technical vulnerabilities, which is why user education is one of the most effective defenses.

SOC (SECURITY OPERATIONS CENTER)

A Security Operations Center is a centralized team that monitors, detects, and responds to cybersecurity incidents. 

Staffed with analysts, engineers, and incident responders, SOCs use tools like SIEM, EDR, and threat intelligence to protect assets in real time. Mature SOCs operate 24/7 and play a key role in enterprise security.

SOFTWARE SUPPLY CHAIN ATTACK

A software supply chain attack targets the development or delivery process of software to compromise end users before the software is even installed. 

High-profile incidents like SolarWinds demonstrate how attackers can insert malicious code into updates or packages. Vetting vendors, code signing, and monitoring dependencies are essential precautions.

SPEAR PHISHING

Spear phishing is a targeted form of phishing aimed at specific individuals or organizations. Unlike broad phishing campaigns, these attacks use personalized details, like a person’s name, role, or known contacts, to appear credible. 

The goal is often to steal credentials, deploy malware, or trick the recipient into approving fraudulent transactions.

SPOOFING

Spoofing involves falsifying information to appear as a trusted source. Attackers may spoof email addresses, IP addresses, or DNS records to gain access or mislead victims. 

These tactics often facilitate phishing, man-in-the-middle attacks, or denial-of-service campaigns. Verification mechanisms such as SPF, DKIM, and DMARC for email, and DNSSEC for DNS records, help detect and block spoofed communications.

SPYWARE

Spyware is software that secretly gathers information about a person or organization without their consent. It can capture keystrokes, screenshots, browser activity, and more. 

Spyware often arrives bundled with legitimate-looking software or through phishing attacks. Symptoms may include slow performance or unusual behavior, and removal often requires dedicated tools.

THREAT HUNTING

Threat hunting is the proactive search for threats and indicators of compromise within an organization’s environment. Unlike reactive approaches, it involves manually analyzing logs, behavior patterns, and system anomalies to uncover hidden threats. 

Threat hunters work alongside SOC teams and often use custom scripts and threat intel feeds to surface stealthy attacks.

THREAT INTELLIGENCE

Threat intelligence refers to data and context about current and emerging threats, gathered from internal and external sources. It’s used to inform detection rules, response plans, and strategic decision-making. 

Intelligence can be tactical (like IP addresses or malware hashes) or strategic (such as attacker motivations and trends).

TROJAN HORSE

A Trojan horse is a type of malware disguised as legitimate software. Users are tricked into installing it, believing it serves a benign purpose. Once active, it can create backdoors, steal data, or deliver additional malware. 

Because it relies on deception rather than exploits, awareness and software integrity checks are key to prevention.

VPN (VIRTUAL PRIVATE NETWORK)

A VPN establishes a secure, encrypted connection between a device and a remote network, often over the internet. It’s commonly used to protect data on public Wi-Fi or to provide secure access to corporate resources. 

VULNERABILITY

A vulnerability is a weakness in software, hardware, or processes that can be exploited by threat actors to gain unauthorized access or cause harm. 

Vulnerabilities may result from coding errors, configuration issues, or outdated systems. Regular scanning and patching help organizations identify and mitigate vulnerabilities before they are exploited.

WAF (WEB APPLICATION FIREWALL)

A Web Application Firewall is a security solution that filters and monitors HTTP traffic between a user and a web application. 

WAFs protect against common web-based attacks like SQL injection, cross-site scripting (XSS), and file inclusion vulnerabilities. They are a valuable layer of defense for public-facing websites and APIs, but a compensating control rather than a fix: WAF rules can be bypassed with encoding tricks or unusual payloads, so a WAF complements, and does not replace, secure coding and patching of the application behind it.

ZERO TRUST

Zero Trust is a cybersecurity model that operates on the principle of “never trust, always verify.” 

It requires strict identity verification for every person and device trying to access resources, regardless of whether they are inside or outside the network perimeter. 

Know Your Cybersecurity Vocabulary

Cybersecurity language doesn’t need to be complicated. Having clear, accessible definitions gives your team a stronger foundation for making informed decisions. 

This glossary helps you stay informed and bring clarity to the conversations happening between technical and non-technical teams.

Need help translating technical expertise into content that informs, ranks, and converts? Amplifyed is here to help cybersecurity companies create a winning marketing strategy. Schedule a call today. 

Scott Johnson
Founder and President

Hey! I live in San Diego and have been involved with SEO since 2010. Our amazing team at Amplifyed specializes in helping SaaS and tech companies dominate the search rankings. We serve as an extension of your team to make sure your content ranks and drives the right people to your website. Let’s connect on LinkedIn and schedule a chat.
