Extended Glossary of Security Operations¶
This glossary provides definitions for 400+ terms spanning all domains of advanced security operations, offensive security, threat intelligence, digital forensics, cloud security, and applied cryptography. Terms are organized alphabetically within domain sections.
A¶
Access Control List (ACL) — A set of rules specifying which users or system processes are granted access to objects (files, network resources), and what operations they may perform.
Access Token — A Windows security object containing the security identity of a process or thread, including the user SID, group SIDs, privileges, and integrity level. Stolen tokens enable privilege escalation.
Account Takeover (ATO) — An attack in which a threat actor gains unauthorized access to a legitimate user's account, typically through credential stuffing, phishing, or SIM swapping.
Active Directory (AD) — Microsoft's directory service for Windows domain networks, providing authentication and authorization services. Central target in enterprise intrusions due to its privileged role.
Adversary Emulation — A red team engagement that replicates the specific TTPs of a named threat actor to test whether existing defenses would detect or prevent that actor's methods.
Adversary Simulation — Broader than adversary emulation; encompasses creating realistic attack scenarios that may not be tied to a specific actor but test defense capabilities holistically.
Agent-Based EDR — Endpoint detection and response solutions that require a software agent installed on each endpoint to collect telemetry and enforce policy.
Agentless Scanning — Vulnerability or configuration scanning without installing software on the target, using protocols like WMI, SSH, or cloud APIs.
AI-Generated Phishing — Spearphishing content created with large language models to produce highly personalized, grammatically perfect lures at scale.
AiTM (Adversary-in-the-Middle) — A phishing technique using a reverse proxy to sit between the victim and legitimate service, capturing session tokens to bypass MFA. Tools include Evilginx2 and Modlishka.
Alert Fatigue — Desensitization of security analysts to alerts due to excessive volume, leading to missed genuine threats. A primary driver of false negative outcomes in SOC operations.
Almgren-Chriss Model — A market impact model estimating the cost of executing large orders, used in algorithmic trading and security operations to model the cost of adversarial infrastructure acquisition.
Ambient Authority — A security principle flaw where a principal's permissions are determined by their identity rather than by explicit delegation, enabling confused deputy attacks.
Anomaly Detection — Identifying patterns that deviate significantly from established baselines. In security, used to detect unusual user behavior, network traffic, or system activity.
Anti-Forensics — Techniques used by attackers to frustrate forensic investigation, including log deletion, timestamp manipulation, data encryption, and disk wiping.
ASLR (Address Space Layout Randomization) — A security technique that randomizes memory addresses used by processes, making it harder for attackers to predict the location of code or data to exploit.
AS-REP Roasting — An Active Directory attack that targets accounts with Kerberos pre-authentication disabled. The attacker requests TGTs for these accounts and cracks them offline without needing credentials.
ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) — MITRE's knowledge base of adversary behavior based on real-world observations, organized into tactics and techniques used across the attack lifecycle.
Attack Path — The sequence of techniques, vulnerabilities, and misconfigurations that allows an attacker to move from initial access to their objective.
Attack Surface — The total set of different points where an attacker can attempt to enter or extract data from an environment, including exposed services, APIs, user interfaces, and physical access points.
Audit Trail — A chronological record of system activities that provides evidence sufficient to reconstruct, review, and examine the sequence of events.
Authentication Bypass — Exploiting a flaw to access a protected system without providing valid credentials; examples include SQL injection in login forms or JWT signature validation failures.
Autonomous System Number (ASN) — A unique number assigned to a collection of IP networks under a single administrative domain, used in BGP routing and OSINT investigations.
B¶
Backdoor — A covert method for bypassing normal authentication or encryption, installed by attackers to maintain persistent access to a compromised system.
Baseline — A documented, approved configuration or behavioral pattern against which deviations are measured to identify anomalies.
BEC (Business Email Compromise) — A financially motivated attack that uses email fraud to manipulate employees into transferring money or sensitive data. Often targets CFOs and finance departments.
Beacon — In C2 contexts, a lightweight implant that periodically checks in with the C2 server to receive commands. Cobalt Strike's beacon is the canonical example.
Behavioral Analytics — Analysis of patterns in user and entity activity over time to identify deviations that may indicate threat activity; core component of UEBA platforms.
Binary Diffing — Comparing two binary files to identify changes, used in vulnerability research to identify security patches and their associated vulnerabilities.
BIOS/UEFI Implant — Malware that persists in system firmware, surviving OS reinstalls and disk replacement. Example: LoJax (APT28), CosmicStrand (Chinese APT).
BloodHound — An open-source AD attack path analysis tool using graph theory to identify privilege escalation paths from any user to Domain Admin.
Blue Team — The defensive security team responsible for protecting, monitoring, detecting, and responding to attacks. Operates the SOC and implements security controls.
Botnet — A network of compromised systems (bots) controlled by an attacker (botmaster), used for DDoS attacks, spam distribution, cryptocurrency mining, or credential stuffing.
Brute Force Attack — An attack that systematically tries all possible combinations of passwords or encryption keys until the correct one is found.
Buffer Overflow — A memory safety vulnerability where a program writes data beyond a buffer's allocated size, potentially allowing arbitrary code execution.
Bug Bounty — A program offered by organizations where security researchers can receive recognition and compensation for reporting security vulnerabilities.
C¶
C2 (Command and Control) — Infrastructure used by attackers to communicate with compromised systems, issue commands, and exfiltrate data. Also called C&C.
CAPEC (Common Attack Pattern Enumeration and Classification) — MITRE's catalog of common cyber attack patterns used in vulnerability assessment and threat modeling.
Certificate Pinning — Associating a host with its expected SSL certificate or public key to prevent MITM attacks using unauthorized certificates.
Certificate Transparency (CT) — A framework for monitoring and auditing TLS certificates through public, append-only logs. Used in OSINT and attack surface monitoring.
Chain of Custody — Documentation of the seizure, custody, control, transfer, analysis, and disposition of physical or digital evidence, ensuring its integrity for legal proceedings.
Checkov — An open-source static analysis tool for infrastructure as code (Terraform, CloudFormation, Kubernetes), identifying security misconfigurations before deployment.
CI/CD Pipeline — Continuous Integration/Continuous Deployment automated workflows that build, test, and deploy software; a critical attack surface in supply chain security.
CIS Controls — The Center for Internet Security Controls; a prioritized set of actions to protect against cyber attacks, widely used as a security baseline.
CISA KEV (Known Exploited Vulnerabilities) — CISA's authoritative catalog of CVEs with confirmed in-the-wild exploitation, used to prioritize patching.
Cloud Access Security Broker (CASB) — Security policy enforcement point between cloud service consumers and providers, providing visibility and control over cloud usage.
Cloud Native — Applications and infrastructure built and run using cloud services, designed to exploit cloud flexibility, scalability, and resilience.
Cloud Security Posture Management (CSPM) — Tools that continuously monitor cloud infrastructure for misconfigurations and compliance violations. Examples: Prisma Cloud, Wiz, AWS Security Hub.
Cobalt Strike — A commercial adversary simulation platform widely used by red teams and widely abused by threat actors; features a modular beacon with malleable C2 profiles.
Code Injection — Inserting malicious code into a vulnerable program for execution, including SQL injection, OS command injection, and LDAP injection.
Compliance — Adherence to laws, regulations, standards, and policies governing information security.
Container Escape — A technique by which malicious code running inside a container gains access to the host system by exploiting misconfigurations or kernel vulnerabilities.
Containment — The incident response phase focused on limiting the spread and impact of a security incident while preserving evidence.
Correlation Rule — Logic in a SIEM that combines multiple events or conditions to detect attack patterns that individual events would not reveal.
Credential Dumping — Extracting authentication credentials from operating system memory or storage. Techniques include LSASS dump, SAM database extraction, and NTDS.dit parsing.
Credential Stuffing — Using lists of compromised username/password pairs (obtained from breaches) to gain access to user accounts across different services via automated login attempts.
Cross-Site Request Forgery (CSRF) — An attack that tricks a user's browser into sending unauthorized requests to a site where the user is authenticated.
Cross-Site Scripting (XSS) — Injection of malicious scripts into web pages viewed by other users; enables session hijacking, credential theft, and malware delivery.
CrowdStrike Falcon — A cloud-native EDR/XDR platform providing endpoint protection, threat intelligence, and incident response capabilities.
CryptoPP — A C++ library providing cryptographic implementations, used in both legitimate and malicious software.
CVSS (Common Vulnerability Scoring System) — A framework for rating the severity of software vulnerabilities on a 0–10 scale using base, temporal, and environmental metrics.
CWE (Common Weakness Enumeration) — MITRE's categorization of software weakness types, providing a common language for describing vulnerabilities.
Cyber Kill Chain — Lockheed Martin's model of the stages of a targeted cyber attack: Reconnaissance → Weaponization → Delivery → Exploitation → Installation → C2 → Actions on Objectives.
Cyber Threat Intelligence (CTI) — Evidence-based knowledge about adversary capabilities, infrastructure, motivations, and intentions used to inform defensive decisions.
D¶
D3FEND — MITRE's knowledge graph of cybersecurity countermeasures, providing a defensive complement to ATT&CK.
DAST (Dynamic Application Security Testing) — Testing running applications for vulnerabilities by simulating attacks, without access to source code.
Data Classification — Categorizing data by sensitivity and criticality to determine appropriate protection levels (e.g., Public, Internal, Confidential, Restricted).
Data Exfiltration — Unauthorized transfer of data from a target environment to attacker-controlled infrastructure.
Data Loss Prevention (DLP) — Technology and policies that detect and prevent unauthorized access, use, or transmission of sensitive information.
DCSync — An Active Directory attack that abuses the MS-DRSR protocol to replicate password hashes from a domain controller, requiring DS-Replication permissions.
Dead Drop — In OSINT/tradecraft, using public web services (Pastebin, GitHub Gist, social media) as C2 channels, making network detection harder.
Deception Technology — Security tools such as honeypots, honeytokens, and deceptive credentials designed to detect attackers and gather intelligence.
Deep Packet Inspection (DPI) — Network traffic analysis examining packet payloads (not just headers) to identify protocols, detect threats, and enforce policies.
Defense Evasion — MITRE ATT&CK tactic covering techniques used to avoid detection, including obfuscation, timestomping, process injection, and disabling security tools.
DEP (Data Execution Prevention) — A security feature that marks memory regions as either executable or writable (not both), preventing shellcode execution from data regions.
Detection Engineering — The practice of designing, building, testing, and maintaining detection logic (rules, models, signatures) to identify malicious activity.
DevSecOps — Integrating security practices and tools into the DevOps development and deployment pipeline to identify and remediate vulnerabilities early.
DFIR (Digital Forensics and Incident Response) — The combination of collecting, preserving, and analyzing digital evidence and managing security incidents.
Diamond Model — A threat intelligence framework modeling adversary activity across four elements: Adversary, Infrastructure, Capability, and Victim.
DKIM (DomainKeys Identified Mail) — An email authentication method adding a digital signature to messages, allowing receivers to verify the sender's domain.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) — An email validation protocol that builds on SPF and DKIM, specifying how receivers should handle authentication failures.
DNS over HTTPS (DoH) — Encrypting DNS queries over HTTPS to prevent eavesdropping; used by both privacy-conscious users and attackers for C2 channel obfuscation.
DNS Tunneling — Encoding arbitrary data within DNS queries and responses to create a covert channel, bypassing network controls that allow DNS traffic.
Domain Fronting — Routing HTTPS traffic through a CDN or cloud provider such that external observers see the CDN domain while traffic is actually destined for attacker infrastructure.
Domain Generation Algorithm (DGA) — Malware technique generating a large number of pseudo-random domain names to use as C2, making it difficult to block all C2 domains.
Double Extortion — Ransomware operation model that exfiltrates data before encryption, threatening to publish stolen data if the ransom is not paid.
Drive-by Download — Malware installation that occurs when a user visits a compromised website without explicit user action, exploiting browser or plugin vulnerabilities.
Dropper — A type of malware whose primary purpose is to install another malicious payload, often unpacking and executing it from memory to avoid file-based detection.
Dynamic Analysis — Analyzing malware or suspicious code by executing it in a controlled environment and observing its behavior.
E¶
EDGAR (Electronic Data Gathering, Analysis, and Retrieval) — The SEC's public filing system, used in OSINT and insider trading investigations via Form 4 and Form 144 monitoring.
EDR (Endpoint Detection and Response) — Security software providing continuous monitoring and collection of endpoint data, combined with detection, investigation, and response capabilities.
EICAR Test File — A standard test file used to verify antivirus/EDR functionality without using real malware; not malicious but detected by all AV products.
Encryption-in-Transit — Encrypting data as it travels across networks using protocols like TLS, preventing interception by network eavesdroppers.
Enterprise Key Management (EKM) — Centralized management of cryptographic keys throughout their lifecycle, covering generation, distribution, storage, rotation, and destruction.
EPSS (Exploit Prediction Scoring System) — A probability score (0–1) predicting the likelihood a vulnerability will be exploited in the wild within 30 days, used for prioritization alongside CVSS.
Evasion — Techniques used to avoid detection by security controls, including signature evasion, behavioral evasion, and sandbox evasion.
Evidence Preservation — The process of securing digital evidence to prevent alteration, ensuring its admissibility and integrity for investigation or legal proceedings.
Exploit — Code or technique that takes advantage of a vulnerability in software, hardware, or human processes to cause unintended behavior.
Exploit Chain — A series of individual exploits used together to achieve a result not possible with any single exploit; common in mobile and browser attacks.
Exploit Kit — Automated web-based attack tools that probe visitors' browsers for vulnerabilities and deliver appropriate exploits; examples include Angler, Blackhole, RIG.
External Attack Surface Management (EASM) — Continuous discovery and monitoring of internet-exposed assets to identify unknown assets, misconfigurations, and vulnerabilities.
F¶
False Negative (FN) — A security event that is not detected when it should have been; a missed attack. Key metric in detection engineering quality assessment.
False Positive (FP) — An alert generated for benign activity incorrectly classified as malicious; a major source of analyst alert fatigue.
FIDO2 — The latest generation of the FIDO authentication standard, combining WebAuthn (W3C spec) and CTAP2 (client-to-authenticator protocol) to enable phishing-resistant passwordless authentication.
File Integrity Monitoring (FIM) — Technology that monitors and detects changes to files, particularly in critical system directories, alerting on unauthorized modifications.
Fileless Malware — Malware that operates entirely in memory without writing files to disk, leveraging legitimate tools like PowerShell, WMI, and certutil to evade file-based detection.
FIPS 140-2/3 — US government standard for cryptographic modules; required for products used in federal systems.
Firewall — Network security device controlling incoming and outgoing traffic based on predefined rules; generations include packet filter, stateful, NGFW, and WAF.
Firmware Analysis — Extracting and analyzing embedded device firmware to identify vulnerabilities, backdoors, or hardcoded credentials using tools like binwalk and firmwalker.
FLOSS (FLARE Obfuscated String Solver) — A FireEye tool that automatically deobfuscates strings in malware samples, including stack strings and encoded strings.
Forensic Artifacts — Digital traces left by system activity that can be recovered and analyzed during an investigation; examples include prefetch files, shellbags, LNK files, and browser history.
Forensic Copy — A bit-for-bit duplicate of digital storage media, including unallocated space, that preserves all evidence for analysis.
Forensic Triage — The initial, rapid assessment of a potentially compromised system to determine scope, severity, and evidence priority without conducting a full investigation.
FQDN (Fully Qualified Domain Name) — The complete domain name specifying an exact location in the DNS hierarchy, used in certificate validation and network analysis.
Fuzzing — Automated testing technique that provides invalid, unexpected, or random data as inputs to detect crashes, vulnerabilities, and undefined behavior.
G¶
GAP Analysis — Assessment comparing current security controls against a desired framework or standard to identify areas needing improvement.
Ghidra — NSA's free and open-source reverse engineering tool supporting disassembly, decompilation, and analysis of binaries across multiple platforms.
GNSS Spoofing — Transmitting false GPS/navigation signals to deceive receivers about their location; relevant in OT security for timing attacks on power grids.
Golden Ticket — A forged Kerberos TGT (Ticket Granting Ticket) created using the krbtgt account's NTLM hash, providing persistent domain admin access.
GPO (Group Policy Object) — Active Directory configuration objects controlling security settings and software deployment across Windows endpoints. Abused for lateral movement in ransomware attacks.
Guardrails — Controls ensuring AI/LLM systems behave safely and within intended parameters, preventing misuse, hallucination, and prompt injection attacks.
H¶
Hardening — The process of reducing a system's attack surface by disabling unnecessary services, applying security configurations, and removing default credentials.
Hash Function — A one-way mathematical function mapping data of arbitrary size to a fixed-size digest; used for integrity verification, password storage, and digital signatures.
Heap Spray — An exploit technique that fills heap memory with shellcode to increase the probability of successful execution when control flow is redirected to a heap address.
Honeypot — A decoy system designed to attract and trap attackers, providing early warning of attacks and intelligence about adversary techniques.
Honeytoken — Fake credentials, files, or data placed in a system to detect unauthorized access; any use of a honeytoken indicates compromise.
HTTPS Inspection — Decrypting and inspecting HTTPS traffic at a network security device; requires trust anchor insertion on clients and raises privacy considerations.
Hunting — Proactive searching through network and endpoint data to detect threats that have evaded automated security controls. Distinguished from reactive alert triage.
Hybrid Encryption — Using asymmetric cryptography to exchange a symmetric key, which is then used for bulk data encryption; standard in TLS and ransomware implementations.
I¶
IAB (Initial Access Broker) — Threat actor specializing in gaining initial access to networks and selling that access to other groups (e.g., ransomware affiliates).
IAM (Identity and Access Management) — Policies, processes, and technology for managing digital identities and their access to resources; core security control in enterprise and cloud environments.
ICS (Industrial Control System) — Systems used in industrial operations including supervisory control and data acquisition (SCADA), distributed control systems (DCS), and programmable logic controllers (PLCs).
IDA Pro — The most widely used commercial disassembler and debugger for binary analysis, considered the industry standard in professional reverse engineering.
Identity Governance and Administration (IGA) — Comprehensive management of digital identities across their lifecycle including provisioning, access certification, and de-provisioning.
Indicator of Compromise (IOC) — Forensic artifact suggesting a system has been compromised; includes IP addresses, domain names, file hashes, registry keys, and behavioral patterns.
INetSim — A Linux tool simulating common internet services (HTTP, DNS, SMTP, FTP) in an isolated environment, used in malware analysis to provide fake internet responses.
Injection Attack — Class of attacks inserting malicious data into queries, commands, or code to alter intended execution; includes SQL, OS command, LDAP, and code injection.
Integer Overflow — A vulnerability where arithmetic operations produce values outside the range representable by the data type, potentially enabling memory corruption.
Integrity Level — Windows mechanism assigning trust levels (Untrusted, Low, Medium, High, System) to processes and objects, implementing mandatory integrity control.
Intrusion Detection System (IDS) — A system monitoring network or host activity for malicious behavior and policy violations, generating alerts without actively blocking traffic.
Intrusion Prevention System (IPS) — An IDS that can also take action to block or prevent detected attacks, providing active defense.
IOA (Indicator of Attack) — Behavioral signatures indicating an attack is in progress, as opposed to IOCs which indicate past compromise; enables earlier detection.
IPFIX (IP Flow Information Export) — A protocol for exporting network flow information from routers and sensors to collection infrastructure; used in network security monitoring.
J¶
JIT (Just-in-Time) Access — A PAM capability granting privileged access only when needed and for only as long as needed, reducing standing privilege exposure.
JWT (JSON Web Token) — A compact, URL-safe means of representing claims between parties, commonly used for API authentication. Vulnerabilities include algorithm confusion and signature bypass.
Jump Server (Bastion Host) — A hardened system providing controlled access to systems in a secure network zone, creating a single audited entry point.
K¶
Kerberoasting — An Active Directory attack requesting TGS tickets for service accounts with SPNs, then cracking them offline to recover service account passwords.
Kerberos — The default authentication protocol in Windows Active Directory, using tickets to allow nodes to prove their identity over non-secure networks.
Key Exchange — A cryptographic protocol allowing two parties to establish a shared secret over an insecure channel; examples include Diffie-Hellman and ECDH.
Keylogger — Malware recording keystrokes to steal credentials, credit card numbers, and other sensitive input.
Kill Chain — A military-derived concept mapping attack phases to enable defenders to identify and disrupt attacks at the earliest possible stage.
KQL (Kusto Query Language) — Microsoft's query language used in Azure Sentinel/Microsoft Defender for log analysis and hunting.
L¶
Lateral Movement — Techniques attackers use to progressively move through a network after initial access to reach their target systems.
LDAP (Lightweight Directory Access Protocol) — Protocol for accessing and maintaining distributed directory information services; foundation of Active Directory.
Least Privilege — Security principle granting users and processes only the minimum permissions necessary to perform their functions.
Living Off the Land (LotL) — Attacker technique using legitimate system tools (LOLBins) like PowerShell, WMI, certutil, and mshta to execute malicious actions without deploying custom tools.
Log Management — The collection, aggregation, storage, and retention of security-relevant log data from across the environment.
LOLBAS (Living Off the Land Binaries and Scripts) — Legitimate Windows executables and scripts that can be abused by attackers to execute malicious actions while evading detection.
LSASS (Local Security Authority Subsystem Service) — Windows process managing authentication; targeted for credential dumping by tools like Mimikatz.
M¶
Malicious Macro — VBA macro code embedded in Office documents used to deliver malware when enabled by the user or via policy bypass.
Malleable C2 — Cobalt Strike feature allowing operators to customize beacon communication patterns to mimic legitimate application traffic and evade network detection.
Malware — Software designed to disrupt, damage, or gain unauthorized access to systems; includes viruses, worms, Trojans, ransomware, spyware, and adware.
Man-in-the-Middle (MitM) — Attack intercepting communications between two parties without their knowledge, enabling eavesdropping or tampering.
Memory Forensics — Analysis of volatile memory (RAM) captures to recover running processes, network connections, injected code, and decrypted data.
Mimikatz — An open-source Windows credential extraction tool widely used in penetration testing and abused in attacks to dump NTLM hashes, Kerberos tickets, and plaintext passwords.
MISP (Malware Information Sharing Platform) — Open-source threat intelligence platform for collecting, storing, distributing, and sharing indicators and threat intelligence.
MITRE ATT&CK — See ATT&CK.
ML-KEM (Module Lattice Key Encapsulation Mechanism) — NIST FIPS 203 standard for post-quantum key encapsulation, replacing classical Diffie-Hellman for key exchange.
Mnemonic — A pattern, seed phrase, or memory aid; in blockchain/crypto contexts, a BIP-39 seed phrase recovering cryptocurrency wallets.
Monero (XMR) — Privacy-focused cryptocurrency using ring signatures and stealth addresses; favored by ransomware groups for ransom payments due to its enhanced anonymity.
MFA (Multi-Factor Authentication) — Authentication requiring two or more verification factors from: something you know, something you have, something you are.
Mutex (Mutual Exclusion Object) — A Windows synchronization object preventing concurrent process execution; malware often creates unique mutexes as anti-reinfection marks, serving as IOCs.
N¶
Network Segmentation — Dividing a network into separate zones to limit attacker movement and contain breaches.
NGFW (Next-Generation Firewall) — Firewall incorporating application awareness, user identity awareness, SSL inspection, and integrated IPS capabilities.
NIST CSF (Cybersecurity Framework) — NIST's voluntary framework providing a common language for managing cybersecurity risk across five functions: Identify, Protect, Detect, Respond, Recover.
NTLM (NT LAN Manager) — A Windows authentication protocol suite; older and weaker than Kerberos, vulnerable to pass-the-hash and relay attacks.
NULL Session — An unauthenticated connection to Windows resources allowing enumeration of users, shares, and policies; disabled in modern Windows by default.
O¶
OAuth 2.0 — An authorization framework enabling third-party applications to obtain limited access to user accounts without exposing passwords.
OPSEC (Operations Security) — Process of protecting information that could be used by adversaries to plan or conduct operations against you; both offensive and defensive concept.
Order of Volatility — Forensic principle prioritizing evidence collection by how quickly data changes or disappears: RAM > network connections > running processes > disk.
OSINT (Open-Source Intelligence) — Intelligence gathered from publicly available sources including internet, social media, public records, and academic publications.
OT (Operational Technology) — Hardware and software detecting or causing changes through direct monitoring and control of physical devices and processes.
P¶
Packet Capture (PCAP) — A recording of network traffic data, fundamental to network forensics and incident investigation.
PAM (Privileged Access Management) — Solutions controlling, monitoring, and auditing privileged account usage across enterprise environments.
Pass-the-Hash (PtH) — Using a captured NTLM hash to authenticate without knowing the actual password.
Pass-the-Ticket (PtT) — Using a stolen Kerberos ticket to authenticate as that principal without knowing the password.
Passive DNS — Historical DNS resolution data showing what IP addresses a domain has resolved to over time; invaluable in threat intelligence and attribution.
Password Spraying — Attempting a single common password against many accounts to avoid lockout, as opposed to brute force targeting a single account.
Patch Management — The process of identifying, acquiring, testing, and installing patches to fix security vulnerabilities in software and firmware.
PE (Portable Executable) — The standard Windows executable file format (.exe, .dll, .sys); analyzed in malware triage to understand capabilities and packing.
Penetration Testing — Authorized simulated attack on a system to evaluate its security; distinct from vulnerability scanning in that exploitation is performed.
Persistence — Attacker techniques ensuring continued access after system restarts or credential changes; examples include registry run keys, scheduled tasks, and backdoor accounts.
Phishing — Social engineering attack delivered via email designed to steal credentials, install malware, or initiate fraudulent transactions.
PKI (Public Key Infrastructure) — The framework of policies, procedures, hardware, software, and people needed to create, manage, distribute, use, store, and revoke digital certificates.
PLC (Programmable Logic Controller) — Industrial computer controlling manufacturing and operational processes; primary target in OT/ICS attacks.
Post-Quantum Cryptography (PQC) — Cryptographic algorithms believed to be secure against attacks by quantum computers; NIST finalized FIPS 203/204/205 in 2024.
Privilege Escalation — Gaining elevated permissions beyond those initially granted, either vertically (user to admin) or horizontally (one user to another).
Prowler — Open-source AWS/Azure/GCP security scanning tool checking compliance with CIS benchmarks, NIST, GDPR, and hundreds of security checks.
Purple Team — Collaborative exercise where red team and blue team work together in real-time to improve detection and response capabilities.
Q¶
Quantum Key Distribution (QKD) — Method using quantum mechanics to securely distribute cryptographic keys; any eavesdropping attempt disturbs the quantum state and is detectable.
Query Language — Specialized syntax for retrieving and analyzing data from security data stores; examples include KQL (Sentinel), SPL (Splunk), EQL (Elastic), and YARA.
R¶
RaaS (Ransomware-as-a-Service) — Business model where ransomware operators provide tools, infrastructure, and support to affiliates who conduct attacks in exchange for a revenue share.
RAM Scraping — Malware technique reading process memory to extract sensitive data such as credit card numbers, passwords, and encryption keys.
Ransomware — Malware encrypting victim files or locking systems and demanding payment for decryption.
Reconnaissance — The ATT&CK tactic of gathering information to plan future adversary operations, divided into active and passive techniques.
Red Team — A group that simulates adversary attacks against an organization's defenses to identify vulnerabilities and test detection/response capabilities.
REMnux — A Linux distribution purpose-built for malware analysis, pre-installed with hundreds of reverse engineering and forensics tools.
Resource Development — ATT&CK tactic covering adversary actions to establish resources to support operations, including acquiring infrastructure, malware, and tool capabilities.
Reverse Shell — A type of shell in which the target machine initiates a connection back to the attacker's machine, bypassing inbound firewall rules.
Risk Acceptance — A deliberate decision by management to acknowledge a risk and not implement additional controls, accepting the potential consequence.
Risk Register — A document recording identified risks, their likelihood, impact, current controls, and treatment decisions.
Rootkit — Malware designed to conceal itself and other processes by hooking OS functions; can operate at user mode (ring 3) or kernel mode (ring 0).
ROP (Return-Oriented Programming) — An exploitation technique chaining small code sequences ending in RET instructions ("gadgets") to bypass DEP/NX without injecting shellcode.
S¶
SAML (Security Assertion Markup Language) — An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider.
Sandbox — An isolated environment used to safely execute and analyze potentially malicious code without risk to production systems.
SASE (Secure Access Service Edge) — An architecture converging network security functions (SWG, CASB, ZTNA, FWaaS) with WAN capabilities in a cloud-delivered service.
SAST (Static Application Security Testing) — Analyzing source code or binaries without execution to identify vulnerabilities.
SBOM (Software Bill of Materials) — A formal, machine-readable inventory of software components and their dependencies, enabling supply chain risk assessment.
Security Information and Event Management (SIEM) — A platform providing real-time analysis of security alerts generated by applications and network hardware.
Shellcode — Machine code payload typically injected into a vulnerable process to spawn a shell or execute arbitrary commands.
SIM Swapping — Social engineering attack convincing a carrier to transfer a victim's phone number to an attacker-controlled SIM, bypassing SMS-based MFA.
Silver Ticket — A forged Kerberos service ticket (TGS) created using a service account's NTLM hash; more targeted than a Golden Ticket, harder to detect.
SLSA (Supply chain Levels for Software Artifacts) — A security framework providing guidance for improving software supply chain integrity through four levels of assurance.
SOAR (Security Orchestration, Automation, and Response) — Technology enabling automated workflows that combine security event data with threat intelligence and security controls.
Social Engineering — Psychological manipulation of individuals into performing actions or divulging confidential information.
SPF (Sender Policy Framework) — An email authentication method specifying which mail servers are authorized to send email on behalf of a domain.
SPN (Service Principal Name) — A unique identifier for a service instance in Active Directory; accounts with SPNs are targets for Kerberoasting.
Splunk — A widely used log management and SIEM platform using the Search Processing Language (SPL) for data analysis and correlation.
SQL Injection (SQLi) — Inserting malicious SQL code into application queries to manipulate databases, bypass authentication, or exfiltrate data.
SSRF (Server-Side Request Forgery) — A vulnerability allowing attackers to cause the server to make requests to unintended locations, including internal cloud metadata endpoints (IMDS).
STARTTLS — Protocol command upgrading a plaintext connection to an encrypted one using TLS; vulnerable to downgrade attacks if not enforced.
StealBit — Data exfiltration tool developed by the LockBit ransomware group, used in double extortion campaigns.
Supply Chain Attack — Compromising software or hardware in the supply chain to distribute malware to downstream customers via trusted update mechanisms.
T¶
Tabletop Exercise — A discussion-based IR exercise where team members walk through simulated scenarios to test response procedures and identify gaps.
Tactics, Techniques, and Procedures (TTPs) — The behavior patterns of threat actors; tactics are the goals, techniques are the methods, procedures are the specific implementations.
Threat Actor — An individual or group involved in malicious cyber activity; classified as nation-state, cybercriminal, hacktivist, or insider.
Threat Hunting — Proactive search through network and endpoint data for attacker activity that has evaded automated detection.
Threat Intelligence Platform (TIP) — Software aggregating, normalizing, and sharing threat intelligence from multiple sources to support security operations.
Threat Modeling — Structured process identifying potential threats to a system and determining countermeasures to prevent or mitigate their effects. Frameworks include STRIDE and PASTA.
TLS (Transport Layer Security) — Cryptographic protocol providing secure communications over a network; current version is TLS 1.3 (RFC 8446).
Token Impersonation — Windows attack technique using access tokens from higher-privileged processes to execute code with elevated permissions.
TTL (Time to Live) — In DNS, the duration a record is cached; attackers use low TTLs for fast-flux infrastructure to rapidly rotate IP addresses.
U¶
UEBA (User and Entity Behavior Analytics) — Analytics detecting anomalous behavior by users and entities through machine learning and statistical baselines.
Unicode Smuggling — Using invisible Unicode characters or look-alike characters to bypass security controls or deceive users; used in BEC and supply chain attacks.
Unpacking — The process of decompressing or decrypting packed malware to reveal the actual malicious payload for analysis.
Use Case — In SIEM/SOC context, a specific detection scenario combining data sources, correlation logic, and response procedures to detect a particular threat.
V¶
Vishing — Voice phishing; social engineering attacks conducted via phone calls, including IT helpdesk impersonation and executive pretexting.
Volatility — An advanced memory forensics framework supporting acquisition and analysis of memory images from Windows, Linux, and macOS systems.
VPN (Virtual Private Network) — Encrypted tunnel extending a private network across the internet; being displaced by ZTNA for zero trust architectures.
Vulnerability — A weakness in software, hardware, or process that could be exploited to cause harm.
Vulnerability Disclosure Policy (VDP) — A structured program defining how an organization receives, processes, and responds to external vulnerability reports.
W¶
WAF (Web Application Firewall) — Appliance or service filtering HTTP/HTTPS traffic to web applications, blocking common attacks like SQLi and XSS.
Watering Hole Attack — Compromising a website frequented by the intended target, waiting for targets to visit and serving them exploits.
WebAuthn — W3C standard enabling strong, public-key-based authentication in browsers; component of FIDO2 providing phishing-resistant MFA.
Whaling — Highly targeted phishing attacks against senior executives or other high-value individuals.
Wiper Malware — Destructive malware overwriting or encrypting data without providing a recovery mechanism; examples include NotPetya, Shamoon, and AcidRain.
Write-Blocker — Hardware or software device preventing writes to forensic evidence media, ensuring integrity during acquisition.
X¶
XDR (Extended Detection and Response) — Unified security incident detection and response platform integrating and correlating data across endpoints, networks, cloud, and identity.
XML External Entity (XXE) — A vulnerability in XML parsers allowing attackers to access files, perform SSRF, or execute denial-of-service attacks through malicious XML input.
XOR Encoding — A simple symmetric cipher operation; frequently used by malware for obfuscating strings and payloads due to its simplicity and reversibility.
Y¶
YARA — A pattern-matching tool used to identify and classify malware samples based on strings, byte sequences, and behavioral rules.
YARA Rule — A structured rule file defining conditions that identify specific malware families or malicious patterns in files, processes, or network traffic.
Z¶
Zero Day (0-day) — A vulnerability unknown to the software vendor with no available patch; exploitation before a patch is available is a zero-day attack.
Zero Trust — A security model based on "never trust, always verify" — no user, device, or network is trusted by default, requiring continuous validation.
Zero Trust Network Access (ZTNA) — Replaces VPN with identity-aware, least-privilege access to specific applications based on user identity, device posture, and context.
Zerologon (CVE-2020-1472) — Critical vulnerability in the Netlogon protocol allowing unauthenticated domain controller compromise; one of the most impactful Windows vulnerabilities in recent years.
ZTNA (Zero Trust Network Access) — See Zero Trust Network Access.
Domain-Specific Glossaries¶
Active Directory & Identity¶
| Term | Definition |
|---|---|
| ACE (Access Control Entry) | Individual permission entry within an ACL specifying a trustee and the access rights granted or denied |
| ADCS (Active Directory Certificate Services) | Microsoft PKI implementation within AD; vulnerable to multiple escalation paths (ESC1–ESC8) |
| AdminSDHolder | AD object protecting members of privileged groups by resetting ACLs hourly; abused for persistence |
| AS-REP Roasting | Attacks accounts without Kerberos pre-authentication required, extracting crackable hashes |
| Azure AD (Entra ID) | Microsoft's cloud identity platform; separate attack surface from on-premises AD |
| Constrained Delegation | Kerberos delegation limiting which services a service account can request tickets for |
| DCSync | Replicates domain password database using DS-Replication rights |
| Delegated Authentication | Kerberos mechanism allowing services to authenticate to other services on behalf of users |
| Distinguished Name (DN) | Full path identifying an object in the AD directory tree |
| Domain Trust | Relationship allowing authentication between domains; cross-domain trusts are attack vectors |
| ESC1–ESC8 | ADCS misconfiguration categories identified by SpecterOps enabling privilege escalation |
| Fine-Grained Password Policy | AD feature applying different password policies to different groups or users |
| Forest | Collection of one or more AD domains sharing a common schema, configuration, and GC |
| Global Catalog (GC) | Partial replica of all AD objects in a forest, used for cross-domain authentication |
| gMSA (Group Managed Service Account) | Service account with automatic 240-character password rotation; immune to Kerberoasting |
| Kerberos Bronze Bit | CVE-2020-17049; allows modifying the forwardable flag in service tickets |
| krbtgt | Special AD account whose hash is used to sign all Kerberos tickets; compromise = Golden Ticket |
| LDAP Injection | Inserting malicious LDAP statements into queries to manipulate directory searches |
| NTDS.dit | Active Directory database file storing all user objects and password hashes |
| OU (Organizational Unit) | Container in AD used to organize objects and apply Group Policy |
| Overpass-the-Hash | Converting NTLM hash to a Kerberos TGT, enabling Kerberos attacks from hash |
| PAC (Privilege Attribute Certificate) | Component of Kerberos tickets encoding authorization data; forgeable in certain attacks |
| Protected Users Group | High-security AD group disabling NTLM, DES/RC4, unconstrained delegation for members |
| SID History | AD attribute enabling migrated users to retain old SID access rights; abusable for persistence |
| Unconstrained Delegation | Kerberos delegation allowing a service to request tickets for any service; dangerous misconfiguration |
Cloud Security¶
| Term | Definition |
|---|---|
| ARN (Amazon Resource Name) | Unique identifier for AWS resources used in IAM policies |
| AssumeRole | AWS STS API call to obtain temporary credentials for an IAM role |
| Azure Managed Identity | Azure service providing automatic credential management for services without manual secrets |
| CloudTrail | AWS service logging API calls; disabling it is a key attacker anti-forensics step |
| CSPM | Cloud Security Posture Management; continuous monitoring for cloud misconfigurations |
| ECS Task Role | IAM role granting AWS permissions to containerized workloads in ECS |
| GCP Service Account | Identity for GCP workloads; key file exfiltration = account compromise |
| IAM Policy | Document defining permissions for AWS principals; over-permissive policies = privilege escalation |
| IMDS (Instance Metadata Service) | Cloud service providing credentials to EC2/compute instances; primary SSRF target |
| IMDSv2 | Token-based IMDS version requiring a session token, mitigating SSRF attacks |
| Pacu | AWS exploitation framework for privilege escalation and post-exploitation |
| Resource Policy | AWS policy attached to a resource controlling cross-account and cross-service access |
| SCPs (Service Control Policies) | AWS Organizations guardrails restricting what member accounts can do |
| Security Hub | AWS cloud-native CSPM and security findings aggregation service |
| Terraform | Infrastructure-as-Code tool; misconfigured state files can expose secrets |
| Wiz | Cloud security platform providing attack path analysis across AWS/Azure/GCP/K8s |
Malware Analysis¶
| Term | Definition |
|---|---|
| Anti-Analysis | Techniques evading analysis: anti-debugging, anti-VM, anti-sandbox, sleep calls |
| Code Cave | Empty space in a PE section used to inject shellcode |
| DLL Hijacking | Exploiting search order to load a malicious DLL instead of a legitimate one |
| DLL Injection | Forcing a process to load a malicious DLL into its address space |
| DLL Sideloading | Placing a malicious DLL alongside a legitimate executable that loads it |
| Dynamic-Link Library (DLL) | Windows shared library; core target for injection and hijacking techniques |
| Entropy | Measure of randomness in data; high entropy (>7.0) in PE sections indicates packing/encryption |
| Import Address Table (IAT) | PE structure listing functions the binary imports from DLLs; target for hooking |
| Memory Injection | Technique writing code into another process's memory space for execution |
| Packer | Tool compressing or encrypting malware to evade signature detection; common: UPX, Themida |
| Process Hollowing | Creating a suspended process then replacing its code with malicious payload |
| Process Injection | Generic term for techniques running code in the address space of another process |
| Reflective Loading | Injecting a DLL into memory without touching disk, using custom PE loader |
| Registry Persistence | Storing malware path in registry Run keys for automatic execution at startup |
| Sandbox Evasion | Detecting and behaving normally in analysis environments to avoid detection |
| Section Entropy | Entropy of individual PE sections; .text entropy >7.0 = likely packed or encrypted code |
| Shellcode Injection | Writing raw shellcode into target process memory and executing it |
| Stage 1/2/3 | Multi-stage malware delivery where each stage downloads the next; reduces initial detection |
| Timestomping | Modifying file metadata timestamps to hinder forensic timeline analysis |
Network Security¶
| Term | Definition |
|---|---|
| ARP Poisoning | Sending falsified ARP messages to link attacker's MAC with legitimate IP, enabling MitM |
| BGP Hijacking | Malicious advertisement of IP prefixes to redirect internet traffic |
| CDN (Content Delivery Network) | Distributed server network; abused for domain fronting C2 |
| Deep Packet Inspection | Examining packet content beyond headers for policy enforcement and threat detection |
| DNS Rebinding | Changing DNS resolution to bypass same-origin policy, enabling browser-based attacks on internal services |
| Firewall Egress Filtering | Controlling outbound traffic; critical for detecting C2 callbacks and data exfiltration |
| IDS/IPS Evasion | Techniques bypassing intrusion detection: fragmentation, encoding, timing |
| MPLS (Multiprotocol Label Switching) | Network routing technology used in enterprise WANs; lateral movement consideration |
| Network Tap | Hardware device passively copying network traffic for monitoring |
| PCAP Analysis | Examining packet captures to reconstruct network sessions and identify malicious activity |
| Port Knocking | Covert method of opening firewall ports by sending packets to specific port sequences |
| Promiscuous Mode | NIC mode capturing all traffic on the segment, not just traffic addressed to the NIC |
| SMB (Server Message Block) | Windows file sharing protocol; widely abused for lateral movement (EternalBlue, PsExec) |
| SPAN Port (Port Mirroring) | Switch feature copying traffic to a monitoring port for passive network analysis |
| VLAN Hopping | Exploiting switch misconfigurations to access VLANs beyond intended access |
| WPA3 | Latest Wi-Fi security protocol with Simultaneous Authentication of Equals (SAE) |
| Zeek | Network analysis framework generating high-fidelity logs from network traffic; foundation of NSM |
OT/ICS Security¶
| Term | Definition |
|---|---|
| Claroty | Industrial cybersecurity platform providing OT/ICS asset visibility and threat detection |
| CIP (Common Industrial Protocol) | EtherNet/IP application layer protocol used in industrial automation |
| Cyber-Physical System (CPS) | System integrating computation with physical processes; includes ICS and IoT |
| DCS (Distributed Control System) | Industrial control system distributing control across multiple nodes |
| Dragos | ICS-focused threat intelligence and monitoring platform; tracks activity groups like ELECTRUM |
| EWS (Engineering Workstation) | Primary configuration and programming station for ICS/SCADA systems |
| Fieldbus | Industrial network protocol connecting sensors and actuators to PLCs |
| HMI (Human-Machine Interface) | Operator interface for monitoring and controlling industrial processes |
| Historian | Industrial database storing time-series process data; valuable intelligence target |
| Modbus | Serial communication protocol used in ICS; no built-in authentication |
| NERC CIP | Reliability standards for protecting bulk electric systems from cyber threats |
| OPC UA | Platform-independent service-oriented architecture for industrial communication |
| Purdue Model | Reference architecture for ICS security layering IT and OT networks with DMZ separation |
| RTU (Remote Terminal Unit) | Field device monitoring equipment and communicating with SCADA master |
| SCADA | Supervisory Control and Data Acquisition; large-scale monitoring and control system |
| Safety Instrumented System (SIS) | Independent system preventing or mitigating hazardous events; target of TRITON malware |
This glossary covers 400+ terms across all major security domains. For the core glossary (150 terms), see Glossary. For specific chapter context, terms are also defined inline throughout the textbook.