Account harvesting

Account harvesting is the process of gathering user accounts from a system, service, or database using a variety of methods, such as malware or phishing.

Account hijacking

Account hijacking is the process of taking over user online accounts, such as email and social media accounts.

Address bar

An address bar is the text box in your web browser that displays the web page URL or IP address. At times, it functions as a search bar if the user entered text that is an invalid URL.

Address Resolution Protocol (ARP)

An address resolution protocol (ARP) is the system or process of mapping or finding a physical address belonging to an IP address in the local network.

Advanced Encryption Standard (AES)

Developed by the National Institute of Standards and Technology (NIST), Advanced Encryption Standard (AES) is a block cipher that provides fast, strong, and secure encryption of classified data. AES was created as an alternative to the Data Encryption Standard (DES), because it became vulnerable to brute-force attacks. Synonym(s): Rijndael Block Cipher

Advanced persistent threat (APT)

An advanced persistent threat (APT) is a prolonged, targeted attack on a specific entity or entities with the intention of compromising their systems and gaining information from or about them.

Alert fatigue

Alert fatigue in cybersecurity is when IT professionals are overwhelmed by the number of alerts they receive from their range of security tools and systems across their organization. Alert fatigue results in decreased productivity due to overload and stress and a waste of human resources and time. In some cases, security teams may miss genuine threats due to this phenomenon.   


Android is Google’s flagship operating system for smartphones and tablets. Manufacturers have adapted Android in televisions, smart-watches, cars, and many other electronic devices.

Anomaly detection

Anomaly detection is identifying irregularities or deviations in patterns, data points, events, or observations that do not conform to the norm or the expectations of businesses or groups. Not all detected anomalies are malicious. Synonym: Outlier detection


Anti-ransomware is software specifically designed to combat ransomware. Such software could make use of specific techniques that general security tools don’t deploy.

Anti-virus (AV) killer

An AV killer is malicious code that disables the user’s anti-virus software to avoid detection. Sometimes, this term is used for malware that disables firewalls.


Antivirus is an antiquated term used to describe security software that detects, protects against, and removes malware. Synonyms: anti-malware.

Application programming interface (API)

An application programming interface (API), in simple terms, is a means for different software to talk to one another. It is the code that governs its server’s access points. APIs have many uses and take many forms.

Application security

Application security is the practice of applying security measures to the software application. This has to be done to defend against threats and attacks from the outside that attempt to exploit the app.

Artificial intelligence (AI)

AI is a system’s or an application’s ability to correctly interpret and learn from data to achieve specific goals and tasks. Synonym: Machine intelligence

Attack vector

An attack vector refers to the technique used to obtain unauthorized access to a system or network. It is an integral part of vulnerability research to know which attack vector is or might be used.


Attribution is the practice of taking forensic artifacts of a cyberattack and matching them to known threats against targets with a profile matching a particular organization.


In computing, authentication is the process of verifying the identity of a user or process. Other forms: Auth



A backdoor is a type of Trojan that allows a threat actor access to a system by bypassing its security. This term can also refer to the method of gaining access to user systems undetected. Other forms: backdooring

Banking Trojan

A banking Trojan is a type of Trojan specifically created to harvest credentials and other sensitive financial and personal information stored and processed through online banking systems.


BIOS stands for “basic input/output system”. It is firmware used by the computer’s microprocessor to initialize the computer when the user physically turns it on.


In computing, a blacklist usually refers to a list of domains and/or IP addresses that are known or suspected malicious servers and/or domains. These lists are used to protect users from receiving mail from the blacklisted servers or from browsing to dangerous sites hosted on these domains/IP addresses.


Bluetooth is a wireless technology mainly used for short distance connections between devices due to its low power signal. Communication is done at a bandwidth around 2.45 GHz. It doesn’t need a line of sight to establish a connection.


The word “bot” is a derivative of “robot.” It usually pertains to (1) one or more compromised machines controlled by a botmaster or herder to spam or launch DDoS attacks, or (2) an automated program coded with particular instructions to follow, which includes interacting with websites and humans via web interfaces (e.g., IMs). A collective of bots is called a botnet. Synonym: zombie machine


A botnet is a collection of bots. The term also refers to the malware run on a connected device to turn it into a bot. Synonym: zombie network

Brute force attack

Brute force attacks involve criminals systematically attempting all possible combinations of passwords or encryption keys until the correct one is found.

Business email compromise (BEC)

A business email compromise (BEC) is an attack wherein an employee, who is usually the CFO or someone from the Finance department, is socially engineered into wiring a large sum of money to a third-party account.


California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) gives California residents more control over the personal information that businesses collect about them, and the CCPA regulations provide guidance on how to implement the laws.


US-CERT, the United States Computer Emergency Readiness Team, is responsible for analyzing and reducing cyber threats, vulnerabilities, disseminating cyber threat warning information, and coordinating incident response activities.

Children’s Online Privacy Protection Act (COPPA)

The Children’s Online Privacy Protection Act, or COPPA, is a privacy law that protects children under the age of 13. It was first passed in 1998. The Federal Trace Commission (FTC) manages COPPA.

Children’s Internet Protection Act (CIPA)

The Children’s Internet Protection Act (CIPA) was enacted by Congress in 2000 to address concerns about children’s access to obscene or harmful content over the Internet at schools and libraries.


Clickjacking is a type of attack that tricks a user into clicking a website element that is either invisible or disguised as another element. This hijacks a user’s click meant for one thing but leads to another. For example: instead of clicking a button to reply, a clickjacking attack on a Twitter user can make them re-tweet a malicious domain to followers instead. This is typically seen as browser security issue. However, such an attack can also take place in mobile applications. Clickjacking has different types, such as likejacking. Synonyms: User interface (UI) redress attack, UI redressing

Cloud computing

Cloud computing refers to the delivery of services that are hosted over the internet to computers and other computing devices.

Cloud phishing

Cloud phishing refers to a phishing trend that uses the guise of cloud computing services to get users to click malicious links. Campaigns of this kind usually start off in emails and social media posts. See also: spear phishing.

Cloud security

Cloud security involves practices, policies, and controls to protect cloud-based data, applications, and infrastructure from cyber intrusions.

Cobalt Strike

Cobalt Strike is a legitimate tool used in penetration testing and threat emulation. While it is popular among pen testers, underground criminals are notorious for abusing the tool. They do this by making the tool a part of their attack campaigns.

Command & control (C&C)

Command & control, also called C&C or C2, is a centralized server or computer that online criminals use to issue commands to control malware and bots as well as to receive reports from them.   
Learn more: Hacker Malware Botnet  

Credential stuffing

Credential stuffing is a popular tactic of attempting to access online accounts using username-password combinations acquired from breached data. This is usually done using an automated tool.

Cross-site scripting (XSS)

Cross-site scripting is a type of injection attack wherein a vulnerability in web applications is exploited that allows a threat actor to inject malicious script into the site’s content. Affected trusted sites are made to deliver the malicious script to visitors.


Cryptojacking is the surreptitious use of computing devices to mine cryptocurrency.

CVE identifier

A Common Vulnerabilities and Exposure (CVE) identifier is a unique number assigned to publicly known software vulnerabilities. It follows the format: CVE + year + at least 4 sequence number digits Vendors and researchers alike consider CVE identifiers as standard for identifying vulnerabilities. For example, CVE-2014-0160 is the CVE ID for the vulnerability commonly known as Heartbleed. Synonyms: CVE names, CVE IDs, CVE numbers, CVEs, vulnerability identifier

Cyber Essentials

Developed by the UK government, Cyber Essentials provides a clear set of basic security controls to help organizations protect themselves against the most common cyber threats.

Cyber espionage

Cyber espionage involves a threat actor or unauthorized cybercriminal who steals, damages, or exposes classified data with the intent to harm an individual or organization causing reputational destruction.


Cyberbullying is the act of threatening and intimidating others via electronic and digital means.


Cybercrime is the term referring to crimes that are related to computers and networks, including traditional crimes like fraud, blackmail, and identity theft that are done over the Internet or by using computing devices.


In today’s interconnected world, cybersecurity stands as the cornerstone of digital safety. It encompasses an array of methodologies, technologies, and practices dedicated to shielding digital systems, networks, and data from malicious incursions, unauthorized access, and data breaches. From personal devices to corporate networks and critical infrastructure, cybersecurity plays an indispensable role in fortifying the digital frontier against an ever-evolving landscape of cyber threats.

Cybersecurity and Infrastructure Security Agency (CISA)

The Cybersecurity and Infrastructure Security Agency (CISA) is a component of the United States Department of Homeland Security (DHS) responsible for cybersecurity and infrastructure protection across all levels of government, coordinating cybersecurity programs with U.S. states, and improving the government’s cybersecurity protections against private and nation-state hackers.

Cybersecurity Maturity Model Certification (CMMC)

In an era dominated by digital technologies, cybersecurity has become a top priority for organizations across all sectors. The increasing frequency and sophistication of cyber threats pose significant risks to sensitive data, intellectual property, and critical infrastructure. In response to these challenges, the U.S. Department of Defense (DoD) has introduced the Cybersecurity Maturity Model Certification (CMMC), a unified standard for assessing and enhancing the cybersecurity posture of defense contractors and their supply chains.


Data breach

A data breach happens when data deemed sensitive, protected, or confidential were illegally accessed or disclosed. Individuals may have viewed, copied, transmitted, stolen, or used such data accidentally or deliberately.

Data exfiltration

Data exfiltration is an act of retrieving, copying, and transferring data, such as user credentials, about individuals or organizations without authorization. Synonym: Siphoning

Data loss prevention (DLP)

Data Loss Prevention (DLP) is a comprehensive strategy that involves tools and processes designed to prevent unauthorized access, disclosure, use, modification, deletion, or destruction of sensitive data.

Data mining

Data mining is the process of sifting through large data sets to identify patterns or generate new information.

Data Protection

Data protection refers to the process of safeguarding critical information from corruption, compromise, or loss. It involves implementing various security measures to ensure the privacy, integrity, and availability of data. The primary goal is to prevent unauthorized access and data breaches, which can lead to financial loss, reputational damage, and legal consequences.


A decryptor is a tool used to transform unreadable data back to its original, unencrypted form. This is typically used by those affected by ransomware to restore their files.


A “deepfake” refers to recreated media of a person’s appearance (on a video or image) or voice by an artificial intelligence (AI).

Device control

Device control refers to the set of policies, procedures, and technologies used to regulate and monitor the use of external devices, such as USB drives, external hard drives, smartphones, and other peripherals, that connect to endpoint devices like computers, servers, and mobile devices. The primary goal of device control is to prevent unauthorized devices from accessing sensitive data and ensure that only approved devices can interact with the network.

Dictionary attack

A dictionary attack is an act of penetrating password-protected computer systems or servers using large sets of words in a dictionary. This attack usually works as many users still use ordinary words for their passwords. See also brute force attack

DNS filtering

DNS filtering, also known as DNS blocking, is a cybersecurity method in which end users are denied access to nefarious content with a goal in stopping web-based threats at the DNS (Domain Name System) level.

DNS Hijacking

DNS hijacking is a malicious activity where attackers redirect DNS queries to fraudulent websites by altering DNS settings on a device, router, or through man-in-the-middle attacks. DNS poisoning, also known as cache poisoning, involves corrupting the cache of a DNS resolver with incorrect entries, causing it to return wrong IP addresses and redirect users to malicious sites. Both techniques are used to facilitate phishing, malware distribution, and service disruption.

DNS over HTTPS (DoH)

DNS over HTTP (DoH) is an alternative to DNS over TLS (DoT). It is a work-in-progress, network security protocol wherein DNS requests and responses are encrypted and sent via HTTP or  HTTPS protocols instead of directly over UDP. This is to increase user privacy and security.

DNS over TLS (DoT)

DNS over TLS (DoT) is a network security protocol wherein DNS requests and responses are encrypted and not tampered with using the TLS security protocol. This is done to increase user security and privacy. DNS over HTTPS (DoH) is an alternative to DoT.

Domain Name System (DNS)

A Domain Name System, abbreviated as DNS, is an Internet protocol that translates user-friendly, readable URLs, such as, to their numeric IP addresses, allowing the computer to identify a web server without the user having to remember and input the actual IP address of the server. Name Servers, or Domain Name Servers, host these translations. They are part of the overall Domain Name System. To learn how threat actors can abuse DNS protocols, read up on DNS hijackers, a type of malware that modifies users’ DNS settings.

Domain Name System Security Extensions (DNSSEC)

Domain Name System Security Extensions, abbreviated as DNSSEC, is a set of extensions that add extra security to the DNS protocol.


A dropper, or Trojan downloader, is a type of malware that installs other malware on the affected system. The other malware is part of the same executable, which is usually in compressed form.

Dwell time

Dwell time refers to the amount of time passed from when malware has initially infiltrated a system to when it has been detected and removed.


Email security

Email security encompasses the policies, procedures, and technologies implemented to protect email communication from cyber threats, unauthorized access, and data breaches. It involves securing both inbound and outbound email traffic, as well as the underlying infrastructure used to send, receive, and store emails.


Emotet was originally designed as a banking malware that attempted to sneak onto your computer and steal sensitive and private information. Later versions of the software saw the addition of spamming and malware delivery services—including other banking Trojans.


Encryption is the process of changing data in a way that can not (easily) be undone (or decrypted) by parties that don’t have the decryption key.

Endpoint detection and response (EDR)

Endpoint Detection and Response (EDR) refers to a set of integrated cybersecurity technologies designed to monitor and respond to threats on endpoint devices in real time. Endpoints include any device connected to a network, such as computers, servers, mobile devices, and even IoT devices. EDR solutions are essential for identifying, investigating, and mitigating malicious activities on these endpoints.

Endpoint Protection Platform (EPP)

An Endpoint Protection Platform (EPP) is a comprehensive solution designed to secure endpoints such as computers, mobile devices, and servers from cyber threats.

Endpoint Security

Endpoint security protects devices such as desktops, laptops, mobile devices and servers from unauthorized access, malware attacks, data breaches, and other security risks.


EternalBlue is one of the handful of “exploitation tools” leaked by a group called The Shadow Brokers (TSB) that take advantage of weaknesses in how Windows implemented the Server Message Block (SMB) protocol. The WannaCry and NotPetya ransomware strains used this exploit to target unpatched systems. For more information, see this blog post on how threat actors are using SMB vulnerabilities in their attack campaigns.


EternalChampion is one of the handful of “exploitation tools” leaked by a group called The Shadow Brokers (TSB) that take advantage of weaknesses in how Windows implemented the Server Message Block (SMB) protocol. EternalChampion particularly exploits a race condition in how SMB handles a transaction. TrickBot is an infamous banking Trojan known to use EternalChampion to spread laterally.


EternalRomance is one of the handful of “exploitation tools” leaked by a group called The Shadow Brokers (TSB) that take advantage of weaknesses in how Windows implemented the Server Message Block (SMB) protocol. Successful exploitation results in a remote code execution (RCE) attack. The ransomware strain known as BadRabbit has used EternalRomance in its campaign.

An ELF file is an executable file format for the Linux and Unix platforms. Its known file extensions are .axf.bin.elf.o.prx.puff.ko.mod, and .so.


Exploits are a type of malware that takes advantage of bugs and vulnerabilities in a system in order to allow the exploit’s creator to take control.

Exploit kit

An exploit kit is a packaged collection of exploits for use by criminal gangs in spreading malware. Synonym: Exploit pack


Family Educational Rights and Privacy Act (FERPA)

The Family Educational Rights and Privacy Act (FERPA) is a federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.

File type

A file type is a name given to a specific kind of file. For example, a Microsoft Excel sheet file and a Python script file are two different file types. A file type is not the same as a file format.

File-based attack

A file-based attack is an attack where threat actors use certain file types, usually those bearing document file extensions like .DOCX and .PDF, to entice users to open them. The file in question is embedded with malicious code; thus, once opened, this code is also executed.


Fingerprinting refers to the process of gathering information about a system at first contact. It is commonly used by malware to determine whether a system is vulnerable to certain attacks.

Financial Industry Regulatory Authority (FINRA)

FINRA (Financial Industry Regulatory Authority) is a not-for-profit organization that oversees U.S. broker-dealers with a focus on protecting investors and ensuring the integrity of the market.


A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. Essentially, it acts as a barrier between a trusted internal network and untrusted external networks, such as the internet, to prevent unauthorized access and cyberattacks.


Firmware is software that is written to a hardware device’s memory. It is used to run user programs on said devices.

Foothold expansion

Foothold expansion is the act of creating backdoors that are used to re-enter a network after its initial infiltration.


Fraudulent websites appear to be one thing, like a tech support site, a dating site, or a shopping site with illegal products or great deals, but they’re really scams to try to steal your information or credit card details.


Freeware is software that comes without a cost. Some freeware may give the option of voluntary payments to the developer, which is typically be called donationware.



GandCrab ransomware is a type of malware that encrypts a victim’s files and demands ransom payment in order to regain access to their data. GandCrab targets consumers and businesses with PCs running Microsoft Windows.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a regulation in EU law on data privacy and security. It applies to organizations anywhere in the world that process the personal data of individuals residing in the European Union (EU) and the European Economic Area (EEA).

Gramm-Leach-Bliley Act (GLBA)

The Gramm-Leach-Bliley Act requires financial institutions – companies that offer consumers financial products or services like loans, financial or investment advice, or insurance – to explain their information-sharing practices to their customers and to safeguard sensitive data.


Graymail is bulk solicited email that users opted-in to receiving at first, but after losing interest, just accumulates in the inbox until recipients decide to opt-out or report them as spam.


Hash value

A hash value is an alphanumeric string that uniquely identifies data or files. MD5, SHA-1, and SHA-2 are three of its known algorithms. Synonym: Hash code


Heartbleed is the term used to refer to a vulnerability in some OpenSSL implementations. This vulnerability’s official identifier is CVE-2014-0160. For more information, see this blog post on systems still unpatched five years after Heartbleed’s discovery.


HermeticWiper first appeared in late February 2022, targeting organizations in Ukraine. It falls under the category of “wiper” malware, meaning its primary function is to erase critical data and render systems inoperable. Unlike ransomware that encrypts data for ransom, HermeticWiper aims for complete destruction.

Heuristic analysis

Heuristic analysis is a scanning technique used by many antivirus programs wherein they look for certain malicious behaviors from potentially new and undetected variants. Other forms: Heuristics


A hijacker is a type of malware that modifies a web browser’s settings without users’ permission, usually to inject unwanted ads into the browser or redirect to scam sites. Synonyms: browser hijacker


The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.


The HITECH Act (Health Information Technology for Economic and Clinical Health Act) is a law passed in 2009 that complements HIPAA by emphasizing electronic health records (EHRs) and the advancement of healthcare information technology. This act extends HIPAA’s privacy and security requirements and encourages healthcare organizations to invest in strong cybersecurity measures.

Homograph attacks

A homograph attack is a method of deception wherein a threat actor leverages on the similarities of character scripts to create and register phony domains of existing ones to fool users and lure them into visiting. Synonym: homoglypth attacks, Punycode attack, script spoofing, homograph domain name spoofing

Hyper-Text Transfer Protocol (HTTP)

The Hyper-Text Transfer Protocol is a set of underlying rules used in the World Wide Web, defining how files are transferred and formatted, and how web servers and internet browsers should respond to specific commands.

Hyper-Text Transfer Protocol Secure (HTTPS)

In a nutshell, Hyper-Text Transfer Protocol Secure is secure HTTP. This means that file transference and communication over the network is protected due to encryption on both the server side and the client side.


Identity and access management (IAM)

Identity and access management (IAM) is a collective term pertaining to processes, services, and technologies that allow the right individuals and groups to access the right resources within a network.

Identity theft

Identity theft is an electronic and real-world crime of deliberately using someone else’s information to commit fraud. Usually, identity thieves are financially motivated, consequently disadvantaging their target.

Indicator of Attack (IOA)

Indicators of attack (IOA) is defined as the intentions motivating a cyberattack and focuses on the techniques bad actors use to accomplish objectives.

Indicator of compromise (IOC)

Indicators of compromise, or IOC, can be found after a system intrusion. These indicators can be IP addresses, domains, hashes of malware files, virus signatures, and similar artifacts.

Infection vector

In cybersecurity, an infection vector refers to the transmission channel of a malware. To know this, ask “How did the malware arrive on my computer/network?”   Learn more: Malware Antivirus  

Initial access brokers (IABs)

Initial access brokers (IABs) are a type of cybercriminal group that sell unauthorized access to corporate networks. IAB attacks target organizations through phishing, password guessing, and exploiting vulnerabilities.

Injection attacks

Injection attacks is a broad term referring to a certain attack vector. Usually, malicious code is used in such attacks; but generally speaking, attackers provide input that, once interpreted, alters the execution or outcome of a program. Injection attacks have several types. They include:

Internationalized domain names (IDN)

Internationalized domain names, or IDN, is a domain name containing at least one non-ASCII character. They enable internet users from all over the world can create and register domain names using their own native language.

International Organization for Standardization (ISO)

The International Organization for Standardization (ISO) is a globally recognized entity that plays a crucial role in establishing and maintaining standards across various industries and sectors.

Internet of things (IoT)

The internet of things, or IoT, represents a host of internet-connected devices that do not require direct human input.

IP address

An IP address is a number assigned to each system that is participating in a network using the Internet Protocol, such as the World Wide Web.



In computing, to jailbreak means to modify a device, usually a smartphone, by removing any restrictions imposed by the device manufacturer, such as the downloading and installation of unauthorized software or apps from third-party markets.



In the context of malware, a keylogger is a type of Trojan spyware that is capable of stealing or recording user keystrokes. Other forms: keylogger, keylogging Synonyms: keystroke logger, system monitor


Lateral movement

Lateral movement refers to various techniques and/or tactics that threat actors use that allow them to move through a network to access or search for critical assets and data within a network. At times, they employ this to control remote systems.


MAC address

A MAC address is your computer hardware’s unique number. MAC stands for Media Access Control.

Machine learning (ML)

Machine learning is a form or subset of artificial intelligence (AI) where computers make use of large data sets and statistical techniques to improve at specific tasks without being manually reprogrammed.


Malvertising, or “malicious advertising,” is the use of online advertising to distribute malware with little to no user interaction required.


Malware, or “malicious software,” is an umbrella term that refers to any malicious program or code that is harmful to systems.

Man-in-the-Middle (MitM)

In cybersecurity, a Man-in-the-Middle (MitM) attack happens when a threat actor manages to intercept and forward the traffic between two entities without either of them noticing. In addition, some MitM attacks alter the communication between parties, again without them realizing. To pull this off, the attacker should not only be convincing in their impersonation  but also be able to follow and influence the conversation between two or more parties. A MitM attack can be done between browser and Internet, for example, or between a Wi-Fi hotspot and an Internet user.

Managed Detection and Response (MDR)

MDR, or Managed Detection and Response, is a cybersecurity service that acts as an extension of your internal security team. Security experts continuously monitor your endpoints for suspicious activity. When a potential threat is identified, the MDR team investigates, analyzes, and takes decisive action to contain and neutralize it, minimizing damage.

Managed service provider (MSP)

A managed service provider (MSP) is a company that proactively offers remote support to a client’s IT infrastructure or endpoints. Oftentimes, this term is used interchangeably with “cloud service provider”.


Metadata is data about data. It gives background information, such as origin, relevance, and creation, about data. Examples are geotags in media files (say, where was a photograph taken) and author and data modified in document files.


Miner is also known as cryptocurrency miner. This is a form of malware that uses the resources of an infected system to mine cryptocurrency (e.g. Bitcoins) for the threat actor.

MITRE ATT&CK Framework

MITRE ATT&CK stands for MITRE Adversarial Tactics, Techniques, and Common Knowledge. MITRE ATT&CK framework serves as a public resource and guidance library for enterprises to better understand adversarial behavior and how the most effective and prolific attack groups infiltrate networks.

Mobile Device Management (MDM)

Mobile device management (MDM) is software that allows IT administrators to control, set, and configure policies covering mobile devices that connect to your business’ network. These devices include smartphones (Android and iPhone), tablets, laptops, and other portable endpoint devices.

Mobile Device Security

Mobile device security is a comprehensive approach to protecting mobile devices, ensuring they remain secure and prevent unauthorized access to corporate data.

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) suggests using two or more authentication protocols. The most well-known MFA is two-factor authentication (2FA). Both represent the combination of more than one method of gaining access to a resource.


Muti-tenancy refers to a software architecture in which a single instance of software running in a server can cater to multiple users. A tenant is referred to here as the user.


National Cyber Security Centre (NCSC)

The National Cyber Security Centre (NCSC) is an organization in the United Kingdom that gives cyber security guidance and support to the public and private sectors. Its headquarters is in London.

National Security Agency (NSA)

The National Security Agency (NSA) is an intelligence agency of the US Department of Defense that monitors, processes, and collects information and data for the purpose of foreign and domestic intelligence and counterintelligence.

Next Generation Antivirus (NGAV)

Next-generation antivirus (NGAV) refers to a more advanced approach to antivirus software that goes beyond traditional signature-based detection methods. NGAV solutions typically incorporate a range of advanced technologies such as machine learning, behavioral analysis, artificial intelligence, and threat intelligence to detect and respond to modern cyber threats more effectively.

NIS2 Directive

NIS2, also referred to as the NIS2 Directive, stands for the “Network and Information Security Directive” of the European Union. NIS2 emphasizes proactive risk management, mandating that essential entities implement a series of measures to enhance their cybersecurity protection.

NIST (National Institute of Standards and Technology)

The National Institute of Standards and Technology (NIST) is an agency of the United States Department of Commerce whose mission is to promote American innovation and industrial competitiveness.



Obfuscation is when malware deliberately tries to obscure its true intent to potential victims, and/or attempts to hide portions of code from malware researchers performing analysis.


OpenSSL is a popular software cryptographic library for applications designed for secure communication over computer networks. It provides an open source implementation of the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols.

Operating system (OS)

An operating system (OS) is software that supports a computer’s basic functions, such as executing applications, controlling peripherals, and scheduling tasks. The most well-known operating systems are Microsoft Windows, Linux, Apple macOS and iOS, Android, and Google’s Chrome OS.


Patch Management

Patch management is the process of identifying, acquiring, testing, and deploying software patches to all devices within a network. It’s a continuous cycle that ensures your systems are up-to-date and protected from potential threats.


In cybersecurity, a payload is malware that the threat actor intends to deliver to the victim. For example, if a cybercriminal sent out an email with a malicious Macro as the attachment and the victim gets infected with ransomware, then the ransomware is the payload (and not the email or document).

Payment Card Industry Data Security Standard (PCI DSS)

The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements intended to ensure that all companies that process, store, or transmit credit card information maintain a secure environment.

Personally Identifiable Information (PII)

Personally Identifiable Information (PII) is the term used for data that can be tracked back to one specific user. Examples of PII are names, social security numbers, biometrics, and other information that, in combination with other data, could be enough to identify a user. “Personally Identifiable Information” also has a legal definition, depending on the country and its laws. Personally Identifiable Information in one state may not include the same type of information as “personal information” or “personal data” in another state, but the purpose of these laws is often the same—to protect the types of data that could reveal a person’s identity.


Phishing scams attempt to obtain your information by presenting themselves as legitimate websites, then asking for your password, credit card details, or other sensitive information. Also: catfishing.

Point-of-sale (PoS) malware

Point-of-sale (PoS) malware usually targets payment terminals and card readers to compromise payment data and send it to criminals.


In the context of malware terminology, polymorphism is the ability of code to change its identifiable features while maintaining its functionality. Because of this ability, polymorphic malware like Emotet are difficult to detect.


PowerShell is a configuration management framework that allows system administrators and power-users to perform administrative tasks via a command line.


A pretexting attack is a type of social engineering attack where threat actors leverage a pretext to trick a target in order to commit a cybercrime. The pretext is usually a totally fictional scenario, and sometimes hackers chain pretexting with other types of attacks.

Privilege escalation

An act or event that occurs when a threat actor or unauthorized user achieves full access to normally restricted resources on a computing device’s operating system (OS) it has gained access to.

Professional Service Automation (PSA)

A PSA is software that allows companies to manage their resources efficiently. It is used from start to finish of a project’s lifecycle, which usually begins from assigning people up to billing the client once the project is done.


In malware research, a protector is software intended to prevent tampering and reverse engineering of programs. The methods used can—and usually will—include both packing and encrypting. This combination, plus added features, makes what is usually referred to as a protector. Researchers are then faced with protective layers around the payload, making reverse engineering difficult. A completely different approach, which also falls under the umbrella of protectors, is code virtualization, which uses a customized and different virtual instruction set every time you use it to protect your application. Of these protectors, there are professional versions that are used in the gaming industry against piracy. More information about this and related subjects can be found in our blog post, Explained: Packer, Crypter, and Protector


A PUM (potentially unwanted modification) is an alteration made to a computer’s registry (or other settings), which either damages the computer or changes its behavior, without knowledge of the user. Such unwanted alterations can be done by legitimate software, malware, grayware, or PUP (potentially unwanted program).


PUPs (potentially unwanted programs) are programs that may include advertising, toolbars, and pop-ups that are unrelated to the software you downloaded. PUPs often come bundled with other software that you installed.



In computing terms, to quarantine is when a potentially malicious file is placed into a “safe” location by the onboard security software, so that it can do no harm while the user decides what to do with it.



Ransomware is a type of malicious software (malware) specifically designed to hold a victim’s data hostage. Imagine a digital kidnapper – attackers deploy ransomware that encrypts your valuable files, rendering them inaccessible. The attackers then demand a ransom payment, typically in cryptocurrency like Bitcoin, to provide the decryption key needed to unlock your data.


Is abbreviated as RaaS. This is a form of software-as-a-service (SaaS) catered by underground vendors to threat actors by providing them a ransomware platform tool.


In computing, this is the process or method of correcting system changes, regardless of severity, on the affected system. Mitigation usually precedes remediation.

Remote code execution (RCE) attack

A remote code execution (RCE) attack happens when a threat actor illegally accesses and manipulates a computer or server without authorization from its owner. A system can be taken over using malware.

Remote desktop protocol (RDP)

Remote desktop protocol (RDP) is a network communications protocol that allows remote management of assets. Network administrators normally use RDP to diagnose problems on the endpoint.

Remote monitoring and management (RMM)

Remote monitoring and management (RMM) refers to the process of managing and controlling systems within a networking remotely via a specialized software, which is often referred to as RMM software. MSPs usually perform RMM for their clients.


Is software, generally classified as malware, that provides the attacker with administrator privileges on the infected system and actively hides. They also hide from other software on the system, often even from the operating system.

Ryuk ransomware

Ryuk, a name once unique to a fictional character in a popular Japanese comic book and cartoon series is now a name for one of the nastiest ransomware families to ever plague systems worldwide.


Sandbox solution

A type of solution wherein IT administers run a program in a controlled environment to determine whether it is safe to deploy within their network or not.

Sarbanes-Oxley (SOX) Act

The Sarbanes–Oxley (SOX) Act of 2002 is a United States federal law that mandates certain practices in financial record keeping and reporting for corporations.

Secure Sockets Layer (SSL)

A Secure Sockets Layer (SSL) is an encryption protocol that secures connections between clients and servers over the internet. This protocol has been deprecated in 2015 and replaced by the Transport Layer Security (TLS) protocol.

Security awareness training

Security awareness training is the process of educating people about the different kinds of cybersecurity threats that impact accounts, devices, systems, and networks, and how to manage them. Organizations invest in security awareness training to mitigate the risk of data breaches, identity theft, industrial espionage, sabotage, and financial crimes. Security awareness training also helps companies stay compliant with privacy laws.

Security information and event management (SIEM)

Security information and event management (SIEM) is a system that pulls event log data from various security tools to help security teams and businesses achieve holistic visibility over threats in their network and attack surfaces.


In computer security, a signature is a specific pattern that allows cybersecurity technologies to recognize malicious threats, such as a byte sequence in network traffic or known malicious instruction sequences used by families of malware. Signature-based detection, then, is a methodology used by many cybersecurity companies to detect malware that has already been discovered in the wild and cataloged as part of a database.


SIMjacking is the method of assuming control of a target’s mobile number. Fraudsters do this in a number of ways. One way is porting the target’s phone number from one mobile service provider to another. Other forms: SIM jacking, SIM-jacking Synonyms: SIM splitting, SIM swapping, SIM swap scam, port-out scam


Skimming is a type of fraud targeting automated teller machine (ATM) and point-of-sale (POS) terminals wherein a device (called a skimmer) or malware is used to steal information from your credit or debit card’s magnetic strip.

SMS phishing (Smishing)

Smishing, short for SMS phishing, is a type of phishing on mobile devices. It is carried out via SMS text messaging.

SOAR Security Orchestration, Automation, and Response

SOAR stands for Security Orchestration, Automation, and Response. It is a suite of tools and technologies designed to improve an organization’s ability to detect, investigate, and respond to cybersecurity incidents. SOAR integrates with various security tools, centralizing and automating routine security operations tasks, thus reducing the workload on security analysts.


Stands for Security Operations Center and is a centralized unit of personnel, processes and technology that guard the security and investigate security breaches for a bigger entity, usually a company or a network. A SOC does not necessarily have to be part of an organization, they can be hired externally.


SOC 2, which stands for System and Organization Controls 2, is a compliance framework developed by the American Institute of Certified Public Accountants (AICPA). It focuses on the controls relevant to the security, availability, processing integrity, confidentiality, and privacy of customer data. Unlike other compliance frameworks that might be prescriptive in nature, SOC 2 is more flexible, allowing organizations to design their own controls to meet the criteria.

Social engineering

Social engineering is the description of methods that attackers use to get the victims to breach security protocol or give up private information. There are many tactics that lead to this goal, and they rely on psychological manipulation, such as seducing the victims by playing to their greed, vanity, or their willingness to help someone.

Software vulnerability

Refers to a weakness or flaw in software, which leaves it open to be exploited by threat actors.


Spam is an undesired communication, often an email or call, that gets sent out in bulk. Spam wastes time and resources, so many communication tools have built-in ways of minimizing it.


A program designed to build mailing lists to send unsolicited emails to by harvesting email addresses from websites, newsgroups, and even chat room conversations.

Spear phishing

Spear phishing is a method of deceiving users via online messages, usually email, into giving up important data. Such attacks are targeted at a particular user or group of users (e.g. employees of one company). The intended victim(s) will be asked to fill out forms or lured into installing data-gathering malware on their system.


Spyware is a type of malware that gathers information on a device and sends it to a third-party actor or organization that wouldn’t normally have access. In the past, this term was also used for adware and cookies.

SQL injection

An SQL injection is a type of injection attack wherein a threat actor introduces a malicious SQL code into a database as a way to circumvent web application security measures to reveal sensitive information, destroy it, or tamper with it. This is usually done on vulnerable sites that accept user entries, such as a search box.

SSL certificate

An SSL certificate is installed to a web server, providing the means to make payments and send communications securely without fear of eavesdropping.

Supply-chain attack

A type of attack that targets the weakest or most vulnerable element in a business’s or organization’s supply chain network. There are several ways this can be done: one, cybercriminals can continuously attack the system through hacking; another is by embedding malware into a manufacturer’s software. However this is done, the purpose of a supply chain attack is to gain access to sensitive data repositories and damage the company.

Suspicious activity

In our ThreatDown product, “possible suspicious activity” encompasses a variety of behaviors that are commonly attributed to technical support scams, cryptojacking, browser hijacking, and other types of harmful or potentially unwanted programs (PUPs).


The United States Computer Emergency Readiness Team (US-CERT)

The US Computer Emergency Readiness Team (US-CERT) is a branch of the Office of Cybersecurity and Communications’ (CS&C) National Cybersecurity and Communications Integration Center (NCCIC). It was created to protect the country’s internet infrastructure, improve the US’s cybersecurity posture, coordinate information sharing, and reduce the risk of cyber threats proactively. US-CERT also educates consumers and businesses about data security, and assist security organizations in terms of threat detection and management among others.

Third party

Is a term used to describe an entity that is involved in a deal, but not directly as one of the entities that close the deal. In privacy policies, the term is often used to avoid being blamed, as the publisher, for something any third party might do to the user. For example, additional software that is included in a bundler, will usually be referred to as “third-party software”.

Third party patch management

Third party application patch management (or 3rd party patch management) is the process of applying patch updates to third-party programs installed on your company’s endpoints (desktops, laptops, servers, and other devices). Third-party patch management fixes vulnerabilities that, if exploited, can compromise software security and functionality. Learn more about ThreatDown Patch Management.

Threat actor

In cybersecurity, a threat actor is a group or person behind a malicious incident. As it is sometimes unclear whether an attack was done by one person or whether there is a group or organization involved, we use this as a general term to describe the responsible entity.

Threat Detection and Response (TDR)

Threat detection and response focuses on monitoring suspicious cyber activity and providing contextual alerts. These alerts help to quicken the investigation process in an effort to prioritize and eliminate threats before vulnerabilities are exploited, the pinnacle of cybersecurity maturity.

Threat hunting

Threat hunting in cyber security is a proactive method involving threat hunters who sleuth networks, endpoint devices, and systems for malicious activity and suspicious threat anomalies. Cyber threat hunting can help stop and prevent cyberattacks from causing irreversible damage to organizations.

Threat intelligence

Cyber threat intelligence is data that has been collected, processed, and analyzed to understand threat actor behavior and stop intrusions.

Transport Layer Security (TLS)

Transport Layer Security (TLS) is an encryption protocol that authenticates the communication of two computing applications. It also ensures that the channel is private and the data exchanged is uncorrupted and can only be viewed by authorized parties. TLS is the successor of Secure Sockets Layer (SSL).


Trojans are programs that claim to perform one function but actually do another, typically malicious. Trojans can take the form of attachments, downloads, and fake videos/programs and, once active on a system, may do a number of things, including stealing sensitive data or taking control of the device.


Ubiquitous computing (ubicomp)

Ubiquitous computing (ubicomp) is the technological trend of adding computational capability into everyday electronic devices by embedding a microprocessor. This allow them to communicate effectively and perform tasks that lessens the user’s need to interact with computers as computers. Examples of ubiquitous computing are laptops, tablets, smartphones, and wearable devices. Synonym(s): pervasive computing, everyware, ambient intelligence


Pronounced as oo-boon-too. It is a Linux distro that is based on the Debian architecture. It was designed for use on personal computers; however, it can be used on network servers as well. In fact, it is the most used OS in hosted environments, i.e., the cloud, and it’s also arguably the most famous distro.


Unicode is a global standard for character encoding. It provides a unique number to every character in existence, which comprises of scripts and symbols. As such, it simplifies the localization of software and supports multilingual text processing. The Unicode Consortium maintains, develops, and promotes the use of the Unicode standard. External link(s):

Universal serial bus (USB)

The USB is an industry standard establishing a common way for connections between devices and peripherals.


UNIX is a modular operating system developed in the 1970s, leading to widespread academic and commercial use over time.


Stands for Uniform Resource Locator and is a method to find resources located on the World Wide Web. A URL consists of (at least) a protocol (i.e. HTTP) and either a domain or an IP address. They can also include a path on the server to point to a particular file or site.

USB attack

Refers to an attack where threat actors use a USB drive to spread malware. In a targeted attack, infected USB drives are deliberately dropped in public locations, such as parking lots, to entice victims to picking it up and opening it using their computers.

USB boot

A USB boot is booting up a computer using an OS or recovery program located on a USB stick as opposed to the computer’s hard drive.



Often refers to closely related malware strains or types of malware that are in the same family. Usually, it is a version of an existing malware family with modifications.

Virtual machine

A software computer or application environment that runs on another computer or OS. User experience with virtual machines is the same as they would have on dedicated hardware.

Virtual private network (VPN)

A virtual private network is a virtual extension of a private network over the internet. It is often used to allow employees that are not in the physical office to connect to resources on the intranet as if they were in the office. But there are also commercial VPNs that can be used to anonymize your internet traffic.


A virus is malware attached to another program (such as a document) which can replicate and spread after an initial execution on a target system where human interaction is required. Many viruses are harmful and can destroy data, slow down system resources, and log keystrokes.


Short for voice phishing. It is a phishing tactic that uses voice, either via VoIP or phone, to steal information from call recipients.

Visual spoofing

Is a type of threat vector where the similarities of characters and letters from different languages are used (deliberately or accidentally) to confuse and/or trick users.


A software vulnerability is a bug or error found in a cybersecurity system and is a point of weakness which can be exploited by cybercriminals. These bad actors gain unauthorized access through network vulnerabilities and carry out cyberattacks. Learn more about vulnerability management and ThreatDown Vulnerability Assessment.


Watering hole attack

A watering hole attack is a targeted attack strategy in which attackers infect a website they know their intended victim(s) will visit, or lure them to a website of their own making. The attacker may single out intended targets, or infect anyone who visits the website unprotected. Watering hole attacks include a mix of social engineeringhacking, and drive-by infections.

Web application security

This deals with the security of websites, Web applications, and Web services. It aims to address and/or fulfill the four principles of security, which are confidentiality, integrity, availability, and nonrepudiation.

Web content filtering

Web content filtering is a kind of process or technology based on software or hardware that restricts access to specific content on the Internet. Organizations such as enterprises, libraries, colleges, and schools use web content filtering to prevent users from accessing potentially inappropriate material for various purposes, including protecting user sensibilities, boosting cybersecurity, enhancing regulatory compliance, and improving productivity. 

Website spoofing

Website spoofing happens when an attacker creates an imitation website designed to look like the real thing. Threat actors may use real company logos, design, and URLs similar to the target website to enhance the spoof and make it more convincing.


Also known as whale phishing. It’s a type of fraud or phishing scheme that targets high-profile end-users, usually C-level businessmen, politicians, and celebrities. Fraudsters behind whaling campaigns aim to trick targets into giving out their personal information and/or business credentials. Whaling is usually done through social engineering efforts.


In computing, it is a list of resources and destinations that we decided to trust. Application whitelisting is a method that allows only specific software and applications to run in order to maintain security. This is more restrictive than blacklisting processes, which has pros and cons. Whitelisting is more secure yet time-consuming to manage.


Pronounced “who is”. This is not an abbreviation; however, it stands for “Who is responsible for this domain name?” It’s an internet service used to look up information about domain names.


Worms are a type of malware similar to viruses, but they do not need to be attached to another program in order to spread.



Extended Detection and Response (XDR) is a cybersecurity approach that consolidates multiple security products into a cohesive system. Unlike traditional security solutions that operate in silos, XDR unifies and correlates data across various security layers that can include endpoint, network, server, email, and more, providing a holistic view of the threat landscape.



Zbot is a known family of Trojans capable of stealing user information, such as banking credentials, using man-in-the-browser (MiTB) keystroke logging and form grabbing. Synonym: Zeus/ZeuS


A zero-day vulnerability is an exploitable vulnerability in software that has not been disclosed yet. Zero days sarcastically stands for the time the software creator has then left to patch the vulnerability.


Zero-trust is a security model wherein no one inside or outside a network is trusted by default, thus requiring users to verify themselves when they want to use a network’s resource.


Is the description for systems that have been infected by a Trojan that added the system to a botnet. The term is used because the system is taken out of control of its owner, and now obeys the botherder like a zombie.