Quick Cybersecurity Glossary 

1. CTEM (Continuous Threat Exposure Management)

A continuous approach to managing threat exposure, combining asset discovery, vulnerability assessment, attack simulation, and cyber threat intelligence (CTI). It enables dynamic prioritisation of business risks, going beyond one-off audits.

2. Red Team

An offensive team responsible for simulating realistic cyberattacks — often in black-box mode — to assess an organisation’s resilience against advanced threats. Red Teams typically use TTPs inspired by real-world APTs (e.g. MITRE ATT&CK).

3. Blue Team

A defensive team focused on continuous monitoring, incident response, and threat detection. It leverages tools like SIEM, EDR, network logs, and threat hunting methods to contain and neutralise active compromises.

4. Purple Team

A collaborative model combining Red Team and Blue Team efforts. It aligns offensive TTPs with defensive capabilities through rapid feedback loops, with the goal of improving detection efficiency and SOC responsiveness.

5. CVE (Common Vulnerabilities and Exposures)

A unique identifier assigned to publicly documented software vulnerabilities. The CVE list is managed by MITRE, and each CVE is rated using the CVSS scoring system.

6. CVSS (Common Vulnerability Scoring System)

A numerical scoring system (0 to 10) used to assess the severity of a vulnerability. It considers factors such as exploitability, impact, complexity, and environmental context.

7. MITRE ATT&CK

A framework describing the tactics, techniques, and procedures (TTPs) used by attacker groups. It provides a common structure for describing attack campaigns and is widely used in threat hunting, red teaming, and tools such as XDR or SIEM.

8. SIEM (Security Information and Event Management)

A platform for centralising and correlating logs, used for incident detection and analysis. A core component of SOCs, it powers alerts, dashboards, and post-incident investigations.

9. SOAR (Security Orchestration, Automation and Response)

A tool that automates incident response. SOAR systems trigger playbooks (e.g. isolation, alerting, access shutdown) based on events correlated by the SIEM or CTI indicators.

10. XDR (Extended Detection and Response)

An evolution of EDR, XDR correlates security data from multiple sources (endpoints, network, email, cloud) to enable cross-domain threat detection and integrated response.

11. APT (Advanced Persistent Threat)

A highly structured threat group, often state-sponsored or backed by organised actors, operating over the long term with objectives such as espionage, sabotage, or intellectual property theft. APTs are known for their stealth and persistence.

12. OSINT (Open Source Intelligence)

The collection of publicly available information for intelligence or pre-attack reconnaissance purposes. OSINT includes domain names, metadata, social media content, leaked data, and more.

13. Initial Access Broker (IAB)

An actor specialised in the initial compromise of systems (e.g. via VPN, RDP, or phishing), who then resells this access to other cybercriminals (e.g. ransomware groups). A key player in the modern compromise chain.

14. Passive Reconnaissance

The early phase of an attack during which the attacker gathers information on the target without direct interaction — using WHOIS lookups, OSINT, leaked data, or DNS/TLS fingerprinting.

15. Command and Control (C2/C&C)

The infrastructure used by malware or APTs to control malicious payloads and exfiltrate data. C2 traffic is often hidden within legitimate protocols such as DNS, HTTPS, or even Slack.

16. Lateral Movement

A post-compromise technique allowing attackers to move from one system to another to reach critical resources. Often uses native tools such as PowerShell, RDP, or SMB.

17. Privilege Escalation

The act of gaining elevated privileges on a system (e.g. moving from a standard account to admin/root). A key step in exploitation chains to maintain or broaden access.

18. Data Exfiltration

The discreet extraction of sensitive data from an organisation’s environment. This can occur via HTTP, DNS tunnelling, Dropbox, GitHub, or encrypted protocols. Often the final step in an APT or ransomware campaign.

19. Breach and Attack Simulation (BAS)

An automated tool that simulates real-world attacks on production environments to validate the effectiveness of security controls (SIEM, EDR, WAF, etc.). Used as a complement to traditional penetration testing.

20. CTI (Cyber Threat Intelligence)

The analysis of data related to current or emerging threats (IoCs, TTPs, APT groups). CTI feeds detection systems (SIEM, XDR), informs preventive measures (hardening), and supports response (playbooks).

21. Vulnerability Management

An ongoing process aimed at identifying, assessing, prioritising, and remediating vulnerabilities within an information system. It relies on scanning tools, threat intelligence (CTI), and business risk analysis.

22. Vulnerability Scanner

An automated tool that analyses systems, applications, and networks to identify known vulnerabilities (CVE). Examples include Nessus, Qualys, and OpenVAS. Scans can be authenticated or unauthenticated.

23. Authenticated Scan

A vulnerability scan performed using valid credentials, allowing for deeper and more accurate analysis of the target system, particularly its internal configurations.

24. Unauthenticated Scan

An external scan performed without credentials, simulating the perspective of an attacker who has not yet breached the system. It provides a basic mapping of the exposed attack surface.

25. Exploit

A piece of code or method used to take advantage of a software or configuration vulnerability. Exploits can be public (known) or private (zero-day), and may be local or remote.

26. Zero-Day Vulnerability

A flaw unknown to the software vendor and the public at the time of its discovery. It represents a highly valuable weapon for attackers, as it is unpatched and undetectable by conventional means.

27. Common Weakness Enumeration (CWE)

A structured taxonomy of software weaknesses that often lead to vulnerabilities (e.g. CWE-79 for XSS, CWE-89 for SQL injection). Used to categorise recurring development flaws.

28. Remote Code Execution (RCE)

A critical vulnerability that allows attackers to execute arbitrary code remotely. It can lead to full system compromise. Notable examples include Log4Shell and ProxyShell.

29. Local Privilege Escalation (LPE)

A vulnerability that enables a local user (or one already present on the machine) to gain elevated privileges (admin/root). Commonly used during post-exploitation phases.

30. Misconfiguration

An insecure or incorrect configuration of a system, service, or application that creates a security risk. Examples include open ports, public S3 buckets, or disabled WAF protections.

31. Patch Management

The process of managing software updates to fix identified vulnerabilities. It includes monitoring, testing, deployment, and post-patch verification to ensure systems remain secure and stable.

32. Exploit Database (ExploitDB)

A public repository of known exploits, often associated with CVEs. Widely used by penetration testers, red teams, and CTI analysts to understand how vulnerabilities are weaponised.

33. Proof of Concept (PoC)

A code sample or method demonstrating that a vulnerability is exploitable. PoCs are often published alongside CVEs to validate the risk and guide remediation.

34. CVE Chaining

A technique that involves combining multiple vulnerabilities—sometimes minor on their own—to achieve a more critical objective. Example: access to an admin panel + LPE = full compromise.

35. Vulnerability Prioritisation

The process of ranking vulnerabilities based on their real-world risk to the organisation (not just their CVSS score). This may include factors such as internet exposure, business context, or presence of known exploits.

36. Attack Surface Management (ASM)

Continuous monitoring of an organisation’s exposed attack surface on the internet — including domain names, open ports, active services, and underlying technologies. Complements traditional vulnerability scanning.

37. NVD (National Vulnerability Database)

The official U.S. database of CVE vulnerabilities, enriched with metadata such as CVSS scores, CWE classifications, and links to patches. It powers many vulnerability management tools.

38. Vulnerability Disclosure Programme (VDP)

A structured process that enables researchers or ethical hackers to report vulnerabilities to an organisation. VDPs may be private or public, with or without a bug bounty.

39. Threat-Based Vulnerability Management

An approach that correlates detected vulnerabilities with active threats observed “in the wild”. It enables more targeted, risk-informed remediation based on real attacker activity.

40. Scanner as Code

The integration of vulnerability scanners directly into CI/CD pipelines (DevSecOps) to detect flaws as early as the development or deployment stage.

41. Penetration Test (Pentest)

A controlled simulation of a cyberattack aimed at identifying exploitable vulnerabilities in systems, networks, or applications. Pentests follow rigorous methodologies (e.g. OSSTMM, PTES, NIST SP 800-115) and typically result in actionable reports for IT and risk teams.

42. Pentest-as-a-Service (PtaaS)

A delivery model for penetration testing via a SaaS platform. PtaaS enables real-time visibility, direct collaboration with pentesters, frequent retesting, and integration with ticketing and DevSecOps tools. Examples: Cobalt, Bugcrowd, or tailored services like those offered by Safercy.

43. Black Box Testing

A pentesting methodology where the tester has no prior knowledge of the target system. The red team operates like an external attacker to simulate realistic threats.

44. White Box Testing

A methodology in which the tester has full access to the system (source code, configuration, credentials). It allows for exhaustive analysis and broader vulnerability coverage.

45. Grey Box Testing

A hybrid approach between black box and white box testing. The tester has partial knowledge or access (e.g. user credentials or partial documentation), simulating insider or limited-access attacker scenarios.

46. Rules of Engagement (RoE)

A contractual document that defines the scope, boundaries, schedules, and communication channels of a pentest. It provides legal and operational guidelines to prevent side effects and misunderstandings.

47. Exploitation Chain

A sequence of steps involving multiple vulnerabilities or misconfigurations used to reach a final objective — such as data exfiltration, persistence, or system takeover. Often uncovered in advanced pentesting.

48. VOC (Vulnerability Operations Center)

An operational centre dedicated to the continuous management of vulnerabilities. Unlike a SOC, it focuses on detection, qualification, prioritisation, and remediation of vulnerabilities from scans, CTI, or pentests. Often complements the SOC in large organisations.

49. SOC (Security Operations Center)

A security operations centre responsible for real-time detection, investigation, and response to security incidents. A SOC relies on tools like SIEM, SOAR, and specialised analysts. It serves as the backbone of an organisation’s operational defence.

50. Red Teaming vs. Pentest

A pentest is a technical, time-bound test focused on identifying specific vulnerabilities. Red teaming is a longer-term, strategic engagement simulating real-world adversaries (e.g. APTs) and aiming to bypass all layers of defence — human, physical, and technical.

51. Ransomware

A type of malicious software that encrypts a victim’s files and demands a ransom to restore access. Modern ransomware campaigns often use double extortion: encryption of data plus threats to publish it on the dark web.

52. Double Extortion

A tactic used by ransomware groups involving the theft of data prior to encryption. If the ransom is not paid, the stolen data is published on a leak site — increasing pressure on the victim and amplifying the visibility of the attack.

53. Data Breach

The unauthorised access to or disclosure of sensitive information (e.g. PII, credentials, customer databases, internal documents). A breach can result from ransomware, insider threats, or misconfigurations.

54. Leak Site

A website operated by ransomware groups (e.g. LockBit, AlphV) to publicly expose stolen data from victims who refuse to pay. These sites are typically hosted on the dark web (via Tor).

55. Dark Web Monitoring

The continuous surveillance of dark web forums, marketplaces, Telegram channels, and leak sites to detect data leaks, attack claims, or access sales. A core feature of SaferFind.

56. Initial Access Broker (IAB)

A cybercriminal or group specialised in the initial compromise of systems (via VPN, RDP, credentials) who resells access to ransomware groups or other threat actors. These accesses are often sold on dark web forums.

57. Data Leak Intelligence (DLI)

A subcategory of Cyber Threat Intelligence (CTI) focused on the collection, analysis, and correlation of data leaks observed on the dark web or underground channels. It helps identify exposures and the risk of reuse.

58. Ransomware-as-a-Service (RaaS)

A business model in which a group of developers provides ready-to-use ransomware kits to affiliates in exchange for a share of the ransom payments. Example groups: LockBit, BlackCat.

59. Incident Response (IR)

A structured set of technical and organisational procedures deployed after a security breach, including containment, investigation, remediation, and regulatory notification. Incident response follows an IR playbook and involves coordination between technical, legal, and communication teams.

60. TLP (Traffic Light Protocol)

A classification system used for sharing sensitive information between security teams. For instance, a CTI report marked TLP:AMBER indicates restricted sharing with specific stakeholders only.

61. Data Exfiltration

The process by which an attacker copies or extracts sensitive data from a compromised environment. It typically precedes extortion or resale on the dark web.

62. Telegram Threat Channels

Telegram channels used by malicious actors to sell access, leak data, or discuss intrusion techniques. These have partially replaced traditional dark web forums.

63. Compromised Credentials

Login/password combinations that have been stolen or publicly exposed, often due to a breach or malware. They are frequently resold in large database dumps.

64. Paste Site (e.g. Pastebin, Ghostbin)

Websites used to discreetly publish stolen data, attack instructions, or proof-of-concept code. They often serve as temporary drop points before leaks are publicised.

65. Exposure Timeline

A chronology outlining the public or covert exposure of compromised data. It helps trace the origin (e.g. first appearance on a forum, sale, publication on a leak site) and assess the threat level.

66. PKI (Public Key Infrastructure)

A system of technologies, policies, and services that enables the management of digital certificates and public/private key pairs. It relies on certificate authorities (CAs), X.509 certificates, and revocation mechanisms (CRL, OCSP).

67. SSL/TLS Certificate

An X.509 digital certificate used to secure communications between a client and server via HTTPS. It authenticates the server’s identity and enables the encryption of data using TLS (Transport Layer Security).

68. CSR (Certificate Signing Request)

A file generated when requesting a certificate, containing the public key and identity details. It is submitted to a CA for signing and precedes certificate issuance.

69. CA (Certificate Authority)

An organisation (internal or trusted third party) that issues, signs, and validates digital certificates. Examples include Let’s Encrypt, DigiCert, and ANSSI (in the context of RGS).

70. Root Certificate

A self-signed certificate at the top of the trust chain. It is pre-installed in operating systems and browsers. If compromised, it undermines the entire chain of trust.

71. Intermediate Certificate

A certificate signed by the root, used to sign end-entity certificates. It allows for delegated signing while protecting the root certificate.

72. Wildcard Certificate

A TLS certificate that secures all subdomains under a domain (e.g. *.safercy.com). It simplifies management but increases the exposure surface.

73. SAN Certificate (Subject Alternative Name)

A multi-domain certificate that secures several DNS names within a single certificate — useful for complex infrastructures.

74. EV Certificate (Extended Validation)

A highly validated SSL certificate. Requires thorough legal verification of the organisation and enables the company name to appear in the browser address bar.

75. eIDAS Certificate

A certificate compliant with the EU’s eIDAS regulation, providing a high level of security for electronic identification and qualified electronic signatures.

76. RGS Certificate (Référentiel Général de Sécurité)

A French government standard issued by ANSSI defining certificate requirements for public administrations and service providers. Certificates are classified by trust levels (e.g. RGS 1 star, 2 stars, etc.).

77. CRL (Certificate Revocation List)

A list of certificates that have been revoked before their expiry date. Regularly published by CAs to prevent the use of compromised certificates.

78. OCSP (Online Certificate Status Protocol)

A real-time protocol used to check whether a certificate is still valid. Often replaces CRLs in modern infrastructures.

79. Hashing

A cryptographic technique that produces a unique, fixed-length fingerprint from arbitrary data. Used to ensure integrity, verify passwords, or digitally sign files.

80. SHA-256

A secure hashing algorithm (Secure Hash Algorithm – 256 bits), used in TLS, digital signatures, and SSL certificates. A more robust successor to SHA-1.

81. SHA-1

An older hashing algorithm now deprecated due to its vulnerability to collisions. It is gradually being phased out in modern security infrastructures.

82. MD5

A fast but insecure hashing algorithm vulnerable to collisions. Still used in some internal applications, but strongly discouraged for any critical use.

83. RSA (Rivest–Shamir–Adleman)

The most widely used asymmetric (public-key) algorithm, based on a public/private key pair. It is used in TLS certificates, digital signatures, and key exchange.

84. ECC (Elliptic Curve Cryptography)

A lightweight and efficient alternative to RSA, offering equivalent security with smaller key sizes. Commonly used in embedded or mobile systems.

85. Digital Signature

A cryptographic mechanism that ensures the integrity, authenticity, and non-repudiation of a file or message. It uses the sender’s private key and can be verified using the corresponding public key.
