Glossary
Every key term, with the chapter that first defines it. Terms are listed alphabetically.
802.1X — An IEEE standard for port-based network access control that keeps a switch port (or wireless association) closed to general traffic until the connecting device authenticates, using the supplicant / authenticator / authentication-server model.
A
Access certification / access review — The periodic process (also called attestation) in which a manager or resource owner reviews who has access to what and explicitly confirms each grant is still appropriate or flags it for removal; a hard requirement of compliance regimes such as SOX, PCI-DSS, and GLBA, and the control that catches what lifecycle automation misses.
Access control list — An ordered set of permit/deny rules applied to traffic at an interface, evaluated top-to-bottom with the first matching rule taking effect, so that rule order is semantically significant.
Access control matrix — A conceptual model of permissions as a grid with subjects (or roles) on one axis and resources (or objects) on the other, each cell holding the operations that subject may perform on that resource; stored in practice as access control lists (per-resource) or capabilities (per-subject).
Access control model — The underlying scheme that governs how access decisions are made and who is allowed to grant access to what; the four classic models are discretionary (DAC), mandatory (MAC), role-based (RBAC), and attribute-based (ABAC) access control.
Accounting — The process of recording what entities actually do (logs, audit trails, records of access and activity); the third A of AAA and the foundation of detection and investigation. Also called auditing or accountability.
Adversarial machine learning — The study of attacks that deliberately manipulate machine-learning systems, and of the defenses against them; treats a model as a target an intelligent adversary studies and defeats, with the two principal attacks being data poisoning and model evasion (catalogued by MITRE ATLAS).
AES — The Advanced Encryption Standard, the standard symmetric block cipher (NIST FIPS 197), used with 128-, 192-, or 256-bit keys; the default choice for symmetric encryption.
AI-enabled attack — Any attack that uses artificial intelligence (typically generative models) to increase its scale, believability, or sophistication — machine-generated spear-phishing, deepfake voice and video used for fraud, and AI-assisted malware or reconnaissance; it rarely invents new attacks but makes existing ones cheaper and more convincing.
Air gap — The belief, or the design goal, that a network is safe because it has no connection to other networks. In practice air gaps are porous — defeated by removable media, vendor laptops, the supply chain, or forgotten connections (as the Stuxnet worm demonstrated) — so an air gap should be treated as a boundary to monitor and enforce, not a guarantee of isolation.
Alert fatigue — The desensitization and degraded performance that occur when analysts face a volume of alerts (especially false positives) too high to investigate meaningfully; a predictable systems failure and the most common reason a SOC misses a real attack it technically detected.
Analyst burnout (organizational) — The chronic exhaustion, cynicism, and reduced effectiveness that result when the volume, monotony, and stress of security operations outstrip a team's capacity and sustainability over time; an organizational-layer problem (fixed by staffing, automation, career ladders, sane on-call, and leadership) distinct from but causally linked to SIEM-level alert fatigue.
Annualized loss expectancy (ALE) — The expected yearly cost of a risk, computed as single loss expectancy times annualized rate of occurrence ($ALE = SLE \times ARO$); the per-year figure used to compare a risk against the annual cost of a control.
Annualized rate of occurrence (ARO) — The number of times a given risk event is expected to occur in a year (e.g., 2.0 = twice a year; 0.1 = once a decade); the frequency factor in annualized loss.
Anomaly detection — Detection that establishes a baseline of normal behavior and alerts on statistically significant deviations from it; able to catch novel attacks with no prior signature but characteristically noisy (high false-positive rate).
Anti-forensics — The set of techniques attackers use to hinder investigation by destroying, hiding, or falsifying evidence, including log clearing, timestomping (altering file timestamps), secure deletion of tools, encryption, and living-off-the-land use of built-in system tools.
API key — A static secret string that authenticates a caller to an application programming interface; a common, easily-leaked machine credential (e.g., an AWS access key beginning AKIA).
AppArmor — A Linux mandatory access control implementation (default on Ubuntu/SUSE) that confines each application with a path-based profile specifying the files it may read/write and the capabilities it may use, enforced by the kernel.
Application allowlisting — A control that permits only explicitly approved applications to execute and denies all others by default (the default-deny posture applied to program execution); strong against unknown malware but operationally demanding to maintain. Historically called "whitelisting."
APT (Advanced Persistent Threat) — A sophisticated, well-resourced adversary (often nation-state) that gains and maintains long-term, stealthy access to a target and pursues its objective with patience; advanced in technique, persistent in access, a genuine threat.
ARP spoofing — A Layer 2 attack in which an adversary on the local network sends forged Address Resolution Protocol messages associating their own MAC address with another host's IP (usually the gateway), so traffic is diverted to them; the unauthenticated nature of ARP makes it the engine of most local man-in-the-middle attacks. Also called ARP poisoning.
Artifact — A single concrete piece of audit evidence, such as a policy document, configuration export, screenshot, log sample, ticket, or signed access-review record.
Artifact signing — Cryptographically signing a build artifact (a binary, container image, or package) so its authenticity and integrity can be verified before it is deployed or run; it proves origin and that the artifact was unaltered after signing, but not that the artifact is safe.
Asset — Anything of value that an organization seeks to protect, such as data, systems, money, reputation, or the availability of a service.
Asymmetric encryption — Encryption using a mathematically linked key pair — a public key that may be shared freely and a private key kept secret — where data encrypted with one key can only be decrypted with the other; also called public-key cryptography.
Attack surface — The sum of all points, including the connections between systems, where an attacker could attempt to enter an environment or extract data.
Attack surface management — The continuous discovery and inventory of all the assets an organization exposes, especially internet-facing ones it may not know it owns; feeds the Discover stage of the lifecycle, because the assets nobody remembers are the ones that get breached.
Attack surface reduction — The practice of systematically eliminating exposed functionality — services, ports, accounts, interpreters, drivers, protocols — so that there is less for an attacker to reach, abuse, or hide behind; the organizing principle of hardening.
Attack vector — The path or means by which an attacker reaches and breaches a target, such as email, a malicious web page, removable media, a vulnerable exposed service, or a trusted supplier.
Attestation — An independent professional's report on their examination of an organization's controls — describing what was tested, any exceptions found, and an opinion — which the reader evaluates for themselves (e.g., a SOC 2 report); contrasted with certification.
Audit — A formal, independent examination of whether an organization's controls meet a defined set of requirements, conducted by an internal or external party and resulting in findings, a professional opinion, or a certification decision.
Authentication — The process of verifying that an entity is who or what it claims to be, before granting access; the first A of AAA, defended against impersonation.
Authentication factor — A category of evidence used to prove an identity, of which there are three: something you know (knowledge — passwords, PINs), something you have (possession — hardware keys, authenticator apps), and something you are (inherence — biometrics).
Authorization — The process of determining what an authenticated entity is permitted to do — which resources it may reach and which actions it may take; the second A of AAA, defended against privilege escalation.
Availability — The property that systems and data are accessible to authorized users when they need them; the leg of the CIA triad attacked by denial (ransomware, DoS) and protected by backups, redundancy, and recovery planning.
B
Baseline configuration — The documented, approved set of configuration settings for a given system type — an organization's specific adopted standard, usually derived from a benchmark and adjusted for its environment — against which systems are built and audited; deviation from it is "drift."
Bastion host — A hardened, exposed, and closely monitored system that serves as a controlled single point of entry into a protected network zone; used interchangeably with jump host, with "bastion" emphasizing the hardening.
Beaconing — The regular, automated check-in of compromised malware to its command-and-control server; its defining network signature is metronomic timing — the same destination at a near-constant interval, regardless of user activity — which survives encryption.
BEC (business email compromise) — A fraud in which an attacker impersonates a trusted party (executive, vendor, lawyer), usually by email, to induce an employee to transfer funds or sensitive data; it often involves no malware or malicious link, and account-takeover variants can pass SPF/DKIM/DMARC.
Behavioral detection — Detection that identifies adversary activity by its technique, pattern, or sequence of actions (a TTP) rather than by a static indicator, so it survives the adversary changing their malware, infrastructure, and indicators.
Benchmark — A reference value — a peer-group average, an industry standard, a regulatory threshold, or the organization's own prior period — used to give a metric meaning by comparison. "Our MTTD is 5 hours" is inert; "5 hours, against a peer median of ~8 and our own 40 a year ago" tells a story. Cross-industry benchmark figures are notoriously soft, so they must be sourced honestly and presented as directional.
Biometrics — Authentication using a measured physical or behavioral characteristic (fingerprint, face, iris, voice); bound to the person and convenient, but irrevocable, probabilistic (measured by false-accept and false-reject rates), and only as trustworthy as the device that measures it.
Blameless postmortem — A structured post-incident retrospective conducted under the explicit ground rule that the goal is to improve systems and processes, not to assign individual blame; it seeks systemic root causes and produces a short list of owned, deadlined, tracked action items that feed back into preparation.
Bluetooth — A short-range (typically up to ~10 m) wireless technology for connecting peripherals such as headsets, keyboards, and card readers; lower-risk than WiFi due to its range, but subject to patchable stack vulnerabilities (the BlueBorne class) that can compromise unpaired devices in range.
Board oversight — The board of directors' responsibility to direct and supervise the security program, set the organization's risk appetite, and hold management accountable for outcomes; the apex of governance, distinct from the management that executes within it.
Board presentation — The act of delivering a security program, roadmap, and business case to an organization's highest governance body (often the Audit or Risk Committee) and asking for a specific decision, structured to answer the four things a board cares about — exposure, competence, compliance, and the ask — in the board's own units rather than technical detail.
Break-glass account — A highly privileged account reserved for emergencies (when the PAM system, identity provider, or MFA is unavailable and access is still required), stored offline in a sealed and physically secured location, made long and random, alerting loudly on any use, and tested and rotated on a schedule; a deliberate, monitored exception, never a backdoor.
Budget justification (business case) — A structured argument that translates a set of roadmap initiatives into the financial and risk terms an executive uses to decide, typically in four parts: the cost of the status quo (as annualized risk), the investment and the risk it buys down, the compliance obligations, and the alternatives ending in a single specific ask.
Build vs buy (SOC) — The strategic choice of whether to staff and operate a SOC internally (build), outsource the capability to a service provider (buy, via MSSP or MDR), or combine the two; driven largely by the headcount math of 24/7 coverage, environmental complexity, the talent market, and risk appetite, and most often resolved as a hybrid/co-managed model ("buy the coverage, build the judgment").
BYOD (Bring Your Own Device) — The practice of permitting employees to access corporate systems and data from personal devices that the employee owns and controls, rather than ones the organization issues and fully manages; the cheapest model but the hardest to balance against employee privacy.
C
Capability — A threat actor's resources, skill, patience, and the sophistication of the techniques they can bring to bear; the second axis (with motivation) used to categorize and prioritize adversaries.
Capture the flag (CTF) — A security competition or practice exercise in which participants solve challenges (finding a hidden value, "the flag," by exploiting or analyzing a deliberately vulnerable target the organizers provide) to learn and prove skills; styles include jeopardy (independent challenges by category) and attack-defense. Because the organizers own or provide the targets and invite attack, a CTF is a legal, sanctioned place to practice offensive-flavored skills.
Career ladder — The progression of roles from entry-level practitioner upward — in the defensive/leadership track, roughly analyst → engineer → architect → manager → CISO — where each rung trades hands-on depth for breadth, scope, and the ability to lead people and influence the business; the skill that earns each promotion is not the skill the next rung requires.
Certificate authority (CA) — A trusted third party within a PKI that vouches for the binding between a public key and an identity by issuing a digitally signed certificate.
Certificate lifecycle — The full set of stages an X.509 certificate moves through — key generation, certificate signing request, validation, issuance, deployment, monitoring, renewal, revocation, and retirement — whose monitoring/renewal and revocation stages are where most real-world failures occur.
Certificate lifecycle management — The end-to-end operational process of enrolling, issuing, deploying, monitoring, renewing, and revoking digital certificates so that every certificate is valid, trusted, and replaced before it expires; the logistics discipline that prevents the expired-certificate outage.
Certificate pinning — The practice of an application constraining which certificate or public key it will accept for a given server, so that even a validly CA-signed certificate is rejected if it is not the expected one; defeats MITM via mis-issued certificates or a malicious root CA, at the cost of brittleness if keys rotate without updating the pins.
Certification — A pass/fail credential issued by an accredited certification body stating that an organization meets a standard (e.g., ISO/IEC 27001); contrasted with attestation.
Chain of custody — The documented, unbroken record of who collected each piece of evidence, when, from where, and everyone who has handled, accessed, transferred, or stored it since, establishing that the evidence presented is the same evidence collected and was not tampered with.
CI/CD pipeline — The automated path from a developer's commit to running software; continuous integration (CI) builds and tests every change, and continuous delivery/deployment (CD) moves a passing build toward or all the way into production.
Cipher suite — A named bundle of cryptographic algorithms that together implement a TLS connection: a key-exchange method, an authentication/certificate type, a bulk encryption cipher and mode, and a hash; TLS 1.3 suites name only the AEAD cipher and hash because the weak options were removed.
Ciphertext — The scrambled, unintelligible output produced by encrypting plaintext; reading it requires the appropriate key.
CIS Benchmark — A detailed, consensus-developed configuration standard for a specific platform (a particular OS version, database, browser, or cloud service) published by the Center for Internet Security, typically defining a Level 1 profile (security with minimal functional impact) and a Level 2 profile (stricter, for high-security environments).
Click rate — The proportion of recipients in a phishing campaign who clicked the link (or opened the attachment, or submitted credentials): clicked / received; the susceptibility metric.
Cloud IAM (identity and access management) — The cloud platform's own access-control plane, defining which principals (users, roles, service accounts) may take which actions on which resources under which conditions (e.g., AWS IAM, Azure RBAC/Entra ID, GCP IAM). Distinct from the enterprise identity program (identity governance), which is Chapter 18.
Cloud misconfiguration — A cloud resource left in an insecure state through a setting the customer controls (such as a public storage bucket or an over-broad IAM policy); the leading cause of cloud data-exposure breaches.
Cloud security posture management (CSPM) — The practice and tooling that continuously scans cloud accounts for misconfigurations and compliance violations by comparing actual configuration against a secure baseline; a detective control (e.g., AWS Security Hub, Azure Defender for Cloud, GCP Security Command Center).
Cloud workload protection (CWPP) — Tooling that secures running cloud workloads themselves — virtual machines, containers, and serverless functions — through vulnerability scanning, runtime threat detection, and malware detection, as opposed to scanning the account's configuration.
CloudTrail — The AWS service that records every API call made in an account (who, what, when, from which IP, with which credentials, and the result) into a tamper-evident log; the cloud equivalents are Azure Activity Log / Entra ID logs and GCP Cloud Audit Logs.
Collision — The event, which a secure hash function makes computationally infeasible, in which two different inputs produce the same digest; deliberate collisions break MD5 and SHA-1 and disqualify them for security use.
Compliance — The state of conforming to a set of rules — a law, a regulation, a contract, or a voluntarily adopted standard — and being able to demonstrate that conformance to an authority empowered to check; necessary but not sufficient for security (a floor, not a ceiling).
Concentration risk — The risk arising when an organization (or a whole sector) depends heavily on a single vendor, product, or provider, so that one failure or compromise has outsized, systemic impact; treated by diversification, resilience requirements, and exit plans rather than by a more thorough assessment.
Confidentiality — The property that information is disclosed only to those authorized to see it; the leg of the CIA triad attacked by disclosure and protected by encryption, access control, and authentication.
Container — A lightweight, isolated unit that packages an application together with its dependencies so it runs consistently across environments; introduced here as a cloud workload, with image scanning covered in Chapter 31.
Container image scanning — Inspecting a built container image's operating-system packages and language libraries against known-vulnerability databases and flagging known-vulnerable components; software composition analysis extended down into the container's OS layer.
Containment — Action taken to limit the scope and magnitude of an incident and stop its spread; split into short-term containment (fast, reversible measures such as isolating a host or disabling an account) and long-term containment (a durable holding pattern, such as standing up a clean replacement system, that keeps the business running while eradication and recovery are prepared).
content security policy (CSP) — An HTTP response header that tells the browser which sources of script, style, images, and other resources are allowed to load and execute for a page, so that even if an attacker injects markup, the browser refuses to run disallowed (e.g., inline) scripts; defense in depth against XSS, not a fix for it. The key directive for XSS is script-src 'self' with no 'unsafe-inline'.
Context-aware access — Access control that incorporates contextual signals — time of day, geographic location, network reputation, resource sensitivity, recent behavior, and computed risk — into the decision, allowing access to vary by circumstance rather than being a fixed yes/no per role (the basis of dynamic policy).
Continuing professional education (CPE) — Credits that most professional certifications require holders to earn and report over each renewal cycle (through training, conferences, publishing, or other qualifying activities) to keep the credential valid; the administrative requirement exists to instill the deeper habit of continuous learning that a perishable field demands.
Continuous vendor monitoring — The practice of keeping a vendor's risk picture current throughout the relationship (not only at onboarding) through periodic re-assessment, security-rating feeds, breach and news monitoring, attestation refreshes, and ongoing SBOM/vulnerability tracking.
Continuous verification — The zero-trust property that authentication and authorization are an ongoing cycle — posture and context are re-evaluated during a session and a session can be revoked mid-stream — rather than a one-time gate at the front door; trust, once established, has a short shelf life and is constantly re-earned.
Contractual security requirements — The binding security obligations written into a vendor agreement that convert "the vendor should" into "the vendor must" — clauses such as minimum controls, right to audit, breach notification, data handling/destruction, sub-processor flow-down, liability/insurance, SBOM/provenance, and right to terminate.
Control — Any measure (safeguard or countermeasure) that reduces risk by breaking the risk chain — removing a vulnerability, deterring or blocking a threat, limiting impact, or detecting an exploit.
Control coverage — The proportion of in-scope assets, accounts, or attacker techniques that a given control actually protects, expressed as a percentage with an explicit denominator (e.g., "EDR on 95% of 220 servers"). It turns the binary "we have a control" into a measurement that exposes the dangerous uncovered remainder; it is only as honest as the asset inventory that supplies its denominator.
Control mapping (crosswalk) — The practice of identifying which controls in one framework correspond to the controls in another, so that a single implemented control and a single piece of evidence can satisfy the requirements of multiple frameworks at once.
Control owner — The named individual or role accountable for ensuring a specific control is designed, operated, and remains effective; distinct from the person who performs the control day to day, because work delegates but accountability does not.
Control prioritization — The discipline of deciding which security initiatives to fund and build first, ranking by risk-reduction per cost rather than by raw risk score, and overriding that ranking only for hard dependencies or non-negotiable compliance obligations.
Control types — The classification of any security control along two independent axes at once: its function (preventive, detective, corrective, or compensating) and its nature (administrative, technical, or physical).
Correlation rule — A piece of logic that examines events — often from multiple sources and across a window of time — and fires an alert when a defined pattern occurs; the mechanism by which a SIEM detects attacks that are invisible in any single event.
Credential stuffing — An automated attack that replays username-and-password pairs stolen from one breach against many other services, exploiting password reuse; its signature is many distinct usernames each tried with one specific password, from many sources, with a low but nonzero success rate.
Credential vaulting — Storing privileged credentials in a secured, access-controlled, audited repository (a vault) rather than in people's heads, spreadsheets, or scripts, and brokering access to them so that a human need not know a privileged password in order to use it; this restores individual accountability to shared accounts.
Critical infrastructure — The assets, systems, and networks so vital that their incapacity or destruction would have a debilitating effect on national security, the economy, or public health and safety; in the United States, organized into sixteen sectors (energy, water and wastewater, chemical, transportation, healthcare, and more), most of which run on operational technology and are interdependent.
cross-site request forgery (CSRF) — An attack in which a malicious page causes a victim's browser to send an unwanted, state-changing request to a site where the victim is already authenticated, exploiting the fact that browsers automatically attach the victim's session cookie; the request is authenticated but not intended. Prevented by anti-CSRF tokens and SameSite cookies.
cross-site scripting (XSS) — A web vulnerability in which an attacker injects script into web content that is then executed by another user's browser in the context of the trusted site, running with the victim's session and permissions; the root cause is rendering untrusted data into a page where it is interpreted as HTML/JavaScript. Fixed primarily by context-aware output encoding, with a Content Security Policy as defense in depth.
Crypto-agility — The property of designing systems so their cryptographic algorithms can be swapped out with minimal disruption (ideally by configuration), rather than being hard-wired so deeply that changing them requires rebuilding the system; the foundation that makes a PQC migration — and every future cryptographic migration — routine rather than a crisis.
CVE (Common Vulnerabilities and Exposures) — A unique public identifier for a specific disclosed vulnerability (e.g., CVE-2021-44228), maintained so the whole industry can refer to the same flaw unambiguously; a name and catalog entry, not a severity or likelihood score.
CVSS (Common Vulnerability Scoring System) — The industry-standard method (maintained by FIRST) for rating a vulnerability's intrinsic severity on a 0.0–10.0 scale from its characteristics (exploitability and impact), banded Low/Medium/High/Critical. CVSS measures severity, not risk, and severity is not priority.
CWE (Common Weakness Enumeration) — A community catalog, maintained by MITRE, of specific software and hardware weakness types, each identified by a CWE number (for example, CWE-89 is SQL Injection); scanner findings cite a CWE, whereas the OWASP Top 10 groups many CWEs into a category.
Cyber kill chain — A model that decomposes an intrusion into an ordered sequence of stages (Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, Actions on Objectives); its key lesson is that the attacker must pass every stage while the defender need only break one link.
Cybercriminal — A financially motivated threat actor, ranging from lone operators to organized enterprises, who monetizes access through ransomware, data theft, fraud, and the sale of footholds; defined defensively by being economically rational.
Cybersecurity — The practice of protecting systems, networks, data, and the people who depend on them from digital attack, damage, and unauthorized access, by preserving confidentiality, integrity, and availability across people, process, and technology.
D
Dashboard — A visual, at-a-glance display of metrics and events built from SIEM queries that run continuously; operational dashboards serve the SOC ("what needs attention now?") and executive dashboards serve leadership (trends such as MTTD/MTTR, coverage, and false-positive rate).
DAST (Dynamic Application Security Testing) — A tool family that tests a running application from the outside by sending crafted requests and observing responses; findings are more likely to be genuinely exploitable, but it needs a deployed app, cannot point to source, and tends to produce false negatives.
Data at rest vs. data in transit — The two states of data that determine the threat and control: data at rest is in storage (threat: access to the medium; control: storage encryption with key management), while data in transit is moving across a network (threat: an attacker on the path; control: a secure transport such as TLS).
Data exfiltration (network) — The unauthorized transfer of data out of an organization across the network; its network signature is usually an outbound volume anomaly relative to a host's baseline, though it can be slowed ("low and slow") or hidden in covert channels such as DNS tunneling.
Data lake — A large, low-cost store that holds vast amounts of raw or lightly-processed data, including security logs, cheaply and for a long time in a flexible schema applied at read time (schema-on-read); strong on volume and retention but, by itself, does not correlate or alert in real time.
Data poisoning — An attack that manipulates a model's training data so the deployed model learns the wrong thing, striking before the model is used; flavors include availability poisoning (broad accuracy collapse) and backdoor/targeted poisoning (accurate except on inputs carrying a secret trigger). In security, it includes an attacker gradually contaminating an anomaly detector's baseline so their behavior is learned as normal.
Deauthentication attack — An attack that forges the unauthenticated "deauthenticate" management frame to disconnect wireless devices, used to cause denial of service but more dangerously to force reconnection (enabling four-way-handshake capture and evil-twin luring); defeated by 802.11w (Protected Management Frames).
Deepfake — AI-generated or AI-altered audio or video that convincingly depicts a real, specific person saying or doing something they never said or did; the most consequential form of synthetic media because it degrades the reliability of seeing or hearing as proof of identity.
Default credentials — The factory-set, publicly documented username and password a device ships with for initial setup (e.g., admin/admin, root/root); because they are published in manuals and compiled into attack tools, a reachable device with unchanged defaults is effectively already open. The single most-exploited IoT weakness.
Default-deny — A firewall/access-control posture that denies all traffic except what is explicitly permitted; least privilege applied to the network, and a fail-safe default (an un-anticipated flow is blocked, not allowed).
Defense in depth — The principle of layering multiple, independent controls so that the failure or bypass of any one of them does not result in a successful attack; each layer is designed as if the layer in front of it has already been breached.
Denial of service (DoS/DDoS) — An attack that makes a system or network unavailable to legitimate users (an attack on availability) rather than stealing or altering data; a distributed denial-of-service (DDoS) does so from many sources at once, in volumetric, protocol (e.g., SYN flood), or application-layer forms.
Dependency risk — The risk that a software component an application depends on — directly (chosen and listed) or transitively (pulled in by another dependency) — contains a vulnerability, is malicious, or is abandoned; transitive dependencies are the more dangerous because they are typically unreviewed and unmonitored.
Detection coverage — The systematic mapping of an organization's (ATT&CK-tagged) detections onto the MITRE ATT&CK matrix to reveal which adversary techniques can be detected and which are blind spots; a prioritization tool and data-source gap analysis, not a percentage score.
Detection engineering — The disciplined practice of designing, building, testing, and maintaining the automated detections (rules, signatures, analytics) that fire alerts without a human in the loop, managed with software-engineering rigor.
Detection-as-code — The practice of writing, storing, reviewing, testing, and deploying detection rules the way software is managed: as version-controlled text, peer-reviewed before going live, tested against sample data, and deployed through a pipeline (the open Sigma format is the common portable representation).
Device posture — The measured security state of a device making a request — patch level, disk-encryption status, presence and health of endpoint protection, management/enrollment status, configuration compliance, and absence of indicators of compromise — used as an input to the access decision and re-checked during a session.
Device segmentation — The practice of placing devices, especially unmanageable IoT and embedded devices, onto isolated network segments governed by strict default-deny rules that permit each device to reach only what it genuinely needs, so a compromised device cannot move laterally to the rest of the environment.
DevSecOps — The integration of security into every stage of the software development lifecycle and the DevOps toolchain, so that security is automated, continuous, and shared by developers and operators rather than performed by a separate team at the end.
Digital forensics (DFIR) — The methodical, repeatable, and defensible practice of identifying, preserving, acquiring, analyzing, and reporting on digital evidence, typically to reconstruct what happened during a security incident and to support decisions including legal ones; commonly bundled with incident response as DFIR.
Digital signature — A value created by transforming a message's hash with the signer's private key, verifiable with the corresponding public key; it provides integrity, authenticity, and — uniquely — non-repudiation, since only the private-key holder could have produced it.
Directory service — A specialized, hierarchically organized database that stores identities (users, groups, computers) and their attributes and serves as the authoritative source of truth that other systems query about who exists and what they are; examples include Active Directory and Entra ID, and LDAP is the protocol most directories speak.
Disk imaging — The acquisition of a bit-for-bit, sector-by-sector copy of an entire storage device, including deleted files, slack space, and unallocated areas, as opposed to copying individual files.
DKIM (DomainKeys Identified Mail) — An email-authentication standard in which the sending server attaches a cryptographic signature (over selected headers and the body) to each message, verifiable by a public key published in DNS at a selector subdomain; it proves the message originated from the domain and was not altered, and it survives forwarding.
DMARC (Domain-based Message Authentication, Reporting, and Conformance) — An email-authentication policy and reporting standard built on SPF and DKIM that adds alignment (the authenticated domain must match the visible From: domain), an enforcement policy (none/quarantine/reject), and aggregate reporting to the domain owner.
DMZ — Demilitarized zone: a network segment between the untrusted internet and the trusted internal network that hosts internet-facing systems (public web, mail gateway) so their compromise is isolated from internal systems by a second firewall.
DNS (Domain Name System) — A globally distributed, hierarchical database that translates human-readable domain names into IP addresses (and other records), underlying nearly every internet connection; classic DNS is unauthenticated and runs over UDP, which is the root of much of its abuse.
DNS exfiltration — The data-theft application of DNS tunneling: stealing data by encoding it, a little at a time, into the subdomain labels of DNS queries sent to an attacker-controlled authoritative server.
DNS poisoning — Also called cache poisoning; the insertion of a fraudulent record into a resolver's cache so that subsequent lookups return an attacker-chosen address, exploiting classic DNS's lack of answer authentication.
DNS sinkhole — A DNS server or resolver policy configured to return a controlled, safe address for domains deemed malicious, so that hosts attempting to reach them are redirected away from the attacker; it acts as both a preventive control (blocking the connection) and a detective control (identifying infected hosts by their queries).
DNS tunneling — The technique of encoding non-DNS data inside DNS queries and responses (typically in subdomain labels) to smuggle traffic through a network that permits DNS but blocks other outbound protocols, often used for command-and-control.
DNSSEC (DNS Security Extensions) — A set of extensions that add cryptographic signatures to DNS records, providing integrity and origin authentication (a chain of trust from the root via DS/DNSKEY/RRSIG records) so a resolver can verify an answer is genuine; it does not provide confidentiality.
DOM-based XSS — The form of cross-site scripting that occurs entirely in client-side JavaScript, when code reads attacker-controllable input (such as the URL fragment) and writes it unsafely into the page via a dangerous sink like innerHTML; the server may never see the payload, so server-side logs can be blind to it.
Double extortion — A ransomware tactic that, before encrypting a victim's data, first exfiltrates a copy of it and threatens to publish or sell it unless paid, so that even a victim with good backups still faces a confidentiality breach.
E
EAP (Extensible Authentication Protocol) — An extensible container framework that carries many possible authentication methods (passwords, certificates, tokens) between a device and an authentication server; the chosen EAP method (e.g., EAP-TLS, PEAP) determines the security of enterprise wireless.
East-west vs north-south traffic — North-south traffic crosses the boundary between a network and the outside world (in/out to the internet); east-west traffic moves laterally between systems inside the network. A perimeter firewall sees only north-south traffic, while attackers spread through east-west lateral movement — the reason segmentation matters.
Elliptic-curve cryptography (ECC) — A family of asymmetric algorithms based on the elliptic-curve discrete-logarithm problem, achieving security comparable to RSA with much smaller keys (a 256-bit ECC key ≈ a 3072-bit RSA key).
Embedded device — A special-purpose computer built into a larger product, running fixed-function software on constrained hardware and designed to do one job rather than to be a general-purpose computer that is administered.
Endpoint detection and response (EDR) — A host security platform that continuously records behavioral telemetry (process creation and lineage, command lines, file/registry changes, network connections, module loads), detects attacker techniques rather than only known files, raises alerts for investigation, and provides response actions such as isolating a host or killing a process.
EPSS (Exploit Prediction Scoring System) — A data-driven model (maintained by FIRST) that estimates the probability, from 0 to 1, that a given vulnerability will be exploited in the wild within the next 30 days; the predicted-likelihood signal that complements CVSS's severity.
Eradication — The removal of the attacker, their access, their tools, and their persistence mechanisms from the environment, together with closing the initial access vector, so that recovery does not simply restore the breach; only as effective as the scoping that preceded it.
Evidence — The records that demonstrate a control exists and operates; the currency of an audit, since an auditor credits what can be shown, not what is asserted.
Evil twin — A rogue access point that impersonates a legitimate network by advertising the same SSID (often with a stronger signal) to lure devices into connecting to the attacker, enabling traffic interception or credential harvesting.
Exception (risk acceptance) — A formal, documented, time-bound, and approved decision to deviate from a patch SLA for a specific finding, requiring a real justification, a compensating control, an accountable owner, an expiry date with mandatory re-review, and risk-proportional approval; the necessary escape valve whose abuse (the permanent "temporary" exception) is where vulnerability-management programs most often fail.
Explainability — The degree to which a machine-learning model's individual decisions can be understood and justified by a human; genuinely hard for complex models, and decisive in security because an alert a human cannot understand is an alert a human cannot defend in an incident review or to a regulator (a key reason to prefer transparent detectors like a z-score).
Exploit — The specific technique, code, or sequence of actions that turns a vulnerability into actual harm; also used as a verb (an actor exploits a vulnerability).
F
Fail-safe default — The principle that, when a system fails or no explicit permission exists, it should default to the secure state (denied, locked, closed) rather than the permissive state; the basis of default-deny. Also called fail-secure; contrasted with fail-open.
False negative — A real attack that a detection failed to catch — a malicious event that occurred and produced no alert; invisible by definition (it leaves no record to count), and the dangerous counterpart to the false positive.
False positive — An alert that fires when there is no actual malicious activity; the detection asserted an attack and there was none. (Contrast with a false negative: a real attack that produces no alert.)
False-positive tradeoff — The inescapable tension between catching more real attacks (fewer false negatives) and raising fewer false alarms (fewer false positives), governed by where a detector's threshold is set; because attacks are rare (the base rate), even a highly accurate detector can produce a queue that is overwhelmingly false positives, so precision and alert volume — not accuracy — are the metrics that matter.
Federation — Single sign-on that crosses organizational boundaries: a pre-established trust relationship that lets one organization's users authenticate to another organization's applications without the second organization managing those users' credentials.
FIDO2 — The umbrella set of standards (from the FIDO Alliance and W3C) for passwordless, phishing-resistant authentication using public-key cryptography, comprising the WebAuthn browser API and the CTAP client-to-authenticator protocol.
Firewall — A device or software that enforces an access-control policy on network traffic, allowing or blocking it based on rules at a boundary between networks.
Firmware — The low-level, persistent code stored on an embedded device (in flash or ROM) that controls its hardware and provides its functionality; it is updated rarely, awkwardly, or never after the product ships.
Forensic artifact — Data left behind by normal system or application activity that records evidence of what users and programs did (e.g., Windows registry, the $MFT, event logs, Prefetch; Linux auth.log, shell history, filesystem timestamps), even though it was not created for investigators.
Forward secrecy — The property (from an ephemeral key exchange such as ECDHE/DHE) that compromising a server's long-term private key in the future cannot decrypt past sessions an attacker recorded; the defense against harvest-now-decrypt-later.
Fourth-party risk — The risk introduced by your vendors' vendors (the subcontractors, sub-processors, and dependencies your direct third parties rely on), with which you have no contract and often little visibility or leverage.
Full packet capture vs flow — The central architectural tradeoff of network visibility: full packet capture keeps every byte about some traffic for a short time (huge storage), while flow keeps almost nothing per record about all traffic for a long time (tiny storage). Mature programs use both deliberately.
Full-disk encryption (FDE) — Encryption of an entire storage volume (e.g., BitLocker on Windows, LUKS on Linux) so that a powered-off device's disk is ciphertext and unreadable without the key; a device-loss control that does not protect a running, logged-in system.
G
Gap assessment — A structured, self-run comparison of an organization's current controls against a target framework's requirements, producing a list of shortfalls (gaps) to remediate before a formal external audit, thereby converting would-be findings into self-owned to-dos.
GDPR (General Data Protection Regulation) — An EU law governing the processing of the personal data of people in the EU, granting data subjects rights and imposing obligations (lawful basis, data minimization, appropriate security measures, and breach notification generally within 72 hours) on any organization worldwide that processes such data.
Governance framework — A structured, published catalog of the functions, categories, and controls a security program should contain, used as scaffolding to organize a program and as a checklist to ensure nothing important was forgotten (e.g., NIST CSF 2.0, ISO/IEC 27001 used as governance structure).
Group Policy — The Windows mechanism for centrally defining and enforcing configuration settings (in Group Policy Objects) across all machines in an Active Directory domain, applied automatically and re-applied on a schedule so that drift is corrected.
Guardrail — A preventive control that makes an insecure cloud configuration structurally impossible or automatically rejected (e.g., S3 Block Public Access, a service control policy denying 0.0.0.0/0 on sensitive ports), as opposed to a gate, which halts a deployment for human review.
Guardrails vs gates — The distinction between a guardrail, a constraint built into the environment that makes an unsafe action structurally impossible or automatically corrected without per-case inspection, and a gate, a checkpoint that inspects an artifact or change and decides to pass, warn, or block; the mature pattern is to prefer guardrails and use gates only where judgment of the specific artifact is genuinely required.
Guideline — A recommended, non-mandatory practice or piece of advice that helps people comply with policies and standards but is not itself binding ("should" or "consider," not "must"); the only non-mandatory tier of the document hierarchy.
H
Hacktivist — A threat actor motivated by a political or social cause, pursuing disruption, exposure, defacement, or embarrassment rather than profit; target selection is driven by belief and events, not asset value.
Hardening — The deliberate process of configuring a system to reduce its attack surface and increase the cost of compromise: removing unneeded software, disabling unneeded services and features, tightening permissions and accounts, enabling security controls, and reducing the system to the least functionality its role requires.
Harvest-now-decrypt-later — The threat model in which an adversary captures and stores encrypted data today, while it is protected by quantum-breakable algorithms, and waits to decrypt it retroactively once a sufficiently large quantum computer exists; it makes the quantum threat a present-day concern for any data that must remain confidential for many years.
Hash function — A one-way function that maps input of any size to a fixed-size digest, with the properties of being deterministic, preimage-resistant (one-way), and collision-resistant; uses no key and provides integrity, not confidentiality.
HIPAA (Health Insurance Portability and Accountability Act) — A U.S. federal law whose Security Rule mandates administrative, physical, and technical safeguards for electronic protected health information (PHI), with some specifications "required" and others "addressable" (implement or document a justified alternative).
HMAC — A Hash-based Message Authentication Code (NIST FIPS 198-1) that mixes a shared secret key into a hash to provide integrity and authenticity; it cannot provide non-repudiation because both parties hold the same key.
HMI — Human-machine interface: the graphical screen and the computer behind it that an operator uses to see the state of a process and issue commands. Usually a Windows or Linux host, often old and unpatched, and frequently the most IT-like and attacker-friendly system in an OT environment.
Home lab — A personal, isolated environment (virtual machines on one's own computer, free-tier cloud accounts, or inexpensive hardware) where a learner practices security techniques on systems they own, building real, demonstrable skill without touching anyone else's property; it is the highest-leverage way to break the "experience paradox."
Host-based firewall — A firewall running on an individual machine that controls network traffic to and from that host, complementing network firewalls by enforcing per-host allow/deny rules even for traffic inside a network zone.
HSM (Hardware Security Module) — A dedicated, tamper-resistant hardware device that generates, stores, and uses cryptographic keys such that the private key never leaves the device in plaintext; used to guard the highest-value keys (an internal CA, payment, and tokenization master keys).
HSTS (HTTP Strict Transport Security) — A web security policy, delivered via the Strict-Transport-Security response header, that instructs a browser to interact with a site only over HTTPS for a set duration and to refuse plain HTTP, preventing protocol-downgrade and SSL-stripping attacks; the preload directive extends the protection to the first visit.
HTTP security headers — Directives a web server sends in its HTTP responses that instruct the browser to enable protective behaviors (e.g., Content-Security-Policy, X-Content-Type-Options, X-Frame-Options, Referrer-Policy), shutting down classes of web attack.
Human firewall — A trained, engaged, and fast-reporting workforce that catches threats automation misses, functioning as a context-aware distributed sensor grid; the human element reframed from the weakest link into the strongest asset.
Hypothesis-driven hunting — Threat hunting structured around a specific, testable hypothesis about adversary behavior ("if an adversary were doing technique X, we would expect to see observable Y in data source Z"), making the hunt rigorous, repeatable, and bounded.
I
IaaS (Infrastructure as a Service) — A cloud model in which the provider supplies virtual machines, networks, and storage, and the customer is responsible for everything from the operating system upward (e.g., AWS EC2, Azure VM, GCP Compute Engine).
Identity and access management (IAM) program — The organization-wide capability (also called identity governance and administration, IGA) for managing the full lifecycle of identities and their access, and for proving that the right people have the right access to the right resources for the right reasons; it combines administration (the lifecycle), authentication, and governance. Distinct from cloud IAM (Ch.15), which is a single technical access-control mechanism inside one platform.
Identity lifecycle (joiner-mover-leaver, JML) — The framework for managing an identity across its lifetime: provisioning birthright access on joining, reconciling access (granting new, revoking old) on moving roles, and fully deprovisioning on leaving; the leaver transition is the most security-critical and most commonly botched.
Impact — The magnitude of harm that results if a risk is realized, measured in money, regulatory penalty, downtime, safety, or reputation; the second factor in a risk score.
Implicit trust zone — A region of a system in which an entity, once it has gained entry, is granted broad access without further per-request verification because it is presumed trustworthy by virtue of being there; the flat corporate LAN and the network a VPN deposits a user onto are classic examples, and the natural habitat of lateral movement.
Incident commander (IC) — The single person with the authority to make and own decisions during an incident, coordinate the response, and serve as its point of contact, regardless of day-to-day rank; the IC's role is coordination and decision-making rather than hands-on investigation, anchoring a clear chain of command.
Incident response (IR) — The discipline of preparing for, detecting, analyzing, containing, eradicating, recovering from, and learning from security incidents; a security capability in its own right, judged by how fast and cleanly an organization responds rather than by whether it is ever breached.
Indicator of compromise (IoC) — An observable artifact that suggests a system may be compromised (a malicious file hash, a known-bad IP or domain, a suspicious registry key, an unusual log string); the raw evidence of an intrusion.
Indicator scoping — The process of taking confirmed indicators (a file hash, attacker IP, compromised account, registry key) and searching for them across the entire environment to determine the full extent of a compromise — every host, account, and channel involved.
Industrial control system (ICS) — The general category of control systems and instrumentation used to operate industrial processes; the umbrella term whose species include SCADA systems, distributed control systems (DCS), and the controllers (PLCs, RTUs) inside them.
Infrastructure as code (IaC) scanning — Static analysis of machine-readable infrastructure definitions (Terraform, CloudFormation, Kubernetes manifests) against security policy, performed before the infrastructure is created; effectively SAST for infrastructure.
Inherent risk — The level of risk that exists in the absence of any controls — the raw exposure if nothing were done; paired with residual risk to show how far a treatment moved a risk.
Initial access broker — A criminal specialist who breaks into organizations and then sells that access (valid credentials, an exposed remote service, a compromised account) to other attackers — such as ransomware affiliates — rather than exploiting it themselves; an expression of the specialization that makes the cybercrime ecosystem efficient and resilient.
Initialization vector (IV) — A value (related to a nonce) combined with the key in a mode of operation so that identical plaintext does not produce identical ciphertext; for modes like CBC it must be unpredictable, and reusing it undermines confidentiality.
Input validation — The practice of checking that incoming data conforms to what the application expects — ideally by positive validation (allowlisting the allowed shape and rejecting everything else), performed server-side and parsed to the expected type and range — before the application acts on it.
Insider — A person with legitimate access (employee, contractor, or partner) who causes harm, whether maliciously or — more commonly — accidentally; begins inside the perimeter with credentials and knowledge an outsider must fight to obtain.
Insider threat — The risk that a person with legitimate, authorized access (employee, contractor, or partner) causes harm, whether maliciously (theft, sabotage, fraud) or accidentally (an honest mistake); awareness directly reduces the accidental form, while the malicious form also requires access controls, monitoring, and HR processes.
Instance metadata service — A special internal endpoint (reachable from a cloud VM at the link-local address 169.254.169.254) that returns information about the instance, including the temporary IAM credentials of its attached role; a target of server-side request forgery attacks unless hardened (e.g., AWS IMDSv2).
Integrity — The property that information and systems are accurate, complete, and unaltered except by authorized parties, and that unauthorized alteration can be detected; the leg of the CIA triad attacked by tampering and protected by hashing, digital signatures, and change control.
Intrusion detection system — A system that monitors network traffic or host activity for signs of malicious behavior and generates an alert when it finds them; typically deployed out of band on a copy of the traffic, with no authority to block.
Intrusion prevention system — An intrusion-detection capability placed in-line in the traffic path so that it can drop malicious packets in real time, at the cost of being a potential point of failure and a source of disruptive false positives.
IoT (Internet of Things) — The vast, heterogeneous population of everyday physical objects embedded with computing and network connectivity — cameras, sensors, thermostats, locks, appliances, medical devices, industrial controllers, and the like.
IPsec (Internet Protocol Security) — A suite of protocols that secures traffic at the network layer (Layer 3) by encrypting and authenticating IP packets, using IKE to negotiate keys; the standard for site-to-site VPNs, running in tunnel or transport mode.
ISO/IEC 27001 — An international standard specifying the requirements for an Information Security Management System (ISMS) — a documented, risk-driven system for selecting, operating, and improving controls — against which an organization can be formally certified by an accredited body.
J
Jailbreak / root — The act of escalating to full administrative control of a mobile device by removing the manufacturer- and carrier-imposed restrictions built into the operating system (jailbreaking on iOS, rooting on Android); it dismantles the device's security model, including the app sandbox.
Jump host — A hardened, heavily monitored intermediary system that administrators must connect to first, and from which they then reach sensitive internal systems, so that no direct path exists from a general workstation into a protected zone; also called a bastion host.
Just-in-time (JIT) access — Granting privileged rights only for the limited time they are actually needed and removing them automatically afterward, so that by default no one holds standing privileged access; users are made eligible for a privileged role rather than permanent members, and activation is time-bounded, often behind an approval workflow.
Just-in-time training — The delivery of a small, targeted piece of security guidance at the exact moment a person is making a relevant decision or has just made a risky one (e.g., the teachable-moment page shown immediately after clicking a simulated phish), rather than in advance and in bulk.
K
KEV (Known Exploited Vulnerabilities) — A catalog, published and continuously updated by CISA, of vulnerabilities for which there is reliable evidence of active exploitation in the wild; a statement of fact (not a prediction) that a flaw is being used in real attacks now, and the strongest single likelihood signal for prioritization.
Key — A secret value (a string of bits) that parameterizes a cryptographic algorithm; in modern cryptography the security lives in the secrecy of the key, not of the algorithm (Kerckhoffs's principle).
Key entropy — A measure, in bits, of the unpredictability (randomness) of a key or secret; roughly the secret's length times the base-2 logarithm of its character-set size, with about 128 bits the modern floor for keys and high-value secrets.
Key management — The discipline of generating, distributing, storing, rotating, and destroying cryptographic keys throughout their lifecycle; the part of applied cryptography that most often fails, since a strong cipher with a poorly protected key protects nothing.
Key performance indicator (KPI) — A metric that measures how well a process is performing against its objective, looking at outputs and efficiency (e.g., mean time to patch a critical vulnerability). A KPI tells you how well you are doing the work, where a KRI tells you how much danger you are in; the two overlap and the boundary is not sharp.
Key risk indicator (KRI) — A metric that measures the level of risk an organization is currently carrying, typically functioning as an early-warning signal that risk is rising before it turns into a loss (e.g., the number of internet-facing systems with a known-exploited vulnerability unpatched past SLA). Boards care most about KRIs because they answer "are we exposed?"
L
Least privilege — The principle that every user, process, and system should have exactly the access required to perform its function and no more, so that compromising an identity grants an attacker the minimum possible reach.
Least-privilege session — A session granted only the minimum access needed for a specific task, time-bound and scoped to a single resource, with access to one resource not propagating to others; the principle of least privilege applied to an individual, evaluated session rather than a standing role.
Likelihood — How probable it is that a given threat successfully exploits a given vulnerability in a defined period; one of the two factors in a risk score.
Living-off-the-land — An attacker technique that abuses the legitimate tools already present on a system — such as PowerShell, Windows Management Instrumentation, and built-in administrative utilities (sometimes called LOLBins, living-off-the-land binaries) — so that malicious activity hides inside normal administrative behavior and leaves no distinctive malware for signature-based detection to flag.
LLM security (prompt injection) — The security of large-language-model applications, whose headline risk is prompt injection: an attack that smuggles adversarial instructions into the text an LLM processes so the model treats attacker-supplied content as a trusted command. Indirect prompt injection rides in on data the model fetches (a log line, email body, or web page); the community reference is the OWASP Top 10 for LLM Applications.
Local Administrator Password Solution (LAPS) — A Microsoft feature that sets a unique, random, automatically rotated password for the local Administrator account on each Windows machine and stores it securely with restricted retrieval, eliminating the shared-local-credential path used for lateral movement.
Log retention — The policy and practice of how long logs are kept, driven both by detection, hunting, and forensic needs and by compliance obligations (such as PCI-DSS and GLBA) that mandate minimum retention periods.
Log source — Any system or application that produces timestamped event records, such as a domain controller, endpoint agent, firewall, DNS resolver, cloud platform, identity provider, or custom application; the inputs a SIEM collects.
M
Machine identity — The identity a non-human entity (a server, script, application, container, function, device, or CI job) uses to authenticate to another system; the non-human counterpart to a human identity.
Man-in-the-middle (MITM) — An attack in which the adversary secretly positions themselves between two communicating parties, relaying and possibly altering the traffic while each party believes it is talking directly to the other; defeated by validated encryption (it can then only relay ciphertext and metadata) combined with Layer 2 controls.
Mandatory access control (MAC) — An access-control model in which a system-wide policy set by the administrator, and not overridable by file owners or even by root, constrains what each process may do regardless of the user it runs as (e.g., SELinux, AppArmor); contrast with discretionary access control.
MDR (Managed Detection and Response) — A managed-service model in which the provider brings its own detection technology and analysts, hunts proactively, and takes response actions on the client's behalf (e.g., isolating a host, disabling an account) rather than merely alerting; outcome-focused, but it grants a third party authority to act in the client's environment.
Mean time to detect (MTTD) — The average elapsed time from the moment an incident begins (the attacker's true first action, usually reconstructed via forensics) to the moment defenders detect it; the central measure of detection capability. Long MTTD means long attacker dwell time. Anchoring "begin" to the first alert rather than the first action systematically understates it.
Mean time to respond (MTTR) — The average elapsed time from detection of an incident to its resolution (most often defined as containment); the central measure of response capability. The "R" must be defined precisely (respond/resolve/recover/remediate differ) and held stable, and the metric is gameable by premature ticket closure, so it is paired with a reopen rate.
Memory imaging — The capture of the contents of a system's RAM (running processes, network connections, open files, injected code, in-memory secrets), which is destroyed by reboot or power-off and must therefore be collected before less-volatile sources.
Microsegmentation — The practice of dividing a network into very fine-grained segments — potentially down to the individual workload or host — and enforcing access policy between them, so that even systems on the same network must be explicitly permitted to communicate; it strangles east-west lateral movement.
MITRE ATT&CK — A free, continuously updated knowledge base, curated by MITRE, that catalogs real-world adversary behavior as a hierarchy of tactics, techniques, and procedures; the security field's shared language for describing attacks.
Mobile app sandboxing — The operating-system-enforced isolation that confines each mobile app to its own restricted environment — its own private storage and memory and a permission-gated, mediated path to anything outside it — so one app cannot read another app's data or reach the system except through interfaces the OS brokers.
Mobile device management (MDM) / Unified Endpoint Management (UEM) — A system for centrally enrolling, configuring, securing, and monitoring an organization's mobile devices — pushing security policy, deploying and restricting apps, enforcing encryption and passcodes, and remotely locking or wiping a lost or non-compliant device. UEM is the broader form that manages all endpoint types (mobile, laptops, desktops, and increasingly IoT) under one console.
Model evasion — An attack that crafts an input at inference time (after training and deployment) to be misclassified, typically to make a malicious input score as benign — e.g., a packed malware variant that scores "clean," or a phishing message tweaked to slip a filter; especially dangerous when the attacker can freely query the model to find its decision boundary.
Motivation — The underlying objective that drives a threat actor to act (money, espionage, ideology, or ego); the single most predictive thing a defender can know, because the goal shapes the behavior.
MSSP (Managed Security Service Provider) — A vendor that monitors an organization's environment and typically manages its security tools, forwarding alerts for the organization to investigate and act on; criticized for "alert shipping" — outsourcing the watching but not the working — and for lacking deep environmental context.
Multi-factor authentication (MFA) — The practice of requiring proof from two or more different authentication-factor categories, so that compromising one category does not compromise the login; its security derives from the independence of the categories, not from using one category twice.
Mutual TLS (mTLS) — A TLS configuration in which both the client and the server present and verify certificates, so each party cryptographically proves its identity; the workhorse of machine-to-machine authentication for service-to-service calls, APIs, and devices.
N
NAT — Network address translation: the technique by which a router rewrites the IP addresses in packets crossing it, typically mapping many private (RFC 1918) internal addresses to one public address; it conserves IPv4 addresses and hides internal hosts, but is not a security control.
Nation-state — A government-sponsored threat actor that attacks in the service of a state's interests (espionage, strategic advantage, or sabotage); the best-resourced and most patient class of adversary.
NetFlow/IPFIX — Protocols for emitting flow records: compact summaries of each network conversation (source/destination IP and port, protocol, time, and byte/packet counts, with no payload). NetFlow is Cisco's original; IPFIX is the vendor-neutral standard (with sFlow and J-Flow as relatives). Often generated natively by routers and switches.
Network access control — A set of technologies and policies that authenticate and authorize devices before granting them network access, optionally assessing device posture and assigning an appropriate network segment; unverified devices can be denied or quarantined.
Network baseline — A model of what normal traffic looks like for an environment (which hosts talk to which, on what ports, in what volumes, at what times); the reference against which nearly every network anomaly is judged. Best built per host and per destination, and never during a compromised window.
Network detection and response (NDR) — The operational discipline of continuously monitoring network telemetry (packets, connection logs, and flow) to detect, investigate, and respond to threats; the network-focused counterpart to endpoint detection and response.
Network segmentation — The practice of dividing a network into separate trust zones with controlled, monitored, default-denied communication between them, so that compromising one zone does not grant access to the others; the network-layer implementation of "assume breach."
Next-generation firewall — A stateful firewall that additionally inspects application-layer content, ties flows to user identity, and integrates threat intelligence and intrusion prevention; it may bundle web-application-firewall capability.
NFC (Near Field Communication) — A very-short-range (a few centimeters) wireless technology behind contactless payments, transit cards, and access badges; its range narrows the threat sharply, though legacy access badges can be cloned from brief proximity.
NIST 800-63 (AAL) — NIST's Digital Identity Guidelines (Special Publication 800-63, with authentication in 800-63B), which define the Authenticator Assurance Levels — AAL1 (single factor), AAL2 (MFA), and AAL3 (phishing-resistant, hardware-based MFA, required for the highest-value access) — used to match authentication strength to the value of what is protected.
NIST CSF (Cybersecurity Framework) — A voluntary, self-assessed framework from the U.S. National Institute of Standards and Technology that organizes security outcomes into high-level Functions (in CSF 2.0: Govern, Identify, Protect, Detect, Respond, Recover); a common language for structuring and communicating a security program rather than a certifiable standard.
NIST SP 800-207 — Zero Trust Architecture, the canonical, vendor-neutral standard (NIST, 2020) that defines zero trust through seven tenets and a logical architecture (policy engine, policy administrator, policy enforcement point); the reference document the field treats as authoritative.
NIST SP 800-61 lifecycle — The canonical U.S. model for incident handling, organized as a continuous loop of phases — Preparation; Detection & Analysis; Containment, Eradication & Recovery; and Post-Incident Activity — in which detection and containment iterate as scope is learned and lessons feed back into preparation.
Non-repudiation — The property that an actor cannot credibly deny having performed an action, because strong, attributable evidence (such as a digital signature or a uniquely held second factor) ties the action to them; more than logging, and destroyed by shared accounts.
Nonce — A "number used once": a value combined with a key so that encrypting the same plaintext twice yields different ciphertext; it need not be secret but must never be reused with the same key in counter-based modes.
Normalization — The process of transforming raw log events from many sources into a single common structure (shared schema) so that the same concept always carries the same field name and format, making cross-source queries and rules possible.
Nudge — A small change to the environment or the way a choice is presented that steers people toward a safer decision without forbidding any option or changing their incentives (e.g., an external-sender email banner); a behavioral-economics concept that works with the fast, automatic decision system.
O
OAuth 2.0 — An authorization framework for delegated authorization: it lets a user grant an application scoped, revocable access to their resources on another service via an access token, without sharing the user's password. It governs what an app may do, not who the user is.
On-call and escalation — The defined rotation of who is responsible for responding to alerts outside business hours, together with the explicit chain of whom to escalate to (Tier 1 → Tier 2 → SOC manager → IR lead → CISO) when an incident exceeds the on-call analyst's authority or expertise; a healthy rotation spreads the burden across enough people (rule of thumb ≥4–6), gates pages by severity, and compensates the burden.
OpenID Connect (OIDC) — A thin identity (authentication) layer built on top of OAuth 2.0 that proves who the user is; it adds the ID token, a signed JSON Web Token (JWT) asserting the user's identity, and powers modern web/mobile single sign-on.
Operational technology (OT) — The hardware and software that directly monitors and controls physical processes, devices, and infrastructure (valves, motors, breakers, sensors); the counterpart to information technology, which stores and moves data. In OT, the priorities invert IT's: safety first, then availability, then integrity, then confidentiality.
Order of volatility — The principle that digital evidence must be collected from the most volatile (most quickly lost) sources to the least volatile — registers/cache, then RAM, then network state, then disk, then off-host logs, then backups — so that collecting durable evidence does not destroy fragile evidence first.
Orphaned account — An account that no longer has a valid owner or business purpose — most commonly an enabled account for a person who has left the organization — which is dangerous out of proportion to its number because it is valid, unmonitored, and often privileged, making it a pre-positioned foothold for lateral movement.
OSI model — The Open Systems Interconnection model: a seven-layer conceptual framework (Application, Presentation, Session, Transport, Network, Data Link, Physical) describing how data moves between systems, where each layer has one job and a distinct attack surface and place for a control.
OT/IT convergence — The increasing interconnection of operational-technology and information-technology networks, which brings business value (data from the process reaching enterprise systems) but also exposes formerly isolated control systems to IT-borne threats; it makes the IT/OT boundary the single most important security control in an industrial enterprise.
Output encoding — The complementary practice of transforming data so that the interpreter at its destination (HTML, JavaScript, URL, SQL, shell) treats it as inert data rather than syntax; the correct encoding is context-specific, and encoding for the wrong context provides no protection.
OWASP Top 10 — A periodically updated awareness document from the Open Worldwide Application Security Project that ranks the most prevalent and impactful categories of web-application security risk; a prioritization map, not a complete standard or pass/fail test.
P
PaaS (Platform as a Service) — A cloud model in which the provider manages the hardware, hypervisor, operating system, and runtime, and the customer supplies only the application code plus its configuration, data, and access controls (e.g., AWS Lambda, Amazon RDS, Azure App Service).
Packet — The fundamental unit of data routed at the Network layer (Layer 3), consisting of a header with source and destination IP addresses and the payload it carries; it is wrapped (encapsulated) inside a Data Link frame to cross a physical network.
Packet capture (PCAP) — The act of recording network traffic byte-for-byte exactly as it crosses an interface, and the file format (after the libpcap library) used to store it; a perfect, unsummarized record of traffic for later analysis.
parameterized query — Also called a prepared statement; a database query in which the SQL command and the data are sent to the database separately, with placeholders marking where data goes, so the database treats the supplied values strictly as data and never parses them as part of the command. The structural fix for SQL injection.
Parsing — The step within normalization that extracts the meaningful fields out of a raw log message (for example, pulling the user, source IP, and timestamp out of an sshd log line) before those fields are mapped onto the common schema.
Passive OT monitoring — The practice of detecting threats and building asset visibility purely by observing a copy of network traffic (via a network tap or switch SPAN/mirror port), never by transmitting packets, so that fragile real-time control systems are never disturbed. Provides safe asset inventory, anomaly detection against a trustworthy baseline, and protocol-aware threat detection; the highest-fidelity alert is any direct IT-to-OT boundary crossing.
Passkey — A FIDO2 credential (a per-website private key) used in place of a password; it may be device-bound (stored on a hardware security key, non-exportable) or synced (stored in a cloud credential manager and backed up across a user's devices). Both are phishing-resistant.
Password hashing — Storing a password as the output of a deliberately slow, one-way password-based key derivation function (bcrypt, scrypt, or Argon2id) with a unique per-user salt, so that a breach of the credential store does not directly expose passwords; distinct from fast, general-purpose hashing, which is unsafe for passwords.
Password rotation — Automatically changing privileged credentials on a schedule and, ideally, immediately after every use (check-in or one-time rotation), so that any credential an attacker captures has the shortest possible useful life.
Password spraying — An attack that tries a few very common passwords against many accounts, deliberately staying under per-account lockout thresholds; its signature is one or a few password values attempted across many distinct accounts, and it is invisible to per-account lockout, requiring cross-account correlation to detect.
Patch management — The process of applying patches reliably across a fleet: discovering missing patches, testing them, deploying them on a schedule appropriate to risk, and verifying they were actually installed.
Patch SLA (service-level agreement) — A documented, policy-backed commitment specifying the maximum time allowed to remediate a vulnerability after discovery, tiered by the vulnerability's risk; the clock starts at discovery, and mature programs set SLAs tighter than any compliance floor.
Patching — The act of applying vendor-supplied updates that fix vulnerabilities (and bugs) in software.
Payload — The part of an attack that actually executes the attacker's intent once delivered, such as code that runs commands, installs a backdoor, or encrypts files.
PCI-DSS (Payment Card Industry Data Security Standard) — A prescriptive, contractually mandatory security standard, maintained by the PCI Security Standards Council on behalf of the card brands, that any organization storing, processing, or transmitting cardholder data must meet across its Cardholder Data Environment.
Permission — The right to perform a specific operation on a specific resource or class of resources (e.g., open_account, approve_wire_transfer); the unit of access that roles collect and grant.
phishing — A social-engineering attack, usually delivered by email, in which an attacker impersonates a trusted entity to trick a recipient into revealing credentials, transferring money, or running malware.
Phishing simulation — A controlled, authorized exercise in which an organization sends its own employees benign messages crafted to resemble real phishing attacks, in order to measure susceptibility, deliver just-in-time teaching to those who fall for them, and track workforce resilience over time. Legitimate only with written authorization, governance, legal/HR review, and a strict no-blame posture.
Phishing-resistant MFA — Authentication that cannot be phished, relayed, or socially engineered out of the user, because the proof is an origin-bound cryptographic signature with no reusable secret to capture; FIDO2/WebAuthn is the canonical example and is required at NIST AAL3.
Pipeline integrity — The property that the software a pipeline produces is exactly what the verified source defines, built by an unmodified process and verifiably unaltered from build to deployment.
Plaintext — The original, readable data before any cryptographic transformation, such as a message or a card number prior to encryption.
Playbook — A scenario-specific incident-response procedure written at the level of decisions, roles, and coordination for a particular type of incident (e.g., ransomware, phishing/BEC, account compromise, data exfiltration); followed by the incident commander and team leads.
PLC — Programmable logic controller: a ruggedized industrial computer that reads inputs from sensors, runs a control program, and drives outputs to actuators on a deterministic, real-time cycle. Built for reliability, not security; many speak unauthenticated protocols and cannot be patched without a vendor engagement and a process outage.
Policy — In access control, a statement of the conditions under which access is granted or denied, evaluated at decision time; in ABAC, a set of rules over subject, resource, action, and environment attributes.
Policy administrator (PA) — The zero-trust component that executes the policy engine's decision by establishing or tearing down the communication path between subject and resource and configuring the enforcement point with the credentials, tokens, or configuration for exactly the granted session; together with the PE it forms the policy decision point.
Policy as code — Security and compliance policy written in a machine-readable, version-controlled, testable language and automatically enforced by the pipeline or platform, so the rule and its enforcement are the same artifact.
Policy decision point (PDP) — The component that evaluates an access request (subject, action, resource, context) against the access policy and returns a verdict of permit or deny; it holds the policy logic. In zero-trust architecture it is called the policy engine.
Policy enforcement point (PEP) — The component that sits in the path of a request, intercepts the attempted access, asks the policy decision point for a verdict, and then permits or blocks the request; it must be unbypassable.
Policy engine (PE) — The zero-trust component that makes the access decision: it gathers the signals (identity, device posture, context, risk), evaluates them against policy, and returns a verdict of grant, deny, or grant-with-conditions; the heart of the policy decision point.
Port — A 16-bit number (0–65535) that identifies a specific network service or connection endpoint on a host, so that one machine can run many services at once; common services use well-known ports (e.g., HTTP 80, HTTPS 443, SSH 22, DNS 53).
Post-quantum cryptography (PQC) — Cryptographic algorithms designed to run on ordinary (classical) computers but to resist attack by both classical and quantum computers, based on mathematical problems believed hard even for quantum machines; NIST standardized the first PQC algorithms in 2024 (FIPS 203 ML-KEM, FIPS 204 ML-DSA, FIPS 205 SLH-DSA).
Pre-shared key (PSK) — A single passphrase shared by all devices on a WPA2/WPA3-Personal network, used to derive encryption keys; it cannot be revoked for one user without re-keying everyone and provides no record of who connected.
Privilege creep — The gradual accumulation of access rights an individual collects over time as they change roles and responsibilities, without the access from previous roles being removed; driven by the asymmetry that access is granted eagerly and revoked reluctantly. Also called access accumulation or permission creep.
Privileged access management (PAM) — The discipline and set of controls for securing, controlling, and monitoring accounts with elevated permissions — inventorying and vaulting privileged credentials, granting access just-in-time, tiering administrative paths, and recording and detecting privileged activity — so that compromising a single powerful account cannot lead to total environment takeover.
Privileged access workstation (PAW) — A dedicated, hardened, single-purpose computer used only to perform privileged administration — never for email, web browsing, or general productivity — so that the malware-delivery attack surface is removed from the machine where privileged credentials are used.
Privileged account — Any account whose permissions exceed those of an ordinary user in a way that could compromise the confidentiality, integrity, or availability of systems if misused: it can administer other accounts, change security settings, read or alter data broadly, or control infrastructure (e.g., domain admin, root, cloud root, DBA, backup operator, local administrators, and the admins of the security tools themselves).
Procedure — In ATT&CK, the specific implementation of a technique by a particular adversary or piece of malware on a particular occasion — the fingerprint-level what exactly they did.
Professional ethics (security) — The obligation to use security knowledge only on systems one owns or is explicitly authorized to access, to disclose vulnerabilities responsibly, to protect the data and privacy one is entrusted with, and to be honest about risk even when unwelcome; its non-negotiable core is authorization, which — not capability — is the line between a defender and a criminal.
Program governance (synthesis) — The integrated exercise of governing a complete security program — reconciling risk, controls, roadmap, and budget under one accountable structure and one strategy — as assembled and presented in the capstone, drawing together the governance, risk, and metrics work of Chapters 26, 27, and 36.
Provisioning / SCIM — Provisioning is the creation and configuration of accounts and their access (deprovisioning is their removal); SCIM (System for Cross-domain Identity Management) is an open standard for automatically provisioning and deprovisioning identities across systems via a REST/JSON API, making "disable everywhere" achievable.
Public key infrastructure (PKI) — The framework of policies, roles, and technologies that creates, distributes, validates, and revokes digital certificates, binding public keys to verified real-world identities.
Purdue model — A reference architecture that organizes an industrial enterprise into hierarchical levels (0–5, plus an industrial DMZ at 3.5), from the physical process at the bottom to enterprise business systems at the top, so that communications and trust can be controlled at the boundaries between levels. Levels 0–3 are the OT domain; 4–5 are the IT domain; the two must never communicate directly.
Purple teaming — A collaborative security exercise in which an offensive (red) team emulates real adversary techniques — typically mapped to MITRE ATT&CK — while the defensive (blue) team detects and responds in real time, working together so that every detection gap exposed is immediately turned into an improved detection or control and re-tested; distinguished from adversarial red-vs-blue by ending with measurably improved defenses rather than only a report.
Push fatigue — An MFA-defeat attack (also called MFA fatigue or push bombing) in which an attacker who already holds the password triggers a flood of push-approval prompts until the user, exhausted or confused, taps "Approve"; defeated chiefly by number matching and prompt rate-limiting.
Pyramid of pain — A model (after David Bianco) that ranks indicator types — hash values, IP addresses, domain names, network/host artifacts, tools, and TTPs — by how much pain (cost and effort) it causes the adversary to change them when denied; detections higher on the pyramid are harder for the adversary to evade.
Q
Qualitative risk (analysis) — Risk analysis that rates likelihood and impact on ordinal scales (e.g., Low/Medium/High or 1–5), producing relative rankings rather than measured quantities; fast, legible, and right for most risks, but its scores cannot be treated as true magnitudes.
Quantitative risk (analysis) — Risk analysis that expresses likelihood and impact in measured units (probabilities and dollars), enabling risks to be compared, summed, and weighed directly against the cost of controls; powerful for budget decisions but vulnerable to false precision on weak inputs.
R
RACI — A responsibility-assignment matrix that, for each task or decision, marks every role as Responsible (does the work), Accountable (owns the outcome — exactly one per row), Consulted (gives input before), or Informed (told after); its chief value is exposing rows with zero or duplicate Accountable (orphaned controls).
Ransomware-as-a-service (RaaS) — A criminal business model in which a core group (operators) develops and maintains the ransomware platform — encryption code, payment and negotiation infrastructure, even support — and rents it to affiliates who carry out the actual attacks, splitting the proceeds; the commoditization that drove the explosion in ransomware volume.
Recovery — The careful, verified restoration of systems to normal operation from known-good, tested, offline/immutable backups (or clean rebuilds), staged by business priority, with heightened monitoring afterward and explicit verification before the incident is declared closed.
reflected XSS — The non-persistent form of cross-site scripting in which the attacker's script is included in a request (typically a URL parameter) and the server reflects it straight back into the immediate response; it runs only for a victim who follows the attacker's crafted link, so delivery relies on social engineering.
Report rate — The proportion of recipients in a phishing campaign who reported the message as suspicious: reported / received; the detection metric, which mature programs often weight more heavily than the click rate.
Residual risk — The risk that remains after controls are applied; it is never zero, and a mature program drives it to a consciously accepted level rather than attempting to eliminate it.
Risk — The likelihood that a threat exploits a vulnerability against an asset, multiplied by the impact if it does; the central quantity used to prioritize defensive effort.
Risk acceptance — Treating a risk by consciously choosing to live with it as-is because further treatment costs more than the expected benefit or the residual is within appetite; legitimate only when explicit, documented, owned by someone with authority, and time-bounded.
Risk appetite — The amount and type of risk an organization is willing to accept in pursuit of its objectives, set by the board and used to calibrate the program's thresholds and exception decisions. (Introduced here as a governance concept; the full risk-management treatment is in Ch.27.)
Risk assessment — A point-in-time activity within risk management that identifies and analyzes risks to produce a prioritized picture; a program performs many assessments (enterprise-wide, pre-deployment, incident-triggered) over its life.
Risk avoidance — Treating a risk by eliminating the activity or asset that creates it (e.g., discontinuing a feature or not collecting data); the only treatment that reduces residual risk to genuinely zero, at the cost of the foregone opportunity.
Risk burn-down — A chart that tracks an organization's quantified risk (such as aggregate annualized loss expectancy, or the count of risks above appetite) declining over time as treatments are completed, analogous to a project burn-down of remaining work. A burn-down line sloping toward the risk-appetite threshold is among the most persuasive board visuals, because it shows exposure being systematically reduced to the accepted level and how fast.
Risk management — The continuous, organization-wide process of identifying risks to assets and objectives, analyzing them, deciding how to treat each, and monitoring the result so the picture stays current as threats, systems, and the business change.
Risk mitigation — Treating a risk by applying controls that reduce its likelihood, impact, or both, driving residual risk below inherent risk; the default treatment and the subject of most security engineering.
Risk register — The living, authoritative record of an organization's identified risks, their analysis, treatment, and ownership; the memory of the risk-management program and the artifact an examiner or board reviews.
Risk tolerance — The acceptable, operational variation around the risk appetite for a specific risk category or objective — the concrete, often quantitative threshold (the line) that translates the strategic appetite into day-to-day decisions.
Risk transfer — Treating a risk by shifting some or all of its financial impact to a third party (e.g., cyber-insurance or contractual liability) while typically retaining operational responsibility; transfers financial impact, never accountability.
Risk treatment — The decision of what to do with an analyzed risk; one of four options (mitigate, transfer, avoid, accept) or a deliberate combination, moving the risk from its inherent to its residual level. (NIST term: risk response.)
Risk-based prioritization — The practice of ranking remediation by the actual risk each finding poses — combining CVSS (severity), EPSS and KEV (exploitation likelihood), and asset context (exposure and value) — rather than sorting by any single signal such as CVSS alone.
Rogue access point — Any wireless access point connected to an organization's network without authorization, creating an unauthenticated bridge from radio range onto the internal wired network; often well-intentioned (an employee's consumer AP) but always a serious finding.
Role — In RBAC, a named collection of permissions that corresponds to a job function (e.g., Teller, Loan Officer); users are assigned to roles rather than being granted permissions individually, which is what makes RBAC scale.
Root-cause analysis — The determination of the underlying reason an incident was possible — the failure that, if fixed, prevents recurrence of the whole class of incident — as distinct from the proximate symptom.
RSA — A widely used asymmetric algorithm (named for Rivest, Shamir, and Adleman) whose security rests on the difficulty of factoring the product of two large prime numbers; modern use requires keys of 2048 bits or more (3072+ recommended).
RTU — Remote terminal unit: a controller built to operate at a remote, often unstaffed site (a substation, a wellhead, a pumping station) and report back over long-distance communications such as radio or cellular. Functionally close to a PLC; its defensive significance is its remoteness.
Runbook — The step-by-step technical procedure for a single task within a response (e.g., isolating a host in the EDR console, disabling an account and revoking its sessions), concrete enough for a tier-1 analyst to execute correctly under stress; a playbook references many runbooks.
Runbook-driven operations — The practice of executing detection-and-response work through documented, repeatable, step-by-step procedures (runbooks) so that the response to a given situation does not depend on which analyst is on shift; runbooks provide institutional memory, reduce cognitive load under stress, onboard juniors quickly, and are the unit of automation (document → prove → automate).
S
SaaS (Software as a Service) — A cloud model in which the provider runs the entire application stack and the customer is responsible only for how they use it: accounts, permissions, authentication, data input, and the application's own security settings (e.g., Microsoft 365, Salesforce).
Safety instrumented system (SIS) — An independent control system whose sole job is to bring a process to a safe state when conditions become dangerous, operating separately from the normal control system so that a failure or compromise of the latter does not disable the former. The last line of physical defense, and therefore the highest-value target to protect (the Triton/Trisis malware targeted it).
Salt — A unique, random value generated per password and stored alongside the resulting hash; because it is unique per user it defeats precomputation (rainbow-table) attacks and makes identical passwords hash differently. It need not be secret.
same-origin policy (SOP) — A fundamental browser security rule that restricts how a document or script loaded from one origin (scheme + host + port) can interact with resources from another origin; in particular it prevents a page from one origin from reading the responses or contents of a page from a different origin. SOP is why an attacker's page can send a request to a victim site but cannot read the victim's pages to steal an anti-CSRF token.
SAML (Security Assertion Markup Language) — An XML-based open standard (version 2.0) for exchanging authentication and authorization data between an identity provider and a service provider; its core artifact is the signed SAML assertion, and it dominates enterprise single sign-on to SaaS applications.
SAST (Static Application Security Testing) — A tool family that analyzes source code or bytecode without running it, flagging insecure patterns and data-flow (taint) paths from a source to a dangerous sink; runs early and points to a file and line, but tends to produce false positives.
SBOM (software bill of materials) — A formal, machine-readable inventory of the components and dependencies that make up a piece of software, enabling an organization to answer instantly which systems contain a given library when a vulnerability is disclosed. (Introduced here; the full treatment, including supply-chain provenance, is in Chapter 29.)
SCA (Software Composition Analysis) — A tool family that inventories an application's third-party components, including the full transitive dependency tree, and checks each against known-vulnerability databases (and often licenses); it answers "what dependencies do we run, and are any known-vulnerable?"
SCADA — Supervisory control and data acquisition: a system architecture that collects data from many distributed controllers and presents centralized monitoring and control to operators, typically across a wide geographic area (e.g., a utility running dozens of remote pumping stations from one control room).
Scope (compliance) — The precisely defined boundary of the people, processes, systems, and data to which a compliance obligation applies; everything in scope must have evidence and everything out of scope must be provably out.
Script kiddie — An unskilled attacker who runs tools and exploits written by others without deeply understanding them; opportunistic and the human face of automated, indiscriminate probing, but unable to improvise past a closed door.
seccomp — Secure computing mode: a Linux kernel facility that restricts which system calls a process may make, killing the process if it attempts a call outside its allowed set; the engine behind much container and sandbox isolation.
Secret — Any piece of confidential data that grants access to, or proves identity to, a system — such as a password, API key, token, private cryptographic key, database connection string, or certificate's private key; what makes it a secret is that possessing it lets the holder act.
Secret sprawl — The proliferation of secrets across an environment (source code, config files, environment variables, CI variables, images, wikis, chat, clones) without central control, inventory, or rotation; the standing condition that makes a secret leak — the specific event of a secret reaching a place an attacker can read it — eventually inevitable.
Secrets management — The discipline of securely storing, distributing, rotating, and auditing secrets across their lifecycle so that no secret is hard-coded, every secret has an owner and an expiry, and every access is logged.
Secrets scanning (in CI) — The automated search of code, configuration, and commit history for committed credentials (API keys, passwords, private keys, tokens), run as an unskippable continuous-integration gate alongside an advisory pre-commit hook.
Secrets vault — A hardened, access-controlled service that stores secrets encrypted at rest, releases them only to authenticated and authorized callers, and records every access; examples include HashiCorp Vault and cloud key/secret managers (AWS Secrets Manager/KMS, Azure Key Vault, Google Secret Manager), typically backed by a master key in an HSM.
Secure Boot — A UEFI firmware feature that verifies the digital signature of each component in the boot chain (firmware, bootloader, kernel) and refuses to load any that is not validly signed, preventing malicious code from running before the operating system and its defenses start.
secure email gateway (SEG) — A security control (appliance or cloud service) that filters inbound and outbound email for spam, malware, malicious URLs, and policy violations, often sandboxing attachments and rewriting URLs for click-time inspection, before messages reach users.
Secure software development lifecycle (SSDLC) — The practice of building security activities into every phase of how software is designed, written, tested, deployed, and maintained, rather than bolting a security review onto the end; associated with "shifting left" so defects are caught early when they are cheapest to fix.
Security awareness — The ongoing process of developing, across an entire workforce, the knowledge, attitudes, and (above all) behaviors needed to recognize and respond appropriately to security threats in the course of normal work; a continuous, behavioral capability, not a one-time annual event.
Security certification — A credential awarded by a professional body or vendor for passing an exam (and sometimes meeting an experience requirement) that attests to a defined body of knowledge or skill; in a career it functions as a door-opener that passes résumé filters and structures learning, not as proof that the holder can do the job. Real examples include CompTIA Security+ and CySA+, (ISC)² CISSP and CCSP, ISACA CISA/CRISC/CISM, GIAC, OffSec OSCP, and the cloud vendors' security certifications.
Security champions — Volunteers embedded within business units (not members of the security team) who serve as the local point of contact, advocate, and translator for security in their department, extending a small central team's reach and feeding ground-truth back to it.
Security charter — The foundational document (typically board- or CEO-approved) that establishes the security program's authority, scope, mandate, and reporting lines — the program's "constitution" — and grants the CISO the authority to set and enforce policy.
Security culture — The shared set of attitudes, beliefs, norms, and unwritten rules that shape how the people in an organization actually behave toward security in their daily work — what they treat as normal, what they feel safe doing, and what determines whether training takes hold.
Security gate — A security check embedded in a pipeline that evaluates an artifact or change against policy and can pass it, warn, or fail the build.
Security governance — The system of structures, policies, roles, and oversight by which an organization directs and controls its security activities and ensures they serve the organization's objectives and risk posture; governance steers (sets direction and provides oversight) while management/operation rows (executes within it).
Security group — A virtual, stateful firewall attached to cloud resources that controls inbound and outbound network traffic by rule (Azure calls the equivalent a Network Security Group; GCP uses VPC firewall rules).
Security maturity model — A framework that describes capability in a domain as a series of ordered levels — typically from ad hoc and reactive (Initial) through Repeatable, Defined, and Managed to continuously-improving (Optimized) — so an organization can rate its current state, set a target, and measure progress over time. Examples include the CMMI-derived five-level scale, the NIST CSF Implementation Tiers, and C2M2.
Security metric — A measurement of some property of a security program, chosen and defined so that its value informs a decision; the decisive test is that if the number changed sharply, someone would do something differently. A number you merely happen to have is data exhaust, not a metric.
Security operations center (SOC) — The team and function responsible for the continuous monitoring, detection, triage, and initial response to security threats across an organization; it operationalizes logging, detection, and incident response into an always-on capability rather than a set of documents.
Security program (complete) — The organized, governed, and funded whole that integrates an organization's security controls, processes, people, and risk decisions into a single managed capability aligned to the business; distinct from the governance-sense "security program" of Chapter 26, it denotes the entire integrated capability whose coherence — a risk spine, a legible structure, and a stated strategy — is what makes it fundable, not the sum of its controls.
Security program (governance sense) — The structured, governed whole — documents, roles, framework, and lifecycle — that turns a pile of individual controls into a managed, durable, accountable, scalable, and legible capability. (The complete/capstone assembly of the program is treated in Ch.38.)
Security requirement — A specific, verifiable statement of what software must do (or must never do) to be secure; the bridge between an identified threat and a built-and-tested defense, distinguished from vague advice by being something a tester can confirm.
Security roadmap — A time-phased plan that moves an organization from its current security state to its target state, with each initiative sequenced, costed, and tied to the risk it reduces; the journey a board funds, as opposed to the destination a program document describes.
Security staffing gap — The persistent structural shortfall between the number of qualified cybersecurity professionals organizations need and the number available in the labor market; widely estimated in the millions of unfilled roles globally (a figure that varies by source and should be treated as a range), making retention of trained analysts a first-class risk-management concern.
Security strategy — A stated, multi-year direction for a security program that explains where the organization is going and why, ruling some choices in and others out, against which every tactical decision can be checked.
Segregation of duties (access) — The principle that no single individual should hold all the permissions required to complete a sensitive or high-risk action alone; the action is deliberately split so that it requires two or more different people, preventing fraud and catching error. Also called separation of duties.
SELinux — Security-Enhanced Linux: a mandatory access control implementation (default on Red Hat–family distributions) that labels every process and object and enforces a system-wide policy about which labels may interact, confining processes regardless of Unix permissions or root, with enforcing, permissive, and disabled modes.
Separation of duties — The principle that a single individual should not be able to complete a high-risk transaction alone; the critical steps are split among two or more people so that fraud or error requires collusion. Also called segregation of duties (SoD).
server-side request forgery (SSRF) — An attack in which an attacker induces a server to make an outbound request to a destination of the attacker's choosing, abusing the server's network position to reach systems the attacker could not reach directly — internal services or cloud instance-metadata endpoints. Mitigated by destination allowlisting, blocking internal IP ranges (re-checked after DNS resolution and redirects), and network egress filtering.
Serverless — A cloud execution model in which the provider fully manages the underlying servers and the customer supplies only code that runs in response to events (e.g., AWS Lambda); a PaaS pattern where the customer's responsibility narrows to code, configuration, and access.
Service account — A non-human account used to run an application, service, or scheduled task, often with elevated permissions and a credential embedded in configuration or code; introduced here as a category of privileged account and treated canonically as machine identity in Chapter 20.
session fixation — An attack in which the attacker causes a victim to authenticate using a session identifier the attacker already knows, so that after login the attacker — holding the same identifier — is inside the victim's authenticated session; it depends on the application keeping the same session ID across the anonymous-to-authenticated transition. Defeated by regenerating the session ID at login.
Session recording — The capture of a detailed, tamper-resistant record of what is done during a privileged session (commands, screens, actions), stored where the recorded user cannot alter it, so that privileged activity can be reviewed, audited, and investigated; also called session monitoring, and when done live with the ability to alert on or terminate a session, real-time session monitoring.
Severity classification — The rubric that maps an incident to a severity level (e.g., SEV-1 through SEV-4) on axes the organization cares about; the level drives response speed, escalation, resourcing, and which internal and external parties are notified.
SHA-2 — The Secure Hash Algorithm 2 family (NIST FIPS 180-4), including SHA-256, the recommended general-purpose hashing standard for integrity.
SHA-3 — A newer, structurally distinct hash family standardized by NIST (FIPS 202) as an alternative to SHA-2.
Shadow IoT — The set of unauthorized, unmanaged, and often unknown IoT and connected devices that employees attach to the organization's network without IT's knowledge or approval; dangerous because a device nobody knows about is one nobody segmented, monitors, patches, or will think to check during an incident.
Shared responsibility model — The framework, published by every major cloud provider, that divides security duties between the provider (security of the cloud — hardware, hypervisor, facilities) and the customer (security in the cloud — configuration, data, and identity). Misreading where the line falls is the most expensive mistake in cloud security.
Shift left — The practice of moving security activities earlier in the software development lifecycle — toward the developer's keyboard and the moment code is written — because the same defect is far cheaper to fix the earlier it is caught.
Short-lived credentials — Credentials deliberately given a brief validity window (often minutes to hours, via dynamic secrets or platform-issued temporary tokens) so that a stolen one becomes useless almost immediately, converting the secrets problem from a prevention problem into a bounded time-window problem.
SIEM (Security Information and Event Management) — A system that ingests logs from many sources, normalizes them into a common schema, correlates events across sources and time, and raises alerts for analysts to investigate; the central platform of a Security Operations Center for real-time detection and investigation.
Sigma rule — A generic, vendor-agnostic detection written in YAML that describes detection logic independent of any SIEM, and is compiled by a backend into the native query language (SPL, KQL, etc.) of whatever SIEM is in use; the portable standard for detection-as-code.
Signature detection — Detection that matches observed activity against a database of known-bad patterns (a specific byte sequence, request, or domain); precise and low-noise for known threats but blind to attacks for which no signature exists.
Single loss expectancy (SLE) — The dollar loss expected from a single occurrence of a risk event, computed as asset value times exposure factor ($SLE = AV \times EF$); a per-event figure.
Single sign-on (SSO) — The capability that lets a user authenticate once to a central identity provider and then access multiple independent applications without re-authenticating to each; it concentrates both control (central MFA, one place to disable) and risk (a compromised IdP reaches everything).
SLSA (Supply-chain Levels for Software Artifacts) — A graduated security framework for establishing and verifying the integrity of the software supply chain, focused on build provenance — proving that an artifact was produced from a specific source by a specific, hardened, tamper-evident build process.
SOAR (Security Orchestration, Automation, and Response) — A platform that acts on what a SIEM detects by running automated or semi-automated playbooks in response — enriching an alert, taking a containment action, and creating a ticket — so a SOC can scale response the way a SIEM scales detection.
SOC 2 (System and Organization Controls 2) — An AICPA attestation framework in which an independent CPA examines and reports on a service organization's controls against the Trust Services Criteria (Security, Availability, Processing Integrity, Confidentiality, Privacy); a Type I report assesses control design at a point in time, a Type II report assesses operating effectiveness over a period.
SOC tiers — The escalating levels of analyst expertise and authority through which an alert flows: Tier 1 (triage/alert analyst — monitors the queue, follows runbooks, closes false positives, escalates the rest), Tier 2 (investigator — deep analysis, scope, containment, declares incidents, writes runbooks), and Tier 3 (threat hunter / senior responder / detection engineer — proactively hunts, leads major incidents, and builds new detections so future occurrences are caught at Tier 1 or by automation).
Social engineering — Manipulating people into performing actions or disclosing information that compromises security (for example, phishing); an attack class that bypasses technical controls by targeting human trust.
Social engineering (defense) — The set of program, behavioral, and cultural countermeasures that reduce the likelihood that the manipulation of people (the attack, owned by Chapter 2) succeeds, and increase the likelihood that it is caught and reported; built on trained reflexes (slow down, verify out-of-band, question authority safely, route alerts to the real team) rather than on knowledge alone.
Socket — The combination of an IP address and a port (e.g., 192.0.2.10:443), naming one precise endpoint of a network connection; a full connection is identified by a four-tuple of source IP/port and destination IP/port.
Software bill of materials (SBOM) — A formal, machine-readable inventory of the components that make up a piece of software — each library and module with its name, version, supplier, and dependency relationships — analogous to an ingredient list; the two dominant standard formats are SPDX and CycloneDX.
Software provenance — The verifiable record of where a software artifact came from: what source it was built from, by what build process, and that it has not been altered since; the assurance an SBOM does not provide and that the SolarWinds compromise showed was missing.
Software-defined perimeter (SDP) — An approach in which resources are hidden behind a broker and made invisible to unauthorized users, so the "perimeter" is drawn freshly in software around each authorized connection rather than fixed at a network edge; unauthorized users cannot scan for, discover, or reach the protected resource (the "dark network" property).
Span/tap — The two methods of delivering a copy of network traffic to a monitoring sensor: a SPAN port (port mirroring) copies traffic via switch configuration (cheap, but can drop packets under load), while a network tap is dedicated inline hardware that passively copies every bit with no loss (full fidelity, at hardware cost).
spear-phishing — Targeted phishing crafted for a specific individual or organization using researched details (real projects, colleagues, vendors) to raise its success rate.
Specialization track — A coherent path through the field — a cluster of related roles, skills, and certifications that build on one another (e.g., blue team, red team, GRC, cloud security, application security, engineering/architecture) — as opposed to an unrelated scatter of credentials; choosing one turns a pile of learning into a career.
SPF (Sender Policy Framework) — An email-authentication standard in which a domain owner publishes, in a DNS TXT record, the IP addresses authorized to send mail for the domain; a receiver checks whether a message arrived from a listed source. It authenticates the envelope sender and does not survive forwarding.
SQL injection — A web vulnerability in which attacker-controlled input is interpreted as part of a SQL statement, letting an attacker alter the query's logic to read, modify, or destroy data the application never meant to expose; the root cause is concatenating untrusted data into a query so it is parsed as command structure rather than data. Fixed structurally by parameterized queries.
SSID (Service Set Identifier) — The human-readable name of a wireless network, broadcast in cleartext management frames even on a fully secured network; it is not a secret, so hiding its broadcast provides minimal security.
Standard — A mandatory, specific, measurable, and testable rule that implements a policy; it names versions, lengths, algorithms, and thresholds (e.g., "MFA required; passwords ≥14 characters"), is approved at the CISO/committee level, and is the spec engineers build and auditors test against.
Stateful firewall — A firewall that tracks the state of active connections in a table and evaluates packets in the context of the conversation they belong to, permitting return traffic because it matches an established connection rather than a pre-opened port.
Stateless firewall — A firewall (or router ACL) that examines each packet in isolation against a rule list using header fields (IP, port, protocol), with no memory of prior packets and therefore no awareness of connection state.
stored XSS — Also called persistent XSS; the form of cross-site scripting in which the attacker's script is saved on the server (in a database, profile field, comment, or memo) and then served to every user who views that content — one injection, many victims, no further attacker action required.
Subnet — A logically subdivided range of IP addresses (a Layer 3 boundary), such as splitting 10.0.0.0/16 into 10.0.1.0/24 and 10.0.2.0/24; a router or firewall between subnets provides a natural place to enforce inter-zone rules. Short for subnetwork.
Supervised vs unsupervised detection — The two postures of detection ML. Supervised learns a function from labeled examples (accurate at catching things like its training data, blind to the novel, needs a clean labeled set); unsupervised learns "normal" from unlabeled data and flags deviation (surfaces the never-before-seen, but cannot say what it found or whether it is malicious).
Supply chain risk — The risk that a component, product, or service incorporated into your own systems is compromised, tampered with, or fundamentally flawed before it reaches you, so that by trusting and deploying it you import the attacker's foothold or the defect directly into your environment.
Supply-chain attack (evolution) — An attack strategy that compromises something many targets trust — a vendor's build pipeline, a popular open-source component, a package name, or hardware/firmware — so that the trust relationship delivers the attacker to all the downstream victims at once; the next generation extends beyond the SolarWinds build-compromise pattern to open-source dependency attacks, dependency confusion, and hardware/firmware compromise.
Symmetric encryption — Encryption that uses a single shared secret key for both encryption and decryption; fast and suited to bulk data, but it must solve the problem of distributing the shared key securely.
Synthetic media — Any audio, image, or video content generated or manipulated by artificial intelligence to depict people, events, or speech that are not real; the broader category that includes deepfakes.
T
Tabletop exercise — A discussion-based simulation in which the response team walks through a realistic incident scenario step by step — exercising the plan, roles, playbooks, and communications without touching any production system — in order to surface gaps before a real attacker does.
Tactic — In ATT&CK, the adversary's tactical goal in a phase of an attack (for example, Initial Access, Persistence, or Credential Access) — the why of a step.
TCP/IP — The four-layer protocol suite (Application, Transport, Internet, Link) that actually runs the internet, named for the Transmission Control Protocol and the Internet Protocol; it implements the functions the OSI model describes, collapsing OSI's top three and bottom two layers.
Technique — In ATT&CK, the method by which an adversary achieves a tactic, identified by a stable code such as T1566 (Phishing) — the how of a step.
Third-party risk management (TPRM) — The structured, lifecycle discipline of identifying, assessing, mitigating, and monitoring the risk an organization takes on through its relationships with external parties (vendors, suppliers, service providers, contractors) that have access to its data, systems, or facilities, or that it depends on to operate.
Threat — A potential cause of harm to an asset, usually originating from a threat actor but sometimes from non-adversarial sources such as hardware failure or natural disaster.
Threat actor — A person or group with the intent and capability to cause harm, ranging from opportunistic criminals to nation-state groups.
Threat detection — The practice of identifying malicious or unauthorized activity in an environment, whether automatically (a rule fires) or through analysis; the umbrella term covering both detection engineering and threat hunting.
Threat hunting — The proactive, human-led search through data for adversary activity that has not triggered any alert, undertaken on the assumption that an adversary may already be present undetected.
Threat intelligence — Curated, analyzed information about adversaries — their identities, motivations, infrastructure, and TTPs — that helps defenders anticipate, detect, and respond to attacks; the analysis that gives indicators meaning.
Threat intelligence platform (TIP) — A system that aggregates threat-intelligence feeds from many sources, normalizes and de-duplicates indicators, scores them for confidence and relevance, enriches them with context, and distributes the actionable ones to detection tooling such as the SIEM, firewalls, and EDR.
Threat model — A structured analysis of what could go wrong with a system — the assets worth protecting, the adversaries who might target them, the attack paths they could use, and the defenses that address each; here built at the organizational level (the application-specific variant is treated in a later chapter).
Threat modeling (application) — The structured activity of analyzing a design — often a single feature, using a method such as STRIDE — to identify what could go wrong from a security standpoint before it is built, so defenses can be designed in; its deliverable is a set of verifiable security requirements, not a diagram.
Three-way handshake — The three-message exchange (SYN, SYN-ACK, ACK) by which two hosts establish a reliable TCP connection and synchronize sequence numbers before any data flows; its shape in telemetry distinguishes normal traffic from port scans and SYN floods.
Tiered administration — An administrative model that partitions identities and the systems they manage into tiers by sensitivity (commonly Tier 0 control plane, Tier 1 servers, Tier 2 workstations) and forbids a higher-tier credential from ever being exposed on a lower tier, severing the credential-harvesting path from a compromised low-trust host to high privilege.
Timeline analysis — The technique of merging timestamped events from many artifact sources into a single chronological sequence (normalized to a common time zone, accounting for clock skew) so that the activity of an intrusion can be reconstructed and understood in order.
TLS (Transport Layer Security) — The protocol that secures data in transit for the web and much else (the "S" in HTTPS), providing confidentiality, integrity, and server authentication over an untrusted network; the successor to SSL, with TLS 1.3 (RFC 8446) as the current version.
TLS handshake — The opening exchange of a TLS connection in which the parties agree on a protocol version and cipher suite, establish a shared symmetric key (via ephemeral Diffie–Hellman in TLS 1.3), and authenticate the server with its certificate — completing in one round trip in TLS 1.3.
Tokenization — Replacing a sensitive value (such as a primary account number) with a non-sensitive surrogate token that has no mathematical relationship to the original and is useless if stolen, with the real value held in a separate guarded vault; reduces compliance scope by removing sensitive data from most of the environment.
TOTP (Time-based One-Time Password) — A six-to-eight digit code generated from a shared secret seed and the current time (rolling over, typically every 30 seconds) by an authenticator app and the server independently; it resists SIM swap but, because it is a secret the user reads and types, remains vulnerable to real-time phishing relay.
TPM (Trusted Platform Module) — A dedicated hardware security chip that securely stores cryptographic keys and measurements of the boot process, providing a hardware root of trust; it underpins disk encryption (keys can be sealed so the disk decrypts only if the machine boots an unmodified configuration) and hardware-backed attestation of a known-good boot state.
Triple extortion — A further escalation of ransomware extortion that, beyond encryption and data-theft threats, adds a third pressure point — typically directly threatening or harassing the victim's customers or partners whose data was stolen, and/or layering on a denial-of-service attack.
TTP (Tactics, Techniques, and Procedures) — The standard shorthand for the characteristic ways a given adversary operates, combining the ATT&CK levels of tactic, technique, and procedure.
U
Use case (detection) — A specific, named threat scenario that an organization has decided to detect, together with the correlation logic, the log sources it requires, the alert it produces, the analyst response it triggers, and its false-positive risk; the higher-level unit a correlation rule serves.
User and entity behavior analytics (UEBA) — A productized, multi-signal generalization of anomaly detection that builds behavioral baselines for users and entities (service accounts, hosts, applications) across many features at once, fusing several weak per-entity anomalies into one risk score to catch account takeover and slow insider drift that no single feature or signature would.
V
Vanity metric — A measurement that looks impressive and moves in a satisfying direction but supports no real decision — typically because it is unbounded, lacks a denominator, or measures activity rather than outcome (the archetype: "2.4 million attacks blocked"). Vanity metrics are seductive because they are easy to produce and always flattering; reporting them wastes the audience's attention and can hide real risk.
Vendor security assessment — The structured evaluation of a prospective or current vendor's security posture, typically combining a security questionnaire, a review of independent audit evidence (SOC 2 Type II, ISO 27001, penetration-test summaries), and external signals such as security-rating services or a published SBOM.
VLAN — Virtual local area network: a Layer 2 mechanism that makes one physical switch behave as several logically separate switches, isolating groups of ports into independent broadcast domains; a boundary that is only as strong as the policy enforced between the VLANs.
VPN (Virtual Private Network) — A technology that creates an encrypted, authenticated tunnel across an untrusted network so that traffic through it gains confidentiality and integrity as a property of the tunnel; protects data in transit between the two tunnel endpoints only.
Vulnerability — A weakness in an asset or its safeguards that could be used to cause harm; a potential that has not yet caused damage.
Vulnerability management — The continuous, closed-loop process of identifying, evaluating, prioritizing, remediating, and verifying the elimination of security weaknesses across an organization's assets, and reporting on the loop so it can be governed and improved; risk reduction under permanent scarcity rather than a quest to reach zero vulnerabilities.
Vulnerability scanner — A tool that checks assets against a continuously updated database of known weaknesses and reports findings. An authenticated (credentialed) scan logs into the asset and reads exact installed versions and configuration (accurate and deep); an unauthenticated scan probes from outside as an anonymous attacker would (reveals true external exposure but infers, and so produces more false positives and negatives).
W
web application firewall (WAF) — A security control that inspects HTTP/HTTPS traffic to and from a web application and applies rules to detect and block common web attacks (injection, XSS, and others) before they reach the application, operating at the application layer; it provides defense in depth, virtual patching, and attack telemetry, but is a pattern-matcher in front of a vulnerability that still exists — never a substitute for fixing the code.
WebAuthn (Web Authentication) — The W3C browser API that lets a website (relying party) create and use a per-site public/private key pair via an authenticator; the private key never leaves the authenticator and signatures are bound to the site's origin.
WEP (Wired Equivalent Privacy) — The original 1997 WiFi encryption standard, using RC4 with a 24-bit initialization vector; its IV reuse lets an attacker recover the key from captured traffic in minutes regardless of passphrase length, so it is broken and its presence is a critical finding.
WireGuard — A modern VPN protocol designed for simplicity, speed, and a small auditable codebase, using a fixed set of modern algorithms (Curve25519, ChaCha20-Poly1305, BLAKE2s) with no algorithm negotiation, which eliminates downgrade and many misconfiguration risks; peers are identified by public keys.
Wireless IDS (WIDS) — A wireless intrusion detection system that monitors the radio environment (often using listening enterprise access points) to detect rogue access points bridged to the network, evil twins advertising corporate SSIDs from unauthorized hardware, deauthentication floods, and other wireless attack signatures.
Wireshark — The standard graphical protocol analyzer for capturing and, above all, reading packets; it decodes raw bytes into human-readable protocol structure. Its command-line sibling is tshark; tcpdump is the common lightweight capture tool.
Workload identity — The identity of a running piece of software, and the pattern of granting it access based on what the workload provably is and where it runs (attested by its platform) rather than on a stored secret it carries; realized by AWS IAM roles, Kubernetes federated tokens, and SPIFFE/SVID.
WPA (Wi-Fi Protected Access) — A 2003 transitional WiFi security standard that wrapped RC4 in TKIP (per-packet key mixing) to fix WEP's worst flaws on existing hardware; now deprecated and treated as nearly WEP-equivalent.
WPA-Enterprise — The Enterprise mode of WPA2/WPA3 that replaces the shared passphrase with per-user authentication carried by EAP and decided by a central (RADIUS) server, giving each user a revocable, auditable identity and enabling per-user VLAN assignment.
WPA2 — The 2004 WiFi security standard built on AES-CCMP, with no practical cryptographic break when patched; its Personal (PSK) mode is vulnerable to offline guessing of the passphrase from a captured four-way handshake.
WPA3 — The 2018 WiFi security standard whose SAE (Dragonfly) handshake resists offline dictionary attacks, which adds forward secrecy and Enhanced Open (encryption for password-free networks) and mandates Protected Management Frames.
Write blocker — A hardware device or strictly enforced software mode placed between an investigator's system and an evidence drive that permits read commands but blocks all writes, guaranteeing the original evidence is never altered during acquisition.
X
X.509 certificate — The standard format for a public-key certificate, containing the subject identity, the subject's public key, the issuing CA, a validity period, a serial number, allowed key usages, and the CA's digital signature.
Y
YARA — A pattern-matching tool and rule language for identifying and classifying files and process memory by their content (byte strings, text strings, structural conditions); the file-and-memory counterpart to Sigma's focus on logs.
Z
Zeek — An open-source network security monitoring (NSM) platform (formerly called Bro) that watches live traffic and produces structured logs — one connection record per connection plus protocol-specific logs (DNS, TLS, HTTP, files) — instead of storing raw packets.
Zero trust (principle) — The principle that no user, device, or network location is trusted implicitly; every access request is verified explicitly and continuously, with minimal access granted ("never trust, always verify"). A synthesis of least privilege, fail-safe default, and assume breach; its full engineering is the zero-trust architecture (Chapter 32).
Zero trust architecture (ZTA) — An enterprise's concrete cybersecurity design — its components, workflows, and access policies — that implements the zero-trust principle of "never trust, always verify," granting access to each resource per request based on identity, device, and context rather than on network location. (The principle/mindset is owned by Chapter 3; this chapter owns the architecture.)
ZTNA (zero-trust network access) — A service that brokers access to individual applications based on identity, device posture, and context, granting a connection to a specific application only after a per-request policy decision and never placing the user on the network at large; the practical replacement for the remote-access VPN.