
Cybersecurity Terms From A (Attack Paths) to Z (Zero Days)
What are the most common cybersecurity terms you need to know at a glance? This dictionary goes beyond the basic tools and threats teams need to track and also defines the principles, architectural risks, and gray areas where even mature organizations struggle. Aligning cloud posture? Rationalizing tooling? You’ve come to the right place. Knowing these terms is the foundation for making smarter and faster decisions.
Access Control
The process of making sure only authorized users get inside systems and data. Most enterprises implement role-based access control (RBAC), but complete control is elusive, given the management of exceptions, shadow entitlements, and identity sprawl across cloud, hybrid, and legacy systems. Integration across cloud, IAM, and CI/CD pipelines is rarely complete.
Address Resolution Protocol (ARP)
This protocol resolves IP addresses to MAC addresses within local networks, allowing devices to communicate on the same subnet. While ARP itself operates at a low level in the network stack, specifically, at layer 2 (the data link layer), its lack of authentication makes it vulnerable to spoofing attacks.
Admission Controller
A plugin in the Kubernetes API server. It intercepts API requests before they’re saved and enforces rules, like blocking deployments that are missing security labels or rejecting containers that run as root.
Advanced Persistent Threat (APT)
A long-term, targeted attack by a sophisticated, often state-sponsored adversary. APTs exploit identity, supply chain, and cloud misconfigurations over months or years to hide in systems undetected. APTs require behavioral detection, data-centric protections, and threat intelligence to spot.
Adversarial AI
The attacks that fool machine learning models by manipulating inputs, like altering a malware file just enough to bypass an AI threat detector, while keeping core functions intact.
Adversary-in-the-Middle (AitM) Attack
A proxy-based session hijacking technique where an attacker sits between the user and the legitimate service, intercepting MFA tokens and full browser sessions. AitM bypasses MFA and SSL protections, so it requires phishing-resistant authentication and session telemetry analysis, particularly in hybrid identity environments.
Agents
Software components installed on endpoints, servers, or VMs to collect data continuously and enforce policies. New generation, lightweight agents are called sensors.
AI Bill of Materials (AI BOM)
A listing of all components used to build an AI model, from datasets to third-party models, libraries, and prompts. It’s like a software bill of materials (SBOM) for AI so teams can audit risk and verify provenance.
AI Data Security
The act of protecting training data, prompts, and outputs of AI systems, since attackers who tamper with training data can influence model behavior or extract sensitive data.
AI-Security Posture Management (AI-SPM)
A category of tools that help security teams get visibility into where AI models live, what data they interact with, and what risks they introduce, much as a traditional Cloud Security Posture Management (CSPM) tool tracks cloud misconfigurations.
AI Threat Detection
A use of machine learning to spot patterns that traditional rules might miss, including subtle signs of insider threats or lateral movement. It also refers to detecting threats to AI systems, including model tampering or data poisoning.
Allowlist
A list of explicitly trusted items, which can include IPs, email addresses, or apps, that are granted access while other traffic, files, or identities are blocked. It’s a default deny for most traffic, with specific exceptions.
Antivirus Software
Signature-based software that scans files and processes to detect, quarantine, and remove known malware based on predefined patterns. Legacy antivirus is becoming obsolete as modern malware might be fileless or custom-built to evade signature detection. Today, Endpoint Detection and Response (EDR) software eschews signature-based detection for behavioral analytics instead.
API Payload
The data sent in an API request, often in JSON format, that tells the server what to do. API payloads are common places for attacks.
Attack Path Analysis
Mapping how an attacker could move from initial access to high-value resources. Effective attack path analysis integrates identity graphs, misconfigurations, and privilege escalation routes critical for prioritizing real-world blast radius over theoretical CVE counts.
Attack Surface
The sum of all possible points an attacker could target, like ephemeral workloads, third-party integrations, exposed APIs, public-facing domains, and over-permissioned identities. Attack surface management (ASM) platforms have become part of a layered security toolbox to discover and monitor exposed assets.
Authentication
The process of verifying a user’s identity, usually before authorizing access to resources. Strong authentication can include multi-factor authentication (MFA), federated identity, and protocols like OpenID Connect (OIDC) and Security Assertion Markup Language (SAML) that prevent token replay, identity sprawl, and password reuse.
Authorization
The process of granting permissions to users to access resources. The real risk lies in overprovisioned roles, stale entitlements, and implicit trust models, with modern organizations moving toward Attribute-Based Access Control (ABAC) and least privilege approaches, using protocols like Open Authorization (OAuth).
AWS Containers
Running containerized applications using Amazon Web Services like ECS, EKS, or Fargate. AWS handles infrastructure, but organizations must manage security from Identity and Access Management (IAM) roles to network policies and runtime protections.
AWS EC2
An Amazon service that lets organizations run virtual machines in the cloud on on-demand servers. Teams control the operating system, security settings, and apps. It can be easy to misconfigure if teams leave ports open or skip patching.
AWS Fargate
An Amazon service that lets teams run containers without managing servers. Organizations define CPU and memory. As far as security goes, visibility is limited since organizations won’t be able to control the host or runtime directly.
AWS Lambda Runtime
The environment in which code runs when using Amazon’s Lambda functions, including memory, operating system, and language support. It’s lightweight, but security depends on teams handling permissions, input validation, and libraries.
AWS Security
The tools, configurations, and tactics used to protect data, services, and workloads running on Amazon Web Services. While AWS operates under a shared responsibility model, challenges come from tethering multiple native services to a central control hub, managing multi-account sprawl, detecting lateral movement across services, and navigating cloud posture alongside traditional risk frameworks. To dive deeper, look to:
- What is AWS Lambda Runtime?
- AWS Container Security: A Complete Guide
- What is AWS Lambda Security?
- What is AWS Fargate?
- What are AWS Fargate Security Best Practices?
- What is AWS EC2 Security?
Backup and Recovery
An insurance policy where data is copied so it can be restored after an incident. It’s basic hygiene, but only works when teams keep backups isolated from live systems.
Behavioral Analytics
Behavioral analytics tracks patterns in user or system behavior, comparing it to established baselines in order to detect attacks that don’t adhere to known patterns and rulebooks about what’s expressly forbidden.
Browser-in-the-Browser (BitB)
BitB attacks fake browser windows inside real ones, as with login popups designed to steal credentials. It’s a complex and effective form of phishing.
Cache
Storage for temporary data like web pages or DNS lookups, so systems load faster. But if unsecured, a cache can leak sensitive data like logins or API responses, or serve users stale versions of content that may be unpatched or out of date.
Callback Phishing
An attempt to lure human victims to surrender credentials by urging them to call a phone number where an attacker walks them through installing malware or surrendering login information, bypassing email filters.
CIS Benchmarks
Developed by the nonprofit Center for Internet Security (CIS), the security best practices include community-developed checklists for systems like Windows, Linux, and cloud platforms.
Cloud Detection and Response (CDR)
Tools that detect and respond to threats in cloud environments, like suspicious API calls, unusual identity and access management use, or lateral movement. CDR is often a component of comprehensive CNAPP platforms.
Cloud Infrastructure Entitlement Management (CIEM)
Tools that manage who can perform tasks in an organization’s cloud environment. It tracks and right-sizes permissions, thereby reducing the blast radius from compromised accounts.
Cloud Security
The practice of protecting apps, data, and services hosted and running in cloud environments. It spans misconfigurations to identity risks to runtime threats and requires visibility into systems that an organization doesn’t physically control. To learn more, get specific with:
- What is Gen AI Security
- AWS Shared Responsibility Model
- What is Risk Posture Management?
- What is Security Posture?
- Agent vs Agentless Security
- What is AI-SPM
- How to Secure AI Services?
- Kubernetes API Services
- XDR Tools in 2025
- Kubernetes Security Context
Cloud Security Posture Management (CSPM)
Tools that scan the cloud environment for misconfigurations, such as open S3 buckets or overly broad roles, and identify vulnerabilities so they can be patched before attackers discover them.
Cloud-Native Application Protection Platform (CNAPP)
A comprehensive tool that combines tools like CSPM, CIEM, CWPP, and CDR to secure cloud-native apps from code to runtime, offering a unified view of risks across the entire cloud stack, and sometimes even extending to hybrid and on-prem assets for holistic coverage. To explore CNAPP topics, look to:
- What is the Software Development Lifecycle?
- CIEM Explained
- CWPP vs CSPM
- What is a Cloud Workload Protection Platform?
- Cloud Detection and Response (CDR) Explained
- What is Cloud Security Posture Management?
Container Architecture
A design approach that packages code, dependencies, and configs into isolated units that run consistently across environments. Container architecture comes with shared-kernel risks, so securing containers involves securing both the app and its host.
Container Runtime Interface (CRI)
A Kubernetes API that allows the kubelet to talk to different container runtimes, abstracting runtime details so Kubernetes can stay modular and swap runtimes easily.
Container Security
Protection for the full lifecycle of containers as they’re built, then deployed, and during runtime. It includes image scanning, hardening the host, limiting privileges, and detecting malicious behavior. To dig into each aspect of container security, look to:
- Container Security Tools
- AWS Container Security
- What is Container Runtime Security?
- Container Runtimes Explained
- What is Container Vulnerability Scanning
Credential Theft
When attackers steal usernames, passwords, and tokens to access networks. That can include approaches like phishing, keylogging, or memory scraping.
Cryptojacking
When hijackers attack and take control of a system to secretly mine cryptocurrency. Organizations pay for the compute, while attackers reap the benefits.
Common Vulnerabilities and Exposures (CVE)
A standardized identification for a known security flaw, cataloguing identified vulnerabilities. CVEs are assigned a unique identifier, such as “CVE-2024-12345”, and published along with information about existing exploits, patches, or notes.
Dark AI
The use of artificial intelligence for nefarious purposes, like generating phishing emails at scale, creating deepfakes, or automating attacks.
Data Loss Prevention (DLP)
Tools that stop sensitive data from leaving the organizational environment by accident or through attacks. They monitor for risky behavior across email, cloud, and endpoints and can block or alert policy violations.
Data Poisoning
When attackers corrupt an AI model by feeding it bad training data, like tagging malware as safe. Over time, the model “learns” bad patterns, becoming less accurate or even exploitable.
Data Security Posture Management (DSPM)
Tools to find and classify sensitive data across the cloud and then monitor who can access it, how it’s used, and where it’s exposed.
Detection Engineering
Designing high-signal, low-noise security alerts. A holy grail for many security teams, it means writing detections for real-world threats like unusual API calls based on threat tactics and tuning them to avoid alert fatigue.
DevSecOps
An organizational approach that embeds security in every stage of software delivery, from code to deployment. It automates scans, enforces policies, and catches issues early. More than “shift left,” DevSecOps shifts security to all corners of the software development lifecycle.
Digital Operational Resilience Act (DORA)
A European Union regulation requiring financial entities and their providers to manage cyber threats. It mandates standardized risk management, incident reporting, resilience training, and third-party oversight across the EU financial sector.
Digital Forensics and Incident Response (DFIR)
DFIR combines 2 jobs: figuring out what happened during a cyberattack and preserving evidence (forensics), and containing, then recovering from it (incident response).
DNS Mapping
Linking domain names to IP addresses so users can reach websites and services. Attackers abuse it to hijack traffic, map an organization’s infrastructure, and redirect users, which can impact uptime and trust.
Dynamic Application Security Testing (DAST)
DAST scans live applications as they run to find security flaws like SQL injection or cross-site scripting (XSS) without touching the source code. It’s often used in pre-production to catch issues before an app goes live.
Eavesdropping Attack
Intercepting data in transit, like login credentials, usually over unsecured networks. The attacks are typically enabled by weak encryption or misconfigured TLS.
Encryption
Scrambling data so only recipients with the right key can decode and read it. It protects data in transit (like HTTPS) and at rest (like encrypted disks) so stolen files become unreadable noise to cyberattackers.
Enumeration
An early-stage reconnaissance attack mission to probe a system and discover users, devices, and services that might be avenues of attack later.
Extended Berkeley Packet Filter (eBPF)
A next-generation technology that lets organizations run sandboxed programs inside the Linux kernel, powering deep observability without the weight of older agents.
Failover
An automatic switch to a backup system when something fails, like rerouting traffic to a standby server when a main server crashes. It keeps services running, but only works if backups are tested, synced, and working properly.
False Positive
Security tools can identify benign issues, erroneously seeing them as threats. Too many false positives waste team time and make it harder to track down and remediate real threats. It also compromises trust in security tooling and is a reminder that tuning is key to balanced detection without excessive false positives.
Federated Identity
Accessing multiple systems with a single set of credentials, like logging into a SaaS app using a corporate email account. Federation simplifies single sign-on (SSO) for faster workflows, but when a provider is compromised, all accounts behind it face the risk.
File Integrity Monitoring
FIM tracks changes to critical files and alerts on unexpected edits so teams aren’t surprised by changed system configs. It’s used to catch malware, insider threats, and stealthy persistence tactics.
Firewall
A tool that filters traffic between networks, deciding what gets in or out based on rules. This perimeter security guards everything on the inside against things like suspicious IPs, unauthorized ports, or protocols that don’t belong.
General Data Protection Regulation (GDPR)
GDPR is the European Union’s data privacy law that gives people more control over their personal data. Organizations must limit data collection, get clear consent, and report breaches quickly — and GDPR applies globally if EU data is included.
Gen AI Security
Safeguards for generative artificial intelligence systems like chatbots or code generators, which face threats from prompt injection, data leakage, and model abuse. Gen AI security must manage inputs (prompts) and outputs (responses) even as dynamic models behave less predictably than traditional assets.
Governance, Risk, and Compliance (GRC)
GRC is a framework that meshes security policies, threat management, and legal or regulatory obligations. It’s how organizations prove they’re managing assets, prove trustworthiness, and avoid fines.
Grayware
Between legitimate software and malware lies grayware. It includes adware, tracking tools, and browser extensions that aren’t always malicious, but which can invade privacy, clutter systems, and perform in ways that inconvenience users — and open the door to threats.
Hashing
A cryptographic technique that converts input data into a fixed-length, irreversible string. It takes data like passwords or files and ensures their integrity and safe storage, though weak algorithms can still be exploited through brute force and lookup tables.
HIPAA Cloud Compliance
Under the U.S. Health Insurance Portability and Accountability Act (HIPAA), cloud services handling protected health information (PHI) must meet HIPAA standards for access controls, audit logs, encryption, and signed Business Associate Agreements (BAAs) between healthcare and cloud providers.
Homoglyph Attack
A social engineering technique that swaps look-alike characters, for example, creating similar-seeming website domains, to trick users into trusting those domains or logins in order to harvest login or other data.
Honeypot
A decoy system designed to be attractive to attackers and persuade them into revealing the tactics they’re using to move inside organizational systems, for example, with an exposed database that logs their every move, while taking up precious time.
Host-Based Intrusion Detection System (HIDS)
A security tool that monitors a single device, such as a server or endpoint. It tracks file changes, system calls, and logs to identify suspicious behavior beyond what network tools might see.
Hybrid Cloud Security
An umbrella strategy to protect workloads spread across public cloud providers, private cloud, and on-premises systems. It requires highly unified controls and visibility.
Identity and Access Management (IAM)
A framework of policies and technologies that control who has access to organizational resources. IAM governs user identities, roles, and permissions, which serve as a sort of perimeter when it comes to cloud security, but they also tend to sprawl and come with the risk of overprovisioned roles.
Infrastructure as Code (IaC)
A DevOps practice that uses code to define and provision cloud infrastructure, like networks, servers, and policies. Ideally, IaC speeds deployments and enforces consistency, but it also means a single misconfiguration can create large security exposures.
Identity Threat Detection and Response (ITDR)
A security capability that finds identity misuse, for instance, lateral movement with stolen credentials. ITDR can respond in real-time by disabling compromised accounts or revoking access tokens, and integrates with other platforms to automate response and contain threats.
Indicators of Compromise (IoC)
Forensic evidence, like IP addresses, that signal a system may be breached. IoCs are the puzzle pieces that identify, trace, and respond to threats, but they’re reactive and short-lived.
Istio
A service mesh platform that can manage traffic, security, and observability between microservices. Istio offloads things like encryption and policy enforcement from app code to service-to-service communication, increasing security across Kubernetes clusters.
JSON Web Token (JWT)
A compact, URL-safe token format used to transmit identity and claims between systems, commonly in authentication. JWTs are signed, allowing APIs to verify access without storing session state.
Kubernetes Security
A layered security model for protecting containerized workloads in Kubernetes, from API access and RBAC to pod security, network policies, and runtime controls. Because Kubernetes affords plenty of power to teams, misconfigurations are common. To learn about different aspects of securing Kubernetes, look at:
- What is Kubernetes as a Service?
- How to Leverage eBPF for Kubernetes
- What is Kubernetes Runtime Security?
- What are Kubernetes Vulnerabilities?
- What is Kubernetes Vulnerability Scanning?
- Essential Open-Source Kubernetes Security Tools You Need to Know
- What is Kubernetes Security Posture Management
Kubernetes Security Posture Management (KSPM)
A security approach that monitors Kubernetes clusters for misconfigurations, risky permissions, and compliance issues. KSPM is a classification of tools that helps enforce policies in this unique environment, working across YAML files, RBAC settings, and runtime states.
Linux Kernel
The core of the Linux operating system. The kernel manages hardware, memory, processes, and system calls. The kernel is a prime target for privilege escalation, so it’s where syscall filtering, namespaces, and eBPF security fit.
Living Off Cloud (LoC)
A stealthy attack technique in which adversaries abuse legitimate cloud tools like storage buckets to persist and move laterally. It’s the cloud-native version of “living off the land” in traditional computing environments.
Logic Bomb
A piece of malicious code. It’s inside legitimate software and triggered by a specific event like a date, login, or action. Logic bombs can lie dormant until detonated, deleting files or opening backdoors for attackers.
Man-in-the-Middle (MitM)
An attack in which someone secretly commandeers and potentially alters communication between parties, as with accessing login credentials on an unsecured network. Without TLS or certificate checks, users can’t tell whether attackers are listening or tampering with sensitive data like transactions or passwords.
Mandatory Access Control
A strict security model where access decisions are not made by users but by the system based on predefined policies and data classifications. It’s an approach for high-security environments like government or defense systems.
Memory-Based Attacks
A category of attack that targets system RAM by injecting or manipulating code directly into memory. Memory-based attacks are common in advanced threats because they often evade disk-based detection and disappear on reboot.
Microsegmentation
A network security approach that breaks infrastructure into isolated segments at the workload or application level. It limits lateral movement, so if one section is breached, attackers can’t easily pivot to others.
Middleware
A software layer that connects different systems or applications, from databases to APIs. It allows for communication and handles things like authentication, but can become a security blind spot if misconfigured.
Multi-Cloud Security
A strategy for protecting workloads and data spread across multiple cloud providers like Amazon Web Services (AWS), Azure, and Google Cloud Platform (GCP). It focuses on bringing consistent policy enforcement and visibility to an otherwise diverse range of services and environments that don’t naturally talk to one another.
Multifactor Authentication (MFA)
A security control that requires users to verify identity in two or more ways, perhaps with a password and a code delivered via phone. Diversifying what users know, what they have, and what they are blocks most account takeover attempts, even with stolen credentials.
Mutual Transport Layer Security (mTLS)
A protocol that authenticates both sides of any given connection, not just the server side. Clients also present certificates, ensuring only trusted machines and services can communicate. It’s a common security measure in service meshes and zero-trust setups.
Network Detection and Response (NDR)
A security tool that monitors network traffic for signs of threat, from data exfiltration to command-and-control activity. NDR uses behavioral analytics and threat intelligence to identify attacks that bypass endpoint tools.
NIST Cybersecurity Framework
A risk-based framework from the U.S. National Institute of Standards and Technology that helps organizations manage cybersecurity posture. It’s built on 5 core functions: Identify, Protect, Detect, Respond, and Recover, and is used across industries.
North-South Traffic
A term for data moving in and out of a data center or cloud environment, like a user accessing a web app or syncing with an external API. It’s contrasted with East-West Traffic, which stays internal.
Open-Source
A software model where the source code is publicly available for anyone to use, modify, and share. Open-source means faster innovation and complete transparency, but in security, it can mean vulnerabilities are visible to everyone, including attackers.
Open Source Vulnerability Management
A process for tracking and mitigating known flaws in open-source dependencies, like outdated libraries with published CVEs. It’s key to working with open-source components since attackers can scan for unpatched code just as quickly as defenders can.
Overlay Network
A virtual network built on top of another, like tunnelling encrypted traffic between containers across clouds. It abstracts underlying infrastructure, making communication simpler. However, it also adds complexity that can obscure misconfigurations and other security issues.
Patch Management
A process for identifying and applying software updates that fix bugs or security flaws. Most breaches exploit known vulnerabilities, so when patches exist, they should be applied quickly to avoid falling victim.
Payment Card Industry Data Security Standard (PCI-DSS)
A security standard that protects credit card data. It’s required globally for businesses handling card payments. It mandates encryption, access controls, logging, and regular scanning to prevent theft of cardholder info.
Penetration Testing
A simulated cyberattack used by ethical hackers to find and exploit weaknesses in systems before real attackers do. It tests how well defenses hold up under strain, and can elucidate gaps that automated scans can miss.
Perimeter Security
A traditional approach to securing the outer “walls” of an organization’s “castle.” Today, with remote workers, cloud workloads, and global data transmissions, the approach, which uses firewalls, VPNs, and intrusion detection, isn’t as useful (though many of its tactics can still be), given that the perimeter itself is now blurred.
Phishing
A social engineering attack where scammers trick users into revealing sensitive data. It typically includes fraudulent emails or websites. Though low-tech, phishing is effective and can result in surrendered passwords or MFA codes.
Privilege Escalation
A tactic where attackers gain higher access than they should have, like jumping from a basic user to an admin. It follows initial access and turns a small foothold into increasing control of a system.
Proxy Server
An intermediary server that routes clients to another system. Use proxy servers to filter traffic, hide internal infrastructure, and enforce policies. It can boost privacy and control, but may be abused to mask attacks.
Public Key Cryptography
An encryption method that uses 2 keys: one public to encrypt data, and another private key to decrypt it. It powers systems like HTTPS, digital signatures, and secure email so users can exchange data securely without sharing a secret first.
Quantum Computing
A next-generation computing model that uses quantum bits (qubits) to solve huge computing problems faster than current computers can. It threatens today’s encryption, which relies on problems that tomorrow’s quantum computing may be able to solve with ease.
Red Team
A group of ethical hackers who simulate real-world attacks to test organizational defenses. Red teams don’t scan; they try to break in, stay hidden, and reach critical assets so teams learn how systems respond when under fire.
Remote Code Execution (RCE)
A critical vulnerability that lets attackers run code on a remote system without permission. RCEs can lead to full takeover, often with just a crafted input or malicious payload.
Role-Based Access Control (RBAC)
This security model grants permissions based on roles, like “developer” or “finance,” rather than assigning them individually. It simplifies access management, but roles must be correct — not overly broad or outdated.
Runtime Application Self-Protection (RASP)
A security technology that embeds into an app and monitors its behavior in real time from within. RASP blocks attacks like SQL injection based on context, not signatures. It’s laser-focused on the internal workings of the app in which it lives, and is useful for high-value apps where pre-production scanning isn’t enough.
Runtime Security
The continuous monitoring and protection of applications, containers, and infrastructure while they are actively running. Unlike static checks before deployment, runtime security detects processes as they happen, often using behavioral analysis or system call tracing. It’s critical in dynamic workloads and for cloud environments. To investigate runtime security in more depth, look to:
- What is Runtime Application Self-Protection (RASP)?
- What is Cloud Infrastructure Security?
- Either/Or? The Realistic Guide to Shift-Left vs Shift-Right Security Approaches
- Multi-Cloud Security
- Protecting Public, Private, and On-Prem with Hybrid Cloud Security
Sandboxing
A security technique to run code in a controlled and isolated environment, so malicious components can’t impact the rest of the system. It’s used in browsers, file scanners, and malware analysis to safely observe risky behaviors.
Software Bill of Materials (SBOM)
A detailed inventory of all the components in a software package, like libraries, dependencies, and versions. It helps teams track known vulnerabilities, prove compliance, and understand what’s running in their code.
Software Composition Analysis (SCA)
A security tool that scans software for open-source components and checks them for known vulnerabilities and licensing issues. Most SCA tools generate SBOMs as part of their output and add context, auditing components to identify those that are outdated or noncompliant.
Static Application Security Testing (SAST)
A code analysis approach that scans source code for vulnerabilities before the app runs. It finds hardcoded secrets and insecure functions, but needs tuning to avoid false positives, and of course, can’t find ongoing issues continuously or at runtime.
Secrets
Sensitive credentials, like API keys, tokens, passwords, or certificates, used by apps to function securely. When hardcoded or mismanaged in storage, secrets become easy entry points into systems.
Secure Coding
Coding principles focused on writing code that avoids common vulnerabilities like injection flaws and buffer overflows. It focuses on designing software to fail safely when attacked and shifts security left, early in the development pipeline, impacting how developers write and structure their code in the first place.
Security Orchestration, Automation, and Response (SOAR)
A platform that automates security workflows from multiple tools and input sources. SOAR investigates and prioritizes alerts, blocks IPs, enriches logs, and automates the process to speed response.
Security Posture
A measure of how well an organization can prevent, identify, and respond to threats when they happen. Security posture is based on policies, tools, configurations, and behaviors and is the result of a holistic security strategy.
Shadow AI
The unsanctioned use of artificial intelligence tools, like employees using public generative AI tools. It creates visibility and compliance risks, above all when sensitive data or unvetted models are involved.
Shadow IT
Technology used inside an organization without approval. That can include unsanctioned apps, cloud services, or personal devices. It speeds the flow of work, but can often bypass security controls.
Shared Responsibility Model
A cloud security framework that defines who secures what. Most cloud clients are responsible for their data, apps, and configurations, while providers secure the infrastructure. Many breaches happen when teams misunderstand exactly what the provider contributes, and assume it handles more than it actually does.
Supply Chain Attack
A cyberattack that targets software or hardware to compromise downstream customers. Instead of accessing an organization directly, attackers can tamper with its trusted components, like open-source packages or build systems, and slip in unnoticed.
Tactics, Techniques, and Procedures (TTPs)
A framework for describing how attackers operate. Tactics are the “what,” while techniques are the “how,” and procedures are the “implementation.” All are used to track and understand threat actors and build threat-informed defenses.
Threat Intelligence
A collection of data about current or emerging cyberthreats. That can include attacker IPs, malware strains, and TTPs. Good threat intelligence helps teams prioritize risks, knowing what real-world adversaries are up to.
Threat Modeling
A structured exercise for identifying how attackers might exploit a system before they do. It maps assets, known entry points, and abuse cases so teams can design custom defenses and architectures that minimize the possibility of attack.
User Provisioning
An identity management process that creates new user accounts and access rights across systems. User provisioning can enforce least privilege and speed onboarding, but it can also leave orphaned accounts and loose ends.
Virtual Private Network (VPN)
A secure tunnel between a user and the network that encrypts internet traffic and hides location. VPNs protect data on untrusted networks, but they don’t offer app-level security, and they’re not best for zero trust environments since, once users are inside the network after a single-step login, they’re presumed to be trusted.
Vulnerability
A flaw in software, configuration, or design that could be exploited. Vulnerabilities include unpatched bugs, exposed ports, and weak permissions. Not all vulnerabilities are high-risk, and many are never discovered, but closing these entry gaps is central to organizational security nonetheless. Prioritizing fixes is key.
Web Application Firewall (WAF)
A security filter that sits in front of web apps and blocks malicious layer 7 traffic. It inspects HTTP requests and applies rules to identify attacks without changing the app code. WAFs are specifically tuned for web apps and can reduce attack surface at the edge, before traffic ever reaches runtime.
YAML (YAML Ain’t Markup Language) Misconfigurations
A common source of security issues in infrastructure-as-code (IaC) setups like Kubernetes: a YAML file with a small typo or missing field can break enforcement policies.
YARA Rules
A pattern-matching language used to write custom detectors for identifying malware. YARA rules use codes, strings, and behaviors to find specific quirks that can help fingerprint threats. Analysts write YARA rules to detect threats in files or memory, making YARA a significant tool for reverse engineering and threat hunting.
YubiKey (Hardware Token)
A physical security key that provides strong two-factor authentication. Instead of typing a coded password, users tap their key to verify identity. It’s phishing-resistant and user-friendly.
Zero-Day Attack
An exploit that targets a software vulnerability before the vendor knows about it or can release a fix. Defenders have “zero days” to patch it, so these attacks are hard to detect and stand to cause large amounts of damage if they’re not identified and remediated in time.
Zombie Account
An inactive user account that still has access to system data. Former employee credentials are classic examples of zombie accounts, which can be used in breaches without raising alarms, or used in insider threats.