The Referently Glossary of Cybersecurity: Terms for the Current Threat Landscape
A working reference for the language of modern cybersecurity — organized by threat surface and defensive domain. Definitions are written for security professionals, technical managers, and informed practitioners who need precision without padding.
Threat Actors and Motivation
Advanced Persistent Threat (APT)
A sophisticated, long-duration cyberattack campaign — typically state-sponsored — characterized by stealth, patience, and a specific high-value target. APT actors infiltrate networks and maintain persistent access for months or years before executing their objective. Nation-state APT groups are tracked by intelligence firms under codenames (APT28, Lazarus Group, Volt Typhoon).
Threat Actor
Any individual, group, or organization that conducts or sponsors malicious cyber activity. Threat actors are categorized by motivation: financial (cybercriminal groups), geopolitical (nation-states), ideological (hacktivists), or disruptive (insiders). Attribution is difficult and frequently contested.
Nation-State Actor
A threat actor operating under the direction or protection of a sovereign government. Nation-state actors conduct espionage, sabotage, intellectual property theft, and influence operations. Their technical capabilities and operational patience exceed those of typical criminal groups.
Cybercriminal Group
An organized criminal enterprise conducting cyberattacks for financial gain. Major cybercriminal groups operate with organizational structures resembling legitimate businesses — recruiting, HR, customer service for ransom negotiations. Groups like LockBit, ALPHV, and Cl0p have generated billions in criminal revenue.
Insider Threat
A security risk originating from within an organization — a current or former employee, contractor, or partner with legitimate access. Insider threats may be malicious (sabotage, data theft) or negligent (accidental exposure). They are harder to detect than external threats because the actor already has authorized access.
Hacktivist
A threat actor motivated by political or social ideology rather than financial gain. Hacktivist operations typically involve defacement, DDoS attacks, or data leaks intended to embarrass or disrupt a targeted organization or government. Anonymous is the most recognized hacktivist collective.
Initial Access Broker
A threat actor who specializes in breaching organizations' networks and selling that access to other actors — typically ransomware operators — rather than monetizing it directly. The IAB market has industrialized the first stage of ransomware attacks.
Attack Techniques
Phishing
A social engineering attack in which a deceptive communication — typically email — tricks a recipient into revealing credentials, clicking a malicious link, or opening a malware-laden attachment. Phishing remains the most common initial access vector for breaches.
Spear Phishing
A targeted phishing attack crafted for a specific individual or organization, using personal details to appear credible. Spear phishing has a substantially higher success rate than generic phishing and is the preferred initial access technique for APT actors.
Business Email Compromise (BEC)
A fraud scheme in which an attacker impersonates a trusted executive or vendor to trick employees into transferring funds or disclosing sensitive information. BEC requires no malware and generates more financial losses annually than ransomware.
Ransomware
Malware that encrypts a victim’s files and demands payment for the decryption key. Modern ransomware attacks typically involve double extortion: encrypting files and exfiltrating data, threatening to publish it if the ransom is unpaid. Ransomware-as-a-Service (RaaS) models have commoditized deployment.
Supply Chain Attack
An attack that compromises a target indirectly by infiltrating a trusted third-party vendor, software component, or hardware manufacturer. The SolarWinds and XZ Utils compromises are defining examples. Supply chain attacks are high-leverage because a single compromise can propagate to thousands of downstream victims.
Zero-Day
A software vulnerability that is unknown to the vendor or for which no patch exists. Zero-days are valuable attack assets; state actors and criminal groups pay millions for reliable exploits. Once a zero-day is disclosed, the clock starts for vendors to patch and for defenders to mitigate.
Exploit
Code or a technique that takes advantage of a software vulnerability to achieve unauthorized access or behavior. An exploit transforms a theoretical vulnerability into an actionable attack capability.
Lateral Movement
The techniques an attacker uses to progressively move through a network after initial compromise, gaining access to additional systems and data. Lateral movement is the phase between initial access and objective achievement. Detection during lateral movement is often the last opportunity to stop an attack before damage occurs.
Privilege Escalation
The process of gaining higher permissions than an attacker’s initial access level — moving from a standard user account to administrator or domain controller. Privilege escalation is a required step for most high-impact attacks.
Command and Control (C2)
The infrastructure used by attackers to maintain communication with compromised systems, issue commands, and exfiltrate data. C2 infrastructure detection is a primary focus of network-based threat hunting. Modern C2 frameworks (Cobalt Strike, Brute Ratel) are designed to blend with legitimate traffic.
Living off the Land (LotL)
An attack technique that uses legitimate system tools — PowerShell, WMI, certutil, PsExec — rather than custom malware to conduct malicious operations. LotL attacks are harder to detect because the tools themselves are expected in normal system operation.
Credential Stuffing
The automated use of username-password pairs from previous data breaches to gain unauthorized access to other accounts. It is effective because users reuse passwords across services. Credential stuffing is a high-volume, low-sophistication attack that succeeds through sheer scale.
SQL Injection
A code injection technique that inserts malicious SQL statements into input fields, allowing an attacker to manipulate the backend database. SQL injection can expose, modify, or delete entire databases. It has been a top web vulnerability for over two decades.
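Worked example (added here; not part of the Referently glossary): the same lookup written once with string-spliced input and once with a bound parameter, against a constructed in-memory SQLite table. The table rows and the function names are illustrative assumptions; the point is that parameter binding fixes the statement's structure before any input is seen, so input can only ever be compared as data.

```python
import sqlite3

def build_db() -> sqlite3.Connection:
    """Constructed in-memory users table; the rows are illustrative only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users (username, role) VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user"), ("carol", "user")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    """Defective pattern: untrusted input is spliced into the SQL text, so the
    input can change the statement's structure, not just the value compared."""
    sql = f"SELECT username, role FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, username: str) -> list:
    """Hardened pattern: the driver binds the value as data; the statement
    shape is fixed before any user input is seen."""
    sql = "SELECT username, role FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    db = build_db()
    benign, tautology = "bob", "x' OR '1'='1"
    print(lookup_vulnerable(db, benign), lookup_parameterized(db, benign))
    print(lookup_vulnerable(db, tautology))      # every row: the WHERE clause became always-true
    print(lookup_parameterized(db, tautology))   # no rows: it searched for that literal username
```

The hardened form is the one to use everywhere; an input allow-list or escaping layer is a secondary control, not a substitute for binding.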
Cross-Site Scripting (XSS)
A web vulnerability in which an attacker injects malicious scripts into pages viewed by other users. XSS exploits the trust a user’s browser has in a website. Stored XSS is particularly dangerous because it persists in the target application and affects all subsequent visitors.
DDoS (Distributed Denial of Service)
An attack that overwhelms a target system with traffic from many sources simultaneously, rendering it unavailable to legitimate users. DDoS attacks are volumetric (bandwidth exhaustion), protocol (resource exhaustion), or application-layer. Botnets of compromised devices are the primary attack infrastructure.
Man-in-the-Middle (MitM)
An attack in which a threat actor secretly intercepts and potentially alters communications between two parties who believe they are communicating directly. MitM attacks can capture credentials, session tokens, and sensitive data. TLS encryption is the primary mitigation.
Watering Hole Attack
An attack that compromises websites frequently visited by a target group, infecting visitors with malware when they browse. Rather than attacking the target directly, the attacker poisons a location the target visits regularly.
Malware Taxonomy
Malware
Any software designed to disrupt, damage, or gain unauthorized access to computer systems. Malware encompasses ransomware, trojans, spyware, rootkits, worms, and more. The term is broad; specificity in classification matters for response.
Trojan
Malware disguised as legitimate software. Unlike viruses or worms, trojans do not self-replicate; they rely on users executing them. Trojans typically establish backdoor access or download additional payloads after installation.
Rootkit
Malware designed to conceal its presence and provide privileged access to a system. Rootkits operate at low system levels — sometimes in firmware or the kernel — making them extremely difficult to detect and remove.
Spyware
Software that covertly monitors user activity and transmits data to a third party. Spyware ranges from commercial stalkerware to sophisticated state-sponsored implants like Pegasus. Keyloggers are a common spyware component.
Botnet
A network of malware-infected devices controlled by a central operator. Botnets are infrastructure for spam, DDoS attacks, credential stuffing, and cryptocurrency mining. Large botnets may comprise millions of devices, predominantly consumer IoT equipment.
Wiper
Malware designed to permanently destroy data on infected systems, with no financial motive. Wipers are primarily a state-sponsored weapon used in geopolitical conflicts. NotPetya (2017) caused over $10 billion in damage and remains the most destructive cyberattack in recorded history.
Loader
A lightweight malware component whose sole purpose is to download and execute a more capable payload. Loaders are the delivery mechanism for the actual attack tool and are typically designed to evade endpoint detection.
Vulnerability Management
CVE (Common Vulnerabilities and Exposures)
A standardized identifier for publicly known cybersecurity vulnerabilities. CVE numbers (e.g., CVE-2021-44228) provide a common reference across security tools, advisories, and databases. MITRE administers the CVE program.
CVSS (Common Vulnerability Scoring System)
A framework for rating the severity of software vulnerabilities on a 0–10 scale. CVSS scores consider attack vector, complexity, required privileges, and impact on confidentiality, integrity, and availability. Scores of 9.0–10.0 are Critical.
Patch Management
The systematic process of identifying, testing, and deploying software updates that fix security vulnerabilities. Unpatched vulnerabilities are among the most common attack vectors; effective patch management is foundational hygiene.
Attack Surface
The total set of entry points through which an attacker could interact with a system — exposed ports, APIs, user interfaces, third-party integrations, physical access points. Reducing attack surface is a primary goal of hardening.
Hardening
The process of reducing a system’s attack surface by disabling unnecessary services, removing default credentials, applying least-privilege principles, and configuring security controls. Hardening is proactive defense against known attack patterns.
Penetration Testing
Authorized simulated attacks conducted to identify exploitable vulnerabilities before real attackers do. Penetration testers use the same techniques as malicious actors; findings are documented and remediated. It is distinct from vulnerability scanning, which is passive discovery.
Bug Bounty
A program that rewards external security researchers for responsibly disclosing vulnerabilities to an organization. Bug bounty programs extend the security testing surface beyond internal teams at a fraction of the cost of full-time staff.
Responsible Disclosure
The practice of reporting a discovered vulnerability to the affected vendor before public disclosure, giving them time to develop a patch. The standard disclosure timeline is 90 days. Coordinated disclosure benefits the broader user community while protecting the researcher’s findings.
Defense and Architecture
Zero Trust
A security model that assumes no user, device, or network segment is inherently trustworthy — inside or outside a traditional perimeter. Zero trust requires continuous verification of identity and device posture before granting access to any resource. It is the dominant architectural paradigm for modern enterprise security.
Defense in Depth
A security strategy employing multiple overlapping layers of controls so that the failure of any single control does not result in total compromise. Defense in depth assumes breach and designs systems to contain damage.
Least Privilege
The principle that users, services, and systems should have only the minimum permissions required to perform their function. Least privilege limits the blast radius of compromised credentials and insider threats.
Network Segmentation
The division of a network into isolated segments to limit lateral movement. Proper segmentation means that a compromised device in one segment cannot freely access resources in others. Microsegmentation applies this principle at a granular, per-workload level.
Firewall
A network security control that filters traffic based on defined rules. Traditional firewalls operate at layers 3 and 4 (IP and port); next-generation firewalls (NGFW) add application awareness, deep packet inspection, and threat intelligence integration.
Intrusion Detection System (IDS)
A system that monitors network traffic or host activity for patterns indicating malicious behavior and generates alerts. IDS is passive detection; an Intrusion Prevention System (IPS) adds the ability to block detected threats automatically.
SIEM (Security Information and Event Management)
A platform that aggregates and correlates log and event data from across an environment to detect threats and support incident response. SIEMs are the operational center of security monitoring programs. Splunk, Microsoft Sentinel, and IBM QRadar are leading vendors.
SOC (Security Operations Center)
The team and technology infrastructure responsible for continuous monitoring, detection, and response to cybersecurity threats. SOC analysts triage alerts, investigate incidents, and coordinate remediation. Tier 1–3 analyst structures reflect escalating investigation complexity.
EDR (Endpoint Detection and Response)
Security software that monitors endpoints for malicious behavior and provides detection, investigation, and response capabilities. EDR goes beyond antivirus by recording endpoint activity for forensic analysis and enabling real-time threat hunting.
XDR (Extended Detection and Response)
An evolution of EDR that correlates telemetry across endpoints, network, cloud, identity, and email to provide unified detection and response. XDR reduces alert fatigue by connecting signals that would appear unrelated in siloed tools.
MDR (Managed Detection and Response)
An outsourced security service that provides continuous monitoring, threat detection, and incident response. MDR providers combine technology with human analyst expertise, serving organizations that lack internal SOC capacity.
Threat Intelligence
Information about adversaries, their tactics, techniques, and procedures (TTPs), and indicators of compromise (IoCs) that informs defensive decisions. Threat intelligence ranges from strategic (geopolitical context) to operational (active campaigns) to tactical (specific IoCs).
MITRE ATT&CK
A publicly maintained framework cataloging adversary tactics, techniques, and procedures based on real-world observations. ATT&CK is the universal language for describing attacker behavior and is used in threat intelligence, detection engineering, and red team planning.
Indicator of Compromise (IoC)
Forensic artifacts — IP addresses, domains, file hashes, registry keys — that suggest a system has been compromised. IoCs are the building blocks of threat intelligence sharing and automated detection rules.
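Worked example (added here; not from the Referently glossary): the simplest automated detection rule built on IoCs, a matcher that runs a small indicator set over log lines. The IoC values and the log lines are constructed for the example (documentation-range IP, a reserved `.example` domain, a placeholder hash); the key=value log format and the function names are assumptions. It shows two details that matter in practice: hostnames are matched on domain suffix so subdomains of a flagged domain also hit, and hashes are compared case-insensitively.

```python
import re

# Constructed IoC set. None of these are real indicators.
IOCS = {
    "ip": {"203.0.113.45"},                 # RFC 5737 documentation range
    "domain": {"update-check.example"},     # reserved TLD, placeholder domain
    "sha256": {"d" * 64},                   # placeholder hash, not a real sample
}

# Constructed sample log lines in a key=value format (assumed, not any vendor's).
SAMPLE_LOGS = [
    'ts=2026-05-01T10:00:01Z event=dns src=10.0.0.5 host=www.example.com',
    'ts=2026-05-01T10:00:07Z event=dns src=10.0.0.5 host=cdn.update-check.example',
    'ts=2026-05-01T10:00:09Z event=conn src=10.0.0.5 dst=203.0.113.45 dport=443',
    'ts=2026-05-01T10:01:30Z event=file src=10.0.0.9 path="/tmp/inv.pdf" sha256=' + "D" * 64,
    'ts=2026-05-01T10:02:00Z event=conn src=10.0.0.7 dst=198.51.100.8 dport=443',
]

KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_line(line: str) -> dict:
    """Turn 'k=v k2="v with spaces"' into a dict; quotes are stripped from values."""
    return {k: v.strip('"') for k, v in KV_RE.findall(line)}

def domain_matches(host: str, ioc_domains: set) -> bool:
    """Exact match or subdomain of a flagged domain; trailing dot and case ignored."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in ioc_domains)

def match_iocs(lines: list, iocs: dict) -> list:
    """Return (line_number, ioc_type, matched_value) for every IoC hit."""
    hits = []
    for n, line in enumerate(lines, 1):
        f = parse_line(line)
        for key in ("src", "dst"):
            if f.get(key) in iocs["ip"]:
                hits.append((n, "ip", f[key]))
        if "host" in f and domain_matches(f["host"], iocs["domain"]):
            hits.append((n, "domain", f["host"].lower()))
        if "sha256" in f and f["sha256"].lower() in iocs["sha256"]:
            hits.append((n, "sha256", f["sha256"].lower()))
    return hits

if __name__ == "__main__":
    for hit in match_iocs(SAMPLE_LOGS, IOCS):
        print(hit)
```

IoC matching is cheap and precise but brittle: an attacker can change an IP or recompile a binary in minutes, which is why IoC feeds are paired with behavioral detections (ATT&CK technique coverage) rather than relied on alone.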
Threat Hunting
Proactive investigation of an environment to find adversaries who have evaded automated detection. Threat hunters form hypotheses about attacker behavior, then query data to validate or refute them. Hunting assumes that sophisticated attackers are already present and undetected.
Identity and Access
Multi-Factor Authentication (MFA)
An authentication mechanism requiring at least two distinct verification factors: something the user knows (password), has (physical token, phone), or is (biometric). MFA is the single most effective control against credential-based attacks.
Single Sign-On (SSO)
An authentication scheme that allows users to access multiple applications with one set of credentials. SSO improves user experience and centralizes authentication enforcement. It concentrates risk — a compromised SSO session grants broad access.
Identity Provider (IdP)
The system responsible for authenticating users and asserting their identity to other services. Okta, Azure AD (Entra ID), and Ping Identity are leading IdPs. The IdP is the highest-value target in identity-based attacks.
Privileged Access Management (PAM)
Controls specifically designed to manage, audit, and protect privileged accounts — administrators, service accounts, and root credentials. PAM tools enforce just-in-time access, session recording, and credential vaulting.
RBAC (Role-Based Access Control)
An access control model in which permissions are assigned to roles, and users are assigned to roles — rather than assigning permissions directly to individual users. RBAC simplifies administration and reduces permission sprawl.
OAuth 2.0
An authorization framework that allows third-party applications to access resources on behalf of a user without exposing credentials. OAuth 2.0 is the standard mechanism for delegated authorization in web and mobile applications.
SAML (Security Assertion Markup Language)
An XML-based standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML is widely used for enterprise SSO, particularly in legacy environments.
Passkey
A phishing-resistant authentication credential based on public-key cryptography, replacing passwords. Passkeys are tied to a specific device and domain, eliminating credential phishing and replay attacks. Defined by the FIDO2 standard and supported by major platforms.
Cloud Security
Cloud Security Posture Management (CSPM)
Tools that continuously assess cloud environments for misconfigurations against security benchmarks and compliance frameworks. Misconfigurations — public S3 buckets, permissive IAM policies, unencrypted storage — are the leading cause of cloud breaches.
Cloud Workload Protection Platform (CWPP)
Security controls protecting workloads running in cloud environments — VMs, containers, serverless functions. CWPPs provide vulnerability management, runtime protection, and behavioral monitoring for cloud-native compute.
CNAPP (Cloud-Native Application Protection Platform)
A converged security platform combining CSPM, CWPP, infrastructure-as-code security, and container security into a unified solution. CNAPP reflects the consolidation trend in cloud security tooling.
Shared Responsibility Model
The delineation of security obligations between cloud providers and customers. Providers secure the underlying infrastructure; customers are responsible for everything they configure and deploy on top of it. Misunderstanding this boundary is a common source of cloud security gaps.
Infrastructure as Code (IaC) Security
The practice of scanning Terraform, CloudFormation, and similar declarative infrastructure definitions for security misconfigurations before deployment. Shifting security left into the IaC layer is cheaper than detecting misconfigurations in running environments.
Cryptography and Data Protection
Encryption at Rest
The encryption of data when it is stored — on disk, in a database, or in cloud storage. Encryption at rest protects data if physical media or storage systems are accessed without authorization.
Encryption in Transit
The encryption of data as it moves across networks. TLS is the dominant protocol for encryption in transit. Without it, network-layer attackers can intercept and read all transmitted data.
TLS (Transport Layer Security)
The cryptographic protocol securing the majority of internet communications. TLS provides authentication, integrity, and confidentiality for data in transit. TLS 1.3, finalized in 2018, is the current standard; earlier versions contain known vulnerabilities.
PKI (Public Key Infrastructure)
The system of certificate authorities, digital certificates, and cryptographic protocols used to verify identity and enable encrypted communication at scale. PKI underpins HTTPS, email signing, and code signing.
Key Management
The policies and systems for generating, storing, distributing, rotating, and revoking cryptographic keys. Poor key management is a common failure mode: encrypted data is only as secure as the protection of the keys that decrypt it.
Hashing
A one-way cryptographic function that transforms input data into a fixed-length output (hash or digest). Hashes are used to verify data integrity, store passwords securely, and identify files. SHA-256 and SHA-3 are current standards; MD5 and SHA-1 are deprecated.
Certificate Transparency
A public logging framework for TLS certificates that allows anyone to monitor certificate issuance. Certificate Transparency enables detection of misissued or fraudulent certificates and is now required for certificates trusted by major browsers.
Compliance and Frameworks
NIST Cybersecurity Framework (CSF)
A voluntary framework published by the US National Institute of Standards and Technology, organizing security controls across five functions: Identify, Protect, Detect, Respond, Recover. The CSF is the most widely adopted security framework in the United States.
ISO 27001
An international standard for information security management systems. ISO 27001 certification requires organizations to implement and continuously improve a comprehensive set of security controls and management processes.
SOC 2
An auditing standard for service organizations covering security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type II reports assess whether controls were operating effectively over a defined period and are widely required in enterprise B2B contracts.
GDPR (General Data Protection Regulation)
The European Union’s data protection regulation, establishing rights for individuals and obligations for organizations handling personal data. GDPR has extraterritorial reach; any organization processing EU residents’ data is subject to its requirements. Fines reach 4% of global annual turnover.
NIS2 Directive
The EU’s updated network and information security directive, substantially expanding the scope and obligations of the original NIS Directive. NIS2 applies to a wider range of sectors, mandates incident reporting within 24 hours, and imposes management-level accountability for cybersecurity failures.
PCI DSS
The Payment Card Industry Data Security Standard — a set of requirements for organizations that handle credit card data. PCI DSS compliance is mandated by card network rules, not law, but non-compliance results in fines and loss of card processing privileges.
HIPAA
The US Health Insurance Portability and Accountability Act, which establishes security and privacy requirements for protected health information. HIPAA applies to healthcare providers, insurers, and their business associates.
Incident Response
Incident Response (IR)
The structured process for identifying, containing, eradicating, and recovering from cybersecurity incidents. Formal IR follows phases: preparation, detection, containment, eradication, recovery, lessons learned. Speed and decisiveness in the early phases determine breach impact.
Containment
The IR phase focused on preventing an active incident from spreading. Containment may involve isolating affected systems, blocking attacker infrastructure, or disabling compromised accounts. It precedes eradication and recovery.
Forensics
The systematic collection, preservation, and analysis of digital evidence from compromised systems. Forensic investigation determines the timeline, scope, and method of an attack. Chain-of-custody procedures ensure evidence is admissible if legal action follows.
Mean Time to Detect (MTTD)
The average time between the start of an intrusion and its detection by the defending organization. Industry median MTTD for breaches has been measured in weeks to months. Reducing MTTD is the primary operational objective of security monitoring programs.
Mean Time to Respond (MTTR)
The average time between detection of an incident and its containment or resolution. MTTR measures response effectiveness. Combined with MTTD, it defines the total window during which an attacker operates unimpeded.
Tabletop Exercise
A simulated incident response discussion in which stakeholders walk through their response to a hypothetical breach scenario. Tabletop exercises identify gaps in communication, authority, and procedure without requiring live systems. They are a standard preparedness practice.
Last updated May 2026. The threat landscape evolves continuously; this glossary reflects current dominant patterns and terminology. Referently maintains this reference as a living document.