Cybersecurity Glossary
100+ security terms explained clearly. From APT to Zero-day.
APT (Advanced Persistent Threat) Threat
A prolonged, targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period. APTs typically target high-value organizations such as governments, defense, and critical infrastructure, using sophisticated techniques to steal data or conduct espionage.
AV (Antivirus) Defense
Software designed to detect, prevent, and remove malware from computers and networks. Traditional antivirus relies on signature-based detection, while modern solutions incorporate heuristic analysis, behavioral monitoring, and machine learning to identify unknown threats.
ASN (Autonomous System Number) Network
A unique identifier assigned to a group of IP networks operated by one or more network operators under a single routing policy. ASNs are used in BGP routing and are valuable in threat intelligence for attributing IP addresses to specific organizations or ISPs.
Attack Surface Threat
The total sum of all points (attack vectors) where an unauthorized user can try to enter or extract data from an environment. This includes open ports, running services, web applications, APIs, employee endpoints, and cloud resources. Reducing the attack surface is a core security practice.
Authentication Defense
The process of verifying the identity of a user, device, or system before granting access to resources. Common methods include passwords, biometrics, security tokens, certificates, and multi-factor authentication (MFA).
ASM (Attack Surface Management) Defense
The continuous discovery, inventory, classification, and monitoring of an organization's external-facing digital assets. ASM tools help security teams identify unknown or unmanaged assets that could be exploited by attackers.
Backdoor Threat
A covert method of bypassing normal authentication or security controls to gain unauthorized access to a system. Backdoors can be installed by attackers after an initial compromise, or they may be intentionally built into software by developers for maintenance purposes.
BEC (Business Email Compromise) Threat
A type of social engineering attack where criminals impersonate a trusted business contact (often an executive or vendor) via email to trick employees into transferring money or divulging sensitive information. BEC is one of the most financially damaging forms of cybercrime.
Blue Team Defense
The defensive security team responsible for maintaining and improving an organization's security posture. Blue teams monitor for threats, respond to incidents, manage security tools (SIEM, EDR), and harden systems against attacks.
Botnet Threat
A network of compromised computers (bots or zombies) controlled remotely by an attacker (botmaster) through command and control (C2) infrastructure. Botnets are used for DDoS attacks, spam campaigns, credential stuffing, and cryptomining.
Brute Force Threat
A trial-and-error attack method that systematically attempts every possible combination of passwords, encryption keys, or credentials until the correct one is found. Brute force attacks are countered by strong passwords, rate limiting, and account lockout policies.
Buffer Overflow Threat
A vulnerability that occurs when a program writes more data to a memory buffer than it can hold, causing adjacent memory to be overwritten. Attackers exploit buffer overflows to inject and execute arbitrary code, crash applications, or escalate privileges.
C2 (Command and Control) Threat
The infrastructure and communication channels that attackers use to maintain control over compromised systems. C2 servers send instructions to malware, receive stolen data, and coordinate attack activities. Common C2 channels include HTTP/HTTPS, DNS, and social media platforms.
CERT (Computer Emergency Response Team) Defense
An organization or team responsible for coordinating the response to cybersecurity incidents. CERTs collect and disseminate threat information, issue advisories, and assist organizations in handling security events. Examples include US-CERT and national CSIRTs.
CIA Triad Defense
The foundational model of information security comprising three principles: Confidentiality (data is accessible only to authorized parties), Integrity (data is accurate and unaltered), and Availability (data and systems are accessible when needed). Every security control maps to one or more of these principles.
CIDR (Classless Inter-Domain Routing) Network
A method for allocating IP addresses and IP routing that replaces the older classful network design. CIDR notation (e.g., 192.168.1.0/24) specifies an IP address and its associated network prefix length, allowing flexible subnetting and efficient address allocation. CIDR cheat sheet →
CORS (Cross-Origin Resource Sharing) Network
A browser security mechanism that allows or restricts web pages from making requests to a different domain than the one that served the page. Misconfigured CORS policies can allow attackers to steal data from authenticated sessions via malicious websites.
CVE (Common Vulnerabilities and Exposures) Analysis
A standardized system for identifying and cataloging publicly known cybersecurity vulnerabilities. Each CVE entry has a unique ID (e.g., CVE-2024-12345), a description, and references. The CVE database is maintained by MITRE and is the industry standard for vulnerability identification. Search CVEs on mlab →
CVSS (Common Vulnerability Scoring System) Analysis
An open standard for assessing the severity of computer security vulnerabilities on a scale of 0.0 to 10.0. CVSS scores consider factors like attack vector, complexity, privileges required, and impact on confidentiality, integrity, and availability. Scores are categorized as Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0).
Cryptojacking Threat
The unauthorized use of a victim's computing resources to mine cryptocurrency. Attackers deploy mining scripts on compromised websites or install mining malware on endpoints, consuming CPU/GPU resources and increasing electricity costs while generating revenue for the attacker.
CTI (Cyber Threat Intelligence) Analysis
Evidence-based knowledge about existing or emerging threats to an organization's assets. CTI encompasses IOCs, TTPs, threat actor profiles, and strategic analysis. It is used to inform security decisions, prioritize defenses, and proactively hunt for threats. Extract IOCs →
Credential Stuffing Threat
An automated attack that uses stolen username-password pairs (from data breaches) to attempt logins on other services. Because users commonly reuse passwords, credential stuffing has a high success rate. Defense requires MFA and credential monitoring.
DDoS (Distributed Denial of Service) Threat
An attack that overwhelms a target system, server, or network with a flood of traffic from multiple distributed sources (often a botnet), rendering it unavailable to legitimate users. DDoS attacks can target the network layer (volumetric), transport layer (protocol), or application layer.
DFIR (Digital Forensics and Incident Response) Analysis
A specialized discipline combining digital forensics (collecting and analyzing digital evidence) with incident response (containing and remediating security incidents). DFIR professionals investigate breaches, preserve evidence for legal proceedings, and determine the root cause and scope of attacks. EML Parser → · Hash Generator →
DLP (Data Loss Prevention) Defense
Technologies and policies designed to prevent sensitive data from leaving an organization's control. DLP solutions monitor and control data in use (endpoints), data in motion (network), and data at rest (storage) to detect and block unauthorized data transfers.
DNS (Domain Name System) Network
The hierarchical naming system that translates human-readable domain names (e.g., example.com) into IP addresses. DNS is fundamental to internet functionality and is frequently targeted by attackers through DNS spoofing, DNS tunneling, DNS hijacking, and cache poisoning attacks. Network ports →
Domain Fronting Threat
A technique that uses different domain names at different layers of communication (SNI vs. Host header) to disguise the true endpoint of a connection. Attackers use domain fronting to hide C2 traffic behind legitimate CDN domains, making it difficult to block without disrupting legitimate services.
Drive-by Download Threat
An unintentional download of malware that occurs when a user visits a compromised or malicious website. The download happens without the user's knowledge or consent, exploiting vulnerabilities in the browser, plugins, or operating system to install malware silently.
DoH (DNS over HTTPS) Network
A protocol that encrypts DNS queries by sending them over HTTPS connections, preventing eavesdropping and manipulation. While DoH improves privacy, it also challenges network security monitoring by making DNS traffic invisible to traditional inspection tools.
EDR (Endpoint Detection and Response) Defense
Security software installed on endpoints (workstations, servers) that continuously monitors for suspicious activity, collects telemetry data, and provides automated or manual response capabilities. EDR goes beyond traditional antivirus by detecting fileless attacks, behavioral anomalies, and advanced threats.
Encryption Defense
The process of converting plaintext data into an unreadable ciphertext using a mathematical algorithm and a key. Encryption protects data confidentiality at rest (on disk) and in transit (over networks). Common algorithms include AES, RSA, and ChaCha20.
Endpoint Network
Any device that connects to a network and can be a source or destination of data. Endpoints include laptops, desktops, servers, smartphones, tablets, IoT devices, and virtual machines. Endpoints are common targets for attacks and require protection through EDR, patching, and hardening.
Exploit Threat
A piece of code, software, or technique that takes advantage of a vulnerability to cause unintended behavior, such as gaining unauthorized access, executing arbitrary code, or escalating privileges. Exploits can be delivered through documents, web pages, network packets, or physical access.
Exfiltration Threat
The unauthorized transfer of data from an organization's network to an external location controlled by an attacker. Exfiltration techniques include DNS tunneling, encrypted channels, steganography, removable media, and abuse of cloud storage services.
Exploit Kit Threat
A toolkit hosted on a web server that automatically identifies vulnerabilities in a visitor's browser or plugins and delivers the appropriate exploit to install malware. Exploit kits are sold or rented in underground markets and require minimal technical skill to operate.
Firewall Defense
A network security device or software that monitors and controls incoming and outgoing network traffic based on predefined security rules. Firewalls establish a barrier between trusted internal networks and untrusted external networks. Types include packet filtering, stateful inspection, proxy, and next-generation firewalls (NGFW).
Forensics (Digital) Analysis
The scientific process of collecting, preserving, analyzing, and presenting digital evidence from computers, networks, and storage devices. Digital forensics is used in incident response, law enforcement investigations, and legal proceedings to reconstruct events and identify attackers.
FTP (File Transfer Protocol) Network
A standard network protocol used for transferring files between a client and server. FTP transmits data in plaintext (including credentials), making it insecure. SFTP (SSH File Transfer Protocol) and FTPS (FTP Secure) are encrypted alternatives.
Fuzzing Analysis
An automated software testing technique that provides random, unexpected, or malformed input to a program to discover vulnerabilities, crashes, and unexpected behavior. Fuzzing is widely used in vulnerability research and software quality assurance to find memory corruption bugs, input validation flaws, and logic errors.
GDPR (General Data Protection Regulation) Compliance
A comprehensive data privacy regulation enacted by the European Union that governs how organizations collect, process, store, and transfer personal data of EU residents. GDPR mandates data breach notification within 72 hours and imposes fines of up to 4% of global annual revenue for violations.
Governance Compliance
The framework of policies, procedures, and controls that ensure an organization's IT and security activities align with business objectives and regulatory requirements. Security governance defines roles, responsibilities, risk tolerance, and accountability for cybersecurity decisions.
GRC (Governance, Risk, and Compliance) Compliance
An integrated approach to managing an organization's governance, risk management, and compliance with regulations. GRC platforms help organizations align IT with business goals, manage risk effectively, and maintain compliance with standards like SOX, HIPAA, PCI DSS, and GDPR.
Hashing Defense
A one-way mathematical function that converts input data of any size into a fixed-size output (hash or digest). Hashing is used for password storage, file integrity verification, digital signatures, and IOC identification. Common algorithms include SHA-256, SHA-1, and MD5. Generate hashes → · MD5 vs SHA-256 →
HIDS (Host-based Intrusion Detection System) Defense
Security software installed on individual hosts that monitors system activity, file integrity, log files, and registry changes to detect suspicious or unauthorized behavior. HIDS complements network-based detection by providing visibility into activity on the endpoint itself. Examples include OSSEC and Wazuh.
Honeypot Defense
A decoy system or resource intentionally deployed to attract and trap attackers. Honeypots appear to be legitimate targets but are closely monitored to study attacker techniques, collect IOCs, and provide early warning of intrusions without risking production systems.
HTTP (Hypertext Transfer Protocol) Network
The foundation protocol of the World Wide Web, used for transmitting hypertext documents between clients and servers. HTTP is stateless and transmits data in plaintext, making it vulnerable to eavesdropping and man-in-the-middle attacks. HTTP status codes →
HTTPS (HTTP Secure) Network
The encrypted version of HTTP that uses TLS (Transport Layer Security) to protect data in transit between a client and server. HTTPS ensures confidentiality, integrity, and authentication of web communications and is identified by the padlock icon in browsers.
IDS (Intrusion Detection System) Defense
A security system that monitors network traffic or host activity for signs of malicious behavior and generates alerts. IDS operates in passive mode, detecting and reporting threats but not blocking them. Types include network-based (NIDS) and host-based (HIDS).
IOC (Indicator of Compromise) Analysis
A piece of forensic data that identifies potentially malicious activity on a system or network. IOCs include IP addresses, domain names, file hashes, URLs, email addresses, registry keys, and mutexes. They are used for detection, incident response, and threat intelligence sharing. Extract IOCs →
IPS (Intrusion Prevention System) Defense
A security system that monitors network traffic for malicious activity and takes automated action to block or prevent detected threats in real time. Unlike IDS, IPS sits inline with network traffic and can drop packets, reset connections, or block IP addresses.
Incident Response Defense
The organized approach to addressing and managing a cybersecurity incident. The incident response lifecycle includes preparation, identification, containment, eradication, recovery, and lessons learned. A well-defined IR plan minimizes damage and reduces recovery time. EML Parser →
Insider Threat Threat
A security risk that originates from within the organization, involving employees, contractors, or business partners who misuse their authorized access to harm the organization. Insider threats can be malicious (intentional sabotage or theft) or negligent (accidental data exposure).
IOA (Indicator of Attack) Analysis
Evidence that an attack is currently in progress, focusing on the attacker's intent and behavior rather than specific artifacts. Unlike IOCs (which are reactive), IOAs are proactive indicators such as code execution patterns, lateral movement, and privilege escalation attempts.
JWT (JSON Web Token) Network
A compact, URL-safe token format used for securely transmitting claims between parties. JWTs are commonly used for authentication and authorization in web applications and APIs. A JWT consists of three Base64-encoded parts: header, payload, and signature. Misconfigured JWT validation is a common security vulnerability. Decode JWTs →
Jailbreak Threat
The process of removing software restrictions imposed by the manufacturer on a device (originally iOS devices, now also applied to AI systems). Jailbreaking bypasses security controls, potentially exposing the device to malware and voiding warranties. In the AI context, it refers to prompt injection techniques that bypass safety guardrails.
Kerberos Defense
A network authentication protocol that uses tickets and a trusted third-party Key Distribution Center (KDC) to verify the identity of users and services. Kerberos is the default authentication protocol in Windows Active Directory environments. Common attacks include Kerberoasting and Golden Ticket attacks.
Keylogger Threat
Malicious software or hardware that records keystrokes on a compromised device to capture sensitive information such as passwords, credit card numbers, and personal messages. Keyloggers can be delivered through malware, phishing, or physical installation on a device.
Kill Chain (Cyber) Analysis
A framework originally developed by Lockheed Martin that describes the stages of a cyberattack: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. The kill chain model helps defenders identify and disrupt attacks at each stage.
Lateral Movement Threat
The technique attackers use to move through a network after gaining initial access, progressively accessing additional systems and escalating privileges to reach high-value targets. Lateral movement techniques include pass-the-hash, pass-the-ticket, RDP, WMI, and PsExec.
LDAP (Lightweight Directory Access Protocol) Network
An open protocol for accessing and maintaining distributed directory information services, commonly used for authentication and user management. LDAP is the backbone of Active Directory. LDAP injection attacks exploit improperly sanitized user input to manipulate directory queries.
Log Management Defense
The practice of collecting, aggregating, storing, and analyzing log data from various sources (servers, applications, network devices, security tools) to support security monitoring, incident investigation, compliance, and troubleshooting.
LOLBins (Living Off the Land Binaries) Threat
Legitimate, pre-installed system binaries (e.g., PowerShell, certutil, mshta, regsvr32) that attackers abuse to execute malicious actions while evading detection. Because these tools are trusted by the OS and security software, their misuse is harder to detect than deploying custom malware.
Malware Threat
Malicious software designed to damage, disrupt, or gain unauthorized access to systems. Malware categories include viruses, worms, trojans, ransomware, spyware, adware, rootkits, and wipers. Malware is delivered through phishing, drive-by downloads, removable media, and supply chain compromises. Hash Generator → · Search on mlab →
MDR (Managed Detection and Response) Defense
An outsourced cybersecurity service that provides 24/7 threat monitoring, detection, and response capabilities. MDR providers combine technology (EDR, SIEM) with human expertise (security analysts) to detect and respond to threats that automated tools alone might miss.
MFA (Multi-Factor Authentication) Defense
An authentication method that requires users to provide two or more verification factors to access a resource. Factors include something you know (password), something you have (security token, phone), and something you are (biometrics). MFA significantly reduces the risk of credential-based attacks.
MITRE ATT&CK Analysis
A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. MITRE ATT&CK is used to classify threat actor behavior, build detection rules, assess defensive coverage, plan red team engagements, and communicate about threats using a common language. Explore MITRE Map →
MSSP (Managed Security Service Provider) Defense
A third-party organization that provides outsourced monitoring and management of security devices and systems. MSSPs offer services such as firewall management, intrusion detection, vulnerability scanning, and compliance management, allowing organizations to augment their internal security capabilities.
NAC (Network Access Control) Defense
A security solution that enforces policies for devices attempting to access a network. NAC checks device identity, health status (patch level, antivirus status), and user credentials before granting access. Non-compliant devices can be quarantined or given limited access.
NDR (Network Detection and Response) Defense
A security solution that monitors network traffic using behavioral analytics, machine learning, and threat intelligence to detect suspicious activity that bypasses traditional perimeter defenses. NDR provides visibility into east-west traffic and can detect lateral movement, C2 communications, and data exfiltration.
NIDS (Network Intrusion Detection System) Defense
An intrusion detection system that monitors network traffic at strategic points to identify suspicious patterns and known attack signatures. NIDS sensors are typically placed at network boundaries or key internal segments. Popular open-source NIDS include Suricata and Snort.
NIST (National Institute of Standards and Technology) Compliance
A U.S. government agency that develops cybersecurity standards and guidelines. The NIST Cybersecurity Framework (CSF) provides a structured approach to managing cybersecurity risk through five functions: Identify, Protect, Detect, Respond, and Recover. NIST SP 800-53 defines security controls for federal systems.
OAuth Network
An open authorization framework that allows third-party applications to access user resources without exposing credentials. OAuth 2.0 uses access tokens rather than passwords and is widely used for API authorization, single sign-on, and social login. Misconfigured OAuth flows can lead to account takeover.
OSINT (Open Source Intelligence) Analysis
Intelligence collected from publicly available sources such as websites, social media, public records, DNS data, WHOIS, and code repositories. OSINT is used in threat intelligence, penetration testing, investigations, and attack surface mapping to gather information about targets without direct interaction. Free OSINT tools →
OWASP (Open Web Application Security Project) Compliance
A nonprofit organization dedicated to improving software security. OWASP produces the widely referenced OWASP Top 10, a list of the most critical web application security risks (including injection, broken authentication, XSS, and security misconfiguration), along with testing guides and security tools.
Payload Threat
The component of malware or an exploit that performs the actual malicious action, such as installing a backdoor, encrypting files (ransomware), stealing data, or destroying systems. The payload is distinct from the delivery mechanism (dropper, exploit) that gets it onto the target.
Penetration Testing Analysis
An authorized simulated cyberattack performed to evaluate the security of a system, network, or application. Penetration testers (pentesters) use the same tools and techniques as real attackers to identify vulnerabilities, demonstrate impact, and provide remediation recommendations. Types include black-box, white-box, and gray-box testing.
Phishing Threat
A social engineering attack that uses fraudulent emails, websites, or messages to trick victims into revealing sensitive information (credentials, financial data) or installing malware. Phishing is the most common initial attack vector and comes in many forms: email phishing, smishing (SMS), vishing (voice), and spear phishing (targeted). Analyze emails → · Extract IOCs →
PKI (Public Key Infrastructure) Defense
A framework of roles, policies, hardware, software, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. PKI enables secure electronic communication through encryption and digital signatures, using pairs of public and private cryptographic keys.
Privilege Escalation Threat
The act of exploiting a vulnerability, design flaw, or misconfiguration to gain elevated access beyond what is normally authorized. Vertical escalation gains higher privileges (user to admin). Horizontal escalation accesses another user's resources at the same privilege level.
Purple Team Analysis
A collaborative approach where red team (offensive) and blue team (defensive) work together to improve an organization's security posture. Purple teaming combines attack simulation with real-time defense testing, ensuring that detection rules and response procedures are effective against current threat techniques.
Quarantine Defense
The isolation of a suspicious or malicious file, email, or device to prevent it from causing harm while it is analyzed. Antivirus software quarantines detected malware, email gateways quarantine suspicious messages, and NAC solutions quarantine non-compliant devices.
Ransomware Threat
Malware that encrypts a victim's files or locks them out of their systems and demands a ransom payment (typically in cryptocurrency) in exchange for the decryption key. Modern ransomware groups employ double extortion (encrypting and stealing data) and operate as Ransomware-as-a-Service (RaaS) businesses.
RBAC (Role-Based Access Control) Defense
An access control model that assigns permissions to roles rather than individual users. Users are assigned to roles based on their job functions, and they inherit the permissions associated with those roles. RBAC simplifies access management and enforces the principle of least privilege.
RCE (Remote Code Execution) Threat
A class of vulnerability that allows an attacker to execute arbitrary code on a remote system without physical access. RCE vulnerabilities are considered critical because they give attackers full control over the target. Examples include Log4Shell (CVE-2021-44228) and EternalBlue.
Red Team Analysis
An offensive security team that simulates real-world adversary attacks to test an organization's defenses, detection capabilities, and incident response procedures. Red teams use the same tactics, techniques, and procedures (TTPs) as actual threat actors, including social engineering, exploitation, and lateral movement.
Reverse Engineering Analysis
The process of analyzing a compiled binary, malware sample, or hardware device to understand its inner workings, functionality, and behavior. In cybersecurity, reverse engineering is used for malware analysis, vulnerability research, and understanding proprietary protocols. Common tools include IDA Pro, Ghidra, and x64dbg.
Rootkit Threat
A stealthy type of malware designed to provide persistent, privileged access to a system while concealing its presence from users and security tools. Rootkits can operate at the user level, kernel level, or firmware level, making them extremely difficult to detect and remove.
Sandbox Defense
An isolated, controlled environment used to safely execute and analyze suspicious files, URLs, or code without risking the production environment. Sandboxes observe malware behavior including file system changes, network connections, registry modifications, and process creation to generate detailed analysis reports.
SIEM (Security Information and Event Management) Defense
A centralized platform that collects, correlates, and analyzes security event data from across an organization's infrastructure in real time. SIEM systems aggregate logs from firewalls, endpoints, servers, and applications, applying correlation rules and analytics to detect threats and generate alerts for SOC analysts. SIEM vs SOAR →
Sigma Analysis
An open, vendor-agnostic signature format for describing log events and detection rules. Sigma rules can be converted into queries for various SIEM platforms (Splunk, Elastic, Microsoft Sentinel) and are widely shared in the security community for collaborative threat detection. YARA vs Sigma →
SOAR (Security Orchestration, Automation, and Response) Defense
A technology stack that combines security orchestration (connecting tools), automation (executing repetitive tasks), and incident response (managing cases). SOAR platforms reduce mean time to respond (MTTR) by automating playbooks for common alert types like phishing, malware, and account compromise. SIEM vs SOAR →
SOC (Security Operations Center) Defense
A centralized facility and team responsible for monitoring, detecting, analyzing, and responding to cybersecurity incidents on a 24/7 basis. SOC analysts use SIEM, EDR, SOAR, and threat intelligence tools to protect the organization. SOCs are typically structured in tiers: L1 (triage), L2 (investigation), and L3 (advanced analysis/hunting). Free SOC tools →
Spear Phishing Threat
A targeted phishing attack directed at a specific individual or organization, using personalized information to increase credibility. Unlike mass phishing, spear phishing emails are carefully crafted using OSINT about the target, making them significantly more effective and harder to detect.
SQL Injection Threat
A code injection technique that exploits vulnerabilities in an application's database layer by inserting malicious SQL statements into input fields. Successful SQL injection can allow attackers to read, modify, or delete database contents, bypass authentication, and in some cases execute operating system commands.
SSL/TLS (Secure Sockets Layer / Transport Layer Security) Network
Cryptographic protocols that provide encrypted communication over a network. SSL is the deprecated predecessor to TLS, though the term "SSL" is still commonly used. TLS secures HTTPS, email, VPNs, and other protocols through certificate-based authentication and symmetric encryption of data in transit. Network ports →
STIX/TAXII Analysis
STIX (Structured Threat Information Expression) is a standardized language for representing cyber threat intelligence, including indicators, threat actors, campaigns, and TTPs. TAXII (Trusted Automated Exchange of Intelligence Information) is the transport protocol for sharing STIX data between organizations in an automated, machine-readable way.
Supply Chain Attack Threat
An attack that targets a less secure element in the supply chain (software vendor, third-party library, hardware manufacturer) to compromise the ultimate target. Notable examples include SolarWinds (Sunburst), Kaseya, and the codecov bash uploader breach. Supply chain attacks are difficult to detect because they abuse trusted relationships.
Threat Hunting Analysis
The proactive practice of searching through networks, endpoints, and datasets to detect and isolate threats that evade existing security solutions. Threat hunters use hypotheses, threat intelligence, behavioral analytics, and anomaly detection to uncover hidden adversary activity.
Threat Intelligence Analysis
Evidence-based knowledge about threats, including context, mechanisms, indicators, implications, and actionable advice. Threat intelligence is categorized as strategic (high-level trends), tactical (TTPs), operational (specific campaigns), and technical (IOCs). It informs security decisions at all levels of an organization. Extract IOCs →
Tor (The Onion Router) Network
A free, open-source software and network that enables anonymous communication by routing internet traffic through multiple encrypted relays worldwide. Tor is used for privacy protection but also hosts hidden services (.onion sites) used by both privacy advocates and criminals on the dark web.
TTP (Tactics, Techniques, and Procedures) Analysis
A framework for describing adversary behavior. Tactics are the high-level goals (e.g., initial access, persistence). Techniques are the methods used to achieve tactics (e.g., phishing, DLL sideloading). Procedures are the specific implementations of techniques. TTPs are more durable indicators than IOCs because they reflect adversary tradecraft. Explore MITRE Map →
Two-Factor Authentication (2FA) Defense
A subset of multi-factor authentication that requires exactly two forms of verification to access an account. Common 2FA methods include SMS codes, authenticator apps (TOTP), hardware security keys (FIDO2/WebAuthn), and push notifications. 2FA provides strong protection against credential theft.
Threat Modeling Analysis
A structured approach to identifying, quantifying, and addressing security threats to a system. Common methodologies include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege), DREAD, and PASTA. Threat modeling is best performed during the design phase of software development.
UAC (User Account Control) Defense
A Windows security feature that prevents unauthorized changes to the operating system by requiring administrator approval for actions that could affect system settings or other users. UAC bypass techniques are commonly used by malware to escalate privileges without triggering the elevation prompt.
URL Filtering Defense
A security technique that blocks or allows access to websites based on URL categories, reputation scores, or explicit allow/deny lists. URL filtering is implemented in web proxies, firewalls, and DNS-based security services to prevent users from accessing malicious, phishing, or policy-violating websites.
VPN (Virtual Private Network) Network
A technology that creates an encrypted tunnel between a user's device and a remote server, protecting data in transit and masking the user's IP address. VPNs are used for secure remote access to corporate networks and for privacy on public networks. Common protocols include WireGuard, OpenVPN, and IPsec.
Vulnerability Threat
A weakness in a system, application, or process that can be exploited by a threat actor to perform unauthorized actions. Vulnerabilities can exist in software code, configurations, network architecture, or human processes. They are identified through scanning, penetration testing, and security research.
Vulnerability Scanning Analysis
The automated process of probing systems, networks, and applications for known vulnerabilities. Vulnerability scanners compare discovered services and software versions against databases of known CVEs and misconfigurations. Popular tools include Nessus, Qualys, OpenVAS, and Nuclei.
WAF (Web Application Firewall) Defense
A security solution that monitors, filters, and blocks HTTP/HTTPS traffic to and from a web application. WAFs protect against common web attacks including SQL injection, cross-site scripting (XSS), file inclusion, and request forgery. WAFs can be network-based, host-based, or cloud-based.
Web Shell Threat
A malicious script uploaded to a web server that provides an attacker with remote access and control over the server through a web browser interface. Web shells support file management, command execution, data exfiltration, and pivoting. They are commonly written in PHP, ASP, JSP, or Python. JS Deobfuscator →
Whaling Threat
A highly targeted phishing attack aimed at senior executives (C-suite) or other high-profile individuals within an organization. Whaling attacks use sophisticated social engineering, often impersonating legal notices, executive requests, or board communications to trick victims into authorizing large financial transfers or revealing sensitive data.
Worm Threat
A type of malware that self-replicates and spreads across networks without requiring user interaction or a host file. Worms exploit vulnerabilities in network services, operating systems, or applications to propagate. Notable examples include WannaCry, Conficker, and Stuxnet.
XDR (Extended Detection and Response) Defense
An integrated security platform that unifies detection and response across multiple security layers including endpoints, network, email, cloud, and identity. XDR correlates data from these sources to provide comprehensive visibility, reduce alert fatigue, and enable faster investigation and response.
XSS (Cross-Site Scripting) Threat
A web application vulnerability that allows attackers to inject malicious client-side scripts into web pages viewed by other users. XSS can be used to steal session cookies, redirect users, deface websites, or deliver malware. Types include reflected XSS, stored XSS, and DOM-based XSS. JS Deobfuscator →
YARA Analysis
A pattern-matching tool and rule language used to identify and classify malware samples based on textual or binary patterns. YARA rules describe families of malware using strings, regular expressions, and boolean logic. Security researchers and SOC teams use YARA to scan files, memory, and processes for known threats. YARA vs Sigma →
Zero-day Threat
A previously unknown vulnerability in software or hardware that has no available patch or fix. Zero-day exploits are extremely valuable to attackers (and on the exploit market) because defenders have had "zero days" to prepare. Discovery of zero-days often leads to emergency patches and widespread media coverage. Search vulnerabilities →
Zero Trust Defense
A security model based on the principle "never trust, always verify." Zero Trust assumes that threats exist both inside and outside the network, requiring strict identity verification, least-privilege access, and continuous validation for every user, device, and connection — regardless of their location or network segment.