Glossary
98 terms from the security world, briefly explained. We link here from blog articles when we drop an acronym in the text. If something is missing, email [email protected].
Standard that lets an organisation display its logo next to authenticated mail in the inbox.
Requires DMARC `p=reject` plus a verified mark (VMC). A nice brand signal once all preconditions are in place.
See also: DMARC
The defensive team: SOC, incident response, hardening. Counterpart to red team.
Blue team maturity is often assessed through tabletop exercises and red-team engagements.
See also: Red team, Purple team
Network of compromised devices under an actor's control, usually via C2 infrastructure.
Powers DDoS, spam, credential-stuffing. The Mirai family is a classic IoT botnet.
A public or private programme where external researchers report vulnerabilities for a reward.
Complements pentesting, gives continuous coverage. Requires a mature triage process or the team drowns.
Infrastructure attackers use to send commands to compromised endpoints.
Common frameworks: Cobalt Strike, Sliver, Mythic. Detection often relies on beacon patterns and C2 traffic.
Globally distributed caching of web content, often with built-in WAF and DDoS protection.
Cloudflare, Fastly, AWS CloudFront are most common. Common mistake: forgotten CDN configurations bypassed via direct origin IP calls.
Historical term for incident response team, now often synonymous with CSIRT. The original was CERT/CC at Carnegie Mellon.
CERT-SE is Sweden's national CSIRT, formally part of MSB.
See also: CSIRT
Public append-only logs of issued TLS certificates in an auditable format.
Practical source for subdomain discovery and detecting unwanted certificate issuance against your domain.
18 prioritised security controls from the Center for Internet Security, often used as a pragmatic baseline.
More hands-on than ISO 27001. Implementation Group 1 is "minimum viable security".
Process where a finder and a vendor cooperate on the timing and content of a public vulnerability disclosure.
The familiar 90-day deadline from Google Project Zero has become industry standard, even though it is not formally regulated.
Mechanism that lets a site explicitly allow cross-origin requests from other origins. A browser policy, not server security.
CORS does not protect against CSRF — it only protects reading of the response. `Access-Control-Allow-Origin: *` on an authenticated API is dangerous.
EU regulation (2024/2847) covering cybersecurity of products with digital elements. Fully applicable 11 December 2027, with vulnerability reporting from 11 September 2026.
Manufacturers selling software or hardware into the EU must CE-mark for security, provide an SBOM, publish a vulnerability disclosure policy, and report actively exploited vulnerabilities within 24 hours.
National or sectoral incident response team. In Sweden, CERT-SE is run by MSB.
Receives NIS2 and CRA reports and is the central contact point for major incidents.
HTTP header that restricts what resources the browser may load and execute on the page. Primary defence against XSS.
Strict CSP without `unsafe-inline` is the best variant. Takes time to roll out correctly but provides high protective value.
Attack where a logged-in user's browser is tricked into sending an unwanted request to a site they're authenticated against.
Defended with CSRF tokens, SameSite cookies and origin checks. Modern SameSite=Lax defaults reduce risk significantly.
See also: XSS
Global ID system for public vulnerabilities, e.g. CVE-2024-3094. Maintained by MITRE.
The CVE ID is the universal key for talking about a specific vulnerability across systems and reports.
Scale 0.0-10.0 describing technical severity. Current version is 4.0 (2023). Combines attack vector, complexity, impact on the CIA triad.
CVSS does not tell you how likely a vulnerability is to be exploited — that's EPSS. CVSS + EPSS is a better prioritisation basis.
Classification of vulnerability types (e.g. CWE-79 = XSS, CWE-89 = SQL injection). Maintained by MITRE.
CWE describes the class, CVE the instance. The CWE Top 25 is a useful prioritisation guide.
See also: CVE
Dynamic security testing of a running application, typically via HTTP fuzzing and payload injection.
Finds runtime issues SAST cannot see, but requires the application to be deployed and testable.
Attack where a large number of simultaneous requests overload the target service and make it unavailable.
Defended with CDN, anycast and dedicated scrubbing services. Volumetric, protocol and application-layer are the three categories.
See also: CDN
Cryptographic signing of outgoing email, with the public key published in DNS.
Together with SPF it forms the basis for DMARC. Rotate keys yearly, use 2048-bit RSA or ED25519.
Policy that combines SPF + DKIM and tells receivers how to handle mail that does not authenticate.
Should be `p=reject` on all sending domains. Aggregate reports reveal who is spoofing you.
The internet's naming system, mapping hostnames to IP addresses. Also the channel for SPF, DKIM, DMARC, CAA, security.txt.
DNSSEC signs responses against tampering. DoH/DoT encrypts the transport.
EU regulation for financial entities and their ICT providers. Applicable since 17 January 2025.
Banks, insurers and critical ICT providers to the financial sector must have threat-led penetration testing (TLPT), incident response and third-party risk programmes in place.
Continuous mapping and monitoring of externally exposed assets: domains, subdomains, IPs, ports, applications, certificates.
Scanning "known" assets misses what was lost track of. EASM finds shadow IT and forgotten services before attackers do.
Agent on endpoints that logs process events, detects anomalies and enables response.
Replaces classic AV as primary defence. Common vendors: CrowdStrike, SentinelOne, Microsoft Defender for Endpoint.
European Union Agency for Cybersecurity. Receives vulnerability reports under the CRA.
Runs EU-wide certification schemes and coordinates the EU vulnerability database.
See also: CRA
Probability model (0-100 %) that a given CVE will be exploited within 30 days. Maintained by FIRST.
High CVSS with low EPSS is often lower priority than medium CVSS with high EPSS.
A finding from a scanner or test that turns out not to be a real vulnerability after verification.
High FP rates are the biggest cost for security teams handling scan output. Verification steps reduce them sharply.
Automated testing technique that feeds random or mutated input to find crashes.
Effective for finding memory bugs in C/C++ and parser flaws.
EU data protection regulation (2016/679) governing processing of personal data. Applicable since 25 May 2018.
Security incidents involving personal data must be reported to the supervisory authority within 72 hours. Security measures are required under Article 32.
GitHub's vulnerability database, often updated faster than NVD with better coverage for OSS ecosystems.
Source for Dependabot and GitHub Advanced Security alerts.
Reduce attack surface in a system by disabling unnecessary services, hardening configurations and applying least privilege.
CIS Benchmarks are the standard guides per OS/product.
See also: CIS Controls v8
Specialised hardware that handles cryptographic keys without exposing them to the host OS. FIPS 140 is the most common certification.
Required for PCI DSS, eIDAS signing, and in many financial systems. Class IV under the CRA.
HTTP header that forces the browser to always use HTTPS for the domain, including the first visit (after the preload list).
Protection against SSL stripping. `includeSubDomains` and `preload` are best practice.
See also: TLS
Hybrid of SAST and DAST: instrumented runtime correlating code flows with HTTP requests.
Better precision than SAST or DAST alone, but requires an agent in the application.
Authorisation bug where you can reach other users' data by changing IDs in the URL or body.
Missing from most automated scanners — requires manual testing or business-logic-aware scanning.
Network systems that detect (IDS) or block (IPS) known attack patterns.
Classic perimeter security. Less critical in modern cloud where traffic is encrypted and east-west dominates.
Standard family for security in industrial automation and control systems (OT/ICS).
Used in manufacturing, energy, water, transport. Often required when integrating with SCADA vendors.
Structured process to detect, handle, contain, recover from and learn from security incidents. Classic steps: prepare, identify, contain, eradicate, recover, lessons learned.
Required under NIS2, DORA, CRA and GDPR.
Behaviour-based indicator: e.g. a process tree matching a known attack TTP.
More resistant than IOC hunting since attackers often swap infrastructure.
See also: IOC, MITRE ATT&CK
Technical trace of an attack: IP address, hash, domain name, registry key.
Useful for retroactive hunting — have we seen this IP in our logs over the last 90 days?
See also: IOA
International standard for an information security management system (ISMS). Latest revision 2022, with 93 controls in Annex A.
De-facto standard for showing systematic security work. Certification opens doors with enterprise customers, insurers and procurement.
Guidance standard describing the 93 controls in ISO 27001 Annex A in detail.
Not certifiable, but where you read how controls are actually implemented.
See also: ISO 27001
CISA's list of CVEs proven to be exploited in the wild. US federal agencies must patch them within a defined window.
The KEV list is one of the clearest signals for "fix now, not next sprint".
Model of an attack in stages: recon, weaponization, delivery, exploitation, installation, C2, actions on objectives. Lockheed Martin original.
Useful for mapping where in the chain a specific detection or control kicks in.
See also: MITRE ATT&CK
Attack where the attacker gets the server to read or include local files via unsafe path handling.
Often a stepping stone to RCE via log poisoning or leakage of config files.
See also: Path traversal, RCE
EDR/XDR as a service, with an external SOC handling alerts.
Good fit for organisations that don't want to staff 24/7 themselves.
Authentication with more than one factor: something you know (password), have (token), or are (biometric).
The single most effective measure against account takeover. Hardware keys (WebAuthn) are the most resistant.
Classification of attacker tactics, techniques and procedures (TTPs), split into matrices for Enterprise, Mobile, ICS.
De-facto standard for describing detection coverage. T1059 = Command and Scripting Interpreter, etc.
See also: Kill chain
Swedish supervisory authority for NIS2 in several sectors. Receives incident reports and issues regulations.
First-line contact for NIS2 supervision in Sweden.
TLS where both client and server present certificates, providing mutual authentication at the transport layer.
Common between services (microservice meshes, B2B APIs). Better than bearer tokens for latency-sensitive identity.
See also: TLS
EU directive (2022/2555) imposing security and reporting requirements on operators of essential and important services. Implemented in Sweden via the Cybersecurity Act.
Broader than NIS1 — more sectors, faster incident reporting (24h early warning), stricter penalties.
NIST Cybersecurity Framework version 2.0, released 2024. Six functions: Govern, Identify, Protect, Detect, Respond, Recover.
Framework-agnostic, maps against ISO 27001, NIS2 and others. A good starting point for security maturity assessments.
NIST's database of enriched CVE data: CVSS scores, CPE references, CWE mappings.
Standard data source for vulnerability scanners.
Authorisation protocol, not authentication. Issues scoped tokens to third-party apps.
Most common case: "Sign in with Google" (actually OIDC on top of OAuth). Many mistakes happen when OAuth is used directly for authentication.
See also: OIDC
Authentication protocol on top of OAuth 2.0. Delivers identity via an ID token (JWT).
Modern standard for federated sign-in. Google, Microsoft, Apple and others use it.
Vulnerability where an attacker can redirect a user to an arbitrary external URL via a vulnerable redirect parameter.
Common component in phishing chains that lure victims into clicking "trusted" links.
Intelligence gathering from open sources: web search, social media, registries, leaked databases.
More pentest-relevant than people think. A powerful tool for phishing recon against specific individuals.
See also: Recon
Distributed vulnerability database from Google, with a standard format for OSS ecosystems (npm, PyPI, Go etc.).
Machine-readable format that SBOM tools match against.
Attack using `../` sequences or similar to access files outside the intended directory.
Defended by normalising and whitelisting paths, not by filtering characters.
See also: LFI
Payment card industry security standard for organisations handling card data. Latest 4.0.1 mandatory since 31 March 2025.
Required for anyone accepting card payments. Level depends on transaction volume.
Manual or partly automated security test where a tester attempts to break into systems within an agreed scope. Goal: find what an attacker could do.
Required by NIS2 (de facto), DORA (TLPT), PCI DSS and others.
Social-engineering attack where the attacker tricks victims into revealing credentials or running malware, usually via email or SMS.
The root cause of most major breaches. Defended with MFA, awareness training and DMARC.
Internal team at a product vendor that receives vulnerability reports and coordinates patches.
The CRA makes a PSIRT function de-facto mandatory for any software or hardware vendor selling into the EU.
Collaborative format where red and blue teams run together, often to fine-tune detection rules.
Faster iteration than the traditional red-team-report-then-fix cycle.
Vulnerability where the attacker can run arbitrary code on the server remotely. Always critical.
The end-game vulnerability. RCE usually hides behind unsafe deserialisation, command injection or file upload.
First phase of an attack or pentest: mapping the attack surface without interaction (passive) or with (active).
EASM tools automate passive recon. OSINT, certificate transparency logs and DNS sources are typical inputs.
See also: EASM, OSINT, Certificate Transparency
Goal-driven simulated attack that often includes physical, social and technical vectors. Longer and broader than a traditional pentest.
Tests the whole defence chain: detection, response, communication. More realistic but more expensive.
See also: Blue team, Purple team, Pentest
XML-based SSO protocol, most common in enterprise and legacy. Delivers identity via a signed assertion.
Standard in Microsoft AD FS, Okta, OneLogin. Often required for integration with large customer systems.
Static code analysis that finds security flaws in source code without executing it.
Early feedback in the development flow, but high FP rate. Typically combined with DAST + SCA.
Machine-readable inventory of all components in a piece of software: libraries, versions, licences, suppliers.
Required under the CRA. Without an SBOM you cannot answer "are we affected by CVE-X?" quickly. Standard formats are SPDX and CycloneDX.
Analysis of third-party components in a codebase against vulnerability and licence databases.
The most common root of CVEs in modern applications. SCA matches an SBOM against CVE feeds.
Standard (RFC 9116) for publishing contact and VDP information at `/.well-known/security.txt`.
The lowest bar for enabling external reporting. Should exist on all production domains.
See also: VDP
Splitting a network into isolated zones with controlled traffic between them.
Limits lateral movement once an attacker is in. Microsegmentation is the cloud version of the same idea.
See also: Zero trust
Centralised log management and correlation for security events. Splunk, Sentinel, Elastic are common.
Backbone of mature SOCs. Expensive unless you're disciplined about what to log.
Platform for automating incident response: playbooks, integrations, case management.
Lifts SOC teams above repetitive tasks, but requires a mature process first.
Team that monitors security alerts, triages and initiates incident response, often 24/7.
Can be internal or outsourced (MDR/MSSP). Maturity indicator: average MTTD (Mean Time To Detect).
US attestation from AICPA against the Trust Services Criteria (security, availability, confidentiality, processing integrity, privacy). Common for SaaS.
SOC 2 Type II is an extended audit over 6-12 months. Expected by US enterprise buyers.
See also: ISO 27001
DNS-based standard declaring which servers may send email from your domain.
First layer of defence against email spoofing. Should end with `-all` (hard fail) to be meaningful.
Attack where unsafe SQL construction lets an attacker inject their own queries via user input.
The classic. Defended with parameterised queries — never string concatenation.
One sign-in grants access to multiple applications. Built on protocols like SAML or OIDC.
Reduces password sprawl, makes off-boarding reliable.
Vulnerability where server-side code makes HTTP requests to a URL controlled by the attacker, often to internal resources.
High risk in cloud environments where SSRF can reach metadata endpoints (e.g. 169.254.169.254) and leak credentials.
Hostname under a main domain, e.g. `mail.example.com`. Subdomain discovery is central to EASM.
Forgotten subdomains are a common root of takeover risk and unscanned attack surface.
See also: EASM, Subdomain takeover
Vulnerability where a DNS pointer references a discontinued third-party resource (S3 bucket, Azure service, CDN), allowing an attacker to claim it and own the subdomain.
Often the result of missed cleanup. Discovery and DNS monitoring catch them.
Discussion-based exercise where management, IT and communications walk through an incident scenario together.
Reveals communication and decision gaps without risking production.
See also: Incident response
Structured analysis of threats against a system, often via STRIDE or PASTA methodology.
Best done early in design. Low-cost version: draw the architecture, circle data flows, ask "what if the attacker controls this component?".
Live red-team testing against critical financial entities, required under DORA. Built on the TIBER-EU framework.
Conducted every three years, overseen by the national authority (Finansinspektionen in Sweden).
Transport-layer encryption protocol, the basis of HTTPS. Current version is TLS 1.3.
TLS 1.0 and 1.1 are formally deprecated. TLS 1.2 is still acceptable but 1.3 is the default in modern stacks.
Public policy describing how external researchers can report security issues to the organisation.
Required under the CRA. Typically implemented via `/.well-known/security.txt` plus a web page.
See also: CRA, security.txt, Bug bounty
Inline filter between client and application that blocks known attack patterns (XSS, SQLi, etc.).
Temporary protective layer when a patch is delayed, but never a replacement for fixing the code.
Lookup protocol for registration data on domains, IPs and ASNs.
Limited use after GDPR (registrant data is often hidden), but still practical for IP/ASN recon.
Correlated detection across multiple data sources: endpoint, network, identity, cloud.
Marketing term that often means EDR plus a few extra log sources. Value depends on integration.
Vulnerability where an attacker gets their JavaScript to execute in the victim's browser in the context of a site. Three main types: reflected, stored, DOM-based.
OWASP Top 10. Defended with output encoding and Content Security Policy.
Vulnerability in XML parsers that allow external entities, can lead to file read, SSRF or DoS.
Less common today as XML has been pushed aside by JSON, but persists in SOAP, SAML and legacy systems.
See also: SSRF
Security model that does not trust implicitly, regardless of network location. Every access is authenticated and authorised continuously.
More an architectural principle than a product. Practical implementation requires SSO, MFA, device trust and segmented access.
Vulnerability not publicly known and without a patch. "0 days" since the vendor was notified.
Heavy actors (states, large criminal groups) sit on zero-days. For most organisations, n-day CVEs are a bigger threat.