Cyber Tool Stack

Reference

Glossary

126 terms · 26 sections

The acronyms and concepts referenced throughout the field guide, defined in plain language and cross-linked to what they relate to.

#

3-2-1 Backup Rule
A backup best practice: keep at least three copies of your data, on two different types of media, with one copy stored offsite. The modern 3-2-1-1-0 variant adds one offline or immutable copy and zero recovery errors — meaning restores are regularly tested and confirmed to work.
Immutable BackupAir GapRTO / RPORansomware

A

ACMEAutomatic Certificate Management Environment
An open protocol (RFC 8555) that automates proving domain control and then requesting, issuing, and renewing TLS certificates between a client and a certificate authority — the mechanism behind Let's Encrypt that replaced manual certificate paperwork with an API call a server can run entirely on its own.
Certificate AuthorityPKI
Agent
A small piece of software installed on a device that collects activity data and can take local action, such as blocking a process or isolating the machine from the network.
EDRTelemetryEndpoint
Air Gap
Keeping a system or backup copy physically or network-isolated from any connected system, so it can't be reached or encrypted by ransomware or other malware spreading through the network.
Immutable BackupRansomware3-2-1 Backup Rule
Attack Surface
Every point where an attacker could potentially get in or extract data — exposed servers, APIs, cloud accounts, employee accounts — the thing exposure management programs work to continuously discover and shrink.
CAASMEASMCTEM

B

BASBreach and Attack Simulation
Software that continuously and safely runs simulated attack techniques against an environment to measure whether existing defenses actually detect or block them, rather than trusting that a control works just because it's installed.
PentestCTEM
BECBusiness Email Compromise
A scam where an attacker impersonates an executive, vendor, or trusted contact — often via a compromised or look-alike account — to trick an employee into wiring money or sharing sensitive data, typically without any malware or malicious link involved.
Spear PhishingPhishing
Blue Team
The defensive side of a security organization — the analysts and engineers who monitor, detect, and respond to attacks, including those simulated by a red team during an exercise.
Purple TeamSOC
Botnet
A network of compromised devices, controlled remotely by an attacker through command-and-control infrastructure, used collectively to launch DDoS attacks, send spam, or carry out other automated abuse at scale.
C2DDoS
BYOK / HYOKBring Your Own Key / Hold Your Own Key
Two models for who controls the encryption keys protecting data in a cloud service: Bring Your Own Key lets a customer supply keys the provider still has some access to, while Hold Your Own Key keeps keys entirely outside the provider's infrastructure.
HSMEnvelope Encryption

C

C2Command and Control
The infrastructure and channel an attacker uses to remotely control malware already running on a compromised system — issuing commands, exfiltrating data, or pulling down additional tools.
SandboxLateral MovementBotnet
CAASMCyber Asset Attack Surface Management
Aggregates data from existing tools — EDR, cloud, identity, vulnerability scanners — into one queryable inventory of every asset an organization has, closing the gaps that come from no single tool seeing everything.
Attack SurfaceEASM
CASBCloud Access Security Broker
Sits between users and cloud applications to enforce visibility and data-protection policy — discovering unsanctioned app use and controlling what happens to sensitive data inside approved SaaS applications.
SASESSE
Certificate Authority
A trusted organization or system that issues digital certificates, vouching that a given public key really belongs to the named website, service, or device. Public CAs like Let's Encrypt or DigiCert are trusted by browsers and operating systems out of the box; private CAs issue certificates trusted only inside a single organization.
PKIACMEMachine Identity
CIEMCloud Infrastructure Entitlement Management
Analyzes who and what can actually do inside cloud environments, surfacing excessive or unused permissions across human and machine identities that a role's name alone wouldn't reveal.
CNAPPLeast Privilege
CIS Controls
A prioritized, practical set of safeguards published by the Center for Internet Security, grouped into implementation groups by organizational maturity — often used as a concrete starting checklist alongside a broader framework like NIST CSF.
NIST CSFGRC
CMMCCybersecurity Maturity Model Certification
A U.S. Department of Defense certification program requiring contractors and subcontractors handling defense-related information to prove they meet a tiered set of cybersecurity practices before winning certain contracts.
FedRAMPNIST CSF
CNAPPCloud-Native Application Protection Platform
A category of tools that consolidates cloud posture management, workload protection, and identity risk into one platform, aiming to replace a pile of separate point tools with correlated, prioritized findings.
CSPMCWPPCIEM
CSPMCloud Security Posture Management
Continuously checks cloud account configuration against best-practice benchmarks — an exposed storage bucket, an overly permissive security group — and flags drift before it becomes a breach.
CNAPPKSPM
CTEMContinuous Threat Exposure Management
A program model for continuously scoping, discovering, prioritizing, validating, and mobilizing action against an organization's exposures, treating exposure management as an ongoing cycle rather than a periodic vulnerability scan.
Attack SurfaceBAS
CVECommon Vulnerabilities and Exposures
A public catalog that assigns a unique identifier to a specific, publicly known software or hardware vulnerability, so vendors, researchers, and tools can all refer to the same flaw unambiguously.
CVSSKEVCWE
CVSSCommon Vulnerability Scoring System
An industry-standard formula for scoring how severe a vulnerability is, producing a 0-10 number from factors like how easily it can be exploited and what an attacker gains. The current major version, CVSS 4.0, added metrics for real-world threat activity and automatability that earlier versions lacked.
CVEEPSS
CWECommon Weakness Enumeration
A catalog of general categories of security weaknesses in software design or code — like SQL injection or improper input validation — as distinct from CVE, which tracks specific, individual instances of a vulnerability in a specific product.
CVEOWASP Top 10
CWPPCloud Workload Protection Platform
Security focused on protecting the actual compute workloads running in the cloud — virtual machines, containers, serverless functions — through vulnerability scanning and runtime threat detection, complementing CSPM's focus on account-level configuration.
CNAPPCSPM

D

Data Classification
Labeling data by sensitivity — public, internal, confidential, restricted — so that access controls, encryption, and handling rules can be applied automatically based on what a piece of data actually is.
DSPMTokenization
DDoSDistributed Denial-of-Service
An attack that floods a target with traffic from many sources at once — often a botnet — to overwhelm its capacity and knock it offline for legitimate users.
BotnetWAF
Defense in Depth
A security strategy that layers multiple, different controls — network, endpoint, identity, data — so that if an attacker gets past one, another independent layer still stands between them and the target.
Zero TrustKill Chain
Detection Rule
Logic that turns raw log or telemetry events into a security alert when a specific suspicious pattern is matched.
SIEMLog
DevSecOps
A practice and culture that builds security checks directly into the software delivery pipeline — automated scanning, policy-as-code gates — rather than treating security as a separate review that happens after development is done.
Shift LeftIaC
DFIRDigital Forensics and Incident Response
The specialized work of investigating a suspected or confirmed security breach: reconstructing what happened, how far it spread, and preserving evidence that will hold up later.
EDRSOCMDR
DMARC, DKIM & SPF
Three DNS-based email authentication standards that work together to stop domain spoofing: SPF lists which mail servers may send for a domain, DKIM cryptographically signs outgoing messages, and DMARC tells receiving mail servers what to do when a message fails those checks and reports the results back to the domain owner.
BECPhishing
DNS Filtering
Blocking access to known-malicious or policy-violating domains at the DNS resolution step, before a connection is ever made — a lightweight control that stops a lot of malware and phishing infrastructure with minimal setup.
WAFC2
DSPMData Security Posture Management
Continuously discovers where sensitive data actually lives across cloud and SaaS environments and who can reach it, catching forgotten copies and risky exposure that a data inventory built once, by hand, would miss.
Data ClassificationCSPM
Dwell Time
The length of time an attacker is present inside an environment before being detected — a key metric for measuring how well detection capabilities are actually working, since a longer dwell time generally means more damage done.
MTTD / MTTRThreat Hunting

E

EASMExternal Attack Surface Management
Continuously discovers and monitors an organization's internet-facing assets — including forgotten subdomains and shadow IT nobody remembers standing up — from the outside, the same vantage point an attacker starts from.
Attack SurfaceCAASM
EDREndpoint Detection and Response
Software that continuously records what happens on endpoints (processes, files, network connections) and detects, investigates, and responds to malicious behavior.
XDREndpointAgentEPP
Endpoint
Any laptop, server, or mobile device that runs software and connects to a network — the place where most attacks ultimately execute.
EDREPPAgent
Envelope Encryption
A key-management pattern where data is encrypted with a fast, disposable data key, and that data key is itself encrypted with a more tightly controlled master key, so rotating the master key doesn't require re-encrypting all the underlying data.
HSM
EPPEndpoint Protection Platform
The baseline security agent installed on laptops and servers that blocks known malware, enforces device and application control policy, and reports fleet-wide compliance from one console.
EDREndpoint
EPSSExploit Prediction Scoring System
A data-driven score estimating the probability that a specific vulnerability will actually be exploited in the wild within the next 30 days, meant to be used alongside CVSS severity rather than in place of it when deciding what to patch first.
CVSSKEV

F

FedRAMPFederal Risk and Authorization Management Program
The U.S. government's standardized process for security-assessing and authorizing cloud services for use by federal agencies, letting a cloud vendor get certified once and reused across many agencies instead of being individually vetted by each.
GRCNIST CSF
FIDO2 / WebAuthn
The open standards underlying passkeys and hardware security keys: WebAuthn is the browser API a website uses to request a cryptographic credential, and FIDO2 is the broader standard, including the protocol between the browser and an authenticator, that makes the credential resistant to phishing.
PasskeyMFA

G

GDPRGeneral Data Protection Regulation
The European Union's data protection law, giving individuals rights over their personal data and requiring organizations that process it to meet strict security, consent, and breach-notification obligations, with steep fines for violations.
HIPAAData Classification
GRCGovernance, Risk, and Compliance
The combined discipline of setting policy (governance), identifying and managing what could go wrong (risk), and proving adherence to laws and standards (compliance) — usually the umbrella term for the programs and tools that manage all three together.
Risk RegisterSOC 2

H

HIPAAHealth Insurance Portability and Accountability Act
A U.S. federal law that sets security and privacy requirements for protected health information, binding on healthcare providers, insurers, and the vendors that handle health data on their behalf.
PCI DSSGDPR
Honeypot
A decoy system, account, or file deliberately left exposed to attract attackers, giving defenders early warning of an intrusion and insight into attacker behavior without risking real assets.
Threat HuntingIOC
HSMHardware Security Module
A dedicated, tamper-resistant hardware device that generates, stores, and uses cryptographic keys, so the keys themselves never have to leave secure hardware even when software using them is compromised.
Envelope EncryptionBYOK / HYOK

I

IaCInfrastructure as Code
Defining and provisioning infrastructure — servers, networks, cloud resources — through version-controlled configuration files like Terraform or CloudFormation instead of manual setup, which also means a misconfiguration can be scanned and caught before anything is ever deployed.
CSPMSBOM
IAMIdentity and Access Management
The system that manages who employees are, what they're allowed to access, and how that access is granted and revoked over their time at a company.
SSOIGAIdP
IdPIdentity Provider
The system that actually authenticates a user's identity and issues the token other applications trust, underpinning single sign-on.
SSOIAMSCIM
IGAIdentity Governance and Administration
The discipline of running periodic access reviews, modeling entitlements as roles, and producing audit evidence that an organization's access actually matches who should have it.
IAMLeast Privilege
Immutable Backup
A backup copy stored so it cannot be modified, encrypted, or deleted for a set retention period — even by an administrator account — guaranteeing a clean recovery point survives even if ransomware compromises the backup system itself.
Air GapRTO / RPO3-2-1 Backup Rule
Infrastructure Security
An umbrella term for securing the layers applications run on — networks, servers, containers, and cloud services — as opposed to the application code itself. This map deliberately splits that umbrella by where each control lives: Network & Perimeter (traffic and the perimeter), Cloud Security (cloud infrastructure and container/Kubernetes security), and Security Operations (vulnerability management).
IaCCSPMMicrosegmentation
IOAIndicator of Attack
A signal that describes an attacker's intent and behavior in progress — such as a process trying to dump credentials — rather than a static artifact left behind, letting defenses catch an attack while it's still unfolding instead of only after the fact.
IOCMITRE ATT&CK
IOCIndicator of Compromise
Forensic evidence that a system has already been breached — a malicious file hash, a known-bad IP address, a suspicious registry key — used to detect or confirm past or ongoing compromise.
IOAC2YARA
ISO 27001
An international standard, published by the International Organization for Standardization, for building and certifying a formal information security management system — the standard many enterprise customers outside the U.S. (and increasingly within it) require as proof of a vendor's security program, playing a similar role to SOC 2.
SOC 2GRC
ITDRIdentity Threat Detection and Response
Detection and response focused specifically on identity systems — flagging stolen credential use, suspicious privilege escalation, and misconfigured trust relationships in an organization's identity directories.
EDRXDRIAM

J

JIT AccessJust-in-Time Access
Granting elevated or privileged access only for a limited time window tied to a specific task, then automatically revoking it, instead of leaving standing permissions active around the clock.
Least PrivilegePrivileged Account

K

KEVKnown Exploited Vulnerabilities
A catalog, maintained by the U.S. Cybersecurity and Infrastructure Security Agency, of vulnerabilities confirmed to be actively exploited by attackers — a fast, evidence-based way to prioritize patching over relying on severity scores alone.
CVECVSSEPSS
Kill Chain
A model that breaks an attack into a sequence of stages — reconnaissance, weaponization, delivery, exploitation, and so on through actions on objectives — on the premise that breaking any single link stops the whole attack.
MITRE ATT&CKLateral Movement
KSPMKubernetes Security Posture Management
Posture management scoped specifically to Kubernetes clusters — checking RBAC rules, pod security settings, and network policies against hardening benchmarks like the CIS Kubernetes Benchmark.
CSPMCNAPP

L

Lateral Movement
The stage of an attack where, after gaining an initial foothold, an intruder moves from system to system inside a network to reach more valuable targets, often using stolen credentials rather than new exploits.
C2Privileged AccountKill Chain
Least Privilege
The security principle of granting a person or system only the minimum access needed to do a specific task, rather than broad standing permissions.
Privileged AccountPAM
Log
A timestamped record of an event generated by a system, application, or device, used for troubleshooting and security investigation.
SIEMDetection Rule

M

Machine Identity
The credentials — certificates, keys, and tokens — that let non-human actors like servers, services, containers, and API clients prove who they are to each other, as opposed to the usernames and passwords that identify people. Machine identities now vastly outnumber human ones, and each is another certificate that can expire or be forged if it isn't managed.
PKICertificate AuthorityPrivileged Account
MDMMobile Device Management
A system for enrolling, configuring, and remotely locking or wiping phones and tablets used for work, without requiring physical access to the device.
UEMEndpoint
MDRManaged Detection and Response
A subscription service where a vendor's own analysts monitor an organization's security alerts and respond to routine detections, instead of the customer's team doing it alone.
EDRSOC
MFAMulti-Factor Authentication
A login flow that requires a second proof of identity beyond a password, such as a push approval, one-time code, or biometric check, so a stolen password alone isn't enough to log in.
PasswordlessPasskey
MFA Fatigue
An attack where someone who already has a victim's password sends a flood of push-based MFA approval requests, hoping the victim eventually taps 'approve' just to make the notifications stop — also called MFA bombing or push bombing.
MFAVishing
Microsegmentation
Dividing a network into small, isolated zones — down to the level of individual workloads — with tightly controlled traffic rules between them, so a compromise in one segment can't freely spread laterally to the rest of the environment.
Lateral MovementZero Trust
MITRE ATT&CKAdversarial Tactics, Techniques, and Common Knowledge
A free, continuously updated knowledge base, maintained by the MITRE Corporation, that catalogs real-world attacker behavior as a matrix of tactics (the attacker's goal, like lateral movement) and techniques (how it's done), giving defenders a shared vocabulary for describing and detecting threats.
TTPIOCThreat HuntingPurple Team
MSSPManaged Security Service Provider
A vendor that operates security tools and processes — like a SIEM or firewall — on an ongoing basis for a customer, distinct from an MDR provider's narrower focus on 24/7 detection and response for a specific set of telemetry.
MDRSOC
MTTD / MTTRMean Time to Detect / Mean Time to Respond
Two core SOC performance metrics: MTTD measures how long it takes to notice something malicious happened, and MTTR measures how long it then takes to contain and resolve it, together showing whether a security program is getting faster over time.
Dwell TimeSOC

N

NDRNetwork Detection and Response
Detection and response built around monitoring network traffic rather than endpoint or log data, catching attacker behavior like lateral movement and command-and-control that never touches a monitored endpoint.
EDRXDRC2
NIST CSFNational Institute of Standards and Technology Cybersecurity Framework
A widely adopted, voluntary framework that organizes cybersecurity activity into functions — Govern, Identify, Protect, Detect, Respond, Recover — used as a common structure for building or assessing a security program.
CIS ControlsGRC

O

OIDCOpenID Connect
A modern, JSON/OAuth-based identity standard for single sign-on, favored by newer applications and mobile apps over SAML for being simpler to implement over standard web protocols.
SSOIdPSAML
OWASP Top 10
A regularly updated, community-researched ranking of the most critical web application security risks, published by the OWASP Foundation and widely used as a baseline checklist for secure development. The current edition, OWASP Top 10:2025, was the first major update since 2021.
CWEWAF

P

PAMPrivileged Access Management
Software that vaults, rotates, and time-limits the credentials for admin, database, and service accounts capable of causing outsized damage, and records what's done with them.
Least PrivilegePrivileged AccountIAM
Passkey
A phishing-resistant, passwordless credential stored on a device that uses cryptography to prove identity to a specific website or app, without ever transmitting a shared secret that could be stolen.
PasswordlessMFA
Passwordless
Authentication that replaces the password entirely, relying instead on a device, security key, or biometric as the primary credential.
PasskeyMFA
PCI DSSPayment Card Industry Data Security Standard
A security standard, set by the major card networks, that any organization storing, processing, or transmitting credit card data must comply with — covering network segmentation, encryption, and access control specifically around cardholder data.
GRCHIPAA
PentestPenetration Test
An authorized, time-boxed engagement where a tester actively attempts to exploit vulnerabilities in a system or network, going beyond a vulnerability scan's list of weaknesses to prove which ones are actually exploitable.
Red TeamBAS
Phishing
A social-engineering attack that tricks someone into clicking a malicious link, entering credentials on a fake page, or running an attached file.
MFARansomware
PKIPublic Key Infrastructure
The combined system of certificate authorities, enrollment processes, and policies that issues, distributes, renews, and revokes digital certificates, binding public keys to verified identities so machines and people can trust one another. It's the plumbing underneath TLS, code signing, and most machine-to-machine authentication.
Certificate AuthorityMachine IdentityHSM
Privileged Account
A login — administrator, database, or service account — capable of far more damage than an ordinary user account if it's stolen or misused.
PAMLeast Privilege
Purple Team
A collaborative security exercise where offensive (red team) and defensive (blue team) staff work together in real time, comparing what attacks were attempted against what defenses actually caught, to close detection gaps faster than either working alone.
Red TeamBlue Team

R

RaaSRansomware as a Service
A criminal business model where ransomware developers lease their malware and infrastructure to affiliates who carry out the actual attacks and split the ransom, lowering the technical bar for launching a ransomware attack.
Ransomware
Ransomware
Malware that encrypts a victim's files and demands payment for the decryption key, often spreading to as many systems as possible before it's discovered.
PhishingEDR
Red Team
A group that simulates real-world adversary tactics against an organization's people, processes, and technology to test whether defenses actually hold up, typically operating without the defenders' knowledge until after the exercise.
Purple TeamPentest
Risk Register
A tracked, living list of an organization's identified risks, each with an owner, likelihood and impact rating, and a treatment plan — the central artifact most GRC programs and audits are built around.
GRCTabletop Exercise
RTO / RPORecovery Time Objective / Recovery Point Objective
Two targets that define how much disaster an organization can tolerate: RTO is how long systems can be down before recovery, and RPO is how much data — measured in time — can be lost since the last good backup.
Immutable BackupTabletop Exercise3-2-1 Backup Rule

S

SaaSSoftware as a Service
Software that's hosted and run by the vendor and accessed over the internet, rather than installed and maintained on the customer's own servers.
SAMLSecurity Assertion Markup Language
An older, XML-based standard for passing authentication and authorization data between an identity provider and an application, still widely used for enterprise single sign-on alongside the newer OIDC standard.
SSOIdPOIDC
Sandbox
An isolated environment where a suspicious file or link can be opened and observed safely, revealing what it actually does — dropping malware, calling out to a remote server — without risking the real network.
YARAC2
SASESecure Access Service Edge
An architecture that converges networking (like SD-WAN) and security services (like SWG and ZTNA) into one cloud-delivered platform, replacing a stack of separate branch and data-center appliances.
SSEZTNASWG
SBOMSoftware Bill of Materials
A formal, machine-readable inventory of every open-source and third-party component that makes up a piece of software, so an organization can quickly tell whether a newly disclosed vulnerability affects anything it runs.
VEXSupply Chain AttackCVE
SCIMSystem for Cross-domain Identity Management
A standard protocol for automatically creating, updating, and deactivating user accounts across connected applications as an identity system's records change.
IdPIGA
Secrets Sprawl
The accumulation of API keys, passwords, and certificates scattered across source code, config files, chat messages, and CI/CD systems instead of a managed vault, each one a potential credential an attacker could find and reuse.
HSMTokenization
Shift Left
Moving security testing and review earlier in the software development process — into the IDE and pull request instead of a pre-release gate — so flaws are caught and fixed while they're still cheap to change.
DevSecOps
SIEMSecurity Information and Event Management
A central system that collects logs from across an environment, correlates them into alerts using detection rules and behavioral baselining, and lets analysts search historical activity during an investigation.
SOCLogDetection RuleUEBA
Smishing
Phishing carried out over SMS text message, typically impersonating a delivery service, bank, or IT department to get a recipient to click a malicious link or share a code on their phone.
PhishingVishing
SOARSecurity Orchestration, Automation and Response
Software that automates the repetitive steps of responding to a security alert — pulling context from other tools, opening a case, taking containment action — via predefined playbooks, freeing analysts to focus on judgment calls a machine can't make.
SIEMSOC
SOCSecurity Operations Center
The team (in-house or vendor-run) responsible for monitoring security alerts around the clock and responding when something looks like a real incident.
SIEMMDRThreat Hunting
SOC 2
An audit report, defined by the AICPA (the American Institute of CPAs) — SOC stands for System and Organization Controls — that evaluates a service organization's controls around security, availability, and related trust criteria. SOC 2 is the specific report enterprise SaaS customers most often require, as distinct from SOC 1's focus on financial reporting controls.
GRCISO 27001
Spear Phishing
A phishing attack tailored to a specific person or organization using researched details — a colleague's name, a real project, a familiar vendor — to appear far more convincing than a generic mass phishing email.
PhishingBEC
SSESecurity Service Edge
The security-focused subset of SASE — ZTNA, SWG, and CASB delivered from the cloud — without the SD-WAN networking half, for organizations that want converged security without replacing their existing network connectivity.
SASEZTNACASB
SSOSingle Sign-On
A login flow that lets a user authenticate once and gain access to many connected applications, instead of maintaining a separate username and password for each one.
IAMIdP
STIX/TAXIIStructured Threat Information eXpression / Trusted Automated eXchange of Indicator Information
A pair of open standards for describing threat intelligence in a structured, machine-readable format (STIX) and automatically transporting it between sharing partners (TAXII), letting organizations exchange indicators and context without manually reformatting feeds.
IOCMITRE ATT&CK
Supply Chain Attack
An attack that compromises a trusted upstream component — a software dependency, a build pipeline, a vendor's update mechanism — so the malicious code rides along into every downstream organization that uses it.
TyposquattingSBOM
SWGSecure Web Gateway
Inspects and filters outbound web traffic for malware, phishing sites, and policy violations, typically as a cloud-delivered service that a user's traffic routes through before reaching the open internet.
SASEDNS Filtering

T

Tabletop Exercise
A discussion-based walkthrough of a simulated incident, where stakeholders talk through their planned response step by step, used to find gaps in an incident response plan before a real breach forces the issue.
RTO / RPODFIR
Telemetry
The stream of activity data — process starts, file changes, network connections — that an agent continuously records and sends to a central system for analysis.
AgentSIEMUEBA
Threat Hunting
The practice of proactively searching historical activity data for signs of a compromise that never triggered an automatic alert.
EDRSIEMSOC
Tokenization
Replacing a piece of sensitive data, like a credit card number, with a nonsensitive placeholder token that has no exploitable value on its own, while the real value is kept in a separate, tightly controlled vault.
Data Classification
TTPTactics, Techniques, and Procedures
The way security teams describe attacker behavior at three levels of detail — the high-level goal (tactic), the general method (technique), and the specific implementation (procedure) — most commonly organized using the MITRE ATT&CK framework.
MITRE ATT&CKIOCIOA
Typosquatting
Publishing a malicious package or domain with a name deliberately similar to a popular one — a common misspelling or swapped character — hoping a developer or user installs or visits the fake by mistake.
Supply Chain Attack

U

UEBAUser and Entity Behavior Analytics
Analytics that baseline what's normal for a given user or system and flag deviations from that baseline, catching suspicious activity even without a matching rule.
SIEMTelemetry
UEMUnified Endpoint Management
Device management that covers laptops and desktops alongside phones and tablets from a single console, rather than running separate tools per device type.
MDMEndpoint

V

VEXVulnerability Exploitability eXchange
A companion standard to SBOM that states whether a known vulnerability in a listed component is actually exploitable in the way the software uses it, cutting down the noise of vulnerabilities that technically exist but can't be triggered.
SBOMCVE
Vishing
Phishing carried out over a phone call, often impersonating IT support, a bank, or an executive to pressure the victim into revealing credentials, approving an MFA prompt, or transferring money.
PhishingSmishingMFA Fatigue

W

WAFWeb Application Firewall
A filter that sits in front of a web application or API, inspecting incoming requests for attack patterns like SQL injection and cross-site scripting and blocking them before they reach the application.
DDoSOWASP Top 10

X

XDRExtended Detection and Response
Extends endpoint detection and response by correlating telemetry from identity, email, and cloud systems alongside endpoint activity, so a single attack spanning multiple systems appears as one connected incident instead of scattered alerts.
EDRSIEMTelemetry

Y

YARA
A rule-based pattern-matching language and tool used to identify and classify malware by describing textual or binary patterns found in a file, widely used by malware researchers to write and share detection signatures.
IOCSandbox

Z

Zero Trust
A security approach that verifies every request based on identity, device, and context, instead of assuming anything is safe just because it's already inside the corporate network.
IAMLeast Privilege
Zero-Day
A vulnerability that's exploited by attackers before the vendor knows about it or has released a fix, leaving defenders with zero days of advance warning to patch.
CVEKEV
ZTNAZero Trust Network Access
Grants access to a specific internal application on a per-request basis, verifying identity and device posture every time, instead of putting a remote user on the corporate network the way a traditional VPN does.
SASEZero Trust

Search Cyber Tool Stack

Jump to any tool, vendor, category, or glossary term.