Linda Ivri
  • 77 min read
  • Jun 3, 2025 6:19:24 AM

Lessons in Lexicon: A Dictionary of Key Cybersecurity Terms


If you’re a decision-maker, security partner, or even just curious about the world of cyber, our dictionary of cybersecurity terms will help you speak the language, ask sharper questions, and guide your teams with clarity and confidence. Read on for definitions of the most strategic, misunderstood, and mission-critical cybersecurity terms.

Whether your organization is looking to tighten your security posture or evaluating where visibility is lacking, this glossary helps you focus on what counts.
 

From A to Z, a List of Key Cybersecurity Terms

From acceptable risk to drift, misconfiguration to policy enforcement — cybersecurity is a world full of jargon. So let’s get into it, turning the page on outdated assumptions and learning the ABCs of cybersecurity.



Aa

  • Acceptable risk: The level of cyber risk an organization is willing to tolerate in order to meet business goals — balancing cost, security, and operational needs. 

    • Acceptable risk is related to risk tolerance, but the two are not the same thing. Whereas risk tolerance defines the general boundaries of what an organization is willing to risk, acceptable risk refers to a specific instance where a risk has been evaluated and formally approved within those boundaries.

  • Access Control: A security method used to regulate who can view or use resources in a computing environment. It ensures that only authorized users, devices, or systems can access specific data or perform certain actions, based on defined policies.

    • Access control helps protect sensitive information by enforcing rules around permissions, user roles, and contextual factors (like location or time). Common models include:

      • Role-Based Access Control (RBAC): Grants access based on a user's role within the organization

      • Attribute-Based Access Control (ABAC): Makes decisions based on multiple attributes like user, resource, and environment

      • Mandatory/Discretionary Access Control (MAC/DAC): Based on system-enforced or user-defined rules

  • ACL (Access Control List): A set of rules that define and enforce which users, groups, or systems are authorized to access specific resources and what operations (such as read, write, execute, or delete) they are permitted to perform.

    • ACLs are used to enforce granular access policies and are commonly implemented in both file systems and network devices.

      • Filesystem ACLs control access to individual files or directories, often supporting more detailed permission schemes than traditional Unix-style permissions.

      • Networking ACLs are used in routers, firewalls, and switches to permit or deny traffic based on IP addresses, protocols, ports, or other packet attributes, helping segment networks and enforce security policies.

  • AD (Active Directory): Microsoft’s directory service for managing users, devices, and access control across a network.

    • AD provides centralized authentication, policy enforcement, and configuration management, making it foundational to secure Windows environments. 

      • Maintaining proper configuration and hygiene within Active Directory is critical. Misconfigurations, weak group policies, or improperly enforced settings can create vulnerabilities, exposing systems to risk.

  • Attack path: The sequence of vulnerabilities, misconfigurations, or weak permissions that an attacker could exploit to move through a system or network.

  • Attack surface: The total number of entry points through which an attacker could gain access to a system or environment. A larger attack surface means greater exposure. 

  • Audit log: A record of system and user activity used for monitoring, compliance, and forensic investigations.

  • Autonomous endpoint management (AEM):  A new category from Gartner® referring to a next-generation IT approach that uses automation to manage, monitor, and secure endpoint devices without requiring constant human oversight.

  • AV (Antivirus): A foundational security technology designed to detect and block known threats such as malware, viruses, trojans, and worms. It works primarily through signature-based detection, comparing files and code to a database of known malicious patterns.

    • While AV provides essential baseline protection, it is increasingly limited against modern threats that are fileless, obfuscated, or behaviorally evasive.

    • AV alone may not detect threats that don’t match known signatures, making it insufficient as a standalone defense in today’s environments. Regular updates and a layered security approach, including endpoint protection and network defenses, are recommended to complement AV.

    • EDR and XDR platforms incorporate antivirus capabilities as a first layer of protection, but security teams should not rely on AV alone to address sophisticated or persistent attacks. 
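To make the access control models and ACL semantics above concrete, here is an added example (written for this glossary, not code from the original post or from any product it mentions). It combines a role-to-permission map (RBAC), contextual conditions on time and network location (ABAC), and a per-resource ACL evaluated with explicit-deny precedence, the rule Windows DACLs and most network ACLs follow. Every user, role, resource and rule in it is hypothetical.

```python
"""Toy access-decision engine: RBAC roles + ABAC context + an explicit-deny ACL.
Added example; all users, roles, resources and rules are constructed."""
from dataclasses import dataclass

# RBAC: role -> set of (resource, action) permissions. Constructed for the example.
ROLE_PERMISSIONS = {
    "analyst": {("reports", "read")},
    "admin": {("reports", "read"), ("reports", "write"), ("config", "write")},
}

# ACL: resource -> list of access-control entries (effect, principal, action).
# Evaluated with deny precedence: an explicit deny beats any allow, whatever the
# order of the entries. Constructed for the example.
ACL = {
    "config": [
        ("deny", "user:contractor-1", "write"),
        ("allow", "role:admin", "write"),
    ],
}


@dataclass(frozen=True)
class Request:
    user: str
    roles: frozenset
    resource: str
    action: str
    hour: int             # ABAC context: local hour of the request, 0-23
    from_corp_net: bool   # ABAC context: request originates inside the corporate network


def rbac_allows(req: Request) -> bool:
    """True if any of the user's roles carries the (resource, action) permission."""
    return any((req.resource, req.action) in ROLE_PERMISSIONS.get(r, set()) for r in req.roles)


def acl_decision(req: Request):
    """Return 'deny', 'allow', or None when no access-control entry matches the request."""
    principals = {f"user:{req.user}"} | {f"role:{r}" for r in req.roles}
    matching = [e for e in ACL.get(req.resource, []) if e[1] in principals and e[2] == req.action]
    if any(effect == "deny" for effect, _, _ in matching):
        return "deny"      # explicit deny wins regardless of entry order
    if any(effect == "allow" for effect, _, _ in matching):
        return "allow"
    return None


def abac_allows(req: Request) -> bool:
    """Contextual rule: writes are only permitted from the corporate network, 08:00-18:00."""
    if req.action != "write":
        return True
    return req.from_corp_net and 8 <= req.hour < 18


def decide(req: Request) -> bool:
    """Final decision: deny by default unless every layer agrees."""
    acl = acl_decision(req)
    if acl == "deny":
        return False
    if acl != "allow" and not rbac_allows(req):
        return False
    return abac_allows(req)


if __name__ == "__main__":
    req = Request("alice", frozenset({"admin"}), "config", "write", hour=22, from_corp_net=True)
    print("admin writing config at 22:00 ->", decide(req))   # denied by the ABAC time window
```

The order matters: an explicit deny is checked first so that a contractor who has been granted the admin role is still blocked, and the contextual check runs last so that even a legitimately entitled admin cannot write configuration from outside the corporate network or out of hours.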

Bb

  • Blackhat: A malicious hacker who conducts attacks for personal or financial gain. Black Hat is also the name of a major cybersecurity event.

  • Blacklisting: A security method that blocks known bad actors, files, or applications (also called denylisting). The opposite of whitelisting (allowlisting).

  • Botnet: A network of compromised computers or devices — often referred to as “bots” or “zombies” — that are secretly controlled by an attacker, usually through a command-and-control (C2) server.

    • Once infected, these devices can be used collectively to perform malicious activities like launching DDoS attacks, sending spam, stealing data, or spreading malware, often without the owner’s knowledge.

  • Breach: A successful attack in which data, systems, or credentials are accessed without authorization.

  • Browser misuse: The use of browsers in ways that bypass or ignore established policy or introduce risk. This can take the form of unsanctioned extensions, visiting unapproved sites, or insecurely storing credentials.

  • BSOD (Blue Screen of Death): A critical system crash in Windows indicating a major fault, often related to hardware, driver conflicts, or software errors.

  • Bug: An error or flaw in software code that may cause functionality issues or security vulnerabilities.

    • This is in contrast to a misconfiguration, which is not an objective design flaw but a context-dependent deployment flaw.

  • BYOD (Bring Your Own Device): A policy allowing employees to use personal devices for work — increasing flexibility but also introducing security challenges.


Cc

  • C2 servers (Command and Control servers): The infrastructure and channels attackers use to maintain control of infected devices, issue commands, and exfiltrate data. After a successful breach via phishing, malware, or misconfiguration, the infected system “calls back” to the attacker’s infrastructure, typically on a fixed or lightly jittered interval.

    • C2 traffic hides in plain sight by mimicking normal web traffic: encrypted sessions, trusted domains, and legitimate-looking requests. Because the beacon is ordinary outbound traffic rather than a distinctive file on disk, signature-based AV, and EDR tooling that only watches files and processes, can miss it.

    • Detecting C2 requires visibility into endpoint, browser, and network behavior (for example, a process that contacts the same external host at a regular interval), not just known threat signatures. Blocking these hidden communication channels cuts the attacker off from the implant and is critical to preventing data loss and long-term compromise.

  • CAB (Change Advisory Board): A group, typically internal to an organization in either the private or public sector, that reviews and approves changes to IT systems to improve security, reliability, and resilience.

    • In security, CABs are critical for controlling the timing and impact of patches, upgrades, or configuration changes, especially in regulated industries.

  • Cached credentials: Login information (like usernames and hashed passwords) that an operating system stores locally on a device so that a user can log in even when the device is disconnected from the network or domain controller.

  • CAF (Cyber Assessment Framework): A high-level cybersecurity framework developed by the UK's National Cyber Security Centre (NCSC) to help organizations, particularly operators of essential services, assess and improve their cybersecurity posture. CAF is designed to provide a structured, outcome-based approach to managing risk and improving resilience.

  • CIS (Center for Internet Security): A nonprofit that publishes globally recognized best practices for securing systems, including the CIS Critical Security Controls (a prioritized set of safeguards) and the CIS Benchmarks (configuration hardening baselines for operating systems, cloud platforms, and applications). STIGs are comparable hardening baselines, but they are published by the U.S. Defense Information Systems Agency (DISA), not by CIS.

  • Client: Any device or software application that connects to a server to request and consume services or data. Clients initiate the interaction, while servers respond.

    • Examples of clients include a laptop accessing email, a smartphone using a SaaS CRM, a web browser fetching content, or an email client like Outlook. Clients can also be lightweight agents that interact with a central server.

    • Clients are often the first point of attack, making it crucial to secure them through proper authentication, software updates, and misconfiguration prevention

  • Cloud: A network of remote servers hosted on the internet that store, manage, and process data, rather than relying on local computers or on-premises servers.

    • Cloud computing enables users to access computing resources (like storage, applications, and processing power) on demand, from anywhere, without needing to own or maintain the underlying hardware.

    • Cloud computing is foundational to modern IT — enabling scalability, flexibility, cost-efficiency, and global collaboration. However, because cloud systems are constantly exposed to the internet, they are frequent targets for cyberattacks.

  • Cloud instance: A virtual server hosted by a cloud provider (like AWS or Azure) that functions like a traditional on-premise server but is accessed remotely, often via SSH or RDP.

    • Cloud instances offer scalability, flexibility, and speed for teams that need to deploy applications or services without investing in physical hardware. 

  • Compliance: Adherence to industry standards, frameworks, or regulatory requirements (such as HIPAA, GDPR, NIST). Compliance is not a guarantee of security.

  • Containers: Virtualized environments that allow applications to run in isolated user spaces, ensuring consistency across different computing environments.

    • Containers encapsulate software and its dependencies, making it easier to deploy and scale applications. However, poorly configured or unsecured containers can introduce vulnerabilities that attackers can exploit.

  • CSPM (Cloud Security Posture Management): Automated tools that continuously monitor cloud environments for misconfigurations, enforce security policies, support compliance efforts, and enhance visibility into infrastructure risks across platforms like AWS, Azure, and GCP.

  • CTEM (Continuous Threat Exposure Management): An ongoing 5-step process first coined by Gartner® that scopes exposure, discovers risks, prioritizes issues, validates attack & response scenarios, and mobilizes people and processes to proactively address the risk. 

  • CVE (Common Vulnerabilities and Exposures): A standardized identifier for known security vulnerabilities, maintained by MITRE.

  • CVSS (Common Vulnerability Scoring System): A framework for rating the severity of security vulnerabilities, typically on a scale of 0 to 10.

    • CVSS base scores are derived from exploitability metrics (attack vector, attack complexity, privileges required, user interaction), impact metrics (confidentiality, integrity, availability), and, in version 3.x, scope (whether the vulnerability affects components beyond the vulnerable one; v4.0 replaced scope with separate subsequent-system impact metrics).

    • These factors help teams prioritize remediation by assessing how easy a vulnerability is to exploit and how damaging it could be. A base score is context-free, however: the same CVE may matter far more on an internet-facing server than on an isolated host.

  • CWPP (Cloud Workload Protection Platform): A security solution designed to protect workloads running in cloud and hybrid environments, including virtual machines, containers, and serverless applications, across services such as AWS EC2, Lambda, and ECS and their equivalents on other platforms.

  • Cyber attack: A deliberate and malicious attempt to breach the information systems, networks, or devices of an individual, organization, or government. The goal is often to steal data, disrupt operations, gain unauthorized access, or cause reputational or financial damage.

    • Cyber attacks can take many forms — including phishing, ransomware, denial-of-service (DoS), malware, and data breaches — and may exploit technical vulnerabilities, human error, or misconfigurations.

    • Attacks can be launched by threat actors ranging from lone hackers to organized cybercriminal groups or nation-states.

  • Cyber fatigue: A state of mental exhaustion or apathy caused by prolonged exposure to cybersecurity alerts, warnings, and protocols. It can lead to slower response times, missed threats, low morale, and risky behavior — weakening the organization’s overall security posture. 

    • Cyber fatigue often affects IT and security professionals, but can also impact regular users within an organization.  

  • Cyber hygiene: The ongoing set of practices, policies, and user behaviors that maintain the health and security of digital systems.

    • This includes regular software updates, strong password habits, controlled access, and user education.

    • So called because, like brushing your teeth, good cyber hygiene is routine — and absolutely essential to prevent long-term damage.

  • Cybersecurity: The practice of protecting systems, networks, devices, and data from cyber threats like unauthorized access, attacks, or damage. It involves technologies, processes, and policies designed to ensure the confidentiality, integrity, and availability of information.

    • Cybersecurity aims to prevent breaches, detect and respond to attacks, and maintain compliance with regulations. It is crucial for safeguarding digital assets and ensuring business continuity.


Dd

  • Data at rest: Data that is stored on a physical device or media (e.g., hard drives, cloud storage) and is not actively moving through a network.

  • Data in transit: Data that is actively being transferred over a network, either between systems, devices, or servers. Encryption and secure protocols like HTTPS are essential to protect data in transit from being intercepted or altered by malicious actors.

  • Dependency mapping: The process of identifying and visualizing the relationships between systems, applications, and components within an IT environment.

    • Dependency mapping helps prioritize critical systems, manage vulnerabilities, reduce the risk of cascading failures, and understand the operational risks associated with updating one system or component.

    • By mapping dependencies, organizations can anticipate the impact of changes under consideration and make more informed decisions.

  • Distributed Denial-of-Service (DDoS) attack: A cyberattack that floods a targeted system, such as a website, server, or network, with overwhelming traffic from multiple compromised sources, often part of a botnet. The goal is to exhaust resources and disrupt normal operations, rendering services slow or entirely unavailable to legitimate users.

    • In enterprise environments, DDoS attacks can cause major downtime, loss of revenue, and reputational damage. While not always data-destructive, they are disruptive and can be used as a smokescreen for more targeted intrusions.

  • Domain Controller: A server in an Active Directory environment that handles authentication (verifying identities) and authorization (determining access levels). It enforces security policies, manages domain trusts, and controls user access across the network.

    • For context, when an employee logs into their corporate laptop, the Domain Controller confirms their username and password, then determines what files, printers, or systems they’re allowed to use. If compromised, Domain Controllers can offer attackers broad control over the network.

  • Drift (Configuration or Policy): When configurations or policies gradually stray from their intended or baseline state.

    • This can include technical drift — like unauthorized changes or outdated settings — or policy drift, where rules defined in GPOs or device settings aren’t actually enforced on endpoints due to overrides, errors, or updates.

    • Left unchecked, drift silently weakens your security posture and increases risk, one misalignment at a time.
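The drift entry above describes the problem; here is an added example of the check itself (written for this glossary, not code from the original post or from GYTPOL). It compares the intended baseline, expressed as rules rather than bare values so that "at least 14 characters" and "no more than 15 minutes" can be stated, against the effective state observed on each endpoint, and reports every setting that is missing, changed, out of bound, or has acquired an extra member. The baseline rules, hostnames, and observed states are constructed; in practice the observed side would be read from the endpoint (registry, a secedit export, local group membership, MDM inventory) and the baseline from the GPO or hardening standard the organization intends to enforce.

```python
"""Configuration-drift check: intended baseline vs observed endpoint state.
Added example; baseline rules and fleet state below are constructed."""
from dataclasses import dataclass
from typing import Any

# Baseline as (operator, expected). "eq": must equal; "min"/"max": numeric bound;
# "subset": the observed set may contain only these members.
BASELINE = {
    "SMBv1Enabled": ("eq", False),
    "NTLMv1Allowed": ("eq", False),
    "MinimumPasswordLength": ("min", 14),
    "ScreenLockTimeoutSeconds": ("max", 900),
    "LocalAdministrators": ("subset", {"Administrators", "CORP\\Workstation Admins"}),
}

# Constructed effective state of two endpoints (hostnames and values are hypothetical).
FLEET = {
    "WS-001": {
        "SMBv1Enabled": False,
        "NTLMv1Allowed": False,
        "MinimumPasswordLength": 14,
        "ScreenLockTimeoutSeconds": 600,
        "LocalAdministrators": {"Administrators", "CORP\\Workstation Admins"},
    },
    "WS-002": {
        "SMBv1Enabled": True,              # legacy feature re-enabled by hand
        "MinimumPasswordLength": 14,       # note: NTLMv1Allowed is absent, the policy never applied
        "ScreenLockTimeoutSeconds": 3600,  # local override of the lock timeout
        "LocalAdministrators": {"Administrators", "CORP\\Workstation Admins", "CORP\\j.doe"},
    },
}


@dataclass(frozen=True)
class Drift:
    host: str
    setting: str
    kind: str        # "missing", "changed", "out-of-bound", "extra-member"
    expected: Any
    actual: Any


def check_setting(host: str, setting: str, rule, state: dict):
    """Evaluate one baseline rule against one endpoint's observed state; None if compliant."""
    op, expected = rule
    if setting not in state:
        return Drift(host, setting, "missing", expected, None)
    actual = state[setting]
    if op == "eq" and actual != expected:
        return Drift(host, setting, "changed", expected, actual)
    if op == "min" and actual < expected:
        return Drift(host, setting, "out-of-bound", expected, actual)
    if op == "max" and actual > expected:
        return Drift(host, setting, "out-of-bound", expected, actual)
    if op == "subset" and not set(actual) <= expected:
        return Drift(host, setting, "extra-member", expected, sorted(set(actual) - expected))
    return None


def drift_report(baseline: dict, fleet: dict) -> dict:
    """Map each host to its list of drift findings; a host that matches the baseline gets []."""
    report = {}
    for host, state in fleet.items():
        findings = [check_setting(host, s, rule, state) for s, rule in baseline.items()]
        report[host] = [f for f in findings if f is not None]
    return report


if __name__ == "__main__":
    for host, findings in drift_report(BASELINE, FLEET).items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print(f"  {f.setting}: {f.kind} (expected {f.expected!r}, got {f.actual!r})")
```

The "missing" case is the one most tooling overlooks: a setting that is absent from the endpoint is not the same as a setting that is correctly configured, and it is exactly what policy drift from a GPO that silently failed to apply looks like.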


Ee

  • EDR (Endpoint Detection and Response): A security solution that continuously monitors endpoint activity (process execution, file and registry changes, network connections) to detect exploitation and post-compromise behavior early, raise alerts, trace attacker actions, contain compromised systems, and support incident resolution.

  • Encryption: The process of converting data into an unreadable format for unauthorized users; essential for protecting data in transit and at rest.

  • Email gateways: Security systems that manage and filter inbound and outbound email traffic to prevent spam, malware, and phishing attacks. Email gateways inspect each message for harmful attachments, suspicious links, and malicious content, blocking threats before they reach the inbox. They can also enforce data loss prevention (DLP) policies and help ensure compliance with regulations.

  • Endpoint: Any device that connects to and exchanges information with a computer network, such as laptops, desktops, mobile phones, virtual machines, or embedded devices. Endpoints often serve as the primary target in attacks.

  • Endpoint Manager: A platform (like Microsoft Intune) used to manage and secure endpoint devices and the software/applications running on them.


Ff

  • Firewall:  A security system that filters network traffic between devices based on predefined rules. It helps protect networks by blocking unauthorized access and segmenting traffic based on criteria like IP addresses or port numbers.

    • Firewalls are important because they prevent cyberattacks, enforce security policies, and safeguard critical resources by controlling access. They play a crucial role in maintaining the integrity, confidentiality, and availability of data.

  • Follina: A high-profile zero-day vulnerability in Microsoft Office (CVE-2022-30190), discovered in 2022. Follina abuses the Microsoft Support Diagnostic Tool (MSDT): a specially crafted Word document loads a remote HTML template that invokes the ms-msdt: URI handler, which then executes attacker-supplied commands. No macros are required, and with RTF files the Windows Explorer preview pane could trigger the exploit without the document even being opened.

    • Follina highlights how common software features can be weaponized and bypass standard security controls.


Gg

  • Golden image:  A preconfigured, secure system template used to deploy consistent and hardened endpoints or servers.

  • Governance: The structures and processes that ensure cybersecurity decisions align with organizational strategy and risk tolerance

  • Governance, Risk, and Compliance (GRC): The frameworks and processes used to align security with business strategy, manage risk, and meet regulatory requirements. An interdisciplinary endeavor, GRC typically involves a variety of professionals and departments, including IT, Operations, Enterprise Risk, Information Security, Data Privacy, and Legal.

  • GPO (Group Policy Object): A GPO is a Windows-based management policy used in Active Directory environments to control user and device configurations, such as password policies, drive access, and software restrictions.

    • GPOs are managed centrally through the Group Policy Management Console (GPMC).

    • Unlike Microsoft Intune (a cloud-native MDM solution), GPOs are on-premises and domain-dependent, offering deep control but often prone to drift and misconfiguration without proper hygiene.

  • GYTPOL: A unique cybersecurity solution that helps organizations detect, correct, and prevent misconfigurations across endpoints and servers without disrupting users or normal business operations. GYTPOL automates and error-proofs device-level policy enforcement.


Hh

  • Hardening: The process of securing a system by reducing its attack surface. Its goal is to reduce vulnerabilities and improve system resilience against attacks.

    • Typically, it involves removing unnecessary services, software, or access; managing vulnerabilities and applying patches and updates; enforcing strict access controls and user permissions; monitoring traffic and logs to detect suspicious activity; and maintaining security measures such as firewalls and encryption.

  • HIT (Health IT): Everything related to the management of technology systems used in healthcare, including electronic health records (EHRs), PACS, and connected medical devices.

    • HIT systems handle sensitive patient data, making them high-value targets and subject to strict compliance and security requirements (e.g. HIPAA, HITECH). 


Ii

  • IAM (Identity & Access Management): Frameworks and tools for ensuring the right individuals access the right resources at the right times and for the right reasons. 

  • Incident response: A defined process for identifying, responding to, and recovering from security incidents in real time. It encompasses both immediate crisis management — like containing a breach or halting malicious activity — and post-incident actions such as investigation, remediation, communication, and applying lessons learned to prevent recurrence.

  • Infrastructure as Code (IaC): A practice where infrastructure like servers, networks, and configurations is defined and managed through machine-readable files, typically YAML or JSON templates or a dedicated language such as Terraform's HCL.

    • IaC allows teams to automate deployments, enforce consistency, and scale systems quickly. However, insecure configurations or mismanaged secrets within IaC files can introduce vulnerabilities into production environments.

  • Injection Attacks: A class of cyberattacks where malicious input is inserted into a program to alter its execution. This can include SQL injection, command injection, and YAML/JSON injection.

    • These attacks exploit how input is processed by applications or scripts, often giving attackers unauthorized access to data or control of systems.

    • Injection attacks are especially dangerous in systems that process external inputs without proper validation or sanitization, like misconfigured APIs, scripts, or cloud configuration files.

  • IOA (Indicator of Attack): Signs that an attack is in progress based on abnormal behavior, such as unusual login attempts, unauthorized access to sensitive systems, abnormal data exfiltration activity, or network traffic patterns. 

  • IOC (Indicator of Compromise): Evidence that a system has been breached, such as unusual traffic, file changes, or registry modifications.

  • IT (Information Technology): The entire set of hardware, software, networks, data systems, and services that organizations use to store, process, and transmit information. This includes servers, laptops, cloud services, databases, collaboration tools, and cybersecurity systems.

    • IT is typically managed by dedicated personnel, ranging from a few specialists in small businesses to global teams in large enterprises.

  • ITIL (Information Technology Infrastructure Library): A set of practices for IT service management that focuses on aligning IT services with the needs and processes of the business.

  • ITSM (IT Service Management): The processes and tools used to manage IT services — typically guided by ITIL best practices.
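The IOA entry above lists "network traffic patterns" as an indicator, and the C2 entry describes the pattern in question: an implant calling back to the same host at a regular interval. As an added example (written for this glossary, not code from the original post), the following reads proxy log lines, groups requests by source and destination, and flags pairs whose inter-request intervals are suspiciously regular, measured by the coefficient of variation (standard deviation divided by mean). The log lines, IP addresses and hostnames are constructed; the line format is an assumption, and a real deployment would parse whatever its proxy or firewall emits.

```python
"""Beacon detection over proxy log lines by interval regularity.
Added example; the log below is constructed and the line format is assumed."""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log: "<ISO timestamp> <source IP> <destination host> <bytes>".
# 10.0.0.5 calls cdn.example-update.net about every 60 s; 10.0.0.7 browses normally.
LOG = """\
2025-06-03T09:00:00 10.0.0.5 cdn.example-update.net 512
2025-06-03T09:00:10 10.0.0.7 www.example.org 18322
2025-06-03T09:00:12 10.0.0.7 www.example.org 2049
2025-06-03T09:01:01 10.0.0.5 cdn.example-update.net 514
2025-06-03T09:01:59 10.0.0.5 cdn.example-update.net 511
2025-06-03T09:03:00 10.0.0.5 cdn.example-update.net 513
2025-06-03T09:03:40 10.0.0.7 www.example.org 77215
2025-06-03T09:03:41 10.0.0.7 www.example.org 1290
2025-06-03T09:04:02 10.0.0.5 cdn.example-update.net 512
2025-06-03T09:04:59 10.0.0.5 cdn.example-update.net 515
2025-06-03T09:06:00 10.0.0.5 cdn.example-update.net 512
2025-06-03T09:07:01 10.0.0.5 cdn.example-update.net 513
2025-06-03T09:09:05 10.0.0.7 www.example.org 4410
2025-06-03T09:15:30 10.0.0.7 www.example.org 9931
2025-06-03T09:15:31 10.0.0.7 www.example.org 302
2025-06-03T09:40:00 10.0.0.7 www.example.org 1280
"""
LINE = re.compile(r"^(\S+) (\S+) (\S+) (\d+)$")


def parse(log_text: str):
    """Yield (timestamp, src, dst, bytes) for well-formed lines; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts, src, dst, size = m.groups()
            yield datetime.fromisoformat(ts), src, dst, int(size)


def find_beacons(log_text: str, min_requests: int = 6, max_cv: float = 0.15) -> dict:
    """Return {(src, dst): stats} for pairs whose interval coefficient of variation
    (stdev / mean) is at most max_cv over at least min_requests requests."""
    times = defaultdict(list)
    for ts, src, dst, _ in parse(log_text):
        times[(src, dst)].append(ts)
    flagged = {}
    for pair, stamps in times.items():
        if len(stamps) < min_requests:
            continue   # too few observations to call the interval regular
        stamps.sort()
        intervals = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(intervals) < 2:
            continue
        mean = statistics.mean(intervals)
        cv = statistics.stdev(intervals) / mean if mean else float("inf")
        if cv <= max_cv:
            flagged[pair] = {"count": len(stamps), "mean_interval": round(mean, 1), "cv": round(cv, 3)}
    return flagged


if __name__ == "__main__":
    for (src, dst), stats in find_beacons(LOG).items():
        print(f"possible beacon: {src} -> {dst} every ~{stats['mean_interval']}s "
              f"(n={stats['count']}, cv={stats['cv']})")
```

Treat a hit as a triage lead, not a verdict: legitimate update checkers and monitoring agents beacon too, and a well-built implant adds jitter to its sleep so that the coefficient of variation rises. Pair the interval statistics with destination reputation, domain age, and the process lineage reported by the endpoint before acting.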


Jj

  • Just-in-Time (JIT) access: Temporary, time-bound access granted to critical systems or resources only when needed, typically by admins or vendors.

    • JIT helps reduce persistent privileges, a major risk in breach scenarios. By eliminating standing access, it limits exposure if credentials are compromised and enforces tighter control over sensitive environments.


Kk

  • Kill chain: A cybersecurity framework popularized by Lockheed Martin that describes the stages of a cyberattack — from the attacker’s initial planning to the final objective (like data exfiltration or system disruption).

    • Originally adapted from military strategy, the kill chain helps security teams understand, detect, and disrupt attacks at each phase.


Ll

  • Lateral movement: A technique where attackers move from one compromised system to another within a network to reach high-value assets or escalate access.

    • Happening after the initial breach, lateral movement can be slowed or altogether prevented through strong cyber hygiene, segmentation, and continuous monitoring. 

  • Least privilege: A principle that grants users only the access they need to perform the specific tasks required for their defined roles — and nothing more. 

  • Lifecycle management: The process of managing a device, application, or system from procurement to decommission, including updates and security controls.

  • LockBit 2.0: A ransomware variant that rapidly encrypts data and uses double extortion, demanding a ransom while threatening to leak stolen files. It spreads using automated tooling, exploits exposed or misconfigured services such as RDP, and deletes shadow copies and other backups to hinder recovery.

    • LockBit is run as Ransomware-as-a-Service (RaaS): affiliates carry out the intrusions and share the proceeds with the operators, which has made it one of the most active and dangerous ransomware groups.

  • Log4j: An open-source Java logging library maintained by the Apache Software Foundation. Widely used in enterprise and cloud applications, Log4j records events and system messages for debugging and monitoring purposes.

    • In December 2021 it became infamous due to Log4Shell (CVE-2021-44228), a critical remote code execution vulnerability in its JNDI lookup feature, which exposed the risks of deeply integrated open-source components and the difficulty of even locating every copy of such a library across an estate.
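The attack path (A section) and lateral movement entries describe the same thing from two angles: a chain of weak permissions and cached credentials that lets an attacker hop from a low-value workstation to the domain controller. As an added example (written for this glossary, not code from the original post or from any product), here is that chain modeled as a directed graph in which an edge means "control of the source grants control of the target", with a breadth-first search for the shortest path and a cut analysis that identifies which single fixes would break every path. Hosts, accounts and weaknesses are constructed; a real graph would be built from AD group membership, local admin rights, logon sessions, and cached credentials.

```python
"""Attack-path enumeration over a small host/identity graph.
Added example; all hosts, accounts and weaknesses are constructed."""
from collections import deque

# Constructed edges: (source, target, weakness that lets an attacker cross).
EDGES = [
    ("WS-042", "svc_backup", "svc_backup credentials cached on WS-042"),
    ("WS-042", "WS-043", "same local Administrator password on both workstations"),
    ("WS-043", "PRINT-01", "WS-043 users are local admins on PRINT-01"),
    ("WS-043", "svc_backup", "scheduled task on WS-043 runs as svc_backup"),
    ("svc_backup", "FS-01", "svc_backup is a local admin on FS-01"),
    ("FS-01", "DA_admin", "DA_admin has an interactive session on FS-01"),
    ("DA_admin", "DC-01", "DA_admin is a member of Domain Admins"),
]


def adjacency(edges):
    """node -> list of (next node, weakness)."""
    graph = {}
    for src, dst, why in edges:
        graph.setdefault(src, []).append((dst, why))
        graph.setdefault(dst, [])
    return graph


def shortest_path(edges, start, target):
    """BFS for the fewest-hop path. Returns [(node, how it was reached), ...] starting
    with (start, None), or None if target is unreachable from start."""
    graph = adjacency(edges)
    parents = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for nxt, why in graph.get(node, []):
            if nxt not in parents:          # first visit is the shortest in an unweighted graph
                parents[nxt] = (node, why)
                queue.append(nxt)
    if target not in parents:
        return None
    path, node = [], target
    while parents[node] is not None:
        prev, why = parents[node]
        path.append((node, why))
        node = prev
    path.append((start, None))
    return path[::-1]


def choke_points(edges, start, target):
    """Edges whose removal alone leaves target unreachable from start: the fixes that
    cut every path, as opposed to fixes that merely lengthen the attacker's route."""
    cuts = []
    for i, edge in enumerate(edges):
        remaining = edges[:i] + edges[i + 1:]
        if shortest_path(remaining, start, target) is None:
            cuts.append(edge)
    return cuts


if __name__ == "__main__":
    for node, why in shortest_path(EDGES, "WS-042", "DC-01"):
        print(f"{node:12s} {why or '(initial foothold)'}")
    print("fix any one of these to break every path:")
    for src, dst, why in choke_points(EDGES, "WS-042", "DC-01"):
        print(f"  {src} -> {dst}: {why}")
```

The cut analysis is the useful part for prioritization: removing the cached svc_backup credential from WS-042 only pushes the attacker through WS-043, whereas taking svc_backup out of the local Administrators group on FS-01, or keeping Domain Admin sessions off member servers, severs the route entirely.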


Mm

  • Macros: Small automated scripts that perform repetitive tasks within applications like Microsoft Word or Excel. While macros are designed to boost productivity by automating functions such as formatting, calculations, or data imports, they also pose a significant security risk.

    • Malicious actors often embed harmful macros in documents sent via phishing emails; when users enable them, the code can execute actions like installing malware or exfiltrating data.

    • Because of this, macros from untrusted sources are usually disabled by default in enterprise environments.

  • Malware: Malicious software designed to disrupt, damage, or gain unauthorized access to systems. Malware attacks can utilize viruses, ransomware, and spyware.

  • MDM (Mobile Device Management): Solutions like Microsoft Intune or VMware Workspace ONE used to secure, monitor, and manage mobile endpoints like phones and tablets.

    • MDM tools enforce policies (e.g., encryption, lock screens), control app installations, and enable remote wipe.

    • Unlike GPO, which primarily governs Windows desktops in Active Directory domains, MDMs cover diverse OSs (iOS, Android, macOS) — essential in hybrid and BYOD environments.

  • Micro-segmentation: A technique that isolates specific parts of a network, reducing the attack surface by preventing lateral movement and minimizing potential damage from breaches.

    • Elisity, for example, helps achieve this with advanced network visibility.

  • Misconfiguration: A common and critical security issue where systems, devices, or applications are set up or operated in ways that leave them susceptible to security threats.

    • Unlike software bugs or vulnerabilities, these issues are related to deployment. They include default credentials, excessive permissions, unneeded open ports, and broken policy enforcement mechanisms.

  • Mitigation: The process of reducing the severity, impact, or likelihood of a security threat or vulnerability. Unlike remediation, which focuses on fixing vulnerabilities or threats, mitigation often doesn't fully solve the problem, but diminishes the extent of it. 

    • Mitigation strategies include implementing controls, adjusting configurations, or taking corrective actions to limit potential damage from cyberattacks, system failures, or natural disasters.

  • MITRE ATT&CK: A curated knowledge base of known adversary tactics, techniques, and procedures (TTPs) based on real-world observations. ATT&CK breaks down attacker behavior across the intrusion lifecycle, like initial access, privilege escalation, or exfiltration.

    • Security teams use ATT&CK to improve detection coverage, simulate adversaries (via purple teaming), and prioritize defenses based on how attacks actually unfold.

  • MSSP (Managed Security Services Provider): An external partner that delivers outsourced cybersecurity services such as threat monitoring, incident response, and compliance support.

    • As part of the broader channel ecosystem, MSSPs act as strategic resellers and advisors, often integrating third-party security solutions into their managed offerings.

  • MTTD (Mean Time to Detect): The average time it takes to identify a security incident after it occurs. Faster detection leads to quicker response, minimizing damage and reducing exposure time.

    • GYTPOL, for example, reduces MTTD with its continuous real-time monitoring and automated alerts.

  • MTTR (Mean Time to Resolution): The average time it takes to respond to and resolve a detected incident. In the world of cybersecurity, a shorter MTTR is critical for minimizing the impact of breaches and restoring business continuity.

    • GYTPOL, for example, reduces MTTR through its push-button remediation.


Nn

  • NAC (Network Access Control): A security technology that evaluates devices before allowing them onto a network. NAC checks posture (e.g., OS version, antivirus status), applies identity rules, and grants or denies access accordingly.

    • Unlike GPO, AD, or Intune — which focus on managing endpoint configurations — NAC works at the network layer, enforcing access decisions dynamically based on device state, user role, and location.

  • N-day: A vulnerability that has already been publicly disclosed (N days ago, as opposed to a zero-day). A patch usually exists but has not necessarily been applied, and in some cases no fix is yet available. Attackers routinely weaponize N-days because many systems remain unpatched long after disclosure.

  • Network: A network refers to the digital infrastructure that connects computers, servers, devices, and applications, allowing them to communicate and share resources. It represents both a vital backbone and a potential attack surface, as it’s the medium through which data travels and services are accessed.

    • Key components include endpoints (e.g., laptops, mobile devices), servers, routers, switches, firewalls, load balancers, and segmented zones to isolate sensitive areas.

    • Common network types include LANs (local networks), WANs (wide-area networks), and VPNs (virtual private networks) used to secure remote communication.

  • Network Devices: Physical or virtual systems that facilitate and manage communication across a network. These include routers that direct traffic between networks, switches that manage connections within a network, firewalls that filter traffic based on security policies, and load balancers that distribute traffic across multiple servers.

    • Because they control how data flows and enforce critical security boundaries, network devices are often targeted by attackers seeking to intercept, disrupt, or gain unauthorized access to systems.

  • Network segmentation: Dividing a network into smaller parts to isolate systems, tailor access controls and security policies, contain risks, and complicate lateral movement.  

  • NIST (National Institute of Standards and Technology): A U.S. federal agency that publishes widely adopted cybersecurity frameworks and standards, such as the NIST Cybersecurity Framework (CSF) and SP 800-53, used globally across industries.

  • NTLM (NT LAN Manager): A legacy Microsoft authentication protocol that still appears in many Windows environments, particularly where older systems or applications are present. It is susceptible to pass-the-hash and NTLM relay attacks (NTLMv1 being the weakest variant), and leaving it enabled or unrestricted is a common issue in outdated Windows settings, leading to significant security risk.


Oo

  • ODM (Outcome-Driven Metrics): A metrics approach that measures the effectiveness of security initiatives by their impact rather than by activity alone. This could include tracking the reduction of breaches, response time to incidents, or improved compliance rates.

    • Outcome-Driven Metrics help ensure security efforts are delivering tangible results in reducing risk, increasing resilience, and protecting critical assets, aligning security goals with broader business objectives.

  • Operational excellence: A comprehensive approach to business management that emphasizes continuous improvement, efficiency, and alignment with organizational goals.

  • Operational resilience: The ability of an organization to continue delivering critical services during and after a disruption — whether from a cyberattack, system failure, or human error.

    • In cybersecurity, operational resilience means having secure configurations, enforced policies, and automated recovery in place to minimize downtime and negative impact. It’s not just about surviving incidents or even preventing them, but maintaining operability, performance, and trust.

  • OT (Operational Technology): Hardware and software systems used to monitor and control physical devices and processes in industrial or mission-critical environments.

    • Whereas IT focuses on managing digital data and computing systems, OT is the tech that keeps the physical world running, from factory machines and power plants to medical equipment.



Pp

  • Pass-the-hash: An attack technique where stolen password hashes are reused to authenticate without cracking the password itself.

  • Patching: The process of updating software to fix known vulnerabilities, improve performance, or enhance functionality.

    • Delayed patching is a common cause of breaches, especially in complex enterprise environments.

  • Penetration testing: Simulated attacks performed by ethical hackers to find and fix vulnerabilities before real attackers can exploit them. Also known as Pen Testing.

  • Policy validation: The process of ensuring that established policies are not just defined, but actually enforced across systems and devices.

  • Posture management: The continuous process of monitoring, assessing, and improving an organization’s overall security state in a preventative rather than reactive manner.

    • Posture management involves identifying misconfigurations, enforcing policies, validating controls, and ensuring systems align with security best practices.

  • Print spooler: A Windows service that manages print jobs. It became infamous due to high-severity vulnerabilities (like PrintNightmare) that allowed attackers to escalate privileges.

  • Privilege escalation: When an attacker gains higher access than intended, often by exploiting misconfigurations or flaws in authentication.


Qq

  • Quarantine: A security response that isolates suspicious or infected files, devices, or emails to prevent further harm. Quarantined assets are moved to a restricted state — for example, an email flagged by Microsoft Defender or a compromised laptop segmented via NAC. Quarantine can last until the issue is resolved or the item is cleared by a security team.

    • Tools like EDR, antivirus software, and email gateways commonly apply quarantine policies.


Rr

  • Ransomware: Malware that encrypts files and demands payment for their release. Ransomware is disruptive, costly, and increasingly common, especially where basic defenses like patching and email protection are weak.

  • RDP (Remote Desktop Protocol): A Microsoft protocol that enables users to remotely access and control another computer’s desktop interface over a network. Commonly used for IT support, remote work, and server management, RDP is a powerful tool, but also a frequent target for attackers.

    • When exposed to the internet without safeguards, RDP can be exploited through brute-force attacks or credential theft, often serving as an entry point for ransomware.

    • Security best practices include multi-factor authentication, VPN access, and restricting RDP to trusted IPs.

  • Remediation: The process of fully resolving a security issue: removing threats, restoring configurations, and closing the gap. Unlike patching (which updates vulnerable software) or mitigation (which reduces risk without removing it), remediation fixes the root cause. True remediation restores a secure, compliant state.

  • Risk assessment: The process of identifying and prioritizing risks based on impact and likelihood, used to guide security investments, controls, and interventions.

  • Risk management: The process of identifying, assessing, and prioritizing risks, followed by a coordinated mitigation strategy.

    • A core executive concern, it's all about balancing security and continuity considerations with cost, usability, and innovation.

  • Risk Tolerance: The level of risk an organization is willing to accept in pursuit of its objectives, without taking additional action to mitigate it. It reflects the organization's appetite for uncertainty and potential loss, and it guides decisions about which risks are acceptable versus which require controls or mitigation.

    • Risk tolerance is a key input into overall risk management strategy and varies based on industry, regulatory requirements, and business priorities.

      • For example, a company with high risk tolerance might delay applying non-critical patches to maintain uptime, while one with low risk tolerance would prioritize immediate remediation to avoid any exposure.

    • Unlike acceptable risk (which refers to a specific, evaluated risk that has been formally approved), risk tolerance defines the broader boundaries that help determine which risks are considered acceptable in the first place.


Ss

  • Safe remediation: The process of fixing vulnerabilities or misconfigurations in a way that avoids disruption or breaking systems.

  • Security audit: A formal review of an organization’s security posture, including controls, configurations, and compliance, ensuring you can identify and address misconfigurations effectively.

  • Security baseline: A collection of standard benchmarks for security of systems, applications, or environments that serve as a reference point for compliance and risk management.

    • Baselining helps teams detect drift, enforce policy, and prevent vulnerabilities before they become problems. Think of it as your system’s security blueprint: any deviation is a red flag.
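The policy validation, posture management, and security baseline entries all describe the same mechanism: a baseline states what a setting must be, a host snapshot states what it is, and any difference is drift. The following added example (written for this glossary, not GYTPOL's code or product) shows that comparison in Python. The setting names, expected values, severities, and both host snapshots are constructed illustrations chosen from the glossary's own risky-configuration entries (SMBv1, NTLM, print spooler, RDP, Telnet, VTY timeouts); they are not real registry keys or policy identifiers.

```python
"""Baseline drift checker: compare a host's observed settings against a security baseline.

Added example for the glossary, not GYTPOL's code. All setting names and values
below are constructed illustrations, not real registry keys or policy IDs.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class BaselineRule:
    setting: str    # constructed setting name
    expected: str   # value the baseline requires
    severity: str   # "high", "medium" or "low"
    rationale: str  # why the baseline requires it


# Constructed baseline drawn from the glossary's own examples of risky settings.
BASELINE: List[BaselineRule] = [
    BaselineRule("smb_v1", "disabled", "high", "Deprecated protocol abused by WannaCry"),
    BaselineRule("ntlm_v1", "disabled", "high", "Legacy auth prone to pass-the-hash"),
    BaselineRule("print_spooler", "disabled", "medium", "PrintNightmare-class escalation"),
    BaselineRule("rdp_exposed_to_internet", "false", "high", "Brute-force and ransomware entry point"),
    BaselineRule("telnet", "disabled", "medium", "Cleartext remote access; use SSH"),
    BaselineRule("vty_exec_timeout_minutes", "10", "low", "Idle admin sessions should expire"),
]


@dataclass(frozen=True)
class Finding:
    setting: str
    expected: str
    observed: str   # "<missing>" when the host reported nothing for the setting
    severity: str


def find_drift(baseline: List[BaselineRule], observed: Dict[str, str]) -> List[Finding]:
    """Return every baseline rule the observed settings violate, highest severity first.

    A setting the host did not report at all is treated as a violation: a control
    that cannot be validated is not a control that is enforced.
    """
    rank = {"high": 0, "medium": 1, "low": 2}
    findings: List[Finding] = []
    for rule in baseline:
        value = observed.get(rule.setting, "<missing>")
        # Compare case-insensitively so "Disabled" and "disabled" agree.
        if value.strip().lower() != rule.expected.lower():
            findings.append(Finding(rule.setting, rule.expected, value, rule.severity))
    return sorted(findings, key=lambda f: (rank[f.severity], f.setting))


def is_compliant(baseline: List[BaselineRule], observed: Dict[str, str]) -> bool:
    """True when the host matches the baseline on every rule."""
    return not find_drift(baseline, observed)


def drift_since(previous: Dict[str, str], current: Dict[str, str]) -> Dict[str, Tuple[str, str]]:
    """Settings whose value changed between two snapshots, independent of the baseline.

    This is the "drift over time" view: it also catches a setting that silently
    disappeared from the newer snapshot.
    """
    keys = set(previous) | set(current)
    return {
        k: (previous.get(k, "<missing>"), current.get(k, "<missing>"))
        for k in sorted(keys)
        if previous.get(k) != current.get(k)
    }


# Constructed host snapshots: day 0 is clean, day 30 has drifted.
SNAPSHOT_DAY0: Dict[str, str] = {
    "smb_v1": "disabled",
    "ntlm_v1": "disabled",
    "print_spooler": "disabled",
    "rdp_exposed_to_internet": "false",
    "telnet": "disabled",
    "vty_exec_timeout_minutes": "10",
}
SNAPSHOT_DAY30: Dict[str, str] = {
    "smb_v1": "Enabled",          # re-enabled, e.g. by a legacy application installer
    "ntlm_v1": "disabled",
    "print_spooler": "running",   # service brought back
    "rdp_exposed_to_internet": "false",
    "telnet": "disabled",
    # vty_exec_timeout_minutes no longer reported at all
}

if __name__ == "__main__":
    for f in find_drift(BASELINE, SNAPSHOT_DAY30):
        print(f"[{f.severity:6}] {f.setting}: expected {f.expected!r}, observed {f.observed!r}")
    print(drift_since(SNAPSHOT_DAY0, SNAPSHOT_DAY30))
```

Two design points a practitioner would want: a missing setting counts as a violation rather than a pass, because an unverifiable control offers no assurance, and findings are ordered by severity so the remediation queue starts with the high-risk items the glossary calls out (SMBv1, internet-exposed RDP) rather than the cosmetic ones.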

  • Security controls optimization: The process of systematically tuning, aligning, and right-sizing existing security tools, configurations, and operational procedures to deliver maximum risk reduction with minimal waste.

    • Rather than investing in more tools, security controls optimization aims to close gaps, reduce redundancy, and ensure each control is working as intended — often leveraging threat modeling, usage data, and performance metrics to guide decisions.

  • Security policy: A strategic framework that defines which security controls an organization should implement and how they must be configured and maintained to reduce risk and support business goals.

  • Security Posture: The overall state of an organization’s cybersecurity readiness — including its ability to prevent, detect, respond to, and recover from threats. It reflects how secure the organization’s systems, configurations, processes, and practices are at any given time.

  • Server: A computer or system that provides data, services, or resources to other devices (called clients) over a network. Servers are designed to manage, store, send, and process data 24/7, supporting everything from websites and email to file sharing and databases.

    • Servers can be physical machines or virtual instances (like those in the cloud), and they often run specialized software to fulfill specific roles — such as a web server hosting websites, or a file server managing shared documents.

  • Serverless: A cloud-computing execution model where users can run applications without managing servers. Serverless architectures abstract the infrastructure layer, allowing organizations to focus on code while the cloud provider automatically handles scaling and management. 

  • Shadow IT: The use of unauthorized devices, applications, browser extensions, or services by employees within an organization.

    • A common example would be if an employee uses personal cloud storage (e.g., Dropbox) or unapproved apps (e.g., Slack) for business purposes.

      • This can lead to data leakage, non-compliance with regulatory standards, and increased attack surfaces, as IT has no visibility or control over these tools and systems.

  • Shift Left: A proactive methodology that embeds security, testing, and quality checks as early as possible in any workflow — not necessarily just in software development.

    • In a modern enterprise, this means departments like Operations, Finance, and Procurement are empowered to consider compliance, risk, and security from the start of their processes, reducing the likelihood of shortcomings or the need to rework things later on.

  • SIEM (Security Information and Event Management): A system that collects, analyzes, and correlates security data from various sources to detect threats and ensure compliance.

    • Examples of SIEM tools include Splunk, IBM QRadar, and LogRhythm. They provide real-time analysis of security alerts generated by network hardware and applications, helping security teams identify, investigate, and respond to security incidents quickly.

  • SMBv1 (Server Message Block version 1): An outdated file-sharing protocol with serious vulnerabilities, famously exploited in 2017 by the WannaCry ransomware attack.

    • Microsoft has since deprecated SMBv1 due to its security flaws.

  • SOAR (Security Orchestration, Automation, and Response): A solution that combines automation and orchestration to enhance a security team's response to cyber threats.

    • By automating repetitive tasks (such as alert prioritization and ticket creation), SOAR platforms like Palo Alto Networks Cortex XSOAR help security operations teams improve efficiency, consistency, and speed when responding to incidents. They reduce human error and accelerate incident resolution.

  • SOC (Security Operations Center): A dedicated facility or team responsible for continuously monitoring and defending an organization’s IT infrastructure against security threats.

    • It includes advanced technologies, processes, and personnel working together to detect, respond to, and mitigate cyber incidents, ensuring that potential risks are identified and addressed swiftly.

    • SOCs play a central role in proactive defense strategies, integrating threat intelligence, incident response, and monitoring.

  • Spyware: Malware designed to secretly collect information from a system or user — often used for surveillance or credential theft.

  • SSH (Secure Shell): A protocol used to securely access and manage remote systems — commonly used by admins and attackers alike.

    • Vulnerabilities like RegreSSHion (CVE-2024-6387) have exposed SSH to attacks, demonstrating the risk of unauthorized access when the protocol is improperly configured.

  • System: The interconnected set of hardware, software, networks, and processes that work together to perform specific functions or support operations within an organization. This includes endpoints, applications, cloud infrastructure, and internal networks.


Tt

  • Technical debt: The accumulated impact of shortcuts, legacy systems, and deferred fixes, which often lead to long-term risk and operational cost.

  • Telnet: An outdated, insecure protocol for accessing remote systems — largely replaced by SSH.

  • Traffic: The flow of data or requests across a network, including web traffic, email, and API calls. Monitoring and analyzing traffic is essential for detecting anomalies and potential security threats, such as DDoS attacks or unauthorized access attempts.


Uu

  • UBA (User Behavior Analytics): Tools that monitor user behavior to detect abnormal activities that may indicate insider threats, data breaches, or compromised accounts. For example, a sudden spike in file access or login attempts from unusual locations could trigger alerts.

    • UBA tools, like Sumo Logic and Exabeam, provide organizations with insights into suspicious user behaviors, enabling proactive threat detection and incident response.

  • Un-patchable Vulnerability: A security flaw that cannot be resolved through traditional patching due to design limitations, lack of vendor support, or the impact on required functionality. 

    • Exposure in these cases must be managed through alternative strategies, such as device isolation, configuration adjustments, and enhanced access controls.


Vv

  • VA (Vulnerability Assessment): A process of scanning and identifying potential vulnerabilities in systems, applications, and networks to assess an organization’s security posture.

    • Tools like Nessus and Qualys are commonly used to run vulnerability scans that detect these flaws, allowing organizations to prioritize remediation efforts based on the severity of the vulnerabilities discovered.

  • VDI (Virtual Desktop Infrastructure): A technology that allows organizations to host and manage desktop environments on centralized servers, offering remote access to virtualized desktops for users. This setup enhances security by providing a consistent and controlled desktop experience.

    • A key component is the use of golden images to ensure uniform security configurations, software versions, and updates across all users, reducing the risk of security breaches.

  • Virus: A type of malware that replicates by infecting files or programs, often spreading across systems. 

    • Famous viruses include ILOVEYOU (2000), which caused billions in damage, and Conficker (2008), which exploited Windows vulnerabilities to infect millions of machines. 

  • VM (Virtual Machine): A virtualized environment that mimics a physical computer, allowing users to run an operating system and applications as if they were on a physical machine.

    • Cloud instances (such as AWS EC2 or Azure VMs) are virtual machines hosted in a cloud environment; VMs in general can be hosted either on on-premises servers or on cloud platforms.

    • VMs are widely used in cybersecurity for testing malicious code, isolating risky environments, and hosting secure applications in cloud environments.

  • VTY (Virtual Teletype): Virtual command-line interfaces used to remotely access and manage network devices like routers and switches, typically via SSH or Telnet.

    • While essential for administrative control, VTY lines are a common source of misconfigurations, such as weak access controls, missing timeouts, or unrestricted login permissions. These oversights can create major security gaps, often exploited in network breaches. 

  • Vulnerability: Any design defect in software, hardware, or configuration that can be exploited by attackers to gain unauthorized access, disrupt operations, or steal data. Many known vulnerabilities are catalogued under a CVE identifier.


Ww

  • Whitehat: An ethical hacker who uses their skills to help organizations improve security — by identifying vulnerabilities, testing defenses, and reporting weaknesses before malicious actors can exploit them.

    • Whitehats are often employed in roles like penetration testing or work through bug bounty programs. 

  • Whitelisting: The cybersecurity equivalent of a very exclusive guest list. A strategy where only pre-approved software or users are permitted, helping block unknown or malicious code. The opposite of blacklisting, this is where "deny by default" becomes the rule.


Xx

  • XDR (Extended Detection and Response): A cybersecurity solution that unifies detection and response across multiple security layers — including endpoints, networks, cloud, and email — to provide a broader, more coordinated view of threats.

    • Unlike EDR, which focuses solely on endpoint data, XDR aggregates and correlates data from multiple sources, enabling faster threat detection, streamlined investigations, and more effective response.

  • XSS (cross-site scripting): A type of security vulnerability that allows attackers to inject malicious scripts into web pages viewed by others. Typically exploited through browser extensions, XSS enables attackers to steal cookies, session tokens, or other sensitive information, or even execute actions on behalf of a user without their consent.


Yy

  • YAML: A human-readable data serialization language often used for configuration files and data storage. YAML is widely used in modern application development and infrastructure as code (IaC) tools. However, if misconfigured or improperly handled, it can be a source of security misconfigurations or vulnerabilities, such as injection attacks.


Zz

  • Zero-day: A newly discovered vulnerability that has not yet been patched. It represents a critical threat due to the lack of defense. 

  • Zero trust: A security model where trust is never assumed, and access is verified at every stage, regardless of the user's location or device.

    • By enforcing strict access controls and continuous monitoring, Zero Trust minimizes the risk of internal and external threats.

Knowledge is Power: Understanding Key Cybersecurity Terms

At GYTPOL, we believe clarity drives action. Commanding the language of cybersecurity isn't just about information; it's also a tool to empower you.

Our glossary is designed to equip decision-makers with the language and background needed to lead successfully in a high-stakes, high-complexity landscape. From board discussions to budget planning to incident response, knowing these terms gives you the confidence to drive change, reduce risk, and demand better from your teams and tools.



About Author


Linda Ivri

Fueled by curiosity, Linda is a senior marketer who thrives on decoding the complex challenges where cybersecurity meets business operations.
