Offensive Cybersecurity Glossary
Clear, self-contained definitions of pentesting, Red Team, bug bounty and compliance terms (NIS2, DORA, CRA).
- APT (Advanced Persistent Threat) — An APT is a threat actor (often state-sponsored or highly resourced) that maintains covert, prolonged access to a victim's systems for months or years, prioritizing stealth over speed.
- Attack Surface — The attack surface is the total set of points — systems, APIs, accounts, integrations — through which an attacker could try to break in or exfiltrate data from an organization; the larger and less inventoried it is, the harder to defend.
- BEC (Business Email Compromise) — BEC fraud, also called "CEO fraud", occurs when an attacker compromises or impersonates a corporate email account (often an executive's) to trick an employee into making a wire transfer or another fraudulent action.
- Black Box / White Box / Grey Box — These are the three information levels a pentest can run under: black box (no prior access or documentation, like a real external attacker), white box (full access to code and configuration) and grey box (a middle ground, with user credentials but no source code).
- Blue Team — The Blue Team is an organization's defensive team: responsible for detecting, containing and responding to intrusions, managing the SIEM/EDR, and keeping defenses operational against real or simulated attacks.
- BOLA (Broken Object Level Authorization) — BOLA is an access-control flaw where an API returns data for an object (e.g. another user's order) without checking whether the requester actually has permission over that specific object — it's #1 on the OWASP API Security Top 10.
- Bug Bounty — A bug bounty program financially rewards external security researchers for finding and reporting vulnerabilities in a company's systems, with payouts proportional to the severity of the finding.
- C2 (Command and Control) — C2 infrastructure is the channel an attacker uses to communicate with compromised systems after an intrusion: sending commands, exfiltrating data, and maintaining persistence, usually designed to evade the defensive team's detection.
- CRA (Cyber Resilience Act) — The Cyber Resilience Act (EU Regulation 2024/2847) requires manufacturers of products with digital elements to build in cybersecurity requirements by design and report actively exploited vulnerabilities to ENISA within 24 hours.
- CVE — A CVE (Common Vulnerabilities and Exposures) is a unique, public identifier assigned to a known vulnerability, letting vendors, researchers and security tools reference the same flaw unambiguously.
- CVSS — CVSS (Common Vulnerability Scoring System) is the industry standard for scoring vulnerability severity from 0 to 10, based on factors like attack complexity, required privileges, and impact on confidentiality, integrity and availability.
- Data Breach — A data breach is any security incident resulting in unauthorized access, disclosure, alteration or loss of data, especially relevant when it affects personal data subject to GDPR.
- DLP (Data Loss Prevention) — DLP policies detect and block unauthorized exfiltration of sensitive data from an organization — via email, cloud storage or third-party integrations — before a leak occurs.
- DORA — DORA (EU Regulation 2022/2554) requires European financial entities to manage ICT risk, report incidents, and — for entities designated as critical — run TLPT operational resilience tests every 3 years.
- EDR (Endpoint Detection and Response) — An EDR is a tool that monitors endpoint behavior in real time to detect malicious activity that a traditional signature-based antivirus would miss.
- ENS (National Security Framework) — The ENS is the Spanish regulatory framework (Royal Decree 311/2022) governing information system security for public administrations and their providers, with three requirement levels: basic, medium and high.
- EPSS — EPSS (Exploit Prediction Scoring System) estimates, as a 0-100% probability, the likelihood that a specific vulnerability will be actively exploited in the next 30 days — complementing CVSS, which measures severity but not real exploitation likelihood.
- GDPR — The General Data Protection Regulation governs personal data processing in the EU, requiring clear legal bases, security measures proportionate to risk, and data breach notification within 72 hours.
- Hardening — Hardening is the set of configuration measures that reduce a system's attack surface — disabling unnecessary services, applying least privilege, updating components — before an attacker can exploit it.
- IDOR (Insecure Direct Object Reference) — An IDOR occurs when an application exposes a direct reference to an internal object (a file ID, an order number) without verifying the user is authorized to access that specific object, allowing access to other users' data by changing the identifier in the request.
- ISO 27001 — ISO 27001 is the international reference standard for implementing an Information Security Management System (ISMS), certifiable through external audit.
- Kill Chain — The Kill Chain is a model describing the sequential phases of a cyberattack — reconnaissance, weaponization, delivery, exploitation, installation, C2 and actions on objectives — used to understand and break the attack as early as possible.
- Lateral movement — Lateral movement is the phase of an attack where, after compromising a first system, the attacker moves toward other systems on the internal network in search of higher privileges or the attack's final objective.
- MFA / 2FA — Multi-factor (MFA) or two-factor authentication (2FA) requires, in addition to the password, a second verification factor (an app, a security key, a one-time code) to sign in, drastically reducing the impact of a stolen or leaked password.
- MITRE ATT&CK — MITRE ATT&CK is a public knowledge base cataloging real tactics, techniques and procedures (TTPs) used by attackers, widely used as a common reference for designing Red Team exercises and detection rules.
- NIS2 — NIS2 (EU Directive 2022/2555) is the European regulation requiring essential and important entities across 18 sectors to implement risk management measures, report incidents and ensure service continuity, with fines up to €10M or 2% of global turnover.
- OSINT (Open Source Intelligence) — OSINT is the discipline of gathering information from public, open sources (social media, public records, previous leaks, metadata) to build a profile of an organization's exposed surface before an attack or an authorized exercise.
- OWASP Top 10 — The OWASP Top 10 is the world's reference list of the most critical web application security risks, periodically updated by the Open Worldwide Application Security Project, and used as the methodological basis for most web pentests.
- Penetration Testing (Pentest) — A penetration test is a simulated, authorized cyberattack against an organization's systems, carried out by an expert who actively attempts to exploit the vulnerabilities found to demonstrate real impact, not just detect them.
- Phishing — Phishing is a social engineering attack that impersonates a legitimate entity (a bank, a supplier, a colleague) via email to trick the victim into revealing credentials, data, or performing a fraudulent action.
- PoC (Proof of Concept) — A PoC is the technical evidence — a script, a screenshot, a reproducible request — proving that a reported vulnerability is genuinely exploitable, distinguishing a real finding from a false positive.
- Privilege escalation — Privilege escalation is the technique by which an attacker, starting from limited access, gains higher permissions (from standard user to administrator, for example) by exploiting a misconfiguration or system vulnerability.
- Purple Team — Purple Teaming is a collaborative way of working where the red and blue teams execute and observe attack techniques in real time, tuning detection rules on the spot, instead of operating covertly and separately.
- Ransomware — Ransomware is malware that encrypts an organization's files and demands a payment (ransom) to restore access, often combined with the threat of publishing stolen data if not paid (double extortion).
- Red Team — A Red Team is a covert, real-adversary simulation exercise: the offensive team pursues a concrete business objective combining technical, social and physical vectors, without the defensive team knowing, to measure its real detection and response capability.
- Shadow IT — Shadow IT is any system, application or automation used within an organization without the IT/security team's knowledge or approval — a growing risk with low-code tools like Power Automate or browser extensions.
- SIEM — A SIEM (Security Information and Event Management) centralizes and correlates security event logs across the whole infrastructure to detect attack patterns that would be invisible looking at each system separately.
- SOC (Security Operations Center) — A SOC is the team (in-house or outsourced) responsible for continuously monitoring, detecting and responding to security incidents, usually backed by a SIEM and incident response playbooks.
- Spear phishing — Spear phishing is targeted, personalized phishing against a specific person or organization, using real information about the victim (their role, contacts, current projects) to dramatically increase success rates over generic mass phishing.
- SQL Injection (SQLi) — A SQL injection occurs when an application inserts user input directly into a database query without sanitizing it, letting an attacker read, modify or delete data — or in severe cases, take control of the database server.
- Supply chain attack — A supply chain attack compromises a vendor, software library or third-party dependency to reach, through it, organizations that trust that component — without attacking them directly.
- Threat Intelligence (CTI) — Cyber Threat Intelligence is the analysis of data about real threat actors, campaigns and attack techniques to anticipate risks specific to a sector or organization, instead of defending generically.
- TLPT (Threat-Led Penetration Testing) — TLPT is a Red Team exercise based on real threat intelligence, run under the TIBER-EU framework, that the DORA Regulation requires every 3 years from financial entities designated as critical in the EU.
- TTPs (Tactics, Techniques and Procedures) — TTPs describe a threat actor's behavior at three levels: the tactic (the goal, e.g. lateral movement), the technique (the method used) and the procedure (that specific actor's specific implementation of the technique).
- VDP (Vulnerability Disclosure Program) — A VDP is a formal responsible disclosure channel: it defines how and where researchers can report security flaws and what to expect in return, without offering monetary rewards like a bug bounty.
- Vishing and Smishing — Vishing is voice-call phishing and smishing is SMS phishing — both pursue the same goal as email phishing (obtaining credentials or data) but through channels that raise less suspicion for some users.
- Vulnerability triage — Triage is the process of validating, prioritizing and discarding incoming vulnerability reports (from bug bounty, VDP or internal channels) before they reach the development team, separating real, critical findings from noise and false positives.
- WAF (Web Application Firewall) — A WAF filters and monitors HTTP traffic to a web application to block known attack patterns (SQLi, XSS), though it doesn't replace a pentest: it doesn't catch business logic flaws or application-specific vulnerabilities.
- XSS (Cross-Site Scripting) — XSS is a vulnerability that lets an attacker inject malicious JavaScript into a web page viewed by other users, potentially stealing sessions, credentials, or performing actions on their behalf.
- Zero-day — A zero-day vulnerability is a security flaw unknown to the software vendor at the time it is discovered or exploited, meaning no patch exists yet.