Cybrove

Cybersecurity glossary

Every security term you'll encounter, explained in plain English.

A

API Key

General

A secret token used to authenticate with an API. Leaked API keys can give attackers full access to the connected service.

Attack Path

Network

A step-by-step route an attacker could take through your systems to reach a valuable target like a database or secrets vault.

Attack Surface

Scanning

Everything about your systems that is exposed to the internet and could potentially be targeted by an attacker.

B

Blast Radius

Network

How much damage an attacker could do from a single entry point — how many systems they could reach.

C

Centrality

Network

How critical an asset is in your network — assets with high centrality appear on many attack paths.

CIDR

Network

A notation for IP address ranges. For example, 10.0.0.0/24 represents 256 addresses from 10.0.0.0 to 10.0.0.255.

Cipher Suite

SSL/TLS

The combination of encryption algorithms used for a secure connection. Weak cipher suites can be broken by attackers.

Click Rate

Phishing

The percentage of people who clicked a link in a phishing test email. Lower is better.

Compliance Control

Compliance

A specific security requirement from a framework. For example, SOC 2 CC6 requires logical and physical access controls.

CVE

Vulnerability

A publicly known cybersecurity vulnerability with a unique ID (Common Vulnerabilities and Exposures). Example: CVE-2024-21762.

CVSS

Vulnerability

A number from 0 to 10 rating how dangerous a vulnerability is. 9-10 is critical, 7-8.9 is high, 4-6.9 is medium, below 4 is low.

CVSS Score

Vulnerability

A number from 0 to 10 rating how dangerous a vulnerability is. 9-10 is critical, 7-8.9 is high, 4-6.9 is medium, below 4 is low.

D

DKIM

Network

DomainKeys Identified Mail — email authentication using digital signatures to verify emails haven't been altered.

DMARC

Network

Domain-based Message Authentication — a policy telling email providers what to do with messages failing SPF or DKIM.

DNS

Network

Domain Name System — translates domain names (example.com) into IP addresses.

E

Entry Point

Network

An internet-facing system where an attacker would begin their attack, such as a web server or API endpoint.

I

ISO 27001

Compliance

An international standard for information security management systems. Certification demonstrates that an organization meets a globally recognized security standard.

L

Lateral Movement

Network

When an attacker moves from one compromised system to another within your network, expanding their access.

M

MFA

General

Multi-Factor Authentication — requiring a second verification step (like a phone code) in addition to a password.

O

OAuth

Identity

An authorization protocol that lets users grant third-party apps limited access to their accounts without sharing passwords.

P

Phishing

Phishing

A social engineering attack using fake emails or websites to trick people into revealing passwords or sensitive data.

PKCE

Identity

Proof Key for Code Exchange — a security extension for OAuth that prevents authorization code interception attacks.

Port

Scanning

A numbered endpoint on a server where a specific service listens. For example, port 443 is HTTPS, port 22 is SSH, port 3306 is MySQL.

Privilege Escalation

Identity

When an attacker with limited access finds a way to gain higher-level permissions, like going from user to admin.

R

RBAC

General

Role-Based Access Control — assigning permissions based on a user's role (Admin, Analyst, Viewer) rather than per individual.

RCE

Vulnerability

Remote Code Execution — an attacker can run commands on your server from anywhere on the internet. One of the most dangerous vulnerability types.

Report Rate

Phishing

The percentage of people who correctly reported a phishing test email as suspicious. Higher is better.

S

SAML

Identity

Security Assertion Markup Language — an XML protocol for exchanging authentication data between identity providers and services.

Scan Preset

Scanning

A pre-configured set of scan options. Quick is fast but basic, Standard covers most issues, Deep is the most thorough.

Score Breakdown

General

The five factors of your security score: vulnerabilities, configuration, attack exposure, patch currency, and monitoring.

Security Score

General

A 0-100 rating of how secure an asset or organization is, based on vulnerabilities, configuration, and monitoring.

Self-Signed Certificate

SSL/TLS

A certificate you created yourself rather than getting from a trusted authority. Browsers don't trust these.

Service Detection

Scanning

Identifying what software is running on each open port, including its version. Outdated versions often have known vulnerabilities.

SOC 2

Compliance

Service Organization Control 2 — a compliance framework for service providers covering security, availability, and privacy.

SPF

Network

Sender Policy Framework — a DNS record specifying which mail servers can send email for your domain. Prevents spoofing.

SQL Injection

Vulnerability

An attack where malicious database commands are inserted through your application's input fields, potentially exposing all your data.

SSL Certificate

SSL/TLS

A digital certificate that enables encrypted (HTTPS) connections to your domain. Expired certificates cause browser warnings.

SSO

Identity

Single Sign-On — log in once and access multiple applications. Misconfigured SSO can allow unauthorized access.

SSRF

Vulnerability

Server-Side Request Forgery — an attack that tricks your server into making requests to internal systems it shouldn't access.

Subdomain

Scanning

A prefix to your main domain (like blog.example.com). Each subdomain can have its own server and vulnerabilities.

T

TLS

SSL/TLS

Transport Layer Security — the protocol that encrypts data between a user's browser and your server. The successor to SSL.

Token Replay

Identity

An attack where a stolen authentication token is reused by an attacker to impersonate the legitimate user.

W

Webhook

General

An automated notification sent from one system to another when a specific event occurs.

X

XSS

Vulnerability

Cross-Site Scripting — an attack that injects malicious code into web pages viewed by other users, potentially stealing their session data.

Z

Zero-day

Vulnerability

A vulnerability that has no available fix yet. Especially dangerous because attackers can exploit it before a patch is released.