Cybersecurity Glossary — Key Terms Explained

The NIST Computer Security Resource Center (CSRC) Glossary defines over 4,000 cybersecurity and privacy terms drawn from NIST publications, CNSSI documents, and federal standards — making it the authoritative reference for information security terminology used by governments and industry worldwide.

This glossary defines 50+ cybersecurity terms in plain language. It is written for career changers and beginners who want clear, jargon-free explanations.

Each term links to the relevant course page where one exists, so you can go deeper on any topic. Bookmark this page and come back whenever you hit an unfamiliar term during your studies.


AES (Advanced Encryption Standard)

AES is a symmetric encryption algorithm used worldwide to protect data. “Symmetric” means the same key encrypts and decrypts the data. AES-256 (256-bit key) is the standard used by governments, banks, and VPNs. (See: Cryptography Basics)

APT (Advanced Persistent Threat)

An APT is a prolonged, targeted cyberattack where an attacker gains access to a network and remains undetected for months or years. APTs are usually backed by nation-states or well-funded criminal groups and target high-value organisations like governments, defence contractors, and critical infrastructure. (See: Threat Landscape)

Attack Surface

The attack surface is the full set of points where an attacker could try to enter a system or extract data from it. Every open port, public-facing web page, API endpoint, and user account is part of your attack surface. Reducing it is one of the first steps in hardening any environment. (See: Security Concepts)

Authentication

Authentication is the process of proving you are who you claim to be. Common methods include passwords, fingerprint scans, and one-time codes sent to your phone. Authentication answers the question “Who are you?” (See: Identity and Access Management)

Authorization

Authorization determines what an authenticated user is allowed to do. After a system confirms your identity (authentication), authorization decides which files, features, or data you can access. Think of authentication as showing your ID at the door, and authorization as the list of rooms you are allowed to enter. (See: Identity and Access Management)


Backdoor

A backdoor is a hidden method of bypassing normal authentication to gain access to a system. Attackers install backdoors after an initial compromise so they can return later without being noticed. Some backdoors are also built intentionally into software by developers for maintenance, which creates risk if discovered by attackers. (See: Malware Threats)

Black Hat

A black hat is a hacker who breaks into systems without permission, usually for personal gain, theft, or disruption. The term comes from old Western films where villains wore black hats. Black hat activity is illegal regardless of the attacker’s skill level. (See: Ethical Hacking Intro)

Blue Team

The blue team is the defensive side of cybersecurity. Blue team members monitor networks, detect threats, respond to incidents, and strengthen defences. If you work in a Security Operations Centre (SOC), you are on the blue team. (See: Career Paths)

Botnet

A botnet is a network of compromised computers (called “bots” or “zombies”) controlled remotely by an attacker. Botnets are commonly used to launch DDoS attacks, send spam, or mine cryptocurrency. The owners of the infected machines usually have no idea their computers are part of a botnet. (See: Malware Threats)

Brute Force Attack

A brute force attack tries every possible combination of characters until it finds the correct password or encryption key. It is the simplest form of password cracking and is effective against short or weak passwords. Strong passwords and account lockout policies are the main defences. (See: Security Concepts)

Bug Bounty

A bug bounty is a reward offered by a company to anyone who finds and responsibly reports a security vulnerability in their systems. Bug bounty programs give ethical hackers a legal way to test real-world applications and get paid for it. Platforms like HackerOne and Bugcrowd host thousands of programs. (See: Ethical Hacking Intro)


CIA Triad

The CIA triad is the foundation of information security. It stands for Confidentiality (only authorised people see the data), Integrity (data has not been tampered with), and Availability (data and systems are accessible when needed). Every security decision maps back to one or more of these three goals. (See: Security Concepts)

CVSS (Common Vulnerability Scoring System)

CVSS is a standardised way to rate the severity of a security vulnerability on a scale from 0.0 to 10.0. A score of 9.0 or above is considered critical. Security teams use CVSS scores to prioritise which vulnerabilities to fix first. (See: Vulnerability Analysis)

CVE (Common Vulnerabilities and Exposures)

A CVE is a unique identifier assigned to a publicly known security vulnerability, such as CVE-2024-12345. The CVE system, maintained by MITRE, gives everyone a common language to refer to the same vulnerability. When a vendor publishes a patch, they reference the CVE it fixes. (See: Vulnerability Analysis)

Cryptography

Cryptography is the practice of securing information by transforming it into an unreadable format that only authorised parties can decode. It protects data in transit (like HTTPS) and data at rest (like encrypted hard drives). Modern cryptography underpins everything from online banking to messaging apps. (See: Cryptography Basics)

Cyber Kill Chain

The Cyber Kill Chain is a 7-stage model developed by Lockheed Martin that describes the steps an attacker follows during a cyberattack: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. Defenders use it to identify and break the attack at any stage. (See: Cyber Kill Chain)


DDoS (Distributed Denial of Service)

A DDoS attack floods a target server or network with so much traffic that it becomes unavailable to legitimate users. “Distributed” means the attack comes from many compromised machines at once (a botnet), making it harder to block than a single-source attack. (See: DoS and DDoS Attacks)

DNS (Domain Name System)

DNS translates human-readable domain names like mycybersecuritypath.com into IP addresses that computers use to find each other. It works like a phone book for the internet. DNS is a common attack target because compromising it lets attackers redirect users to malicious sites. (See: Networking Basics)

Defense in Depth

Defense in depth is a security strategy that uses multiple layers of protection so that if one layer fails, others still stand. For example, a system might use a firewall, antivirus, intrusion detection, encryption, and user training together. No single control is expected to stop every attack. (See: Security Concepts)

Digital Certificate

A digital certificate is an electronic document that proves the identity of a website, person, or device. When you see the padlock icon in your browser, the website has a valid certificate issued by a trusted Certificate Authority (CA). Certificates are a key part of PKI and SSL/TLS. (See: Cryptography Basics)

DMZ (Demilitarised Zone)

In networking, a DMZ is a separate network segment that sits between a trusted internal network and the untrusted internet. Public-facing servers like web servers and email servers are placed in the DMZ so that if they are compromised, the attacker still cannot directly reach the internal network. (See: Networking Basics)


Encryption

Encryption is the process of converting readable data (plaintext) into an unreadable format (ciphertext) using an algorithm and a key. Only someone with the correct key can decrypt it back to plaintext. Encryption protects data both in transit (like emails) and at rest (like files on a hard drive). (See: Cryptography Basics)

Endpoint

An endpoint is any device that connects to a network — laptops, desktops, smartphones, tablets, and servers. Endpoints are frequent attack targets because they are where users interact with data. Endpoint detection and response (EDR) tools monitor these devices for suspicious activity.

Enumeration

Enumeration is the process of actively extracting information from a target system, such as usernames, network shares, services, and configuration details. It goes beyond passive scanning and typically happens after an attacker has some initial access or visibility. (See: Enumeration)

Ethical Hacking

Ethical hacking is the practice of testing systems for vulnerabilities with the owner’s explicit permission. Ethical hackers (also called white hats or penetration testers) use the same techniques as malicious hackers but report what they find so it can be fixed. It is a legitimate and well-paid career path (source: BLS Occupational Outlook Handbook, as of 2025). (See: Ethical Hacking Intro)

Exploit

An exploit is a piece of code, software, or technique that takes advantage of a vulnerability to gain unauthorised access or cause harm. Exploits can be packaged into tools (like Metasploit modules) or delivered via malicious documents, websites, or network packets. (See: Vulnerability Analysis)


Firewall

A firewall is a network security device (hardware or software) that monitors and controls incoming and outgoing network traffic based on predefined rules. It acts as a barrier between a trusted internal network and untrusted external networks. Firewalls are one of the oldest and most fundamental security controls. (See: Networking Basics)

Footprinting

Footprinting is the first phase of ethical hacking where you gather publicly available information about a target — domain names, IP addresses, employee names, technologies used, and more. It is a passive activity that does not involve direct interaction with the target’s systems. (See: Footprinting)

Forensics (Digital Forensics)

Digital forensics is the process of collecting, preserving, and analysing electronic evidence after a security incident. Forensic investigators follow strict procedures to ensure evidence is admissible in court. Common tasks include disk imaging, log analysis, and malware reverse engineering. (See: Incident Response)


GRC (Governance, Risk, and Compliance)

GRC is a framework that aligns security practices with business goals, manages risk, and ensures the organisation meets legal and regulatory requirements. GRC roles are among the most accessible entry points into cybersecurity for career changers because they rely heavily on communication, policy writing, and process management rather than deep technical skills. (See: Career Paths)

Grey Hat

A grey hat hacker operates between black hat and white hat. They may find vulnerabilities without permission but disclose them to the organisation rather than exploit them for profit. Grey hat activity is still legally risky because accessing systems without authorisation is illegal in most jurisdictions, even if the intent is to help. (See: Ethical Hacking Intro)


Hashing

Hashing is a one-way function that converts data into a fixed-length string of characters (a hash). Unlike encryption, hashing cannot be reversed. It is used to verify file integrity, store passwords securely, and detect tampering. Common algorithms include SHA-256 and MD5, although MD5 is now considered broken and should not be relied on for security purposes. (See: Cryptography Basics)

Honeypot

A honeypot is a decoy system designed to look like a real target to attract attackers. Security teams use honeypots to study attack methods, detect intrusions early, and divert attackers away from real assets. A network of honeypots is called a honeynet.

HTTP/HTTPS

HTTP (Hypertext Transfer Protocol) is the protocol browsers use to request and display web pages. HTTPS adds encryption via SSL/TLS, protecting data in transit between your browser and the server. The padlock icon in your browser indicates an HTTPS connection. Any site handling logins or personal data should use HTTPS. (See: Networking Basics)


IDS/IPS (Intrusion Detection/Prevention System)

An IDS monitors network traffic for suspicious activity and sends alerts. An IPS does the same but can also automatically block the malicious traffic. They are often deployed alongside firewalls to add another layer of defence. (See: IDS Evasion)

Incident Response

Incident response is the structured process an organisation follows when a security breach or attack occurs. It typically includes preparation, identification, containment, eradication, recovery, and lessons learned. Having a plan before an incident happens is critical — you do not want to figure out the process while under attack. (See: Incident Response)

IoC (Indicator of Compromise)

An IoC is a piece of evidence that a security breach has occurred. Examples include unusual outbound network traffic, unexpected file changes, login attempts from unfamiliar locations, and known malicious IP addresses. Security teams use IoCs to detect, investigate, and respond to incidents. (See: Incident Response)


Keylogger

A keylogger is a type of malware or hardware device that records every keystroke a user types. Attackers use keyloggers to capture passwords, credit card numbers, and private messages. They can be installed through phishing emails, malicious downloads, or physical access to a device. (See: Malware Threats)

Kill Chain

See Cyber Kill Chain above. The term “kill chain” originated in military strategy and was adapted for cybersecurity by Lockheed Martin to describe the stages of a cyberattack. (See: Cyber Kill Chain)


Lateral Movement

Lateral movement is when an attacker who has compromised one system moves through the network to access other systems and escalate their privileges. It is a key phase in APT attacks. Detecting lateral movement requires monitoring internal traffic, not just perimeter defences. (See: Threat Landscape)

Least Privilege

The principle of least privilege means giving users and systems only the minimum level of access they need to do their job — nothing more. If an account is compromised, least privilege limits the damage the attacker can do. It is a foundational concept in both security architecture and compliance. (See: Security Concepts)


Malware

Malware is any software intentionally designed to cause damage, steal data, or gain unauthorised access. It includes viruses, worms, trojans, ransomware, spyware, and more. Malware is one of the most common threats and is often delivered through phishing emails or compromised websites. (See: Malware Threats)

MFA (Multi-Factor Authentication)

MFA requires two or more verification factors to prove your identity, drawn from different categories: something you know (password), something you have (phone or security key), and something you are (fingerprint). MFA dramatically reduces the risk of account compromise because a stolen password alone is not enough. (See: Identity and Access Management)

MITRE ATT&CK

MITRE ATT&CK is a publicly available knowledge base of attacker tactics and techniques based on real-world observations. Security teams use it to understand how attackers operate, test their defences, and improve detection. It organises techniques into categories like Initial Access, Execution, Persistence, and Exfiltration. (See: Threat Landscape)


Nmap

Nmap (Network Mapper) is a free, open-source tool used for network discovery and security auditing. It scans networks to find live hosts, open ports, running services, and operating systems. Nmap is one of the first tools every cybersecurity student learns. (See: Nmap)

Network Scanning

Network scanning is the process of identifying live hosts, open ports, and services on a network. It is a key step in both ethical hacking and defensive security. Tools like Nmap and Masscan are commonly used for network scanning. (See: Scanning Networks)


OSINT (Open Source Intelligence)

OSINT is the practice of collecting information from publicly available sources — websites, social media, public records, DNS records, and more. In cybersecurity, OSINT is used during footprinting and reconnaissance to learn about a target without directly interacting with their systems. (See: Footprinting)

OSI Model

The OSI (Open Systems Interconnection) model is a 7-layer framework that describes how data moves across a network: Physical, Data Link, Network, Transport, Session, Presentation, and Application. It helps you understand where different security tools and attacks operate. For example, firewalls typically work at Layers 3-4, while web application firewalls work at Layer 7. (See: OSI and TCP/IP Models)

OWASP (Open Web Application Security Project)

OWASP is a nonprofit organisation that produces free resources for web application security. Their OWASP Top 10 list is the most widely referenced guide to critical web application security risks, including injection, broken authentication, and cross-site scripting. (See: Web App Hacking)


Patch Management

Patch management is the process of regularly updating software and systems to fix known vulnerabilities. Many major breaches happen because organisations fail to apply patches that have been available for months. A solid patch management process is one of the most effective defences.

Penetration Testing

Penetration testing (pen testing) is a simulated cyberattack performed with authorisation to evaluate the security of a system. Pen testers follow a structured methodology: planning, reconnaissance, scanning, exploitation, post-exploitation, and reporting. It is one of the most in-demand cybersecurity roles. (See: Penetration Testing Basics)

Phishing

Phishing is a social engineering attack where an attacker sends a fraudulent message (usually email) designed to trick the recipient into revealing sensitive information or clicking a malicious link. Spear phishing targets a specific individual, and whaling targets executives. Phishing is the number one initial attack vector in most breaches. (See: Social Engineering)

PKI (Public Key Infrastructure)

PKI is the framework of policies, hardware, software, and procedures used to create, manage, and revoke digital certificates. It enables secure communication over the internet by binding public keys to identities. When your browser verifies a website’s HTTPS certificate, PKI is working behind the scenes. (See: Cryptography Basics)

Privilege Escalation

Privilege escalation is the act of exploiting a vulnerability to gain higher-level permissions than originally granted. Vertical escalation means going from a regular user to an administrator. Horizontal escalation means accessing another user’s account at the same level. It is a critical step in most attack chains. (See: System Hacking)

Port Scanning

Port scanning is the process of sending packets to specific ports on a target to determine which ones are open, closed, or filtered. Open ports indicate running services that may be vulnerable. It is one of the earliest steps in both ethical hacking and defensive auditing. (See: Scanning Networks)


Ransomware

Ransomware is malware that encrypts a victim’s files and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware attacks often include data theft and a threat to publish stolen data if the ransom is not paid (“double extortion”). Ransomware is one of the most damaging and common threats today. (See: Malware Threats)

Red Team

The red team is the offensive side of cybersecurity. Red team members simulate real-world attacks against an organisation to test its defences. Unlike a standard penetration test, a red team engagement is broader in scope and may include social engineering, physical access attempts, and long-term persistent access. (See: Career Paths)

Risk Assessment

A risk assessment identifies, analyses, and prioritises threats to an organisation’s assets. It answers three questions: What could go wrong? How likely is it? How bad would it be? Risk assessments guide where to invest security resources for the greatest impact. (See: Risk Management)

Rootkit

A rootkit is malware designed to hide its presence and maintain persistent, privileged access to a system. Rootkits can modify the operating system itself, making them extremely difficult to detect with standard antivirus tools. Removing a rootkit often requires reinstalling the operating system. (See: Malware Threats)

RSA

RSA is an asymmetric encryption algorithm that uses a pair of keys — a public key for encryption and a private key for decryption. It is widely used for secure data transmission, digital signatures, and key exchange. RSA is named after its creators: Rivest, Shamir, and Adleman. (See: Cryptography Basics)


SIEM (Security Information and Event Management)

A SIEM collects and analyses log data from across an organisation’s systems in real time to detect security threats. It correlates events from firewalls, servers, endpoints, and applications to identify patterns that indicate an attack. SIEM platforms like Splunk and Microsoft Sentinel are core tools in any SOC. (See: Career Paths)

Sniffing

Sniffing is the practice of capturing and analysing network traffic as it passes through a network. Legitimate uses include troubleshooting and security monitoring. Malicious sniffing intercepts unencrypted data like passwords and emails. Tools like Wireshark are used for both purposes. (See: Sniffing)

Social Engineering

Social engineering is the art of manipulating people into giving up confidential information or performing actions that compromise security. It exploits human psychology rather than technical vulnerabilities. Phishing, pretexting, baiting, and tailgating are all forms of social engineering. (See: Social Engineering)

SOC (Security Operations Centre)

A SOC is a centralised team (and often a physical facility) responsible for monitoring, detecting, and responding to security incidents 24/7. SOC analysts are the front line of an organisation’s defence. It is one of the most common entry-level cybersecurity roles. (See: Career Paths)

SQL Injection

SQL injection is a web application vulnerability where an attacker inserts malicious SQL code into an input field to manipulate the database behind the application. It can allow attackers to read, modify, or delete data, bypass authentication, or even execute commands on the server. It is consistently in the OWASP Top 10. (See: SQL Injection)

SSL/TLS

SSL (Secure Sockets Layer) and its successor TLS (Transport Layer Security) are cryptographic protocols that encrypt data in transit between a client and a server. TLS is what makes HTTPS work. SSL is technically deprecated, but the term “SSL” is still widely used to refer to both. (See: Cryptography Basics)


TCP/IP

TCP/IP (Transmission Control Protocol/Internet Protocol) is the foundational protocol suite that powers the internet. TCP handles reliable data delivery, and IP handles addressing and routing. Understanding TCP/IP is essential for network security, traffic analysis, and firewall configuration. (See: OSI and TCP/IP Models)

Threat Actor

A threat actor is any individual or group that poses a threat to cybersecurity. Categories include nation-states, organised crime groups, hacktivists, insiders, and script kiddies. Understanding who your threat actors are helps determine what defences you need. (See: Threat Landscape)

Threat Vector

A threat vector is the path or method an attacker uses to reach a target. Common threat vectors include email (phishing), web browsers (drive-by downloads), removable media (USB drives), and network services (exploiting open ports). Reducing threat vectors reduces your overall risk.

Trojan

A trojan (or trojan horse) is malware disguised as legitimate software. Unlike viruses and worms, trojans do not replicate themselves — they rely on users to install them. Once running, a trojan can open backdoors, steal data, or download additional malware. (See: Malware Threats)

Two-Factor Authentication (2FA)

Two-factor authentication is a subset of MFA that requires exactly two verification factors. The most common combination is a password plus a one-time code from an authenticator app or SMS. Enabling 2FA on every account that supports it is one of the simplest and most effective security steps you can take. (See: Identity and Access Management)


VPN (Virtual Private Network)

A VPN creates an encrypted tunnel between your device and a remote server, hiding your IP address and protecting your data from eavesdropping on public networks. In corporate settings, VPNs allow remote employees to securely access internal resources. (See: Networking Basics)

Vulnerability

A vulnerability is a weakness in a system, application, or process that an attacker could exploit. Vulnerabilities can exist in software code, configurations, hardware, or human behaviour. The goal of vulnerability management is to find and fix these weaknesses before attackers do. (See: Vulnerability Analysis)

Vulnerability Scanning

Vulnerability scanning uses automated tools to identify known vulnerabilities in systems, applications, and network devices. Tools like Nessus, OpenVAS, and Qualys compare your systems against databases of known vulnerabilities and produce reports ranked by severity. (See: Vulnerability Analysis)


White Hat

A white hat is a hacker who uses their skills ethically and legally, with the target’s permission. White hat hackers include penetration testers, security researchers, and bug bounty hunters. White hat hacking is a well-respected and growing career field. (See: Ethical Hacking Intro)

Wireshark

Wireshark is a free, open-source network protocol analyser used to capture and inspect network traffic in real time. It is the most widely used tool for network troubleshooting, security analysis, and learning how protocols work. (See: Wireshark)

Worm

A worm is a type of malware that replicates itself and spreads across networks without any user interaction. Unlike viruses, worms do not need to attach to a host file. Famous examples include WannaCry and Conficker. Worms can cause massive damage by consuming bandwidth and overwhelming systems. (See: Malware Threats)


XSS (Cross-Site Scripting)

XSS is a web application vulnerability where an attacker injects malicious scripts into web pages viewed by other users. The script runs in the victim’s browser and can steal session cookies, redirect users, or deface websites. XSS is one of the most common web vulnerabilities and appears regularly in the OWASP Top 10. (See: Web App Hacking)


Zero-Day

A zero-day is a vulnerability that is unknown to the software vendor and has no patch available. “Zero-day” refers to the fact that the vendor has had zero days to fix it. Zero-day exploits are extremely valuable both on the black market and in bug bounty programs because there is no defence until a patch is released. (See: Vulnerability Analysis)

Zero Trust

Zero Trust is a security model based on the principle “never trust, always verify.” Instead of assuming that anything inside the corporate network is safe, Zero Trust requires continuous verification of every user, device, and connection — regardless of location. It is the dominant security architecture trend in modern organisations. (See: Security Concepts)


Frequently Asked Questions

What is the CIA triad in cybersecurity?

The CIA triad stands for Confidentiality, Integrity, and Availability. It is the foundational model for information security. Confidentiality means only authorised people can access data, Integrity means data has not been tampered with, and Availability means systems are accessible when needed.

What is a zero-day vulnerability?

A zero-day vulnerability is a security flaw that is unknown to the software vendor and has no patch available. Attackers can exploit it before anyone knows it exists, which makes zero-days extremely dangerous and valuable.

What is the difference between authentication and authorization?

Authentication verifies who you are (proving your identity with a password, fingerprint, etc.). Authorization determines what you are allowed to do after your identity is confirmed (which files, systems, or features you can access).

What is phishing in cybersecurity?

Phishing is a social engineering attack where an attacker sends a fraudulent message — usually an email — designed to trick you into revealing passwords, clicking malicious links, or downloading malware. It is the most common initial attack vector in cyberattacks.

What is a SIEM and why is it important?

A SIEM (Security Information and Event Management) collects and analyses log data from across an organisation's systems to detect security threats in real time. It is a core tool in Security Operations Centres and helps analysts spot attacks that individual tools might miss.

What does a SOC analyst do?

A SOC (Security Operations Centre) analyst monitors an organisation's networks and systems for security threats 24/7. They investigate alerts, respond to incidents, and escalate serious threats. It is one of the most common entry-level roles in cybersecurity.

What is the difference between a virus and a worm?

A virus attaches to a host file and requires user interaction to spread (like opening an infected document). A worm is self-replicating and spreads across networks automatically without any user action, which often makes worms spread faster and cause more widespread damage.

What is penetration testing?

Penetration testing is a simulated cyberattack performed with the target organisation's permission to identify security weaknesses. Pen testers use the same tools and techniques as real attackers, then report their findings so vulnerabilities can be fixed before a real attack occurs.

What is the MITRE ATT&CK framework?

MITRE ATT&CK is a publicly available knowledge base that catalogues real-world attacker tactics and techniques. Security teams use it to understand how attacks work, test their defences, and improve detection capabilities. It is widely used across the industry.

What is Zero Trust security?

Zero Trust is a security model based on the principle of never trust, always verify. It requires continuous verification of every user, device, and network connection regardless of whether they are inside or outside the corporate network. It replaces the older approach of trusting everything inside the firewall.


Glossary definitions verified against NIST CSRC Glossary, CompTIA Security+ SY0-701 exam objectives, and OWASP documentation. Salary data sourced from BLS Occupational Outlook Handbook as of 2025. Individual results vary based on background, effort, and market conditions.