A
Account Takeover (ATO):
When attackers steal or guess login credentials and impersonate a user.
Adversary in the Middle (AiTM):
Intercepting and altering communication between two parties.
Azure AD (Microsoft Entra ID):
Microsoft’s identity system for Office 365, Windows devices, and enterprise apps.
B
Backups:
Copies of data stored separately for recovery after an incident.
Baiting:
Offering something enticing to trick someone into a harmful action.
BEC (Business Email Compromise):
Impersonating executives or vendors to redirect payments.
BitB (Browser in the Browser):
A fake login window that looks identical to a real one.
Blue Team:
The defenders who monitor, detect, and respond to attacks.
Brute Force Attack:
Trying many password combinations until one works.
C
C2 Channels (Command and Control):
The communication link attackers use to control compromised systems.
Clickjacking:
Tricking someone into clicking something different from what they see.
Cloud Buckets:
Online storage containers that often get exposed when misconfigured.
Confidential Computing:
Protecting data while it’s being processed inside secure, isolated hardware.
Consent Phishing:
Tricking users into granting a malicious app access to email, files, or cloud data.
CSP Rules (Content Security Policy):
Browser rules that control what a webpage can load and which sites can embed it.
Continuous Authentication:
Continuously verifying identity based on behavior, device signals, and risk.
Credential Access:
When attackers obtain login information to impersonate users.
Credential Stuffing:
Using stolen passwords from one site to break into another.
CVE:
A standardized ID number for known software vulnerabilities.
Cyber Kill Chain:
A model describing the stages of a cyberattack.
D
Data Encryption:
Scrambling data so only authorized parties can read it.
Data Exfiltration:
Stealing or transferring sensitive data out of an organization.
Deception Technology:
Using fake systems, data, and credentials to mislead attackers and detect them early.
Deepfake (Voice/Video):
AI‑generated impersonations used to deceive or manipulate.
Defense Evasion:
Techniques attackers use to hide from security tools and avoid detection.
DFIR (Digital Forensics & Incident Response):
Investigating what happened, how it happened, and what the attacker did.
DNS Spoofing:
Redirecting users to fake websites by tampering with DNS.
Domain Impersonation:
Creating a domain that looks legitimate to trick users (different from typosquatting).
DKIM:
Adds a digital signature to emails to prove they weren’t altered.
DMARC:
Tells receiving mail servers what to do when an email fails authentication checks.
Duo:
Cisco’s identity and MFA platform.
Dwell Time:
How long an attacker stays inside a system before being detected.
E
EDR (Endpoint Detection & Response):
Security software that monitors devices for malicious behavior and suspicious activity.
Email Spoofing:
Sending emails that appear to come from someone else.
Encryption:
See Data Encryption.
Evil Proxy:
An AiTM attack in which a malicious proxy sits between the user and the real login page to capture passwords and MFA codes as they are entered.
Execution:
When an attacker runs code inside a system to begin carrying out their objectives.
Exfiltration:
See Data Exfiltration.
F
Fake MFA Portals:
Phishing pages designed to steal both passwords and MFA codes at the same time.
Federation Trust Settings:
Identity configuration that controls how authentication is shared between systems; attackers may alter it to maintain access.
Firewall:
A gatekeeper that controls what traffic is allowed in or out of a network.
Formjacking:
Injecting malicious code into web forms to steal data such as credit card numbers.
Frame Busting Headers:
Browser instructions that prevent your site from being loaded inside a hidden frame used for clickjacking.
G
GDPR:
The EU’s data protection law that governs how personal data is collected, stored, and used.
Google Identity:
Google’s login and access platform for Workspace (Gmail, Drive, Docs) and cloud applications.
H
Hardware Keys:
Physical security keys (like YubiKeys) that provide strong MFA and stop phishing attacks.
Homomorphic Encryption:
A type of encryption that allows computations on encrypted data without decrypting it.
Horizontal Privilege Escalation:
Accessing another user’s data at the same privilege level.
HIPAA:
The U.S. law that protects health information (PHI).
Honeypot:
A fake system, account, or environment designed to attract attackers.
Honeynet:
A network of honeypots working together to detect and study attackers.
I
Identity Provider (IdP):
A system that manages user authentication and issues login tokens for apps and services.
Incident Response:
The structured process for handling security incidents — who does what, in what order, and how systems are restored.
Initial Access:
How an attacker gets into a system for the first time, whether through human error, a technical weakness, or a misconfiguration.
IOC (Indicator of Compromise):
A clue that an attack has happened — such as a suspicious file, IP address, domain, or registry change.
IoT Devices:
Internet‑connected devices like sensors, cameras, smart appliances, and industrial equipment.
Identity Provider (IdP) Compromise:
When attackers break into the system that controls all logins, giving them broad access across the organization.
IdP Persistence Techniques:
Methods attackers use to maintain long‑term, stealthy access to identity platforms like Okta, Azure AD, Google Identity, or Ping.
J
JavaScript Trackers:
Scripts that track user behavior, clicks, or data on websites — often used for analytics, advertising, or session monitoring.
Just‑In‑Time (JIT) Access:
Temporary admin access granted only when needed, for a limited time, with full logging and oversight.
K
Kerberoasting:
An attack where an attacker requests an encrypted Kerberos service ticket tied to a powerful service account, then cracks it offline to recover the account’s real password.
Keylogging:
Malware or hardware that records every keystroke a user types, often used to steal passwords or sensitive information.
L
Lateral Movement:
When an attacker moves from one system, account, or environment to another inside a network after initial access.
Least Privilege:
A security principle where users and systems receive only the minimum access necessary to perform their tasks.
M
Man‑in‑the‑Middle Attack (MitM):
When an attacker secretly intercepts and possibly alters communication between two parties.
MFA (Multi‑Factor Authentication):
A login method requiring more than just a password — such as a code, app prompt, or hardware key.
MFA Fatigue:
Overwhelming a user with nonstop MFA prompts to trick them into approving one.
MITRE ATT&CK:
A global framework that catalogs attacker tactics, techniques, and procedures.
Money Mule Accounts:
Accounts used to move or launder stolen funds, often controlled by unwitting participants.
MSPs (Managed Service Providers):
Companies that manage IT systems, networks, or security for clients — often targeted by attackers to reach many victims at once.
N
Network Segmentation:
Dividing a network into smaller, isolated zones to limit attacker movement and contain breaches.
Next‑Generation Firewalls (NGFWs):
Modern firewalls that inspect traffic deeply, analyze behavior, and use threat intelligence to block attacks.
Number Matching:
An MFA method where the user must enter a number shown on the login screen into their authenticator app, reducing push‑bombing attacks.
O
OAuth:
A system that lets apps access your data without sharing your password — commonly used for “Sign in with Google/Microsoft/Apple.”
Okta:
A standalone identity platform used for authentication, MFA, SSO, and workforce identity management.
P
Packet‑Filtering Firewalls:
Basic firewalls that check source, destination, and port information to allow or block traffic.
PAM (Privileged Access Management):
Tools and processes that control, monitor, and secure high‑level administrative accounts.
Pass‑the‑Hash:
Using a stolen password hash to authenticate as a user without knowing the actual password.
Pass‑the‑Ticket:
Reusing a stolen Kerberos ticket to impersonate a user and access systems.
Password Spraying:
Trying common passwords across many accounts to avoid lockouts and find weak credentials.
Patching:
Updating software to fix vulnerabilities and security flaws before attackers exploit them.
Persistence:
Techniques attackers use to maintain long‑term access to a compromised system or identity platform.
PHI (Protected Health Information):
Health information tied to a person’s identity; protected under HIPAA.
Phishing:
A deceptive message designed to trick someone into revealing information or taking harmful action.
Phishing as a Service:
Criminals selling ready‑made phishing kits, infrastructure, and support to other attackers.
PII (Personally Identifiable Information):
Information that identifies a specific person, such as name, SSN, or address.
Ping Identity:
An enterprise identity provider used for SSO, MFA, and workforce identity management.
Privilege Escalation:
Gaining higher‑level access inside a network, often by exploiting vulnerabilities or misconfigurations.
Pretexting:
Creating a false story or identity to manipulate someone into providing information or access.
Purple Team:
Collaboration between Red Teams (attackers) and Blue Teams (defenders) to improve security.
Q
QR Code Phishing (Quishing):
Attacks that use QR codes to send victims to malicious websites or credential‑stealing pages.
Query Parameter Injection:
Manipulating URL parameters to alter application behavior or access unauthorized data.
R
Ransomware:
Malware that encrypts files or systems and demands payment for their release.
Red Team:
Security professionals who simulate real‑world attackers to test defenses.
Replay Attack:
Reusing captured authentication data (like tokens or session cookies) to impersonate a user.
Risk Assessment:
Evaluating threats, vulnerabilities, and potential impacts to determine overall risk.
Rootkit:
Malware designed to hide itself and maintain deep, stealthy access to a system.
Runtime Protection:
Security controls that monitor applications while they are running to detect malicious behavior.
S
SaaS (Software as a Service):
Cloud‑hosted applications accessed through a browser, such as Microsoft 365, Google Workspace, or Salesforce.
Sandboxing:
Running code or files in an isolated environment to safely observe behavior without risking the main system.
Scareware:
Fake alerts or pop‑ups that try to frighten users into installing malware or paying for bogus services.
Session Hijacking:
Stealing or reusing a user’s active session token to impersonate them without needing their password.
Shadow IT:
Systems, apps, or services used by employees without approval from IT or security teams.
SIEM (Security Information & Event Management):
A platform that collects logs from across an organization and analyzes them for suspicious activity.
SIM Swapping:
Taking over a victim’s phone number by tricking or bribing a carrier, often used to bypass SMS‑based MFA.
Smishing:
Phishing delivered through text messages instead of email.
Social Engineering:
Manipulating people into revealing information or performing actions that compromise security.
SOAR (Security Orchestration, Automation & Response):
Tools that automate security workflows and incident response tasks.
SPF (Sender Policy Framework):
An email authentication method that verifies which servers are allowed to send mail for a domain.
Spyware:
Malware that secretly monitors user activity and sends data to an attacker.
Supply Chain Attack:
Compromising a vendor, partner, or software provider to reach many downstream victims.
Suspicious Login:
A login attempt that deviates from normal behavior, such as unusual location, device, or time.
T
Tactics, Techniques & Procedures (TTPs):
The patterns of behavior attackers use — what they do, how they do it, and the methods behind their actions.
Threat Actor:
Any individual or group responsible for malicious cyber activity, whether criminal, state‑sponsored, or opportunistic.
Threat Intelligence:
Information about attackers, their tools, and their methods, used to improve defenses.
Token Theft:
Stealing authentication tokens (cookies, session tokens, OAuth tokens) to impersonate a user without needing their password.
Traffic Inspection:
Analyzing network traffic to detect malicious behavior or policy violations.
Typosquatting:
Registering domains that look similar to legitimate ones to trick users into visiting fake sites.
U
UEBA (User & Entity Behavior Analytics):
Tools that detect unusual behavior by users or systems, such as odd login times or abnormal data access.
Unauthorized Access:
When someone gains entry to a system, account, or data without permission.
URL Filtering:
Blocking access to malicious or inappropriate websites based on categories or threat intelligence.
USB Drop Attack:
Leaving infected USB drives in public places hoping someone will plug one into a computer.
V
Vishing:
Phishing conducted over voice calls, often using spoofed caller IDs to appear legitimate.
VLAN (Virtual Local Area Network):
A logical network segment that isolates traffic for security and performance.
VPN (Virtual Private Network):
A secure, encrypted tunnel that protects data traveling between a device and a network.
Vulnerability:
A weakness in software, hardware, or configuration that attackers can exploit.
Vulnerability Scanning:
Automated tools that search systems for known security weaknesses.
W
WAF (Web Application Firewall):
A firewall that protects web applications by filtering and monitoring HTTP traffic.
Watering Hole Attack:
Compromising a website frequently visited by a target group to infect visitors.
Whaling:
A type of phishing attack aimed at high‑profile targets like executives or administrators.
Whitelist / Allowlist:
A list of approved applications, domains, or senders that are permitted to run or communicate.
Windows Event Logs:
System logs that record security events, logins, errors, and system activity.
Worm:
Malware that spreads automatically across networks without user interaction.
X
XDR (Extended Detection & Response):
A security platform that unifies data from endpoints, identities, networks, and cloud systems to detect and stop attacks.
XML External Entity Attack (XXE):
An attack that exploits insecure XML parsers to access files, run commands, or leak sensitive data.
Y
YARA Rules:
A pattern‑matching system used by security teams to identify malware based on code signatures and behavioral traits.
YubiKey:
A physical hardware security key used for strong MFA and phishing‑resistant authentication.
Z
Zero‑Day Vulnerability:
A software flaw unknown to the vendor, giving attackers an opportunity to exploit it before a patch exists.
Zero Trust:
A security model that assumes no user, device, or network is trustworthy by default — every action must be verified.
ZTA (Zero Trust Architecture):
A framework that applies Zero Trust principles across identity, devices, networks, and applications.
Z-Wave:
A wireless communication protocol used in smart home and IoT devices, sometimes targeted due to weak configurations.