
Cybersecurity Glossary

Clear, practical definitions of the most important terms, acronyms and technologies in information security. A quick reference to understand the language of cybersecurity.

59 defined terms

APT

Advanced Persistent Threat

Threats

An APT (Advanced Persistent Threat) is a prolonged, stealthy attack in which a sophisticated actor —often backed by nation-states or organized crime— penetrates a network and stays hidden for months to steal data or spy. It requires advanced detection (EDR/XDR), threat hunting and continuous monitoring.

BEC

Business Email Compromise

Threats

BEC (Business Email Compromise) is a sophisticated fraud in which the attacker impersonates an executive or supplier to trick employees into transferring money or sensitive data. It rarely uses malware, relying instead on social engineering and fraudulent emails, which lets it evade many traditional filters.

Botnet

Threats

A Botnet is a network of devices infected with malware and remotely controlled by an attacker without their owners' knowledge. It is used to launch massive DDoS attacks, send spam, distribute malware or mine cryptocurrency. Each compromised device is called a 'bot' or 'zombie'.

Brute Force

Brute Force Attack

Threats

A Brute Force attack tries to guess passwords or encryption keys by systematically testing every possible combination until it finds the correct one. It is countered with long, complex passwords, lockout after several failed attempts and, above all, multi-factor authentication (MFA).

CASB

Cloud Access Security Broker

Cloud

A CASB (Cloud Access Security Broker) is a control point that sits between users and cloud services to enforce security policies: shadow IT visibility, data loss prevention, access control and threat detection. It is a key component of SASE architectures.

CSPM

Cloud Security Posture Management

Cloud

CSPM (Cloud Security Posture Management) is a set of tools that continuously assess cloud environment configurations to detect misconfigurations, exposures and compliance violations. It automates the detection and remediation of issues such as public buckets or excessive permissions before they are exploited.

CVE

Common Vulnerabilities and Exposures

Operations

CVE (Common Vulnerabilities and Exposures) is a standardized identification system that assigns a unique code to each publicly known security vulnerability. It helps vendors, researchers and IT teams speak the same language when prioritizing patches and managing the risk of their systems.

CVSS

Common Vulnerability Scoring System

Operations

CVSS (Common Vulnerability Scoring System) is an open standard that assigns each vulnerability a score from 0 to 10 based on its severity, considering factors such as ease of exploitation and potential impact. It helps organizations prioritize which flaws to remediate first.

DDoS

Distributed Denial of Service

Threats

A DDoS (Distributed Denial of Service) attack overwhelms a server, service or network with a massive volume of malicious traffic from thousands of compromised devices (a botnet), making it inaccessible to legitimate users. It is mitigated with web application firewalls (WAF), traffic filtering and cloud-based anti-DDoS protection services.

Deepfake

Threats

A Deepfake is synthetic content —audio, image or video— generated with artificial intelligence to convincingly impersonate a real person. It is used in fraud, disinformation and advanced social engineering attacks, such as mimicking an executive's voice to authorize fraudulent transfers.

Disaster Recovery

Continuity

Disaster Recovery (DR) is the set of policies, tools and procedures that enable restoring critical systems and data after a major incident: a cyberattack, hardware failure or natural disaster. It is measured with Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets.

DLP

Data Loss Prevention

Data

DLP (Data Loss Prevention) is a set of technologies and policies that detect and block the leakage of sensitive information —personal, financial or intellectual property data— whether by mistake, theft or malicious exfiltration. It monitors data in use, in motion and at rest, applying classification and encryption rules.

EDR

Endpoint Detection and Response

Endpoints

EDR (Endpoint Detection and Response) is a cybersecurity technology that continuously monitors endpoints —computers, servers and laptops— to detect, investigate and respond to advanced threats in real time. Unlike traditional antivirus, EDR records endpoint behavior and enables automated containment of attacks.

Encryption

Data

Encryption transforms readable data into an unintelligible format using algorithms and keys, so only whoever holds the correct key can decrypt it. It protects the confidentiality of information both at rest (stored) and in transit (over the network), and is a cornerstone of data protection.

Firewall

Networking

A firewall is a security device or software that controls inbound and outbound network traffic based on predefined rules. It acts as a barrier between trusted and untrusted networks. Next-generation firewalls (NGFW) add deep packet inspection, intrusion prevention and application control.

Hardening

Architecture

Hardening is the process of reducing a system's vulnerability by removing unnecessary services, closing ports, applying secure configurations and patches. Following guides such as the CIS Benchmarks, it leaves each server, workstation or device with the least possible exposure.

Honeypot

Decoy

Architecture

A Honeypot is a decoy system deliberately designed to lure attackers and divert them away from real assets. By interacting with it, attackers reveal their techniques, tools and origins, producing valuable intelligence and early alerts without putting production infrastructure at risk.

IAM

Identity and Access Management

Identity

IAM (Identity and Access Management) is the framework of policies and technologies that ensures the right people access the right resources at the right time. It covers user provisioning, authentication, role-based authorization and privilege review, and is the foundation of the Zero Trust model.

IDS / IPS

Intrusion Detection / Prevention System

Networking

An IDS (Intrusion Detection System) monitors network traffic for malicious activity and raises alerts, while an IPS (Intrusion Prevention System) also blocks those threats in real time. They are typically integrated into next-generation firewalls to stop exploits and known attacks.

Immutable Backup

Continuity

An Immutable Backup is a copy that cannot be modified or deleted for a defined period, not even by an administrator or by ransomware. It guarantees that a clean, recoverable version of the data always exists, becoming the last line of defense against encryption attacks.

Insider Threat

Threats

An Insider Threat comes from people with legitimate access to systems —employees, contractors or partners— who, maliciously or through negligence, compromise security. It is especially hard to detect because the actor is already inside; it is mitigated with least privilege, monitoring and DLP.

IoC

Indicator of Compromise

Operations

An IoC (Indicator of Compromise) is forensic evidence that signals a possible intrusion: malicious file hashes, suspicious IP addresses or domains, altered registry keys or anomalous traffic patterns. Security teams use them to detect, investigate and contain incidents quickly.

ISO 27001

Compliance

ISO/IEC 27001 is the international standard for information security management systems (ISMS). It defines the requirements to identify risks, apply controls and continuously improve information protection. Certification demonstrates to customers and regulators that an organization manages security in a systematic way.

Malware

Threats

Malware (malicious software) is any program designed to damage, infiltrate or take control of a system without consent. It includes viruses, worms, trojans, spyware and ransomware. It is countered with a defense-in-depth strategy: endpoint protection, up-to-date patching, network segmentation and user awareness.

MFA

Multi-Factor Authentication

Identity

MFA (multi-factor authentication) is a security method that requires two or more proofs of identity to grant access: something the user knows (password), something they have (token or phone) and something they are (biometrics). It drastically reduces the risk of unauthorized access even if a password is stolen.

Microsegmentation

Architecture

Microsegmentation divides the network into very small, isolated zones, applying granular security policies to each workload or application. If an attacker compromises one segment, they cannot move laterally to the rest. It is a fundamental component of Zero Trust architectures.

MITRE ATT&CK

Operations

MITRE ATT&CK is a global, open knowledge base that catalogs the tactics, techniques and procedures (TTPs) used by real-world attackers. Security teams use it as a reference framework to map threats, assess detection coverage and strengthen their defenses in a structured way.

Least Privilege

Identity

The principle of Least Privilege states that every user, process or system should have only the permissions strictly necessary to perform its function, no more and no less. It limits the attack surface and contains damage if an account is compromised, and is a cornerstone of Zero Trust models.

NDR

Network Detection and Response

Networking

NDR (Network Detection and Response) is a technology that analyzes network traffic in real time using behavioral models and artificial intelligence to detect threats that evade traditional controls, such as lateral movement or exfiltration. It complements EDR and SIEM within a layered detection strategy.

NOC

Network Operations Center

Operations

A NOC (Network Operations Center) is the team responsible for monitoring, maintaining and optimizing the availability and performance of an organization's network infrastructure. While the SOC focuses on security, the NOC focuses on operational continuity and system health.

PAM

Privileged Access Management

Identity

PAM (Privileged Access Management) controls, monitors and protects accounts with elevated permissions —administrators, service accounts and root— which are the top target for attackers. It includes credential vaults, automatic password rotation, just-in-time access and recording of privileged sessions.

Patch Management

Operations

Patch Management is the process of identifying, testing and applying software updates to fix vulnerabilities and bugs before they are exploited. An agile, consistent patching program is one of the most effective and cost-efficient defenses against cyberattacks.

PCI DSS

Payment Card Industry Data Security Standard

Compliance

PCI DSS is the data security standard for the payment card industry. It sets mandatory requirements for any organization that stores, processes or transmits card data, in order to protect cardholder information and prevent fraud. Non-compliance leads to penalties and loss of trust.

Pentesting

Penetration Testing

Offensive Security

Pentesting (penetration testing) is a controlled security assessment in which specialists simulate real attacks to discover and exploit vulnerabilities before a malicious actor does. The result is a report with findings prioritized by risk and concrete remediation recommendations.

Phishing

Threats

Phishing is a social engineering technique in which an attacker impersonates a trusted entity —via email, SMS or call— to trick the victim into revealing credentials, financial data or system access. It is the most common initial vector in enterprise security breaches.

Ransomware

Threats

Ransomware is a type of malware that encrypts the victim's files or systems and demands a payment (ransom) to restore access. It usually spreads through phishing or unpatched vulnerabilities. The best defense combines immutable backups, endpoint protection and a tested disaster recovery plan.

Incident Response

Operations

Incident Response is the set of coordinated processes to detect, contain, eradicate and recover from a security incident while minimizing its impact. It follows defined phases —preparation, detection, containment, eradication, recovery and lessons learned— to restore operations quickly.

RPO / RTO

Recovery Point / Recovery Time Objective

Continuity

RPO (Recovery Point Objective) defines how much data an organization can afford to lose, measured as time since the last backup. RTO (Recovery Time Objective) defines how long it can take to restore a system after an incident. Together they set the goals of any continuity and recovery plan.

Sandbox

Architecture

A Sandbox is an isolated, controlled environment where suspicious files or programs are executed to analyze their behavior without putting real systems at risk. It is a key technique for detecting unknown malware and zero-day threats before they reach users.

SASE

Secure Access Service Edge

Networking

SASE (Secure Access Service Edge) is an architecture model that converges networking and security functions into a single cloud-delivered service. It combines SD-WAN with security such as firewall, CASB, Zero Trust and secure web gateway, protecting remote users regardless of their location.

SD-WAN

Software-Defined Wide Area Network

Networking

SD-WAN (software-defined wide area network) centrally manages and optimizes connectivity between sites through software, selecting in real time the best path for each application. It cuts costs versus MPLS links and, combined with security, is the foundation of SASE architectures.

SIEM

Security Information and Event Management

Operations

A SIEM (Security Information and Event Management) is a platform that collects, correlates and analyzes logs and events from across the infrastructure to detect suspicious activity and generate alerts. It is the central tool of a SOC for incident investigation and regulatory compliance.

Smishing / Vishing

Threats

Smishing and Vishing are phishing variants that change the channel: smishing uses SMS messages and vishing uses voice calls to trick the victim into revealing data or access. They exploit urgency and trust in these channels, often impersonating banks, technical support or official entities.

SOAR

Security Orchestration, Automation and Response

Operations

SOAR (Security Orchestration, Automation and Response) brings together tools that automate repetitive security operations center tasks through playbooks. It accelerates incident response, reduces alert fatigue and lets analysts focus on the threats that truly require human judgment.

SOC

Security Operations Center

Operations

A SOC (Security Operations Center) is a team and facility that monitors, detects and responds to cybersecurity incidents continuously, 24/7. It combines specialized analysts, defined processes and technology such as SIEM to protect an organization's infrastructure in real time.

SOC 2

System and Organization Controls 2

Compliance

SOC 2 is an audit framework that evaluates how an organization manages its customers' data according to five trust principles: security, availability, processing integrity, confidentiality and privacy. A SOC 2 report is highly valued by companies that contract cloud services or technology providers.

Social Engineering

Threats

Social Engineering is the psychological manipulation of people into revealing confidential information or performing actions that compromise security. It exploits trust, urgency or fear rather than technical flaws. Phishing, vishing and pretexting are its most common forms; awareness is the best defense.

Spear Phishing

Threats

Spear Phishing is a targeted, personalized phishing attack against a specific person or organization. Unlike mass phishing, the attacker researches the victim to craft highly convincing messages that impersonate trusted colleagues, bosses or suppliers, dramatically increasing the success rate.

SPF / DKIM / DMARC

Email Authentication

Threats

SPF, DKIM and DMARC are email authentication protocols that verify a message truly comes from the domain it claims to represent. SPF publishes which servers are authorized to send mail for the domain, DKIM cryptographically signs the message so tampering and forged senders can be detected, and DMARC defines what the receiver should do when those checks fail (monitor, quarantine or reject) and where to send reports. Together they prevent domain spoofing and phishing.

SSO

Single Sign-On

Identity

SSO (Single Sign-On) lets a user authenticate once to access multiple applications without re-entering credentials. It improves the experience and reduces the risk of weak or reused passwords. It is strengthened by combining it with multi-factor authentication (MFA) to validate identity before granting access.

Attack Surface

Offensive Security

The Attack Surface is the total set of points through which an attacker could try to enter or extract data from a system: exposed services, open ports, applications, accounts and APIs. Reducing and continuously monitoring it is key to lowering an organization's risk.

Supply Chain Attack

Threats

A Supply Chain Attack compromises an organization through a trusted third-party vendor, software or component. Instead of attacking head-on, the adversary infects a legitimate update or dependency, thereby reaching all of its customers, as seen in cases such as SolarWinds or MOVEit.

Threat Hunting

Operations

Threat Hunting is the proactive, human-led search for malicious activity that has evaded automated defenses. Instead of waiting for an alert, analysts form hypotheses and explore the data looking for hidden signs of compromise, reducing attacker dwell time.

Threat Intelligence

Operations

Threat Intelligence is evidence-based knowledge about existing or emerging threats: tactics, techniques, indicators of compromise and malicious actors. It enables organizations to anticipate attacks and make informed defense decisions, feeding SOC, SIEM and incident response teams.

VPN

Virtual Private Network

Networking

A VPN (Virtual Private Network) creates an encrypted tunnel between the user's device and the corporate network over the Internet, protecting the confidentiality of data in transit. It is key for secure remote work, although modern models evolve toward Zero Trust and SASE architectures that verify each access in a granular way.

WAF

Web Application Firewall

Networking

A WAF (Web Application Firewall) protects web applications and APIs by filtering and monitoring HTTP/HTTPS traffic. It blocks common attacks such as SQL injection, cross-site scripting (XSS) and other OWASP Top 10 categories, acting as a shield between Internet users and the application.

XDR

Extended Detection and Response

Endpoints

XDR (Extended Detection and Response) is a platform that unifies threat detection and response across multiple layers: endpoints, network, email, cloud and identities. It correlates signals from all these sources in a single console to identify complex attacks that would go unnoticed if analyzed in isolation.

Zero Trust

Architecture

Zero Trust is a security model based on the principle “never trust, always verify.” No user, device or application is granted access by default: every request is continuously authenticated, authorized and encrypted, regardless of whether it originates inside or outside the corporate network.

Zero-Day

Threats

A Zero-Day is a vulnerability unknown to the vendor for which no patch yet exists. Attackers exploit it before a fix is released, so traditional signature-based defenses cannot detect it. It is mitigated with sandboxing, EDR/XDR and behavior-based detection.