Hard2bit
Cybersecurity Glossary for Businesses

Clear definitions of key terms across security operations, compliance, resilience, cloud, identity, monitoring and incident response.

This glossary is designed as an evergreen editorial resource and a semantic SEO asset. It helps business leaders, technical teams and compliance stakeholders understand essential cybersecurity concepts without turning the page into an overlinked service directory.

Last reviewed: 2026-04-12 · 143 terms
A

Active Directory

Microsoft directory service used to manage users, groups, devices and policies.

Active Directory centralizes authentication, authorization and identity administration in Windows environments. If the directory is compromised, attackers may gain access to critical systems, elevated privileges and corporate services.

Aliases

ad

Adversary-in-the-Middle (AiTM)

Attack that sits between a user and a service to intercept credentials or session data.

AiTM commonly relies on malicious reverse proxies or intermediary pages to capture credentials, session cookies, tokens or MFA prompts and then reuse them against legitimate services.

Aliases

aitm · adversary in the middle

Allowlist

Explicit list of approved items such as applications, IP addresses, domains or identities.

An allowlist model starts from a deny-by-default posture and permits only what is necessary. In practice, it often gives organizations more control than models based only on blocking known bad items.

Aliases

whitelist

API

Interface that allows systems and applications to communicate with each other.

APIs exchange data and functions between applications. From a cybersecurity perspective, they should be protected with authentication, authorization, validation, logging and controls against abuse, data leakage and unnecessary exposure.

Aliases

application programming interface

APT (Advanced Persistent Threat)

Sophisticated threat actor or campaign that maintains long-term access for strategic objectives.

An APT usually combines stealth, persistence, lateral movement and data theft over an extended period. It is not just about malware; it is about a sustained operation with defined objectives and the ability to adapt over time.

Aliases

advanced persistent threat · apt

Asset

Anything of value to the organization that should be protected.

An asset can be information, a system, an application, a database, an identity, a business process, a supplier relationship or even the company’s reputation. In cybersecurity, identifying assets is the first step to prioritizing controls and risk decisions.

Attack Surface Management (ASM)

Discipline focused on discovering and controlling external exposure.

ASM identifies internet-exposed assets such as domains, subdomains, IP addresses, admin panels, cloud services and applications. It helps organizations detect unmanaged exposure before an attacker exploits it.

Aliases

asm

Authentication

Process used to verify that an identity is who it claims to be.

Authentication may rely on something a user knows, has or is. It is different from authorization: first the identity is verified, then the system decides what that identity is allowed to access.

Authorization

Process through which a system decides what resources an identity may access.

Authorization determines permissions, roles and access scope after successful authentication. Poor authorization can still create excessive access even when identity verification works correctly.

AV (Antivirus)

Tool designed to detect and block known malware and some malicious behaviors.

Traditional antivirus relies heavily on signatures and known patterns. It still has value, but in modern business environments it is usually not enough on its own and should be complemented with EDR, monitoring and additional controls.

Aliases

antivirus · av

Attack Surface

Set of potential entry points an attacker may try to exploit.

The attack surface includes domains, applications, ports, identities, devices, APIs, cloud services, suppliers and exposed configurations. Reducing it is a core preventive security measure.

S

SAML

Standard for exchanging authentication and authorization information.

SAML is widely used in federation and single sign-on between applications and identity providers. Correct configuration is essential for both security and access experience.

Aliases

security assertion markup language

Sandbox

Isolated environment used to execute, analyze or test suspicious items or controlled changes.

A sandbox allows organizations to observe the behavior of files, code or processes without exposing production systems directly, making it useful for investigation, testing and validation.

SBOM (Software Bill of Materials)

Structured inventory of the components and dependencies in an application.

An SBOM improves visibility over libraries, versions, dependencies and exposure to known vulnerabilities across the software supply chain.

Aliases

software bill of materials

SCA (Software Composition Analysis)

Analysis of software dependencies and components to identify risk and vulnerabilities.

SCA helps identify vulnerable libraries, outdated dependencies, license issues and risk exposure in modern applications.

Aliases

software composition analysis

SCADA

Supervisory control system used in industrial and infrastructure environments.

SCADA enables the monitoring and control of distributed industrial processes. Its security requires a dedicated approach because of operational impact, availability requirements and IT/OT convergence.

Aliases

supervisory control and data acquisition

Secrets Management

Discipline used to protect technical passwords, tokens, certificates and service keys.

Secrets management helps prevent sensitive credentials from being exposed in code, scripts, pipelines or configuration files, while also supporting rotation, control and auditability.

Security Audit

Technical and organizational review of the real state of security.

A security audit evaluates controls, configurations, exposure and processes in order to identify gaps and prioritize improvements. It may focus on infrastructure, cloud, Microsoft 365, networks, compliance or overall security posture.

Security Breach

Incident that compromises the confidentiality, integrity or availability of information or services.

A breach may involve unauthorized access, data leakage, manipulation of information or service disruption. Its impact depends on the affected assets, the speed of detection and the response capability in place.

Security Governance

Set of decisions, responsibilities and oversight mechanisms used to direct security.

Security governance defines who decides, who approves, what is measured, how it is reported and how security is integrated with business, IT, risk, continuity and compliance.

Security Posture

Real state of an organization’s maturity, exposure and control environment.

Security posture includes configurations, processes, detection capability, governance, continuity, identity and exposure. It is broader than a simple inventory of tools.

Segregation of Duties

Principle that critical tasks should be distributed across different people or roles.

Segregation of duties reduces fraud, mistakes and privilege abuse by ensuring that a single identity cannot control sensitive processes end to end.

Aliases

sod

Shadow IT

Use of technology, apps or services not formally approved by the organization.

Shadow IT increases exposure, complicates compliance and reduces visibility over data, access, third parties and real operational configurations.

SIEM (Security Information and Event Management)

Platform that centralizes, correlates and analyzes security events.

A SIEM collects logs from systems, identity platforms, networks, endpoints, cloud services and applications to generate visibility, rules and alerts. It is an important building block inside a SOC, but it is not a response capability by itself.

Aliases

security information and event management

Single Sign-On (SSO)

Mechanism that allows users to authenticate once and access multiple services.

SSO improves user experience and centralized access control, but it also makes the identity system a critical point of security and availability.

Aliases

single sign on

Smishing

Phishing attack delivered through SMS or mobile messaging.

Smishing attempts to induce clicks, credential theft, MFA code disclosure or malware installation through messages that appear legitimate.

SOAR

Capability used to orchestrate, automate and coordinate security response workflows.

SOAR connects tools, playbooks and workflows to accelerate repetitive tasks, enrich alerts and reduce operating time in security operations and incident response.

Aliases

security orchestration automation and response

SOC (Security Operations Center)

Function or service dedicated to monitoring, detecting and investigating threats.

A SOC combines people, processes, technology and reporting to operate defense continuously. It may be internal or managed and often relies on SIEM, EDR/XDR and intelligence capabilities.

Aliases

security operations center

Social Engineering

Manipulation techniques used to obtain information, access or unauthorized actions.

Social engineering exploits trust, urgency, authority or lack of knowledge to obtain credentials, payments, access or sensitive information. It includes phishing, vishing, smishing and impersonation.

Spoofing

Technical or visual impersonation of a source, system or sender.

Spoofing can affect email, DNS, IP addresses, domains or interfaces in order to deceive users or systems and enable fraud, phishing or unauthorized access.

Spyware

Malicious software designed to spy on activity or capture information.

Spyware may record keystrokes, capture screens, monitor browsing or extract data without the user’s knowledge.

SSPR (Self-Service Password Reset)

Mechanism that allows users to reset credentials without manual helpdesk intervention.

SSPR improves efficiency, but it must be configured with strong verification controls so that it does not become an account takeover path.

Aliases

self service password reset

B

Backup

Copy of data, configurations or systems created to support recovery.

A backup protects against accidental deletion, corruption, technical failure or ransomware. It should be designed with appropriate frequency, validation, tamper protection and regular restore testing.

Bastion Host

Hardened system used as a controlled entry point for administrative access to sensitive environments.

A bastion host centralizes privileged access and improves traceability, session control, segmentation and the reduction of direct exposure on critical servers.

Aliases

jump server

BCP (Business Continuity Plan)

Plan designed to keep critical business processes operating during disruption.

A BCP defines how the organization will continue delivering essential services during a crisis. It includes people, processes, communication, suppliers, locations and IT dependencies.

Aliases

business continuity plan

BIA (Business Impact Analysis)

Analysis used to identify business criticality and tolerance to disruption.

A BIA quantifies the impact of interruptions on processes, services and resources. It is used to define priorities, tolerable downtime and recovery targets such as RTO and RPO.

Aliases

business impact analysis

Blue Team

Defensive function responsible for detection, containment and security improvement.

Blue Team work typically includes monitoring, detection, incident response, hardening, threat hunting and continuous improvement. The goal is to reduce exposure and increase defensive effectiveness.

Botnet

Network of compromised systems controlled by an attacker.

A botnet can include endpoints, servers or IoT devices and may be used for distributed attacks, spam, fraud, illicit mining or malware propagation.

Brute Force Attack

Repeated attempt to guess credentials or keys by trying many combinations.

Brute force attacks try to gain access to accounts, systems or services through automated password or key guessing. They are mitigated by MFA, smart lockout, rate limiting and strong credentials.

Aliases

brute force

Bug Bounty

Program through which external researchers report vulnerabilities in exchange for recognition or rewards.

A well-structured bug bounty program can expand vulnerability discovery coverage, but it requires a defined scope, clear rules, triage capacity and remediation ownership.

BYOD (Bring Your Own Device)

Model in which staff use personal devices to access business resources.

BYOD offers flexibility, but it also complicates security control, data separation, compliance, remote wipe capability and the governance of identities and applications.

Aliases

bring your own device

C

C2 (Command and Control)

Channel used by an attacker to communicate with compromised systems and issue instructions.

C2 infrastructure enables malware downloads, lateral movement, persistence and exfiltration. Detecting it typically requires visibility across network, endpoints and anomalous behavior patterns.

Aliases

command and control · c2

CASB

Control layer that provides visibility and policy enforcement over cloud services.

A CASB helps organizations discover SaaS usage, apply access and data protection policies, reinforce compliance and reduce risk in approved and unapproved cloud services.

Aliases

cloud access security broker

Certificate

Electronic document that binds an identity to a public key.

Digital certificates are used to authenticate websites, users, devices or services and to support encryption, digital signatures and trust between systems.

Aliases

digital certificate

Change Management

Process used to control changes in systems, services or configurations.

Change management reduces operational and security risk by establishing review, approval, traceability, testing and rollback planning before production changes are introduced.

CI/CD

Set of processes and tooling used to integrate, test and deploy software changes continuously.

From a security standpoint, CI/CD pipelines must protect secrets, dependencies, runners, build artifacts and approval workflows to avoid software supply chain compromise.

Aliases

continuous integration · continuous delivery · continuous deployment

Cloud Security

Set of controls and practices used to protect cloud environments.

Cloud security covers identities, permissions, configuration, encryption, public exposure, logging, segmentation, resilience and control of services deployed in public or hybrid cloud environments.

CNAPP

Unified approach for protecting cloud-native applications and workloads.

CNAPP combines capabilities such as CSPM, CWPP, cloud identity analysis and risk prioritization to improve visibility and protection across modern cloud environments.

Aliases

cloud native application protection platform

Compensating Control

Alternative measure used to reduce risk when the ideal control cannot yet be implemented.

A compensating control does not remove the original requirement, but it allows the organization to manage risk in a reasonable way while technical, operational or temporary constraints are addressed.

Compliance

Activities aimed at meeting legal, regulatory, contractual and standards-based requirements.

In cybersecurity, compliance translates obligations into controls, owners, evidence, reviews and traceability. It should be grounded in real operating practices rather than existing only as documentation.

Aliases

regulatory compliance

Confidentiality

Property that ensures information is accessible only to authorized parties.

Confidentiality protects data, communications and evidence against unauthorized access. It is one of the classic pillars of information security alongside integrity and availability.

Container

Lightweight deployment unit that packages an application and its dependencies.

Containers improve portability and deployment speed, but they still require controls around images, configuration, secrets, permissions, isolation and monitoring.

Control Access

Mechanism used to limit who can access which resource and under what conditions.

Access control combines identity, authentication, authorization, context and policy rules to reduce exposure and apply least privilege to systems, data and services.

Aliases

access control

Credential Compromise

Theft or misuse of valid credentials by an attacker.

Credential compromise gives attackers access that may appear legitimate, which makes detection harder and often accelerates lateral movement, fraud and data exfiltration.

CSIRT

Specialized team responsible for coordinating and managing security incidents.

A CSIRT may be internal or external and usually handles analysis, coordination, containment, communication and lessons learned during significant incidents.

Aliases

computer security incident response team

CSPM

Capability used to assess and correct insecure cloud configurations.

CSPM helps identify excessive permissions, exposed storage, weak settings and deviations from cloud security best practices.

Aliases

cloud security posture management

CVE

Public identifier assigned to a known vulnerability.

CVE provides a standardized way to reference software and system vulnerabilities, making analysis, tracking, prioritization and remediation easier.

Aliases

common vulnerabilities and exposures

CVSS

Scoring system used to estimate the technical severity of vulnerabilities.

CVSS helps classify the technical severity of a vulnerability, but it does not replace business context, real exposure or asset criticality when setting remediation priorities.

Aliases

common vulnerability scoring system

CWE

Standardized classification of software and design weakness types.

CWE does not identify individual vulnerabilities like CVE. Instead, it describes categories of common errors such as poor input validation, broken access control or information exposure.

Aliases

common weakness enumeration

CWPP

Set of protections focused on cloud workloads.

CWPP focuses on servers, virtual machines, containers and other workloads, providing visibility, hardening, detection and runtime protection.

Aliases

cloud workload protection platform

Cyber Threat

Risk source or actor capable of causing harm to digital assets.

A cyber threat can be a malicious actor, a campaign, a technique, malware or even a human error that puts confidentiality, integrity or availability at risk.

D

Data Exfiltration

Unauthorized transfer of sensitive information outside the controlled environment.

Data exfiltration can happen through malware, insider abuse, weak configurations, compromised credentials or uncontrolled channels. It directly affects confidentiality, compliance and reputation.

Data Leak

Unauthorized loss or exposure of sensitive information.

A data leak may originate in human error, incorrect configurations, exposed services, suppliers, malware or insider misuse. It does not always require a sophisticated intrusion.

Detection Engineering

Discipline focused on designing, testing and improving detection logic and rules.

Detection engineering turns threat intelligence, TTPs and analytical hypotheses into useful rules, correlations, alerts and validation processes, with the goal of reducing noise and improving actionable detection.

DevSecOps

Approach that integrates security into development, operations and continuous delivery.

DevSecOps aims to introduce security early through code review, dependency analysis, secrets management, infrastructure-as-code checks and deployment controls.

Digital Forensics

Discipline that preserves, analyzes and interprets digital evidence.

Digital forensics helps reconstruct what happened, when it happened, how the attacker gained access, what systems were affected and what evidence supports the investigation. It must preserve integrity and traceability.

Disaster Recovery Plan (DRP)

Recovery plan focused on restoring systems, data and IT infrastructure after disruption.

A DRP defines how technology services will be restored after events such as ransomware, datacenter failure, cloud outages or data corruption. It includes priorities, runbooks, backups, failover and RTO/RPO targets.

Aliases

drp · disaster recovery plan

DLP (Data Loss Prevention)

Set of controls used to prevent unauthorized data leakage or transfer.

DLP helps detect and block the movement of sensitive information through email, web, endpoints, storage systems or cloud services. It typically combines classification, policy logic, inspection and logging.

Aliases

data loss prevention

DNS

System that translates domain names into IP addresses.

DNS is essential for the operation of networked services. DNS failure, hijacking or manipulation can cause outages, malicious redirection or loss of control over websites and applications.

Aliases

domain name system

DORA

EU regulation on digital operational resilience for financial entities and parts of their ICT ecosystem.

DORA requires ICT risk governance, incident management, operational resilience, testing and third-party oversight. It primarily affects financial entities, but it also has implications for their technology providers.

Aliases

digital operational resilience act

Double Extortion

Ransomware model in which data is encrypted and the victim is also threatened with publication.

Double extortion increases pressure on the victim by combining business disruption with reputational, contractual and regulatory risk related to data exposure.

E

EASM (External Attack Surface Management)

Specific view of the external attack surface exposed to the internet.

EASM focuses on discovering and monitoring public assets, forgotten exposure, cloud services, domains and configurations that are accessible from outside the organization.

Aliases

external attack surface management

EDR (Endpoint Detection and Response)

Technology focused on detecting and responding to suspicious activity on endpoints.

EDR monitors processes, memory, behavior and system events on endpoints and servers to identify malicious activity and support investigation and containment.

Aliases

endpoint detection and response

EMM

Enterprise management of mobile devices, apps and policy controls.

EMM helps manage corporate or mixed-use mobile devices by applying security policies, remote wipe, app control and compliance requirements.

Aliases

enterprise mobility management

Endpoint

End-user or server device connected to the network.

Endpoints are a key point of exposure because they host users, applications and active sessions. Protection often combines hardening, EDR, encryption, inventory and access control.

ENS (Spanish National Security Framework)

Spanish security framework applicable to the public sector and many of its suppliers.

ENS establishes principles, requirements and measures to protect systems and services linked to the Spanish public sector. It requires controls, risk analysis, system categorization and verifiable evidence.

Aliases

ens · esquema nacional de seguridad

Entra ID

Microsoft identity and access service for cloud and Microsoft 365 environments.

Entra ID centralizes authentication, conditional access, federation, MFA and identity governance. It is a critical security component in Microsoft 365 and hybrid cloud environments.

Aliases

azure ad · azure active directory

Ethical Hacking

Authorized practice of assessing systems and applications through controlled attack techniques.

Ethical hacking aims to uncover weaknesses before real attackers do. It may include applications, APIs, networks, identity, cloud or more advanced adversary simulation exercises.

Exploitation

Successful use of a vulnerability or weakness to achieve an objective.

Not every vulnerability is exploited. Exploitation means the actor has actually leveraged that weakness to gain access, execute code, escalate privileges or impact the target asset.

Exposure

Degree to which an asset is visible or reachable by threats.

Exposure describes how accessible a system, identity, service or dataset is to an attacker. Not every vulnerability has the same exposure or real risk level.

F

False Positive

Alert or finding that appears to indicate a real issue but turns out not to be one.

False positives consume operational time and reduce trust in alerts. Lowering them is a key priority in SOC operations, SIEM tuning, MDR workflows and vulnerability management.

Federated Identity

Model in which an identity validated by one provider is trusted by multiple services.

Federation reduces credential sprawl and improves access governance, but it also concentrates risk in the identity provider and in the correct configuration of trust relationships.

Aliases

identity federation

Firewall

Security control that filters network traffic according to defined rules.

A firewall allows or blocks communication between networks, systems, services or zones. It may exist at the perimeter, in the cloud, on the host or internally, and is often paired with segmentation and monitoring.

H

Hardening

Process of reinforcing configurations to reduce attack surface and unnecessary exposure.

Hardening includes removing unused services, strengthening authentication, adjusting permissions, limiting exposure, reviewing default settings and applying good practices across systems, cloud, identity and applications.

Hash

Short value generated from content by a cryptographic function.

Hashes are used to verify integrity, store passwords in derived form and compare artifacts. Even a small change in the source content produces a different hash value.

Aliases

digest

Honeypot

Decoy resource designed to attract, detect or study malicious activity.

A honeypot may simulate vulnerable services or systems in order to gather information about attackers, tactics or unauthorized reconnaissance. It must be deployed carefully so that it does not introduce unnecessary risk.

I

IAM (Identity and Access Management)

Processes and technologies used to manage identities, authentication and authorization.

IAM aims to ensure that each user or system has only the access it needs, with appropriate controls, throughout its lifecycle. It is central to cloud, Microsoft 365, Zero Trust and compliance programs.

Aliases

identity and access management

ICS

Industrial control systems used in plant operations, energy, water or manufacturing.

ICS environments manage physical and operational processes. Their security differs from traditional IT because of stricter availability requirements, physical safety concerns, legacy systems and OT dependencies.

Aliases

industrial control systems

Identity Governance and Administration (IGA)

Processes used to govern joiners, leavers, access reviews and segregation of duties.

IGA helps control the identity lifecycle, access certifications, segregation conflicts and traceability over who has access and why.

Aliases

identity governance and administration

Indicators of Attack (IoA)

Behavior-based signals that may indicate an attack sequence.

Unlike IoCs, IoAs focus on suspicious actions or behavioral patterns such as credential abuse, lateral movement or persistence, even when no known malicious artifact exists yet.

Aliases

ioa · indicator of attack

Indicators of Compromise (IoC)

Observable evidence linked to malicious activity, such as hashes, IPs or domains.

IoCs help detect known incidents or campaigns, search for traces across systems and enrich monitoring. They are useful, but they do not replace behavior-based detection.

Aliases

ioc · indicator of compromise

Integrity

Property that ensures information has not been altered improperly.

Integrity is one of the core security principles. It ensures that data, logs, configurations and evidence remain correct, complete and free from unauthorized modification.

Inventory

Structured record of relevant organizational assets.

An asset inventory helps the organization understand what must be protected, where it is, who owns it and how critical it is. Without inventory, security becomes reactive and incomplete.

Aliases

asset inventory

IPS

System that detects and automatically blocks certain categories of malicious traffic.

An IPS analyzes communications in real time to identify attack patterns or anomalous behavior and take blocking or containment actions.

Aliases

intrusion prevention system

ISO 22301

International standard for business continuity management systems.

ISO 22301 structures how organizations plan, implement, test and improve business continuity. It is one of the most solid frameworks for BCP, DRP, exercises and resilience evidence.

ISO 27001

International standard for implementing and auditing an information security management system.

ISO 27001 structures governance, risk assessment, controls, responsibilities, evidence and continual improvement. It is not only a certification target; it is a management framework for running security in an orderly and auditable way.

K

Kill Chain

Model that describes attack stages from preparation to final objective.

The kill chain helps organizations understand where an attack can be interrupted: reconnaissance, initial access, execution, persistence, privilege escalation or exfiltration, depending on the model being used.

L

Least Privilege

Principle that each identity should have only the permissions strictly required.

Applying least privilege reduces the impact of compromised credentials, human error and lateral movement. It is especially important for administrators, cloud identities, directory services and service accounts.

Aliases

minimum privilege

Log

Record of events generated by systems, applications, networks or services.

Logs help organizations understand what happened, when and where. They are essential for monitoring, auditing, detection, troubleshooting, compliance and forensic analysis.

Aliases

event log

M

Malware

Software designed to damage, spy on, encrypt, alter or compromise systems.

Malware is a broad category that includes ransomware, trojans, spyware, rootkits, downloaders and many other types of malicious code depending on the attacker’s objective.

MDM

Centralized management of enterprise mobile devices.

MDM enables the application of security policy, encryption, inventory, remote wipe and configuration control over mobile devices used by the organization.

Aliases

mobile device management

MDR (Managed Detection and Response)

Managed service that combines technology and analysts for detection and response.

MDR provides operational capacity to detect suspicious activity, investigate alerts, escalate incidents and respond according to agreed procedures. It usually relies on EDR/XDR, SIEM and threat intelligence.

Aliases

managed detection and response

Microsegmentation

Fine-grained segmentation technique used to isolate workloads, services or zones.

Microsegmentation limits lateral movement and unnecessary communications by applying precise rules between systems, applications or asset groups.

Microsoft 365 Security

Security controls and improvements applicable to Microsoft 365, Entra ID, Exchange, Teams and related services.

This area includes identity, MFA, conditional access, hardening, Defender, mail security, sharing settings, permissions, data protection and tenant posture. It is one of the most operationally relevant business security domains.

Aliases

m365 security

MITRE ATT&CK

Knowledge base that classifies attacker tactics and techniques.

MITRE ATT&CK helps teams map real offensive behaviors and evaluate defensive coverage, detections, hunting hypotheses and control validation.

N

NDR (Network Detection and Response)

Detection and response capability based on network traffic and behavior.

NDR helps identify anomalous traffic patterns, suspicious communications, lateral movement and command-and-control activity using network telemetry and behavioral analysis.

Aliases

network detection and response

NIS2

EU directive that raises cybersecurity, governance and notification requirements.

NIS2 requires many organizations to implement security, continuity, third-party management, response and governance measures. It also increases management accountability and evidence expectations.

O

OAuth 2.0

Authorization framework that allows one application to access another service on behalf of a user.

OAuth is widely used in SaaS integrations, apps and APIs. Poor implementation or excessive consent grants can create significant identity and access risk.

Aliases

oauth

OpenID Connect (OIDC)

Identity layer built on top of OAuth 2.0.

OIDC enables federated authentication and the secure transfer of identity information between applications and identity providers.

Aliases

openid connect · oidc

OSINT

Collection and analysis of information from public sources.

OSINT can support defensive research, exposure analysis, threat intelligence or offensive reconnaissance, depending on how it is used.

Aliases

open source intelligence

OT (Operational Technology)

Technology that monitors or controls physical and operational processes.

OT includes industrial automation, control and supervisory systems. Its security priorities tend to focus on availability and physical safety rather than confidentiality alone.

Aliases

operational technology

P

PAM (Privileged Access Management)

Controls used to manage, restrict and supervise privileged access.

PAM reduces the risk associated with administrators, root accounts, emergency access and other critical privileges by using vaulting, rotation, session control, approvals and traceability.

Aliases

privileged access management

Pass-the-Hash

Technique that reuses authentication hashes to move across systems without knowing the clear-text password.

Pass-the-Hash is especially relevant in compromised Windows environments and illustrates why credentials, segmentation and privilege protection are so important.

Patching

Process of applying updates to fix vulnerabilities or defects.

Patching reduces exposure to known flaws, but it should be prioritized according to criticality, known exploitation, dependencies and operational risk rather than treated as a purely administrative task.

Pentesting

Authorized technical assessment that attempts to exploit weaknesses to measure real exposure.

A pentest validates weaknesses in applications, APIs, networks, cloud environments or identity layers in order to understand the real impact of exploitation. It should end with prioritized remediation and, when useful, revalidation.

Aliases

pentest · penetration testing

Persistence

Techniques used to maintain access to a compromised system over time.

Persistence may rely on scheduled tasks, services, registry keys, hidden accounts, web shells or equivalent mechanisms that allow the attacker to return after reboot or partial cleanup.

Phishing

Deception technique designed to steal credentials or trigger unauthorized actions.

Phishing most often arrives by email, but it may also use SMS, voice calls or fake websites. It exploits urgency, trust or context to obtain initial access or sensitive information.

Proxy

Intermediary between a user or system and another network service.

A proxy can be used for traffic filtering, connection inspection, policy enforcement, origin hiding or performance improvement. It can also be abused by attackers to anonymize or redirect malicious activity.

R

RACI

Responsibility model used to clarify who executes, approves, is consulted or informed.

RACI is commonly used in governance, continuity, incident response and compliance to reduce ambiguity and make ownership explicit.

Ransomware

Attack that encrypts, blocks or exfiltrates information to demand payment.

Modern ransomware often goes beyond encryption and includes data theft, extortion, lateral movement, identity abuse and backup destruction. Its impact extends to continuity, reputation, compliance and business operations.

Red Team

Advanced exercise that simulates a realistic adversary to measure detection and defensive resilience.

Unlike a traditional pentest, a Red Team exercise is designed to validate how well the organization can detect, contain and respond to an adversary using realistic tactics, stealth and objectives.

Response Playbook

Step-by-step operational guide for handling a specific type of incident.

A playbook defines activation criteria, roles, decisions, actions, evidence, communications and closure steps for scenarios such as phishing, ransomware or cloud compromise.

Risk Assessment

Process used to identify threats, vulnerabilities, impact and likelihood.

Risk assessment helps organizations understand which scenarios may affect them, what impact those scenarios would have and which measures should be prioritized. It is a core element of frameworks such as ISO 27001, ENS, NIS2 and DORA.

Rootkit

Malware designed to hide its presence and maintain privileged access.

A rootkit attempts to make compromise harder to detect by altering system behavior, processes or visibility tools.

RPO (Recovery Point Objective)

Maximum acceptable data loss measured in time.

RPO indicates how much data can be lost after an incident. It depends on service criticality, backup frequency, replication design and real technical recovery capability.

Aliases

recovery point objective

RTO (Recovery Time Objective)

Maximum tolerable time to restore a service after interruption.

RTO defines how quickly a system, process or service must be restored. It should be based on business impact, technology dependency and real recovery capability rather than intuition.

Aliases

recovery time objective

Runbook

Detailed operational procedure for executing a recovery or technical action.

A runbook describes steps, prerequisites, validations, dependencies and responsibilities for executing critical tasks under pressure, such as restoring a service or containing an incident.

T

Tabletop Exercise

Scenario-based exercise used to validate decisions, roles and plans during a crisis.

A tabletop exercise usually does not involve live systems, but it is highly effective for testing governance, escalation, responsibilities, decision speed and cross-team coordination against a plausible scenario.

Aliases

tabletop

Threat Hunting

Proactive search for malicious or anomalous activity that may have evaded automated controls.

Threat hunting starts from hypotheses, weak signals or suspicious behavior to investigate potential compromise that does not necessarily generate a clear alert.

Aliases

hunting

TLPT (Threat-Led Penetration Testing)

Advanced testing approach driven by threat intelligence.

TLPT goes beyond traditional pentesting by using scenarios, techniques and objectives based on plausible threats in order to measure detection, response and defensive resilience.

Aliases

threat led penetration testing · tlpt

Token

Digital element used to authenticate, authorize or represent a session or permission.

Tokens may provide access to applications, APIs or sessions without requiring a password on each request. For that reason, they should be treated as sensitive credentials.

Traceability

Ability to reconstruct relevant actions, changes and events.

Traceability makes it possible to understand what happened, who did what, when and on which asset. It is essential for auditing, compliance, investigation and internal control.

TTP

Tactics, techniques and procedures used by threat actors.

TTPs describe how attackers operate rather than focusing only on isolated artifacts. They are highly useful for detection, intelligence and defensive validation.

Aliases

tactics techniques and procedures

U

UEBA

Behavior analytics used to detect anomalies in users and entities.

UEBA helps identify deviations from normal behavior, such as unusual access patterns, privilege misuse or atypical account and system activity.

Aliases

user and entity behavior analytics

V

vCISO (Virtual CISO)

On-demand cybersecurity leadership service.

A vCISO helps prioritize risks, define roadmaps, establish KPIs, coordinate providers, support steering committees and translate cybersecurity into business decisions without requiring a full-time in-house CISO.

Aliases

virtual ciso

Vishing

Social engineering attack carried out by voice call.

In vishing, the attacker impersonates a supplier, bank, support team or executive in order to obtain credentials, codes, payments or urgent unauthorized actions.

VPN

Encrypted channel connecting users or locations to a private network.

VPNs enable protected remote access, but they should be designed with strong authentication, segmentation and privilege control so they do not become overly broad access paths.

Aliases

virtual private network

Vulnerability

Exploitable weakness in a system, application, configuration or process.

A vulnerability may enable unauthorized access, code execution, privilege escalation, data exposure or service disruption. Its real criticality depends on context, exposure and exploitation feasibility.

Vulnerability Management

Continuous process of discovering, prioritizing, remediating and validating vulnerabilities.

Vulnerability management is not just scanning. It connects findings to asset criticality, business context, exposure and remediation capacity in order to reduce real-world risk.

W

WAF (Web Application Firewall)

Control designed to filter and protect HTTP/HTTPS traffic toward web applications.

A WAF helps mitigate common web attacks such as injection, automated exploitation or abusive parameter use. It does not replace secure development or pentesting.

Aliases

web application firewall

Whaling

Type of phishing targeting senior executives or financial decision-makers.

Whaling uses highly contextualized pretexts to trick high-value targets into approving payments, disclosing credentials or authorizing critical actions.

X

XDR (Extended Detection and Response)

Approach or technology that extends detection and response across multiple security layers.

XDR correlates events from endpoints, identity, email, network, cloud and other controls to improve visibility, detection and response. Its value depends heavily on integration quality and the operating model around it.

Aliases

extended detection and response

Z

Zero Trust

Security model based on not trusting users, devices or networks by default.

Zero Trust emphasizes continuous verification, identity, context, segmentation, least privilege and adaptive access control. It is not a single product, but an architecture and operating approach.

Frequently asked questions

Common business cybersecurity questions

This section supports comparison-style searches and informational queries without taking focus away from the glossary’s main purpose: helping users find and understand terms quickly.

Why does a business need a cybersecurity glossary?

A business glossary creates shared language across leadership, IT, compliance, operations and external providers. It reduces misunderstandings, speeds up decision-making and helps teams interpret risks, controls, services and regulatory obligations more consistently.

What is the difference between SOC, SIEM and MDR?

A SOC is the security operations function or service. A SIEM is the platform that centralizes and correlates security events. MDR is a managed detection and response service that combines technology and analysts to run detection and response operations on an ongoing basis.

Are pentesting and Red Team exercises the same thing?

No. Pentesting validates vulnerabilities and real-world exposure within a defined scope. A Red Team exercise simulates a realistic adversary to measure detection, response and defensive resilience more broadly.

What is the difference between BCP, DRP, RTO and RPO?

BCP is the business continuity plan. DRP is the disaster recovery plan focused on systems and IT recovery. RTO defines the maximum acceptable recovery time for a service, while RPO defines the maximum acceptable data loss measured in time.

Why are terms such as NIS2, DORA, ENS and ISO 27001 included in this glossary?

Because business cybersecurity is not only about technology. Regulatory obligations, management frameworks, evidence requirements and governance responsibilities directly influence controls, processes, priorities and operating models.

Should every glossary entry link to a commercial service page?

No. Internal links should only appear when there is a clear and useful relationship for the reader. Overlinking hurts readability, dilutes informational intent and makes the glossary feel like a sales page instead of a reference resource.