Precursor Security
Security Terms & Definitions

Cyber Security Glossary

Clear definitions of penetration testing concepts, compliance standards, threat intelligence, and security terminology, written by CREST-certified professionals for technical practitioners and non-technical stakeholders alike.

39 Key Terms
Expert Definitions
A–Z Navigation
Free Access

Glossary Categories

Comprehensive coverage of penetration testing, compliance frameworks, threat intelligence, and security architecture terminology.

Penetration Testing Terminology

Definitions of penetration testing concepts: red team vs blue team, vulnerability assessment vs penetration test, CVSS scoring, exploit vs proof-of-concept, privilege escalation, lateral movement, persistence mechanisms, and common attack techniques (SQLi, XSS, SSRF, RCE).

Compliance Frameworks & Standards

Definitions of major compliance frameworks: GDPR, PCI DSS, ISO 27001, NIST, Cyber Essentials, DORA, and industry-specific regulations relevant to UK organisations in financial services, healthcare, government, and critical infrastructure.

Threat Intelligence & Incident Response

Threat intelligence concepts: indicators of compromise (IOCs), tactics, techniques, and procedures (TTPs), advanced persistent threats (APTs), incident response lifecycle, and the SIEM/SOAR technologies that power detection and containment.

Security Architecture & Controls

Security architecture terms: defence in depth, zero trust architecture, least privilege, network segmentation, DMZ design, IDS/IPS, web application firewalls (WAF), endpoint detection and response (EDR), and identity and access management (IAM).

Glossary of Key Cyber Security Terms

39 essential terms defined by CREST-certified security professionals, organised A–Z.

A

Active Directory

Microsoft's directory service for Windows domain networks that manages authentication, authorisation, and resource access for users, computers, and services. Active Directory is a primary target for attackers because compromising it grants access to the entire network. Common attacks include Kerberoasting, Golden Ticket, DCSync, and pass-the-hash.

B

Blue Team

The defensive security team responsible for detecting, responding to, and mitigating cyber threats. Blue teams operate Security Operations Centres (SOCs), manage SIEM platforms, develop detection rules, perform threat hunting, and coordinate incident response. Their effectiveness is often tested through red team exercises.

C

CREST

An international not-for-profit accreditation and certification body for the cyber security industry, recognised by the UK government and NCSC. CREST accredits organisations (penetration testing firms, SOC providers) and certifies individual practitioners through rigorous technical examinations. CREST accreditation provides independent assurance of quality and competence.

CVE (Common Vulnerabilities and Exposures)

A standardised identifier system for publicly known vulnerabilities. Each CVE entry (e.g., CVE-2024-12345) provides a unique reference number, description, and references to advisories and patches. CVEs are assigned by CVE Numbering Authorities (CNAs) and catalogued by NIST in the National Vulnerability Database (NVD).

CVSS (Common Vulnerability Scoring System)

A standardised framework for rating the severity of security vulnerabilities on a scale of 0.0 to 10.0. CVSS scores consider attack vector, complexity, privileges required, user interaction, and impact to confidentiality, integrity, and availability. Scores classify as Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9), or Critical (9.0–10.0).

Cyber Essentials

A UK government-backed certification scheme that helps organisations protect against the most common cyber threats. Cyber Essentials covers five technical controls: firewalls, secure configuration, user access control, malware protection, and patch management. It is required for many UK government contracts and provides a baseline for cyber hygiene.

D

DDoS (Distributed Denial of Service)

An attack that overwhelms a target system, network, or service with traffic from multiple distributed sources, rendering it unavailable to legitimate users. DDoS attacks can target bandwidth (volumetric), server resources (protocol attacks), or the application layer (HTTP floods). Mitigation requires traffic scrubbing, rate limiting, and CDN-based protection.

Digital Forensics

The collection, preservation, analysis, and presentation of digital evidence following a cyber security incident. Digital forensics covers disk forensics, memory forensics, network forensics, mobile device forensics, and cloud forensics. Evidence handling follows chain-of-custody procedures to maintain admissibility in legal proceedings.

DORA (Digital Operational Resilience Act)

An EU regulation requiring financial services entities to implement comprehensive ICT risk management frameworks. DORA mandates incident reporting, digital operational resilience testing (including threat-led penetration testing), third-party risk management for critical ICT providers, and information sharing on cyber threats across the financial sector.

E

EDR (Endpoint Detection and Response)

Security software deployed on endpoints (laptops, servers, mobile devices) that continuously monitors for suspicious activity, records telemetry, and enables rapid investigation and response. EDR tools detect malware, fileless attacks, and lateral movement by analysing process execution, file changes, network connections, and registry modifications.

Exploit

A piece of code, technique, or sequence of commands that takes advantage of a vulnerability to achieve an unintended outcome, such as gaining unauthorised access, executing arbitrary code, or escalating privileges. Exploits can be publicly available (proof-of-concept), weaponised in exploit kits, or privately developed by threat actors.

G

GDPR (General Data Protection Regulation)

The EU and UK regulation governing the processing of personal data. GDPR establishes rights for data subjects (access, erasure, portability), obligations for data controllers and processors (lawful basis, security measures, breach notification within 72 hours), and enforcement powers including fines of up to 4% of global annual turnover.

I

Incident Response

The structured approach to detecting, containing, eradicating, and recovering from cyber security incidents. Incident response follows established frameworks (NIST SP 800-61, SANS): preparation, identification, containment, eradication, recovery, and lessons learned. Effective incident response minimises business impact and reduces recovery time.

ISO 27001

The international standard for information security management systems (ISMS). ISO 27001 provides a systematic framework for managing sensitive company information, covering risk assessment, security controls (Annex A), continuous improvement, and management accountability. Certification is achieved through independent audit by accredited certification bodies.

K

Kill Chain

A model describing the stages of a cyber attack, originally developed by Lockheed Martin. The seven stages are: reconnaissance, weaponisation, delivery, exploitation, installation, command and control (C2), and actions on objectives. Understanding the kill chain helps defenders identify and disrupt attacks at each stage before the attacker achieves their goal.

L

Lateral Movement

The technique of moving through a compromised network from an initial foothold to access additional systems, data, and higher-privilege accounts. Attackers use stolen credentials, pass-the-hash, remote services (RDP, SMB, WMI), and exploitation of trust relationships between systems. Detecting lateral movement is a key SOC and EDR capability.

M

Malware

Malicious software designed to damage, disrupt, or gain unauthorised access to computer systems. Categories include viruses, worms, trojans, ransomware, spyware, adware, rootkits, and fileless malware. Malware is typically delivered via phishing emails, malicious websites, software supply chain compromise, or exploitation of vulnerabilities.

MDR (Managed Detection and Response)

An outsourced security service that provides 24/7 threat monitoring, detection, and active response capabilities. MDR providers deploy endpoint and network monitoring technology, staffed by experienced analysts who hunt for threats, investigate alerts, and take containment actions on behalf of the client organisation.

MFA (Multi-Factor Authentication)

An authentication method requiring users to provide two or more verification factors: something you know (password), something you have (hardware token, authenticator app), or something you are (biometrics). MFA significantly reduces the risk of account compromise from credential theft, blocking the vast majority of automated attacks.

MITRE ATT&CK

A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. MITRE ATT&CK provides a common language for describing attacker behaviour across 14 tactics (reconnaissance through impact) with hundreds of documented techniques. Used by SOC teams for detection engineering, red teams for attack simulation, and organisations for security gap analysis.

N

NIST (National Institute of Standards and Technology)

A US government agency that develops cyber security standards and frameworks widely adopted internationally. Key publications include the NIST Cybersecurity Framework (CSF) for risk management, NIST SP 800-53 for security controls, NIST SP 800-61 for incident response, and NIST SP 800-171 for protecting controlled unclassified information.

O

OWASP (Open Worldwide Application Security Project)

A non-profit foundation that produces freely available methodologies, tools, and documentation for web application security. The OWASP Top 10 is the most widely recognised list of critical web application security risks, covering injection, broken authentication, sensitive data exposure, and other common vulnerabilities. OWASP testing guides form the basis of most web application penetration testing methodologies.

P

PCI DSS (Payment Card Industry Data Security Standard)

A set of security standards designed to ensure that organisations handling credit card information maintain a secure environment. PCI DSS includes requirements for network security, data protection, vulnerability management, access control, monitoring, and security policy. Compliance levels (1–4) are based on transaction volume.

Penetration Testing

A controlled, authorised simulated cyber attack against an organisation's systems to identify exploitable vulnerabilities before real attackers do. Penetration testers use the same tools and techniques as malicious actors, then provide a detailed report of findings with remediation guidance. Also known as pen testing or ethical hacking.

Phishing

A social engineering attack where threat actors send deceptive messages (typically email) impersonating trusted entities to trick recipients into revealing credentials, clicking malicious links, or downloading malware. Variants include spear phishing (targeted), whaling (targeting executives), vishing (voice phishing), and smishing (SMS phishing).

Privilege Escalation

The exploitation of a vulnerability, misconfiguration, or design flaw to gain elevated access beyond what was initially authorised. Vertical privilege escalation moves from a standard user to administrator or root. Horizontal privilege escalation accesses another user's resources at the same privilege level. Common vectors include unpatched systems, misconfigured permissions, and kernel exploits.

Purple Team

A collaborative approach combining red team (offensive) and blue team (defensive) capabilities where both teams work together to improve security posture. Purple teaming involves the red team executing attack techniques while the blue team observes, tunes detection rules, and validates response procedures in real time.

R

Ransomware

Malware that encrypts a victim's files or systems and demands payment for the decryption key. Modern ransomware operations often involve double extortion (encrypting data and threatening to publish stolen data), initial access via phishing or exploiting vulnerabilities, lateral movement across networks, and cryptocurrency-based payment demands.

Red Team

An offensive security team that simulates real-world adversaries to test an organisation's detection and response capabilities. Unlike standard penetration testing, red team engagements are typically longer, covert operations designed to test people, processes, and technology holistically, often including social engineering and physical access attempts.

S

SIEM (Security Information and Event Management)

A platform that aggregates and analyses log data from across an organisation's IT infrastructure to detect security threats in real time. SIEM platforms use correlation rules, machine learning, and threat intelligence to identify suspicious patterns and generate alerts for SOC analysts.
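As an added illustration of what a SIEM correlation rule actually does (example code written for this glossary, not taken from any SIEM product or from Precursor), the snippet below runs one rule over a handful of constructed authentication log lines: five or more failed logins for the same user and source address within a two-minute window, followed by a successful login for that pair, raises a single alert. The log format, field names (`event`, `user`, `src`), threshold and window are all assumptions chosen for the example; a real platform would read events from its own normalised schema.

```python
"""Added example: a minimal SIEM-style correlation rule run over constructed log lines.

The log lines, field names and thresholds are constructed for illustration
and are not taken from any specific SIEM product.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of authentication events (syslog-like, space separated).
SAMPLE_LOGS = """\
2024-05-01T09:00:01 host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:04 host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:06 host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:09 host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:11 host=vpn01 event=auth_fail user=alice src=203.0.113.7
2024-05-01T09:00:15 host=vpn01 event=auth_ok user=alice src=203.0.113.7
2024-05-01T09:03:00 host=vpn01 event=auth_fail user=bob src=198.51.100.2
2024-05-01T09:20:00 host=vpn01 event=auth_ok user=bob src=198.51.100.2
"""


def parse_line(line):
    """Parse one log line into a dict: a datetime under 'ts' plus key=value fields."""
    ts_str, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts_str)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def correlate_bruteforce_then_success(log_text, threshold=5, window=timedelta(minutes=2)):
    """Correlation rule (assumed thresholds): `threshold` or more auth_fail events
    for the same (user, src) pair inside the sliding `window`, followed by an
    auth_ok for that pair, produces one alert. Returns a list of alert dicts."""
    fails = defaultdict(list)  # (user, src) -> timestamps of recent failures
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        key = (ev["user"], ev["src"])
        if ev["event"] == "auth_fail":
            fails[key].append(ev["ts"])
            # Keep only failures still inside the sliding window.
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= window]
        elif ev["event"] == "auth_ok":
            recent = [t for t in fails[key] if ev["ts"] - t <= window]
            if len(recent) >= threshold:
                alerts.append({
                    "rule": "bruteforce_then_success",
                    "user": ev["user"],
                    "src": ev["src"],
                    "failures": len(recent),
                    "first_failure": recent[0].isoformat(),
                    "success": ev["ts"].isoformat(),
                })
            fails.pop(key, None)  # a successful login resets the counter for that pair
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce_then_success(SAMPLE_LOGS):
        print(alert)
```

Run as written, the rule fires once, for `alice` from 203.0.113.7 (five failures then a success inside the window), and stays silent for `bob`, whose single failure is both below the threshold and outside the window by the time the successful login arrives. The same shape, a keyed sliding window plus a sequence condition, underlies most SIEM correlation rules; tuning the threshold and window is where false positives are traded against missed detections.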

SOAR (Security Orchestration, Automation and Response)

Technology that enables organisations to automate and orchestrate security operations workflows. SOAR platforms integrate with SIEM, firewalls, EDR, and ticketing systems to automate repetitive tasks like alert triage, threat intelligence enrichment, and incident response playbook execution, reducing analyst workload and mean time to respond.

SOC (Security Operations Centre)

A centralised facility staffed by security analysts who monitor, detect, analyse, and respond to cyber security incidents 24/7/365. SOCs use SIEM platforms to aggregate logs from across the organisation, correlate events, and alert on suspicious activity. CREST-accredited SOCs meet independently verified operational standards.

Social Engineering

The manipulation of people into performing actions or divulging confidential information through psychological techniques rather than technical exploitation. Social engineering attacks exploit human trust, authority, urgency, and curiosity. Common techniques include phishing, pretexting, baiting, tailgating, and impersonation.

T

Threat Hunting

A proactive security activity where analysts actively search for signs of malicious activity that may have evaded automated detection tools. Threat hunters use hypothesis-driven investigations, MITRE ATT&CK technique mapping, anomaly detection, and indicator-of-compromise searches across SIEM, EDR, and network data to identify advanced threats.

V

VPN (Virtual Private Network)

A technology that creates an encrypted tunnel between a user's device and a network, protecting data in transit from interception. VPNs are used for secure remote access to corporate networks and to protect communications on untrusted networks. Modern zero trust architectures are increasingly replacing traditional VPNs with identity-aware access proxies.

Vulnerability

A weakness or flaw in a system, application, or process that could be exploited by a threat actor to gain unauthorised access, escalate privileges, or cause harm. Vulnerabilities can exist in software code (buffer overflows, injection flaws), configurations (default credentials, open ports), or business logic (authentication bypasses).

W

WAF (Web Application Firewall)

A security control that monitors, filters, and blocks HTTP/HTTPS traffic to and from web applications. WAFs protect against common web attacks including SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and application-layer DDoS attacks. WAFs can be deployed as hardware appliances, software, or cloud-based services.

X

XDR (Extended Detection and Response)

An evolution of EDR that extends detection and response capabilities across multiple security layers including endpoints, network, email, cloud workloads, and identity. XDR correlates data from diverse sources to provide unified visibility, reducing alert fatigue and enabling faster identification of complex, multi-stage attacks.

Z

Zero-Day

A vulnerability that is unknown to the software vendor and for which no patch exists. Zero-day exploits are highly valuable because defenders have zero days to prepare. They are used by nation-state actors, advanced threat groups, and sold in underground markets. Discovery of zero-days is a key focus of vulnerability research programmes.


Frequently Asked Questions

What does the glossary cover?

The glossary covers 40 core cyber security terms across key domains: penetration testing (vulnerability, exploit, CVE, CVSS, zero-day), compliance frameworks (GDPR, PCI DSS, ISO 27001, Cyber Essentials, DORA), threat intelligence (MITRE ATT&CK, kill chain, lateral movement), incident response, network and application security (WAF, DDoS, phishing), and defensive technologies (EDR, XDR, MDR, SOC, SIEM, SOAR).

What is the difference between a vulnerability assessment and a penetration test?

A vulnerability assessment identifies and catalogues known vulnerabilities in systems using automated scanning tools. A penetration test goes further: a CREST-certified tester actively attempts to exploit those vulnerabilities to demonstrate real business impact and identify attack chains that automated tools cannot find. Penetration testing provides evidence of actual exploitability; vulnerability assessments provide a list of potential weaknesses.

What is the difference between a penetration test and a red team engagement?

A penetration test is a scoped, time-limited assessment of specific systems or applications, typically lasting 3–10 days. A red team engagement simulates a full adversary campaign over weeks or months, testing people, processes, and technology holistically with covert objectives. Red team operations assess detection and response capability; penetration tests assess technical vulnerability exposure.

What is CREST and why does accreditation matter?

CREST (Council of Registered Ethical Security Testers) is the UK government-recognised accreditation body for penetration testing. CREST-accredited firms employ testers who have passed rigorous hands-on technical examinations. CREST accreditation is required for UK government contracts, financial services regulated testing (FCA, PRA), and NHS DSPT assessments. It provides independent assurance that testing is conducted to a professional standard.

How is the glossary organised?

Terms are listed alphabetically A–Z with letter navigation so you can jump directly to the section you need. Each term includes a clear definition written for both technical practitioners and non-technical stakeholders. The glossary covers 40 core terms and is updated as new threats, technologies, and compliance requirements emerge.

Can I use these definitions in my own material?

Yes. Definitions are freely accessible for personal and commercial use. You may reference them in reports, documentation, training materials, and presentations with attribution to Precursor Security. For questions about bulk usage, contact us.