Two-factor authentication is an electronic authentication method that adds an extra layer of security to online accounts by verifying a user's identity using two components, typically something they know and something they have.
AI in cybersecurity refers to the use of machine learning, deep learning, and other artificial intelligence techniques to enhance the detection, prevention, and response to cyber threats.
Alert Fatigue is a state cybersecurity professionals experience when overwhelmed by a high volume of security alerts, leading to desensitization and the risk of overlooking critical threats.
Anonymous Sudan is a hacktivist group that emerged in early 2023, known for carrying out numerous DDoS attacks against targets such as healthcare facilities, airports, and news websites, with activities appearing aligned with Russian strategic interests.
An Advanced Persistent Threat is a prolonged and targeted cyberattack in which an intruder gains access to a network and remains undetected for an extended period, typically carried out by sophisticated, well-resourced and often state-sponsored actors aiming to steal sensitive information.
APT27, also known as LuckyMouse or Emissary Panda, is a Chinese advanced persistent threat group active since at least 2010, known for long-term espionage campaigns and data theft across government, defense, financial, and energy sectors.
APT28, widely known as Fancy Bear, is a sophisticated cyber threat actor strongly linked to the Russian GRU, also referred to as Sofacy, Sednit, or Pawn Storm, with a long history of cyber-espionage operations.
APT29, also known as Nobelium or Cozy Bear, is a Russian advanced persistent threat group associated with the SVR foreign intelligence service, active since at least 2008 and known for sophisticated cyber espionage against government, research, energy, and financial sectors.
APT31, also known as Zirconium or Judgment Panda, is a Chinese state-sponsored advanced persistent threat group linked to the Ministry of State Security, active since at least 2010 and known for targeted phishing campaigns using zero-day vulnerabilities and custom malware.
AridViper, also known as APT-C-23 or Desert Falcon, is a threat actor allegedly associated with Hamas, primarily focused on targeting Israeli organizations in the defense, law enforcement, and government sectors.
BlackCat ransomware, also known as ALPHV, is a sophisticated ransomware group that emerged in late 2021, known for its advanced cross-platform capabilities targeting Windows, Linux, and VMware ESXi systems.
Bluenoroff is a North Korean state-sponsored advanced persistent threat group believed to be a subgroup of the Lazarus Group, also known as Hidden Cobra.
Building an Effective SOC Team: Roles and Responsibilities
Building an effective SOC team means defining clear roles, responsibilities, and communication flows so that detection and response operations run seamlessly, since a Security Operations Center is only as strong as the people behind it.
Building a SOC: Key Considerations for Security Leaders
Building a Security Operations Center is a strategic investment requiring careful planning across people, processes, and technology, with key decision points that determine whether the SOC delivers long-term value.
Business Email Compromise is a sophisticated cyber threat that targets organizations by exploiting email systems to deceive employees into transferring funds or divulging sensitive information.
Cactus is a ransomware strain that encrypts a victim's files and demands a ransom payment in exchange for restoring the stolen and encrypted data, entering victims' systems through various infection techniques.
Calisto, also known as COLDRIVER, is a threat actor close to Russia, observed running phishing campaigns against military and strategic research targets such as NATO entities, defense contractors, NGOs, and think tanks.
Callback phishing is a spearphishing method used by ransomware threat actors as an initial access technique, impersonating legitimate platforms or companies through emails claiming the victim has been or will be charged for a service.
A Computer Emergency Response Team, also known as a CSIRT, is a team of first responders in the event of a cyberattack, whose primary mission is to contain security incidents, minimize their impact, and facilitate post-crisis remediation.
ClearFake is a malicious JavaScript framework used on compromised websites to deliver malware via the drive-by download technique, tricking users into running fake web browser updates that install the payload.
Command and Control is a set of techniques and technologies used by cybercriminals and advanced persistent threat groups to centrally control compromised systems and coordinate malicious activities.
Crypters are software programs capable of encrypting, obfuscating, and manipulating malware to bypass detection mechanisms while keeping the malware's functionalities intact.
A Computer Security Incident Response Team is an operational security team that intervenes within organizations as soon as a security incident is reported, analyzing it and deploying the actions needed to contain and resolve it, while also playing a preventive role through regular threat monitoring.
Cyber Threat Intelligence is the research, analysis, and modeling of cyber threats, providing contextualized knowledge of attackers to anticipate and detect attacks.
CustomerLoader is malware that distributes a wide variety of payloads, including infostealers, remote access trojans, and ransomware, onto infected systems.
Cybersecurity aims to protect companies' networks, systems, and sensitive data from digital attacks, through the use of IT security tools, proven methodologies, and training to prevent and contain attacks.
DarkGate is a loader with remote access trojan capabilities developed in Delphi, which gained notoriety in late 2023 for its ability to operate secretly and evade detection by antivirus systems.
Data Loss Prevention is a process of identifying critical data within an organization and putting controls in place to prevent unauthorized access, exfiltration, or deletion of that data.
The DDoSia project is a Distributed Denial of Service attack toolkit developed and used by the pro-Russia hacktivist group NoName057(16) against countries critical of the Russian invasion of Ukraine.
Doenerium is an infostealer malware designed to discreetly collect and steal confidential information from victims' computers, including logins, passwords, financial data, and other sensitive information.
Endpoint Detection and Response is a security solution that detects, analyzes, and remediates threats on endpoints through behavioral analysis rather than signature-based detection.
An Endpoint Protection Platform is a cybersecurity solution that helps organizations protect their devices — laptops, desktops, servers, and mobile devices — from cyber threats, typically through prevention-focused, signature-based detection.
Endpoint protection tools are security solutions designed to protect an organization's endpoints — such as laptops, desktops, servers, and mobile devices — from cyber threats.
FakeBat is a loader malware in MSI format, sold as Malware-as-a-Service and known for its anti-detection features, widely distributed through malvertising and fake browser updates using the drive-by download technique.
A firewall is a network security system that monitors and controls incoming and outgoing network traffic based on a set of pre-established rules, protecting a network from unauthorized access.
The Frost & Sullivan Radar is a competitive intelligence tool that positions vendors across two dimensions, the Innovation & Growth Index and the Industry Footprint Index, to evaluate and compare companies within specific industries or market segments.
The Gartner Magic Quadrant is a proprietary research methodology and visual tool developed by Gartner that evaluates the strengths and weaknesses of technology vendors within a given industry.
Generative AI is a type of artificial intelligence that creates new content — text, code, images, audio, or video — by learning patterns from existing data and generating new, similar data based on what it has learned.
Hatvibe is a custom loader written in VBScript, first identified in 2023 and used by the threat actor UAC-0063, suspected to be linked to APT28 based on victimology overlap.
Identity and Access Management refers to the set of policies, technologies, and processes that organizations use to manage and control user access to systems and resources.
An Intrusion Detection System is a cybersecurity tool used to monitor network traffic for suspicious activity and known threats, sending alerts when it discovers anomalies so security professionals can investigate.
An Indicator of Compromise is an observable artifact, such as a file hash, IP address, or domain name, that suggests a system or network may have been compromised by a security threat.
An Information Sharing and Analysis Center is a sector-specific organization that provides a central hub for collecting, analyzing, and disseminating cyber threat information among its members to enhance their cybersecurity posture.
Kinsing is malware written in the Go programming language that primarily targets Linux systems and takes its name from the binary dropped on the infected system.
Mallox, also known as Fargo and TargetCompany, is a ransomware strain active since mid-2021 that targets unsecured MS-SQL servers and uses a double extortion tactic, threatening to publish stolen data if the ransom is unpaid.
Malware analysis is the practice of examining malicious software to understand what it does, how it works, and how it can be used to attack a system, helping security teams better understand and defend against cyber threats.
Managed Detection and Response is a cybersecurity service that provides organizations with proactive threat detection, incident response, and ongoing security monitoring through a combination of technology and human expertise.
Microsoft Defender Antivirus is a built-in antivirus component of the Windows operating system that provides protection against malware and other threats.
Multi-Factor Authentication is a security system that requires users to provide two or more independent forms of authentication to verify their identity before granting access.
MITRE ATT&CK is a comprehensive knowledge base of adversary tactics and techniques based on real-world cyberattack observations, describing attacker behavior through techniques and sub-techniques.
Machine Learning is a subset of artificial intelligence that provides systems the ability to automatically learn and improve from experience without being explicitly programmed, by accessing data and using it to learn for themselves.
A Managed Security Service Provider is a company that offers cybersecurity services to organizations, typically on a subscription or as-a-service basis.
Mean Time to Detect is the average time it takes an organization to identify a cybersecurity threat or security incident from the moment it occurs to when it is detected, and is a critical metric for evaluating detection effectiveness.
Mean Time to Respond (or Mean Time to Recover) is a key performance indicator in cybersecurity that measures the average time it takes an organization to respond to a security incident and begin the recovery process.
MuddyWater, also known as MERCURY, Seedworm, or Static Kitten, is an Iranian threat actor with suspected ties to the Ministry of Intelligence and Security, active since at least 2017 and primarily targeting entities in the Middle East and beyond.
Network Detection and Response is a cybersecurity solution category that focuses on monitoring and analyzing network traffic to detect, investigate, and respond to threats that may bypass traditional security controls.
Open XDR architecture is a cybersecurity approach that provides extended detection and response capabilities while ensuring interoperability with a wide range of existing security tools, rather than relying on a single vendor's stack.
Privileged Access Management is a cybersecurity strategy and set of technologies focused on controlling, monitoring, and auditing access to critical resources by privileged users.
The Payment Card Industry Data Security Standard is an information security standard for organizations that handle credit card data, with compliant organizations recognized as PCI certified.
PlugX is a sophisticated modular remote access trojan (RAT) used for over a decade in targeted attacks, primarily by China-linked APT groups, giving attackers full control of infected systems while evading detection.
PlugX worm is a variant of the PlugX remote access trojan with self-propagation capabilities, allowing it to spread automatically across systems, notably via USB devices, in cyber-espionage campaigns.
Predator is a commercial spyware developed and maintained by Intellexa, an Athens-based company, available in multiple versions capable of targeting iOS and Android devices as well as desktop platforms.
Ransomware as a Service is a cybercrime model where ransomware developers provide their malware to other cybercriminals, known as affiliates, who then use it to carry out attacks in exchange for a share of the ransom.
Ransom Distributed Denial of Service is a type of cyberattack where criminals threaten to carry out a Distributed Denial of Service attack against a target unless a ransom is paid.
Reaper, also known as APT37 or ScarCruft, is a North Korean cyber espionage group active since at least 2012, which has used a wide variety of tools including custom malware, legitimate tools, and publicly available exploit code.
Residential proxies are IP addresses assigned to real residential devices, such as smartphones and computers, by Internet Service Providers, often used to disguise the true origin of network traffic.
Roaming Mantis, also known as Shaoye, is a cybercriminal group that primarily targets mobile devices using rogue DNS settings and DNS hijacking to redirect victims to malicious websites or deliver malware.
A SaaS SIEM is a cloud-hosted version of traditional SIEM technology delivered as Software-as-a-Service, managed and operated by a third-party provider rather than running on the organization's own infrastructure.
Scattered Spider, also known as UNC3944 or Muddled Libra, is a cybercriminal group active since 2022, known for its sophisticated social engineering tactics and for targeting large organizations, particularly in the United States.
A Security Service Delivery Platform is an integrated cybersecurity infrastructure that enables Managed Security Service Providers and security teams to deliver, manage, and orchestrate a wide range of security services from a unified platform.
SEO poisoning, also known as search poisoning, is a cybercriminal technique that manipulates search engine rankings to promote malicious websites for a given keyword.
Shadow IT refers to the use of information technology systems, devices, software, applications, and services within an organization without explicit IT department approval, introducing significant security risks by bypassing the organization's security measures.
Security Information and Event Management is software that collects, aggregates, and correlates log and event data from across the IT infrastructure to provide real-time analysis of security alerts.
Security Orchestration, Automation and Response refers to tools that collect security threat data from multiple sources and automate the response to low-level security events without human intervention.
A Security Operations Center is a centralized unit responsible for continuously detecting, analyzing, and responding to an organization's security incidents.
SOC as a Service is a cloud-based managed security service that provides organizations with the capabilities of a traditional Security Operations Center on a subscription basis, outsourcing security monitoring and incident response.
SOC Best Practices: Strengthening Your Cybersecurity Posture
SOC best practices are the disciplined processes, continuous improvement habits, and culture of vigilance that an effective Security Operations Center must adopt to strengthen an organization's cybersecurity posture.
Single Sign-On is an authentication method that enables users to access multiple applications with a single set of login credentials, reducing repeated logins while supporting centralized access control.
Structured Threat Information eXpression is a standardized language and serialization format developed to exchange and share cyber threat intelligence in a consistent, machine-readable way.