Skip Navigation

Cybersecurity terms and definitions

Stay informed about the latest cybersecurity terms.

From antivirus to XDR and everything in between, learn more about the top cybersecurity terms and definitions.



A cyber threat actor, usually a state-sponsored or nation-state group or individual, that seeks to access a network and remains undetected on it for a long period of time while pursuing specific objectives. APTs conduct highly targeted attacks using hard-to-detect techniques. Their approach is much more sophisticated than the average cyber criminal, and they typically have advanced technical capabilities. Their objectives are usually political or economic in nature.  

An individual or group that takes malicious action targeting IT infrastructure or cyber resources. See also attacker and hacker

A security measure where a computer, network, or other device is not connected to another network or device in any way. Air gaps are often used on critical systems to protect them from malware, ransomware, and other forms of unwanted access.

Technical notifications delivered by security tools to provide information about threats and vulnerabilities.

The tendency for security staff to become desensitized to alert notifications from the tools and technology they use. Alert fatigue is a serious challenge for infosec teams, as genuine threats may slip by undetected as staff experience exhaustion and/or burnout stemming from this fatigue.  
Read more: 8 ways to avoid cybersecurity false positives and alert fatigue

Antivirus (AV) software is a host-based tool that looks for attributes of known malicious code. AV attempts to stop attackers from compromising endpoints and servers. 

Artificial intelligence (AI) is a field of computer science focused on using computers and machines to mimic human problem-solving and decision-making. It encompasses machine learning and deep learning, and emphasizes human-like rational decision-making. AI has become a hot-button term used by organizations everywhere for a variety of applications and uses. See also machine learning.

All the parts of your IT infrastructure where an attacker could exploit vulnerabilities to gain unauthorized access. This term is frequently used interchangeable with threat surface but is more common when describing an attacker’s perspective. 
Read more: How to assess your cyber threat surface

An individual or group that attempts to take malicious action targeting IT systems or cyber resources. See also adversary and hacker.

The process of verifying a user's digital identity, typically via a password or other unique token. See also multi-factor authentication.


In a cybersecurity training exercise, blue teams act as defenders, guarding the objective from red team (or attacker) activities. 

Short for "robot," bots are software programs that perform automated tasks. In a security context, cyber criminals may use bots to deploy malware, send spam, or interrupt and compromise websites. 

A social engineering scam where attackers compromise the email account of someone within an organization, usually an executive (hence why it is also known as “CEO fraud”). BEC typically relies on phishing to extra email credentials. Once an attacker has access to an account, they attempt to initiate a wire transfer to an account they control.  
Read more: What is business email compromise?


The Chief Information Security Officer in an organization. The CISO is the senior-level information security representative, responsible for establishing the overall information security strategy and overseeing its execution.  
Read more: Five tips to prevent CISO burnout

The Chief Security Officer in an organization. The CSO is the senior-level security representative in their organization and is responsible for establishing and maintaining the overall security strategy for an organization. The CSO may also oversee information security in organizations without a dedicated CISO. 

The CIA triad refers to the confidentiality, integrity, and availability of information: keeping an organization's information private, ensuring the information is reliable and can be trusted, and ensuring it remains accessible to those within the organization. It is a foundational concept in many infosec models and guides and informs many security systems and policies.

The techniques and practices used to secure private communications or data, typically using a key to encrypt the data at the sender's location and decrypt it at the receiver's location. 

A cyber attack is an attempt by hackers or attackers to damage or destroy computer networks or systems, or otherwise render them inoperable. Generally speaking, an attack is a malicious attempt to impact data confidentiality, integrity, or availability (the CIA triad). Attacks often render information technology inoperable, or may cause other damage. Unlike cyber incidents, attacks are malicious in nature.

A cyber incident constitutes any breach (or attempted breach) of a system's security policies and protections. Generally speaking, a breach or compromise that impacts data confidentiality, integrity, or availability (the CIA triad) can be classified as a cyber incident. A cyber incident may also render information technology inoperable or otherwise cause damage. Incidents are not necessarily always malicious in nature, and include human error and other mistakes.

A cyber range is a controlled, interactive virtual environment designed to simulate real-world network conditions, including user activity and traffic. Cyber ranges provide security personnel an authentic setting to build their skills and test their response capabilities with the tools and technology they'd use in a real incident.  

Read more: What is a cyber range?

Cybersecurity is the practice of protecting information technology systems, networks, and devices from malicious activity, human error, and other vulnerabilities and threats. It encompasses a wide range of techniques and policies designed to reduce risk, preventing breaches and compromises that could impact an organization's ability to operate, their reputation, and assets.

A security concept that emphasizes a working knowledge and understanding of the systems you are trying to protect. Cyber situational awareness (CSA) is best described as knowing your network, knowing the threats facing your network, and knowing how best to respond to those threats. CSA is critical concept for reducing your threat surface.

Read more: What is cyber situational awareness?


Data backups are copies of data that can be recovered later, typically after a cyber attack or event that compromised the integrity or availability of data. Backups are a critical component of a recovery plan, making it easy to retrieve essential files and resume operations quickly after an incident.

Read more: Data backups: What business owners should know 

A security incident that violates sensitive or confidential data. This could be the result of a deliberate malicious attack that seeks to copy or steal this data; alternatively, some data breaches are accidental and result from misconfigured systems or human error. Regardless of the cause, data breaches can be incredibly damaging to an organization.  

Read more: The real cost of a data breach 

The maintenance and assurance that data in a given system is accurate and consistent.

In the context of cybersecurity and information technology, data privacy (sometimes called information privacy) refers to how businesses and other organizations collect, store, manage, and share sensitive data. This data is often referred to as personally identifiable information (PII), and its use by third parties is regulated and legislated, with repercussions for its misuse or unauthorized access. Privacy and consumer protection go hand-in-hand, giving individuals control over how organizations use and share PII. Many of the laws and regulations governing data privacy emphasize the need for greater transparency and accountability.

Read more: Your data privacy cheat sheet

A type of cyber attack that seeks to disable, shut down, or otherwise disrupt a website, service, or network. Denial of service (DoS) attacks most often flood their targets with superfluous requests in an attempt to overload them, making them unavailable. See also distributed denial of service (DDoS) attack.

A branch of forensic science that covers digital technology. Digital forensics is focused on gathering and preserving digital evidence to aid in the prosecution of cyber crime. Forensics teams use special techniques and technology to recover, investigate, and examine this evidence, storing it in a secure location for use by law enforcement.

Read more: What is digital forensics and incident response (DFIR)?

A denial of service attack launched from multiple hosts with the express intent of compromising or disrupting normal traffic flow, overloading the target with requests to make them unavailable. See also denial of service (DoS) attack.

The Domain Name System, or DNS, is used to translate internet protocol (IP) addresses into user-friendly addresses and URLs. IP addresses for websites are long strings of numbers that aren't convenient for day-to-day use. DNS converts these addresses into easy-to-remember URLs.

A DNS firewall is a network-based security solution that actively blocks users from accessing known malicious websites. DNS firewalls rely on an up-to-date list of malicious domains to protect networks. Their blocking capabilities mean they may also be used to restrict access to content from a variety of sources—for example, preventing users from accessing video streaming services on corporate devices.

Also known as DNS spoofing, DNS poisoning is a technique used by hackers to corrupt DNS data, allowing them to divert traffic to a website they control. These fake websites are often used for phishing purposes, allowing hackers to gather credentials and use them in the legitimate site.

The act of revealing or exposing information about a person online, such as their real name or home address.


In the context of cybersecurity, encryption is the process of scrambling data using a code so that it is only readable to someone else with that code. Data encryption is an essential component of data privacy.

Endpoint detection and response (EDR) is a type of cybersecurity solution focused on protecting endpoint devices, including computers, smartphones, and other internet-enabled devices. EDR solutions provide security teams greater insight into the activity occurring on an endpoint, allowing them to spot and stop potential threats early. Because EDR only covers endpoints, it is not a complete security solution.

Read more: What is the difference between MDR, XDR, and EDR?

A hacker who uses their skills for ethical purposes. These hackers are typically contracted by organizations to test their defenses or probe for vulnerabilities in their software. 

See also unethical hackerattacker, hacker, and pen test  

The unauthorized removal (or theft) of data from a network or device. Data exfiltration to an attacker-controlled device or network may also include deleting the original files on the target's machine.

A piece of software that takes advantage of a previously identified vulnerability.

Extended detection and response (XDR) solutions attempt to extend the coverage of endpoint detection and response (EDR) across networks and cloud services, providing a greater degree of protection for an organization's entire IT environment. See also XDR.

Read more: What is the difference between MDR, XDR, and EDR?


A security alert that indicates a threat, vulnerability, or compromise exists when it does not. See also alert fatigue.

A firewall is a security device that protects computers or networks by monitoring and controlling incoming and outgoing traffic. Firewalls are typically network-based or host-based. Network-based firewalls deploy an appliance within a local area network (LAN) or wide area network (WAN), whereas host-based firewalls are deployed directly to a device.


The European Union (EU) General Data Privacy Regulation (GDPR) is a law governing the transfer of personal data for businesses operating in the EU and the European Economic Area (EEA). It applies to any organization that processes the personal data of any individual within the EEA. Under the GDPR, organizations that experience a data breach must report it to supervisory authorities within 72 hours of identifying the breach. While there are no explicit requirements for cybersecurity systems, the GDPR does lay out broad expectations for businesses to meet.


A hacker is any individual who achieves a goal using their technical knowledge of computers and other information technology in a non-standard way. The term has become synonymous with malicious cyber attackers but is better understood as an individual with a specific set of technical skills.  

See also attacker and cyber criminal.

The Health Insurance Portability and Accountability Act (HIPAA) is a United States law that regulates how PII in the healthcare sector is protected against fraud and theft. Under HIPAA, healthcare organizations that collect, store, and use patient PII face certain regulatory requirements that impact security protections.

An approach to an organization's security needs that emphasizes a single solution that extends across the entire IT infrastructure, including endpoints, cloud services, and networks. Holistic cybersecurity is designed to eliminate toolset complexity and reduce total cost of ownership, helping organizations focus on threats that matter most to them.


Incident recovery is the process of restoring and repairing damaged computer systems following a cyber incident. Minimizing downtime and ensuring rapid recovery is a major component of incident response planning.

The activities involved in how an organization handles a cybersecurity incident or data breach. Organizations may engage in IR planning and preparedness to ensure they know what to do in the event of a cyber attack or data breach.

Read more: What is digital forensics and incident response (DFIR)?

The study and/or use of computers to create, store, and process digital data.

Cybersecurity vulnerabilities that originate from within an organization's network or from a staff member. Insider threats may be malicious, such as a disgruntled employee copying data to sell or expose it, or they may be accidental, resulting from vulnerabilities in the digital supply chain or a misconfigured system.

An intrusion detection system (IDS) is an application or device that monitors traffic on networks or other IT systems for malicious activity.

ISO 27001 is an international standard on the management of information security. It details requirements for establishing, implementing, and maintaining information security management systems. Once an organization has met these requirements, they can then undergo an audit and certification process conducted by an accredited third party. ISO certification may be a requirement for certain contracts or for ensuring compliance with certain regulatory bodies.

Read more: Cybersecurity frameworks 101

An IT environment encompasses the hardware, software, and network components used by an organization. It includes everything from the endpoint devices used by employees to the technology used to keep them connected and operational. A small business may have an easy-to-map IT environment, with a few endpoints, a single cloud service, and a single modem and router to keep everything connected. Large enterprises have much more expansive IT environments that use thousands of endpoints, multiple software tools, and complex networks to keep everything connected.

IT infrastructure refers specifically to the information technology components that form the foundation of a given IT service. The term shares a lot of overlap with IT environment but is more commonly used to refer to those specific components integral to a service.


Machine learning is a subfield of artificial intelligence (AI) focused on creating algorithms that can emulate human problem-solving skills, learning to perform analytical tasks without additional programming. Machine learning tools rely on external datasets to establish a baseline, and regular human interaction to fine-tine operations. In a security context, machine learning systems may be used to automate the analysis of vast quantities of data such as logs to help identify threats. Human review of these results is necessary to ensure accuracy. These systems may need additional support to help identify emerging security threats, as they have not been "trained" to spot them.  

See also artificial intelligence.

Malicious code refers to any computer code intended to cause harm to a computer. Malicious code encompasses everything from computer viruses and backdoors to Trojan horses and attack scripts.

See also APT, Malware, and Ransomware

Malware, short for malicious software, is a type of computer program designed to damage and destroy computers or computer systems. Malware may disrupt normal operations, leak private information, provide attackers with unauthorized access to data or systems, or even delete private information. Ransomware is a type of malware that restricts a user's access to their own system or data unless they pay the attacker a fee.

See also malicious code, ransomware, and APT

In a man-in-the-middle attack, an attacker takes advantage of unsecure infrastructure (such as a public Wi-Fi connection) to intercept and potentially alter communications between two parties.

Managed detection and response (MDR) security solutions protect organizations by providing cybersecurity tools, technology, and support as a managed service. MDR effectively outsources cybersecurity functions to a trusted third-party provider. Some MDR vendors may offer more comprehensive protection and support than others and may be packaged with a range of other security tools.

Read more: What is the difference between MDR, XDR, and EDR?

Multi-factor authentication (MFA) refers to authentication systems that require two or more methods of confirming a user’s identity. In practice, this generally means using a password in conjunction with a one-time code, biometric token, or confirmation via an external application.


A network is a set of computers and network devices (such as switches, hubs, modems, routers, firewalls, and peripherals) that connect to share resources. Networks often include desktop computers, laptops, phones, and other devices. Because of how diverse and varied network composition is, understanding how your network is organized is a foundational step to better security.

Network detection and response (NDR) is a network-based security solution that deploys sensors on a business' network to spot and identify threats early. NDR solutions can provide strong protection for a network at the expensive of limited visibility across the wider threat surface.

The National Initiative for Cybersecurity Education (NICE) Framework (officially NIST Special Publication 800-181 revision 1) is a widely used reference document that provides common skill requirements and duties for cybersecurity professionals. The NICE Framework allows security professionals to determine how work roles and skills align in the broader industry. It's a vital document for organizations looking to recruit security professionals.

The National Institutions of Standards and Technology (NIST) is a United States physical sciences lab and non-regulatory agency. NIST promotes U.S. innovation and industrial competitiveness in selected fields, including information technology and cybersecurity. The NIST Cybersecurity Framework is widely used  guidance for organizations to manage and reduce cyber risk. Because it is a mandatory framework for U.S. federal agencies, many vendors pursuing government contracts adhere to the framework.


A password or passcode is a secret string of characters necessary for verifying the identity of a user attempting to access a private system or private data. Passwords are best used in tandem with another form of authentication, such as a one-time key or biometric token, to ensure added security.

Read more: Password spraying attacks: Tips for detection and prevention

Short for penetration test, a pen test is a type of ethical hacking where a white hat hacker or security operator simulates a cyber attack on a computer system to evaluate its security and share their findings with the system's defenders.

Phishing is a social engineering tactic where an attacker sends fraudulent messages to a victim in an attempt to trick them into sharing confidential information (like login credentials) or to deploy malicious software. Phishing attempts may be used on their own or to gather information for use in a more sophisticated cyber attack.

See also social engineering.

The Personal Information Protection and Electronic Documents Act (PIPEDA) is a Canadian law covering data privacy. Much like the GDPR, PIPEDA is concerned with how private sector organizations collect, use, and disclose personal information. Failure to comply with PIPEDA can lead to legal action following a review from the Office of the Privacy Commissioner of Canada.

Point solutions are individual tools or technologies that address a single aspect of the threat surface or provide limited functionality. Many organizations layer several point solutions together to meet their cybersecurity needs.

See also holistic cybersecurity.


Ransomware is a type of malware that encrypts and locks up a victim's machine, offering to restore access if the victim pays the attackers a fee. Unfortunately, there is no guarantee that an attacker will hold up their end of the deal following a payment. Ransomware attacks are increasingly commonplace and continue to plague businesses of all sizes.

Read more: What small businesses need to know about ransomware

In a cybersecurity exercise, red teams act as the attacker, attempting to bypass and overcome blue team (or defender) protections and defenses and achieve their objective.

See also blue team.

A collection of malicious software designed to give an attacker unauthorized access to a computer without being detected.  

See also APT, malware


Security Information and Event Management (SIEM) systems aggregate data from a variety of disparate tools to aid in analysis. SIEM functionality requires considerable effort to set up and manage.  


Security Orchestration, Automation, and Response (SOAR) systems seek to apply automated responses to a variety of events. SOAR systems often work alongside SIEMs to save time when responding to threats. Like SIEMs, SOAR systems require careful setup and fine-tuning to work effectively. 

A security operations center (SOC) acts as an organization’s central hub for cybersecurity monitoring and analysis. SOCs work with vast quantities of data, and typically use automated tools to help human analysts identify signs of suspicious activity or anomalies that could indicate a security threat.

Read more: What is a security operations centre?

Social engineering is the manipulation of individuals to take action that would divulge confidential information or otherwise help an attacker. Social engineering tactics are commonly used to help stage multiple types of cyber attacks.

Read more: Social engineering: attacks, techniques, and defenses

Spam is the use of multiple unsolicited messages to large numbers of users, usually for advertising purposes. Spam is also a common way for attackers to engage in phishing, allowing them to send out mass messages and reach more potential targets.

A technology or security stack is a set of tools and technology used by an organization to build effective cyber defences. This stack may include endpoint protections, cloud-based sensors, a DNS firewall, and any number of solutions and services. Simplifying tech stacks to reduce redundancies and enhance protections is a popular topic in the security world.

In the context of information technology and cybersecurity, the supply chain is every component that makes up a piece of software or technology. Many applications use open-source code or software, and a vulnerability in that code or software "upstream" could impact the supplier of an application used in your tech stack.


Tabletop exercises are security preparedness activities where participants walk through a simulated cyber incident, discussing their incident response processes to highlight potential flaws or concerns.


A threat is any malicious act that attempts to damage or destroy data or disrupt operations.

An individual or group that attempts to take malicious action targeting IT infrastructure or cyber resources.

See also attacker and hacker.


Also known as an attack surface, the threat surface is all the areas of an IT network where an unauthorized user or attacker could exploit vulnerabilities to gain access to systems and confidential data to stage an attack.

Read more: How to assess your cyber threat surface

A type of malware that misleads users regarding its true intent, typically spread through social engineering tactics.


A hacker who uses their skills for malicious purposes. Unethical hackers may target computer systems or individual users to compromise data, commit fraud, or simply disrupt normal operations to test themselves. They do not follow any rules of engagement and may perform any type of attack.  

See also ethical hackerattacker, and hacker.  



A Virtual Chief Information Security Officer, typically operating on a consulting basis. vCISO services are often used by organizations who can't access a C-level security representative.

Read more: What is a virtual CISO?

A type of malicious program that replicates itself by modifying other computer programs, inserting its own code to corrupt and disrupt systems or destroy data.

A flaw in a computer system or piece of software that could provide an attacker access to the overall device or system.


A type of malicious program that, once deployed on a single computer, begins to search for other computers connected to it via a local area network or internet connection. Once it identifies these connections, it replicates itself on those machines. Worms frequently slow down systems and may be used to give attackers a backdoor into infected systems. 



The most common initialism for extended detection and response. XDR solutions attempt to extend the coverage of endpoint detection and response (EDR) across networks and cloud services, providing a greater degree of protection for an organization's entire IT environment. See also extended detection and response.

Read more: What is the difference between MDR, XDR, and EDR?


An unknown, undiscovered flaw in software that can be exploited for nefarious purposes. Vulnerabilities are broadly defined as “known” or “unknown;” known vulnerabilities are typically patched in software, so as long as software is up-to-date, it is not susceptible to threats. Unknown vulnerabilities, like zero-days, are entirely unknown, thus presenting a major threat.

Read more: What if Field Effect Never Found the Blackswan Zero-Days?