The Complete Email Security Glossary

Email security is filled with complex acronyms and rapidly evolving threats. From technical protocols like DMARC and SPF to sophisticated attacks like Business Email Compromise (BEC), understanding the terminology is the first step in defense.

We created this glossary to decode the language of cybersecurity and to explain the tools, tactics, and protocols that keep organizations safe.

L

Least Privilege Access

The principle that a user has only the minimal access rights needed for their job.

Living off the Land (LOTL)

Living Off the Land (LOTL) attacks are a sophisticated cyber-attack technique, often fileless, where adversaries exploit native, legitimate, and pre-installed system administration tools (LOLBins like PowerShell or WMI) to execute malicious objectives, evade detection, and maintain persistence within a target system, posing a significant challenge for traditional security solutions.

Logic Bomb

Malicious code set to execute when specified conditions are met.

Longlining

Longlining attacks are sophisticated, high-volume phishing campaigns employing mass customization techniques to deliver messages that appear highly targeted and low-volume, effectively mimicking spear-phishing tactics to bypass standard security defenses and deceive cybersecurity professionals and end-users.

Look-alike TLD

Using TLDs that resemble legitimate ones, such as .co instead of .com, or .cm (Cameroon) to catch users who make small typos. Watch out for: Emails from service-department.co when your official company domain is service-department.com.

M

MFA Fatigue Attacks

A social engineering tactic, the MFA Fatigue Attack involves an adversary persistently generating multi-factor authentication requests to a legitimate user, overwhelming them into approving the malicious login attempt simply to stop the continuous disruption and overloading of authentication prompts.

MIME Multipart/Alternative

Using the MIME structure to show a "clean" text version of an email to the security scanner while showing a "malicious" HTML version to the user. Watch out for: Significant discrepancies between the text/plain part and the text/html part of a single email message.

MITRE ATT&CK Framework

The MITRE ATT&CK Framework is a globally-accessible knowledge base of adversary tactics and techniques, derived from real-world observations, used by cybersecurity professionals for threat hunting, detection engineering, red teaming, and assessing defensive posture against known threat actor behaviors across enterprise, mobile, and ICS environments.

MTA (Mail Transfer Agent)

A Mail Transfer Agent (MTA) is a specialized software component that manages the transfer of electronic mail messages from one computer system to another. It acts as the digital post office, receiving mail from senders and routing it to the appropriate destination MTA. Securing the MTA is vital for an organization's defense, as it is the gateway through which all incoming and outgoing mail passes. A misconfigured MTA can be exploited by spammers as an "open relay" to distribute millions of malicious messages.

MX Record (Mail Exchange)

A Mail Exchange (MX) record is a specific entry in a domain's DNS settings that tells the internet which mail server is responsible for accepting incoming messages for that domain. It provides the necessary instructions for routing email correctly. In a secure environment, the MX record often points to a cloud-based security gateway rather than the actual internal mail server. This allows the security service to scan, filter, and clean all incoming messages for threats before they ever reach the organization's internal network.

Machine Learning

Machine learning, a core AI subset, utilizes algorithms to autonomously identify patterns in large datasets, enabling systems to detect, predict, and block sophisticated cyber threats and anomalies, continuously improving an organization's security posture without explicit programming.

Macro Virus

A virus written in macro language, often found in Word or Excel attachments.

Malicious Email Attachments

Malicious email attachments are payloads, often obfuscated, delivered via electronic mail, specifically engineered to exploit system vulnerabilities, execute unauthorized code, compromise endpoint security, and facilitate data exfiltration or system damage upon recipient interaction.

Malware

Malware, or malicious software, is an overarching term for covert, invasive programs designed to disrupt system operations, steal data, or gain unauthorized access to endpoints, servers, or networks, posing significant security risks.

Man-in-the-Middle Attack

A Man-in-the-Middle (MitM) attack is a sophisticated form of active eavesdropping and session hijacking where a malicious actor covertly intercepts, modifies, or relays communications between two parties who believe they are communicating directly, enabling data theft and session compromise.

Managed Security Service (MSS)

Managed Security Service (MSS) is the outsourcing of security functions, including continuous monitoring, threat detection, incident response, vulnerability assessments, and compliance management, to expert third-party Managed Security Service Providers (MSSPs) to enhance an organization's cybersecurity posture and operational efficiency.

Mimikatz

Mimikatz is a post-exploitation open-source tool primarily used by penetration testers and threat actors to extract plain-text passwords, NTLM, and Kerberos credentials from Windows Security Account Manager (SAM) and Local Security Authority Subsystem Service (LSASS) memory processes, facilitating lateral movement and privilege escalation within compromised networks.

Mobile Security

Mobile security encompasses the comprehensive strategy, architecture, and technological safeguards implemented to mitigate risks across all devices accompanying users, including corporate and personal smartphones, tablets, and laptops, ensuring data integrity and confidentiality against sophisticated threats.

Model Context Protocol (MCP)

Model Context Protocol (MCP) is an open standard designed to connect AI systems and Large Language Models (LLMs) with external data sources, tools, and systems, replacing fragmented integrations with a unified, context-aware protocol. For cybersecurity professionals, it's critical to note that MCP enables arbitrary data access and code execution paths, so developers must implement security features such as authentication, authorization, and TLS themselves to mitigate risks.

Multi-Factor Authentication (Tokens)

Using tokens as part of a two-factor process to add extra security beyond passwords.

Multicloud

Multicloud environments involve the strategic deployment of IT infrastructure and applications across distinct public cloud platforms, fundamentally enhancing resilience against single-vendor failure while mitigating downtime risks and demanding unified, platform-agnostic security architecture and governance for comprehensive data protection.

Multifactor Authentication

Multifactor Authentication (MFA) is a critical security control requiring users to provide two or more distinct verification factors—such as something they know, have, or are—to gain access. This layered approach significantly reduces the risk of unauthorized access and account compromise, even if one credential is stolen, serving as a primary gatekeeper in a zero-trust architecture.

N

NIS2 Directive

The NIS2 Directive is the EU's latest cybersecurity legislation, replacing the original NIS Directive, designed to significantly strengthen collective cybersecurity resilience by mandating robust risk management measures and incident reporting requirements for essential and important entities across critical sectors.

NIST Compliance

NIST Compliance involves adhering to the guidance and best practices—such as the NIST Cybersecurity Framework (CSF)—developed by the National Institute of Standards and Technology to manage cybersecurity risk, strengthen data protection, and conform to regulations like FISMA and FedRAMP.

NIST Cybersecurity Framework (CSF)

The NIST Cybersecurity Framework (CSF) is a comprehensive, risk-based framework developed by the US National Institute of Standards and Technology, providing structured guidelines, standards, and best practices across five core functions—Identify, Protect, Detect, Respond, and Recover—to effectively manage and mitigate organizational cybersecurity risks.

National Cybersecurity Awareness Month

An annual collaborative initiative, established in 2004, where various government entities and private sector organizations unite efforts to proactively enhance public and professional awareness regarding critical issues in cybersecurity best practices and data privacy protection.

Natural Language Processing (NLP)

Natural Language Processing (NLP) is a specialized branch of AI that enables machines to analyze and comprehend unstructured textual data—like emails and threat reports—to detect sophisticated, language-based cyber threats such as phishing, social engineering, and malware, ensuring faster response and better protection.

Network Security

Network security encompasses the layered deployment of hardware, software, and procedural controls to protect the confidentiality, integrity, and availability of network resources and data from sophisticated internal and external cyber threats, ensuring regulatory compliance and business continuity.

Network-Delivered Threats

Network-delivered threats are categorized as Passive, like wiretapping and idle scans, focused on intercepting data, or Active, such as Denial of Service and SQL injection, aimed at executing disruptive commands against network operations and integrity.

Null Sender (<>)

Sending an email with a blank "Return-Path," which is standard for "Undeliverable" messages but used by attackers to bypass "From-address" filters. Watch out for: High volumes of "Out of Office" or "Bounce" messages that contain suspicious links, as these are often "Out-of-Band" phishing attempts.

O

OAuth

OAuth (Open Authorization) is a delegation protocol enabling secure, limited third-party access to protected user resources without exposing credentials, fundamental for modern application integration and critical for managing authorization scope and minimizing exposure risks in federated identity systems.

OIDC Consent Phishing

Tricking a user into clicking "Accept" on a third-party app permissions screen, giving the attacker direct API access to their mailbox without needing a password. Watch out for: "Permissions Requested" alerts in your M365/Google logs for apps with names like "Office 365 Upgrade" requesting Mail.ReadWrite.

OPSEC (Operational Security)

Operational Security (OPSEC) is a systematic, continuous risk management process utilized by cybersecurity professionals to proactively identify, control, and protect critical information or indicators that adversaries could exploit to achieve their objectives or inflict harm upon an organization's mission or assets.

OSI Model

The OSI Model is a seven-layer reference architecture that standardizes network communication protocols, defining the functions from physical transmission to application interaction. For cybersecurity professionals, understanding these layers is vital for identifying vulnerabilities, analyzing threat vectors, and implementing appropriate security controls at each stage of data transmission.

Open Source Software

Open-source software (OSS) utilizes a collaborative, shared development model where the complete source code is publicly accessible, facilitating security audits, vulnerability detection, and independent modification by the community, offering transparency and often rapid patching capabilities crucial for robust security posture.

Optical Character Recognition (OCR)

Optical Character Recognition (OCR) is a technology converting physical or image-based text into digital, machine-readable data. For cybersecurity, OCR is vital for indexing, encrypting, and monitoring digitized documents to prevent unauthorized access, detect fraud, and combat threats in illicit online communities by extracting text from images.

P

PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a globally adopted set of contractual operational and technical requirements designed to protect cardholder data and sensitive authentication data. Enforced by the major payment card brands, it provides a crucial baseline for entities—including merchants, processors, and service providers—that store, process, or transmit payment account data to build and maintain a secure environment against threats like identity theft, fraud, and data breaches.

PII

Data that could identify a specific individual, like SSNs or phone numbers.

POP3 (Post Office Protocol)

Post Office Protocol version 3 (POP3) is an older method of retrieving email where messages are downloaded from the server to a single local device and then deleted from the server. While this was useful when server storage was limited, it is often discouraged in modern secure environments. Because POP3 does not synchronize across devices, it creates challenges for data recovery and incident response. Furthermore, it lacks the centralized security benefits offered by modern IMAP or cloud-based mail systems.

PST Exfiltration

The specific act of targeting and downloading an entire Outlook .pst file to steal a user's entire historical email communication in one go. Watch out for: Unusual IMAP/POP3 sync activity or large outbound data transfers from a workstation to a personal cloud storage site.

PaaS (Platform-as-a-Service)

PaaS is a cloud service model where the provider manages the underlying infrastructure, operating system, and runtime environment. Cybersecurity professionals focus on securing the application and data, as this shared responsibility model delegates infrastructure security to the cloud provider.

Packet Loss

Packet loss is a critical network issue where data packets fail to reach their destination, frequently resulting in data corruption and degradation of network service quality. Cybersecurity professionals must understand its causes, implications for data integrity, and preventative measures to maintain robust network security and reliable operations.

Pass-the-Hash Attacks

Pass-the-hash (PtH) is a credential theft cyberattack, prevalent in Windows environments, that exploits the authentication mechanism by stealing and leveraging a user's password hash (typically NTLM) to authenticate to network resources and move laterally across a system without needing the plaintext password, enabling privilege escalation and persistent access.

Password Manager

Password managers are critical security applications designed to generate unique, complex credentials for multiple online services, encrypt them, and store them locally or in the cloud, facilitating secure access and mitigating risks associated with credential compromise and reuse.

Password Protection

Password protection encompasses comprehensive security strategies, policies, and technologies—including multi-factor authentication (MFA), strong password policies, secure storage with non-reversible encryption, and account lockout mechanisms—to rigorously verify user identity and safeguard authentication methods against unauthorized access and cyber threats.

Patch

A security fix for a discovered software weakness.

Patch Management

Patch management strategies are an essential, ongoing component of the Software Development Life Cycle (SDLC) maintenance phase, encompassing the systematic process of identifying, testing, and deploying critical security updates, patches, and hotfixes across an organization's network infrastructure to mitigate vulnerabilities and ensure system integrity.

Payload

The part of the malware that performs the malicious action.

Penetration Testing

Penetration testing is a simulated cyber attack conducted in a controlled environment to evaluate the security posture of an organization's IT infrastructure by actively exploiting identified and potential vulnerabilities, thereby providing actionable insights for remediation and defense enhancement.

Personally Identifiable Information

Personally Identifiable Information (PII) is any information, or combination of information (direct or indirect identifiers), that allows for an individual to be distinguished or traced, requiring stringent data protection controls and adherence to regulatory frameworks like those specified by NIST and various global privacy laws.

Petya (NotPetya)

Petya is a ransomware family targeting Windows systems, infecting the Master Boot Record (MBR) and overwriting the Windows bootloader. This triggers a reboot, presenting a fake check disk screen while encrypting the Master File Table (MFT) or disk data using algorithms like Salsa20, rendering the system unbootable until a Bitcoin ransom is paid.

Pharming

Pharming is a sophisticated type of cyber-attack designed to deceive users by redirecting legitimate traffic to malicious websites, often through DNS cache poisoning or local host file modification, enabling the illicit collection of sensitive authentication credentials and personally identifiable information from unsuspecting victims.

Phishing

Phishing is a deceptive cyberattack tactic employing social engineering via electronic communication channels, such as email or SMS, to illicitly acquire sensitive information, credentials, or deploy malware, often by impersonating a trustworthy entity.

Phishing Simulation

A phishing simulation is a controlled, proactive cybersecurity exercise where entities deploy carefully constructed, realistic mock phishing emails to their personnel. This practice serves as a critical measure for assessing and enhancing organizational resilience, measuring employee susceptibility to social engineering threats, and validating the effectiveness of current security awareness training programs.

Polymorphic Malware

Malware that changes its code every time it runs to avoid detection.

Predictive Analytics

Predictive analytics in cybersecurity is a proactive approach leveraging historical and current data, along with algorithms and AI/ML, to anticipate and neutralize potential cyber threats, vulnerabilities, and attacker behaviors before they materialize, enabling risk-informed decision-making and adaptive defenses.

Pretexting

Pretexting is a form of social engineering where attackers establish an elaborate, fabricated scenario, or "pretext," often assuming a false identity, to manipulate victims into knowingly or unknowingly divulging sensitive confidential data, granting unauthorized access to secure systems, or executing actions that compromise organizational security posture.

Principle of Least Privilege (PoLP)

The Principle of Least Privilege is a critical cybersecurity model requiring that every user, process, or application is granted only the minimum necessary permissions to perform its required functions, thereby minimizing the potential attack surface and limiting damage from compromises.

Privilege Escalation

In cybersecurity, privilege escalation is a post-exploitation technique where an attacker, having gained initial system access, exploits configuration flaws or vulnerabilities to obtain unauthorized, higher-level permissions, often achieving administrative or root rights, to further compromise the environment.

Privileged Access Management (PAM)

Privileged Access Management (PAM) is a core cybersecurity discipline focused on securing, monitoring, and controlling privileged access for human and machine identities. By enforcing the principle of least privilege, PAM mitigates risk from internal and external threats, reduces the attack surface, and ensures regulatory compliance through session monitoring and audit logs.

Privileged Identity Management (PIM)

Privileged Identity Management (PIM) is a critical security solution providing just-in-time (JIT) and time-bound access controls for elevated roles within an IT environment, enforcing the principle of least privilege. PIM facilitates granular control, multifactor authentication for activation, and comprehensive auditing to mitigate data breaches and insider threats.

Prompt Injection

A prompt injection attack is a sophisticated cybersecurity vector exploiting vulnerable machine learning models, specifically large language models (LLMs), by leveraging meticulously crafted, non-obvious user inputs designed to illicitly manipulate the model's behavior and bypass security controls.

Protected Health Information (PHI)

Protected Health Information (PHI) is individually identifiable health, treatment, or payment information, transmitted or maintained electronically or otherwise, by a covered entity or business associate. For cybersecurity professionals, this includes all health data and associated identifiers—like names, addresses, and medical record numbers—that must be secured according to HIPAA's Security Rule to protect patient privacy and integrity.

Public Cloud

A public cloud is an essential third-party hosted model providing shared, multi-tenant "as-a-service" technologies, including IaaS, PaaS, and SaaS, running on remote servers, crucial for scalable infrastructure, identity management, and secure remote resource access.

Q

Quid Pro Quo

Promising a benefit in exchange for information, such as fake surveys for gift cards.

Quishing (QR Phishing)

Quishing, a form of social engineering, leverages malicious QR codes—two-dimensional barcodes capable of storing extensive data—to illicitly redirect users to compromised websites, steal credentials, or initiate unauthorized malware downloads onto target systems, thereby posing a significant threat to organizational security posture.

R

Ransomware

Ransomware is a category of malicious software that executes unauthorized encryption or system lockout, denying legitimate users access to their data or infrastructure assets until a monetary ransom is remitted to the threat actor, often involving a critical decryption key exchange.

Ransomware-as-a-Service (RaaS)

Ransomware-as-a-Service (RaaS) is a subscription-based cybercriminal business model where RaaS operators provide fully developed ransomware kits, infrastructure, and support to RaaS affiliates, who then execute the attacks. This model often includes profit-sharing arrangements and dedicated dashboards, accelerating the scale and specialization of ransomware threats like DarkSide and LockBit.

Real User Monitoring

Real User Monitoring (RUM) is a passive monitoring technique that captures and analyzes actual end-user interactions and performance data from web applications, providing crucial visibility into user experience, application performance, and identifying anomalies and malicious activities for proactive threat detection and incident response.

Red Team

A red team comprises highly skilled, authorized security experts who simulate sophisticated, real-world adversary behaviors, tactics, and techniques to provide an objective assessment of an organization's existing security posture, cyber defenses, incident response capabilities, and overall resilience against targeted attacks.

Regulatory Compliance

Regulatory compliance is the mandated adherence to laws, regulations, and industry standards, such as GDPR or HIPAA, requiring the implementation of controls, continuous monitoring, and detailed documentation to protect sensitive data and systems against cyber threats, thereby mitigating legal and financial risks.

Remote Access Trojan

A Remote Access Trojan (RAT) is malware built to establish unauthorized remote access and control over a target system, which enables threat actors to execute malicious actions such as data exfiltration or complete device compromise. Remote control of this kind is a primary objective of malware development because it offers the highest operational benefit.

Retrieval-Augmented Generation (RAG)

Retrieval-Augmented Generation (RAG) is an advanced technique that enhances generative AI by dynamically retrieving relevant, authoritative context from external knowledge bases—such as threat intelligence or MITRE ATT&CK—to ground outputs, minimize hallucinations, and deliver accurate, actionable cybersecurity insights.

Risk Assessment

Analyzing potential internal and external threats to an organization.

Root Cause Analysis (RCA)

Root Cause Analysis (RCA) is a systematic, data-driven methodology for cybersecurity professionals to methodically investigate incidents, identify underlying systemic vulnerabilities, and address the true origin of security breaches—such as human error or software flaws—to prevent future recurrence and enhance organizational resilience.

Rootkit

Software tools that enable unauthorized control of a computer system without detection.

S

SASE

Secure Access Service Edge (SASE) is a cloud-native architecture that converges wide area networking (SD-WAN) and comprehensive security functions (SWG, CASB, FWaaS, ZTNA) into a unified, globally distributed service, ensuring consistent, policy-driven security and optimized access for all users, regardless of location.

SD-WAN

SD-WAN is a virtualized network architecture leveraging centralized, policy-based control to optimize traffic routing and application performance across diverse network links. For cybersecurity professionals, it provides a platform for integrated security functions, simplifying network architecture, enhancing visibility, and enabling secure cloud access and branch connectivity.

SEC’s Cybersecurity Disclosure Rules

The SEC's cybersecurity regulations establish that digital threats are fundamental to market integrity, requiring proactive measures by regulated entities to ensure investor protection and financial stability against evolving cyber risks.

SIEM

Software that collects and analyzes security alerts from across a network.

SIM Swapping

SIM swapping, a serious account-takeover technique also known as SIM hijacking or port-out fraud, involves social engineering or malice to redirect a victim's legitimate mobile service to a fraudulent SIM card controlled by an attacker, facilitating unauthorized access to multi-factor authentication codes and sensitive accounts.

SMTP (Simple Mail Transfer Protocol)

The Simple Mail Transfer Protocol (SMTP) is the standard technical language that mail servers use to communicate and send messages to one another. It provides the rules for how email is packaged and delivered across the internet. However, because the original SMTP protocol lacked built-in security features, it is highly susceptible to spoofing and interception. Modern defenses must add layers of security, such as TLS for encryption and SPF/DKIM for authentication, to protect the integrity of the SMTP transmission.

SMTP Relay

Simple Mail Transfer Protocol (SMTP) is the fundamental networking standard governing the transmission and relaying of email messages between mail servers across the internet. Due to its essential role, SMTP traffic is frequently exploited by threat actors for phishing, malware distribution, spoofing, and sending spam, necessitating continuous security monitoring and anomaly detection.

SOAR

Tools that help security teams automate their response to threats.

SOC (Security Operations Center)

A Security Operations Center (SOC) is a centralized organizational function, physical or virtual, dedicated to the continuous monitoring, analysis, and management of an organization's security posture, including the prevention, detection, investigation, and coordinated response to advanced cybersecurity incidents and threats.

SOX compliance

SOX compliance necessitates rigorous adherence to legal mandates for financial data security and integrity, requiring cybersecurity professionals to implement and maintain robust internal controls, ensuring accurate record-keeping, and protecting sensitive financial systems and data from unauthorized access or manipulation to prevent fraudulent financial reporting.

SPF (Sender Policy Framework)

Sender Policy Framework (SPF) is a critical email authentication method used to prevent attackers from spoofing your domain. It involves creating a DNS record that lists all the specific IP addresses and servers authorized to send emails on your behalf. When a message is received, the recipient's server checks this list; if the sender's IP is not authorized, the email may be flagged as spam or rejected. SPF is a foundational component of modern email security and works alongside DKIM and DMARC.

SQL Injection (Structured Query Language)

SQL injection (SQLi) is a critical vulnerability where an attacker exploits improper handling of user input to insert malicious SQL commands into an application's data-plane input. This manipulation alters the intended structure of database queries, potentially leading to unauthorized data retrieval, modification, deletion, or loss of system control, commonly targeting web applications utilizing SQL databases.

SSTP

Secure Socket Tunneling Protocol (SSTP) is a proprietary Microsoft VPN protocol using SSL/TLS encryption over TCP port 443 to tunnel Point-to-Point Protocol traffic, ensuring secure, firewall-resistant remote access, primarily advantageous within Windows infrastructures despite its closed-source nature.

SaaS (Software as a Service)

SaaS is a cloud-based software delivery model where the provider manages infrastructure and application security, while the customer retains responsibility for identity and access management (IAM), data security, and configuring proper security posture to mitigate risks like data exposure and noncompliance.

SaaS Security Posture Management (SSPM)

SaaS Security Posture Management (SSPM) is an essential cybersecurity platform that continuously assesses third-party SaaS applications to detect and remediate configuration drift, excessive access rights, shadow SaaS, and compliance gaps. It provides necessary visibility and governance to mitigate application- and identity-centric risks, preventing breaches from misconfigurations.

Sandbox

A cybersecurity sandbox is an isolated, controlled virtual environment designed for safe execution and analysis of potentially malicious or untrusted software code and files, preventing any harmful interaction with the host network, operating system, or critical production resources.

Sandboxing

Isolating and testing programs in a secure environment before allowing them through.

Secure Email Gateway (SEG)

A secure email gateway (SEG) acts as a critical security checkpoint, inspecting and filtering all inbound and outbound email traffic for malicious or unwanted content, such as spam, malware, and phishing attacks, before delivery to an organization's internal email servers or user inboxes.

Security Awareness Training

Security awareness training is a critical, ongoing educational program designed to equip employees with the knowledge and practical skills necessary to recognize, mitigate, and appropriately respond to cyber threats, thereby protecting organizational assets and sensitive data from various forms of loss or harm.

Security Information and Event Management (SIEM)

Security Information and Event Management (SIEM) aggregates and analyzes security data from various sources across the IT infrastructure, providing cybersecurity professionals with real-time, correlated visibility for threat detection, compliance reporting, and security incident response.

Security Operations Center (SOC)

A centralized location for continuous monitoring of security issues.

Security Orchestration Automation & Response (SOAR)

SOAR, or Security Orchestration, Automation, and Response, is a security framework utilizing integrated tools and software to automate repetitive security tasks and orchestrate complex workflows, enabling security operations teams to streamline threat detection, analysis, and coordinated response efforts more efficiently.

Security Service Edge (SSE)

Security Service Edge (SSE) is the security component of the SASE model, integrating cloud-delivered services like SWG, ZTNA, CASB, and FWaaS to enforce Zero Trust access, secure data, and provide threat protection for remote users accessing web, cloud, and private applications.

Security as a Service

Security as a Service (SECaaS) is a cloud-based model delivering scalable, subscription-based security solutions—such as IAM, DLP, and threat monitoring—that integrate with existing IT infrastructure. It offers specialized expertise, reduced complexity, and continuous protection against advanced threats without requiring dedicated in-house staff.
