Cybersecurity Glossary

35 essential cybersecurity terms for enterprise security leaders, CISOs, and board members. Definitions sourced from NIST, CISA, SANS Institute, and MITRE ATT&CK. Each term links to related articles and concepts across the Cybersecurity Boardroom.

A

Advanced Persistent Threat (APT)

A prolonged, targeted cyberattack in which an unauthorized actor gains access to a network and remains undetected for an extended period. APTs typically target high-value organizations such as government agencies, defense contractors, and financial institutions to steal data or monitor activity.

Attack Surface

The total set of points (known as attack vectors) through which an unauthorized user can attempt to enter data into, or extract data from, an environment. Minimizing the attack surface is a foundational security practice that includes removing unnecessary services, closing unused ports, and enforcing least-privilege access.

Authentication

The process of verifying the identity of a user, device, or system before granting access to resources. Common methods include passwords, multi-factor authentication (MFA), biometrics, and certificate-based authentication. Strong authentication is a cornerstone of Zero Trust architectures.

B

Botnet

A network of compromised computers (bots) controlled remotely by a threat actor, typically used to conduct distributed denial-of-service (DDoS) attacks, send spam, steal credentials, or mine cryptocurrency. Botnets can consist of millions of infected devices across consumer and enterprise networks.

Business Continuity Plan (BCP)

A documented strategy that outlines how an organization will continue operating during and after a disruptive event such as a cyberattack, natural disaster, or infrastructure failure. A BCP includes procedures for maintaining critical business functions, communication plans, and recovery objectives.

C

CISO (Chief Information Security Officer)

The senior executive responsible for establishing and maintaining the enterprise vision, strategy, and program to ensure information assets and technologies are adequately protected. The CISO directs staff in identifying, developing, implementing, and maintaining processes across the organization to reduce information and technology risks.

Cyber Threat Intelligence (CTI)

Evidence-based knowledge about existing or emerging threats to an organization's digital infrastructure, including context, mechanisms, indicators, implications, and actionable advice. CTI enables security teams to anticipate, prepare for, and respond to cyberattacks by understanding adversary tactics, techniques, and procedures (TTPs).

D

Data Breach

An incident in which sensitive, protected, or confidential data is accessed, disclosed, or stolen by an unauthorized individual. Data breaches can result in regulatory penalties, financial loss, and reputational damage. Organizations are typically required by law to notify affected individuals and regulators within specified timeframes.

Defense in Depth

A layered security strategy that employs multiple defensive mechanisms throughout an IT environment so that if one layer fails, another is in place to prevent or detect an attack. Layers may include firewalls, intrusion detection systems, endpoint protection, access controls, encryption, and security awareness training.

Denial of Service (DoS/DDoS)

An attack that disrupts the normal functioning of a targeted server, service, or network by overwhelming it with traffic or sending information that triggers a crash. A Distributed Denial of Service (DDoS) attack uses multiple compromised systems — often a botnet — to flood the target, making mitigation significantly more difficult.

E

Encryption

The process of converting plaintext data into an unreadable format (ciphertext) using a cryptographic algorithm and key, so that only authorized parties with the decryption key can access the original data. Encryption protects data at rest, in transit, and in use, and is fundamental to regulatory compliance frameworks including GDPR, HIPAA, and PCI DSS.

Endpoint Detection and Response (EDR)

A cybersecurity solution that continuously monitors endpoint devices (laptops, servers, mobile devices) for suspicious activity, provides visibility into endpoint-level threats, and enables rapid investigation and response. Unlike traditional antivirus, EDR uses behavioral analysis, machine learning, and threat intelligence to detect advanced threats including zero-day exploits, fileless malware, and lateral movement.

F

Firewall

A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls establish a barrier between trusted internal networks and untrusted external networks such as the internet. Modern next-generation firewalls (NGFWs) include application awareness, integrated intrusion prevention, and cloud-delivered threat intelligence.

I

Incident Response (IR)

The structured methodology an organization uses to identify, contain, eradicate, and recover from cybersecurity incidents. The NIST Incident Response lifecycle consists of four phases: Preparation, Detection and Analysis, Containment/Eradication/Recovery, and Post-Incident Activity. Effective IR minimizes damage, reduces recovery time, and prevents recurrence.

Indicator of Compromise (IoC)

An artifact observed on a network or in an operating system that, with high confidence, indicates a computer intrusion. Common IoCs include unusual outbound network traffic, anomalous privileged user activity, geographic login irregularities, suspicious registry or file changes, and known malicious IP addresses, domains, or file hashes.

L

Lateral Movement

The techniques an attacker uses to progressively move through a network after gaining initial access, searching for targeted data or assets. Lateral movement typically involves credential theft, exploitation of internal vulnerabilities, and abuse of legitimate tools (living-off-the-land) to escalate privileges and expand access while avoiding detection.

Least Privilege

The security principle that a user, process, or system should be granted only the minimum level of access — or permissions — needed to perform its authorized functions. Enforcing least privilege reduces the attack surface, limits the blast radius of compromised accounts, and is a foundational requirement of Zero Trust architectures.

M

Malware

Software intentionally designed to cause damage to a computer, server, client, or network. Categories include viruses, worms, trojans, ransomware, spyware, adware, and fileless malware. Modern malware increasingly uses polymorphic techniques, living-off-the-land binaries, and AI-generated social engineering to evade detection.

Mean Time to Detect (MTTD)

The average time it takes for an organization to discover a security incident or breach after it has occurred. MTTD is a critical security operations metric — the shorter the detection time, the less damage an attacker can inflict. Industry benchmarks from IBM's Cost of a Data Breach report indicate the global average MTTD is approximately 194 days.

Mean Time to Respond (MTTR)

The average time it takes for an organization to contain and remediate a security incident after detection. Combined with MTTD, MTTR provides a comprehensive view of an organization's incident response effectiveness. Reducing MTTR through automation, playbooks, and practiced response procedures directly lowers breach costs.

Microsegmentation

A security technique that divides a network into small, isolated segments to limit lateral movement and contain breaches. Each segment can have its own security policies, and traffic between segments is strictly controlled. Microsegmentation is a key component of Zero Trust architecture and is particularly effective in cloud and data center environments.

Multi-Factor Authentication (MFA)

An authentication method that requires users to provide two or more verification factors to gain access: something you know (password), something you have (security token or phone), and/or something you are (biometric). MFA significantly reduces the risk of credential-based attacks, which account for over 80% of data breaches according to the Verizon DBIR.

N

Network Segmentation

The practice of dividing a computer network into smaller subnetworks (segments), each acting as its own small network. Segmentation improves security by limiting an attacker's ability to move laterally across the network, improves performance by reducing congestion, and simplifies regulatory compliance by isolating sensitive data.

P

Penetration Testing

An authorized simulated cyberattack on a computer system, performed to evaluate the security of the system and identify vulnerabilities that an attacker could exploit. Penetration tests may target networks, applications, physical security, or social engineering vectors. Results inform remediation priorities and validate the effectiveness of existing security controls.

Phishing

A social engineering attack in which an attacker sends fraudulent communications — typically email — that appear to come from a trusted source, designed to trick recipients into revealing sensitive information, clicking malicious links, or installing malware. Variants include spear phishing (targeted), whaling (executive-targeted), vishing (voice), and smishing (SMS).

R

Ransomware

A type of malware that encrypts a victim's files or locks them out of their systems, demanding a ransom payment (typically in cryptocurrency) for the decryption key. Modern ransomware operations employ double extortion (threatening to publish stolen data) and ransomware-as-a-service (RaaS) models. The average ransom payment exceeded $1.5 million in 2025.

Risk Assessment

The process of identifying, analyzing, and evaluating cybersecurity risks to an organization's operations, assets, and individuals. Risk assessments consider the likelihood of threat exploitation of vulnerabilities and the resulting impact. Frameworks such as NIST RMF, ISO 27005, and FAIR provide structured methodologies for conducting risk assessments.

S

Security Information and Event Management (SIEM)

A technology solution that aggregates and analyzes log data from across an organization's IT infrastructure — including network devices, servers, endpoints, and applications — to detect, investigate, and respond to security threats in real time. Modern SIEM platforms incorporate user and entity behavior analytics (UEBA), threat intelligence feeds, and automated response capabilities.

Security Operations Center (SOC)

A centralized facility or team responsible for continuously monitoring and analyzing an organization's security posture. The SOC detects, investigates, and responds to cybersecurity incidents using a combination of technology solutions (SIEM, EDR, SOAR) and skilled analysts operating 24/7. SOC maturity models range from Level 1 (reactive) to Level 4 (predictive).

Social Engineering

The psychological manipulation of people into performing actions or divulging confidential information. Unlike technical attacks, social engineering exploits human trust, authority, urgency, and curiosity. Common techniques include phishing, pretexting, baiting, tailgating, and business email compromise (BEC). Social engineering is involved in over 70% of successful breaches.

Supply Chain Attack

A cyberattack that targets an organization by compromising a less-secure element in its supply chain — typically a third-party vendor, software provider, or service partner. Notable examples include the SolarWinds Orion compromise (2020) and the Kaseya VSA attack (2021). Supply chain security requires vendor risk assessments, software bill of materials (SBOM), and continuous monitoring of third-party access.

T

Threat Hunting

The proactive, analyst-driven process of searching through networks and datasets to detect and isolate advanced threats that evade existing automated security solutions. Unlike automated detection, threat hunting uses hypothesis-driven investigation, behavioral analysis, and threat intelligence to identify adversary activity before it results in damage.

V

Vulnerability

A weakness in a system, application, or process that could be exploited by a threat actor to gain unauthorized access, execute code, or cause disruption. Vulnerabilities are cataloged in the Common Vulnerabilities and Exposures (CVE) database and scored using the Common Vulnerability Scoring System (CVSS). Timely patching and vulnerability management programs are essential to reducing organizational risk.

Z

Zero Trust Architecture (ZTA)

A security model based on the principle of "never trust, always verify" that eliminates implicit trust from an organization's network architecture. Zero Trust requires continuous verification of every user, device, and network flow regardless of location. Key components include microsegmentation, least-privilege access, multi-factor authentication, and continuous monitoring. NIST SP 800-207 provides the foundational framework for implementing Zero Trust.

Zero-Day Exploit

An attack that exploits a previously unknown vulnerability in software or hardware for which no patch or fix exists. The term "zero-day" refers to the fact that the vendor has had zero days to address the flaw. Zero-day exploits are highly valued in both criminal markets and nation-state cyber operations, and defense requires behavioral detection, application hardening, and rapid response capabilities.