glossary
The cybersecurity glossary, defined clearly.
Plain-language definitions of the application-security and offensive-security concepts teams actually use - each cross-linked to related terms, standards, and the vulnerabilities they concern.
Testing methods
DAST
Dynamic Application Security Testing
Tests a running application from the outside, like an attacker, without access to source code.
SAST
Static Application Security Testing
Analyzes source code or bytecode for vulnerabilities without running the application.
IAST
Interactive Application Security Testing
Instruments a running application to observe code behavior during tests.
RASP
Runtime Application Self-Protection
Runtime instrumentation that detects and blocks attacks against a live application.
SCA
Software Composition Analysis
Identifies open-source dependencies and their known vulnerabilities and licenses.
Penetration Testing
A simulated attack against a system to find and demonstrate exploitable vulnerabilities.
VAPT
Vulnerability Assessment and Penetration Testing
A combined approach: broad vulnerability assessment plus deeper penetration testing.
Vulnerability Assessment
Systematic identification and prioritization of vulnerabilities across a target.
Autonomous Penetration Testing
AI agents that investigate, chain, and exploit vulnerabilities without human intervention.
Continuous Penetration Testing
Ongoing, automated penetration testing that runs as the application changes.
Security platforms
WAF
Web Application Firewall
Filters and monitors HTTP traffic to block common web attacks at the network edge.
ASM
Attack Surface Management
Continuous discovery, inventory, and monitoring of an organization's attack surface.
ASPM
Application Security Posture Management
Aggregates and correlates application security findings to manage overall posture.
CNAPP
Cloud-Native Application Protection Platform
A consolidated platform combining cloud posture, workload, entitlement, and more.
CSPM
Cloud Security Posture Management
Detects misconfigurations and compliance gaps across cloud environments.
CWPP
Cloud Workload Protection Platform
Secures workloads - VMs, containers, and serverless - across their lifecycle.
CIEM
Cloud Infrastructure Entitlement Management
Manages and least-privileges identities and permissions in cloud environments.
CAASM
Cyber Asset Attack Surface Management
Builds a unified asset inventory by integrating with existing tools via APIs.
Frameworks & standards
Attack Surface
The full set of points where an attacker could attempt to enter or extract data.
Attack Chain
A sequence of steps an attacker links together to move from entry to impact.
OWASP
Open Worldwide Application Security Project
A nonprofit community producing free application-security resources and standards.
CVE
Common Vulnerabilities and Exposures
A public catalog of identifiers for specific known vulnerabilities.
CWE
Common Weakness Enumeration
A categorized list of software and hardware weakness types.
CAPEC
Common Attack Pattern Enumeration and Classification
A catalog of common attack patterns used to exploit weaknesses.
MITRE ATT&CK
A knowledge base of real-world adversary tactics and techniques.
CVSS
Common Vulnerability Scoring System
A standard for scoring the severity of vulnerabilities from 0 to 10.
Practices
Red Team
Offensive security group that emulates real adversaries to test detection and response.
Blue Team
Defensive security group responsible for detection, response, and hardening.
Purple Team
A collaborative exercise where red and blue teams work together to improve defenses.
Bug Bounty
A program that rewards independent researchers for responsibly reporting vulnerabilities.
DevSecOps
Integrates security into every stage of the software development lifecycle.
Shift Left
Moving security testing earlier in the development lifecycle.
Secure SDLC
Secure Software Development Lifecycle
Embedding security activities into each phase of software development.
Threat Modeling
Systematically identifying threats and weaknesses in a system's design.
Zero Trust
A model that trusts no request by default and verifies every access explicitly.