loading
Loading content
loading
Plain-language definitions of the offensive-security terms we use every day. Search by name or alias, or filter by category to find the concept behind a workflow.
84 terms
API security tests and protects application programming interfaces against broken authorization, excessive data exposure, and abuse of endpoints that lack a user interface.
Asset discovery identifies the hosts, domains, services, and applications that belong to an organization so each one can enter the inventory and receive monitoring.
An attack surface is the full set of points where an attacker can attempt to enter, extract data from, or manipulate a system, spanning hosts, services, applications, and human channels.
Also: ASM
Attack surface management continuously discovers, inventories, and monitors an organization's internet-facing and internal assets so security teams can track exposure as it changes.
Banner grabbing reads the identifying text a service returns on connection, such as a server header or SSH version string, to reveal the product and version in use.
Broken access control lets users act outside their intended permissions, reaching data or functions that authorization checks should have blocked.
A bug bounty program invites external researchers to report security flaws in defined scope and rewards valid, in-scope findings, expanding testing beyond an internal team.
Also: CT logs
Certificate transparency logs publicly record issued TLS certificates, so analysts can mine them for subdomains and hostnames an organization may not have advertised.
Also: metadata SSRF
A cloud metadata attack abuses SSRF or local access to query the instance metadata service and steal temporary credentials tied to a cloud workload's role.
A cloud misconfiguration is a setting that exposes data or grants excess access, such as a public object store, an open security group, or disabled logging.
Also: CSPM
Cloud security posture management continuously checks cloud accounts for misconfigurations and policy violations, such as public storage buckets or overly broad permissions.
Also: OS command injection
Command injection occurs when an application passes attacker-controlled input into a system shell, letting the attacker run arbitrary operating-system commands on the host.
Also: image scanning
Container image scanning inspects an image's layers and packages for known vulnerabilities and exposed secrets before the image runs in production.
Container security protects images, registries, and running containers against vulnerable packages, embedded secrets, and weak isolation across the container lifecycle.
Content discovery finds hidden files, directories, and endpoints on a web server by requesting candidate paths from a wordlist and noting which ones respond.
Also: CSP
A content security policy is an HTTP response header that tells browsers which script, style, and resource sources to trust, reducing the impact of cross-site scripting.
Continuous monitoring repeatedly checks assets and configurations on a schedule so teams detect new services, drift, and exposures soon after they appear rather than at audit time.
Credential stuffing replays username and password pairs leaked from one breach against other services, betting that people reuse the same credentials.
Also: CSRF, XSRF
Cross-site request forgery makes a logged-in user's browser send an unintended state-changing request to a site that trusts the user's existing session.
Also: XSS
Cross-site scripting lets an attacker inject script into pages another user's browser renders, running attacker code in the victim's session to steal data or hijack actions.
Also: Common Vulnerabilities and Exposures
A CVE is a unique public identifier assigned to a specific disclosed software or hardware vulnerability, letting teams reference the same flaw across tools and advisories (for example CVE-2021-44228 for Log4Shell).
Also: Common Vulnerability Scoring System
CVSS produces a numeric score from 0 to 10 that rates the severity of a vulnerability based on factors like attack vector, complexity, and impact, helping teams compare and prioritize fixes.
Detection engineering builds, tests, and tunes the rules and analytics that turn raw telemetry into reliable alerts about malicious activity.
Also: dirbusting
Directory brute-forcing requests many candidate paths from a wordlist against a web server to find directories and files that are present but not linked.
DNS enumeration queries a domain's DNS records (A, MX, TXT, NS, and others) and attempts zone transfers to reveal hosts, mail servers, and infrastructure clues.
Also: DAST
Dynamic application security testing probes a running application from the outside with crafted requests to find vulnerabilities without access to its source code.
An exploit is code or a technique that abuses a specific vulnerability to make a target behave in a way its operators never intended, such as running attacker commands or leaking data.
Exposure management prioritizes and reduces the weaknesses an attacker could reach by combining asset context, vulnerability data, and reachability into a single risk view.
Also: EASM
External attack surface management maps the assets an organization exposes to the public internet, including domains, IP ranges, and cloud services, from the perspective of an outside attacker.
Also: filter evasion
Firewall evasion uses techniques like packet fragmentation, decoy traffic, and protocol manipulation to slip scans or payloads past network filtering.
Fuzzing feeds large volumes of malformed or unexpected input into a target to trigger crashes, errors, or unhandled behavior that reveal vulnerabilities.
Also: identity misconfiguration
An IAM misconfiguration grants users, roles, or services more permission than they need, opening paths for privilege escalation and unauthorized access in a cloud environment.
Also: IR
Incident response is the structured process a team follows to detect, contain, eradicate, and recover from a security breach while preserving evidence.
Also: IOC
An indicator of compromise is an observable artifact, such as a malicious IP, file hash, or domain, that signals a system may have been breached.
Also: IDOR
An insecure direct object reference lets a user access another user's data by changing an identifier in a request, because the application checks the reference but not authorization.
Also: HTTP proxy, Web proxy
An intercepting proxy sits between a browser and a server so a tester can inspect, modify, and replay HTTP traffic, with Burp Suite a common example.
Also: IDS
An intrusion detection system watches network or host activity for signatures and anomalies that match attacks, raising alerts when it sees them.
Also: MITM, on-path attack
A man-in-the-middle attack places an attacker between two parties so they can read or alter traffic that each party believes is private and direct.
Metadata analysis extracts hidden details from documents and images, such as authors, software versions, and internal paths, which can reveal usernames and infrastructure.
Also: ATT&CK
MITRE ATT&CK is a public knowledge base that organizes real-world adversary tactics and techniques into a matrix defenders use to map detection and coverage.
Also: Open Source Intelligence
OSINT gathers and analyzes publicly available data, such as websites, social media, code repositories, and registration records, to build intelligence about a target.
Also: OWASP Top 10
The OWASP Top Ten is a community-maintained list of the most critical web application security risks, used as a baseline for testing and developer training.
Also: pDNS
Passive DNS records historical resolutions of domain names to IP addresses, letting analysts trace where a host pointed over time without querying the target directly.
Passive reconnaissance gathers information from third-party sources without sending traffic to the target, keeping the activity invisible to the target's logs.
Patch management tracks, tests, and deploys software updates so known vulnerabilities get fixed before attackers can exploit them.
Also: pentest, pen testing
Penetration testing simulates a real attack against systems or applications, with permission, to find and demonstrate exploitable weaknesses before a malicious actor does.
Pivoting routes traffic through a compromised host to reach networks the attacker could not access directly, turning one foothold into a gateway.
Also: Network port scanner
A port scanner is a tool that sends probes to discover open ports and services on hosts, with Nmap and masscan among the widely used options.
Port scanning probes a host's TCP and UDP ports to learn which are open and what services answer, mapping the reachable network attack surface.
Also: privesc
Privilege escalation lets an attacker move from limited access to higher rights on a system, for example from a standard user to root or domain administrator.
Also: PoC
A proof of concept demonstrates that a vulnerability is real and reachable by triggering its effect once under controlled conditions, without weaponizing it for broad attacks.
Also: recon
Reconnaissance collects information about a target's systems, people, and infrastructure to map the attack surface before any active testing begins.
Also: red team
Red teaming runs goal-driven adversary simulations across people, processes, and technology to test how well an organization detects and responds to a realistic attacker.
Also: coordinated disclosure
Responsible disclosure has a researcher privately report a vulnerability to the vendor and give time to fix it before any public details appear.
Also: cron scans
Scheduled scans run discovery or vulnerability checks automatically on a recurring timetable so coverage stays current without someone launching each run.
Also: secret detection
Secrets scanning searches code, configs, and history for exposed credentials like API keys, tokens, and passwords so teams can revoke them before attackers use them.
Security automation runs repetitive security tasks like scanning, enrichment, and triage through code and tooling instead of manual steps, freeing analysts for harder work.
Also: data pipeline
A security data pipeline moves findings and telemetry between tools, normalizing and deduplicating results so downstream stages and reports work from clean data.
Also: SOC
A security operations center is the team and tooling that monitors an organization around the clock to detect, investigate, and respond to security events.
Security orchestration coordinates many separate security tools so they share data and act in concert under a single defined process.
Also: SSRF
Server-side request forgery tricks a server into making requests the attacker chooses, often reaching internal services or cloud metadata endpoints the attacker cannot hit directly.
Also: version detection
Service fingerprinting identifies the software and version behind an open port by analyzing its responses, guiding which vulnerabilities and exploits may apply.
Shadow IT covers systems, cloud accounts, and SaaS applications that employees stand up without security or IT approval, leaving assets outside the official inventory and monitoring.
Also: Security Information and Event Management
A SIEM collects and correlates logs and events from across an environment to surface alerts, support investigations, and retain data for analysis.
Also: Security Orchestration, Automation and Response
SOAR connects security tools and runs playbooks to automate repetitive response steps, cutting the manual work analysts spend on each alert.
Also: SQLi
SQL injection abuses unsanitized input that an application places into a database query, letting an attacker read, modify, or delete data the query was never meant to expose.
Also: subdomain discovery
Subdomain enumeration finds the hostnames under a domain by querying DNS records, certificate transparency logs, and brute-force wordlists to expand the known attack surface.
Also: TTPs
Tactics, techniques, and procedures describe how a threat actor operates, from high-level goals down to the specific tools and steps they repeat across attacks.
Also: adversary
A threat actor is an individual or group that conducts malicious activity against targets, ranging from opportunistic criminals to organized state-sponsored teams.
Threat hunting proactively searches an environment for signs of attackers that automated alerts missed, using hypotheses drawn from known adversary behavior.
Also: CTI
Threat intelligence collects and analyzes data on attackers, their tools, and their methods to help defenders anticipate and prioritize relevant threats.
Also: SSL, TLS
TLS, the successor to SSL, encrypts traffic between clients and servers and authenticates the server with a certificate, protecting data in transit from interception.
Also: VM
Vulnerability management is the ongoing cycle of finding, prioritizing, remediating, and verifying weaknesses across an organization's assets.
Also: vuln scanning
Vulnerability scanning runs automated checks against hosts and applications to detect known weaknesses, missing patches, and risky configurations, then reports findings for triage.
Also: appsec, web app security
Web application security protects browser-facing applications and their APIs from attacks that target input handling, authentication, sessions, and business logic.
Also: spidering
Web crawling follows links and parses pages to map an application's URLs, parameters, and endpoints, building the inventory that later testing checks.
Also: webhooks
A webhook integration sends an HTTP callback to another system the moment an event fires, letting workflows react in real time instead of polling for changes.
A wordlist is a curated file of candidate strings, such as common paths, parameters, or passwords, that tools iterate through during discovery and brute-force tasks.
Workflow orchestration chains tools and tasks into a defined sequence, passing output from one step into the next so a full process runs end to end without hand-offs.