Glossary

Cybersecurity glossary

171 key terms and acronyms from across Cybersecurity certifications, in plain English. Definitions are simplified for learning; the official exam outlines are authoritative.

ABAC: Attribute-Based Access Control - access by attributes and context.
Active Directory (AD): Microsoft's directory service for managing users, computers and permissions in a Windows network.
AD set: The chained Active Directory environment in the OSCP exam, worth 40 of the 100 points.
ALE / SLE / ARO: Quantitative risk math: ALE equals SLE times ARO.
API gateway: A managed entry point that routes, secures and throttles API calls.
Application controls: Controls within a specific application (e.g., input validation, totals).
Assumed compromise: An exam model where you begin with a foothold and are tested on what you do next, not on initial access.
Assumed-compromise vs black box: Starting with a foothold (assumed compromise) versus starting with no inside access (black box).
Asymmetric encryption: Public/private key pair; key exchange and signatures.
Audit charter: The document that grants the audit function its authority and scope.
Audit evidence: The information used to support audit findings and conclusions.
Audit finding: A gap between the condition observed and the expected control criterion.
Audit independence: Freedom from relationships that could bias the auditor; you do not audit your own work.
BC/DR: Business Continuity and Disaster Recovery - keeping the business running and restoring IT after disruption.
BCP: Business Continuity Plan - how the business keeps operating through disruption.
BCP / DRP: Business Continuity Plan / Disaster Recovery Plan.
Bell-LaPadula: A confidentiality model: no read up, no write down.
BIA: Business Impact Analysis - finds critical functions and impacts.
Biba: An integrity model: no write up, no read down.
Business alignment: Ensuring security supports the organisation's objectives.
BYOK: Bring Your Own Key - the customer supplies and controls keys used in the provider's key service.
CASB: Cloud Access Security Broker - a control point that enforces security policy between users and cloud services.
Change management: A controlled process for approving and recording system changes.
CIA triad: Confidentiality, Integrity, Availability - the core goals of security.
Clark-Wilson: An integrity model enforcing well-formed transactions and separation of duties.
Client-side attack: A technique that relies on a user interacting with something rather than attacking a service directly.
Cloud data lifecycle: The stages data passes through: create, store, use, share, archive, destroy.
CMK: Customer-Managed Key - an encryption key the customer controls rather than the provider.
Community cloud: Cloud shared by organisations with common requirements (e.g. a sector or compliance regime).
Compensating control: An alternative control used when the primary control is impractical.
Control: A measure that reduces risk by preventing, detecting or correcting an event.
Control self-assessment: A method where process owners assess their own controls, reviewed by audit.
Corrective control: A control that fixes or restores after an event.
CPE credits: Continuing Professional Education credits used to keep OSCP+ valid over its three-year cycle.
Crypto-shredding: Rendering data unrecoverable by destroying the keys that encrypt it.
Cryptography: Securing information through encryption and hashing.
CSPM: Cloud Security Posture Management - tooling that finds and fixes misconfigurations in cloud environments.
CWPP: Cloud Workload Protection Platform - security for workloads such as VMs, containers and serverless.
Cyber kill chain: A model of the stages of an attack.
DAC: Discretionary Access Control - the owner sets access.
DAST: Dynamic Application Security Testing - testing a running application for flaws.
Data classification: Assigning sensitivity levels so the right controls apply.
Data masking: Hiding part of a value (e.g. all but the last four digits) for display or testing.
Data owner vs custodian: The owner is accountable for data; the custodian handles day-to-day protection.
Data remanence: Residual data left on storage after deletion; addressed by secure wiping or destruction.
Data residency: The physical location where data is stored.
Data sovereignty: The principle that data is subject to the laws of the country where it is located.
Defense in depth: Layering controls so no single failure is catastrophic.
Detective control: A control that identifies an event after it has occurred.
Digital signature: A hash encrypted with a private key; proves authenticity and integrity.
DLP: Data Loss Prevention - controls that stop sensitive data leaving.
DoS / DDoS: Denial of Service - overwhelming a system or service.
DRP: Disaster Recovery Plan - how IT services are restored after a disaster.
Due care: Doing what a reasonable person would to protect assets.
Due diligence: The ongoing effort to identify risks and verify controls.
Encryption: Reversible protection of confidentiality using a key.
Enumeration: Systematically discovering hosts, ports, services and other details about a target.
Ethical hacking: Authorised, scoped testing of systems to find weaknesses before attackers do.
Exploit: Code or technique that takes advantage of a vulnerability.
Exploitation: Using an identified weakness to gain access to a system.
Federation: Sharing identity across domains so users authenticate once across services.
Foothold: An initial point of access on a target from which you can work further.
Footprinting: Early information gathering to build a picture of the target before active testing.
Gap analysis: Comparing the current state to a desired state.
GDPR: EU data-protection regulation governing personal data and privacy.
General controls: Controls over the whole IT environment (e.g., access, change, operations).
Governance: The strategy, policies and oversight that direct and control security.
Hardening: Reducing a system's attack surface.
Hashing: A one-way function used to verify integrity, not to hide data reversibly.
Honeypot: A decoy system to attract and study attackers.
HSM: Hardware Security Module - tamper-resistant hardware that stores and uses cryptographic keys.
Hybrid cloud: A mix of private and public cloud connected together.
HYOK: Hold Your Own Key - keys are kept outside the cloud provider entirely.
IaaS: Infrastructure as a Service - the provider supplies compute, storage and network; the customer manages the OS upward.
IAM: Identity and Access Management - managing identities, authentication and authorization.
IDS / IPS: Intrusion Detection / Prevention System.
Incident response: The organised approach to handling a security incident.
Inherent risk: The risk that exists before any controls are applied.
Initial access: The first foothold gained on a target during an engagement.
IS audit: An independent examination of information systems and their controls.
IT governance: The structures and processes that direct and control the IT function.
Kali Linux: A Linux distribution with penetration-testing tools, used throughout PEN-200.
Key management: The processes for generating, storing, rotating and retiring encryption keys.
KPI: Key Performance Indicator - measures how well something performs.
KRI: Key Risk Indicator - signals rising risk.
Lateral movement: Moving from one compromised host to another within a network.
Least privilege: Granting only the access strictly required.
Local privilege escalation: Escalating rights on a machine where you already have a foothold.
Logical access control: Technical controls that restrict who can use systems and data.
MAC: Mandatory Access Control - the system enforces labels.
Materiality: Whether an error or weakness is significant enough to affect conclusions.
Maturity model: A scale used to assess how developed a process is.
Metasploit: A widely used exploitation framework; its use in the OSCP exam is governed by specific rules.
MFA: Multi-Factor Authentication - two or more independent factors.
MTD: Maximum Tolerable Downtime before serious harm.
Multi-tenancy: A single cloud platform serving many customers (tenants) on shared infrastructure.
Non-repudiation: Assurance that someone cannot deny an action they took.
Objectivity: An unbiased attitude that lets the auditor reach fair conclusions.
OffSec: Offensive Security, the organisation behind PEN-200 and the OSCP.
On-path attack: Intercepting communication between two parties.
OSCP: Offensive Security Certified Professional: OffSec's hands-on penetration-testing certification, tied to the PEN-200 course.
OSCP+: The current naming of the credential, valid three years and maintained with CPE credits and an annual fee.
PaaS: Platform as a Service - the provider also manages the OS and runtime; the customer manages apps and data.
Payload: The code or action delivered by an exploit to achieve a goal (conceptual).
Pen test vs vulnerability assessment: Actively exploiting weaknesses versus identifying and rating them.
PEN-200: OffSec's course "Penetration Testing with Kali Linux", which the OSCP exam is based on.
Penetration test: An authorised, scoped assessment that tries to find and demonstrate security weaknesses.
Pivoting: Using a machine you control to reach hosts you cannot access directly.
PKI: Public Key Infrastructure: certificates and authorities.
Policy: A high-level statement of management intent.
Port forwarding: Redirecting traffic through a controlled host to reach an internal service.
Post-implementation review: A check after go-live that the system delivered the intended benefits and controls.
Preventive control: A control that stops an undesirable event from occurring.
Private cloud: Cloud infrastructure dedicated to a single organisation.
Privilege escalation: Moving from limited access to higher (often administrative) rights on a host.
Procedure: Step-by-step instructions to meet a standard.
Proctoring: Live monitoring of a candidate during the exam to ensure the rules are followed.
Proof / flag: A token retrieved from a compromised machine to prove access for the exam report.
Public cloud: Cloud resources shared across many tenants over the internet.
Qualitative vs quantitative risk: Descriptive ratings versus numeric (monetary) analysis.
RACI: A responsibility model: Responsible, Accountable, Consulted, Informed.
RBAC: Role-Based Access Control - access by role.
Reconnaissance: The information-gathering phase, passive or active.
Reference monitor: The abstract component that mediates all access.
Report: The professional write-up of the engagement; on the exam you have a further 24 hours to submit it.
Residual risk: The risk that remains after controls are applied.
Reverse shell: A connection that gives an operator interactive control of a compromised host (conceptual).
Risk appetite: The amount and type of risk an organisation is willing to pursue.
Risk management: Identifying, assessing, responding to, and monitoring risk.
Risk response: Avoid, transfer, mitigate, or accept a risk.
Risk tolerance: The acceptable variation around the risk appetite.
Risk-based auditing: Planning and scoping audits by where the risk of control failure is greatest.
RPO: Recovery Point Objective - acceptable amount of data loss.
RTO: Recovery Time Objective - target time to restore a function.
RTO / RPO: Recovery Time Objective (target time to restore) and Recovery Point Objective (acceptable data loss).
Rules of engagement: The agreed scope and limits of an authorised test: what may be tested and how.
SaaS: Software as a Service - the provider runs the whole application; the customer manages data and access.
Salting: Random data added before hashing to defeat rainbow-table attacks.
Sampling: Selecting a subset of items to test, statistically or by judgement.
Sandboxing: Isolating code so it cannot affect the wider system if it misbehaves.
SAST: Static Application Security Testing - analysing source code without running it.
Scanning: Probing for live hosts, open ports and services.
Scope: The defined set of systems and actions that are authorised for testing.
SDLC: Systems Development Life Cycle - the stages of building or acquiring a system.
Segregation of duties: Splitting a task so no one person controls an entire sensitive process.
Separation of duties: Splitting tasks so no one person can commit and conceal fraud.
Session hijacking: Taking over a valid user session.
Shadow IT: Cloud services used without the organisation's approval or oversight.
Shared responsibility model: The split between what the cloud provider secures and what the customer secures; it shifts by service model.
SIEM: Security Information and Event Management - aggregates and analyses logs to detect and investigate threats.
SLA: Service Level Agreement - the provider's committed levels of availability and performance.
Sniffing: Capturing network traffic.
SOC 2: An assurance report on a service provider's controls for security, availability and related criteria.
Social engineering: Manipulating people to bypass security.
SQL injection: Abusing unvalidated input to manipulate a database.
SSO: Single Sign-On - one authentication for access to many systems.
Standalone machine: An independent target in the OSCP exam, separate from the AD set, worth points toward the 60-point pool.
Standard: A mandatory rule supporting a policy.
Sufficient and appropriate: Evidence that is enough in quantity and relevant + reliable in quality.
Symmetric encryption: Encryption with one shared key; fast, for bulk data.
TCB: Trusted Computing Base - the hardware and software that enforce security policy.
Tenant isolation: Keeping one customer's data and workloads separated from others in a multi-tenant cloud.
Third-party risk: Risk introduced by vendors and partners.
Threat / vulnerability / exploit: An actor or event, a weakness, and the means used to abuse it.
Tokenization: Replacing a sensitive value with a non-sensitive token that maps back to it.
Tunnelling: Encapsulating traffic to route it through an intermediary, often to reach internal hosts.
Vendor lock-in: Difficulty moving away from a provider due to proprietary services or data formats.
Vulnerability: A weakness that can be exploited.
Web application attack: A weakness in a web application that can lead to access, studied conceptually here.
White / black / grey hat: Authorised / malicious / unauthorised-but-non-malicious hackers.
Zero trust: Never trust, always verify; no implicit trust by network location.