A reference point for standard industry terminology, regulations, and technologies.
-
Two-Factor Authentication. An authentication method that requires two distinct factors (typically something you know plus something you have) before granting access.
NIST Glossary →
-
Access Control List. A list of permissions attached to a resource that specifies which users or systems are granted access and what operations they may perform.
NIST Glossary →
-
Advanced Encryption Standard. A symmetric block cipher standardized by NIST and used worldwide to protect sensitive data at rest and in transit.
NIST FIPS 197 →
-
Artificial Intelligence. The field of computer science focused on building systems that perform tasks normally requiring human intelligence, such as reasoning, perception, and language understanding.
NIST AI →
-
Adversarial Machine Learning. The study of attacks against ML systems (such as evasion, poisoning, and model extraction) and the defenses that make models robust to them.
NIST AI 100-2 →
-
Application Programming Interface. A defined contract that lets software components communicate, and a major attack surface that OWASP tracks with a dedicated Top 10.
OWASP API Security →
-
Advanced Persistent Threat. A sophisticated, well-resourced adversary (often nation-state backed) that gains and maintains long-term, stealthy access to a target network.
NIST Glossary →
-
Attack Surface Management. The continuous discovery, inventory, and monitoring of an organization's externally reachable assets to reduce exposure.
NIST Glossary →
-
MITRE ATT&CK. A globally accessible, curated knowledge base of adversary tactics and techniques observed in real-world attacks, used to map detections and assess coverage.
ATT&CK Framework →
-
Business Continuity Plan. Documented procedures that guide an organization in continuing critical operations during and after a disruption.
NIST Glossary →
-
Bring Your Own Device. A policy allowing employees to use personal devices for work, introducing management and data-protection challenges.
NIST Glossary →
-
Command and Control. The infrastructure and channels attackers use to remotely direct compromised systems, exfiltrate data, and deliver further payloads.
MITRE ATT&CK →
-
Cloud Access Security Broker. A policy enforcement point placed between users and cloud services to provide visibility, compliance, and threat protection.
NIST Glossary →
-
California Consumer Privacy Act. A state statute that gives California residents rights over the personal information businesses collect about them, including the right to know, delete, and opt out of the sale of their data.
CA Attorney General →
-
Continuous Integration / Continuous Delivery. A set of practices that automate building, testing, and deploying software, enabling frequent and reliable releases.
OWASP CI/CD Risks →
-
Confidentiality, Integrity, and Availability. The three core security objectives (the "CIA triad") used to frame how information must be protected.
NIST Glossary →
-
Cybersecurity and Infrastructure Security Agency. The US federal agency responsible for strengthening cybersecurity and infrastructure protection, publishing widely-used advisories and the Known Exploited Vulnerabilities (KEV) catalog.
CISA.gov →
-
Chief Information Security Officer. The senior executive accountable for an organization's information and cybersecurity strategy, risk, and governance.
NIST Glossary →
-
Cybersecurity Maturity Model Certification. A U.S. Department of Defense program, built on NIST SP 800-171, that verifies contractors protect controlled unclassified information.
NIST SP 800-171 →
-
Cybersecurity Framework. NIST's voluntary framework of functions (Govern, Identify, Protect, Detect, Respond, Recover) for managing cybersecurity risk.
NIST CSF →
-
Cross-Site Request Forgery. An attack that tricks an authenticated user's browser into submitting unwanted requests to a web application, performing actions without the user's consent.
OWASP on CSRF →
-
Cyber Threat Intelligence. Evidence-based knowledge about adversaries and their tactics, used to inform detection and defensive decisions.
NIST Glossary →
-
Common Vulnerabilities and Exposures. A standardized dictionary of publicly disclosed cybersecurity vulnerabilities, each assigned a unique identifier (e.g., CVE-2021-44228) for tracking and reference.
CVE Program →
-
Common Vulnerability Scoring System. An open framework for communicating the characteristics and severity of software vulnerabilities, producing a numerical score from 0 to 10.
FIRST CVSS →
-
Common Weakness Enumeration. A community-developed catalog of software and hardware weakness types, used to describe the root causes behind vulnerabilities (e.g., CWE-79 for XSS).
MITRE CWE →
-
Dynamic Application Security Testing. A black-box testing method that probes a running application from the outside to find vulnerabilities an attacker could exploit at runtime.
OWASP DAST Tools →
-
Distributed Denial-of-Service. An attack that overwhelms a target with traffic from many compromised sources, rendering a service unavailable to legitimate users.
CISA on DDoS →
-
DomainKeys Identified Mail. An email authentication method that attaches a cryptographic signature so receivers can verify a message was not altered in transit.
IETF RFC 6376 →
-
Data Loss Prevention. Technologies and policies that detect and block the unauthorized transmission or exfiltration of sensitive data.
NIST Glossary →
-
Domain-based Message Authentication, Reporting, and Conformance. An email policy layer over SPF and DKIM that tells receivers how to handle messages that fail authentication.
IETF RFC 7489 →
-
Domain Name System. The internet's directory service that translates human-readable domain names into the IP addresses machines use to locate each other.
What is DNS? →
-
Digital Operational Resilience Act. An EU regulation that sets uniform requirements for the security and operational resilience of ICT systems supporting financial entities.
About DORA →
-
Data Protection Officer. An independent role required under the GDPR for certain organizations to oversee data protection strategy and compliance.
GDPR Art. 37 →
-
Disaster Recovery Plan. A documented set of procedures to recover IT systems and data following a disruptive event.
NIST Glossary →
-
Endpoint Detection and Response. Security tooling that continuously monitors endpoints (laptops, servers) to detect, investigate, and respond to threats at the host level.
What is EDR? →
-
Federal Risk and Authorization Management Program. A US government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies.
FedRAMP.gov →
-
Family Educational Rights and Privacy Act. A US federal law that protects the privacy of student education records and gives parents and eligible students rights over those records.
US Dept. of Education →
-
Federal Information Security Modernization Act. U.S. legislation requiring federal agencies to implement and document information security programs.
NIST on FISMA →
-
General Data Protection Regulation. A regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas.
Official GDPR Source →
-
Generative AI. AI systems that create new content (text, images, audio, code) by learning the patterns and structure of their training data.
NIST AI →
-
Gramm-Leach-Bliley Act. A US law requiring financial institutions to explain how they share and protect their customers' private information, including the Safeguards Rule and Privacy Rule.
FTC GLBA Guidance →
-
Governance, Risk, and Compliance. The integrated discipline of aligning IT and security activities with business objectives, managing risk, and meeting regulations.
NIST CSF →
-
Health Insurance Portability and Accountability Act. A US federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient's consent or knowledge.
HHS HIPAA Source →
-
Hardware Security Module. A dedicated, tamper-resistant device that generates, stores, and manages cryptographic keys and performs secure crypto operations.
NIST Glossary →
-
Identity and Access Management. The framework of policies and technologies for ensuring that the right individuals and machines have the appropriate access to technology resources.
NIST Glossary →
-
Insecure Direct Object Reference. An access-control flaw where an application exposes a reference to an internal object (like a record ID) without verifying the user is authorized to access it.
OWASP Testing Guide →
-
Intrusion Detection System. A monitoring system that analyzes network or host activity and alerts on signs of malicious behavior or policy violations.
NIST Glossary →
-
Indicator of Compromise. Forensic artifacts (such as malicious IPs, file hashes, or domains) that signal a system may have been breached.
NIST Glossary →
-
Intrusion Prevention System. A monitoring system that detects malicious activity and can actively block or drop it inline before it reaches its target.
NIST Glossary →
-
Incident Response. The organized process for preparing for, detecting, containing, eradicating, and recovering from security incidents.
NIST SP 800-61 →
-
ISO/IEC 27001. The leading international standard for an Information Security Management System (ISMS), specifying requirements for establishing, implementing, maintaining, and continually improving information security.
ISO Standard →
-
JSON Web Token. A compact, URL-safe, digitally signed token format used to securely transmit claims between parties, widely used for authentication and authorization.
JWT Introduction →
-
Known Exploited Vulnerabilities. CISA's authoritative catalog of vulnerabilities that have been actively exploited in the wild, used to prioritize remediation.
CISA KEV Catalog →
-
Large Language Model. A type of artificial intelligence algorithm that uses deep learning techniques and massively large data sets to understand, summarize, generate and predict new content.
Learn about LLMs →
-
Model Context Protocol. An open standard that enables developers to build secure, two-way connections between their data sources and AI-powered tools, allowing AI models to access contextual data reliably.
MCP Documentation →
-
Multi-Factor Authentication. A security mechanism requiring two or more independent verification factors (something you know, have, or are) to gain access, dramatically reducing the risk of compromised credentials.
CISA on MFA →
-
Man-in-the-Middle Attack. An attack where an adversary secretly relays or alters communication between two parties who believe they are talking directly.
NIST Glossary →
-
Machine Learning. A subset of AI in which systems learn patterns from data to make predictions or decisions without being explicitly programmed for each task.
ML Crash Course →
-
Network Access Control. A capability that enforces policy on devices attempting to connect to a network, permitting, denying, or restricting access based on posture.
NIST Glossary →
-
National Institute of Standards and Technology. A US agency whose Cybersecurity Framework and special publications (e.g., SP 800-53) are widely adopted standards for managing and reducing cybersecurity risk.
NIST CSF →
-
Natural Language Processing. The branch of AI concerned with enabling computers to understand, interpret, and generate human language.
What is NLP? →
-
Open Authorization. An open standard for delegated access that lets applications obtain limited access to a user's resources without exposing their credentials.
OAuth 2.0 →
-
Open Worldwide Application Security Project. A nonprofit foundation that works to improve the security of software, famous for their "Top 10" list of critical security vulnerabilities.
OWASP Foundation →
-
Privileged Access Management. Controls and tooling that secure, monitor, and govern accounts with elevated permissions to limit misuse and lateral movement.
NIST Glossary →
-
Payment Card Industry Data Security Standard. A set of security standards designed to ensure that all companies that accept, process, store, or transmit credit card information maintain a secure environment.
PCI SSC →
-
Protected Health Information. Individually identifiable health information protected under HIPAA, covering a person's health status, care, or payment when linked to identifiers.
HHS Privacy Rule →
-
Personally Identifiable Information. Any data that could potentially identify a specific individual, such as name, Social Security number, biometric records, or any information linkable to a person.
NIST Definition →
-
Public Key Infrastructure. The framework of policies, hardware, and certificate authorities that manages digital certificates and public-key encryption to enable trusted communication.
NIST Glossary →
-
Principle of Least Privilege. The security practice of granting users, processes, and systems only the minimum access required to perform their function, limiting the blast radius of a compromise.
NIST Glossary →
-
Penetration Testing. An authorized, simulated attack against systems to find and demonstrate exploitable vulnerabilities before real adversaries do.
NIST Glossary →
-
Retrieval-Augmented Generation. An AI technique that grounds a language model's output by retrieving relevant external documents at query time, improving accuracy and reducing hallucination.
What is RAG? →
-
Role-Based Access Control. An authorization model that grants permissions to roles rather than individuals, so users receive access based on the role they hold.
NIST RBAC →
-
Remote Code Execution. A class of vulnerability that allows an attacker to run arbitrary code on a target machine over a network, often the most severe outcome of a security flaw.
OWASP on Code Injection →
-
Recovery Point Objective. The maximum acceptable amount of data loss, measured in time, that an organization can tolerate after a disruption.
NIST Glossary →
-
Recovery Time Objective. The targeted duration within which a business process or system must be restored after a disruption to avoid unacceptable impact.
NIST Glossary →
-
Security Assertion Markup Language. An XML-based open standard for exchanging authentication and authorization data between an identity provider and a service provider, commonly powering SSO.
What is SAML? →
-
Secure Access Service Edge. A cloud-delivered architecture that converges networking (SD-WAN) and security services (like CASB, SWG, ZTNA) into a single, identity-aware service.
Gartner on SASE →
-
Static Application Security Testing. A white-box testing method that analyzes source code, bytecode, or binaries for security vulnerabilities without executing the program.
OWASP SAST Tools →
-
Software Bill of Materials. A formal, machine-readable inventory of the components and dependencies in a piece of software, essential for managing supply-chain security risk.
CISA on SBOM →
-
Software Development Life Cycle. The structured phases for building software (such as requirements, design, build, test, and maintenance) into which security should be integrated.
NIST Glossary →
-
Security Information and Event Management. Technology that aggregates and analyzes log and event data across an organization in real time to detect, investigate, and respond to security threats.
NIST Glossary →
-
Service Level Agreement. A formal commitment between a provider and customer defining expected service levels, metrics, and remedies if they are not met.
NIST Glossary →
-
Security Orchestration, Automation, and Response. Platforms that automate and coordinate security workflows and playbooks across tools to speed up incident response.
NIST Glossary →
-
System and Organization Controls 2. An auditing procedure that ensures your service providers securely manage your data to protect the interests of your organization and the privacy of its clients.
AICPA SOC 2 Info →
-
Sarbanes-Oxley Act. A US federal law that sets requirements for financial reporting and internal controls at public companies, with significant implications for IT controls and data integrity.
SEC SOX Text →
-
Sender Policy Framework. An email authentication standard that lets a domain publish which mail servers are authorized to send on its behalf.
IETF RFC 7208 →
-
SQL Injection. A code-injection technique where malicious SQL statements are inserted into application queries, allowing attackers to read, modify, or destroy database contents.
OWASP on SQLi →
-
Single Sign-On. An authentication scheme that lets a user log in once with a single set of credentials to access multiple related but independent applications and services.
What is SSO? →
-
Server-Side Request Forgery. A vulnerability that lets an attacker coerce a server into making requests to unintended internal or external resources, often reaching systems behind a firewall.
OWASP on SSRF →
-
Transport Layer Security. The cryptographic protocol that encrypts data in transit over networks, securing HTTPS and most other internet communications (the successor to SSL).
What is TLS? →
-
Third-Party Risk Management. The practice of identifying, assessing, and controlling the security and compliance risks introduced by vendors and suppliers.
NIST SP 800-161 →
-
Tactics, Techniques, and Procedures. The patterns of behavior that describe how a threat actor operates, forming the backbone of frameworks like MITRE ATT&CK.
MITRE ATT&CK →
-
Vulnerability Management. The ongoing cycle of discovering, prioritizing, remediating, and verifying security weaknesses across systems and software.
NIST SP 800-40 →
-
Virtual Private Network. A technology that creates an encrypted tunnel over a public network, protecting traffic and masking the user's network location.
CISA Guidance →
-
Web Application Firewall. A security filter that monitors, filters, and blocks malicious HTTP traffic to and from a web application, protecting against attacks such as XSS and SQL injection.
OWASP on WAF →
-
Extended Detection and Response. An approach that unifies telemetry across endpoints, network, cloud, and identity into a single detection and response platform.
What is XDR? →
-
Cross-Site Scripting. A web vulnerability that lets attackers inject malicious client-side scripts into pages viewed by other users, enabling session theft, defacement, or redirection.
OWASP on XSS →
-
Zero Trust Architecture. A security model based on the principle "never trust, always verify," requiring continuous authentication and authorization for every user and device regardless of network location.
NIST SP 800-207 →
-
Zero Trust Network Access. A model that grants application access per session based on identity and context, replacing implicit trust in the network perimeter.
NIST SP 800-207 →