Glossary

Access Control — Enforcing Who Can Access What in a System

Access Control is the security discipline that defines and enforces who can access systems, data, and resources. This SECMONS glossary entry explains access control models, common failures, and how broken enforcement leads to major security incidents.

Advanced Persistent Threat (APT) — Long-Term, Coordinated Cyber Operations

An Advanced Persistent Threat (APT) refers to a highly capable and well-resourced threat actor that conducts prolonged, targeted cyber operations. This SECMONS glossary entry explains what defines an APT, how APT campaigns operate, and how defenders should assess APT-level risk.

API Security — Protecting Application Programming Interfaces from Abuse and Exploitation

API Security focuses on protecting Application Programming Interfaces (APIs) from unauthorized access, data exposure, and exploitation. This SECMONS glossary entry explains common API vulnerabilities, attack patterns, and defensive controls required to secure modern API-driven architectures.

Attack Surface — The Total Exposure Points an Adversary Can Target

Attack Surface refers to the sum of all possible entry points where an unauthorized user can attempt to access or exploit a system. This SECMONS glossary entry explains digital, physical, and human attack surfaces, how exposure evolves over time, and how defenders reduce risk through systematic surface reduction.

Authentication vs Authorization — Verifying Identity vs Granting Access

Authentication and Authorization are distinct security concepts: authentication verifies identity, while authorization determines access rights. This SECMONS glossary entry explains the difference, common implementation flaws, and how misconfigurations lead to security incidents.

Backdoor — Hidden Mechanism for Bypassing Normal Authentication Controls

A Backdoor is a hidden access mechanism that allows attackers to bypass standard authentication and security controls. This SECMONS glossary entry explains how backdoors are installed, how they differ from web shells, and why they are critical in post-compromise persistence.

Botnet — Network of Compromised Systems Controlled Remotely

A Botnet is a network of compromised devices remotely controlled by an attacker for coordinated malicious activity. This SECMONS glossary entry explains how botnets operate, how they are built, and how they are used in DDoS attacks, spam campaigns, and ransomware distribution.

Brute Force & Password Spraying — Systematic Credential Guessing Attacks

Brute Force and Password Spraying are credential-based attack techniques that attempt to gain unauthorized access by systematically guessing passwords. This SECMONS glossary entry explains how these attacks differ, how they are detected, and how organizations mitigate identity abuse.

Buffer Overflow — When Memory Boundaries Are Exceeded

A buffer overflow is a memory corruption vulnerability that occurs when data exceeds the allocated memory boundary, potentially allowing attackers to overwrite adjacent memory and execute arbitrary code. This SECMONS glossary entry explains how buffer overflows occur, their impact, and how defenders should interpret related CVEs.

Campaign — Coordinated Malicious Activity Conducted Over Time

A Campaign is a coordinated series of malicious activities conducted by a threat actor to achieve strategic objectives. This SECMONS glossary entry explains how campaigns are structured, how they are tracked, and why campaign analysis is central to cybersecurity intelligence.

CISA Known Exploited Vulnerabilities (KEV) — What It Means and Why It Changes Patch Priority

The CISA Known Exploited Vulnerabilities (KEV) Catalog lists CVEs that are confirmed to be actively exploited in the wild. This SECMONS glossary entry explains what KEV is, how vulnerabilities are added, how due dates work, and how defenders should operationalize KEV tracking in enterprise environments.

Command and Control (C2) — Remote Communication Channel for Compromised Systems

Command and Control (C2) refers to the infrastructure and communication mechanisms attackers use to remotely manage compromised systems. This SECMONS glossary entry explains how C2 works, common techniques, and how defenders detect and disrupt malicious control channels.

Command Injection — Executing Arbitrary System Commands via Application Input

Command Injection is a vulnerability that allows attackers to execute arbitrary operating system commands by manipulating application input. This SECMONS glossary entry explains how command injection works, its impact, how it differs from SQL injection, and how defenders can prevent it.

Credential Stuffing — Automated Account Takeover Using Reused Passwords

Credential stuffing is an automated attack technique where attackers use previously leaked username and password combinations to attempt login across multiple services. This SECMONS glossary entry explains how credential stuffing works, why password reuse fuels it, and how defenders can detect and mitigate it.

Cross-Site Scripting (XSS) — Injecting Malicious Code into Trusted Web Applications

Cross-Site Scripting (XSS) is a web vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users. This SECMONS glossary entry explains how XSS works, its types, real-world impact, and how defenders can prevent it.

CVE (Common Vulnerabilities and Exposures) — What It Is, How It Works, and Why Defenders Track It

CVE (Common Vulnerabilities and Exposures) is the global identifier standard for publicly disclosed software and hardware vulnerabilities. This SECMONS glossary entry explains CVE structure, who assigns CVEs, how CVEs relate to CVSS and CWE, and how teams use CVEs for patching, risk, and incident response.

CVSS (Common Vulnerability Scoring System) — How Severity Is Calculated and What It Really Means

CVSS (Common Vulnerability Scoring System) is the industry-standard framework used to score the severity of cybersecurity vulnerabilities. This SECMONS glossary entry explains CVSS v3.1 structure, base metrics, vectors, scoring ranges, and how defenders should interpret CVSS in real-world risk decisions.

CWE (Common Weakness Enumeration) — Root Cause Classification Behind Vulnerabilities

CWE (Common Weakness Enumeration) is the standardized taxonomy used to classify software and hardware weakness types such as use-after-free, buffer overflow, and security feature bypass. This SECMONS glossary entry explains what CWE represents, how it differs from CVE and CVSS, and how defenders use CWE to understand exploitation patterns and prioritize remediation.

Data Breach — Unauthorized Access, Exposure, or Exfiltration of Protected Information

A Data Breach is an incident involving unauthorized access, disclosure, or exfiltration of sensitive information. This SECMONS glossary entry explains what qualifies as a breach, how breaches occur, legal and operational implications, and how organizations reduce breach impact.

Data Exfiltration — Unauthorized Transfer of Sensitive Information

Data Exfiltration is the stage of an intrusion where attackers extract sensitive information from a compromised environment. This SECMONS glossary entry explains how data exfiltration works, common techniques, operational impact, and defensive detection strategies.

Defense Evasion — Techniques Used to Avoid Detection and Security Controls

Defense Evasion refers to the techniques attackers use to avoid detection, bypass security controls, and remain undetected within a compromised environment. This SECMONS glossary entry explains how defense evasion works, common techniques, and how defenders can detect and counter them.

Denial of Service (DoS) — Disrupting Availability Through Resource Exhaustion

Denial of Service (DoS) is an attack that disrupts the availability of a system, service, or network by exhausting resources or triggering crashes. This SECMONS glossary entry explains how DoS works, how it differs from Distributed Denial of Service (DDoS), and how defenders should approach mitigation.

Deserialization Vulnerability — Unsafe Object Reconstruction Leading to Code Execution

A deserialization vulnerability occurs when untrusted data is deserialized without proper validation, potentially allowing attackers to manipulate object behavior or achieve remote code execution. This SECMONS glossary entry explains how insecure deserialization works, why it is dangerous, and how defenders should mitigate it.

Drive-By Compromise — When Visiting a Website Is Enough

A drive-by compromise is an attack technique where a victim’s system is compromised simply by visiting a malicious or compromised website. This SECMONS glossary entry explains how drive-by attacks work, how they relate to browser vulnerabilities and zero-days, and what defenders should monitor.

Exploit Chain — Linking Multiple Vulnerabilities for Full Compromise

An Exploit Chain is a sequence of vulnerabilities or techniques combined to achieve full system compromise. This SECMONS glossary entry explains how exploit chains work, why single CVSS scores may underestimate risk, and how defenders should assess chained exploitation.

Exploit Kit — Automated Browser Exploitation Infrastructure

An exploit kit is a toolkit hosted on attacker-controlled infrastructure that automatically scans visiting systems for vulnerabilities and delivers exploits without user interaction beyond visiting a page. This SECMONS glossary entry explains how exploit kits work, their role in drive-by compromise campaigns, and why patch velocity is critical.

Exploited in the Wild — What It Means, How It’s Confirmed, and Why It Changes Risk

“Exploited in the wild” indicates that a vulnerability is actively being used in real-world attacks outside controlled research environments. This SECMONS glossary entry explains what qualifies as in-the-wild exploitation, how vendors confirm it, and how defenders should respond operationally.

File Inclusion (LFI/RFI) — Executing or Exposing Files via Improper Input Handling

File Inclusion vulnerabilities, including Local File Inclusion (LFI) and Remote File Inclusion (RFI), allow attackers to include unintended files in application execution flow. This SECMONS glossary entry explains how file inclusion works, how it differs from path traversal, and how defenders should mitigate it.

Incident Response — Structured Process for Detecting, Containing, and Recovering from Cyber Incidents

Incident Response is the structured process organizations follow to detect, contain, eradicate, and recover from cybersecurity incidents. This SECMONS glossary entry explains incident response phases, operational workflows, and how effective response reduces dwell time and business impact.

Indicators of Compromise (IOC) — Observable Evidence of Malicious Activity

Indicators of Compromise (IOCs) are observable artifacts that suggest a system may have been breached. This SECMONS glossary entry explains what IOCs are, common IOC types, how they are used in detection and threat intelligence, and their limitations in modern defense.

Initial Access — The First Stage of a Cyber Intrusion

Initial Access refers to the techniques attackers use to gain their first foothold inside a target environment. This SECMONS glossary entry explains common initial access vectors such as phishing, drive-by compromise, exploitation of public-facing applications, and credential abuse, and how defenders should assess and reduce exposure.

Insecure Direct Object Reference (IDOR) — Accessing Unauthorized Resources via Predictable Identifiers

Insecure Direct Object Reference (IDOR) is an access control vulnerability where an application exposes internal object references without proper authorization checks. This SECMONS glossary entry explains how IDOR works, real-world impact, and how defenders should prevent and detect it.

Kill Chain — Structured Model of the Cyber Attack Lifecycle

The Kill Chain is a structured model that describes the sequential stages of a cyber attack, from reconnaissance to impact. This SECMONS glossary entry explains the Lockheed Martin Cyber Kill Chain, its relevance in modern defense strategy, and how it complements MITRE ATT&CK.

Lateral Movement — Expanding Access Across Internal Systems

Lateral Movement is a post-compromise attack technique where an adversary moves from one compromised system to others within the same network. This SECMONS glossary entry explains how lateral movement works, why it is operationally critical, and how defenders should detect and contain it.

Loader / Dropper — Malware Components Used to Deliver and Execute Payloads

A Loader or Dropper is a malware component designed to install or execute additional malicious payloads on a compromised system. This SECMONS glossary entry explains how loaders and droppers function, how they differ, and why they are central to modern malware campaigns.

Man-in-the-Middle (MitM) — Intercepting and Manipulating Communications in Transit

A Man-in-the-Middle (MitM) attack occurs when an attacker intercepts, monitors, or alters communication between two parties without their knowledge. This SECMONS glossary entry explains how MitM attacks work, common techniques, real-world impact, and how defenders should mitigate interception risks.

Mark of the Web (MOTW) — How Windows Identifies Internet-Downloaded Files

Mark of the Web (MOTW) is a Windows security mechanism that tags files downloaded from the internet to enforce additional protections such as warnings and restricted execution. This SECMONS glossary entry explains how MOTW works, why it matters in real-world exploitation, and how bypasses increase risk.

Memory Corruption — How Low-Level Memory Bugs Lead to Crashes, Exploits, and Code Execution

Memory corruption refers to vulnerabilities that allow unintended modification of a program’s memory. This SECMONS glossary entry explains how memory corruption occurs, common weakness types such as use-after-free and buffer overflows, how attackers exploit them, and why memory corruption often leads to remote code execution.

Multi-Factor Authentication (MFA) — Adding Layers to Account Security

Multi-Factor Authentication (MFA) is a security control that requires users to provide two or more verification factors to gain access to an account or system. This SECMONS glossary entry explains how MFA works, its role in preventing credential-based attacks, and common bypass techniques attackers attempt.

Out-of-Bounds Read (CWE-125) — Reading Memory Beyond Intended Limits

An out-of-bounds read occurs when a program reads data outside the boundaries of an allocated memory buffer. This SECMONS glossary entry explains how out-of-bounds reads happen, their security impact, and how they relate to memory corruption and data exposure vulnerabilities.

Patch Management — Deploying Security Updates to Reduce Exploitable Risk

Patch Management is the operational process of acquiring, testing, deploying, and verifying software updates to remediate security vulnerabilities. This SECMONS glossary entry explains how patch management works, how it differs from vulnerability management, and why delayed patching leads to real-world exploitation.

Path Traversal (Directory Traversal) — Accessing Files Outside Intended Directories

Path Traversal, also known as Directory Traversal, is a vulnerability that allows attackers to access files and directories outside the intended application root. This SECMONS glossary entry explains how path traversal works, its impact, and how defenders should prevent and detect it.

Persistence — Maintaining Long-Term Access After Initial Compromise

Persistence is the stage of an intrusion where attackers establish mechanisms to maintain access to a compromised system or environment over time. This SECMONS glossary entry explains how persistence works, common techniques used by threat actors, and how defenders can detect and remove persistent footholds.

Phishing — Deceptive Social Engineering to Steal Credentials and Deliver Malware

Phishing is a social engineering technique where attackers impersonate trusted entities to steal credentials, deliver malware, or gain initial access. This SECMONS glossary entry explains phishing variants, operational impact, and defensive controls.

Privilege Escalation — Gaining Higher Access Rights Than Intended

Privilege Escalation is an attack technique where a user or process gains higher permissions than originally granted. This SECMONS glossary entry explains vertical and horizontal privilege escalation, common exploitation paths, and defensive mitigation strategies.

Proof of Concept (PoC) — Demonstration Code Validating a Vulnerability

A Proof of Concept (PoC) is code or a technical demonstration that validates the existence of a vulnerability. This SECMONS glossary entry explains how PoCs influence risk, exploitation timelines, and defensive prioritization.

Ransomware — Malware That Encrypts or Extorts for Financial Gain

Ransomware is a type of malicious software that encrypts data or threatens publication to extort payment from victims. This SECMONS glossary entry explains how ransomware operates, common attack stages, and why modern ransomware campaigns combine encryption with data exfiltration.

Remote Access Trojan (RAT) — Malware Enabling Stealth Remote Control

A Remote Access Trojan (RAT) is malware that provides attackers with covert remote control over compromised systems. This SECMONS glossary entry explains how RATs operate, how they are deployed, and why they are central to espionage, credential theft, and long-term persistence.

Remote Code Execution (RCE) — What It Means and Why It’s One of the Most Dangerous Vulnerability Impacts

Remote Code Execution (RCE) allows an attacker to execute arbitrary code on a target system from a remote location. This SECMONS glossary entry explains how RCE occurs, how it differs from other impacts, how it is typically exploited, and why RCE-class vulnerabilities demand immediate attention.

Risk vs Exposure — Understanding the Difference Between Vulnerability and Impact

Risk and Exposure are related but distinct concepts in cybersecurity. Exposure refers to the presence of a weakness or reachable asset, while risk reflects the likelihood and impact of exploitation. This SECMONS glossary entry explains how the distinction influences prioritization and security strategy.

Sandbox Escape — Breaking Out of Application Isolation Boundaries

A sandbox escape occurs when an attacker bypasses application isolation mechanisms to execute code outside a restricted environment. This SECMONS glossary entry explains how sandboxing works, how escapes occur, and why sandbox escape vulnerabilities significantly increase exploitation impact.

Security Feature Bypass (CWE-693) — When Protection Mechanisms Fail

Security Feature Bypass, commonly mapped to CWE-693 (Protection Mechanism Failure), refers to vulnerabilities that allow attackers to circumvent built-in security controls such as warnings, sandboxing, or policy enforcement. This SECMONS glossary entry explains how these weaknesses occur, why they are dangerous, and how defenders should interpret them in real-world risk scenarios.

Security Misconfiguration — Improper System Settings That Create Exploitable Exposure

Security Misconfiguration refers to improper or insecure system settings that expose applications, infrastructure, or cloud services to unauthorized access. This SECMONS glossary entry explains common misconfiguration patterns, operational impact, and how they contribute to real-world breaches.

Session Hijacking — Taking Over Authenticated User Sessions

Session Hijacking is an attack technique where an attacker takes control of a valid user session by stealing or predicting session identifiers. This SECMONS glossary entry explains how session hijacking works, common attack methods, real-world impact, and defensive mitigation strategies.

SQL Injection (SQLi) — Executing Unauthorized Database Queries

SQL Injection (SQLi) is a vulnerability that allows attackers to manipulate database queries by injecting malicious input into application fields. This SECMONS glossary entry explains how SQL injection works, common impact scenarios, and how defenders should mitigate and detect it.

Supply Chain Attack — Compromising Trusted Vendors to Reach Downstream Targets

A supply chain attack occurs when threat actors compromise a trusted vendor, software provider, or service to gain indirect access to downstream customers. This SECMONS glossary entry explains how supply chain attacks work, common techniques, and how defenders should reduce third-party risk.

Tactics, Techniques, and Procedures (TTPs) — Understanding Adversary Behavior Patterns

Tactics, Techniques, and Procedures (TTPs) describe how threat actors operate across the attack lifecycle. This SECMONS glossary entry explains what TTPs are, how they differ from indicators of compromise, and why behavioral intelligence is critical for long-term defense.

Threat Actor — Individuals or Groups Responsible for Cyber Operations

A Threat Actor is an individual, group, or organization that conducts malicious cyber activity. This SECMONS glossary entry explains threat actor types, motivations, capabilities, and how they are classified in cybersecurity intelligence reporting.

Threat Intelligence — Structured Analysis of Adversary Behavior and Risk

Threat Intelligence is the structured collection, analysis, and interpretation of information about adversaries, vulnerabilities, and campaigns to support informed security decision-making. This SECMONS glossary entry explains types of threat intelligence, operational workflows, and how intelligence drives risk reduction.

Use-After-Free (CWE-416) — How Memory Lifecycle Bugs Lead to Code Execution

Use-After-Free (CWE-416) is a memory corruption vulnerability class where a program continues to use memory after it has been freed. This SECMONS glossary entry explains how use-after-free bugs occur, why they are dangerous, how they are exploited, and how defenders should interpret related CVEs.

Vulnerability Management — Identifying, Prioritizing, and Remediating Security Weaknesses

Vulnerability Management is the continuous process of discovering, assessing, prioritizing, and remediating security weaknesses across systems and applications. This SECMONS glossary entry explains how vulnerability management works, how it differs from patch management, and how organizations reduce real-world risk.

Watering Hole Attack — Targeting Victims Through Trusted Websites

A watering hole attack is a targeted strategy where attackers compromise a website frequently visited by a specific group and use it to deliver exploits or malware. This SECMONS glossary entry explains how watering hole attacks work, how they differ from mass exploit kits, and how defenders can detect and mitigate them.

Web Shell — Malicious Server-Side Backdoor for Remote Control

A Web Shell is a malicious script deployed on a web server that allows attackers to execute commands remotely. This SECMONS glossary entry explains how web shells are deployed, why they are difficult to detect, and how defenders can identify and remove them.

Zero Trust — Security Model Based on Continuous Verification and Least Privilege

Zero Trust is a security model that assumes no user, device, or system is inherently trusted, even inside the network perimeter. This SECMONS glossary entry explains Zero Trust principles, architectural components, and how it reduces attack surface and lateral movement risk.

Zero-Day Vulnerability — What It Means, How It’s Used, and Why It’s High Risk

A zero-day vulnerability is a software flaw that is exploited before a patch is available or before the vendor is aware of it. This SECMONS glossary entry explains what qualifies as a zero-day, how it differs from n-day vulnerabilities, how zero-days are weaponized, and how defenders should respond.