Reference
Cybersecurity Glossary
Cybersecurity has its own vocabulary. This glossary defines the terms, acronyms, and concepts that security professionals, executives, board members, and auditors encounter in risk discussions, compliance reviews, vendor evaluations, and incident response. Entries are organized alphabetically with cross-references to related terms and deeper guides where available.
A
Access Control — The policies, procedures, and technical mechanisms that govern who can access which resources and under what conditions. Access control encompasses both authentication (verifying identity) and authorization (enforcing permissions). Effective access control follows the principle of least privilege — granting only the minimum access required to perform a function. See the full guide on identity and access management.
Advanced Persistent Threat (APT) — A prolonged, targeted cyberattack in which an adversary establishes a foothold in a network and maintains access over an extended period to steal data, conduct espionage, or prepare for a larger operation. APTs are typically associated with nation-state actors or sophisticated criminal groups. They differ from opportunistic attacks in their patience, resources, and specificity of targeting.
Annualized Loss Expectancy (ALE) — A quantitative risk metric that estimates the expected financial loss from a specific threat over one year. Calculated as the product of the Annualized Rate of Occurrence (ARO) and the Single Loss Expectancy (SLE): ALE = ARO × SLE. ALE enables comparison of security investment costs against the risk they mitigate; a control is worth its annual cost only if it reduces ALE by more than that cost. See the ALE calculator for worked examples.
Annualized Rate of Occurrence (ARO) — The estimated frequency at which a specific threat event is expected to occur in a one-year period. An ARO of 0.5 means the event is expected to occur once every two years. ARO is a key input to annualized loss expectancy calculations.
Application Security (AppSec) — The practice of finding, fixing, and preventing security vulnerabilities in software applications throughout the development lifecycle. AppSec includes secure code review, static and dynamic application security testing (SAST/DAST), software composition analysis (SCA), and developer security training. See application security best practices.
Asset — Any resource that has value to an organization and requires protection. Assets include hardware (servers, endpoints, network devices), software (applications, operating systems), data (customer records, intellectual property, financial data), and people (employees with critical knowledge or access). Asset identification and classification are the foundation of risk assessment.
Attack Surface — The sum of all points where an unauthorized user can attempt to enter or extract data from a system. Attack surfaces include exposed network services, web applications, APIs, email endpoints, physical access points, supply chain integrations, and human targets for social engineering. Reducing the attack surface is a fundamental security strategy. See attack surface management.
Attack Vector — The specific path or method an attacker uses to gain unauthorized access to a system. Common attack vectors include phishing emails, exploited software vulnerabilities, compromised credentials, malicious USB devices, and supply chain compromises. Understanding attack vectors informs both defensive controls and incident response planning.
Audit — A systematic, evidence-based examination of an organization’s security controls against a defined standard or baseline. Audits may be internal (conducted by the organization) or external (conducted by an accredited third party). See the complete guide on cybersecurity audits and IT compliance audits.
B
Backup — A copy of data stored separately from the primary system so that it can be restored in the event of data loss, corruption, or ransomware. Effective backup strategies follow the 3-2-1 rule: three copies of data, on two different media types, with one copy stored offsite or in the cloud. Backup integrity testing — actually restoring from backups — is critical and frequently neglected.
Blue Team — The defensive security team responsible for protecting an organization’s information systems. Blue team activities include monitoring for threats, responding to incidents, hardening systems, and improving detection capabilities. Blue teams work in opposition to red teams during adversarial exercises.
Breach — An incident in which unauthorized access to data is confirmed. A breach differs from a security incident in that data exposure or exfiltration has been verified, not merely suspected. Breach notification requirements vary by jurisdiction and regulation — GDPR requires notifying the supervisory authority within 72 hours of becoming aware of a personal data breach, while US state laws set their own deadlines and thresholds. The costs of a breach extend beyond remediation to include legal, regulatory, reputational, and operational impacts.
Business Continuity — The planning and processes that ensure critical business functions can continue during and after a disruptive event. Business continuity planning encompasses disaster recovery (restoring IT systems), crisis management (leadership coordination), and operational continuity (maintaining core business functions). See business continuity strategies.
Business Impact Analysis (BIA) — An assessment that identifies critical business processes, the resources they depend on, and the impact of disruption at various time intervals. BIA outputs — Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO) — drive disaster recovery planning and investment.
C
CASB (Cloud Access Security Broker) — A security enforcement point between cloud service users and cloud applications that enforces security policies for cloud access. CASBs provide visibility into cloud usage (including shadow IT), data loss prevention, threat protection, and compliance monitoring across SaaS, PaaS, and IaaS environments.
CIA Triad — The three foundational objectives of information security: Confidentiality (data is accessible only to authorized parties), Integrity (data is accurate and unaltered), and Availability (data and systems are accessible when needed). Every security control can be mapped to protecting one or more of these objectives.
CISO (Chief Information Security Officer) — The senior executive responsible for an organization’s information security strategy, risk management, and compliance. The CISO reports to the CEO, CTO, or board and is accountable for the security program, incident response, and regulatory compliance. Organizations that cannot justify a full-time CISO hire often engage a fractional CISO or virtual CISO. See also what does a CISO do and CSO vs CISO.
CMMC (Cybersecurity Maturity Model Certification) — A US Department of Defense framework that requires defense contractors to demonstrate cybersecurity practices at one of three levels. CMMC 2.0 aligns Level 2 with the 110 controls of NIST SP 800-171 and Level 3 with a subset of NIST SP 800-172. Level 1 is an annual self-assessment; Level 2 requires a triennial assessment by a certified third-party assessment organization (C3PAO) for most contracts handling Controlled Unclassified Information (CUI), with self-assessment permitted for a subset; Level 3 requires a government-led assessment. Contractors must achieve the level specified in the contract to be eligible for award.
Compliance — The state of meeting the requirements of a law, regulation, standard, or contractual obligation. In cybersecurity, compliance typically involves implementing prescribed security controls, documenting their operation, and demonstrating evidence during audits. Common compliance frameworks include SOC 2, ISO 27001, PCI-DSS, HIPAA, and CMMC. See cybersecurity compliance services and the SOC 2 compliance checklist.
Credential Stuffing — An attack that replays username/password pairs stolen in one breach against the login pages of other services, exploiting password reuse. Unlike a brute force attack, which hammers one account with many guesses, credential stuffing makes one or two attempts per account across thousands of accounts, usually from a rotating pool of proxy IPs, so it evades per-account lockout and has a far higher success rate per attempt. Defense relies on multi-factor authentication, screening passwords against known-breached corpora, rate limiting and bot detection, and alerting on a single source attempting many distinct usernames.
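Credential stuffing has a recognizable shape in authentication logs: one source trying many distinct accounts once or twice each, whereas brute force concentrates many attempts on one account. The following Python is added here as an example and is not part of the original glossary. It parses a constructed authentication log (hypothetical IPs and usernames), labels each source IP as credential stuffing, brute force, or normal from the attempts-per-account ratio, and lists the accounts whose leaked password actually worked and therefore need a forced reset. The thresholds are assumptions to tune against real volumes.

```python
from collections import defaultdict

# Constructed sample authentication log (hypothetical IPs and users, not real data).
# Format per line: timestamp  source_ip  username  outcome
SAMPLE_AUTH_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 bob FAIL
2024-05-01T10:00:03Z 203.0.113.7 carol OK
2024-05-01T10:00:04Z 203.0.113.7 dave FAIL
2024-05-01T10:00:05Z 203.0.113.7 erin FAIL
2024-05-01T10:00:06Z 203.0.113.7 frank FAIL
2024-05-01T10:00:07Z 203.0.113.7 grace FAIL
2024-05-01T10:00:08Z 203.0.113.7 heidi OK
2024-05-01T10:00:09Z 203.0.113.7 ivan FAIL
2024-05-01T10:00:10Z 203.0.113.7 judy FAIL
2024-05-01T10:01:00Z 198.51.100.23 admin FAIL
2024-05-01T10:01:01Z 198.51.100.23 admin FAIL
2024-05-01T10:01:02Z 198.51.100.23 admin FAIL
2024-05-01T10:01:03Z 198.51.100.23 admin FAIL
2024-05-01T10:01:04Z 198.51.100.23 admin FAIL
2024-05-01T10:01:05Z 198.51.100.23 admin FAIL
2024-05-01T10:01:06Z 198.51.100.23 admin FAIL
2024-05-01T10:01:07Z 198.51.100.23 admin FAIL
2024-05-01T10:01:08Z 198.51.100.23 admin FAIL
2024-05-01T10:01:09Z 198.51.100.23 admin FAIL
2024-05-01T10:02:00Z 192.0.2.5 alice FAIL
2024-05-01T10:02:20Z 192.0.2.5 alice OK
"""


def parse_auth_log(text):
    """Parse the whitespace-separated log into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, outcome = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "success": outcome == "OK"})
    return events


def classify_sources(events, min_attempts=8, max_attempts_per_user=2):
    """Label each source IP by its login pattern.

    Credential stuffing: many attempts spread over many distinct accounts, each
    account tried only once or twice, because the attacker already holds one
    leaked password per account. Brute force: many attempts concentrated on a
    few accounts. Anything under min_attempts is treated as normal traffic.
    The thresholds are illustrative assumptions.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "per_user": defaultdict(int), "successes": 0})
    for e in events:
        stats = per_ip[e["ip"]]
        stats["attempts"] += 1
        stats["per_user"][e["user"]] += 1
        stats["successes"] += e["success"]
    labels = {}
    for ip, stats in per_ip.items():
        if stats["attempts"] < min_attempts:
            label = "normal"
        elif max(stats["per_user"].values()) <= max_attempts_per_user:
            label = "credential_stuffing"
        else:
            label = "brute_force"
        labels[ip] = {
            "label": label,
            "attempts": stats["attempts"],
            "distinct_users": len(stats["per_user"]),
            "successes": stats["successes"],
        }
    return labels


def accounts_to_reset(events, labels):
    """Accounts that authenticated successfully from a stuffing source: the
    leaked password worked, so force a reset and enrol MFA for these users."""
    hits = {e["user"] for e in events
            if e["success"] and labels[e["ip"]]["label"] == "credential_stuffing"}
    return sorted(hits)


if __name__ == "__main__":
    evts = parse_auth_log(SAMPLE_AUTH_LOG)
    verdicts = classify_sources(evts)
    for ip, v in verdicts.items():
        print(ip, v)
    print("force reset:", accounts_to_reset(evts, verdicts))
```

Real campaigns spread attempts across proxy pools so that no single IP crosses a threshold; the same per-account-ratio test should therefore also be run over the whole population (distinct accounts failing per minute) and over ASN or user-agent groupings, not only per source IP.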
Cryptography — The practice of securing information by transforming it into an unreadable format using mathematical algorithms. Cryptography underpins encryption (data protection), digital signatures (authentication and integrity), hashing (data integrity verification), and key management. Modern cryptographic standards include AES-256 for symmetric encryption and RSA and elliptic-curve algorithms for key exchange and digital signatures.
Cyber Risk Quantification (CRQ) — The discipline of measuring cybersecurity risk in financial terms. CRQ methods produce dollar-denominated estimates of potential loss, enabling security investments to be evaluated against the risk they reduce. The FAIR model is the most widely adopted CRQ framework. See what is cyber risk quantification, CRQ tools comparison, and FAIR vs Monte Carlo.
D
Data Classification — The process of categorizing data based on its sensitivity and the impact of unauthorized disclosure. Common classification levels include Public, Internal, Confidential, and Restricted. Classification drives security control requirements — restricted data requires encryption at rest and in transit, access logging, and stricter retention policies than public data.
Data Loss Prevention (DLP) — Technologies and processes that prevent sensitive data from being transmitted outside the organization without authorization. DLP systems monitor email, web traffic, cloud uploads, USB transfers, and print operations for patterns matching classified data (credit card numbers, SSNs, intellectual property). DLP is a key component of data protection strategy.
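A DLP rule for card numbers shows why pattern matching alone is noisy. The following Python is an added example, not tooling from this page: it finds 13 to 19 digit candidates in a constructed outbound email, keeps only those that pass the Luhn check digit test that payment card numbers carry, and masks the survivors to first six and last four digits. The two card numbers are the standard published test numbers; the order and tracking numbers are made up.

```python
import re

# Candidate primary account numbers: 13 to 19 digits, optionally separated by
# single spaces or dashes, and not embedded in a longer digit run.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Constructed outbound email. The card numbers are the well-known Visa and
# Mastercard test numbers; the order and tracking numbers are invented.
SAMPLE_OUTBOUND_EMAIL = """\
Hi, please process the refund to card 4111 1111 1111 1111 (exp 12/26)
and the second card 5500-0000-0000-0004 for the same customer.
Order 1234567890123456 and tracking 9876543210987654 are attached.
"""


def luhn_valid(digits: str) -> bool:
    """Luhn check digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pans(text: str) -> dict:
    """Return the regex candidates and the subset that pass Luhn.

    The regex alone flags order numbers, tracking numbers and other long digit
    strings; Luhn validation removes roughly nine in ten of those false
    positives, since a random digit string passes only 10% of the time.
    """
    candidates, validated = [], []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        candidates.append(digits)
        if luhn_valid(digits):
            validated.append(digits)
    return {"candidates": candidates, "validated": validated}


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the maximum PCI DSS allows to be displayed."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


if __name__ == "__main__":
    result = scan_for_pans(SAMPLE_OUTBOUND_EMAIL)
    print("regex candidates:", len(result["candidates"]))
    print("Luhn-valid PANs: ", [mask_pan(p) for p in result["validated"]])
```

In production the validated matches would additionally be checked against issuer identification number ranges and combined with context (nearby words such as "card", "exp", "CVV") before blocking, since a Luhn-valid 16-digit number can still be a coincidence.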
Data Security Posture Management (DSPM) — A category of security tools that discovers and classifies sensitive data across cloud environments, identifies misconfigurations and excessive permissions, and monitors data access patterns. DSPM answers the question: where is our sensitive data, who can access it, and is it properly protected. See what is DSPM and best DSPM tools.
Defense in Depth — A security strategy that layers multiple defensive controls so that if one control fails, others continue to provide protection. Layers typically include network security (firewalls, segmentation), endpoint protection (EDR, antivirus), application security (WAF, input validation), identity security (MFA, least privilege), data security (encryption, DLP), and operational security (monitoring, incident response).
Denial of Service (DoS) / Distributed Denial of Service (DDoS) — An attack that overwhelms a system, network, or application with traffic or requests, making it unavailable to legitimate users. DDoS attacks use multiple compromised systems (botnets) to amplify the attack volume. Mitigation strategies include traffic filtering, rate limiting, content delivery networks, and DDoS protection services.
Disaster Recovery (DR) — The processes and technologies for restoring IT systems and data after a disruptive event. Disaster recovery planning defines Recovery Time Objectives (how quickly systems must be restored) and Recovery Point Objectives (how much data loss is acceptable). See business continuity and disaster recovery and disaster recovery plan template.
E
EDR (Endpoint Detection and Response) — Security technology deployed on endpoints (laptops, servers, workstations) that continuously monitors for suspicious activity, detects threats, and enables response actions including isolation, remediation, and forensic investigation. EDR goes beyond traditional antivirus by detecting behavioral anomalies and providing investigation capabilities. EDR is a core component of a modern managed detection and response service.
Encryption — The process of converting data into an unreadable format (ciphertext) using a cryptographic algorithm and key, so that only authorized parties with the correct decryption key can read it. Encryption at rest protects stored data (databases, file systems, backups). Encryption in transit protects data moving across networks (TLS, VPN). Both are typically required by compliance frameworks. Encryption at rest defends against theft or improper disposal of the storage medium; it does not protect data from an attacker who compromises a host or service that holds the key, which is why key management matters.
Exploit — Code, a technique, or a sequence of commands that takes advantage of a vulnerability to achieve an unauthorized outcome — remote code execution, privilege escalation, data access, or denial of service. An exploit may target a publicly disclosed vulnerability (one with a CVE identifier, often with proof-of-concept code circulating) or a zero-day (a vulnerability unknown to the vendor). The time between exploit availability and patch deployment is the window of maximum risk.
F
FAIR (Factor Analysis of Information Risk) — An Open Group standard (Open FAIR) for cyber risk quantification that decomposes risk into measurable factors: loss event frequency (threat event frequency combined with vulnerability, the probability that a threat event becomes a loss event given threat capability against resistance strength) and loss magnitude (primary and secondary losses). FAIR produces probability distributions of financial exposure, typically by Monte Carlo simulation over calibrated range estimates, rather than ordinal risk ratings. See FAIR vs Monte Carlo.
Firewall — A network security device or software that monitors and controls incoming and outgoing network traffic based on predetermined security rules. Firewalls establish a barrier between trusted internal networks and untrusted external networks. Types include packet-filtering firewalls, stateful inspection firewalls, next-generation firewalls (NGFW) with deep packet inspection, and web application firewalls (WAF).
Forensics — The practice of collecting, preserving, analyzing, and presenting digital evidence in a manner that is legally admissible. Digital forensics is applied during incident response to determine what happened, how it happened, what was affected, and who was responsible. Forensic procedures maintain chain of custody and evidence integrity.
G
Gap Analysis — An assessment that compares an organization’s current security posture against a target state (a framework, standard, or maturity level) and identifies the gaps that must be closed. Gap analysis is typically the first step before a compliance initiative or security program build-out. See cybersecurity gap analysis.
Governance — The framework of policies, standards, roles, and accountability structures that direct and control an organization’s cybersecurity program. Governance defines who makes security decisions, how risk is managed at the executive and board level, and how the security program aligns with business objectives. See cybersecurity governance and GRC.
GRC (Governance, Risk, and Compliance) — The integrated approach to managing governance, risk management, and compliance activities. In cybersecurity, GRC encompasses policy management, risk assessment, compliance tracking, audit management, and reporting. See cybersecurity GRC and best GRC tools.
H
Hardening — The process of reducing a system’s attack surface by removing unnecessary services, applying security configurations, patching known vulnerabilities, and enforcing access controls. Hardening benchmarks from organizations like CIS (Center for Internet Security) provide detailed configuration checklists for operating systems, databases, cloud services, and network devices.
Hash / Hashing — A one-way mathematical function that converts input data into a fixed-length string (hash value or digest). Hashing is used for data integrity verification (detecting file tampering), digital signatures (signing the digest rather than the whole message), and password storage (storing hashes instead of plaintext passwords). SHA-256 is the common choice for integrity and signatures. Passwords need a different class of function: a slow, salted password hashing algorithm such as bcrypt, scrypt, Argon2, or PBKDF2, because a fast unsalted hash lets an attacker who steals the database test billions of guesses per second and look up common passwords in precomputed tables. Unlike encryption, hashing uses no key and is not designed to be reversed.
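The integrity and password uses call for different functions. The following Python is added here as an example rather than code from the page: it computes a SHA-256 digest for file integrity, shows an unsalted fast hash of a password (the anti-pattern), and stores and verifies a password with a random per-user salt and PBKDF2-HMAC-SHA256 from the standard library, comparing in constant time. The storage string format is this example's own; the iteration count follows the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

# OWASP Password Storage Cheat Sheet recommendation for PBKDF2-HMAC-SHA256.
# Raise it over time as hardware gets faster.
PBKDF2_ITERATIONS = 600_000


def file_digest(data: bytes) -> str:
    """Integrity use: a fast hash is exactly right. Store the digest alongside a
    backup or release artifact and recompute it to detect tampering."""
    return hashlib.sha256(data).hexdigest()


def naive_password_hash(password: str) -> str:
    """What NOT to do for passwords: unsalted and fast. Equal passwords produce
    equal digests for every user, and the digest can be looked up in
    precomputed tables or brute-forced at billions of guesses per second."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Password use: random per-user salt plus a deliberately slow KDF.
    Output format (this example's own, not a standard):
    pbkdf2_sha256$<iterations>$<salt hex>$<derived key hex>"""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so response timing does not leak how many bytes matched."""
    try:
        scheme, iterations, salt_hex, dk_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


if __name__ == "__main__":
    print("sha256(b'abc') =", file_digest(b"abc"))
    # Two users with the same password: identical naive digests, distinct salted ones.
    print(naive_password_hash("correct horse") == naive_password_hash("correct horse"))
    stored = hash_password("correct horse")
    print(stored)
    print(verify_password("correct horse", stored), verify_password("wrong horse", stored))
```

Storing the iteration count in the record is what lets the count be raised later: on a successful login with an old count, rehash and overwrite the record.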
HIPAA (Health Insurance Portability and Accountability Act) — US federal law that establishes requirements for protecting the privacy and security of protected health information (PHI). The HIPAA Security Rule requires covered entities and business associates to implement administrative, physical, and technical safeguards. Violations carry civil penalties up to $2.1 million per violation category per year.
Honeypot — A decoy system or resource designed to attract attackers, detect unauthorized access attempts, and gather intelligence about attack methods. Honeypots appear to be legitimate targets but are isolated, monitored, and contain no real data. They serve as early warning systems and intelligence-gathering tools.
I
IAM (Identity and Access Management) — The framework of policies, processes, and technologies that manages digital identities and controls access to resources. IAM encompasses user provisioning, authentication, authorization, single sign-on (SSO), multi-factor authentication, privileged access management, and identity governance. See the full guide on identity and access management.
Incident — An event that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information it processes. Not all events are incidents — an incident implies a violation or imminent threat of violation of security policies. Incident severity classification drives the urgency and scope of response.
Incident Response (IR) — The structured process for detecting, containing, eradicating, and recovering from security incidents. Incident response follows defined phases: preparation, detection and analysis, containment, eradication, recovery, and post-incident review. See security incident management and incident response plan template.
Indicator of Compromise (IoC) — Observable artifacts that indicate a system has been compromised or is under attack. IoCs include malicious IP addresses, file hashes of known malware, suspicious registry modifications, unusual outbound network traffic, and anomalous user account activity. Security teams use IoCs to detect breaches and hunt for threats.
Information Security Policy — A formal document that defines an organization’s approach to protecting information assets. The policy establishes the scope of the security program, roles and responsibilities, acceptable use requirements, data classification standards, and consequences for policy violations. See information security policy guide and cybersecurity policy template.
Insider Threat — A security risk originating from within the organization — employees, contractors, or business partners who have authorized access to systems and data. Insider threats may be malicious (intentional theft or sabotage), negligent (accidental data exposure), or compromised (credentials stolen by an external attacker). See insider threat indicators.
ISO 27001 — The international standard for information security management systems (ISMS). ISO 27001 provides a systematic approach to managing sensitive information through risk assessment, control implementation, and continuous improvement. Certification requires a formal audit by an accredited certification body. See ISO 27001 requirements.
K
Key Management — The processes and infrastructure for generating, distributing, storing, rotating, and destroying cryptographic keys. Poor key management undermines even strong encryption — if keys are stored alongside encrypted data, compromised through weak access controls, or never rotated, the encryption provides no real protection.
Kill Chain — A model describing the stages of a cyberattack from initial reconnaissance through objective completion. The Lockheed Martin Cyber Kill Chain defines seven stages: reconnaissance, weaponization, delivery, exploitation, installation, command and control, and actions on objectives. Understanding the kill chain informs defensive strategies — disrupting any stage breaks the attack.
KPI (Key Performance Indicator) — A measurable value that demonstrates how effectively a security program is achieving its objectives. Security KPIs include mean time to detect (MTTD), mean time to respond (MTTR), patch compliance rate, phishing simulation failure rate, and security training completion rate. See cybersecurity KPIs.
L
Lateral Movement — The techniques an attacker uses to move through a network after gaining initial access, progressively accessing additional systems and escalating privileges to reach high-value targets. Lateral movement is a hallmark of advanced persistent threats and is the phase where the attacker expands from initial foothold to critical assets, most often by reusing credentials harvested from the first compromised host. Zero trust architecture, micro-segmentation, and privileged credential hygiene (no shared local administrator passwords, tiered admin accounts) are primary defenses.
Least Privilege — The principle that users, applications, and systems should be granted only the minimum level of access required to perform their functions. Least privilege limits the blast radius of compromised accounts, reduces insider threat risk, and is a foundational requirement of zero trust architecture and most compliance frameworks.
Log Management — The collection, storage, normalization, and analysis of log data from across the IT environment. Logs from firewalls, servers, applications, identity systems, and cloud services provide the raw data for threat detection, incident investigation, and compliance evidence. Effective log management requires centralized storage, retention policies aligned with compliance requirements, and integration with SIEM platforms.
M
Malware — Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Categories include viruses (self-replicating code), worms (self-propagating across networks), trojans (disguised as legitimate software), ransomware (encrypts data for extortion), spyware (monitors user activity), and rootkits (hides malicious presence).
MDR (Managed Detection and Response) — An outsourced security service that provides threat monitoring, detection, investigation, and response capabilities. MDR combines technology (EDR, SIEM, SOAR) with human analysts who investigate alerts, hunt for threats, and coordinate incident response. MDR is the operational layer that converts security tooling into security outcomes. See managed detection and response.
MFA (Multi-Factor Authentication) — An authentication method that requires users to provide two or more independent verification factors: something they know (password), something they have (phone, hardware token), or something they are (biometric). MFA is among the most effective controls against credential-based attacks such as credential stuffing and password spraying, but the factors are not equal: FIDO2/WebAuthn hardware keys and passkeys are phishing-resistant because the credential is bound to the site's origin; authenticator apps and push notifications can be defeated by real-time phishing proxies and push fatigue; SMS codes are the weakest because of SIM swapping and interception.
Micro-Segmentation — A network security technique that divides the network into isolated segments, each with its own access controls. Micro-segmentation limits lateral movement by requiring authentication and authorization for traffic between segments, even within the same data center. It is a core implementation pattern for zero trust architecture.
MITRE ATT&CK — A globally accessible knowledge base of adversary tactics, techniques, and procedures (TTPs) based on real-world observations. ATT&CK provides a common language for describing attacker behavior and is used to evaluate detection coverage, plan red team exercises, and assess security tool effectiveness. The framework covers enterprise, mobile, and ICS environments.
N
NIST (National Institute of Standards and Technology) — A US federal agency that develops cybersecurity standards and guidelines. Key NIST publications include the Cybersecurity Framework (CSF), SP 800-53 (security and privacy controls), SP 800-171 (protecting CUI), and SP 800-63 (digital identity guidelines). See NIST compliance.
NIST Cybersecurity Framework (CSF) — A voluntary framework of standards, guidelines, and best practices organized around six core functions: Govern, Identify, Protect, Detect, Respond, and Recover. Govern was added in CSF 2.0 (published February 2024); CSF 1.1 had the other five. The framework is widely adopted across industries and is the basis for many organizations’ security program structure. See the guide on cybersecurity risk management framework.
O
OWASP (Open Worldwide Application Security Project) — A nonprofit organization that produces freely available resources for web application security. The OWASP Top 10 — a regularly updated list of the most critical web application security risks — is the most widely referenced application security awareness document; OWASP's Application Security Verification Standard (ASVS) is the companion standard of testable requirements. The 2021 Top 10 includes broken access control, cryptographic failures, injection, insecure design, and security misconfiguration.
P
Patch Management — The process of identifying, testing, and deploying software updates (patches) to fix known vulnerabilities. Effective patch management requires asset inventory, vulnerability prioritization (by exploitability and business impact), testing procedures, deployment automation, and exception tracking. Mean time to patch is a key cybersecurity KPI.
PCI-DSS (Payment Card Industry Data Security Standard) — A set of security requirements for organizations that store, process, or transmit payment card data. PCI-DSS defines 12 requirement categories covering network security, access control, vulnerability management, encryption, monitoring, and security policy. Compliance is validated annually, by self-assessment questionnaire (SAQ) or by a Qualified Security Assessor (QSA) producing a Report on Compliance depending on transaction volume, plus quarterly external vulnerability scans by an Approved Scanning Vendor (ASV). See PCI audit.
Penetration Testing (Pentest) — An authorized simulated cyberattack conducted to evaluate the security of a system, network, or application. Penetration testers (ethical hackers) use the same tools and techniques as real attackers to identify vulnerabilities that could be exploited. Pentest results inform remediation priorities and validate that security controls work as intended.
Phishing — A social engineering attack that uses fraudulent emails, messages, or websites to trick recipients into revealing credentials, installing malware, or transferring funds. Variants include spear phishing (targeted at specific individuals), whaling (targeting executives), vishing (voice phishing), and smishing (SMS phishing). Phishing is consistently among the most common initial access vectors reported in breach studies.
Privileged Access Management (PAM) — The security controls and technologies that manage, monitor, and audit access for privileged accounts — those with elevated permissions to critical systems, databases, and infrastructure. PAM includes credential vaulting (storing privileged passwords in encrypted vaults), session recording, just-in-time access provisioning, and privilege elevation controls.
R
Ransomware — Malware that encrypts an organization’s data and demands payment (ransom) for the decryption key. Modern ransomware operations often involve double extortion (threatening to publish stolen data) and triple extortion (attacking the victim’s customers or partners). Defense requires layered controls including immutable or offline backups (operators typically locate and destroy backups before encrypting), network segmentation, endpoint detection, and incident response planning.
Red Team — An authorized group of security professionals who simulate real-world adversary tactics, techniques, and procedures to test an organization’s defensive capabilities. Unlike penetration testing (which focuses on finding vulnerabilities), red teaming evaluates the effectiveness of detection, response, and resilience capabilities. Red team exercises are conducted against blue teams.
Residual Risk — The risk that remains after security controls have been implemented. No control eliminates risk entirely — residual risk is the exposure an organization accepts after applying its security measures. Residual risk should be formally documented, accepted by appropriate management, and monitored. When residual risk exceeds risk appetite, additional controls are needed.
Risk Appetite — The level of risk an organization is willing to accept in pursuit of its business objectives. Risk appetite is set by executive leadership and the board and expressed as a boundary — we accept up to X dollars of potential loss, or we will not accept risks above Y probability. Risk appetite guides investment decisions, control implementation, and risk acceptance.
Risk Assessment — The process of identifying threats, evaluating vulnerabilities, estimating the likelihood and impact of adverse events, and prioritizing risks for treatment. Risk assessments may be qualitative (using ordinal scales), quantitative (using financial models), or hybrid. See cybersecurity risk assessment, security risk assessment, and the risk assessment checklist.
Risk Register — A structured record of identified risks, their assessed likelihood and impact, assigned risk owners, current controls, treatment plans, and status. The risk register is the central artifact of a risk management framework and is reviewed regularly by security leadership and the board.
S
SASE (Secure Access Service Edge) — A cloud-delivered architecture that converges networking (SD-WAN) and security (CASB, SWG, ZTNA, FWaaS) into a single service. SASE provides secure, direct-to-cloud connectivity for distributed workforces without routing traffic through a central data center.
SIEM (Security Information and Event Management) — A platform that collects, aggregates, correlates, and analyzes log and event data from across the IT environment to detect security threats. SIEM systems generate alerts based on correlation rules, behavioral analytics, and threat intelligence. SIEM is the foundational technology for security operations centers. See also SOC as a service.
Single Loss Expectancy (SLE) — The estimated financial loss from a single occurrence of a specific threat event. SLE is calculated by multiplying the asset value by the exposure factor (the percentage of the asset lost). SLE is used in annualized loss expectancy calculations for cyber risk quantification.
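The ALE, ARO, SLE and FAIR entries describe two ways of quantifying the same risk: a point estimate (SLE × ARO) and a distribution. The following Python is an added example and is not the page's ALE calculator. It computes SLE, ALE and return on security investment for a constructed scenario, then runs a FAIR-style Monte Carlo over minimum/most-likely/maximum estimates of loss event frequency and loss magnitude to show what the point estimate hides: the median year, the 95th percentile year, and the share of years with no loss at all. All dollar figures and ranges are illustrative assumptions, and triangular sampling is a simplification of the PERT distributions FAIR tooling typically uses.

```python
import math
import random
import statistics


def single_loss_expectancy(asset_value: float, exposure_factor: float) -> float:
    """SLE = asset value x exposure factor (fraction of the asset lost per event)."""
    return asset_value * exposure_factor


def annualized_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE: expected loss per year from one threat scenario."""
    return aro * sle


def return_on_security_investment(ale_before: float, ale_after: float,
                                  annual_control_cost: float) -> float:
    """ROSI = (risk reduction - control cost) / control cost.
    Positive means the control removes more expected loss than it costs."""
    return (ale_before - ale_after - annual_control_cost) / annual_control_cost


def _poisson(rng: random.Random, rate: float) -> int:
    """Knuth's algorithm: number of loss events in one year at the given rate."""
    threshold = math.exp(-rate)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def _percentile(sorted_values, q: float) -> float:
    return sorted_values[min(len(sorted_values) - 1, int(q * len(sorted_values)))]


def simulate_annual_loss(lef, loss_magnitude, years: int = 20_000, seed: int = 7) -> dict:
    """FAIR-style Monte Carlo.

    lef and loss_magnitude are (minimum, most likely, maximum) estimates for
    loss event frequency per year and loss per event. Each year draws a rate
    from a triangular distribution, an event count from Poisson(rate), and a
    triangular loss for each event; the year's loss is the sum. Returns summary
    statistics of the simulated annual-loss distribution.
    """
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        rate = rng.triangular(lef[0], lef[2], lef[1])        # (low, high, mode)
        n_events = _poisson(rng, rate)
        annual.append(sum(rng.triangular(loss_magnitude[0], loss_magnitude[2], loss_magnitude[1])
                          for _ in range(n_events)))
    annual.sort()
    return {
        "mean": statistics.fmean(annual),
        "p50": _percentile(annual, 0.50),
        "p95": _percentile(annual, 0.95),
        "share_of_years_with_no_loss": annual.count(0) / years,
    }


if __name__ == "__main__":
    # Constructed scenario (illustrative figures): a disruptive event against a
    # $2M system that destroys a quarter of its value, expected once every two years.
    sle = single_loss_expectancy(2_000_000, 0.25)      # 500,000 per event
    ale = annualized_loss_expectancy(0.5, sle)         # 250,000 per year
    ale_with_control = annualized_loss_expectancy(0.1, sle)   # control cuts ARO to 0.1
    rosi = return_on_security_investment(ale, ale_with_control, annual_control_cost=60_000)
    print(f"SLE {sle:,.0f}  ALE {ale:,.0f}  ROSI {rosi:.2f}")
    dist = simulate_annual_loss(lef=(0.1, 0.5, 2.0), loss_magnitude=(50_000, 200_000, 1_000_000))
    for name, value in dist.items():
        print(f"{name}: {value:,.2f}")
```

The simulated mean lands close to the analytic expectation (mean frequency times mean magnitude), but the median year is well below it and the 95th percentile well above, which is the information a board needs to size insurance and reserves that a single ALE figure cannot provide.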
SOAR (Security Orchestration, Automation, and Response) — Technology that automates and orchestrates security operations workflows — enriching alerts with threat intelligence, executing containment playbooks, and coordinating response actions across multiple security tools. SOAR reduces mean time to respond and enables security teams to handle higher alert volumes without proportional headcount increases.
SOC (Security Operations Center) — The centralized function responsible for continuous monitoring, detection, and response to cybersecurity threats. A SOC combines people (analysts), processes (triage and escalation procedures), and technology (SIEM, EDR, SOAR) to provide 24/7 security monitoring. See SOC as a service and SOC reports.
SOC 2 — An audit framework developed by the AICPA that evaluates an organization’s controls relevant to security, availability, processing integrity, confidentiality, and privacy. SOC 2 Type I reports assess control design at a point in time. SOC 2 Type II reports assess operating effectiveness over a period (typically 6-12 months). See SOC 2 compliance checklist.
Social Engineering — Psychological manipulation techniques used to trick people into revealing confidential information, granting access, or performing actions that compromise security. Social engineering exploits human psychology — trust, urgency, authority, fear — rather than technical vulnerabilities. Phishing is the most common form, but social engineering also includes pretexting, baiting, tailgating, and quid pro quo attacks.
Supply Chain Security — The practices and controls that protect against threats originating from third-party vendors, software suppliers, and service providers. Supply chain attacks compromise a trusted supplier to gain access to the supplier’s customers. Defense requires vendor risk assessment, software bill of materials (SBOM) management, and continuous monitoring of third-party risk. See supply chain security.
T
Tabletop Exercise — A discussion-based exercise in which participants walk through a simulated security incident scenario to evaluate response procedures, decision-making processes, and communication protocols. Tabletop exercises test plans and people, not technology. They identify gaps in incident response plans, unclear roles, and coordination failures before a real incident occurs. See cybersecurity tabletop exercises.
Threat Actor — An individual or group that poses a cybersecurity threat. Threat actor categories include nation-state actors (espionage, disruption), cybercriminal organizations (financial gain), hacktivists (ideological motivation), insider threats (employees or contractors), and script kiddies (unskilled attackers using available tools). Understanding threat actors informs risk assessment and threat hunting.
Threat Intelligence — Information about current and emerging cyber threats, including threat actor tactics, techniques, and procedures (TTPs), indicators of compromise (IoCs), and vulnerability exploits. Threat intelligence is consumed at strategic (executive decision-making), tactical (security operations), and operational (incident response) levels.
Threat Modeling — A structured approach to identifying and prioritizing potential threats to a system by analyzing its architecture, data flows, trust boundaries, and entry points. Common methodologies include STRIDE (Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, Elevation of Privilege) and PASTA (Process for Attack Simulation and Threat Analysis).
V
Vulnerability — A weakness in a system, application, process, or configuration that could be exploited by a threat actor. Vulnerabilities arise from software defects (coding errors), misconfigurations (default credentials, open ports), design flaws (insecure architecture), and human factors (lack of training). See vulnerability management lifecycle and risk-based vulnerability management.
Vulnerability Management — The continuous process of identifying, classifying, prioritizing, remediating, and monitoring security vulnerabilities across an organization’s IT environment. Effective vulnerability management goes beyond patching — it includes risk-based prioritization (which vulnerabilities to fix first based on exploitability and business impact), exception management, and metrics tracking. See vulnerability management lifecycle.
Vulnerability Scanning — Automated testing that identifies known vulnerabilities in systems, applications, and configurations by comparing the environment against databases of known issues (CVE databases, vendor advisories). Vulnerability scanners produce reports listing found vulnerabilities with severity ratings (typically CVSS scores). A CVSS base score measures technical severity, not the likelihood that a flaw is actually being exploited or what the affected asset is worth, so scan output is one input to the broader vulnerability management process rather than the remediation queue itself.
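Risk-based prioritization as described in the vulnerability management and scanning entries, as an added Python example (not a tool from this page): each constructed finding carries a CVSS base score, an EPSS probability, a flag for appearing on a known-exploited list such as CISA KEV, an asset criticality and an internet-exposure flag. A combined score reorders the queue so that a lower-CVSS, actively exploited flaw on an internet-facing payment system outranks a 9.8 on an isolated dev box, assigns an SLA band, and computes patch compliance as of a date. The weights, SLA bands, finding ids and dates are illustrative assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional


@dataclass
class Finding:
    id: str                  # internal tracking id (constructed; not a CVE id)
    cvss: float              # CVSS base score, 0..10
    epss: float              # EPSS: estimated probability of exploitation within 30 days, 0..1
    known_exploited: bool    # listed on a known-exploited catalogue such as CISA KEV
    asset: str
    criticality: int         # business criticality of the asset, 1 (low) .. 4 (critical)
    internet_facing: bool
    discovered: date
    remediated: Optional[date] = None


# Constructed findings. CVSS-only ordering would be dev-box-rce, hr-portal,
# payment-api, file-server; the risk-based score below reorders them.
SAMPLE_FINDINGS = [
    Finding("dev-box-rce", 9.8, 0.02, False, "dev-box-17", 1, False, date(2024, 2, 1)),
    Finding("payment-api-auth-bypass", 7.5, 0.90, True, "payment-api", 4, True,
            date(2024, 4, 1), remediated=date(2024, 4, 5)),
    Finding("hr-portal-deserialization", 8.8, 0.30, False, "hr-portal", 3, True,
            date(2024, 3, 1), remediated=date(2024, 4, 15)),
    Finding("file-server-info-leak", 5.3, 0.01, False, "file-server-02", 2, False, date(2024, 1, 1)),
]


def priority_score(f: Finding) -> float:
    """0..100 score combining severity, exploitation likelihood, asset impact and
    exposure. The weights are an illustrative assumption, not a standard."""
    severity = f.cvss / 10.0
    likelihood = 1.0 if f.known_exploited else 0.2 + 0.8 * f.epss
    impact = f.criticality / 4.0
    exposure = 1.0 if f.internet_facing else 0.5
    return round(100.0 * severity * likelihood * impact * exposure, 1)


# Remediation SLA per score band (example policy): (minimum score, days to fix).
SLA_BANDS = [(50.0, 7), (20.0, 30), (5.0, 90), (0.0, 180)]


def sla_days(score: float) -> int:
    for threshold, days in SLA_BANDS:
        if score >= threshold:
            return days
    return SLA_BANDS[-1][1]


def prioritize(findings) -> list:
    """Finding ids ordered from most to least urgent."""
    return [f.id for f in sorted(findings, key=priority_score, reverse=True)]


def patch_compliance_rate(findings, as_of: date) -> float:
    """closed-within-SLA / (closed + open-and-overdue). Open findings still
    inside their SLA window count neither way."""
    in_sla = 0
    measured = 0
    for f in findings:
        due = f.discovered + timedelta(days=sla_days(priority_score(f)))
        if f.remediated is not None:
            measured += 1
            in_sla += f.remediated <= due
        elif as_of > due:
            measured += 1
    return in_sla / measured if measured else 1.0


if __name__ == "__main__":
    for f in sorted(SAMPLE_FINDINGS, key=priority_score, reverse=True):
        s = priority_score(f)
        print(f"{f.id:28} cvss={f.cvss:4} score={s:5} sla={sla_days(s)}d")
    print("patch compliance as of 2024-05-01:",
          patch_compliance_rate(SAMPLE_FINDINGS, date(2024, 5, 1)))
```

Whatever the weights, the decision they should force is the same: exploitation evidence and asset context move a finding up or down the queue, and the SLA clock starts at discovery, so a backlog of low-scored findings on critical assets still becomes visible as overdue.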
Z
Zero-Day — A vulnerability that is unknown to the software vendor and for which no patch exists. Zero-day exploits are particularly dangerous because there is no specific defense available until the vendor issues a patch. Defense against zero-days relies on behavioral detection (EDR, network anomaly detection), application allowlisting, least privilege, and network segmentation, which limit what an exploit can do even when the initial compromise cannot be prevented.
Zero Trust — A security model based on the principle that no user, device, or network connection should be implicitly trusted. Zero trust requires continuous verification of identity and authorization, micro-segmentation of networks, least-privilege access, and comprehensive monitoring. The model assumes breach — that attackers may already be inside the network — and designs controls accordingly. See zero trust architecture.
Questions & answers
What are the most important cybersecurity terms to know?
What is the difference between a threat, a vulnerability, and a risk?
What does zero trust mean in cybersecurity?
What is the difference between authentication and authorization?
What is cyber risk quantification?
What is the difference between a SOC and a SIEM?
Ready to turn this into a working plan?
Nick's team helps growth-stage companies, PE/VC sponsors, and cybersecurity product teams translate security questions into board-ready decisions. First call is strategy, not vendor pitch.