- Symmetric encryption
- Encryption using one shared secret key for both encrypting and decrypting — fast, ideal for bulk data (e.g., AES); the challenge is securely distributing the key.
- Asymmetric encryption
- Encryption using a public/private key pair (e.g., RSA, ECC) — solves key exchange and enables digital signatures, but is slower than symmetric.
- AES (Advanced Encryption Standard)
- The modern, widely trusted symmetric block cipher used for bulk data encryption; supports 128-, 192-, and 256-bit keys.
- RSA
- A widely used asymmetric algorithm based on the difficulty of factoring large numbers; used for key exchange and digital signatures.
- Elliptic Curve Cryptography (ECC)
- Asymmetric cryptography that delivers equivalent strength to RSA with much shorter keys — efficient for mobile and constrained devices.
- Diffie-Hellman
- A key-exchange algorithm that lets two parties derive a shared secret over an insecure channel; the ephemeral variant (DHE/ECDHE) provides forward secrecy.
- Cryptographic hash function
- A one-way function mapping input of any size to a fixed-length, irreversible digest (e.g., SHA-256) — provides integrity, not confidentiality.
- SHA-256
- A secure 256-bit cryptographic hash from the SHA-2 family, used for integrity verification and digital signatures.
- HMAC
- Hash-based Message Authentication Code — a hash combined with a secret key to provide both integrity and authenticity of a message.
- Digital signature
- A value created with a sender's private key that proves authenticity, integrity, and non-repudiation; verified with the sender's public key.
- Non-repudiation
- Assurance that a party cannot deny having performed an action — provided cryptographically by digital signatures.
- Salt
- Random data added to a password before hashing so identical passwords produce different hashes, defeating precomputed (rainbow-table) attacks.
- Key stretching
- Deliberately slow password hashing (bcrypt, PBKDF2, Argon2) that increases the cost of brute-force attacks.
- Public Key Infrastructure (PKI)
- The framework of CAs, RAs, and policies that creates, distributes, validates, and revokes digital certificates binding identities to public keys.
- Certificate Authority (CA)
- The trusted entity in a PKI that signs and issues digital certificates and can revoke them.
- Registration Authority (RA)
- The PKI entity that verifies a requester's identity before the CA issues a certificate.
- Digital certificate (X.509)
- A document binding a verified identity to a public key, signed by a CA so relying parties can trust the key.
- Certificate Revocation List (CRL)
- A published list of certificates a CA has revoked before their natural expiry.
- OCSP
- Online Certificate Status Protocol — a real-time query to check whether a single certificate has been revoked, instead of downloading a full CRL.
- Root of trust
- A trusted anchor (e.g., a root CA or hardware module) from which a chain of trust is built.
- Hardware Security Module (HSM)
- A tamper-resistant device that generates, stores, and uses cryptographic keys inside a hardened boundary; keys never leave in plaintext.
- Trusted Platform Module (TPM)
- A chip embedded in a host for secure boot integrity measurement and hardware-backed key storage.
- Key escrow
- Storing a recoverable copy of cryptographic keys with a trusted third party for business continuity or legal access.
- Perfect forward secrecy (PFS)
- Use of ephemeral session keys so that compromise of a long-term private key cannot decrypt previously recorded sessions.
- TLS (Transport Layer Security)
- The protocol that secures data in transit (e.g., HTTPS) using a hybrid of asymmetric key exchange and symmetric encryption.
- SSH (Secure Shell)
- A protocol providing an encrypted channel for remote login and command execution.
- SFTP
- SSH File Transfer Protocol — secure file transfer running over an SSH-encrypted channel.
- IPsec
- A protocol suite that authenticates and encrypts IP traffic, commonly used to build VPN tunnels.
- Post-quantum cryptography (PQC)
- Algorithms designed to resist attacks by large quantum computers, which could break today's RSA and elliptic-curve cryptography.
- Crypto-agility
- Designing systems so cryptographic algorithms can be swapped out without re-architecting — essential for the post-quantum transition.
- “Harvest now, decrypt later”
- The threat of an adversary recording encrypted traffic today to decrypt it once quantum computers mature.
- Homomorphic encryption
- Encryption that allows computation on ciphertext without decrypting it, so data stays protected during processing.
- Brute-force attack
- An attack that tries every possible key or password until the correct one is found; defeated by large key spaces and key stretching.
- Collision (hashing)
- When two different inputs produce the same hash output; resistance to collisions is why MD5 and SHA-1 are deprecated.
- Certificate pinning
- Hard-coding the expected certificate or public key in a client so it rejects any other, even from a valid CA.
- Secure enclave / TEE
- A trusted execution environment that isolates sensitive code and keys from the main operating system.
- Zero trust
- A security model that removes implicit trust based on network location and verifies every request on identity, device, and context — “never trust, always verify.”
- Verify explicitly
- The zero-trust tenet of authenticating and authorizing every request on identity, device health, and context — no implicit trust from location.
- Assume breach
- The zero-trust mindset of designing as if an attacker is already inside — segmenting, encrypting, and monitoring to contain damage.
- Defense in depth
- Layering multiple, overlapping controls (data, app, host, network, perimeter, people) so that if one fails, others still protect the asset.
- Network segmentation
- Dividing a network into isolated zones (VLANs, subnets) so traffic between them passes through controls, limiting lateral movement.
- Microsegmentation
- Segmentation pushed down to individual workloads or hosts, enforcing zero-trust policy at a fine granularity.
- DMZ (demilitarized zone)
- A network segment placed between the internal network and untrusted external networks to host public-facing services.
- Air gap
- A physical control that isolates a system or network with no connection to other networks, used for the most sensitive environments.
- VLAN
- A virtual LAN that logically separates devices into broadcast domains regardless of physical location, supporting segmentation.
- SASE
- Secure Access Service Edge — converges networking (SD-WAN) and security (SWG, CASB, ZTNA, FWaaS) into one cloud-delivered service.
- ZTNA
- Zero Trust Network Access — grants application access per session based on identity and policy, instead of broad network access like a VPN.
- CASB
- Cloud Access Security Broker — a policy enforcement point between users and cloud services for visibility, DLP, and access control.
- Shared responsibility model
- The cloud security split where the provider secures the cloud infrastructure and the customer secures their data, identities, and configurations.
- IaaS
- Infrastructure as a Service — the customer secures the most (OS, apps, data); the provider secures the underlying physical and virtualization layers.
- SaaS
- Software as a Service — the provider secures almost everything; the customer mainly secures its data and user access.
- Data Loss Prevention (DLP)
- Monitoring and blocking unauthorized movement of sensitive data across network, endpoint, and storage based on classification.
- Data classification
- Labeling data by sensitivity (e.g., public, internal, confidential, restricted) so the right protections can be applied.
- Web Application Firewall (WAF)
- A control that filters, monitors, and blocks malicious HTTP traffic to and from a web application (layer 7).
- Intrusion Prevention System (IPS)
- Inline monitoring that actively detects and blocks identified threats, unlike an IDS, which only alerts.
- Intrusion Detection System (IDS)
- Monitoring that detects and alerts on suspicious activity but does not block it inline.
- Network Access Control (NAC)
- A control that admits devices to the network only if they meet security policy (patch level, posture, identity).
- Virtual Private Network (VPN)
- An encrypted tunnel that secures data transmission over an unsecured network such as the internet.
- Virtualization
- Running isolated virtual machines on shared hardware via a hypervisor — used to contain and segregate sensitive workloads.
- Secure by design
- Building security into a system from the start rather than bolting it on later.
- Attack surface
- The total set of points where an attacker could attempt to enter or extract data; reducing it is a core architectural goal.
- Least functionality
- Configuring systems to provide only the services and capabilities required, disabling everything else to shrink the attack surface.
- High availability (HA)
- Architecture that minimizes downtime through redundancy, failover, and load balancing.
- Containerization
- Packaging an application with its dependencies into an isolated container; secured via image scanning, least privilege, and runtime controls.
- SD-WAN
- Software-defined WAN — centrally managed, policy-driven wide-area networking, often paired with security in a SASE architecture.
- Bastion host
- A hardened, exposed host that brokers access into a private network, reducing direct exposure of internal systems.
- Identity and Access Management (IAM)
- The discipline and tools for managing digital identities and controlling their access to resources.
- Privileged Access Management (PAM)
- Controls that secure, monitor, and limit the use of privileged/administrator accounts.
- SIEM
- Security Information and Event Management — aggregates and correlates logs across the enterprise to detect threats, alert, and support investigations.
- SOAR
- Security Orchestration, Automation, and Response — automates and coordinates incident response via playbooks and tool integrations.
- Security Operations Center (SOC)
- The team and facility that monitors, detects, and responds to security events around the clock.
- Alert fatigue
- Desensitization caused by too many alerts (often false positives) from an untuned SIEM, leading analysts to miss real threats.
- MITRE ATT&CK
- A knowledge base of real-world adversary tactics (goals) and techniques (methods) used to map detections and drive threat hunting.
- Cyber Kill Chain
- Lockheed Martin's linear 7-stage intrusion model: reconnaissance, weaponization, delivery, exploitation, installation, command & control, actions on objectives.
- Indicator of compromise (IoC)
- A forensic artifact (malicious IP/domain, file hash, registry key, beaconing) that signals a system may have been breached.
- Threat hunting
- The proactive, hypothesis-driven search for adversaries that have evaded existing detections, before any alert fires.
- Threat intelligence
- Evidence-based knowledge about threats — actors, their TTPs, and indicators — used to inform defense.
- Honeypot
- A decoy system designed to lure, detect, and analyze attackers, diverting them from real assets and revealing their techniques.
- Red team
- An offensive security team that emulates real adversaries to find exploitable gaps before attackers do.
- Blue team
- A defensive security team that detects, responds to, and hardens against attacks through the SOC.
- Purple team
- A function that integrates Red and Blue teams so attack findings immediately improve detections.
- White team
- The group that sets the rules of engagement, referees a security exercise, and scores it impartially.
- Penetration test
- An authorized simulated attack that exploits vulnerabilities to assess real-world risk and validate defenses.
- Incident response lifecycle
- NIST's four phases: preparation; detection & analysis; containment, eradication & recovery; post-incident activity.
- Containment
- Limiting the spread and impact of an incident (e.g., isolating a host) — usually the first action in a live incident.
- Eradication
- Removing the threat — malware, attacker footholds, compromised accounts — from the environment.
- Chain of custody
- The documented, unbroken record of who handled evidence and when — what keeps it admissible in legal proceedings.
- Order of volatility
- Collecting evidence most-volatile-first (memory, network state) before less-volatile data (disk) so nothing is lost.
- Forensic image
- A bit-for-bit, hash-verified copy of storage made for analysis so the original evidence is never altered.
- Legal hold
- A directive to preserve relevant data once litigation or an investigation is anticipated.
- Root cause analysis
- Determining the underlying reason an incident occurred so the same issue can be prevented from recurring.
- Signature-based detection
- Detection that matches known patterns (hashes, rules, byte sequences) — precise on known threats but blind to novel ones.
- Behavioral analytics
- Detecting threats by flagging deviations from a baseline of normal user, host, or network behavior.
- File Integrity Monitoring (FIM)
- A control that detects unauthorized changes to critical files by comparing them against a known-good baseline.
- Endpoint Detection and Response (EDR)
- Endpoint tooling that records and analyzes activity to detect, investigate, and respond to threats on hosts.
- Vulnerability scanner
- A tool (e.g., Nessus) that probes systems for known vulnerabilities and misconfigurations.
- Dwell time
- The period an attacker remains undetected in an environment; threat hunting and detection aim to reduce it.
- Playbook
- A predefined, repeatable set of response steps for a given incident type, often automated through SOAR.
- Log aggregation
- Centralizing logs from many sources so they can be correlated and analyzed together (a core SIEM function).
- Mean Time to Respond (MTTR)
- The average time to contain and resolve an incident; lower MTTR signals a more mature operations program.
- Risk appetite
- The amount and type of risk an organization is willing to accept in pursuit of its objectives, set by leadership.
- Risk tolerance
- The acceptable variation around the risk appetite for a specific objective or activity.
- Residual risk
- The risk that remains after a chosen treatment (mitigate, transfer, accept, avoid) has been applied.
- Risk mitigation
- Reducing a risk's likelihood or impact by applying controls.
- Risk transfer
- Shifting the financial impact of a risk to a third party, such as through insurance or contractual indemnity.
- Risk acceptance
- Choosing to tolerate a risk because it falls within the organization's risk appetite.
- Risk avoidance
- Eliminating a risk by stopping the activity that creates it.
- Single Loss Expectancy (SLE)
- The monetary loss expected from one occurrence of a risk — asset value × exposure factor.
- Annualized Rate of Occurrence (ARO)
- How many times per year a given loss event is expected to occur.
- Annualized Loss Expectancy (ALE)
- SLE × ARO — the expected yearly loss a control's cost is justified against.
- Qualitative risk analysis
- Assessing risk with relative ratings (high/medium/low) rather than precise monetary values.
- Quantitative risk analysis
- Assessing risk with monetary values and probabilities (SLE, ARO, ALE) to justify control spending.
- Due diligence
- The investigation and ongoing evaluation of risk involved in a decision, such as a vendor or acquisition.
- Due care
- The reasonable actions and controls a prudent organization implements based on its due-diligence findings.
- Separation of duties
- Splitting a sensitive task across multiple people so no single person can complete it alone, preventing fraud.
- Least privilege
- Granting each user or process only the minimum access needed to perform its function.
- Job rotation
- Periodically moving staff between roles to surface fraud and reduce dependence on any one person.
- Mandatory vacation
- Requiring staff to take time off so that fraudulent activity dependent on their presence is exposed.
- Gap analysis
- Comparing the current security state against a desired or required state to identify what's missing.
- Business Continuity Plan (BCP)
- A plan to keep critical business functions running during and after a disruption.
- Disaster Recovery Plan (DRP)
- A plan focused on restoring IT systems and data after a disruptive event — a key component of a BCP.
- RTO (Recovery Time Objective)
- The maximum acceptable time to restore a system or process after a disruption.
- RPO (Recovery Point Objective)
- The maximum acceptable amount of data loss, measured as time, after a disruption.
- ISMS
- Information Security Management System — the policies and processes (e.g., per ISO 27001) that manage information-security risk.
- ISO 27001
- An international standard specifying requirements for establishing and operating an ISMS.
- NIST Cybersecurity Framework
- A voluntary framework organizing cybersecurity activities into core functions (Identify, Protect, Detect, Respond, Recover, Govern).
- GDPR
- General Data Protection Regulation — the EU law protecting the privacy and personal data of EU residents.
- PCI DSS
- Payment Card Industry Data Security Standard — requirements for protecting cardholder data.
- HIPAA
- U.S. regulation protecting the privacy and security of health information.
- CMMI
- Capability Maturity Model Integration — a model for assessing and improving the maturity of organizational processes.
- ITIL
- A framework of best practices for delivering IT services effectively and efficiently.
- Data Protection Officer (DPO)
- A role responsible for overseeing an organization's compliance with data-protection laws such as GDPR.
- Third-party / vendor risk assessment
- Evaluating a vendor's security posture and compliance before and during a business relationship.
- Software Bill of Materials (SBOM)
- A machine-readable inventory of every component and dependency in software, key to managing supply-chain risk.
- Risk register
- A documented record of identified risks, their assessment, owners, and treatment status.
- Compensating control
- An alternative safeguard used when the primary control cannot be applied, to reduce residual risk.