Glossary
Every term and acronym used across the notes, in one searchable list.
- AAA (Fundamentals): Authentication, Authorisation, Accounting. The three steps of access control: prove who you are, get permitted to act, and have that action logged.
- AEAD (Cryptography): Authenticated Encryption with Associated Data. A cipher mode (e.g. AES-GCM) providing confidentiality and integrity for the plaintext together, plus integrity for any unencrypted associated data (such as headers). The modern default.
- AES (Cryptography): Advanced Encryption Standard. The default symmetric block cipher; 128-bit blocks with 128/192/256-bit keys. No practical break exists.
- APT (Threats): Advanced Persistent Threat. A well-resourced, usually state-sponsored actor that maintains long-term covert access for espionage or sabotage.
- Argon2 (Cryptography): The winner of the 2015 Password Hashing Competition; a memory-hard password hashing function. Argon2id is the recommended variant for storing passwords.
- ARP (Networking): Address Resolution Protocol. Maps IP addresses to MAC addresses on a local network. Has no authentication, enabling ARP spoofing.
- ASN (Networking): Autonomous System Number. A globally unique identifier for a network under one routing policy, used in BGP and handy for mapping an organisation's IP ranges during OSINT.
- Attack surface (Fundamentals): The total set of points where an attacker can attempt to interact with a system. Reducing it is one of the cheapest defensive wins.
- Avalanche effect (Cryptography): A property of good hashes and ciphers where changing one input bit flips about half the output bits.
- bcrypt (Cryptography): A deliberately slow password-hashing function based on the Blowfish cipher. Acceptable for password storage, though Argon2id is now preferred.
- BIA (GRC): Business Impact Analysis. Identifies critical processes and the impact of their disruption, feeding RTO and RPO targets.
- Botnet (Threats): A network of compromised devices controlled remotely by an attacker, used for DDoS, spam, or credential stuffing.
- Brute force (Cryptography): Trying every possible key or password until one works. Defended by large keyspaces and rate limiting.
- BSSID (Networking): Basic Service Set Identifier. The MAC address of a wireless access point's radio, used to identify and geolocate a specific Wi-Fi network.
- C2 (Threats): Command and Control. The channel an attacker uses to remotely control compromised machines, e.g. via HTTPS, DNS, or a messaging service.
- CA (Cryptography): Certificate Authority. A trusted third party that signs digital certificates, vouching that a public key belongs to a named identity.
- CBC (Cryptography): Cipher Block Chaining. A block cipher mode that XORs each plaintext block with the previous ciphertext block, seeded by an IV. Provides confidentiality only, so it must be paired with a MAC; an AEAD mode is the preferred alternative.
- Certificate pinning (Web): Hardcoding the expected certificate or public key for a host so a client rejects any other, defeating man-in-the-middle attacks that use a rogue but valid certificate.
- Certificate transparency (Web): A public, append-only log of issued TLS certificates. Searching CT logs reveals subdomains and hostnames an organisation has certificates for.
- CIA triad (Fundamentals): Confidentiality, Integrity, Availability: the three core properties that security controls protect.
- CSPRNG (Cryptography): Cryptographically Secure Pseudo-Random Number Generator. The only acceptable source of keys, IVs and nonces.
- CSRF (Web): Cross-Site Request Forgery. Tricks a logged-in user's browser into sending an unwanted authenticated request. Defended with anti-CSRF tokens and SameSite cookies.
- CVE (GRC): Common Vulnerabilities and Exposures. A unique identifier (e.g. CVE-2021-44228) for a publicly disclosed vulnerability.
- CVSS (GRC): Common Vulnerability Scoring System. A 0–10 severity score for vulnerabilities based on exploitability and impact metrics.
- DDoS (Threats): Distributed Denial of Service. Overwhelming a service from many sources at once to exhaust its resources and deny availability.
- Defence in depth (Fundamentals): Layering independent controls so that the failure of any one does not result in compromise.
- DH (Cryptography): Diffie–Hellman key exchange. Lets two parties derive a shared secret over a public channel. Ephemeral DH (DHE/ECDHE) provides forward secrecy.
- DLP (Defensive): Data Loss Prevention. Controls that detect and block sensitive data leaving an organisation.
- DNS (Networking): Domain Name System. Resolves human names to IP addresses. Runs on port 53; DNSSEC adds integrity, DoH/DoT add confidentiality.
- Dork (Practical): A crafted search-engine query using advanced operators (site:, filetype:, inurl:) to surface exposed files, pages or data. Also called Google dorking.
- EDR (Defensive): Endpoint Detection and Response. Agent-based tooling that records endpoint activity and enables detection, investigation and response.
- EXIF metadata (Practical): Exchangeable Image File data embedded in photos, recording camera model, timestamps and often GPS coordinates. A common OSINT source if not stripped before sharing.
- Forward secrecy (Cryptography): A property where compromise of a long-term key cannot decrypt previously recorded sessions, because each session used a fresh ephemeral key.
- GCM (Cryptography): Galois/Counter Mode. An AEAD mode combining counter-mode encryption with an authentication tag. The modern default, used in TLS 1.3.
- GDPR (GRC): General Data Protection Regulation. EU/UK data-protection law governing the processing of personal data, with fines up to the higher of £17.5m / €20m or 4% of global turnover.
- Hashing (Cryptography): A one-way function producing a fixed-size digest. Secure hashes provide preimage, second-preimage and collision resistance.
- HIDS / NIDS (Defensive): Host- / Network-based Intrusion Detection System. Monitors a host or network for signs of malicious activity.
- HMAC (Cryptography): Hash-based Message Authentication Code. A keyed construction (e.g. HMAC-SHA256) proving a message's integrity and authenticity.
- HSM (Cryptography): Hardware Security Module. A tamper-resistant device that generates and stores cryptographic keys so they never appear in reachable memory.
- HUMINT (Threats): Human Intelligence. Information gathered through interpersonal contact, such as interviews, pretexting or insider sources, rather than technical collection.
- IDS / IPS (Defensive): Intrusion Detection / Prevention System. An IDS alerts on suspicious traffic; an IPS sits inline and can block it.
- IoC (Defensive): Indicator of Compromise. An observable artefact (file hash, IP, domain) that suggests an intrusion has occurred.
- IV (Cryptography): Initialisation Vector. A random or unique value that makes a cipher's output differ for identical plaintexts. Must never be reused with the same key in stream/CTR modes.
- Kerckhoffs's principle (Cryptography): A cryptosystem should remain secure even if everything about it except the key is public knowledge.
- Kill chain (Threats): Lockheed Martin's model of intrusion stages: reconnaissance, weaponisation, delivery, exploitation, installation, C2, actions on objectives.
- Least privilege (Fundamentals): Granting every user and process the minimum access needed to function, limiting the blast radius of any compromise.
- MAC (address) (Networking): Media Access Control address. A 48-bit hardware identifier for a network interface, used at layer 2.
- MAC (message) (Cryptography): Message Authentication Code. A tag proving integrity and authenticity using a shared secret key. Provides no non-repudiation.
- MFA (Identity): Multi-Factor Authentication. Requiring two or more independent factors: something you know, have, or are.
- MITRE ATT&CK (Threats): A knowledge base of real-world adversary tactics and techniques, organised by tactic (the why) and technique (the how).
- ML-KEM (Cryptography): Module-Lattice-Based Key-Encapsulation Mechanism (FIPS 203), formerly Kyber. NIST's post-quantum key-establishment standard.
- Nmap (Practical): The standard network scanner for host discovery, port scanning, service/version detection and scriptable enumeration.
- Non-repudiation (Fundamentals): Assurance that a party cannot deny having taken an action. Provided by digital signatures, not by shared-key MACs.
- OSINT (Practical): Open Source Intelligence. Intelligence gathered from publicly available sources such as websites, records, social media and search engines.
- OWASP (Web): Open Worldwide Application Security Project. A nonprofit behind the OWASP Top 10, ASVS, ZAP and other application-security resources.
- Passive DNS (Networking): Historical records of DNS resolutions collected by sensors over time. It reveals which IPs a domain has used and which domains share an IP, without querying the target.
- Phishing (Threats): Social engineering via fraudulent messages to steal credentials or deliver malware. Variants: spear phishing (targeted), whaling (executives), smishing (SMS), vishing (voice).
- PKI (Cryptography): Public Key Infrastructure. The CAs, certificates, and processes that bind public keys to identities and manage their lifecycle.
- Privilege escalation (Offensive): Gaining higher permissions than granted: vertical (user to admin) or horizontal (one user to another's resources).
- Pyramid of Pain (Threats): David Bianco's model ranking indicators by how much disruption denying them causes an attacker, from trivial hash and IP changes up to tactics, techniques and procedures.
- Ransomware (Threats): Malware that encrypts a victim's data and demands payment. Modern variants also exfiltrate data first for double extortion.
- RBAC (Identity): Role-Based Access Control. Permissions are assigned to roles, and roles to users, simplifying administration.
- RPO / RTO (GRC): Recovery Point Objective (max tolerable data loss, in time) and Recovery Time Objective (max tolerable downtime). Key disaster-recovery targets.
- RSA (Cryptography): An asymmetric algorithm whose security rests on the difficulty of factoring large semiprimes. 2048-bit minimum; being displaced by elliptic curves.
- Salt (Cryptography): A unique random value added per password before hashing, defeating rainbow tables and ensuring identical passwords hash differently. Not secret.
- Salting (Cryptography): See Salt.
- Side channel (Cryptography): An attack that exploits physical leakage of an implementation (timing, power, cache or electromagnetic emissions) rather than the algorithm itself.
- SIEM (Defensive): Security Information and Event Management. Aggregates and correlates logs from across an estate to detect and investigate incidents.
- SIGINT (Threats): Signals Intelligence. Intelligence derived from intercepted communications and electronic emissions, including network and radio traffic.
- SOAR (Defensive): Security Orchestration, Automation and Response. Automates and coordinates incident-response workflows, often alongside a SIEM.
- SOC (Defensive): Security Operations Centre. The team and facility responsible for monitoring, detecting and responding to security events.
- SQL injection (Web): Injecting attacker-controlled SQL into a query through unsanitised input. Prevented by parameterised queries.
- SSRF (Web): Server-Side Request Forgery. Coercing a server into making requests to internal systems an attacker can't reach directly.
- STRIDE (Fundamentals): A threat-enumeration model: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege.
- Threat intelligence (Defensive): Analysed information about adversaries, their capabilities and indicators, turned into context that informs detection and defensive decisions.
- TLS (Cryptography): Transport Layer Security. The protocol securing HTTPS and more, providing authentication, key exchange and authenticated encryption. Use 1.2 or 1.3.
- TOTP (Identity): Time-based One-Time Password. A six-digit code derived from a shared secret and the current time, used as a second factor.
- TTP (Threats): Tactics, Techniques and Procedures. The behaviour patterns of an adversary, sitting at the top of the Pyramid of Pain because they are the hardest to change.
- Vulnerability (Fundamentals): A weakness that a threat could exploit. Combined with a threat and impact, it produces risk.
- WAF (Defensive): Web Application Firewall. Filters HTTP traffic to block common application attacks such as injection and XSS.
- WHOIS (Networking): A query protocol for registration records of domains and IP ranges, returning registrar, dates and contacts where not redacted. A staple OSINT lookup.
- XSS (Web): Cross-Site Scripting. Injecting attacker-controlled script that runs in other users' browsers. Types: stored, reflected, DOM-based.
- Zero trust (Fundamentals): A model that trusts no request by default regardless of network location: 'never trust, always verify'.
- Zero-day (Threats): A vulnerability unknown to the vendor, for which no patch yet exists, leaving defenders 'zero days' to prepare.