Cybersecurity Knowledge Base
CyberPedia
Your essential guide to cybersecurity threats, attacks, and defenses. Understand the risks. Protect your business.
A
Advanced Persistent Threat (APT)
Summary: Long‑term, targeted intrusion by skilled and well‑resourced attackers.
Core idea: Quietly break in, stay hidden, and methodically work toward strategic goals such as data theft, espionage, or preparing for disruption.
Main risks: Large‑scale data loss, financial and operational damage, reputational harm, and potential regulatory or geopolitical consequences.
Red flag: Patterns of repeated, subtle suspicious activity over time—especially around high‑value systems and accounts—rather than a single obvious “incident.”
Attack Surface
Summary: High‑level concept describing exposure.
Core idea: An organization’s attack surface is the sum of all the ways an attacker could interact with and potentially compromise its systems, data, people, and partners.
Main importance: A large, poorly managed attack surface makes attacks more likely and harder to detect; shrinking and hardening it is a core security goal.
Red flag: When an organization lacks a clear inventory of its internet‑facing systems, internal apps, and third‑party connections, it likely has a bigger and riskier attack surface than it realizes.
B
Beaconing
Summary: Network communication pattern used for remote control.
Core idea: Beaconing is the repeated, often periodic “phone home” behavior of compromised systems contacting attacker-controlled infrastructure to signal presence and receive instructions.
Main risks: Sustained attacker control, stealthy data exfiltration, and coordinated malicious actions across multiple hosts, all enabled by seemingly routine outbound traffic.
Red flag: Regular outbound connections from an endpoint to an unusual or rarely used destination—especially tied to unknown or suspicious processes—are a strong sign of potential beaconing and should trigger immediate investigation and containment.
BitLocker
Summary: Endpoint full‑disk encryption technology (Windows feature).
Core idea: BitLocker is Microsoft’s built‑in full‑disk encryption solution that encrypts entire drives so data at rest on Windows devices is protected from unauthorized access, especially when devices are lost or stolen.
Main benefits: Strong encryption for data at rest, reduced risk from physical device compromise, support for compliance, and integration with Windows and enterprise management tools.
Red flag: Windows devices handling sensitive data that are not using full‑disk encryption—or that have BitLocker enabled without proper recovery key management and strong unlock methods—represent a significant risk if they are lost, stolen, or repurposed without secure wiping.
Blue Team
Summary: Organizational defense team in cybersecurity.
Core idea: The Blue Team is the defensive side—they watch for attacks, respond to them, and continually strengthen security.
Main focus areas: Monitoring, incident response, vulnerability management, and long‑term improvement of the company’s security posture.
Key contrast: If Red Teams act like “ethical hackers” to test defenses, Blue Teams act like the “guards and alarm system” keeping the business safe day to day.
Botnet
Summary: Network of compromised devices under remote control.
Core idea: A botnet is a collection of infected machines (bots) that attackers control as a group to launch large‑scale attacks, send spam, spread malware, and perform other malicious activities—often without the owners’ knowledge.
Main risks: DDoS attacks, large‑scale phishing and credential abuse, malware distribution, data theft, and reputational damage when your systems are used as part of a criminal network.
Red flag: Unexpected, sustained network activity, devices appearing on blocklists, or evidence that your IPs are part of attacks can all indicate botnet involvement and should trigger immediate investigation.
Breach
Summary: Security incident involving unauthorized access to or exposure of systems or data.
Core idea: A breach means someone who shouldn’t have access has managed to get in, see, steal, change, or disrupt information or systems.
Main risks: Data loss, identity theft and fraud, operational disruption, financial cost, regulatory penalties, and reputational harm.
Red flag: Any evidence that accounts or systems have been accessed in unusual ways, or that sensitive data has left controlled environments, should be treated as a potential breach and investigated quickly.
Brute Force Attack
Summary: Password/credential guessing attack.
Core idea: A Brute Force Attack is a systematic, often automated series of login or key‑guessing attempts, aiming to find a working credential or key by trying many possibilities.
Main risks: Account takeover, unauthorized access to systems and data, potential data breaches, and service disruption from excessive failed attempts.
Red flag: Repeated failed login attempts against many accounts, or rapid login attempts from the same source, especially where weak passwords and no MFA are present, strongly indicate brute force activity and require immediate investigation.
Business Continuity and Disaster Recovery (BCDR)
Summary: Combined planning and processes for resilience (Business Continuity) and IT recovery (Disaster Recovery).
Core idea: BCDR ensures that critical business functions can continue during disruptions and that systems and data can be restored within acceptable time and data‑loss limits.
Main benefits: Reduced downtime, less financial and reputational damage, stronger resilience against cyber attacks and other disasters, and better compliance with regulatory expectations.
Red flag: Organizations that have backups but no tested BCDR plans—or that have never practiced restoring systems and running the business during an outage—are likely to struggle badly in a real‑world incident.
Business Email Compromise (BEC)
Summary: Financially motivated scam using real or fake business email accounts.
Core idea: Attackers impersonate trusted people (executives, vendors, employees) to trick staff into sending money or sensitive data.
Main risks: Direct financial loss, data exposure, damaged relationships, and legal/regulatory impact.
Red flag: Any email asking for urgent, unusual, or secret payment changes—especially when it involves new bank details or bypassing normal procedures.
C
CIA Triad
Summary: Fundamental security model.
Core idea: The CIA Triad defines three essential properties of secure information systems—Confidentiality (only the right people can see data), Integrity (data is trustworthy and unchanged without authorization), and Availability (data and systems are usable when needed).
Main business relevance: It provides a simple checklist to think about risks and controls: does this safeguard protect who can see data, how accurate it is, and whether it’s accessible at the right time?
Red flag: A control or decision that focuses only on one pillar (for example, availability) and ignores the others can create serious gaps—such as systems that are always up but easily breached, or data that’s well‑protected but unreachable in an emergency.
Summary: Social engineering technique that uses fake verification/fix pages.
Core idea: The attacker gets you to run the harmful command for them by following simple on‑screen instructions.
Main risks: Password theft, remote control of devices, business account compromise, and follow‑on attacks like ransomware.
Red flag: Any webpage that asks you to open a system tool (like Run, PowerShell, or Terminal) and paste in a command to “verify,” “update,” or “fix” something.
Command and Control (C2)
Summary: Post-compromise control and communication mechanism.
Core idea: Command and Control (C2) is the communication infrastructure that lets attackers remotely manage compromised systems, send instructions, and receive data throughout an intrusion.
Main risks: Sustained attacker presence, ongoing data theft, coordinated lateral movement, and on-demand deployment of ransomware or destructive actions, all enabled by hidden, often encrypted channels.
Red flag: Repeated, periodic connections (beaconing) from endpoints to unusual or newly registered domains, odd DNS patterns, or encrypted traffic to unexpected destinations—especially tied to suspicious processes—strongly suggest active C2 and demand immediate investigation and containment.
Cyber Insurance
Summary: Risk‑transfer and financial protection mechanism.
Core idea: Cyber insurance is a specialized insurance policy that helps organizations cover certain costs and liabilities from cyber incidents like breaches, ransomware, and major outages.
Main benefits: Financial support for incident response, legal and regulatory work, business interruption, and some third‑party claims; access to specialized response partners.
Red flag: Treating cyber insurance as a substitute for strong security—rather than as a back‑up for when controls fail—can lead to denied claims, higher premiums, and severe business impact when a major incident occurs.
D
Data Loss Prevention (DLP)
Summary: Data security and compliance control set (tools + processes).
Core idea: Data Loss Prevention (DLP) identifies, monitors, and controls sensitive data in use, in motion, and at rest to prevent unauthorized or accidental disclosure outside approved channels.
Main benefits: Reduces data‑leak risk, supports regulatory compliance, improves visibility into sensitive information, and helps prevent both accidental and intentional exfiltration.
Red flag: When an organization handles significant sensitive data but has no visibility into how it moves (no DLP or equivalent controls), the chance of unnoticed leaks and costly breaches is much higher.
Dark Web
Summary: Hidden, anonymized part of the internet accessible only with special tools like the Tor browser.
Core idea: A small, intentionally unindexed network where anonymity is the main feature—used both for privacy (journalists, activists) and for serious criminal activity (stolen data, cybercrime tools, illegal markets).
Main business risks: Sale of stolen credentials and data, cybercrime‑as‑a‑service fueling attacks like ransomware, and reputational damage if your organization’s data appears on Dark Web leak sites.
Red flag: Any offer or communication involving buying/selling access, stolen data, or hacking tools “on the Dark Web,” especially if it targets or mentions your company or customers.
Deep Web
Summary: Portion of the internet that is not indexed by search engines and typically requires login, payment, or special access.
Core idea: The Deep Web is where most private and restricted online content lives—like banking, email, intranets, and databases—using normal browsers but protected behind authentication or access controls.
Main business relevance: It holds critical internal and customer data, so strong access control and security around Deep Web systems are essential to prevent unauthorized access and data breaches.
Red flag: When people mix up “Deep Web” with “Dark Web” and assume all non‑indexed content is shady; in reality, the Deep Web is mostly ordinary, legitimate online services that must still be properly secured.
Defense in Depth
Summary: Security architecture and strategy principle.
Core idea: Defense in Depth is the practice of using multiple, overlapping security layers—across network, endpoint, identity, data, monitoring, and process—so that no single control’s failure leads to full compromise.
Main benefits: Reduced single points of failure, better chances of detecting and containing attacks, limited impact when breaches occur, and stronger alignment with security best practices.
Red flag: Environments that rely heavily on one or two controls (for example, a perimeter firewall and basic antivirus) without strong identity, segmentation, monitoring, and process layers are at high risk that a single successful attack step will lead to widespread compromise.
Distributed Denial of Service (DDoS)
Summary: Availability‑focused cyber attack.
Core idea: A Distributed Denial of Service attack uses many systems (often a botnet) to flood a target with traffic or requests, overwhelming its capacity so legitimate users can’t access services.
Main risks: Service outages, lost revenue, operational disruption, reputational damage, and potential use as a distraction for other attacks.
Red flag: Sudden, sustained surges in traffic or requests from many sources that cause slowness or downtime—especially when there’s no normal business reason for the spike—may indicate an active or attempted DDoS attack.
Domain-based Message Authentication, Reporting & Conformance (DMARC)
Summary: Email authentication and policy framework.
Core idea: DMARC lets a domain owner publish a policy that tells receiving servers how to handle messages that fail SPF/DKIM checks or whose authenticated domain does not align with the visible From: address, and it has receivers send reports back to the domain owner.
Main benefits: Reduces domain spoofing and phishing, improves deliverability of legitimate email, and provides visibility into how and where a domain is being used to send messages.
Red flag: Domains that send business email but don’t use DMARC (or only use p=none indefinitely) are easier for attackers to impersonate and give the organization little visibility into that abuse.
DomainKeys Identified Mail (DKIM)
Summary: Email authentication protocol.
Core idea: DKIM adds a cryptographic signature to outgoing emails so receiving servers can verify that the message was authorized by the sending domain and hasn’t been altered in transit.
Main benefits: Helps detect forged or tampered emails, improves deliverability, and strengthens defenses against spoofing and phishing—especially when used with SPF and DMARC.
Red flag: Domains that send business email but don’t use DKIM (or have broken DKIM signatures) are easier to impersonate and more likely to have their messages flagged or abused by attackers.
Dorking
Summary: Technique for advanced search‑based reconnaissance.
Core idea: Dorking uses advanced search engine queries and operators to locate exposed information, systems, and files that are not obvious through normal searching—often revealing misconfigurations or unintended public data.
Main relevance: Helpful for defenders to understand and reduce their online exposure, but also used by attackers to identify easy targets; intent and authorization determine whether its use is ethical.
Red flag: If routine self‑checks show login pages, directory listings, backups, or sensitive documents from your organization appearing in public search results, your attack surface is likely over‑exposed and needs immediate attention.
E
Endpoint Detection and Response (EDR)
Summary: Endpoint security and monitoring technology.
Core idea: Endpoint Detection and Response (EDR) continuously monitors endpoints for suspicious behavior, helping detect, investigate, and respond to attacks beyond traditional antivirus capabilities.
Main benefits: Earlier detection of advanced threats, richer forensic visibility, faster containment and remediation, and stronger support for threat hunting and incident response.
Red flag: Repeated, unexplained suspicious activity on endpoints—such as unusual PowerShell use, lateral movement attempts, or recurring malware detections—without corresponding EDR visibility or response suggests gaps in endpoint monitoring and response that need to be addressed.
EvilTokens
Summary: Identity and token‑abuse attack technique.
Core idea: EvilTokens refers to abusing authentication tokens—by stealing, forging, or manipulating them—to impersonate trusted identities and access systems without going through normal login checks.
Main risks: Stealthy account and service compromise, bypass of MFA and normal login defenses, large‑scale data access or modification, and persistent footholds in cloud and application environments.
Red flag: Unusual token activity—such as valid tokens used from new geographies, API clients, or time windows, especially with high privileges—should be treated as a strong indicator of token abuse and investigated with urgency.
Extortionware
Summary: Data theft–driven cyber extortion attack pattern.
Core idea: Extortionware is an attack in which adversaries steal sensitive data and use the threat of exposing or selling it as leverage to extort money or other concessions from victims.
Main risks: Financial loss, reputational harm, regulatory and legal consequences, and lasting exposure from data that remains in adversaries’ hands even after the incident.
Red flag: Discovery of unauthorized data access or exfiltration, followed by direct contact from threat actors threatening to leak or auction internal or customer data, is a strong indicator of extortionware activity and requires immediate coordinated technical, legal, and communications response.
Summary: Blackmail/extortion via email, often pretending to involve hacked routers, cameras, or networks.
Core idea: Attackers send mass emails claiming they have compromising data or recordings and demand payment (usually in cryptocurrency) to keep it secret.
Main risks: Emotional distress, financial loss if the victim pays, and potential exposure to malware or further scams.
Red flag: Any unsolicited email that claims to have hacked your router or recorded you, demands payment to prevent “exposure,” and pressures you to act quickly and secretly.
F
Summary: Social‑engineering and phishing attack using fake calendar events instead of (or in addition to) standard emails.
Core idea: Attackers create convincing calendar invites with malicious links, attachments, or instructions to trick people into handing over passwords, installing malware, or sharing sensitive information.
Main risks: Compromised accounts, data theft, internal phishing, and financial or operational damage if business systems are accessed.
Red flag: Unexpected calendar invites—especially from unknown senders—with urgent or scary subjects and links asking you to log in, download software, or provide personal or financial information.
Fileless Malware
Summary: Malware and attack technique category (memory and script-based).
Core idea: Fileless malware relies on in-memory execution and legitimate system tools instead of traditional files on disk, making it harder for file-focused defenses to detect.
Main risks: Stealthy compromise, credential theft, lateral movement, and major attacks (including ransomware or data theft) executed via trusted processes and scripts.
Red flag: Unusual or unauthorized use of scripting tools and system utilities—especially executing encoded commands, downloading content, or interacting with sensitive systems—strongly suggests possible fileless activity and warrants immediate investigation.
Firewall
Summary: Network and system security control.
Core idea: A firewall is a gatekeeper that inspects network traffic and applies rules to decide which connections are allowed and which are blocked, helping protect systems from unauthorized access and many types of attacks.
Main benefits: Reduces exposure to the internet and between internal systems, supports segmentation, filters known bad traffic, and forms a core part of a layered defense.
Red flag: If an organization has little visibility into its firewall rules (or uses broad “any‑to‑any” allows), its firewalls may provide far less protection than expected—even though they are technically in place.
H
Honeypot
Summary: Defensive deception and detection mechanism.
Core idea: A honeypot is a purposely vulnerable, monitored decoy system or service used to attract attackers so defenders can detect and study malicious activity without exposing real assets.
Main benefits: Earlier and higher-fidelity detection, better understanding of attacker techniques, richer threat intelligence, and stronger training and validation for security teams.
Red flag: Any unauthorized interaction with a honeypot—especially attempts to exfiltrate data or move laterally—should be treated as a strong indicator of compromise and investigated immediately.
I
Incident Response
Summary: Organizational process for handling security incidents.
Core idea: Incident response is the structured, step‑by‑step approach to preparing for, detecting, containing, eradicating, and learning from cyber incidents so damage is minimized and operations can safely return to normal.
Main benefits: Limits business impact (downtime, data loss, cost, reputation damage), supports legal and regulatory duties, and continuously improves overall security.
Red flag: If an organization discovers an incident and reacts in an ad‑hoc, confused way—with no clear plan, roles, or communication—it likely lacks a mature incident‑response capability and is at higher risk of severe, repeat impacts.
Indicators of Compromise (IOC)
Summary: Evidence and artifacts that suggest systems or accounts may have been compromised.
Core idea: IOCs are technical clues—like malicious file hashes, IPs, domains, unusual logins, or configuration changes—that help detect, investigate, and respond to cyber attacks.
Main benefits: Enable earlier detection, focused investigations, targeted blocking and cleanup, and ongoing improvement of defenses.
Red flag: When multiple strong IOCs (for example, known malware file plus connections to a known malicious domain plus abnormal user behavior) appear together, it strongly suggests an active or recent compromise that needs immediate attention.
Information Governance Process
Summary: Organizational process and governance framework.
Core idea: An information governance process is the structured way an organization decides how information is classified, accessed, protected, retained, and disposed of, so it supports the business while meeting legal, security, and privacy requirements.
Main benefits: Better control of data, reduced breach impact and legal risk, lower storage and e‑discovery costs, and clearer guidance for staff on how to handle information.
Red flag: If an organization cannot clearly say what information it has, where it is stored, who owns it, who can access it, and how long it’s kept, its information governance process is weak—and both security and compliance risks are significantly higher.
Initial Access Broker
Summary: Cybercriminal role in the attack ecosystem.
Core idea: An Initial Access Broker gains footholds in victim environments (accounts, VPNs, endpoints) and sells that access to other attackers, who then carry out ransomware, data theft, or other operations.
Main risks: Rapid progression from unnoticed initial compromise to full‑scale ransomware or data‑theft incidents, repeated resale of access, and industrialization of attacks through specialization.
Red flag: Unusual remote logins, unknown remote management tools, or suspicious access to high‑value systems—especially without MFA or from new locations—may indicate that initial access has been established and could be marketed or used by downstream attackers.
Insider Threat
Summary: Risk arising from people inside an organization who have legitimate access to systems, data, or facilities.
Core idea: Harm (intentional or accidental) caused by insiders misusing their access, leading to data loss, fraud, sabotage, or privacy violations.
Main risks: Data breaches, financial fraud, operational disruption, regulatory penalties, and reputational damage.
Red flag: Unusual or unnecessary use of access—especially to sensitive data or systems—combined with policy violations, large data movements, or strong emotional/behavioral warning signs.
K
Kill Chain
Summary: Conceptual model for describing the stages of a cyber attack.
Core idea: The kill chain breaks an attack into sequential steps—from reconnaissance to final objectives—so defenders can understand, detect, and disrupt attacks at multiple points.
Main value for businesses: Helps design layered defenses, analyze incidents, and explain how and where to strengthen security controls.
Red flag: If an organization only focuses on blocking the final stage (like ransomware execution) and ignores earlier kill‑chain stages (reconnaissance, phishing, initial access), it remains highly exposed to successful attacks.
L
Living off the Land
Summary: Post‑compromise technique/operational style.
Core idea: Living off the Land is when attackers use legitimate, built‑in tools and features of an environment to perform malicious actions, reducing reliance on custom malware and making detection harder.
Main risks: Stealthy lateral movement, persistent access, data theft, and disruptive actions carried out under the guise of normal administration, which complicate detection and response.
Red flag: Unusual or unauthorized use of powerful system utilities and scripting tools—especially for tasks like downloading content, querying many systems, changing security settings, or accessing sensitive data—should be treated as a strong indicator of possible Living‑off‑the‑Land activity and investigated promptly.
M
Malware
Summary: Malicious software designed to harm, exploit, or secretly control devices and networks.
Core idea: Malware is “bad software” that gets onto systems through tricks, vulnerabilities, or unsafe downloads and then steals data, disrupts operations, or hands control to attackers.
Main risks: Data theft, ransomware and system lockouts, financial and operational damage, regulatory and reputational impact.
Red flag: Unusual system behavior (slowdowns, pop‑ups, changed settings) after opening attachments, clicking links, or installing new software—especially when security tools are disabled or reporting issues.
Man‑in‑the‑Middle (MitM)
Summary: Network/communication attack pattern.
Core idea: A Man‑in‑the‑Middle attack places an attacker between two parties to secretly intercept and optionally alter their communications, even though both sides believe they’re talking directly.
Main risks: Stolen credentials and data, session hijacking, modified transactions, and silent malware injection.
Red flag: Use of sensitive services over untrusted networks (especially open Wi‑Fi), ignored certificate warnings, or signs that traffic is being proxied or re‑encrypted unexpectedly are all indicators that MitM risk may be present and should be investigated.
Money Mule
Summary: Financial and money‑laundering scam that uses people as intermediaries to move illegal funds.
Core idea: Criminals send money to a person’s account and instruct them to forward it, making that person the “money mule” who helps hide the money’s criminal origin.
Main risks: Legal charges, frozen or closed bank accounts, financial loss, and long‑term impact on personal and professional reputation.
Red flag: Any offer—job, favor, romance, or investment—where you’re asked to receive money and then quickly send it on, especially for someone you don’t know in real life.
Multifactor Authentication (MFA)
Summary: Security control that requires more than one proof of identity to log in.
Core idea: MFA combines two or more factors (something you know, have, or are) so that a stolen password alone is not enough to break into an account.
Main benefits: Strongly reduces account takeovers, protects high‑value business systems, supports compliance, and limits damage from phishing and password leaks.
Red flag: Any email, text, or call that asks you to share MFA codes or approve login prompts you didn’t initiate—this is often a sign of an active attack.
N
Next-Gen Antivirus
Summary: Modern endpoint security/antivirus approach.
Core idea: Next-Gen Antivirus uses behavioral analysis, machine learning, and cloud intelligence—not just signatures—to detect and block both known and unknown threats on devices.
Main benefits: Better detection of new and sophisticated attacks (including fileless and ransomware), richer visibility for security teams, and stronger protection for endpoints than traditional AV alone.
Red flag: Organizations that rely only on old-style, signature-only antivirus—without behavior-based or Next-Gen capabilities—are much more exposed to modern, fast-changing attacks.
Next-Generation Firewall (NGFW)
Summary: Advanced network security control (evolution of the firewall).
Core idea: A Next-Generation Firewall combines traditional firewalling with application awareness, user identity, deep inspection, and integrated threat prevention to more effectively control and secure network traffic.
Main benefits: Finer‑grained policies (per app and user), improved detection and blocking of modern threats, better visibility, and stronger support for compliance and governance.
Red flag: If an organization only uses basic, port‑based firewall rules—without application or user awareness—many modern threats can blend in with normal web traffic and bypass controls that an NGFW could detect and stop.
O
Onion Router (Tor)
Summary: Privacy‑focused network and software (The Onion Router).
Core idea: Tor routes internet traffic through multiple encrypted hops to provide strong anonymity, enabling access to both the regular web and hidden .onion services.
Main uses: Protecting privacy, bypassing censorship, enabling secure communication for journalists and activists—and, on the downside, providing cover for some criminal activity.
Red flag: When Tor appears in an organization’s network logs—especially from servers or sensitive systems—without a clear, approved reason, it may indicate attempts to hide access, exfiltrate data, or interact with high‑risk hidden services.
Open-Source Intelligence (OSINT)
Summary: Intelligence discipline focused on publicly available information.
Core idea: OSINT is the structured process of gathering and analyzing open, legally accessible data (web, social media, records, media, etc.) to produce actionable insights for security, investigations, and decision‑making.
Main cybersecurity relevance: Used by defenders and attackers alike to map digital footprints, find weaknesses, enrich threat intelligence, and plan or counter cyber operations.
Red flag: When OSINT reveals sensitive details—like exposed credentials, detailed network info, or oversharing by staff—that could easily be abused by attackers, it signals that public exposure needs to be reduced and controls strengthened.
P
Penetration Testing
Summary: Authorized security testing activity that simulates attacks.
Core idea: Penetration testing is a controlled, ethical attempt to break into systems, applications, or networks to find and demonstrate weaknesses so they can be fixed before real attackers exploit them.
Main benefits: Identifies practical vulnerabilities, shows real business impact, supports risk‑based remediation, and strengthens overall security posture and compliance.
Red flag: Organizations that never perform penetration testing—or rely only on automated scans—may have serious gaps that remain invisible until a real attacker exploits them.
Pretexting
Summary: Social engineering technique using fabricated stories or identities.
Core idea: Attackers create believable roles and scenarios (pretexts) to gain trust and convince people to share sensitive information or grant access they normally wouldn’t.
Main risks: Account compromise, data theft, financial fraud (especially BEC), and enabling larger intrusions into business systems.
Red flag: Any unexpected request—no matter how polished—that asks you to bypass normal processes or share sensitive information, backed up by a story that sounds plausible but can’t be independently confirmed.
Phishing
Summary: Social‑engineering attack that uses fake messages to trick people into doing something harmful.
Core idea: Attackers impersonate trusted senders and use urgent or convincing messages to steal passwords, data, or money, or to install malware.
Main risks: Account compromise, data breaches, financial fraud, malware infections (including ransomware), and broader compromise of business systems.
Red flag: Any message—email, text, call, or DM—that urges you to click a link, open an attachment, or share sensitive information right away, especially when the sender or URL doesn’t fully check out.
R
Ransomware
Summary: Digital extortion that encrypts systems and often steals data.
Core idea: Attackers gain access, spread across the network, disable defenses and backups, encrypt data, and demand ransom (often while also leaking or threatening to leak data).
Main risks: Business shutdown, permanent data loss, large financial and recovery costs, legal and regulatory exposure, and reputational harm.
Red flag: Sudden inability to open many files, visible ransom notes, or systems displaying messages demanding payment to restore access.
Red Team
Summary: Defensive testing role focused on offensive (attack‑style) techniques.
Core idea: A Red Team is an authorized “ethical attacker” group that simulates real‑world cyber attacks against an organization to reveal and help fix weaknesses in people, processes, and technology.
Main benefits: Provides realistic insight into how an attacker could compromise systems, tests the Blue Team’s detection and response capabilities, and drives targeted security improvements.
Red flag: When an organization treats security only as checklists and tools, without ever letting a Red Team test its defenses end‑to‑end, it may have a false sense of security about how it would fare against real attackers.
Remote Access Trojan (RAT)
Summary: Malware category (remote‑control tool for attackers).
Core idea: A Remote Access Trojan is malicious software that secretly grants attackers remote control of an infected device, enabling spying, data theft, and further attacks as if they were physically at the machine.
Main risks: Compromise of sensitive data, lateral movement into wider networks, follow‑on attacks (including ransomware), and long‑term stealthy access.
Red flag: Any evidence that a device is connecting to unknown servers, behaving as if remotely controlled, or running unauthorized tools should be treated as a potential RAT infection and investigated quickly.
Summary: Social‑engineering and financial fraud involving fake refunds and supposed “overpayments.”
Core idea: Scammers pretend to refund money, then claim they accidentally refunded too much and pressure victims into sending money back.
Main risks: Direct financial loss, compromised bank accounts or devices, and further fraud using stolen data or access.
Red flag: Any “refund” that requires remote access to your device, logging into online banking while a stranger watches, or sending money back via gift cards, wire, crypto, or cash.
S
Sandbox
Summary: Security isolation and analysis mechanism.
Core idea: A sandbox is an isolated environment used to safely execute and observe untrusted or suspicious code and content without exposing real systems to harm.
Main benefits: Safer handling of unknown threats, behavior‑based detection of malware, better support for incident response and threat intelligence, and reduced impact if something goes wrong.
Red flag: Delivering or running untrusted files, links, or applications directly on production systems—without sandboxing, isolation, or strong endpoint controls—significantly increases the risk that a single malicious item can compromise users or critical infrastructure.
Secure Access Service Edge (SASE)
Summary: Cloud-delivered networking and security architecture.
Core idea: Secure Access Service Edge (SASE) converges SD‑WAN with cloud-delivered security functions, namely secure web gateway (SWG), cloud access security broker (CASB), firewall as a service (FWaaS), and zero trust network access (ZTNA), into a unified service that delivers secure, optimized access for users and devices wherever they are.
Main benefits: Simplified architecture, improved performance for cloud and remote users, consistent zero trust security controls, and easier global scalability.
Red flag: Continued reliance on legacy hub‑and‑spoke VPNs and scattered point products—especially for a heavily remote or cloud-first workforce—can signal that SASE-style consolidation and modernization may be needed to reduce complexity and risk.
Script Kiddie
Summary: Informal label for low‑skill attacker.
Core idea: A Script Kiddie is an unskilled or novice attacker who relies on pre‑built tools and scripts created by others to perform hacking activities, without deep technical understanding.
Main risks: Opportunistic compromise of poorly secured systems, disruptive attacks (defacement, DDoS, account takeovers), reputational damage, and added background noise for defenders.
Red flag: Frequent, noisy probing or exploitation attempts using well‑known tools and public exploits—especially against unpatched or weakly configured systems—often signals script kiddie activity and highlights basic hardening gaps that need attention.
Security Information and Event Management (SIEM)
Summary: Central security monitoring and log‑analysis platform.
Core idea: A SIEM collects and correlates security‑relevant events from across an organization, turning raw logs into alerts, investigations, and reports that help detect and respond to threats.
Main benefits: Better visibility, faster and more informed incident response, support for compliance, and the ability to see attack patterns that span multiple systems.
Red flag: If an organization has a SIEM but it is poorly tuned, missing key log sources, or not actively monitored, it may give a false sense of security while real threats go unnoticed.
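As an added example (not code from the original page), here is the kind of correlation rule a SIEM runs once logs from many hosts land in one place: it parses constructed syslog-style sshd lines and raises a single alert when one source IP accumulates several failed logins inside a time window and then succeeds, even when the success lands on a different host than the failures. The hostnames, addresses, log lines and thresholds are all constructed for illustration.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample events (not real logs): sshd lines from two monitored hosts.
SAMPLE_LOGS = """\
2024-05-01T09:00:01 web01 sshd: Failed password for admin from 198.51.100.23 port 51122
2024-05-01T09:00:03 web01 sshd: Failed password for admin from 198.51.100.23 port 51124
2024-05-01T09:00:05 web01 sshd: Failed password for root from 198.51.100.23 port 51126
2024-05-01T09:00:07 web01 sshd: Failed password for admin from 198.51.100.23 port 51128
2024-05-01T09:00:09 web01 sshd: Failed password for admin from 198.51.100.23 port 51130
2024-05-01T09:00:12 db01 sshd: Accepted password for admin from 198.51.100.23 port 51140
2024-05-01T09:01:00 web01 sshd: Failed password for alice from 203.0.113.9 port 40001
2024-05-01T09:30:00 web01 sshd: Accepted password for alice from 203.0.113.9 port 40002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd: (?P<outcome>Failed|Accepted) password "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    outcome: str  # "Failed" or "Accepted"
    user: str
    src: str


def parse_events(text):
    """Normalize raw lines into Event records, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # a real SIEM would route unparsed lines to a catch-all index
        events.append(Event(datetime.fromisoformat(m["ts"]), m["host"],
                            m["outcome"], m["user"], m["src"]))
    return sorted(events, key=lambda e: e.ts)


def correlate_bruteforce_success(events, threshold=5, window=timedelta(minutes=10)):
    """Alert when one source IP fails `threshold` or more logins inside `window`
    and then logs in successfully, on any monitored host."""
    failures = defaultdict(deque)  # src -> deque of (ts, host) within the window
    alerts = []
    for ev in events:
        q = failures[ev.src]
        while q and ev.ts - q[0][0] > window:
            q.popleft()
        if ev.outcome == "Failed":
            q.append((ev.ts, ev.host))
        elif len(q) >= threshold:
            alerts.append({
                "src": ev.src,
                "user": ev.user,
                "success_host": ev.host,
                "failed_attempts": len(q),
                "hosts_probed": sorted({h for _, h in q}),
                "at": ev.ts.isoformat(),
            })
            q.clear()  # one alert per burst
    return alerts


if __name__ == "__main__":
    for alert in correlate_bruteforce_success(parse_events(SAMPLE_LOGS)):
        print(alert)
```

The point of the example is the cross-host view: web01 alone sees only failures and db01 alone sees only a normal login, so neither host-level log tells the story. The single failure from 203.0.113.9 followed by a success half an hour later falls outside the window and produces no alert, which is the kind of tuning the red flag above refers to.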
Security Operations Center (SOC)
Summary: Organizational function/team focused on security monitoring and response.
Core idea: A Security Operations Center is the centralized group (and supporting tools) that continuously watches for threats, investigates suspicious activity, and coordinates response to security incidents across an organization.
Main benefits: Faster detection and response, better visibility, stronger coordination during incidents, and ongoing improvement of defenses.
Red flag: If an organization has many security tools but no clear, centralized function to monitor them and respond (no SOC or equivalent), alerts may be missed or handled ad hoc—leaving serious threats to linger unnoticed.
Sender Policy Framework (SPF)
Summary: Email authentication protocol (DNS‑published list of authorized senders).
Core idea: SPF lets domain owners publish, in a DNS TXT record, which mail servers are authorized to send on the domain's behalf, so a receiving server can check whether the connecting sender is approved. The check is made against the envelope sender domain (MAIL FROM, or HELO), not the visible From: header, which is why SPF is paired with DKIM and DMARC to stop header spoofing.
Main benefits: Reduces email spoofing, supports phishing prevention and brand protection, and can improve deliverability of legitimate messages.
Red flag: Domains that send email but have no SPF record, or a broken one (for example "+all", which authorizes every host on the internet; more than 10 DNS lookups, which receivers treat as a permanent error; or several SPF records on one domain), are easier to impersonate and more likely to have legitimate messages rejected or flagged.
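To make the mechanics concrete, the following is an added example (not code from the original page) of the receiving side of SPF: it parses a record, evaluates a sending IP against the ip4, ip6, include and all mechanisms, enforces the 10-lookup limit, and lints a record for the "+all" misconfiguration named above. DNS is replaced by a constructed lookup table so it runs offline; the domains, records and addresses in it are invented, and the a, mx, exists and redirect= mechanisms of RFC 7208 are deliberately left out.

```python
import ipaddress

# Constructed DNS answers standing in for real lookups so the example runs offline.
FAKE_DNS = {
    ("example.com", "TXT"): [
        "v=spf1 ip4:192.0.2.0/24 include:_spf.mailvendor.example -all"],
    ("_spf.mailvendor.example", "TXT"): [
        "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all"],
    ("sloppy.example", "TXT"): ["v=spf1 ip4:192.0.2.5 +all"],
    ("loop.example", "TXT"): ["v=spf1 include:loop.example -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 s4.6.4: more than 10 DNS-querying terms is a permerror


class SpfError(Exception):
    """Permanent error: the record cannot be evaluated."""


def get_spf_record(domain, dns):
    records = [r for r in dns.get((domain, "TXT"), [])
               if r.lower().split(" ", 1)[0] == "v=spf1"]
    if len(records) != 1:  # none or several: both are permerror per RFC 7208
        raise SpfError(f"{domain}: expected exactly one SPF record, found {len(records)}")
    return records[0]


def check_host(ip, domain, dns, lookups=None):
    """Evaluate sending address `ip` against `domain`'s SPF record.
    Supports ip4, ip6, include and all; a, mx, exists and redirect= are omitted."""
    if lookups is None:
        lookups = [0]  # shared counter across recursive include: evaluations
    addr = ipaddress.ip_address(ip)
    for term in get_spf_record(domain, dns).split()[1:]:
        qualifier = "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            return QUALIFIERS[qualifier], f"{domain}: matched {qualifier}all"
        if name in ("ip4", "ip6"):
            # an IPv4 address tested against an ip6 network simply does not match
            if addr in ipaddress.ip_network(arg, strict=False):
                return QUALIFIERS[qualifier], f"{domain}: matched {name}:{arg}"
            continue
        if name == "include":
            lookups[0] += 1
            if lookups[0] > MAX_LOOKUPS:
                raise SpfError(f"{domain}: more than {MAX_LOOKUPS} DNS lookups")
            if check_host(ip, arg, dns, lookups)[0] == "pass":
                return QUALIFIERS[qualifier], f"{domain}: include:{arg} passed"
            continue  # a non-passing include is just "no match", not a failure
        raise SpfError(f"{domain}: unsupported mechanism '{name}'")
    return "neutral", f"{domain}: no mechanism matched"


def evaluate(ip, domain, dns=FAKE_DNS):
    """check_host with permerror folded into the result tuple."""
    try:
        return check_host(ip, domain, dns)
    except SpfError as exc:
        return "permerror", str(exc)


def lint_record(domain, dns=FAKE_DNS):
    """Cheap misconfiguration checks a domain owner should run on their own record."""
    findings = []
    terms = get_spf_record(domain, dns).split()[1:]
    if any(t.lower() in ("all", "+all") for t in terms):
        findings.append("'+all' lets any host on the internet send as this domain")
    if not terms or terms[-1].lstrip("+-~?").lower() != "all":
        findings.append("record does not end with an 'all' mechanism")
    return findings


if __name__ == "__main__":
    for ip, domain in [("192.0.2.77", "example.com"), ("203.0.113.5", "example.com"),
                       ("2001:db8:1::1", "example.com"), ("203.0.113.5", "loop.example")]:
        print(ip, domain, evaluate(ip, domain))
    print("sloppy.example:", lint_record("sloppy.example"))
```

Two behaviours are worth noticing. An include that does not pass is not a failure, only a non-match, so the outer record's own "-all" decides; and the self-including loop.example record exhausts the lookup budget and comes back as permerror, which is what receivers do with over-long vendor include chains in the real world.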
Shadow IT
Summary: Governance and risk management concept (unsanctioned technology use).
Core idea: Shadow IT is the use of unapproved applications, services, or devices for work, operating outside official IT and security oversight.
Main risks: Security and compliance gaps, data leakage, unsupported critical workflows, and more complex incident response when something goes wrong.
Red flag: Discovery of sensitive data or key business processes running on tools or services that IT/security were unaware of—especially personal accounts or consumer-grade apps—signals active Shadow IT that needs assessment and formalization.
Shodan
Summary: Internet-wide device and service search engine.
Core idea: Shodan is a search engine that indexes exposed devices and services on the internet, allowing users to discover what systems are publicly reachable and how they are configured.
Main risks: Attackers can use it to quickly find vulnerable or misconfigured systems, while defenders who ignore it may be unaware of dangerous exposures in their own environment.
Red flag: Discovery of sensitive systems (admin portals, databases, ICS/OT devices, management consoles) visible in Shodan under your organization’s footprint should trigger immediate investigation, access restriction, and validation of perimeter controls.
Smishing
Summary: Phishing attack delivered via SMS/text messages.
Core idea: Attackers send scam texts pretending to be trusted organizations or contacts, trying to make you click malicious links, disclose information, or install bad apps.
Main risks: Stolen credentials and financial data, compromised bank and work accounts, malware on mobile devices, and follow‑on attacks against individuals and businesses.
Red flag: Any unexpected, urgent text that includes a link or asks you to verify accounts, update payments, or share personal or security information—especially when you didn’t start the conversation.
Spearphishing
Summary: Targeted social‑engineering/phishing attack.
Core idea: Spearphishing uses carefully crafted, personalized messages that impersonate trusted individuals or organizations to trick specific targets into sharing information, transferring money, or installing malware.
Main risks: Account takeovers, financial fraud (especially BEC), data breaches, and malware/ransomware infections.
Red flag: Any highly personalized email or message that asks you to take an urgent, unusual, or secret action—especially involving payments, credentials, or attachments—should be independently verified before you respond.
Social Engineering
Summary: Human‑focused attack method that relies on manipulation rather than purely technical exploits.
Core idea: Attackers use lies, pressure, and psychological tricks to get people to do things that compromise security—such as sharing information, clicking links, running software, or granting access.
Main risks: Account and system compromise, data breaches, financial fraud, and enabling more technical attacks like malware or ransomware.
Red flag: Any request—digital or in person—that pushes you to bypass normal procedures, act urgently, or share sensitive information or access without proper verification.
Spam
Summary: Unwanted or unsolicited digital messages, usually sent in bulk.
Core idea: Spam is the “junk mail” of the internet—often just annoying advertising, but also a common carrier for scams, phishing, and malware.
Main risks: Wasted time, higher chance of someone clicking a malicious link or opening a bad attachment, potential system abuse and reputational damage if your accounts are used to send spam.
Red flag: Any unexpected bulk or promotional message from an unknown sender, especially with urgent or too‑good‑to‑be‑true claims and links or attachments you didn’t ask for.
SQL Injection
Summary: Web application injection vulnerability and attack.
Core idea: SQL Injection happens when an application lets untrusted input be interpreted as part of an SQL command, allowing attackers to manipulate queries and interact with the database in unauthorized ways.
Main risks: Data theft, data tampering, authentication bypass, system compromise, regulatory penalties, and reputational damage.
Red flag: Any code that builds SQL by concatenating user‑controlled input—especially for logins, search, or reporting—without parameterization or strict validation is a strong indicator of SQL Injection risk and should be refactored immediately.
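An added illustration (not code from the original page) of the red flag above, using Python's built-in sqlite3 module and an in-memory database: the same login check written once by splicing input into the SQL text and once with placeholders, run against the two classic payloads, one that comments out the password check and one that makes the WHERE clause always true. The table, rows and "password hashes" are constructed for the demo.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows (not real credentials)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [
        ("alice", "hash-of-alice-pw"),
        ("admin", "hash-of-admin-pw"),
    ])
    conn.commit()
    return conn


def login_vulnerable(conn, username, password_hash):
    """BAD: user input is spliced into the SQL text, so quotes and comments
    in the input become part of the statement the database executes."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password_hash = '{password_hash}'")
    return conn.execute(query).fetchone() is not None


def login_parameterized(conn, username, password_hash):
    """GOOD: placeholders ship the values separately from the SQL text; the
    database treats them as data, never as syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(query, (username, password_hash)).fetchone() is not None


# Two classic payloads: comment out the password check, or make WHERE always true.
PAYLOADS = [
    ("admin' --", "wrong"),
    ("' OR '1'='1", "' OR '1'='1"),
]


def run_demo():
    """Return {input: (concatenated_result, parameterized_result)} for each payload,
    plus a legitimate login so the safe version is shown to still work."""
    conn = make_db()
    results = {}
    for user, pw in PAYLOADS:
        results[user] = (login_vulnerable(conn, user, pw),
                         login_parameterized(conn, user, pw))
    results["legit"] = (login_vulnerable(conn, "alice", "hash-of-alice-pw"),
                        login_parameterized(conn, "alice", "hash-of-alice-pw"))
    return results


if __name__ == "__main__":
    for name, (vuln, safe) in run_demo().items():
        print(f"{name!r:20} concatenated={vuln} parameterized={safe}")
```

With "admin' --" the concatenated query becomes `... WHERE username = 'admin' --' AND password_hash = 'wrong'`, and everything after "--" is a comment, so the attacker is logged in as admin without any password. The parameterized version looks for a user literally named "admin' --", finds none, and returns False, while the legitimate login succeeds in both.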
Supply Chain Attack
Summary: Indirect attack strategy via trusted third parties.
Core idea: A Supply Chain Attack compromises a supplier, vendor, or service provider so attackers can infiltrate downstream organizations through trusted software, services, or hardware.
Main risks: Large-scale compromise through a single weak link, stealthy entry via trusted channels, significant data and operational impact, and complex, multi‑party incident response.
Red flag: Unexpected or suspicious behavior tied to vendor software, updates, or remote access—especially across multiple systems at once—should be treated as potential supply chain compromise and investigated with both technical and vendor coordination.
T
Tactics, Techniques, and Procedures (TTP)
Summary: Threat intelligence and attack-behavior classification concept.
Core idea: TTP stands for Tactics, Techniques, and Procedures, describing the hierarchy from an attacker’s high-level objectives down to their specific methods and steps.
Main benefits: Provides a stable, behavior-focused way to understand, detect, and share information about attacker operations beyond quickly changing indicators.
Red flag: If an environment’s defenses and monitoring focus only on individual IOCs (like bad IPs or hashes) and not on underlying TTPs, it is more likely to miss repeated or evolved attacks that reuse the same behaviors with new technical artifacts.
Summary: Social‑engineering and financial fraud impersonating tax authorities or related agencies.
Core idea: Attackers scare victims with fake tax debts, audits, or refunds to pressure them into paying quickly or handing over sensitive information.
Main risks: Direct financial loss, identity theft, compromise of personal and business financial data, and stress or disruption around tax time.
Red flag: Any call, email, text, or message demanding immediate “tax payment” via gift cards, wire transfer, cryptocurrency, or payment apps—especially when paired with threats of arrest or legal action if you don’t comply right away.
Summary: Social‑engineering and fraud scheme masquerading as technical support.
Core idea: Attackers pretend to be legitimate support staff, invent or exaggerate problems, then pressure victims into paying for fake services or granting remote access.
Main risks: Financial loss, malware installation, account compromise, and data theft on personal or business devices.
Red flag: Any unsolicited call or pop‑up claiming there is something wrong with your computer or account and insisting you must grant remote access or pay immediately to “fix” it.
Threat Actor
Summary: Generic label for the “who” behind cyber threats and attacks.
Core idea: A threat actor is any person or group whose actions could harm systems, data, or organizations—ranging from criminals and nation‑state teams to insiders and hobbyists.
Main relevance: Helps describe and analyze attacks in terms of motives, capabilities, and behavior, so businesses can better understand their risk and plan defenses.
Red flag: When you see repeated suspicious activity following recognizable patterns (for example, specific phishing styles or tools), it likely points to an organized threat actor or group rather than random noise.
U
Unified Threat Management (UTM)
Summary: Consolidated network security platform/model.
Core idea: Unified Threat Management combines several security functions—firewall, intrusion prevention, VPN, web and email filtering, and more—into a single, centrally managed appliance or service to simplify protection at the network edge.
Main benefits: Easier management, broad baseline protection, and cost‑effectiveness for smaller environments or branch offices.
Red flag: Relying solely on a UTM—without additional layers like strong endpoint security, identity controls, monitoring, and incident response—can create a false sense of safety, especially as networks become more cloud‑ and remote‑work‑oriented.
V
Virtual Private Network (VPN)
Summary: Secure networking technology/service.
Core idea: A Virtual Private Network creates an encrypted tunnel between a device and a remote server, protecting data in transit and often enabling secure remote access to internal resources.
Main benefits: Better security on untrusted networks, secure remote connectivity for employees, and reduced exposure of internal systems.
Red flag: If an organization relies on VPN access but does not require strong authentication (such as MFA), patch the VPN gateway and client software promptly, or monitor VPN logins and activity, a stolen or guessed VPN credential can become a powerful entry point for attackers.
Virus
Summary: Malware category (self‑replicating code attached to host files).
Core idea: A virus is malicious code that attaches to legitimate programs or files and replicates when those hosts are run, often spreading and causing damage or disruption.
Main risks: Data corruption, operational disruption, wider spread through shared files and media, and additional malware being installed on infected systems.
Red flag: Repeated file corruption, unexpected changes to executables or documents, unusual behavior after using removable media, or multiple detections of similar malicious code on different files suggest an active virus infection that requires investigation and cleanup.
Vishing
Summary: Social‑engineering scam using voice calls and voicemails.
Core idea: Attackers impersonate trusted people or organizations on the phone to pressure victims into sharing sensitive information, granting access, or sending money.
Main risks: Financial loss, account compromise, identity theft, and business system breaches if employees are targeted.
Red flag: Any unexpected call that creates urgency and asks for passwords, PINs, one‑time codes, remote access, or unusual payments—especially when the caller discourages you from hanging up and calling back via official channels.
W
Worm
Summary: Malware category (self-propagating network-borne malware).
Core idea: A worm is malicious software that self-replicates and spreads autonomously—often by exploiting vulnerabilities or weak configurations—without relying on users to repeatedly run infected files.
Main risks: Fast, large-scale spread across networks, service disruption, delivery of additional malware (such as ransomware or botnets), and expensive, organization-wide remediation.
Red flag: Sudden increases in internal network scanning, many systems showing similar infections or alerts in a short time, or widespread service instability strongly suggest a worm or worm-like propagation and demand urgent containment and patching.
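Added example (not code from the original page) of detection logic for the first red flag above, run over constructed flow records: it flags any source that reaches many distinct hosts on one port within a short window, then reports when more than one source shows the same fan-out on the same port, which is the propagation pattern that separates a worm from a lone scanner. The addresses, port, timings and thresholds are constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_flows():
    """Constructed flow records (ts, src, dst, dport); not captured traffic."""
    base = datetime(2024, 5, 1, 10, 0, 0)
    flows = []
    # Patient zero sweeps 10.0.1.0/24 on SMB, one new host per second.
    for i in range(1, 31):
        flows.append((base + timedelta(seconds=i), "10.0.0.5", f"10.0.1.{i}", 445))
    # A normal workstation talking to a handful of web servers.
    for i, dst in enumerate(["10.0.2.10", "10.0.2.11", "10.0.2.12"]):
        flows.append((base + timedelta(seconds=5 + i), "10.0.0.9", dst, 443))
    # A host compromised by the sweep starts the same sweep 40 seconds later.
    for i in range(1, 31):
        flows.append((base + timedelta(seconds=40 + i), "10.0.1.7", f"10.0.3.{i}", 445))
    return sorted(flows)


def detect_fanout(flows, min_distinct=20, window=timedelta(seconds=60)):
    """Flag each (src, dport) that reaches min_distinct distinct hosts within window.
    Flows must be sorted by timestamp; one alert per (src, dport)."""
    history = defaultdict(deque)  # (src, dport) -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, dport in flows:
        key = (src, dport)
        hist = history[key]
        hist.append((ts, dst))
        while hist and ts - hist[0][0] > window:
            hist.popleft()
        distinct = {d for _, d in hist}
        if len(distinct) >= min_distinct and key not in alerts:
            alerts[key] = {"src": src, "dport": dport,
                           "distinct_dsts": len(distinct), "first_alert": ts}
    return sorted(alerts.values(), key=lambda a: a["first_alert"])


def propagation_summary(alerts):
    """Worm-like signature: more than one source showing the same fan-out on one port.
    Returns {dport: [sources in order of first alert]}."""
    by_port = defaultdict(list)
    for a in alerts:
        by_port[a["dport"]].append(a["src"])
    return {port: srcs for port, srcs in by_port.items() if len(srcs) > 1}


if __name__ == "__main__":
    found = detect_fanout(make_sample_flows())
    for a in found:
        print(f"{a['first_alert'].time()} {a['src']} -> {a['distinct_dsts']} hosts on tcp/{a['dport']}")
    print("propagating on ports:", propagation_summary(found))
```

The workstation on tcp/443 never reaches the threshold and is ignored; the two sweeping hosts are flagged in the order they started, and the summary ties them together on tcp/445. In practice the same logic is fed from NetFlow, firewall or EDR network telemetry, and the threshold is tuned against a baseline of what legitimate scanners and management hosts do.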
Z
Zero Trust
Summary: Security architecture and mindset.
Core idea: Zero Trust replaces implicit trust based on network location with explicit, continuous verification of users, devices, and actions, using least‑privilege access and an “assume breach” mentality.
Main benefits: Limits attacker movement and blast radius, better secures remote and cloud access, improves protection of sensitive data, and aligns security with real business context.
Red flag: Organizations that still rely mainly on “inside is trusted, outside is not”—with broad internal access and weak identity controls—are far from Zero Trust and remain highly exposed if a single account, device, or entry point is compromised.