68 Cybersecurity Key Terms you Should Know

Cybersecurity is littered with key terms and sayings that you should know for when you apply, and work within the cybersecurity industry. Although there are hundreds if not thousands of key terms, here are 81 cybersecurity key terms you should know. 

Table of Contents

Beginner Cybersecurity Terms (38 Terms)


A botnet is a term given to multiple devices connected to the internet, that are under the control of a single user, device, or organization which is typically used for malicious use. A botnet is commonly used to trigger a distributed denial-of-service attack (DDoS). 

Data Breach

A data breach is a term given to a security violation, leading to sensitive, protected or otherwise confidential information being transmitted or viewed. This is also referred to as a stolen data breach. An example of this would be your company getting hacked, and the attacker stealing/copying payslip information. 

DDos (or DoS)

A distributed denial-of-service (or denial-of-service) is where an attacker attempts to disrupt or cause downtime of key infrastructure or services within an organization. This could be a specific application or an array of devices. This is commonly used to cause disruption or to allow for further attacks to be delivered. 


Encryption is a form of data obfuscation (or data scrambling) where encryption keys, and other forms of confirmation are used to ensure only the intended user can read/use the data. Encryption takes human-readable data, encrypts it using a special key unique to that data and makes it unreadable. 

Read More: What is Data Encryption? (Beginners Guide)


Ransomware is a type of malware that commonly encrypts (deeming it unusable) or steals data before threatening to leak/release the information unless a ransom is paid. These ransoms are typically paid in cryptocurrency, and in most cases even if paid – does not unencrypt files. 

Data Integrity

Data Integrity is the term given to the ongoing maintenance, care, and assurance of data and information. This could be the accuracy, consistency, completeness and safety of data in relation. This can be both physical integrity, or logical integrity. It may also be subject to various compliance/regulatory aspects such as GDPR

False Positive

In cybersecurity, a false positive is an alert that incorrectly flags a threat, vulnerability, or attack that is present within an organization.  Think of this as a ‘false alarm’ to a fire, where the alarm ‘believes’ there is a fire, but there isn’t. 

True Positive

In cybersecurity, a true positive is an alert that correctly flags a threat, vulnerability, or attack that is present and likely occurring within an organization. This is a genuine threat and should be treated with extreme caution. 

False Negative

In cybersecurity, a false negative is where no alert is flagged, but a threat, vulnerability, or attack has taken place or been exploited. This means, that you have seen indicators of compromise, but the alert was never raised to suggest an attack had happened.


Authentication is the term given when trying to prove something (or someone) is what it says it is. This process is called authentication and typically checks multiple aspects to ensure something is what it is. An example of this would be a username and password, where the password is the authenticating aspect. 


Authorization is a term given to the process where a system, person, or other-likewise thing determines if another system, person, or other-likewise thing has permission to access, view or copy something. An example of this would be a file server, and the user accessing it. If the user has the authorization to view a file on the server, the file server will check and confirm before allowing access. 


Red team (red teaming) in cybersecurity relates to a group or single user who plays the role of an enemy, attacker, or competitor who can provide attacking feedback on an organization. For example, if you hire a hacker (or Penetration tester) to hack your network from the outside, this would essentially be a red-team role. 


Blue Team is the term that relates to the defence of a system or organization. Whilst a red-team role attacks and pokes to find exploits, a blue-team role is an opposite trying to prevent an exploit from being abused.

Black Hat

A ‘Black Hat’ is a term used referring to hackers/attackers who don’t abide by laws or ethical standards. A black hat hacker is typically someone who is hacking for enjoyment, or commercial gain in an illegal manner and does not have the authorization to hack 3rd parties. 

White Hat

A ‘White Hat’ is a term used referring to hackers/attackers who do abide by laws and ethical standards. A white hat hacker is typically someone who is hacking to find exploits or vulnerabilities and then takes that information and provides it to the attacked, in order to fix, improve, or better an organization’s cybersecurity. 


Malware is a broad term given to files, code, or other media types that are delivered over the internet (or an internal network) that can infect and conduct an attack in many forms on a device or system. Malware is often used interchangeably with a ‘virus’, as these terms both cover most attack types that use files (i.e malicious software).

MitM (Man-in-the-Middle)

A Man-in-the-Middle (MitM) attack is where an attacker can sit between two systems, users, or even networks in order to intercept, view, modify, and prevent communication with the intended recipient. As an example, this can be done through unsecured wireless access points – where an unathorized attacker can watch network communication and document transfer from one device to another – leading to modification of a document, or stealing of it. 

A MitM is also known as “Network Eavesdropping”. 


A phishing attack (pronounced fishing) is where an attacker sends thousands of emails that look like they’re from legitimate companies, that typically redirect, link, or otherwise lure a user to respond or react. A phishing attack could be an email from an attacker, that looks like an email from your bank asking you to confirm your credit card details. 

Whilst these are usually in bulk, direct phishing (known as spear phishing) is a direct, specific email for a single user, or organization which may be even harder to spot as fake. 


Spyware is a type of malware that aims to gather information about a system, network, or person before sending it back to the attacker. Whilst spyware in itself isn’t network-attacking software, it can lead to information disclosure about other weak points, leading to a heavier attack. Regardless, spyware is still dangerous as information about a business can be gathered quickly. 


Adware is a form of malware (although a weak one) that simply promotes advertising once installed. Often referred to as advertising software, adware simply promotes advertisements which can lead to phishing links or just ads that the software developers will commercially gain from. 

Attack Vector

An attack vector is a way for an attacker to gain access or exploit a system/service/network once found. An attack vector can be a small exploit in a piece of software or a network-wide vulnerability. The attack vector is simply the route an attacker can ‘get in’ and exploit further services/systems.

Dark Web / Dark Net

The dark web / dark net (often called the deep dark web) is a private array of servers/systems that allow for cybercriminals to gather and other illegal activity to take place where anonymity is at its peak. To access the dark web, you typically have to have specific software with unique configurations and authorization.

Whilst the dark web in cybersecurity refers to the illegal side, there are many legal ways to use the dark web, and most people who use it do not do it for illegal reasons. 


A virus is a common term given to an array of software/malware that often installs itself onto a device, before spreading to other devices/systems on the same network to infect those. Similarly to a human virus, the spread of a computer virus can be quite difficult to clean up once infected.  


In cybersecurity, a trojan (or trojan horse) is a piece of malware that misguides a user of its main goals/intent. This, for example, could be a ‘YouTube to MP3 converter’ which is actually a trojan piece of malware which downloads further malware or ransomware. 

The name Trojan comes from the Ancient Greek story of the Trojan Horse, where a horse was gifted to the enemy – but the recipient did not realise it was full of combatants. 

Trojan Horse (Greek Story - not Cybersecurity - but the same idea!)
Trojan Horse (Greek Story – not Cybersecurity – but the same idea!)


In cybersecurity, spoofing refers to when an attacker misleads a system or user by disguising themselves (or their commands) as something/someone else. For example, emails that appear to come from your CEO or boss to your direct email may be spoofed, as they appear to be your boss at face value. 

BYOD (Bring-Your-Own-Device)

Bring your own device is a term given to a device which is not owned but may be managed by an organization. For example, you may have a mobile phone which you use for work purposes, but is owned by you, and is also your personal phone. If you use this at work, this is technically part of BYOD. This can also be named BYOL (laptop) and BYOC (computer) depending on the device. 


Pentesting (or penetration testing) is a form of ethical hacking that is an authorized cyberattack that an organization may use to better their defence against a cyber attack. Pentesting typically comes as part of vulnerability assessments and other compliance requirements depending on the country of operations. 

MFA (Multi-Factor Authentication)

Multi-Factor Authentication (known as 2FA) is a term given to two or more authentication methods. For example, single authentication may be a username and password, but to better security using mobile authentication codes (MFA). You may notice this when logging into a banking app, where you are asked for a code once you’ve put your password in. This is MFA. 

Digital Forensics

Digital forensics is a term given to analysts who are trained on precise recovery, investigation, examination and analysis of devices/systems that have been (or thought to have been) infected by malware. This isn’t always a requirement, but in the event of a large-scale attack/data breach, an organization is likely required to pay for a digital forensics team to analyse how, and what happened. 

IoT (Internet of Things)

The Internet of Things (IoT) describes an array of devices or anything that can connect and communicate to the internet or other devices. Items such as smart bulbs to laptops all come under ‘IoT’. 

Blocklist (formerly Blacklist)

A blocklist is a list that allows you to restrict access from specific aspects, such as a user account, IP address or domain name. Whilst an allowlist lets you allow access, a blocklist will restrict access. An example of this is a malicious IP attempting to scan your network, you may opt to block this IP using a blocklist. 


A whitelist (better known as allowlist) is a list that is used to authorize/approve/allow an IP, user, device, or other variable access to a service/system. For example, if you and your team are the only people who need access to a server, you may opt to add an allowlist for just your team to access the server. 

PII (Personally Identifiable Information)

Personal data (or personally identifiable information) is information that can identify someone. This data includes names, phone numbers, emails, and house addresses and can even be a date of birth or medical records etc.

PII is often split into non-sensitive and sensitive data, where medical records and other ‘further’ data are sensitive whereas race, gender, date of birth or religion are all non-sensitive. 

SOC (Security Operations Center)

A Security Operations Centre (SOC) is a term used to describe a team of cybersecurity experts who use a SIEM or SOAR tool that creates alerts and incidents for review. A SOC uses multiple tools and is the heart and soul of cybersecurity for organizations. 

SIEM (Security Information and Event Management)

A SIEM (pronounced Seem) is a tool that collects information from multiple sources before formatting them (using normalization) into human-readable formats and allows for machine-lead correlation of the alerts. 

For example, a SIEM tool such as Microsoft Sentinel collects hundreds of thousands of events/logs from multiple systems, and uses machine learning to correlate, and aggregate the data for analysts to review.

Microsoft Sentinel - Voted best SIEM Tool 2022
Microsoft Sentinel – Voted best SIEM Tool 2022

SOAR (Security, Orchestration, Automation and Response

Security Orchestration, Automation and Response is a term that is a step up from a SIEM, where actions can be taken when certain criteria is met. A SOAR solution (like IBM’s CP4S) allows for automated action to be taken on a system, or user account that would prevent or limit an attack.

SSL (Secure Socket Layer)

SSL or Secure Sockets Layer is the standard for end-to-end encryption between a server and a client, which can be a web server. This encryption confirms and secures a connection to prevent from information being stolen whilst data is in transit. 

SIR/CSIRT (Security Incident Response/Cybersecurity Incident Response Team)

A SIR or CSIRT is a security incident response team that knows how to deal with, communicate and resolve a cybersecurity incident no matter the threat/incident at hand. They typically help in the day-to-day with other activities, however, have responsibilities to ensure incidents are dealt with fast and effectively. 

Intermediate Cybersecurity Terms (21 Terms)

APT (Advanced Persistent Threat)

An APT in cybersecurity typically refers to nation-backed actors (attackers) who have support from their government. Countries such as North Korea are typically hotspots for this, although unconfirmed. Advanced refers to the knowledge and ability of the attackers, persistence refers to the continuous 24/7 attacks. 

ATP (Advanced Threat Protection)

Advanced threat protection solutions (ATP) are typically big-box brand pieces of software that are designed to protect your organization from complex cyberattacks. Whilst most anti-viruses use signature matching (such as file hashes), advanced threat protection will leverage AI and machine learning to detect malicious activity even if it’s never been seen before.


A backdoor in cybersecurity refers to an exploit, or vulnerabilities (attack vectors) that an attack has either placed there or is leveraging if they are found. An example is if an attacker was able to gain access to a device and place a backdoor before they were cut out of the device. They may be able to use the backdoor to gain access again, despite being kicked out and blocked from one attack vector. 

BFA (Brute Force Attack)

A brute-force attack is an attack type (with other sub-types) that allows an attacker to try to log in or access a system/user account by trying multiple combinations in rapid succession. A common brute-force attack is a password spray or dictionary brute-force attack where an attacker will use common words in quick succession against one account in an attempt to guess right after hundreds of thousands of attempts. 

DLP (Data Loss Prevention)

Data loss prevention is a set of procedures and tools that are designed to ensure that data is not lost in any way. This covers both data at rest, and in transit but also the usage of data and is often aligned with government compliance requirements. 

MDR (Managed Detection and Response)

MDR or managed detection and response is a service that is often sold by technology resellers that allow for managed detection and response (using a SIEM or SOAR tool) to allow a business to focus on other matters, whilst outsourcing their cybersecurity monitoring. 

DNS (Domain Name System)

DNS refers to a way of mapping domain names (like hakubi.io or google.com) to computers. This naming system is one of the core practices of the internet,  and whilst being used for domains like the above and linking to web servers, can be used in a business for easy access to resources without having to type IP addresses/port numbers etc. 

Digital Transformation (Business-term)

Digital transformation is a term used by organisations that are making a leap towards better technology used for their business. This means creating new, or modifying business-focused requirements whilst using technology to their advantage. 

EDR (Endpoint Detection and Response)

An Endpoint Detection and Response solution is like an anti-virus but on a much more advanced level, where detection of threats (both zero-day/new and old) can be detected, reported on, and responded to automatically. These are typically run-off rule-based detection and response features. 

Drive-By Attack

A drive-by download attack is an unintentional download of malicious scripts or code to your device. Whilst this in itself might not be an issue, it often leaves you open to further attacks such as device hijacking and spyware. It can also lead to the download of PUAs (Potentially unwanted applications). 

FIDO (Fast Identity Online)

FIDO or Fast Identity Online is a simpler and stronger way to authenticate online. By using passkeys and other authentication methods such as biometric methods, FIDO is a provider of SSO (single-sign-on) that uses newer, more secure authentication methods.

IR Plan (Incident Response Plan)

An incident response plan is a plan, policy, or document that is used by senior cybersecurity experts to deal with genuine incidents/threats. These typically outline key contacts, processes, and timings which will help guide a fast and effective incident response. 

IAM (Identity and Access Management)

IAM or Identity and Access Management is a framework (and or service) that ensures that users wanting to access something have the right access and permissions to do so. This is similar to authorization but looks at a wider landscape for a user account and or device. 

IOCs (Indicator of Compromise)

An indicator of compromise is a term used that helps identify when an attack has taken place or could happen at any point. An IOC could be anything from a file hash, IP address, file name, and much more. If these IOCs are seen, they can be used to correlate other attacks and get a fuller understanding of an attack. 

IPS (Intrusion Prevention System)

An IPS are typically a piece of hardware or software, but can also refer to a framework of aspects that can prevent intrusion within an organization. An IPS will screen and evaluate all network traffic to see if it’s normal and expected, or malicious and unexpected. These can also be configured to business-specific requirements. 

Insider Threat

An insider threat is a term given to an attack vector (a way an attacker can get into a business’s systems/service) that is commonly exploited by a staff member of the organization. This can be both intentional, and unintentional. An intentional insider threat could be someone leaking their password to a server or system with admin privileges, whereas an unintentional could be something like a well-disguised phishing email. 


Spearphishing is the term given to a phishing email that is direct and targeted. Where a phishing email may be sent to hundreds or thousands at once, spear phishing could be user or organization-specific and is commonly has the sole intent to gain access to a user’s information, account, or a way into the organization. 

Threat Intelligence (CTI/TI)

Threat Intelligence is the field of cybersecurity where researchers find intelligence relating to new attacks, upcoming attacks, and other threats in the landscape. This information doesn’t nessersairly come within a team and more frequently is by using open-source tools like AlienVault or news websites. 


A zero-day is an attack, or most commonly a vulnerability that has never been seen before, and is used to gain access to a user account, device, software, service, or network. These vulnerabilities are typically unexpected, and can’t be patched for a number of days (or hours depending on severity) and will often cause widespread issues.

The most notable zero-day was Log4J, a Linux-based log tool which caused almost 20% of organizations worldwide to be affected by it, and a patch wasn’t released for a number of days – with many instances still being exploited today. 

SSO (Single Sign-On)

SSO refers to single-sign which is a new form of authentication. Companies such as Okta provide SSO where a user can have one account, and leverage SSO to only need to sign in once to be able to authenticate on multiple applications, typically cloud-based. 

Okta Single Sign-On Services
Okta – SSO (Single Sign-On)

Social Engineering

Social engineering refers to an attack tactic where an attacker will use physiological manipulation in order to gain information, or trust within an organization despite not being authorized to do so. An example of this in the simplest of terms could be getting let into a secure-card building, before asking the staff of a business for information despite not being an employee of that business. 

Advanced Cybersecurity Terms (9 Terms) 

MITRE ATT&CK Framework (and its contents)

The MITRE ATT&CK framework is a framework that allows for every kind of attack (both known and unknown) to be aligned to a framework item, or category. The contents of this list as massive, but can prove to be beneficial once learnt. The MITRE ATT&CK framework is one of the biggest, and most used in the world. It can be found on their website.

MITRE ATT&CK Framework - One of the Cybersecurity Key Terms
MITRE ATT&CK Framework

Process Hollowing

Process hollowing is a vicious attack exploit that allows an attacker to remove code within an executable file or process, before replacing it with malicious content. Once this code is run (as a genuine piece of software), the malicious code is also run causing malware or other attack vectors to be used.


Sandboxing refers to the process of purposefully opening malicious (or seemingly malicious) software or files without the risk of infecting other devices. A sandbox is commonly a virtual machine that can be turned off, reset, and managed rapidly, but commonly has tools on it that allow for analysis of the file system to see how a piece of malware operates. 

SECaaS (Security as a Service – also known as MDR)

Security-as-a-Service (SECaaS) which can also be referred to as MDR (managed detect and response) allows a business to provide a security service to other businesses. This means complete management of one organization’s security could be managed by a completely separate organization. 


A rootkit is a collection of software, typically malware that is stored within an OS root file (System32 for Windows) and allows for open-door access to a device or system without the owner knowing it. It often masks itself as genuine software and can replace files that appear genuine. 

Fileless Malware

Fileless malware is malware that hides within legitimate programs, without files being left behind which could expose itself. Commonly, fileless malware will remain within a computer’s RAM which is cleared regularly as it’s never saved memory and in most cases would need computer forensics to be recovered, if at all possible. 


A honeypot is a term that cybersecurity experts use to gather information about attacks, by purposefully leaving systems open to vulnerabilities, exploits, and other attacks to learn about it. These honeypots are often specially configured virtual machines and can never lead to a genuine attack, but simply learn about an attack. 


A keylogger is a type of malware that remains on a device and registers/logs keystrokes on a keyboard. For example, a keylogger may be installed or find its way onto a device, where the user types their username and password which an attacker can use for further access to a system. 

Threat Hunting

Threat hunting relates to the process of hunting for threats using IOCs, and other information that may signal an attack could be happening. Threat hunting is not always IOC related, however, is the easiest way of doing it. For example, hunting for a file that has not been seen on any systems (based on alerts and detection) using its file hash could bring back a result that was not picked up by a SIEM. 

Why does Cybersecurity have so many abbreviations?

I couldn’t say! Cybersecurity, just like normal technology abbreviates almost everything to some extent. As you can see from above, many people use abbreviations as it’s easier to remember or shortner a conversation. This would work quite well if people knew said abbreviations. It doesn’t always help however when companies abbreviate with the same word – such as a ‘WAF’. (Web Application Firewall – or Web Application Formats).

Conclusion on Cybersecurity Key Terms

Overall, whether you’re looking to start a new career, or how to abbreviate a term, we hope that this list has been helpful to you. We refer back to it all the time, so why not keep it favourited and come back when you need to know a term.

Photo of author

About the Author

Charlie K

Charlie has been working with technology since the age of 6, and has skilled up on all things technical. Cybersecurity is one aspect that has never failed to disappoint. After several years in the industry, Charlie is branching out to help others get into the industry.

Leave a Comment