Gene's Field Notes

Security Glossary

Plain-language definitions of terms used across this site. Written for practitioners and technically curious readers, not compliance checklists.

A

APT (Advanced Persistent Threat)
A long-running attack campaign, typically by a nation-state or state-sponsored group, designed to maintain undetected access to a target environment over months or years. Unlike opportunistic attacks, APTs are targeted and patient. The goal is usually intelligence collection, sabotage, or pre-positioning for future operations rather than immediate financial gain. If you are a small business or individual, you are almost certainly not dealing with an APT. If you work in defense, critical infrastructure, or government contracting, the calculus changes.
AiTM (Adversary-in-the-Middle)
An attack where the attacker sits between you and the legitimate site, relaying traffic in real time. Unlike classic phishing, AiTM captures your session cookie after you successfully authenticate, including after MFA. This is how attackers bypass MFA: with the stolen cookie, they get into your account without having to present your password or one-time code themselves.

C

Credit Freeze
A federally protected right that blocks any new credit account from being opened in your name. Free at all three major bureaus (Equifax, Experian, TransUnion) and takes effect within one business day online. A freeze is stronger than a credit lock: a lock is a private contract with the bureau, a freeze is a legal right under the FCRA. Temporarily lift it when you need to apply for credit, then refreeze. If your SSN was exposed in a breach, a credit freeze is the first thing you should do, not the last.
Credential Stuffing
Automated attacks that take username/password pairs leaked in one breach and try them on other services. Effective because most people reuse passwords. A single breach of a low-value site becomes the keys to your email, bank, or cloud accounts if you reused that password.

D

Dark Web
The portion of the internet not indexed by standard search engines and accessible only through anonymizing tools like Tor. It hosts both legitimate privacy uses and criminal marketplaces where stolen data, malware, and access credentials are bought and sold. Breach victims' data frequently appears on dark web markets within hours of exfiltration, often months before official notification letters arrive. The dark web is less mysterious than it sounds: it is a distribution channel for stolen data, not a different internet.
Data Breach
Unauthorized access to and exfiltration of data from a system or database. A breach is not the same as a hack. Data can be exposed through misconfigured storage, insider access, or third-party vendor compromise without any attacker ever "breaking in."
Deepfake
AI-generated audio, video, or images that convincingly impersonate a real person. In security contexts, deepfakes are used as a social engineering tool: cloned executive voices authorizing wire transfers, synthetic video calls impersonating colleagues, AI-generated phishing messages that match someone's actual writing style. In 2024, a finance employee at a multinational company transferred $25.6 million after a video call where every participant except him was a deepfake. The threat is not the video quality. It is that humans are not wired to be skeptical of what they see and hear in a meeting.
Double Extortion
A ransomware attack model where the attacker both encrypts the victim's systems and exfiltrates the data before doing so. The victim faces two simultaneous demands: pay to decrypt, and pay to prevent publication or auction of the stolen data. If the ransom is declined, the attacker sells or publicly releases the data. Rhysida, the ransomware group behind the MedStar Health breach, operates on this model. Double extortion means a backup strategy alone is no longer sufficient protection against ransomware: even if you restore from backup, the data is already gone.

E

EDR (Endpoint Detection and Response)
Security software that runs on individual devices (endpoints) to monitor for suspicious behavior, detect threats, and enable response. Different from traditional antivirus: EDR watches behavior patterns rather than just known malware signatures.
Email Bombing (Subscription Bombing)
An attack technique where automated tools register a target's email address with thousands of legitimate mailing lists simultaneously, generating hundreds to thousands of confirmation and welcome emails within minutes. The flood is not the attack. It is cover for an attack already in motion: a transaction confirmation, password reset, or new-device alert is buried in the noise while the victim scrambles to clear their inbox. Documented in Black Basta ransomware campaigns at over 1,500 emails per hour. The defense is inbox filters that surface financial and security alerts before an attack happens, not after.

F

FIDO2 (Fast Identity Online 2)
The standard behind hardware security keys (like YubiKey) and passkeys. FIDO2 authentication is phishing-resistant by design: the credential is cryptographically bound to the specific website's origin. An AiTM proxy fails the check because it is served from a different origin than the real site, so the credential cannot be used through it. FIDO2 is the authentication standard that actually stops the attack techniques that bypass traditional MFA. WebAuthn is the browser API that implements FIDO2; the terms are often used interchangeably in documentation.

I

Infostealer
Malware designed to silently harvest credentials, session cookies, browser-saved passwords, cryptocurrency wallets, and other sensitive data from an infected machine. Infostealers are frequently sold as a service. Their logs (bulk exports of stolen data) are bought and sold on criminal marketplaces and are the upstream source of many account takeovers.
Incident Response (IR)
The structured process an organization follows when a security incident occurs. The standard framework has six phases: Prepare (tools, plans, training before an incident), Identify (determine that an incident is happening), Contain (stop the spread), Eradicate (remove the attacker or malware), Recover (restore normal operations), and Review (learn from what happened). The review phase is the one most organizations skip, which is why they repeat the same incidents. An IR plan written before an incident is worth ten times one written during.
Insider Threat
A security risk originating from someone with legitimate access to your systems: employees, contractors, or partners. Insider threats are the hardest category to detect because the access being misused is authorized access. Motivations range from financial gain to grievance to negligence. The standard controls are separation of duties (no single person has unchecked access to sensitive systems), robust access logging, and least-privilege access policies. Edward Snowden is the most cited example, though the vast majority of insider incidents are accidental rather than malicious.

L

Lateral Movement
The techniques attackers use to move from an initial foothold to other systems in a network. Compromising one account or machine is rarely the end goal. Lateral movement is how attackers reach the data, systems, or privileges they actually want.

M

MCP (Model Context Protocol)
An open standard released by Anthropic in November 2024 that gives AI assistants a standardized way to connect to external systems: databases, file systems, APIs, and developer tools. MCP servers expose data the AI can read and tools the AI can execute: write a file, run a query, send a message. The governance problem is that MCP servers run as child processes of trusted developer tools, use no authentication by default, and leave no footprint in standard security monitoring. Developers are deploying them faster than security teams know they exist.
Medical Identity Theft
Fraud where someone uses your identity to receive medical care, obtain prescriptions, or file insurance claims. Unlike financial identity theft, the damage is not just monetary: fraudulent entries corrupt your actual health records. Wrong medications, wrong blood type, wrong diagnoses on file in systems used during emergencies. A full medical record (name, SSN, date of birth, diagnoses, insurance information) sells for $250 to $1,000 on criminal markets because the data is permanent and the fraud is hard to detect. Credit monitoring does not catch it.
MFA (Multi-Factor Authentication)
Requiring more than one form of verification to authenticate: something you know (password), something you have (phone or hardware key), or something you are (biometric). MFA blocks most automated attacks but does not stop all targeted attacks. AiTM, SIM swapping, and MFA fatigue attacks all bypass traditional MFA.
MFA Fatigue
An attack that floods a target with push notification approval requests until they approve one out of frustration or confusion. Requires the attacker to already have the victim's password. Used in high-profile attacks against Uber and Cisco.

O

OAuth (Open Authorization)
A standard that lets third-party apps access your accounts without needing your password. When you click "Sign in with Google" or "Connect your calendar," you are granting an OAuth token with specific permissions. Those tokens persist indefinitely unless you revoke them. High-risk OAuth scopes include Mail.Read, Mail.ReadWrite, and offline_access: an app with these permissions can read every email you receive regardless of future password changes. After compromising an account, attackers often add a malicious OAuth app as a persistence mechanism that survives password resets.
OTP (One-Time Password)
A password valid for a single use or short time window. The 6-digit code texted to your phone is an OTP. SMS-based OTPs are vulnerable to SIM swapping and AiTM attacks. App-based TOTP codes are more secure than SMS but still phishable.

P

Password Manager
Software that generates, stores, and autofills unique credentials for every account. The core value is simple: you cannot reuse passwords if the manager is generating them for you. A 2024 analysis of 19 billion exposed passwords found 94% were reused or duplicated. A password manager eliminates that attack surface entirely. Reputable options include Bitwarden (open source, free) and 1Password (paid, family plan). Avoid LastPass: attackers exfiltrated encrypted vaults in 2022 and anyone with a weak master password remains at ongoing risk. Browser-based password saving is acceptable for low-risk accounts but insufficient for email, banking, or anything tied to your identity.
Passkeys
A phishing-resistant authentication standard that replaces passwords with cryptographic key pairs. The private key never leaves your device; authentication requires your device plus a local verification (biometric or PIN). Passkeys cannot be phished, stuffed, or stolen in a server-side breach because the server only stores a public key.
PHI (Protected Health Information)
Any individually identifiable health information covered by HIPAA: diagnoses, treatment records, prescriptions, insurance information, billing records, and any other data that can be linked to a specific patient. PHI is the category of data involved in healthcare breaches, which is why those breaches carry heavier notification requirements and higher regulatory penalties than most. PHI has a long shelf life: unlike a credit card number, a diagnosis or SSN cannot be canceled. A full PHI record sells for significantly more on criminal markets than a financial record alone.
Phishing
Deceptive messages designed to trick targets into revealing credentials, clicking malicious links, or taking actions that benefit the attacker. Spear phishing is targeted at a specific person or organization using personalized context. Phishing is the initial access technique behind the majority of breaches.
Prompt Injection
An attack where malicious instructions are embedded in content an AI system processes, causing it to take unintended actions on behalf of the attacker. In a web browsing AI, a hidden instruction on a webpage might tell the model to exfiltrate data or send a message. In an MCP context, a tool description could contain instructions that redirect the AI's behavior without the user knowing. Prompt injection is to AI systems roughly what SQL injection is to databases: the AI blindly executes instructions it should be treating as data.

R

Ransomware
Malware that encrypts a victim's files or systems and demands payment (typically in cryptocurrency) for the decryption key. Modern ransomware operations are professional criminal enterprises with support desks, negotiation teams, and affiliate programs. The "as-a-service" model means attackers rent the ransomware platform and split the ransom with the developers. Ransomware is the most financially damaging category of cybercrime: the average cost of a ransomware recovery in healthcare exceeded $10 million in 2024, not counting ransom payments.
Ransomware-as-a-Service (RaaS)
A criminal business model where ransomware developers license their tools and infrastructure to affiliate attackers who conduct the actual intrusions. The developers take a percentage of each ransom. Affiliates get a proven platform, negotiation support, and a dark web leak site without having to build any of it. Rhysida (used in the MedStar breach), LockBit, and BlackCat/ALPHV all operate on this model. RaaS lowered the technical bar for running ransomware campaigns significantly: you no longer need to write malware to deploy it.

S

Session Hijacking
Stealing an authenticated session cookie to impersonate a logged-in user without needing their password or MFA code. Modern AiTM attacks are primarily session hijacking attacks. Cookie theft via infostealer malware is the other common vector.
SIM Swapping
Social engineering a mobile carrier into transferring a victim's phone number to an attacker-controlled SIM card. Once successful, the attacker receives all SMS messages sent to that number, including MFA codes. Used in attacks against crypto holders and, notably, the 2024 SEC X account compromise.
Session Token
A credential issued by a server after successful authentication that proves you are logged in, without requiring you to re-enter your password on every request. Stored as a cookie in your browser. Session tokens have become the primary target of modern attackers because stealing one bypasses the entire authentication process, including MFA. AiTM phishing captures them in real time; infostealer malware harvests them from browser storage; token replay attacks reuse them from different devices. Shorter token lifetimes and continuous access evaluation reduce the window of exposure after a token is stolen.
Shadow IT
Software, services, or systems used within an organization without the knowledge or approval of the IT or security team. The term originated with personal smartphones in enterprise environments around 2009. It now includes unsanctioned SaaS tools, developer tools, AI integrations, and MCP servers. Shadow IT is not inherently malicious: most of it is employees using tools that help them work. The problem is that unapproved tools bypass security review, data classification, access controls, and vendor vetting. You cannot protect what you do not know exists.
Social Engineering
Manipulating people into taking actions or revealing information rather than exploiting technical vulnerabilities. Phishing is social engineering via email. Vishing is the phone-based version. Pretexting involves fabricating a scenario to establish false trust before making a request. Most major breaches involve social engineering at some stage: technical defenses stop automated attacks, but a person who is convinced they are helping IT support can hand over access no exploit could reach. AI has made social engineering significantly more scalable by reducing the cost of high-quality, personalized messaging.
Supply Chain Attack
An attack that targets a vendor, dependency, or third party to compromise downstream users who trust that component. Rather than attacking a hardened target directly, the attacker compromises something that target depends on. The SolarWinds attack in 2020 is the most cited example: attackers inserted malware into a software update trusted by 18,000 organizations. In the npm ecosystem, supply chain attacks frequently target widely used packages that are pulled as transitive dependencies by thousands of projects. Any MCP server that uses npm packages inherits the supply chain risk of every package it depends on.

T

TOTP (Time-Based One-Time Password)
The algorithm behind authenticator apps like Google Authenticator, Authy, and 1Password. Generates a 6-digit code that changes every 30 seconds based on a shared secret and the current time. More secure than SMS OTP but still vulnerable to real-time phishing and AiTM attacks.

Z

Zero-Day
A software vulnerability that is unknown to the vendor and has no available patch. "Zero days" refers to the time the vendor has had to fix it. Zero-days are valuable, expensive, and primarily used by nation-state actors and sophisticated criminal groups. Most attackers don't need them because unpatched known vulnerabilities are plentiful.