The Glossary.

Microsoft's enterprise directory and authentication service. The richest attack surface in most enterprise environments, with established kill chains from low-privileged user to Domain Admin.

See also Kerberos, LDAP, Privilege Escalation, Lateral Movement

A red-team variant where the operators imitate a specific named threat actor — its TTPs, tooling, infrastructure pattern — to test whether defenses tuned for that actor actually catch it.

See also Red Team, MITRE ATT&CK, APT

EU regulation (2024/1689) classifying AI systems by risk tier with corresponding obligations. Cybersecurity duties apply to high-risk systems and general-purpose AI models.

See also CRA, GDPR / DSGVO

A managed front door for APIs — handling authentication, rate limiting, request routing, and observability. Where most modern web traffic actually first hits a security control.

See also WAF, OAuth 2.0, JWT

A threat actor characterized by sustained, well-resourced, multi-stage operations against specific targets — typically state-aligned or state-sponsored. The label is overused; the meaning is operational, not legal.

See also Threat Actor, Adversary Emulation, TTP

An engagement that starts inside the perimeter — for example, with an attacker-controlled workstation — to bypass the (already-tested) external surface and focus on lateral movement and blast radius.

See also Red Team, Lateral Movement, Blue Team

Reaching an authenticated state without valid credentials — via logic flaws, hardcoded credentials, mass-assignment, or session-handling defects.

See also Session Fixation, JWT

Germany's integrated supervisor for banks, insurers, payment service providers, and securities markets. Publishes the BAIT/VAIT/KAIT/ZAIT requirements and is the competent national authority under DORA.

See also BAIT, VAIT, KAIT, ZAIT, DORA, MaRisk

BaFin's IT-supervisory requirements for credit institutions — covering IT governance, information security, identity management, and outsourcing. The interpretation framework for §25a KWG.

See also BaFin, VAIT, MaRisk, DORA

Testing from an outside attacker's perspective, with no internal knowledge, accounts, or source code provided. Maximizes realism, minimizes depth per unit of time.

See also White Box Testing, Grey Box Testing, Assumed Breach

The defensive counterpart to red — the people, tooling, and detections that protect, monitor, and respond. In an exercise context, the team being tested.

See also Red Team, Purple Team, SOC

Germany's federal cybersecurity authority. Sets technical baselines (IT-Grundschutz, C5), certifies products and personnel, oversees KRITIS operators, and acts as the national NIS2 competent authority.

See also KRITIS, BSI IT-Grundschutz, BSI C5, NIS2

A BSI-published audit catalog for cloud-service providers, increasingly required by German public-sector and regulated customers when procuring cloud services.

See also BSI, ISO/IEC 27001

The BSI's modular control catalog for managing information-security risk in German organizations. ISO/IEC 27001 compatible; common path to certification for public-sector and KRITIS bodies.

See also BSI, ISO/IEC 27001

A program that pays external researchers for valid vulnerability reports against a defined scope. Complements but does not replace engagement-based testing.

See also Responsible Disclosure, Penetration Test

A defect where every individual request is authenticated and authorized correctly, but the sequence or combination of requests violates the application's intended rules — e.g., a discount applied twice, a checkout completed without payment.

See also IDOR, Race Condition

EU directive (2022/2557) on the physical resilience of critical entities — the non-cyber companion piece to NIS2.

See also NIS2, KRITIS

An entity that issues digital certificates after verifying the identity of the requester. Trust in a CA is itself trust in its policies, audits, and key custody.

See also PKI, TLS

The automated pipeline that builds, tests, and deploys software on every change. Security-relevant choke points are secret handling, supply-chain trust, and deployment-key custody.

See also IaC, DevSecOps

The communication channel between a compromised host and attacker-controlled infrastructure that issues commands and receives results. Modern C2 frequently mimics legitimate web or cloud traffic.

See also Persistence, Foothold

Injection of attacker-controlled commands into a call passed to the underlying operating-system shell. Typically leads to immediate remote code execution as the application user.

See also SQL Injection, Insecure Deserialization

A lightweight, isolated process bundle that shares the host kernel but has its own filesystem, network, and process view. The standard packaging unit for cloud-native applications.

See also Kubernetes (K8s), IaC

Overly permissive CORS headers (e.g., `Access-Control-Allow-Origin: *` combined with credentials) that let attacker-controlled origins read protected responses.

See also XSS, CSRF

EU regulation (2024/2847) setting horizontal cybersecurity requirements for products with digital elements — across hardware and software. Comes into force in stages from 2026.

See also ENISA, AI Act, NIS2

The OWASP-renamed bucket for what used to be called sensitive-data exposure: missing encryption, weak algorithms, bad key management, mishandled certificates.

See also TLS, Hash Function, PKI

An attack that causes an authenticated user's browser to issue an unintended state-changing request to a trusted application. Defended by anti-forgery tokens or same-site cookie policies.

See also XSS

A skill-building competition format where participants exploit prepared challenges to retrieve hidden tokens (flags). Two main variants: jeopardy-style and attack-defense.

The MITRE-curated identifier system for publicly disclosed vulnerabilities. A CVE is a name; CVSS is a score; KEV is a curated subset of actively exploited ones.

See also CVSS, CWE, Zero-Day

A standardized 0.0–10.0 severity-scoring framework for vulnerabilities. CVSS 3.1 is the current widespread version; CVSS 4.0 (2023) adds more contextual metrics.

See also CVE, CWE

A MITRE-curated taxonomy of software-weakness types. Where CVE names a specific instance, CWE names the class of weakness it belongs to.

See also CVE, CVSS

A seven-step model of an intrusion (recon, weaponization, delivery, exploitation, installation, command-and-control, actions on objectives) introduced by Lockheed Martin in 2011. Useful for narrative reporting; less granular than ATT&CK.

See also MITRE ATT&CK, Diamond Model

An ICS variant designed for plant-scale process control — refineries, power generation, chemical plants — with controllers, HMIs, and engineering stations on a tightly integrated network.

See also ICS, SCADA

The classical principle of layering independent controls so that the failure of any single layer does not compromise the system. Complementary to, not replaced by, Zero Trust.

See also Zero Trust

The practice of integrating security activities — threat modeling, automated testing, dependency scanning — into the same pipeline that builds and deploys software.

See also CI/CD, IaC

A four-vertex analytical framework — adversary, capability, infrastructure, victim — for structured note-taking on a single intrusion event. Pairs naturally with ATT&CK for TTPs.

See also MITRE ATT&CK, Cyber Kill Chain

Brute-force enumeration of paths and files on a web server, using wordlists tuned to the detected stack. Surfaces hidden admin panels, backup files, legacy endpoints.

See also Fingerprinting

Controls — at endpoint, network, and cloud-storage layers — that classify sensitive data and block disallowed transfers. Effective against accidents and lazy insiders, evadable by motivated attackers.

See also Exfiltration

An XSS variant where the malicious payload is introduced and executed entirely within the browser via unsafe handling of DOM sinks, with no server-side reflection.

See also XSS

EU regulation (2022/2554) for the financial sector, harmonizing ICT risk management, incident reporting, resilience testing (including TLPT), and oversight of critical third-party providers. Directly applicable since January 2025.

See also NIS2, TLPT, TIBER-EU, BaFin, BAIT, VAIT

Compute and storage placed close to data sources or end users, instead of in a central data center or cloud region. Reduces latency; multiplies the attack surface that must be physically protected.

See also IoT, OT

Endpoint-resident agents that observe process, file, network, and registry activity, ship telemetry, and enable remote response actions. The successor to traditional antivirus.

See also XDR, MDR

EU regulation governing electronic identification and trust services (signatures, seals, time stamps). eIDAS 2.0 introduces the EU Digital Identity Wallet.

See also PKI, Certificate Authority (CA)

The EU cybersecurity agency. Publishes threat landscapes, certification schemes, and implementation guidance — including for NIS2, CRA, and the Cybersecurity Act.

See also NIS2, CRA, AI Act

The not-for-profit governance body for TISAX and ENX, the secure automotive industry network. Accredits TISAX audit providers and operates the result-exchange portal.

See also TISAX, VDA ISA

Removing data from the target environment to attacker-controlled storage. Modern exfiltration is throttled and channel-disguised to slip past data-loss prevention.

See also DLP, Post-Exploitation

Working code that takes a vulnerability from theoretical to actual — gaining unauthorized access, execution, or data. Distinct from a proof-of-concept by intent and reliability.

See also Proof-of-Concept (PoC), Zero-Day, CVE

Identifying the specific software stack — server, framework, library version — of a target via header patterns, error pages, default content, or behavioral probes.

See also Reconnaissance, Directory Fuzzing

A persistent presence in the target environment from which an attacker can operate. Typically a compromised host with reliable callback to attacker-controlled infrastructure.

See also Initial Access, Command & Control (C2), Persistence

EU regulation 2016/679 on the processing of personal data. Mandates technical and organizational measures, breach notification within 72 hours, and the right to data-subject access.

See also LINDDUN, DLP

Testing with partial information — typically authenticated user accounts and high-level architecture, but no source. The most common mode for application assessments.

See also Black Box Testing, White Box Testing

Authentication material baked into source code, configuration files, or firmware images. Eliminated by secret managers and build-time injection, not by `.gitignore`.

See also Misconfiguration, HSM

A one-way function mapping arbitrary input to a fixed-length digest. Security-relevant properties: pre-image resistance, second-pre-image resistance, collision resistance.

See also SHA-256, HMAC, Salt

A construction that combines a cryptographic hash with a shared secret to produce a message authentication code. Resistant to length-extension attacks that plain `hash(key || message)` is not.

See also Hash Function, SHA-256

The operator-facing display and control surface for an industrial process. Increasingly browser-based, increasingly exposed to the same vulnerability classes as web applications.

See also SCADA, PLC

An intentionally exposed system with no legitimate purpose, designed to attract attackers so their behavior — and indicators — can be captured. Useful for early-warning and threat intelligence.

See also IOC, Threat Hunting

A tamper-resistant hardware device that generates, stores, and uses cryptographic keys without ever exposing the key material to host memory. Mandatory for high-assurance key custody.

See also PKI, Certificate Authority (CA)

Provisioning and configuring infrastructure through machine-readable definitions (Terraform, Pulumi, CloudFormation) rather than console clicks. Enables review and reproducibility.

See also Container, CI/CD

The discipline and tooling for managing who can do what in a system — users, groups, roles, policies, sessions. In cloud contexts, the highest-leverage attack surface.

See also SSO, MFA, Zero Trust

The umbrella for systems that monitor and control physical industrial processes — from a single PLC to a plant-wide DCS. Security model is fundamentally different from IT: safety and availability first, confidentiality last.

See also SCADA, PLC, DCS, OT

An authorization flaw where a user can access another user's records by guessing or altering an identifier in the request, because the server checks authentication but not ownership.

See also Business Logic Flaw, Authentication Bypass

A monitoring system that observes network or host activity and raises alerts when it matches attack signatures or anomaly profiles. Detection only, no blocking.

See also IPS, SIEM

The first foothold an attacker establishes inside a target environment — through phishing, exposed credentials, exploitable service, or supply-chain compromise.

See also Phishing, Foothold, Lateral Movement

Reconstruction of attacker-controlled serialized objects (Java, .NET, PHP, Python) leading to gadget-chain remote code execution. Hard to remediate without library upgrades.

See also Command Injection,

A vulnerability class where the server stores or executes uploaded files without sufficient validation, allowing webshells, archive bombs, or content-type confusion attacks.

See also Path Traversal, Command Injection

An observable artifact — IP address, file hash, domain, registry key — that suggests an intrusion may have occurred. Useful for known-bad detection; brittle against novel adversaries.

See also TTP, STIX / TAXII

Network-connected embedded devices outside the traditional IT inventory — sensors, cameras, building automation, consumer electronics. Notorious for unpatched stacks and hardcoded credentials.

See also OT, Hardcoded Credentials

An IDS variant that sits inline and drops, resets, or rewrites traffic when it matches an attack pattern. Active mitigation; risks false-positive disruption.

See also IDS, WAF

The international standard for information-security management systems (ISMS). Specifies the process; Annex A lists the controls. The 2022 revision modernized the control set.

See also ISO/IEC 27002, BSI IT-Grundschutz, SOC 2

The companion standard to ISO/IEC 27001, providing implementation guidance for each Annex A control. Reference rather than certification target.

See also ISO/IEC 27001

A signed, base64-encoded token format used for stateless authentication. Easy to misuse: accepting `alg: none`, weak signing keys, and missing audience validation are the recurring traps.

See also OIDC, OAuth 2.0

BaFin's IT-supervisory requirements for capital-management companies (asset managers under the KAGB).

See also BaFin, BAIT, VAIT

A ticket-based network authentication protocol designed in the 1980s and the foundation of Active Directory authentication. Attacks include Kerberoasting, AS-REP roasting, and Golden Ticket forgery.

See also Active Directory (AD), Privilege Escalation

The German regulatory category for operators of critical infrastructure across nine sectors. Subject to BSI oversight, mandatory state-of-the-art security, and incident reporting. Implements NIS2 in part.

See also BSI, NIS2, BSI IT-Grundschutz

An open-source orchestration system for containerized workloads. Powerful and complex; misconfigured cluster roles and exposed dashboards are the recurring weakness pattern.

See also Container, IAM

Moving from the initial foothold to other systems inside the same environment — using stolen credentials, exploited trust relationships, or remote-execution primitives.

See also Pivoting, Privilege Escalation, Kerberos

The directory protocol underneath Active Directory and several open-source IAM stacks. LDAP injection is a parallel risk to SQL injection where filter strings are concatenated unsafely.

See also Active Directory (AD), SQL Injection

A privacy-focused threat-modeling framework — Linkability, Identifiability, Non-repudiation, Detectability, Disclosure of information, Unawareness, Non-compliance. Used where GDPR-class data is in scope.

See also STRIDE, GDPR / DSGVO

BaFin's minimum requirements on risk management for credit institutions. Sets the qualitative bar that BAIT then specifies for the IT dimension.

See also BaFin, BAIT

An outsourced SOC service — usually built on EDR or XDR plus a 24/7 analyst team. Where a 24/7 in-house SOC is uneconomical.

See also SOC, EDR, XDR

A class of vulnerabilities in unsafe-language code where memory layout assumptions are violated — buffer overflows, use-after-free, type confusion. Mitigated by ASLR, stack canaries, and increasingly by memory-safe languages.

See also Zero-Day,

Authentication requiring two or more independent factors from the categories knowledge, possession, and inherence. Phishing-resistant MFA (WebAuthn, hardware keys) is the modern standard.

See also SSO, SAML, OIDC

A vulnerability rooted in a configuration choice — not an unsafe primitive — that exposes data or functionality unintentionally. Default credentials, open S3 buckets, exposed management consoles are typical.

See also Hardcoded Credentials,

A community-curated knowledge base of real-world adversary tactics, techniques, and procedures (TTPs), indexed by platform and adversary group. The lingua franca for blue-team detection coverage and red-team scope.

See also TTP, Cyber Kill Chain, Diamond Model

A 1979-vintage serial industrial protocol still ubiquitous in field devices. No native authentication or encryption — security depends entirely on network isolation.

See also OPC UA, ICS

TLS in which both client and server present and validate certificates. Used for service-to-service authentication where bearer tokens are insufficient.

See also TLS, PKI

EU directive (2022/2555) that raises cybersecurity requirements for essential and important entities across 18 sectors. Replaces the original NIS directive; enforced via national transposition laws.

See also DORA, CER, KRITIS, BSI

The US federal control catalog for information systems. Densely cross-referenced, used as a vocabulary even outside US-federal procurement contexts.

See also NIST CSF, ISO/IEC 27001

A US National Institute of Standards and Technology framework organizing security around five functions: Identify, Protect, Detect, Respond, Recover (version 2.0 adds Govern). Widely cited internationally as a maturity scaffold.

See also ISO/IEC 27001, BSI IT-Grundschutz

The NoSQL counterpart to SQL injection — manipulation of query operators (e.g., MongoDB's `$ne`, `$gt`) or JavaScript evaluation inside the database engine.

See also SQL Injection

An authorization framework that allows a user to grant a third party scoped access to their resources without sharing credentials. Authorization, not authentication — OIDC adds the authentication.

See also OIDC, JWT

An identity layer on top of OAuth 2.0 that adds standardized ID tokens. The modern default for federation in new applications.

See also OAuth 2.0, SAML, SSO, JWT

A platform-independent industrial communication protocol with first-class security (encryption, authentication, certificates). The modern replacement for the older OPC Classic.

See also Modbus, ICS

Collection of information from publicly available sources — DNS, code repositories, breach data, social media, archives — to build a target picture without active interaction.

See also Reconnaissance, Fingerprinting

The umbrella for technology that interacts with the physical world — ICS, SCADA, building automation, medical devices. Differentiated from IT by its different priorities (safety, availability) and far longer lifecycles.

See also ICS, IoT

A nonprofit foundation publishing freely available standards, guidance, and tooling for application security. Its outputs — Top 10, ASVS, Testing Guide, Cheat Sheets — are the de-facto reference set for web and API security work.

See also OWASP Top 10, OWASP ASVS

A three-level requirements catalog (L1 opportunistic, L2 standard, L3 advanced) for verifying application security controls. Used as the spec when an audit needs verifiable evidence per control.

See also OWASP, OWASP Top 10

A long-form manual that prescribes the test cases for every OWASP-recognized vulnerability class. The pre-flight checklist for web assessments.

See also OWASP, OWASP ASVS

A ten-item ranking of the most impactful web-application security risks, refreshed every three to four years. Used to brief stakeholders and to bound minimum scope on routine assessments.

See also OWASP, OWASP ASVS

Use of relative-path segments (e.g., `../`) in input to escape an intended directory and read or write arbitrary files. Often combined with file-upload weaknesses.

See also XXE, Insecure File Upload

The card-brand-mandated standard for any environment that stores, processes, or transmits payment-card data. Currently v4.0 with phased compliance dates through 2025.

See also ISO/IEC 27001, SOC 2

An authorized, time-boxed simulation of an attack against a system or environment, intended to surface exploitable weaknesses and validate controls. The deliverable is a report of confirmed findings with reproduction steps.

See also Red Team, TLPT, Black Box Testing, Assumed Breach

Mechanisms that allow an attacker to retain access across reboots, credential changes, or partial cleanup — registry autoruns, scheduled tasks, service installs, malicious certificates.

See also Foothold, Command & Control (C2)

Social-engineering attacks delivered at volume, typically via email, asking the recipient to disclose credentials or run a payload. The most common initial-access vector.

See also Spear Phishing, Social Engineering, Initial Access

Tunneling network traffic through a compromised host to reach systems that the attacker cannot directly route to. The mechanical layer beneath lateral movement.

See also Lateral Movement, Command & Control (C2)

The system of policies, processes, and components — root CAs, intermediate CAs, registration authorities, revocation lists — that binds public keys to identities.

See also Certificate Authority (CA), TLS, HSM

A ruggedized industrial computer that executes deterministic control logic for a single machine or cell. The atomic unit of ICS and the most common point of ladder-logic manipulation.

See also ICS, HMI, SCADA

Everything an attacker does after a foothold is achieved: situational awareness, credential harvesting, lateral movement, persistence, exfiltration.

See also Foothold, Lateral Movement, Exfiltration

Elevating from a low-privilege context to a higher one — local (user → root/SYSTEM) or remote (standard user → domain admin).

See also Lateral Movement, Kerberos, Active Directory (AD)

Minimal demonstration code that proves a vulnerability is real and exploitable, often used to convince a vendor or stakeholder. Not engineered for reliability or weaponization.

See also Exploit, CVE

EU directive that opened bank account access to licensed third parties and mandated strong customer authentication for electronic payments.

See also ZAIT, MFA

A practitioner-defined seven-phase pentest framework: pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, reporting. The most widely-referenced methodological backbone for technical security testing.

See also OWASP, MITRE ATT&CK

A collaborative exercise where red and blue work side-by-side: red executes a known TTP, blue confirms (or fails to confirm) detection in real time. Optimizes detection coverage, not surprise.

See also Red Team, Blue Team, MITRE ATT&CK

A defect that manifests when concurrent requests interleave in an unexpected order, breaking an invariant the code assumed was atomic. In security contexts, classically a double-spend or double-redeem.

See also Business Logic Flaw

The first phase of an engagement: identifying targets, surfaces, and access vectors. Subdivided into passive (no traffic to the target) and active (probes, scans).

See also OSINT, Fingerprinting

An offensive-security operation simulating a specific adversary against the full attack surface — people, processes, technology. Scope-light, objective-driven, often unannounced to defenders.

See also Blue Team, Purple Team, Adversary Emulation, TLPT

The practice (and norm) of reporting a discovered vulnerability to the affected party privately first, allowing a remediation window before public disclosure. Sometimes called coordinated disclosure.

See also Bug Bounty, CVE

Three layers of the cloud-service model. SaaS gives a finished application; PaaS gives a runtime environment; IaaS gives raw compute, storage, and network. Each shifts the security responsibility boundary.

See also IAM, VPC

A unique, random value mixed into a password before hashing, so identical passwords yield different digests. Mandatory for any stored-password scheme.

See also Hash Function

An XML-based federation protocol for SSO, dominant in enterprise integrations. Verbose, but the only practical choice when one party speaks only SAML.

See also SSO, OIDC

An isolated runtime environment in which untrusted code or files are executed, so their behavior can be observed without affecting the host. Used in malware analysis and in browser security architectures.

See also EDR, Honeypot

A specific class of ICS that supervises distributed assets — pipelines, grids, water networks — via long-distance telemetry and remote control. The classic high-impact target.

See also ICS, PLC

Forcing a victim to use a session identifier known to the attacker, who then hijacks the session after the victim authenticates. Mitigated by regenerating the session ID on login.

See also Authentication Bypass

The 256-bit member of the SHA-2 family. The current default cryptographic hash for general use, including TLS certificates and content addressing.

See also Hash Function, HMAC

A platform that ingests logs from across an environment, normalizes them, applies detection rules, and surfaces alerts. The central nervous system of a SOC.

See also SOC, SOAR, EDR

Tooling that codifies analyst playbooks so routine triage and response steps execute automatically across the security stack. Lives on top of a SIEM, not instead of it.

See also SIEM, SOC

The function — internal or outsourced — that monitors security events, triages alerts, and runs incident response. Measured by mean time to detect and mean time to respond.

See also SIEM, SOAR, MDR

An AICPA attestation report on the operational controls of a service organization, against five trust-services criteria. The de-facto procurement document for US enterprise sales.

See also ISO/IEC 27001, PCI DSS

Manipulation of people — by impersonation, pretext, urgency, or authority — to obtain information or actions that bypass technical controls.

See also Phishing, Spear Phishing

Phishing targeted at a single person or small group, with personalized context that increases the click-through rate dramatically.

See also Phishing, Social Engineering

Injection of attacker-controlled SQL fragments into a query, typically via unparameterized concatenation of user input. Outcomes range from authentication bypass to full database extraction.

See also NoSQL Injection, Command Injection

An architecture where one authentication event grants access to multiple downstream applications via federated tokens — typically SAML or OIDC.

See also SAML, OIDC, OAuth 2.0

Coercing a server to make a network request the attacker controls — to internal services, cloud metadata endpoints, or arbitrary URLs. A primary path into otherwise unreachable internal infrastructure.

See also XXE

STIX is the format for representing structured threat intelligence; TAXII is the transport for exchanging it. Together they enable machine-to-machine sharing of indicators and TTPs.

See also TTP, IOC

A six-category threat-modeling mnemonic: Spoofing, Tampering, Repudiation, Information disclosure, Denial of service, Elevation of privilege. Microsoft-originated, still the most teachable starter framework.

See also LINDDUN, Threat Modeling

An individual or group with intent and capability to attack a defined set of targets. Catalogued by name, tooling, infrastructure, and TTP signature.

See also APT, TTP, MITRE ATT&CK

Hypothesis-driven proactive search through telemetry for adversary activity that escaped automated detection. Distinguished from alert triage by who started the investigation: the hunter, not the SIEM.

See also SOC, SIEM, TTP

The structured exercise of enumerating likely threats against a system before they are realized. Outputs are control gaps and test priorities, not predictions.

See also STRIDE, LINDDUN, Diamond Model

An ECB-published framework for intelligence-led red-team tests against financial-sector entities, with national flavors (TIBER-DE, TIBER-NL, etc.). The implementation baseline for DORA's threat-led penetration testing requirement.

See also DORA, TLPT, Red Team

The German automotive industry's information-security assessment and exchange mechanism, governed by ENX and based on the VDA ISA catalog. Required to participate in OEM supply chains.

See also ENX Association, VDA ISA, ISO/IEC 27001

Intelligence-driven red-team testing against critical systems, mandated for in-scope financial entities under DORA. Implementation follows TIBER-EU and its national variants.

See also DORA, TIBER-EU, Red Team

The cryptographic protocol that secures most HTTP, SMTP, and database traffic. TLS 1.2 is the minimum baseline; TLS 1.3 is current; SSL is deprecated.

See also mTLS, PKI, Certificate Authority (CA)

The behavioral fingerprint of an adversary — what they do (tactics), how (techniques), and exactly how (procedures). Catalogued by MITRE ATT&CK.

See also MITRE ATT&CK, IOC, Threat Actor

United Nations regulations for cybersecurity (R155) and software-update management (R156) of road vehicles. Required for vehicle type approval in UN-1958 markets, including the EU.

See also TISAX

BaFin's IT-supervisory requirements for insurance undertakings, structured in parallel to BAIT. Now overlaid with DORA for in-scope entities.

See also BaFin, BAIT, DORA

The control catalog that TISAX assessments evaluate against. Maintained by the German automotive association (VDA), aligned to ISO/IEC 27001 with automotive-specific extensions.

See also TISAX, ENX Association, ISO/IEC 27001

An isolated network segment inside a public-cloud provider, with its own address space, routing, and access controls. The unit of network blast-radius in modern cloud designs.

See also IAM

A reverse-proxy filter for HTTP traffic, applying signature- and anomaly-based rules to block known attack patterns. A useful brake, not a fix; vulnerabilities behind it still need patching.

See also IDS, IPS

Testing with full information — source code, architecture diagrams, credentials. Maximizes coverage and defect-density yield; useful before a code release.

See also Black Box Testing, Grey Box Testing

A category that broadens EDR's endpoint focus to include email, network, cloud, and identity telemetry under a single correlation layer. Vendor-defined more than standards-defined.

See also EDR, SIEM

Injection of attacker-controlled script into a page rendered by another user's browser. Three primary modes: reflected, stored, and DOM-based.

See also DOM XSS, CSRF

Abuse of XML parsers that resolve external entity references, enabling file read, SSRF, and in some configurations remote code execution. Mitigated by disabling DTD processing.

See also SSRF, Path Traversal

BaFin's IT-supervisory requirements for payment institutions and e-money institutions.

See also BaFin, BAIT, VAIT, PSD2

An architectural principle that grants no implicit trust based on network location and instead verifies every request against identity, device posture, and least-privilege policy. Aspirational at scale; selective in practice.

See also Defense in Depth, IAM

A vulnerability for which no public patch yet exists at the time of exploitation. The countdown nickname; in practice the meaningful question is exploitation visibility, not patch existence.

See also CVE, Exploit