HomeAnalyst Training
Malware Hunter’s Glossary
HomeAnalyst Training
Malware Hunter’s Glossary

Editor’s note: The current article was originally published on September 16, 2020, and updated on December 7, 2023.

Do you know how a DMA attack works? Or what distinguishes Smurf attacks from Fraggle attacks?  The cybersecurity industry is filled with technical terms, jargon and industry-specific acronyms: knowing them is essential for anyone working in the field. 

That’s why, here at ANY.RUN, we’ve created an alphabetical list of key terms every cybersecurity professional should know by heart (or, at the very least, known by heart where to look them up).

How does this glossary work?

This glossary provides concise definitions for terms and abbreviations frequently found in cybersecurity articles, blogs, and other information security resources. 

Use the table of contents in the left sidebar to jump to a specific letter, or scroll through the list from A to Z. 


Active Directory

Active Directory (AD) is a Microsoft service used for managing users, computers, and other resources within a network. It uses a hierarchical structure to organize objects and enforce security policies across a Windows environment. AD is a common target in lateral movement and privilege escalation attacks. 


AES stands for Advanced Encryption Standard, a symmetric encryption algorithm that was established by the U.S. National Institute of Standards and Technology (NIST) in 2001. It’s widely considered secure and efficient, replacing the older Data Encryption Standard (DES). AES is used in various security protocols and systems to encrypt data at rest and in transit. 

ARP spoofing or ARP poisoning

ARP spoofing, also known as ARP poisoning, is an attack where an attacker sends falsified ARP (Address Resolution Protocol) messages over a local area network. This tricks network devices into associating the attacker’s MAC address with an IP address of a legitimate network resource, like a router. The goal is often to intercept, modify, or stop data traffic. 


ASCII stands for American Standard Code for Information Interchange. It’s a character encoding standard used for representing text and control characters in computers. While not directly a cybersecurity term, ASCII is often relevant in tasks like data analysis and payload encoding during security assessments. 

Admin Privilege

Admin privilege grants a user elevated rights to configure and manage a system. In cybersecurity, these permissions are a high-value target for attackers, as they can provide full control over systems and networks. 


Adware is a type of software that automatically displays or downloads advertising material, often in the form of pop-up ads or banners, when a user is online. While not inherently malicious, adware can degrade system performance and user experience, and some variants may include spyware capabilities. 

Attack vector

An attack vector is a path or means by which an attacker gains unauthorized access to a system or network. Examples of common attack vectors include phishing emails, malicious websites, and software vulnerabilities. 

APT (Advanced Persistent Threat)

An advanced malware actor, usually a computer network that gains access and stays hidden for long periods of time. APTs are often state-sponsored and target government and military organizations, as well as perform military espionage.  


Authentication is the process of verifying the identity of a user, system, or service. It’s often part of a broader access control mechanism, ensuring that only authorized entities can access resources. Authentication can be performed by checking unique information (PIN, Password), unique objects (Passport), or unique traits (Fingerprints, Voice, Face geometry).

Analyze suspicious files and links in the ANY.RUN sandbox 

Create free account



Bashdoor is a type of backdoor exploit that takes advantage of vulnerabilities in the Bash shell, commonly found in Unix and Linux systems. This exploit allows an attacker to execute arbitrary commands on the target system, often bypassing typical security measures. Bashdoor attacks are particularly concerning because they can provide full control over a compromised system. 

BAT file

A BAT file is a batch file used in DOS and Windows environments to execute a series of commands. While BAT files themselves are not malicious, attackers often use them to automate tasks like deploying malware or performing system modifications. Due to their ability to execute multiple commands in sequence, they are commonly involved in scripting attacks. 

BGP (Border Gateway Protocol)

BGP is a routing protocol used to facilitate data exchange between different autonomous systems on the Internet. It plays a critical role in how data travels across networks. BGP is susceptible to various attacks, such as BGP hijacking, where an attacker reroutes traffic through malicious servers for data interception or network disruption. 


Blackholing is a network defense technique where incoming traffic is rerouted to a null or non-existent destination, effectively dropping the packets. This is often used to mitigate DDoS attacks by directing malicious traffic away from the targeted resources. However, it’s a blunt instrument that can also block legitimate traffic if not carefully configured. 

Blind hijacking

Blind hijacking is an attack where the attacker intercepts and modifies packets between two parties without either party knowing that the data has been altered. 


Bluejacking is an attack that exploits Bluetooth vulnerabilities to send unsolicited messages or data to Bluetooth-enabled devices. It is generally considered low-risk and often more of a prank than a serious attack. 


Bluesnarfing is a more malicious form of Bluetooth attack compared to bluejacking. In bluesnarfing, an attacker gains unauthorized access to a Bluetooth-enabled device to steal sensitive information like contacts, text messages, or even control the device. 


A backdoor is a hidden method for bypassing normal authentication or encryption in a computer system, a product, or an embedded device. Attackers often install backdoors to secure remote access to a compromised system. 

Black hat hacking

when a hacker performs actions with harmful intent, such as stealing information or getting a ransom. 

Brute force attack

an attack that attempts to guess a correct password by imputing as many random combinations as possible. 

Block cipher

an algorithm that divides information into data blocks of fixed, identical length and subsequently encrypts or decrypts each block. A type of symmetric encryption. 


A group of computers that were invaded by malware which gave an attacker control over each machine. Attackers use these machines to perform malicious actions, such as DDoS attacks or mail spam distribution. Owners of machines included in the botnet usually don’t know about the misuse of their hardware.  

BYOD (Bring Your Own Device)

a policy that determines whether employees are allowed to use their personal devices at work and whether personal devices can be connected to the corporate network. 


CAN (Controller Area Network)

CAN, or Controller Area Network, is a communication protocol commonly used in automotive and industrial control systems. It allows microcontrollers and devices to communicate without needing a host computer. 

COM file

A COM file is a type of simple executable file format originally used in DOS systems. These files have largely been replaced by more complex formats like EXE, but they still can be run in certain Windows environments. Because of their simplicity, COM files are sometimes used in malware and attack campaigns to execute shellcode or deploy payloads. 

C&C (Command and Control server)

A Command and Control server, often abbreviated as C&C or C2, is a computer controlled by an attacker or criminal group to send commands to systems compromised with malware. 

CSP (Content Security Policy)

Content Security Policy (CSP) is a security standard used to prevent cross-site scripting (XSS), clickjacking, and other code injection attacks. It allows web administrators to specify which sources of content are permitted on a web page, blocking the browser from loading anything from unauthorized sources. 


A type of cyber-attack that hijacks part of the device’s power to mine cryptocurrency without the user’s consent. 


An act of creating a new, fake social-media account of a non-existing person and subsequently use this account to deceive a specific individual. 


a state of data produced by the encryption process. Ciphertext appears random, but data in this format can be decrypted and restored to the original form using a decryption key. 


An attack technique that makes users click on malicious URLs without realizing that they interacted with them. This can be performed by hiding actual interactive content under a cover-web page that displays seemingly harmless content. However, when clicking users interact with content underneath that they don’t even see. 

CND (Computer Network Defense)

A set of internal measures performed to secure a network from outside attacks. The measures that make up a Computer Network Defense are outlined in the security policy of a given company. 


A more technically correct synonym of the word “hacker”, that is less used outside of the cybersecurity community and thus less known.  

Critical infrastructure

The most crucial systems or networks for business or state. The compromise of such systems will lead to devastating aftermath.  

CVE (Common Vulnerabilities and Exposures)

CVE is a public registry of all recorded attacks, exploits, and vulnerabilities, created by the MITRE non-profit. It is potentially the most comprehensive cyber-security database on the planet. 


The science of privacy, data integrity, and authentication methods. Cryptography studies methods of encrypting — a reversible conversion of data using a secret algorithm or key into encrypted, seemingly random text. 

Cookie file

A cookie file is a smal text file stored on a user’s computer by a web browser. Cookies are used to store information like login states, user preferences, or tracking data. 

Cyber team

A group of individuals hired to develop, maintain, and improve cybersecurity measures for an organization or a state. Cyber Teams perform penetration testing, scan networks for vulnerabilities, and educate employees about cybersecurity. 


Data integrity

Data integrity proves that information has not been modified or altered in any way. Cryptographic hashing is employed to retrieve a value by considering the original data. When hashing is performed subsequently the retrieved value should stay the same to indicate that the data remained intact. 

Data mining

A process of analyzing volumes of information in order to find the most valuable data, called meta-data. 

Data theft

An act of taking information without the owner’s consent, through physically stealing hardware that hosts the data or leaking information.  

DDoS (Distributed Denial of Service) attack

A cyberattack that aims to disrupt the operation of a service, often by overloading the servers with incoming requests. Such as when thousands of requests are made to the server beyond its capacity to process them. 


A process that reverts ciphertext back to its original form using a secret key. For instance, decrypting is how victims of ransomware attacks restore information, by using publicly available decrypting services or by obtaining the key though paying the ransom. 

Deep web

The deep web refers to parts of the internet that are not indexed by traditional search engines. This includes private databases, password-protected websites, and personal email accounts. Contrary to some perceptions, the deep web is not synonymous with illegal activities. 


DES stands for Data Encryption Standard, an older symmetric-key algorithm for encrypting electronic data. It was once a federal standard but was replaced by AES due to its vulnerability to brute-force attacks. 

DHCP snooping

DHCP snooping is a security feature on switches that filters DHCP traffic to prevent rogue DHCP server attacks. The feature builds a table of legitimate IP address leases, blocking unauthorized DHCP messages. 

DMA attack

DMA stands for Direct Memory Access, and a DMA attack exploits this capability to directly read or write to a system’s memory. This bypasses the CPU and operating system, often subverting normal authentication mechanisms. DMA attacks require physical access to a system and are commonly executed through ports like Thunderbolt or FireWire. 

Digital forensics

The process of collecting information about potentially illegal actions within a computer network to present found data in a court of law. 

DLP (Data Loss Prevention)

A set of measurements and guidelines that an organization uses to prevent the loss of information through leakage as a result of cyberattacks, malicious actions from within the company, or hardware failure. 

DMZ (Demilitarized Zone)

An isolated extension of a private network, which is protected by a firewall and open to outside connections, making select data publicly available. 


DNS stands for Domain Name System. It’s the protocol that translates human-readable domain names to IP addresses, allowing browsers to load Internet resources. DNS is a critical part of internet infrastructure but is also susceptible to attacks like DNS poisoning and DNS hijacking. 

DNS hijacking

DNS hijacking is an attack where the attacker redirects queries to a different DNS server, often for malicious purposes like phishing or traffic interception. This can be done by compromising a user’s DNS settings or by attacking the DNS server itself. 

DNS poisoning

DNS poisoning is an attack that inserts corrupt DNS cache entries to redirect queries to malicious sites. Unlike DNS hijacking, which targets the user’s settings or server, DNS poisoning focuses on corrupting the DNS resolver cache. 


DOC is a file extension used for Microsoft Word documents. While commonly used for text-based files, DOC files can contain macros and scripts, which could be malicious. 


DOCX is a more modern file extension used for Microsoft Word documents, introduced with Word 2007. Unlike DOC, it uses XML-based formatting and is less prone to macro viruses due to its structure. However, it can still be weaponized through embedded links or malicious macros as part of social engineering attacks. 

Domain fronting

Domain fronting is a technique used to bypass network censorship or monitoring by making outgoing requests appear as if they’re headed to a benign domain, while the actual destination is a different, potentially restricted site. This is achieved through layers of HTTP and DNS trickery. 

Domain name kiting, domain kiting

Domain kiting is the practice of registering a domain name and then repeatedly canceling and re-registering it during the grace period to avoid paying registration fees. 

Domain shadowing

Domain shadowing is an attack technique where an attacker gains access to a domain registration account to create subdomains without the owner’s knowledge. These rogue subdomains are then used for malicious activities like hosting phishing sites or C&C servers. 

DoS attack

A DoS, or Denial of Service attack, aims to make a targeted system or network unavailable by overwhelming it with traffic or exploiting vulnerabilities to trigger a crash. Unlike DDoS attacks, which involve multiple systems, a DoS attack typically originates from a single source. 

Downgrade attack

A downgrade attack forces a system to fall back to a less secure version of a protocol or weaker encryption algorithms. This makes it easier for an attacker to exploit known vulnerabilities in the outdated protocol. Downgrade attacks can occur in various scenarios, such as during SSL/TLS handshakes. 

Drive-by download

A type of cyberattack where the victim’s computer becomes compromised automatically after visiting a malicious website. Attacks like this are made possible by leveraging the natural tendency of web browsers to automatically execute JavaScript code, which creates a potential vulnerability. 


Email spoofing

Email spoofing is the practice of sending emails with a forged sender address to deceive recipients. This technique is often used in phishing attacks to gain the trust of the target. 

EDR (Endpoint Detection & Response)

Endpoint Detection and Response (EDR) is a group of cybersecurity products that focus on monitoring and responding to security threats on individual devices — or endpoints. Antivirus software belongs to this group, among other tools. 

EMET (Enhanced Mitigation Experience Toolkit)

EMET was a free Microsoft tool to boost Windows security by applying techniques that made it harder for attackers to exploit software vulnerabilities. It’s now retired, with its features integrated into Windows 10. 

Evil Maid Attack

An Evil Maid Attack is when an attacker gains access to a victim’s unattended computer. The name stems from a scenario in which an adversary was able to access the victim’s notebook left in a hotel room. The attack aims to compromise security by tampering with hardware or installing malicious software to steal sensitive data or encryption keys. 

EAP (Extensible Authentication Protocol)

EAP, or Extensible Authentication Protocol, is a framework used in network communication for secure authentication. It allows various authentication methods to be used, such as passwords, digital certificates, or token-based authentication, to establish a secure connection between a client and a server. EAP is commonly used in Wi-Fi networks and VPNs to ensure that only authorized users can access network resources. 


A computer program that is continually updated to complicate hacking attacks and improve usability. 


A process of taking a readable data format and encrypting using a private key to obtain ciphertext. 


False Flag

A False Flag operation is when an entity or individual carries out an action, like a cyberattack, and makes it look like someone else did it. This is done to divert blame or confuse investigators. 

Fast Flux

Fast Flux is a technique used in cyberattacks to hide the real location of malicious servers or websites. It involves rapidly changing the IP addresses associated with a domain name through a network of compromised or “flux” machines. 

FDE (Full Disk Encryption)

Full Disk Encryption (FDE) is a security technology that encrypts an entire storage device, such as a hard drive or solid-state drive, to protect the data stored on it. With FDE enabled, all the data on the disk is automatically encrypted, making it unreadable without the appropriate decryption key or password. 


A filter that companies use to block unwanted network traffic. Firewalls whitelist incoming requests based on a set of pre-defined parameters. In other words, by default they block all incoming traffic, treating all requests as potentially harmful. 

Fraggle Attack

A Fraggle Attack is a network-based distributed denial-of-service (DDoS) attack that is similar to a Smurf Attack. It involves the attacker sending a large volume of Internet Control Message Protocol (ICMP) echo request packets (ping) to an IP broadcast address, typically using IP addresses that don’t belong to them. These packets are then broadcasted to multiple hosts on the network, causing those hosts to respond to the victim’s IP address with ICMP echo replies, overwhelming the victim’s network bandwidth and causing a denial of service. 


A Hash is a code used in cryptography to turn readable data into an encrypted string of text with a fixed length. Applying the same hash to data twice indicates that information has not been altered, as long as the output does not change.  


Hacktivism is hacking that is done out of principle or for a cause rather than to gain profit. Hacktivists often defend their actions claiming that what they do is for the right cause, however, in a lot of cases it is still illegal. 

Heap Spraying

Heap spraying is a malicious technique used in cyberattacks to exploit vulnerabilities in software applications. It involves flooding a program’s memory (heap) with a large volume of malicious code or data, typically in the form of shellcode or payloads. By doing so, attackers aim to increase the probability that their malicious code will be executed when the vulnerable program’s memory is corrupted or manipulated. 


A honeypot is a defensive decoy that mimics the operation of a real system to trick hackers into attacking it, instead of the production resources of an organization. Honeypots are used to make attackers waste as much time as possible and to collect information about new malicious techniques. 

HTTP (Hypertext Transfer Protocol)

Hypertext Transfer Protocol (HTTP) is the foundation of data communication on the World Wide Web. It is an application layer protocol used for transmitting and receiving data between a client (usually a web browser) and a server (where websites are hosted). 

HTTPS (Hypertext Transfer Protocol Secure)

Hypertext Transfer Protocol Secure (HTTPS) is a secure version of the standard HTTP protocol. HTTPS encrypts the data transmitted between the client and server, ensuring that it cannot be easily intercepted or tampered with by malicious actors. This encryption is typically achieved using SSL/TLS (Secure Sockets Layer/Transport Layer Security) protocols. 


Identity cloning

This is a criminal activity in which the attacker takes on the identity of another real person and uses it for their own gain, usually to perform actions that they could not do with the real identity, like accessing a credit line.  

IMAP (Internet Message Access Protocol)

IMAP is an email protocol that enables users to access and manage email messages stored on a remote server. It supports email synchronization across multiple devices, providing flexibility in email management. 

IDS (Intrusion Detection System)

IDS is a passive cyber-defense system that monitors the network for unauthorized connections and performs defensive actions if such connections are found. 

IPS (Intrusion Prevention System)

IPS is an active security system that is designed to uncover cyber-attack attempts and automatically take measures to reduce their chances of success. 

IP Address (Internet Protocol Address)

An IP address, short for Internet Protocol address, is a unique numerical label assigned to each device connected to a computer network that uses the Internet Protocol for communication. 

IPv4 (Internet Protocol version 4)

IPv4, or Internet Protocol version 4, is a widely used addressing scheme for identifying devices on a computer network. It uses a 32-bit numerical address, usually displayed in four sets of decimal numbers separated by periods (e.g., 

IPv6 (Internet Protocol version 6)

IPv6, or Internet Protocol version 6, is an upgraded and expanded version of IPv4. It uses a 128-bit numerical address format, which provides an astronomically larger number of unique addresses. IPv6 addresses are typically represented as a series of hexadecimal numbers separated by colons (e.g., 2001:0db8:85a3:0000:0000:8a2e:0370:7334). 

IRP (Incident Response Platform)

An Incident Response Platform (IRP) is a comprehensive software solution designed to assist organizations in effectively managing and responding to cybersecurity incidents. It provides a centralized platform for detecting, analyzing, and mitigating security threats and breaches. 

iSCSI (Internet Small Computer System Interface)

ISCSI is a protocol used for enabling the transfer of block-level data between a computer and a storage device over an IP network. It allows remote storage devices, often referred to as storage area networks (SANs), to appear as if they are locally attached to a computer or server. 



Typically, a keylogger is a malicious program, more rarely hardware, that records the interactions of the victim with their keyboard, allowing to see what sensitive information the victim has typed. 


Kerberos is a network authentication protocol designed to provide secure authentication for users and services over a non-secure network, such as the internet. It uses encryption and a trusted third-party authentication server to verify the identities of users and services. 

KRACK attack (Key Reinstallation Attack)

The Key Reinstallation Attack, commonly known as KRACK, is a cybersecurity vulnerability that affects Wi-Fi networks secured with the WPA2 (Wi-Fi Protected Access 2) protocol, which is commonly used for securing wireless communication. KRACK exploits weaknesses in the WPA2 protocol to intercept and manipulate data transmitted over a Wi-Fi network. 


L2TP (Layer 2 Tunneling Protocol)

L2TP is a networking protocol that allows the creation of virtual private networks (VPNs). It operates at the data link layer and is often used in combination with another encryption protocol, like IPsec, to enhance security. 

LAN (Local Area Network)

Lan is a computer network that is connected within a restricted space, such as within the constraints of a single building. 

LDAP (Lightweight Directory Access Protocol)

LDAP is a network protocol used for accessing and managing directory information. It’s often used in authentication, authorization, and directory services for various applications and systems. 

LotL Attack (Living off the Land Attack)

A LotL attack is a cyberattack strategy where threat actors use legitimate system tools and utilities to carry out malicious activities, making their actions harder to detect. Tools leveraged in LotL attacks may include PowerShell, Windows Management Instrumentation (WMI), or scripting languages like Python and JavaScript. 

LTE (Long Term Evolution)

LTE, or Long Term Evolution, is a standard for wireless broadband communication. It is part of the 4G (fourth generation) technology family and is designed to provide faster and more efficient mobile data communication than its predecessor, 3G (Third Generation).  

Link jacking

Link jacking is a spam-like practice of purposefully misrepresenting the destination of a link on a website. For example, when an advertisement seems to be directed to a product page, but instead takes the user to a random page oversaturated with ad banners. 


MAC address (Media Access Control Address)

A MAC address, also known as a hardware address or physical address, is a unique identifier assigned to a network interface controller (NIC) on a device. It consists of a series of hexadecimal numbers and is used to identify devices on a local network segment. 

MAC flooding

MAC Flooding is a network attack that exploits the limitation of switches in Ethernet networks. In this attack, the attacker sends a flood of forged Ethernet frames, each with a different, spoofed MAC address. The intention is to overwhelm the switch’s MAC address table, causing it to enter a fail-open mode, where it starts broadcasting incoming traffic to all ports instead of forwarding it to the correct destination. 

Malvertising (Malicious Advertising)

Malvertising is a cyber threat strategy where malicious code or malware is concealed within online advertisements. Cybercriminals use malvertising to deliver malware to unsuspecting users when they visit legitimate websites that display these ads. 

MBR (Master Boot Record)

The MBR, or Master Boot Record, is a crucial data structure located at the beginning of a storage device, such as a hard drive or SSD, that is used to boot a computer’s operating system. It contains the initial code that the computer’s BIOS or UEFI firmware executes during the boot process. 

MD5 (Message Digest Algorithm 5)

MD5 is a cryptographic hash function that produces a 128-bit (16-byte) hash value from an input data or message. It’s widely used for data integrity and checksum purposes. 

Mean Time to Respond (MTTR)

Mean Time to Respond, often abbreviated as MTTR, is a key performance indicator (KPI) in incident response and cybersecurity. It measures the average amount of time it takes for an organization to detect and respond to a security incident once it has occurred. 

Memory Scraper

A memory scraper is a type of malware designed to scan and capture sensitive information directly from a computer’s RAM. It’s particularly adept at extracting data such as credit card numbers, usernames, passwords, and other confidential information that may be  stored in temporary memory while a user is interacting with applications or making online transactions. 

MITB attack (Man-in-the-Browser Attack)

A Man-in-the-Browser (MITB) attack is a type of cyberattack where a malicious actor inserts their code into a victim’s web browser, allowing them to intercept and manipulate web communication between the user and websites. 

MitD attack (Man-in-the-Disk Attack)

A Man-in-the-Disk (MitD) attack is a type of security vulnerability and attack vector that targets the way mobile applications handle storage and data on a device’s external storage, such as an SD card. In a MitD attack, a malicious actor takes advantage of weak permissions or insufficient security measures in mobile apps. They place malicious files or manipulate existing files in the external storage space, where the targeted app stores data. 

MITM Attack (Man-in-the-Middle Attack)

A Man-in-the-Middle (MITM) attack is a cyberattack where an unauthorized third party intercepts and potentially manipulates communication between two parties without their knowledge. To carry out a MITM attack, an attacker typically positions themselves between the victim and the legitimate party, acting as a covert intermediary. This can be accomplished through various techniques, such as ARP spoofing, DNS spoofing, or the use of malicious proxy servers. 


MITRE ATT&CK is a public resource that contains data of past cyberattacks. An indispensable resource for cybersecurity researchers looking to expand their knowledge about malicious techniques used by hackers.



The .NET (pronounced dot-net) framework is a software development platform developed by Microsoft. It provides a comprehensive environment for building and running various types of applications, including web, desktop, and mobile applications. 


NetBIOS, short for Network Basic Input/Output System, is a legacy networking protocol used for communication between devices on a local area network (LAN). 

NAT (Network Address Translation)

NAT, or Network Address Translation, is a technology used in networking to modify network address information while in transit. It allows multiple devices within a private network to share a single public IP address for accessing resources on the internet. 

NGFW (Next-Generation Firewall)

A Next-Generation Firewall (NGFW) is a security appliance or software solution that combines traditional firewall functionality with advanced security features. NGFWs go beyond basic packet filtering and stateful inspection to provide more comprehensive security measures. They often include intrusion detection and prevention systems (IDPS), application-aware filtering, deep packet inspection, and SSL/TLS decryption capabilities. 


OLE (Object Linking and Embedding)

Object Linking and Embedding (OLE) is a technology developed by Microsoft that allows different applications to share and manipulate objects or data. With OLE, you can embed objects created in one application, such as a spreadsheet or a chart, into another application like a document or presentation. 


OpenID is an open-standard protocol used for single sign-on (SSO) authentication. It allows users to use a single set of login credentials to access multiple websites or applications without the need to create and remember separate usernames and passwords for each one. 

OSINT (Open-Source Intelligence)

Open-Source Intelligence (OSINT) is the practice of collecting, analyzing, and using publicly available information from various sources to gather insights and intelligence. OSINT sources include websites, social media, news articles, public records, and more. 

Overlaying Attack

An overlaying attack is a cybersecurity threat where an attacker creates a deceptive layer or overlay on top of a legitimate interface or application. The goal of this attack is to trick users into interacting with the malicious overlay, typically to steal sensitive information like login credentials or credit card details. Overlaying attacks are often associated with phishing and social engineering tactics. 

Outsider threat

Outsider threat is a potential danger that is likely coming from an outside source like a competing organization, another state, or a vindictive ex-worker. 

OWASP (Open Web Application Security Project)

OWASP is an established online community of enthusiasts who help websites improve their cyber-defense through a wide range of tools and practices. This community focuses on studying attack patterns to learn as much as possible about malware to build an effective defense strategy. 


Packet sniffing

Packet sniffing is a process of taking data packets (parts of a computer network transmission) and saving them for further analysis by a network administrator or a security researcher. 

Payment card skimmers

A payment card skimmer is a gadget that works with Point Of Sale terminals that hackers use to collect payment card information from victims when a plastic card is entered into the terminal. 

Pen (Penetration) testing

Pen testing is a complex cybersecurity procedure that involved ethical hacking. Thus, cybersecurity professionals conduct a controlled attack on a system using real malware and malicious techniques to find out the weak points in the defense.  


Phishing is a malicious technique of uncovering sensitive information by tricking the victim into willingly disclosing data as part of human interaction, such as when replying to a text message or an email. 

Piggyback programs

A Piggyback program is software that comes together with a program that the user downloaded explicitly. When the installation of the main software ends, it often shows a prompt asking the user to download another product in the hope that the user automatically clicks “Ok”. 

PKI (Public Key Infrastructure)

PKI is a collection of cryptographic security techniques designed to create a stronger cyber defense of communication and information storage. 

POS (Point of Sale) intrusions

Point of sale intrusion takes place when an attacker hacks a POS terminal in a physical store or on a website that supports online check-out. POS intrusions aim to steal credit card information from victims that make purchases at a targeted organization. 

POP3 (Post Office Protocol 3)

POP3, or Post Office Protocol 3, is a standard email protocol used for receiving emails from a mail server to a client device, such as an email client or application. When you configure an email client with POP3 settings, it connects to the mail server, downloads incoming emails to the client device, and typically removes them from the server  


Punycode is a method used to encode Internationalized Domain Names (IDNs) into a format that is compatible with the ASCII character set. IDNs allow domain names to include non-ASCII characters, such as accented letters or characters from various languages. Punycode converts these non-ASCII characters into a standardized ASCII representation, making it possible for browsers and other internet applications to correctly process and display domain names with international characters.

Try the full range of the ANY.RUN sandbox’s features.
Request a 14-day free trial 

Get started


RAT (Remote Access Trojan)

A RAT, or Remote Access Trojan, is malicious software that allows an attacker to gain unauthorized access and control over a victim’s computer or network. Once deployed, a RAT enables remote monitoring, data theft, and the ability to execute commands on the compromised system. 


a type of malicious program that encrypts the victim’s information and threatens that access to the data will be permanently lost, unless a ransom is paid. Ransomware typically drop a ransom note on the desktop, which contains instructions on restoring the data. The note directs victims to a website, where they can obtain a decryption key with a cryptocurrency payment.  

RAAS (Ransomware as a Service)

RAAS is a method of distributing ransomware when malware creators distribute the program to clients in exchange for money, rather than operating the malware themselves. Clients who purchase RAAS typically obtain the malware build, access to an operations dashboard as well as access to technical support. 

RC4 (Rivest Cipher 4)

RC4, short for Rivest Cipher 4, is a widely used stream cipher encryption algorithm. It’s known for its simplicity and speed in encrypting data. 

RDP (Remote Desktop Protocol)

RDP, or Remote Desktop Protocol, is a proprietary Microsoft protocol that enables remote access to a computer or server over a network connection. 

Remote Shell

A remote shell, sometimes abbreviated as “RShell” or “rsh,” is a network communication tool that enables users to execute commands on a remote computer or server from a local machine. It allows for command-line interaction with a remote system, facilitating tasks like file transfers, system administration, and troubleshooting. Remote shells can be useful for legitimate purposes, but they can also be exploited by malicious actors to gain unauthorized access to systems. 

RSA (Rivest-Shamir-Adleman)

RSA, which stands for Rivest-Shamir-Adleman, is a widely-used public key encryption algorithm in modern cryptography. It’s named after its inventors Ron Rivest, Adi Shamir, and Leonard Adleman. RSA operates using a pair of cryptographic keys: a public key for encryption and a private key for decryption. Data encrypted with the public key can only be decrypted using the corresponding private key, which provides a secure way to transmit sensitive information over untrusted networks. 

RTF (Rich Text Format)

RTF, or Rich Text Format, is a file format used for text documents that contain formatting information, such as font styles, colors, and formatting attributes. They are commonly used for creating documents that need to retain consistent formatting across different software and operating systems. RTF can contain embedded malware or malicious macros. 


Rootkit is a type of malicious program which differentiates itself from other malware types by its stealth capabilites. Rootkits gain the administrative right to the OS of an infected machine and take measures to prevent detection, allowing them to stay hidden over time and collect as much data as possible. 


SASE (Secure Access Service Edge)

SASE, or Secure Access Service Edge, is a cybersecurity model that integrates network security and wide-area networking (WAN) capabilities into a cloud-based service. It ensures secure and scalable access to network resources for remote users and branch offices, simplifying network architecture and enhancing security by moving critical functions to the cloud. 


Sandboxing is a process of creating an isolated environment and launching programs or even whole operating systems within created playgrounds to evaluate their behavior or conduct studies while protecting the main system. 

Secure element

A secure element is a dedicated and tamper-resistant hardware component within a device, such as a smartphone or a smart card, designed to store and protect sensitive data, including cryptographic keys, biometric information, and payment credentials. 

SCADA (Supervisory Control and Data Acquisition)

SCADA is a set of actions and logging protocols used to record information to automate the functioning of large and complicated computer systems. 


SD-WAN, short for Software-Defined Wide Area Networking, is a technology that simplifies and optimizes the management of wide area networks (WANs). It achieves this by using software-based approaches to control and direct data traffic across the WAN. 

SSID (Service Set Identifier)

An SSID, or Service Set Identifier, is a unique alphanumeric identifier assigned to a wireless network. It serves as the name of the network and allows wireless devices to identify and connect to a specific Wi-Fi network. 

SHA (Secure Hash Algorithm)

SHA, which stands for Secure Hash Algorithm, refers to a family of cryptographic hash functions used to produce fixed-length hash values from variable-length input data. Common SHA algorithms include SHA-1, SHA-256, and SHA-3, each with varying levels of security. 

Side Channel Attack

A side channel attack is a type of cybersecurity attack that exploits unintended information leakage from a physical system during its operation. Instead of directly targeting cryptographic algorithms or software vulnerabilities, side channel attacks focus on capturing data, such as power consumption, electromagnetic radiation, or timing information, that is unintentionally emitted by a device. 


Sinkholing is a cybersecurity technique used to divert malicious network traffic away from its intended destination to a controlled and secure location, often managed by security researchers or network administrators. 

SIEM (Security Information and Event Management)

SIEM is a framework that dictates constant requiring security evaluation, helping to find irregularities or violations of the security protocol.  

SOAR (Security Orchestration, Automation, and Response)

SOAR, or Security Orchestration, Automation, and Response, is a cybersecurity technology stack that streamlines incident response processes. SOAR platforms integrate and automate security tools, enabling efficient response to security incidents, threats, and vulnerabilities. 

SOPs (Standard Operating Procedures)

SOPs, sometimes called “security policy,” is a set of guidelines in the organization that must be followed by all employees to maintain high-level cybersecurity. 

Smurf Attack

A Smurf attack is a type of Distributed Denial of Service (DDoS) attack that targets a victim’s network by exploiting Internet Control Message Protocol (ICMP) and IP broadcast addresses. In a Smurf attack, the attacker sends a large number of ICMP echo request (ping) packets to an IP broadcast address on a network. This causes all devices on the network to respond to the victim’s IP address with ICMP echo replies, overwhelming the victim’s network with an excessive volume of traffic. 


Spam is an intrusive, unwanted, and usually low-quality content or messages that are often distributed in mass batches to a large number of contacts. 

Spear phishing

Spear phishing is an attack where an adversary employs social engineering techniques and a targeted approach to leverage real contacts of the victim. Personalized content makes spear-phishing attacks especially dangerous since the attacker can trick the victim into thinking that they are dealing with a legitimate entity. 


Spyware is a type of malicious program that records user actions and sends them to the attacker. It can exist in a lawful form when operated by advertising agencies to learn about customer behavior or as malware when used by hackers in illegal applications. 

SQL Injection

SQL injection is a malicious technique in which an attacker exploits vulnerabilities in a web application’s input validation to manipulate an SQL query sent to a database. By injecting malicious SQL code into user inputs, such as text fields or URLs, attackers can trick the application into executing unintended database commands. 

SSH (Secure Shell)

SSH, or Secure Shell, is a cryptographic network protocol that enables secure remote access, authentication, and data communication between computers over unsecured networks, such as the internet. SSH encrypts all data transmitted between the client and server, safeguarding against eavesdropping and unauthorized access. 

SSL (Secure Sockets Layer)

SSL, or Secure Sockets Layer, is a cryptographic protocol that ensures secure and encrypted communication between a user’s web browser and a web server. SSL is designed to establish a secure connection for transmitting sensitive data, such as login credentials, credit card information, and personal details, over the internet. It is usually used in conjunction with the HTTP protocol (HTTPS). 

Stack Smashing

Stack smashing, also known as a buffer overflow, is a cybersecurity vulnerability and exploitation technique that occurs when an attacker injects more data into a buffer (a temporary data storage area) than it can hold. This excess data overflows into adjacent memory areas, potentially corrupting or altering critical program data and control flow. 


Stalkerware is a type of malicious software that is installed on a victim’s device, typically without their knowledge or consent, to secretly monitor and record their activities. 

Symlink (Symbolic Link)

A symlink, short for symbolic link, is a reference or pointer to another file or directory in a filesystem. Unlike a hard link, which points directly to the data of the target file or directory, a symlink is a separate file that contains a path or reference to the target. 


TCP (Transmission Control Protocol)

TCP, or Transmission Control Protocol, is one of the core protocols of the Internet Protocol (IP) suite and is responsible for reliable data transmission between two devices over a network. TCP provides a connection-oriented and error-checking communication method, ensuring that data sent from one device is received accurately and in the correct order by the receiving device. 

Threat intelligence

Threat intelligence includes any and all information that an organization has regarding past, current, or future cybersecurity threats. Threat intelligence data is used by cybersecurity professionals to defend against potential attacks. 

Trojan (Trojan Horse)

Trojan is a malicious program that tricks the user into thinking that it is harmless and uses social engineering techniques to control the victim into downloading the malware and starting the execution process. 

TOR (The Onion Router)

 TOR, short for The Onion Router, is a privacy-focused network technology that facilitates anonymous internet communication. It achieves anonymity by routing data through a series of volunteer-operated servers, or “nodes,” with each node peeling away a layer of encryption, akin to layers of an onion.  

TLS (Transport Layer Security)

TLS, or Transport Layer Security, is a cryptographic protocol used to secure data transmission over a network, typically the internet. It ensures that data exchanged between two systems remains private and tamper-proof during transit. TLS encrypts data by creating a secure “tunnel” between a client (e.g., a web browser) and a server (e.g., a website). 

TPM (Trusted Platform Module)

A TPM, or Trusted Platform Module, is a hardware-based security component integrated into computers and devices to enhance their security. It stores cryptographic keys, passwords, and other sensitive data, protecting them from software-based attacks and unauthorized access. 


UDP (User Datagram Protocol)

UDP, short for User Datagram Protocol, is one of the core transport layer protocols in computer networking. It operates on top of the Internet Protocol (IP) and is used for sending data packets across a network. Unlike TCP (Transmission Control Protocol), UDP is connectionless and does not establish a dedicated, reliable connection before sending data. This makes UDP faster but less reliable, as it does not guarantee delivery or order of packets. 

UEBA (User and Entity Behavior Analytics)

UEBA, which stands for User and Entity Behavior Analytics, is a cybersecurity technology that focuses on monitoring and analyzing the behavior of users and entities (such as devices and applications) within a network or system. It uses machine learning and advanced analytics to establish a baseline of normal behavior for users and entities. When deviations from this baseline occur, UEBA can detect potential security threats or anomalies, such as insider threats or unauthorized access. 

UEFI (Unified Extensible Firmware Interface)

UEFI, which stands for Unified Extensible Firmware Interface, is a modern replacement for the traditional BIOS (Basic Input/Output System) that is used to initialize and manage the hardware components of a computer during the boot process. 

URL spoofing

URL spoofing is a deceptive practice in which an attacker creates a fake or fraudulent web address (URL) that closely resembles a legitimate one. 

UAF (Use-After-Free)

Use-After-Free, abbreviated as UAF, is a critical software vulnerability that occurs when a program or application tries to access or use memory that has been previously freed or deallocated. 

User Agent

A User Agent, often referred to as a UA, is a piece of software or an application that acts on behalf of a user when interacting with web servers or online services. It is a critical component of the HTTP request sent by a client (such as a web browser) to a web server when requesting a web page or resource. The User Agent string, typically included in the HTTP headers, contains information about the client software, including its name, version, and sometimes additional details about the operating system and device. 

USSD (Unstructured Supplementary Service Data)

USSD, or Unstructured Supplementary Service Data, is a communication protocol used by mobile phones to send text-based messages between the device and a mobile network’s servers. Unlike SMS (Short Message Service), which is store-and-forward and may be delayed, USSD messages are sent in real-time and are usually used for interactive communication. 


VBS (Visual Basic Script)

VBS, short for Visual Basic Script, is a scripting language developed by Microsoft. It is often used for automating tasks, creating small applications, and customizing the behavior of Windows operating systems. VBS scripts are written in plain text and can be executed using the Windows Script Host (WSH) or other scripting engines. Malicious actors often use VBS for harmful purposes, such as distributing malware. 

VNC (Virtual Network Computing)

VNC, which stands for Virtual Network Computing, is a remote desktop protocol and software application that allows users to control and view the graphical desktop of a remote computer or server over a network connection. 

VLAN (Virtual Local Area Network)

VLAN, which stands for Virtual Local Area Network, is a network segmentation technique used to divide a physical network into multiple logical subnetworks. These subnetworks are isolated from one another, even though they share the same physical network infrastructure. 


A virus is a type of malware that normally appends to a master file and executes when the victim interacts with the host file. Malware of this type spread to other objects and even other computers in the network with user interactions.  


Vishing is a phishing attack instance in which the attacker used Voice over IP protocol to call another VoIP user, enabling to communicate with the victim verbally. 


Watering Hole

A watering hole attack is a type of targeted cyberattack where malicious actors compromise websites or online resources that are frequently visited by a specific group of users. The goal is to infect the computers of the target group by injecting malware into these legitimate websites. 

WebDAV (Web Distributed Authoring and Versioning)

WebDAV, short for Web Distributed Authoring and Versioning, is an extension of the HTTP (Hypertext Transfer Protocol) that enables collaborative editing and management of files and documents on web servers. 

WebRTC (Web Real-Time Communication)

WebRTC, which stands for Web Real-Time Communication, is an open-source project and set of web technologies that enables real-time communication directly between web browsers and applications. 

Wi-Fi Dissociation

Wi-Fi dissociation, often referred to as deauthentication, is a network security process used to disconnect a client device from a Wi-Fi network. This action is typically taken by network administrators to prevent unauthorized access or to manage network resources. 

Wildcard Certificate

A wildcard certificate is an SSL/TLS certificate used to secure multiple subdomains under a single domain name. For example, a wildcard certificate for “*.example.com” could secure “blog.example.com,” “shop.example.com,” and so on. While convenient and cost-effective, wildcard certificates can pose a security risk. If compromised, the attacker gains control over all subdomains the certificate secures. 


WEP stands for Wired Equivalent Privacy, an outdated encryption standard for wireless networks. Introduced in 1997, WEP was found to have several vulnerabilities, making it relatively easy to crack within minutes. Due to its weaknesses, it has been largely replaced by more secure protocols like WPA and WPA2. 

WPA and WPA2

WPA (Wi-Fi Protected Access) and WPA2 are encryption protocols designed to secure wireless networks. WPA was developed as an interim solution to replace the flawed WEP standard, while WPA2 is an enhanced version that followed. WPA2 uses the AES encryption standard and provides stronger security than WPA, which typically uses TKIP encryption. Both are considered much more secure than WEP but should be configured properly to maximize protection. 


A worm is a type of malicious program, which is focused on spreading to as many systems as possible by copying its code into files and spreading through networks. Worms used to be a popular way to deliver the final malicious payload to victims, but today they are rarely used.


XXE attack

An XXE, or XML External Entity, attack exploits vulnerabilities in XML parsers to read local files, interact with internal systems, or execute remote code. The attack occurs when an application processes XML input that references an external entity. 



YARA is a tool used for identifying and classifying malware based on textual or binary patterns. It’s akin to writing antivirus signatures but is more flexible and extensible. YARA rules can be applied across different stages of incident response, from initial detection to in-depth malware analysis. 


Zero-day exploit

Zero-day exploit is a term that indicates vulnerabilities in software that are not fixed or programs that exploit them. 


A zip-bomb is a malicious archive file designed to harm or incapacitate a system by exhausting its resources. When the archive is unpacked, it decompresses into a size far larger than the original file, often many gigabytes or even petabytes. Zip-bombs are primarily used to disable antivirus software or to engage in denial-of-service attacks against file-processing systems. 


A Zombie computer is a machine that has been illegally accessed by a malware operator and became a member of the botnet. Zombie computers perform malicious actions on behalf of an attacker who hijacks control over the resources of a compromised machine. 

0 – 9


3DES, or Triple DES, is an encryption algorithm that applies the DES encryption method three times to each data block. While more secure than single DES, it’s generally considered less secure than more modern algorithms like AES. 


802.1X is a standard for network access control, often used in corporate Wi-Fi networks. It provides a framework for authenticating and controlling user traffic based on a user’s credentials or device certificate. 


Cybersecurity lingo is particularly rich since it uses the computer programming terminology and features a host of its own unique words and concepts on top of it. Here we have collected some of the most widely used terms to help you get started in the world of cybersecurity or simply refresh your memory of common professional vocabulary.  

Don’t stop with this article and continue learning the language of our industry. It will help you to easily communicate with your co-workers and members of the cyber-defense community! 


ANY.RUN is a cloud malware sandbox that handles the heavy lifting of malware analysis for SOC and DFIR teams. Every day, 300,000 professionals use our platform to investigate incidents and streamline threat analysis.  

Request a demo today and enjoy 14 days of free access to our Enterprise plan.   

Request demo → 

What do you think about this post?

3 answers

  • Awful
  • Average
  • Great

No votes so far! Be the first to rate this post.