
Cybersecurity Glossary

All important terms from IT security - precisely defined and explained in practical terms. Sorted alphabetically.

238 entries

A

Account Takeover (ATO) | Attack Techniques

Account takeover (ATO) refers to the unauthorized takeover of user accounts by attackers. Attack vectors: credential stuffing (leaked passwords), brute force, phishing/MFA bypass, session hijacking, password reset vulnerabilities, and SIM swapping. ATO is the starting point for fraud, data breaches, and privilege escalation. Detection: impossible travel, device fingerprinting anomalies, velocity checks.

Adversarial Machine Learning - AI Attacks and Countermeasures | Emerging Threats

Adversarial machine learning refers to attack techniques that specifically manipulate or deceive machine learning models. These include adversarial examples (minimal changes to input data that cause models to misclassify), data poisoning (tainted training data), model inversion (extraction of training data), prompt injection (in LLMs), and model stealing. MITRE ATLAS documents these attack techniques.

Air Gap - Physical Network Isolation for High-Security Systems | Network Security

An air gap refers to the physical separation of a computer system or network from the internet and other insecure networks. Air-gapped systems cannot be accessed without physical media (USB, optical discs) or specialized hardware. Applications: Nuclear facilities, military systems, SCADA systems, certification authorities. Known attacks: Stuxnet (USB), VAMPIRE, USBee (electromagnetic side channels), Fansmitter (fan noise).

Attack Vector | Basic Terms

The method or mechanism through which an attacker gains access to a system or exploits a vulnerability—e.g., email, the network, physical access, or compromised software.

Anonymization and Pseudonymization | Data Protection

Anonymization permanently removes personal identifiers—pseudonymization replaces them with a pseudonym and remains reversible. Both methods are key GDPR techniques for implementing data protection by design.

API Security | Web Security

Protecting APIs (Application Programming Interfaces) against misuse, unauthorized access, injection attacks, and data leaks. APIs are a modern attack surface: the OWASP API Security Top 10 lists the most common vulnerabilities, ranging from Broken Object Level Authorization to missing rate limiting.

Application Security (AppSec) | Application Security

Application security (AppSec) encompasses all measures, processes, and technologies designed to protect software applications from attacks—from development through testing to operation. The goal is to identify and eliminate vulnerabilities in code, architecture, configuration, and dependencies before attackers can exploit them.

APT (Advanced Persistent Threat) | Threat Landscape

An Advanced Persistent Threat (APT) is a sophisticated, long-term cyberattack—usually carried out by state-sponsored or state-backed actors—that targets a specific objective and remains undetected for months or years.

Attack Path | Attack Techniques

An attack path is the sequence of vulnerabilities, misconfigurations, and permissions that an attacker exploits to move from an initial access point to a target (e.g., domain admin, database). Attack path analysis using tools such as BloodHound, Microsoft Security Exposure Management, and XM Cyber identifies and prioritizes these paths for remediation.

Attack Path Management | Offensive Security

Attack Path Management (APM) continuously identifies all possible attack paths in the corporate network, from the entry point to critical assets—and prioritizes countermeasures based on actual exploitation risk, not CVSS scores.

Attack Surface Management (ASM) | Security Management

Attack Surface Management (ASM) is the continuous process of discovering, cataloging, classifying, and assessing the risks associated with all assets and vulnerabilities that an attacker could exploit. External ASM (EASM) focuses on assets visible from the internet; internal ASM focuses on lateral movement risks. ASM forms the foundation for CTEM (Continuous Threat Exposure Management).

Data Processing Agreement (Auftragsverarbeitungsvertrag, AVV / DPA) | Data Protection & Compliance

A contractual instrument under Article 28 of the GDPR that must be concluded between the controller (the client) and the processor (the service provider) when third parties process personal data on behalf of the controller. Without a DPA, data processing by the service provider is unlawful.

Authentication | Basic Terms

The identity verification process: Anyone who claims to be someone must prove it—through something they know (password), have (token), or are (biometrics).

B

Backup | Business Continuity

Systematic data backup to a medium separate from the primary system—the last line of defense against ransomware, hardware failure, human error, and disasters. The 3-2-1 rule is the recognized minimum standard.

BAS - Breach and Attack Simulation | Security Testing

Breach and Attack Simulation (BAS) is a technology that continuously and automatically simulates cyberattacks to identify security vulnerabilities in real time—without the need for manual penetration testers. BAS platforms test detection (does the SIEM detect the attack?), prevention (does the firewall block it?), and response (does the SOC respond correctly?) based on MITRE ATT&CK® techniques.

Biometrics - Biometric Authentication in Security | Identity & Access Management

Biometric authentication uses unique physical characteristics (fingerprints, face, iris, voice) or behavioral patterns (typing rhythm, gait) for identification. It is phishing-resistant and convenient—but it comes with specific risks: stolen biometric data cannot be changed, and liveness detection attacks and GDPR requirements (Art. 9) necessitate careful implementation.

Blue Team | Security Operations

The Blue Team is the defensive side of cybersecurity: it protects systems, detects attacks, responds to incidents, and continuously improves the security posture. Unlike the Red Team (attackers) or the Purple Team (a combination of both), the Blue Team represents the day-to-day operations of the defense—SOC, IR teams, threat hunters, and security engineers.

Bluetooth Security | Network Security

Security considerations for wireless Bluetooth connections. Bluetooth attacks such as BlueBorne, BIAS, and BLUFFS enable data extraction and device control without user interaction. In enterprise environments, headsets, input devices, and IoT devices are common attack vectors.

Botnet | Attack Methods

A network of many compromised computers and IoT devices that are remotely controlled by an attacker (botmaster)—usually for DDoS attacks, spam, or cryptocurrency mining.

Brute-Force Attack | Attack Methods

A method for cracking passwords or encryption keys by systematically trying every possible combination. Online brute-force attacks target login forms, while offline brute-force attacks crack stolen hashes. Mitigation: MFA, account lockout, rate limiting, and strong passwords.

BSI IT-Grundschutz | Compliance & Standards

The BSI's German framework for information security, comprising over 200 components and three security levels. A prescriptive approach with specific implementation guidelines—a mandatory reference for operators of critical infrastructure and federal agencies.

Buffer Overflow | Vulnerability Classes

A buffer overflow occurs when a program writes more data to a buffer than it can hold, causing adjacent memory areas to be overwritten. Variants and related attacks: stack-based overflows (overwriting the return address → arbitrary code execution), heap-based overflows, and format string attacks. Protection mechanisms: ASLR, stack canaries, NX bit/DEP, PIE, Fortify Source. Buffer overflows are one of the oldest classes of vulnerabilities and form the basis of many exploits.

Bug Bounty - Coordinated Vulnerability Disclosure and Reward Models | Vulnerability Management

Bug bounty programs reward external security researchers for responsibly reporting vulnerabilities. Platforms: HackerOne (Apple: up to $1 million, Microsoft, Lufthansa), Bugcrowd, Intigriti (European, GDPR-compliant). Program elements: scope definition (in-scope/out-of-scope), severity assessment according to CVSS, a triage process, and a safe harbor clause (legal protection for researchers). A VDP (Vulnerability Disclosure Policy) is a free starting point. BSIG §8b mandates a VDP for KRITIS entities.

Business Continuity Management (BCM) | Resilience

A management discipline designed to ensure the continuity of critical business processes in the event of disruptions. This entry describes the basic concepts of RTO, RPO, BCP, and DRP. For practical implementation in the context of cyberattacks—including the 3-2-1-1-0 backup rule, ransomware scenarios, and tabletop exercises—see the more detailed entry on Business Continuity Management (Cyberattacks).

Business Continuity Management (BCM) - Operational Continuity During Cyberattacks | Resilience

Business Continuity Management (BCM) ensures that critical business processes continue to run or are quickly restored in the event of a cyberattack, ransomware, or IT failure. Key concepts: BIA (Business Impact Analysis), RTO (Recovery Time Objective), RPO (Recovery Point Objective), BCP (Business Continuity Plan), DRP (Disaster Recovery Plan), offline backup strategy (3-2-1-1-0 rule), tabletop exercises. Relevant standards: ISO 22301 and BSI Standard 200-4.

Business Email Compromise (BEC) | Social Engineering

Business Email Compromise (BEC) is one of the most costly cyber threats: Attackers compromise or spoof business emails to trick victims into making wire transfers, sharing data, or providing login credentials—often without using malware, relying solely on social engineering.

Business Impact Analysis (BIA) | Business Continuity

A systematic analysis of the impact of critical business process failures on the company. The BIA determines the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each process—serving as the basis for business continuity plans and backup strategies.

Business Logic Flaws - Logic Errors in Applications | Vulnerability Classes

Business logic flaws are vulnerabilities in the application logic itself, not in the implementation. Scanners and WAFs do not detect them because, within the context of the respective business process, they are valid requests. Typical examples include negative order quantities, price manipulation via parameters, race conditions when redeeming coupons, and workflow bypass through direct step calls. Only manual expert knowledge can reliably detect such errors.

BYOD (Bring Your Own Device) | Endpoint Security

A company policy that allows employees to use their own smartphones, tablets, and laptops for work purposes. BYOD reduces hardware costs but significantly increases security risks—personal devices are harder to control than company-owned ones.

C

C2 Framework (Command & Control) | Red Teaming

A Command & Control (C2) framework is a tool used by red teams and penetration testers to manage communication with compromised hosts after gaining initial access to target systems. Attackers use the same techniques. Well-known frameworks include Cobalt Strike, Metasploit, Sliver, and Havoc. Understanding C2 is essential for defense and detection engineering.

Canary Token - Tripwire for Early Attack Detection | Threat Detection

Canary tokens are invisible digital tripwires that raise an immediate alert as soon as an attacker touches them. Types: URL tokens (embedded in documents), DNS tokens, AWS key tokens, Excel tokens. They detect insider threats, document exfiltration, credential theft, and network reconnaissance. Available free of charge via canarytokens.org (Thinkst Canary). Typical placements: honeydocs, Active Directory, Kubernetes Secrets.

CASB - Cloud Access Security Broker | Cloud Security

A Cloud Access Security Broker (CASB) is a security solution positioned between enterprise users and cloud services that enforces security policies. CASBs offer four core capabilities: visibility (which cloud services are being used?), compliance (are policies being followed?), data security (DLP for cloud data), and threat protection (anomaly detection). Shadow IT discovery is the most common entry-level use case.

Certificate Pinning in Apps | Cryptography & Protocols

Certificate pinning is a security technique in which an application accepts only specific TLS certificates or public keys instead of relying on the general CA trust system. It prevents man-in-the-middle attacks even if an attacker possesses a CA-signed certificate. Primarily used in mobile apps. Bypass methods: Frida hooking, SSL kill switch, custom root certificate. Risk: Certificate pinning can block legitimate traffic analysis tools.

Certificate Transparency (CT) - Public Certificate Log | PKI & Cryptography

Certificate Transparency (RFC 6962) is an open framework that records all issued TLS certificates in publicly verifiable, append-only logs. It was developed by Google to detect fraudulent or improperly issued certificates. All modern browsers require CT entries (SCTs) in certificates. For pentesters, CT is a valuable OSINT tool for subdomain discovery (crt.sh, censys.io). Organizations can use CT monitoring to detect unauthorized certificate issuances for their own domains.

CISA KEV - Known Exploited Vulnerabilities Catalog | Vulnerability Management

The CISA KEV (Known Exploited Vulnerabilities) Catalog is a list of actively exploited vulnerabilities maintained by the U.S. agency CISA. All U.S. federal agencies are required to patch KEV vulnerabilities within defined timeframes. For businesses it provides prioritization guidance beyond CVSS: if a vulnerability is listed in KEV, it is being actively exploited. The catalog is available via API and can be integrated with patch management, SIEM, and vulnerability scanners.

CISO (Chief Information Security Officer) | Governance & Compliance

The executive responsible for an organization's overall information security. The CISO is responsible for security strategy, risk management, compliance, and incident response—and serves as the direct link between technical IT security and senior management.

Clickjacking | Web Security

Clickjacking (also known as UI redressing) is an attack in which a transparent or invisible webpage is superimposed over a legitimate site. The user clicks on what they believe to be something harmless, but is actually clicking on hidden buttons on the real site—and unintentionally triggers actions such as likes, money transfers, or granting permissions.

Cloud Governance - Steering and Control in the Cloud | Cloud Security

Cloud governance is the framework of policies, processes, and technologies that ensures cloud resources are operated securely, in compliance with regulations, cost-effectively, and in alignment with business objectives. Key elements: landing zone architecture, policy-as-code (Azure Policy, AWS SCPs), cost management, tagging strategies, and cloud security posture management (CSPM).

Cloud IAM (Identity and Access Management in the Cloud) | Cloud Security

Cloud IAM manages identities and access rights in cloud environments (AWS, Azure, GCP). Overprivileged IAM roles are the most common cause of cloud data breaches. Best practices: least privilege, short-lived credentials, managed identities instead of access keys, regular access reviews, and automated policy analysis using cloud-native tools.

Cloud Security - Security in AWS, Azure and GCP | Cloud Security

Cloud security addresses the shared responsibility model: cloud providers secure the infrastructure, while customers secure their data, configurations, identities, and applications. Most common vulnerabilities: misconfigurations (public S3 buckets, permissive security groups), excessive IAM permissions, lack of encryption, no MFA for root. CSPM tools (Defender for Cloud, AWS Security Hub, Wiz) detect deviations. Related security categories: CSMA, CWPP, and CIEM.

Code Signing - Cryptographic Signing of Software | Cryptography

Code signing refers to the cryptographic signing of software, scripts, and executable files using a private key to verify their origin and integrity. Signed software verifies who created the code (authenticity) and that it has not been altered since signing (integrity). Applications: Windows Authenticode, macOS Gatekeeper, Android APK signing, kernel modules, UEFI Secure Boot.

Command Injection - OS Command Injection | Vulnerability Classes

Command injection occurs when user input is passed unfiltered to operating system commands. Attackers can inject their own OS commands and execute them on the server. Typical vectors: shell functions in PHP, Python subprocess with `shell=True`, Node.js shell calls. Impact: complete system compromise. Protection: never use shell calls with user input, use parameterized commands, and apply least privilege for processes.

Compliance (IT Security Compliance) | Governance & Compliance

IT security compliance refers to adherence to legal provisions, regulatory requirements, and contractual obligations in the field of information security. Relevant frameworks for German companies: GDPR, NIS2, ISO 27001, BSI IT-Grundschutz, KRITIS Regulation, industry-specific regulations (BAIT, VAIT, KAIT).

Container Escape - Breaking Out of Docker/Kubernetes Containers | Container Security

Container escape refers to techniques that allow an attacker to break out of a container into the host or other containers. Common attack vectors include privileged containers (--privileged), incorrectly mounted host directories, insecure cgroup/namespace configuration, Docker socket mounts, kernel exploits, and runc CVEs. Protection: unprivileged containers, read-only filesystems, Seccomp/AppArmor profiles, no binding to privileged ports below 1024.

Container Security | Cloud & DevSecOps

Security measures for containerized applications (Docker, Kubernetes). Containers share the host kernel—a compromised container can put other containers or the host at risk. Container security includes image hardening, runtime protection, network segmentation, and supply chain security.

CORS - Cross-Origin Resource Sharing Misconfiguration | Vulnerability Classes

CORS misconfigurations occur when web servers return `Access-Control-Allow-Origin` wildcards or reflect unvalidated origins. Attackers can then send cross-site requests with cookies from the victim’s browser and read sensitive API responses. This is particularly critical when `Access-Control-Allow-Credentials` is set to `true`. Mitigation: validate the request’s `Origin` header against a strict allowlist on the server side; never combine wildcards with credentials.

Credential Stuffing | Attack Techniques

Credential stuffing is an automated attack in which attackers try stolen username-password combinations obtained from data breaches on other services—exploiting the habit of reusing the same password across multiple accounts.

Cryptographic Agility | Cryptography

Cryptographic agility refers to a system’s ability to replace cryptographic algorithms and parameters without making fundamental architectural changes. Cryptographic agility is crucial for the migration to post-quantum cryptography (PQC) and enables a rapid response to algorithm weaknesses (e.g., SHA-1 deprecation, MD5 replacement) without requiring a complete system redesign.

Cryptojacking | Malware

The unauthorized use of another person’s computing power for cryptocurrency mining without the owner’s knowledge. Often carried out via browser scripts or malware—recognizable by an unexpected spike in CPU usage. This results in high energy costs and system wear and tear.

CSP - Content Security Policy | Protection Mechanisms

Content Security Policy (CSP) is an HTTP response header that instructs the browser which sources are allowed for scripts, stylesheets, images, and other resources. CSP limits XSS attacks by blocking inline scripts and unknown external sources. Common misconfigurations: `'unsafe-inline'`, `'unsafe-eval'`, wildcard hosts, missing `default-src` directive. Recommended: nonce-based CSP or `'strict-dynamic'`.

CSPM (Cloud Security Posture Management) | Cloud Security

Automated detection and remediation of misconfigurations in cloud environments (AWS, Azure, GCP). CSPM continuously monitors compliance with best-practice frameworks such as CIS benchmarks and identifies exposed S3 buckets, overprivileged IAM roles, and unencrypted databases.

CSRF (Cross-Site Request Forgery) | Web Security

Cross-Site Request Forgery (CSRF) is an attack in which an attacker tricks a logged-in user's browser into sending unintended HTTP requests to a web application—on the user's behalf and without their knowledge. It is listed among the OWASP Top 10 and is particularly dangerous in the context of state-changing actions.

CTEM - Continuous Threat Exposure Management | Security Management

Continuous Threat Exposure Management (CTEM) is a program defined by Gartner in 2022 for the continuous, prioritized reduction of the attack surface. CTEM consists of five phases: scoping, discovery, prioritization, validation, and mobilization. It combines vulnerability management, threat intelligence, attack surface management, and breach and attack simulation into an integrated approach.

CVE | Vulnerability Management

Common Vulnerabilities and Exposures—a public repository of known security vulnerabilities in software and hardware, each identified by a unique CVE ID.

CVSS | Vulnerability Management

Common Vulnerability Scoring System (CVSS) – a standardized framework for numerically assessing security vulnerabilities (0–10). CVSS 4.0 (since 2023) supplements the Base Score with a Threat Score (active exploits?) and an Environmental Score (severity in the specific environment).

Cyber Kill Chain | Attack Methods

A 7-phase model that describes a cyberattack from reconnaissance through to achieving its objectives. It enables defenders to detect and thwart attacks early on—the sooner, the less damage is caused.

Cyber Resilience | Business Continuity

Cyber resilience refers to an organization’s ability not only to prevent cyberattacks and IT disruptions, but also to withstand them, recover quickly, and continue to operate during and after an incident. Resilience goes beyond prevention: “Assume a breach”—plan for the possibility that an attack will succeed.

Cyber Threat Hunting - Proactive Threat Hunting in the Network | Threat Detection

Threat hunting is the proactive, hypothesis-driven search for threats that automated detection systems have not yet identified. Methodology: Hypothesis-driven (MITRE ATT&CK), intelligence-driven, situational awareness-driven. Tools: Velociraptor (endpoint artifact collection), KAPE (forensic triage), Sigma Rules, EDR queries. Metrics: MTTD, hunter efficiency, true positive rate.

Cyber Insurance - Coverage and Limits for Cyberattacks | Risk Management

Cyber insurance covers financial losses resulting from cyberattacks: business interruption, data recovery, ransom payments (ransomware), third-party liability (GDPR fines only partially covered!), IT forensics, crisis management, and notification costs. Prerequisite: Proof of a minimum security standard (MFA, backup strategy, patch management). Policies distinguish between first-party and third-party coverage. GDPR fines are not insurable in Germany.

D

Dark Web | Threat Landscape

Synonym for darknet: the encrypted, anonymous part of the internet (Tor/.onion) that focuses on illegal marketplaces, stolen credentials, and ransomware-as-a-service. In German-speaking countries, "Darknet" is the more common term.

Darknet | Threat Intelligence

The part of the internet that is accessible only through specialized software (Tor, I2P) and offers anonymity. Stolen data, malware, login credentials, and cybercrime-as-a-service offerings are traded on the dark web. Relevant for businesses: Monitoring whether their own data is circulating on the dark web.

DAST (Dynamic Application Security Testing) | Application Security

A security testing method that attacks running web applications from the outside—without access to the source code. DAST simulates real attackers and identifies vulnerabilities such as SQL injection, XSS, and misconfigured servers that remain undetected by static code analysis.

Data Loss Prevention (DLP) - Preventing Data Loss | Data Security

Data Loss Prevention (DLP) prevents the unauthorized leakage of sensitive data from the organization. DLP systems monitor data in three states: data at rest (storage), data in motion (network), and data in use (endpoints). Detection methods: Regex patterns (credit card numbers, IBAN, Social Security numbers), fingerprinting (document signatures), ML-based classification. Key solutions: Microsoft Purview DLP, Symantec DLP, Forcepoint. GDPR requirement for the protection of personal data.

Data Masking and Pseudonymization | Data Protection

Data masking refers to the process of obscuring or replacing sensitive data with realistic test data to ensure data protection in non-production environments (development, testing, staging). Methods: static masking (copying with replacement data), dynamic masking (on-the-fly for database queries), format-preserving encryption (FPE), tokenization. Difference from anonymization: Masking is often reversible.

Data Classification - Foundation of Every Data Protection Strategy | Data Security

Data classification categorizes information based on its protection requirements: public, internal, confidential, strictly confidential (or subject to confidentiality requirements). Classification schemes form the basis for DLP, access rights, encryption, and retention periods. Microsoft Purview Information Protection uses labels and automatic classification (trainable classifiers, pattern matching). BSI IT-Grundschutz uses the protection requirement levels 'normal', 'high', and 'very high'. ISO 27001: Annex A-8.2.

Data Protection Classification - Protection Requirements Assessment and Data Categories | Data Protection & Compliance

Data classification (determination of protection requirements) categorizes data into protection classes based on its sensitivity (e.g., public, internal, confidential, strictly confidential). It forms the basis for appropriate technical and organizational measures (TOMs), DLP rules, and access controls. ISO 27001 (A.5.12), BSI IT-Grundschutz, and GDPR Art. 32 require a structured classification.

DDoS (Distributed Denial of Service) | Attack Methods

An attack in which a target system is overwhelmed by massive amounts of traffic from many distributed sources, rendering it inaccessible to legitimate users.

DDoS Protection | Perimeter Security

Technical and organizational measures against distributed denial-of-service attacks. From CDN-based traffic filtering to anycast routing: How companies ensure availability under DDoS attack.

Deception Technology (Honeypot / Honeynet) | Security Operations

An umbrella term for all deception-based security controls: honeypots (individual systems), honeynets (entire fake networks), and honeytokens (fake credentials, fake files). Difference from the honeypot entry: Deception Technology describes the overall concept and enterprise platforms; for implementation details, see the Honeypot entry.

Deepfake Security - AI-Generated Deceptions as an Attack Tool | Social Engineering

Deepfakes are AI-generated fake audio, video, or image content that imitates real people. As attack vectors: voice cloning for CEO fraud (vishing 2.0), video deepfakes for video conference fraud, and synthetic photos for social engineering. Detection methods: Deepfake detectors, biometric liveness detection, watermarking standards (C2PA). Prevention: Passphrases, verification processes, multi-factor authentication.

Defense in Depth | Security Architecture

Defense in Depth (DiD) is a security architecture principle that layers multiple independent layers of protection on top of one another so that the failure of one layer does not lead to a complete compromise of the system. The concept originates from military strategy and was adapted by the NSA for IT security. Each layer compensates for the weaknesses of the others.

DevSecOps - Security from the Start of the Software Development Process | DevSecOps

DevSecOps integrates security into the DevOps cycle from the first line of code through to deployment. Core principle: Shift Left Security. Key toolchain: SAST (Semgrep, SonarQube), DAST (OWASP ZAP), SCA (Snyk, Trivy), secrets detection (GitLeaks, TruffleHog), IaC scanning (Checkov, tfsec), and security gates in CI/CD pipelines. NIS2 and ISO 27001 explicitly require security in the SDLC.

DevSecOps Pipeline | Secure Development

A DevSecOps pipeline integrates automated security testing into every phase of the CI/CD process: SAST on commit, SCA for dependencies, container scanning during the build, DAST against staging environments, and IaC scanning before deployment. Security gates ensure that critical findings halt the pipeline.

DFIR - Digital Forensics and Incident Response | Incident Response

Digital Forensics and Incident Response (DFIR) combines digital forensics (securing and analyzing evidence) with incident response (containing and resolving incidents). Following cyberattacks, DFIR teams secure evidence in a manner admissible in court, reconstruct the attack timeline, identify the initial attack vector, and assist with law enforcement. Core disciplines: Memory Forensics, Disk Forensics, Network Forensics, Malware Analysis.

Digital Forensics | Incident Response

Forensic analysis of digital systems following a security incident—secures evidence for legal proceedings, reconstructs attack paths and the perpetrator’s activities, and provides the basis for criminal prosecution and technical damage analysis.

DKIM (DomainKeys Identified Mail) | Email Security

DKIM is an email authentication method that uses cryptographic signatures to verify the integrity and origin of emails.

DMARC (Domain-based Message Authentication, Reporting and Conformance) | Email Security

DMARC is an email authentication protocol that builds on SPF and DKIM and gives domain owners control over how to handle unauthenticated emails.

DNS Cache Poisoning - Kaminsky Attack and DNS Spoofing | Network Security

DNS cache poisoning (DNS spoofing) refers to attacks in which forged DNS responses are injected into a resolver’s cache. This redirects users to malicious servers without the actual domain being compromised. Best-known attack: the Kaminsky attack of 2008. Protection: DNSSEC, query source port randomization (RFC 5452), DNS-over-HTTPS/TLS, and 0x20 encoding (randomizing the case of the query name).

DNS Rebinding - Same-Origin Policy Bypass via DNS | Attack Techniques

DNS rebinding is an attack that circumvents the browser’s Same-Origin Policy (SOP) by temporarily redirecting the DNS record of an attacker’s domain to internal IP addresses. Browsers believe they are communicating with the external attacker’s domain, but are actually accessing internal services (routers, cameras, IoT devices, localhost). Attacks enable the reading of internal resources, CSRF against internal services, and access to cloud metadata. Protection: DNS rebinding filters in routers, private IP blocking in browsers, and authentication on internal services.

DNS Security | Network Security

Protecting the Domain Name System against tampering, eavesdropping, and abuse. DNS is the most critical network infrastructure—almost all attacks exploit DNS. DNS security measures include DNSSEC, DNS over HTTPS (DoH), DNS over TLS (DoT), and blocking malicious domains.

DORA (Digital Operational Resilience Act) | Compliance & Law

EU Regulation (2022/2554) on digital operational resilience in the financial sector. Mandatory for 20 categories of financial firms as of January 17, 2025. Regulates ICT risk management, incident reporting, and resilience testing.

DSGVO (General Data Protection Regulation, GDPR) Compliance & Law

The EU General Data Protection Regulation (GDPR), in effect since May 2018, requires all companies that process the personal data of EU citizens to comply with its provisions. Fines of up to 4% of global annual revenue or €20 million—whichever is higher.

GDPR Third-Country Transfers - Structuring International Data Transfers Lawfully Data Protection & Compliance

Chapter V of the GDPR governs the transfer of personal data to third countries outside the EU/EEA. The legal bases are: adequacy decisions (e.g., the EU-US DPF since 2023), Standard Contractual Clauses (SCCs), Binding Corporate Rules, and exceptions under Article 49. U.S. cloud services (AWS, Azure, Google, Salesforce) have been legally usable again since the EU-US Data Privacy Framework.

E

Email Gateway (SEG - Secure Email Gateway) Email Security

A Secure Email Gateway (SEG) is a security solution that scans incoming and outgoing emails for malware, phishing, spam, and policy violations. SEGs analyze email headers, bodies, and attachments, use sandboxes for suspicious files, and enforce anti-spoofing mechanisms (SPF, DKIM, DMARC). Market leaders include Proofpoint, Mimecast, Microsoft Defender for Office 365, and Cisco Secure Email.

Endpoint Detection and Response (EDR) - Behavior-Based Endpoint Protection Endpoint Security

EDR (Endpoint Detection and Response) goes beyond traditional antivirus: instead of simply comparing signatures, EDR analyzes process behavior in real time. It detects fileless malware, lateral movement, memory injection, and LOLBin abuse. Key products: Microsoft Defender for Endpoint, CrowdStrike Falcon, SentinelOne, Palo Alto Cortex XDR. XDR (Extended Detection and Response) extends EDR to include network, cloud, and identity into a unified platform.

EPSS - Exploit Prediction Scoring System Vulnerability Management

EPSS (Exploit Prediction Scoring System) is a data-driven model developed by FIRST (Forum of Incident Response and Security Teams) that calculates the probability that a CVE will be actively exploited in the wild within the next 30 days. EPSS supplements CVSS (which only assesses severity) by incorporating a probability of exploitation, thereby enabling risk-based prioritization.

Ethical Hacking Offensive Security

Authorized testing of IT systems by security experts using the same methods as real attackers—with the goal of identifying and addressing vulnerabilities before criminal hackers can exploit them.

Exploit Offensive Security

An exploit is code, a technique, or a sequence of actions that takes advantage of a specific security vulnerability in software, hardware, or a system to gain unauthorized access or control.

H

HMAC (Hash-based Message Authentication Code) Cryptography

Cryptographic mechanism for message integrity checking and authentication: combines a message with a secret key using a hash function, so that only parties with the key can verify the code.

Honeypot Defensive Security

A single decoy system that lures attackers and records their behavior. Because no legitimate user has any reason to connect to it, every connection is automatically suspicious, so false positives do not occur. Honeypots are the foundation: deception technology extends this concept to canary tokens, fake credentials, and entire honeynet infrastructures.

Honeypot and Deception Technology - Exposing Attackers Early Detection & Response

A practical guide to implementing deception infrastructure: honeypots (Cowrie, T-Pot) for network detection, canary tokens for files and AD credentials, and commercial platforms (Attivo, Illusive). This guide supplements the basic entry on honeypots and the conceptual entry on deception technology with concrete deployment instructions.

HSTS - HTTP Strict Transport Security Protection Mechanisms

HTTP Strict Transport Security (HSTS) is an HTTP response header that instructs browsers to access a domain exclusively via HTTPS. After the first HTTPS connection, all subsequent HTTP connections are redirected to HTTPS on the client side before they reach the server. This prevents SSL stripping attacks and stops users from accidentally establishing unencrypted connections. Important parameters: max-age, includeSubDomains, preload.

HTTP Parameter Pollution (HPP) Vulnerability Classes

HTTP parameter pollution occurs when multiple parameters with the same name are sent in an HTTP request and backend systems interpret them differently. Attackers can use this to bypass validation logic, circumvent WAF rules, and trigger unexpected behavior. Affected: Parameter parsing in PHP (last value), ASP.NET (first value), Node.js (array) – the inconsistency between components is exploited.

HTTP Request Smuggling - Desynchronization of HTTP Proxies Attack Techniques

HTTP Request Smuggling (CWE-444) is an attack that exploits desynchronization between the front end (reverse proxy, CDN) and the back-end server. Differences in how Content-Length and Transfer-Encoding: chunked are interpreted allow attackers to "smuggle" HTTP requests. Variants: CL.TE (front end uses Content-Length, back end uses Transfer-Encoding), TE.CL (the reverse), TE.TE (both support TE but process an obfuscated TE header differently). Result: hijacking other users' requests, bypassing authentication, cache poisoning.

HTTP Security Headers Web Security

HTTP security headers are response headers that the web server sends with every response to tell the browser how to behave securely—which resources it is allowed to load, whether pages can be embedded in frames, and whether cookies are sent only over HTTPS. They are easy to implement and protect against a range of attacks.

I

IAM (Identity and Access Management) Access Control

Identity and Access Management (IAM) encompasses technologies and processes for managing digital identities and controlling who is permitted to access which resources.

IAST (Interactive Application Security Testing) DevSecOps

Interactive Application Security Testing (IAST) combines SAST and DAST: agents are injected directly into running applications and analyze code execution and data flows in real time as tests are performed. IAST detects more vulnerabilities than SAST alone, with fewer false positives than DAST—and without the need for a separate testing phase.

Identity Theft Threat Landscape

The unauthorized theft and misuse of another person's personal information—to enter into contracts, make purchases, commit crimes, or harm others in that person's name.

Identity Federation - Cross-Organizational Identity Management Identity & Access Management

Identity federation enables the secure use of identities across organizational boundaries—without the need for separate accounts. SAML 2.0, OpenID Connect, and WS-Federation are the protocols used. Typical use cases: 'Login with Azure AD,' B2B partner access, and cloud SSO. Security risks arise from incorrect trust configuration, insecure token validation, and overprivileged attributes.

Identity Governance and Administration (IGA) - Who May Do What, and Why? Identity & Access Management

Identity Governance and Administration (IGA) manages digital identities, access rights, and their lifecycles. Core functions: joiner/mover/leaver processes, Role-Based Access Control (RBAC), access reviews (regular revalidation of permissions), Segregation of Duties (SoD, the dual-control principle at the system level), recertification campaigns, and an audit trail for compliance. Products: SailPoint IdentityNow, Saviynt, One Identity, Microsoft Entra ID Governance.

IDOR - Insecure Direct Object Reference Web Security

Insecure Direct Object Reference (IDOR) is an access control vulnerability in which an application uses direct references to internal objects (user IDs, file paths, database keys) without performing authorization checks. Attackers manipulate these references to gain unauthorized access to data. IDOR is part of OWASP A01:2021 (Broken Access Control) and is one of the most common critical vulnerabilities in web applications and APIs.

IDS / IPS (Intrusion Detection/Prevention System) Network Security

Intrusion Detection Systems (IDS) detect suspicious network activity and attacks, while Intrusion Prevention Systems (IPS) also actively intervene to block attacks. Modern next-generation IPS systems combine signatures, behavioral analysis, and threat intelligence to provide multi-layered network defense.

Infrastructure as Code Security (IaC Security) DevSecOps

IaC Security refers to security practices for Infrastructure as Code—Terraform, Pulumi, AWS CloudFormation, Bicep, and Ansible. Security flaws in IaC templates directly lead to insecure cloud infrastructure: public S3 buckets, overprivileged IAM roles, missing encryption, and exposed ports. IaC scanning tools such as Checkov, tfsec, and Trivy detect misconfigurations before deployment.

Insecure Deserialization - Unsafe Object Deserialization Vulnerability Classes

Insecure deserialization (OWASP A08:2021) occurs when an application processes serialized objects from untrusted sources without sufficient validation. Attackers manipulate serialized data to call arbitrary methods during deserialization (gadget chains). Affected are Java (readObject), PHP (unserialize), Python (native serialization formats), .NET (BinaryFormatter), and Ruby (Marshal.load). Result: Remote Code Execution, Privilege Escalation, or Denial of Service.

Insider Threat Attack Methods

Security risks posed by individuals with legitimate system access: employees, contractors, or partners. Unlike social engineering, which relies on deceiving outsiders, the insider threat stems from the access itself, whether it is used maliciously (sabotage, data theft) or negligently (falling for phishing, misconfiguration).

Intrusion Prevention System (IPS) - Active Attack Detection and Prevention Network Security

An Intrusion Prevention System (IPS) analyzes network traffic in real time and actively blocks detected attacks, unlike an Intrusion Detection System (IDS), which only detects and alerts. IPS modes: inline (packet filtering in the network path), passive (out-of-band) with TCP reset. Detection methods: signature-based (Snort rules), anomaly-based (baseline comparison), behavior-based (UEBA). Integration into NGFW platforms (Palo Alto, Fortinet).

IOC (Indicator of Compromise) Security Operations

Indicators of Compromise (IOCs) are forensic artifacts or observations within a system or network that indicate past or ongoing compromise—such as known malware hashes, suspicious IP addresses, or unusual registry entries.

IPsec (Internet Protocol Security) Network Security

Protocol suite for secure communication over IP networks: encrypts and authenticates IP packets at the network layer (Layer 3)—the foundation for VPNs in corporate networks.

ISMS (Information Security Management System) Compliance & Standards

An Information Security Management System (ISMS) is a systematic approach to managing sensitive corporate information that encompasses processes, people, and IT systems and is based on the PDCA cycle.

ISO 27001 Compliance & Standards

International Standard for Information Security Management Systems (ISMS). ISO 27001 defines requirements for the establishment, operation, and improvement of an ISMS. ISO 27001 certification demonstrates proven information security—a prerequisite for many business relationships and NIS2 compliance.

ISO 27005 (Risk Management) Governance & Compliance

ISO/IEC 27005 is the international standard for information security risk management. It defines the process for risk identification, assessment, treatment, and communication as part of an ISMS in accordance with ISO 27001. ISO 27005 is a methodological guide, not a certifiable standard, and describes how risks are assessed and treated in a structured manner.

K

Kerberos - Network Authentication Protocol Authentication

Kerberos is a network authentication protocol based on symmetric keys and tickets. In the Windows Active Directory domain environment, Kerberos is the primary authentication protocol (replacing NTLM). Kerberos-specific attacks such as Kerberoasting (service ticket offline cracking), AS-REP Roasting, Pass-the-Ticket, Golden Ticket, and Silver Ticket are key attack techniques against Active Directory environments.

Kerberos Attacks - Golden Ticket, Silver Ticket, Kerberoasting Active Directory

Kerberos-based attacks exploit vulnerabilities in the Windows authentication protocol: Golden Ticket (KRBTGT hash → unlimited domain access), Silver Ticket (service hash → service access without DC contact), Kerberoasting (cracking SPN hashes offline), AS-REP Roasting (accounts without pre-authentication), Overpass-the-Hash (NTLM hash → Kerberos ticket). Detection via Microsoft Defender for Identity (MDI) and Zerologon monitoring.

AI Security - LLM Security and OWASP LLM Top 10 Emerging Threats

AI security encompasses measures to protect AI/ML systems from attacks, as well as the secure use of AI in security-critical contexts. Large Language Models (LLMs) are of particular importance: the OWASP LLM Top 10 (2025) catalogs the most significant risks, such as prompt injection, training data poisoning, LLM supply chain vulnerabilities, and excessive agency. The EU AI Act and NIST AI RMF establish regulatory frameworks.

KRITIS (Critical Infrastructures) Compliance & Law

Organizations and facilities that are essential to the functioning of society, whose failure or disruption would cause significant supply shortages or pose a serious threat to public safety. In Germany, these are regulated by the BSI-KritisV across 10 sectors.

Cryptography - Foundations of Digital Security Data Security

Cryptography protects confidentiality, integrity, and authenticity: symmetric encryption (AES-256-GCM) for performance, asymmetric encryption (RSA-4096, ECC P-384) for key exchange and signatures, and hybrid methods that combine both. Further topics: TLS 1.3 (mandatory; 1.0/1.1 deprecated), PKI and certificate chains, and the quantum threat from Shor's algorithm, answered by post-quantum cryptography (CRYSTALS-Kyber, CRYSTALS-Dilithium). BSI recommends: AES-256, RSA-3072+, SHA-256+.

L

Lateral Movement - How Attackers Spread Through the Network Attack Techniques

Lateral movement describes an attacker’s propagation after gaining initial access: pass-the-hash, pass-the-ticket, kerberoasting, overpass-the-hash, golden/silver ticket, DCSync. MITRE ATT&CK: TA0008. Tools: BloodHound (path analysis), Impacket, CrackMapExec, Cobalt Strike. Countermeasures: Network segmentation, Credential Guard, Protected Users Group, LAPS, tiered model, Privileged Access Management (PAM).

Least Privilege (Principle of Least Privilege) Identity & Access Management

A security principle that requires users, applications, and services to be granted only the minimum privileges necessary to perform their legitimate tasks. Least privilege dramatically reduces the attack surface: a compromised account with minimal privileges can cause only limited damage.

LFI/RFI - Local File Inclusion and Remote File Inclusion Vulnerability Classes

File inclusion vulnerabilities occur when web applications use filenames from user input in file-loading functions without sufficient validation. LFI (Local File Inclusion) reads local server files such as /etc/passwd or log files. RFI (Remote File Inclusion) includes external URLs, thereby enabling remote code execution. These are common attack vectors in PHP applications. Protection: Input validation, allow_url_include=Off, basename() normalization.

Living off the Land (LotL) - LOLBins and LOLBAS Attack Techniques

"Living off the Land" (LotL) refers to attack techniques in which attackers use only legitimate tools and utilities already present on the system (LOLBins = Living off the Land Binaries) instead of their own malware. By using PowerShell, WMI, certutil, regsvr32, mshta, and other built-in Windows tools, attackers evade antivirus detection and make forensic attribution more difficult. MITRE ATT&CK: T1218 (System Binary Proxy Execution).

M

Malware Malicious Software

A general term for any type of software developed with the intent to cause damage, steal data, or compromise systems—from viruses and Trojans to ransomware.

Man-in-the-Middle Attack (MitM) Attack Methods

An attack in which an attacker secretly inserts themselves between two communicating parties, intercepts the data traffic, and potentially manipulates it—without the sender or recipient noticing.

MDM (Mobile Device Management) Endpoint Security

Centralized management and security for corporate mobile devices (smartphones, tablets, laptops). MDM enables remote wipe, app distribution, encryption enforcement, and compliance monitoring—essential requirements for secure BYOD and corporate mobility strategies.

MDR (Managed Detection & Response) Security Operations

An outsourced security service in which an external provider detects, analyzes, and responds to threats around the clock. MDR combines XDR technology with human expertise—offering the most efficient solution for 24/7 security monitoring for companies without their own SOC team.

Memory Safety - Memory Safety Vulnerabilities Vulnerability Classes

Memory safety vulnerabilities arise in languages without automatic memory management (C/C++) due to incorrect manual memory management. Main categories: buffer overflow (stack/heap), use-after-free, double free, integer overflow, and format string bugs. Historically, this category accounts for ~70% of all critical CVEs in large software projects (Microsoft, Google). Protection: memory-safe languages (Rust, Go), AddressSanitizer, stack canaries, ASLR, DEP/NX.

MFA (Multi-Factor Authentication) Access Control

A security procedure that requires two or more independent factors from different categories (knowledge, possession, biometrics). MFA is the umbrella term—two-factor authentication (2FA) is a specific type that uses exactly two factors. Microsoft estimates that MFA prevents 99.9% of all account compromises.

Microsegmentation Network Security

Microsegmentation divides networks into isolated segments at the workload level—providing greater granularity than traditional VLAN segmentation. Each application, VM, or container is assigned its own firewall rules. This makes it significantly more difficult for ransomware and lateral movement to spread, as compromised systems cannot establish direct connections to other workloads.

MITRE ATT&CK Threat Intelligence

A comprehensive, publicly accessible knowledge base that documents real-world attacker tactics, techniques, and procedures (TTPs). ATT&CK (Adversarial Tactics, Techniques & Common Knowledge) is used by security teams worldwide as a common language for threat analysis, detection engineering, and purple teaming.

MITRE D3FEND Defensive Security

MITRE D3FEND is the counterpart to ATT&CK from a defender's perspective: a structured knowledge model for defensive cybersecurity techniques such as hardening, detection, isolation, and deception, with direct mappings to ATT&CK attack techniques.

Mobile Malware Endpoint Security

Mobile malware refers to malicious software that targets smartphones and tablets—including banking Trojans, spyware, stalkerware, SMS stealers, and ransomware. While mobile malware on iOS and Android differs technically from desktop malware, it is at least as dangerous: banking details, two-factor authentication codes, and personal communications are all stored on smartphones.

MSSP - Managed Security Service Provider Security Operations

A Managed Security Service Provider (MSSP) handles cybersecurity tasks as an external service provider: 24/7 SOC operations, SIEM management, vulnerability management, threat hunting, and incident response. MSSPs enable small and medium-sized businesses to achieve enterprise-level security without maintaining their own SOC team. The difference from MDR (Managed Detection & Response) lies in the active response to threats.

N

NDR (Network Detection and Response) Security Operations

A security solution that monitors all network traffic (east-west and north-south) using machine learning and behavioral analysis. NDR detects what EDR and firewalls miss: lateral movement, C2 communication over HTTPS, and agentless IoT attacks. In XDR platforms, NDR is integrated as network telemetry.

Network Access Control (NAC) Netzwerksicherheit

A security solution that controls which devices are allowed to connect to the corporate network. NAC verifies the identity and security status (patch level, antivirus, certificate) before granting network access—and automatically isolates non-compliant devices.

Network Monitoring / NDR Netzwerksicherheit

Network Monitoring monitors network traffic for anomalies, outages, and attacks. Network Detection and Response (NDR) is the security-focused evolution of this technology: using behavioral analysis, machine learning, and threat intelligence, NDR also detects zero-day attacks, lateral movement, and data exfiltration within the internal network.

Network Segmentation Perimeter Security

Dividing a network into isolated segments (VLANs, subnets, zones) to limit the spread of attackers following an initial breach. A core principle of the defense-in-depth strategy and a prerequisite for Zero Trust.

Network Security Network Security

The totality of all technical and organizational measures taken to protect networks and the data transmitted over them—including firewalls, IDS/IPS, network segmentation, encryption, and access controls.

NIS2 (NIS 2 Directive) Compliance & Law

EU Directive (2022/2555) on strengthening cybersecurity. In Germany, this applies to approximately 30,000 companies across 18 sectors with 50 or more employees or annual revenue of at least €10 million. Fines of up to €10 million.

NTLM - NT LAN Manager Authentication Authentication

NTLM (NT LAN Manager) is a Windows authentication protocol based on a challenge-response mechanism using the NT hash. Although it has been replaced by Kerberos as the primary AD protocol, NTLM is still used for local logins, fallback authentication, and SMB connections. Critical NTLM attacks: Pass-the-Hash (PtH) – authentication using only a hash without a plaintext password; NTLM Relay – an attacker redirects the authentication flow; Responder – NTLM hash capture on the local network.

O

OAuth 2.0 / OpenID Connect Identity & Access Management

OAuth 2.0 is an authorization framework that allows applications to access resources on a user’s behalf with limited permissions. OpenID Connect (OIDC) builds on OAuth 2.0 and adds authentication—the foundation for modern single sign-on and social login.

Open Redirect Web Security

An open redirect is a web application vulnerability in which an attacker exploits the redirect functionality of a legitimate website to send users to an external, attacker-controlled website. Although it does not directly involve code execution, open redirect serves as a catalyst for phishing (the legitimate-looking URL disguises the real destination), OAuth/OIDC token theft (redirect_uri manipulation), and as a stepping stone for SSRF. In OWASP API Security, open redirect is relevant to A3:2023 (Broken Object Property Level Authorization).

OSINT (Open Source Intelligence) Reconnaissance

Intelligence gathering methods using publicly available sources: social media, business directories, DNS, Shodan, job postings. Used by attackers for reconnaissance and by defenders for vulnerability analysis.

OT Security (Operational Technology Security) Industrial Security

Protection of Operational Technology—control systems, PLCs, SCADA, and industrial protocols in manufacturing, energy, water, and transportation. OT security differs fundamentally from traditional IT security: availability takes precedence over confidentiality.

OWASP Top 10 Web Application Security

The OWASP Top 10 is a regularly updated list of the ten most critical security risks for web applications, published by the Open Web Application Security Project Foundation.

P

Pass-the-Hash (PtH) - Lateral Movement with Stolen NTLM Hashes Attack Techniques

Pass-the-hash is an attack technique in which NTLM password hashes are used directly for authentication without knowing the plaintext password. It enables lateral movement in Windows networks. Tools: Mimikatz (sekurlsa::pth), Impacket (psexec.py, wmiexec.py), CrackMapExec. Protection: Windows Defender Credential Guard, Protected Users Group, SMB signing, LAPS, tier model.

Enterprise Password Managers - Centralized Credential Management Authentication

Enterprise password managers centrally manage login credentials: encrypted (AES-256), with approval workflows, audit logs, Active Directory integration, and SCIM provisioning. Key products: 1Password Business, Bitwarden for Teams, Keeper Enterprise, Dashlane Business, Delinea Secret Server (also for admins/PAM). Benefits: no more Post-it notes with passwords, strong, unique passwords for every site, secure team sharing without sharing passwords via email.

Patch Management Security Operations

A systematic process for identifying, testing, approving, and deploying software updates (patches) to address security vulnerabilities in IT systems.

Path Traversal - Directory Traversal Vulnerability Classes

Path traversal (CWE-22, OWASP A01:2021) allows attackers to access files outside the permitted directory using ../ sequences. Objective: Reading sensitive files (/etc/passwd, web.config, .env, SSH keys); in the worst-case scenario, writing or executing files. Variants: URL-encoded traversal (%2e%2e%2f), double-encoded (%252e%252e%252f), null-byte injection (.php%00), Windows paths with backslash notation. Protection: absolute path validation with realpath(), allowlist-based file selection.

Penetration Test Offensive Security

A penetration test (pentest) is an authorized, controlled attack on IT systems in which security experts simulate the methods of real attackers to identify and assess vulnerabilities.

Penetration Test Report Penetration Testing

A structured document that details the methods, findings, and recommendations of a penetration test. A professional penetration test report includes an executive summary, technical findings with CVSS scores, proof-of-concept, risk assessment, and prioritized recommendations.

Phishing Social Engineering

Phishing is a social engineering attack in which attackers use fake emails, websites, or messages to trick users into disclosing credentials or payment information, or into executing malware.

Phishing Simulation - Testing and Training Employees Realistically Security Awareness

Phishing simulations send controlled, fake phishing emails to employees to measure and improve their detection rates. Metrics: Click-through rate (target: <5%), reporting rate (target: >60%), credential submission rate. Platforms: KnowBe4, Proofpoint Security Awareness, Hoxhunt, Lucy Security, SoSafe. GDPR-specific requirement: The works council must be involved; results may not be used to discipline individual employees.

PKI (Public Key Infrastructure) Cryptography

A framework of policies, processes, and technologies for managing digital certificates and cryptographic key pairs—enabling encrypted communication, digital signatures, and identity verification in networks.

Port Scanning Penetration Testing

Port scanning is a reconnaissance technique used to determine which network ports are open on a system and which services are running on them. It is the first step in penetration testing and attacker reconnaissance—and at the same time an important tool for system administrators to take inventory.

Pretexting Social Engineering

An attack technique in which an attacker creates a fabricated identity or scenario (pretext) to manipulate the victim into disclosing information or performing certain actions—the refined foundation of every social engineering attack.

Privilege Escalation Attack Techniques

Privilege escalation refers to the technique by which an attacker, after gaining initial access, obtains higher privileges—moving from a standard user account to a local administrator or domain administrator.

Privileged Access Management (PAM) Identity Protection

A security solution for controlling, monitoring, and auditing privileged accounts (admins, service accounts, root). Prevents the misuse of IT superuser privileges—both by external attackers and insiders.

Privileged Access Workstation (PAW) - Secure Admin Workstation Privileged Access Management

A Privileged Access Workstation (PAW) is a dedicated, hardened computer used exclusively for administrative tasks—no email, no web browsing, no Office applications. The PAW concept follows Microsoft’s Tiered Administration Model: Tier 0 (Domain Controller), Tier 1 (Server), Tier 2 (Workstations). Technical details: separate VLAN, dedicated AD tier, Credential Guard, AppLocker whitelist, USB lock, dedicated VPN. Prevents the theft of admin credentials via phishing or malware on regular work computers.

Prototype Pollution - JavaScript Object Manipulation Vulnerability Classes

Prototype pollution is a JavaScript-specific vulnerability in which attackers manipulate the prototype chain of objects. Since all JavaScript objects inherit from `Object.prototype`, controlled inputs in `__proto__` or `constructor.prototype` keys can override global object properties. Result: Denial of Service, property injection for privilege escalation, and often remote code execution in Node.js. Affected: lodash, jQuery (historically), all deepmerge/cloneDeep implementations without protection.

Purple Team Penetration Testing

A collaborative security approach in which attackers (Red Team) and defenders (Blue Team) work together to improve detection and response. Purple Teaming bridges the gap between attack simulation and operational security improvements—with immediate feedback.

R

Race Condition (TOCTOU) - Timing-Based Security Vulnerability Vulnerability Classes

Race conditions (CWE-362) occur when a system's security depends on two or more operations being executed in a specific order, but parallel execution violates that order. TOCTOU (Time-Of-Check Time-Of-Use) is the most common form: checking and using a resource occur at different times. Security implications: double spending in financial applications, privilege escalation via temporary files, discount abuse, account takeover. Protection: atomic database operations, mutexes, optimistic locking.

Ransomware Malware

Ransomware is malware that encrypts a victim’s files or systems and demands a ransom for their restoration. It is one of the most common and costly cyber threats facing businesses.

Ransomware-as-a-Service (RaaS) Cybercrime

A criminal business model in which ransomware developers rent out their malware as a service to "affiliates" who carry out attacks and share the ransom proceeds. RaaS has made ransomware attacks massively scalable—no programming knowledge required.

RCE - Remote Code Execution Vulnerability Classes

Remote Code Execution (RCE) is the most critical class of vulnerabilities and allows an attacker to execute arbitrary code on the target system—without physical access. RCE results from vulnerabilities such as buffer overflows, deserialization errors, command injection, server-side template injection (SSTI), SQL injection with file write permissions, or path traversal in combination with file upload. CVSS score: typically 9.0–10.0 (Critical). RCE serves as the entry point for ransomware, lateral movement, and APT attacks.

Red Team / Blue Team / Purple Team Offensive Security

Red Team: The attacker team simulates realistic cyberattacks. Blue Team: The defender team detects and responds. Purple Team: Both teams collaborate to maximize learning outcomes.

Red Team / Blue Team / Purple Team - Attack and defense in concert Penetration Testing

The Red Team simulates realistic attacks over an extended period (weeks/months) against the company’s actual defenses—without the Blue Team’s (SOC/Incident Response) knowledge. Blue Team: Defense, detection, and response. Purple Team: Red and Blue teams collaborate for maximum learning impact. Difference from penetration testing: Red Team tests processes and people, not just technology. TIBER-EU is the standardized Red Team framework for the financial sector.

Risk Management (IT Security) Compliance & Standards

A systematic process for identifying, assessing, and addressing information security risks. ISO 27001 and NIS2 require a risk-based approach: risks are assessed based on their likelihood of occurrence and impact, and are mitigated through measures to bring them down to an acceptable level.

S

SAML (Security Assertion Markup Language) Identity & Access Management

An XML-based protocol for single sign-on (SSO) between an identity provider (IdP) and a service provider (SP). SAML allows users to log in once to the IdP and access multiple services without having to re-enter their password.

Sandboxing Malware Defense

An isolation technique that executes suspicious programs or code in a contained environment so that they cannot compromise real systems. A core concept of modern malware analysis and browser security.

SASE - Secure Access Service Edge Network Security

Secure Access Service Edge (SASE) is a network security framework that combines wide area networking (WAN) and network security functions (CASB, SWG, ZTNA, FWaaS, SD-WAN) into a unified cloud-native service. SASE solves the problem of outdated hub-and-spoke network architecture for a distributed workforce using cloud applications.

SAST / DAST / SCA (Application Security Testing) Secure Development

Three complementary methods for software security testing: SAST performs static analysis of source code, DAST dynamically tests running applications, and SCA checks third-party dependencies for known CVEs. Together, they form the foundation of modern CI/CD security pipelines.

SBOM - Software Bill of Materials Supply Chain Security

An SBOM (Software Bill of Materials) is a machine-readable inventory of all software components, libraries, and dependencies in an application—including open-source packages, versions, and licenses. SBOMs enable the rapid identification of affected systems in the event of new CVEs (e.g., Log4Shell) and are required by regulation under U.S. Executive Order 14028 and the EU Cyber Resilience Act.

Key Management - Managing cryptographic keys securely Cryptography

Key management covers the entire lifecycle of cryptographic keys: generation, distribution, storage, rotation, revocation, and deletion. Weak keys, insecure storage, or a lack of rotation render even strong encryption useless. Hardware Security Modules (HSMs), Key Management Services (KMS), and Secrets Managers are the technical solutions.

Vulnerability Scanner Vulnerability Management

Automated tools for identifying known security vulnerabilities in IT systems. Vulnerability scanners compare system configurations and software versions against CVE databases and generate prioritized lists of findings. Well-known tools: Nessus, OpenVAS, Qualys, Rapid7 InsightVM.

Secrets Management DevSecOps

Secrets management refers to the secure storage, management, rotation, and auditing of sensitive access credentials (passwords, API keys, certificates, database credentials) in software systems. Poor secrets management is one of the most common causes of data breaches—especially in cloud environments.

Secure Boot - Hardening the UEFI boot process against bootkits Endpoint Security

Secure Boot is a UEFI firmware standard that ensures only cryptographically signed bootloaders and operating system kernels are allowed to load. It protects against bootkits and rootkits that run before the operating system starts. Enabled via UEFI settings, configurable with custom keys (Custom Secure Boot). Supported by Windows 10/11, Linux (shim, GRUB), macOS (Apple T2/M1). Complemented by Measured Boot and TPM 2.0.

Secure by Design Application Security

A development philosophy in which security is embedded in the architecture and code from the very beginning—not as an after-the-fact patch. Secure-by-design principles include a minimal attack surface, secure defaults, defense in depth, and fail-safe defaults.

Security Awareness Training - Building the human firewall Security Awareness

Security awareness training equips employees to act as a human firewall: phishing detection, social engineering, password hygiene, mobile security, and GDPR obligations. Effective programs utilize phishing simulations (target click-through rate: <5%), micro-learning (3–5 min.), gamification, and spear-phishing-based refresher training. KPIs: Click-through rate, reporting rate, credential entry rate. Regulatory requirements: NIS2, ISO 27001 A.6.3, BSI IT-Grundschutz ORP.3.

Security Champions - Anchoring AppSec in development teams Security Operations

Security Champions are developers or engineers who serve as advocates for security within their teams. They act as a bridge between the security team and the development teams, promote secure coding practices, identify security risks early on, and help scale application security across the entire organization.

Security Logging and Log Management Security Operations

Systematic recording of security-related events in IT systems. The foundation for attack detection, forensics, and compliance verification. Without logging, incident response is blind—attackers can operate undetected.

Security Operations Center (SOC) Detection & Response

A Security Operations Center (SOC) is the central hub for real-time monitoring, detection, and response to cybersecurity incidents. SOCs bring together people, processes, and technology—SIEM, EDR, SOAR—to detect and combat threats 24/7.

Security Posture - Security posture and how to measure it Security Operations

Security posture describes the overall state of an organization’s cybersecurity—the sum of its policies, controls, maturity level, vulnerabilities, and threat exposure. A strong security posture is measurable (Secure Score, compliance rate, MTTD/MTTR) and is continuously assessed through CSPM, vulnerability management, and security audits.

Security Rating - Security rating (BitSight, SecurityScorecard) Security Management

Security ratings are continuous, automated assessments of an organization’s cybersecurity on a scale (typically 0–900 or A–F), based on publicly visible indicators: open ports, SSL configuration, DNS records, dark web entries, and compromised systems. Providers such as BitSight, SecurityScorecard, and RiskRecon are used for vendor risk assessments, cyber insurance, and executive reporting.

Server-Side Template Injection (SSTI) - Template engine attacks Vulnerability Classes

Server-side template injection occurs when user input is inserted directly into a template engine as template source without prior escaping. Attackers can exploit template syntax to execute server-side code, potentially escalating to remote code execution. Affected: Jinja2 (Python), Twig (PHP), Freemarker (Java), Handlebars (Node.js). A classic indicator is the probe {{7*7}} appearing as 49 in the output. Protection: render only trusted, static templates and pass user input to them as data, never as part of the template itself.

Serverless Security - Security in FaaS environments Cloud Security

Serverless security refers to securing Function-as-a-Service (FaaS) environments such as AWS Lambda, Azure Functions, and Google Cloud Functions. Attack vectors: event injection, overprivileged roles, insecure dependencies, broken access control at the function level, cold-start timing attacks, and excessively long timeouts. Protection: OWASP Serverless Top 10, minimal IAM permissions, layer validation, dependency scanning.

Session Fixation - Session takeover via a preset session ID Vulnerability Classes

Session fixation is an attack in which an attacker provides a valid session ID to a victim and waits until the victim authenticates using that pre-determined session. Unlike session hijacking (stealing an existing session), the attacker sets the session ID before the user logs in. After authentication, the attacker uses the known session ID to gain unauthorized access. Protection: generate a new session ID after login, SameSite cookies, HttpOnly flag.

Shadow API - Undocumented and uncontrolled API endpoints API Security

Shadow APIs are undocumented, forgotten, or unmanaged API endpoints that run in production without the security team’s knowledge. They arise from legacy systems, rapid development cycles, or shadow IT. Security risks include: no authentication, missing rate limits, and unpatched vulnerabilities. Detection is achieved through API discovery tools, traffic analysis, and API gateways.

Shadow IT - Uncontrolled IT outside IT governance IT Governance

Shadow IT refers to all IT systems, software, services, and devices that employees use without the knowledge or approval of the IT department. Common examples include using a personal Dropbox account for customer data, a WhatsApp group for project coordination, and ChatGPT for internal company documents. Shadow IT arises from frustration with IT bureaucracy—and creates unmanageable risks for security, compliance, and data protection.

Side-Channel Attack - Spectre, Meltdown and physical side-channel attacks Hardware Security

Side-channel attacks do not extract confidential data by exploiting vulnerabilities in the algorithm, but rather by observing physical characteristics: timing (Spectre, Meltdown – CVE-2017-5753/5754), power consumption (Differential Power Analysis), electromagnetic emissions, and acoustics (RSA key derived from fan noise). Spectre/Meltdown: speculative execution in x86 CPUs allows kernel memory to be read from user space.

SIEM Security Operations

Technology platform for log aggregation, correlation, and real-time alerting. SIEM detects and reports security incidents—SOAR automates the response, and the SOC manages human operations. SIEM is the 'eye,' SOAR is the 'arm,' and the SOC is the 'brain.'

Smishing (SMS Phishing) Social Engineering

Phishing attacks via text message or messaging apps. Smishing messages contain fake links to phishing sites or directly ask recipients to disclose sensitive information—often under the guise of package notifications, bank alerts, or official government communications.

SOAR (Security Orchestration, Automation and Response) Security Operations

A platform that automates security workflows, integrates various security tools, and orchestrates incident response processes. SOAR reduces the mean time to respond (MTTR) from hours to minutes through automated playbooks.

SOC (Security Operations Center) Security Operations

An organizational unit that monitors IT security 24/7, detects incidents, and responds to them. The SOC is the team—it uses SIEM as a technical detection platform and SOAR for automation. For detailed information on setting up a SOC, see the Security Operations Center article in the Wiki.

Social Engineering - The psychology of the attack Attack Techniques

Manipulating people rather than systems using psychological principles such as authority, urgency, and reciprocity. Tools: phishing (email), vishing (phone), smishing (SMS), pretexting, baiting. Unlike an insider threat, the attacker comes from outside the organization and uses deception to gain access. 91% of all cyberattacks begin with social engineering.

Spam Threat Landscape

Unwanted bulk emails or messages sent for advertising purposes, phishing, malware distribution, or fraud—one of the oldest and most widespread phenomena on the internet.

Spear-Phishing Social Engineering

A targeted phishing attack aimed at a specific person or organization—tailored with personal details, colleagues' names, and current context. Significantly more effective than generic phishing and harder to detect.

SPF (Sender Policy Framework) Email Security

SPF is a DNS-based email authentication protocol that specifies which mail servers are authorized to send emails on behalf of a domain.

SQL Injection Web Application Security

SQL injection is an attack in which an attacker injects malicious SQL code into input fields or parameters of a web application in order to gain unauthorized access to the database or manipulate data.

SSO - Single Sign-On Authentication

Single Sign-On (SSO) allows users to authenticate once and then access multiple applications and services without having to log in again. SSO is based on protocols such as SAML 2.0, OIDC/OAuth 2.0, and Kerberos. From a security perspective, SSO is a double-edged sword: it reduces password vulnerabilities, but a compromised SSO provider grants access to all connected services. Identity Providers (IdP): Azure AD/Entra ID, Okta, Ping Identity, Google Workspace.

SSRF - Server-Side Request Forgery Web Security

Server-Side Request Forgery (SSRF) is a vulnerability in which an attacker forces the server to send HTTP requests to internal or external resources that the attacker cannot directly access. SSRF can be used to attack cloud metadata APIs (AWS IMDSv1: 169.254.169.254), internal microservices, databases, and admin interfaces. SSRF ranks 10th on the OWASP Top 10 2021 (A10:2021) and is a common attack vector in cloud environments.

Steganography - Hidden communication in digital media Cryptography

Steganography refers to the art of hiding messages or data within seemingly innocuous carrier files (images, audio, video, documents) without revealing the existence of the hidden message. Unlike cryptography (which encrypts content), steganography conceals the existence of the communication. Attackers use it for malware command-and-control, data exfiltration, and watermarking.

Subdomain Takeover - Taking over orphaned subdomains Attack Techniques

A subdomain takeover occurs when a DNS record for a subdomain still points to an external service that is no longer active. Attackers can claim the orphaned resource on that service and host their own content under the legitimate subdomain. Typical vectors: GitHub Pages, Heroku, Azure, Netlify, AWS S3 buckets whose DNS records were not removed after account termination. Impact: Phishing under a legitimate domain, cookie theft, content spoofing, XSS against the main domain. Protection: Regular DNS audits, immediate CNAME cleanup.

Supply Chain Attack - The software supply chain as an attack vector Attack Techniques

Supply chain attacks compromise software or hardware before it reaches its destination: SolarWinds (18,000 victims, SUNBURST backdoor), XZ Utils backdoor (CVE-2024-3094), npm typosquatting, dependency confusion, malicious NPM packages, CI/CD pipeline compromise. Protection: SBOM (CycloneDX/SPDX), SLSA Framework, Sigstore/Cosign for package signing, private registry, dependency pinning.

Supply Chain Attack Attack Methods

Attack on the software supply chain: Instead of attacking the target company directly, attackers compromise a supplier, service provider, or shared software library. An infected update then infects thousands of customers at once.

T

Tabletop Exercise (Crisis Exercise) Incident Response

A simulated crisis exercise in which a security team runs through a hypothetical attack or incident during a meeting—without affecting any actual systems. Tabletop exercises identify gaps in incident response plans before a real incident occurs.

Threat Actor - Attacker categorization and attribution Threat Intelligence

Threat actors are the entities behind cyberattacks—classified by motivation, resources, and capabilities: nation-state groups (APT28, Lazarus), organized crime (ransomware-as-a-service), hacktivists, insider threats, and opportunistic script kiddies. Knowing which threat actor is involved determines which protective measures are appropriate.

Threat Hunting SOC & Monitoring

Threat hunting is the proactive, hypothesis-driven search for hidden threats within an organization’s infrastructure—before any alerts are triggered. Unlike reactive detection methods, threat hunting assumes that attackers are already inside the network and actively searches for indicators of their presence.

Threat Intelligence - Understanding attackers before they strike Threat Intelligence

Threat Intelligence (TI) is the systematic collection, analysis, and use of information about cyber threats: Indicators of Compromise (IOCs), Tactics, Techniques, and Procedures (TTPs), threat actors, and their motives. A distinction is made between Strategic (C-Level), Operational (SOC triage), and Tactical Intelligence (technical IOCs). Key sources: MISP, OpenCTI, VirusTotal, CISA, BSI, commercial feeds (Recorded Future, Mandiant, CrowdStrike Falcon Intel).

Threat Modeling Secure Development

A structured process for systematically identifying security threats in software development or IT architecture. STRIDE, PASTA, and DREAD are the best-known methods. Goal: To identify security vulnerabilities before code is written.

Timing Attack - Time-based side-channel attack Cryptography & Protocols

Timing attacks exploit differences in the execution time of cryptographic operations or comparison functions to infer confidential information. Classic attacks: password timing (early termination upon the first difference), RSA timing (modular exponentiation), cache timing (Spectre/Meltdown). Protection: Constant-time comparisons (hmac.compare_digest), blinding, branch-free implementations.

TISAX (Trusted Information Security Assessment Exchange) Compliance & Standards

An industry-specific security standard for the automotive industry, managed by the ENX Association. It is based on the VDA ISA questionnaire and is required by OEMs such as VW, BMW, and Mercedes as a supplier requirement.

TLS (Transport Layer Security) Cryptography

A cryptographic protocol for secure data transmission over the Internet—it encrypts the connection between the client and the server, authenticates the server using a certificate, and protects against eavesdropping and tampering. The successor to SSL.

TOMs (Technical and Organizational Measures) Data Protection & Compliance

Technical and organizational measures (TOMs) are security measures required under Article 32 of the GDPR that organizations must implement to protect personal data from unauthorized access, loss, or destruction.

TPM (Trusted Platform Module) Hardware Security

A dedicated security chip on the motherboard that securely stores cryptographic keys, verifies system integrity during boot, and serves as a hardware root of trust for BitLocker, Windows Hello, and other security features.

TTPs (Tactics, Techniques and Procedures) Threat Intelligence

A framework for describing attacker behavior: Tactics (What is the goal?), Techniques (How is it achieved?), and Procedures (Specific steps). TTPs are more consistent than IoCs—attackers change IP addresses, but rarely change their approach.

W

WAF (Web Application Firewall) Perimeter Security

A specialized firewall for HTTP/HTTPS traffic that protects web applications from attacks such as SQL injection, XSS, and the OWASP Top 10. It analyzes requests at the application layer (Layer 7)—going significantly deeper than traditional network firewalls.

Watering Hole Attack Attack Methods

An attack method in which criminals compromise websites that the target audience regularly visits. Instead of attempting a direct attack on the target, the "watering hole" is poisoned—much like a predator waiting at a watering hole.

Web Cache Poisoning - Cache-based attack Attack Techniques

Web cache poisoning is an attack in which an attacker uses unkeyed HTTP headers or parameters to inject malicious content into a web cache. This cached content is then served to other users without contacting the origin server. Attack vectors: manipulated HTTP headers (X-Forwarded-Host, X-Forwarded-Scheme), fat cookies, query string parameters. Result: XSS, open redirect, denial of service against many users simultaneously.

WebSocket Security - Security risks in real-time communication Vulnerability Classes

WebSockets enable bidirectional real-time communication between browsers and servers. Security risks arise from a lack of origin validation (cross-site WebSocket hijacking), a lack of authentication after the handshake, unencrypted ws:// connections instead of wss:// connections, and a lack of input validation in WebSocket messages. Protection: Validate Origin headers, enforce wss://, and use token authentication during the handshake.

Whaling Attack Methods

Highly specialized spear-phishing attacks targeting top executives (CEO, CFO, CISO). Attackers spend weeks researching their targets to create perfectly forged emails—often in the context of M&A, financial transactions, or confidential projects.

Z

Zero Trust Architecture - Trust no one, verify everything Network Security

Zero Trust replaces the outdated perimeter model (“trusted inside, untrusted outside”) with continuous verification: identity (who?), device (health status?), context (location, time, behavior). Core principles: Verify Explicitly, Least Privilege Access, Assume Breach. NIST SP 800-207, Microsoft Zero Trust, Google BeyondCorp. Technical components: Identity Provider (Azure AD/Okta), MDM/EDR for Device Trust, Microsegmentation, CASB, SASE.

Zero-Day Vulnerability Management

A zero-day (or 0-day) is a security vulnerability for which no patch from the vendor exists at the time of discovery or exploitation—defenders have zero days to respond.

Zero-Knowledge Proof Cryptography

A cryptographic method that allows a party to prove that it knows a secret without revealing the secret itself. The basis for privacy-preserving authentication and blockchain applications.

ZTNA (Zero Trust Network Access) Network Security

A network access method that replaces traditional VPNs. Instead of full network access, users and devices are granted access only to specific applications—following continuous verification of identity, device, context, and authorization.

Two-Factor Authentication (2FA) Identity Protection

A security procedure that requires two independent forms of identity verification—typically a password plus a one-time code (TOTP) or a hardware key. Prevents account takeovers even if passwords are stolen.
