Security Glossary
33 terms you will encounter in red team reports, board briefings, and security assessments. Each definition is written for practitioners, not textbooks.
Offensive Security
Attack techniques, adversary simulation, and red team operations.
APT
Advanced Persistent Threat. A prolonged, targeted intrusion where an attacker gains network access and remains undetected for weeks or months. APT groups are typically nation-state or state-sponsored actors with specific intelligence or sabotage objectives.
C2
Command and Control. The infrastructure an attacker uses to communicate with compromised systems inside a target network. C2 channels allow the operator to issue commands, move laterally, exfiltrate data, and maintain persistent access. Common C2 frameworks include Cobalt Strike, Sliver, and Mythic.
Exfiltration
The unauthorised transfer of data from a compromised system to an attacker-controlled location. Exfiltration is often the final objective in an intrusion. Methods include DNS tunnelling, HTTPS channels, cloud storage uploads, and physical media.
Initial Access
The first tactic in the MITRE ATT&CK framework. It covers the techniques adversaries use to gain their first foothold in a target network: spear phishing, exploiting public-facing applications, compromising supply chain software, or using valid credentials obtained through other means.
Lateral Movement
The techniques an adversary uses to move through a network after gaining initial access. The attacker pivots from one compromised system to another, escalating privileges and reaching high-value targets. Common methods include pass-the-hash, RDP hijacking, and token impersonation.
OSINT
Open Source Intelligence. Information gathered from publicly available sources: websites, social media, public records, code repositories, DNS records, and job postings. OSINT is the starting point for most red team reconnaissance and threat intelligence work.
Penetration Testing
A structured process of probing for vulnerabilities in an application, network, or system by safely attempting to exploit them. Pen testing has a narrower scope and defined boundaries compared to red teaming. Most engagements last 1-3 weeks and focus on a specific target.
Persistence
Techniques adversaries use to maintain access to a compromised system across reboots, credential changes, and network disruptions. Common methods include scheduled tasks, registry modifications, DLL hijacking, and firmware implants.
Phishing
An attack that uses deceptive emails, messages, or websites to trick recipients into revealing credentials, clicking malicious links, or downloading malware. Spear phishing targets specific individuals. It remains the most common initial access vector in real-world breaches.
Privilege Escalation
Exploiting a vulnerability or misconfiguration to gain elevated access. Vertical escalation means moving from a standard user to administrator. Horizontal escalation means accessing another user's resources at the same privilege level. Both appear in nearly every red team engagement.
Reconnaissance
The first phase of an attack. The adversary gathers information about the target to plan their operation. Passive recon uses publicly available data (OSINT). Active recon involves direct interaction with target systems, such as port scanning or social engineering calls.
Red Team
An independent group that simulates real-world adversary behaviour against an organisation. Red teams use the same tactics, techniques, and procedures as actual threat actors to find vulnerabilities and test whether detection and response controls work under pressure.
Defensive Security
Detection, response, monitoring, and blue team operations.
Blue Team
The defensive security team responsible for monitoring, detecting threats, and responding to incidents. Blue teams maintain security controls, tune detection rules, and investigate alerts. Their effectiveness is measured by how quickly they spot and contain adversary activity.
Defence in Depth
A security strategy that deploys multiple layers of controls throughout a system. If one layer fails, the next layer continues to protect. The principle applies to network segmentation, access controls, monitoring, and physical security alike.
EDR
Endpoint Detection and Response. Security technology that continuously monitors endpoints (laptops, servers, workstations) to detect, investigate, and respond to threats. EDR captures detailed telemetry that helps analysts trace attacker activity across the kill chain.
Incident Response
The structured process for handling a security breach or cyberattack. The goal is to contain damage, preserve evidence, restore operations, and prevent recurrence. Most frameworks follow six phases: preparation, identification, containment, eradication, recovery, and lessons learned.
SIEM
Security Information and Event Management. A platform that aggregates log data from across the environment, correlates events, and generates alerts when suspicious patterns appear. SIEM is the central nervous system of most SOC operations.
SOC
Security Operations Centre. A centralised team that monitors, detects, analyses, and responds to security incidents around the clock. SOC analysts use SIEM, EDR, and threat intelligence feeds to identify malicious activity across the organisation's environment.
Threat Intelligence
Evidence-based knowledge about threats to an organisation's assets. Threat intelligence provides context on who is attacking, how they operate, and what they target. It informs defensive priorities, detection rules, and red team scenario design.
Threat Modelling
A structured process for identifying potential threats, vulnerabilities, and attack vectors against a system or application. Threat modelling helps organisations prioritise security investments by mapping the most likely and most damaging attack scenarios before they occur.
Vulnerability Assessment
A systematic scan and review of security weaknesses in a system or network. Unlike penetration testing, vulnerability assessments identify and classify flaws without actively exploiting them. Output is a prioritised list of vulnerabilities ranked by severity.
XDR
Extended Detection and Response. An evolution of EDR that correlates security data across endpoints, networks, cloud workloads, and email into a single detection and response platform. XDR reduces alert fatigue by connecting related events automatically.
Frameworks & Methodologies
Security frameworks, methodologies, and structured testing approaches.
Cyber Kill Chain
A framework developed by Lockheed Martin that describes seven stages of a cyberattack: Reconnaissance, Weaponisation, Delivery, Exploitation, Installation, Command and Control, and Actions on Objectives. It helps defenders identify where to break the attack chain.
MITRE ATT&CK
A publicly accessible knowledge base of adversary tactics and techniques built from real-world observations. ATT&CK catalogues how threat actors operate across 14 tactical categories, from initial access through exfiltration. Red teams use it to structure engagements and map findings.
TIBER-EU
Threat Intelligence-Based Ethical Red Teaming, developed by the European Central Bank. TIBER-EU provides a standardised approach for intelligence-led red team tests on critical financial infrastructure. Tests run against live production environments with regulatory oversight. Adopted by 24+ EU member states plus Switzerland.
Compliance & Certification
Certifications, regulatory standards, and accreditation bodies.
CREST
The Council for Registered Ethical Security Testers. CREST is the leading international accreditation body for penetration testing, red teaming, and threat intelligence providers. It certifies both individuals and organisations. CREST accreditation is required or preferred for TIBER-EU, CBEST, and PCI DSS testing.
General Concepts
Foundational concepts that cross offensive and defensive domains.
Assume Breach
A security philosophy that presumes adversaries have already compromised or will compromise the environment. Organisations adopting this mindset invest in detection, containment, and response rather than relying solely on prevention. Red team engagements test whether this assumption holds.
Attack Surface
The total set of points where an attacker could attempt to gain unauthorised access. This includes network services, APIs, user interfaces, physical access points, and human targets. Reducing the attack surface is a fundamental defensive principle.
CVE
Common Vulnerabilities and Exposures. A standardised list of publicly disclosed security flaws, each assigned a unique identifier (e.g. CVE-2024-1234). CVE entries allow security teams, vendors, and researchers to reference the same vulnerability unambiguously.
CVSS
Common Vulnerability Scoring System. An open framework that rates the severity of security vulnerabilities on a scale from 0.0 to 10.0. Scores factor in exploitability, impact, and environmental context. A CVSS score of 9.0+ is rated Critical.
Purple Team
A collaborative exercise where red and blue teams work together in real time. The red team executes attack techniques while the blue team attempts to detect and block them. Findings feed directly into detection rule improvements and control tuning.
Zero Day
A software vulnerability with no available patch. The vendor either does not know about it or has not yet released a fix. Zero-day exploits are highly valued by threat actors and red teams because no defensive signature exists to detect them.
Social Engineering
The manipulation of people to perform actions or reveal confidential information. Techniques include phishing, pretexting, baiting, and tailgating. In red team engagements, social engineering is often the fastest path to initial access.