Security Glossary
=================

Key terms and concepts in AI pentesting, application security, and autonomous vulnerability discovery.

A
-

### [Agentic Pentesting](/glossary/agentic-pentesting)

A multi-agent approach to penetration testing where specialized AI agents collaborate to find and exploit vulnerabilities.

### [AI Penetration Testing](/glossary/ai-penetration-testing)

The use of artificial intelligence agents to autonomously discover, exploit, and report security vulnerabilities in software systems.

### [AI Security Testing](/glossary/ai-security-testing)

The application of artificial intelligence and machine learning techniques to automate and enhance security testing processes.

### [API Security](/glossary/api-security)

The practice of protecting APIs from threats and vulnerabilities, covering authentication, authorization, rate limiting, and input validation.

### [Application Security (AppSec)](/glossary/application-security)

The discipline of protecting applications from threats by finding, fixing, and preventing security vulnerabilities throughout the software lifecycle.

### [Attack Simulation](/glossary/attack-simulation)

The practice of emulating real-world cyber attacks against systems to evaluate defensive capabilities and identify security gaps.

### [Attack Surface](/glossary/attack-surface)

The sum of all points in a system where an attacker can attempt to enter or extract data, including APIs, UI components, and network services.

### [Attack Surface Management (ASM)](/glossary/attack-surface-management)

The continuous discovery, inventory, classification, and monitoring of an organization's internet-facing assets and their security posture.

### [Automated Pentesting](/glossary/automated-pentesting)

Penetration testing that uses automated tools and scripts to discover and exploit vulnerabilities with minimal human involvement.

### [Automated Security Testing](/glossary/automated-security-testing)

The use of software tools to automatically test applications and systems for security vulnerabilities without manual intervention.

### [Autonomous Pentesting](/glossary/autonomous-pentesting)

Security testing that runs end-to-end without human intervention, from reconnaissance through exploitation to reporting.

B
-

### [Blue Team](/glossary/blue-team)

A defensive security team responsible for protecting an organization's assets by detecting, preventing, and responding to cyberattacks.

### [Broken Access Control](/glossary/broken-access-control)

A category of vulnerabilities where access restrictions are not properly enforced, allowing users to act outside their intended permissions.

### [Buffer Overflow](/glossary/buffer-overflow)

A vulnerability where a program writes data beyond the boundaries of allocated memory, potentially allowing code execution or crashes.

### [Bug Bounty](/glossary/bug-bounty)

A program where organizations reward external security researchers for responsibly discovering and reporting vulnerabilities in their systems.

C
-

### [CI/CD Security](/glossary/ci-cd-security)

Protecting continuous integration and delivery pipelines from attacks and integrating security checks into automated build and deployment processes.

### [Clickjacking](/glossary/clickjacking)

An attack that tricks users into clicking hidden elements on a transparent overlay, performing unintended actions on a trusted website.

### [Cloud Security](/glossary/cloud-security)

The set of policies, technologies, and controls that protect cloud-based systems, data, and infrastructure from threats.

### [Command Injection](/glossary/command-injection)

A vulnerability that allows attackers to run arbitrary operating system commands on the server through a vulnerable application.

### [Compliance](/glossary/compliance)

Adherence to security standards, regulations, and frameworks that govern how organizations protect data and manage risk.

### [Continuous Pentesting](/glossary/continuous-pentesting)

An approach to security testing where penetration tests run regularly or on every change, rather than as periodic engagements.

### [Continuous Security Testing](/glossary/continuous-security-testing)

An approach where security tests run continuously or on every code change, providing ongoing assurance rather than point-in-time assessments.

### [Cross-Site Request Forgery (CSRF)](/glossary/csrf)

An attack that tricks authenticated users into submitting unintended requests to a web application they are logged into.

### [Cross-Site Scripting (XSS)](/glossary/cross-site-scripting)

A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.

### [Crowdsourced Security](/glossary/crowdsourced-security)

A security testing model that leverages a community of independent researchers to find vulnerabilities, typically through bug bounty programs.

### [CVE (Common Vulnerabilities and Exposures)](/glossary/cve)

A standardized identification system for publicly known cybersecurity vulnerabilities, providing unique IDs like CVE-2024-12345.

### [CVSS (Common Vulnerability Scoring System)](/glossary/cvss)

A standardized framework for rating the severity of security vulnerabilities on a 0-10 scale, used to prioritize remediation efforts.

D
-

### [DAST (Dynamic Application Security Testing)](/glossary/dast)

A black-box testing methodology that analyzes running applications by sending requests and examining responses for security vulnerabilities.

### [Defense in Depth](/glossary/defense-in-depth)

A security strategy that layers multiple defensive mechanisms so that if one control fails, others continue to provide protection.

### [DevSecOps](/glossary/devsecops)

A development methodology that integrates security practices into every phase of the software development lifecycle.

### [Directory Traversal](/glossary/directory-traversal)

A vulnerability that allows attackers to access files and directories outside the intended web root by manipulating file path parameters.

### [DNS Rebinding](/glossary/dns-rebinding)

An attack that manipulates DNS resolution to bypass same-origin policy, allowing a web page to communicate with internal network services.

E
-

### [EASM (External Attack Surface Management)](/glossary/easm)

A specialized approach to discovering and monitoring an organization's externally exposed assets, services, and vulnerabilities from an attacker's perspective.

F
-

### [Fuzzing](/glossary/fuzzing)

An automated testing technique that provides invalid, unexpected, or random data as inputs to find crashes, hangs, and security vulnerabilities.

H
-

### [HTTP Request Smuggling](/glossary/http-request-smuggling)

A technique that exploits differences in how front-end and back-end servers parse HTTP requests, allowing attackers to smuggle malicious requests.

I
-

### [IAST (Interactive Application Security Testing)](/glossary/iast)

A hybrid testing approach that combines SAST and DAST by instrumenting the application runtime to detect vulnerabilities during execution.

### [Insecure Deserialization](/glossary/insecure-deserialization)

A vulnerability where untrusted data is used to reconstruct application objects, potentially leading to remote code execution.

### [Insecure Direct Object Reference (IDOR)](/glossary/idor)

A vulnerability where an application exposes internal object identifiers without proper authorization, allowing access to other users' data.

L
-

### [LLM (Large Language Model)](/glossary/llm)

An AI model trained on vast amounts of text data that can understand and generate human-like text, reason about complex tasks, and power autonomous agents.

### [Local File Inclusion (LFI)](/glossary/lfi)

A vulnerability that allows attackers to include files from the server's local filesystem, potentially exposing sensitive data or achieving code execution.

M
-

### [Multi-Agent Systems](/glossary/multi-agent-systems)

An architecture where multiple autonomous AI agents collaborate, each with specialized roles, to accomplish complex tasks more effectively than a single agent.

N
-

### [Network Segmentation](/glossary/network-segmentation)

Dividing a network into isolated segments to contain breaches and limit lateral movement by attackers between systems.

O
-

### [Open Redirect](/glossary/open-redirect)

A vulnerability where a web application redirects users to an attacker-controlled URL, enabling phishing and credential theft.

### [OWASP Top 10](/glossary/owasp-top-10)

A regularly updated list of the ten most critical web application security risks, published by the Open Web Application Security Project.

P
-

### [Patch Management](/glossary/patch-management)

The systematic process of identifying, acquiring, testing, and deploying software updates to fix security vulnerabilities.

### [Penetration Testing](/glossary/penetration-testing)

A systematic process of probing applications, networks, and systems for security vulnerabilities by simulating real-world attacks.

### [Privilege Escalation](/glossary/privilege-escalation)

A technique where an attacker gains higher access levels than originally granted, moving from a low-privilege user to an admin or root account.

### [Proof-Based Scanning](/glossary/proof-based-scanning)

A pentesting approach that validates vulnerabilities by safely exploiting them, providing proof of exploitability and eliminating false positives.

### [PTaaS (Penetration Testing as a Service)](/glossary/ptaas)

A cloud-delivered model for penetration testing that provides on-demand, continuous security assessments via a SaaS platform.

### [Purple Team](/glossary/purple-team)

A collaborative security approach where red team (attackers) and blue team (defenders) work together to improve an organization's security posture.

R
-

### [Race Condition](/glossary/race-condition)

A vulnerability where the timing of concurrent operations can be exploited to bypass security checks or cause unintended behavior.

### [Reconnaissance](/glossary/reconnaissance)

The initial phase of penetration testing where information about the target is gathered to identify potential attack vectors and entry points.

### [Red Team](/glossary/red-team)

An offensive security team that simulates real-world attacks against an organization to test its defenses and response capabilities.

### [Remote Code Execution (RCE)](/glossary/rce)

A critical vulnerability that allows an attacker to run arbitrary code on a target system remotely, often leading to full system compromise.

### [Remote File Inclusion (RFI)](/glossary/rfi)

A vulnerability that allows attackers to include and run files from remote servers, typically leading to immediate code execution.

S
-

### [SAST (Static Application Security Testing)](/glossary/sast)

A white-box testing methodology that analyzes application source code, bytecode, or binaries for security vulnerabilities without running the program.

### [SCA (Software Composition Analysis)](/glossary/sca)

A methodology that identifies and assesses the security risks of open-source and third-party components used in an application.

### [Security Misconfiguration](/glossary/security-misconfiguration)

Vulnerabilities arising from insecure default configurations, incomplete setups, or overly permissive settings in applications and infrastructure.

### [Server-Side Request Forgery (SSRF)](/glossary/ssrf)

A vulnerability that allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services.

### [Shift Left](/glossary/shift-left)

A development philosophy of performing tasks earlier in the lifecycle, commonly applied to testing, security, and quality assurance.

### [Shift-Left Security](/glossary/shift-left-security)

Moving security testing earlier in the software development lifecycle to catch vulnerabilities before they reach production.

### [Social Engineering](/glossary/social-engineering)

Manipulation techniques that exploit human psychology to trick people into revealing sensitive information or performing security-compromising actions.

### [SQL Injection](/glossary/sql-injection)

A code injection technique that exploits vulnerabilities in database query construction to access, modify, or delete data.

### [Subdomain Takeover](/glossary/subdomain-takeover)

A vulnerability where an attacker claims control of a subdomain that points to an unclaimed or decommissioned external service.

T
-

### [Threat Modeling](/glossary/threat-modeling)

A structured process for identifying potential security threats and vulnerabilities in a system, prioritizing risks, and planning mitigations.

V
-

### [Vulnerability Assessment](/glossary/vulnerability-assessment)

A systematic review of security weaknesses in a system, including identification, quantification, and prioritization of vulnerabilities.

### [Vulnerability Disclosure](/glossary/vulnerability-disclosure)

The process of reporting, acknowledging, and addressing security vulnerabilities, typically following responsible disclosure timelines.

### [Vulnerability Management](/glossary/vulnerability-management)

The continuous process of identifying, evaluating, prioritizing, and remediating security vulnerabilities across an organization's systems.

### [Vulnerability Scanning](/glossary/vulnerability-scanning)

Automated inspection of systems and applications to identify known security weaknesses using signature databases and heuristics.

W
-

### [WAF (Web Application Firewall)](/glossary/waf)

A security system that monitors, filters, and blocks HTTP traffic to and from a web application based on predefined security rules.

### [Web Application Security](/glossary/web-application-security)

The practice of protecting web applications from attacks by addressing vulnerabilities in code, configuration, and architecture.

X
-

### [XML External Entity (XXE)](/glossary/xxe)

A vulnerability in XML parsers that allows attackers to read local files, perform SSRF, or cause denial of service through malicious XML entities.

Z
-

### [Zero-Day Vulnerability](/glossary/zero-day-vulnerability)

A previously unknown security flaw that has no available patch, giving defenders zero days to prepare before it can be exploited.

[APVISO](/): Autonomous AI-powered penetration testing for modern web applications.

© 2026 APVISO. All rights reserved.
