Security Glossary
Key terms and concepts in AI pentesting, application security, and autonomous vulnerability discovery.
A
Agentic Pentesting
A multi-agent approach to penetration testing where specialized AI agents collaborate to find and exploit vulnerabilities.
AI Penetration Testing
The use of artificial intelligence agents to autonomously discover, exploit, and report security vulnerabilities in software systems.
AI Security Testing
The application of artificial intelligence and machine learning techniques to automate and enhance security testing processes.
API Security
The practice of protecting APIs from threats and vulnerabilities, covering authentication, authorization, rate limiting, and input validation.
Application Security (AppSec)
The discipline of protecting applications from threats by finding, fixing, and preventing security vulnerabilities throughout the software lifecycle.
Attack Simulation
The practice of emulating real-world cyber attacks against systems to evaluate defensive capabilities and identify security gaps.
Attack Surface
The sum of all points in a system where an attacker can attempt to enter or extract data, including APIs, UI components, and network services.
Attack Surface Management (ASM)
The continuous discovery, inventory, classification, and monitoring of an organization's internet-facing assets and their security posture.
Automated Pentesting
Penetration testing that uses automated tools and scripts to discover and exploit vulnerabilities with minimal human involvement.
Automated Security Testing
The use of software tools to automatically test applications and systems for security vulnerabilities without manual intervention.
Autonomous Pentesting
Security testing that runs end-to-end without human intervention, from reconnaissance through exploitation to reporting.
B
Blue Team
A defensive security team responsible for protecting an organization's assets by detecting, preventing, and responding to cyberattacks.
Broken Access Control
A category of vulnerabilities where access restrictions are not properly enforced, allowing users to act outside their intended permissions.
Buffer Overflow
A vulnerability where a program writes data beyond the boundaries of allocated memory, potentially allowing code execution or crashes.
Bug Bounty
A program where organizations reward external security researchers for responsibly discovering and reporting vulnerabilities in their systems.
C
CI/CD Security
Protecting continuous integration and delivery pipelines from attacks and integrating security checks into automated build and deployment processes.
Clickjacking
An attack that tricks users into clicking hidden elements on a transparent overlay, performing unintended actions on a trusted website.
Cloud Security
The set of policies, technologies, and controls that protect cloud-based systems, data, and infrastructure from threats.
Command Injection
A vulnerability that allows attackers to run arbitrary operating system commands on the server through a vulnerable application.
Compliance
Adherence to security standards, regulations, and frameworks that govern how organizations protect data and manage risk.
Continuous Pentesting
An approach to security testing where penetration tests run regularly or on every change, rather than as periodic engagements.
Continuous Security Testing
An approach where security tests run continuously or on every code change, providing ongoing assurance rather than point-in-time assessments.
Cross-Site Request Forgery (CSRF)
An attack that tricks authenticated users into submitting unintended requests to a web application they are logged into.
Cross-Site Scripting (XSS)
A vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users.
Crowdsourced Security
A security testing model that leverages a community of independent researchers to find vulnerabilities, typically through bug bounty programs.
CVE (Common Vulnerabilities and Exposures)
A standardized identification system for publicly known cybersecurity vulnerabilities, providing unique IDs like CVE-2024-12345.
CVSS (Common Vulnerability Scoring System)
A standardized framework for rating the severity of security vulnerabilities on a 0-10 scale, used to prioritize remediation efforts.
D
DAST (Dynamic Application Security Testing)
A black-box testing methodology that analyzes running applications by sending requests and examining responses for security vulnerabilities.
Defense in Depth
A security strategy that layers multiple defensive mechanisms so that if one control fails, others continue to provide protection.
DevSecOps
A development methodology that integrates security practices into every phase of the software development lifecycle.
Directory Traversal
A vulnerability that allows attackers to access files and directories outside the intended web root by manipulating file path parameters.
DNS Rebinding
An attack that manipulates DNS resolution to bypass same-origin policy, allowing a web page to communicate with internal network services.
I
IAST (Interactive Application Security Testing)
A hybrid testing approach that combines SAST and DAST by instrumenting the application runtime to detect vulnerabilities during execution.
Insecure Deserialization
A vulnerability where untrusted data is used to reconstruct application objects, potentially leading to remote code execution.
Insecure Direct Object Reference (IDOR)
A vulnerability where an application exposes internal object identifiers without proper authorization, allowing access to other users' data.
L
LLM (Large Language Model)
An AI model trained on vast amounts of text data that can understand and generate human-like text, reason about complex tasks, and power autonomous agents.
Local File Inclusion (LFI)
A vulnerability that allows attackers to include files from the server's local filesystem, potentially exposing sensitive data or achieving code execution.
P
Patch Management
The systematic process of identifying, acquiring, testing, and deploying software updates to fix security vulnerabilities.
Penetration Testing
A systematic process of probing applications, networks, and systems for security vulnerabilities by simulating real-world attacks.
Privilege Escalation
A technique where an attacker gains higher access levels than originally granted, moving from a low-privilege user to an admin or root account.
Proof-Based Scanning
A scanning approach that validates vulnerabilities by safely exploiting them, providing proof of exploitability and eliminating false positives.
PTaaS (Penetration Testing as a Service)
A cloud-delivered model for penetration testing that provides on-demand, continuous security assessments via a SaaS platform.
Purple Team
A collaborative security approach where red team (attackers) and blue team (defenders) work together to improve an organization's security posture.
R
Race Condition
A vulnerability where the timing of concurrent operations can be exploited to bypass security checks or cause unintended behavior.
Reconnaissance
The initial phase of penetration testing where information about the target is gathered to identify potential attack vectors and entry points.
Red Team
An offensive security team that simulates real-world attacks against an organization to test its defenses and response capabilities.
Remote Code Execution (RCE)
A critical vulnerability that allows an attacker to run arbitrary code on a target system remotely, often leading to full system compromise.
Remote File Inclusion (RFI)
A vulnerability that allows attackers to include and run files from remote servers, typically leading to immediate code execution.
S
SAST (Static Application Security Testing)
A white-box testing methodology that analyzes application source code, bytecode, or binaries for security vulnerabilities without running the program.
SCA (Software Composition Analysis)
A methodology that identifies and assesses the security risks of open-source and third-party components used in an application.
Security Misconfiguration
Vulnerabilities arising from insecure default configurations, incomplete setups, or overly permissive settings in applications and infrastructure.
Server-Side Request Forgery (SSRF)
A vulnerability that allows attackers to induce the server to make HTTP requests to arbitrary destinations, potentially accessing internal services.
Shift Left
A development philosophy of performing tasks earlier in the lifecycle, commonly applied to testing, security, and quality assurance.
Shift-Left Security
Moving security testing earlier in the software development lifecycle to catch vulnerabilities before they reach production.
Social Engineering
Manipulation techniques that exploit human psychology to trick people into revealing sensitive information or performing security-compromising actions.
SQL Injection
A code injection technique that exploits vulnerabilities in database query construction to access, modify, or delete data.
Subdomain Takeover
A vulnerability where an attacker claims control of a subdomain that points to an unclaimed or decommissioned external service.
V
Vulnerability Assessment
A systematic review of security weaknesses in a system, including identification, quantification, and prioritization of vulnerabilities.
Vulnerability Disclosure
The process of reporting, acknowledging, and addressing security vulnerabilities, typically following responsible disclosure timelines.
Vulnerability Management
The continuous process of identifying, evaluating, prioritizing, and remediating security vulnerabilities across an organization's systems.
Vulnerability Scanning
Automated inspection of systems and applications to identify known security weaknesses using signature databases and heuristics.
W
WAF (Web Application Firewall)
A security system that monitors, filters, and blocks HTTP traffic to and from a web application based on predefined security rules.
Web Application Security
The practice of protecting web applications from attacks by addressing vulnerabilities in code, configuration, and architecture.