Cybersecurity Glossary — CVE, CVSS, ASM, CSPM and 40+ Terms Explained
A clear, practical reference for the security terms that matter most — from CVE and CVSS to ASM, CSPM, zero-day, and OWASP. Useful for security teams, developers, and executives.
ASM (Attack Surface Management)
The continuous process of discovering, inventorying, classifying, and monitoring all external-facing digital assets to identify and reduce exposure to cyberattacks. See: What is ASM?
CVE (Common Vulnerabilities and Exposures)
A standardized identifier for publicly known cybersecurity vulnerabilities. Each CVE has a unique ID (e.g., CVE-2021-44228 for Log4Shell), a description, and references. Maintained by MITRE, published in the National Vulnerability Database (NVD).
CVSS (Common Vulnerability Scoring System)
A framework for rating the severity of security vulnerabilities on a scale of 0–10. CVSS considers exploitability (attack vector, complexity, privileges required) and impact (confidentiality, integrity, availability). Scores: Critical (9–10), High (7–8.9), Medium (4–6.9), Low (0.1–3.9).
CWE (Common Weakness Enumeration)
A categorized list of software and hardware weaknesses — the root causes behind vulnerabilities. Where CVE describes a specific vulnerability instance, CWE describes the underlying weakness class (e.g., CWE-89 = SQL Injection, CWE-79 = XSS).
CSPM (Cloud Security Posture Management)
Continuous monitoring and assessment of cloud infrastructure configurations to detect misconfigurations, compliance gaps, and security risks in AWS, Azure, and GCP environments. See: What is CSPM?
DAST (Dynamic Application Security Testing)
Security testing that analyzes a running application from the outside — simulating attacks without access to source code. Detects vulnerabilities that only appear at runtime, like injection flaws and broken authentication.
SAST (Static Application Security Testing)
Security analysis of source code, bytecode, or binaries without executing the application. Detects vulnerabilities early in development but cannot find runtime issues or configuration problems.
EPSS (Exploit Prediction Scoring System)
A probability score (0–100%) predicting the likelihood that a CVE will be exploited in the wild within the next 30 days. Developed by FIRST, EPSS helps teams prioritize patching by exploitability — not just theoretical severity.
CISA KEV (Known Exploited Vulnerabilities)
A catalog maintained by the U.S. Cybersecurity and Infrastructure Security Agency listing CVEs with confirmed, active exploitation in the wild. CISA KEV status is the strongest signal to prioritize a vulnerability — these are being actively used by attackers right now.
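The three entries above (CVSS, EPSS, CISA KEV) are the signals a vulnerability-management team combines when deciding what to patch first. The following Python is an added example, not code from this page or any vendor tool, showing one way to turn those signals into a ranked patch list: KEV membership outranks everything, then EPSS probability gated by CVSS band, then CVSS severity alone. The EPSS threshold of 10% and the tier ordering are assumptions chosen for illustration; the findings are constructed sample data, with CVE-2021-44228 (Log4Shell, cited above) given a constructed EPSS value and the other IDs being obvious placeholders.

```python
"""Rank findings by CISA KEV status, EPSS probability and CVSS severity.
Added example; sample data and the 10% EPSS threshold are constructed assumptions."""
from dataclasses import dataclass

EPSS_THRESHOLD = 0.10  # assumption: >=10% chance of exploitation within 30 days counts as "likely exploited"


@dataclass
class Finding:
    cve: str
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability, 0.0-1.0 (the page expresses this as 0-100%)
    in_kev: bool  # listed in the CISA Known Exploited Vulnerabilities catalog


def cvss_severity(score: float) -> str:
    """Map a CVSS base score to the qualitative bands listed on the page.
    0.0 is outside those bands (Low starts at 0.1); CVSS labels it 'None'."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def priority_tier(f: Finding) -> int:
    """Lower number = more urgent.
    1: confirmed exploitation (KEV)            2: likely exploited AND Critical/High
    3: Critical/High but not likely exploited   4: likely exploited but Medium/Low
    5: everything else."""
    severe = cvss_severity(f.cvss) in ("Critical", "High")
    likely = f.epss >= EPSS_THRESHOLD
    if f.in_kev:
        return 1
    if likely and severe:
        return 2
    if severe:
        return 3
    if likely:
        return 4
    return 5


def prioritize(findings: list[Finding]) -> list[Finding]:
    """Sort by tier, then by descending EPSS, then by descending CVSS."""
    return sorted(findings, key=lambda f: (priority_tier(f), -f.epss, -f.cvss))


# Constructed sample findings. CVE-2021-44228 is the page's Log4Shell example;
# its EPSS value here is made up, and the CVE-EXAMPLE-* IDs are placeholders.
SAMPLE_FINDINGS = [
    Finding("CVE-2021-44228", 10.0, 0.97, True),
    Finding("CVE-EXAMPLE-0001", 9.8, 0.02, False),   # critical on paper, rarely exploited
    Finding("CVE-EXAMPLE-0002", 7.5, 0.45, False),   # high and likely exploited
    Finding("CVE-EXAMPLE-0003", 5.3, 0.30, False),   # medium but likely exploited
    Finding("CVE-EXAMPLE-0004", 3.1, 0.001, False),  # low, negligible exploitation
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_FINDINGS):
        print(f"tier {priority_tier(f)}  {f.cve:18} CVSS {f.cvss:4} ({cvss_severity(f.cvss):8}) "
              f"EPSS {f.epss:.1%}  KEV={f.in_kev}")
```

Note how CVE-EXAMPLE-0001 (CVSS 9.8) drops below CVE-EXAMPLE-0002 (CVSS 7.5): severity alone would have patched it first, but its 2% EPSS says it is rarely used in the wild. Whether a likely-exploited Medium should outrank an unexploited Critical (tiers 3 and 4 here) is a policy choice each team should set explicitly.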
Zero-day
A vulnerability that is unknown to the software vendor and has no available patch. "Zero days" refers to the number of days the vendor has had to fix it. Zero-days are especially dangerous because defenders cannot patch what they don't know about.
Exploit
Code or a technique that takes advantage of a vulnerability to gain unauthorized access, escalate privileges, or cause damage. A CVE describes the vulnerability; an exploit is the mechanism to trigger it.
Shadow IT
Cloud services, SaaS tools, or infrastructure deployed by teams without central IT or security team awareness or approval. Shadow IT expands the attack surface invisibly — ASM tools discover it automatically.
SBOM (Software Bill of Materials)
A formal, machine-readable inventory of all software components and dependencies in an application. SBOMs enable rapid response to new CVEs by quickly identifying which systems use the affected component.
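The SBOM entry says a bill of materials lets you answer "which of our systems ship the affected component?" as soon as a CVE lands. The following Python is an added example, not code from this page, that walks a small constructed CycloneDX-style SBOM (including nested transitive components) and lists every occurrence of a named package below a fix version. The SBOM content and the "reporting-lib" component are made up; the package coordinates for log4j-core and the 2.15.0 fix boundary are used purely as an illustrative query for the page's Log4Shell example, and the version comparison is a deliberately simple dotted-integer compare rather than full Maven semantics.

```python
"""Find components in a CycloneDX-style SBOM that fall below a fixed version.
Added example; the SBOM document below is constructed, not a real project's."""
import json
from typing import Iterator

# Constructed CycloneDX-style SBOM fragment. "reporting-lib" is a made-up
# first-party library that bundles its own (transitive) dependencies.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api", "version": "2.14.1",
     "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "com.example", "name": "reporting-lib", "version": "3.2.0",
     "purl": "pkg:maven/com.example/reporting-lib@3.2.0",
     "components": [
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.17.1",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
       {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core", "version": "2.0-beta9",
        "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"}
     ]}
  ]
}
"""


def load_sbom(text: str) -> dict:
    """Parse the SBOM and check it is the format we expect."""
    sbom = json.loads(text)
    if sbom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    return sbom


def parse_version(v: str) -> tuple:
    """Simplified version key: drop any '-suffix' (e.g. '2.0-beta9' -> (2, 0)) and
    compare the dotted numeric parts. Assumption: good enough for this demo."""
    core = v.split("-")[0]
    return tuple(int(p) for p in core.split("."))


def iter_components(components: list, path: tuple = ()) -> Iterator[tuple]:
    """Depth-first walk yielding (path_of_names, component) including nested components."""
    for c in components:
        here = path + (c["name"],)
        yield here, c
        yield from iter_components(c.get("components", []), here)


def affected_components(sbom: dict, group: str, name: str, fixed_in: str) -> list[str]:
    """Return 'parent > child@version' strings for every matching component with version < fixed_in."""
    fixed = parse_version(fixed_in)
    hits = []
    for path, c in iter_components(sbom.get("components", [])):
        if c.get("group") == group and c.get("name") == name and parse_version(c["version"]) < fixed:
            hits.append(" > ".join(path) + "@" + c["version"])
    return hits


if __name__ == "__main__":
    for hit in affected_components(load_sbom(SBOM_JSON), "org.apache.logging.log4j", "log4j-core", "2.15.0"):
        print("affected:", hit)
```

The nested walk is the part that matters in practice: the vulnerable copy is often not a direct dependency but one bundled inside something else, and a flat grep of top-level components would miss it.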
OWASP (Open Web Application Security Project)
A non-profit foundation that publishes open standards, tools, and guides for web application security — most notably the OWASP Top 10, a list of the most critical web application security risks. See: OWASP Top 10
Threat Intelligence
Evidence-based knowledge about existing or emerging threats — including attacker TTPs (tactics, techniques, procedures), IOCs (indicators of compromise), and context. Used to prioritize defenses and anticipate attacks.
IOC (Indicator of Compromise)
Artifacts observed in a network or system that indicate a potential breach — malicious IP addresses, file hashes, domain names, registry keys, or unusual network traffic patterns.
TTPs (Tactics, Techniques, and Procedures)
A framework (popularized by MITRE ATT&CK) describing how threat actors operate: their goals (tactics), how they achieve them (techniques), and specific implementation details (procedures).
Penetration Testing (Pen Test)
A simulated cyberattack performed by authorized security professionals to identify exploitable vulnerabilities. Unlike automated scanning, pen testers chain vulnerabilities and demonstrate real-world attack paths and business impact.
Red Team / Blue Team
Red team: offensive security professionals who simulate attackers. Blue team: defensive security professionals who detect and respond. Purple teaming involves both working together to improve detection and response.
SOC (Security Operations Center)
A team of security analysts who monitor, detect, analyze, and respond to cybersecurity incidents in real time — typically using a SIEM, threat intelligence feeds, and endpoint detection tools.
SIEM (Security Information and Event Management)
Software that aggregates and analyzes log data from across an organization's infrastructure to detect suspicious patterns and generate alerts. Common SIEMs: Splunk, Microsoft Sentinel, Elastic SIEM.
XDR (Extended Detection and Response)
A security platform that integrates data from multiple security layers — endpoints, network, cloud, email — to provide unified threat detection, investigation, and automated response.
WAF (Web Application Firewall)
A security control that monitors and filters HTTP traffic to and from a web application, blocking common attacks like SQL injection, XSS, and CSRF. A WAF reduces exposure but does not eliminate underlying vulnerabilities.
IDS / IPS (Intrusion Detection / Prevention System)
IDS monitors network traffic for suspicious patterns and alerts. IPS can also block malicious traffic. Both are network-layer controls that detect known attack signatures and anomalous behavior.
MFA (Multi-Factor Authentication)
Authentication requiring two or more verification factors — something you know (password), something you have (OTP/hardware key), or something you are (biometric). MFA prevents credential-based account takeover.
Principle of Least Privilege
A security design principle stating that users, systems, and processes should have only the minimum permissions needed to perform their function. Reduces blast radius when credentials or systems are compromised.
Zero Trust
A security model based on "never trust, always verify" — no user, device, or service is inherently trusted, regardless of network location. Every access request is authenticated, authorized, and continuously validated.
SSL/TLS
Cryptographic protocols that provide encrypted communication over the internet. TLS (Transport Layer Security) is the modern version; SSL is deprecated. All websites should use TLS 1.2 or 1.3. Weak configurations (TLS 1.0/1.1, weak ciphers) are flagged by Xentinel.
SSRF (Server-Side Request Forgery)
A vulnerability where an attacker forces the server to make HTTP requests to unintended destinations — internal services, cloud metadata endpoints (AWS 169.254.169.254), or external systems. Used in the Capital One breach to steal IAM credentials.
SQL Injection
An injection attack where malicious SQL code is inserted into a query via user input, allowing attackers to read/modify databases, bypass authentication, or execute OS commands. Remains one of the most common and damaging vulnerabilities despite being well-understood.
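To make the CWE-89 weakness class concrete, here is an added Python example (not code from this page) that puts a vulnerable login check beside its hardened form using the standard-library sqlite3 module and a constructed in-memory users table. The vulnerable version builds SQL by string formatting, so input containing a quote is interpreted as SQL; the hardened version passes the same input as a bound parameter, so the database treats it strictly as data. The table contents and the placeholder "hash" strings are made up.

```python
"""SQL injection (CWE-89): string-built query beside its parameterized fix.
Added example with a constructed in-memory database."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed users table; the password_hash value is a placeholder string."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password_hash TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('alice', 'hash-of-correct-password')")
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """VULNERABLE: user-controlled strings are concatenated into the SQL text,
    so a quote in the input changes the query's structure instead of its data."""
    sql = (f"SELECT 1 FROM users WHERE username = '{username}' "
           f"AND password_hash = '{password_hash}'")
    return conn.execute(sql).fetchone() is not None


def login_parameterized(conn: sqlite3.Connection, username: str, password_hash: str) -> bool:
    """HARDENED: the SQL text is fixed; values are bound as parameters and can
    never be parsed as SQL, whatever characters they contain."""
    sql = "SELECT 1 FROM users WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchone() is not None


if __name__ == "__main__":
    db = make_db()
    # A username containing a quote and a SQL comment marker, with a wrong password.
    # The vulnerable check is fooled because the comment removes the password clause;
    # the parameterized check correctly rejects it.
    odd_user, wrong_pw = "alice' --", "wrong"
    print("vulnerable  :", login_vulnerable(db, odd_user, wrong_pw))      # True  (bypass)
    print("parameterized:", login_parameterized(db, odd_user, wrong_pw))  # False (rejected)
```

The detection angle follows directly: a SAST rule flags the f-string query at review time, while a WAF or database-side query logging would only ever see the symptom. Parameterized queries remove the weakness itself rather than filtering inputs.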
XSS (Cross-Site Scripting)
An attack where malicious JavaScript is injected into web pages and executed in victims' browsers. Stored XSS persists in the database; reflected XSS is delivered via URL. Can steal session cookies, redirect users, or perform actions on behalf of victims.