Cybersecurity Glossary

Plain-language definitions of the terms we use most, from penetration testing to gap assessments. Each entry links to a deeper guide where one exists. For the long-form explainers, see our Definitions Series.

Assumed Breach
A test that starts where an attacker ends up anyway: already inside, with a foothold. Instead of spending days getting in, the tester begins with low-level access and sees how far it goes. It answers the question that matters most: when someone gets in, how bad does it get?
Attack Narrative
The story a good pentest report tells. Not a list of findings, but the step-by-step path the tester walked from first foothold to full compromise. It shows how small, individually minor issues chained into a real breach, which is what makes the risk land with engineers and executives alike.
Attack Surface
Everything an attacker could try to get in through: your websites, APIs, cloud accounts, wireless networks, employees, and the vendors connected to you. It is almost always larger than the inventory you think you have, which is why mapping it is step one of any honest assessment.
Business Logic Flaw
A weakness in how an application is meant to work, not in its code or configuration: applying one discount twice, for example, or skipping a payment step by reordering requests. Scanners miss these because nothing is technically broken; the rules just do not hold. Finding them takes a human who understands the workflow.
CIS Controls
A prioritized set of 18 security actions, published by the Center for Internet Security, ordered by how much they actually reduce risk. The first group, IG1, is the basic hygiene every organization should have, and it is where most fall short.
Gap Assessment
A structured comparison of your security program against a framework like CIS, NIST CSF, or ISO 27001. Unlike a vulnerability scan, it looks at governance, policy, and process, not just technical flaws, and hands you an ordered roadmap to close the distance.
Lateral Movement
How an attacker spreads after the first foothold, hopping from one system or account to the next toward something valuable. A single compromised laptop is rarely the goal; it is the doorway. Testing for lateral movement shows whether one breach stays contained or becomes a domain-wide problem.
NIST Cybersecurity Framework (CSF)
A widely adopted framework that organizes security into six functions: Govern, Identify, Protect, Detect, Respond, and Recover. It is the common language regulators and boards understand, which makes it a useful standard to measure a program against.
Penetration Testing
A hands-on security test where a human, working with permission, tries to break into your systems the way a real attacker would. Unlike a scan, a pentest proves what someone could actually do with a weakness, not just that the weakness exists.
Privilege Escalation
The move from limited access to powerful access, like a regular user account becoming an administrator. It is the hinge of most serious breaches, because the gap between "an attacker read one inbox" and "an attacker owns the network" is usually one successful escalation.
Purple Teaming
A collaborative exercise where the attacking team (red) and the defending team (blue) work together in real time. The attackers run techniques while the defenders watch their tools respond, tuning detection on the spot. It trades the surprise of a red team for faster, measurable improvement in what you catch.
Red Teaming
A goal-driven, adversary-style engagement that tests not just your defenses but whether your team notices and responds. Rather than finding every vulnerability, a red team picks an objective, like reaching customer data, and takes any realistic path to it, the way a determined attacker would.
Social Engineering
Attacks that target people instead of technology: phishing emails, phone pretexting, or talking past a front desk. Most breaches start here, because it is easier to trick a person than to defeat a firewall. Testing it shows whether your training and verification steps hold up under pressure.
Tabletop Exercise
A discussion-based breach simulation. Your team works through a realistic incident, like ransomware or a data breach, in a room, testing decisions and coordination without touching production systems. It surfaces the gaps in your response plan before a real incident does.
Virtual CISO (vCISO)
Fractional security leadership: an experienced security executive who runs your program part-time instead of as a full-time hire. A vCISO sets strategy, owns the roadmap, handles compliance and board reporting, and steps in during incidents, at a fraction of a full-time salary.
Vulnerability Assessment
An automated scan that catalogs known weaknesses across your systems: missing patches, misconfigurations, exposed services. It is fast and good for breadth, but it reports potential issues without proving they are exploitable. Most programs pair it with penetration testing for depth.
Web Application Penetration Testing
A focused test of a web app's security, covering authentication, access controls, input handling, and business logic. It catches the flaws scanners cannot reason about, like one user reaching another's data by changing a number in the URL.
Wireless Penetration Testing
A test of the security around your WiFi and other radios. It checks encryption strength, rogue access points, guest-network isolation, and how far your signal bleeds past the walls, because wireless is the rare attack surface an adversary can reach from the parking lot.

Ready to Strengthen Your Defenses?

Schedule a free consultation with our security experts to discuss your organization's needs.

Or call us directly at (445) 273-2873