The terms your CISO, DPO, or auditor actually uses — defined briefly, with how each concept maps to Engarde in practice.
63 terms
The discipline and toolchain that keeps the application itself secure across the SDLC — code review, SAST, DAST, SCA, secrets scanning, threat modelling, dependency hygiene, and runtime hardening.
Black-box runtime security testing that probes a running application from the outside — exercising HTTP endpoints, forms, and APIs to surface vulnerabilities that only appear when code actually executes.
Tools that continuously discover sensitive data across cloud and SaaS, classify it, map access paths, and flag exposure — a posture layer above DLP that focuses on where data sits rather than what crosses the perimeter.
Agent installed on every endpoint that continuously records process, file, network, and identity activity, detects malicious behaviour, and lets responders contain or reverse it from a central console.
Source-code analysis that inspects an application without running it — looking for injection patterns, unsafe deserialisation, hard-coded secrets, and other code-level weaknesses inside the SDLC.
Platform that ingests, normalises, and correlates security logs from across the estate, then alerts on patterns matching known attack behaviours — the SOC's central log and detection layer.
Platform that turns SIEM detections and other security signals into automated playbooks — opening tickets, isolating accounts, resetting MFA, collecting evidence — so analysts spend triage time on the cases that actually need humans.
Successor to EDR that correlates endpoint, identity, email, network, and cloud telemetry inside a single detection-and-response platform — designed to surface attack chains that no single sensor would catch alone.
Security model that treats every request as untrusted by default — no implicit network perimeter, every access decision is verified per-session against identity, device posture, and context.
Use of AI-generated synthetic voice — and increasingly video — to impersonate a known executive or colleague during a fraud attempt.
A social-engineering attack that bombards a user with MFA push prompts until they tap Approve out of annoyance or confusion.
An attack on an LLM-powered application that smuggles attacker instructions into the model's context, causing it to act against the operator's intent.
Malware that encrypts data and/or exfiltrates it, then demands payment for decryption or non-publication — almost always entering through a human-mediated step.
Cybercrime business model where ransomware operators rent their malware, infrastructure, and leak sites to affiliates in exchange for a cut of each ransom.
An intrusion that compromises a trusted upstream vendor — software, SaaS, MSP — to reach every downstream organization that uses it.
The executive accountable for an organization's information security strategy, risk posture, and regulatory exposure — known as RSSI in France.
The GDPR-mandated role responsible for monitoring an organization's compliance with EU data-protection law and acting as the contact point for the supervisory authority.
Ebbinghaus's 1885 finding that newly learned information decays exponentially — the reason annual security awareness training fails.
"When a measure becomes a target, it ceases to be a good measure" — the trap behind phishing click-rate as a security KPI.
Short, focused learning units — typically 30 seconds to 3 minutes — that fit inside the working day and survive the forgetting curve.
An evidence-based learning schedule that reactivates content at increasing intervals to counter the forgetting curve.
French certification, granted by ANS, that any organization hosting personal health data on behalf of a French controller must hold.
US federal law governing protected health information — the Security Rule explicitly mandates a security awareness and training program for the workforce.
International standard for an Information Security Management System (ISMS) — the closest thing to a global certification mark for security.
Payment-card data security standard maintained by the PCI Security Standards Council — Requirement 12.6 explicitly mandates a formal security awareness program.
AICPA attestation framework based on five Trust Services Criteria — the de facto B2B SaaS sales gate for North American buyers.
France's national cybersecurity agency — publishes the guidance, certifications (SecNumCloud, CSPN) and incident-response posture French organizations align with.
The California Consumer Privacy Act (CCPA, 2018) and its amendment the California Privacy Rights Act (CPRA, 2020) — the strongest US state privacy law, GDPR-adjacent in spirit, enforced by the California Privacy Protection Agency since 2023 and binding on any business worldwide that hits the thresholds while handling California residents' data.
U.S. federal law (2018) compelling U.S.-headquartered cloud providers to hand over customer data on lawful U.S. request — regardless of where the data is physically stored — which conflicts with EU data-protection law for EU customers.
France's independent data-protection authority — enforces GDPR, runs the 72-hour breach-notification clock and publishes binding guidance on personal-data handling.
EU Regulation 2022/2554 making digital operational resilience — including human-factor controls — directly binding on financial entities since 17 January 2025.
The GDPR clause requiring controllers and processors to implement appropriate technical and organizational measures — increasingly read to include behavioral controls.
Two overlapping but structurally different security frameworks — ISO 27001 is an international certification of your information-security management system; SOC 2 is a US-originated attestation report on how well your controls met the AICPA Trust Services Criteria over a defined period.
EU Directive 2022/2555 raising cybersecurity obligations across essential and important entities, with behavioral controls and training now in audit scope.
Two 2022 EU cybersecurity texts that overlap in spirit but apply differently — NIS2 is a horizontal directive covering 18 critical sectors (transposed nationally, with member-state variation), DORA is a sector-specific regulation directly binding on financial entities and their ICT providers; for a bank or insurer, DORA is lex specialis and wins on ICT topics.
The French Politique de Sécurité des Systèmes d'Information — an organization's master security policy, formalized following ANSSI's PSSI-E methodology.
ANSSI's qualification scheme for trusted cloud providers — proving both technical security and immunity to non-EU extraterritorial law (notably the U.S. CLOUD Act), required for French public-sector and critical-infrastructure cloud workloads.
The pre-intervention read of what employees actually do across SaaS, identity and email — the reference any subsequent behavior change is measured against.
The audit artifact showing that a risky behavior was detected, the employee was nudged, and the behavior was corrected — increasingly demanded over training completion certificates.
A risk-team metric anchored on what employees actually do over time, not on training completions or click-rate on simulated phishing emails.
The Gartner-coined category that replaces Security Awareness Training with behavior-centered, evidence-producing controls applied at the moment of risk.
The empirically documented gap between what employees know about cybersecurity and what they actually do at the moment of decision.
The legacy compliance-driven training category — annual e-learning modules and click-rate phishing tests — that Human Risk Management is now replacing.
An automated attack that replays username/password pairs leaked in third-party breaches against unrelated services, exploiting password reuse to take over accounts at scale.
Open authentication standards using device-bound asymmetric cryptography to deliver phishing-resistant sign-in — the practical answer to MFA fatigue and adversary-in-the-middle phishing.
An authentication scheme that requires two or more independent factors — something you know, have, or are — to verify a user, raising the cost of credential theft.
The practice of using the same password — or near-identical variants — across multiple services, turning any single breach into a multi-account compromise via credential stuffing.
An authentication architecture where one identity provider issues tokens that grant access to many downstream applications, reducing credential surface but concentrating blast radius.
A policy-enforcement layer that sits between users and cloud services to inspect traffic, block disallowed actions, and tag data — the gatekeeping model of SaaS security.
A set of technologies that inspect data at rest, in motion, or in use to prevent sensitive information from leaving authorized boundaries.
An external account — ex-vendor, former contractor, departed partner — that still has access to a SaaS workspace, file, or channel months or years after the work ended.
A SaaS calendar — typically Google Calendar or Microsoft 365 — whose visibility setting leaks meeting titles, attendees, locations, or links to anyone in the domain or on the public internet.
An access token a user issues to a third-party application via OAuth, giving that app standing permission to read or write data inside another SaaS — often beyond MFA, often forever.
Sharing a SaaS file or folder via an 'anyone with the link' setting that bypasses authentication — the most common quiet data leak inside Google Drive, SharePoint, Dropbox, and Notion.
Software, SaaS, or cloud services in use inside an organization without IT or security approval — invisible to inventory, unmanaged, and rarely off-boarded.