Cybersecurity Glossary

Security Terms, Explained Simply

A practical reference for IT leaders, compliance officers, and security teams. No jargon walls - just clear definitions of the concepts that matter.


A

Attack Surface

The total set of points where an attacker could try to enter or extract data from a system. This includes web applications, APIs, open ports, cloud services, third-party integrations, and even employee email addresses. Reducing your attack surface is one of the most effective ways to lower security risk - and the first step is knowing what it looks like. Regular penetration testing maps your attack surface and identifies weak points.

Vulnerability

Autonomous Pentesting

Penetration testing performed by AI agents that plan, execute, and report on security assessments without human intervention during the test itself. Unlike vulnerability scanners, autonomous pentest platforms attempt real exploitation - identifying not just potential weaknesses but proving which ones are actually exploitable. SQUR's multi-agent AI architecture delivers autonomous pentests in 24 hours at a fraction of traditional costs.

Testing
Learn more about autonomous pentesting

B

Black-Box Testing

A penetration testing approach where the tester has no prior knowledge of the target system's internals - simulating an external attacker. The tester discovers the attack surface and vulnerabilities from scratch, just as a real threat actor would. Compare with grey-box and white-box testing.

Testing

C

CVE (Common Vulnerabilities and Exposures)

A standardised naming system for publicly known cybersecurity vulnerabilities. Each CVE entry (e.g. CVE-2024-12345) has a unique ID, a description, and at least one public reference. When a penetration test or vulnerability scan finds an issue, mapping it to its CVE helps teams prioritise remediation using existing threat intelligence.

Vulnerability

CVSS Score (Common Vulnerability Scoring System)

An open standard for rating the severity of security vulnerabilities on a scale from 0 to 10. A CVSS score considers factors like how easy the vulnerability is to exploit, whether authentication is required, and the potential impact on confidentiality, integrity, and availability. Scores are grouped as: Low (0.1-3.9), Medium (4.0-6.9), High (7.0-8.9), and Critical (9.0-10.0). SQUR's reports include CVSS ratings for every finding to help teams prioritise remediation.

Full guide: What is a CVSS Score?
Vulnerability

D

DORA (Digital Operational Resilience Act)

An EU regulation (in force since January 2025) that requires financial entities to ensure their ICT systems can withstand, respond to, and recover from disruptions and cyber threats. DORA Article 24 mandates annual penetration testing of critical systems. Articles 26-27 define a more advanced requirement - threat-led penetration testing (TLPT) - for significant financial institutions. SQUR supports the Article 24 annual testing requirement with evidence-based reports delivered in 24 hours. SQUR does not provide TLPT services.

Full guide: What is DORA?
Compliance

E

Exploitation

The act of taking advantage of a vulnerability to gain unauthorised access, escalate privileges, or extract data. In a penetration test, exploitation is the step that proves a vulnerability is real and dangerous - not just theoretical. This is what separates a pentest from a vulnerability scan: scanners detect potential issues, while pentests prove them by attempting real exploitation.

Testing

F

False Positive

A security alert that incorrectly flags something as a vulnerability when it is not. False positives waste remediation effort and erode trust in security tooling. Traditional vulnerability scanners often produce high false-positive rates. SQUR uses dual-AI verification to validate every finding through actual exploitation, significantly reducing false positives in pentest reports.

Vulnerability

G

GDPR (General Data Protection Regulation)

The EU's data protection regulation, in effect since May 2018. GDPR requires organisations handling personal data of EU residents to implement appropriate technical and organisational measures to protect that data - which regulators increasingly interpret to include regular security testing. Article 32 specifically calls for processes to regularly test and evaluate the effectiveness of security measures. A penetration test is one of the most concrete ways to demonstrate this.

Compliance

Grey-Box Testing

A penetration testing approach where the tester has partial knowledge of the system - typically valid user credentials or limited documentation. This simulates an insider threat or a compromised user account. Grey-box testing often uncovers vulnerabilities that black-box testing misses, like privilege escalation or insecure direct object references (IDOR).

Testing

I

IDOR (Insecure Direct Object Reference)

A vulnerability where an application exposes internal references to objects (like database IDs or filenames) without proper access controls. An attacker can manipulate these references to access other users' data. IDOR is one of the most common web application vulnerabilities and is notoriously difficult for automated scanners to detect - but SQUR's AI agents identify IDOR with a 100% success rate in benchmark testing.

Vulnerability

ISO 27001

The international standard for information security management systems (ISMS). ISO 27001 provides a systematic framework for managing sensitive information through risk assessment, security controls, and continuous improvement. Annex A controls A.12.6 and A.18.2 reference vulnerability management and compliance checking, both of which regular penetration testing directly supports. Many European SMEs pursue ISO 27001 certification to demonstrate security maturity to customers and partners.

Compliance

M

Multi-Agent AI Architecture

A system design where multiple specialised AI agents collaborate on different aspects of a task. In autonomous pentesting, separate agents may handle reconnaissance, vulnerability identification, exploitation, and reporting - coordinated by an orchestration layer. This approach provides broader coverage and deeper analysis than a single-model system. SQUR uses a multi-agent architecture built on LangGraph to deliver comprehensive security assessments.

Testing

N

NIS2 Directive

The EU Network and Information Security Directive 2 - updated legislation (transposition deadline October 2024) that strengthens cybersecurity requirements for essential and important entities across sectors like energy, transport, health, and digital infrastructure. NIS2 requires organisations to implement risk-based security measures, including vulnerability handling and security testing. Unlike DORA (which targets financial services specifically), NIS2 applies broadly across critical sectors.

Compliance

O

OWASP (Open Worldwide Application Security Project)

A nonprofit foundation that produces freely available tools, documentation, and standards for web application security. The OWASP Top 10 is the most widely referenced list of critical web application security risks, covering vulnerabilities like injection, broken authentication, and security misconfiguration. Pentest reports are often mapped against OWASP categories to provide a standardised risk view.

Framework

P

PCI DSS (Payment Card Industry Data Security Standard)

A security standard for organisations that handle branded credit cards. PCI DSS Requirement 11.3 explicitly mandates regular penetration testing of cardholder data environments. Both internal and external pentesting are required at least annually and after significant infrastructure changes. For e-commerce businesses processing card payments, PCI DSS compliance is non-negotiable.

Compliance

Penetration Testing (Pentesting)

A controlled security assessment in which a tester - human or AI-driven - simulates real-world attacks against a system to identify exploitable vulnerabilities before malicious actors do. Unlike vulnerability scanning, a pentest involves actual exploitation: proving that weaknesses can be leveraged to breach systems, escalate privileges, or access sensitive data. Pentesting is required or recommended by most compliance frameworks including DORA, ISO 27001, PCI DSS, and SOC 2.

Full guide: What is Penetration Testing?
Testing

Privilege Escalation

An attack where a user gains higher access rights than intended - for example, a regular user gaining admin privileges. Privilege escalation can be vertical (gaining higher-level access) or horizontal (accessing another user's resources at the same level). Both are common penetration test findings and represent serious security risks.

Vulnerability

R

Remediation

The process of fixing a security vulnerability after it has been identified. Effective remediation includes understanding the root cause, applying the fix (patching, configuration change, code update), and verifying the fix through retesting. SQUR provides remediation guidance with every finding and offers free retesting to verify that fixes are effective.

Testing

Retest

A follow-up security test that verifies whether a previously identified vulnerability has been successfully remediated. Retesting is a critical step in the vulnerability lifecycle - without it, you cannot prove that a fix actually works. SQUR includes free retesting after remediation, so teams can close findings with confidence.

Testing

S

Scope (Pentest Scope)

The defined boundaries of a penetration test - specifying which systems, URLs, IP ranges, and application components are included (in scope) and excluded (out of scope). Clear scope definition is essential for legal compliance, efficient resource use, and meaningful results. SQUR allows per-URL scope configuration with granular permissions for access vs. exploitation.

Testing

SOC 2 (Service Organization Control 2)

An auditing standard developed by the AICPA for service providers storing customer data. SOC 2 evaluates controls related to security, availability, processing integrity, confidentiality, and privacy. While SOC 2 doesn't explicitly mandate pentesting, the Common Criteria (CC7.1) requires vulnerability management processes, and regular penetration testing is widely considered a best practice for demonstrating compliance.

Compliance

SQL Injection (SQLi)

An attack where malicious SQL code is inserted into input fields or parameters to manipulate a database. Successful SQL injection can lead to data theft, data modification, or complete database compromise. It remains one of the most common and dangerous web application vulnerabilities. SQUR's autonomous agents detect and exploit SQLi with a 100% success rate in benchmark testing.

Vulnerability

SSRF (Server-Side Request Forgery)

A vulnerability that allows an attacker to make the server send requests to unintended locations - potentially accessing internal services, cloud metadata endpoints, or other systems behind the firewall. SSRF is particularly dangerous in cloud environments where metadata services can expose credentials and configuration data.

Vulnerability

T

Threat Intelligence

Information about current and emerging cyber threats, collected and analysed to inform security decisions. Threat intelligence covers indicators of compromise (IoCs), attacker tactics and techniques, and vulnerability trends. Under DORA Articles 26-27, threat-led penetration testing (TLPT) must be informed by threat intelligence specific to the financial entity being tested.

Framework

TLPT (Threat-Led Penetration Testing)

An advanced form of security testing defined in DORA Articles 26-27 that simulates sophisticated, real-world attack scenarios based on current threat intelligence. TLPT involves red team exercises targeting critical functions on live production systems and is required at least every three years for significant financial entities. TLPT has specific requirements - including external threat intelligence providers and certified red team testers - that go beyond standard penetration testing. Note: SQUR supports DORA Article 24 annual testing, not TLPT.

Compliance

V

Vulnerability Scanning

An automated process that identifies known security weaknesses in systems, applications, or networks by comparing them against databases of known vulnerabilities. Scanners check for missing patches, misconfigurations, default credentials, and known CVEs. Unlike penetration testing, vulnerability scanning does not attempt exploitation - it flags potential issues without proving they are exploitable. This means scanners tend to produce more false positives and miss complex, chained attack paths.

Testing

W

White-Box Testing

A penetration testing approach where the tester has full access to source code, architecture documentation, and system credentials. This allows for deep analysis of application logic, code review for security flaws, and testing of internal components. White-box testing is thorough but time-intensive and typically reserved for high-value or high-risk applications.

Testing

X

XSS (Cross-Site Scripting)

A vulnerability that allows an attacker to inject malicious scripts into web pages viewed by other users. XSS can steal session cookies, redirect users to phishing sites, or modify page content. There are three types: Stored (persistent), Reflected (non-persistent), and DOM-based. XSS remains in the OWASP Top 10 and is a standard finding category in penetration test reports.

Vulnerability

XXE (XML External Entity)

A vulnerability in XML parsers that allows an attacker to interfere with an application's processing of XML data. XXE can lead to file disclosure, server-side request forgery, port scanning, and in some cases remote code execution. Applications that accept XML input without disabling external entity processing are at risk.

Vulnerability

Z

Zero-Day Vulnerability

A software vulnerability unknown to the vendor, with no available patch. Zero-days are particularly dangerous because there is no official fix and traditional vulnerability scanners (which rely on known CVE databases) cannot detect them. Autonomous penetration testing that explores application behaviour rather than matching known signatures has a better chance of discovering zero-day-like issues through logic testing and fuzzing.

Vulnerability

Test your defences in 24 hours

Autonomous pentesting with real exploitation, evidence-based reports, and free retesting. Starting at €1,995.
