Cybersecurity Glossary

Clear definitions of 52+ threat intelligence and cybersecurity terms — from IOCs and TTPs to CVSS scores, EPSS, and the CISA KEV catalog.

Threat Intelligence

IOC (Indicator of Compromise)

An Indicator of Compromise is a piece of forensic data — such as a malicious IP address, domain, URL, file hash, or email address — that signals a system has been compromised or attacked. Security teams use IOCs to detect, block, and investigate threats.

Threat Intelligence

Threat intelligence is evidence-based knowledge about cyber threats — including who is attacking, how, and why. It is used to make faster, better-informed security decisions. Actionable threat intelligence includes IOCs, TTPs, and context that security teams can act on immediately.

TTP (Tactics, Techniques, and Procedures)

TTPs describe the behavior of threat actors: the high-level goals they pursue (tactics), the specific methods they use to achieve those goals (techniques), and the detailed, repeatable actions that implement those methods (procedures). The MITRE ATT&CK framework catalogues TTPs used by real adversaries.

Threat Feed

A threat feed is a structured, continuously updated stream of IOCs and threat data from a single source or aggregator. Security tools ingest threat feeds to keep blocklists and detection rules current. Examples include Spamhaus DROP, abuse.ch URLhaus, and CISA KEV.

Dark Web

The dark web is a portion of the internet accessible only through anonymizing networks like Tor. It hosts illicit marketplaces, ransomware leak sites, stolen credential databases, and threat actor forums. Monitoring dark web sources provides early warning of breaches and planned attacks.

Threat Actor

A threat actor is any individual, group, or organization that conducts malicious cyber activity. Threat actors are classified by motivation (financial, espionage, hacktivism), capability (nation-state, organized crime, script kiddie), and targeting patterns. Attribution helps predict future attack patterns.

Threat Hunting

Threat hunting is the proactive, human-led search for threats that automated security tools have not detected. Hunters form hypotheses about attacker behavior, then query security telemetry (logs, EDR data, network flows) to confirm or refute them using TTPs from frameworks like MITRE ATT&CK.

Confidence Score

A confidence score quantifies how certain a threat intelligence system is that an indicator is malicious, given the evidence. isMalicious calculates confidence by weighting signals from 17 sources by their reliability, cross-correlating agreement, and applying time decay to older signals.
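The following is an added, illustrative model of such a score, not isMalicious's actual algorithm: each source's vote is scaled by its reliability and by an exponential time decay, and a fixed prior in the denominator means a lone source cannot reach full confidence, so agreement across independent sources is what drives the score up. The reliabilities, the 30-day half-life, the prior and the sightings are constructed assumptions.

```python
"""Illustrative confidence-score model: reliability-weighted votes with time decay.

Added example, not isMalicious's scoring algorithm. Source reliabilities, the
half-life, the agreement prior and the sample sightings are all constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone

HALF_LIFE_DAYS = 30.0   # assumed: a signal loses half its weight every 30 days
AGREEMENT_PRIOR = 1.0   # assumed: pseudo-weight a single source must overcome
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time


@dataclass(frozen=True)
class Sighting:
    source: str           # feed or scanner that reported the indicator
    malicious: bool       # True = flagged malicious, False = flagged clean
    reliability: float    # 0..1, historical trustworthiness of this source
    seen_at: datetime     # when the source last reported it


def decay(age_days: float) -> float:
    """Exponential time decay: 1.0 for a fresh signal, 0.5 after one half-life."""
    return 0.5 ** (max(age_days, 0.0) / HALF_LIFE_DAYS)


def confidence(sightings, now=NOW) -> float:
    """Confidence in [0, 1) that the indicator is malicious.

    Each source votes with weight reliability * decay(age). The prior keeps a
    lone source from reaching full confidence; several sources agreeing raise
    the score, and a clean verdict from a reliable source pulls it down.
    """
    votes_for = votes_against = 0.0
    for s in sightings:
        age_days = (now - s.seen_at).total_seconds() / 86400.0
        weight = s.reliability * decay(age_days)
        if s.malicious:
            votes_for += weight
        else:
            votes_against += weight
    return votes_for / (votes_for + votes_against + AGREEMENT_PRIOR)


# Constructed sightings of one indicator: two feeds say malicious (one fresh,
# one 30 days old); a scanner said clean 60 days ago.
SAMPLE_SIGHTINGS = [
    Sighting("feed_a", True, 0.9, datetime(2024, 6, 1, tzinfo=timezone.utc)),
    Sighting("feed_b", True, 0.6, datetime(2024, 5, 2, tzinfo=timezone.utc)),
    Sighting("scanner_c", False, 0.5, datetime(2024, 4, 2, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(f"confidence = {confidence(SAMPLE_SIGHTINGS):.3f}")
```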

SIEM (Security Information and Event Management)

A SIEM aggregates, normalizes, and correlates log data from across an organization's infrastructure to detect threats and support incident response. Popular SIEMs include Splunk, Microsoft Sentinel, and Elastic Security. Threat intelligence enrichment significantly improves SIEM detection accuracy.

SOC (Security Operations Center)

A Security Operations Center is a team (and facility) responsible for continuously monitoring, detecting, investigating, and responding to cybersecurity incidents. SOC analysts rely on threat intelligence, SIEM platforms, and playbooks to triage alerts efficiently.

Incident Response

Incident response (IR) is the structured process of detecting, containing, eradicating, and recovering from a security incident, then conducting a post-incident review to prevent recurrence. The SANS PICERL model defines six phases: Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned.

False Positive

A false positive in threat intelligence is a benign indicator incorrectly classified as malicious. High false positive rates waste analyst time and cause legitimate traffic to be blocked. isMalicious uses multi-source correlation and reliability weighting to minimize false positives below 0.1% for high-confidence verdicts.

False Negative

A false negative is a genuinely malicious indicator that a security system fails to detect or classify as a threat. False negatives are more dangerous than false positives because they allow real attacks to pass undetected. Coverage across multiple threat feeds reduces false negative rates.

Malware & Attacks

Ransomware

Ransomware is malware that encrypts a victim's files or systems and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware groups also exfiltrate data before encrypting and threaten to publish it — a tactic called double extortion.

C2 (Command and Control)

A Command and Control server is infrastructure used by attackers to remotely control compromised hosts (a botnet) and deliver instructions, exfiltrate data, or push malware updates. Blocking C2 communications is one of the most effective ways to disrupt an active attack.

Botnet

A botnet is a network of compromised devices ("bots") controlled by an attacker via a C2 server. Botnets are used for DDoS attacks, spam campaigns, credential stuffing, and ransomware delivery. Individual bots are often unaware they are compromised.

Malware

Malware is any software designed to harm, exploit, or gain unauthorized access to a system. It includes viruses, worms, trojans, ransomware, spyware, adware, rootkits, and more. Detection relies on file hashes, behavioral signatures, and threat intelligence feeds.

Phishing

Phishing is a social engineering attack that tricks users into revealing credentials, clicking malicious links, or downloading malware — typically via email. Spear phishing targets specific individuals; smishing uses SMS; vishing uses voice calls.

Double Extortion

Double extortion is a ransomware tactic where attackers both encrypt and exfiltrate victim data, then threaten to publish the stolen data on a leak site if the ransom is not paid. This creates pressure on victims even if they have functional backups.

Trojan

A Trojan is malware that disguises itself as legitimate software to trick users into installing it. Unlike viruses, Trojans do not self-replicate; they rely on social engineering. Once installed, they may install backdoors, steal credentials, or drop additional malware.

Credential Stuffing

Credential stuffing is an automated attack where stolen username/password pairs from one data breach are tested against other services, exploiting the widespread habit of password reuse. It is distinct from brute force because it uses real credentials rather than guessing.

Supply Chain Attack

A supply chain attack targets the software or hardware supply chain rather than the end victim directly. Attackers compromise a trusted supplier — a software library, build system, or hardware manufacturer — to inject malicious code that is then distributed to thousands of downstream users.

Network & Infrastructure

IP Reputation

IP reputation is a score or classification indicating whether an IP address has been associated with malicious activity. Factors include appearance on blocklists, volume of spam sent, history of port scanning, C2 hosting, and abuse reports.

Blocklist (Denylist)

A blocklist is a list of IPs, domains, URLs, or file hashes known to be malicious. Firewalls, DNS resolvers, and email gateways use blocklists to automatically block traffic from known bad actors. Blocklists must be kept current to remain effective.

ASN (Autonomous System Number)

An Autonomous System Number identifies a collection of IP address ranges under the control of a single organization (an Internet Service Provider, cloud provider, or enterprise). ASNs are used in threat intelligence to identify hosting providers commonly used by attackers.

NRD (Newly Registered Domain)

A Newly Registered Domain is a domain registered within the past 30–90 days. NRDs are a key risk signal because the vast majority of phishing campaigns, malware distribution, and spam infrastructure uses freshly registered domains to evade blocklists.

DNS History

DNS history is a record of historical DNS resolution data for a domain — including all IP addresses it has ever resolved to, when changes occurred, and what nameservers have been used. It is used in threat investigations to trace infrastructure reuse and identify related malicious domains.

Reverse IP Lookup

Reverse IP lookup returns all domain names hosted on a given IP address. It is used by threat hunters to identify other malicious domains sharing the same hosting infrastructure as a known bad actor — a technique known as infrastructure pivoting.

Domain Reputation

Domain reputation is a classification of a domain based on its history of malicious activity, registration patterns, and content. Factors include age, registrar, phishing/malware associations, WHOIS data, and appearance on threat feeds.

WHOIS

WHOIS is a protocol that returns registration information for a domain or IP address — including registrant, registrar, registration and expiration dates, and nameservers. Threat analysts use WHOIS to investigate ownership, identify registration patterns of malicious actors, and find related infrastructure.

DNS (Domain Name System)

The Domain Name System translates human-readable domain names (like ismalicious.com) into IP addresses. DNS data is a rich source of threat intelligence — malicious domains, fast-flux networks, DNS tunneling, and typosquatting are all detectable via DNS analysis.

Fast Flux

Fast flux is a DNS technique used by attackers to rapidly change the IP addresses associated with a domain — sometimes cycling through hundreds of IPs within minutes. It is used to make C2 servers and phishing sites resistant to IP-based blocking and takedowns.

Typosquatting

Typosquatting (also called URL hijacking) registers domains that are slight misspellings of legitimate websites to capture traffic from users who make typing errors. These domains are often used for phishing, malware distribution, or ad fraud.

ISP (Internet Service Provider)

An ISP provides internet connectivity to consumers and businesses. In threat intelligence, ISP context for an IP address indicates whether it is a residential, commercial, or hosting IP — a key factor in risk scoring, since hosting IPs are far more likely to be malicious.

Vulnerabilities

EPSS (Exploit Prediction Scoring System)

EPSS is a data-driven model from FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Scores range from 0 to 1 (0%–100%). EPSS helps prioritize patching by combining NVD data with real-world exploitation observations.

CVSS (Common Vulnerability Scoring System)

CVSS is an open framework for communicating the severity of software vulnerabilities. A CVSS v3 base score from 0 to 10 reflects factors like attack vector, complexity, privileges required, and impact on confidentiality, integrity, and availability. Scores of 9.0 to 10.0 are rated Critical; 7.0 to 8.9 are rated High.

CVE (Common Vulnerabilities and Exposures)

CVE is a public catalogue of known cybersecurity vulnerabilities, maintained by MITRE and sponsored by CISA. Each entry has a unique CVE ID (e.g., CVE-2024-12345), a description, and references. CVE IDs are the universal language for tracking and patching specific vulnerabilities.

KEV (CISA Known Exploited Vulnerabilities)

The CISA KEV catalog lists CVEs that have been confirmed as actively exploited in the wild. US federal agencies are required to patch KEV vulnerabilities by mandated due dates. KEV status is the highest-urgency signal for vulnerability prioritization.

SBOM (Software Bill of Materials)

An SBOM is a formal inventory of all software components and dependencies in an application — similar to an ingredient list. SBOMs are used to rapidly identify which systems are affected when a vulnerability (like Log4Shell) is discovered in a common dependency.

SSVC (Stakeholder-Specific Vulnerability Categorization)

SSVC is a decision-tree framework developed by CISA and Carnegie Mellon for prioritizing vulnerability response based on exploitation status, automatable exploitation, and mission impact. It complements CVSS by focusing on actionability rather than technical severity alone.

Zero-Day

A zero-day is a vulnerability that is unknown to the software vendor and therefore has no patch available. Attackers who discover zero-days can exploit them before the vendor ships a fix, leaving defenders with no patch to apply. CISA KEV and EPSS track exploitation risk for both zero-days and known vulnerabilities.

Patch Management

Patch management is the systematic process of identifying, acquiring, testing, and deploying software updates (patches) to fix security vulnerabilities and bugs. EPSS scores and CISA KEV membership help security teams prioritize which patches to apply first when resources are limited.
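The prioritization described across the EPSS, CVSS, KEV and Patch Management entries above, as an added example that is not code from the page or any vendor: KEV membership outranks everything (earliest due date first), then EPSS, then CVSS, so a Critical CVSS score alone does not jump the queue. The CVE IDs (placeholder CVE-0000-xxxx), scores, flags and due dates are constructed sample data.

```python
"""Rank vulnerabilities for patching: CISA KEV first, then EPSS, then CVSS.

Added example, not code from the page or any vendor. The placeholder CVE IDs,
scores, KEV flags and due dates below are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Vuln:
    cve_id: str
    cvss: float                     # CVSS v3 base score, 0.0-10.0
    epss: float                     # EPSS probability of exploitation within 30 days
    in_kev: bool                    # listed in the CISA KEV catalog
    kev_due: Optional[str] = None   # KEV remediation due date (YYYY-MM-DD), if any


def cvss_severity(score: float) -> str:
    """Map a CVSS v3 base score to its qualitative severity band."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    if score > 0.0:
        return "Low"
    return "None"


def priority_key(v: Vuln):
    """KEV entries first (earliest due date wins), then higher EPSS, then higher CVSS."""
    return (0 if v.in_kev else 1, v.kev_due or "9999-12-31", -v.epss, -v.cvss)


def prioritize(vulns: List[Vuln]) -> List[Vuln]:
    """Return the patch order, most urgent first."""
    return sorted(vulns, key=priority_key)


# Constructed backlog: the 9.8 entry is Critical by CVSS but has the weakest
# exploitation signals, so it lands last.
SAMPLE_BACKLOG = [
    Vuln("CVE-0000-0001", cvss=9.8, epss=0.02, in_kev=False),
    Vuln("CVE-0000-0002", cvss=7.5, epss=0.91, in_kev=False),
    Vuln("CVE-0000-0003", cvss=6.5, epss=0.40, in_kev=True, kev_due="2024-07-15"),
    Vuln("CVE-0000-0004", cvss=8.8, epss=0.12, in_kev=True, kev_due="2024-07-01"),
]

if __name__ == "__main__":
    for v in prioritize(SAMPLE_BACKLOG):
        print(v.cve_id, cvss_severity(v.cvss), f"EPSS={v.epss:.2f}", "KEV" if v.in_kev else "-")
```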

Standards & Frameworks

MITRE ATT&CK

MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for threat detection, red team exercises, and gap analysis in security programs. The framework covers Enterprise, Mobile, and ICS environments.

STIX (Structured Threat Information Expression)

STIX is a standardized language for describing cyber threat intelligence in a machine-readable format. It enables organizations to share IOCs, TTPs, and threat actor profiles in a consistent way. STIX is often paired with TAXII for transport.
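What a STIX-formatted IOC looks like in practice, as an added example rather than code from the page or the isMalicious project: each IOC becomes a STIX 2.1 Indicator object whose `pattern` uses the STIX pattern grammar, and a set of them is wrapped in a Bundle for transport. The field names and pattern syntax are from the STIX 2.1 specification; the IOC values are documentation/reserved examples, not real threat data.

```python
"""Build STIX 2.1 Indicator objects from raw IOCs and wrap them in a Bundle.

Added example, not code from the page or the isMalicious project. The property
names and pattern grammar follow STIX 2.1; the sample IOCs are constructed.
"""
import json
import uuid
from datetime import datetime, timezone

# STIX pattern templates keyed by IOC type (observable object:property).
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "email": "[email-addr:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed reference time


def stix_literal(value: str) -> str:
    """Escape backslashes and single quotes as STIX string literals require."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def to_indicator(ioc_type: str, value: str, now: datetime = NOW) -> dict:
    """Wrap one IOC in a STIX 2.1 Indicator carrying all required properties."""
    if ioc_type not in PATTERNS:
        raise ValueError(f"unsupported IOC type: {ioc_type}")
    ts = now.strftime("%Y-%m-%dT%H:%M:%S.000Z")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "indicator_types": ["malicious-activity"],
        "pattern_type": "stix",
        "pattern": PATTERNS[ioc_type].format(v=stix_literal(value)),
        "valid_from": ts,
    }


def to_bundle(indicators: list) -> dict:
    """Group Indicators into a STIX 2.1 Bundle, the unit a TAXII collection serves."""
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(indicators)}


# Constructed IOCs using reserved example ranges/domains (RFC 5737, RFC 6761).
SAMPLE_IOCS = [("ipv4", "192.0.2.10"), ("domain", "example.test"), ("url", "http://example.test/it's")]

if __name__ == "__main__":
    print(json.dumps(to_bundle([to_indicator(t, v) for t, v in SAMPLE_IOCS]), indent=2))
```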

TAXII (Trusted Automated eXchange of Intelligence Information)

TAXII is a transport protocol for sharing STIX-formatted threat intelligence between organizations. It defines how threat data is packaged, requested, and delivered. isMalicious provides a TAXII 2.1-compatible endpoint for enterprise consumers.

NIST CSF (Cybersecurity Framework)

The NIST Cybersecurity Framework is voluntary guidance that helps private-sector organizations assess and improve their ability to prevent, detect, and respond to cyber attacks. It organizes security activities into five functions: Identify, Protect, Detect, Respond, and Recover.

OpenCTI

OpenCTI is an open-source threat intelligence platform for storing, analyzing, and sharing structured threat intelligence data in STIX 2.1 format. It supports connectors to external feeds and platforms, including isMalicious, enabling automated enrichment of indicators.

API & Integration