Cybersecurity Glossary
Clear definitions of 30+ threat intelligence and cybersecurity terms — from IOCs and TTPs to CVSS scores, EPSS, and the CISA KEV catalog.
Threat Intelligence
IOC (Indicator of Compromise)
An Indicator of Compromise is a piece of forensic data — such as a malicious IP address, domain, URL, file hash, or email address — that signals a system has been compromised or attacked. Security teams use IOCs to detect, block, and investigate threats.
Threat Intelligence
Threat intelligence is evidence-based knowledge about cyber threats — including who is attacking, how, and why. It is used to make faster, better-informed security decisions. Actionable threat intelligence includes IOCs, TTPs, and context that security teams can act on immediately.
TTP (Tactics, Techniques, and Procedures)
TTPs describe the behavior of threat actors: the high-level goals they pursue (tactics), the specific methods they use to achieve those goals (techniques), and the detailed, repeatable actions that implement those methods (procedures). The MITRE ATT&CK framework catalogues TTPs used by real adversaries.
Threat Feed
A threat feed is a structured, continuously updated stream of IOCs and threat data from a single source or aggregator. Security tools ingest threat feeds to keep blocklists and detection rules current. Examples include Spamhaus DROP, abuse.ch URLhaus, and CISA KEV.
Dark Web
The dark web is a portion of the internet accessible only through anonymizing networks like Tor. It hosts illicit marketplaces, ransomware leak sites, stolen credential databases, and threat actor forums. Monitoring dark web sources provides early warning of breaches and planned attacks.
Malware & Attacks
Ransomware
Ransomware is malware that encrypts a victim's files or systems and demands payment (usually cryptocurrency) for the decryption key. Modern ransomware groups also exfiltrate data before encrypting and threaten to publish it — a tactic called double extortion.
C2 (Command and Control)
A Command and Control server is infrastructure used by attackers to remotely control compromised hosts (a botnet) and deliver instructions, exfiltrate data, or push malware updates. Blocking C2 communications is one of the most effective ways to disrupt an active attack.
Botnet
A botnet is a network of compromised devices ("bots") controlled by an attacker via a C2 server. Botnets are used for DDoS attacks, spam campaigns, credential stuffing, and ransomware delivery. The owners of individual bots are often unaware that their devices are compromised.
Malware
Malware is any software designed to harm, exploit, or gain unauthorized access to a system. It includes viruses, worms, trojans, ransomware, spyware, adware, rootkits, and more. Detection relies on file hashes, behavioral signatures, and threat intelligence feeds.
Phishing
Phishing is a social engineering attack that tricks users into revealing credentials, clicking malicious links, or downloading malware — typically via email. Spear phishing targets specific individuals; smishing uses SMS; vishing uses voice calls.
Double Extortion
Double extortion is a ransomware tactic where attackers both encrypt and exfiltrate victim data, then threaten to publish the stolen data on a leak site if the ransom is not paid. This creates pressure on victims even if they have functional backups.
Network & Infrastructure
IP Reputation
IP reputation is a score or classification indicating whether an IP address has been associated with malicious activity. Factors include appearance on blocklists, volume of spam sent, history of port scanning, C2 hosting, and abuse reports.
Blocklist (Denylist)
A blocklist is a list of IPs, domains, URLs, or file hashes known to be malicious. Firewalls, DNS resolvers, and email gateways use blocklists to automatically block traffic from known bad actors. Blocklists must be kept current to remain effective.
ASN (Autonomous System Number)
An Autonomous System Number identifies a collection of IP address ranges under the control of a single organization (an Internet Service Provider, cloud provider, or enterprise). ASNs are used in threat intelligence to identify hosting providers commonly used by attackers.
NRD (Newly Registered Domain)
A Newly Registered Domain is a domain registered within the past 30–90 days. NRDs are a key risk signal because phishing campaigns, malware distribution, and spam infrastructure overwhelmingly rely on freshly registered domains to evade blocklists.
DNS History
DNS history is a record of historical DNS resolution data for a domain — including all IP addresses it has ever resolved to, when changes occurred, and what nameservers have been used. It is used in threat investigations to trace infrastructure reuse and identify related malicious domains.
Reverse IP Lookup
Reverse IP lookup returns all domain names hosted on a given IP address. It is used by threat hunters to identify other malicious domains sharing the same hosting infrastructure as a known bad actor — a technique known as infrastructure pivoting.
Domain Reputation
Domain reputation is a classification of a domain based on its history of malicious activity, registration patterns, and content. Factors include age, registrar, phishing/malware associations, WHOIS data, and appearance on threat feeds.
Vulnerabilities
EPSS (Exploit Prediction Scoring System)
EPSS is a data-driven model from FIRST.org that estimates the probability a CVE will be exploited in the wild within the next 30 days. Scores range from 0 to 1 (0%–100%). EPSS helps prioritize patching by combining NVD data with real-world exploitation observations.
CVSS (Common Vulnerability Scoring System)
CVSS is an open framework for communicating the severity of software vulnerabilities. A CVSS v3 base score from 0 to 10 reflects factors such as attack vector, attack complexity, privileges required, and impact on confidentiality, integrity, and availability. Scores of 9.0 or higher are rated Critical; scores from 7.0 to 8.9 are rated High.
CVE (Common Vulnerabilities and Exposures)
CVE is a public catalogue of known cybersecurity vulnerabilities, maintained by MITRE and sponsored by CISA. Each entry has a unique CVE ID (e.g., CVE-2024-12345), a description, and references. CVE IDs are the universal language for tracking and patching specific vulnerabilities.
KEV (CISA Known Exploited Vulnerabilities)
The CISA KEV catalog lists CVEs that have been confirmed as actively exploited in the wild. US federal agencies are required to patch KEV vulnerabilities by mandated due dates. KEV status is the highest-urgency signal for vulnerability prioritization.
SBOM (Software Bill of Materials)
An SBOM is a formal inventory of all software components and dependencies in an application — similar to an ingredient list. SBOMs are used to rapidly identify which systems are affected when a vulnerability (like Log4Shell) is discovered in a common dependency.
SSVC (Stakeholder-Specific Vulnerability Categorization)
SSVC is a decision-tree framework developed by CISA and Carnegie Mellon for prioritizing vulnerability response based on exploitation status, automatable exploitation, and mission impact. It complements CVSS by focusing on actionability rather than technical severity alone.
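Putting the three signals above together, as an added example (not from the original glossary and not isMalicious code): a small prioritizer that ranks CVE records with KEV status first, then EPSS likelihood, then CVSS severity, in the spirit of SSVC's "actionability over raw severity". The CVE IDs, scores and the EPSS threshold are constructed placeholders.

```python
# Added example (not from the glossary or isMalicious): tiering CVEs by
# KEV status, EPSS probability and CVSS base score. The CVE IDs, scores
# and the EPSS threshold below are constructed placeholders.
from dataclasses import dataclass

@dataclass(frozen=True)
class Vuln:
    cve_id: str
    cvss: float    # CVSS v3 base score, 0.0 to 10.0
    epss: float    # EPSS probability of exploitation within 30 days, 0.0 to 1.0
    in_kev: bool   # listed in the CISA KEV catalog

# Assumed organisational threshold: treat EPSS >= 10% as "likely exploited".
EPSS_HIGH = 0.10

def cvss_rating(score):
    """Map a CVSS v3 base score to its qualitative severity rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low or None"

def priority_tier(v):
    """Lower tier = patch sooner. KEV outranks every other signal;
    EPSS (likelihood) and CVSS (impact) then refine the ordering."""
    if v.in_kev:
        return 1                      # confirmed exploited in the wild
    if v.epss >= EPSS_HIGH and v.cvss >= 7.0:
        return 2                      # likely exploited and high impact
    if v.epss >= EPSS_HIGH or v.cvss >= 9.0:
        return 3                      # one strong signal
    return 4                          # routine patch cycle

def prioritize(vulns):
    """Return the records sorted by tier, then EPSS, then CVSS (descending)."""
    return sorted(vulns, key=lambda v: (priority_tier(v), -v.epss, -v.cvss))

# Constructed sample records; the IDs are placeholders, not real CVEs.
SAMPLE = [
    Vuln("CVE-EXAMPLE-0001", 9.8, 0.02, False),   # Critical CVSS, low EPSS
    Vuln("CVE-EXAMPLE-0002", 7.5, 0.92, True),    # in KEV
    Vuln("CVE-EXAMPLE-0003", 5.3, 0.45, False),   # Medium CVSS, high EPSS
    Vuln("CVE-EXAMPLE-0004", 8.1, 0.30, False),   # High CVSS, high EPSS
    Vuln("CVE-EXAMPLE-0005", 6.5, 0.01, False),   # nothing urgent
]
```

Note that the Critical-but-low-EPSS record lands behind the Medium-severity one with a high EPSS, which is exactly the reordering EPSS and KEV are meant to produce over CVSS alone.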
Standards & Frameworks
MITRE ATT&CK
MITRE ATT&CK is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. It is used as a foundation for threat detection, red team exercises, and gap analysis in security programs. The framework covers Enterprise, Mobile, and ICS environments.
STIX (Structured Threat Information Expression)
STIX is a standardized language for describing cyber threat intelligence in a machine-readable format. It enables organizations to share IOCs, TTPs, and threat actor profiles in a consistent way. STIX is often paired with TAXII for transport.
TAXII (Trusted Automated eXchange of Intelligence Information)
TAXII is a transport protocol for sharing STIX-formatted threat intelligence between organizations. It defines how threat data is packaged, requested, and delivered. isMalicious provides a TAXII 2.1-compatible endpoint for enterprise consumers.
API & Integration
API Key
An API key is a unique identifier used to authenticate requests to an API. It determines which resources the caller may access and which rate limits apply. API keys should be kept secret and rotated regularly; they should never be exposed in client-side code or version control.
Rate Limiting
Rate limiting controls how many API requests a client can make in a given time window, preventing abuse and ensuring fair resource distribution. isMalicious enforces per-key rate limits and returns HTTP 429 with a Retry-After header when limits are exceeded.
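The 429 and Retry-After behaviour described above, handled from the client side, as an added example (not isMalicious code and not from the original glossary): the helper accepts both forms the header may take, delta-seconds and an HTTP-date, and never waits a negative or unbounded time. The fallback, cap and sample values are assumptions.

```python
# Added example (not from the glossary or isMalicious): a client-side
# backoff helper for the HTTP 429 + Retry-After behaviour described above.
# The header values, fallback and cap are constructed assumptions.
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

DEFAULT_BACKOFF = 5.0   # assumed wait when no usable Retry-After is present
MAX_BACKOFF = 120.0     # assumed cap so a bogus header cannot stall a client
# Fixed "current time" so the HTTP-date form can be checked deterministically.
SAMPLE_NOW = datetime(2024, 1, 1, 12, 0, 0, tzinfo=timezone.utc)

def retry_after_seconds(headers, now=None):
    """Seconds to wait before retrying, derived from Retry-After.

    Handles both forms the header may take: delta-seconds ("30") and an
    HTTP-date ("Mon, 01 Jan 2024 12:00:45 GMT"). Header names are matched
    case-insensitively; a missing or unparseable value uses DEFAULT_BACKOFF.
    """
    now = now or datetime.now(timezone.utc)
    value = next((v.strip() for k, v in headers.items()
                  if k.lower() == "retry-after"), None)
    if value is None:
        return DEFAULT_BACKOFF
    if value.isdigit():
        wait = float(value)
    else:
        try:
            target = parsedate_to_datetime(value)
        except (TypeError, ValueError):
            return DEFAULT_BACKOFF
        if target.tzinfo is None:          # naive dates are treated as UTC
            target = target.replace(tzinfo=timezone.utc)
        wait = (target - now).total_seconds()
    return min(max(wait, 0.0), MAX_BACKOFF)   # never negative, never unbounded

def next_action(status, headers, attempt, max_attempts=5, now=None):
    """Decide how a client should handle a response from a rate-limited API.

    Returns ("ok", 0.0) for non-429 responses, ("retry", seconds) while
    attempts remain, and ("give_up", 0.0) once max_attempts is reached.
    """
    if status != 429:
        return ("ok", 0.0)
    if attempt >= max_attempts:
        return ("give_up", 0.0)
    return ("retry", retry_after_seconds(headers, now))
```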
Webhook
A webhook is an HTTP callback that sends real-time notifications to a configured URL when a specific event occurs. isMalicious webhooks push threat alerts when a monitored IP or domain changes status, enabling security tools to react without polling.