Glossary of cybersecurity terms
Every term used across the Cybersecurity Fundamentals path, defined in plain language and linked to the lesson where it’s explained in full. Skim it as a refresher, or use your browser’s find (Ctrl/Cmd-F) to jump to a word. Terms are grouped by theme, roughly in the order the path introduces them.
Foundations
Cybersecurity — Protecting systems, data, and the people who depend on them from digital harm; an ongoing practice, not a product. See What is cybersecurity?
CIA triad — The three goals that define “secure”: confidentiality, integrity, and availability. See The CIA triad
Confidentiality / integrity / availability — Keeping data secret, unaltered, and accessible to legitimate users, respectively. See The CIA triad
Threat — A potential harmful event, or the actor that could cause it. See Threats, vulnerabilities & risk
Vulnerability — A weakness that could be abused to cause harm. See Threats, vulnerabilities & risk
Exploit — The means of taking advantage of a vulnerability. See Threats, vulnerabilities & risk
Risk — The chance of harm and how bad it would be — roughly likelihood times impact. See Threats, vulnerabilities & risk
Attack surface — Everything an attacker could interact with — ports, inputs, dependencies, people; shrinking it is a cheap win. See Threats, vulnerabilities & risk
Threat actor — Whoever might attack — opportunists, criminals, insiders, nation-states — each with different motives. See Who attacks, and why
Least privilege — Granting each user or process only the access it needs, and no more. See The security mindset
Defense in depth — Layering multiple, overlapping controls so a single failure isn’t a breach. See Defense in depth
Assume breach — Designing as if something is already compromised, so one failure is contained. See The security mindset
Cryptography
Cryptography / encryption — Scrambling information with a key so only the key holder can read it. See What is cryptography?
Plaintext / ciphertext — The readable original and its encrypted, unreadable form. See What is cryptography?
Key — The secret that encrypts and decrypts; in good crypto, only the key is secret, not the algorithm. See What is cryptography?
Symmetric encryption — One shared secret key encrypts and decrypts (e.g. AES); fast, but the key must be shared safely. See Symmetric & public-key encryption
Public-key (asymmetric) encryption — A public/private key pair; anyone can encrypt with the public key, only the private key decrypts. See Symmetric & public-key encryption
Hash — A one-way function turning any input into a fixed fingerprint; used for integrity and password storage. See Hashing & integrity
Salt — Random data added before hashing a password so identical passwords don’t share a hash. See Hashing & integrity
Digital signature — Signing with a private key so anyone can verify who sent something and that it wasn’t changed. See Digital signatures & certificates
Certificate / PKI / CA — A certificate binds an identity to a public key, signed by a Certificate Authority within a public-key infrastructure. See Digital signatures & certificates
End-to-end encryption — Encryption where only the endpoints hold the keys, so even the service can’t read the content. See Cryptography in practice
Identity & access
Authentication — Verifying who someone is, using something they know, have, or are. See Authentication basics
Authorization — Deciding what an authenticated user is allowed to do. See Authorization & access control
MFA (multi-factor authentication) — Requiring two or more different factors, so a stolen password alone isn’t enough. See Passwords, MFA & passkeys
Passkey — A device-held key pair that replaces a password and resists phishing. See Passwords, MFA & passkeys
RBAC (role-based access control) — Assigning permissions to roles and roles to users, rather than to individuals directly. See Authorization & access control
Secret — An API key, token, password, or private key that grants access if known; keep it out of code and rotate it. See Managing secrets & keys
Social engineering — Manipulating people (via phishing, pretexting, and the like) instead of attacking technology. See Social engineering & the human layer
Attacks
Malware — Malicious software — viruses, worms, trojans, spyware. See Malware & endpoint security
Ransomware — Malware that encrypts data and demands payment; defended against mainly with tested backups. See Malware & endpoint security
Phishing — Fraudulent messages that trick people into credentials or actions. See Social engineering & the human layer
Credential stuffing — Reusing passwords leaked from one breach to break into other accounts. See Common attacks, in plain terms
Injection (e.g. SQL injection) — Untrusted input changing the meaning of a query or command; prevented with parameterized queries. See Web application attacks
XSS (cross-site scripting) — Untrusted input running as script in a victim’s browser; prevented with output encoding. See Web application attacks
CSRF (cross-site request forgery) — Tricking a browser into making an authenticated request; prevented with tokens and SameSite cookies. See Web application attacks
Man-in-the-middle (MITM) — Intercepting or altering traffic between two parties; defended with encryption in transit. See Network attacks
Spoofing — Forging an identity or address to impersonate or redirect. See Network attacks
DoS / DDoS — Overwhelming a service to make it unavailable. See Network attacks
Defenses & operations
Hardening — Shrinking a system’s attack surface and locking down its configuration. See Hardening systems
Patching — Keeping software updated so known, fixed flaws can’t be abused. See Hardening systems
Secure coding — Building software that resists attack — validating input, avoiding injection, managing dependencies. See Secure coding
Segmentation — Separating systems so a breach in one zone can’t reach everything. See Securing networks & services
Logging & monitoring — Recording and watching activity so you can detect and investigate trouble. See Monitoring & incident response
Incident response — The plan to identify, contain, eradicate, recover from, and learn from a security incident. See Monitoring & incident response
PII (personally identifiable information) — Data that identifies a person; minimize, protect, and retain it carefully. See Privacy & data protection
Data minimization — Collecting and keeping only the data you need, so a breach exposes less. See Privacy & data protection
Practice & ethics
Shift left — Building security in from the start of development rather than bolting it on at the end. See Security for developers
CTF (capture the flag) — A legal, purpose-built competition for practising security skills with permission built in. See Where to go next
Responsible disclosure — Reporting a discovered flaw ethically and giving the owner time to fix it. See Where to go next
Metadata (on the air) — The patterns that remain even when content is encrypted — that a transmission happened, its timing, and often IDs. See Wireless & RF security