Plain-English definitions for red, blue, purple, and leadership audiences
CVE
Common Vulnerabilities and Exposures
A unique identifier (e.g. CVE-2024-12345) assigned to a publicly disclosed software vulnerability. CVEs let everyone — vendors, defenders, attackers, journalists — reference the same flaw unambiguously.
Common Vulnerability Scoring System
A 0.0–10.0 score that estimates the technical severity of a vulnerability. v3.1 splits into Base, Temporal, and Environmental metrics. Treat CVSS as a starting point — exploitation context (KEV, EPSS) usually matters more for prioritization.
Known Exploited Vulnerabilities catalog
CISA's authoritative list of CVEs with confirmed in-the-wild exploitation. If a CVE is on KEV, it should jump to the top of your patch queue regardless of CVSS. U.S. federal agencies have binding remediation deadlines (BOD 22-01).
Exploit Prediction Scoring System
A daily-updated probability (0–1) that a CVE will be exploited in the next 30 days. Pairs well with CVSS: high CVSS + high EPSS = patch now; high CVSS + low EPSS = schedule normally.
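The CVSS, KEV and EPSS entries above describe one prioritization rule (KEV first regardless of CVSS, then high CVSS combined with EPSS); here it is as runnable triage logic. This is an added example, not part of the glossary; the Finding record, its field names, the 7.0 CVSS and 0.10 EPSS thresholds, the bucket names and the sample CVE ids are all assumptions.

```python
from dataclasses import dataclass

# Thresholds are assumptions for illustration, not values from the glossary.
HIGH_CVSS = 7.0   # CVSS v3.1 "High" band starts at 7.0
HIGH_EPSS = 0.10  # 10% chance of exploitation within 30 days


@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float   # CVSS base score, 0.0-10.0
    epss: float   # EPSS probability, 0.0-1.0
    on_kev: bool  # listed in CISA's Known Exploited Vulnerabilities catalog


def priority(f: Finding) -> str:
    """Triage bucket for one finding: KEV overrides CVSS entirely; otherwise a
    high CVSS is combined with EPSS to choose 'patch-now' versus 'schedule'."""
    if not (0.0 <= f.cvss <= 10.0 and 0.0 <= f.epss <= 1.0):
        raise ValueError(f"{f.cve}: CVSS must be 0-10 and EPSS must be 0-1")
    if f.on_kev:
        return "kev-immediate"        # confirmed in-the-wild exploitation
    if f.cvss >= HIGH_CVSS and f.epss >= HIGH_EPSS:
        return "patch-now"            # high CVSS + high EPSS
    if f.cvss >= HIGH_CVSS:
        return "schedule"             # high CVSS + low EPSS
    return "backlog"                  # everything else


_RANK = {"kev-immediate": 0, "patch-now": 1, "schedule": 2, "backlog": 3}


def triage(findings: list[Finding]) -> list[tuple[str, str]]:
    """Order findings by bucket, then by EPSS and CVSS descending within a bucket."""
    ordered = sorted(findings, key=lambda f: (_RANK[priority(f)], -f.epss, -f.cvss))
    return [(f.cve, priority(f)) for f in ordered]


# Constructed sample findings; the CVE ids and scores are placeholders, not real data.
SAMPLE = [
    Finding("CVE-0000-0001", cvss=9.8, epss=0.02, on_kev=False),  # high CVSS, low EPSS
    Finding("CVE-0000-0002", cvss=5.3, epss=0.60, on_kev=True),   # medium CVSS, on KEV
    Finding("CVE-0000-0003", cvss=8.1, epss=0.45, on_kev=False),  # high CVSS, high EPSS
    Finding("CVE-0000-0004", cvss=4.0, epss=0.01, on_kev=False),  # low on both
]

if __name__ == "__main__":
    for cve, bucket in triage(SAMPLE):
        print(cve, bucket)
```

Note that the medium-CVSS finding on KEV outranks the 9.8 that nobody is exploiting, which is exactly the point of the KEV entry.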
Indicator of Compromise
An observable artifact suggesting an intrusion — file hashes, IPs, domains, mutex names, registry keys, JA3/JA4 fingerprints. IOCs are tactical and short-lived; rotate them aggressively and prefer behavior-based detections where possible.
Tactics, Techniques, and Procedures
The 'how' of an adversary's behavior. Tactics = goals (Initial Access), Techniques = means (Phishing), Procedures = specific implementations (a particular HTA loader). Detecting on TTPs is harder than IOCs but vastly more durable.
Adversary tactics & techniques framework
A curated knowledge base of real-world adversary behavior, organized as a matrix of Tactics (columns) and Techniques (cells). The lingua franca for threat modeling, detection engineering, and red/purple team exercises.
Indicator of Attack
Behavioral signals that an attack is in progress (e.g. lsass memory access, suspicious parent-child process trees). Unlike IOCs, IOAs describe intent and don't expire when an attacker swaps infrastructure.
Advanced Persistent Threat
A well-resourced adversary (often state-sponsored) that maintains long-term access to targeted networks. Tracked under group names like APT29, Volt Typhoon, or Lazarus depending on the vendor's taxonomy.
Command and Control
The channel an attacker uses to control compromised hosts — HTTPS beacons, DNS tunneling, Slack/Telegram bots, domain fronting. Detecting C2 traffic is a high-leverage defender activity.
Software Bill of Materials
A machine-readable inventory of components in a piece of software (SPDX or CycloneDX). Critical for triaging supply-chain CVEs like Log4Shell — you can't patch what you can't find.
Vulnerability with no patch available
A flaw exploited before the vendor has a fix. After a patch ships, exploitation of unpatched systems is called 'n-day' — usually a bigger volumetric threat than true 0-days.
Remote Code Execution
A vulnerability class that lets an attacker run arbitrary code on a target over the network — the most dangerous outcome for an internet-facing service. Compare to LPE (Local Privilege Escalation).
Server-Side Request Forgery
An attacker tricks the server into making HTTP requests on its behalf — often used to reach cloud metadata endpoints (IMDSv1) and steal IAM credentials.
Red + Blue collaboration
A working mode where offensive operators execute techniques while defenders watch their telemetry in real time, closing detection gaps as they go. More efficient than annual red-team reports.
Security Orchestration, Automation, Response
Platforms that codify incident-response playbooks — enrich an alert, query EDR, isolate a host, notify on-call. Reduces analyst toil on repetitive tier-1 work.