CDA Cybersecurity Glossary: Tools and Techniques (Batch 2)

# CDA Cybersecurity Glossary: Tools and Techniques (Batch 2)

Cybersecurity has its own language, and that language matters. Misunderstanding a term can mean the difference between a patched system and an open door. This glossary defines ten foundational concepts across the Planetary Defense Model (PDM): from the threat actors hunting your network, to the tools defenders use to stop them, to the compliance obligations that set the minimum bar. Each entry is written for practitioners and decision-makers who need clarity without the noise.

---

What Is an APT?

PDM Domain: Threat Intelligence and Defense (TID)

An Advanced Persistent Threat, or APT, is a specific category of adversary: typically a nation-state government or an organization funded and directed by one. What separates an APT from ordinary cybercrime is the combination of sophistication, patience, and strategic intent. An APT is not trying to grab a few credit card numbers and disappear. It is trying to stay inside your network for months or years without being detected, quietly stealing intelligence, pre-positioning for disruption, or building leverage.

The word "advanced" refers to the quality of the tradecraft. APT operators use custom-built malware that commercial antivirus products have never seen, exploit zero-day vulnerabilities before vendors have released patches, and maintain careful operational security to avoid tripping detection systems. They are not running automated scripts against a target list. They are hand-selecting targets and adapting their tactics in real time.

The word "persistent" is the part that keeps security teams up at night. Standard attackers hit, grab, and leave. APTs establish persistent access, meaning they plant multiple backdoors, create new administrator accounts, and maintain footholds across several systems simultaneously. If you find one intrusion and clean it up, the APT likely has three others you have not found yet. Dwell time (the period between initial compromise and detection) for APT intrusions has historically measured in months.

The word "threat" is a reminder that there is a real human adversary on the other end making deliberate decisions. Some of the most tracked APT groups include APT28 (also known as Fancy Bear, attributed to Russian military intelligence), APT41 (a Chinese group that conducts both state-sponsored espionage and financially motivated cybercrime), and the Lazarus Group (attributed to North Korea, responsible for the 2014 Sony Pictures breach and the 2016 Bangladesh Bank heist). More recent campaigns include Volt Typhoon and Salt Typhoon, both attributed to China and focused on critical infrastructure pre-positioning.

CDA's Predictive Defense Intelligence (PDI) methodology is specifically designed to surface APT activity before it becomes a crisis: "See the threat before it sees you." Understanding which APT groups target your industry, what techniques they prefer, and which assets they are most likely after is the starting point for building a TID capability that can actually respond.

For a complete technical deep-dive, see the APT profile articles covering Volt Typhoon, Salt Typhoon, APT28, and related threat actors.

---

What Is EDR?

PDM Domain: Threat Intelligence and Defense (TID)

Endpoint Detection and Response, universally abbreviated as EDR, is a category of security software that runs on individual devices (laptops, servers, workstations) and continuously monitors everything happening on that device in order to detect and investigate threats. Think of it as a flight data recorder plus a smoke alarm, built into every machine across your organization.

The most important distinction to understand is how EDR differs from traditional antivirus. Legacy antivirus works by comparing files against a list of known-bad signatures. If a piece of malware is in the signature database, the antivirus catches it. If it is not, the malware runs freely. EDR flips that model. Instead of looking for known malware, EDR watches for malicious behavior: a process that spawns a child process in an unusual way, a script that attempts to dump credentials from memory, a binary that starts making network connections it has no business making. Behavior-based detection catches threats that signature databases miss, including custom APT tooling and never-before-seen malware.

The telemetry EDR collects is extensive: every process creation event, every network connection, every file read and write, every registry change on Windows systems. That telemetry gets streamed to a cloud backend for analysis, correlation, and threat hunting. When a suspicious event fires, security analysts can pull a full timeline of everything that happened on that endpoint before, during, and after the event.

Major EDR platforms include CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint, and VMware Carbon Black. Each runs at the kernel level of the operating system, which gives it the visibility it needs but also means a defective update can cause serious problems. The July 2024 CrowdStrike outage (a faulty sensor configuration update that caused Windows systems to blue-screen globally) is the most prominent example of the risk that comes with kernel-level software touching millions of machines simultaneously.

For a complete technical deep-dive, see Endpoint Detection and Response (EDR).

---

What Is a SIEM?

PDM Domain: Threat Intelligence and Defense (TID)

A Security Information and Event Management system, almost always referred to as a SIEM (pronounced "sim"), is the central nervous system of a security operations center. Its job is to collect log data from every corner of the enterprise, normalize it into a consistent format, correlate events across sources, and surface alerts when something looks wrong.

The scope of data a SIEM ingests is wide. Firewall logs tell you what traffic was allowed and denied. Endpoint logs tell you what processes ran and what files were touched. Cloud platform logs tell you who accessed what in your AWS, Azure, or GCP environment. Identity logs from Active Directory or Entra ID tell you who authenticated, from where, and whether any authentication attempts failed. The SIEM pulls all of this together into a single place where analysts can search, investigate, and build detection rules.

Correlation is the SIEM's core capability. A single failed login is noise. Fifty failed logins against twenty accounts over five minutes, followed by a successful login from an unusual geographic location, is a probable credential-stuffing attack. Correlation rules (or ML-based detection models in modern SIEMs) connect those dots automatically and generate an alert.

The major SIEM platforms include Splunk (the market leader for large enterprises), Microsoft Sentinel (cloud-native, deeply integrated with the Microsoft ecosystem), IBM QRadar, and Elastic SIEM (built on the open-source Elastic Stack). Each has its own query language, pricing model, and strengths.

The challenge every SIEM user faces is alert fatigue. A poorly tuned SIEM can generate thousands of alerts per day, most of them false positives. Security teams that spend all day chasing noise have no time to investigate the real events buried underneath. Tuning a SIEM, suppressing irrelevant alerts, and building high-confidence detection rules is a sustained operational discipline, not a one-time configuration.

For a complete technical deep-dive, see SIEM Architecture and Implementation.

---

What Is DLP?

PDM Domain: Data Protection and Sovereignty (DPS)

Data Loss Prevention, or DLP, is a category of technology that monitors, detects, and blocks the unauthorized movement of sensitive data outside the organization. If your crown-jewel data is a patient record, a credit card number, proprietary source code, or a classified document, DLP is the system that watches for that data trying to leave through channels it should not be using.

DLP operates across three primary environments. Network DLP sits at the perimeter and inspects outbound traffic: emails, web uploads, file transfers. If an employee tries to email a spreadsheet containing five hundred Social Security numbers to a personal Gmail address, network DLP can detect the content and block the transmission before it leaves the building. Endpoint DLP runs on individual devices and monitors file operations directly: copying sensitive files to a USB drive, uploading to an unsanctioned cloud storage service, or printing regulated data can all be detected and blocked at the device level. Cloud DLP monitors activity inside SaaS platforms and cloud storage (Google Drive, SharePoint, Box, Salesforce) where sensitive data increasingly lives.

The content inspection techniques DLP uses range from simple to sophisticated. Pattern matching catches obvious formats: a regex rule that flags anything resembling a Social Security number (XXX-XX-XXXX) or a credit card number (sixteen digits in a standard format). Document fingerprinting creates a unique hash of a sensitive file and alerts when that exact content appears elsewhere. Machine learning classification can identify sensitive content based on context even when it does not match a known pattern.

DLP is a cornerstone of CDA's Sovereign Data Protocol (SDP), the DPS methodology that operates on a single principle: "Your data lives where you decide. Period." You cannot enforce data sovereignty if you cannot see where your data is going.

For a complete technical deep-dive, see Data Loss Prevention (DLP).

---

What Is a Vulnerability?

PDM Domain: Vulnerability and Surface Defense (VSD)

A vulnerability is a weakness in a system, a piece of software, or a process that an attacker can exploit to do something they should not be able to do. Gaining unauthorized access, elevating their own privileges, crashing a service, or stealing data: all of these outcomes can follow from a single unaddressed vulnerability.

The lifecycle of a vulnerability has several stages, and understanding them matters for prioritization. First comes discovery, when a researcher or attacker finds the weakness. Then disclosure: responsible researchers report to the vendor privately, giving them time to build a patch before going public. Vendors release patches, and organizations scramble to apply them. The window between public disclosure and when a given organization finishes patching is the exploitation window, the period of maximum risk. Attackers do not wait. Published proof-of-concept exploit code often appears within days of a CVE announcement, and mass exploitation campaigns can begin within hours.

The CVE system (Common Vulnerabilities and Exposures) assigns a unique identifier to each publicly disclosed vulnerability, such as CVE-2021-44228 for Log4Shell. CVSS (Common Vulnerability Scoring System) scores each vulnerability on a 0 to 10 scale based on factors like attack complexity, required privileges, and potential impact. A CVSS score of 9.8 out of 10 is a critical finding that demands immediate attention.

One critical distinction: a vulnerability is a weakness. An exploit is the code or technique that takes advantage of that weakness. Having a vulnerability does not mean you have been breached. Having a vulnerability that is publicly known, unpatched, and accessible from the internet means you are one exploit away from it.

In 2023 alone, more than 29,000 CVEs were published, meaning an average of roughly eighty new vulnerabilities per day. No organization can patch everything immediately. Prioritization based on exploitability, exposure, and asset criticality is the core discipline of CDA's Continuous Surface Reduction (CSR) methodology.

For a complete technical deep-dive, see Vulnerability Management.

---

What Is an Exploit?

PDM Domain: Vulnerability and Surface Defense (VSD)

An exploit is code, a technique, or a sequence of actions that takes advantage of a vulnerability to make a system do something it was not designed to do. Where a vulnerability is the weakness, the exploit is the weapon. A vulnerability sitting in an air-gapped system with no network access and no authorized users carrying malicious payloads is a theoretical problem. That same vulnerability with a working public exploit and an internet-exposed attack surface is an active emergency.

Exploits are categorized in several useful ways. Remote exploits can be triggered over a network without any prior access to the target system. Local exploits require the attacker to already have some level of access and are typically used for privilege escalation after an initial foothold is established. Authenticated exploits require valid credentials. Unauthenticated exploits do not, which makes them significantly more dangerous because any attacker on the network (or the internet) can trigger them without prior compromise.

The zero-day versus N-day distinction matters enormously for defense. A zero-day exploit targets a vulnerability that the vendor does not yet know about, meaning no patch exists. Nation-state APT groups invest heavily in zero-days because they can use them without risk of detection by signature-based defenses. An N-day exploit targets a vulnerability that has already been disclosed and patched, but organizations that have not yet applied the patch remain vulnerable. The vast majority of successful attacks use N-day exploits against known, patchable vulnerabilities.

Exploit kits are pre-packaged toolkits sold on criminal forums that bundle multiple exploits targeting common software like web browsers and plugins. Nation-state programs stockpile zero-days as strategic intelligence assets, which is why the debate between responsible disclosure (notify the vendor) and nation-state stockpiling (keep the weapon) is genuinely consequential for everyone's security.

For a complete technical deep-dive, see Zero-Day Vulnerabilities and Exploit Development.

---

What Is a CVE?

PDM Domain: Vulnerability and Surface Defense (VSD)

CVE stands for Common Vulnerabilities and Exposures. It is a standardized catalog of publicly disclosed security vulnerabilities, maintained by MITRE and funded by the U.S. Department of Homeland Security. Each entry in the catalog gets a unique identifier following the format CVE-[year]-[sequence number], for example CVE-2021-44228, which is the identifier for the Log4Shell vulnerability in the Apache Log4j logging library.

The CVE system exists to give everyone in the security industry a shared vocabulary. Before CVEs, vendors, researchers, and security tools used different names for the same vulnerability, making it nearly impossible to coordinate patches and defenses across the ecosystem. A CVE ID means that when a vendor says "this patch addresses CVE-2023-44487," every SIEM rule, every scanner, and every security team knows exactly which vulnerability is being referenced.

CVE identifiers are assigned by CVE Numbering Authorities (CNAs), which include major software vendors (Microsoft, Apple, Google all operate as CNAs), research organizations, and MITRE itself. Once assigned, CVE entries are published to the National Vulnerability Database (NVD), which enriches them with CVSS scores and additional analysis.

CVSS scoring evaluates three dimensions: the Base Score (intrinsic severity based on attack vector, complexity, and impact), the Temporal Score (adjusted for exploit availability and patch status), and the Environmental Score (adjusted for your specific environment and asset criticality). A 9.8 CVSS score means the vulnerability is critical in most environments. A 5.0 might be critical in your environment if the affected system holds your most sensitive data.

A newer scoring model called EPSS (Exploit Prediction Scoring System) attempts to estimate the probability that a given CVE will be exploited in the wild within 30 days. EPSS, combined with CVSS, gives security teams a much stronger basis for patch prioritization than severity score alone.

For a complete technical deep-dive, see Vulnerability Management and CVSS Scoring.

---

What Is IAM?

PDM Domain: Identity Access and Trust (IAT)

Identity and Access Management (IAM) is the discipline that ensures the right people can access the right resources at the right times, and that everyone else cannot. That sentence sounds simple. The implementation, at any meaningful scale, is one of the most complex operational problems in enterprise security.

IAM breaks down into three core functions. Authentication answers the question: who are you? This is the username-and-password prompt, the MFA code, the hardware token, the biometric scan. Authentication verifies that you are who you claim to be. Authorization answers the next question: what are you allowed to do? Even a fully authenticated user should only be able to access the specific systems and data their role requires, a principle called least privilege. Governance asks the third question: are these access rights still appropriate? People change roles, projects end, employees leave. IAM governance processes (access reviews, certification campaigns, automated de-provisioning) keep the access model from becoming a sprawling mess where former employees still have credentials and contractors retain access long after their engagements end.

Cloud platforms have made IAM both more powerful and more complicated. AWS IAM, Microsoft Entra ID (formerly Azure Active Directory), and Google Cloud IAM each offer granular, policy-based access control that can be applied to every API call, every storage bucket, and every virtual machine. Cloud misconfiguration in IAM (overly permissive roles, publicly accessible storage buckets, forgotten service accounts with admin rights) is consistently one of the top sources of cloud security incidents.

CDA's Zero Possession Architecture (ZPA) methodology extends IAM beyond conventional access control: "Trust nothing. Possess nothing. Verify everything." ZPA treats every access request as unverified by default, removes standing privileged access wherever possible, and relies on just-in-time provisioning so that elevated rights exist only for the duration of the task that requires them.

For a complete technical deep-dive, see Identity Governance and Administration (IGA), Privileged Access Management (PAM), and Cloud Identity Security.

---

What Is a Penetration Test?

PDM Domain: Vulnerability and Surface Defense (VSD)

A penetration test (almost always called a pen test) is an authorized, simulated cyberattack against a defined target. The goal is to find security vulnerabilities before a real attacker does, and to demonstrate what damage those vulnerabilities could actually cause if exploited. The authorization part is not a formality. Pen testers perform the same actions as malicious attackers. The signed statement of work and rules of engagement are what separate a pen test from a crime.

Pen tests follow a structured methodology with distinct phases. Reconnaissance is passive and active information gathering about the target: domain names, IP ranges, employee names and email formats, technology stack, publicly exposed services. Scanning identifies live hosts, open ports, and running services. Exploitation attempts to leverage discovered vulnerabilities to gain unauthorized access. Post-exploitation explores what is accessible once inside: can the tester escalate privileges, move laterally to other systems, access sensitive data, or maintain persistent access? The engagement closes with a reporting phase: a clear deliverable that documents every finding, the evidence and reproduction steps, and prioritized remediation recommendations.

Pen tests are scoped and categorized by how much information the testers start with. In a black-box test, testers have no prior knowledge of the target, simulating an external attacker. In a white-box test, testers have full documentation and source code access, maximizing coverage efficiency. Gray-box tests fall in between, representing a common scenario like a compromised employee account or a breached vendor with partial internal access. Scope can focus on external network infrastructure, internal network, web applications, physical security, or social engineering, depending on what the organization needs to validate.

The key distinction between a pen test and a red team engagement is time horizon and objective. A pen test is a point-in-time exercise focused on finding as many vulnerabilities as possible within a defined scope. A red team engagement is longer, stealthier, and goal-based: the team attempts to achieve a specific objective (reach a specific database, gain domain admin, exfiltrate a defined data set) while operating as covertly as a real adversary would.

For a complete technical deep-dive, see Penetration Testing Methodology and Third-Party Penetration Testing.

---

What Is Compliance?

PDM Domain: Risk Governance and Assurance (RGA)

In cybersecurity, compliance means meeting the security requirements defined by a law, a regulation, a contractual obligation, or an industry standard. Depending on your industry and the data you handle, compliance obligations can come from many directions simultaneously: a healthcare organization might be subject to HIPAA, a payment processor to PCI DSS, a government contractor to CMMC, and a company seeking enterprise customers to SOC 2. Each framework defines a set of controls, and compliance means demonstrating that those controls are implemented and operating as intended.

The most common frameworks you will encounter include HIPAA (protecting patient health information in U.S. healthcare), PCI DSS (protecting cardholder data for anyone who processes credit card payments), SOC 2 (demonstrating security and availability controls to enterprise customers, especially relevant for SaaS companies), ISO 27001 (an international standard for information security management systems), NIST CSF (a voluntary framework widely used as a baseline by U.S. organizations), and CMMC (Cybersecurity Maturity Model Certification, required for Department of Defense contractors).

The most important thing to understand about compliance is that it is a floor, not a ceiling. Compliance answers the question: are you meeting the minimum requirements defined by this standard? It does not answer the question: are you secure? An organization can be fully compliant with every applicable framework and still suffer a devastating breach. The requirements in any given standard represent a consensus view of baseline practices, often written years before current threat actors developed their techniques. The "compliant but breached" phenomenon is well documented across every regulated industry.

CDA's Perpetual Compliance Assurance (PCA) methodology is built on this reality. PCA's operating principle, "Compliance is not an event. It is a state," rejects the annual audit cycle model in favor of continuous evidence collection, real-time control monitoring, and automated compliance mapping. The goal is not to pass an audit. The goal is to maintain compliance posture 365 days a year while simultaneously building security capabilities that exceed what any framework requires.

For a complete technical deep-dive, see Compliance Program Design and Regulatory Compliance Landscape.