Security Glossary

Penetration Testing Glossary

Plain-English definitions of the key terms every security leader should know, from OWASP Top 10 and CVSS to red teaming, lateral movement, and MITRE ATT&CK.

What does each penetration testing term mean?

This glossary collects the core vocabulary Penteor uses across every service page — from web, mobile, and cloud testing to red teaming, API security, and compliance audits. Each entry is written as a one-sentence operator definition — short enough to quote, precise enough to use in a scoping call or board report.

Penetration Testing
An authorized, simulated cyberattack carried out by security professionals to find and exploit weaknesses in a system before malicious actors do — delivering a prioritized report with reproduction steps and remediation.
Vulnerability Assessment
A systematic identification and classification of security weaknesses across infrastructure, applications, or configurations — focused on breadth of coverage rather than deep exploitation.
Red Team Operations
A full-scope, goal-based adversary simulation that tests people, processes, and technology — designed to evaluate an organization's ability to prevent, detect, and respond to a realistic attacker.
Blue Team
The defensive security team responsible for monitoring, detecting, and responding to attacks — the counterpart that a red team operation is designed to test and improve.
Purple Team
A collaborative exercise in which red and blue teams work side-by-side — attackers demonstrate techniques in real time so defenders can tune detection and response as they go.
OWASP Top 10
The industry-standard list published by OWASP ranking the ten most critical web-application security risks — the baseline checklist every web penetration test covers.
OWASP MASVS
The Mobile Application Security Verification Standard — OWASP's mobile counterpart to the Top 10, defining requirements for architecture, data storage, cryptography, network, authentication, and resilience.
OWASP API Security Top 10
OWASP's list of the most critical security risks specific to APIs — including BOLA, broken authentication, excessive data exposure, lack of rate limiting, and mass assignment.
Broken Object Level Authorization (BOLA)
An API vulnerability where the server does not verify that the caller is allowed to access the referenced object — typically exploited by changing an ID in a URL to access another user's data.
CVSS (Common Vulnerability Scoring System)
The industry-standard scoring framework that rates vulnerabilities from 0.0 to 10.0 based on exploitability and impact — CVSS scores appear against every finding in a Penteor report.
CVE (Common Vulnerabilities and Exposures)
A publicly cataloged identifier for a known vulnerability in a specific software product — the shared reference used across vendors, scanners, and patch management.
MITRE ATT&CK
A globally accessible knowledge base of adversary tactics, techniques, and procedures based on real-world observations — the framework that underpins red-team operations and detection engineering.
PTES (Penetration Testing Execution Standard)
A structured seven-phase methodology — pre-engagement, intelligence gathering, threat modeling, vulnerability analysis, exploitation, post-exploitation, and reporting — used for infrastructure penetration tests.
Reconnaissance
The first phase of any attack or penetration test — gathering information about the target through passive OSINT and active probing to map the attack surface before exploitation begins.
OSINT (Open-Source Intelligence)
Intelligence gathered exclusively from publicly available sources — DNS records, certificate transparency logs, leaked credentials, social media, code repositories — without touching the target directly.
Attack Surface
The complete set of points — endpoints, APIs, services, users, devices, accounts — where an unauthenticated or authenticated attacker could attempt to enter or extract data from a system.
Threat Modeling
The structured process of identifying likely attackers, their motivations, and the paths they would take through a system — used to prioritize controls and scope penetration tests.
Exploit
A specific piece of code, command sequence, or technique that takes advantage of a vulnerability to cause unintended behavior — from a single crash to remote code execution.
Zero-Day (0day)
A vulnerability that is unknown to the vendor and therefore has no patch available — the most dangerous class of flaw because defenders have had zero days to fix it.
SQL Injection
A web-application vulnerability where user input is interpolated directly into a SQL query, letting an attacker read, modify, or delete arbitrary data from the database.
Cross-Site Scripting (XSS)
A web vulnerability in which an attacker injects client-side script into pages viewed by other users — used to steal sessions, credentials, or perform actions on the victim's behalf.
Cross-Site Request Forgery (CSRF)
A web attack that tricks an authenticated user's browser into sending an unwanted request to a trusted site — exploiting the fact that browsers attach session cookies automatically.
Server-Side Request Forgery (SSRF)
A vulnerability where an attacker induces a server-side application to make HTTP requests to arbitrary targets — often used to reach internal services, metadata endpoints, or cloud credentials.
Remote Code Execution (RCE)
The ability for an attacker to run arbitrary commands on a target system over the network — typically the most severe class of vulnerability because it leads directly to full compromise.
Privilege Escalation
The act of going from lower-privileged access (standard user) to higher-privileged access (administrator, root, or domain admin) by exploiting a misconfiguration or local vulnerability.
Lateral Movement
The phase of an attack where, after gaining an initial foothold, the attacker moves between hosts, accounts, or network segments to reach the ultimate objective — typically through credential reuse and trust relationships.
Active Directory (AD)
Microsoft's directory service at the heart of most enterprise Windows environments — a prime target on internal penetration tests because compromising domain admin typically means owning the entire estate.
Kerberoasting
An Active Directory attack that requests Kerberos service tickets for accounts with Service Principal Names and cracks them offline to recover the service account password.
Pass-the-Hash
A lateral-movement technique where the attacker authenticates to a remote service using a captured NTLM hash — without needing to know the plaintext password.
Social Engineering
The manipulation of people — rather than systems — into performing actions or revealing information, through pretexting, phishing, vishing, or in-person impersonation.
Phishing
A social-engineering attack delivered via email (or SMS, voice, or chat) that impersonates a trusted sender to trick the recipient into clicking a link, opening an attachment, or disclosing credentials.
Vishing
Voice phishing — social engineering over the phone where the attacker impersonates IT, a supplier, or an executive to extract sensitive information or trigger an authorized-looking action.
Command and Control (C2)
The infrastructure an attacker uses to communicate with compromised hosts — issuing commands, exfiltrating data, and maintaining persistence through a covert channel.
Assumed Breach
A testing model that starts from the premise that the attacker already has an initial foothold (a user account, a laptop) — the most cost-efficient way to measure internal blast radius.
Rules of Engagement (RoE)
The signed document defining the boundaries of a penetration test — in-scope targets, allowed techniques, testing windows, emergency contacts, and data-handling rules.
Proof of Concept (PoC)
A reproducible demonstration that a vulnerability is real and exploitable — the step-by-step evidence that turns a scanner alert into a validated finding worth remediation.
Blast Radius
The set of systems, data, and users an attacker could reach after exploiting a single vulnerability — the measurement of how much damage one mistake can cause.
Defense in Depth
A layered security strategy where multiple independent controls must fail before a breach occurs — designed so that no single weakness, misconfiguration, or human error is catastrophic.
Zero Trust
A security model that assumes no implicit trust for any user, device, or network — every request is authenticated, authorized, and continuously validated, regardless of origin.
Identity and Access Management (IAM)
The cloud discipline of managing who can do what to which resources — IAM misconfigurations are the root cause of the majority of public cloud breaches.
Role-Based Access Control (RBAC)
An authorization model where permissions are attached to roles, and users are assigned roles — the foundation of Kubernetes, cloud, and enterprise-application authorization.
Penteor Testing Appliance (PTA)
The hardened hardware device Penteor ships to clients for remote internal-network testing — provides VPN-backed access so internal infrastructure tests run securely without travel.
PCI DSS
The Payment Card Industry Data Security Standard — mandates annual penetration testing and segmentation validation (Requirement 11.4) for any organization storing, processing, or transmitting card data.
NIS2 Directive
The EU directive on the security of network and information systems — expands scope to essential and important entities across sectors and mandates risk management, incident reporting, and testing.
DORA
The EU Digital Operational Resilience Act — requires regulated financial entities to carry out Threat-Led Penetration Testing (TLPT) and prove operational resilience of their ICT systems.
GDPR
The EU General Data Protection Regulation — governs the processing of personal data of people in the EU; security testing is part of the "appropriate technical and organizational measures" Article 32 requires.
ISO 27001
The international standard for an Information Security Management System (ISMS) — controls A.12.6 and A.8.8 explicitly require technical vulnerability management and independent testing of controls.
Scenario Simulation
A targeted test that simulates a specific threat scenario — ransomware, supply-chain compromise, insider threat — using MITRE ATT&CK techniques to evaluate defenses against a named adversary profile.
AI & LLM Red Teaming
Adversarial testing of AI products and large language models for prompt injection, jailbreaks, data exfiltration, and unsafe behavior — the AI-native equivalent of application penetration testing.
Prompt Injection
An attack against an LLM-powered application where crafted input overrides the system prompt — causing the model to ignore its instructions, leak secrets, or perform unauthorized actions.
DNS Reconnaissance
The practice of enumerating an organization's DNS records (A, AAAA, MX, NS, TXT, CNAME, SOA) and subdomains to map internet-facing infrastructure — the first step of any external engagement.
Container Escape
Breaking out of a container (Docker, containerd, Kubernetes pod) to gain access to the underlying host — typically via a misconfigured runtime, privileged container, or kernel vulnerability.
CIS Benchmarks
Consensus-based, prescriptive configuration baselines published by the Center for Internet Security — the industry reference for hardening operating systems, containers, Kubernetes, and cloud accounts.
