Glossary
Clarify your Cyber Security Vocabulary

False Positive Validation
Verification process to confirm whether a detected threat is legitimate.
Data Dump
A large-scale release of stolen or exposed data.
SSL Certificate
The continuous tracking of newly issued SSL/TLS certificates to identify domains that may be impersonating a legitimate brand.
Homograph / Homoglyph Attack
A phishing technique where attackers create malicious websites or emails using characters that look nearly identical to legitimate ones, such as substituting a Latin "o" with a Cyrillic "о".
Threat Feeds / Intelligence Feeds
A structured and continuously updated stream of threat data—such as malicious IP addresses, domains, file hashes, phishing URLs, or attacker indicators—that is automatically integrated into security systems to enhance detection and response.
EPSS
EPSS (Exploit Prediction Scoring System) is a scoring model that estimates the likelihood that a known vulnerability will be exploited in the real world.
CVSS
CVSS (Common Vulnerability Scoring System) is a standardized framework used to measure the severity of security vulnerabilities. It assigns a numerical score (typically from 0 to 10) based on factors like how easily the vulnerability can be exploited and the potential impact, helping organizations prioritize which risks to fix first.
Remediation
The act of fixing identified vulnerabilities, misconfigurations, or exposures to eliminate security risks.
Security Posture
The overall strength of an organization’s security defenses, policies, and readiness against cyber threats.
Attack Surface Reduction
The strategic process of identifying, managing, and minimizing all internet-facing assets, services, and entry points that attackers could exploit, thereby decreasing the overall risk of compromise.
OSINT
OSINT (Open-Source Intelligence) is the process of collecting and analyzing publicly available information from sources such as websites, social media, news, forums, and public records to gather actionable insights for security, investigations, or research.
Email Thread Hijacking
Email thread hijacking is when a hacker gains access to an email account and inserts malicious messages into an existing conversation, pretending to be a trusted contact to trick victims into sending money, sharing sensitive information, or clicking harmful links.
BNS
BNS (Baiting News Sites) are fake or misleading news websites created to attract attention using sensational headlines. Their goal is to lure people into clicking links, sharing personal information, downloading malware, or spreading misinformation.
BEC
Business Email Compromise (BEC) is a sophisticated, targeted cybercrime where attackers impersonate executives, employees, or trusted vendors via email to trick victims into transferring funds or stealing sensitive data.
Search Engine Index
Search Engine Index is the database where search engines (like Google or Bing) store information about web pages they have discovered and analyzed. If a page is in the index, it can appear in search results. If it’s not indexed, it won’t show up in searches.
Passive DNS
Passive DNS is a system that collects and stores historical records of domain names and the IP addresses they have been connected to. It helps security teams see past domain-to-IP relationships to investigate threats, track malicious activity, and understand infrastructure changes.
IT Hygiene
IT Hygiene refers to the routine practices and security measures organizations follow to keep their systems, networks, and data secure. This includes activities like updating software, managing passwords, fixing vulnerabilities, removing unused accounts, and monitoring systems to reduce security risks.
Vulnerability
Vulnerability is a weakness in a system, software, network, or process that attackers can exploit to gain unauthorized access, cause damage, or steal information.
Exposures
Exposures are instances where sensitive information, systems, or digital assets are unintentionally left accessible to the public or unauthorized users.
BruteForcing
An attack method where an adversary repeatedly attempts different passwords or credential combinations to gain unauthorized access to a system or account.
Infrastructure Pivoting
An investigative technique where analysts start with one known malicious indicator (such as a domain or IP address) and use it to discover other related assets connected to the same attacker.
External (CTEM)
External Continuous Threat Exposure Management (External CTEM) is a proactive cybersecurity approach that focuses on continuously identifying, analyzing, and reducing an organization’s external exposures and threats from an outside-in perspective. It extends the CTEM framework beyond internal environments to monitor the organization’s internet-facing assets, digital footprint, and attacker infrastructure across the open, deep, and dark web.
CTEM (Continuous Threat Exposure Management)
A continuous, risk-based security framework that identifies, validates, prioritizes, and remediates cyber exposures across an organization’s external and internal attack surface. CTEM emphasizes ongoing visibility and measurable risk reduction rather than periodic assessments.
Preemptive Cybersecurity
A proactive security approach focused on identifying, monitoring, and mitigating risks before they are exploited. It combines continuous exposure visibility, threat intelligence, and predictive analysis to neutralize threats at their earliest stages.
Fraud Navigator
Fraud Navigator is a unique concept by CTM360, inspired by the MITRE framework, that observes fraud and illustrates how fraudsters navigate through different stages of a fraud campaign. It identifies seven key stages in a fraud campaign: Resource Development, Evasion Trigger, Distribution, Target Interaction, Motive, and Monetization.
Offensive Defense
Offensive Defense is a proactive security approach focused on discovering vulnerabilities, exposures, and exploitable weaknesses before adversaries do. It blends threat simulation and reconnaissance-style discovery to strengthen defensive posture.
IOC Enrichment
The process of adding contextual and intelligence data to a basic threat indicator (such as an IP address or domain) to better understand its origin, ownership, risk level, and connections.
Indicators of Compromise (IOCs)
Measurable signs that indicate a system, network, or account has been infected, breached, or involved in malicious activity.
Indicator of Attack (IoA)
These signify an active, ongoing attempt to compromise a system, such as live phishing sites or unauthorized access attempts.
Indicator of Warning (IoW)
These are early signs of potential attacks or reconnaissance activities, such as newly registered look-alike domains or rogue infrastructure targeting an organization.
Indicator of Exposure (IoE)
These are security gaps and misconfigurations that expose an organization to risk, such as open ports, misconfigured DNS records, or leaked credentials.
Predictive Threat Intelligence
Advanced threat intelligence that uses behavioral analysis, trend mapping, and attacker pattern recognition to anticipate likely attack vectors before they are executed. It enables organizations to move from reactive detection to forward-looking risk prevention.
Brand Jacking
Activity whereby someone acquires or otherwise assumes the online identity of another entity for the purposes of acquiring that person's or business's brand equity.
Unified Threat Management
UTM is a software or hardware that combines several network security functions such as IDS/IPS, VPN, Firewall, Gateway Anti-Virus and others under one platform, making it easier to manage and monitor through a single interface.
Zero-Day Vulnerability
A vulnerability in a system that the developer does not know about. These vulnerabilities are difficult to detect because they have no signature, which anti-malware and intrusion prevention systems depend on to find vulnerabilities. The vulnerability is called Zero-Day because it takes zero days for the first attack to occur once the vulnerability has been made public.
WRLA
Web Referral Log Analyzer: a simple tool used for the early detection of phishing attacks. It extracts suspicious URLs from the web server's referral logs, compares them against a whitelist, and sends the remaining URLs to a specified email address.
Red Team - Blue Team
An exercise in which a system's security is tested by security experts. Red team is in charge of attacking and gaining access/control of an objective while the blue team is responsible for defending it. This exercise is meant to test the system and reveal vulnerabilities and measure the readiness of the security team responsible for defending it.
TTPs
Tactics (or Tools), Techniques, and Procedures describe the behavior of attackers or adversaries in cyberspace. TTPs are usually analyzed in depth to understand how the adversary works and how to anticipate and prepare for future attacks.
Steganography
It is a technique used to hide the existence of a message, files, or any other information. For example, hiding a text message inside an image file to avoid being discovered (Data hidden within data).
SPF
Sender Policy Framework (SPF) helps prevent spoofed emails from a host by authorizing only specified servers or IP addresses to send email on behalf of that host.
SOA
Start of Authority record: contains administrative information about the zone it resides in and about zone transfers.
Skill Squatting
An attack which takes advantage of speech recognition systems' errors. Example: A person with bad intent can create a malicious mobile application called Ramazon. When a user tries to install Amazon application on their phone using voice commands, the voice recognition system might hear Ramazon instead of Amazon and end up downloading the malicious application.
Scareware
A form of social engineering where victims are tricked into thinking that their device is infected with a virus, encouraging them to download anti-virus software which is in fact malicious.
Search Engine Optimization SEO
The process of affecting the visibility of a website or a web page in a search engine's unpaid results.
Root Zone
Root Zone refers to the highest level of the Domain Name System (DNS) structure. It contains the names and the numeric IP addresses for all the top-level domain names, such as the gTLDs (.com, .net, .org, .jobs) and all the country code top-level domains (ccTLDs), for example .us, .uk and .ph, including the entire list of all the root servers.
Pagejacking
If you click on a link and find yourself at an unexpected website, you may have been ‘pagejacked’. This happens when someone steals part of a real website and uses it in a fake site. If they use enough of the real site, Internet search engines can be tricked into listing the fake site and people will visit it accidentally. The fake site could contain unwanted or offensive material. As an online merchant trading via a website, you need to know that your site isn’t being stolen in this way. Unfortunately you can’t prevent pagejacking; you can only deal with it after you know it’s a problem.
Inference Attack
An inference attack is a data mining technique used to illegally access information about a subject or database by analyzing data. This is an example of breached information security. Such an attack occurs when a user is able to deduce key or critical information of a database from trivial information without directly accessing it.
Reserved domains
A domain that has been reserved via a dropcatcher service. If the current owner decides not to renew the domain, another person can take it.
Privilege Escalation
An attack in which a user exploits bugs in a system to reach and use resources they should not be able to access.
Potentially Unwanted Program
A PUP is a program that piggybacks on software downloaded by the user. It is an unwanted program that is installed with the user's consent, such as spyware, adware, or browser toolbars.
Phishing Kits
Phishing kits are packages provided by hackers that let people with basic computer skills launch phishing attacks. A kit includes several items that make launching a wide-scale phishing attack easy, such as spamming software, source code, and scripts to launch the attack.
Pharming
DNS poisoning to redirect legitimate internet traffic of your websites to a fraudulent page.
Pay Per Click (PPC)
An internet advertising model used to direct traffic to websites, in which advertisers pay the publishers.
Iframe hijacking
Hijacking a nested browsing context (an iframe), effectively embedding another HTML page into the current page.
Fast Flux
Fast flux is a DNS technique used by botnets to hide phishing and malware delivery sites behind an ever-changing network of compromised hosts acting as proxies.
Downgrade Attack
An attack in which the victim is negotiated into using older and more vulnerable security protocols, making it easier for the attacker to launch the attack.
Doppelganger domain
A doppelganger domain is similar to a typosquatting domain. It is a domain name that is missing a "." (dot). For example, a doppelganger domain for mail.google.com is mailgoogle.com (notice the missing dot). When the content on these domains matches the branding and content of the original website, users are not able to tell the difference and are more likely to be tricked by an attacker (e.g., for credential harvesting or financial fraud).
Dolphin Attack
An attack where hackers use ultrasonic frequencies to launch a voice command to phones to unlock them and steal information.
DMARC
Domain-based Message Authentication, Reporting and Conformance (DMARC) is a mechanism used to aid validating emails, prevent spoofing, and provide reporting.
Graybox testing
The attacker has partial knowledge/access, can focus on specific weaknesses, and discovers more as they move along.
Cyber espionage
The use of computer networks to gain illicit access to confidential information, typically that held by a government or other organization.
DKIM
DomainKeys Identified Mail (DKIM) allows senders to associate a hidden signature with their emails, allowing receiving mailservers to verify their authenticity.
BGP
Border Gateway Protocol used to exchange information about routing between AS Numbers.
Cyber War
The use of computer technology to disrupt the activities of a state or organization, especially the deliberate attacking of communication systems by another state or organization.
CVE
Common Vulnerabilities and Exposures is a database that contains all known vulnerabilities. These vulnerabilities have been tagged by a specific code such as: CVE-2019-5736.
C&C Command and Control
Command and control refers to the main server used by a DDoS attacker to control the botnets used in a DDoS attack.
CNAME Record
Canonical Name record used to specify a hostname that is an alias for another hostname.
Bullet proof hosting
Bulletproof hosting (sometimes known as bulk-friendly hosting) is a service provided by some domain hosting or web hosting firms that allows their customers considerable leniency in the kinds of material they may upload and distribute.
Botnet
A botnet comprises multiple Internet-connected devices, each of which is running one or more bots. Botnets may be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access each device and its connection.
Whitebox Testing
The attacker has full knowledge of and access to the source code and infrastructure. A more thorough test can be performed in this type of pen testing.
Blackbox Testing (see also Whitebox Testing and Graybox Testing)
The hacker does not know the ins and outs of the IT infrastructure and usually launches a full-scale brute-force attack to reveal vulnerabilities. This can be very time consuming.
Black Hat SEO
In search engine optimization (SEO) terminology, Black Hat SEO refers to the use of aggressive SEO strategies, techniques and tactics that focus only on search engines and not on a human audience, and that usually do not follow search engine guidelines.
BGP route
When BGP runs between two peers in the same autonomous system (AS), it is referred to as Internal BGP (iBGP or Interior Border Gateway Protocol). When it runs between different autonomous systems, it is called External BGP (EBGP or Exterior Border Gateway Protocol).
BGP peers
When BGP runs between two peers in the same autonomous system (AS), it is referred to as Internal BGP (iBGP or Interior Border Gateway Protocol). When it runs between different autonomous systems, it is called External BGP (EBGP or Exterior Border Gateway Protocol).
Bastion host
A host with very few services/applications running on it, usually put between the internal network and the internet. This point acts as a proxy and is the only entry point to the internal network.
Air Gap
Having a critical computer or machine in a physically isolated location as well as disconnecting it from the internet.
Web Skimmer
Web skimming is when malicious code is inserted into a payment page. Whenever a customer attempts to pay online, the malicious code steals the payment information (card number, expiry date, holder name, security code...) and sends it to the attacker.
Zone files
A Domain Name System (DNS) zone file is a text file that describes a DNS zone. A DNS zone is a subset, often a single domain, of the hierarchical domain name structure of the DNS. The zone file contains mappings between domain names and IP addresses and other resources, organized in the form of text representations of resource records (RR).
VeriSign
Service provider of domain names.
URL shortening
A technique on the World Wide Web in which a Uniform Resource Locator (URL) is made substantially shorter while still directing to the required page.
URL redirection attack
A URL Redirection Attack is a kind of vulnerability that, when accessed, freely redirects you to another page outside the original website; it is usually combined with a phishing attack.
Twishing
Twishing refers to phishing scams that are carried over Twitter. The attacker might tweet a post interesting or strange enough to trick users into visiting a fraudulent website and logging in with their credentials.
TRAP10
Binary Trading (commonly also known as Binary Options Trading or Binary Options) is a type of option where the trader takes a yes or no position on the price of a stock or other asset, with the resulting payoff being all or nothing. Questionable activities such as brand infringement, unregistered establishments, identity theft, misrepresentation of potential gains, and back-end manipulation of software to cheat users are common under the name of Binary Options Trading (BOT). As there does not appear to be an explicit legal framework governing binary trading, online companies continue to operate and trap victims. This type of scam is known as TRAP10.
Trademark
Any word, name, symbol, or design, or any combination thereof, used in commerce to identify and distinguish the goods of one manufacturer or seller.
TLD
Top-level domain (TLD) refers to the last segment of a domain name, or the part that follows immediately after the "dot" symbol.
Takedown
Removal of content (full website or profile) that affects a brand or individual including cybersquatting.
Socialbots
Socialbots are software programmed to behave like humans on social media by posting pictures, retweeting, and even chatting with people. Socialbots can be used for malicious purposes such as distorting public opinion during political campaigns, marketing, and spreading scams.
Passive honey pot
A method of acquiring spam for analysis, via planting of bogus email addresses which are rigged to forward emails to a specific mailbox.
Shutdown
Shutting down content and websites related to phishing activities, by asking the host to take down the content.
Defensive (Domain) Registration
Defensive Registration refers to registering domain names, often across multiple TLDs and in varied grammatical formats, for the primary purpose of protecting intellectual property or trademark from abuse, such as cybersquatting.
RBL
Real-time Blackhole List (RBL) is a service where users can check whether an IP address/domain is on a known blacklist.
Reclaim Accounts
A process to regain control over a hijacked account.
Polymorphic Virus
A polymorphic virus is a malicious program that modifies itself when it replicates. This technique enables it to evade detection by security software.
Phish tagging
Phish tagging allows banks to understand how attackers use the phished data. Banks can create fake customer accounts and share the credentials with CTM360. CTM360 uses these credentials on phishing sites targeting that bank and then the bank can observe what the attacker does with the phished data.
Password Spraying
It is an advanced brute-force technique that attempts to attack multiple user accounts with commonly used passwords.
Nameserver
A record that states which nameservers handle queries about the location of a domain name.
MITM (Man in the middle)
Attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other.
MITB (Man in the browser)
A proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a completely covert fashion invisible to both the user and host web application.
Safebrowsing Warning
Providing security vendors with fraudulent IPs and domains to be blocked in real time through browsers, email firewalls, ISPs, proxies, and any other relevant security products.
Form Grabber
Malware designed to record sensitive information that the targeted user enters into forms on the Internet. This malware particularly targets the victim's financial information.