Security incident? Call: +48 732 059 711

Cybersecurity glossary

No jargon. Definitions practitioners actually use — not marketers.

NIS2
EU Directive 2022/2555 on cybersecurity. Covers essential and important entities across 18 sectors. Requires 10 risk-management measures (Art. 21), staged incident reporting (early warning within 24 hours, full notification within 72 hours, final report within one month) and personal liability of the management body for non-compliance (Art. 20).
DORA
EU Regulation 2022/2554 (Digital Operational Resilience Act). In force for financial entities since 17 January 2025. Five pillars: ICT risk management, incident reporting, resilience testing (including TLPT), third-party risk, information sharing.
ISO 27001:2022
International information security management standard. The 2022 version has 93 Annex A controls (down from 114 in 2013), grouped into four themes, and 11 new controls: threat intelligence, cloud services security, secure coding, data leakage prevention (DLP), data masking, configuration management and more.
Pentest
A manual penetration test performed by a human. Chains findings into real attack paths, tests business logic and delivers proof of business impact. Different from an automated vulnerability scan.
TLPT
Threat-Led Penetration Testing. An intelligence-driven red-team test aligned with the TIBER-EU framework, required at least every 3 years for designated financial entities under DORA (Art. 26).
OWASP Top 10
A list of the 10 most critical web application security risk categories, maintained by the OWASP Foundation. The baseline reference for web testing.
OWASP MASVS
Mobile Application Security Verification Standard. OWASP's verification standard for mobile apps, with levels L1 (baseline) and L2 (defence in depth).
OWASP API Top 10
A list of the 10 most common API vulnerability categories. BOLA (Broken Object Level Authorization) has been number 1 for years.
IDOR
Insecure Direct Object Reference. A class of flaw where an application exposes objects (e.g. user IDs) without checking permissions. Classic example: /api/invoice/123 returns another customer's invoice after changing the ID.
BOLA
Broken Object Level Authorization. The API equivalent of IDOR — the API does not verify whether the user is allowed to access the requested object.
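The IDOR and BOLA entries above describe the same root cause: a handler fetches a record by the identifier the client sent and never checks that the authenticated user may see it. The following is an added example, not code from this glossary or its authors, showing the vulnerable lookup beside its hardened form and the probe a tester runs against both. The invoice store, user IDs and function names are constructed for illustration.

```python
"""IDOR/BOLA: a lookup keyed only on the client-supplied id, next to the
hardened version that enforces object-level authorization.

Added example for illustration; the data and names below are invented."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    amount: float


# Constructed sample data: customer 1 owns invoice 123, customer 2 owns 124 and 125.
INVOICES = {
    123: Invoice(123, owner_id=1, amount=250.0),
    124: Invoice(124, owner_id=2, amount=99.0),
    125: Invoice(125, owner_id=2, amount=1200.0),
}


class NotFound(Exception):
    """Raised for a missing id and, in the hardened handler, for an id the
    caller does not own, so the response does not reveal which ids exist."""


def get_invoice_vulnerable(current_user_id: int, invoice_id: int) -> Invoice:
    """The IDOR/BOLA pattern: authentication happened (we know who the caller
    is), but the record is returned without any authorization check."""
    try:
        return INVOICES[invoice_id]
    except KeyError:
        raise NotFound(invoice_id) from None


def get_invoice_secure(current_user_id: int, invoice_id: int) -> Invoice:
    """Object-level authorization: fetch the record, then compare its owner
    to the authenticated principal. 'Missing' and 'not yours' produce the
    same outcome, which avoids an enumeration oracle."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != current_user_id:
        raise NotFound(invoice_id)
    return inv


def probe(handler, current_user_id: int, ids) -> set[int]:
    """The classic pentest check: as one user, walk a range of ids and
    record every invoice that comes back belonging to someone else."""
    leaked = set()
    for invoice_id in ids:
        try:
            inv = handler(current_user_id, invoice_id)
        except NotFound:
            continue
        if inv.owner_id != current_user_id:
            leaked.add(inv.invoice_id)
    return leaked


if __name__ == "__main__":
    # Customer 1 iterates ids 120..129 against both handlers.
    print("vulnerable leaks:", sorted(probe(get_invoice_vulnerable, 1, range(120, 130))))
    print("secure leaks:   ", sorted(probe(get_invoice_secure, 1, range(120, 130))))
```

The probe is exactly what an automated scanner cannot do reliably: it needs two authenticated identities and knowledge of which objects belong to which. Whether the hardened handler answers 404 or 403 is a design choice; returning the same status for both cases, as above, keeps the endpoint from confirming that a foreign id exists.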
ISMS
Information Security Management System. The set of policies, procedures and controls that manage information security under ISO 27001.
Statement of Applicability (SoA)
A document required by ISO 27001 that lists all 93 Annex A controls, indicates which are applied (and why) and which are excluded (with justification).
CSIRT
Computer Security Incident Response Team. In Poland: CSIRT NASK, CSIRT GOV (run by ABW), CSIRT MON. NIS2 requires an early warning to the relevant CSIRT within 24 hours of becoming aware of a significant incident, followed by a full notification within 72 hours.
Social engineering
Attacks that use the human as the vector (phishing, vishing, smishing, pretexting, tailgating). Verizon's 2023 DBIR found that 74% of breaches involved a human element.
Phishing simulation
A controlled simulation of a phishing attack against employees, used to measure awareness and as a training tool.

Missing a term?

Write to us — we'll add it and reply personally.