Acceptable Risk

Acceptable risk is the level of risk a company is willing to tolerate based on the likelihood of exploitation, the value of the asset or data, and the strength of existing security controls. Acceptable risk thresholds are often tradeoffs. For example, a company may be willing to tolerate greater risk of data leakage if it’s...

Access Control (or Access Management)

Access control is a security measure that enables organizations to provide varying levels of access to systems, network resources, and data based on the user’s identity and the sensitivity of the system or data. For example, access control measures can limit access to valuable intellectual property to a few key executives while blocking access to...

Active Asset

An active asset is an attack surface element that is currently in use. Differentiating active assets from inactive assets is an essential practice when implementing attack surface reduction measures, ensuring that only inactive assets are depreciated or eliminated to avoid business disruption.

Application Programming Interface (API)

An application programming interface (API) is a set of rules and protocols that enable two applications to communicate with each other and share data. Application developers use APIs to integrate the functions of one application into another without coding those capabilities from scratch. Nearly every application makes use of at least one API today. However,...


In the context of attack surface management, an asset is an IT element such as an application, code, website, server, or another element that provides a point of entry for a cyber attacker to breach a network, system, application, or device. The external attack surface comprises all internet-facing IT assets, both known and unknown. Assets...

Asset Discovery

Asset discovery, also known as supply chain discovery, is the process of identifying the IT assets that make up the attack surface, including known and unknown assets, managed and unmanaged assets, as well as vendors’ assets, subsidiaries’ assets, and rogue (malicious) assets. The attack surface constantly expands as business needs change and new assets like...

At-Risk Asset (or Asset Risk)

Internet-facing IT assets do not all carry the same risk. Accurately identifying at-risk assets and determining the level of risk requires context, such as how, when, and where it’s used, who owns or manages the asset, and how it’s connected to other assets in the digital supply chain. At-risk assets are those with exploitable vulnerabilities.

Attack Surface Assessment

Attack surface assessment is the process of evaluating assets to identify high-risk areas and vulnerabilities to understand the attack surface from an attacker’s perspective. The assessment considers factors such as where vulnerabilities exist, whether those vulnerabilities are exploitable, the connections between assets, and what consequences could result from a breach.

Attack Surface Element

An attack surface element is an internet-facing asset that makes up part of a company’s attack surface. Attack surface elements include physical devices, networks, servers, websites, cloud, applications, and other internet-facing assets within a company’s ecosystem.

Attack Surface Inventory

Attack surface inventory is the complete accounting of all assets or elements that make up a company’s attack surface and can include both first-party assets and assets that the company does not directly own or control. It’s the result of an asset discovery process.

Attack Surface Management

Attack surface management is the overall processes and methods used to discover assets and map the attack surface, identify vulnerabilities and assess risk, prioritize vulnerabilities based on the risk level and likelihood of exploitation, and the remediation efforts to mitigate or eliminate attack surface risks. It also includes attack surface reduction measures. For example, if...

Attack Surface Monitoring

Attack surface monitoring is one component of attack surface management. It encompasses the methods and processes used to continuously scan an organization’s attack surface to identify previously unknown assets and detect abnormal behavior and vulnerabilities.

Attack Surface Reduction

Attack surface reduction describes the decisions and actions an organization takes to remove potential points of entry on its attack surface or to bolster the security of assets to make them less vulnerable to attack. Attack surface reduction can involve many different techniques, such as removing redundant applications, eliminating user accounts that are no longer...

Attack Surface Visibility

Effective attack surface management requires attack surface visibility. Companies gain attack surface visibility through supply chain discovery and attack surface monitoring, inventory, and assessment. Attack surface visibility means a company fully understands its assets, where they exist, their connections, and what vulnerabilities and risks exist.

Attack Vector

An attack vector is a method a threat actor uses or the path they follow to exploit a vulnerability. Examples of attack vectors include poor encryption, exposed assets, weak passwords, malware, distributed denial of service (DDoS) attacks, phishing, and more.



Classification is a method of categorizing assets or vulnerabilities based on their potential impact, exploitability, the likelihood of a breach, and other factors. Classification enables businesses to prioritize remediation efforts, addressing the vulnerabilities and risks that present the most serious potential risks to the organization before addressing vulnerabilities with lesser potential impacts.

Cloud Asset

A cloud asset refers to any IT element used for cloud computing, such as virtual or physical servers and storage, databases, and SaaS applications. Most IT assets can be cloud assets depending on whether it contributes to operations in the cloud.

Common Vulnerabilities and Exposures (CVE)

Common Vulnerabilities and Exposures (CVE) is a database of publicly disclosed IT security flaws and issues. It provides a central point of reference for entities to exchange information about vulnerabilities and exposures that might impact others. This database contains only publicly reported CVEs, however, and therefore isn’t a complete reference of all vulnerabilities and exposures...

Continuous Discovery

Continuous discovery is the process of constantly scanning the digital supply chain to identify previously unknown assets and vulnerabilities. It’s a necessary component of effective attack surface management.

Credential Theft

Credential theft occurs when malicious actors steal login details and use them to access services or applications. Threat actors then steadily elevate their privileges or access bank accounts, e-commerce websites, and other platforms as a customer. Credential theft can cause significant financial losses for victims (both companies and the affected customers). When used in the...

Cyber Risk

Cyber risk is the potential exposure to harm through an enterprise’s online presence, which can be anything from a web service to communication tools to social media accounts. While cyber security includes the prevention of data breaches, it also protects the organization from monetary, intellectual, and reputational loss.

Cyber Risk Assessment

A cyber risk assessment evaluates an asset, vulnerability, or system as a whole to determine the likelihood of a breach and the potential consequences of an exploit.

Cyber Risk Quantification

Cyber risk quantification refers to the calculations and methods used to gauge the potential consequences of a data breach targeting a particular asset. It can be expressed in several ways, such as potential financial loss, business disruption, or severity of the risk, as long as it’s in relevant terms that both internal and external stakeholders...


Data Breach

A data breach exposes sensitive data to unauthorized users. Basically, any data accessed by an unauthorized audience is a data breach. For enterprises, data breaches can result in lost intellectual property and consumer trust, as well as millions of dollars in fines, depending on the severity.


Decommissioning is the process of removing an asset from a company’s network and properly disposing of it or recycling it while ensuring that no information can be retrieved from it. It’s a common practice when upgrading hardware components such as servers, laptops, and entire data centers. Failure to decommission an asset properly means it remains...

Defense in Depth

Defense in depth is another term for layered security. It means implementing multiple layers of security controls so that if one fails, there’s another obstacle to prevent threat actors from accessing the network or system.

Digital Supply Chain

The Digital Supply Chain is the result of business processes and transactions migrating to web-based services and applications. These “products” are now digital, and the “suppliers” of the components deliver their products via APIs and embedded code. Internet connectivity – the heart of these Digital Supply Chains – has enabled the explosion of digital business...



Encryption turns plain text into ciphertext that cannot be interpreted by anyone other than the intended user. It looks like a series of random numbers, letters, and characters to an unauthorized user who intercepts encrypted data or steals it from a company’s network and prevents attackers from using the data in any meaningful way. However,...

Exploit (or Exploitation)

An exploit is a code, command sequence, or program that takes advantage of a security flaw or vulnerability to gain access to an application or network. Hackers use exploits to steal data, install malware, or cause other unintended behavior.


An exposure is a misconfiguration or a flaw in a software application that enables threat actors to gain unauthorized access to an application or network.


False Positive

A false positive is a security alert indicating a threat or vulnerability that does not actually exist. IT security teams must investigate alerts to determine if it is legitimate and take appropriate action if so. A large number of false positives consumes significant time and resources, contributing to cybersecurity costs. Sometimes, dealing with many false...

Fourth Parties

Your enterprise is aware of the risks it assumes when working with a third-party vendor. But what about the vendors used by those third parties? They have their own digital supply chain of vendors, IT infrastructures, dependencies, and resources. And each element in these supply chains exposes you to more and more potential risk. Multiply...


Inactive Asset

An inactive asset is an internet-facing IT element connected to first-party, active assets but is not currently used. Despite being inactive, these assets are part of the attack surface and can leave the door open to threat actors.

Internet of Things (IoT)

The Internet of Things (IoT) is a network of everyday objects interconnected via the internet to send and receive data. These objects are embedded with software or sensors to collect data and send it to other devices or software systems. IoT devices and systems contribute to the attack surface, and they can contain vulnerabilities that...


Known Asset

A known asset is an IT element in a company’s IT systems that the company knows exists. Most companies have many known assets that are part of the attack surface, but they can still pose risks if they fail to implement appropriate security.


Layered Security

Layered security is a cybersecurity approach that implements multiple layers of security controls. If an attacker manages to get past one security control, they have one or more additional security measures to evade if they’re targeting a system with layered security. Think of the additional security layers as fail-safes or backup measures. Layered security is...

Legacy IT

Over time, new technologies emerge that provide more advanced software and computing functionality, leading businesses to invest in upgrading their applications and systems. Legacy IT refers to an outdated operating system or software application that’s still being used by an organization because it supports a critical business function. It includes applications that developers no longer...


Malicious Asset

A malicious asset, also known as a rogue asset, is created by a threat actor or unauthorized user to target a company. Phishing websites or mobile applications designed to appear as those owned by the target company, typo-squatted domains, and stolen data sets shared or sold on the dark web are examples of malicious assets.

Mergers and Acquisitions (M&A)

In mergers and acquisitions, two or more businesses are consolidated into one, either by combining two or more separate businesses into one new single entity or by one company purchasing and taking over the assets of another. M&A transactions expand the attack surface for the acquiring company or the newly formed entity, and many companies...


Misconfiguration is when an application’s or system’s settings are not selected or improperly implemented, which can leave the application or system vulnerable to unauthorized access. Misconfiguration can occur in a network, application, cloud infrastructure, and any component with settings.


In the context of cybersecurity, mitigation is a damage control process that does not completely eradicate a vulnerability or threat but minimizes the potential negative consequences that could occur with a breach.


Network Penetration

Network penetration is the act of breaking through security controls and gaining unauthorized access to a network. It’s often used in the context of network penetration testing (or network pen testing), which simulates a real-world attack to identify potential vulnerabilities and entry points for attackers.

Network Segmentation

Network segmentation creates barriers between different areas of a network, allowing each subnetwork to function independently. It’s a strategy that helps to reduce the attack surface. If a threat actor manages to access one network segment, they could not access other segments or spread malware automatically throughout the entire network.

Nth Parties

Nth parties pose the same risk to your enterprise as third parties but are significantly more difficult to track: they are the vendors, services, applications, and IT infrastructures of your vendors’ vendors. That’s right: they are connected to your organization by “nth” degrees of separation within your cyber supply chain.


Open Source Software (OSS)

Open source software is an application with publicly available source code that anyone can access, modify, and distribute based on the terms of the license. Many modern applications use some OSS components. Because anyone can modify or expand open source code, threat actors can inject malicious code into an OSS that otherwise appears safe. Malicious...

Orphaned Asset (or Orphaned App)

Orphaned assets are IT assets that lack identifiable origins or connections and are not readily visible to security teams as a result. Examples include virtual machines that have no physical host and applications that have been abandoned and have no clear administrator or manager. These assets are often left exposed, making them ideal targets for...


Penetration Test

A penetration test is a type of security test that simulates a hacker breaking into a network or system to evaluate the strength of a company’s security controls.

Principle of Least Functionality

The principle of least functionality is a strategy that limits an application’s functionality to only the essential capabilities, restricting or prohibiting the use of other functions, services, or ports that aren’t integral to the business’s use of the system.

Principle of Least Privilege

The principle of least privilege is a strategy that limits the access and capabilities of a user to the minimum necessary to perform their job duties. If a threat actor tricks a user into revealing their credentials, they cannot access higher-level functionality or data than the victim’s privileges allow.

Public Key Infrastructure (PKI)

Public key infrastructure (PKI) is a set of processes, hardware and software components, and other elements involved in managing digital certificates and public-key encryption. SSL certificates, for instance, are managed by PKI. These certificates assure website visitors that they’re sending information to the intended recipient. Several problems associated with PKI can create vulnerabilities, such as...


Red Team

A red team comprises a group of IT professionals (either internal company employees or a third-party contractor) that simulates the potential actions of a threat actor to test a company’s cybersecurity posture. The individuals that compose a red team are also known as ethical hackers. Red teaming is the process of challenging every security control,...

Regulatory Compliance

Regulatory compliance over information and cybersecurity ensures consumer information remains private or data stays away from malicious actors. Regulations may apply to government agencies and healthcare organizations, financial services companies, and other industries but can extend to the other companies that contract with these organizations. They’re issued by federal, state, and local governments and industry...


Remediation is the elimination of a risk or threat. It goes hand-in-hand with mitigation, which is the process of limiting the potential damage of a threat. Mitigation is often a temporary solution until the threat is remediated.

Reputational Risk

Reputational risk is any risk your company takes that can damage brand loyalty resulting in loss of sales. While that sometimes includes customer service failures and environmental impact, enterprises lose customers when they lose customer data. In an effort to regain trust, companies spend millions of dollars to put in new security measures, revisit marketing...

Risk Assessment

Not only is a cybersecurity risk assessment an essential part of any security practice, but some organizations must also perform a risk assessment to meet regulatory compliance standards. These assessments point out security deficiencies, failures in best practices, and potential loopholes waiting for hackers to exploit. A risk assessment can vary in scope and purpose,...

Risk Indicator

Security teams use metrics called risk indicators or key risk indicators (KRIs) to measure the company’s cyber risk and prioritize remediation and mitigation efforts. Risk indicators include things like common vulnerabilities and exposures (CVEs), invalid certificates, previously unknown shadow IT, credential exposure, non-compliance with security policies, compromised files, instances of malware, TLS/SSL certificate misconfigurations, weak...

Risk Management

Cyber risk management involves all the actions IT professionals take to prioritize cybersecurity within an organization and reduce vulnerabilities across the business. Part of risk management may be compliance with industry regulatory agencies and spreading awareness of operational risks across all departments when working online.

Risk Mitigation

Risk mitigation reduces the potential damage an organization will suffer when a breach occurs. While some risks will always be present when operating online, mitigation procedures are intended to reduce any damage that occurs when those risks turn into exploits. Part of a cybersecurity risk mitigation plan might also include communications and marketing procedures to...

Risk Prioritization

Security professionals often face many more issues than they can realistically mitigate immediately. They use risk prioritization to determine which risks pose the most serious consequences based on the assets impacted, their connections, exploitability, and other factors.

Risk Scoring

Risk scoring is a method security professionals often use to compare and prioritize the severity or exploitability of vulnerabilities. Quantifying the level of risk based on a rating scale provides a more objective way to determine which vulnerabilities to address first. Attack surface management solutions use risk scoring and other methods to prioritize risks and...

Risk Tolerance

Businesses always face some level of risk. Risk tolerance is the amount of risk the company is willing to accept. The risk tolerance threshold varies depending on factors such as the assets involved and the value of the data at risk.

Rogue Asset

Also known as a malicious asset, a rogue asset is an asset created by a threat actor or an asset stolen by and under the control of a threat actor.


SaaS (Software-as-a-Service)

Software-as-a-Service is a software delivery method. Users access SaaS via the internet rather than downloading and installing a software application on a device. SaaS products typically are sold on a subscription basis rather than a one-time purchase.

Security Control

Security controls are safeguards and countermeasures implemented to monitor systems, reduce the attack surface, detect vulnerabilities, prevent cyber attacks, and mitigate risks.

Security Monitoring

Security monitoring is the process of continuously scanning a company’s IT systems and maintaining real-time or near-real-time awareness of the activities and events occurring within those systems. Security monitoring solutions alert security teams when abnormal activity is discovered, allowing them to investigate and respond to vulnerabilities and threats before they escalate into an incident that...

Security Risk Assessment

According to the National Institute of Standards and Technology, a cyber security risk assessment identifies the risk to your organization’s operations, assets, users, and more through the use of information technology. Since risk is always present in business, a thorough assessment tests the protection in place to effectively mitigate risk.

Shadow IT

Shadow IT comprises information technology systems, such as devices, software, services, and applications employees are using without the explicit approval of the company’s IT department. It’s not being actively managed and monitored by the company’s security team, meaning shadow IT can introduce serious security vulnerabilities. Vulnerability scanners only scan what is known — the sources...

Social Engineering

Social engineering is a sophisticated cyber attack method that uses manipulation and deception tactics to trick the victim into divulging sensitive information or providing access to information systems containing sensitive data. Social engineering comprises various attack methods such as phishing, ransomware, pretexting, and baiting, among others.

Spear Phishing

Spear phishing campaigns are a type of social engineering attack that targets specific people in an organization. These malicious actors research high-value targets (for example, people with advanced permissions on the platform or account managers for celebrities) and send trustworthy emails to request money or information. To make their emails look trustworthy, they use domains...

Subsidiary Asset

Subsidiary assets are owned or managed by a company’s subsidiaries outside of the company’s networks. They may be known or unknown. In mergers and acquisitions, subsidiary assets are a prominent concern for parent companies. Attack surface management solutions offering robust digital supply chain discovery identify subsidiary assets, their connections, and any associated risks or vulnerabilities.

Supply Chain Risk Management

Digital supply chain risk management focuses on the security risks and vulnerabilities in all the components of the digital supply chain. As organizations deploy more and more services and applications online, the greater the likelihood that they’ve incorporated code, data, or other functionality from a third party into that application. The challenge is identifying the...


Third-Party Security

Third-party security protects an organization from the risk associated with third-party vendors. Companies have traditionally spent time and money securing their perimeter and on-premise systems but have given little focus to the security practices of their vendors.

Threat Vector

A threat vector, also known as an attack vector, is the method a cyber attacker uses to gain unauthorized access to IT systems to exploit vulnerabilities, introduce malware or steal sensitive data.

TPRM: Third-Party Risk Management

Third-party risk management (TPRM) includes all the best practices to control the risks of working with outside vendors and subcontractors. The goal of TPRM is to protect your intellectual property, operational systems, financial records, customer data, and other sensitive information from malicious actors.


Unknown Asset

An unknown asset is an element that exists within a company’s IT infrastructure without the company’s knowledge. Attack surface management solutions identify unknown assets, such as shadow IT, subsidiary assets, and orphaned apps.


Vendor-Managed Asset

A vendor-managed asset is an element of a company’s IT infrastructure controlled and managed by a vendor, so the company has no direct control over the asset. These assets may be known or unknown, and they can introduce serious vulnerabilities into the company’s network. Attack surface management solutions provide visibility into vendor-managed assets, how they’re...

Vendor Risk Management

Vendor risk management ensures the business is not at risk for a data breach, operational outage, or other negative impacts due to its connections with third-party vendors and suppliers. These vendors are critical for day-to-day operations and efficiencies but can be a massive risk without monitoring risk from every angle.


A vulnerability is a weakness in a company’s systems that provides opportunities for cyber attackers to gain unauthorized access and carry out successful cyber attacks. Vulnerabilities can exist in security policies, security controls, application configurations, code, open ports, and every other area of a company’s information systems.

Vulnerability Assessment

A vulnerability assessment is an evaluation of a discovered vulnerability to determine the level of risk it poses to the organization, such as how easily threat actors can exploit it and the sensitivity of the data that they can access. Vulnerability assessment is used to determine risk scores and prioritize risks.

Vulnerability Management

Vulnerability management includes processes and solutions to continuously monitor a company’s IT systems, identify potential vulnerabilities, prioritize risks, mitigate risks, and report on incidents.

Vulnerability Patching

Vulnerability patching is the process of applying fixes to applications or systems that remediate a discovered vulnerability. They may be implemented as temporary mitigation efforts and incorporated into the next software release, or they may be permanent fixes that eradicate the vulnerability. Regularly checking for updates and installing the most current, secure software versions and...

Vulnerability Scanning

Vulnerability scanning is an ongoing process of monitoring a company’s IT networks, systems, and software to identify potential security risks. Vulnerability scanning solutions automate this process and report on abnormal behavior discovered so security teams can take immediate action to remediate or mitigate vulnerabilities.


Zero Trust

Zero Trust is a cybersecurity framework that assumes the company is always at risk from internal and external threats. All users, applications, and activities are considered potential threats rather than implicitly trusted. A Zero Trust model requires continuous authentication and validation at every stage of a transaction and operates on the principle of least privilege....