Cybersecurity & Dark Web Glossary

A comprehensive guide to understanding cybersecurity terminology, from dark web concepts to advanced threat intelligence. Learn the language of modern cybersecurity with 50+ expert-defined terms.

A
Advanced Persistent Threat (APT)
A prolonged and targeted cyberattack where an intruder gains access to a network and remains undetected for an extended period, typically months or years. APTs are usually conducted by nation-state actors or sophisticated criminal organizations with specific espionage, data theft, or sabotage objectives. According to Mandiant's threat intelligence research, APT groups employ custom malware, zero-day exploits, and advanced social engineering to maintain persistent access while avoiding detection by traditional security tools.
API (Application Programming Interface)
A set of protocols and tools that allows different software applications to communicate with each other. In cybersecurity contexts, APIs are both critical infrastructure and potential attack vectors—threat actors often target poorly secured APIs to access sensitive data or systems. According to Gartner research, API attacks are one of the fastest-growing threat vectors, with organizations needing to implement strong authentication, rate limiting, and monitoring for their API endpoints.
Attack Surface
The sum of all possible points where an unauthorized user could attempt to enter or extract data from a system or network. This includes physical, digital, and human elements such as network ports, applications, user accounts, and social engineering vectors. According to security best practices, reducing your attack surface through proper configuration, access controls, and employee training is a fundamental principle of cybersecurity defense.
B
Botnet
A network of compromised computers or devices (called "bots" or "zombies") controlled remotely by an attacker through command and control (C2) infrastructure. Botnets are used for various malicious activities including DDoS attacks, spam distribution, credential stuffing, and cryptocurrency mining. According to FBI cybercrime reports, large botnets can comprise millions of infected devices worldwide, with threat actors renting botnet access on dark web marketplaces for prices ranging from hundreds to thousands of dollars.
Breach
A security incident where unauthorized parties gain access to protected data, systems, or networks. Data breaches can result from hacking, malware, insider threats, or physical theft. According to IBM's 2024 Cost of Data Breach Report, the average cost of a data breach reached $4.88 million globally, with breaches taking an average of 197 days to identify and contain. Organizations typically must report breaches to regulators and affected individuals under laws like GDPR and CCPA.
C
Command and Control (C2)
Infrastructure used by threat actors to communicate with and control compromised systems in a target network. C2 servers send commands to malware implants and receive stolen data. Modern C2 infrastructure often uses encrypted channels, domain generation algorithms (DGAs), and cloud services to evade detection. According to cybersecurity research, identifying and blocking C2 communications is critical for stopping active intrusions and preventing data exfiltration.
Credential Dumping
A technique where attackers extract authentication credentials (usernames, passwords, hashes, or tokens) from a compromised system's memory, registry, or files. Tools like Mimikatz are commonly used for credential dumping on Windows systems. Once credentials are obtained, attackers can move laterally across networks, escalate privileges, or sell the credentials on dark web marketplaces. This is a critical stage in most advanced attacks and data breaches.
Credential Stuffing
An automated cyberattack where stolen username-password pairs from one breach are tested against other websites and services, exploiting users who reuse passwords. According to Akamai security research, credential stuffing attacks account for billions of login attempts annually, with success rates typically between 0.1% and 2%. Organizations combat this through multi-factor authentication, bot detection, and monitoring for suspicious login patterns from dark web credential leaks.
CVE (Common Vulnerabilities and Exposures)
A standardized identifier system for publicly disclosed cybersecurity vulnerabilities. Each CVE entry provides a unique ID (e.g., CVE-2024-1234), description, and references for a specific security flaw. Maintained by MITRE Corporation, the CVE system enables security teams to track, prioritize, and remediate vulnerabilities consistently across tools and platforms. According to NIST data, thousands of new CVEs are published annually, making vulnerability management a critical ongoing process.
Cyber Kill Chain
A framework developed by Lockheed Martin that describes the stages of a cyberattack from reconnaissance to data exfiltration: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives. Security teams use this model to understand attack progression and implement defenses at each stage. Breaking the kill chain at any point can prevent or limit the impact of an attack.
D
Dark Web
A hidden part of the internet that requires special software like Tor to access, featuring .onion domains and providing anonymity to users. Unlike the surface web indexed by search engines, the dark web is intentionally hidden and hosts both legitimate privacy-focused sites and criminal marketplaces. According to cybersecurity researchers, the dark web represents approximately 5% of the total internet but hosts the majority of cybercrime marketplaces, ransomware leak sites, and forums where stolen data is traded. Organizations use dark web monitoring to detect when their data appears in these underground communities.
Darknet Marketplace
An e-commerce platform on the dark web where illegal goods and services are bought and sold, typically using cryptocurrency for anonymity. These marketplaces trade in stolen data, hacking tools, drugs, weapons, and fraudulent documents. According to law enforcement reports, major marketplaces like AlphaBay and Dream Market processed hundreds of millions in transactions before being shut down, though new marketplaces continually emerge to replace them.
Data Breach
An incident where sensitive, protected, or confidential data is accessed, stolen, or used by unauthorized individuals. Breaches can result from cyberattacks, insider threats, lost devices, or misconfigured systems. According to IBM's 2024 Cost of Data Breach Report, the average breach costs $4.88 million and exposes 26,000 records. Breached data often appears on dark web forums or marketplaces, where it's sold to other criminals for identity theft, fraud, or further attacks.
Data Leak
Unintentional exposure of sensitive data, typically through misconfigured databases, exposed APIs, or improperly secured cloud storage. Unlike breaches involving active attacks, leaks result from security oversights. According to security research, millions of records are exposed through leaks annually—such as publicly accessible S3 buckets or MongoDB instances. Once discovered, leaked data is often shared on hacker forums and can be exploited the same way as stolen data.
DDoS (Distributed Denial of Service)
A cyberattack that overwhelms a target system, network, or service with massive amounts of traffic from multiple sources (typically a botnet), making it unavailable to legitimate users. According to Cloudflare's DDoS threat reports, attacks have reached multi-terabyte sizes and are often used for extortion, competitive sabotage, or as diversions during data theft operations. DDoS-for-hire services are readily available on dark web marketplaces.
Decryption
The process of converting encrypted (ciphertext) data back into readable (plaintext) format using a cryptographic key. In cybersecurity contexts, decryption is essential for authorized data access but is also the goal of ransomware victims seeking to recover encrypted files. Proper key management ensures only authorized parties can decrypt sensitive data, while weak encryption or stolen keys can lead to unauthorized decryption and data theft.
Deep Web
The portion of the internet not indexed by standard search engines, including password-protected sites, private databases, email accounts, and subscription content. Unlike the dark web, the deep web is not inherently malicious—it simply consists of content behind authentication or paywalls. According to internet research estimates, the deep web is significantly larger than the surface web, comprising approximately 96% of internet content including legitimate business systems, academic databases, and personal accounts.
E
EDR (Endpoint Detection and Response)
A cybersecurity technology that continuously monitors endpoint devices (computers, servers, mobile devices) for suspicious activities and threats, providing detection, investigation, and response capabilities. Unlike traditional antivirus, EDR solutions track behavioral patterns, use threat intelligence, and enable security teams to hunt for threats and respond to incidents. According to Gartner research, EDR is considered essential for modern cybersecurity programs, with the market growing rapidly as organizations seek to detect advanced threats that evade signature-based defenses.
Encryption
The process of converting readable data (plaintext) into an encoded format (ciphertext) using cryptographic algorithms and keys, making it unreadable without the proper decryption key. Encryption protects data confidentiality during storage and transmission. According to cybersecurity best practices, organizations should encrypt sensitive data both at rest and in transit using strong algorithms like AES-256. However, encryption can also be weaponized by ransomware attackers who encrypt victim files and demand payment for decryption keys.
End-to-End Encryption (E2EE)
A communication method where data is encrypted on the sender's device and only decrypted on the recipient's device, preventing intermediaries (including service providers) from accessing the content. E2EE is used in messaging apps like Signal and WhatsApp to protect privacy. While E2EE enhances legitimate privacy, it also enables criminals on the dark web to communicate securely, complicating law enforcement investigations of cybercrime and terrorist activities.
Exploit
Software, data, or techniques that take advantage of a vulnerability to cause unintended behavior in a system, such as gaining unauthorized access, executing malicious code, or causing denial of service. Exploits can target known vulnerabilities (for which patches may exist) or zero-day vulnerabilities (previously unknown flaws). According to dark web market research, exploit code and exploit kits are valuable commodities, with prices ranging from hundreds to millions of dollars depending on the vulnerability's severity and the affected software's prevalence.
F
Firewall
A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules, acting as a barrier between trusted internal networks and untrusted external networks. Firewalls can be hardware-based, software-based, or cloud-based. According to security architecture best practices, firewalls are a foundational security control but must be properly configured and regularly updated to remain effective against modern threats.
H
Hacker Forum
Online communities where cybercriminals, hackers, and security researchers exchange information, tools, techniques, and stolen data. Major forums like XSS (formerly known as DaMaGeLaB), Exploit.in, and the now-defunct BreachForums serve as marketplaces for cybercrime services and meeting places for threat actors. According to threat intelligence research, these forums are critical sources for understanding emerging threats, threat actor TTPs, and early warning signs of planned attacks. Many forums operate on both the clear web and dark web with various access tiers.
Hash
A fixed-length string of characters generated from input data using a cryptographic hash function (like SHA-256 or MD5), used to verify data integrity and store passwords securely. Hash functions are one-way operations—you cannot reverse them to obtain the original input. In cybersecurity, password hashes are often targeted by attackers who use rainbow tables or brute-force methods to crack them. According to security best practices, organizations should use strong, salted hashing algorithms for password storage.
I
Incident Response
A structured approach to handling security breaches or cyberattacks, involving preparation, detection, containment, eradication, recovery, and post-incident analysis. Effective incident response minimizes damage, reduces recovery time and costs, and helps prevent future incidents. According to IBM's 2024 breach cost research, organizations with incident response teams and tested plans save an average of $1.5 million compared to those without. Many organizations maintain incident response playbooks for common scenarios like ransomware or data breaches.
Indicator of Compromise (IOC)
Evidence that suggests a system or network has been compromised by a threat actor. IOCs include file hashes, IP addresses, domain names, URLs, email addresses, registry keys, and behavioral patterns associated with malicious activity. Security teams use IOCs to detect, investigate, and respond to threats. According to threat intelligence practices, sharing IOCs across organizations and through platforms like MISP helps the broader security community defend against common threats more effectively.
Infostealer
A type of malware designed to steal sensitive information from infected systems, including credentials, browser data, cryptocurrency wallets, session tokens, and files. Popular infostealers like RedLine, Raccoon, and Vidar are distributed through phishing, malvertising, and software cracks. According to cybercrime research, stolen data is compiled into "stealer logs" and sold in bulk on dark web marketplaces, where buyers search for credentials to specific companies or services for targeted attacks.
Initial Access Broker (IAB)
Cybercriminals who specialize in gaining unauthorized access to corporate networks and then selling that access to other threat actors, typically ransomware groups. IABs use various methods including exploiting vulnerabilities, phishing, and purchasing stolen credentials. According to threat intelligence reports, IABs operate on dark web forums and private Telegram channels, with network access prices ranging from hundreds to hundreds of thousands of dollars depending on the target organization's size and industry. This business model has created an efficient cybercrime supply chain.
Intrusion Detection System (IDS)
A security technology that monitors network traffic or system activities for malicious behavior or policy violations, generating alerts when suspicious activity is detected. IDS can be network-based (NIDS) or host-based (HIDS). Unlike firewalls that block traffic, IDS typically operates in monitoring mode. According to security operations best practices, IDS alerts should be reviewed and correlated with other security data to identify genuine threats and reduce false positives.
L
Lateral Movement
Techniques used by attackers to move through a network after initial compromise, accessing additional systems and escalating privileges to reach their ultimate objectives. Common lateral movement methods include credential theft, pass-the-hash attacks, and exploiting trust relationships between systems. According to MITRE ATT&CK framework research, detecting and preventing lateral movement is critical for limiting breach impact, as attackers often spend weeks moving laterally before executing their final objectives like data theft or ransomware deployment.
Leak Site
Dark web websites operated by ransomware groups where they publish stolen data from victims who refuse to pay ransoms. These sites serve as pressure tactics and proof of breach capability. According to ransomware tracking research, major groups like LockBit, BlackCat/ALPHV, and Cl0p maintain sophisticated leak sites with countdown timers, search functionality, and downloadable data samples. Victims typically receive 7-14 days' warning before full data publication, creating urgency for ransom payment or incident response.
M
Malware
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Categories include viruses, worms, trojans, ransomware, spyware, and adware. According to AV-TEST Institute data, over 450,000 new malware samples are detected daily. Modern malware often features polymorphic capabilities to evade signature-based detection, command and control communication for remote operation, and anti-analysis techniques to frustrate security researchers.
MFA (Multi-Factor Authentication)
A security mechanism requiring two or more verification factors to gain access to a system, combining something you know (password), something you have (token or phone), and/or something you are (biometric). According to Microsoft security research, MFA blocks over 99.9% of automated credential stuffing attacks. However, sophisticated attackers have developed MFA bypass techniques including phishing with reverse proxies, session hijacking, and SIM swapping, so the choice of MFA method and how it is implemented matters.
O
Onion Routing
A technique for anonymous communication over a computer network where messages are encrypted in layers (like an onion) and routed through multiple nodes, with each node decrypting only its layer to reveal the next destination. The Tor network uses onion routing to provide anonymity for both users and .onion hidden services. According to privacy research, while onion routing protects legitimate privacy needs, it also enables criminal activities on the dark web by making it extremely difficult to trace communications back to their source.
.onion Domain
A special-use top-level domain suffix designating an anonymous hidden service reachable via the Tor network. Unlike traditional domains registered through DNS, .onion addresses are cryptographically generated and can only be accessed through Tor Browser. According to Tor Project statistics, thousands of .onion sites exist, ranging from legitimate privacy-focused services to dark web marketplaces and ransomware leak sites that threat intelligence platforms monitor.
P
Patch Management
The process of identifying, testing, and deploying software updates that fix security vulnerabilities and bugs. Timely patching is critical for preventing exploitation of known vulnerabilities. According to Verizon's Data Breach Investigations Report, many breaches exploit vulnerabilities for which patches have been available for months or years. Organizations must balance security urgency with testing requirements to avoid patches that break critical systems.
Penetration Testing
A simulated cyberattack against a system or network to evaluate security posture and identify exploitable vulnerabilities before real attackers find them. Penetration testing can be black box (no prior knowledge), white box (full knowledge), or gray box (partial knowledge). According to security consulting research, regular penetration testing is a best practice for validating security controls, meeting compliance requirements, and understanding how multiple vulnerabilities could be chained together in real attacks.
Phishing
A social engineering attack where attackers impersonate legitimate entities through email, text, or other communication to trick victims into revealing sensitive information or installing malware. According to Proofpoint's threat reports, phishing is the most common initial attack vector, used in over 90% of successful breaches. Phishing kits and phishing-as-a-service offerings are readily available on dark web forums, lowering the barrier to entry for cybercriminals.
Pretexting
A social engineering technique where an attacker creates a fabricated scenario (pretext) to manipulate victims into divulging information or performing actions. Unlike generic phishing, pretexting involves creating a believable narrative and often includes research about the target. According to FBI IC3 reports, pretexting is commonly used in business email compromise (BEC) attacks where attackers impersonate executives or vendors to initiate fraudulent wire transfers or data disclosure.
R
Ransomware
Malicious software that encrypts a victim's files or systems, demanding payment (usually in cryptocurrency like Bitcoin or Monero) for the decryption key. Modern ransomware groups employ "double extortion"—encrypting data and threatening to publish it on dark web leak sites if ransom isn't paid. According to IBM's 2024 Cost of Data Breach Report, ransomware attacks are among the costliest breaches, with groups like LockBit, BlackCat/ALPHV, Cl0p, and Play collectively victimizing thousands of organizations globally. The average ransom demand ranges from tens of thousands to millions of dollars.
Ransomware-as-a-Service (RaaS)
A business model where ransomware developers lease their malware and infrastructure to affiliates who conduct attacks, sharing ransom profits (typically 70-80% to affiliates, 20-30% to developers). RaaS has industrialized ransomware attacks, enabling less technical criminals to deploy sophisticated ransomware. According to cybercrime research, major RaaS operations like LockBit and BlackCat run professional programs with technical support, marketing, and dispute resolution systems on dark web forums and private channels.
Red Team
A group of security professionals who simulate real-world adversaries to test an organization's detection and response capabilities. Red teams use the same tactics, techniques, and procedures as actual threat actors to identify security gaps. According to security operations research, red team exercises provide valuable insights into defensive blind spots and help train blue team (defensive) personnel under realistic conditions, improving overall security posture.
Rootkit
A collection of malicious software tools that enable unauthorized root or administrative access to a computer while hiding their presence from users and security software. Rootkits can operate at various levels including application, kernel, or even firmware/BIOS. According to malware research, rootkits are particularly dangerous because they can subvert antivirus software, hide malicious processes and files, and maintain persistent access even after apparent remediation.
S
SIEM (Security Information and Event Management)
A security solution that aggregates and analyzes log data from across an organization's infrastructure to detect threats, investigate incidents, and meet compliance requirements. SIEM platforms correlate events from firewalls, endpoints, servers, and applications to identify patterns indicating attacks. According to Gartner research, SIEM is a foundational security technology, though effective deployment requires significant tuning, skilled analysts, and integration with threat intelligence to reduce false positives and detect sophisticated threats.
SOC (Security Operations Center)
A centralized facility where security teams monitor, detect, analyze, and respond to cybersecurity incidents using people, processes, and technology. SOCs operate 24/7 using SIEM, EDR, threat intelligence, and other tools to protect organizational assets. According to security operations research, effective SOCs require skilled analysts, defined playbooks, metrics-driven improvement, and integration with incident response capabilities. Many organizations outsource SOC functions to Managed Security Service Providers (MSSPs) due to staffing and cost challenges.
Social Engineering
Psychological manipulation techniques used to trick people into revealing confidential information, granting access, or performing actions that compromise security. Social engineering exploits human psychology rather than technical vulnerabilities and includes tactics like phishing, pretexting, baiting, and tailgating. According to Verizon's DBIR, human error contributes to over 80% of security breaches, making security awareness training essential. Sophisticated attackers research targets on social media and corporate websites to craft convincing attacks.
Spear Phishing
A targeted phishing attack directed at specific individuals or organizations, using personalized information to increase credibility and success rates. Unlike mass phishing campaigns, spear phishing involves research about the target, their organization, colleagues, and business relationships. According to threat intelligence research, spear phishing is the primary initial access method for APT groups and business email compromise (BEC) attacks. These emails often impersonate executives, IT staff, or trusted vendors to request wire transfers, credential disclosure, or malware installation.
Stealer Logs
Collections of data stolen by infostealer malware, packaged and sold on dark web marketplaces. Each log typically contains credentials, cookies, browser data, cryptocurrency wallets, and system information from a single infected device. According to cybercrime research, stealer logs are sold in bulk for $5-$10 each or searched via subscription services where buyers query for specific company credentials. Organizations should monitor dark web marketplaces for their domains appearing in stealer log offerings, indicating employee compromise.
Surface Web
The portion of the internet that is publicly accessible and indexed by standard search engines like Google, Bing, and Yahoo. This includes websites, social media, news sites, and other content discoverable through normal browsing. According to internet research, the surface web represents only about 4-10% of total internet content, with the remainder divided between the deep web (password-protected legitimate content) and the dark web (anonymized hidden services). The surface web is where most users operate, but it is also where threat actors gather intelligence about potential targets.
T
Threat Actor
An individual or group that conducts or has the intent to conduct malicious cyber activities. Threat actors include nation-states, organized criminal groups, hacktivists, insider threats, and individual hackers. According to threat intelligence frameworks, understanding threat actor motivations (financial gain, espionage, ideology, revenge) helps organizations prioritize defenses and predict attack patterns. Different threat actor types employ varying levels of sophistication, resources, and tactics.
Threat Hunting
A proactive security approach where analysts actively search through networks and systems to detect threats that evaded automated defenses. Unlike reactive incident response, threat hunting assumes that adversaries are already present and seeks to find them before they cause damage. According to SOC best practices, effective threat hunting uses hypotheses based on threat intelligence, MITRE ATT&CK techniques, and knowledge of organizational environment to systematically search for indicators of compromise and anomalous behaviors.
Threat Intelligence
Evidence-based knowledge about existing or emerging threats that helps organizations make informed security decisions. Threat intelligence includes information about threat actors, their tactics, techniques, procedures (TTPs), indicators of compromise (IOCs), and threat context collected from sources like dark web forums, ransomware leak sites, security research, and incident response. According to Gartner research, effective threat intelligence programs consume data from multiple sources, analyze it for relevance to organizational risk, and operationalize insights through SIEM rules, EDR configurations, and security team awareness.
Tor (The Onion Router)
A free software and network that enables anonymous communication by routing traffic through multiple volunteer-operated servers (nodes), encrypting data in layers. Tor is used to access the dark web and .onion sites, providing privacy for both users and service operators. According to Tor Project metrics, millions of users access Tor daily for legitimate privacy needs, journalism, and censorship circumvention. However, this same anonymity enables cybercriminal activities, making Tor infrastructure essential for dark web marketplace operations and ransomware leak sites.
Trojan Horse
Malware that disguises itself as legitimate software to trick users into installing it, then performs malicious actions like stealing data, downloading additional malware, or creating backdoors. Named after the Greek mythology story, trojans rely on social engineering rather than self-replication. According to malware statistics, trojans are among the most common malware types, distributed through fake software downloads, email attachments, and malvertising. Remote Access Trojans (RATs) are particularly dangerous, giving attackers full control over infected systems.
TTPs (Tactics, Techniques, and Procedures)
A concept in threat intelligence describing the behavior patterns of threat actors. Tactics are high-level objectives (e.g., initial access, lateral movement), techniques are specific methods (e.g., spear phishing, credential dumping), and procedures are detailed implementations. According to the MITRE ATT&CK framework—the industry standard for documenting TTPs—understanding adversary behaviors enables better detection and defense strategies than relying solely on indicators of compromise, which threat actors can easily change.
Two-Factor Authentication (2FA)
A security mechanism requiring two different authentication factors to verify identity, typically combining something you know (password) with something you have (SMS code, authenticator app, or hardware token). 2FA is a subset of MFA focusing specifically on two factors. According to Google research, 2FA blocks 96% of bulk phishing attacks and 76% of targeted attacks. However, SMS-based 2FA is vulnerable to SIM swapping attacks, making app-based or hardware token 2FA more secure options.
V
VPN (Virtual Private Network)
A technology that creates a secure, encrypted connection over a less secure network (typically the internet), protecting data in transit and masking the user's IP address. Organizations use VPNs for remote access security, while individuals use them for privacy. According to security research, while VPNs provide important privacy and security benefits, they can also be abused by threat actors to hide malicious activity and bypass geographic restrictions when accessing dark web marketplaces or conducting attacks.
Vulnerability
A weakness in software, hardware, or processes that could be exploited to compromise security. Vulnerabilities can result from coding errors, design flaws, misconfigurations, or inadequate security controls. According to NIST's National Vulnerability Database, thousands of new vulnerabilities are discovered annually and assigned CVE identifiers. Organizations must implement vulnerability management programs to identify, assess, prioritize, and remediate vulnerabilities before attackers exploit them. Critical vulnerabilities affecting internet-facing systems require immediate patching.
Vulnerability Scanning
An automated process that identifies security weaknesses in systems, networks, and applications by testing for known vulnerabilities. Scanners compare system configurations and installed software against vulnerability databases to detect missing patches, misconfigurations, and security gaps. According to compliance frameworks like PCI DSS, regular vulnerability scanning is required. Organizations should scan at least quarterly, after significant changes, and prioritize remediation based on vulnerability severity and system criticality.
W
Watering Hole Attack
A targeted attack where adversaries compromise websites frequently visited by their intended victims, using the sites to deliver malware or collect credentials. Named after predators waiting at watering holes for prey, these attacks often target industry-specific websites, forums, or news sites. According to APT research, watering hole attacks are sophisticated, requiring reconnaissance to identify victim browsing habits and technical skills to compromise legitimate websites while evading detection.
Whaling
A form of spear phishing that targets high-profile executives ("big fish") like CEOs, CFOs, and other senior leaders who have access to sensitive information and financial authority. Whaling attacks are highly customized, often impersonating board members, legal counsel, or regulatory bodies. According to FBI IC3 Business Email Compromise reports, whaling is responsible for billions in annual losses, with attackers conducting extensive research using LinkedIn, company websites, and social media to craft convincing scenarios for fraudulent wire transfers.
Worm
Self-replicating malware that spreads across networks without user interaction, exploiting vulnerabilities in systems to propagate. Unlike viruses that require host files, worms are standalone programs. According to malware history, worms like WannaCry (2017) and NotPetya (2017) caused billions in global damages by rapidly spreading through networks using exploits like EternalBlue. Modern worms can spread through email, network shares, removable media, and internet-facing vulnerabilities, making network segmentation and patch management critical defenses.
X
XDR (Extended Detection and Response)
An evolution of EDR that integrates security data from multiple sources (endpoints, networks, cloud, email, identity) into a unified platform for detection, investigation, and response. XDR correlates threats across the entire environment to detect sophisticated attacks that span multiple attack vectors. According to Gartner research, XDR addresses the limitation of siloed security tools, providing better visibility and faster response by automatically correlating related security events and enabling coordinated actions across security controls.
XSS (Cross-Site Scripting)
A web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially stealing session cookies, credentials, or other sensitive data. XSS occurs when applications include user-controlled input in a page without properly validating it and encoding it for the context where it appears (HTML body, attribute, or script). According to OWASP Top 10, XSS remains one of the most common web vulnerabilities. There are three main types: stored XSS (malicious script permanently stored on the target server and served to every visitor), reflected XSS (script carried in a request and immediately reflected back in the server's response), and DOM-based XSS (the vulnerability exists in client-side code that writes untrusted data into the page).
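The mechanism above reduced to a rendering problem, as an added example that is not part of the glossary: the same comment rendered once by string concatenation (the vulnerable pattern) and once with output encoding (the fix). The comment text, the function names and the `containsScriptTag` check are constructed for this illustration.

```javascript
// Added example (not from the glossary page): stored/reflected XSS as a
// rendering problem, with HTML output encoding as the mitigation.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Vulnerable: user-controlled comment text is concatenated straight into the page,
// so markup inside the comment becomes live markup for every reader.
function renderCommentUnsafe(author, text) {
  return `<li><b>${author}</b>: ${text}</li>`;
}

// Hardened: every untrusted value is encoded for the HTML text context it lands in.
function renderCommentSafe(author, text) {
  return `<li><b>${escapeHtml(author)}</b>: ${escapeHtml(text)}</li>`;
}

// Constructed sample comment whose body carries markup, as a stored XSS
// submission would. Whether it runs depends only on how it is rendered.
const SAMPLE_COMMENT = { author: 'alice', text: 'nice post <script>alert(1)</script>' };

// Minimal check for this demo: does the rendered HTML contain a real <script> tag?
// After encoding, the browser only sees the text "&lt;script&gt;", not an element.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Render the sample both ways and report whether each form contains an active script.
function demo() {
  const unsafe = renderCommentUnsafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.text);
  const safe = renderCommentSafe(SAMPLE_COMMENT.author, SAMPLE_COMMENT.text);
  return {
    unsafe,
    safe,
    unsafeExecutes: containsScriptTag(unsafe),
    safeExecutes: containsScriptTag(safe),
  };
}
```

In a browser, the DOM-based variant is the same mistake on the client side: assigning untrusted data to `innerHTML` is the concatenation case, while `textContent` behaves like `escapeHtml` here. Encoding must match the output context; the text-node encoding above is not sufficient for data placed inside a `<script>` block or a URL attribute.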
Z
Zero-Day
A previously unknown software vulnerability that is exploited by attackers before the vendor has developed and released a patch—meaning defenders have "zero days" to prepare. Zero-day exploits are extremely valuable because they provide reliable access with no available defenses. According to dark web market research and cybersecurity threat intelligence, zero-day exploits command premium prices ranging from tens of thousands to millions of dollars depending on the affected software's prevalence (e.g., Windows, iOS, Chrome). Nation-state actors and sophisticated criminal groups actively acquire and deploy zero-days for espionage and cybercrime.
Zero Trust
A security model based on the principle "never trust, always verify"—requiring strict identity verification for every person and device attempting to access network resources, regardless of whether they're inside or outside the network perimeter. Zero Trust assumes breach and implements continuous verification, least privilege access, and microsegmentation. According to NIST and industry research, Zero Trust architectures are becoming essential as traditional perimeter-based security fails against modern threats, cloud adoption, and remote work. Implementation includes MFA, network segmentation, encryption, and continuous monitoring.
Zombie
A compromised computer or device infected with malware that allows remote control by an attacker, typically as part of a botnet. Zombies (also called "bots") are used collectively to conduct DDoS attacks, send spam, mine cryptocurrency, or perform credential stuffing. According to botnet research, zombie devices can include computers, servers, IoT devices, and smartphones. Device owners often don't realize their systems are compromised and participating in attacks. Proper security hygiene including updates, antivirus, and network monitoring helps prevent zombie infections.

Monitor the Dark Web for Your Organization

Now that you understand the terminology, protect your organization with real-time dark web monitoring. Get alerted when your company appears on ransomware leak sites, hacker forums, or in stealer logs.