Knowledge Base
Cybersecurity & Dark Web
Glossary
Definitions of cybersecurity, dark web, and threat intelligence terms used across this site. Learn the language of modern cybersecurity with 50+ expert-defined terms.
Reference Glossaries
Definitions are written for general orientation. For formal terminology and current control guidance, use the primary reference maintained by the relevant standards body.
A
Advanced Persistent Threat (APT)
A prolonged and targeted cyberattack where an intruder gains access to a network and remains undetected for an extended period, typically months or years. APTs are usually conducted by nation-state actors or sophisticated criminal organizations with specific espionage, data theft, or sabotage objectives.
API (Application Programming Interface)
A set of protocols and tools that allows different software applications to communicate with each other. In cybersecurity contexts, APIs are both infrastructure and potential attack vectors. Threat actors may target poorly secured APIs to access sensitive data or systems.
Attack Surface
The sum of all possible points where an unauthorized user could attempt to enter or extract data from a system or network. This includes physical, digital, and human elements such as network ports, applications, user accounts, and social engineering vectors.
B
Botnet
A network of compromised computers or devices (called "bots" or "zombies") controlled remotely by an attacker through command and control (C2) infrastructure. Botnets are used for various malicious activities including DDoS attacks, spam distribution, credential stuffing, and cryptocurrency mining.
Breach
A security incident where unauthorized parties gain access to protected data, systems, or networks. Data breaches can result from hacking, malware, insider threats, or physical theft.
C
Command and Control (C2)
Infrastructure used by threat actors to communicate with and control compromised systems in a target network. C2 servers send commands to malware implants and receive stolen data. Modern C2 infrastructure often uses encrypted channels, domain generation algorithms (DGAs), and cloud services to evade detection.
Credential Dumping
A technique where attackers extract authentication credentials (usernames, passwords, hashes, or tokens) from a compromised system's memory, registry, or files. Tools like Mimikatz are commonly used for credential dumping on Windows systems. Once credentials are obtained, attackers can move laterally across networks, escalate privileges, or sell the credentials on dark web marketplaces. This is a critical stage in most advanced attacks and data breaches.
Credential Stuffing
An automated cyberattack where stolen username-password pairs from one breach are tested against other websites and services, exploiting users who reuse passwords.
CVE (Common Vulnerabilities and Exposures)
A standardized identifier system for publicly disclosed cybersecurity vulnerabilities. Each CVE entry provides a unique ID (e.g., CVE-2024-1234), description, and references for a specific security flaw. Maintained by MITRE Corporation, the CVE system enables security teams to track, prioritize, and remediate vulnerabilities consistently across tools and platforms.
Cyber Kill Chain
A framework developed by Lockheed Martin that describes the stages of a cyberattack from reconnaissance to data exfiltration: Reconnaissance, Weaponization, Delivery, Exploitation, Installation, Command & Control, and Actions on Objectives. Security teams use this model to understand attack progression and implement defenses at each stage. Breaking the kill chain at any point can prevent or limit the impact of an attack.
D
Dark Web
A hidden part of the internet that requires special software like Tor to access, featuring .onion domains and providing anonymity to users. Unlike the surface web indexed by search engines, the dark web is intentionally hidden and hosts both legitimate privacy-focused sites and criminal marketplaces.
Darknet Marketplace
An e-commerce platform on the dark web where illegal goods and services are bought and sold, typically using cryptocurrency for anonymity. These marketplaces trade in stolen data, hacking tools, drugs, weapons, and fraudulent documents.
Data Breach
An incident where sensitive, protected, or confidential data is accessed, stolen, or used by unauthorized individuals. Breaches can result from cyberattacks, insider threats, lost devices, or misconfigured systems.
Data Leak
Unintentional exposure of sensitive data, typically through misconfigured databases, exposed APIs, or improperly secured cloud storage. Unlike breaches involving active attacks, leaks result from security oversights.
DDoS (Distributed Denial of Service)
A cyberattack that overwhelms a target system, network, or service with massive amounts of traffic from multiple sources (typically a botnet), making it unavailable to legitimate users.
Decryption
The process of converting encrypted (ciphertext) data back into readable (plaintext) format using a cryptographic key. In cybersecurity contexts, decryption is essential for authorized data access but is also the goal of ransomware victims seeking to recover encrypted files. Proper key management ensures only authorized parties can decrypt sensitive data, while weak encryption or stolen keys can lead to unauthorized decryption and data theft.
Deep Web
The portion of the internet not indexed by standard search engines, including password-protected sites, private databases, email accounts, and subscription content. Unlike the dark web, the deep web is not inherently malicious. It consists of content behind authentication or paywalls.
E
EDR (Endpoint Detection and Response)
A cybersecurity technology that continuously monitors endpoint devices (computers, servers, mobile devices) for suspicious activities and threats, providing detection, investigation, and response capabilities. Unlike traditional antivirus, EDR solutions track behavioral patterns, use threat intelligence, and enable security teams to hunt for threats and respond to incidents.
Encryption
The process of converting readable data (plaintext) into an encoded format (ciphertext) using cryptographic algorithms and keys, making it unreadable without the proper decryption key. Encryption protects data confidentiality during storage and transmission.
End-to-End Encryption (E2EE)
A communication method where data is encrypted on the sender's device and only decrypted on the recipient's device, preventing intermediaries (including service providers) from accessing the content. E2EE is used in messaging apps like Signal and WhatsApp to protect privacy. While E2EE enhances legitimate privacy, it also enables criminals on the dark web to communicate securely, complicating law enforcement investigations of cybercrime and terrorist activities.
Exploit
Software, data, or techniques that take advantage of a vulnerability to cause unintended behavior in a system, such as gaining unauthorized access, executing malicious code, or causing denial of service. Exploits can target known vulnerabilities (for which patches may exist) or zero-day vulnerabilities (previously unknown flaws).
F
Firewall
A network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules, acting as a barrier between trusted internal networks and untrusted external networks. Firewalls can be hardware-based, software-based, or cloud-based.
H
Hacker Forum
Online communities where cybercriminals, hackers, and security researchers exchange information, tools, techniques, and stolen data. Major forums like XSS (formerly known as DaMaGeLaB), Exploit.in, and the now-defunct BreachForums serve as marketplaces for cybercrime services and meeting places for threat actors.
Hash
A fixed-length string of characters generated from input data using a cryptographic hash function (like SHA-256 or MD5), used to verify data integrity and store passwords securely. Hash functions are one-way operations; you cannot reverse them to obtain the original input. In cybersecurity, password hashes are often targeted by attackers who use rainbow tables or brute-force methods to crack them.
I
Incident Response
A structured approach to handling security breaches or cyberattacks, involving preparation, detection, containment, eradication, recovery, and post-incident analysis. Effective incident response minimizes damage, reduces recovery time and costs, and helps prevent future incidents.
Indicator of Compromise (IOC)
Evidence that suggests a system or network has been compromised by a threat actor. IOCs include file hashes, IP addresses, domain names, URLs, email addresses, registry keys, and behavioral patterns associated with malicious activity. Security teams use IOCs to detect, investigate, and respond to threats.
Infostealer
A type of malware designed to steal sensitive information from infected systems, including credentials, browser data, cryptocurrency wallets, session tokens, and files. Popular infostealers like RedLine, Raccoon, and Vidar are distributed through phishing, malvertising, and software cracks.
Initial Access Broker (IAB)
Cybercriminals who specialize in gaining unauthorized access to corporate networks and then selling that access to other threat actors, typically ransomware groups. IABs use various methods including exploiting vulnerabilities, phishing, and purchasing stolen credentials.
Intrusion Detection System (IDS)
A security technology that monitors network traffic or system activities for malicious behavior or policy violations, generating alerts when suspicious activity is detected. IDS can be network-based (NIDS) or host-based (HIDS). Unlike firewalls that block traffic, IDS typically operates in monitoring mode.
L
Lateral Movement
Techniques used by attackers to move through a network after initial compromise, accessing additional systems and escalating privileges to reach their ultimate objectives. Common lateral movement methods include credential theft, pass-the-hash attacks, and exploiting trust relationships between systems.
Leak Site
Dark web websites operated by ransomware groups where they publish stolen data from victims who refuse to pay ransoms. These sites serve as pressure tactics and proof of breach capability.
M
Malware
Malicious software designed to damage, disrupt, or gain unauthorized access to computer systems. Categories include viruses, worms, trojans, ransomware, spyware, and adware.
MFA (Multi-Factor Authentication)
A security mechanism requiring two or more verification factors to gain access to a system, combining something you know (password), something you have (token or phone), and/or something you are (biometric).
O
Onion Routing
A technique for anonymous communication over a computer network where messages are encrypted in layers (like an onion) and routed through multiple nodes, with each node decrypting only its layer to reveal the next destination. The Tor network uses onion routing to provide anonymity for both users and .onion hidden services.
.onion Domain
A special-use top-level domain suffix designating an anonymous hidden service reachable via the Tor network. Unlike traditional domains registered through DNS, .onion addresses are cryptographically generated and can only be accessed through Tor Browser.
P
Patch Management
The process of identifying, testing, and deploying software updates that fix security vulnerabilities and bugs. Timely patching is critical for preventing exploitation of known vulnerabilities.
Penetration Testing
A simulated cyberattack against a system or network to evaluate security posture and identify exploitable vulnerabilities before real attackers find them. Penetration testing can be black box (no prior knowledge), white box (full knowledge), or gray box (partial knowledge).
Phishing
A social engineering attack where attackers impersonate legitimate entities through email, text, or other communication to trick victims into revealing sensitive information or installing malware.
Pretexting
A social engineering technique where an attacker creates a fabricated scenario (pretext) to manipulate victims into divulging information or performing actions. Unlike generic phishing, pretexting involves creating a believable narrative and often includes research about the target.
R
Ransomware
Malicious software that encrypts a victim's files or systems, demanding payment (usually in cryptocurrency like Bitcoin or Monero) for the decryption key. Modern ransomware groups employ "double extortion": encrypting data and threatening to publish it on dark web leak sites if ransom isn't paid.
Ransomware-as-a-Service (RaaS)
A business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks and share proceeds. The commercial terms and division of work vary by operation.
Red Team
A group of security professionals who simulate real-world adversaries to test an organization's detection and response capabilities. Red teams use the same tactics, techniques, and procedures as actual threat actors to identify security gaps.
Rootkit
A collection of malicious software tools that enable unauthorized root or administrative access to a computer while hiding their presence from users and security software. Rootkits can operate at various levels including application, kernel, or even firmware/BIOS.
S
SIEM (Security Information and Event Management)
A security solution that aggregates and analyzes log data from across an organization's infrastructure to detect threats, investigate incidents, and meet compliance requirements. SIEM platforms correlate events from firewalls, endpoints, servers, and applications to identify patterns indicating attacks.
SOC (Security Operations Center)
A centralized facility where security teams monitor, detect, analyze, and respond to cybersecurity incidents using people, processes, and technology. SOCs operate 24/7 using SIEM, EDR, threat intelligence, and other tools to protect organizational assets.
Social Engineering
Psychological manipulation techniques used to trick people into revealing confidential information, granting access, or performing actions that compromise security. Social engineering exploits human psychology rather than technical vulnerabilities and includes tactics like phishing, pretexting, baiting, and tailgating.
Spear Phishing
A targeted phishing attack directed at specific individuals or organizations, using personalized information to increase credibility and success rates. Unlike mass phishing campaigns, spear phishing involves research about the target, their organization, colleagues, and business relationships.
Stealer Logs
Collections of data stolen by infostealer malware, packaged and sold on dark web marketplaces. Each log typically contains credentials, cookies, browser data, cryptocurrency wallets, and system information from a single infected device.
Surface Web
The portion of the internet that is publicly accessible and indexed by standard search engines like Google, Bing, and Yahoo. This includes websites, social media, news sites, and other content discoverable through normal browsing.
T
Threat Actor
An individual or group that conducts or has the intent to conduct malicious cyber activities. Threat actors include nation-states, organized criminal groups, hacktivists, insider threats, and individual hackers.
Threat Hunting
A proactive security approach where analysts actively search through networks and systems to detect threats that evaded automated defenses. Unlike reactive incident response, threat hunting assumes that adversaries are already present and seeks to find them before they cause damage.
Threat Intelligence
Evidence-based knowledge about existing or emerging threats that helps organizations make informed security decisions. Threat intelligence includes information about threat actors, their tactics, techniques, procedures (TTPs), indicators of compromise (IOCs), and threat context collected from sources like dark web forums, ransomware leak sites, security research, and incident response.
Tor (The Onion Router)
A free software and network that enables anonymous communication by routing traffic through multiple volunteer-operated servers (nodes), encrypting data in layers. Tor is used to access the dark web and .onion sites, providing privacy for both users and service operators.
Trojan Horse
Malware that disguises itself as legitimate software to trick users into installing it, then performs malicious actions like stealing data, downloading additional malware, or creating backdoors. Named after the Greek mythology story, trojans rely on social engineering rather than self-replication.
TTPs (Tactics, Techniques, and Procedures)
A concept in threat intelligence describing the behavior patterns of threat actors. Tactics are high-level objectives (e.g., initial access, lateral movement), techniques are specific methods (e.g., spear phishing, credential dumping), and procedures are detailed implementations. The MITRE ATT&CK framework documents TTPs. Understanding adversary behaviors can support detection and defense beyond indicators of compromise, which threat actors can change.
Two-Factor Authentication (2FA)
A security mechanism requiring two different authentication factors to verify identity, typically combining something you know (password) with something you have (SMS code, authenticator app, or hardware token). 2FA is a subset of MFA focusing specifically on two factors.
V
VPN (Virtual Private Network)
A technology that creates a secure, encrypted connection over a less secure network (typically the internet), protecting data in transit and masking the user's IP address. Organizations use VPNs for remote access security, while individuals use them for privacy.
Vulnerability
A weakness in software, hardware, or processes that could be exploited to compromise security. Vulnerabilities can result from coding errors, design flaws, misconfigurations, or inadequate security controls.
Vulnerability Scanning
An automated process that identifies security weaknesses in systems, networks, and applications by testing for known vulnerabilities. Scanners compare system configurations and installed software against vulnerability databases to detect missing patches, misconfigurations, and security gaps.
W
Watering Hole Attack
A targeted attack where adversaries compromise websites frequently visited by their intended victims, using the sites to deliver malware or collect credentials. Named after predators waiting at watering holes for prey, these attacks often target industry-specific websites, forums, or news sites.
Whaling
A form of spear phishing that targets high-profile executives ("big fish") like CEOs, CFOs, and other senior leaders who have access to sensitive information and financial authority. Whaling attacks are highly customized, often impersonating board members, legal counsel, or regulatory bodies.
Worm
Self-replicating malware that spreads across networks without user interaction, exploiting vulnerabilities in systems to propagate. Unlike viruses that require host files, worms are standalone programs.
X
XDR (Extended Detection and Response)
An evolution of EDR that integrates security data from multiple sources (endpoints, networks, cloud, email, identity) into a unified platform for detection, investigation, and response. XDR correlates threats across the entire environment to detect sophisticated attacks that span multiple attack vectors.
XSS (Cross-Site Scripting)
A web application vulnerability that allows attackers to inject malicious scripts into web pages viewed by other users, potentially stealing session cookies, credentials, or other sensitive data. XSS occurs when applications don't properly validate or sanitize user input before displaying it.
Z
Zero-Day
A previously unknown software vulnerability that is exploited by attackers before the vendor has developed and released a patch, leaving defenders with "zero days" to prepare. Zero-day exploits are extremely valuable because they provide reliable access with no available defenses.
Zero Trust
A security model based on the principle "never trust, always verify," requiring strict identity verification for every person and device attempting to access network resources, regardless of whether they're inside or outside the network perimeter. Zero Trust assumes breach and implements continuous verification, least privilege access, and microsegmentation.
Zombie
A compromised computer or device infected with malware that allows remote control by an attacker, typically as part of a botnet. Zombies (also called "bots") are used collectively to conduct DDoS attacks, send spam, mine cryptocurrency, or perform credential stuffing.
Stay Protected
Monitor the Dark Web for Your Organization
Match a configured organization or domain against collected threat records and review the available source evidence.
No credit card required
Review real records