This is a device or software that adds extra functionality to another device or program. Consider, for example, browser extensions or plug-ins, which are software packages that get added to the browser to give users extra options.

Address bar

An address bar usually refers to the text box in your browser that shows the URL location a browser tab or window is currently on or viewing. A user can manually fill in the URL he wants to visit from here. Or he/she can visit a site in another way (e.g. by clicking a link) and the address bar will show the resulting URL.

Sometimes, the address bar refers to a path that is shown in a file explorer utility.

Note that under some circumstances, the address bar also functions as a search bar if the text that is entered is not recognized as a valid URL.


Is a type of fraud that lets advertisers pay for advertisements even though the number of impressions (the times that the advertisement has been seen) is enormously exaggerated. You can read more about adfraud in the blog post, Adfraud vs. Adware.


Adware is a form of malicious software which displays unwanted advertising on your computer.  For more information, see this blog post.


In the context of internet connections, this expression means that the connection is always accessible. Nothing needs to be turned on, and there is no need to dial in. DSL and cable are prime examples of always-on connections.


In computing, analog is usually used as the opposite of digital. Analog signals are continuous and can reach any value between two given extremes. Consider this analogy: If digital can be black or white, then analog can also be any of the gray shades in between.


In computing and technology, android can mean one of the following:

  • A robot that appears human
  • The Android Operating system that was developed by the Open Handset Alliance (OHA) and that can mainly be found on smart-phones and tablets. But it can also be found in televisions, smart-watches, cars, and many other electronic devices. The operating system (OS) is based on Linux, but has been customized for usability on touchscreen devices as outlined by Google (one of the founders of the OHA).

Android app

Is a program that was designed for the Android OS. Android apps can be downloaded from various app stores. Be sure to pick the ones you decide to trust wisely. Even the app stores that do have a good vetting system, sometimes miss adware or malware.


In computing, this is a piece of software that repeats an annoying task. Most commonly used to describe IRC bots that send out unsolicited messages to participants.


Is also known as nagware or begware. It’s software that keeps reminding a user to perform a certain action like registering or buying software by showing pop-ups or other messages.

Anomaly detection solution

Is any next-generation firewall or intrusion detection/intrusion prevention system (IDS/IPS) in place in an enterprise network that monitors, alerts, and blocks potentially malicious or suspicious network traffic.


Is the action, or attempt to, disable the ability to track back information or actions to a certain user. There are a few main types:

  • Data anonymization, which removes personally identifiable information from a dataset
  • Anonymizing remailer, which forwards email without disclosing the original sender
  • Anonymous surfing, which is visiting internet sites through an anonymous proxy, a tunnel, or the Tor network 


Usually refers to an anonymous proxy. Anonymizers are tools that minimize the amount of tracking done during surfing in an attempt to hide the true identity of the user. Besides tacking prevention they hide your IP address and sometimes encrypt your traffic.

Application security

Are the countermeasures taken to secure an application. This starts during the design and development of the application but broadens to the host and network the application is deployed on. This has to be done to defend against threats and attacks from the outside that will attempt to exploit the application.


Stands for Advanced Persistent Threat, which is a prolonged, aimed attack on a specific target with the intention of compromising their system and gaining information from or about the target. For more information, see this blog post.


Stands for Address Resolution Protocol, which is used to find a physical address that belongs to an IP address.

The normal procedure is to send an ARP request over the network and the machine that has the requested IP will answer with an ARP reply. This procedure then associates a physical machine with an IP address. Attackers can abuse this protocol by ARP spoofing, broadcasting an IP address so that the traffic meant for that IP address can be intercepted by the attacker.

Artificial Intelligence

Is sometimes shortened to AI. It describes the science that works on intelligence in machinery (computers/robots). The first discussion being what we define as intelligence and whether we can describe human intelligence close enough to reproduce and recognize it in machines. The main pillars are defined as the abilities to learn, reason, and self-correct. There are several disputed tests that are used to determine intelligence in machines, important ones are those by Turing and Hintze.


Is short for American Standard Code for Information Interchange. ASCII tables represent a seven-bit encoding standard for text files. Later, a 8-bit encoding was introduced called the extended ASCII (EASCII), which included the original 128 characters plus additional characters.


Is the masking of initiatives by corporations, governments, or political parties to make the campaign appear to be spontaneous or initiated by civilian groups. Sometimes masking the origin makes the campaign more effective or less controversial.

Attack vector

Is the technique used to obtain unauthorized access to a system or network. It is an important part of vulnerability research to know which attack vector is or might be used. Examples of attack vectors are:

Augmented Reality

Is sometimes shortened as AR. Augmented reality is a cross between the physical world and virtual reality. It adds images, sounds, motion sense, and even smell to the physical reality.


In computing, it is the process of verifying the identity of a user or process. Usually this is done to check whether the user or process has sufficient rights for access or to make modifications. You can find more information in these blog posts:

AV killer

Is malicious code that disables the users antivirus software to avoid detection. The term AV killer is also used sometimes for malware that disables firewalls. Also see retroviruses.



Typically a type of Trojan malware that allows its creator or proponent to gain access to a system by bypassing its security. The term “backdoor” can also refer to the method of gaining access to user systems undetected; should not be mistaken for exploits.

Other form/s: backdooring


In the context of computer malware, behavior refers to the actions malware performs on an affected system once executed.


Is a numerical system with only two different values: 0 and 1, or True and False. Compare the decimal system which uses 10 different values (or numerals): o to 9. Binary is popular in electronics and therefore in computing because 0 can be regarded as OFF and 1 as ON.


Is the measurement and statistical analysis of people’s physical and behavioral characteristics. In biometrics authentication, this means personally identifiable and unique features are stored in order to give the holder access to certain resources. Consider for example a fingerprint reader to log on to a computer.


Is a cryptocurrency, a payment medium that relies on cryptography rather than on banks or governments. It is very popular among internet criminals as it’s readily exchangeable for other physical currencies and is practically untraceable.


In computing, it usually refers to a list of domains and/or IP adresses. Blacklists are long lists of known or suspected malicious servers and/or domains. These lists are used to protect users from receiving mail from these servers or from browsing to sites that are on these domains/IP addresses.


Is a wireless technology mainly used for short distance connections between devices. Communication is done at a band around 2.45 GHz. To avoid interference between devices, they use a low power signal, which is what makes it a short range connection, but it does not need a line of sight to establish a connection.


In computing, to boot a system is to turn the device or machine on and load the operating system into random access memory. The boot-up process is made up out of different stages, depending on the setup of the system and the operating system that has to be loaded. For most cases, these stages are important parts of them:

  • The BIOS or UEFI are powered up and do the Power-On Self Test (POST)
  • The bootloader loads the operating system
  • Once all the operating systems files have been loaded, control is given to the OS.

Boot sector

Is a part of a physical information carrier (usually a hard drive) that contains the code that has to be loaded in a systems RAM memory first, to start the actual boot process and load the operating system. The boot sector is created when a volume is formatted.

Boot sector virus

Is malware that infects the boot sector of a drive or other storage device. During a boot, this sector is automatically located and loaded into memory. This makes boot sector viruses harder to remove as they will load before normal removal software.


Is a type of rootkit that alters or replaces the bootloader of the affected system in order to take over control. To remove a bootkit, one will need a bootable medium, which has the necessary tools to undo the changes made by the bootkit.


A derivative of the word “robot.” It usually pertains to (1) one or more compromised machines controlled by a bot master or herder for the purpose of spamming or launching DDoS attacks, and (2) an automated program coded with certain instructions to follow, which includes interacting with websites and humans via the use of Web interfaces (e.g. IMs). A collective of bots is called a botnet.

Synonym: zombie machine


A collection of bots.  The term also refers to the malware run on a connected device to turn it into a bot.

In computing, breadcrumbs are navigation aids that tell users where exactly they are while surfing on a site or in a set of folders. It shows the hierarchy of links on a site or the steps in the folder structure. Consider, for example, the address bar in a Windows explorer window.


Is a contraction of browser and lock. The term is used to describe the state of the internet browser in response to certain sites where the user is unable to perform any of the actions below:

  • close the open tab or window
  • blocks access to the desktop of the system
  • stops you from navigating to another site

The term is also used in cases where malware opens a browser window for the above purposes without the user actively using the browser. The browser controls can be hidden so the user would not recognize it as such.

The objectives for this behavior can be numerous, but it in essence the threat actor wants the user to do something he normally wouldn’t have done, i.e. call a tech support scam number, pay a ransom, or install an extension. You can find more information about browser lockers in our blog post, Regaining Control Over Edge.


In computing, a buffer refers to the amount of data stored and shared between applications to compensate for the difference in speed with which these can handle the data. Consider, for example, your browser buffering (part of) a movie while downloading it and, at the same time, while your movie player plays it.


A bundler is a group of programs that are bunched up together to be installed with a main program, which is usually what users desire to install onto their systems. These additional programs are other unwanted software, such as adware and toolbars.


In computing, this refers to the act of writing data to a drive with a recordable disc (CD, DVD). The data is written onto the disc using a laser and, until the invention of rewritable discs (RW), this was considered a one-time only process.



Stands for command and control, which may pertain to a a centralized server or computer that online criminals use to issue commands to control malware and bots and to receive reports from them.

Other forms: command & control, C2


In computing,  a cache is a temporary storage that is used to speed up future requests. For example, a browser cache stores contents of websites, so they can be displayed faster the next time the user visits them. For information about DNS cache poisoning, have a look at the blog post, DNS Hijacks: What to Look For.


Stands for Computer-Aided Design. This is the use of computer technology to help with the design of two- or three-dimensional objects. This specialized type of software helps to design, modify, analyze, optimize, and even create objects in many fields, including architecture, mechanics, engineering, and art.

Cold boot

In computing, cold boot happens when the system gets booted from a shut down or powerless state. Sometimes used in cases to specify that the power to the system was unplugged and then plugged in again to remedy a certain problem. A reboot executed from the OS is called a warm boot.

Companion virus

Is a type of virus that uses two typical Windows properties:

  • Windows does not require file extensions to run a requested file.
  • When more than one file qualify for a command, Windows chooses the one that comes first alphabetically.

To illustrate, let’s say you want to run ipconfig from the command prompt. If you do not specify the extension, this normally runs the file ipconfig.exe. However, if there is a file (companion virus) in the same path that is called, this is executed as, alphabetically, it comes first before ipconfig.exe.

Computer ethics

Is a set of moral principles that describe how decisions in the field of computing should be made. Examples would be rules for disclosing of compromised information and vulnerabilities, copying of electronic content, and the impact of computers (artificial intelligence) on human lives.

Computer science

Is a multi-disciplinary collection of studies in the fields that are related to digital information. Computer systems, the internet, programming, data storage, and artificial intelligence are some of the best known fields.


In malware research, this refers to a program that makes malware hard to read by researchers. The crudest technique for crypters is usually called obfuscation. A more elaborate blog post on that is Obfuscation: Malware’s best friend.

Obfuscation is also used often in scripts, like JavaScript and VBScript. But most of the time, these are not difficult to bypass or de-obfuscate. More complex methods use actual encryption. More information about this and related subjects can be found in our blog post, Explained: Packer, Crypter, and Protector


Is the knowledge of sending and storing data encrypted. This is done so the data can only be read by the person encrypting the data and the person(s) for whom the information is intended. But encryption techniques are also used by malware called ransomware. Ransomware encrypts a users’ data without his consent and offers to provide him with the key for a certain compensation. More information can be found in our blog post, How to encrypt files and folders.


Is the term for crimes that are related to computers and networks, including traditional crimes like fraud, blackmail, identity theft (to name a few) that are being done over the Internet or by using computing devices. Cybercrime has rapidly become a serious problem because of the growth of computer users and the fact that it knows no borders, which makes finding and punishing cyber criminals difficult.


Data exfiltration

An act of retrieving, copying, and transferring data, such as user credentials, about individuals and/or organizations without authorization.

Synonym: siphoning


DDoS stands for Distributed Denial of Service.  It is a network attack that involves attackers forcing numerous systems (usually infected with malware) to send network communication requests to one specific web server. The result is the receiving server being overloaded by nonsense requests and either crashing the server and/or distracting the server enough that normal users are unable to create a connection between their system and the server.  This attack has been popularized in many “Hacktivism” attacks by numerous hacker groups as well as state-sponsored attacks conducted by governments against each other.


Is the short term for defragmentation. It is the process of reorganizing a file system so that those that were split up when saved and changed are put back together again. This removes pointers to and from the fragments and optimizes the speed with which these files can be used. It also frees up space on the drive.


Also spelled dialler can have several definitions when it comes to computing. All of them involve connections to a telephone or ISDN (Integrated Services Digital Network) line.

  • A program or app that initiates the best connection for the number chosen by the user
  • A program that connects a system to the internet over a telephone or ISDN line
  • Malware that connects a system to a network or number with fraudulent intent


DNS stands for Domain Name Service.  It is an internet protocol that allows user systems to use domain names/URLs to identify a web server rather than inputting the actual IP address of the server.  For example, the IP address for is, but rather than typing that into your browser, you just type ‘’ and your system reaches out to a ‘DNS Server’ which has a list of all domain names and their corresponding IP address, delivering that upon request to the user system.  Unfortunately, if a popular DNS server is taken down or in some way disrupted, many users are unable to reach their favorite websites because without the IP address of the web server, your system cannot find the site.


Is short for Domain Name System Security Extensions. It is a set of extensions that add extra security to the DNS protocol. This is done by enabling the validation of DNS requests, which is specifically effective against DNS spoofing attacks. DNSSEC provides the DNS records with a digital signature, so the resolver can check if the content is authentic. More information can be found in the blog post, DNSSEC: why do we need it?


In computer security related terminology domain refers to either:

  1. A group of computers that are under the control of a common operator and administered as one unit, or
  2. The name of a Web resource following the rules of the Domain Name System (DNS), which translates the Domain Name into an IP address

Domain administrator privileges

Refers to administrator access to all machines within a network.


or Trojan-Downloader is malware with the sole intention to download other programs, usually more malware, to the infected system as soon as an internet connection is available.

Drive-by download

Pertains to (1) the unintended download of one or more files, malicious or not, onto the user’s system without their consent or knowledge. This usually happens when a user visits a website or views an email on HTML format. It may also describe the download and installation of files bundled with a program that users didn’t sign up for. These files can be adware, spyware, or PUPs; (2) the general term used for files that were downloaded unintentionally; i.e. “drive-by downloads.”


Also called Trojan dropper is a type of malware that installs other malware on the affected system. The other malware is part of the same executable, which is usually in compressed form.

Dwell time

Refers to the amount of time passed from when malware has initially infiltrated a system to when it has been detected and removed.



Is the process of changing data in a way that can not (easily) be undone (decrypted) by parties that don’t have the decryption key. Users encrypt information or messages so they can’t be read by anyone. Ransomware encrypts files so the victim can no longer use them, unless he pays the ransom. More information about encryption can be found in the blog post, Encryption: types of secure communication and storage.

End user

Is the person that a certain product is designed, developed, and created for. For this intended user, the product should be suitable (ease of use), and it should be a finished product. Even if a product can be developed further, this should not hinder the end user from using it.


Also known as electronic sports are basically video games competitions. Any computer- or console-game that has a multi-player competition qualifies as an eSport. Most of them fall in the genre of fighting, be it shooters, strategy or battle arena, but other types of games can fall into this category. Professional players participate in many of them.


Pertains to (1) a type of malware programmed to take advantage of a software bug or vulnerability on a system in order to compromise it and allow the exploit’s creator or proponent to take control of it; (2) the act of successfully taking over a system by taking advantage of certain software vulnerabilities installed on it. A collection of exploits is called an “exploit kit.”

Exploit Kit

A collection of exploits which are packaged up for use by criminal gangs in spreading malware.



Stands for Frequently Asked Questions. These are lists drawn up around a certain subject of commonly asked questions and the answers to those questions. These lists are often a first line of support for may products and answer many of the questions that users may have.

File-based attack

Refers to an attack where threat actors use certain file types, usually those bearing document file extensions like .DOCX and .PDF, to entice users to open them. The file in question has been embedded with a malicious code (malcode); thus, once opened, this code is also executed. Usually, the malcode delivers an equally malicious payload.

Below are other file types used in malicious attacks:

  • Binary executables: EXE, DLL, MSI
  • Scripts: JS, VBS, PowerShell



Refers to the process of gathering information about a system at first contact. The information often concerns location, installed operating system, and installed software. Fingerprinting is often used by malware to determine whether the system is vulnerable to certain attacks and to assess whether it is a desirable victim.

Foothold expansion

An act of a threat actor creating backdoors that are used to re-enter a network after initially infiltrating it.



Stands for Graphical User Interface. This is a type of interaction that helps a system user to control and manipulate software. The alternative are command line programs that are usually perceived as hard to understand and hard to learn, where a well-designed GUI can make or break the success of programs.



Is a person that has a very deep understanding of certain systems or processes. His knowledge enables him to use those subjects for other goals than they were designed for. This is done by finding flaws or loopholes in them. There is a distinction between white hackers that report the flaws they find without abusing them and grey/black hackers that use the flaws they find, for personal gain at the expense of others.


Is a state of inactivity to save energy. In computing this expression is used for powering down a computer while preserving the state it is in. The content of the RAM (Random Access Memory) is saved to a drive (usually the main hard disk of the system) and will be restored in RAM as soon as the system is brought back out of hibernation. Not to be confused with sleep mode, which is another energy saving method that uses a little energy to keep the data in RAM. The advantage of sleep mode is that the system is ready for use almost instantaneously where waking from hibernation takes some time.


Stands for Host Intrusion Prevention System, which describes a software package that monitors for suspicious activities occurring within a host machine. This helps keeps a system secure, without depending on a specific threat to be added to a detection update. For more information, see the article HIPS.


A hoax  is the term we use to generally describe a fake or false warning. Hoaxes did start  out as emails, but nowadays they are most active on social media, especially on Facebook. This has considerably increased the speed with which they spread. For more information, see the article hoax.


Is by definition a word of the same written form as another but of different meaning and usually origin, whether pronounced the same way or not. But in cyber-security this is expanded to include words that look the same. This can be achieved by using numbers that looks the same as a letter or characters from another characterset that look the same to humans, but computers see the difference. For example the letter Omicron from the Greek alphabet looks exactly the same as the “Latin” O, but they have a different code in the Unicode table.

Host-based solution

Refers to software that is installed in end-point systems as opposed to a centralized solution.



Is short for Input/Output, the expression is used to describe any information exchange between a computer system and the outside, in both directions. Usually this expression is used, but not limited to for the traffic between the system and peripheral devices.

Incident scope

In a malware attack against enterprises, an incident scope generally refers to the extent of damage against the organization, how much data has been stolen, what the attack surface is, and how much it’d cost them to resolve the attack and prevent it from happening again in the future.

Intellectual property

Refers to creations of the mind, whether they are inventions, art, designs, names, or commercial images. Laws on intellectual property differ from one country to the other, but they usually protect the rights of the person or company that first successfully claims coming up with the creation.


Is a (large) network with restricted access. Usually set up by or for a company or other organization and with access limited to the staff or members of the organization.


In computing IOC stands for indicator of compromise. These indicators can be found after a system intrusion and tell the investigators something about the sort of attack or security breach. These indicators can be IP addresses, domains, hashes of malware files, virus signatures, and similar artifacts. They can lead the investigators to the vulnerabilities that may have been used, possible prevention methods, and sometimes even help in attribution.


Stands for Internet of Things. It represents a host of internet connected devices that do not require direct human input. You can think of refrigerators, cars, security camera’s, but also pacemakers and other biochip transponders. The device has to have a unique identifier and the ability to connect to a network to qualify as a part of the IoT. Many concerns have surfaced about some of these devices due to the weak or complete lack of implemented security in these connected devices.

IP address

An IP address is a number assigned to each system that is participating in a network using the Internet Protocol, such as the World Wide Web.

There are two standards in use: IPv4 and IPv6, but every computer that has an IP address has at least an IPv4 address. An IPv4 address consist of 4 elements each ranging from 0 to 255. A well-known example is the IP-address, which points back at the computer that sends the query.



Is short for Intrusion Prevention System. These systems monitor network traffic to determine whether a security breach or malware infection has taken place. When applicable they can intervene in such cases as pre-determined by the network administrator to avoid further damage. In general, a complete Intrusion Prevention System can include components like firewalls and anti-virus software.


Is short for Information Technology. Describes the study or the use of systems (especially computers and telecommunications) for storing, retrieving, and sending information. Often used to describe the department that focuses on the success of computer operations and other information technologies needs, within an organization.



In the context of malware, a keylogger is a type of Trojan spyware that is capable of stealing or recording user keystrokes.

Other forms: key logger, keylogging
Synonyms: keystroke logger, system monitor


Is one stroke of any key on a machine operated by a keyboard, as a typewriter, computer terminal, and so on. Sometimes keystrokes per hour (KSPH) or keystrokes per minute (KSPM) are used as a standard of typing speed. And the efficiency of programs is sometimes measured by how little keystrokes it takes to get a job done.



Stands for Local Area Network. It is a network of computers and other devices spread over a relatively small space, f.e. a building or group of buildings. Usually these devices all connect to a server or group of servers by ethernet or wifi. Sometimes they are connected to other LANs and together they form a WAN (Wide Area Network).

Lateral movement

Refers to various techniques and/or tactics that threat actors use that allows them to move through a network to access or search for key assets and data within a network. At times, they employ this to control remote systems. Remote administration tools (RATs) are usually used in performing lateral movement.

Local administrator privileges

Refers to administrator access to a specific machine within a network, allowing an owner to make system configurations, install and uninstall software, and use other privileged OS components. The owner of the machine is usually (and by default) the administrator.


On any given system localhost refers to “this computer”, the one . It uses the IP address to use the loopback function in order to reach the resources stored  on the system itself.


Stands for Layered Service Provider. A Layered Service Provider is a file (.dll) using the Winsock API to insert itself into the TCP/IP stack. There it can intercept, filter, and even modify all the traffic between the internet and a system’s applications. More detailed information can be found in the blogpost Changes in the LSP stack. An example of an LSP hijacker can be found in the blogpost Fake Adblocker Bylekh is an LSP Hijacker.


Malicious/Destructive payload

Simply known as payload, this refers to a portion of malware that performs its malicious activity. A payload can be as benign as changing an affected system’s desktop screensaver or as destructive as deleting key operating system (OS) files.


Malware which is delivered by email messages.  For more information, see


Or malicious advertising, is the use of on-line advertising to distribute malware with little to no user interaction required. More information can be found in our blogposts: What is malvertising? and Truth in malvertising: How to beat bad ads.


The shortened version of “malicious software.” Malware is the generic or umbrella term to refer to any malicious programs or code that are harmful to systems.

Man in the Middle (MitM)

In cybersecurity, a man-in-the-middle attack is an attack where the threat actor manages to intercept and forward the traffic between two entities without either of them noticing. To pull this off the, attacker has to be able to convincingly “impersonate” both parties and he can follow and influence the “conversation”. The MitM attack can also be done between browser and internet, for example, or between a Wi-Fi hotspot and an internet user.

Mass malware/Opportunistic attack

In contrast to a targeted attack, an opportunistic attack involves malware that is being distributed in large numbers for anyone to download or injected into websites for anyone to access. Any victim is welcomed. Well-known methods are email and exploit kits.


Stands for Master Boot Record. Typically, the MBR is the first sector on a startup drive (or other partitioned media). It contains the boot loader, which basically is a piece of executable code that starts the loading of the Operating System, or the boot-loader on a system that has more than one operating system installed. More information can be found in the blogpost Meet the Master Boot Record.

Memory dump

A memory dump is the content of the systems RAM (Random Access Memory) created at a specific point in time. Usually this is done at the moment of a program crash or system failure and used to diagnose the problem. But they can also be made manually, for the purpose of memory forensics like the investigation of advanced (e.g. fileless) malware.


Are basically data about data. Metadata gives background information about data that gives the user of the data information about the origin, the relevance and the creation. Examples are geotags in photographs (where was the photograph taken) and the file information of documents ( who created it, when was the last change, size, etc.).


Stands for Multi-factor authentication. The most well-known version of MFA is 2FA (Two factor authentication). Both represent the combination of more than one method of getting access to a resource (logging in). For more information see this blog-post Understanding the basics of Two-Factor Authentication.


Is short for Multimedia Messaging Service. This service is an enhancement of the Short Message Service (SMS) and allows the user to send longer messages (SMS is limited to 160 characters), accompanied with pictures, short videos, and audio over a cellular network.


Or cross-platform, is an expression to describe software that has been developed to work on multiple operating systems.



In computing the definition of a network is a group of two or more computers systems linked together. Consider for example your home network or a LAN (Local Area Network). A prime property of networks is their topology. The main topologies  are:

  • mesh
  • star
  • bus
  • ring
  • tree

Network perimeter

Refers to the boundary between a private network and a public network, such as the World Wide Web.


NewTab is software that changes the default page of a new tab on the browser. This can result in similar negative effects and behavior like browser toolbars or browser hijackers. NewTab can manipulate browser(s) to change their home page or search provider in order to hijack internet traffic and inject advertisements.



In computing this stands for Operating System. The most well-known operating systems are Microsoft Windows, Linux, Apple’s MacOS, Android, and Google’s Chrome OS. Most of these can be divided in more specific operating systems (e.g. Windows 8.1) or grouped into more general clusters of operating systems (e.g. Chrome OS is based on the Linux kernel)


Is short for Open Systems Interconnection. This is a model that defines a networking framework to implement protocols in seven layers:

  1. Physical
  2. Data Link
  3. Network
  4. Transport
  5. Session
  6. Presentation
  7. Application

This model was designed by ISO (International Organization for Standardization) as a design template for building network systems. The lower layers deal with electrical signals, chunks of binary data, and routing of these data across networks. Higher levels cover network requests and responses, representation of data, and network protocols as seen from a user’s point of view.



Is usually short for runtime packers. It is also known as self-extracting archives, which is software that unpacks itself in memory when the “packed file” is executed. Sometimes, this technique is also called executable compression.

This type of compression is invented to make files smaller, so users wouldn’t have to unpack them manually before they could be executed. However, given the current size of portable media and internet speeds, the need for smaller files is not that urgent anymore. So when you see some packers being used nowadays, it is almost always for malicious purposes. In essence, to make reverse engineering more difficult, with the added benefit of a smaller footprint on the infected machine. For more information about this subject, have a look at the blog post, Explained: Packer, Crypter, and Protector


Is essentially a short and simple password. Consider for example the 4 digit numerical code to unlock a smartphone.


Is essentially a complex password made up of a sequence of words. The differences with a regular password are the presence of spaces and the length that makes a passphrase more complex.


Is a method of authentication that has become popular due to its ease of use. The growing need for complex and longer passwords has diminished that ease of use a bit. More information can be found in our blogpost The Password and You.


In computing and telecommunications, a payload is part of transmitted data that is the actual intended message. In malware research, a payload is the malware that the threat actor wants to deliver to the victim. For example, if the threat actor sent out a document with a malicious Macro as an email attachment and the victim gets infected with ransomware, then the ransomware is the payload. The threat actor did use the email, document, or the packer, crypter or  protector to avoid detection.

Penetration Testing

Penetration Testing (or “pen testing”) is the practice of running controlled attacks on a computer system (network, application, Web app, etc.) in an attempt to find unpatched vulnerabilities or flaws. By performing pen tests, an organization can find ways to harden their systems against possible future real attacks, and thus to make them less exploitable.


An attempt to fraudulently obtain credentials without permission, often done by email but also appears on social networks, in fake programs asking for login details, and over the phone.


Is a term to describe hacking anything to do with telephone systems. The term is a contraction of the words phone and freaks and goes back to the time when the telephone structure was still gaining popularity and was by far not as secure as it is now. At the time phreaking was more driven by curiosity than pursuing illegal activity.


Is short for Personally Identifiable Information. This phrase is used for data that could be tracked back to one specific user. You will see it used in Privacy Policies and other privacy statements. Examples of PII are names, social security numbers, biometrics, and other data that, in combination with other data, could be enough to identify a user.


In computer science this describes the ability to use a variable or function in more than one way. The applied use depends on the context in the program. The easiest example is the use of  “+” (which is in fact a very basic function). In most programming languages, when used with numbers it will calculate the sum, but when a string variable is involved, it will join the strings together.

Power User

In computer science is a user that uses a system or software with more than average skills, knowledge, and demands. Often they will use a system that is equipped for special tasks the Power User often needs it to perform. People can easily be Power Users in one field and be regular users in others.

Privilege escalation

An act or event that occurs when a threat actor or unauthorized user achieves full access to normally restricted resources on a computing device’s operating system (OS) it has gained access to. Currently, there are two kinds: horizontal escalation, in which the actor assumes the identity of another user to gain his/her level of privilege; vertical escalation, in which the actor grants himself a higher access privilege by manipulating the system or taking advantage of its flaws.


In malware research, a protector is software intended to prevent tampering and reverse engineering of programs. The methods used can—and usually will—include both packing and encrypting. This combination, plus added features, makes what is usually referred to as a protector. Researchers are then faced with protective layers around the payload, making reverse engineering difficult.

A completely different approach, which also falls under the umbrella of protectors, is code virtualization, which uses a customized and different virtual instruction set every time you use it to protect your application. Of these protectors, there are professional versions that are used in the gaming industry against piracy. More information about this and related subjects can be found in our blog post, Explained: Packer, Crypter, and Protector


In general, it is the act of performing an action for someone else. In computing, this translates as approaching a resource (like the internet) through a different (proxy) server. This server can act as a simple gateway, but it can also add functionality to the requests it receives and sends. The most well-known proxies are the ones that allow access to resources that are restricted. For example, sites that are only open to visitors from a certain country, or the opposite, sites that are not a allowed at a certain location (work, school).


Stands for “potentially unwanted program.” A program (or bundle of programs) which may be included with software the person downloading it wants. The PUP component may include unnecessary offers, add-ons, deals, adverts, toolbars, and pop-ups, all of which may be entirely unrelated to the functionality of the sole wanted program.


QR Code

Is a 2-dimensional barcode. They are squares filled with black and white blocks invented to keep track of cars during manufacturing. Because of the speed with which they can be read and the amount of data they can store, they are rapidly becoming popular in a growing range of fields.


Is by origin a medical term which means keeping infected persons or animals away from healthy ones, to minimize the chances of spreading a contagious disease. This term was picked up by the AV-industry, that uses the term for files they have moved to a safe location on a system, because they were identified as malware. In quarantine the files can no longer be executed, but the user can restore them if he feels the detection was false.



A type of software which locks users out of their computer and/or encrypts their files, offering to unlock on the condition that the victim pays a ransom. The ransom may involve Bitcoin or more traditional forms of payment. Ransomware ranges from crude to highly sophisticated, and only a few types are able to have their encryption successfully decrypted.


Is short for reconnaissance, which (in the context of information security) describes an act of a threat actor using remote access tools (RAT) to gain access to a target system to assess items of value and map the network landscape.

Remote access

Is controlling a computer system from another location. There are many programs that enable this method of working. Very convenient if you want to work on your office computer from home. Unfortunately, it is also a tool of choice for Tech Support Scammers.


Are also referred to as anti-anti-virus viruses. Which means that it tries to attack and disable any anti-virus, or other protective software, on the system they are trying to infect, so it won’t get detected.


Is software, generally classified as malware, that provides the attacker with administrator privileges on the infected system and actively hides from the normal computer user. They also hide from other software on the system, often even from the operating system.

RunPE Technique

A common technique malware uses: running the original executable, suspending it, unmapping from the memory, mapping the payload on its place, and running it again.


Safe Mode

It’s a boot option that loads only the most basic drivers needed for Windows to run. There are different sets of drivers that can be loaded, depending on the kind of “Safe Mode” the user selects. For more information, see the article safe mode.

Sandbox solution

A type of solution wherein IT administers run a program in a controlled environment to determine whether it is safe to deploy within their network or not.


In computer security related terminology a seed is one of the factors used to create (a series of) seemingly random numbers or strings. Consider for example Domain Generating Algorithms or encryption keys that are created on the fly. In the combination of factors, the seed is the constant that is the same for one set of random items. For example, the seed for the file encryption used on one victim, can be unique for that victim and for all his files. The seed for one series of generated domains is generally the same until the author switches to a new variant of the malware using the domains.


Is short for search engine optimization. This is a set of marketing techniques aimed at raising the popularity of a website. The goal is to have your site high up in the search results when a user searches for certain relevant keywords. This brings more visitors to the site and bring in more business.


Is a form of blackmail in which the victim is forced to perform sexual favors for the blackmailer. This is often done by threatening to make embarrassing pictures public that were obtained under false pretenses over the internet.


Stands for Security information and event management. SIEM systems are designed to provide SOCs or other security managers with information about the entire system’s infrastructure to support detection and help with incident response and prevention.


Stands for Security Operations Center and is a centralized unit of personnel, processes and technology that guard the security and investigate security breaches for a bigger entity, usually a company or a network. A SOC does not necessarily have to be part of an organization, they can be hired externally.

Social engineering

In cyber-security social engineering is the description of methods that attackers use to get the victims to breach security protocol or give up private information. There are many tactics that lead to this goal, relying on basic human nature. Like seducing the victims by playing on their greed, vanity, or their willingness to help someone.

Software delivery layer

Refers to a method for network administrators to push out and manage software on the systems they are responsible for.

Software vulnerability

Refers to a weakness or flaw in software, which leaves it open to be exploited by threat actors.


Is undesired electronic junk mail that is sent out in bulk. Because of it’s nature it is a waste of time and resources, and you will find that many organizations have some kind of filtering in place so that only (hopefully) a small portion of it ever reaches the end-user.


Is a method of deceiving users with any sort of on-line messages, but usually email, into giving up important data. Spearphishing attacks are phishing attacks that are targeted at a particular user or group of users (e.g. employees of one company). The intended victim(s) will be asked to fill out data or lured into installing data gathering malware on his system. Learn more about phishing in our blogpost Phishing 101: Part 1.


It is a kind of malware that is installed on the target’s computer with the intention of gathering and sending information to a third-party actor or organization that normally doesn’t have privileged access to such information. In earlier years, this term is also used for adware and cookies.



Is the science of hiding information. In cyber-security this usually comes down to hiding the malicious information behind seemingly harmless messages. Consider for example malvertising where the code is hidden in images. Or malware where the threat actors used Twitter as their C&C infrastructure.

System optimizer

This type of software combines some or all of the below functionalities:

  • Registry cleaner
  • Driver Updater
  • Temp file cleaner
  • Disk optimizer (disk defragmenter)
  • Report system errors

Since all these functionalities are offered by free tools built into the Windows operating system, many system optimizers are considered Potentially Unwanted Programs (PUPs), especially if they exaggerate the seriousness of possible improvements that can be made on user system.


Targeted attack

Refers to an attack aimed at a certain person or group of people. The attackers can be an organization or people that work in a certain field.

Third party

Is a term used to describe an entity that is involved in a deal, but not directly as one of the entities that close the deal. In privacy policies, the term is often used to avoid being blamed, as the publisher, for something any third party might do to the user. For example, additional software that is included in a bundler, will usually be referred to as “third-party software”.

Threat actor

In cyber-security is a group or person behind a malicious incident. As it is sometimes unclear whether an attack was done by one person or whether there is a group or organization involved, we use this as a general term to describe the responsible entity.


Is short for Top Level Domain. This is the right hand part of a domain name. Examples are .com, .gov, and . info. In the hierarchical structure of the DNS system these are at the highest level, hence the name. A complete list of valid TLDs can be found at the site.


A program which claims to perform one function but actually does another, typically malicious. Trojans can take the form of attachments, downloads, and fake videos/programs. Once on board a PC, the Trojan may do a number of things including steal sensitive data, monitor webcams, upload files to a third-party server, or just play pranks on the system owner by opening the CD tray, switching off the screen, or redirecting them to shock sites and other unwanted content.


Is a systematical approach to finding the cause of a malfunction or other problem. With computers this usually starts with studying logs, some of which may have been created specifically for the problem at hand, others may be error logs or even memory dumps.


Typosquatting is the practice of deliberately registering a domain name which is similar to an existing popular name, in the hope of getting traffic by people who mis-type the URL of the popular domain.  For more information, see the article typosquatting.



Stands for Uniform Resource Locator and is a method to find resources located on the World Wide Web. A URL consists of (at least) a protocol (i.e. HTTP) and either a domain or an IP address. They can also include a path on the server to point to a particular file or site.

USB attack

Refers to an attack where threat actors use a USB drive to spread malware. In a targeted attack, infected USB drives are deliberately dropped in public locations, such as parking lots, to entice victims to picking it up and opening it using their computers.



Often refers to closely related malware strains or types of malware that are in the same family.

Virtual memory

Is a memory management technique in use by the Windows operating system to enlarge the address space. It uses a part of the hard drive to store pages and copy them into the RAM memory when they are needed. This method is slower then using RAM only, but it enables the user to run programs even if his RAM memory is already all in use.


A virus is malware attached to another program (such as a document) which can replicate and spread after an initial execution on a target system where human interaction is required. Many viruses are harmful and can destroy data, slow down system resources, and log keystrokes.


Is short for Virtual Local Access Network. It describes a network of systems that are simulating to be on the same network. They are bound at OSI Layer 2 (the datalink layer) which means they can communicate as if connected by wire while they can in fact be on different LAN‘s and be physically far apart. VLAN’s are often used to divide LANs into subsets that are allowed to share certain information and devices. Or to create a group of systems around the world that belong to a certain group in the same organization.


Is short for virtual private network. This is a virtual extension of a private network over the internet. It is often used to allow employees that are not in the physical office to connect to resources on the intranet as if they were in the office. But there are also commercial VPNs that can be used to anonymize your internet traffic.  You can find more information about those in our blog post, One VPN To Rule Them All!


Is short for Virtual Reality. It’s a computer generated simulation of an environment, using images, sound, and sometimes other sensations like for example “force feedback” to give the users the illusion that they are in that environment and can interact with the objects in that environment. VR is primarily used in medicine, military training and video games.


Warm boot

In computing, this is also called a soft boot. It restore the system to its initial state without shutting it down completely. It is often used when applications are hanging or frozen, or after installing software. In Windows ,for example, this can be achieved by choosing “Restart” in the shutdown menu. Also see cold boot.


In computing, it is a list of resources and destinations that we decided to trust. Application whitelisting is a method that allows only specific software and applications to run in order to maintain security. This is more restrictive than blacklisting processes, which has pros and cons. Whitelisting is more secure yet time-consuming to manage.


Is a trademarked phrase for connections compliant with the IEEE 802.11 standard. This is a wireless technology used to provide internet and other WLAN connections. Wi-Fi-certified products are interoperable with each other. The IEEE 802.11 is often combined with a letter to indicate the radio frequency band the products use.


Is the name for any means of transferring information or power over a distance without the need of an electrical conductor (wire).


A worm is much the same as a virus, with the key difference being it does not need to be attached to another program to spread.


Is short for Wi-Fi Protected Access. WPA and WPA2 are security protocols designed for the secure access of Wi-Fi. WPA was intended as an easy upgrade from WEP, but that turned out to be less easy than expected. Later WPA2 replaced WPA and supports CCMP, an encryption mode with strong security.



A zero-day vulnerability is an exploitable vulnerability in software that has not been disclosed yet. Zero days sarcastically stands for the time the software creator has then left to patch the vulnerability. More information can be found in our blog post, What is a Zero-Day?


Is the description for systems that have been infected by a Trojan that added the system to a botnet. The term is used because the system is taken out of control of its owner, and now obeys the botherder like a zombie. You can read more about these botnets in our blog post, The Facts about Botnets.

Cybersecurity info you can’t do without

Want to stay informed on the latest news in cybersecurity? Sign up for our newsletter and learn how to protect your computer from threats.

Select your language