A glossary for the terminology that recurs.
Continuous threat exposure management has its own vocabulary, and so does the broader category around it. This glossary covers the terms that recur on the Deepinfo site and across the work generally. If a term you're looking for isn't here, the contact form at the bottom is real and we'll add useful additions.
TERMS
Definitions, concise.
- ASN (Autonomous System Number)
- A unique identifier assigned to a network operator (typically an ISP or large organization) for routing on the internet. ASNs help map infrastructure ownership and trace traffic patterns.
- Asset
- An internet-facing entity Deepinfo monitors: a domain, subdomain, IP address, or service endpoint. Assets are the units that scanning, risk detection, and scoring operate on.
- Asset Inventory
- A catalog of every internet-facing asset belonging to an organization. Most security teams know about 60-80% of their inventory; the remaining 20-40% is what attackers find.
- ATT&CK (MITRE ATT&CK)
- A globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Used to describe how threat actors operate at the technique level. Threat Actor Intelligence in Deepinfo CTI maps actor TTPs to ATT&CK technique IDs.
- Attack Surface
- The collection of internet-facing systems, applications, services, and data that attackers can interact with. External attack surface includes domains, subdomains, IP addresses, cloud services, and third-party-hosted infrastructure.
- BGP (Border Gateway Protocol)
- The protocol that determines how data routes between autonomous systems on the internet. BGP hijacking attacks redirect traffic by announcing false routes.
- Brand Impersonation
- The use of a legitimate brand's name, logo, or visual identity by malicious actors to deceive users. Includes phishing pages, fake mobile apps, fraudulent social media accounts, and counterfeit websites.
- BRP (Brand Risk Protection)
- Deepinfo's module for detecting brand impersonation across domains, mobile apps, social channels, and search results. Includes Managed Takedown for filing removal requests directly with registrars, hosts, app stores, and platforms.
- CAPEC (Common Attack Pattern Enumeration and Classification)
- A MITRE-maintained catalog of common attack patterns. Each pattern describes how an attack works at the technique level. Deepinfo maps findings to CAPEC where applicable for compliance and detection-engineering use.
- Certificate Transparency
- A public, append-only log system that records SSL/TLS certificates as publicly trusted certificate authorities issue them. Security teams use CT logs to discover assets (any hostname that receives a certificate is recorded) and to detect unauthorized certificates issued for their domains.
- CISA KEV (Known Exploited Vulnerabilities catalog)
- A US Cybersecurity and Infrastructure Security Agency catalog of CVEs confirmed to be exploited in the wild. Every CVE in Deepinfo's system carries a KEV flag; KEV-listed CVEs jump to the top of the prioritization queue.
- Confusable Match
- Domains that visually resemble a legitimate domain through character substitution, Unicode tricks, or homograph attacks (for example, using "rn" to look like "m"). Detection requires multiple match algorithms beyond simple string comparison.
- CTEM (Continuous Threat Exposure Management)
- A framework Gartner introduced for thinking about external risk across five stages: scoping, discovery, prioritization, validation, and mobilization. Deepinfo is a CTEM-first platform built around discovery, prioritization, and mobilization.
- CTI (Cyber Threat Intelligence)
- Deepinfo's module covering dark web monitoring, breach data, infostealer logs, threat actor intelligence, and IOC feeds. Sometimes called "external threat intelligence" to distinguish from internal SOC threat intelligence.
- CVE (Common Vulnerabilities and Exposures)
- A standardized identifier for a publicly disclosed security vulnerability. Each CVE has a unique ID (e.g., CVE-2024-12345), a description, and metadata including affected products and CVSS scoring.
- CVSS (Common Vulnerability Scoring System)
- A standardized severity score for CVEs (0.0-10.0 scale). Useful as a baseline. Limited by being theoretical: high CVSS doesn't mean active exploitation. Deepinfo enriches CVSS with EPSS and CISA KEV signals for real-world prioritization.
- CWE (Common Weakness Enumeration)
- A category-level taxonomy of software weaknesses. Different from CVE (which is a specific vulnerability instance); CWE describes the underlying weakness class. Deepinfo maps findings to CWE for compliance and weakness-pattern analysis.
- Cybersecurity Rating
- A score representing the security posture of an organization, typically derived from external observable data like exposed services, certificate hygiene, breach history, and patch status. Used by enterprises to assess vendor risk.
- Dark web
- Internet content not indexed by standard search engines, typically requiring specialized access (Tor, I2P) or invitation. Deepinfo's CTI module monitors selected dark web sources for organization, executive, brand, and credential mentions.
- DNS (Domain Name System)
- The system that translates domain names into IP addresses. DNS records also carry email routing, certificate validation, and other infrastructure information.
- Domain Squatting
- Registering domain names similar to legitimate brands to either profit from typo traffic, sell back to the brand, or stage attacks. Includes typosquatting, cybersquatting, and combosquatting.
- DSI (Deep Search & Insights)
- Deepinfo's module providing direct queryable access to the internet-scale dataset. Includes Domain Intelligence, Domain Search, Vulnerability Intelligence, Vulnerability Search, and Instant Lookups.
- EASM (External Attack Surface Management)
- A category of security tooling focused on discovering, monitoring, and managing the assets an organization exposes to the public internet. Deepinfo's EASM module covers discovery, continuous scanning, comprehensive risk detection, remediation, and complete risk scoring.
- EPSS (Exploit Prediction Scoring System)
- A model that estimates the probability a CVE will be exploited in the wild within the next 30 days, based on real-world exploitation data. Deepinfo enriches every CVE with EPSS for real-world prioritization.
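The CVSS, EPSS, and CISA KEV entries describe layering real-world exploitation signals on top of the theoretical CVSS baseline. The block below is an added example of that ordering, not Deepinfo's own prioritization logic: the CVE identifiers and scores are constructed placeholders, and the EPSS threshold used for the tiers is an assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CveRecord:
    """One enriched vulnerability record; fields mirror the glossary entries."""
    cve_id: str   # placeholder identifiers below, not real CVEs
    cvss: float   # CVSS base score, 0.0-10.0 (theoretical severity)
    epss: float   # EPSS: probability of exploitation in the next 30 days, 0.0-1.0
    kev: bool     # True if listed in the CISA KEV catalog (confirmed exploited)


# Assumed threshold: EPSS at or above this is treated as "likely exploited soon".
EPSS_LIKELY = 0.10


def priority_key(rec: CveRecord):
    """Sort key: KEV-listed first, then highest EPSS, then CVSS as tie-breaker."""
    return (0 if rec.kev else 1, -rec.epss, -rec.cvss)


def prioritize(records):
    """Enriched ordering: confirmed exploitation beats predicted, which beats theoretical."""
    return sorted(records, key=priority_key)


def by_cvss_only(records):
    """Baseline ordering on the CVSS score alone, kept for comparison."""
    return sorted(records, key=lambda r: -r.cvss)


def tier(rec: CveRecord) -> str:
    """Coarse remediation tier derived from the same three signals."""
    if rec.kev:
        return "P1"                 # confirmed exploited in the wild
    if rec.epss >= EPSS_LIKELY:
        return "P2"                 # exploitation predicted soon
    if rec.cvss >= 7.0:
        return "P3"                 # severe on paper, no exploitation signal
    return "P4"


# Constructed sample: a "critical" CVSS finding that nobody exploits, a medium
# CVSS finding on the KEV list, and two in between.
SAMPLE = [
    CveRecord("CVE-0000-0001", cvss=9.8, epss=0.02, kev=False),
    CveRecord("CVE-0000-0002", cvss=7.5, epss=0.91, kev=True),
    CveRecord("CVE-0000-0003", cvss=5.3, epss=0.45, kev=False),
    CveRecord("CVE-0000-0004", cvss=9.1, epss=0.004, kev=False),
]


if __name__ == "__main__":
    print("CVSS only :", [r.cve_id for r in by_cvss_only(SAMPLE)])
    print("enriched  :", [(r.cve_id, tier(r)) for r in prioritize(SAMPLE)])
```

Run on the sample, the CVSS-only queue starts with CVE-0000-0001 (9.8) while the enriched queue starts with CVE-0000-0002 (KEV-listed, 7.5) and pushes the 9.1-scored finding with an EPSS of 0.4% to the bottom, which is the "high CVSS doesn't mean active exploitation" point in the CVSS entry.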
- FERPA
- US Family Educational Rights and Privacy Act. Governs privacy of student educational records. Relevant to Deepinfo's Education industry vertical.
- GDPR
- EU General Data Protection Regulation. Governs personal data processing for EU residents. Relevant across multiple industries Deepinfo serves.
- HIPAA
- US Health Insurance Portability and Accountability Act. Governs handling of protected health information. Relevant to Deepinfo's Healthcare industry vertical.
- Homoglyph attack
- A phishing technique using visually similar Unicode characters from non-Latin alphabets to register lookalike domains that render identically to legitimate brand domains in some browsers. Caught by Fraudulent Domain Monitoring's eight confusable match types.
- IAB (Initial Access Broker)
- A threat actor who specializes in gaining unauthorized access to organizations and selling that access to other criminals (typically ransomware operators) rather than conducting attacks themselves.
- Incident Response (IR)
- The process of detecting, investigating, containing, and recovering from security incidents. IR teams follow defined playbooks and document lessons learned to prevent recurrence.
- Infostealer
- Malware that captures credentials, session cookies, autofill data, and browsing history from infected devices, then delivers the captured data to criminal markets. Deepinfo's Compromised Employee Device Monitoring watches infostealer log dumps for indicators tying back to customer organizations.
- IOC (Indicator of Compromise)
- A piece of data (a domain, IP address, file hash, or certificate fingerprint) that indicates malicious activity. Deepinfo's CTI IOC Feeds deliver curated IOC streams in standard formats for SIEM, SOAR, and threat-intel platform integration.
- IP (Internet Protocol) Address
- A numeric label assigned to every device connected to a network. IPv4 uses 32-bit addresses (about 4 billion total); IPv6 uses 128-bit addresses, providing the vastly larger address space modern networks need.
- Issue lifecycle
- Deepinfo's nine-state model for tracking findings: Newly Detected, Reappeared, Unresolved, Marked as Resolved, Verified Resolved, Risk Accepted, Ignored, Marked as False Positive, Not Applicable. Replaces binary open/closed with state-aware tracking suitable for compliance audit trails.
- KEV
- See CISA KEV.
- KVKK
- Türkiye's Personal Data Protection Law. Governs personal data processing for Turkish residents. Mentioned in Deepinfo's privacy policy alongside GDPR alignment.
- Lookalike domain
- A domain registered to imitate a legitimate brand domain, typically used in phishing campaigns. Includes typo variants, character substitutions, homoglyph attacks, and brand-keyword combinations. Caught by Fraudulent Domain Monitoring.
- Managed Takedown
- Deepinfo's takedown service for fraudulent domains, fake apps, social impersonation, and search abuse. Files removal requests directly with registrars, hosting providers, CDNs, app stores, social platforms, and search engines, and tracks each request to resolution.
- MDR (Managed Detection and Response)
- A service model where an external provider monitors customer environments, detects threats, and responds to incidents. MDR combines technology, threat intelligence, and analyst expertise.
- MSP (Managed Service Provider)
- An organization delivering managed services to customers, often including security services. Deepinfo partners with MSPs and MSSPs (Managed Security Service Providers) through the Partner Program.
- MSSP (Managed Security Service Provider)
- A vendor that delivers security operations as a service, typically including monitoring, log management, and incident response. MSSPs serve organizations that lack in-house security operations capacity.
- NIST CSF (NIST Cybersecurity Framework)
- A voluntary framework from the US National Institute of Standards and Technology that organizes cybersecurity activities into five functions: Identify, Protect, Detect, Respond, Recover.
- OWASP Top 10
- The Open Web Application Security Project's list of the most critical web application security risks. Deepinfo maps findings to OWASP Top 10 (2021) for compliance and developer-team communication.
- Passive DNS
- Historical records of DNS resolutions captured by sensors across the internet. Passive DNS lets investigators see what domains historically resolved to an IP, even if those records have changed since.
- Patch Tuesday
- The second Tuesday of each month, when Microsoft releases security patches. Many other vendors follow similar predictable cadences, which security teams plan deployment cycles around.
- PCI DSS
- Payment Card Industry Data Security Standard. Compliance framework for organizations handling payment card data. Deepinfo maps findings to both PCI DSS 4.0 and PCI DSS 3.2.
- Phishing Kit
- A pre-packaged collection of templates, code, and infrastructure that lets attackers deploy phishing pages quickly. Phishing kits often impersonate specific brands and capture credentials, payment data, or authentication tokens.
- Pivot (in investigation)
- Moving from one indicator to a related one: e.g., from a domain to its IP, from an IP to all domains hosted on it, from an email to all domains registered with that email. DSI Domain Search is built around investigation pivots.
- Reverse lookup
- A query that finds entities sharing a common attribute. Reverse-IP finds domains pointing to an IP. Reverse-MX finds domains using an MX server. Reverse-WHOIS finds domains registered with an email. Foundational for DSI investigations and EASM discovery.
- Reverse-IP Lookup
- Finding all domains hosted on a given IP address. Useful for discovering related infrastructure, shared hosting risks, and asset enumeration during investigation.
- Reverse-WHOIS
- Finding all domains registered with a specific email address, organization name, or other registration identifier. Helps discover subsidiary domains and acquired company infrastructure.
- SBOM (Software Bill of Materials)
- A formal record of the components, libraries, and dependencies that make up a piece of software. Required by some regulations and useful for tracking exposure when vulnerabilities are disclosed in components.
- Shadow IT
- Internet-facing infrastructure spun up by employees, contractors, or business units without security team awareness. Shadow IT often falls outside official asset inventories.
- SIEM (Security Information and Event Management)
- Software that aggregates logs from across an organization's infrastructure, correlates events to detect threats, and supports compliance reporting. Modern SIEMs increasingly combine with SOAR for automated response.
- SOAR (Security Orchestration, Automation, and Response)
- A category of security tooling for automating SOC workflows. Deepinfo integrates natively with major SOAR platforms; IOC Feeds and finding alerts route directly into SOAR playbooks.
- SOC (Security Operations Center)
- The team and infrastructure responsible for monitoring, detecting, and responding to security incidents. SOCs typically run 24/7 and combine analysts, tooling, and defined response procedures.
- SSL/TLS (Secure Sockets Layer / Transport Layer Security)
- Cryptographic protocols that encrypt data in transit between clients and servers. SSL is the legacy term; TLS is the modern protocol used across HTTPS, email, and other secure channels.
- STIX/TAXII
- Structured Threat Information Expression / Trusted Automated Exchange of Intelligence Information. Standards for representing and sharing threat intelligence. Deepinfo's IOC Feeds support STIX/TAXII delivery for threat-intel platform integration.
- Subdomain Enumeration
- The process of discovering subdomains belonging to a parent domain. Combines passive DNS, certificate transparency, brute-force probing, and other techniques.
- Supply Chain Attack
- An attack that compromises an organization through a trusted third party, vendor, or software dependency rather than the organization directly. Examples include the SolarWinds, Kaseya, and 3CX incidents.
- Takedown
- The process of removing malicious content from the internet, typically by submitting evidence to hosting providers, registrars, or platforms. Effective takedown coordination requires evidence packages and established relationships with intermediaries.
- Threat Actor
- An individual or group responsible for malicious cyber activity. Categories include nation-state actors, criminal organizations, hacktivists, and insider threats.
- Threat Hunting
- Proactive search for threats that have evaded existing defenses, typically driven by hypotheses derived from threat intelligence. Distinguished from incident response by being initiated without a known compromise.
- TPRM (Third-Party Risk Management)
- Deepinfo's module for continuous external monitoring of vendors, suppliers, and partners. Replaces point-in-time vendor questionnaires with always-on monitoring at the same depth as internal asset monitoring.
- TTP (Tactics, Techniques, and Procedures)
- A way of describing how a threat actor operates. Tactics are the why; techniques are the how; procedures are the specific implementation. Deepinfo maps actor TTPs to MITRE ATT&CK technique IDs.
- Typosquatting
- Registering domains that exploit common typos of legitimate domain names (for example, "googel.com" for "google.com"). Used for phishing, malware distribution, and ad fraud.
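The Confusable Match, Homoglyph attack, Lookalike domain, and Typosquatting entries all describe the same defensive question: given a domain that turned up in a certificate transparency log or a new-registration feed, which kind of imitation of the brand is it? The block below is an added example of that classification, written for this glossary and not part of Deepinfo's Fraudulent Domain Monitoring. Its substitution tables are small constructed subsets, it assumes the registrable label is simply the second-level label (no public suffix list), and the brand and candidate domains are constructed.

```python
import unicodedata

# Constructed, deliberately small tables. A production detector uses the full
# Unicode confusables data and many more ASCII substitution pairs.
ASCII_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "3": "e"}
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0131": "i"}  # Cyrillic a/e/o/p/c and dotless i


def registrable_label(domain: str) -> str:
    """Second-level label of a domain. Assumption: no public-suffix handling,
    so a brand under 'co.uk' would need a real PSL lookup in practice."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def to_unicode_label(label: str) -> str:
    """Decode a punycode A-label (xn--...) to its Unicode form; pass others through."""
    if label.startswith("xn--"):
        return label.encode("ascii").decode("idna")
    return label


def skeleton(label: str) -> str:
    """Fold a label to the ASCII string it resembles to a human eye."""
    folded = unicodedata.normalize("NFKD", label)
    folded = "".join(ch for ch in folded if not unicodedata.combining(ch))  # drop accents
    folded = "".join(HOMOGLYPHS.get(ch, ch) for ch in folded.lower())
    for seq, rep in ASCII_CONFUSABLES.items():
        folded = folded.replace(seq, rep)
    return folded


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert/delete/substitute plus adjacent
    transposition, so 'googel' vs 'google' counts as a single typo."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(brand_domain: str, candidate_domain: str) -> str:
    """Label how a candidate domain imitates the brand: exact, homoglyph,
    confusable, typo, combosquat, or none."""
    brand = registrable_label(brand_domain)
    cand = to_unicode_label(registrable_label(candidate_domain))
    if cand == brand:
        return "exact"
    if skeleton(cand) == skeleton(brand):
        # Same visual skeleton: non-ASCII characters mean a homoglyph attack,
        # a pure-ASCII label means a confusable substitution such as "rn" for "m".
        return "homoglyph" if any(ord(ch) > 127 for ch in cand) else "confusable"
    if osa_distance(cand, brand) == 1:
        return "typo"
    if skeleton(brand) in skeleton(cand):
        return "combosquat"          # brand plus an extra keyword, e.g. brand-login
    return "none"


# Constructed candidates as they might arrive from a CT log or registration feed.
SAMPLE_CANDIDATES = ["example.com", "exarnple.com", "examp1e.com", "exampel.com",
                     "ex\u0430mple.com", "example-login.com", "unrelated.com"]


def scan(brand_domain: str, candidates) -> dict:
    """Classify every candidate and drop the ones that are not lookalikes."""
    results = {c: classify(brand_domain, c) for c in candidates}
    return {c: kind for c, kind in results.items() if kind not in ("exact", "none")}


if __name__ == "__main__":
    for cand, kind in scan("example.com", SAMPLE_CANDIDATES).items():
        print(f"{cand!r:24} {kind}")
```

The skeleton comparison is what the Confusable Match entry means by "multiple match algorithms beyond simple string comparison": a plain equality or edit-distance check misses both the Cyrillic "а" and the "rn" for "m" substitution, while the folded skeleton catches both and still lets the distance check pick up ordinary transpositions like "exampel".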
- Vendor Assessment
- The process of evaluating a vendor's security posture before or during a business relationship. Traditional assessments rely on questionnaires; modern approaches add continuous monitoring of the vendor's external attack surface.
- WASC (Web Application Security Consortium)
- A category-level taxonomy of web application security weaknesses. Deepinfo maps findings to WASC for compliance and weakness-pattern analysis.
- WHOIS
- A protocol and database that records domain name registration information, including registrant, registrar, registration date, and contact details. Modern WHOIS data is often redacted or proxied for privacy reasons.
- Zero-Day
- A vulnerability that's actively exploited before a patch is publicly available. Zero-days command premium prices on criminal markets and are typically reserved by sophisticated actors for high-value targets.
SEE IT IN PRACTICE
Terms in the abstract are easy. See them applied.
The free threat exposure report runs Deepinfo against your domain. The terms in this glossary become concrete findings, scores, and recommendations.