API (Application Programming Interface)
A set of protocols and tools for building software applications, often a target for attackers and penetration testing.
Testing conducted with no prior knowledge of the target system, simulating an external attacker’s perspective.
The defensive security team responsible for detecting and responding to attacks (often tested by the Red Team).
A standardised method for rating the severity of security vulnerabilities on a scale of 0.0-10.0.
Testing with partial knowledge of the system (like user credentials or documentation), balancing realism with efficiency.
A nonprofit foundation that produces freely-available articles, methodologies, and tools for web and application security.
A simulated cyber attack against your systems to identify exploitable vulnerabilities. Unlike vulnerability assessments, penetration testing involves active exploitation to demonstrate real-world impact.
Continuous penetration testing that is delivered through a subscription model to provide ongoing security assessments rather than point-in-time tests.
A framework defining the phases and methodologies for conducting penetration tests.
A collaborative approach where the Red Team and Blue Team work together to improve both offensive and defensive capabilities.
An authorised group of security professionals that simulate real-world attacks against an organisation to assess detection and response capabilities. More realistic than standard penetration testing.
The approved guidelines for conducting a penetration test, including the techniques that are authorised during testing, testing windows and timeframes, and escalation contacts and procedures.
The defined boundaries of a penetration test, including which systems, networks, or applications will be tested and what methods are authorised.
A review of security weaknesses in a system. Unlike penetration testing, this does not involve active exploitation, and focuses on the identification and severity classification of vulnerabilities.
Penetration testing with full knowledge including source code, architecture diagrams, and credentials. Provides the most thorough assessment.