TAG Taxonomy

Application programming interface (API) security involves visibility and mitigation, often based on best practices, required to address vulnerabilities in web APIs.

Container and Kubernetes security involves the protection of clusters, pods, images, runtimes, hosts, and infrastructure in cloud-native workload environment.

Dynamic application security testing involves run-time scanning and analysis of an application in search of vulnerabilities such as server configuration and authentication problems.

Interactive application security testing involves run-time scanning and analysis of an application using instrumentation that is embedded into the code.

Mobile application security testing involves the vulnerability assessment and penetration testing required to identify potential security issues in mobile apps.

Runtime application self-protection (RASP) is a security control embedded in an application runtime system designed to detect and prevent attacks in real time.

Software compositional analysis (SCA) is an automated software testing method that focuses on identifying open-source components in a code base.

Static application security testing (SAST) involves analysis of application source code to detect evidence of vulnerabilities such as poor programming practice or problematic code.

Biometrics involves the use of physical, human attributes such as facial features and fingerprints as authentication proof of a reported identity.

Mobile push is a common factor used in authentication where the application, service, or other resource being accessed sends a challenge to the user on their mobile.

Multifactor authentication involves the use of two or more proof factors to validate a reported identity. It is often synonymous with two-factor authentication (2FA), although some applications are beginning to require three proof factors.

Password management references automated tools that store, generate, update, and protect stored passwords for designated accounts.

Passwordless authentication involves any identity validation scheme that does not require the use of stored passwords, but that most often uses a strong cryptographic scheme that supports user authentication without the need for multiple layers of proof factors.

Single Sign-On (SSO) involves authentication of users to allow for persistent use of multiple services during a session without the need to reauthenticate.

Business Continuity/Disaster Recovery (BC/DR) refers to the processes and infrastructure required to maintain or restore normal business operations both during and after major disasters which usually (but not always) caused by natural or non-malicious causes.

Cloud backup refers to the tools and systems required to securely maintain backup storage of on-line data, images, and other resources in a publicly available cloud system.

Data center backup refers to the tools and systems required to securely maintain backup storage of on-line data, images, and other resources in a conventional or virtual data center.

Infrastructure and directory resilience refers to the processes, tools, and infrastructure required to maintain reliable operation of these services with high availability.

Ransomware prevention refers to the collective security, technical, procedural, legal, business, and organizational tools, techniques, and initiatives required to reduce the risk of ransomware attacks.

A cloud access security broken (CASB) is a premise or cloud-hosted system that serves as an intermediary between users and cloud service providers.

Cloud data encryption involves the use of cryptography to protect data stored in cloud service provider-hosted systems.

Cloud security compliance references the processes, tools, and systems required to assess, manage, maintain, and verify the degree to which a given cloud-based system meets regulatory, technical, policy, or business-oriented security compliance requirements.

Cloud visibility references the insights provided via collection, processing, and analysis of static and run-time information about the security posture and status of a cloud-based system.

Cloud workload protection involves the cybersecurity functions and procedures required to prevent, detect, or respond to cyber threats targeting applications, systems, software, and other workloads hosted by cloud service providers or in virtualized data centers.

Multi-cloud security refers to the challenge of addressing cyber threats in enterprise environments that utilize multiple, heterogeneous capabilities from different public cloud service providers.

Public cloud security refers to the commercial solutions available to reduce the risk of cyber threats to data, systems, and infrastructure offered by cloud service and SaaS providers.

Cloud Security Posture Management (CSPM) involves the tools, processes, and capabilities required to maintain accurate visibility into threat and vulnerability-related aspects of public cloud services, applications, and infrastructure.

Cloud data fragmentation involves the process of breaking up stored data into pieces, sometimes called shards, to improve resiliency and reduce insider threats from cloud administrators.

Data classification refers to the process of tagging known organization data based on its type, value, and sensitivity.

Data discovery refers to the process of identifying organizational data of value, resulting in unknown data being reclassified as known.

Data encryption is the process of using cryptographic algorithms and keys to obfuscate information to ensure confidentiality, integrity, and other desired security properties.

Data inventory management refers to the processes, tools, and infrastructure required to maintain an accurate record of all organizational data of value.

Data leakage protection (DLP), sometimes also referred to as data leakage prevention, refers to the processes, tools, and infrastructure required to enforce organizational data security policies based on user authorizations.

Database security refers to the methods employed to protect structured data stored in database programs and systems.

Digital rights management (DRM) involves the use of cryptography to protect the intellectual property rights of data or content owners.

Privacy platforms are designed to support organizational privacy goals through automated assessments, user interactions, and incident tracking.

Quantum cryptography is the science of using quantum mechanical properties for cryptographic algorithm, infrastructure, and protocol design.

Secrets management refers to the processes, tools, and infrastructure required to protect organizational credentials such as passwords, keys, and tokens.

Voice encryption is used over mobile, landline, and other media to protect the confidentiality of sensitive human conversations.

Data Access Control is a security function that involves policy-based mediation of who can access what data under which conditions.

Anti-phishing solutions are designed to reduce the risks associated with employees or citizens clicking on email links that can lead to malware infections or related cyber breaches.

The DMARC email authentication protocol combines the DomainKeys Identified Mail (DKIM) standard with the Sender Policy Framework (SPF) standard to protect domains from being used for business email compromise (BEC), phishing emails, and other threats that involve spoofed sender identity.

Email encryption involves the use of cryptography to improve the disclosure and integrity properties of email for enterprise.

A secure email gateway (SEG) implements security policy enforcement by monitoring and filtering email for unwanted Spam, malware attachments, or other fraudulent content.

Antivirus software is designed to prevent, detect, and remove malware from PCs, servers, and other devices.

Browser isolation is a security technique in which web browsing executes inside an isolated environment such as a sandbox container on the PC or a process running in the cloud.

Client-Side Security is an approach to web security in which the client, usually the browser, plays a central role in the protection of the local endpoint.

Content Disarm and Reconstruction (CDR) is a security file sanitization method that removes malware from files through a process of file flattening, active content removal, and file cleansing.

Endpoint Detection and Response (EDR) refers to commercial product and service offerings that extend deployed endpoint security tools to include continuous monitoring and proactive response to detected threats.

File integrity management (FIM) is a security verification method that measures the integrity of a given piece of software, often through comparison to a known baseline.

Internet of Things (IoT) security refers to the processes, tools, and infrastructure required to protect devices such as motion sensors, smart thermostats, cameras, smart light bulbs, and other connected gadgets from cyber threats.

Directory Service security refers to the processes, tools, and infrastructure required to prevent, detect, and respond to cyber threats targeting utilities such as Microsoft Active Directory.

Asset Management involves the tools, processes, and infrastructure required to manage, administer, and protect corporate assets usually based on an accurate and complete inventory.

Business application security refers to the processes, tools, and infrastructure required to prevent, detect, and respond to cyber threats targeting premise-based business applications or SaaS-based services such as SAP or Salesforce.

Database security involves the protection functions, often including encryption or masking, required to protect structured data from disclosure and integrity threats.

Enterprise Asset Inventory refers to the process, tools, and infrastructure required to discover, identify, catalogue, and manage the valued assets in an organization.

Operating system security refers to the processes, tools, and infrastructure required to prevent, detect, and respond to cyber threats targeting Windows, Linux, or cloud operating systems.

Physical security, in the context of cyber, involves the protection of facilities and equipment from targeted vandalism, theft, and other malicious activity.

Rules management is an administrative task that allows security tool operators, often involving firewalls, to optimize security policy rules that govern security.

Secure collaboration refers to the business process tools and activity that allow for people to securely work together, share information, and coordinate their functions.

Secure file sharing involves the tools and infrastructure that support the secure transfer, storage, and combined usage of documents, media, and other files between different individuals and groups.

Cloud forensics refers to the application of digital tools to recover and forensically investigate data and information stored in cloud-based systems.

Digital forensics is a specialized branch of forensic science that involves the recovery and analysis of data to support investigations of cyber-crimes and breaches.

The tools, systems, and infrastructure related to eDiscovery are designed to support the identification, collection, and storage of information related to lawsuits or other legal actions.

Law enforcement support references the use of digital forensics tools, systems, and infrastructure to assist law enforcers in their criminal investigations.

Mobile forensics refers to the application of digital tools to recover and forensically investigate data and information stored on mobile devices.

Automated compliance support references the use of tools and a technology platform to assist with security compliance tasks, initiatives, and programs.

Compliance and regulatory support involves the general professional service, managed service, or platform-based assistance to enterprise teams in the tasks required to meet the necessary security requirements.

Cyber Insurance is a financial product involving transfer of cyber risks from an enterprise to an insurance company.

Risk management services involve the use of quantitative calculations, often integrated into an automated tool, to assist an enterprise in performing cyber risk assessment, cyber risk simulations, and cyber risk-based decision making.

SaaS compliance services involves the use of software-as-a-service accessible over the Internet to support the compliance needs of an enterprise.

Security Metrics references the use of cyber risk measurements and an associated set of quantitative goals and benchmarks to optimize cybersecurity management in an enterprise.

Account Take-Over (ATO) Security refers to the techniques, tools, and processes required to reduce the threat of fraudsters illegally using bots to gain access to a targeted bank, eCommerce, or other on-line account to perform fraudulent transactions.

Anti-fraud analytics are designed to support prevention, detection, and analysis of improper transactions through use of combined automation and human-based measures.

eCommerce Fraud Protection involves the use of anti-fraud analytics and prevention, detection and response technology to reduce the risk of fraud in commercial transactions on the Internet.

Web Fraud Protection involves the use of anti-fraud analytics and prevention, detection and response technology to reduce the risk of fraud in commercial transactions on web applications.

Hardware security refers to the use of physical devices to improve the security of a system versus using software only. Firmware is the underlying instruction layer which guide how the hardware operates (e.g., BIOS).

Mainframe security involves the tools, processes, and infrastructure required to protect mainframe-resident data from unauthorized access.

Authorization involves the process of managing permissions to access resources based on security policies, roles, and privileges.

Cloud infrastructure entitlement management (CIEM) involves coordinated administration and protection of entitlements across multi-cloud environments.

Consumer identity and access management (CIAM) involves the tools, services, processes, and infrastructure required to securely capture and manage consumer identity information, and to control consumer access to applications, services, and data.

Identity governance and administration (IGA) refers to the orchestration, using through a centralized infrastructure, of all identity management, access control, and related IT security compliance requirements.

Identity services offer storage and management of digital identities, which might in turn be used by companies, service providers, and other organizations to control access to resources.

Privileged access management (PAM) refers to the control and protection of elevated privileges that provide access to the most sensitive and critical resources in an organization.

Attack surface protection involves the use of technology to reduce cyber threats to any visible entry or access points to an infrastructure.

Deception security involves the legal use of computing traps and lures to detect on-going attacks and to observe the tactics and techniques of an adversary.

Intrusion detection systems (IDS) involved active detection of attack indicators using signatures, behaviors, and models.

Intrusion prevention systems (IPS) involved active detection and mitigation (often with source IP address shunning) of attack indicators using signatures, behaviors, and models.

User behavioral analytics (UBA) refers to the use of technology to detect suspicious

Insider threat detection involves the tools, processes, and infrastructure required to minimize the threat that compromised or disgruntled insiders with privileged access can disclose or damage corporate resources.

Extended Detection and Response (XDR) refers to managed detection and response solutions that utilize a diverse set of data sources.

Managed detection and response (MDR) is an outsourced managed service involving active monitoring, intelligence, and response support based on collection and processing of relevant security data from customer networks.

Mobile app security involves cyber threat protection, detection, and response for public and private mobile apps.

Mobile device management (MDM) is a software tool used to support IT administrative control and protection of smartphones, tablets, and other endpoints.

Mobile device security refers to the tools, processes, and infrastructure required to protect smartphones, tablets, and Internet of Things (IoT) devices from cyber threats.

Mobility infrastructure security refers to the protection of all systems, networks, tools, and processes that support the provision of mobile services such as Wi-Fi, 4G/LTE, and 5G.

Cloud firewalls are software devices that enforce security policies to protect cloud-resident applications from attacks.

Domain name security (DNS) involves any type of tool, system, process, or coordinated procedures designed to reduce threats to DNS-related infrastructure.

Distributed denial of service (DDOS) attacks involve overwhelming a target, usually a website, with a flood of traffic, requests, or other activity designed to render that system unusable for authorized purposes.

Network access control (NAC) involves enforcement of security policies for devices and systems that are accessing or connecting to networks.

Network detection and response (NDR) is a commercial solution that involves monitoring of network traffic, analyzing collected data for evidence of threat, and taking response action with the customer.

Network monitoring involves collection and processing of network traffic for evidence of anomalies, indicators, or other attributes.

Next generation firewall (NGFW) devices enforce security policies between different networks based on a combination of packet-level data (5-tuple) and application-level information.

Secure Access Service Edge (SASE) is a model of next generation business networking where security and management are performed primarily in the cloud.

Secure Remote Access (SRA) involves the tools required to support secure connectivity for employees and other authorized entities to corporate resources from remote locations.

Software-Defined Wide Area Network (SD-WAN) is a modern virtualized WAN technology in which the control plane is centralized into the cloud and used to manage and secure the underlying data plane.

Virtual firewalls are security solutions designed for deployment to software environments, including cloud operating systems, where a hardware appliance cannot be used.

Virtual private network (VPN) refers to the systems and infrastructure required to support secure access for users to data center resources over the Internet.

Zero trust network access (ZTNA) is a service involving brokered logical access to resources based on identity rather than a perimeter-based method.

Microsegmentation is a security design and implementation strategy in which logical or physical controls are used to separate one asset from another so as to reduce the risk of cascading attacks via lateral traversal.

Industrial control system (ICS) visibility involves tools, systems, and infrastructure required to provide real-time, continuous data, information, and insights into operational technology systems in ICS environments.

Industrial control system (ICS) mitigation involves tools, systems, and infrastructure required to provide real-time, continuous policy enforcement for operational technology systems in ICS environments.

Supervisory Control and Data Acquisition (SCADA) security involves tools, systems, and infrastructure required to provide protection of supervisory management in operational technology (OT) environments.

Unidirectional gateways provide data diode functionality plus additional management capability to ensure that data cannot flow, including often in a physically provable manner (e.g., using lasers) from one network to another

Vehicle security is growing category of cybersecurity which deals with prevention, detection, and response to malicious threats to connected and autonomous cars and other moving vehicles.

Certification authority (CA) services are provided by trusted entities that issue digital certificates in support of cryptographic protocols such as transport layer security (TLS).

Cryptographic lifecycle security refers to the tools, processes, and infrastructure required to identify, manage, and maintain all cryptographic suites and protocols deployed across an enterprise.

Secure Sockets Layer (SSL), also known as Transport Layer Security (TLS), provides privacy, authentication, and data integrity for Internet sessions, and is supported by Certification Authorities (CAs).

Security Assessment is a process in which third-party experts review the relevant aspects of a security program, system, or other resource for the purpose of making recommendations for improvement.

Security Awareness and Training involves the learning resources and tasks required to help employees and other designated individuals and groups make good personal and group decisions about security.

Security coaching involves personalized guidance for cybersecurity executives from experienced professionals on leadership, management, and other skills.

Security industry research and advisory services involve professional analysts offering insights and guidance into commercial cyber security markets, trends, and vendors.

Security research and development (R&D) (also known as security research) involves the unconstrained exploration of new ideas, concepts, technologies, and systems by expert professionals empowered to be creative.

Security strategy refers to the enterprise protection decisions and plans that result from detailed exploration of the various options that exist for cyber security projects, programs, and infrastructure.

Value added resellers (VARs) provide vendor-related procurement services, often bundled with professional services and solution support.

Virtual CISO services involve outsourced enterprise security team management and leadership functions to a third-party team or consultant.

Government information assurance refers to cybersecurity solution offerings that are specifically designed for Federal Government customers.

Incident response support involves the processes, tools, and infrastructure to anticipate, identify, contain, and eliminate cyber incidents.

Log management refers to the processes, tools, and infrastructure to collect, manage, protect, and utilize audit records and log information collected from relevant systems.

A security information and event management (SIEM) is a set of tools and services that collect data through connectors to support visibility and analysis of an organization’s cybersecurity systems.

Security orchestration, automation, and response (SOAR) is a category of cybersecurity solution that combines threat and vulnerability management, security incident response, and security operations automation into a common platform.

SOC as a Service (SOCaaS) is a cloud-based service that offers security operations center (SOC) capabilities to customers.

SOC automation refers to processes, tools, and infrastructure required to replace manual SOC capabilities with automated capabilities.

SOC simulation range training involves specially designed incident scenarios to help SOC teams develop new skills and learn methods to cooperate on security incidents.

Threat hunting tools support security analysts proactive search for weaknesses that could be exploited by malicious adversaries.

Automated Penetration Testing involves use of a platform and set of tools to reduce the manual processes associated with ethical hacking, red team, and related security test activities.

Breach and Attack Simulation (BAS) platforms provide continuous validation of deployed controls through simulated tests on a target network.

Bug Bounty and Crowdsourced Security Testing programs are designed to leverage large groups of vetted ethical hackers to locate vulnerabilities that might be exploited by malicious actors.

Blue/Red/Purple Team engagements involves various combinations of offensive and defense actors working

Penetration Testing involves heuristic or brute force probing, scanning, and ethical hacking of target systems by vetted experts to identify vulnerabilities that might be exploited by malicious actors.

DevOps Security references the technology and process enhancements used to integrate cybersecurity into the modern software development lifecycle.

Infrastructure as Code (IaC) Security involves addressing cybersecurity risks during the management and provisioning of virtual systems through machine-readable files.

Software Process Maturity involves the degree to which a software development team is properly embedding and utilizing proper cybersecurity controls during the DevOps lifecycle.

Digital Risk Protection (DRP) involves the collection of threat intelligence from sources including the Dark Web, social media, and mobile apps to help enterprise teams, groups, and even individuals protect themselves from cyber threats or identify that a threat action has already occurred.

Patch management involves the processes, tools, and infrastructure required to maintain desired levels of security patching within an organization.

Security scanning is a general reference to any processes, tools, and infrastructure used to systematically review, collect, and derive data from targeted systems such as networks, inventory, and even data using an automated platform.

Security scoring involves the use of algorithms to use data collected about how an organization operates to calculate a numeric score that reflects their cyber risk posture.

Third-party security involves the processes, tools, and infrastructure required to minimize the risk of cyber threats from supply chain partners and vendors.

Threat intelligence consists of actionable cybersecurity insights gained from the collection of data from multiple applicable sources including on the Internet, Dark Web, and other forums.

Threat sharing support involves any procedures or platforms that assist in the cooperative sharing of threat-related information between coordinated partners to help reduce cyber risk.

Bot Management is a security function that involves differentiating automated attacks from normal human access and mitigating any bot-related tasks that violate policy or attempt to exploit some vulnerability.

Content Security involves the tools, processes, and infrastructure to protect content, which can range from music and entertainment to corporate records and documents, from unauthorized use, theft, or sharing.

A secure web gateway (SWG) enforces security policies for users with browsers and protects them from unwanted malicious or inappropriate content.

A web application firewall (WAF) enforces security policy and provides run-time protection for web applications from malicious attacks such as SQL injection and cross-site scripting exploits.

Web proxy servers enforce security policies and offer run-time protection for web servers or browsing clients through intelligent forwarding and filtering of web communications.

Website scanning involves the use of customized tools and platforms to systematically review the security aspects of a website or set of web applications.

Board Communications, in the context of cyber risk, refers to degree to which the security team, including the Chief Information Security Officer (CISO), effectively shares and coordinates with the Board and other senior leadership teams.

Budget management (i.e., budgeting), in the context of cyber risk, refers to the degree to which the enterprise security team takes steps to meet its budget and financial goals.

Business Alignment, in the context of cyber risk, refers to the degree to which business units, organizational leaders, employees, and other stakeholders accept and support the security objectives, programs, and initiatives established by the Chief Information Security Officer (CISO).

Certification and training, in the context of cyber risk, refers to the attainment of suitable external education and learning goals, including membership or validation from the right industry or sector groups.

Leadership Skills, in the context of cyber risk, refers to the approach taken to ensure that all business units, managers, employees, and other stakeholders understand the security goals and objectives of the organization.

Personal Productivity, in the context of cyber risk, refers to the methods used by managers, employees, and staff to ensure good success in planning, completing, and coordinating all work activities.

Policies and Strategy, in the context of cyber risk, refers to the process of determining goals, objectives, and implementation approaches for enterprise cybersecurity.

Recruiting, Hiring, and Retention, in the context of cyber risk, refers to the process of finding and keeping security team members and experts.

Team Management, in the context of cyber risk, refers to the techniques used to ensure successful project and program completion within time and financial goals.