glossary · field definitions

Security terms, explained by the engineers who test for them.

If you are buying a pentest, evaluating a finding, or preparing for an audit, these are the terms worth understanding precisely. Definitions written by the people who run the engagements, not a marketing team.

01. definitions

Terms from the engagements.

Ordered by buyer relevance — the terms that come up in audits and scoping calls first, attack technique terms after.

compliance

Attestation letter

The signed document auditors attach to the penetration testing control. Names the engineer, states scope, methodology, and retest outcome. Most firms skip the named-engineer requirement; most auditors now ask for it.

deliverables

Penetration test report

The primary deliverable from a security engagement. Covers every finding, CVSS 4.0 severity, working PoC, and retest outcome. Three distinct audiences use it: engineering team, auditor, and security leadership.

PCI DSS

Cardholder data environment

Every system that stores, processes, or transmits cardholder data — and every system connected to them. PCI DSS Req 11.3 requires penetration testing of the full CDE boundary annually. Scope creep is the most common mistake.

AI security

Prompt injection

An attack where malicious instructions embedded in input cause an LLM to ignore its system prompt. Indirect injection — planted in documents, emails, and tool outputs the LLM reads — is the harder problem to defend.

red team

Purple team

Offensive and defensive teams working together to test detection coverage technique by technique. The red team executes an ATT&CK technique; the blue team watches whether the SIEM catches it. Gaps are closed during the exercise.

methodology

Threat modeling

A structured process for mapping what attackers want, how they could get it, and where defenses are thin — before the penetration test runs. The threat model drives pentest scope and makes the engagement more targeted.

deliverables

Proof of concept exploit

The working demonstration that a vulnerability is real and exploitable in your specific system — not a scanner guess. Proves the finding, quantifies the risk accurately, and gives engineering a test case for the fix.

How these are written

These definitions come from questions that come up repeatedly in scoping calls, audit prep meetings, and post-engagement debriefs. Not from a content calendar.

The goal is to give you the practitioner's version: what the term actually means in the context of buying a pentest, preparing for an audit, or triaging a finding. Wikipedia and NIST cover the regulatory definitions; we cover what you need to know to make a decision.

For deeper technical writing on attack patterns and field observations, see our articles and field notes.

Past the definitions and ready to scope?

30-minute scoping call covers your environment, your compliance deadline, and what the engagement should produce. Free. No NDA required for the first call.

Book a 30-min scoping call See pricing