# Glossary

This glossary section includes common terminology used with the Pen Testing as a Service (PTaaS) module.

A particular location that a vulnerability could be found, such as an IP address, a web server, or a source code file.

A container for related data and projects. A business unit can represent a company, a department or business unit, or something as specific as an individual application or network.

A list of items that must be followed throughout the course of a project.

The association of findings belonging to a specific vulnerability to a NetSPI Platform primary finding.

Common Platform Enumerations

For more information, see https://nvd.nist.gov/products/cpe.

Common Vulnerabilities and Exposures.

For more information, see https://cve.mitre.org/.

Common Vulnerability Scoring System.

For more information, see https://www.first.org/cvss/.

Common Weakness Enumeration.

For more information, see https://cwe.mitre.org/.

A container for data imported from a scanning or testing tool.

A file related to a project, such as a report or scope information.

A container for data and information related to penetration tests and vulnerability scans. This includes data sources, assets, checklists, documents, and workspaces.

The act of taking advantage of a vulnerability.

A single occurrence of a detected vulnerability on a particular asset.

The first published instance in a set of duplicates.

An instance that has already been discovered before, paired with a Global Instance.

An area in a NetSPI Platform workspace that contains an organized list of findings.

A construct used by the NetSPI Platform to link a finding to a primary finding.

A container for instances belonging to a particular combination of asset and primary finding.

An instance created manually instead of automatically imported from scan data.

A generic vulnerability write-up that crosses all workspaces, projects, and organizations. A primary finding contains all of the relevant information about a vulnerability without being specific to any asset or environment.

A component of a primary finding that determines the information associated with a finding, such as the vulnerability description, business impact, instructions, and references.

National Institute of Standards and Technology.

For more information, see https://www.nist.gov/.

National Vulnerability Database.

For more information, see https://nvd.nist.gov/.

Open Web Application Security Project.

For more information, see https://www.owasp.org.

A list of questions used to identify key information about the project, such as what needs to be scanned or tested.

The potential loss or damage resulting from an vulnerability being exploited.

The intent to cause harm or damage to an asset.

A confirmation of a vulnerability fix.

See Primary finding variation.

Evidence that a vulnerability exists on an asset as described by a reported instance.

A security flaw found on an asset.

A data container to review, manage, and update findings.

This glossary section includes common terminology used with the Breach and Attack Simulation (BAS) module.

Full

Logging, detection, or alerts were observed during the test.

None

Logging, detection, or alerts were not observed during the test.

Partial

Logging, detection, or alerts were only generated for a subset of the environment or unit test variations.

Untested

The unit test has not been performed.

Logged

Logs are records of events. They often include network, application, database, and endpoint events. Without proper logging, detections and alerts cannot be created for incident response teams.

Detected

Refers to any event that has been identified as anomalous or possible malicious behavior. However, some detections may not generate an alert or response.

Alerted

Refers to any event that has been identified as malicious and requires triage from the incident response team based on criteria defined by the security operations runbooks.

Responded

Refers to the ticket or email generated by an alert that triggers the incident response team to begin triaging the event.

Prevented

To what degree did the controls prevent potentially malicious behaviors/events from occurring based on detections.

Accepted Risk

A finding can be marked as an "Accepted Risk" and will no longer appear as a threat in need of remediation.

Agent

NetSPI's Breach and Attack Simulation agent is a non-persistent piece of software that runs in-memory. It is used to run the plays and playbooks.

Alerted

An alert refers to any event that has been identified as malicious and requires triage from the ​incident response team based on criteria defined by the security operations runbooks.​

Default Operation

By default, an operation called "All Procedures" is created. This operation contains all current, as well as future, procedures.

Detected

A detection refers to any event that has been identified as anomalous or possible ​malicious behavior. However, some detections may not generate an alert or response.​

Heatmap

The heatmap dashboard is designed to present the tactics, techniques, and procedures ​associated with your operation in the context of a more traditional ​MITRE ATT&CK heatmap format.​

Logged

Logs are records of events. They often include network, application, database, and endpoint events. Without proper logging, detections and alerts cannot be created for incident response teams.​

Malware

Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system or network.

Operation

Operations define the scope of plays, playbooks, and the agents they run on.​ They also define the scope of the detective control coverage tracking.​

Play

Automation for a specific manual procedure.​

Playbook

A collection of plays that can be executed in a predefined order to simulate threats.​

Prevented

To what degree did the controls prevent potentially malicious behaviors/events from ​occurring based on detections. ​

Procedure

This refers to the sequence of actions performed to execute a technique. The procedure involves detailed descriptions of the procedure, manual attack instructions, detection and prevention recommendations, other educational content and references.

Responded

This refers to the ticket or email generated by an alert that triggers the incident response team​ to begin triaging the event.

Tactic

The threat actor's intended goal and reason for performing an action.

Technique

The broad description of how a threat actor accomplishes their goal.

Threat Actor

An individual or group that intentionally cause harm to digital devices or systems.

Timeline

The timeline dashboard is designed to help you track your detective control coverage ​for an operation over time. Here you can see where you have gotten better and worse.​

Workspace

The workspace is designed to provide insights into your current detective control coverage. ​It helps you learn about, test, measure, and track all the tactics, techniques, and procedures ​associated with your operation.​

This glossary section includes common terminology used with the External Attack Surface Management (EASM) module.