# Glossary The glossary of terms below is intended to help you understand any aspects of the NetSPI Platform that may be unfamiliar. The terms included here are grouped by module: Pen Testing as a Service (PTaaS), Breach and Attack Simulation (BAS), and External Attack Surface Management (EASM). +++ PTaaS glossary ## PTaaS glossary This glossary section includes common terminology used with the Pen Testing as a Service (PTaaS) module. ### Asset A particular location that a vulnerability could be found, such as an IP address, a web server, or a source code file. ### Business unit A container for related data and projects. A business unit can represent a company, a department or business unit, or something as specific as an individual application or network. ### Checklist A list of items that must be followed throughout the course of a project. ### Correlation The association of findings belonging to a specific vulnerability to a NetSPI Platform primary finding. ### CPE Common Platform Enumerations For more information, see [https://nvd.nist.gov/products/cpe](https://nvd.nist.gov/products/cpe). ### CVE Common Vulnerabilities and Exposures. For more information, see [https://cve.mitre.org/](https://cve.mitre.org/). ### CVSS Common Vulnerability Scoring System. For more information, see [https://www.first.org/cvss/](https://www.first.org/cvss/). ### CWE Common Weakness Enumeration. For more information, see [https://cwe.mitre.org/](https://cwe.mitre.org/). ### Data source A container for data imported from a scanning or testing tool. ### Document A file related to a project, such as a report or scope information. ### Engagement A container for data and information related to penetration tests and vulnerability scans. This includes data sources, assets, checklists, documents, and workspaces. ### Exploit The act of taking advantage of a vulnerability. ### Instance A single occurrence of a detected vulnerability on a particular asset. ### Global Instance The first published instance in a set of duplicates. ### Duplicate Instance An instance that has already been discovered before, paired with a Global Instance. ### Finding tree An area in a NetSPI Platform workspace that contains an organized list of findings. ### Correlation reference A construct used by the NetSPI Platform to link a finding to a primary finding. ### Finding A container for instances belonging to a particular combination of asset and primary finding. ### Manual instance An instance created manually instead of automatically imported from scan data. ### Primary finding A generic vulnerability write-up that crosses all workspaces, projects, and organizations. A primary finding contains all of the relevant information about a vulnerability without being specific to any asset or environment. ### Primary finding variation A component of a primary finding that determines the information associated with a finding, such as the vulnerability description, business impact, instructions, and references. ### NIST National Institute of Standards and Technology. For more information, see [https://www.nist.gov/](https://www.nist.gov/). ### NVD National Vulnerability Database. For more information, see [https://nvd.nist.gov/](https://nvd.nist.gov/). ### OWASP Open Web Application Security Project. For more information, see [https://www.owasp.org](https://www.owasp.org). ### Questionnaire A list of questions used to identify key information about the project, such as what needs to be scanned or tested. ### Risk The potential loss or damage resulting from an vulnerability being exploited. ### Threat The intent to cause harm or damage to an asset. ### Validation A confirmation of a vulnerability fix. ### Variation See Primary finding variation. ### Verification Evidence that a vulnerability exists on an asset as described by a reported instance. ### Vulnerability A security flaw found on an asset. ### Workspace A data container to review, manage, and update findings. +++ BAS glossary ## BAS glossary This glossary section includes common terminology used with the Breach and Attack Simulation (BAS) module. ### **Detection Levels Definitions** **Full** : Logging, detection, or alerts were observed during the test. **None** : Logging, detection, or alerts were not observed during the test. **Partial** : Logging, detection, or alerts were only generated for a subset of the environment or unit test variations. **Untested** : The unit test has not been performed. --- ### **Visibility Levels Definitions** **Logged** : Logs are records of events. They often include network, application, database, and endpoint events. Without proper logging, detections and alerts cannot be created for incident response teams. **Detected** : Refers to any event that has been identified as anomalous or possible malicious behavior. However, some detections may not generate an alert or response. **Alerted** : Refers to any event that has been identified as malicious and requires triage from the incident response team based on criteria defined by the security operations runbooks. **Responded** : Refers to the ticket or email generated by an alert that triggers the incident response team to begin triaging the event. **Prevented** : To what degree did the controls prevent potentially malicious behaviors/events from occurring based on detections. --- ### **Miscellaneous A-Z definitions** **Accepted Risk** : A finding can be marked as an "Accepted Risk" and will no longer appear as a threat in need of remediation. **Agent** : NetSPI's Breach and Attack Simulation agent is a non-persistent piece of software that runs in-memory. It is used to run the plays and playbooks. **Alerted** : An alert refers to any event that has been identified as malicious and requires triage from the ​incident response team based on criteria defined by the security project's run books.​ **Default Project** : By default, a project called "All Procedures" is created. This project contains all current, as well as future, procedures. **Detected** : A detection refers to any event that has been identified as anomalous or possible ​malicious behavior. However, some detections may not generate an alert or response.​ **Heatmap** : The heatmap dashboard is designed to present the tactics, techniques, and procedures ​associated with your project in the context of a more traditional ​MITRE ATT&CK heatmap format.​ **Logged** : Logs are records of events. They often include network, application, database, and endpoint events. Without proper logging, detections and alerts cannot be created for incident response teams.​ **Malware** : Malicious software designed to disrupt, damage, or gain unauthorized access to a computer system or network. **Project** : Projects define the scope of plays, playbooks, and the agents they run on.​ They also define the scope of the detective control coverage tracking.​ **Play** : Automation for a specific manual procedure.​ **Playbook** : A collection of plays that can be executed in a predefined order to simulate threats.​ **Prevented** : To what degree did the controls prevent potentially malicious behaviors/events from ​occurring based on detections. **Procedure** : This refers to the sequence of actions performed to execute a technique. The procedure involves detailed descriptions of the procedure, manual attack instructions, detection and prevention recommendations, other educational content and references. **Responded** : This refers to the ticket or email generated by an alert that triggers the incident response team​ to begin triaging the event. **Tactic** : The threat actor's intended goal and reason for performing an action. **Technique** : The broad description of how a threat actor accomplishes their goal. **Threat Actor** : An individual or group that intentionally cause harm to digital devices or systems. **Timeline** : The timeline dashboard is designed to help you track your detective control coverage ​for a project over time. Here you can see where you have gotten better and worse.​ **Workspace** : The workspace is designed to provide insights into your current detective control coverage. ​It helps you learn about, test, measure, and track all the tactics, techniques, and procedures ​associated with your project.​ +++ EASM glossary ## EASM glossary This glossary section includes common terminology used with the External Attack Surface Management (EASM) module. +++