Glossary

Plain-English security terms.

Every acronym you'll see on this site, explained the way we'd explain it to a curious 12-year-old. Bookmark this page and come back whenever a three-letter word appears uninvited.

RCE: Remote Code Execution
An attacker can run their own commands on your server, as if they had the keys to the front door. The most severe class of web bug — once an attacker has RCE, everything else is optional.
SSRF: Server-Side Request Forgery
Tricking your server into fetching things for the attacker, like sending your butler to the wrong address. In the cloud, SSRF often leads straight to stolen credentials, because the server can be pointed at the cloud provider's metadata service, which hands out the machine's own access keys.
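An added example (not code from this page or from the Celvex Sentry product): the check a server should run before fetching a URL a user handed it. The lookup table is a constructed stand-in for DNS with made-up hostnames, so the script runs offline; it shows that the question is not "is this http?" but "where does this name resolve to?", and that one internal answer (including the link-local metadata address 169.254.169.254) is enough to refuse. A real deployment must also connect to the exact address it checked, since a second lookup can return a different, internal answer.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. A real check resolves
# with socket.getaddrinfo() and must connect to the address it checked, not
# resolve again later (DNS rebinding).
FAKE_DNS = {
    "example.com": ["93.184.216.34"],
    "internal-wiki.corp": ["10.0.12.7"],               # RFC 1918 private range
    "metadata.google.internal": ["169.254.169.254"],   # cloud metadata endpoint
    "localhost": ["127.0.0.1", "::1"],
    "rebind.attacker.test": ["93.184.216.35", "169.254.169.254"],  # one public answer, one internal
}

ALLOWED_SCHEMES = {"http", "https"}


def is_public_ip(ip_text: str) -> bool:
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # is_global is False for loopback, RFC 1918, link-local (which covers
    # 169.254.169.254), shared address space and other reserved blocks.
    return ip.is_global and not ip.is_multicast


def check_fetch_target(url: str, resolver=FAKE_DNS.get):
    """Return (allowed, reason) for a URL the server has been asked to fetch."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        # Literal address in the URL (http://169.254.169.254/...): check it directly.
        addresses = [str(ipaddress.ip_address(host))]
    except ValueError:
        addresses = resolver(host) or []
        if not addresses:
            return False, f"{host} does not resolve"
    # Every answer must be public; a single internal address is enough to refuse.
    for address in addresses:
        if not is_public_ip(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"


if __name__ == "__main__":
    for url in ("https://example.com/report.pdf",
                "http://169.254.169.254/latest/meta-data/",
                "http://rebind.attacker.test/",
                "file:///etc/passwd"):
        print(url, "->", check_fetch_target(url))
```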
SQLi: SQL Injection
Sneaking extra instructions into a database question so the database coughs up data it shouldn't — credit cards, password hashes, private messages. Decades old, and still behind a steady stream of large data breaches.
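An added example (not code from this page or the Celvex Sentry product) of the bug and its fix side by side, using Python's built-in sqlite3 with a constructed in-memory database and placeholder password hashes. The vulnerable lookup pastes the user's text into the query, so a quote character ends the string and the rest runs as SQL: one payload turns the filter into "always true", another bolts on a UNION to read a table the query never mentioned. The safe lookup binds the value as a parameter and returns nothing for both payloads.

```python
import sqlite3

# Constructed sample data standing in for a real database. The password hashes
# are placeholder strings, not real hashes.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.execute("CREATE TABLE credentials (username TEXT, password_hash TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)",
                     [("alice", "alice@example.com"),
                      ("bob", "bob@example.com"),
                      ("carol", "carol@example.com")])
    conn.executemany("INSERT INTO credentials VALUES (?, ?)",
                     [("alice", "hash-placeholder-1"),
                      ("bob", "hash-placeholder-2"),
                      ("carol", "hash-placeholder-3")])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # The user's text is pasted straight into the SQL, so a quote character
    # closes the string and whatever follows is executed as part of the query.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, username: str) -> list:
    # A bound parameter travels separately from the query text; the database
    # treats it as a value, never as instructions.
    return conn.execute("SELECT username, email FROM users WHERE username = ?",
                        (username,)).fetchall()


# Two classic payloads: one makes the WHERE clause always true, the other
# appends a second SELECT that pulls rows from a different table. The trailing
# "--" comments out the quote the original query adds after the value.
ALWAYS_TRUE = "nobody' OR '1'='1"
UNION_DUMP = "nobody' UNION SELECT username, password_hash FROM credentials --"

if __name__ == "__main__":
    conn = build_db()
    print("vulnerable, normal input:", lookup_vulnerable(conn, "alice"))
    print("vulnerable, always-true: ", lookup_vulnerable(conn, ALWAYS_TRUE))
    print("vulnerable, union dump:  ", lookup_vulnerable(conn, UNION_DUMP))
    print("safe, always-true:       ", lookup_safe(conn, ALWAYS_TRUE))
    print("safe, union dump:        ", lookup_safe(conn, UNION_DUMP))
```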
XSS: Cross-Site Scripting
Planting hostile script in a trusted page so other visitors' browsers run it without realizing. Often used to hijack logged-in sessions or steal form inputs.
CVE: Common Vulnerabilities and Exposures
A public ID number given to a known software flaw so everyone talks about the same bug. Example: CVE-2024-6387 is the 2024 OpenSSH flaw known as regreSSHion.
CVSS: Common Vulnerability Scoring System
A 0-to-10 score rating how bad a security flaw could be. 10 means drop everything; 4 means schedule it. The score measures potential impact, not whether anyone is actually exploiting the bug, so pair it with the KEV list when deciding what to fix first. We report CVSS on every finding.
CISA KEV: Known Exploited Vulnerabilities
The US government's list of bugs attackers are actively using right now. If a bug is on KEV, the attack is already happening — fix it first.
SAST: Static Application Security Testing
Reading the source code to find bugs before the software ever runs. Good at breadth, bad at context — which is why SAST tools have infamously high false-positive rates.
DAST: Dynamic Application Security Testing
Poking the running app from the outside to see what breaks, like a burglar rattling doorknobs. DAST is what Celvex Sentry does, but with attack-path chaining added on top.
WAF: Web Application Firewall
A bouncer sitting in front of your website, blocking obviously bad requests. Good against noise, bypassable by any motivated attacker — don't confuse a WAF with a fix.
SIEM: Security Information and Event Management
A giant security logbook that collects events from every system and flags suspicious patterns. Useful after an attack to know what happened; our Attack-and-Detect Pairing tests check whether your SIEM would actually catch it.
EDR: Endpoint Detection and Response
Guard software on each laptop or server that spots attackers and cuts them off. Complementary to what we do — EDR watches the endpoints; we watch the attack surface they sit on.
MITRE ATT&CK: Adversarial Tactics, Techniques & Common Knowledge
A free, public catalogue of the tactics and techniques real attackers have been observed using, so defenders know what to look for. Our tests map cleanly to ATT&CK so you can report coverage in a language your board already speaks.
SOC 2: System and Organization Controls 2
An independent audit report showing you handle customer data safely — most B2B buyers ask for it before they sign. Our Compliance Assurance tests map findings directly to SOC 2 common criteria.
PCI-DSS: Payment Card Industry Data Security Standard
The rulebook for anyone who touches credit card numbers. Break it and you lose the ability to take cards — which, for most businesses, means losing the business.
HIPAA: Health Insurance Portability and Accountability Act
US law forcing strict protection of medical records and patient data. Penalties reach seven figures per incident.
ISO 27001: ISO/IEC 27001, Information Security Management Systems
A globally recognized security certification that tells buyers you've got your house in order. Often a gate for international enterprise deals.
SPF: Sender Policy Framework
A public DNS record listing which servers are allowed to send email for your domain. Receivers check it against the message's bounce address (the envelope sender), not the From: line a reader sees, so on its own SPF does not stop lookalike mail; it needs DMARC to enforce that the two match.
DKIM: DomainKeys Identified Mail
A cryptographic signature on outgoing email that proves it came from your mail system and wasn't altered in transit. Since 2024, Gmail and Yahoo require bulk senders to sign with DKIM, and unsigned mail is far more likely to land in spam.
DMARC: Domain-based Message Authentication, Reporting & Conformance
The policy telling the internet what to do with mail that claims to be from your domain but fails the SPF and DKIM checks: monitor only (p=none), quarantine, or reject outright. It also tells receivers where to send reports of who is sending as you, which is how you find forgotten mail services before you switch to reject.
TLS: Transport Layer Security
The padlock that encrypts data between a visitor's browser and your site so eavesdroppers see gibberish, and that confirms the site really is who it claims to be. The lock icon in the address bar is TLS at work.
SSH: Secure Shell
A locked-down remote control for logging into servers over the internet without being spied on. An SSH key leak is typically game over for the server it unlocks.
IAM: Identity and Access Management
The system that decides who's allowed into which rooms of your digital building. Over-permissive IAM is how a small foothold in a cloud account typically grows into full control.
CNAME: Canonical Name (DNS record)
An internet nickname pointing one web address at another. Mishandled — e.g., a subdomain still pointing at a cloud service you stopped paying for — it hands your subdomain to whoever claims that service next, an attack known as subdomain takeover.
CDN: Content Delivery Network
A worldwide mirror system that serves your site from the closest city to each visitor. Cloudflare, Fastly and Akamai are the big ones.
SBOM: Software Bill of Materials
An ingredient label for your software listing every third-party part inside it. The US government requires its federal software suppliers to be able to provide one, and enterprise buyers increasingly ask for it too.
API: Application Programming Interface
The doorways your software opens so other programs can talk to it — often the softest target in a modern stack, because APIs are usually less scrutinized than the web pages in front of them.
PoC: Proof of Concept
A working demo of an attack, proving the flaw is real and not theoretical. Every Celvex Sentry finding ships with one — if we can't reproduce it, we don't report it.

Ready to see these terms in the wild?

Run a Free Exposure Check on your own domain. Every finding comes back translated into plain English, not security jargon.

Run a free scan