Learn the vocabulary
Plain-English definitions of the cybersecurity terms enterprise buyers encounter most often. Written by certified Infilux practitioners (OSCP, CISSP, CISA, ISO 27001 LA). Each entry gives a 40-80-word direct answer, plus deeper context, key points, and frequently asked questions.
What is VAPT?
VAPT — Vulnerability Assessment and Penetration Testing — is a two-phase security exercise that first scans an asset for known weaknesses (the VA phase) and then attempts to exploit them under controlled conditions to confirm real-world impact (the PT phase). It produces a prioritized risk report with proof-of-concept evidence, severity scoring (CVSS), and remediation guidance. Used by banks, fintechs, SaaS, and healthcare to meet ISO 27001, SOC 2, RBI, and PCI-DSS testing requirements.
What is EASM?
External Attack Surface Management (EASM) is a continuous, attacker's-eye-view inventory of every internet-facing asset that belongs to your organisation — subdomains, exposed services, open ports, third-party dependencies, leaked credentials, lookalike domains, expired SSL certificates, and forgotten cloud assets. Unlike traditional vulnerability scanning, EASM operates from the public internet without any internal access, surfacing shadow IT and supply-chain exposures that internal tools miss.
What is Red Teaming?
Red Teaming is an objective-based adversary simulation that tests how well your detection-and-response capability holds up against a realistic, multi-month attack — not whether a single vulnerability exists. Red teams operate against agreed objectives (exfiltrate payroll, compromise the CFO's mailbox, plant code in production), using MITRE ATT&CK techniques across initial access, privilege escalation, lateral movement, and persistence. The deliverable is a story about how your blue team performed, not a list of CVEs.
What is SOC as a Service?
SOC as a Service is outsourced 24×7 threat detection, triage, and incident response, delivered by a managed security service provider. The MSSP runs the SIEM, tunes the detection rules, monitors alerts around the clock, escalates confirmed incidents on agreed SLAs (Infilux's is 15 minutes for critical), and provides monthly reporting. It is the fastest path to mature SOC capability for organisations that lack the headcount or 24×7 coverage to build one internally.
What is Dark Web Monitoring?
Dark Web Monitoring is the continuous surveillance of criminal forums, paste sites, ransomware leak blogs, Telegram channels, and underground marketplaces for any mention of your organisation — leaked employee credentials, stolen customer data, source-code dumps, brand impersonation, or imminent attack chatter. When a match is found, the monitoring platform issues a real-time alert so you can rotate credentials, prepare a regulatory notification, or initiate incident response before the data is weaponised.
What is GRC Compliance?
GRC stands for Governance, Risk and Compliance — the operational discipline of running security and privacy as a managed programme. Governance defines who decides what (RACI, board reporting, policy authority). Risk identifies, measures, and treats threats to the business (risk register, controls, residual risk). Compliance demonstrates that controls work and meet external requirements (ISO 27001, SOC 2, DPDP, GDPR, HIPAA, RBI CSF, DORA). A GRC platform automates evidence collection, control testing, and audit reporting across all three.
What is ISO 27001?
ISO/IEC 27001:2022 is the international standard for an Information Security Management System (ISMS). It defines how an organisation systematically identifies information assets, assesses threats, selects controls (Annex A lists 93 of them across 4 themes), implements them, and continuously improves. Certification — issued by an accredited body after a third-party audit — is a globally recognised proof of security maturity, required by most enterprise customers and many regulators worldwide.
What is SOC 2?
SOC 2 (System and Organisation Controls, Type 2) is an AICPA-defined audit report on a service organisation's controls, measured against the five Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. A licensed CPA firm performs the audit and issues the report. SOC 2 is the de facto requirement for B2B SaaS vendors selling into US enterprises; it provides reasonable assurance to your buyers that you operate the controls you claim to.
What is Zero Trust?
Zero Trust is a security model that treats every user, device, and service as untrusted by default — regardless of whether they sit inside or outside the corporate network. Every access request is independently authenticated, authorised, and policy-evaluated based on identity, device posture, location, and context. The phrase 'never trust, always verify' captures the model. It replaces the legacy castle-and-moat perimeter with continuous verification at every resource.
What is MITRE ATT&CK?
MITRE ATT&CK is an open knowledge base of adversary tactics, techniques, and procedures (TTPs) observed in real-world attacks, organised across 14 tactical categories (initial access, execution, persistence, privilege escalation, defence evasion, credential access, discovery, lateral movement, collection, command-and-control, exfiltration, impact, etc.). Security teams use it to measure detection coverage, structure red-team objectives, and standardise threat intelligence reporting. It is the de facto common language for offensive security worldwide.
