Reference
Cybersecurity Glossary
Plain-language definitions of the terms that show up in real infrastructure investigations. Each entry includes how the concept is used in practice and where it intersects with the rest of the graph.
Attack Surface
An attack surface is the complete set of points — domains, subdomains, IP addresses, exposed services, third-party integrations — where an unauthorized actor could probe, interact with, or attempt to enter an organization's systems.
Autonomous System (ASN)
An Autonomous System is a network — or group of IP prefixes — operated by a single organization with one consistent routing policy. Each AS is identified by a unique Autonomous System Number (ASN) assigned by a Regional Internet Registry, and uses BGP to exchange routes with other ASNs.
BGP Hijacking
BGP hijacking is the unauthorized announcement of IP prefixes by an autonomous system that does not own them. Because BGP has no built-in authentication, peers may accept the false announcement and start routing traffic for the hijacked prefix to the wrong network — enabling interception, surveillance, or denial of service.
BGP Routing
Border Gateway Protocol (BGP) is the routing protocol that connects autonomous systems across the internet. It decides how traffic flows between organizations by exchanging announcements about which IP prefixes each network can reach. Every packet that crosses an organizational boundary is routed by BGP.
Bulletproof Hosting
Bulletproof hosting is hosting that is deliberately resistant to abuse complaints, takedown notices, and law-enforcement requests. Operators advertise tolerance for content that mainstream providers remove — phishing kits, malware C2, spam infrastructure, illegal content — usually by operating in jurisdictions with weak enforcement and aggressive customer protection.
C2 (Command and Control) Infrastructure
Command-and-control (C2) infrastructure is the network of servers, domains, and channels an attacker uses to control compromised systems after initial access. C2 is how malware on a victim's machine receives instructions, exfiltrates data, and is updated. Mapping C2 is mapping the attacker's nervous system.
Certificate Transparency
Certificate Transparency (CT) is a public-log system that records every TLS certificate issued by participating Certificate Authorities. Every modern browser refuses certificates that are not in CT, which means defenders, brand-protection teams, and attackers all have access to a near-complete public ledger of who has been issued certificates for which hostnames.
Co-hosted Domains
Co-hosted domains are hostnames that resolve to the same IP address — meaning they share a server. In bulk shared hosting this is benign and meaningless; in attacker infrastructure, co-hosting is one of the strongest signals available, because operators routinely group campaign assets on the same machine.
Cypher (Query Language)
Cypher is a declarative query language for graph databases. Originally developed at Neo4j and now standardized as openCypher (and ISO/IEC GQL), Cypher uses ASCII-art-like patterns — (a)-[:KNOWS]->(b) — to describe nodes, edges, and traversals. It reads like a sentence and maps directly to how analysts already think about graph problems.
DNS
The Domain Name System (DNS) is the address book of the internet. It translates human-readable hostnames like example.com into the IP addresses, mail servers, and other records computers actually use to communicate. Almost every internet transaction begins with a DNS lookup.
DNSSEC
DNSSEC (Domain Name System Security Extensions) is a set of DNS protocol extensions that add cryptographic signatures to DNS records. Validating resolvers can use those signatures to confirm that an answer came from the legitimate authoritative server and was not modified in transit.
Domain Generation Algorithm (DGA)
A Domain Generation Algorithm (DGA) is a piece of malware logic that algorithmically produces a steady stream of pseudo-random domain names — often hundreds or thousands per day — for use as command-and-control rendezvous points. The malware tries to resolve each one until it finds a domain the attacker has registered, defeating static blocklists.
Fast Flux DNS
Fast flux is a DNS technique that rapidly rotates the IP addresses associated with a hostname — sometimes every few minutes — across a large pool of compromised hosts. The hostname stays alive while the IPs underneath churn, which makes IP-based blocking ineffective and helps malicious infrastructure stay reachable.
Indicator of Compromise (IOC)
An Indicator of Compromise (IOC) is a forensic artifact — an IP address, domain, file hash, URL, registry key, or network signature — whose presence on a system or in network traffic suggests the system has been targeted, infected, or breached. IOCs are how defenders translate threat intelligence into things they can actually search for.
Infrastructure Intelligence
Infrastructure intelligence is the real-time collection, correlation, and analysis of internet infrastructure data — BGP routing, DNS, hosting, WHOIS, DNSSEC, certificate transparency — so security teams can detect, attribute, and respond to threats based on how attackers actually deploy their tools.
Knowledge Graph
A knowledge graph is a data structure that represents real-world entities as nodes and the relationships between them as edges. Both nodes and edges carry typed properties. The shape is purpose-built for the multi-hop questions analysts actually ask — "show me everything connected to X within N steps along these specific relationships."
Model Context Protocol (MCP)
Model Context Protocol (MCP) is an open standard introduced by Anthropic in late 2024 that lets AI assistants connect to external tools and data sources through a uniform interface. Instead of every model integrating every tool one by one, an MCP server exposes its capabilities and any MCP-aware client — Claude Desktop, Cursor, VS Code, custom agents — can use them.
Passive DNS (pDNS)
Passive DNS is the historical record of every DNS resolution observed in the wild — capturing every hostname-to-IP mapping over time without ever issuing a query of its own. Where active DNS gives you the answer right now, passive DNS gives you every answer the system ever returned, with timestamps, so you can replay the past.
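The Co-hosted Domains and Passive DNS entries above describe the same analyst move: take a hostname, pull its resolution history, and find what else sat on the same IPs at the same time. The following Python is an added example, not code from the original page or from any product it describes; the records are constructed sample data using reserved documentation addresses and the `.example` TLD, and the `max_tenants` threshold is an assumed heuristic for "this is bulk shared hosting, the pivot is meaningless".

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PdnsRecord:
    """One passive-DNS observation: hostname -> ip, with the window it was seen."""
    hostname: str
    ip: str
    first_seen: date
    last_seen: date


# Constructed sample observations (not real data). Documentation ranges only.
RECORDS = [
    PdnsRecord("login-verify.example", "203.0.113.5", date(2024, 3, 1), date(2024, 3, 20)),
    PdnsRecord("secure-update.example", "203.0.113.5", date(2024, 3, 5), date(2024, 3, 25)),
    # Same IP, but a year earlier: the windows never overlap, so it is not a pivot.
    PdnsRecord("cdn-assets.example", "203.0.113.5", date(2023, 1, 1), date(2023, 6, 1)),
    PdnsRecord("login-verify.example", "198.51.100.9", date(2024, 3, 21), date(2024, 4, 2)),
    PdnsRecord("invoice-portal.example", "198.51.100.9", date(2024, 3, 22), date(2024, 4, 2)),
    # A crowded shared-hosting IP: dozens of unrelated tenants, low signal.
    *[PdnsRecord(f"site{i}.example", "192.0.2.77", date(2024, 1, 1), date(2024, 4, 1))
      for i in range(1, 60)],
    PdnsRecord("login-verify.example", "192.0.2.77", date(2024, 1, 10), date(2024, 2, 1)),
]


def history(records, hostname):
    """Every IP the hostname ever resolved to, oldest first (the 'replay the past' view)."""
    return sorted((r for r in records if r.hostname == hostname), key=lambda r: r.first_seen)


def overlaps(a: PdnsRecord, b: PdnsRecord) -> bool:
    """True when the two observation windows share at least one day."""
    return a.first_seen <= b.last_seen and b.first_seen <= a.last_seen


def cohosted(records, hostname, max_tenants=25):
    """Hostnames that shared an IP with `hostname` while it was live on that IP.

    Returns {other_hostname: {ips shared}}. IPs hosting more than `max_tenants`
    distinct hostnames are skipped as bulk shared hosting (assumed threshold).
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r.ip].append(r)

    pivots = {}
    for mine in history(records, hostname):
        tenants = by_ip[mine.ip]
        if len({t.hostname for t in tenants}) > max_tenants:
            continue  # shared hosting: co-residency here proves nothing
        for t in tenants:
            if t.hostname != hostname and overlaps(mine, t):
                pivots.setdefault(t.hostname, set()).add(mine.ip)
    return pivots


if __name__ == "__main__":
    for r in history(RECORDS, "login-verify.example"):
        print(f"{r.ip:15} {r.first_seen} .. {r.last_seen}")
    print(cohosted(RECORDS, "login-verify.example"))
```

The time-overlap check matters: passive DNS keeps every mapping ever observed, so an IP reused years apart by unrelated tenants will match on address alone. Requiring the windows to intersect, and discarding IPs with too many tenants, is what turns "same IP" into a defensible pivot.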
Reverse DNS / PTR
Reverse DNS (rDNS) is the lookup that goes the other way: given an IP address, return the hostname assigned to it. The mapping is published as PTR records under the special .in-addr.arpa (IPv4) and .ip6.arpa (IPv6) zones, and is controlled by whoever owns the IP block — the network operator, not the domain owner.
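Because the PTR record is controlled by whoever owns the IP block, a reverse lookup on its own says only what the network operator chose to publish. The usual check is forward-confirmed reverse DNS: take each hostname the PTR names and verify that it resolves back to the original address. The Python below is an added example, not code from the original page; it builds the `.in-addr.arpa` and `.ip6.arpa` query names by hand and runs the confirmation against two constructed zone tables so it works offline (the `PTR_ZONE` and `FORWARD_ZONE` dictionaries stand in for real resolver answers).

```python
import ipaddress


def ptr_name(address: str) -> str:
    """Build the reverse-DNS query name for an IPv4 or IPv6 address.

    IPv4: octets reversed under .in-addr.arpa   (192.0.2.10 -> 10.2.0.192.in-addr.arpa)
    IPv6: all 32 hex nibbles reversed under .ip6.arpa
    """
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        return ".".join(reversed(str(ip).split("."))) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


# Constructed zone data (not real DNS). Documentation ranges only.
PTR_ZONE = {
    "10.2.0.192.in-addr.arpa": ["mail.example.com", "bank.example.org"],
    # The owner of 198.51.100.0/24 published a PTR that borrows someone else's hostname.
    "7.100.51.198.in-addr.arpa": ["mail.example.com"],
}
FORWARD_ZONE = {
    "mail.example.com": ["192.0.2.10"],
    "bank.example.org": ["198.51.100.50"],
}


def lookup_ptr(name: str):
    return PTR_ZONE.get(name, [])


def lookup_forward(hostname: str):
    return FORWARD_ZONE.get(hostname, [])


def forward_confirmed(address: str, ptr_lookup=lookup_ptr, forward_lookup=lookup_forward):
    """Return only the PTR hostnames that resolve back to `address` (FCrDNS)."""
    candidates = ptr_lookup(ptr_name(address))
    return [host for host in candidates if address in forward_lookup(host)]


if __name__ == "__main__":
    for addr in ("192.0.2.10", "198.51.100.7", "2001:db8::1"):
        print(addr, "->", ptr_name(addr), "confirmed:", forward_confirmed(addr))
```

In the constructed data, 192.0.2.10 carries two PTR names but only `mail.example.com` resolves back, so `bank.example.org` is dropped; 198.51.100.7 claims to be `mail.example.com`, which forwards elsewhere, so nothing is confirmed. That asymmetry is the point: the forward zone belongs to the domain owner, the reverse zone to the address-block owner, and only agreement between the two is worth trusting.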
Threat Hunting
Threat hunting is the proactive, hypothesis-driven search for adversaries inside an environment — under the assumption that prevention will fail and that automated detection has missed something. Hunters start with a hypothesis ("if X actor were here, we would see Y"), gather evidence, and either confirm an intrusion or sharpen detection for next time.
Threat Intelligence
Threat intelligence is information about cyber threats — the actors, campaigns, tools, and infrastructure behind attacks — that has been collected, analysed, and refined into context defenders can act on. The goal is not raw data; it is helping security teams make faster, better-informed decisions about what to block, what to investigate, and what to ignore.
Typosquatting
Typosquatting is the registration of domain names that imitate a legitimate brand — usually by exploiting common typos, character substitutions, or visually similar Unicode characters. The squatter relies on users mistyping a URL or failing to spot a swapped character, then collects the misdirected traffic for phishing, malvertising, or credential theft.
WHOIS
WHOIS is the public registration record for domain names and IP allocations. It tells you who registered a domain (or who an IP block is assigned to), through which registrar, when, and how to contact them. WHOIS has been the canonical answer to "who owns this" on the internet since the early 1980s.