A
Advanced persistent threat (APT)
A highly capable, often nation-state-sponsored threat actor or group whose goal is to gain undetected, long-term access to a target network. APTs typically establish persistence, install backdoors, and quietly exfiltrate data rather than cause obvious damage. Groups are tracked under a range of naming conventions (e.g., APT28, Lazarus).
AI threat intelligence
The use of artificial intelligence (large language models, classifiers, and automated reasoning) to accelerate detection, triage, correlation, and analyst workflows inside cyber threat intelligence programs.
AlphaBay
A long-running darknet marketplace originally launched in 2014 and considered one of the most influential illicit markets ever. AlphaBay was seized in Operation Bayonet (July 2017) and relaunched in August 2021 by one of the original administrators. Common categories include drugs, fraud listings (cards, fullz), and how-to guides.
Anonymous
A decentralized hacktivist collective active since the late 2000s, known for high-profile DDoS, defacement, and data-leak operations against governments, agencies, and corporations. There is no formal membership —anyone aligning with the brand can claim it —which makes attribution difficult.
Artificial intelligence (AI)
The branch of computer science focused on building systems that perform tasks normally requiring human intelligence —perception, reasoning, learning, and decision-making over data.
Attack surface
The complete set of points at which a system, application, or network can be attacked. It includes known and unknown vulnerabilities, exposed services, weak configurations, and any other potential avenue for unauthorized access.
B
Bitcoin (BTC)
The first decentralized cryptocurrency (2009), secured by cryptography and a public blockchain. Despite the rise of privacy coins like Monero, Bitcoin remains the most widely accepted currency in cybercriminal commerce.
Botnet
A network of devices infected with malware and remotely controlled by an operator. Botnets power DDoS attacks, credential stuffing, spam delivery, and large-scale data harvesting.
Brand impersonation
Creating fake websites, social profiles, mobile apps, or domains that mimic a legitimate brand to defraud users, steal credentials, or damage reputation.
Business email compromise (BEC)
A category of email-driven fraud in which attackers impersonate executives, vendors, or partners to redirect payments or extract sensitive corporate information.
C
CISA
The U.S. Cybersecurity and Infrastructure Security Agency, the federal agency responsible for protecting U.S. critical infrastructure, coordinating cyber defense across government, and publishing widely used advisories and catalogs (e.g., the Known Exploited Vulnerabilities, or KEV, catalog).
Clop (Cl0p)
An extortion ransomware family active since 2019, operating under a Ransomware-as-a-Service model and rooted in the CryptoMix lineage. Clop is best known for mass exploitation of zero-days in managed file-transfer products (notably MOVEit in 2023), which compromised hundreds of organizations worldwide.
Compromised credentials
Login data (typically a username or email plus password, sometimes session tokens) obtained illicitly through phishing, infostealer malware, breaches, or credential stuffing. Compromised credentials are among the most common precursors to account takeover and intrusion.
Continuous threat exposure management (CTEM)
A program-level approach for continuously discovering, prioritizing, and validating exposures across the attack surface —combining asset discovery, vulnerability data, threat intelligence, and validation testing.
Corporate security
The combined strategies, controls, and operations an organization uses to protect people, facilities, intellectual property, and operations from internal and external threats.
Credential stuffing
Automated reuse of leaked username/password pairs against unrelated services, exploiting password reuse to take over accounts at scale.
Crypting
The practice of encrypting or obfuscating malicious code so it evades detection by security software and sandbox analysis.
CVE (Common Vulnerabilities and Exposures)
A standard identifier scheme (CVE-YYYY-NNNN, where the sequence number has four or more digits) used to catalog and reference publicly disclosed software and hardware vulnerabilities, so that vendors, scanners, and advisories can all point at the same defect.
CVSS
The Common Vulnerability Scoring System —a standardized framework for rating the severity of vulnerabilities, used by defenders to triage and prioritize remediation.
Cyber threat intelligence (CTI)
The data, context, and analysis used to detect, prioritize, and counter cyber threats. CTI focuses specifically on cyber risks; the broader term "threat intelligence" can also include physical and geopolitical threat streams.
Cyberattack
A deliberate, malicious act that compromises the confidentiality, integrity, or availability of systems, networks, or data —including exploitation, ransomware, DDoS, and data theft.
Cybersecurity
The practice of protecting systems, networks, and data from unauthorized access, breach, and attack —through people, processes, and technology.
D
Dark web
The portion of the internet reachable only through anonymity-preserving overlay networks such as Tor or I2P. Hosts forums, markets, leak sites, and other content that benefits from operator and visitor anonymity.
Darknet
An overlapping term with "dark web," typically used to describe the encrypted, access-controlled networks themselves rather than specific sites on them.
Data breach
An incident in which sensitive data is exposed, accessed, or stolen by an unauthorized party —through accident, negligence, or targeted attack.
Data leak
Unintentional disclosure of confidential data, often through misconfiguration, insider error, or careless handling. Distinguished from a breach by the absence of an external attacker, though the terms are used interchangeably in practice.
DDoS (Distributed Denial-of-Service)
An attack that floods a target system or network with traffic from many sources to exhaust resources and make it unavailable to legitimate users.
Deep web
Content not indexed by standard search engines —including login-protected pages, dynamic queries, intranets, and databases. Reachable with a normal browser if you have the URL and credentials.
DevSecOps
An approach that integrates security practices and tooling into every stage of the software development lifecycle, rather than bolting them on at the end.
Digital risk
The full range of negative outcomes —security incidents, brand damage, regulatory exposure, financial loss —that can arise from an organization's use of digital technology and online channels.
E
Eavesdropping
An attack in which a threat actor intercepts data in transit —for example, on an unencrypted Wi-Fi network —to capture credentials or sensitive content.
Ethereum (ETH)
A decentralized, programmable blockchain platform whose native currency (Ether) is widely used both legitimately and in cybercriminal commerce.
Executable
A binary file that the operating system can run directly. In a malware context, the executable is the component that performs the malicious behavior on the victim machine.
Executive protection
The combined physical and digital security disciplines aimed at safeguarding executives and other high-value individuals from threats —including cyber-enabled stalking, doxxing, and impersonation.
Exploit
A technique or piece of code that takes advantage of a vulnerability, typically to gain unauthorized access or execute attacker-controlled code.
External threat intelligence
Threat data and analysis sourced from outside an organization —open-source feeds, commercial intelligence vendors, ISACs, and underground monitoring —used to enrich internal telemetry.
F
Fetty
Slang used in some underground communities to refer to fentanyl.
Forum
An online discussion board where users exchange knowledge, tooling, and offers. Many deep- and dark-web forums focus on cybercrime, fraud, or extremist topics and rely on anonymity networks.
FUD
Either "fully undetectable" —referring to malware that current AV products fail to flag —or "fear, uncertainty, and doubt," referring to the sensationalization of threats in marketing or media.
Fullz
"Full packages" of an individual's personally identifiable information (name, DOB, SSN, address, account numbers, etc.) —sufficient to commit identity theft. Routinely sold on dark web markets.
H
Hacktivism
The use of cyber operations —defacements, DDoS, leaks —to advance a political, social, or ideological cause.
High-fidelity intelligence
Intelligence that is detailed, specific, and well-corroborated enough to drive confident action —as opposed to noisy or low-confidence indicators.
I
Impersonation
Posing as a legitimate user, service, or system to gain unauthorized access or trick a target into taking a damaging action.
Indicator of compromise (IOC)
A piece of forensic evidence —file hash, IP, domain, URL, mutex, channel handle —associated with malicious activity. IOCs feed detection rules and hunt queries.
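IOCs arrive defanged in reports and have to be matched against logs with care (a domain indicator should hit its subdomains but not look-alike names). The following is an added example, not code from the glossary's sources: it refangs a small indicator list, types each indicator, and scans log lines for hits. The feed, the log lines, the RFC 2606 .example names and the TEST-NET addresses are all constructed.

```python
"""Refang defanged indicators and match them against log lines. Added example,
not code from the glossary's sources; the IOC feed and log lines below are
constructed (RFC 2606 .example names, TEST-NET addresses, a known SHA-256).
"""
import re

# Common defanging conventions used in reports so that IOCs are not clickable.
DEFANG = [("hxxp", "http"), ("[.]", "."), ("(.)", "."), ("[:]", ":"),
          ("[://]", "://"), ("[@]", "@"), ("\\.", ".")]
HASH_RE = re.compile(r"^(?:[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64})$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
# Extractors applied to each log line.
HOST_FIND = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")
IPV4_FIND = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HEX_FIND = re.compile(r"\b(?:[0-9a-f]{64}|[0-9a-f]{40}|[0-9a-f]{32})\b")


def refang(ioc: str) -> str:
    """Turn 'hxxps://c2[.]example' back into 'https://c2.example', lowercased."""
    s = ioc.strip().lower()
    for bad, good in DEFANG:
        s = s.replace(bad, good)
    return s


def classify(ioc: str) -> str:
    if HASH_RE.match(ioc):
        return "hash"
    if IPV4_RE.match(ioc):
        return "ipv4"
    if "://" in ioc:
        return "url"
    return "domain"


def load_feed(text: str) -> dict[str, set[str]]:
    """Parse a newline-separated, possibly defanged IOC list into typed sets."""
    feed = {"hash": set(), "ipv4": set(), "url": set(), "domain": set()}
    for raw in text.splitlines():
        if not raw.strip() or raw.startswith("#"):
            continue
        ioc = refang(raw)
        feed[classify(ioc)].add(ioc)
    return feed


def match_line(line: str, feed: dict[str, set[str]]) -> list[tuple[str, str]]:
    """Return (type, indicator) pairs the line hits. Domain IOCs match the
    host itself and any subdomain, but not look-alikes such as notevil.example."""
    line = line.lower()
    hits = []
    for host in set(HOST_FIND.findall(line)):
        for dom in feed["domain"]:
            if host == dom or host.endswith("." + dom):
                hits.append(("domain", dom))
    for ip in set(IPV4_FIND.findall(line)):
        if ip in feed["ipv4"]:
            hits.append(("ipv4", ip))
    for hx in set(HEX_FIND.findall(line)):
        if hx in feed["hash"]:
            hits.append(("hash", hx))
    for url in feed["url"]:
        if url in line:
            hits.append(("url", url))
    return hits


def scan(log: str, feed: dict[str, set[str]]) -> dict[int, list[tuple[str, str]]]:
    """Map 1-based line numbers to their hits, omitting clean lines."""
    results = {}
    for n, line in enumerate(log.splitlines(), 1):
        hits = match_line(line, feed)
        if hits:
            results[n] = hits
    return results


# Constructed feed, defanged the way a vendor report would present it.
FEED = """\
# c2 infrastructure
hxxp://c2.malicious-cdn[.]example/gate[.]php
malicious-cdn[.]example
203[.]0[.]113[.]42
E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855
"""

# Constructed proxy / DNS / EDR lines; the fourth is a deliberate near-miss.
LOG = """\
2024-05-01T09:00:00Z proxy src=10.0.0.5 url=http://c2.malicious-cdn.example/gate.php status=200
2024-05-01T09:00:05Z dns src=10.0.0.7 query=updates.malicious-cdn.example answer=203.0.113.42
2024-05-01T09:01:00Z edr host=ws12 file=svc.exe sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
2024-05-01T09:02:00Z dns src=10.0.0.9 query=notmalicious-cdn.example answer=198.51.100.1
2024-05-01T09:03:00Z proxy src=10.0.0.5 url=https://www.example.org/ status=200
"""

if __name__ == "__main__":
    for n, hits in scan(LOG, load_feed(FEED)).items():
        print(n, hits)
```

Atomic IOCs of this kind age quickly; the MITRE ATT&CK entry below covers the behavioural layer (TTPs) that outlives any single hash or domain.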
Infostealer
A class of malware designed to harvest credentials, cookies, autofill data, crypto wallets, and machine fingerprints from infected devices. Output is packaged as a "stealer log" and sold or traded in underground markets.
Insider threat
The risk posed by people with legitimate access —employees, contractors, partners —who intentionally or accidentally misuse that access to harm the organization.
Intelligence
The discipline of collecting, analyzing, and delivering information that supports a decision-maker. The mission of any intelligence function is action —not data accumulation.
Internet of Things (IoT)
The network of everyday devices and machinery connected to the internet —sensors, cameras, industrial controls —which expand both efficiency and attack surface.
J
Joker's Stash
One of the largest illicit payment-card shops in history, operating from 2014 until its shutdown in early 2021. Known for high-validity card data not available elsewhere.
K
Kernel
The core of an operating system, mediating between applications and hardware. Code running in the kernel has the highest privilege on the machine, which is why kernel-level malware is so consequential.
Kill switch
Logic embedded in malware that halts execution when certain conditions are met —e.g., the host's locale matches a region the operator wants to avoid.
Killnet
A pro-Kremlin hacktivist collective active since early 2022, best known for DDoS campaigns against Western government and private-sector targets. It has also claimed data leaks, though its demonstrated capability is mostly volumetric.
L
Leak site
A public site —usually hosted on Tor —where a ransomware or extortion group publishes data exfiltrated from victims who refuse to pay. Used as both pressure and proof.
Litecoin (LTC)
A blockchain-based cryptocurrency launched in 2011, offering faster block times than Bitcoin.
Logs
An umbrella term for credential bundles —typically username/password pairs and associated session data. Often sourced from infostealer malware ("stealer logs"), data dumps, or breaches.
M
Malware
"Malicious software." Any code purpose-built to harm or exploit systems, networks, or users —including ransomware, spyware, infostealers, viruses, worms, and trojans.
Marketplace
An online venue facilitating the exchange of goods or services. In the underground, marketplaces host illicit listings —drugs, fraud kits, malware, access —and are routinely targeted by law enforcement.
MFA bypass
Any technique used to defeat multi-factor authentication, including session-cookie theft, OTP phishing, push-notification fatigue, and SIM-swap attacks.
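Two of the patterns named in this glossary, credential stuffing (one source trying many accounts) and push-notification fatigue (repeated denials followed by an approval), leave distinctive shapes in authentication logs. The following is an added example, not code from the glossary's sources: it parses a constructed, hypothetical log format (not any vendor's schema) and flags both patterns, serving the credential stuffing and MFA bypass entries together.

```python
"""Detection logic for credential stuffing and MFA push fatigue over auth logs.
Added example, not the glossary's own code; the log format is a constructed,
hypothetical one, the users are fictional and the addresses are TEST-NET.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) result=(?P<result>\S+)$"
)

# Constructed sample log: a stuffing run from 203.0.113.7 that lands one
# account, a normal user retrying her password, and a push-fatigue run
# against frank that ends in an approval.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z src=203.0.113.7 user=alice event=password result=fail
2024-05-01T10:00:02Z src=203.0.113.7 user=bob event=password result=fail
2024-05-01T10:00:02Z src=203.0.113.7 user=carol event=password result=fail
2024-05-01T10:00:03Z src=203.0.113.7 user=dave event=password result=fail
2024-05-01T10:00:03Z src=203.0.113.7 user=erin event=password result=success
2024-05-01T10:05:00Z src=198.51.100.9 user=alice event=password result=fail
2024-05-01T10:05:30Z src=198.51.100.9 user=alice event=password result=fail
2024-05-01T10:06:00Z src=198.51.100.9 user=alice event=password result=success
2024-05-01T11:00:00Z src=203.0.113.50 user=frank event=password result=success
2024-05-01T11:00:05Z src=203.0.113.50 user=frank event=mfa_push result=denied
2024-05-01T11:00:40Z src=203.0.113.50 user=frank event=mfa_push result=denied
2024-05-01T11:01:15Z src=203.0.113.50 user=frank event=mfa_push result=timeout
2024-05-01T11:01:50Z src=203.0.113.50 user=frank event=mfa_push result=approved
2024-05-01T12:00:00Z src=203.0.113.60 user=grace event=password result=success
2024-05-01T12:00:03Z src=203.0.113.60 user=grace event=mfa_push result=approved
"""


def parse(log: str) -> list[dict]:
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # tolerate lines outside the schema instead of aborting
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=4):
    """Flag sources that fail password auth for >= min_users distinct accounts
    inside `window`. The tell is breadth of usernames from one source, not
    depth per user (a real user retrying one account is the negative case)."""
    by_src = defaultdict(list)
    for e in events:
        if e["event"] == "password":
            by_src[e["src"]].append(e)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e for e in evs if e["result"] == "fail"]
        for i, start in enumerate(fails):
            users = {e["user"] for e in fails[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                # Successes from the same source are the accounts to reset now.
                hits = sorted({e["user"] for e in evs if e["result"] == "success"})
                flagged[src] = {"attempted": sorted(users), "succeeded": hits}
                break
    return flagged


def detect_mfa_fatigue(events, window=timedelta(minutes=10), min_rejections=3):
    """Flag users who deny or ignore >= min_rejections push prompts and then
    approve one inside `window`. The approval that ends the run is the event
    to page on; the denials alone only prove the password is already known."""
    by_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            by_user[e["user"]].append(e)
    flagged = {}
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, approval in enumerate(evs):
            if approval["result"] != "approved":
                continue
            prior = [e for e in evs[:i]
                     if e["result"] in ("denied", "timeout")
                     and approval["ts"] - e["ts"] <= window]
            if len(prior) >= min_rejections:
                flagged[user] = len(prior)
                break
    return flagged


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(detect_credential_stuffing(evs))
    print(detect_mfa_fatigue(evs))
```

Both thresholds are deliberately parameters: a consumer-facing login sees far more benign failures per source than an internal VPN, and number-matching or phishing-resistant MFA removes the push-fatigue pattern entirely, which is the real fix rather than the detection.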
MITRE ATT&CK
A globally adopted knowledge base that catalogs attacker tactics, techniques, and procedures (TTPs) under standardized identifiers. Used to map detections, attribute behavior, and structure red-team operations.
Monero (XMR)
A privacy-focused cryptocurrency that hides sender, receiver, and amount on-chain. Frequently preferred by underground actors for its untraceability.
N
Neuro-linguistic programming (NLP, social-engineering sense)
A discredited 1970s "self-improvement" framework occasionally referenced in fraud and conspiracy communities as a social-engineering or persuasion technique. Distinct from natural-language processing in machine learning.
O
Open-source intelligence (OSINT)
Intelligence derived from publicly available data —social media, news, blogs, paste sites, public databases, and many dark web sources —collected and analyzed in support of a defined requirement.
Operational security (OPSEC)
The discipline of protecting individual data items that could, when aggregated, reveal the identity, location, or methods of an actor or operation.
P
Pastebin (paste sites)
Plain-text hosting services such as Pastebin (founded 2002) where users anonymously share snippets. Commonly used by attackers to drop credential dumps, configs, or proof-of-leak content.
Patch Tuesday
The second Tuesday of each month, when Microsoft releases its scheduled security updates. Many other vendors have aligned their cadences, so the day frequently produces hundreds of CVE disclosures at once.
Phishing
A class of social-engineering attacks —typically delivered by email —that trick victims into providing credentials, opening malicious files, or visiting attacker-controlled sites.
Primary source collection (PSC)
Collecting data directly from original sources (forums, channels, marketplaces, leak sites) according to your own intelligence requirements —rather than relying solely on a vendor's pre-packaged feed.
R
Ransomware
Malware that encrypts a victim's files (or locks systems outright) and demands payment for restoration. Modern ransomware almost always also exfiltrates data and extorts on the threat of publication.
Ransomware-as-a-Service (RaaS)
A subscription / affiliate model in which a core operator provides the ransomware, infrastructure, and brand, and affiliates carry out the intrusion in exchange for a revenue share.
Remote access trojan (RAT)
Malware that gives an operator interactive remote control of an infected machine —file system, processes, screen, keyboard —as if they were sitting at the console.
Risk
The forecast and evaluation of business exposure to potential events, paired with the controls used to avoid or reduce their impact.
S
Scammer
An actor who defrauds others by offering goods, services, or payments they have no intention of fulfilling.
SIM swap
Transferring a victim's phone number to a SIM controlled by the attacker —typically by social-engineering carrier support or working with an insider —to intercept SMS-based MFA codes and take over accounts.
Smishing
Phishing delivered by SMS. Victims receive a text message that prompts them to click a malicious link or call a fraudulent number.
Social engineering
Manipulating people into granting access, taking damaging actions, or revealing information. Includes pretexting, baiting, MFA-fatigue prompts, and impersonation.
Spoofing
Falsifying the apparent source of data —email headers, IP addresses, caller ID, sender domains —to make malicious content appear trustworthy.
Stealer
A class of malware focused specifically on theft of credentials, tokens, files, wallets, and machine fingerprints. RedLine, Lumma, and Vidar are well-known modern examples.
T
Threat actor
Any individual, group, or entity with both the capability and the intent to harm systems, networks, or data —motivated by financial gain, ideology, geopolitics, or personal goals.
Threat intelligence
The data, context, and analysis used to detect, prioritize, and counter cyber and physical threats so that organizations can prevent or contain attacks.
Threat intelligence software
Tooling that collects, normalizes, enriches, and analyzes threat data —often combining a TIP (threat intelligence platform), an analyst workspace, and integrations into SIEM, SOAR, and EDR.
Tor (The Onion Router)
A global anonymity network that routes traffic through multiple encrypted relays, concealing the user's origin. Onion routing was developed at the U.S. Naval Research Laboratory in the mid-1990s; Tor itself was first released in the early 2000s and has been maintained by the nonprofit Tor Project since 2006. Tor onion services (.onion sites) underpin much of the dark web.
Typosquatting
Registering a misspelled or look-alike domain name to harvest mistyped traffic —used for phishing, ad fraud, brand impersonation, and malware delivery.
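Monitoring for typosquats and brand impersonation starts by enumerating the look-alikes of your own domain and comparing them with what shows up in certificate-transparency logs or passive DNS. The following is an added example, not code from the glossary's sources, serving both the brand impersonation and typosquatting entries: it generates omission, repetition, transposition, ASCII-homoglyph, hyphenation and affix variants across common TLDs, then triages a constructed list of observed domains against them, using edit distance to catch squats the generator did not enumerate. The brand domain example.com and the observed list are constructed.

```python
"""Look-alike domain generator and matcher for typosquatting / brand-
impersonation monitoring. Added example, not code from the glossary's
sources; the brand domain and the observed-domain list are constructed.
"""

# ASCII confusables that survive in an address bar. IDN homographs (e.g.
# Cyrillic letters rendered via punycode) are a separate class skipped here.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5",
              "m": "rn", "w": "vv"}
TLDS = ["com", "net", "org", "co", "io", "info"]
AFFIXES = ["-login", "-secure", "-support"]


def label_variants(label: str) -> set[str]:
    """Typosquat permutations of one registrable label (no TLD)."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                          # omission
        out.add(label[:i] + label[i] + label[i:])                   # repetition
        if i < n - 1:                                               # transposition
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])
        if label[i] in HOMOGLYPHS:                                  # homoglyph
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])
        if i > 0:                                                   # hyphenation
            out.add(label[:i] + "-" + label[i:])
    for affix in AFFIXES:                                           # affix squat
        out.add(label + affix)
    out.discard(label)
    return out


def candidates(domain: str) -> set[str]:
    """All generated look-alikes for `domain`, across common TLDs."""
    label, _, tld = domain.lower().rpartition(".")
    variants = label_variants(label) | {label}
    out = {f"{v}.{t}" for v in variants for t in TLDS + [tld]}
    out.discard(domain.lower())
    return out


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch squats the generator did not enumerate."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def triage(domain: str, observed, max_distance: int = 2) -> list[tuple[str, str]]:
    """Classify observed domains (e.g. from CT logs or passive DNS) against the
    brand: 'generated' if an enumerated squat, 'near-miss' if within
    `max_distance` edits of the brand label, otherwise ignored."""
    domain = domain.lower()
    brand_label = domain.rpartition(".")[0]
    cands = candidates(domain)
    hits = []
    for obs in observed:
        obs = obs.lower().rstrip(".")
        if obs == domain:
            continue
        if obs in cands:
            hits.append((obs, "generated"))
        elif levenshtein(obs.rpartition(".")[0], brand_label) <= max_distance:
            hits.append((obs, "near-miss"))
    return hits


# Constructed observed list standing in for a CT-log / passive-DNS feed.
OBSERVED = ["examp1e.com", "example-login.net", "exampel.co", "exarnple.com",
            "exampl3s.com", "wikipedia.org", "example.com"]

if __name__ == "__main__":
    for hit in triage("example.com", OBSERVED):
        print(hit)
```

The generated set is what you would feed to a registrar watchlist or a CT-log subscription; the edit-distance fallback is noisier and should be reviewed by a person before any takedown request.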
U
User agent
Software acting on behalf of a user —most commonly a browser. The user-agent string identifies browser, OS, and device characteristics to web servers.
User Datagram Protocol (UDP)
A connectionless transport protocol that sends datagrams without delivery guarantees. Lightweight and fast, but easily spoofed —frequently abused in DDoS amplification attacks.
V
Vishing
"Voice phishing" —fraudulent phone calls (or voicemails) in which scammers impersonate banks, tax authorities, or law enforcement to pressure victims into revealing credentials, payment data, or PII.
Vulnerability
A weakness in a system, component, or process that can be exploited to violate a security boundary —for example, by escalating privilege or accessing protected data.
Vulnerability intelligence
A specialized form of threat intelligence focused on the discovery, scoring, contextualization, and exploitation status of CVEs and other software defects.
Vulnerability management
The repeating program of discovering, prioritizing, and remediating vulnerabilities across an organization's assets —driven by risk context, not just raw CVSS scores.
W
Watering hole attack
An attack in which a threat actor compromises a website that the intended victims are likely to visit, then serves them malware or harvests their credentials when they do.
Web shell
A small script planted on a compromised web server that gives the attacker persistent remote command execution. Commonly written in PHP, ASPX, or JSP and used as a backdoor.
Worm
Self-propagating malware that infects new hosts on its own —typically by exploiting network-reachable vulnerabilities —and continues operating on hosts it has already infected.
Y
Yahoo Boys
A loose label for Nigerian fraud rings historically known for "419" advance-fee scams, now expanded to a wider range of romance, BEC, and crypto fraud schemes.
Yandex
A Russian internet services company best known for its search engine, popular across Russian-speaking regions, with adjacent products including payments, maps, and email.
Z
Zero day
A vulnerability that is exploited or disclosed before the vendor has a fix available (the vendor has had "zero days" to patch it). Zero-days are highly valuable to APTs and exploit brokers and can sell for six- and seven-figure sums in private markets.
Zero Trust
A security model that assumes no implicit trust based on network location. Every access request is authenticated, authorized, and continuously validated —typically combined with strong identity, device posture, and granular policy.

Definitions paraphrased and adapted from publicly available cybersecurity references including Flashpoint's Intelligence 101 glossary, CISA, MITRE ATT&CK, and the NVD. Additions and edits by the DarkWeb LLC research team.
