Cybersecurity, AI & Cloud Glossary
This glossary defines terms HashiraX uses across penetration testing, DevSecOps, AI engineering, and cloud deployment. Each definition links to the canonical source where one exists.
Security
- OWASP
- The Open Worldwide Application Security Project — a non-profit publishing widely-adopted security standards, including the OWASP Top 10 and OWASP ASVS.
- OWASP Top 10
- Ranked list of the ten most critical web application security risks, updated every 3-4 years by the OWASP Foundation. Current edition: 2021. View list.
- OWASP ASVS
- Application Security Verification Standard — a checklist of security controls organized into three levels (1-3) used to verify the security posture of web applications. Reference.
- PTES
- Penetration Testing Execution Standard — a methodology defining the seven phases of a penetration test from pre-engagement to reporting. Reference.
- CVSS
- Common Vulnerability Scoring System — an industry-standard numeric scale (0.0-10.0) for measuring the severity of security vulnerabilities. Current version: 3.1. Reference.
- CVE
- Common Vulnerabilities and Exposures — a public list of disclosed security vulnerabilities, each assigned a unique CVE-YYYY-NNNN identifier. Reference.
- ISO 27001
- International standard for Information Security Management Systems (ISMS), specifying requirements for establishing, implementing, maintaining and continually improving information security. Reference.
- NIST Cybersecurity Framework
- Voluntary risk-based framework published by the U.S. National Institute of Standards and Technology with five functions: Identify, Protect, Detect, Respond, Recover. Reference.
- SAST
- Static Application Security Testing — analysis of source code, bytecode, or binaries for security vulnerabilities without executing the application. Runs early in the CI pipeline.
- DAST
- Dynamic Application Security Testing — runtime testing that probes a deployed application for security weaknesses by sending crafted requests and observing responses.
- DevSecOps
- Practice of integrating security checks (SAST, DAST, dependency scanning, IaC scanning) directly into the DevOps CI/CD pipeline rather than treating security as a separate gate.
- Zero Trust
- Security model in which no user or device is trusted by default, even inside the network perimeter. Every request must be authenticated, authorized, and continuously validated.
- Content Security Policy (CSP)
- HTTP response header that restricts which resources (scripts, styles, images) a browser may load for a page — a primary defense against Cross-Site Scripting (XSS).
- HSTS
- HTTP Strict Transport Security — a response header that tells browsers to always use HTTPS for the domain, preventing protocol-downgrade attacks.
- Web Application Firewall (WAF)
- Reverse-proxy filter that inspects incoming HTTP traffic and blocks common attack patterns (SQL injection, XSS, RCE) before they reach the application.
AI & LLMs
- RAG
- Retrieval-Augmented Generation — an LLM application architecture where relevant document chunks from a vector database are fetched at query time and provided as context to the model, reducing hallucination.
- LLM
- Large Language Model — a neural network trained on a large text corpus capable of generating, summarizing, and reasoning about natural language. Examples: GPT-4, Claude, Gemini, Llama.
- Prompt Injection
- Class of LLM vulnerabilities where adversarial input embedded in user prompts or retrieved documents causes the model to deviate from intended behavior.
- Vector Database
- Database optimized for storing and querying high-dimensional embedding vectors via approximate nearest-neighbor search. Examples: Pinecone, Weaviate, pgvector, Qdrant.
Web & Cloud
- Core Web Vitals
- Google's three user-experience metrics for ranking: Largest Contentful Paint (LCP), Interaction to Next Paint (INP), and Cumulative Layout Shift (CLS).
- Generative Engine Optimization (GEO)
- Practice of optimizing content and structured data so it gets cited by AI search engines like ChatGPT, Claude, Perplexity, Google AI Overviews and Bing Copilot — the LLM-era equivalent of traditional SEO.
- llms.txt
- Proposed plain-text file at site root that gives LLM agents a curated overview of the site, its services, and key pages — analogous to robots.txt but written for AI consumption. Reference.
- Schema Markup
- Structured data added to HTML pages using the schema.org vocabulary (usually as JSON-LD) so search engines and LLMs can interpret page content with high confidence. Reference.
- CDN
- Content Delivery Network — geographically distributed servers that cache and serve content close to end users. Cloudflare, Fastly, Akamai, and CloudFront are common providers.
- Infrastructure-as-Code (IaC)
- Practice of declaring cloud infrastructure (servers, networks, databases) in version-controlled configuration files (Terraform, Pulumi, CloudFormation) rather than clicking through dashboards.