Cybersecurity Glossary
Plain-English definitions for the terms we use.
VAPT, OWASP, MITRE ATT&CK, OSCP, SOC 2, ISO 27001, CERT-In, DPDPA, CREST, IRAP, Essential Eight — what each term means and where it shows up in a Certbar engagement.
- VAPT (Methodology)
- VAPT (Vulnerability Assessment & Penetration Testing) is the term Indian regulators and security teams use to describe a security audit that combines automated scanning with hands-on exploitation by certified offensive engineers. Vulnerability Assessment finds known weaknesses at scale; Penetration Testing proves which ones an attacker would actually weaponise. Outside India the same engagement is usually called "penetration testing" or "pen test."
- Penetration Testing (Methodology)
- Penetration testing is the controlled, simulated attack of a real adversary against your applications, cloud, network, identity, and people — performed by certified offensive engineers to find exploitable weaknesses before someone with worse intent does. Every Certbar pentest engagement ends with two artefacts: a board-ready brief in business language and a technical report mapped to OWASP, MITRE ATT&CK, and the compliance framework you report against.
- Red Team Assessment (Methodology)
- A Red Team Assessment is a goal-oriented, multi-vector simulation of how a real threat actor would attempt to achieve a specific objective (steal data, deploy ransomware, exfiltrate credentials) across phishing, physical access, network, application, and identity vectors. Unlike a scoped pentest, a red team tests the entire detect-and-respond capability — including the security operations centre — and is mapped to MITRE ATT&CK techniques.
- OWASP Top 10 (Framework)
- The OWASP Top 10 is a standard awareness document for developers and web application security, published by the Open Worldwide Application Security Project (OWASP). It represents broad consensus about the most critical security risks to web applications. Every Certbar web application pentest tests for every Top 10 category and maps findings back to the corresponding entry.
- MITRE ATT&CK (Framework)
- MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Every Certbar finding is tagged with its corresponding ATT&CK technique ID so a defender's detection engineering team can build coverage directly from the report.
- OSCP (Certification)
- OSCP (Offensive Security Certified Professional) is a hands-on penetration testing certification issued by Offensive Security (now OffSec). It is widely regarded as the most credible entry-level practical certification because the exam requires the candidate to compromise multiple machines in a 24-hour lab and submit a professional report. Certbar's pentest team is OSCP-led: every engagement has at least one OSCP-certified engineer.
- CERT-In (Regulatory)
- CERT-In (Indian Computer Emergency Response Team) is the national agency for responding to computer security incidents, operating under India's Ministry of Electronics and Information Technology. CERT-In maintains a list of "empanelled" Information Security Auditors whose reports are accepted by Indian regulators (RBI, SEBI, IRDAI, NPCI). Certbar is CERT-In Empanelled.
- DPDPA 2023 (Regulatory)
- The Digital Personal Data Protection Act, 2023 (DPDPA) is India's comprehensive data protection law, enacted in August 2023. It governs the processing of digital personal data, defines obligations of Data Fiduciaries, and grants rights to Data Principals. It carries significant penalties for non-compliance. Operational obligations include security safeguards, breach notification, consent management, and DPIA for significant data fiduciaries.
- ISO/IEC 27001:2022 (Standard)
- ISO/IEC 27001:2022 is the international standard that specifies requirements for establishing, implementing, maintaining, and continually improving an Information Security Management System (ISMS). The 2022 revision introduced Annex A.8.29 specifically covering security testing in operational environments; pentest reports are typical evidence. Certbar is ISO 27001:2022 certified.
- SOC 2 (Standard)
- SOC 2 is an attestation report defined by the American Institute of Certified Public Accountants (AICPA) that evaluates a service organisation's controls against the Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity, Privacy). Pen-test evidence maps to Common Criteria CC7.1 (Detection & Monitoring) and CC8.1 (Change Management). Type I is point-in-time; Type II observes operating effectiveness over 9-12 months.
- PCI DSS 4.0 (Standard)
- PCI DSS (Payment Card Industry Data Security Standard) 4.0 is the security standard for organisations that handle branded credit cards. Requirement 11.4.x mandates internal and external penetration testing, including segmentation testing where applicable. Certbar produces QSA-ready evidence packs covering 11.4.1 through 11.4.7.
- HIPAA (Regulatory)
- HIPAA (Health Insurance Portability and Accountability Act) is US legislation governing the protection of Protected Health Information (PHI). The Security Rule (45 CFR Part 164 Subpart C) §164.308(a)(8) requires periodic technical evaluation; pentest reports are the most common evidence. HIPAA-aware pentests include a PHI-handling narrative.
- GDPR (Regulatory)
- GDPR (General Data Protection Regulation) is the EU regulation on data protection and privacy, also adopted by the UK as UK GDPR post-Brexit. Article 32 (Security of Processing) requires appropriate technical and organisational measures; pentest evidence supports this. Certbar GDPR-aware reports include personal-data exposure findings and DPIA-supporting evidence.
- CREST (Certification)
- CREST is an international not-for-profit accreditation and certification body that represents the technical information security industry. CREST firm membership is a key trust signal for UK enterprises, Australian government supply chains, and increasingly Canadian financial institutions. Certbar's methodology is CREST-aligned; firm membership is targeted for 2026.
- Essential Eight (Framework)
- The Essential Eight is a set of eight mitigation strategies recommended by the Australian Signals Directorate (ASD): Application Control, Patch Applications, Configure MS Office Macros, User Application Hardening, Restrict Administrative Privileges, Patch Operating Systems, Multi-Factor Authentication, and Daily Backups. Maturity is assessed at four levels (0-3). Certbar pentests for Australian clients include Essential Eight maturity evidence.
- IRAP (Regulatory)
- IRAP (Information Security Registered Assessors Program) is administered by the Australian Signals Directorate and assesses cybersecurity controls against the Information Security Manual (ISM) for federal and state government supply chains. Certbar produces IRAP-format pentest reports suitable for IRAP-assessor evidence packs.
- PTaaS (Service Model)
- PTaaS (Penetration Testing as a Service) is a delivery model that combines manual pentesting with a SaaS platform for live findings, ticket-system integrations (Jira/Slack/ServiceNow), automated retest scheduling, and credit-based pricing. Compared to traditional one-off engagements, PTaaS shortens time-to-first-finding from weeks to days. Certbar offers PTaaS for clients with continuous testing needs.
- ASM (Service Model)
- ASM (Attack Surface Management) is the continuous discovery, inventory, classification, and prioritisation of an organisation's external internet-facing assets, including shadow IT, abandoned subdomains, leaked credentials, exposed services, and certificate misconfigurations. The goal is to reduce the attack surface before an attacker discovers it.
- MDR (Service Model)
- MDR (Managed Detection and Response) is an outsourced cybersecurity service combining technology (SIEM/EDR/XDR) and human expertise to provide 24/7 threat detection, investigation, and active response. It differs from an MSSP in being response-capable rather than alert-only. Certbar's 24/7 SOC delivers MDR with sub-hour MTTR on critical alerts.
- Zero Trust Architecture
- Zero Trust is a security architecture model that operates on the principle that no user, device, or network segment should be trusted by default, regardless of whether it is inside or outside the corporate perimeter. Implementations centre on continuous verification, least-privilege access, micro-segmentation, and strong identity. It is often implemented via Identity and Access Management (IAM) and Conditional Access policies.
Quick reference:
- VAPT: Vulnerability Assessment & Penetration Testing.
- Penetration Testing: Hands-on exploitation by a certified offensive engineer.
- Red Team Assessment: Multi-vector adversary emulation across phishing, physical, network, app, identity.
- OWASP Top 10: The canonical list of the 10 most critical web application security risks.
- MITRE ATT&CK: A globally accessible knowledge base of adversary tactics and techniques.
- OSCP: Offensive Security Certified Professional, a hands-on penetration testing certification.
- CERT-In: India's Computer Emergency Response Team; empanels security auditors.
- DPDPA 2023: India's Digital Personal Data Protection Act, 2023.
- ISO/IEC 27001:2022: International standard for information security management systems.
- SOC 2: Service Organisation Controls report under AICPA Trust Services Criteria.
- PCI DSS 4.0: Payment Card Industry Data Security Standard, version 4.0.
- HIPAA: Health Insurance Portability and Accountability Act (US); Security Rule.
- GDPR: EU General Data Protection Regulation.
- CREST: Council of Registered Ethical Security Testers; UK/AU/CA-leaning accreditation body.
- Essential Eight: ASD's eight mitigation strategies for Australian organisations.
- IRAP: Australian Information Security Registered Assessors Program.
- PTaaS: Penetration Testing as a Service; platform-delivered continuous pentest.
- ASM: Attack Surface Management; continuous external asset discovery.
- MDR: Managed Detection and Response; outsourced 24/7 security operations.
- Zero Trust: "Never trust, always verify" security architecture model.