Sandline — Risk Based Security
Glossary

Cybersecurity terms, the way auditors actually use them

A working glossary maintained by the Sandline team. Each entry is the definition we would give in an engagement, not a marketing rewrite.

A

Adversary simulation
A controlled exercise that emulates the tactics, techniques and procedures of a specific threat actor to test detection and response, distinct from a vulnerability-finding pentest.
Annex A control (ISO 27001)
One of the 93 controls in ISO/IEC 27001:2022 Annex A, organised into Organisational, People, Physical and Technological control families.
Asset criticality
The business value of an asset, used to weight risk scoring. A vulnerability on a payments database scores higher than the same vulnerability on a marketing landing page.
Attack surface
The full set of assets, accounts and entry points an external or internal attacker could reach. Modern attack-surface management treats this as a continuous discovery problem, not a one-off inventory.
Audit trail
A tamper-evident, time-ordered record of every state change relevant to a control. Without an audit trail, an auditor cannot verify what actually happened.
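A minimal illustration of what "tamper-evident" means in that definition, added here as an example and not part of the Sandline glossary or of any Sandline tooling: each record commits to the SHA-256 of the record before it, so editing, deleting or reordering an entry breaks the chain at a verifiable position. Record layout, field names and the sample firewall-change events are constructed for the example.

```python
import hashlib
import json

GENESIS = "0" * 64   # previous-hash value carried by the first record


def record_hash(prev_hash: str, ts: str, actor: str, event: str) -> str:
    # Canonical (key-sorted, no whitespace) encoding so a record always hashes the same way
    payload = json.dumps(
        {"prev": prev_hash, "ts": ts, "actor": actor, "event": event},
        sort_keys=True, separators=(",", ":"),
    )
    return hashlib.sha256(payload.encode("utf-8")).hexdigest()


class AuditTrail:
    """Append-only log where every record commits to the hash of the record before it."""

    def __init__(self):
        self.records = []

    def append(self, ts: str, actor: str, event: str) -> str:
        prev = self.records[-1]["hash"] if self.records else GENESIS
        rec = {"prev": prev, "ts": ts, "actor": actor, "event": event,
               "hash": record_hash(prev, ts, actor, event)}
        self.records.append(rec)
        return rec["hash"]   # head hash: publish it somewhere the log writer cannot edit

    def verify(self):
        """Walk the chain; return (True, -1) or (False, index of the first bad record)."""
        prev, last_ts = GENESIS, ""
        for i, rec in enumerate(self.records):
            if rec["prev"] != prev:            # deletion, insertion or reordering
                return False, i
            if rec["hash"] != record_hash(rec["prev"], rec["ts"], rec["actor"], rec["event"]):
                return False, i                # content edited in place
            if rec["ts"] < last_ts:            # ISO-8601 UTC strings sort chronologically
                return False, i
            prev, last_ts = rec["hash"], rec["ts"]
        return True, -1


def build_sample_trail() -> AuditTrail:
    # Constructed sample events for a firewall-change control (not real data)
    t = AuditTrail()
    t.append("2025-03-03T09:12:00Z", "alice", "change-request CR-17 approved")
    t.append("2025-03-03T09:15:30Z", "bob", "rule added: allow tcp/443 from 10.20.0.0/16 to payments-db")
    t.append("2025-03-03T09:16:05Z", "bob", "rule pushed to fw-core-01")
    return t


def run_tamper_checks() -> dict:
    """Three ways an insider might rewrite history, and what verify() reports for each."""
    results = {"intact": build_sample_trail().verify()}

    t = build_sample_trail()   # 1. edit a record's content, leave its hash alone
    t.records[1]["event"] = "rule added: allow tcp/443 from 0.0.0.0/0 to payments-db"
    results["edited"] = t.verify()

    t = build_sample_trail()   # 2. edit the record AND recompute its own hash
    r = t.records[1]
    r["event"] = "rule added: allow tcp/443 from 0.0.0.0/0 to payments-db"
    r["hash"] = record_hash(r["prev"], r["ts"], r["actor"], r["event"])
    results["edited_and_rehashed"] = t.verify()   # caught at the next record's prev pointer

    t = build_sample_trail()   # 3. delete the inconvenient record entirely
    del t.records[1]
    results["deleted"] = t.verify()
    return results


if __name__ == "__main__":
    for name, outcome in run_tamper_checks().items():
        print(f"{name:22} -> {outcome}")
```

The chain only proves that the log has not changed since the head hash was last recorded; a writer who can rewrite every record from the edited one onward passes verify(). That is why the head hash returned by append() should be copied to storage the log writer cannot modify (a WORM bucket, a separately keyed signature, a ticketing system), which is the copy an auditor checks against.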

C

CDE (Cardholder Data Environment)
The core of PCI-DSS scope: the people, processes and systems that store, process or transmit cardholder data, together with anything connected to them or able to affect their security.
CIS Controls
A community-maintained set of prioritised cybersecurity controls. Useful as a baseline; not a substitute for ISO 27001 or NIS2-aligned evidence.
CISA KEV
The US Known Exploited Vulnerabilities catalogue. A useful signal of in-the-wild exploitation, but not a substitute for contextual prioritisation in your environment.
CISO
Chief Information Security Officer. NIS2 (Article 20) places accountability for cybersecurity risk management on the management body; the CISO who advises and reports to that body is therefore an increasingly personally exposed role.
CRA
EU Cyber Resilience Act — the EU regulation that makes cybersecurity a CE-marking obligation for products with digital elements.
CTI
Cyber Threat Intelligence — actor, malware and TTP information curated against the threats that matter to your sector and geography.
CVE
Common Vulnerabilities and Exposures — the global identifier scheme for publicly-disclosed vulnerabilities, maintained by MITRE.
CVSS
Common Vulnerability Scoring System — a score of technical severity in the abstract: the base score describes the vulnerability, not your environment. Useful for triage at internet scale; insufficient as a sole prioritisation input in a real environment.

D

DORA
Digital Operational Resilience Act — the EU regulation enforcing ICT risk management and resilience for financial entities, applicable since January 2025.
DREAD
A threat-modelling scoring methodology covering Damage, Reproducibility, Exploitability, Affected users and Discoverability. Used as one of the six factors in the Centraleyezer contextual risk score.

E

EDR
Endpoint Detection and Response — host-based telemetry and response capability, distinct from antivirus by its visibility into process trees and behavioural analytics.
EPSS
Exploit Prediction Scoring System — a probabilistic estimate of exploitation in the wild for a given CVE. Best read alongside contextual factors, not as a standalone priority.
Essential entity (NIS2)
A NIS2 classification with the heaviest obligations. Includes large entities in energy, transport, banking, healthcare, drinking water, digital infrastructure and public administration.
Evidence (audit)
Documentary proof that a control was operating as intended, in the period under audit. Logs, reports, screenshots and signed approvals are all evidence; verbal assurance is not.

G

GDPR Article 32
The GDPR clause that requires "appropriate technical and organisational measures" to protect personal data, including encryption, integrity, availability and resilience.
GDPR Article 33
The GDPR clause that requires notification of a personal-data breach to the supervisory authority without undue delay and, where feasible, within 72 hours of the controller becoming aware of it.
GEO
Generative Engine Optimisation — the discipline of making content discoverable and citable by generative AI assistants such as ChatGPT, Claude, Perplexity and Gemini.

I

IEC 62443
The international standard for industrial automation and control systems security. Required reading for OT environments.
Important entity (NIS2)
A NIS2 classification one tier below essential, with proportionate but still substantial obligations.
Incident
An event that has compromised, or is reasonably suspected to have compromised, the confidentiality, integrity or availability of an information asset. Significant incidents are reportable under NIS2 (Article 23) and personal-data breaches under GDPR (Article 33), both on tight timelines.
ISMS
Information Security Management System — the documented set of policies, procedures, controls and risk treatments that ISO 27001 certifies.

J

JSON-LD
A schema.org-encoded JSON block embedded in an HTML page that makes its meaning machine-readable. Strongly preferred by both Google and AI assistants.

K

KEV
See CISA KEV.

L

llms.txt
A small, well-known text file at the root of a website that gives generative AI assistants a curated, machine-readable summary of the site. Companion to llms-full.txt for long-form ingestion.

M

MITRE ATT&CK
The global knowledge base of adversary tactics and techniques, used to align red team objectives with detection coverage.
MSSP
Managed Security Service Provider — an organisation that operates security tools and processes on behalf of customers. Centraleyezer offers MSSP-native multi-tenancy.

N

NIS2
EU directive 2022/2555. Makes cybersecurity risk management a board-level legal obligation for essential and important entities across 18 sectors. Transposed into Romanian law in 2024.

O

OT
Operational Technology — the systems that control physical processes, distinct from IT. Common in energy, manufacturing, water and transport.
OWASP Top 10
A community-maintained list of the most common web-application security risks. A baseline for application pentests; not the entire test scope.

P

PCI-DSS
Payment Card Industry Data Security Standard. The future-dated requirements of version 4.0 became mandatory on 31 March 2025; the current release is v4.0.1, which replaced v4.0 at the end of 2024.
Phishing
Social-engineering attacks delivered via email or messaging that aim to harvest credentials, deploy malware or trigger fraudulent actions. The attack most frequently tested against in the Sandline catalogue.
PoC (Proof of Concept)
A demonstration that a vulnerability is exploitable in a specific environment. Required for findings to be auditable and prioritisable.

R

RBVM
Risk-Based Vulnerability Management — the discipline of prioritising vulnerabilities by business risk in the specific environment, rather than by raw severity score.
Red team
A multi-week, objective-driven adversary simulation. Distinct from a penetration test by scope, persistence and the inclusion of social engineering and physical access where authorised.
Remediation
The work of fixing a vulnerability, distinct from detecting it. The Sandline programme tracks remediation to fix verification, not to ticket creation.

S

SBOM
Software Bill of Materials — a machine-readable list of the components and libraries (and, usually, their licences) in a software product. The EU Cyber Resilience Act requires manufacturers to draw one up in a commonly used machine-readable format covering at least the product's top-level dependencies.
SIEM
Security Information and Event Management — the platform that aggregates logs and alerts from across an environment for correlation and investigation.
SLA
Service Level Agreement — a contractual time-bound commitment. In the Sandline programme, every remediation has an SLA tied to its risk score.
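The RBVM and SLA entries above describe prioritising by risk in context and attaching a fix deadline to the result. The following is an added worked example of that idea and not Sandline's or Centraleyezer's own scoring: the weights, tier thresholds, SLA durations and sample findings are all illustrative assumptions. It shows the glossary's own case, the same finding on a payments database and on a marketing page, landing in different tiers, and a CVSS 9.1 on an isolated lab host ranking below a CVSS 6.5 on the payments database.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Illustrative tiers and fix SLAs (an assumption for this example; not the Sandline
# programme's or Centraleyezer's actual thresholds, weights or SLA durations).
TIERS = [(9.0, "critical"), (7.0, "high"), (4.0, "medium"), (0.0, "low")]
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    vuln_id: str           # constructed sample labels below, not real CVE identifiers
    asset: str
    cvss: float            # CVSS base score, 0-10: technical severity, context-free
    epss: float            # EPSS probability, 0-1: likelihood of exploitation in the wild
    in_kev: bool           # listed in CISA KEV: exploitation already observed
    criticality: int       # asset criticality 1 (throwaway) .. 5 (payments data)
    internet_facing: bool  # reachable from the attack surface an outsider sees


def contextual_score(f: Finding) -> float:
    """Scale the abstract CVSS score by the three things it cannot know about your estate."""
    criticality_w = 0.5 + 0.125 * (f.criticality - 1)        # 0.5 .. 1.0
    likelihood_w = 1.5 if f.in_kev else 0.7 + 0.8 * f.epss   # KEV overrides EPSS; 0.7 .. 1.5
    exposure_w = 1.2 if f.internet_facing else 1.0
    return min(10.0, f.cvss * criticality_w * likelihood_w * exposure_w)


def tier_for(score: float) -> str:
    for threshold, name in TIERS:
        if score >= threshold:
            return name
    return "low"


def prioritise(findings, opened: date):
    """Rank findings by contextual score and attach the SLA due date each tier earns."""
    ranked = []
    for f in sorted(findings, key=contextual_score, reverse=True):
        score = round(contextual_score(f), 2)
        tier = tier_for(score)
        ranked.append({
            "vuln_id": f.vuln_id, "asset": f.asset, "cvss": f.cvss,
            "score": score, "tier": tier,
            "due": (opened + timedelta(days=SLA_DAYS[tier])).isoformat(),
        })
    return ranked


def sample_findings():
    # Constructed sample data: one SQL-injection finding on two assets, plus two others
    return [
        Finding("SAMPLE-SQLI", "payments-db", 9.8, 0.90, True, 5, False),
        Finding("SAMPLE-SQLI", "marketing-web", 9.8, 0.90, True, 1, True),
        Finding("SAMPLE-INFO-LEAK", "payments-db", 6.5, 0.01, False, 5, False),
        Finding("SAMPLE-RCE", "lab-jumpbox", 9.1, 0.02, False, 1, False),
    ]


def sample_prioritisation():
    """The sample findings ranked as of a fixed opening date, for a reproducible result."""
    return prioritise(sample_findings(), date(2025, 3, 1))


if __name__ == "__main__":
    for row in sample_prioritisation():
        print(f'{row["tier"]:8} score={row["score"]:5} cvss={row["cvss"]} '
              f'{row["asset"]:14} {row["vuln_id"]} due {row["due"]}')
```

The point to carry over is the shape, not the numbers: CVSS sets the starting severity, KEV and EPSS adjust for likelihood, asset criticality and exposure adjust for impact, and the SLA clock is tied to the resulting tier rather than to the raw score. Whatever weights an organisation adopts, they should be written down and applied the same way to every finding, since an auditor will ask why two identical CVEs received different deadlines.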

T

TIBER-EU
The European Central Bank framework for threat intelligence-based ethical red-teaming. The methodology that DORA's threat-led penetration testing provisions (Articles 26 and 27) effectively require for the financial entities selected for TLPT.
TLPT
Threat-Led Penetration Testing — DORA's term (Articles 26 and 27) for adversary simulation of financial entities identified by their competent authority, required at least every three years and aligned with TIBER-EU.
TTP
Tactics, Techniques and Procedures — the structured way of describing what an adversary actually does, codified in MITRE ATT&CK.

V

Vulnerability
A weakness in a system, control or process that could be exploited by a threat. The unit of work in a vulnerability management programme.
Vulnerability handling (CRA)
The Annex I, Part II obligation on manufacturers to identify, document, address and disclose vulnerabilities in products with digital elements placed on the EU market.

Z

Zero-day
A vulnerability for which no vendor patch exists at the time it is discovered or exploited. The label alone is not a priority: it earns higher prioritisation only when exploitation is observed in your environment or sector, and in the meantime the work is mitigation rather than patching.

Book a 30-minute call

Tell us about the regulation you need to satisfy and the systems in scope. We will come back with a scoping note and a fixed-price proposal within three working days.

Book a consultation