CVSS
Industry-standard vulnerability severity scoring. CVSS 3.1 (and the newer 4.0) produces a 0-10 score with Critical (9.0-10.0), High (7.0-8.9), Medium (4.0-6.9), Low (0.1-3.9). Based on exploitability, impact, and environmental factors.
More from General
CVE
Public identifier assigned to a specific disclosed vulnerability in the format CVE-YYYY-NNNNN. MITRE assigns CVE IDs through CNAs (CVE Numbering Authorities). National Vulnerability Database (NVD) adds severity scoring (CVSS) and impact analysis.
CWE
Classification system for software weaknesses. Each vulnerability maps to one or more CWEs. E.g., CWE-79 (XSS), CWE-89 (SQL injection), CWE-78 (Command injection). CWE Top 25 lists the most dangerous weaknesses.
OSINT
Gathering intelligence from publicly available sources. Websites, social media, DNS records, code repositories, breach data, court records. Standard initial phase of penetration testing engagements. Tools: Shodan, Censys, Maltego, the Harvester, Recon-ng.
Social Engineering
Manipulating humans to obtain unauthorized access or information. Common categories: phishing (email), vishing (voice), smishing (SMS), pretexting (invented scenario). Responsible for the majority of breaches. Scattered Spider, BEC actors, and most APTs rely heavily on social engineering.
Apply this to your environment
Our engagements address concepts like cvss in practice — not just definitions, but how the attack patterns apply to your stack and how to remediate.