Cybersecurity Fundamentals
Learn cybersecurity concepts from the experts who test the world's most critical systems. Written by offensive security practitioners who conduct thousands of assessments each year.
68 guides
Offensive Security & Testing
14Methodologies security teams use to proactively find and fix vulnerabilities before attackers do.
What is Penetration Testing?Simulating real-world cyberattacks to identify vulnerabilities in systems, networks, and applications.
What is Red Teaming?Goal-oriented adversary simulation testing people, processes, and technology against real attack tactics.
What is Purple Teaming?Collaborative exercise where offensive and defensive teams improve detection and response together.
What is Adversary Emulation?Intelligence-driven testing replicating exact TTPs of specific threat actors relevant to your organization.
What is Offensive Security?Proactive security using attacker tactics and procedures to find and fix vulnerabilities.
What is Breach and Attack Simulation (BAS)?Automated, continuous testing that validates whether security controls detect and prevent attacks.
What is Ethical Hacking?Authorized security testing using the same tools and techniques as malicious hackers.
What is Continuous Security Testing?Always-on assessment replacing point-in-time testing with ongoing validation of controls and defenses.
What is Continuous Penetration Testing?Ongoing testing that adapts to your evolving attack surface throughout the year.
What is Continuous Offensive Security?Persistent offensive testing that maintains continuous coverage across your environment.
What is Security Validation?Continuously verifying that security controls perform as expected against real-world attack techniques.
What is Penetration Testing as a Service (PTaaS)?Subscription-based penetration testing delivering continuous security validation.
What is Managed Offensive Security?Outsourced offensive security combining pen testing, red teaming, and continuous validation.
The Business Case for Continuous Security ValidationWhy continuous validation delivers better outcomes than periodic testing alone.
Exposure & Attack Surface Management
12How organizations discover, monitor, and reduce the digital footprint attackers can target.
What is Attack Surface Management?Discovering, classifying, and monitoring all external-facing assets and exposures.
What is External Attack Surface Management (EASM)?Discovering and monitoring internet-facing assets, including unknown and unmanaged exposures.
What is Continuous Threat Exposure Management (CTEM)?Gartner's framework for proactively managing threat exposure through a five-stage cycle.
What is Vulnerability Management?Identifying, evaluating, prioritizing, and remediating vulnerabilities across your technology stack.
What is Risk-Based Vulnerability Management?Prioritizing remediation based on actual exploitability, business context, and threat intelligence.
What is a Vulnerability Assessment?Systematic process of identifying, quantifying, and prioritizing security vulnerabilities.
What is Cyber Threat Intelligence?Collecting and analyzing threat data to produce actionable intelligence driving security decisions.
Exposure Management StrategyMoving beyond vulnerability management to a comprehensive exposure management approach.
What is Cyber Asset Attack Surface Management (CAASM)?Tools aggregating asset data from multiple sources into a unified inventory.
What is Threat Modeling?Identifying potential threats and vulnerabilities in a system's design before exploitation.
Alert Fatigue and False PositivesWhy more alerts mean less security and how to reduce noise in your environment.
The Cost of a Data BreachWhat security leaders need to know about breach costs and prevention economics.
Application & Cloud Security
10Specialized testing approaches for modern application architectures and cloud environments.
What is Application Security Testing?Testing software applications for security vulnerabilities throughout the development lifecycle.
What is Cloud Security Testing?Security assessment of cloud infrastructure across AWS, Azure, GCP, and multi-cloud environments.
What is API Security Testing?Testing APIs for authentication flaws, authorization bypasses, and business logic issues.
What is SAST (Static Application Security Testing)?Source code analysis identifying vulnerabilities by examining code without executing it.
What is DAST (Dynamic Application Security Testing)?Runtime testing probing running applications from the outside to find vulnerabilities.
What is IoT Security Testing?Security evaluation of connected devices covering firmware, hardware, and wireless protocols.
What is DevSecOps?Integrating security into every phase of the software development lifecycle.
AI Security GovernanceHow security leaders should govern AI adoption, from LLM testing to enterprise AI risk management.
Zero Trust ArchitectureMoving beyond the buzzword to practical zero trust implementation strategies.
Security Vendor ConsolidationReducing tool sprawl without increasing risk across your security stack.
Security Posture & Asset Management
5How organizations gain visibility into their security posture and manage modern asset inventories.
What is Security Posture Management?Assessing, measuring, and improving overall security readiness across your infrastructure.
Cybersecurity Maturity AssessmentBenchmarking your security program maturity from NIST CSF and CIS Controls to CMMC.
Third-Party Risk ManagementValidating third-party security including supply chain risk and vendor risk quantification.
What is Cyber Asset Attack Surface Management (CAASM)?Aggregating asset data from multiple sources into a unified, queryable inventory.
What is Threat Modeling?Identifying potential threats and vulnerabilities in a system's design before exploitation.
Comparisons & Decision Guides
10Side-by-side comparisons to understand the differences between related security concepts.
SAST vs DASTHow static and dynamic application security testing differ, and why most programs need both.
Penetration Testing vs Vulnerability ScanningThe difference between automated vulnerability detection and human-led exploitation testing.
Red Team vs Penetration TestingHow scoped pen tests differ from full-scope adversary simulations.
Offensive Security vs Defensive SecurityHow proactive attack simulation and reactive defense complement each other.
CTEM vs Vulnerability ManagementHow Gartner's CTEM framework extends and evolves traditional vulnerability management.
Continuous vs Annual Penetration TestingWhy annual pen tests leave blind spots and how continuous testing closes the gap.
Red Team vs Blue Team vs Purple TeamHow offensive, defensive, and collaborative security teams operate and when to use each.
BAS vs Penetration TestingWhen automated attack simulation complements human-led pen testing.
Attack Surface Management vs Vulnerability ManagementHow ASM's asset discovery focus differs from VM's remediation focus.
Penetration Testing vs Bug BountyStructured assessments vs crowdsourced vulnerability discovery, and when each makes sense.
How-To Guides
4Practical, step-by-step guides for building and running security programs.
How to Choose a Penetration Testing CompanyWhat to look for in a pen testing provider, from methodology to reporting quality.
How to Scope a Penetration TestDefining test boundaries, selecting testing types, and setting expectations.
How to Build an Attack Surface Management ProgramStep-by-step guide from initial asset discovery through continuous monitoring.
How to Implement a CTEM ProgramPractical roadmap for operationalizing Gartner's CTEM framework.
Compliance & Penetration Testing
7How penetration testing satisfies specific compliance frameworks and what auditors expect.
Penetration Testing for PCI DSS ComplianceHow pen testing satisfies PCI DSS 4.0.1 Requirement 11.4 including scope and frequency.
Penetration Testing for SOC 2 ComplianceHow pen testing supports SOC 2 Trust Services Criteria for Type I and Type II reports.
Penetration Testing for HIPAA ComplianceAddressing HIPAA Security Rule technical safeguards and what covered entities need to know.
Penetration Testing for ISO 27001How pen testing maps to ISO 27001 Annex A controls and supports the ISMS improvement cycle.
Cyber Insurance RequirementsHow the tightening cyber insurance market is driving demand for continuous testing evidence.
Compliance FatigueBuilding one security testing program that satisfies SOC 2, ISO 27001, HIPAA, and PCI DSS.
FedRAMP ComplianceHow FedRAMP 20x is transforming authorization timelines for cloud service providers.
Security Leadership & Strategy
8Strategic guidance for CISOs and security leaders on communicating risk, measuring ROI, and building resilient programs.
Communicating Cyber Risk to the BoardTranslating security findings into business language for board-level reporting.
Cybersecurity ROIHow to quantify return on security investments using validated risk reduction.
Cybersecurity Budget PlanningBuilding a defensible security budget aligned with risk reduction and business outcomes.
Cybersecurity Metrics & KPIsThe metrics that matter for security leaders, from MTTR to board-level reporting.
Cyber Risk Quantification (CRQ)How CRQ frameworks like FAIR translate security findings into financial impact.
Mean Time to Remediate (MTTR)Why MTTR is becoming a board-level KPI and how to measure it accurately.
M&A Cybersecurity Due DiligenceHow offensive testing reveals hidden risk beyond questionnaires during acquisitions.
CISO Priorities for 2026What security leaders should prioritize based on what real attackers are exploiting.