5 exercises on the vocabulary of offensive security — the verbs and nouns you read in threat-intel briefings, pentest reports, and incident write-ups.
Key patterns in this set
launch / mount an attack — initiate an offensive operation
attack surface (what is exposed) vs attack vector (how it is reached)
build a threat model — structured analysis of assets and threats
phishing campaign — a coordinated wave of fraudulent messages
brute force → privilege escalation → lateral movement — the attack chain
0 / 5 completed
1 / 5
A threat-intelligence briefing reads:
"At 03:14 UTC the adversary ___ a coordinated attack against our edge gateways, combining credential stuffing with a volumetric DDoS to mask the real intrusion."
Which verb is the standard collocation for initiating an attack?
Launch an attack.
"Launch an attack" is the standard security collocation for actively initiating an offensive operation. The close synonym is "mount an attack", which carries a sense of organised, sustained effort ("the group mounted a sophisticated supply-chain attack").
launch / mount an attack — initiate it
carry out / conduct an attack — perform it
thwart / repel / fend off an attack — defend successfully
"Started an attack" is grammatically fine but flat and rare in professional writing. "Opened an attack" and "did an attack" are not idiomatic in English security prose. Remember the actor too: a threat actor or adversary launches an attack against a target.
2 / 5
An architecture review note states:
"Exposing the admin panel to the public internet dramatically increases the ___ — every additional open port and endpoint is one more thing an attacker can probe."
Which term describes the total set of points where an attacker could try to get in?
Attack surface.
The "attack surface" is the sum of all points (endpoints, ports, APIs, inputs, dependencies) where an unauthorised user could try to enter or extract data. A core goal of hardening is to reduce / minimise the attack surface.
attack surface — everything exposed to attack
attack vector — a specific path/method used (e.g. phishing email, unpatched CVE)
blast radius — how far damage spreads once a component is compromised
Do not confuse attack surface (what is exposed) with attack vector (how it is reached). "Attack radius/zone/field" are not standard terms. Usage: "removing the legacy SOAP API shrank our attack surface significantly."
3 / 5
A security design document says:
"Before writing any code, the team built a ___: enumerating assets, trust boundaries, and the ways an attacker might abuse each data flow."
Which term names this structured analysis of potential threats?
Threat model.
A "threat model" is a structured representation of a system's assets, trust boundaries, data flows, and the threats against them. The activity is "threat modelling", and you "build / create / perform a threat model".
build a threat model — produce the analysis
STRIDE / DREAD — common threat-modelling frameworks
trust boundary — where data crosses between zones of different trust
"Threat sheet/plan/list" are not the established term. A threat model answers four questions: What are we building? What can go wrong? What are we going to do about it? Did we do a good job? Usage: "we threat-model every new microservice before it ships."
4 / 5
An incident summary reads:
"The initial foothold came from a targeted ___ — a convincing email impersonating IT support that tricked three employees into entering their credentials on a fake portal."
Which collocation describes this kind of fraudulent-email operation?
Phishing campaign.
A "phishing campaign" is a coordinated set of fraudulent messages designed to trick recipients into revealing credentials or running malware. "Campaign" is the standard noun for an orchestrated wave of attacks.
spear-phishing — targeted at specific individuals
whaling — phishing aimed at executives
smishing / vishing — phishing via SMS / voice
Verbs: attackers "run / launch a phishing campaign"; defenders "detect / block" it. "Phishing project/program/session" are not idiomatic. Related foothold terms: credential harvesting, payload, landing page. Usage: "the red team ran a phishing campaign and 18% of staff clicked the link."
5 / 5
A pentest report describes the attacker's progression:
"After cracking a weak service account password by ___, the attacker achieved ___ from a standard user to SYSTEM, then performed ___ to reach the domain controller."
Which set of terms correctly fills the three blanks?
Brute force — systematically trying many passwords/keys until one works ("brute-force the login", "a brute-force attack"); contrast a dictionary attack
Privilege escalation — gaining higher rights than granted; vertical (user→admin) vs horizontal (one user→another). "Escalate privileges to root/SYSTEM."
Lateral movement — pivoting from one compromised host to others across the network to reach the real target
The other options are invented paraphrases that no security professional uses. These map onto the MITRE ATT&CK phases Credential Access → Privilege Escalation → Lateral Movement. Usage: "the attacker used brute force for initial access, then privilege escalation and lateral movement to reach the DC."