Glossary

Last updated: May 25, 2026


A

AI SAST

AI SAST is an AI-powered static application security testing technique used by Fluid Attacks in its Continuous Hacking Advanced plan. It quickly and accurately assesses an application's source code through multi-file analysis, so that it understands the code's context and detects high-risk security vulnerabilities that simple scanners often overlook.

Application security posture management (ASPM)

ASPM is a cybersecurity approach that delivers a unified, real-time view of an organization's application security posture across the entire software development lifecycle. Acting as a unifying layer above disparate security tools, ASPM ingests and correlates findings from sources such as SAST, DAST, SCA, CI/CD pipelines, and cloud infrastructure, transforming scattered alerts into actionable intelligence. Rather than simply cataloguing vulnerabilities, ASPM contextualizes findings using risk-based prioritization, weighing factors such as exploitability, reachability, and proximity to sensitive data, so that teams address what genuinely threatens the business first. It also automates remediation workflows, enforces security policies, and generates SBOMs, enabling organizations to scale their security programs proportionally with the pace of modern development.

B

Black-box testing

Black-box testing is a service in which the pentester has no access to the source code or to information about the project's infrastructure, and only has the IPs and URLs of the environments where the project is deployed.

C

CI/CD pipeline

A CI/CD pipeline is a series of organized steps or tasks that, mostly in an automated way, allow the fast and successful release of a new software version. The activities involved include compiling the source code, distributing packages, running quality and security tests, and deploying to different environments.

CI Gate

The CI Gate is a Docker-based tool provided by Fluid Attacks that connects to the platform from within a CI/CD pipeline to check whether the evaluated repository has open vulnerabilities, and can be configured to break the build when policy-breaking findings are present. It supports all major CI/CD platforms, including GitHub Actions, GitLab CI, Azure DevOps, and Jenkins. See CI Gate installation for setup instructions.

Cloud security posture management (CSPM)

CSPM is a set of practices for monitoring and managing security configurations and compliance with standards across cloud resources. It assesses IaC scripts, container images, and cloud environments and services to identify misconfigurations, policy violations, and other security issues. This technique is used in Fluid Attacks' Continuous Hacking.

Continuous deployment (CD)

CD is a process that follows CI. Once merged, the code changes made by developers shape a software product that can be deployed to a test or production environment. Automated procedures build the product, verify that it meets acceptance requirements, and deploy it at the expected time, often directly to end users.

Continuous integration (CI)

CI is a practice in which a development team constantly uploads changes, either additions or removals, to a central repository. Automated procedures are run each time to validate that the modifications made to the code meet predefined requirements and to ensure that they integrate smoothly into the software.

CVSS

The Common Vulnerability Scoring System (CVSS) is a free and open industry standard for assessing the severity of computer system security vulnerabilities. CVSS attempts to assign severity scores to vulnerabilities, allowing responders to prioritize responses and resources according to risks. Scores are calculated based on a formula that depends on several metrics that approximate the ease and impact of exploitation. Scores range from 0 to 10, with 10 being the most severe.

CVSSF

The CVSSF is a risk-exposure metric developed by Fluid Attacks by applying an exponential transformation to the standard CVSS base score. Unlike CVSS, which uses a linear 0.0-10.0 scale and groups scores into qualitative bands (low, medium, high, critical), CVSSF makes high- and critical-severity vulnerabilities contribute disproportionately more to the aggregated total, reflecting the compounding nature of risk. This design prevents large volumes of low-severity findings from obscuring the impact of a small number of critical ones. The result is a single value representing overall risk exposure across a system, enabling security teams to prioritize remediation efforts based on genuine threat impact rather than raw vulnerability counts.
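The aggregation effect described above, as an added illustration that is not part of the original glossary: the page does not state the CVSSF formula, so the transform below assumes the form `base ** (score - pivot)` with base 4 and pivot 4; only the shape of the argument (exponential versus linear aggregation) is the point.

```python
# Added example: linear CVSS aggregation versus an exponential CVSSF-style aggregation.
# The exact transform is an assumption; the page only says it is exponential.

def cvss_band(score):
    """Qualitative band for a CVSS v3.x base score (FIRST's published ranges)."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"

def cvssf(score, base=4.0, pivot=4.0):
    """Assumed exponential transform: each extra CVSS point multiplies exposure by `base`."""
    return base ** (score - pivot)

def aggregate_linear(scores):
    """Plain sum of CVSS base scores: many lows can outweigh one critical."""
    return sum(scores)

def aggregate_cvssf(scores):
    """Sum of transformed scores: a single critical dominates many lows."""
    return sum(cvssf(s) for s in scores)

def exposure_shares(scores):
    """Share of total transformed exposure per finding, largest first, as (score, band, share)."""
    total = aggregate_cvssf(scores)
    rows = [(s, cvss_band(s), cvssf(s) / total) for s in scores]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample: twenty low findings and one critical one.
SAMPLE_SCORES = [3.0] * 20 + [9.8]

if __name__ == "__main__":
    print("linear:", aggregate_linear(SAMPLE_SCORES))   # lows dominate (60.0 vs 9.8)
    print("cvssf :", aggregate_cvssf(SAMPLE_SCORES))    # the single critical dominates
    for score, band, share in exposure_shares(SAMPLE_SCORES)[:2]:
        print(f"{score:4.1f} {band:8s} {share:6.1%}")
```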

D

DevSecOps

DevSecOps is a software development approach that integrates security practices throughout the entire CI/CD pipeline, from initial design to deployment and monitoring. Rather than treating security as a final step, DevSecOps embeds automated security testing, code analysis, and compliance checks into the development workflow, enabling teams to identify and remediate vulnerabilities early, reduce remediation costs, and ship more secure software without slowing down delivery. Fluid Attacks supports DevSecOps practices through tools like the CI Gate and standalone scanners.

Dynamic application security testing (DAST)

DAST is a security testing technique for detecting security vulnerabilities in an application. It assesses the running software without accessing its source code by using various attack vectors in search of unexpected behavior and weaknesses related to its deployment configuration, data and business logic. This technique is used in Fluid Attacks' Continuous Hacking.

F

False negative

A false negative is an erroneous report indicating that a vulnerability does not exist or is absent. For information on how to report one, refer to the page False negatives.

False positive

A false positive is an erroneous alert indicating that a vulnerability is present. For information on how to report one, refer to the page False positives.

G

Gray-box testing

Gray-box testing is a service that combines elements of both black-box testing and white-box testing. The tester has partial knowledge of the system under evaluation, such as access to architectural diagrams, some credentials, or limited source code, but not full visibility into the implementation. This approach allows testers to simulate attacks from a partially informed adversary, often uncovering vulnerabilities that neither purely internal nor purely external testing would find.

Group

A group in Fluid Attacks' platform is the organizational unit used to manage a product's security testing. It contains the targets of evaluation, that is, the Git repositories and environments that are in scope for security testing, as well as the reported vulnerabilities, analytics, and policies associated with that product. Groups belong to an organization and are managed through the Fluid Attacks platform.

H

Health Check

Health Check is part of Fluid Attacks' Continuous Hacking solution and consists of performing PTaaS, secure code review and reverse engineering on the software the client developed before purchasing the Advanced plan.

I

Infrastructure as code (IaC)

IaC is the practice of defining and managing computing infrastructure through machine-readable configuration files rather than through manual processes or interactive tools. These files describe servers, networks, storage, and other resources in a version-controlled, reproducible format. From a security standpoint, IaC scripts can introduce misconfigurations and policy violations that are assessed through cloud security posture management (CSPM).

M

Mailmap

Mailmap is a table that organizes and unifies the different email addresses and names employed by the authors or contributors.

Mobile application security testing (MAST)

MAST is a methodology that combines various techniques and tools to identify vulnerabilities, misconfigurations, and privacy issues in mobile applications throughout their lifecycle. It integrates automated scanning with manual expert analysis to address the unique challenges of mobile environments, including diverse operating systems, device variety, and platform-specific security mechanisms. MAST evaluates both static code and runtime behavior, covering data handling, authentication, permissions, and backend API security. This technique is used in Fluid Attacks' Continuous Hacking.

O

Organization

An organization in Fluid Attacks' platform is the top-level entity that groups together all of a company's security testing activity. It contains one or more groups, each of which corresponds to a product or system under evaluation. Organization-level settings include member management, billing, policies, and aggregated analytics across all groups. Learn more about navigating the platform in the Fluid Attacks platform section.

P

Penetration testing as a service (PTaaS)

PTaaS is a cybersecurity assessment method in which skilled human testers (aka ethical pentesters or pentesters) actively and continuously simulate real-world cyberattacks on infrastructure, applications, and other IT systems. PTaaS primarily aims to identify and exploit vulnerabilities that are out of reach for automated tools, even chaining them together to determine how much impact they can have on the security of the evaluated application. This technique is used in Fluid Attacks' Continuous Hacking.

R

Reachability

Reachability is a characteristic verified by SAST: the known vulnerable functions of your application's direct dependencies are actually called by your application, which makes exploitation of the vulnerability more likely in the context of your application. Reporting that a dependency vulnerability is reachable cuts through the noise of potential vulnerabilities and highlights the ones that need immediate attention.

Reattack

A reattack is the process of re-evaluating a reported vulnerability after a developer has applied a fix, to verify whether the remediation was effective. In Fluid Attacks' platform, users can request a reattack on individual vulnerable locations. The security team then attempts to exploit the vulnerability again and updates its status to either confirmed fixed or still vulnerable. Learn how to request and track reattacks in Verify fixes with reattacks.

Reverse engineering (RE)

RE is an outside-in process of deconstructing software to analyze and understand its design, structure, and functionality in depth. In RE, experts (aka reverse engineers), helped by tools, unravel the code, its components, and its functions to discover how that specific technology works and whether it has security issues. This technique is used in Fluid Attacks' Continuous Hacking.

S

SARIF

The Static Analysis Results Interchange Format (SARIF) is an open standard (OASIS) for representing the output of static analysis tools. SARIF files use a JSON-based schema to capture findings such as vulnerability locations, severity levels, rule descriptions, and remediation hints in a structured, machine-readable format that integrates with a wide range of development platforms, including GitHub and GitLab. Fluid Attacks' standalone scanners support SARIF output. See GitHub Actions integration for an example of using SARIF with Fluid Attacks' scanners.
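As an added illustration of the structure described above (not the page's own code, nor Fluid Attacks' scanner output), the block below builds a minimal SARIF 2.1.0 log from constructed findings and reads results back from it. The rule ids, paths and the band-to-level mapping are assumed sample values.

```python
import json

# Added example: write and read a minimal SARIF 2.1.0 log. Sample findings are constructed.
SARIF_VERSION = "2.1.0"
SARIF_SCHEMA = "https://json.schemastore.org/sarif-2.1.0.json"

# Assumed mapping from a severity band to SARIF's three result levels.
LEVEL_BY_BAND = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}
LEVEL_ORDER = {"note": 0, "warning": 1, "error": 2}

def build_sarif(tool_name, findings):
    """Return a SARIF log (as a dict) with one run holding the tool's rules and results."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule_id"], {"id": f["rule_id"],
                                        "shortDescription": {"text": f["rule_name"]}})
        results.append({
            "ruleId": f["rule_id"],
            "level": LEVEL_BY_BAND[f["band"]],
            "message": {"text": f["message"]},
            "locations": [{"physicalLocation": {
                "artifactLocation": {"uri": f["path"]},
                "region": {"startLine": f["line"]},
            }}],
        })
    return {"version": SARIF_VERSION, "$schema": SARIF_SCHEMA,
            "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                      "results": results}]}

def results_at_or_above(sarif_text, min_level):
    """Parse SARIF JSON and return (ruleId, uri, startLine) for results at or above min_level."""
    doc = json.loads(sarif_text)
    found = []
    for run in doc["runs"]:
        for r in run["results"]:
            if LEVEL_ORDER[r.get("level", "warning")] >= LEVEL_ORDER[min_level]:
                loc = r["locations"][0]["physicalLocation"]
                found.append((r["ruleId"], loc["artifactLocation"]["uri"],
                              loc["region"]["startLine"]))
    return found

# Constructed sample findings (hypothetical rule ids and file paths).
SAMPLE_FINDINGS = [
    {"rule_id": "F001", "rule_name": "SQL injection", "band": "critical",
     "message": "Unsanitized input reaches a query.", "path": "src/db.py", "line": 42},
    {"rule_id": "F002", "rule_name": "Verbose error message", "band": "low",
     "message": "Stack trace returned to client.", "path": "src/api.py", "line": 17},
]

if __name__ == "__main__":
    log = build_sarif("example-scanner", SAMPLE_FINDINGS)
    print(results_at_or_above(json.dumps(log), "error"))
```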

Secret scanning

Secret scanning is the automated practice of searching through code, configuration files, infrastructure, pipelines, and other places where teams store and discuss software to find exposed credentials, such as API keys, passwords, cloud access keys, and tokens, that could grant unauthorized access to systems. A robust secret scanning program not only detects exposed secrets but also assesses their validity, pinpoints their location, and guides teams through revocation, rotation, and remediation.

Secure code review (SCR)

SCR is the systematic inspection of source code by human reviewers to identify security flaws and ensure adherence to security standards. This expert analysis often uncovers severe and complex vulnerabilities beyond the capabilities of automated tools alone. This technique is used in Fluid Attacks' Continuous Hacking.

Software bill of materials (SBOM)

An SBOM is a comprehensive inventory of all components and dependencies, as well as their associated metadata, that make up a software application. Therefore, SBOMs provide insights into a software product's composition and potential vulnerabilities inherited from third-party code.

Software composition analysis (SCA)

SCA is a technique for identifying and analyzing third-party components and dependencies in software. Regarding security, SCA assesses libraries, frameworks, and packages to determine their versions and detect vulnerabilities, conflicting licenses and other software quality issues. This technique is used in Fluid Attacks' Continuous Hacking.

Static application security testing (SAST)

SAST is a security testing technique for identifying security vulnerabilities in an application's source code. It examines the non-running code to look for programming patterns, misconfigurations, and insecure practices that attackers could exploit. This technique is used in Fluid Attacks' Continuous Hacking.

T

Target of Evaluation (ToE)

The ToE is the product or system that will be the subject of Fluid Attacks' security testing. It is mainly defined by adding Git repositories and environments in the Scope section of a group on the Fluid Attacks platform.

Treatment

A treatment is the decision a team makes on how to handle a reported vulnerability when it cannot be immediately remediated. Fluid Attacks' platform offers several treatment options, such as accepting the risk for a defined period, or accepting it permanently, each requiring a justification. Treatments allow teams to track and manage vulnerabilities that are known but not yet fixed, and they are visible in the vulnerabilities section of the platform.

V

Vulnerability

A vulnerability is a weakness or flaw in a software system, configuration, or process that could be exploited by a threat actor to compromise the confidentiality, integrity, or availability of assets. In Fluid Attacks' platform, a vulnerability is a specific finding reported by the security testing team or automated tools, associated with a location in the code or environment, and tracked through its lifecycle — from detection to remediation or accepted risk. Vulnerabilities are organized and managed in the vulnerabilities section of the platform.

W

Weakness

A weakness is a category of software defect or design flaw that can give rise to vulnerabilities. Weaknesses are described at a higher level of abstraction than vulnerabilities: a single weakness type may underlie many specific vulnerabilities across different systems. Fluid Attacks maps its findings to weaknesses as cataloged in its Criteria weakness database.

White-box testing

White-box testing is a service in which the pentester has full access to information about the project, such as Git repositories, credentials, source code and environments.
