Understanding how attacks work starts with understanding where they come from. This page walks you through the key concepts — from the surfaces attackers target to the standards used to catalog what they find.

Attack surfaces

Your attack surface is the complete set of ways an attacker can interact with or send input to a system. Every entry point is a potential vector: email, USB drives, Wi-Fi, Bluetooth, downloaded software, web forms, API endpoints, and even third-party libraries your application depends on. The larger your attack surface, the more opportunities an attacker has. Reducing it — by disabling unused features, closing unnecessary ports, and auditing dependencies — is one of the most effective things you can do to improve security. Common attack surface categories:
  • Server-side inputs — login forms, search bars, file uploads, URL parameters, HTTP headers, cookies, and REST/GraphQL APIs
  • Client-side targets — the browser DOM, localStorage/sessionStorage, and third-party scripts (analytics, ads, widgets)
  • Network layer — unencrypted HTTP traffic that exposes headers, passwords, and session IDs in transit
  • Supply chain — vulnerabilities in packages and libraries your project pulls in (e.g., node_modules, requirements.txt)
  • Human element — social engineering that targets users directly, bypassing technical controls entirely
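
Every item in the server-side list above is a place where attacker-controlled bytes enter your code, and the first step of any assessment is to list those places exhaustively. The following script, an added example that is not part of the original page, takes a raw HTTP request and enumerates each distinct input point (path, query parameters, headers, individual cookies, and every scalar inside a JSON or form body). The request is constructed for illustration; the host name, endpoint and field names are hypothetical.

```python
"""Enumerate attacker-controlled input points in a raw HTTP request.

Added example (not from the original page). The request below is
constructed for illustration; no real host or application is involved.
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample request: a JSON API call with a query string, custom
# headers, two cookies and a nested body. Host and fields are hypothetical.
SAMPLE_REQUEST = (
    "POST /api/v1/search?q=shoes&page=2 HTTP/1.1\r\n"
    "Host: shop.example\r\n"
    "User-Agent: Mozilla/5.0\r\n"
    "X-Forwarded-For: 203.0.113.7\r\n"
    "Cookie: session=abc123; theme=dark\r\n"
    "Content-Type: application/json\r\n"
    "\r\n"
    '{"filter": {"brand": "acme", "max_price": 100}, "tags": ["sale"]}'
)


def _flatten(value, prefix):
    """Yield (name, leaf_value) pairs for nested JSON so that every scalar
    in the body is listed as its own input point."""
    if isinstance(value, dict):
        for k, v in value.items():
            yield from _flatten(v, f"{prefix}.{k}")
    elif isinstance(value, list):
        for i, v in enumerate(value):
            yield from _flatten(v, f"{prefix}[{i}]")
    else:
        yield prefix, value


def enumerate_inputs(raw):
    """Return a list of (category, name, value) tuples, one per
    attacker-controlled input found in the request."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    _method, target, _version = lines[0].split(" ", 2)
    url = urlsplit(target)

    inputs = [("path", "request-path", url.path)]
    # Query string parameters; keep_blank_values so "?debug=" still counts
    for k, v in parse_qsl(url.query, keep_blank_values=True):
        inputs.append(("query", k, v))

    headers = {}
    for line in lines[1:]:
        name, _, val = line.partition(":")
        headers[name.strip().lower()] = val.strip()
        inputs.append(("header", name.strip(), val.strip()))

    # Each cookie is a separate input. The raw Cookie header was already
    # listed above on purpose: the server parses that string too.
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            inputs.append(("cookie", k, v))

    ctype = headers.get("content-type", "")
    if body:
        if ctype.startswith("application/json"):
            for name, val in _flatten(json.loads(body), "body"):
                inputs.append(("body-json", name, val))
        elif ctype.startswith("application/x-www-form-urlencoded"):
            for k, v in parse_qsl(body, keep_blank_values=True):
                inputs.append(("body-form", k, v))
        else:
            # Unknown or binary body: still an input, listed as one blob
            inputs.append(("body-raw", ctype or "unknown", body))
    return inputs


def count_by_category(inputs):
    """Summarize how many input points fall in each category."""
    counts = {}
    for cat, _, _ in inputs:
        counts[cat] = counts.get(cat, 0) + 1
    return counts


if __name__ == "__main__":
    for cat, name, val in enumerate_inputs(SAMPLE_REQUEST):
        print(f"{cat:10} {name:24} {val!r}")
```

The sample request yields 13 input points, and note that X-Forwarded-For and the Cookie header count just as much as the form fields: a server that trusts a client-supplied forwarding header for access decisions has silently widened its attack surface.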

Vulnerabilities

A vulnerability is a weakness in software, hardware, configuration, or processes that an attacker can exploit to violate security. Vulnerabilities exist in virtually every system; the question is whether they are known, disclosed, and patched.

Zero-day vulnerabilities

A zero-day is a vulnerability that the vendor does not yet know about — or has not yet patched — so defenders have had zero days to respond. An exploit that uses a zero-day can compromise a fully up-to-date machine. Zero-days are actively bought and sold by intelligence agencies, criminal groups, and brokers, making them among the most dangerous assets in the threat landscape.

Vulnerability standards

Two key systems help the security community track and communicate about vulnerabilities consistently.

CVE — Common Vulnerabilities and Exposures

CVE assigns a unique, standardized identifier to each publicly disclosed vulnerability. The format is CVE-YYYY-NNNN, where YYYY is the year the ID was assigned or the vulnerability was published (not necessarily the year it was discovered) and NNNN is a sequence number of at least four digits. You can look up any CVE at cve.org. A single attack can exploit multiple CVEs: the Stuxnet worm (2010) used at least five, including CVE-2010-2568 (a Windows LNK file vulnerability) and CVE-2008-4250 (a Windows Server Service vulnerability, patched as MS08-067 in October 2008).

NVD — National Vulnerability Database

The NVD is a U.S. government database, maintained by NIST, that catalogs known vulnerabilities indexed by CVE ID. It adds enriched metadata that the CVE record alone does not carry, including CVSS severity scores, affected-product identifiers (CPE names) and weakness classifications (CWE). Security scanners and patch management tools query the NVD to identify which known vulnerabilities affect your installed software.

CVSS (Common Vulnerability Scoring System) rates vulnerability severity from 0.0 to 10.0. Under the CVSS v3.x qualitative scale, 9.0 to 10.0 is “Critical”, 7.0 to 8.9 “High”, 4.0 to 6.9 “Medium” and 0.1 to 3.9 “Low”. The base score published by the NVD describes the intrinsic severity of the flaw, not its risk to you: use it to decide what to patch first, but always factor in your specific environment and exposure, such as whether the vulnerable component is reachable from the internet, whether the affected code path is even enabled, and whether a public exploit exists.
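
The severity bands and the “factor in your exposure” caveat above are easy to state and easy to get wrong in a script, so here is an added example (my code, not the page's and not NIST's) that maps base scores to the v3.x ratings and then orders findings for patching by reachability first and score second. The records are constructed to mirror only the shape of NVD API 2.0 entries (an `id` plus `metrics.cvssMetricV31[].cvssData`); the CVE IDs use a placeholder year and are deliberately not real records, and the `host` field and the `EXPOSURE` map are hypothetical additions representing what your own scanner or asset inventory would supply.

```python
"""Rank vulnerabilities by CVSS severity, then adjust for exposure.

Added example, not from the original page or from NIST. Records mirror
the shape of NVD API 2.0 entries but are constructed: the IDs use a
placeholder year and were never looked up in the real NVD.
"""
import re

# CVE-YYYY-NNNN with a sequence number of at least four digits
CVE_ID = re.compile(r"^CVE-\d{4}-\d{4,}$")

# CVSS v3.x qualitative severity bands (lower bound, label)
SEVERITY_BANDS = [
    (9.0, "CRITICAL"),
    (7.0, "HIGH"),
    (4.0, "MEDIUM"),
    (0.1, "LOW"),
    (0.0, "NONE"),
]

# Constructed findings. "host" is a hypothetical field a scanner would add;
# it is not part of an NVD record.
SAMPLE_RECORDS = [
    {"id": "CVE-2099-0001", "host": "intranet-wiki",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 9.8, "attackVector": "NETWORK"}}]}},
    {"id": "CVE-2099-0002", "host": "public-web",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.5, "attackVector": "NETWORK"}}]}},
    {"id": "CVE-2099-0003", "host": "public-web",
     "metrics": {"cvssMetricV31": [{"cvssData": {"baseScore": 7.8, "attackVector": "LOCAL"}}]}},
    {"id": "CVE-2099-0004", "host": "build-server", "metrics": {}},  # not yet scored
]
# Hypothetical asset inventory: is the host reachable from the internet?
EXPOSURE = {"public-web": True, "intranet-wiki": False, "build-server": False}


def is_valid_cve_id(cve_id):
    return CVE_ID.match(cve_id) is not None


def severity(score):
    """Map a 0.0-10.0 base score onto the CVSS v3.x qualitative rating."""
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS score out of range: {score}")
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "NONE"


def base_metrics(record):
    """Return (baseScore, attackVector) from an NVD-shaped record, or
    (None, None) when the record carries no v3.1 metric yet."""
    if not is_valid_cve_id(record["id"]):
        raise ValueError(f"malformed CVE id: {record['id']}")
    metrics = record.get("metrics", {}).get("cvssMetricV31", [])
    if not metrics:
        return None, None
    data = metrics[0]["cvssData"]
    return data["baseScore"], data["attackVector"]


def prioritize(records, exposure):
    """Order findings for patching. Each result is
    (id, host, score, attack_vector, severity_label, reachable).

    Sort rules, most important first:
      1. network-exploitable flaws on internet-facing hosts,
      2. higher base score.
    Unscored records sort last as "unknown", which is not the same as safe;
    they need a manual look rather than being dropped from the queue.
    """
    ranked = []
    for rec in records:
        score, vector = base_metrics(rec)
        reachable = vector == "NETWORK" and exposure.get(rec["host"], False)
        label = severity(score) if score is not None else "UNSCORED"
        ranked.append((rec["id"], rec["host"], score, vector, label, reachable))
    ranked.sort(key=lambda r: (r[5], r[2] if r[2] is not None else -1.0), reverse=True)
    return ranked


if __name__ == "__main__":
    for cve, host, score, vector, label, reachable in prioritize(SAMPLE_RECORDS, EXPOSURE):
        print(f"{cve}  {host:14} {str(score):5} {str(vector):8} {label:9} reachable={reachable}")
```

With these inputs the 7.5 on the internet-facing web server lands above the 9.8 on the intranet wiki, which is the point: the score ranks flaws, your exposure ranks risk. Real NVD records may carry other metric arrays as well (older entries only v2, newer ones also v4.0), so production code has to handle more than `cvssMetricV31`.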

Major attack categories

Malware

Software intentionally designed to cause harm, steal data, or act against the interests of the user. Malware is delivered through documents, installers, games, and more.

Botnets & DDoS

Networks of compromised machines used to flood targets with traffic, making services unavailable to legitimate users.

Backdoors

Hidden functionality that grants secret access to a system, bypassing its normal authentication. A backdoor can be planted in software, but those embedded at the hardware or firmware level are the hardest to detect and often impossible to remove with standard software tools.

Social Engineering

Attacks that manipulate humans rather than machines — phishing, spoofing, and pretexting exploit trust rather than code.

Malware types

Malware is an umbrella term. Understanding the subcategories helps you recognize behavior and apply the right defenses.
Type         How it spreads                                          Primary harm
Virus        Attaches to files; activates when the file runs         Data corruption, system damage
Worm         Self-replicates across networks with no user action     Network congestion, mass infection
Trojan       Disguises itself as legitimate software                 Opens backdoors, steals credentials
Ransomware   Delivered via phishing or exploit                       Encrypts files and demands payment

Worms are particularly dangerous because they spread without any user interaction. The Morris Worm (1988) took down thousands of machines on the early internet. WannaCry (2017), a modern ransomware worm, spread to over 230,000 systems in 150 countries in a single day by exploiting a Windows SMB vulnerability (CVE-2017-0144, the EternalBlue exploit for MS17-010). A patch had been available for two months; the systems it hit were the ones that had not applied it.

Ransomware has become the dominant financially motivated threat. Attackers encrypt your data and demand payment, usually in cryptocurrency, before restoring access. Regular, tested, offline backups are your strongest mitigation against the encryption itself. Note that many ransomware operators now also exfiltrate data before encrypting and threaten to publish it, so backups restore availability but do not prevent disclosure.

Trojans are especially deceptive because they appear useful. A “free game” or cracked application that installs credential-stealing software in the background is a classic trojan scenario.

Botnets and DDoS

A botnet is a network of compromised machines (called bots or zombies) that an attacker controls through a command-and-control (C2) server. Individual machines are infected through malware and often show no obvious symptoms, so their owners rarely notice; consumer routers, IP cameras and other unpatched internet-of-things devices are common recruits.

Botnets power Distributed Denial of Service (DDoS) attacks: the attacker directs thousands to hundreds of thousands of bots to flood a target simultaneously, exhausting its bandwidth, its connection table or its application capacity and making it unavailable to legitimate users. The largest volumetric attacks now exceed a terabit per second, far more than a single site's uplink can absorb, so defenses combine rate limiting and load balancing on your side with upstream traffic scrubbing services that filter the flood before it reaches you. Per-source rate limiting alone is weak against a botnet: each bot can stay under the limit while the aggregate still overwhelms the service.

DDoS is only one use case. Botnets also conduct credential stuffing, spam campaigns and cryptocurrency mining.

Backdoors

A hardware backdoor is hidden functionality built into a device at the hardware or firmware level. Unlike software backdoors, it survives operating system reinstalls and cannot be removed with standard tools; depending on where it lives, reflashing the firmware or replacing the hardware may be the only remedy. The Intel Management Engine (ME) has historically raised concerns in this area: it is a separate microcontroller in the chipset that runs closed-source firmware the owner cannot audit, it operates independently of the main CPU and OS, and on many platforms it has its own access to system memory and the network interface. Whether it constitutes a backdoor is disputed; the concern is that a component with that much privilege and that little transparency cannot be verified by the owner. Hardware backdoors pose a risk even on fully patched, fully updated machines.