What is AES-256 encryption?

AES-256 (Advanced Encryption Standard with a 256-bit key) is the gold standard symmetric encryption algorithm used by VPNs, governments, and banks. It would take longer than the age of the universe to brute-force a single AES-256 key. When a VPN says it uses AES-256, it means your data is protected by military-grade encryption.

A DNS leak occurs when your device sends DNS queries outside the encrypted VPN tunnel, exposing your browsing activity to your ISP even while connected to a VPN. A quality VPN with a built-in DNS leak protection feature routes all DNS queries through its own servers so nothing escapes.

What is a VPN kill switch?

A kill switch is a VPN safety feature that automatically blocks all internet traffic if the VPN connection drops. Without it, your real IP address would briefly be exposed during reconnection. Think of it as a dead man's switch for your privacy.

What does no-log policy mean?

A no-log policy (or zero-log policy) means the VPN provider does not record your browsing activity, IP address, connection timestamps, or any data that could be used to identify you. The best providers have their no-log claims independently audited by third-party security firms.

What is split tunneling in a VPN?

Split tunneling lets you route some of your internet traffic through the VPN while other traffic goes directly through your normal connection. For example, you might route your banking app through the VPN while letting Netflix connect directly for better streaming speed.

What is the Five Eyes alliance?

Five Eyes is an intelligence-sharing alliance between the United States, United Kingdom, Canada, Australia, and New Zealand. These countries can share surveillance data with each other, which is why privacy-conscious users prefer VPN providers headquartered outside Five Eyes (and the broader Nine Eyes and 14 Eyes) jurisdictions.

WireGuard is a modern, open-source VPN protocol known for its speed, simplicity, and security. Its entire codebase is roughly 4,000 lines — compared to OpenVPN's 100,000+ — making it far easier to audit and less likely to contain hidden bugs. Most leading VPN providers now use WireGuard as their default protocol.

What is deep packet inspection?

Deep Packet Inspection (DPI) is a technique used by ISPs, governments, and firewalls to analyze the contents of data packets as they travel across a network. DPI can identify and block VPN traffic, which is why obfuscated protocols like Shadowsocks disguise VPN packets to look like ordinary HTTPS traffic.

VPN & Cybersecurity Glossary: 50+ Terms Explained

By Marron J Washington | March 2026 | 15 min read

Whether you're a privacy newbie trying to figure out what on earth a "kill switch" is, or a seasoned security pro looking for a clean reference you can bookmark and share, this glossary has you covered. We've assembled 50+ of the most important VPN and cybersecurity terms, defined in plain English — no PhD required, but no dumbing down either. Welcome to the definitive reference.

A

AES-256

AES-256 (Advanced Encryption Standard, 256-bit key) is the symmetric encryption algorithm that secures the vast majority of VPN connections, government communications, and banking systems. To put the "256-bit" in perspective: there are more possible key combinations than atoms in the observable universe. Brute-forcing it is not a plan — it's a fantasy. When a VPN says it uses AES-256, that's the good stuff.

Ad Blocker

An ad blocker is software that prevents advertisements from loading in your browser or app. Beyond improving your experience (fewer seizure-inducing banner ads), it also stops tracking pixels, prevents malvertising attacks — malware delivered through ad networks — and reduces page load times. Some VPNs include network-level ad blocking that works across all apps on your device, not just the browser.

Anonymous Browsing

Anonymous browsing is the practice of navigating the internet without revealing your real identity or IP address. A VPN gets you partway there by masking your IP, but true anonymity requires eliminating cookies, browser fingerprinting, account logins, and payment traces as well. Think of it as a spectrum: a VPN makes you much harder to identify, not invisible.

Authentication

Authentication is the process of verifying that something or someone is who they claim to be. In VPN contexts, authentication ensures your device is talking to the correct VPN server and not an impostor. In everyday security, authentication is why you enter a password, scan your fingerprint, or tap an authenticator app — it's the bouncer at the door of any secure system.

B

Bandwidth

Bandwidth refers to the maximum data transfer rate of a network connection — how much data can flow through the pipe per second. VPN providers often advertise "unlimited bandwidth," meaning they won't throttle or cap your data. Some budget plans do impose monthly data limits (like Vizoguard Basic's 100 GB/month). Higher bandwidth means faster downloads, smoother streaming, and lower latency for video calls.

Browser Fingerprinting

Browser fingerprinting is a tracking technique that identifies you not by cookies but by the unique combination of your browser version, installed fonts, screen resolution, time zone, GPU, and dozens of other attributes. Advertisers and trackers use it to follow you across the web even after you clear cookies and enable private browsing. It's the reason "incognito mode" is not the privacy shield most people think it is. A VPN doesn't solve fingerprinting — but it's one layer of defense in a broader privacy setup.

C

ChaCha20

ChaCha20 is a modern stream cipher that serves as a high-performance alternative to AES-256, particularly on devices that lack hardware-accelerated AES (like older Android phones and lower-end routers). WireGuard uses ChaCha20-Poly1305 as its cipher suite, which is why WireGuard can be faster than AES-based VPN protocols on mobile hardware. Same level of security as AES-256 — just a different (and equally strong) mathematical approach.

CIDR

CIDR (Classless Inter-Domain Routing, pronounced "cider") is a compact notation for specifying IP address ranges. For example, 192.168.1.0/24 represents all 256 addresses from 192.168.1.0 to 192.168.1.255. VPN administrators use CIDR notation to define which IP ranges route through the tunnel and which bypass it (split tunneling rules). You'll also see it in firewall configurations and routing tables.

Censorship Circumvention

Censorship circumvention is the use of technology to access internet content that has been blocked by a government, ISP, or network administrator. VPNs are a primary tool for circumvention, routing your traffic through servers in unrestricted countries. In countries with sophisticated firewalls (like China's Great Firewall), standard VPN protocols get blocked — which is why obfuscated protocols like Shadowsocks were specifically designed to look like innocent HTTPS traffic and slip through.

Connection Logging

Connection logging refers to a VPN provider recording metadata about your sessions — such as when you connected, what server you used, and how long you were online. Some providers log this for troubleshooting while claiming a "no-log policy." The distinction matters: a provider can truthfully have no content logs while still keeping connection metadata. Always read the fine print. The gold standard is third-party audited zero-log policies.

Cookie

A cookie is a small text file that a website stores in your browser to remember information about you — your login session, shopping cart items, or (less helpfully) your browsing behavior for ad targeting. Third-party cookies, set by advertising networks rather than the site you're visiting, are the primary tool of cross-site tracking. Most major browsers have phased them out, but their legacy infrastructure persists in many ad tech stacks.

D

DDoS (Distributed Denial of Service)

A DDoS attack floods a target server or network with so much traffic from so many sources (often a botnet of hijacked computers) that it becomes overwhelmed and stops responding to legitimate requests. Gamers and content creators are frequent targets. A VPN can help prevent DDoS attacks against you personally by hiding your real IP address — attackers can't flood your connection if they can't find it.

DNS (Domain Name System)

DNS is the internet's phone book. When you type "vizoguard.com" into a browser, a DNS server translates that human-readable name into the numeric IP address (like 104.21.33.80) that computers actually use to route traffic. Without DNS, you'd have to memorize IP addresses for every website. VPNs route your DNS queries through their own servers to prevent your ISP from seeing which sites you're visiting.

DNS Leak

A DNS leak occurs when your VPN is supposed to be hiding your traffic, but your DNS requests sneak out the side door like a teenager at prom. Specifically: your device sends DNS queries outside the encrypted tunnel — straight to your ISP's servers — exposing which websites you're looking up even though your connection data is encrypted. Quality VPNs include DNS leak protection and route all queries through their own resolver.

Dark Web

The dark web is a portion of the internet that requires special software (primarily Tor) to access. It's not indexed by search engines and not reachable via a standard browser. While it has legitimate uses — anonymous journalism, privacy-preserving communication in authoritarian countries — it's also home to illegal marketplaces. A VPN alone does not give you access to the dark web; Tor does. But using both together adds an additional layer of anonymity.

Data Encryption

Data encryption is the process of scrambling information using a mathematical algorithm so that only someone with the correct decryption key can read it. VPNs encrypt all data traveling between your device and the VPN server. Encryption is why a hacker intercepting your traffic on a coffee shop Wi-Fi sees random gibberish instead of your passwords and messages. Modern encryption algorithms like AES-256 and ChaCha20 are effectively unbreakable with current computing technology.

Deep Packet Inspection (DPI)

Deep Packet Inspection is a surveillance and filtering technique used by ISPs and governments to analyze the full contents of network packets — not just the destination address, but the actual payload. DPI can identify VPN protocols, detect specific applications, and block or throttle particular types of traffic. This is how governments block VPNs at the network level. Obfuscation techniques like those used in Shadowsocks disguise VPN packets to evade DPI.

E

Encryption

Encryption is the foundational technology underlying virtually all internet security. It converts readable data (plaintext) into an unreadable format (ciphertext) using a cryptographic algorithm and a key. Only holders of the corresponding decryption key can reverse the process. Everything from your HTTPS web sessions to your VPN tunnel to your iMessage conversations uses encryption. Without it, the internet would be the world's largest unsecured open-air market.

End-to-End Encryption (E2EE)

End-to-end encryption ensures that only the sender and the intended recipient can read a message. Unlike standard encryption (where the service provider can decrypt and read your data on their servers), E2EE means the provider never holds the decryption key — so even if they're hacked or served a court order, they can't hand over your message contents. Signal, WhatsApp (for messages), and ProtonMail use E2EE. Note: a VPN encrypts your connection to the internet, but it doesn't automatically encrypt messages between you and another person.

Evil Twin Attack

An evil twin attack is when a hacker sets up a rogue Wi-Fi hotspot with the same name (SSID) as a legitimate network — say, "Airport_Free_WiFi" — to trick unsuspecting users into connecting to it. Once you're on the attacker's network, they can intercept all your unencrypted traffic, redirect you to fake websites, and harvest credentials. A VPN encrypts your traffic even on evil twin networks, making the attack largely ineffective.

F

Firewall

A firewall is a security system that monitors and controls incoming and outgoing network traffic based on predefined rules. Think of it as a very diligent traffic cop stationed at the entrance to a network — it checks every car (packet) and waves through the legitimate ones while turning away anything suspicious. Firewalls can operate at the hardware level (like a router's built-in firewall), the OS level (Windows Firewall, UFW on Linux), or the application level.

Five Eyes (Nine Eyes, 14 Eyes)

The Five Eyes is an intelligence-sharing alliance between the US, UK, Canada, Australia, and New Zealand. These countries share surveillance data with each other — meaning a subpoena served to a US company could yield data about a UK user's activity. The Nine Eyes adds Denmark, France, Netherlands, and Norway. The 14 Eyes extends to Belgium, Germany, Italy, Spain, and Sweden. Privacy-focused VPN users pay attention to where a VPN provider is incorporated, because jurisdiction determines who can compel them to hand over data.

G

Geo-blocking

Geo-blocking is the practice of restricting access to content based on the user's geographic location. Netflix shows different libraries in different countries; some sports broadcasts are blacked out in certain regions; government websites may be inaccessible from abroad. VPNs let you route your traffic through a server in a different country, presenting that country's IP address to the destination site and effectively teleporting past the geographic restriction.

GDPR (General Data Protection Regulation)

GDPR is the European Union's landmark data privacy law that came into force in 2018. It gives EU residents rights over their personal data — including the right to access it, correct it, delete it, and know who's processing it. It also imposes strict obligations on any company that handles EU residents' data, regardless of where that company is based. GDPR violations can result in fines up to 4% of a company's global annual revenue. It's the reason every website started showing cookie consent banners.

H

HTTPS

HTTPS (HyperText Transfer Protocol Secure) is the encrypted version of HTTP — the protocol your browser uses to communicate with websites. The "S" stands for Secure, meaning the connection between your browser and the web server is encrypted via TLS. HTTPS protects your data from being read or tampered with in transit. Crucially, HTTPS encrypts the content of your requests, but your ISP can still see the domain name you're visiting. A VPN hides even that.

Homoglyph Attack

A homoglyph attack (also called a lookalike domain attack) exploits the visual similarity between different Unicode characters to create fraudulent domain names. For example, replacing the Latin "a" in "apple.com" with a Cyrillic "а" that looks identical on screen but resolves to a completely different domain. Victims type what they think is a legitimate URL and land on a phishing site instead. This is why careful URL inspection — and a VPN or security tool with phishing domain blocking — matters.

I

IP Address

An IP address (Internet Protocol address) is a unique numerical label assigned to every device on a network. It serves two purposes: identifying your device and providing its location in the network so data can be routed correctly. Your IP address reveals your approximate geographic location and is tied to your ISP account — making it a primary identifier for online surveillance. Hiding your IP address with a VPN replaces your real IP with the server's IP, masking your location and identity from websites and advertisers.

ISP (Internet Service Provider)

Your ISP is the company that provides your internet connection — think Comcast, AT&T, BT, or your local cable company. Your ISP sits between you and the rest of the internet, which means they can see every website you visit, every app you use, and when you use them. In many countries, ISPs are legally permitted to log this data and sell it to advertisers. A VPN encrypts your traffic so your ISP can see that you're connected to a VPN server but cannot see what you're doing beyond that.

IKEv2 (Internet Key Exchange version 2)

IKEv2 is a VPN tunneling protocol developed by Microsoft and Cisco. It's particularly well-suited to mobile devices because of its MOBIKE (Mobility and Multihoming Protocol) feature, which lets you seamlessly switch between Wi-Fi and cellular networks without dropping the VPN connection. It's fast, stable, and natively supported by iOS, Windows, and macOS. For general desktop use, WireGuard has largely superseded it in performance benchmarks.

K

Kill Switch

A kill switch is a VPN safety net that automatically blocks all internet traffic if the VPN connection drops unexpectedly. Without it, the split second between a VPN disconnect and reconnect is enough to expose your real IP address and send unencrypted traffic. With it, your internet just stops until the VPN reconnects — no leaks. If you're doing anything where privacy is non-negotiable, a kill switch is non-negotiable. Vizoguard includes a kill switch on all plans.

Key Exchange

Key exchange is the cryptographic process by which two parties establish a shared secret key over an insecure channel — without ever directly transmitting the key itself. The most common method is Diffie-Hellman key exchange, which uses mathematical operations that are easy to perform but practically impossible to reverse. In VPN protocols, key exchange happens during the handshake phase when your client connects to the server, establishing the encrypted tunnel before any data flows.

L

Latency

Latency is the time it takes for a data packet to travel from your device to a server and back — measured in milliseconds (ms). Lower is better. VPNs add some latency because traffic must travel to a VPN server before reaching its destination. A well-run VPN with servers near your location adds only 1-10ms — imperceptible in daily use. Connecting to a VPN server on the other side of the planet for a game server in your city, however, will not end well. Choose servers wisely.

Logging Policy

A VPN's logging policy is its written commitment — and ideally audited practice — describing exactly what data it records about your activity. Policies range from "full logs" (connection times, IP addresses, browsing history — the privacy equivalent of a goldfish bowl) to "zero logs" (literally nothing stored about your session). Always read the actual policy document, not just the marketing headline. Third-party audits by firms like Cure53 or Deloitte are the best evidence that a zero-log claim is real.

M

MITM (Man-in-the-Middle Attack)

A man-in-the-middle attack occurs when an attacker secretly intercepts and potentially alters communications between two parties who believe they're talking directly to each other. Imagine passing notes in class, only to discover the person in the middle has been reading every note and occasionally swapping them for fake ones. On public Wi-Fi, MITM attacks are a primary threat — an attacker on the same network can intercept unencrypted traffic. See how to stay safe on public Wi-Fi. A VPN defeats MITM by encrypting all traffic end-to-end between your device and the VPN server.

Malware

Malware (malicious software) is any software designed to damage, disrupt, or gain unauthorized access to a system. The malware family includes viruses, trojans, ransomware, spyware, adware, and worms. Learn more about malware types and how they spread. A VPN does not protect against malware you download or execute — that's the domain of antivirus and endpoint security tools. However, some VPN providers block known malware distribution domains at the network level.

Multi-hop VPN

A multi-hop VPN (also called double VPN) routes your traffic through two or more VPN servers in sequence before it exits to the internet. The result: even the first server only knows your real IP, and only the last server knows your destination — no single server has both pieces of information. It's the VPN equivalent of a relay race where no single runner knows both the start and finish line. Multi-hop adds latency and overhead but dramatically increases anonymity for high-risk use cases.

N

No-Log Policy

A no-log policy (see also: zero-log policy) is a VPN provider's commitment not to record your browsing activity, IP address, connection timestamps, session duration, or any other data that could identify or incriminate you. It's the single most important differentiator between trustworthy VPNs and data-harvesting ones. The catch: anyone can claim a no-log policy. Look for providers that have been independently audited and whose claims have been validated under real-world conditions (such as successfully resisting government data requests). Vizoguard's privacy architecture is built around zero-logging.

NAT (Network Address Translation)

NAT is a technique used by routers to allow multiple devices on a private network to share a single public IP address. Your home router uses NAT: your laptop, phone, and smart TV all have private IP addresses (like 192.168.x.x) that are translated to your single public IP before traffic leaves your network. VPNs use NAT on their server side as well. NAT is also why port forwarding is necessary for certain applications — incoming connections can't find the right device without an explicit mapping.

O

Obfuscation

Obfuscation in VPN contexts refers to disguising VPN traffic to make it look like ordinary HTTPS web traffic, defeating deep packet inspection systems that would otherwise detect and block it. It's the difference between wearing a disguise and going out in costume — except the costume is "regular person browsing the web" and the disguise is "actually a VPN tunnel." Protocols like Shadowsocks and obfs4 (used by Tor bridges) are built specifically for obfuscation. Essential in countries with aggressive internet censorship.

OpenVPN

OpenVPN is an open-source VPN protocol that has been the industry workhorse since 2001. It's battle-tested, extensively audited, and compatible with virtually every operating system and platform. Its 100,000+ line codebase makes it harder to audit than newer alternatives, and it's generally slower than WireGuard. But its maturity means its vulnerabilities are well-catalogued and patched. Many enterprise VPNs and providers still default to OpenVPN for maximum compatibility.

P

Packet Sniffing

Packet sniffing is the practice of capturing and inspecting data packets as they travel across a network. Legitimate uses include network troubleshooting and security analysis. Malicious uses include stealing credentials and session tokens from unencrypted connections. Tools like Wireshark make packet sniffing trivial on open networks — which is exactly why you should never use public Wi-Fi without a VPN. When traffic is encrypted by a VPN, packet sniffers capture only meaningless ciphertext.

Phishing

Phishing is a social engineering attack where criminals impersonate trusted entities (banks, employers, government agencies, popular services) to trick victims into revealing credentials, downloading malware, or transferring money. The name comes from "fishing" — baiting the hook and waiting for someone to bite. Learn how to recognize and block phishing attacks. Modern phishing has evolved beyond obvious misspelled emails into highly convincing, personalized spear-phishing campaigns that fool even security professionals.

Port Forwarding

Port forwarding (also called port mapping) is a networking technique that directs incoming traffic on a specific port number to a specific device on a private network. It's how you'd host a game server at home or remotely access a device behind a router. Some VPN providers offer static IP addresses with port forwarding, which is useful for torrenting, self-hosting, or accessing home devices remotely. Most standard consumer VPN plans do not include port forwarding.

Protocol

In networking, a protocol is a standardized set of rules that governs how data is transmitted between devices. VPN protocols (like WireGuard, OpenVPN, IKEv2, and Shadowsocks) define how your encrypted tunnel is built, how authentication works, and how data is packaged and delivered. The choice of protocol affects speed, security, and the ability to evade censorship. Think of protocols as different transportation methods — all get you from A to B, but via very different routes and at different speeds.

Proxy Server

A proxy server acts as an intermediary between your device and the internet, forwarding your requests on your behalf. Like a VPN, it can hide your IP address and bypass geo-restrictions. Unlike a VPN, a standard proxy does not encrypt your traffic — it just changes your apparent location. See the full VPN vs proxy comparison. Proxies are faster and simpler but provide no privacy from your ISP or anyone monitoring the connection. For serious privacy needs, use a VPN.

PGP (Pretty Good Privacy)

PGP is an encryption program created by Phil Zimmermann in 1991 that provides cryptographic privacy and authentication for data communication — most famously, email. It uses a combination of public-key and symmetric-key cryptography: you publish a public key that anyone can use to encrypt a message to you, and only your private key can decrypt it. PGP is still widely used by journalists, security researchers, and privacy advocates. Its open standard, OpenPGP, is implemented in tools like GPG (GNU Privacy Guard).

R

Ransomware

Ransomware is malware that encrypts your files and demands payment (typically in cryptocurrency) to restore access. It's one of the most destructive and profitable forms of cybercrime — hospitals, city governments, and major corporations have all paid millions in ransom. A VPN does not protect against ransomware directly (it's typically delivered via phishing or compromised software), but blocking known malicious domains and regularly backing up data are the primary defenses. If you're hit: don't pay. Restore from backups.

Router VPN

A router VPN is a VPN configured directly on a router rather than on individual devices. The benefit: every device that connects to that router — phones, laptops, smart TVs, gaming consoles, IoT devices — is automatically protected by the VPN without needing any separate apps installed. The downside: router VPNs are harder to set up, can be slower depending on the router's hardware, and require a router that supports VPN client firmware (like DD-WRT or Tomato).

S

Shadowsocks

Shadowsocks is an open-source encrypted proxy protocol originally created in China to circumvent the Great Firewall. Unlike traditional VPN protocols, which have recognizable traffic signatures that DPI systems can identify and block, Shadowsocks disguises traffic as ordinary HTTPS. It's not technically a VPN — it's a SOCKS5 proxy with encryption — but it provides similar benefits with far better censorship resistance. Vizoguard uses Shadowsocks-based infrastructure specifically because it reliably works in restricted regions where OpenVPN and WireGuard get blocked.

Split Tunneling

Split tunneling is a VPN feature that lets you decide which apps or websites use the VPN tunnel and which connect to the internet directly. For example: route your work email and sensitive banking through the VPN, but let Netflix stream directly for maximum speed. It gives you fine-grained control over your privacy and performance trade-offs. The flip side: apps not going through the VPN are unprotected — so decide carefully what's in and what's out.

SOCKS5

SOCKS5 is a proxy protocol that routes your traffic through a proxy server without modifying or encrypting the data packets. Compared to HTTP proxies, SOCKS5 works with any type of traffic (not just web browsing) — games, BitTorrent, messaging apps. Unlike VPNs, SOCKS5 doesn't encrypt traffic, but it's faster because of the reduced overhead. Shadowsocks is built on top of SOCKS5 with added encryption. SOCKS5 proxies are commonly offered by VPN providers as a supplement to the main VPN connection.

SSL/TLS

SSL (Secure Sockets Layer) and its modern successor TLS (Transport Layer Security) are cryptographic protocols that provide secure communication over the internet. HTTPS uses TLS to encrypt the connection between your browser and a web server. Despite TLS being the current standard since the mid-2000s, "SSL" persists as casual shorthand for both. When you see a padlock icon in your browser's address bar, TLS is doing the work. OpenVPN also uses TLS for authentication during the handshake phase.

Spyware

Spyware is malware that secretly monitors your activity and sends data back to the attacker — keystrokes, screen captures, webcam footage, login credentials, browsing history. The insidious part: it's designed to be invisible. You might run spyware on your device for months without knowing. Some commercial "stalkerware" products sold as parental monitoring or employee surveillance tools share the same architecture. Endpoint security software and regular system audits are the primary defenses.

Spoofing

Spoofing is the act of impersonating something trusted — an IP address, email sender, DNS response, caller ID, or even a website — to deceive the target into trusting malicious traffic or content. IP spoofing can be used to disguise the source of DDoS attacks. Email spoofing makes phishing emails appear to come from legitimate senders. DNS spoofing redirects users to fraudulent sites. A VPN protects against some forms of spoofing by verifying server identity through cryptographic certificates during the handshake.

T

Tor (The Onion Router)

Tor is a privacy network that routes your internet traffic through a series of volunteer-operated servers (called nodes or relays), each encrypting the connection so no single node knows both the origin and destination of your traffic. The "onion" metaphor comes from this layered encryption. Tor provides stronger anonymity than a VPN but is significantly slower (due to multiple hops) and can't bypass censorship in countries that block Tor directly. Some users combine Tor and a VPN for maximum privacy — though this adds complexity.

Tunneling

Tunneling is the process of encapsulating one network protocol inside another, creating a private channel — a "tunnel" — through a public network. VPN tunneling wraps your regular internet traffic (HTTP, HTTPS, streaming protocols) inside an encrypted VPN protocol envelope, shielding it from inspection while it travels across the public internet. The tunnel analogy is apt: everything that happens inside is invisible to observers on the outside, even though the outer shell travels the same public infrastructure.

Two-Factor Authentication (2FA)

Two-factor authentication requires you to provide two separate forms of verification to log into an account — typically something you know (a password) and something you have (a code from an authenticator app, a hardware key, or a text message). Even if an attacker obtains your password, they can't access your account without the second factor. Enable 2FA on every service that offers it: your email, financial accounts, VPN account, and password manager. It's the single highest-impact security improvement most people can make today.

Trojan

A trojan (or trojan horse) is malware disguised as legitimate software. Like the legendary wooden horse, it appears harmless — a free game, a cracked app, a "helpful" utility — but contains malicious code that activates once installed. Trojans can install backdoors, download additional malware, steal data, or recruit your device into a botnet. The primary defense: only download software from official sources, verify checksums when available, and keep your endpoint security software updated.

V

VPN (Virtual Private Network)

A VPN is software that creates an encrypted tunnel between your device and a remote server, routing your internet traffic through that server before it reaches the open internet. The result: your real IP address is hidden, your data is unreadable to observers, and your apparent location shifts to wherever the VPN server is. Read the full guide to what a VPN is and how it works. VPNs are used for privacy protection, censorship circumvention, secure remote work, and accessing geo-restricted content.

VPN Client

A VPN client is the software application installed on your device — your laptop, phone, or tablet — that establishes and manages the VPN connection. It handles authentication, negotiates the encrypted tunnel with the VPN server, manages DNS, and typically provides a kill switch. The client is what you interact with: clicking "Connect," choosing a server location, and monitoring your connection status. Without a client, you'd have to configure the VPN manually through your OS settings — possible but tedious.

VPN Server

A VPN server is the remote machine operated by the VPN provider that your client connects to. It decrypts your incoming traffic, forwards your requests to their destinations on the open internet, receives the responses, encrypts them, and sends them back through the tunnel to you. To the outside world, all requests appear to come from the VPN server's IP address. The geographic location of servers determines which regions you can "appear" to be in and affects connection latency.

VPN Tunnel

The VPN tunnel is the encrypted channel established between your device and the VPN server. Everything that passes through it — your web requests, streaming data, messages — is encapsulated in encrypted packets that look like random data to anyone observing the connection. The tunnel is established during the handshake phase (key exchange and authentication) and maintained for the duration of your VPN session. If the tunnel drops, a kill switch cuts your internet connection to prevent data from leaking outside it.

W

WireGuard

WireGuard is a modern open-source VPN protocol designed by Jason Donenfeld and first released in 2015. Its defining characteristic is radical simplicity: roughly 4,000 lines of code versus OpenVPN's 100,000+, making it far easier to audit and less likely to contain hidden vulnerabilities. It uses state-of-the-art cryptography (ChaCha20-Poly1305 for encryption, Curve25519 for key exchange) and consistently outperforms older protocols in speed benchmarks. WireGuard is now the default protocol for many leading VPN providers and is included in the Linux kernel since 5.6.

Warrant Canary

A warrant canary is a regularly published statement by a company asserting that it has not received any secret government subpoenas, national security letters, or gag orders. The "canary" logic: if the statement disappears or changes, users infer the company received a secret legal order it's prohibited from disclosing. It's a clever legal workaround — companies can't always announce they've received a court order, but they also can't be compelled to lie by claiming they haven't. Privacy-focused VPN providers commonly maintain warrant canaries.

Z

Zero-Day Exploit

A zero-day exploit takes advantage of a software vulnerability that the developer is unaware of — so there have been "zero days" to develop and release a patch. Zero-days are the most dangerous type of vulnerability because there's no available fix at the time of attack. Nation-state hackers and sophisticated criminal groups stockpile zero-days for targeted attacks. The term also applies to the day a vulnerability becomes publicly known but before a patch is released ("zero days to patch"). Keeping software updated minimizes — though never eliminates — exposure.

Zero-Knowledge Proof

A zero-knowledge proof is a cryptographic method by which one party (the prover) can demonstrate to another party (the verifier) that they know a piece of information — without revealing the information itself. Example: proving you know a password without sending the password. In privacy technology, zero-knowledge proofs enable systems like anonymous authentication, private auditing, and privacy-preserving blockchain transactions. It's magic that's also math.

Zero-Log Policy

A zero-log policy is a VPN provider's commitment that it records absolutely no data about your online activity, connections, or identity — not even connection timestamps or server assignments. Distinguished from "no browsing logs" policies, which may still retain connection metadata. A genuine zero-log policy means that even if a server were seized or a court order issued, there would be nothing to hand over. Policies should be independently verified through third-party audits to be trusted. It's the cornerstone of any privacy-first VPN.

Put these terms to work with a VPN that lives up to them.

Zero-log policy. AES-256 encryption. Kill switch. Shadowsocks obfuscation. One app, every device.

Get Basic — $24.99/yr Get Pro — $99.99/yr