What are the General Types of Cybersecurity?

TL;DR
  • Network Security — protects traffic, infrastructure, and connectivity. Addresses DDoS attacks, intrusion, and man-in-the-middle attacks.
  • Application Security — protects software and web applications. Addresses cross-site scripting (XSS), SQL injection, and API abuse.
  • Cloud Security — protects cloud environments and services. Addresses misconfigurations, account hijacking, and sensitive data exposure.
  • Endpoint Security — protects devices including laptops, phones, and servers. Addresses ransomware attacks, malware, and credential theft.
  • Information Security — protects data wherever it lives. Addresses data theft, exfiltration, and insider threats.
  • Identity and Access Management (IAM) — protects user identity and access rights. Addresses credential attacks and privilege escalation.
  • IoT Security — protects connected devices and operational technology. Addresses device hijacking and botnet recruitment.
  • Operational Security — protects processes, procedures, and human decisions. Addresses human error, supply chain attacks, and OPSEC failures.

Cybersecurity is not one discipline. It is eight overlapping domains, each protecting a different layer of an organisation’s digital environment. A ransomware attack exploits endpoint security weaknesses. A DDoS attack overwhelms network infrastructure. A phishing campaign targets identity and access controls. Cross-site scripting exploits application vulnerabilities.

Understanding the different types of cybersecurity matters because each type addresses a distinct attack surface with distinct tools, techniques, and expertise. An organisation that invests heavily in network security but neglects cloud security is exposed at the layer threat actors are increasingly targeting. Knowing the types tells you where the gaps are.

This guide covers all eight types of cybersecurity in 2026: what each one protects, the specific cyber threats it addresses, the tools that deliver it, and how they connect to each other.

All 8 types of cybersecurity at a glance

| Type | What it protects | Key threats it addresses | Core tools |
|---|---|---|---|
| Network security | Traffic, infrastructure, connectivity | DDoS, intrusion, man-in-the-middle | IDS/IPS, firewalls, VPN, SASE |
| Application security | Software and web applications | XSS, SQL injection, API abuse | WAF, SAST, DAST, CSSLP |
| Cloud security | Cloud environments and services | Misconfig, account hijack, data exposure | CSPM, CASB, cloud-native SIEM |
| Endpoint security | Devices: laptops, phones, servers | Ransomware, malware, credential theft | EDR/XDR, MDM, AV |
| Information security | Data wherever it lives | Data theft, exfiltration, insider threats | DLP, encryption, access controls |
| Identity and access management | User identity and access rights | Credential attacks, privilege escalation | MFA, SSO, PAM, Zero Trust |
| IoT security | Connected devices and OT systems | Device hijack, botnet recruitment | Network segmentation, firmware mgmt |
| Operational security | Processes, procedures, decisions | Human error, supply chain, OPSEC failures | IR plans, change management, audits |

The 8 types of cybersecurity explained

1 Network security

Network security protects the infrastructure that carries data between systems: routers, switches, firewalls, wireless access points, VPNs, and the connections between cloud environments and on-premise systems. If an attacker gains access to the network layer, they can intercept traffic, redirect communications, disrupt availability, and move laterally between systems without touching any application or endpoint directly.

The primary threats network security defends against are distributed denial of service (DDoS) attacks, which flood infrastructure with traffic to overwhelm availability; man-in-the-middle attacks, which intercept communications between two parties; and unauthorised network intrusion, which is the first step in most multi-stage breaches.

  • Key tools: Firewalls, IDS/IPS (Intrusion Detection and Prevention Systems), network segmentation, VPNs, Zero Trust Network Access (ZTNA), Secure Access Service Edge (SASE)
  • 2026 context: SASE has become the dominant architecture for organisations with hybrid workforces. It combines network security and wide-area networking into a single cloud-delivered service, removing the need for traffic to backhaul through a central data centre before reaching cloud applications.

2 Application security

Application security covers the protection of software throughout its development lifecycle and during operation. Every application that handles sensitive data, processes user input, or connects to other systems is a potential entry point. Vulnerabilities in application code are exploited at scale: the OWASP Top 10 list of web application vulnerabilities has remained largely consistent for over a decade because developers continue to introduce the same classes of flaws.

Cross-site scripting (XSS) allows attackers to inject malicious scripts into web pages viewed by other users, stealing session tokens and sensitive information. SQL injection manipulates database queries to extract or modify data. API security failures expose backend logic and data to unauthorised access. All three are application-layer vulnerabilities that network firewalls cannot detect or block.

  • Key tools: Web Application Firewalls (WAF), SAST (Static Application Security Testing), DAST (Dynamic Application Security Testing), Snyk, Checkmarx, OWASP ZAP
  • Key certification: CSSLP (Certified Secure Software Lifecycle Professional)

3 Cloud security

Cloud security protects data, applications, and infrastructure hosted in cloud environments across AWS, Azure, GCP, and SaaS platforms. As organisations shift workloads to the cloud, the attack surface shifts with them. The most common cloud security failures are not sophisticated attacks. They are misconfigurations: a storage bucket left publicly accessible, an IAM role with excessive permissions, an API endpoint exposed without authentication.

Cloud environments also introduce the shared responsibility model: the cloud provider secures the underlying infrastructure, but the customer is responsible for securing everything deployed on top of it. Many breaches occur in the gap between what organisations assume the provider covers and what they are actually responsible for.

  • Key tools: Cloud Security Posture Management (CSPM), Cloud Access Security Broker (CASB), cloud-native SIEM integration (AWS GuardDuty, Microsoft Defender for Cloud), KSPM for Kubernetes environments
  • 2026 context: ISC2 identifies cloud security as the second most demanded cybersecurity skill globally. Every major breach report in 2025 included at least one cloud misconfiguration as an enabling factor.

The unique challenge of cloud security: On-premise environments have a defined perimeter. Cloud environments do not. Every misconfigured resource, over-permissioned service account, and unsecured API is effectively internet-facing. Continuous posture management, not periodic audits, is the standard for cloud security in 2026.
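A minimal posture check for two of the misconfigurations named above, the publicly accessible bucket and the over-permissioned role. This is an added example, not code from the original article or from any CSPM product; the policy names and documents are constructed, written in AWS-style policy JSON, and a statement with a `Condition` is assumed not to be public.

```python
import json

def _as_list(value):
    """IAM policy grammar lets most fields be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _is_wildcard_principal(principal):
    """True for "Principal": "*" and for forms such as {"AWS": "*"}."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return any("*" in _as_list(v) for v in principal.values())
    return False

def audit_policy(name, policy):
    """Return (policy name, finding, actions) tuples for one policy document."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        # Resource policy open to anyone, with no Condition narrowing it.
        if _is_wildcard_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append((name, "PUBLIC_ACCESS", ",".join(actions)))
        # Identity policy granting every action on every resource.
        if "*" in actions and "*" in resources:
            findings.append((name, "ADMIN_WILDCARD", "*"))
        # Whole-service wildcard such as "s3:*" on all resources.
        elif "*" in resources and any(a.endswith(":*") for a in actions):
            findings.append((name, "SERVICE_WILDCARD", ",".join(actions)))
    return findings

# Constructed sample policies (hypothetical names, example bucket ARN).
SAMPLE_POLICIES = json.loads("""
{
  "public-bucket-policy": {
    "Statement": {"Effect": "Allow", "Principal": "*",
                  "Action": "s3:GetObject",
                  "Resource": "arn:aws:s3:::example-bucket/*"}
  },
  "ci-role-policy": {
    "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]
  },
  "backup-role-policy": {
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}]
  },
  "scoped-reader-policy": {
    "Statement": [{"Effect": "Allow",
                   "Action": ["s3:GetObject", "s3:ListBucket"],
                   "Resource": ["arn:aws:s3:::example-bucket",
                                "arn:aws:s3:::example-bucket/*"]}]
  }
}
""")

def audit_all(policies):
    """Audit every policy in name order so results are stable across runs."""
    findings = []
    for name, policy in sorted(policies.items()):
        findings.extend(audit_policy(name, policy))
    return findings

if __name__ == "__main__":
    for finding in audit_all(SAMPLE_POLICIES):
        print(finding)
```

Running a check like this on every policy change, rather than at audit time, is the difference between continuous posture management and a periodic audit.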

4 Endpoint security

Endpoint security protects the devices that connect to an organisation’s environment: laptops, desktops, mobile phones, tablets, and servers. Each device is a potential entry point for threat actors. Ransomware attacks almost always execute on endpoints first, encrypting local files and spreading to connected network shares. Malware delivered via phishing emails executes on the victim’s device. Credential theft tools run as processes on compromised endpoints.

Traditional antivirus tools detect known threats by signature. They fail against polymorphic malware that rewrites itself to evade detection. Endpoint Detection and Response (EDR) platforms use behavioural analysis to identify threats by what they do, not what they look like. XDR extends this across endpoints, email, network, and cloud simultaneously.

  • Key tools: EDR platforms (CrowdStrike Falcon, SentinelOne, Microsoft Defender for Endpoint), Mobile Device Management (MDM), XDR platforms
  • 2026 context: Remote and hybrid work has expanded the endpoint surface dramatically. Personal devices on home networks, connecting to corporate cloud resources, represent the most difficult endpoint management challenge in modern enterprise security.

5 Information security

Information security protects data itself: its confidentiality, integrity, and availability regardless of where it resides or how it moves. The CIA triad, confidentiality (only authorised parties can access data), integrity (data is accurate and unmodified), and availability (data is accessible when needed), is the foundational framework for this domain.

Threat actors steal data to sell, to leverage for extortion, or to gain competitive intelligence. Insider threats, whether malicious employees or negligent ones, exfiltrate sensitive data through authorised channels that perimeter controls cannot detect. Data Loss Prevention (DLP) tools monitor for and block sensitive data leaving the organisation through email, file transfers, and cloud uploads.

  • Key tools: DLP platforms, encryption (at rest and in transit), sensitivity labelling, Microsoft Purview, backup systems with immutable storage
  • Regulatory context: GDPR, HIPAA, and PCI DSS all mandate specific information security controls. A breach involving personal data triggers mandatory notification obligations regardless of which security type failed to prevent it.

6 Identity and access management (IAM)

Identity has become the primary attack surface in modern environments. In cloud-native architectures, where there is no physical perimeter, identity is the perimeter. Attackers do not break in. They log in. The 2024 Change Healthcare breach exploited stolen credentials with no multi-factor authentication in place. The 2024 Snowflake campaign compromised hundreds of organisations through credential stuffing against accounts without MFA.

IAM controls who can access what, under what conditions, and for how long. Zero Trust architecture treats every access request as untrusted by default and verifies identity continuously rather than only at login. Privileged Access Management (PAM) applies additional controls to accounts with administrative access, which are the highest-value targets for attackers seeking to escalate privileges across computer systems.

  • Key tools: MFA, Single Sign-On (SSO), Privileged Access Management (CyberArk, BeyondTrust), Identity Governance (SailPoint, Saviynt), Azure Active Directory, Okta
  • Key principle: Least privilege access. Every user, service account, and system should have access only to what it needs to function. Nothing more.

7 IoT security

IoT security protects internet-connected devices beyond traditional computing: industrial control systems, medical devices, smart building infrastructure, cameras, manufacturing equipment, and consumer IoT. These devices often run embedded operating systems with minimal security controls, receive infrequent or no firmware updates, and connect directly to corporate networks or the internet.

Threat actors compromise IoT devices to recruit them into botnets for DDoS attacks, to use as pivot points for lateral movement into corporate networks, or to directly manipulate physical systems in operational technology environments. The December 2025 Aisuru-Kimwolf botnet attack, which reached 31.4 terabits per second, was composed primarily of compromised IoT devices.

  • Key controls: Network segmentation to isolate IoT devices from critical systems, firmware management and patch schedules, device inventory and monitoring, disabling default credentials, replacing end-of-life devices that cannot be patched
  • 2026 context: Industrial IoT and OT (operational technology) security has become a national security concern. Attacks on power grids, water treatment facilities, and manufacturing systems via compromised IoT infrastructure are a documented and growing threat.

8 Operational security

Operational security covers the processes, procedures, and human decisions that protect or expose an organisation’s sensitive information and systems. It is the domain that addresses the human layer: how data is handled day to day, how access is provisioned and revoked, how incidents are managed, and how third-party relationships are governed.

Most breach investigations find that at least one operational failure contributed to the incident: a vendor credential that was never deprovisioned, an incident response plan that existed but had never been tested, a change to a production system that bypassed the approval process. Supply chain attacks, like SolarWinds in 2020 and Change Healthcare in 2024, exploit the operational security failures of vendor management.

  • Key controls: Documented and tested incident response plans, access provisioning and deprovisioning processes, change management procedures, vendor risk management programmes, regular security audits
  • The human element: Phishing, social engineering, and insider threats all succeed at the operational layer. Security awareness training, a strong reporting culture, and clear acceptable-use policies are the operational controls that address these vectors.

Which type of cybersecurity addresses which threat?

Cyber attacks do not map neatly to a single security type. Most breaches cross multiple domains. Understanding which type is the primary defence for each threat helps security teams prioritise investment.

| Cyber threat | Primary type | Why that type |
|---|---|---|
| Ransomware attack | Endpoint security | Ransomware executes on devices, encrypts local and network files |
| DDoS attack | Network security | Floods network infrastructure to overwhelm availability |
| Phishing / credential theft | IAM | Goal is credential capture to bypass identity controls |
| Cross-site scripting (XSS) | Application security | Exploits web application input handling to inject malicious code |
| Cloud misconfiguration | Cloud security | Exposed storage, over-permissioned roles, unprotected APIs |
| IoT botnet recruitment | IoT security | Unpatched devices hijacked for DDoS or lateral movement |
| Insider data theft | Information security | Sensitive data exfiltrated via authorised channels by malicious insiders |
| Supply chain attack | Operational security | Third-party vendor compromise reaches internal systems via trusted access |

🔑 The key insight

No single type of cybersecurity stops all attacks. A mature security posture requires all eight types working together. The 2024 Change Healthcare breach involved identity failures (no MFA), operational failures (vendor access not monitored), and endpoint failures (ransomware execution). Any one of those controls, properly implemented, would have reduced the impact.

Build the skills across all types of cybersecurity

Each of the eight cybersecurity types above requires professionals who understand both the theory and the tools. Network security needs engineers who can read packet captures. Cloud security needs analysts who can interpret CloudTrail logs. IAM needs specialists who can design zero trust architectures. Incident response needs professionals who can contain a breach at 2am.

In conclusion

Cybersecurity is eight interconnected domains, not one. Ransomware attacks endpoint security. DDoS targets network infrastructure. Phishing exploits identity controls. Cloud misconfigurations expose data. XSS breaks application security. IoT devices expand the attack surface. Human decisions undermine all of it. Supply chain attacks cross every boundary.

Understanding the types of cybersecurity tells you where your exposure is and which professionals, tools, and controls address each layer. Organisations that treat it as a single problem consistently leave gaps in the domains they have not mapped to a specific owner and a specific set of controls.

FAQ

What are the main types of cybersecurity?

The eight main types of cybersecurity are network security, application security, cloud security, endpoint security, information security, identity and access management (IAM), IoT security, and operational security. Each type protects a distinct layer of an organisation’s digital environment and addresses different cyber threats.

What type of cybersecurity is most important?

No single type is most important in isolation. Identity and access management has become increasingly critical as credential-based attacks now account for the majority of initial access in breaches. Cloud security is the fastest-growing priority as organisations shift workloads off-premise. A breach in any one type can cascade across all others.

What is the difference between network security and information security?

Network security protects the infrastructure and channels that data travels through: firewalls, routers, traffic flows. Information security protects the data itself wherever it resides, at rest on a server, in transit across a network, or in use by an application. Network security stops attackers from reaching data. Information security ensures data is protected even if an attacker reaches it.

Why is cloud security a separate type of cybersecurity?

Cloud environments introduce attack surfaces, threat models, and security controls that do not exist on-premise. Misconfigured storage, over-permissioned IAM roles, exposed APIs, and the shared responsibility model all require cloud-specific security approaches. Traditional network perimeter tools cannot detect or address these threats, which is why cloud security has become a distinct and critical domain.

What cybersecurity type addresses ransomware attacks?

Ransomware primarily requires endpoint security controls: EDR platforms that detect ransomware behaviour before encryption completes, network segmentation that limits lateral spread, and backup systems that allow recovery without paying a ransom. Identity and access management also plays a role, as many ransomware attacks begin with compromised credentials used to gain initial access.

Powered by Metana Editorial Team, our content explores technology, education and innovation. As a team, we strive to provide everything from step-by-step guides to thought-provoking insights, so that our readers can gain impeccable knowledge on emerging trends and new skills to confidently build their careers. While our articles cover a variety of topics, we are highly focused on Web3, Blockchain, Solidity, Full stack, AI and Cybersecurity. These articles are written, reviewed and thoroughly vetted by our team of subject matter experts, instructors and career coaches.
