Glossary P

PaaS provides a managed platform for deploying and running applications without managing the underlying operating system, runtime, or infrastructure. Heroku, Fly.io, and Google App Engine are PaaS offerings. PaaS sits between IaaS (you manage VMs) and SaaS (fully managed products), abstracting infrastructure while giving developers control over application code.

A package manager automates installing, updating, and resolving dependencies for software projects by maintaining a registry of versioned packages and a lockfile that pins exact dependency versions. npm, pnpm, and Yarn manage JavaScript packages; pip handles Python; Cargo manages Rust. Lockfiles are critical for reproducible builds — they ensure all developers and CI environments use identical dependency trees.

PagerDuty is a digital operations management platform that aggregates alerts from monitoring systems and routes them to on-call engineers through phone calls, SMS, push notifications, and Slack. It provides on-call scheduling, escalation policies, incident timelines, and analytics for measuring operational performance. PagerDuty is the dominant commercial incident alerting platform in enterprise DevOps.

Pair programming is an agile practice where two developers work together at one workstation — a driver writes code while a navigator reviews and thinks about design. Roles rotate frequently. Pairing produces higher code quality, faster knowledge transfer, and fewer defects than solo development, though it increases apparent labor cost. Remote pairing is common using screen sharing and collaborative IDEs.

PAM controls and monitors access to privileged accounts — root, admin, and service accounts — that have elevated permissions to critical systems. PAM solutions vault credentials, enforce just-in-time access, record privileged sessions, and alert on anomalous privileged activity. Compromised privileged accounts are among the most impactful attack vectors; PAM reduces the risk of lateral movement and persistence.

Parameterized queries separate SQL code from user-supplied data by using placeholders that the database engine fills in after parsing the query structure. This prevents SQL injection by ensuring user input is always treated as a data value, never as executable SQL syntax. Parameterized queries are the most effective and reliable defense against SQL injection and should be used in all database interactions that incorporate variable data.

Path traversal attacks exploit insufficient validation of file paths to access files outside the intended directory. By inserting sequences like `../` into file path parameters, attackers can read sensitive files such as `/etc/passwd`, application configuration files, or private keys. Prevention requires canonicalizing paths before use and validating that the resolved path is within an allowed base directory.

PBAC is an access control model that evaluates centrally-managed policies to make authorization decisions, combining attributes, context, and rules. Tools like OPA implement PBAC by evaluating Rego policies against request context. PBAC is more flexible than RBAC and more centralized than ABAC, making it suitable for microservices authorization and multi-cloud environments.

PCI DSS is a set of security standards designed to ensure that all companies that process, store, or transmit credit card information maintain a secure environment. Compliance requires implementing controls across network security, access management, encryption, monitoring, and vulnerability management. Non-compliance can result in fines and loss of payment processing privileges.

PEFT refers to a family of fine-tuning techniques that update only a small fraction of a pre-trained model's parameters while achieving performance comparable to full fine-tuning. Methods include LoRA, adapters, prefix tuning, and prompt tuning. PEFT dramatically reduces compute, memory, and storage requirements, making fine-tuning accessible on consumer hardware.

Penetration testing is a simulated cyberattack against systems, networks, or applications to identify exploitable vulnerabilities before real attackers do. Pen testers use the same tools and techniques as malicious actors but with explicit authorization and defined scope. Findings are documented in reports with risk ratings and remediation guidance.

Penetration testing (pen testing) is an authorized simulated cyberattack on a system to evaluate its security posture and identify exploitable vulnerabilities. Testers use the same techniques as malicious attackers — reconnaissance, exploitation, and post-exploitation — to demonstrate real-world attack impact. Pen test findings are typically ranked by risk and presented with remediation guidance, complementing automated scanning with human creativity and judgment.

Permission boundaries are AWS IAM policies that set the maximum permissions an IAM entity (user or role) can have, regardless of what identity-based policies grant. They prevent privilege escalation by ensuring that even if a developer grants themselves or a role additional permissions, those permissions cannot exceed what the boundary allows. Permission boundaries are essential in delegation scenarios where teams manage their own IAM roles within security guardrails established by a central security team.

Perplexity is a metric for evaluating language models that measures how well the model predicts a held-out text sample. It is the exponentiated average negative log-likelihood per token — lower perplexity indicates the model assigns higher probability to the test text. Perplexity is a standard intrinsic evaluation metric but correlates imperfectly with downstream task performance.

PETs are tools and techniques that minimize personal data collection and processing while still enabling useful functionality. Examples include differential privacy (adding statistical noise to aggregate queries), k-anonymity (ensuring individuals are indistinguishable in datasets), data masking, and synthetic data generation. Regulators increasingly expect PETs to be considered when designing data-processing systems.

Phishing is a social engineering attack where adversaries impersonate trusted entities to trick users into revealing credentials, installing malware, or authorizing fraudulent transactions. Spear phishing targets specific individuals with personalized content, while whaling targets executives. Technical mitigations include email authentication (DMARC, SPF, DKIM), anti-phishing browser protections, MFA, and security awareness training.

pip-audit is a Python tool developed by PyPA and Google that audits Python environments and requirement files for packages with known vulnerabilities. It queries the Open Source Vulnerabilities (OSV) database and Python Packaging Advisory Database for vulnerability data. pip-audit integrates into Python CI pipelines similarly to npm audit for JavaScript, providing automated dependency vulnerability detection for Python projects.

Pipeline as code is the practice of defining CI/CD pipeline configuration in version-controlled files (Jenkinsfile, .github/workflows/*.yml, .gitlab-ci.yml) rather than through GUI-based configuration. Treating pipelines as code enables code review, change history, and branch-specific pipeline variations. It is foundational to reproducible and auditable software delivery.

Public key cryptography uses mathematically linked key pairs — a public key for encryption or signature verification and a private key for decryption or signing — enabling secure communication without prior secret exchange. RSA, ECDSA, and Ed25519 are widely used asymmetric algorithms. PKC underpins TLS, SSH, JWT signing, code signing, and the entire PKI ecosystem.

PKI is the framework of hardware, software, policies, and procedures for creating, managing, distributing, and revoking digital certificates. It enables secure electronic communication through asymmetric cryptography, supporting use cases like TLS/SSL, code signing, email encryption, and mutual authentication between services.

The plan/apply workflow is Terraform's two-step process for infrastructure changes: `terraform plan` generates a preview of what will change without making any modifications, and `terraform apply` executes those changes. This workflow enables code review of infrastructure changes before execution and is the basis for GitOps-style infrastructure pipelines where plans are reviewed in pull requests.

Platform engineering is the discipline of building internal developer platforms (IDPs) that provide self-service infrastructure, deployment tooling, and operational capabilities to application teams. Platform teams abstract away cloud complexity, enforce security and compliance guardrails, and enable developers to deploy and operate services without deep infrastructure expertise. It is an evolution of DevOps practices at scale.

A security playbook is a documented set of steps for responding to a specific type of security incident, such as ransomware, phishing, or data breach. Well-written playbooks reduce response time, ensure consistency, and preserve institutional knowledge across analyst shifts. SOAR platforms execute playbooks as automated workflows, with manual steps for decisions requiring human judgment.

A Pod Disruption Budget (PDB) limits the number of pods from a deployment or replica set that can be voluntarily disrupted simultaneously — during node drains, cluster upgrades, or maintenance. PDBs ensure that rolling maintenance operations don't take too many replicas offline at once, maintaining service availability. They are essential for zero-downtime cluster upgrades.

Kubernetes Pod Security Standards (PSS) define three security profiles — Privileged, Baseline, and Restricted — that control the security context settings allowed for pods in a namespace. The Restricted profile enforces best practices like non-root execution, dropping all Linux capabilities, read-only root filesystems, and disabling privilege escalation. Pod Security Admission (PSA), the built-in enforcement mechanism replacing PodSecurityPolicy, applies these standards at the admission stage.

Podman is a daemonless, rootless container engine that provides a Docker-compatible CLI without requiring a privileged background daemon. It improves security by running containers as the invoking user's identity and supports OCI standards natively. Podman is the default container runtime on RHEL and is widely used in security-conscious enterprise environments.

Policy as code expresses security and governance rules as machine-readable code stored in version control, enabling automated enforcement, peer review of policy changes, and consistent application across environments. Tools like OPA, Kyverno, HashiCorp Sentinel, and AWS Config Rules implement policy as code for Kubernetes, infrastructure, and cloud configuration. Policy as code brings software engineering practices (testing, review, versioning) to security policy management.

A postmortem (or post-incident review) is a structured retrospective conducted after an incident to analyze its root causes, contributing factors, and timeline. Blameless postmortems focus on systemic improvements rather than individual fault. The written postmortem document — including a timeline, impact analysis, and action items — is shared broadly to spread learning across the organization.

Security posture drift occurs when cloud infrastructure configuration deviates from approved security baselines over time due to manual changes, automated provisioning without proper guardrails, or configuration changes that bypass IaC workflows. CSPM tools detect drift by continuously comparing actual cloud resource configurations against expected state. Immutable infrastructure patterns and GitOps workflows reduce drift by ensuring all changes are code-reviewed and applied through automated pipelines.

PPO is a reinforcement learning algorithm used in RLHF to fine-tune language models based on reward signals from a reward model. It constrains policy updates to stay close to the previous policy (via a clipping objective), ensuring stable training. PPO-based RLHF powered InstructGPT and ChatGPT, though its complexity has led to the adoption of simpler alternatives like DPO.

Precision is the fraction of retrieved or predicted items that are relevant or correct, calculated as true positives divided by all positive predictions. In information retrieval, high precision means the model returns few irrelevant results. Precision is typically reported alongside recall, and their tradeoff is summarized by the F1 score.

A private endpoint (AWS PrivateLink, Azure Private Link, GCP Private Service Connect) provides private connectivity to a cloud service from within a VPC without traffic traversing the public internet. Private endpoints assign the service a private IP address in the VPC, enabling secure, low-latency access to S3, RDS, and SaaS services from private subnets. They eliminate egress costs for supported services.

Private endpoints (Azure) and Private Service Connect (GCP) provide private IP addresses within a customer's virtual network for accessing managed cloud services, routing traffic entirely within the cloud provider's network. By binding a managed service (Azure Storage, Cloud SQL) to a private endpoint, customers prevent traffic from traversing the public internet and can apply network security groups to control access. Private endpoints are a key control for data exfiltration prevention in regulated cloud environments.

AWS PrivateLink enables private connectivity between VPCs and AWS services (or partner services) without exposing traffic to the public internet. Traffic traverses the AWS backbone network through VPC endpoints, eliminating the need for internet gateways, NAT gateways, or public IP addresses for service-to-service communication. PrivateLink is essential for meeting data sovereignty requirements, reducing internet exposure of sensitive service endpoints, and connecting SaaS services into customer VPCs securely.

Privilege escalation occurs when an attacker gains elevated permissions beyond what was initially granted. Vertical escalation moves from a low-privilege account to a higher-privilege one (e.g., user to admin), while horizontal escalation allows access to resources of other users at the same privilege level. It is commonly achieved by exploiting misconfigurations, vulnerabilities in setuid binaries, or flaws in access control logic.

Cloud privilege escalation refers to techniques where an attacker with limited cloud permissions gains higher privileges by exploiting misconfigurations in IAM policies, resource-based policies, or trust relationships. Common paths include using `iam:CreatePolicyVersion` to replace an existing policy, assuming a more privileged role via `sts:AssumeRole`, or exploiting `lambda:UpdateFunctionCode` to modify a Lambda function's execution role. CIEM tools model these privilege escalation paths to proactively identify and remediate high-risk permission combinations.

Progressive delivery is a deployment strategy that releases new versions incrementally to subsets of users, using real-time metrics to validate health before expanding the rollout. It encompasses canary deployments, blue-green deployments, feature flags, and traffic splitting. Progressive delivery reduces deployment risk by limiting the blast radius of problematic changes.

Prometheus is an open-source monitoring system that scrapes metrics from HTTP endpoints, stores them in a time-series database, and evaluates alerting rules using its PromQL query language. Its pull-based model and multi-dimensional data model (labels) make it highly flexible. Prometheus is the de facto metrics standard in Kubernetes environments and integrates natively with Grafana for visualization.

A prompt is the input text provided to a language model that specifies the task, context, and desired output format. Prompt construction significantly impacts output quality, and prompts can include instructions, examples, role descriptions, and conversation history. The term has expanded to include system prompts, user messages, and tool results in multi-turn API interactions.

Prompt engineering is the practice of designing and optimizing input prompts to elicit desired behaviors from language models without modifying model weights. Techniques include chain-of-thought, few-shot examples, role assignment, output format constraints, and task decomposition. As model capabilities have grown, the boundary between prompt engineering and AI product design has blurred.

Prompt injection is a security vulnerability where malicious content in user inputs or retrieved documents overrides a system prompt's instructions, causing the AI to behave in unintended ways. Indirect prompt injection occurs when the malicious instruction is embedded in external data (web pages, documents) retrieved by an agent. Defending against prompt injection requires input sanitization, privilege separation, and output monitoring.

Pruning reduces model size by removing weights, neurons, attention heads, or layers that contribute minimally to model performance. Structured pruning removes entire components (suitable for hardware acceleration), while unstructured pruning creates sparse weight matrices. Pruned models typically require retraining or distillation to recover accuracy and can be further compressed with quantization.

Pub/Sub decouples message producers (publishers) from consumers (subscribers) through a message broker. Publishers send messages to named topics; subscribers receive all messages on topics they subscribe to, without knowing about publishers. This enables fan-out (one message to many consumers), temporal decoupling (consumers don't need to be online when messages are published), and service independence.

A pull request (PR) is a mechanism for proposing and reviewing code changes before they are merged into a target branch. PRs provide a structured space for code review, automated CI checks, security scans, and approval workflows. They are the primary collaboration unit in trunk-based development and the enforcement point for branch protection rules.

Pulumi is an infrastructure-as-code platform that uses general-purpose programming languages (TypeScript, Python, Go, C#) to define and provision cloud infrastructure. Unlike Terraform's HCL DSL, Pulumi enables loops, conditionals, functions, and type safety natively. It supports all major cloud providers and Kubernetes, with a state management service similar to Terraform Cloud.

A PWA is a web application that uses service workers, manifests, and modern browser APIs to deliver app-like experiences — including offline functionality, push notifications, and home screen installation. PWAs work on any platform with a standards-compliant browser, providing a cross-platform alternative to native apps. Service workers intercept network requests to serve cached content when offline.