These threats and loopholes are basically the same ones commonly used as references for VA-PT testing. For example, according to the OWASP Top 10 for web applications, they are:
Broken Access Control
Vulnerable and Outdated Components
Identification and Authentication Failures
Software and Data Integrity Failures
Security Logging and Monitoring Failures
Server-Side Request Forgery
The main difference in their use is that such threats are applied against zero-day vulnerabilities, which are vulnerabilities that are either unknown to the organization (i.e., it does not know they require mitigation) or known but for which a patch has not yet been developed.
Until the zero-day vulnerabilities are mitigated, hackers can exploit them to compromise information security. For such situations, applying control 6.1.4 (Contact with special interest groups), for earlier identification of zero-day vulnerabilities, is highly recommended.
These articles provide further explanation of OWASP and special interest groups: