A payload is the malicious code that executes after exploitation — a reverse shell, Meterpreter session, ransomware encryptor, or command execution capability.
In pen testing: exploit (gets in) + payload (what happens after). Metasploit framework separates exploits from payloads — mix and match. Staged payloads download additional code; stageless payloads are self-contained.