Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Version 2.0

Cybersecurity Style Guide


a vs. an

Use “an” when the next word begins with a vowel sound when spoken, regardless of spelling. A hybrid test. A unified problem. A Xerox machine. An HTTP issue. An SSH tunnel. An underlying cause. An XSS attack.

a11y (n.)

Short for accessibility. Often used in relation to technology. The 11 represents the 11 letters removed from the middle of the word. Pronounced like “ally” or “accessibility.”


abort (v.)

Avoid using this term unless it’s in quoted code. Try force quit, interrupt, or reboot instead.

A/B testing (n. or v.)

An experiment that involves showing different versions to different users.

abuse (n.)

Avoid using this term. Try misuse or malicious use instead.

abuse (v.)

Avoid using this term. Try alter, automate, compromise, deface, exhaust, exploit, force, impersonate, intentionally misuse, leverage, manipulate, reuse indefinitely, take advantage of, or a context-specific verb.


-accessible (adj.)

Always hyphenate.

access point (AP) (n.)

Pronounced as letters. Spell out on first use.

ACE (n.)

Arbitrary code execution or access control entry. Spell out on first use.


ACID (n.)

Atomicity, consistency, isolation, durability.


ACL, ACLs (n.)

Access control list. Spell out on first use.

adb or adb

Android Debug Bridge. adb is both a command-line tool and a specific command. When writing about the command, use the tech font.

ad hoc (adj.)

Describes immature security infrastructure. In networks (especially wireless ones), ad hoc means decentralized.

admin or admin (n.)

Short for administrator. Write in the normal font if referring to admin privileges. If referring to the admin role or username, use the tech font.

adversary (n.)

Do not use this term in formal writing; use attacker or malicious user instead. In cryptography, it has a mathematical meaning, as in global passive adversary (GPA).


Advanced Encryption Standard. Do not spell out; briefly define on first use.

Agile (n.)

A software development approach involving continuous iterative changes, cross-functional teams, and a short feedback cycle.

agnostic (adj.)

Describes an entity that does not have a preference for any particular product, as in platform agnostic. Corporate jargon; use sparingly.

AI (n.)

Artificial intelligence. In technical fields, this term primarily describes machine learning strategies. It has taken on a broader meaning in popular culture. AI can also refer to Amnesty International. Spell out on first use when writing for a general audience.


A suite of tools for testing Wi-Fi network security.

air-gapped (adj.)

Air-gapped systems are disconnected from insecure networks and the internet.

Ajax request or AJAX request (n.)

Asynchronous JavaScript and XML. Do not spell out.



An API management provider.


Amazon AI.


An online retailer based in China.

allowlist, allowlisting (n. or v.)

Bishop Fox’s preferred alternative term to whitelisting. Rephrase to avoid using this term as a verb in formal writing.

alphanumeric (adj.)

Describes strings that contain letters and numbers, but not special characters, punctuation, or spaces.


Put a space after the number, as in “4 a.m. GMT.” Include the time zone if referring to a testing window or specific event. Avoid using military (24-hour) time unless relevant to the context.



Ask me anything. A crowdsourced style of Q&A popularized by Reddit. Can also refer to the American Medical Association, so spell out in non-Q&A contexts.

Amazon Mechanical Turk (MTurk)

An online crowdsourced marketplace where users complete Human Intelligence Tasks (HITs) for money.


Amazon Web Services (AWS)

Spell out on first use. After that, abbreviate as either AWS or Amazon. When discussing individual services within AWS, refer to Amazon’s documentation.

Ex: AWS IAM, Amazon RDS


Use sparingly in formal writing.


Google’s mobile operating system.

angle bracket (n.)

The [ < ] and [ > ] characters.



A JavaScript framework.


Animated emoji created by Apple in 2017.



An international group of 4chan hacktivists with a Guy Fawkes mask symbol.

anonymous (adj.)


Ex: anonymous access



A stateful configuration management suite for Linux systems.

ansible (n.)

A fictional instantaneous hyperspace communication device named by Ursula K. Le Guin.


An internet service provider. Originally stood for America Online.


AP, APs (n.)

Short for access point or Associated Press. Both are pronounced as letters. Spell out on first use to clarify your intended meaning.

Aperture Science

A fictional research company from the Portal series of video games.

API, APIs (n.)

Application programming interface. How software interacts with other software.

APK, .apk file

Android package.

app vs. application

Smart devices like phones and tablets have apps; computers have applications. App can also be a shortened form of application. To the security industry, they are all exploitable.


Technology company founded by Steve Jobs and Steve Wozniak in 1976.

application security (n.)

An alternate term for information security.


APT (n.)

Application penetration testing, advanced persistent threat, or advanced packaging tool. Spell out on first use in public-facing documents.

arbitrary (adj.)

Ex: arbitrary code execution


An animated spy TV show that inspired the name of the Bishop Fox Danger Drone. Also the name of an RSA security product.

Arduino (n.)

Pronounced “ar-dweeno.”


A type of RISC architecture for microprocessors, primarily used in smartphones and tablets. Define briefly on first use.


Advanced Research Projects Agency Network; the original internet. Do not spell out.


artificial ignorance (n.)

A process of removing normal activity from noisy data sets. Also used to describe flaws in artificial intelligence programs. Define on first use.


American Standard Code for Information Interchange. Pronounced “ask-ee.” Do not spell out.


Application-specific integrated circuit. Less commonly, a programming language related to BASIC. Do not spell out.


Address space layout randomization.


Abstract Syntax Notation One.


ASP, ASPs (n.)

Short for application service provider or Active Server Pages, a precursor to ASP.NET.





Authentication Server Response. Spell out on first use.

asset (n.)

Assets are systems, software, applications, libraries, personnel, equipment, or anything else an organization values and wants to protect.

ASV, ASVs (n.)

Approved scanning vendor. Spell out on first use.



Application Security Verification Standard. Spell out on first use.



Short for automated teller machine or “at the moment.” “ATM machine” is redundant.

atomic (adj.), atomicity (n.)

A database transaction property. Transactions can be atomic or non-atomic.


at-rest (adj.), at rest

Ex: It uses at-rest encryption. Encrypt data at rest.

attributes (n.)

If it’s a type of attribute, use the normal font. If it’s a specific attribute, use the tech font, as in “a username attribute.”

audiovisual (AV) (adj. or n.)

Avoid using as a noun in formal writing.


AUP, AUPs (n.)

Acceptable use policy. Spell out on first use.

auth (n.)

Short for authentication or authorization. Sometimes written as AuthN and AuthZ, respectively, to clarify which word is abbreviated. Spell out on first use to avoid confusion.

autocomplete (n. or v.)

A generic term for an application feature that predicts the rest of the word or phrase as a user types.

autocorrect (n. or v.)

A generic term for an application feature that fixes identified mistakes in typed words.

automation (n.)

The automatic operation of required processes.

AV (adj. or n.)

Antivirus or audiovisual. Pronounced as letters or the whole word.


availability (n.)

The responsiveness of a system. Denial-of-service attacks affect a system’s availability.


A programming language used primarily for text processing.



A cloud computing service operated by Microsoft.

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.