Use “an” when the next word begins with a vowel sound when spoken, regardless of spelling. A hybrid test. A unified problem. A Xerox machine. An HTTP issue. An SSH tunnel. An underlying cause. An XSS attack.
Short for accessibility. Often used in relation to technology. The 11 represents the 11 letters removed from the middle of the word. Pronounced like “ally” or “accessibility.”
Avoid using this term unless it’s in quoted code. Try force quit, interrupt, or reboot instead.
An experiment that involves showing different versions to different users.
Avoid using this term. Try misuse or malicious use instead.
Avoid using this term. Try alter, automate, compromise, deface, exhaust, exploit, force, impersonate, intentionally misuse, leverage, manipulate, reuse indefinitely, take advantage of, or a context-specific verb.
Pronounced as letters. Spell out on first use.
Arbitrary code execution or access control entry. Spell out on first use.
Access control list. Spell out on first use.
Spell out on first use.
Android Debug Bridge. adb is both a command-line tool and a specific command. When writing about the command, use the tech font.
Describes immature security infrastructure. In networks (especially wireless ones), ad hoc means decentralized.
Short for administrator. Write in the normal font if referring to admin privileges. If referring to the admin role or username, use the tech font.
Do not use this term in formal writing; use attacker or malicious user instead. In cryptography, it has a mathematical meaning, as in global passive adversary (GPA).
Advanced Encryption Standard. Do not spell out; briefly define on first use.
A software development approach involving continuous iterative changes, cross-functional teams, and a short feedback cycle.
Describes an entity that does not have a preference for any particular product, as in platform agnostic. Corporate jargon; use sparingly.
Artificial intelligence. In technical fields, this term primarily describes machine learning strategies. It has taken on a broader meaning in popular culture. AI can also refer to Amnesty International. Spell out on first use when writing for a general audience.
A suite of tools for testing Wi-Fi network security.
Air-gapped systems are disconnected from insecure networks and the internet.
An API management provider.
An online retailer based in China.
Bishop Fox’s preferred alternative term to whitelisting. Rephrase to avoid using this term as a verb in formal writing.
Describes strings that contain letters and numbers, but not special characters, punctuation, or spaces.
Put a space after the number, as in “4 a.m. GMT.” Include the time zone if referring to a testing window or specific event. Avoid using military (24-hour) time unless relevant to the context.
Ask me anything. A crowdsourced style of Q&A popularized by Reddit. Can also refer to the American Medical Association, so spell out in non-Q&A contexts.
An online crowdsourced marketplace where users complete Human Intelligence Tasks (HITs) for money.
Spell out on first use. After that, abbreviate as either AWS or Amazon. When discussing individual services within AWS, refer to Amazon’s documentation.
Ex: AWS IAM, Amazon RDS
Use sparingly in formal writing.
An international group of 4chan hacktivists with a Guy Fawkes mask symbol.
A stateful configuration management suite for Linux systems.
A fictional instantaneous hyperspace communication device named by Ursula K. Le Guin.
Short for access point or Associated Press. Both are pronounced as letters. Spell out on first use to clarify your intended meaning.
A fictional research company from the Portal series of video games.
Application programming interface. How software interacts with other software.
Smart devices like phones and tablets have apps; computers have applications. App can also be a shortened form of application. To the security industry, they are all exploitable.
Spell out on first use.
Technology company founded by Steve Jobs and Steve Wozniak in 1976.
Application penetration testing, advanced persistent threat, or advanced packaging tool. Spell out on first use in public-facing documents.
Ex: arbitrary code execution
An animated spy TV show that inspired the name of the Bishop Fox Danger Drone. Also the name of an RSA security product.
A type of RISC architecture for microprocessors, primarily used in smartphones and tablets. Define briefly on first use.
Advanced Research Projects Agency Network; the original internet. Do not spell out.
A process of removing normal activity from noisy data sets. Also used to describe flaws in artificial intelligence programs. Define on first use.
In technical fields, this term primarily describes machine learning strategies. It has taken on a broader meaning in popular culture.
American Standard Code for Information Interchange. Pronounced “ask-ee.” Do not spell out.
Application-specific integrated circuit. Less commonly, a programming language related to BASIC. Do not spell out.
Short for application service provider or Active Server Pages, a precursor to ASP.NET.
Authentication Server Response. Spell out on first use.
Assets are systems, software, applications, libraries, personnel, equipment, or anything else an organization values and wants to protect.
Short for automated teller machine or “at the moment.” “ATM machine” is redundant.
A database transaction property. Transactions can be atomic or non-atomic.
Ex: It uses at-rest encryption. Encrypt data at rest.
A sequence of attacker actions.
If it’s a type of attribute, use the normal font. If it’s a specific attribute, use the tech font, as in “a
Acceptable use policy. Spell out on first use.
Short for authentication or authorization. Sometimes written as AuthN and AuthZ, respectively, to clarify which word is abbreviated. Spell out on first use to avoid confusion.
A generic term for an application feature that predicts the rest of the word or phrase as a user types.
A generic term for an application feature that fixes identified mistakes in typed words.
The automatic operation of required processes.
Antivirus or audiovisual. Pronounced as letters or the whole word.
The responsiveness of a system. Denial-of-service attacks affect a system’s availability.
Amazon Web Services.