
Version 2.0

Cybersecurity Style Guide


H-1B visa (n.)

A U.S. work visa for specialty occupations.


H.264 (n.), H.264-encoded (adj.)

A video compression standard.

hack (n. or v.)

Do not use in formal writing. Try exploit, access, steal, or a more context-specific verb. In old-school discussions, hacking vs. cracking was an important distinction between the exploratory intent of hackers accessing systems without authorization vs. the often criminal intent of crackers accessing and damaging those same systems.

hacker (n.)

Do not use in formal writing. Use attacker, external threat, malicious user, consultant, security researcher, data scientist, or their job title, depending on the context.

Hacker Dojo

A Bay Area tech community center founded in 2009.


A vulnerability coordination and bug bounty platform.


A 1995 movie about hacking the planet.


Hacker Summer Camp

An unofficial title for the grouping of security conferences in Las Vegas every year in late summer.

Hack the Box

A site for practicing pen testing.



An Apache framework for storing and processing big data.

HAL 9000

A fictional AI from 2001: A Space Odyssey.

Halt and Catch Fire

AMC TV show about hacking, set in the 1980s.


hamburger button (n.)

An icon with three horizontal lines that shows hidden menu options when selected. If the three lines are reduced to dots, it can be called a kebab menu instead.

hang (v.)

When a server or computer hangs, it is nonresponsive. If the requesting computer gives up waiting for a response, it times out.

hard drive (n.)

If it’s a type of drive, use the normal font, as in “SATA drive.” If discussing a drive by name, use the tech font, as in “the C: drive.”

harden (v.), hardening (n. or v.)

To configure applications, systems, or services in a more secure manner, often using common guidelines.

-hardening (n. or adj.)

Always hyphenate.

Ex: host-hardening, system-hardening

hard token (n.)

A physical device used in multi-factor authentication, such as a YubiKey fob. Also called a hardware token.


A tool used for password recovery.

hashtag or # (n.)

Call the [ # ] character a hashtag when indicating a category. Otherwise it’s a pound sign. To avoid confusion with cryptographic hashes, avoid calling this character a hash.

Ex: #poundsign #octothorpe

HAZOP (n.)

A hazard and operability study.


HCI (n.)

Human-computer interaction. Spell out on first use.



High-Definition Multimedia Interface. Do not spell out.

HDTV, HDTVs (n.)

High-definition television. Do not spell out.


An OpenSSL bug.

Hello World

Traditionally, this is the first program written when learning a programming language.

hex (n.), hex-encoded (adj.)

Short for hexadecimal, the base-16 number system.

HID, HIDs (n.)

Human interface device. The USB Rubber Ducky is a keyboard HID. Spell out on first use.


HIDS, HIDSes (n.)

Host-based intrusion detection system. Spell out or define on first use. Avoid using the acronym in the plural if possible.


high-privilege (adj.)

Describes an account or user with elevated permissions. To avoid ambiguity, use the name of the role or permission instead of this term on first mention.


high-res (adj.)

Short for high-resolution, as in images or video. Pronounced “high-rezz.” Informal.


hijack, hijacking (n. or v.)

An umbrella term for attacks that take over controls or assume the role of a user and compromise the system. Avoid the verb when possible in formal writing. Try take over or take advantage of instead.


The Health Insurance Portability and Accountability Act. Pronounced as “hippa.” Spell out on first use.

HITL (adj. or n.)

Human-in-the-loop. Describes simulations that involve human interaction to modify the automated steps of a process. Spell out on first use.


HTTP Live Streaming. A communications protocol. Spell out on first use.


HMAC (n.)

Hash-based message authentication code. Pronounced as “H-mack.” Do not spell out; briefly define on first use.


An open source email server for Windows.



Apple smart speaker.

honey (n.)

Often used as a prefix when describing decoys or bait used as part of security monitoring.

Ex: honey account, honeypot, honeytoken

honeybot (n.)

A Twitterbot troll.


Hackers On Planet Earth. A conference that is typically held every two years in New York City.



A reverse engineering tool.

-hosted (adj.)

Always hyphenate.

Ex: self-hosted


hosts (n.)

Use the tech font, as in


HOTP, HOTPs (n.)

HMAC-based one-time password. Pronounced as letters. Spell out on first use.


hotspot (n.)


hot-swap (v.), hot-swapping (n.)

To change out parts of a machine without interrupting the system.


how-to (n. or adj.), how to (adv.)

Ex: We published a how-to. This is how to do it.


A security tool. Pronounced as “H-ping.”

HPP (n.)

HTTP parameter pollution. Spell out on first use.

HRNG (n.)

Hardware random number generator. Sometimes spelled as HWRNG on Linux systems. Spell out on first use.

HSM, HSMs (n.)

Hardware security module. Spell out on first use.


HTTP Strict Transport Security. Spell out on first use.

h/t or H/T

Hat tip. A way of thanking someone online for being or providing a source. Informal.



Hypertext Markup Language. Do not spell out.


Hypertext transfer protocol. Pronounced as letters. Do not spell out.


http://, https://

No need to include these in URIs unless the presence or lack of secure HTTP is relevant to the narrative.


HTTP method or HTTP verb

The first word in an HTTP request. Write in the normal font.



A flag for protecting HTTP cookies from cross-site scripting attacks.



A group of vulnerabilities in CGI environments that involve the HTTP Proxy header. It was disclosed in 2016.

HTTP response splitting (n.)

A web application vulnerability.

HTTP status (n.)

Information provided in the first line in an HTTP response. Capitalize HTTP statuses in the normal font as if they were titles. Use quotation marks if they might be confused with nearby text.

Ex: 200 OK, 404 Page Not Found, HTTP 413 Request Entity Too Large, 500 Internal Server Error


A kernel-mode driver.

human-in-the-loop (HITL) (adj. or n.)

Simulations that involve human interaction to modify the automated steps of a process. Spell out on first use.

Hunt the Wumpus

A 1970s computer game that is now used to teach basic programming skills.

hyperdrive (n.)

A fictional fast travel system in Star Wars that allows ships to travel into hyperspace at lightspeed.

hypertext (n.)

The “HT” in HTML and HTTP.


hyperthreading (HT) (n.)

An Intel technology that allows simultaneous processing of multiple tasks on a single CPU core. Also known as simultaneous multithreading. Always spell out.


hypervisor (n.)

Also known as a virtual machine monitor (VMM).

