Bishop Fox named “Leader” in 2024 GigaOm Radar for Attack Surface Management. Read the Report ›

Version 2.0

Cybersecurity Style Guide


P2P (adj.)

Short for “peer-to-peer.” Pronounced as letters or the whole phrase. Spell out in public-facing documents.


PaaS (n.)

Platform as a service. Pronounced as the whole phrase or “pass.” Spell out on first use.


Private automatic branch exchange. An enterprise telephone switching system. Pronounced as “Pabb-ex.” Spell out on first use.

page hijacking (n.), page-hijacking (adj.)

Ex: a page-hijacking attack

pages (n.)

If it’s a specifically titled web page, capitalize as in “the Forgot Password page.”

pain point (n.)

Corporate jargon; OK if used sparingly.

PAM (n.)

Privileged access management or privileged account management. Spell out on first use.


PAN, PANs (n.)

Primary account number or personal area network. Spell out on first use to clarify your intended meaning.


PAN truncation (n.)

A credit card number display that only shows the last 4 digits.

Ex: *********1234

parameterized query (n.)

Also called a prepared statement.

parameters (n.)

If writing about a type of parameter, use the normal font. If it’s a named parameter, use the tech font, as in “siteCode parameter.”


A programming language.

password mullet (n.)

The password creation pattern that starts with a capital letter and ends with a number or special character. Coined by Kyle Rankin.

Ex: Password1!

password spraying (n.), password-spraying (adj.)

An attack in which one password is tried against many accounts. Also known as horizontal password brute-forcing.


Process for Attack Simulation and Threat Analysis. A risk-based threat methodology. Pronounced as “pasta.” Spell out or briefly define on first use.


A text storage site.


pastebin (v. or n.)

This either refers to any text storage site or to the act of publishing something (like credit card numbers) anonymously on the internet, not necessarily on Pastebin. The verb is informal.

patch (n. or v.)

An update to existing software that adds or enhances features, fixes bugs, or both.

path traversal (n.)

Also known as directory traversal.


A website where subscribers set up recurring payments to specific creators in exchange for perks.


Penny Arcade Expo. A series of gaming conventions. Pronounced as “packs.”


A mobile payment service.

paywall (n. or v.)

Avoid using this as a verb in formal writing. Try “blocked by a paywall” or “required a login” instead.

PBKDF (n.)

Password-based key derivation function. Generally used interchangeably with cryptographic hash functions, although there are technical distinctions. Do not spell out.


PC, PCs (n.)

Personal computer. Can refer to any laptop or specifically a machine that runs Windows. Avoid using in formal writing; instead specify the operating system, as in a Windows machine.

PCB, PCBs (n.)

Printed circuit board. Spell out on first use.


Short for the Payment Card Industry or Peripheral Component Interconnect. Spell out on first use to clarify your intended meaning.


Payment Card Industry Data Security Standard(s). Spell out on first use.


Peripheral Component Interconnect Express. A serial expansion bus standard. Briefly explain on first use in public-facing documents.


Perl Compatible Regular Expressions. A free library. Spell out on first use.

PDB, .pdb file

Program database file.


PDQ Deploy

A patch management tool.


“Problem exists between keyboard and chair.” User error. Pronounced as “peb-cack.” Informal.

penetration testing, pen testing (n.)

Security testing in which evaluators mimic real-world attacks to identify ways to circumvent the security features of an application, system, or network. Penetration testers look for chains of vulnerabilities that can be used together to gain more privileged or overall access. Often informally shortened to pen testing or pentesting.

percussive maintenance (n.)

Fixing things by hitting them. Informal.

peripheral (n.)

An auxiliary device, a piece of equipment, or an accessory.


A programming language.

permissions (n.)

If writing about a type of permission, use the normal font. If naming a specific permission, use the tech font, as in ”SET_ALARM permissions.”


Personal security. Used in military contexts. Spell out in public-facing documents.


persistence (n.), persistent (adj.)

Persistent access means an attacker continues to access a system or application over a long period of time.

petabyte (PB) (n.)

1,000 terabytes.


A ransomware attack that hit in June 2017.



An open source firewall.


Pretty Good Privacy. An encryption program. Do not spell out.


phase (n.), Phase 1

If writing about phases generically, lowercase. If dividing a project into sections, capitalize individual phases, as in Phase 2.


PHI (n.)

Protected health information. Pronounced as letters. Spell out on first use.


An Adobe graphics editor.


Short for PHP: Hypertext Preprocessor. Do not spell out.

PHP magic method (n.)

A PHP method that can be used to change the language’s behavior.

Ex: __construct, __get, __set

PHR, PHRs (n.)

Personal health record. Spoken out loud as the whole phrase. Spell out on first use.


A Python serialization and deserialization module. It is not secure. A Python object hierarchy may be pickled and unpickled. The output of the pickle module may be called a pickle, styled in normal font.

pickled (adj.), pickling (n.)

Describes a Python object hierarchy that has been converted into a byte stream using the pickle function.


PID, PIDs (n.)

Process identifier or persistent identifier. Pronounced as letters or “pid.” Spell out on first use.

PII (n.)

Personally identifiable information. Pronounced as letters. Spell out on first use.

Ex: full name, DOB, home address, phone number, email address

PIN, PINs (n.)

Personal identification number. “PIN number” is redundant. Pronounced as “pin.” Do not spell out.

ping (v., n., or adj.)

To initiate contact and wait for a response. Sometimes specifically refers to using the ping utility. Use the tech font when referring to the utility itself.

piracy (n.)

Also called software piracy.

pivot point (n.)

A foothold that an attacker can use to gain further access into a system. The point at which an attack switches between horizontal and vertical privilege escalation strategies.


An open source analytics program that has been renamed Matomo.

pixel (px) (n.)

When describing the dimensions of an image, list width then height with an “x” between, as in 1000x1000-pixel image. Put a space between the number and unit. No commas.

PKI (n.)

Public key infrastructure. Spell out on first use.

plain text (n.)

Text that is unformatted (i.e., not rich text).


plaintext (n.)

Can refer to unencrypted text (like cleartext) or the input to a cryptographic system. In our reports, it is not a synonym with cleartext. Define briefly on first use to clarify your intended meaning.

playlist (n.)


PLD (n.)

Short for payload. Informal. Spell out on first use.


A programming language used by Oracle.

plugin (n.)

Also called an add-on or extension. Use the normal font, as in “the LastPass Chrome plugin.”


Put a space after the number, as in 2 p.m. PST. Include the time zone if referring to a testing window or specific event. Avoid using military (24-hour) time unless relevant to the context.


PO, POs (n.)

Purchase order. Corporate jargon. Spell out on first use.

PoC, PoCs (n.)

Could refer to a “proof of concept,” a “point of contact” within the client company, or a person of color. Pronounced as letters, the phrase, or “pock.” Spell out on first use to clarify your meaning.

podcasts (n.)

Capitalize podcast names and use the normal font, as in Security Weekly.

PoE (n.)

Power over Ethernet. Spell out on first use.


Padding Oracle on Downgraded Legacy Encryption. A Man-in-the-Middle attack. Do not spell out.


POP (n.), POP3

Procedure-oriented programming, point of presence, point of purchase, or Post Office Protocol. Spell out on first use to clarify your intended meaning.


port (n.)

Use this term in formal writing, but “jack” is fine elsewhere.

Ex: USB port

Portal, Portal 2

Video games in which the main character, Chell, uses a portal-shooting gun to bypass obstacles and enemies.

portal (n.)

An entranceway, such as an employee login page.

port numbers

Write without commas in the normal font (port 3389) unless it appears at the end of an IP address (

post (v. or n.)


post-apocalyptic (adj.)
post-exploitation (adj. or n.)

Any actions an attacker takes in a system after it is compromised. For example, a pen tester may search for data and configurations to determine the ultimate impact of an exploit.

Postgres or PostgreSQL

A type of database.

POST request (n.)


power cycle (v.)

Turn it off and on again.

power user (n.)

A user with advanced knowledge of a particular software.

preflight (n.)

In CORS, the browser sends an OPTIONS request before the actual request to check that the server’s response headers allow the user-agent to send the request. The request is dropped if the server response does not allow the request.

preimage (n.)

An algorithm input.

Ex: cryptographic preimage attacks

prepared statement (n.)

Also called a parameterized query.

pre-signed (adj.)

Describes an AWS S3 URL that contains authorization for accessing the data in the URL itself. To avoid redundancy, do not use to describe other resources that have been signed.

Ex: pre-signed URL


Pretty Theft

A BeEF phishing module.

primitive (n.)

Cryptographic primitives are basic algorithms used to build cryptographic systems.


principle of least privilege (n.)

The concept that users should have only the permissions necessary for their role in a system, not more.

prioritize (v.)

This can mean to rank vulnerabilities by severity level in an environment.

privesc or privilege escalation (n.)

A common strategy for attackers: start as a low-privilege user and find flaws in permissions to gain admin credentials.

-privilege, privileged (adj.)

When describing a user’s level of privilege, we prefer to use a hyphen, as in a high-privilege user rather than “a highly privileged user.”

Ex: a low-privilege user, a privileged user

PRNG, PRNGs (n.)

Pseudo-random number generator. (Pseudo refers to the fact that computers cannot make true random numbers; it is not a judgment about their RNG security or quality.) Pronounced as letters. Spell out or briefly define on first use.



An application monitoring tool used during security assessments.


A Windows monitoring tool. The application is named Process Monitor but is often shortened to Procmon.

prod (n. or adj.)

A system in production, as opposed to a system in development (dev). Informal.

programming language (n.)

There are many subcategories, such as compiled vs. interpreted languages, high-level vs. low-level languages, and domain-specific vs. general purpose languages. Scripting languages are programming languages, but markup languages are not.

programming logic

Write coding syntax and commands in tech font to distinguish them outside of code snippets.

Ex: if statement, for loop, exit() function

proof of concept (n.), proof-of-concept (adj.) (PoC)

Ex: The team created a proof of concept. It was a proof-of-concept payload.



provision (v.)

Ex: “to provision one cluster on each account”

proxy, proxying (v. or n.)

To move data through an intermediary server. Proxy can refer to the intermediary or the act of moving the data.

PS2, PS3, PS4

PlayStation consoles.


PSK, PSKs (n.)

Pre-shared key. Spell out on first use.

PSR, PSRs (n.)

PHP Standards Recommendation. A PHP specification. Recommendation items are numbered beginning with PSR-0. Spell out on first use to avoid confusion with the Bishop Fox product security review service line.

public key, public key encryption (n.)

A public key is a type of cryptographic key that has a matching private key.


purple team (n. or v.)

A security testing approach that combines aspects of red teaming and blue teaming.


A Windows SSH and Telnet client. Pronounced like “putty.”


A Windows tool for retrieving LM and NTLM hashes in an Active Directory environment.


pwn (v. or n.)

To defeat, to own. Pwn rhymes with own. Informal when used by itself, but often appears within names of security tools.

The Pwnie Awards

An annual awards ceremony for hackers that takes place during Black Hat. Pwnie is pronounced as “pony.”

Pwn Plug

A tool used in physical assessments that looks like a power adapter.


A programming language that encourages Monty Python references in tool names.

This site uses cookies to provide you with a great user experience. By continuing to use our website, you consent to the use of cookies. To find out more about the cookies we use, please see our Privacy Policy.