Software as a service. Pronounced as “sass.” Spell out on first use.
An alternative term to whitelisting. Use this term to match client preference in client-facing documents.
Repeatedly stealing money in very small quantities.
In encryption, salted code has random values sprinkled in it to make it more difficult to decode. If two users have the same password, salting ensures that their hashes won’t be the same.
Security Account Manager. A registry file in Microsoft systems that serves as a password database. Also refers to the Sequence Alignment Map file format. Pronounced as “samm.”
Spell out on first use to distinguish the acronym from standard operating procedures.
A testing environment that is isolated from production or a restricted operating system environment for running unverified programs.
Modifying privileges in a system past the manufacturer’s intention in order to gain root access. More generic than “jailbreak.”
Describes content (usually user input) that has been stripped of unwanted characters to prevent code injection.
The SysAdmin Audit Network Security Institute. Pronounced as “sans.” Do not spell out.
Simple Authentication and Security Layer. Pronounced as “sassle.” Spell out on first use.
Supervisory control and data acquisition. A control system architecture. Spell out on first use.
Programming language meant to address criticisms of Java.
Short for Secure Channel. A Windows SSP. Pronounced as “S-channel.”
The agreed-upon list of applications and environments that an assessment team tests during an engagement.
The gradual expansion of the scope of a project over time. Informal.
A TV show about hacking that ran from 2014 to 2017.
Secure copy protocol. Use the tech font when writing about the command. Spell out on first use.
A script can retrieve (scrape) all of the data from a web page in lieu of an API retrieving the specifically desired information.
Don’t use these terms in formal writing unless the method of capture is relevant to the narrative. We recommend calling them figures or using terms that are related to the content, as in “the login page below.”
A hacker who only knows how to run existing scripts, but not how to write their own. Informal.
An Agile framework. Also the name of meetings within that system.
Small Computer System Interface. A parallel interface. Pronounced as “skuzzy.”
Non-obscene words are sometimes blocked because they contain a banned string of letters, such as “sex” in “Sussex.”
Software development kit. Spell out on first use.
Software development lifecycle. Sometimes written as SDL. Spell out on first use.
A type of trolling that involves persistently asking questions in bad faith. Informal.
Ex: second-order SQL injection
A flag for protecting HTTP cookies from Man-in-the-Middle attacks.
Ex: The system is secure by default. The system has a secure-by-default configuration.
To describe the specific impact of a breach, you can say that information was exposed, disclosed, obtained, or stolen.
Code or another tool (as opposed to policy) that enforces repeatable security. There are preventive controls, detective controls, and corrective controls.
A Netflix tool for AWS configuration monitoring.
Use the normal font with quotation marks for prompts, as in “What was the name of your favorite unpaid internship?”
The generally maligned practice of making a system extremely complex in the hope that it will prevent anyone from figuring out how to hack it.
A collective of industry volunteers who help others solve information security issues. https://securitywithoutborders.org/
A string of bits used to generate a pseudo-random number for encryption.
Do not use. When referring to splitting up network parts, use segment or separate.
Describes a typically insecure cryptographic certificate that has itself as a source of trust.
Also written as SemVer and semver. A versioning system that organizes major, minor, and patch versions.
Ex: 1.0.2, 3.5.16-beta
Search engine optimization. Spell out on first use.
The process of turning a data structure into a data stream that can be more easily stored or transmitted.
Write the names and types of servers in the normal font, as in “SMTP server.”
A Java program that handles requests for a server.
A web application attack in which a victim’s session token is set to a known value, allowing it to be hijacked.
Secure Hash Algorithm. SHA is a series of cryptographic hash functions. In informal writing, these are often written lowercase and without hyphens, as in “sha256.” Pronounced as “shah.” Do not spell out.
Short for command shell. Informally, you can gain, get, pop, spawn, or drop a shell. Use obtain a shell or gain persistent remote access in formal writing.
Ex: reverse shell, root shell, webshell
A GNU Bash vulnerability. Also known as Bashdoor.
A search engine for devices connected to the internet.
A shortened filename. Also called an 8.3 filename.
Standing behind someone to steal their passwords or other information. Informal.
A program that translates Markdown into HTML.
¯\_(ツ)_/¯ is an elaborate emoticon that expresses indifference or a lack of an answer. Sometimes appears in a simplified form as vOv.
Always hyphenate in adjectives.
Ex: client-side, server-side
Security information and event management. Pronounced as “sim” or “see-em.” Spell out on first use.
Avoid using as a verb if possible. Try identify instead.
A long, signed integer type of data.
A generic term for the tech industry based in the greater San Francisco Bay Area. Also the name of an HBO TV show about a startup company called Pied Piper.
A black market website that was operational between 2011 and 2014.
To isolate or separate. Corporate jargon; use sparingly.
Isolated departments within an organization. Corporate jargon; use sparingly.
Session Initiation Protocol. Spoken out loud as the whole phrase. Spell out on first use.
Security incident response plan. IR plan and CSIRT may be more familiar terms for your audience. Spell out on first use.
A sitemap file contains the site map.
A modern feature that is styled to look like an older, physical version.
Ex: the floppy disk Save button, the shopping cart icon used by online retailers
The fictional AI tech by Cyberdyne Systems that led to the creation of the Terminator.
An IPv6 attack that exploits the Stateless Address Autoconfiguration process.
A user-friendly URL. Informal.
A programming language.
An internet-enabled cell phone.
Server Message Block. Pronounced as letters. Spell out on first use.
Subject matter expert. Pronounced as “smee,” letters, or the whole phrase. Spell out on first use.
A public encryption key standard for MIME data.
Short for SMS phishing. A type of social engineering attack that uses text messages to target individuals. Briefly define on first use.
To monitor and capture data packets that pass through a network.
An amount of quoted code. In formal writing, we use a code excerpt instead.
A network monitoring tool.
An open source security tools company. Pronounced as “sneak” or “snick.”
Shout out. A way to publicly thank someone online. Informal.
Start of Authority or service-oriented architecture. Spell out on first use to clarify your intended meaning.
Security operations center. Pronounced as “sock.” Spell out on first use.
System on chip. Spell out on first use.
For types of socket, use the normal font. For a specific socket, put the socket type in the tech font, as in
Socket Secure protocol. Do not spell out.
A hacking group also known as APT28 or Fancy Bear.
In contrast to hard programming skills, these are communication skills like listening, presenting, and interpersonal networking.
Short for software token. Used to generate a push notification or OTP on an authentication app as part of a multi-factor authentication process.
Pronounced as “sah-dur.”
SSD is short for solid state drive.
DEF CON radio.
Same-origin policy or standard operating procedure. Pronounced as letters. Spell out on first use.
Statement of Work. Pronounced as letters. Spell out on first use.
Avoid using in formal writing, unless it is the technical term specific to the technology that is being discussed. Try start or create instead.
Tailored phishing attacks that are aimed at a specific target.
Ex: client-specific, task-specific
A flaw that affects Intel, AMD, and ARM chipsets. It was publicly disclosed in January 2018. The James Bond supervillain organization is SPECTRE.
Spring Expression Language.
A spelling bee competition for hackers that took place at HOPE 13, DEF CON 26, and DEF CON 27. It used this style guide as the word list.
Sender Policy Framework. Spell out on first use to avoid confusion with the sunscreen rating system.
Avoid using in formal writing. Try launch, instantiate, power on, or create instead.
A SIEM tool.
Service principal name. Pronounced as letters or the whole phrase. Spell out on first use.
To create a fraudulent, attacker-controlled replica of legitimate data (e.g., a website).
Corporate jargon; use sparingly.
A Java application framework.
A programming language. Precede with “a” in phrases like “a SQL query.” Pronounced as “sequel” or as letters.
SQL injection. An application vulnerability. Pronounced as “sequel-eye.” Spell out on first use.
A tool that finds and exploits SQL injections.
A web proxy.
Solid state drive. A drive with no moving parts. Spell out on first use.
Secure Shell protocol. It always uses TCP port 22. Do not spell out unless defining the term.
Solid state hybrid drive. Spell out on first use.
Server Side Includes. A programming language. Spell out on first use.
Service set identifier. The human-readable name of a Wi-Fi network. Spell out on first use in public-facing documents.
The Secure Sockets Layer protocol, which is outdated and vulnerable to the POODLE attack. Do not spell out unless defining the term.
An SSL research effort from Qualys.
Secure Sockets Layer/Transport Layer Security. Communications security protocols. Do not spell out unless defining the term.
Social Security number. Don’t capitalize “number.” Spell out on first use.
Security support provider. Spell out on first use.
Server-side template injection. Spell out on first use.
Does not need to be staged.
Ex: a stageless Meterpreter payload
Ex: Start up the laptop. A startup company.
Describes a protocol in which recipients of a request can track the session from previous requests.
Describes a protocol where the session state is tracked in each request without referring to previous communications.
A video game distribution platform.
A strategy of hiding information to avoid its capture rather than openly disguising it through cryptography.
A surveillance tool that appears as a Wi-Fi network but actually takes information from the devices that connect to it.
Structured Threat Information Expression. A language used for threat analysis.
The effect states that requesting the internet to not do something will cause the internet to deliberately do that thing more.
A string of characters written directly into the code.
A worm that sabotaged Iranian uranium enrichment in 2010.
know.bishopfox.com is a subdomain of
A browser security feature.
Noun form of “subvert.” Avoid using this to mean a “sub” version. Use minor version, patch, or just version instead.
Superuser do. Write in the normal font if referring to sudo privileges. If referring to the command sudo, use the tech font.
Someone who has sudo privileges. Informal. In formal writing, try “user with sudo privileges” if it’s not part of a set expression.
The sudo configuration file.
Corporate jargon for planned phasing out. OK to use sparingly in the infinitive. Also try no longer support or decommission.
If writing about a type of superclass, use the normal font. If it’s the name of a superclass, use the tech font, as in
A type of hackathon party that started in the Bay Area and now has global offshoots.
Open source software framework and tools to build, design, and document APIs.
Society for Worldwide Interbank Financial Telecommunication. Do not spell out.
Ex: SWIFT network
A PHP framework.
Displaying text within code in different colors based on keywords or categories. We do not use syntax highlighting in client-facing reports.
If writing about a specific system, use the tech font, as in “the dev_test system.” Otherwise, use the normal font.