The Infosec Phrasebook

Andrew Nesbitt

Spend enough time around security people and you pick up a second vocabulary. It has a faintly military air and a noticeable per-syllable markup on vendor invoices.

Defense in depth: coding.

Zero trust: auth.

Least privilege: the permissions you forgot to grant.

Attack surface: your code.

Blast radius: everyone else’s code.

Hardening: turning things off.

Air gap: a USB stick.

Shift left: make it the developer’s problem.

Threat model: a Google Doc.

Tabletop exercise: a meeting about the Google Doc.

Compensating control: we didn’t fix it.

Risk acceptance: we didn’t fix it, in writing.

Remediation: a Jira epic.

Assume breach: we got breached.

CVE: curriculum vitae enhancement.

CVSS 9.8: please answer the phone.

Lateral movement: ssh.

Exfiltration: curl.

Supply chain security: running npm install, nervously.

Security posture: vibes.

Then there’s cyber, which gets prefixed to all of the above and increasingly used on its own. Cyber risk, cyber hygiene, cyber resilience, Cyber Essentials, “I work in cyber”. I have been on the internet long enough to remember when cyber was a verb, and what it meant when a stranger in an AOL chatroom asked if you wanted to. I cannot watch a minister say it into a microphone without that association firing, and at this point I’ve stopped expecting it to fade.
