Militaristic language
Avoid using terms associated with violence and military actions unless you are referring to physical combat operations.
In the context of cybersecurity at Microsoft, use the following recommendations in the table of militaristic terms.
| Use this | Not this |
|---|---|
| address; protect against; respond to | combat; fight; eliminate |
| cyberattack chain | (cyber) kill chain |
| cyberattacker; bad actor; threat actor | attacker; adversary |
| impact | blast radius |
| multilayered approach; defense-in-depth cybersecurity | defense-in-depth approach |
| protect; safeguard; defend | guard; ward |
| secured | locked down |
| security; protection; defense | fortifications; first line of defense; frontlines |
| security teams; security analysts; defenders | frontline analysts |
| vulnerabilities; points of access; external exposure | external attack surface |
Attack It’s ok to use attack if there’s context in front of it describing what kind of attack it is. For example, say, Early detection is critical to preventing damage from malware attacks instead of Get protection from sophisticated attacks.
If there’s no context before attack that describes what kind of attack it is, add cyber- in front of threat so it reads cyberattack, all one word, no space, no hyphen.
Example
Uncover and defend against advanced cyberattacks across your entire digital estate.
Defend, defense, and defenses It’s ok to use defend and defenses if there’s context in the same sentence that makes it clear they’re referring to cybersecurity.
Examples
Learn how to defend your cloud and on-premises workloads.
Extend your defenses across endpoints and clouds with Microsoft Security.
External attack surface It’s ok to use this phrase when discussing external attack surface management, external attack surface management capabilities, or the product Microsoft Defender External Attack Surface Management.
Don’t use the phrase external attack surface when referring to a customer’s points of access that are potentially vulnerable to an attack. Use vulnerabilities, points of access, or external exposure instead.
Threat It’s ok to use threat if there’s context in front of it describing what kind of threat it is.
Example
Explore an integrated identity threat and response solution.
If there’s no context before threat that describes what kind of threat it is, add cyber- in front of threat so it reads cyberthreat, all one word no space no hyphen.
Example
Identify and remediate cyberthreats in the cloud and on-premises.
Threat intelligence It’s ok to use threat intelligence if the surrounding context makes it clear it’s related to cybersecurity. Don’t shorten to threat intel.
Example
Get actionable insights into new and emerging cyberthreats with dynamic threat intelligence.
Never use These terms are overtly militaristic and should never be used in the context of cybersecurity at Microsoft (though they may be used to refer to physical combat operations):
air cover
bomb, email bomb, mail bomb, time bomb
enemy, enemies, enemy lines
go on the offensive
invade, invasion
missile, torpedo
nuke, go nuclear
strike
troops
See also Bias-free communication
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for