Militaristic language

Avoid using terms associated with violence and military actions unless you are referring to physical combat operations.

In the context of cybersecurity at Microsoft, use the following recommendations in the table of militaristic terms.

Use this Not this
address; protect against; respond to combat; fight; eliminate
cyberattack chain (cyber) kill chain
cyberattacker; bad actor; threat actor attacker; adversary
impact blast radius
multilayered approach; defense-in-depth cybersecurity defense-in-depth approach
protect; safeguard; defend guard; ward
secured locked down
security; protection; defense fortifications; first line of defense; frontlines
security teams; security analysts; defenders frontline analysts
vulnerabilities; points of access; external exposure external attack surface

Attack It’s ok to use attack if there’s context in front of it describing what kind of attack it is. For example, say, Early detection is critical to preventing damage from malware attacks instead of Get protection from sophisticated attacks.

If there’s no context before attack that describes what kind of attack it is, add cyber- in front of threat so it reads cyberattack, all one word, no space, no hyphen.

Uncover and defend against advanced cyberattacks across your entire digital estate.

Defend, defense, and defenses It’s ok to use defend and defenses if there’s context in the same sentence that makes it clear they’re referring to cybersecurity.

Learn how to defend your cloud and on-premises workloads. Extend your defenses across endpoints and clouds with Microsoft Security.

External attack surface It’s ok to use this phrase when discussing external attack surface management, external attack surface management capabilities, or the product Microsoft Defender External Attack Surface Management.

Don’t use the phrase external attack surface when referring to a customer’s points of access that are potentially vulnerable to an attack. Use vulnerabilities, points of access, or external exposure instead.

Threat It’s ok to use threat if there’s context in front of it describing what kind of threat it is.

Explore an integrated identity threat and response solution.

If there’s no context before threat that describes what kind of threat it is, add cyber- in front of threat so it reads cyberthreat, all one word no space no hyphen.

Identify and remediate cyberthreats in the cloud and on-premises.

Threat intelligence It’s ok to use threat intelligence if the surrounding context makes it clear it’s related to cybersecurity. Don’t shorten to threat intel.

Get actionable insights into new and emerging cyberthreats with dynamic threat intelligence.

Never use These terms are overtly militaristic and should never be used in the context of cybersecurity at Microsoft (though they may be used to refer to physical combat operations):

air cover
bomb, email bomb, mail bomb, time bomb
enemy, enemies, enemy lines
go on the offensive
invade, invasion
missile, torpedo
nuke, go nuclear

See also Bias-free communication