{
  "$type": "site.standard.document",
  "bskyPostRef": {
    "cid": "bafyreid6akya63dt6ewfi4mu5z23fsxcu5or3f4oolpy646ymscuh2hh64",
    "uri": "at://did:plc:vzenumnmvvg6xrdnzya4ofix/app.bsky.feed.post/3mnb4grva6ag2"
  },
  "path": "/2026/06/01/the-infosec-phrasebook.html",
  "publishedAt": "2026-06-01T10:00:00.000Z",
  "site": "https://nesbitt.io",
  "textContent": "Spend enough time around security people and you pick up a second vocabulary. It has a faintly military air and a noticeable per-syllable markup on vendor invoices.\n\n_Defense in depth_ : coding.\n\n_Zero trust_ : auth.\n\n_Least privilege_ : the permissions you forgot to grant.\n\n_Attack surface_ : your code.\n\n_Blast radius_ : everyone else’s code.\n\n_Hardening_ : turning things off.\n\n_Air gap_ : a USB stick.\n\n_Shift left_ : make it the developer’s problem.\n\n_Threat model_ : a Google Doc.\n\n_Tabletop exercise_ : a meeting about the Google Doc.\n\n_Compensating control_ : we didn’t fix it.\n\n_Risk acceptance_ : we didn’t fix it, in writing.\n\n_Remediation_ : a Jira epic.\n\n_Assume breach_ : we got breached.\n\n_CVE_ : curriculum vitae enhancement.\n\n_CVSS 9.8_ : please answer the phone.\n\n_Lateral movement_ : ssh.\n\n_Exfiltration_ : curl.\n\n_Supply chain security_ : running `npm install`, nervously.\n\n_Security posture_ : vibes.\n\nThen there’s _cyber_, which gets prefixed to all of the above and increasingly used on its own. Cyber risk, cyber hygiene, cyber resilience, Cyber Essentials, “I work in cyber”. I have been on the internet long enough to remember when cyber was a verb, and what it meant when a stranger in an AOL chatroom asked if you wanted to. I cannot watch a minister say it into a microphone without that association firing, and at this point I’ve stopped expecting it to fade.",
  "title": "The Infosec Phrasebook",
  "updatedAt": "2026-06-01T10:00:00.000Z"
}