5 exercises — each question asks whether a given expression is a natural English collocation used by native speakers.
How to approach True or False collocations
Ask yourself: would a native speaker say this naturally, or does it sound translated?
Check the verb: many errors come from using a generic verb (do/make) instead of the precise one
Some expressions sound almost right — the difference is often one word
1 / 5
True or False: 'exploit a vulnerability' is the correct English collocation used in cybersecurity.
TRUE — "exploit a vulnerability" is core cybersecurity vocabulary.
The word exploit functions as both a verb and a noun in security contexts, making it versatile and essential to learn:
exploit a vulnerability ✅ — "Attackers exploited a vulnerability in the login form."
exploit a flaw ✅ — "The researchers exploited a flaw in the cryptographic implementation."
exploit a weakness ✅ — broader, used in threat modelling
exploit a zero-day ✅ — a vulnerability with no existing patch
As a noun: "The team released an exploit for the CVE."
Related vocabulary by role:
discover / find / identify a vulnerability ✅ — researchers and defenders
disclose a vulnerability ✅ — responsible disclosure to the vendor
patch / mitigate a vulnerability ✅ — defenders fixing it
exploit a vulnerability ✅ — attackers taking advantage of it
CVE vocabulary: critical/high/medium/low severity, CVSS score, proof-of-concept exploit.
"Use a vulnerability" ❌ and "abuse a vulnerability" ❌ are both non-standard.
2 / 5
True or False: 'do an attack' is the natural English expression for describing a cyberattack.
FALSE — "do an attack" is not natural English in security contexts.
Security professionals and journalists use precise verbs that carry specific nuances:
launch an attack ✅ — most common; implies initiating: "The threat actors launched a DDoS attack."
execute an attack ✅ — technical precision: "The malware executes the attack in three stages."
carry out an attack ✅ — implies deliberate planning: "The group carried out a sophisticated supply-chain attack."
mount an attack ✅ — slightly formal, often in military/security contexts
conduct an attack ✅ — formal, used in reports and analysis
Specific attack types use their own verbs:
run a phishing campaign ✅
perform a penetration test ✅
execute a SQL injection ✅
"Do an attack" ❌ sounds like a direct translation and would not appear in any security report, CVE description, or threat intelligence briefing. The more precise your vocabulary, the more credible you sound in security discussions.
3 / 5
True or False: 'patch a bug' is a natural English collocation in security and software development contexts.
TRUE — "patch a bug" and "patch a vulnerability" are both natural collocations.
The word patch works as both a noun and a verb in software development and security:
As a verb:
patch a bug ✅ — apply a targeted fix to a specific defect
patch a vulnerability ✅ — "The vendor patched the vulnerability within 48 hours."
patch the system ✅ — apply updates to an OS or application
As a noun:
release a patch ✅ — "Microsoft released a patch for the critical flaw."
apply a patch ✅ — "Apply the security patch before the deadline."
security patch ✅ — a fix specifically for a security vulnerability
hotfix ✅ — an emergency patch deployed immediately
Notable: Patch Tuesday — Microsoft's monthly security patch release cycle (second Tuesday of each month).
"Fix a bug" ✅ is also natural and perhaps more common informally. "Patch" often implies a targeted code change, while "fix" is broader. Both are correct and used by native speakers.
4 / 5
True or False: 'make an audit' is the natural English phrase for conducting a formal security review.
FALSE — "make an audit" is not standard English in professional or security contexts.
"Make" does not collocate naturally with "audit" in native professional English. The correct collocations:
conduct an audit ✅ — most formal, preferred in reports: "The firm conducted a full security audit."
run an audit ✅ — common in technical and DevSecOps contexts: "Run a dependency audit with npm audit."
perform an audit ✅ — formal: "Perform a quarterly access control audit."
carry out an audit ✅ — formal, implies deliberate process
commission an audit ✅ — hire an external firm to perform it
Types of audits in software/security:
security audit — comprehensive review of security posture
code audit — review of source code for vulnerabilities
penetration test — simulated attack to find weaknesses
compliance audit — check against standards like ISO 27001, SOC 2
"Do an audit check" ❌ is doubly wrong — "do" + "audit" is non-native, and "audit check" is redundant. "Audit" already implies a check.
5 / 5
True or False: 'harden the system' is a real security collocation meaning to reduce a system's attack surface.
TRUE — "harden the system" and "server hardening" are established information security terms.
Hardening is the process of reducing a system's attack surface by removing unnecessary services, applying the principle of least privilege, configuring firewalls, and applying security patches.
harden a system ✅ — "Harden the web server before exposing it to the internet."
harden a server ✅ — "Server hardening is a mandatory step in our deployment checklist."
OS hardening ✅ — hardening the operating system (remove unused services, set permissions)