5 exercises on saying security acronyms the way appsec professionals do — insider word forms like "sea-surf", "are-back" and "jot" versus spelled-out initialisms.
Key patterns
Insider word forms — CSRF "sea-surf", RBAC "are-back", JWT "jot", CORS "corz", WAF "waff"
Spelled out — XSS, CVE, MFA, 2FA, PKI, SSO
Read the digit — 2FA "TWO-EFF-AY" (say the number "two")
Inherits SQL — SQLi follows your SQL form ("sequel-eye" or spelled out)
1 / 5
How is CSRF (Cross-Site Request Forgery) most commonly pronounced by security engineers?
CSRF — commonly "sea-surf".
The widely used spoken nickname is "sea-surf" /ˈsiːsɜːrf/, popularised because it is memorable and easy to say. The strictly spelled-out form "SEE-ESS-ARE-EFF" is also correct and used in formal settings.
Collocations: a CSRF token, CSRF protection, vulnerable to CSRF, the anti-CSRF middleware. CSRF tricks a logged-in user's browser into making an unwanted request. Contrast with XSS (Cross-Site Scripting), a different attack — they are often confused by newcomers but are distinct vulnerabilities.
2 / 5
How are XSS and CVE pronounced?
XSS and CVE are spelled out.
XSS — "EKS-ESS-ESS" /ɛks ɛs ɛs/ (Cross-Site Scripting). It is abbreviated XSS rather than CSS to avoid clashing with Cascading Style Sheets. You will sometimes hear the casual "excess", but the letter-by-letter form is standard.
CVE — "SEE-VEE-EE" /siː viː iː/ (Common Vulnerabilities and Exposures), the public catalogue of known flaws, each with an ID like CVE-2024-12345.
Collocations: a stored XSS, reflected XSS, patch the CVE, a critical CVE, assigned a CVE number. Do not say "cave" — that loses the identifier feel and can be misheard.
3 / 5
How are 2FA and MFA pronounced?
2FA and MFA are read out, digit and letters included.
2FA — "TWO-EFF-AY" /tuː ɛf eɪ/ (Two-Factor Authentication). The leading "2" is spoken as the number "two". MFA — "EM-EFF-AY" /ɛm ɛf eɪ/ (Multi-Factor Authentication), spelled out letter by letter.
Collocations: enable 2FA, set up MFA, enforce MFA across the org, an MFA prompt, turn on two-factor. Note that people also freely say the expanded "two-factor" as a phrase. Neither acronym folds into a word: "tofa" and "muffa" are not real usage. Related: SSO "ESS-ESS-OH" (Single Sign-On) is likewise spelled out.
4 / 5
How are RBAC and JWT pronounced in practice?
RBAC and JWT both have popular spoken word forms.
RBAC — commonly "are-back" /ˈɑːrbæk/ ("R" + "back"), Role-Based Access Control. The fully spelled-out "ARE-BEE-AY-SEE" is also heard.
JWT — officially pronounced "jot" /dʒɒt/ per the RFC 7519 spec authors. Many engineers nonetheless spell it out as "JAY-DOUBLE-YOU-TEE", which is equally understood.
Collocations: RBAC policies, map roles in RBAC, issue a JWT, verify the JWT signature, a JWT bearer token. Knowing "jot" is a nice marker of familiarity, but spelling it out instead will never be misunderstood.
5 / 5
How are CORS and SQLi pronounced?
CORS is a word; SQLi builds on "SQL".
CORS — "corz" /kɔːrz/, said as a word rhyming with "cause"/"corps" (Cross-Origin Resource Sharing). The letters form a clean syllable.
SQLi — "sequel-eye" or "ESS-QUE-ELL-EYE" (SQL Injection). It inherits whichever SQL pronunciation the speaker uses, plus a trailing "eye" for the "i".
Collocations: a CORS error, CORS preflight, relax the CORS policy, blind SQLi, an SQLi payload, parameterise queries to prevent SQLi. Related security acronyms in this family: WAF "waff" /wɒf/ (Web Application Firewall, said as a word) and PKI "PEE-KAY-EYE" (Public Key Infrastructure, spelled out).