🧭 Security Vocabulary Hub
11 categories, 255 exercises. One map for every security English topic on Coders Lingo.
The security English landscape, in plain terms
Broadly, the eleven categories below split into four groups. Foundations and design (Cybersecurity Practitioner English, Security Architecture Language, Cryptography & PKI Language, Identity & Access Management) covers the vocabulary of understanding threats and designing systems to resist them. Building and operating securely (DevSecOps Pipeline Language, SOC & Security Operations) covers the vocabulary of automated security gates in CI/CD and human-led monitoring of live systems. Testing and disclosure (Penetration Testing Communication, Security Disclosure Language, Software Supply Chain Security) covers the vocabulary of actively finding, reporting, and coordinating fixes for vulnerabilities — including ones introduced by third-party dependencies. Finally, governance (Compliance & Regulatory Language, plus the cross-cutting Security Exercise Lab) covers the audit and regulatory vocabulary, and a mixed practice set that reinforces terms from across the whole cluster.
These categories are not duplicates of each other, even where the icons and topics look similar at a glance. Each card below states in one line exactly what makes that category distinct, so you can jump directly to the vocabulary you actually need rather than working through overlapping material.
The 11 security vocabulary categories
- Intermediate – Advanced
Cybersecurity Practitioner English
Threat modeling vocabulary, CVE advisory language, and zero trust architecture communication — the general-purpose entry point for security engineers.
Not a duplicate because: The broadest, most general-purpose security category — start here if you are new to security vocabulary.
- Advanced
Security Architecture Language
STRIDE, attack trees, trust boundaries, attack surface, and defence in depth — how architects design and discuss secure systems before code is written.
Not a duplicate because: Design-time vocabulary — securing a system on paper, before it is built or attacked.
- Intermediate – Advanced
Cryptography & PKI Language
TLS handshake language, certificate and PKI vocabulary, JWT claims, and OAuth 2.0 grant types.
Not a duplicate because: The cryptographic building blocks underneath every secure system — certificates, keys, and tokens, not processes or teams.
- Advanced
Identity & Access Management
OAuth 2.0, OIDC, JWT, SAML, RBAC, zero trust, and passwordless authentication vocabulary.
Not a duplicate because: The vocabulary of proving who you are and what you are allowed to do — authentication and authorisation specifically, not general defence.
- Intermediate – Advanced
DevSecOps Pipeline Language
SAST/DAST, security gates, secret scanning, container image scanning, and vulnerability remediation vocabulary for CI/CD.
Not a duplicate because: Security vocabulary specific to the build/deploy pipeline — automated checks and gates, not human-facing operations.
- Advanced
SOC & Security Operations
SIEM, alert triage, threat hunting, threat intelligence, SOAR playbooks, and SOC communication.
Not a duplicate because: The day-to-day vocabulary of defenders monitoring live systems in a security operations centre — detection and response, not design or pipelines.
- Advanced
Penetration Testing Communication
Scoping, Rules of Engagement, pentest reports, CVSS scoring, vulnerability disclosure, and remediation tracking.
Not a duplicate because: The vocabulary of an active, adversarial testing engagement — how testers and clients talk through the process, not everyday defence.
- Advanced
Security Disclosure Language
CVE advisory writing, bug bounty reports, coordinated disclosure, security bulletins, and vendor response communication.
Not a duplicate because: Vocabulary for reporting and responding to a vulnerability once it is found — the communication process, not the technical testing itself.
- Advanced
Software Supply Chain Security
SBOM, SLSA framework, dependency vulnerabilities, and artifact signing vocabulary.
Not a duplicate because: Securing the software you did not write yourself — dependencies, build provenance, and third-party artifacts.
- Intermediate – Advanced
Compliance & Regulatory Language
GDPR, SOC 2, ISO 27001, and PCI DSS compliance vocabulary for engineers in regulated environments.
Not a duplicate because: Legal, audit, and regulatory vocabulary — what an auditor or compliance officer needs, distinct from technical defence terms.
- Intermediate – Advanced
Security Exercise Lab
A mixed practical lab covering OWASP Top 10, CVE/CVSS scoring, STRIDE threat modeling, pentest language, incident communication, and secure code review.
Not a duplicate because: A cross-cutting practice lab that mixes terms from several of the other ten categories in one set — use it to test recall across the whole cluster.
Frequently asked questions
Why are there so many separate security vocabulary categories on Coders Lingo?
Security English has split into distinct professional registers depending on the job: a SOC analyst triaging alerts uses different vocabulary from a security architect designing trust boundaries, and both differ from an auditor discussing SOC 2 controls. Rather than force this into one oversized category, Coders Lingo splits it into eleven focused categories so each stays specific and practical. This hub is the map that ties them together.
Which security category should I start with?
If you are new to security vocabulary generally, start with Cybersecurity Practitioner English — it covers foundational terms like threat modeling, CVEs, and zero trust that the more specialised categories build on. From there, branch by role: architects should go to Security Architecture Language, defenders monitoring live systems should go to SOC & Security Operations, and anyone integrating security into CI/CD should go to DevSecOps Pipeline Language.
What is the difference between "Pentest Communication" and "Security Disclosure Language"?
Pentest Communication covers the vocabulary of an active, scoped testing engagement — Rules of Engagement, CVSS scoring, and the pentest report itself. Security Disclosure Language covers what happens once a vulnerability is found and needs to be reported and coordinated — CVE advisories, bug bounty reports, and vendor communication. A pentester writing up findings will use both.
How is "Identity & Access Management" different from "Cryptography & PKI"?
Cryptography & PKI Language covers the underlying cryptographic building blocks — TLS handshakes, certificates, JWT claims, and OAuth grant types at the protocol level. Identity & Access Management is the layer built on top of those primitives: OAuth flows, OIDC, SAML, RBAC, and passwordless authentication as experienced by a user or an application. IAM uses cryptographic terms but focuses on the authentication and authorisation outcome, not the underlying math.
Isn't "Compliance & Regulatory Language" the same topic as "Security Architecture Language"?
No. Security Architecture Language is technical — STRIDE threat modeling, attack trees, and defence in depth are about how a system is designed to resist attack. Compliance & Regulatory Language is legal and procedural — GDPR, SOC 2, ISO 27001, and PCI DSS vocabulary is about proving to an external auditor that controls exist and are followed. An engineer can design a secure system and still fail a compliance audit over documentation, so both vocabularies are needed.
What does the Security Exercise Lab add that the other ten categories don't already cover?
The Security Exercise Lab is a cross-cutting practice set rather than a new topic — it mixes OWASP Top 10, CVSS scoring, STRIDE, pentest language, incident communication, and secure code review into one set of exercises. Use the other ten categories to build vocabulary in each specific discipline, then use the lab to test recall across the whole security cluster at once.
How many total exercises are covered across the security vocabulary cluster?
The eleven categories in this hub cover 255 exercises in total, ranging from foundational cybersecurity vocabulary to advanced, role-specific terminology for architects, SOC analysts, pentesters, and compliance teams. Each category is self-contained, so you can start with whichever matches your current role.