The most useful phrases in a modern security programme are the ones that cannot be argued with. “The platform gives us coverage.”, “We have visibility.”, “The tool supports MFA.”
Each one is calm, professional, and technically defensible. Each one can also be doing something quietly different from what the room hears.
How the grammar works
Three small grammatical moves do most of the heavy lifting.
The first is capability standing in for implementation: “The platform supports MFA”, “Defender has ransomware protection”, “Our firewall can do segmentation”.
All of these may be technically true while operationally meaningless on their own. A feature sitting disabled behind a licensing tier, a compatibility concern, or three years of deferred political negotiation is still a feature. The checkbox exists. The protection may not. The reassurance is generated by the checkbox, not by its state.
The second is telemetry standing in for comprehension: “We would see it in the logs”, “The SOC has eyes on that”, “Sentinel would alert”.
These are the hallucination of omniscience, produced not by LLMs but by dashboards. In practice, ingestion is throttled by licensing economics, retention can be shorter than anyone admits, parsers can drop fields nobody noticed, analysts may triage by volume rather than significance, and a sophisticated attacker may have calibrated their behaviour to sit just under reporting thresholds.
The map gets mistaken for perception. The organisation believes it is watching the room because it can see the lights on the camera.
The third is the past tense standing in for the present state: “We have hardened the environment”, “We have segmented the network”, “We have baselined to CIS (or whatever other alphabet soup one can baseline to)”.
These describe historical events, often performed once, by people who have since left, against an environment that has since drifted. Hardening is not a thing that is had. It is a thing continuously verified, and most environments quietly accumulate exceptions like sediment. Segmentation diagrams in particular tend toward aspirational cartography: the picture is correct, the network a polite suggestion.
Once you notice these three moves, they are difficult to unsee. Most reassuring sentences in a mature security programme are doing one of them, sometimes even two at once.
Why the language passes the audit
The dangerous part, and the reason this style of language is so durable, is that none of these phrases are fully false. That is precisely the point.
“The control is designed to mitigate that risk” is not a lie. It is a description of intent. Whether the control is actually enabled, tuned, monitored, owned, tested, or capable of surviving a real adversary is a separate question, and the sentence does not ask it. The grammar is engineered to imply effectiveness without ever having to assert it.
This is legal-safe language masquerading as engineering confidence. It works beautifully in audit reports, board papers, and procurement justifications, because each individual phrase is defensible in isolation.
“Aligned with NIST”, “Supports zero trust principles”, “Has visibility into east-west traffic”.
Read one at a time, and every claim sounds reasonable. Read them together, and they describe a security programme that may or may not actually exist, depending on which week you arrive and who answers the door.
The same vocabulary recurs across the industry because it has been quietly optimised for survivability. “Coverage” is safer than “protection”. “Maturity” is safer than “competence”. “Alignment” is safer than “compliance”. “Capability” is safer than “outcome”. Each substitution reduces the testable claim. None of them quite remove it. The result is a fluent dialect that produces enormous quantities of reassurance per unit of measurable defence.
Adversaries, unhelpfully, do not read in this dialect. They read in terms of capability that is actually configured, telemetry that is actually retained, and controls that are actually functioning on the day they show up. An audit and an attacker grade the same environment by different standards, and only one of them issues a report you get to negotiate.
Do a (quiet) test
There is a small exercise that works surprisingly well in meetings, though it is worth deploying sparingly to preserve marriages and employment.
When a reassuring phrase lands in the room, try substituting, silently in your head or actually spoken aloud, the most pessimistic plausible reading, and see whether the comfort survives.
“The platform gives us coverage” can be heard as
“logs are technically being ingested from some subset of systems, with a retention period nobody has checked recently, parsed by rules nobody has tuned, into a tool that nobody has time to investigate”.
“We have a playbook for that” becomes
“a document exists, possibly accurate at the time of writing, describing a scenario that bears an unspecified resemblance to the one currently unfolding”.
“We have segmented the network” could simply mean
“a diagram exists”.
“Best practice” can be changed into
“we are doing what other organisations claim to be doing, on the assumption that they are not lying, that it applies to our context as well, and that the practice still works against current adversaries”.
“Defence in depth” can, for example, translate to
“we have several controls, all of which may share the same blind spot, none of which has been tested in combination”.
If the room (or you, if the substitution stayed in your head) still feels comfortable afterwards, the phrase was doing real informational work, and the comfort was earned. If the room flinches, the phrase was doing something else. That flinch is the signal.