
The colors of cybersecurity

The CISO’s Perspective—Special Edition Blog

For years, the cybersecurity community has labeled functions and teams by color. “Whitelists” of approved websites and “blacklists” of bad sites, users and IP addresses are two of the most familiar examples.

April Wright presented an interesting paper, “Orange is the New Purple,” at Black Hat USA 2017. In her model, the color assigned to each team or function represents that team’s specific attributes or mission.

Mixing the primary colors red, blue and yellow gives the secondary colors, which expands the palette available for naming. For example, industry has red teams, who conduct mock attacks and penetration tests against networks; yellow teams, the developers and builders, who may be in-house or brought in from a third party; and blue teams, who focus on defense and incident response.

A little more mixing of those primaries and we end up with green teams, who take coding, programming and developer (yellow) skills and apply defender (blue) strategies, which is useful in systems and application development, and orange teams (yellow and red), who act as conduits between red and yellow teams so that attack findings reach the people who build the systems. Purple teams combine the skills of red and blue so that what the attackers learn feeds directly back into detection and defense. For the monochrome fanatics, we have white hat and black hat hackers, where the color identifies whether the hacking is authorized and ethical (good) or criminal (bad), not whether the skills involved are offensive or defensive.

All these color teams or attributes are necessary in a fully functional cybersecurity ecosystem.

But we no longer live in an environment where we can label white as good, black as bad, red as attackers, or yellow as outsiders who are not part of the team.

As technologists, we also need to deal with old-school thinking in terms such as “master” and “slave” for the primary and secondary copies in data replication and backups. The generational backup rotation schemes we used to call “grandfather, father and son” are also no longer appropriate.

Time for change

Where we used colors, offensive terms, and jargon or shorthand for technical terms, we must now commit to using terms that are more accurate and less offensive. Perhaps we could move toward plain technical language, or coin new terms that are more accurate and less confusing or offensive. Just for the fun of it, I have included a table of some of my favorite suggestions here:

| Function or Attribute | Old | New |
|---|---|---|
| Listings of known bad websites, IP addresses, usernames, etc. | Blacklist | Deny List |
| Listings of acceptable websites, IP addresses, usernames, etc. | Whitelist | Allow List |
| Offensive security or “ethical hacking” of any type. This could include authorized penetration testing, physical hacks, black-box testing, web app scanning and compliance validation. It could also include the use of social engineering techniques as part of phishing drills. | Red Team | Cyber Offense |
| Cybersecurity exercise coordination cells: those who act as referees during exercises, including tabletop events, limited-objective experiments, or specific component testing in a real-world scenario. | White Team | Cyber Exercise Cell |
| Teams of developers, programmers, application designers, software engineers or architects. | Yellow Team | DevSecOps Team |
| Primary record, file or recording of data. | Master | Primary |
| Secondary record, file or recording of data. | Slave | Secondary |
| Ethical hackers who focus on testing cyber defenses as part of an organized corporate development process, cybersecurity plan or strategy. | White Hat Hacker | Penetration Tester |
| Criminal hackers who concentrate on maliciously breaking cyber defenses for money or fame. | Black Hat Hacker | Criminal |
| Hacker who exploits a weakness in cyber defenses to bring the weakness to the attention of the owner, with the goal of improving security. | Gray Hat Hacker | Hacktivist |
| Older, more experienced IT or cybersecurity personality; one sought after for wisdom born from study and experience over a lifetime. | Gray Beard | Bob (have you seen him lately?) |

Change is good

We learn when we are taught technical terms the way they should be used, and we reinforce that learning when we keep using the proper terms. Developing slang and jargon may save time, but choosing terms that are insensitive defeats the learning, especially if you are the one being offended.

Security management must see offense, defense, analysts, audit and testing teams as part of the same united front, with shared goals and metrics.

Here at UW–Madison, we are all Badgers who wear cardinal and white. Here at DoIT, we are all professionals: system architects and administrators, human resources specialists, application developers and integrators, network engineers, cybersecurity professionals, finance and purchasing experts, administrative professionals, printers, project and program managers, and experts in media and communications.

Let’s make the change and toss the old terms and invite new, accurate and non-offensive ways to express who we are and what we do.

If not now, when? If not us, who?