Hacker Tradecraft · Volume 5
Hacker Tradecraft Volume 5 — The 'Hat' Metaphor: Where the Colors Came From
From the silent-era B-Western trope through 1990s trade-press migration into security culture, the cementing of 'Black Hat' by Jeff Moss's 1997 conference, the chronological expansion to grey / green / blue / red / purple, and the two-axis problem — ethical-stance hats vs. engagement-role team colors — that the next seven volumes will treat one at a time
1. About this volume
Vols 2–4 traced what happened — proto-hacking through phreaking and the AI lab, the BBS-and-CFAA-and-Mitnick golden-age-and-criminalization era, the 2000s–2020s professionalization, nation-state displacement, and ransomware-as-a-business. This volume traces what the field called itself while it was happening. Specifically, where the “hat” color metaphor came from, how it crossed from old-Hollywood-Western shorthand into the security-trade-press vocabulary of the early 1990s, how Jeff Moss’s 1997 founding of the Black Hat Briefings conference[1] cemented the term as something more than slang, and how the seven-color modern taxonomy — white, black, grey, green, blue, red, purple — actually evolved over the three decades since. The volume is the bridge between the three-volume history cluster and the seven hat volumes (6–12) that follow, where each color gets its own full treatment.
The volume is structured archaeologically — it digs forward from the trope’s pre-cinema origins through the various inflection points where the vocabulary thickened — and ends with two synthesis pieces that the rest of the series leans on heavily: a two-axis disambiguation of the metaphor (the ethical-stance hats are one axis; the engagement-role team colors are a different axis, and the field routinely conflates them because they share the word hat), and a master taxonomy diagram in §8 that every later volume cross-references. That diagram is the single most reused visual in the deep dive: every hat volume returns to it.
A note on the lens. This volume is not taxonomy advocacy. It is not arguing that the hat metaphor is the right way to think about hacker motivation, nor that every hat color is well-defined, nor that the field should keep using it. It is archaeological description — the metaphor is what working practitioners use, in conference programming, in job descriptions, in trade-press headlines, in casual shop talk; it has thirty years of use behind it; the next seven volumes’ worth of material is hung from it. So the volume documents the metaphor honestly: where it came from, where it’s load-bearing, where it falls apart, and where the modern criticism (from Microsoft, Google, NCSC UK, the IETF, and the academic security-studies literature) has legitimately pushed parts of it out of polite professional vocabulary. §7 treats the criticism without hand-waving it away and without overstating it.
The historiography of this volume is more contested than Vols 2–4’s. The first-citation hunt for “white hat” and “black hat” in security contexts runs into the same problem as every other piece of vocabulary archaeology: by the time something is common enough to be searched for, it has already been in informal use for years, and the first printed appearance is usually impossible to pin to a single text. The dates in §3 are best-available, drawn from full-text searches of trade-press archives where those archives are accessible; where a claim cannot be primary-sourced, the footnote says so. The same discipline applies to the Western-trope origin in §2 — the cliché is real but the standard “it started with The Great Train Robbery in 1903” telling does not actually survive scrutiny[2]. Be skeptical of single-film origin stories; the convention is gradual.
2. The Western trope — white hats and black hats in film
The shorthand by which a viewer can identify a film’s hero and villain from their hats — white for the good guy, black for the bad — is real, and it is genuinely a Western-cinema convention. What’s not quite true is the popular history that places its origin in a specific landmark film. The convention emerged gradually across the 1900s–1930s and stabilized in the B-Western era of the 1930s and ’40s, and it was never as universal as later cultural memory suggests.
2.1 Why visual coding mattered in the silent era
The first thing to get right is why costume color mattered enough to encode hero-versus-villain at all. Silent film (commercially, 1903 — Edwin Porter’s The Great Train Robbery — through 1927, when The Jazz Singer introduced synchronized sound[3]) was a medium without dialogue: characters spoke in title cards, but the actual on-screen action had to communicate everything else through composition, gesture, and visual shorthand. The audience for an early Western had to identify the protagonist immediately when a wide shot panned across a saloon or a posse. Costume color did some of that work — but so did camera framing, lighting, position relative to the foreground, and which character entered the frame first.
The screen image itself was almost entirely monochrome. Early film stock was orthochromatic (insensitive to red, which rendered as black) before the introduction of panchromatic stock around 1922[4]; tinting and toning processes added single-color washes to whole scenes, but did not enable per-costume color. In monochrome, a literal white hat reads bright and a literal black hat reads dark — they pop visually in a way that, say, blue and brown would not. The hat is also the highest, most stable element of a standing figure’s silhouette, the part most visible across the frame at distance. None of this is unique to film; the stage Western (Buffalo Bill’s Wild West show, 1883–1913) and the pulp Western fiction of the 1870s–1920s already used hat color as a character marker before film picked it up[5].
2.2 The convention was gradual, not specific to one film
The popular telling places the origin in The Great Train Robbery (1903), Edwin Porter’s 12-minute Edison studio production widely cited as the first narrative Western. That film does feature outlaws and lawmen and a famous final shot of an outlaw firing his pistol directly at the camera; what it does not feature is a consistent hat-color scheme. The outlaws and the posse wear a mix of hats and head coverings, and the film’s monochrome rendering does not enforce a clean hero/villain visual binary[6]. The film established the narrative grammar of the Western (chase, ambush, robbery, pursuit, gunfight, comeuppance), not the wardrobe grammar.
The wardrobe grammar develops later, and not from one source. Three vectors carried it forward:
- Tom Mix’s silent-era B-Westerns (1909–1935). Mix was the dominant Western star of the silent era and into early sound — over 290 films, predominantly low-budget productions for Selig Polyscope, Fox Film, and FBO. Mix’s costuming, by the 1920s, had hardened into a recognizable iconography: white or light-colored ten-gallon hat, bright shirts, ornate gunbelt. The “good guy in the white hat” was a visual brand[7].
- The Hopalong Cassidy films (1935 onward). Clarence Mulford’s pulp-Western character (introduced 1904) was adapted to film starting with Hop-Along Cassidy (1935) and ran through 66 features over the following decade and a half, with William Boyd in the lead. Cassidy’s costume was the inversion of Mix’s: he wore black throughout, despite being the hero. The fact that the convention was already strong enough by 1935 to be inverted-as-trademark is itself evidence that the convention existed[8].
- The Saturday-matinee B-Western era (1930s–early 1950s). Republic Pictures, Monogram Pictures, and the smaller “Poverty Row” studios produced hundreds of short Westerns for the Saturday-matinee circuit, primarily for child audiences. The audience was young and the production budgets were tight; clear visual coding of hero versus villain was a cost-effective storytelling shortcut. By the 1940s, the white-hat-good-guy / black-hat-bad-guy convention was strong enough in this corner of the industry that it became audience expectation. Edward Buscombe’s BFI Companion to the Western (1988) catalogues the convention as established by this era, but explicitly cautions against single-film origin stories[9].
Peter Stanfield’s Hollywood, Westerns, and the 1930s: The Lost Trail (2001) provides the academic-film-history treatment of the B-Western era’s visual conventions; Stanfield treats hat-color coding as one of a cluster of low-cost iconographic shortcuts that the singing-cowboy and Saturday-matinee subgenres relied on, none of which is reducible to a single originating production[10].

2.3 What the convention actually was, and what it wasn’t
For a working engineer, the useful summary is this: the convention is real but contingent. It was not universal — large numbers of Westerns of every era ignore it, and the prestige Westerns of the 1950s onward (Anthony Mann, John Ford after The Searchers, Sam Peckinpah, Clint Eastwood’s Sergio Leone trilogy) deliberately played against it. It was strongest in the B-Western tier, where production constraints rewarded visual shortcuts. It was strong enough to be parodied by 1960 — the convention’s existence-as-cliché was acknowledged in the culture by the time the security industry inherited it. And it was always more nuanced than “white = good, black = bad” in execution: lighting, framing, accompaniment by other character markers (a scar, a particular horse, the actors’ previous casting in the genre) carried at least as much of the signaling weight.
| Decade | Where the convention was strong | Where it was already weak or inverted |
|---|---|---|
| 1900s–1910s | Stage Westerns; pulp fiction; some silent shorts (no consistent film coding yet) | Most early Western shorts; The Great Train Robbery itself |
| 1910s–1920s | Tom Mix silent features; serials | Larger-budget productions where star wardrobe was a contractual matter |
| 1930s–early 1940s | Saturday-matinee B-Westerns; singing-cowboy films (Roy Rogers, Gene Autry); serials | Hopalong Cassidy (deliberate inversion, 1935+); A-budget Westerns of John Ford and others |
| Mid-1940s–1950s | Late B-Westerns; television Westerns (Hopalong Cassidy, The Lone Ranger TV) | Psychological / “adult” Westerns (Anthony Mann, Shane, High Noon) |
| 1960s onward | Parody and homage; Mel Brooks’s Blazing Saddles (1974) | Spaghetti Westerns; Peckinpah; Eastwood-as-Man-With-No-Name (no costume-coded heroism) |
Table 5.1 — The hat-color visual-coding convention by decade of Western cinema. Strong in the B-Western tier where production constraints rewarded visual shortcuts; weak or inverted in higher-budget and later-period productions where the genre became more interested in moral complication. The cliché the security industry inherited was the strong-tier version — and it inherited it as cliché, not as live convention.
The relevance to the security industry, taken up in §3 below, is that by the time the trade press picked up the metaphor in the early 1990s, the convention was a cultural cliché of a previous era of cinema, not a description of how Westerns were actually being made. Calling someone a “black-hat hacker” in 1992 evoked the same cultural register as calling a hero “the cavalry” — borrowed shorthand from a film tradition the speaker probably didn’t watch and the listener probably didn’t watch, but that both recognized as a stable, easily-decoded metaphor for moral alignment.

3. Migration into computing — when “white hat / black hat” entered security vocabulary
The migration of the hat metaphor into security-industry vocabulary happened gradually across the late 1980s and early 1990s. Unlike the Black Hat Briefings conference founding (§4), which has a documentable date, the vocabulary migration cannot be pinned to a specific first publication — by the time it was common enough to be archived and searched, it had already been informal for years. Anyone claiming a specific first citation for “white hat” or “black hat” in a computing context should be treated with the same skepticism this volume applies to the Western-trope-origin claims in §2.
3.1 What can be said, with footnotes
A handful of grounded observations:
- The phrase did not migrate fully formed. Trade-press security columns in the late 1980s and early 1990s referred to “good guys” and “bad guys,” “ethical hackers” and “crackers” (the Eric Raymond distinction; see §3.2 below), “authorized testers” and “intruders.” The “hat” specifically — as a shorthand applied to people rather than to the broader trope — appears in trade press by the early 1990s and is in routine professional use by 1995–1996[11]. The OED’s first citation for “white hat” in this sense is dated to 1981, but the broader normalization in security contexts is a decade later[12].
- Usenet and the early academic security literature carried the term in informal use. The relevant Usenet newsgroups — alt.security, sci.crypt, comp.security.unix, alt.2600 (from 1991) — contain “white hat” / “black hat” references through the early 1990s; the Internet Archive’s Usenet captures and Google Groups’ archive of alt.security are searchable for context[13]. None of these constitute a clean first citation.
- The trade press normalized the term across the mid-1990s. InformationWeek, Network World, Computer Security Journal, SC Magazine, and the 2600 Quarterly all use “white hat” / “black hat” in approximately their modern sense by 1995. Wired uses it in feature coverage by 1995–1996[14]. By the time the Black Hat Briefings conference launched in July 1997 (§4), the term was already common enough that the conference’s name read as a deliberate provocation rather than as coinage.
3.2 The Eric Raymond hacker-vs.-cracker distinction
The migration of “white hat” / “black hat” overlapped, and partially competed with, a parallel distinction maintained by Eric S. Raymond’s The Jargon File (which became The New Hacker’s Dictionary, MIT Press, 1991, with subsequent editions through the 1990s)[15]. Raymond’s framing was that the original word hacker, in the MIT-AI-Lab and Homebrew-Computer-Club sense Vol 2 documents, meant a skilled programmer with no implication of criminality, and that the journalistic conflation of hacker with criminal intruder was an error. The Jargon File maintained that cracker was the correct term for the unauthorized-intruder sense — derived from safecracker.
This framing never won. The journalistic and trade-press usage of hacker — meaning “intruder” — was already too entrenched by 1991 to be rolled back, and the hat-color shorthand provided a way to keep the broader word hacker (with its connotation of skill) while adding the moral qualifier. “White-hat hacker” was a compromise that preserved the cultural-prestige sense of hacker while still distinguishing authorized from unauthorized work. The Jargon File’s preferred cracker faded from professional usage through the 1990s and 2000s; the hat-color shorthand replaced it.
This matters for the modern reader because it explains a still-live tension in the field: when older practitioners use hacker without a hat qualifier, they often mean it in the original MIT-AI-Lab sense (a skilled and curious tinkerer, no criminality implied), while younger practitioners and the general public read it as the journalistic-intruder sense. The hat qualifier resolves this tension — at the cost of binding the field’s self-description to a cinema cliché. That trade has been a working choice for thirty years.
3.3 What was not in the vocabulary in 1995
The 1995-era vocabulary was simpler than the modern seven-color taxonomy:
- White hat — present, in approximately the modern sense (authorized security researcher / pentester).
- Black hat — present, in approximately the modern sense (unauthorized intruder, criminal or quasi-criminal motivation).
- Grey hat — emerging but not yet stabilized; the L0pht 1998 Senate testimony (§5.1) is one of the inflection events that solidifies the category.
- Green / blue / red / purple — not in the security vocabulary yet, although “red team” and “blue team” exist in DoD doctrine in their pre-security senses.
By 2000, white hat, black hat, and grey hat are all routine; the expansion to seven colors plays out over the following 15–20 years (§5).
| Vocabulary state | Approximate stabilization date | Source / evidence |
|---|---|---|
| Hacker used in the original MIT sense | 1960s–early 1980s | TMRC (Tech Model Railroad Club) origin; Vol 2 §3 |
| Hacker used in the journalistic-intruder sense | Early 1980s onward | Newsweek “Beware Hackers at Play” (Sept 5, 1983); Vol 3 §3 |
| Cracker (ESR’s preferred term for intruder) | 1990–1996 | Jargon File / New Hacker’s Dictionary |
| White hat / black hat in security trade press | ~1993–1996 | InformationWeek, Network World, Wired, Computer Security Journal |
| Hat-shorthand normalized in conference programming | 1997 | Black Hat Briefings I, Las Vegas (Moss); §4 |
| Grey hat recognized as third category | ~1998 onward | L0pht Senate testimony; trade-press coverage; §5.1 |
| Seven-color modern taxonomy | ~2015 onward | CompTIA / EC-Council training materials; SANS purple-team curriculum |
Table 5.2 — Approximate stabilization dates of the major vocabulary milestones. Most dates are best-available rather than primary-sourced; the migration was gradual and the first-citation question is genuinely hard for any of the hat-color terms. Treat dates as ±2 years.
4. Black Hat Briefings (1997) and DEF CON — how a conference name cemented the metaphor
Two annual conferences in Las Vegas, both founded by Jeff Moss (online handle: The Dark Tangent), supplied the structural and cultural infrastructure that took the hat metaphor from trade-press slang to load-bearing professional vocabulary. DEF CON, founded 1993, was the underground-and-community-facing event; Black Hat Briefings, founded July 1997, was the corporate-and-defender-facing event[16]. The two conferences were calibrated as complementary halves of the same week — Black Hat first (Wednesday–Thursday), DEF CON immediately after (Friday–Sunday), at neighboring Las Vegas venues. The “hacker summer camp” pattern that emerged from this scheduling has held since 1997 with only minor variation, and is the institutional reason the third week of August is the most loaded week on the security-industry calendar.
4.1 The 1997 founding and the deliberate provocation
Black Hat Briefings I ran July 7–10, 1997, at the Aladdin Hotel in Las Vegas. The first-conference roster included a small number of presentations by what would now be called offensive-research practitioners — including Mudge (Peiter Zatko) of L0pht, Dominique Brezinski, and several others — to an audience of approximately 400 attendees, predominantly from corporate security teams, government, and the press[17]. The economic model was directly inverted from DEF CON’s: DEF CON’s tickets were inexpensive and the audience was self-selected from the underground; Black Hat’s tickets were expensive (several thousand dollars by the early 2000s, more in the modern era) and the audience was expense-account-purchased from corporate budgets.
The name choice was deliberate. Moss has said in subsequent interviews that the “Black Hat” label was chosen specifically to advertise that the presentations were offensive research — the kind of work that, at the time, defenders rarely had structured access to[18]. The provocation was the entire pitch: a corporate security director who wanted to know how their network would be attacked could spend three days in a conference room watching the actual attackers explain their techniques. The name accurately described the content even as it deliberately reused the trade-press shorthand of “black hat” as a term of moral opprobrium — the conference was simultaneously named after the bad guys and attended by the good guys.
This dual-register choice is the single largest reason the hat metaphor cemented as professional vocabulary. A conference name is a stable artifact. By 2000, “Black Hat” was the name of a major corporate event with sponsors, a paid registration desk, a press list, and a sister conference (DEF CON) on the following weekend. It was no longer slang. The trade press could refer to “Black Hat research” or “Black Hat–style techniques” and the readership knew exactly what was meant: offensive security research, of the type catalogued at the conference, regardless of who was doing it or under what authorization.
4.2 DEF CON as the parallel calibration
DEF CON’s founding in 1993 predates Black Hat by four years and is documented in Vol 3 §9.3. The relevant point for this volume is the calibration relationship between the two. DEF CON was — and remains — the community-and-culture event: capture-the-flag contests, the lockpick village, the social-engineering village, the car-hacking village, the talks by working researchers and the talks by anonymous handles, the badge culture, the after-hours parties. Black Hat is the institutional and defender-facing event: corporate keynotes, sponsor halls, the press room, the policy-track discussions. A single attendee can — and many do — attend both: Black Hat Wednesday/Thursday, DEF CON Friday/Saturday/Sunday, with the cab ride from one venue to the other accomplishing the genre-shift.
The institutional pair models, in microcosm, the field’s broader two-axis problem (§6). A DEF CON attendee at the lockpick village is performing offensive technique-development in an underground-cultural register; the same person at Black Hat the following morning is performing the same technique-development in an institutional / corporate-defender register. The hats are the same; the context is different. The two conferences make this visible structurally — the venues are different, the dress code is different, the language register is different — and that structural visibility was, by the 2000s, training the industry to expect hats to mean different things in different rooms.
4.3 The legitimating effect on the term
By 2010 the institutional uptake of “Black Hat” was complete. The conference had been acquired by CMP Media in 2005 (later UBM, then Informa), expanded internationally to Asia, Europe, and the Middle East, and was running multiple events a year[19]. “I’m presenting at Black Hat” had become a recognized CV line for working researchers. Job descriptions for senior offensive-security roles routinely listed “Black Hat presentation experience” as a desirable qualification. The hat metaphor had not just been adopted by the industry — it had been institutionalized, with paid registration desks and conference badges as the artifact.
The implication for the broader vocabulary: the conference fixed the shape of the category. “Black Hat” the noun (as in “Black Hat research” or “a Black Hat technique”) came to mean the kind of offensive content presented at the Black Hat conference — which is to say, primarily research disclosed by white-hat-authorized presenters about how black-hat-type attacks work. The term thus carried a productive ambiguity: it described content, not actor identity. A presentation at Black Hat about a zero-day in a corporate VPN appliance is “Black Hat content” regardless of whether the presenter is an in-house security researcher (white-hat institutionally), an independent grey-hat operator, or a contracted red-team operator. The category is what’s discussed, not who’s discussing it.
This productive ambiguity is what enabled the metaphor to keep working as the field’s vocabulary diversified through the 2000s and 2010s. By the time purple team, green hat, and the team-color framings (§5) arrived, the hat word was already polysemous enough that adding more colors didn’t break it — it just deepened the ambiguity. Which is also why the two-axis disambiguation in §6 is necessary.
5. The taxonomy expands — grey, then team colors, then green and purple
After “white” and “black” stabilized through the mid-1990s and were institutionally cemented by Black Hat 1997, the taxonomy expanded over roughly twenty years. Each of the five subsequent colors entered the vocabulary through a different inflection event and from a different cultural source. This section traces them chronologically.
5.1 Grey hat — the L0pht 1998 Senate testimony era
“Grey hat” (or “gray hat,” depending on house style) was the first major addition. The term names the practitioner who operates without authorization but for constructive rather than criminal ends — independent vulnerability researchers, full-disclosure activists, “I found this and disclosed it” cases. Intent is constructive; legal status is still unauthorized access.
The inflection event that solidified the category in industry vocabulary is the L0pht Heavy Industries Senate testimony of May 19, 1998[20]. Vol 3 §9.2 documents this in detail; the relevant facts for Vol 5 are:
- The seven testifiers — Brian Oblivion, Kingpin (Joe Grand), Mudge (Peiter Zatko), Space Rogue (Cris Thomas), Stefan Von Neumann, John Tan, Weld Pond (Chris Wysopal) — appeared before the Senate Committee on Governmental Affairs as private-sector security researchers, testifying under their hacker handles (the committee accepted this as a courtesy on the understanding that public exposure of their legal names would compromise their independent-research postures).
- Their testimony explicitly described independent vulnerability-research work conducted without authorization from the affected vendors, with the disclosed vulnerabilities published publicly via the L0pht’s L0phtCrack and Bugtraq postings. The work was unambiguously useful — multiple of the disclosed vulnerabilities were patched by major vendors within months of disclosure — and equally unambiguously unauthorized as conducted.
- The trade press, attempting to fit the L0pht into the existing white/black binary, settled on grey hat as the descriptor for what the testifiers were doing. The term appears in Wired’s coverage of the L0pht in the 1998 issue and in subsequent Computer Security Journal coverage[21].
By 2000, grey hat was routine in trade-press use. Vol 8 in this series treats the grey-hat category at full depth — the lineage from L0pht through subsequent independent-research collectives, the rise of coordinated-disclosure norms (Vol 4 §3), and the bug-bounty platforms (Vol 4 §5) that effectively legalized parts of grey-hat work by providing scoped authorization.

5.2 Red team / blue team — the military-doctrine import (not from Westerns)
The team colors are a different lineage entirely. Red team and blue team did not come from cinema. They came from U.S. military war-gaming doctrine, where they had been in use for decades before security adopted them.
The conventional war-gaming attribution — frequently repeated in security literature without primary-source citation — traces “red team” to Cold War-era U.S. military exercises in which the red side simulated Soviet (and Warsaw Pact, more broadly) forces and the blue side simulated U.S. and NATO forces[22]. The CIA’s after-action review of the 1961 Bay of Pigs operation is sometimes cited as an early documented use of red/blue framing for adversarial-team analysis, but the specific attribution to that document is hard to primary-source[23]; the conservative reading is that red/blue color-coding for U.S./Soviet roles in U.S. military exercises was well-established by the 1960s and predates any specific named exercise.
The migration of red/blue team into computer-security work runs through Department of Defense network red-teaming in the 1990s. The Science Applications International Corporation (SAIC) red-teaming contracts with the DoD in the early-to-mid 1990s formalized the term for what we would now call adversary emulation of operational computer networks[24]. The 2000s saw the formal codification of red team / blue team in DoD cyber doctrine, then a commercial-sector spread — by ~2005, PwC, Mandiant, Foundstone, and other consultancies had named red-team practices billable to corporate clients, and “red team” as a job title was on its way to mainstream usage.
| Decade | Red team / blue team usage | Where |
|---|---|---|
| 1960s | War-gaming role designation: red = adversary (Soviet/Warsaw Pact), blue = home force | U.S. DoD; CIA war-game retrospectives |
| 1970s–1980s | Continued military and intelligence-community use | Throughout U.S. national-security apparatus |
| 1990s | Migration into computer-network red-teaming | SAIC DoD contracts; mid-1990s NSA and DoD network assessments |
| Early-to-mid 2000s | Commercial pentest-consulting adoption | Foundstone, ISS, @stake, early Mandiant practice |
| Mid-2000s onward | Mainstream pentest vocabulary | Job titles; conference tracks; SANS curriculum |
| 2010s onward | Codification in MITRE ATT&CK and the formal-methodology era | MITRE; SANS SEC560/SEC599 course family; OffSec OSEP |
Table 5.3 — Red team / blue team is military, not Western. The two-color naming is from war-gaming, not from cinema. The migration into computer security spans roughly 1990–2005 (active formalization) and 2005–present (mainstream commercial usage). The vocabulary’s adjacency to the ethical-stance hats — both use color names; one is moral and one is structural — is the root of the two-axis conflation in §6.
The naming axis is engagement role (who is the attacker, who is the defender, during this specific exercise), entirely distinct from the ethical-stance axis of the white/black/grey hats. A red-teamer is authorized by construction — the engagement is unauthorized by the actual target only in the simulated sense; the actual engagement has a written contract, scoped objectives, and a defined rules-of-engagement document. Vol 11 (red hat) walks the formal red-team engagement template — the adversary-emulation discipline, the TTP (Tactics, Techniques, Procedures) framing, and the MITRE ATT&CK framework’s structured language for adversary behavior — and explicitly disambiguates the “red team” engagement-role sense from the older, fringe “red hat” vigilante sense (§6.4 of this volume; Vol 11 §3).
Most working practitioners in 2026 do not know the cinema-vs.-military split — they treat all the color names as a single vocabulary. That conflation is exactly what §6 unpacks.
5.3 Green hat — the 2010s emergent term
Green hat is the newest of the seven colors and the one with the least institutional pedigree. The term names the newcomer / on-ramp practitioner — someone learning the craft, doing CTFs and HackTheBox and TryHackMe and training labs, working toward a first certification, definitionally not yet operating at scale. Green is the standard symbolic color for “new” in many cultural registers (green light, greenhorn, evergreen), and the application to security newcomers is unsurprising.
What distinguishes green hat from the older colors is its origin: it did not migrate from cinema, military doctrine, or trade-press coverage of a watershed event. It emerged from learner-community vocabulary — Reddit’s r/AskNetsec and r/HowToHack, Stack Exchange’s Security site, the early TryHackMe and HackTheBox forums — through the 2010s. The term then percolated into formal training-curriculum materials at CompTIA and EC-Council by approximately 2015[25]. By 2020 it was a routine entry in textbook hat-color glossaries, but the lineage runs from informal learner-community use up to training-curriculum codification, not down from a primary-source watershed.
This bottom-up origin has consequences. Green hat is the least precisely-defined of the seven colors; the boundary between “green hat” and “white hat” is fuzzy (the boundary is essentially “when does the newcomer become a working professional?”, which has no certification ceremony). Some sources use green hat to mean any newcomer regardless of ethical stance, others use it specifically for the on-ramp into ethical / white-hat work. Vol 9 (green hat) treats the category as the white-hat on-ramp specifically, on the grounds that the criminal-economy entry path (script-kiddie → black-hat amateur → professional black-hat operator) has its own lineage that doesn’t go through the same training-platform pipeline.
5.4 Blue hat — two live meanings (and the conflation that follows)
Blue hat is the term with the most active polysemy in the modern field. It has two live meanings, both in current professional use, and the speaker has to disambiguate from context every time.
The first meaning is the engagement-role blue team defender — SOC analyst, incident responder, threat hunter, detection engineer. This is the senior usage and aligns directly with the red-team/blue-team military-doctrine import from §5.2. “I’m on the blue side” or “I do blue-team work” carries this meaning unambiguously.
The second meaning is Microsoft’s BlueHat program — Microsoft’s invited-external-security-researcher program, which began as an invitation-only conference held on Microsoft’s own campus and later grew into a broader program. The first Microsoft BlueHat conference was held in 2005, at Microsoft’s Redmond campus, as an invitation-only event bringing external security researchers into the Microsoft engineering organization to present current research directly to product teams26. The program has expanded over the subsequent two decades into:
- The BlueHat conferences (Redmond annually, with regional editions in Israel, Shanghai, and elsewhere periodically)
- The Microsoft BlueHat Prize (a research-prize program; first awarded 2012)
- The broader Microsoft Security Response Center (MSRC) bug-bounty programs
A “Microsoft BlueHat” researcher is therefore a vendor-invited external researcher — closer in role to a white-hat penetration tester or coordinated-disclosure researcher than to a blue-team defender. The two senses of blue hat describe entirely different roles. The conflation is a recurring source of confusion in trade-press coverage, in job listings, and in casual professional conversation.
| Meaning | Role | Origin | Where you see it |
|---|---|---|---|
| Blue-team defender | SOC, IR, threat hunting, detection engineering | Military doctrine (§5.2) | Job titles (“Blue Team Lead”), SANS curriculum, vendor product positioning |
| Microsoft BlueHat | Invited external researcher / vendor-collaboration mode | Microsoft 2005 internal conference | Microsoft documentation, BlueHat conference programming, MSRC engagement |
Table 5.4 — Blue hat’s two live meanings. They describe entirely different roles. Disambiguation is always context-dependent — “I do blue-hat work” almost always means defender; “I’m presenting at BlueHat” almost always means the Microsoft program. Vol 10 (blue hat) treats the defender meaning primarily and notes the Microsoft program in §3 with a forward-reference to Vol 19’s coordinated-disclosure treatment.
5.5 Purple hat / purple team — the synthesis category
Purple is the most recent of the seven colors to enter mainstream professional vocabulary. The term emerged in the 2013–2015 timeframe to describe collaborative red-and-blue work — operating the offensive and defensive sides together, in real-time integration, rather than as separate phases of a periodic adversarial assessment. The 2014–2015 trade-press coverage from FireEye / Mandiant, CrowdStrike, and other major-firm threat-intelligence teams uses purple team in approximately the modern sense by 201427. SANS introduced the SEC599: Defeating Advanced Adversaries — Purple Team Operations course in 2016, and the course’s broad adoption was one of the cementing events for the term in formal curriculum28.
An engineering-grade distinction worth making here, because the language gets sloppy in trade-press usage: purple team is a practice, not a role. A purple-team engagement is one in which the red and blue functions are working together, sharing visibility into each other’s tooling, in real-time iteration. The same individual operator can be on the red side one week and the blue side the next; what makes the engagement “purple” is the collaboration mode, not a separate purple identity. By contrast, purple hat — when the term is used to describe a person — usually means a practitioner who has worked both sides and is comfortable operating in the collaborative mode, or who is currently leading a purple-team engagement.
Vol 12 (purple hat) treats both the practice and the practitioner senses, with explicit cross-references to Vol 11 (red) and Vol 10 (blue) for the constituent disciplines. The practice came of age in the mid-2010s alongside the broader MITRE ATT&CK adoption, and the two are tightly linked — purple-team exercises typically use ATT&CK techniques as the shared vocabulary between the offensive and defensive sides, making the post-engagement gap analysis structured rather than ad hoc.
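The structured, ATT&CK-keyed gap analysis the paragraph describes, as an added example that is not from the article or from any vendor tool: a Python script that matches a red team’s executed techniques against the blue team’s alerts and classifies each execution as prevented, detected (with latency) or missed. Both logs are constructed sample data. The technique IDs are real ATT&CK identifiers; the hosts, timestamps, outcomes, rule names, the timestamp-plus-key=value log format and the 30-minute credit window are assumptions made for the exercise.

```python
"""Purple-team gap analysis keyed on ATT&CK technique IDs.

Added example, not code from the article or from any vendor tool.
Both logs below are constructed sample data: the technique IDs are
real ATT&CK identifiers, but the hosts, timestamps, outcomes and rule
names are invented for the exercise. The log format (timestamp then
key=value fields) is assumed; adapt parse_log() to your own exports.
"""
import shlex
from datetime import datetime, timedelta

# Red-team execution log: one line per technique the operator ran.
RED_LOG = """\
2026-03-02T09:00:00Z host=ws-17 technique=T1059.001 outcome=success note="encoded PowerShell launcher"
2026-03-02T09:04:00Z host=ws-17 technique=T1003.001 outcome=blocked note="lsass dump attempt, stopped by EDR"
2026-03-02T09:10:00Z host=ws-17 technique=T1021.002 outcome=success note="SMB admin share to fs-01"
2026-03-02T09:15:00Z host=fs-01 technique=T1053.005 outcome=success note="scheduled task persistence"
2026-03-02T09:20:00Z host=fs-01 technique=T1048.003 outcome=success note="DNS exfil of 2 MB test file"
"""

# Blue-team alert log: SIEM/EDR alerts, each already tagged with a technique.
BLUE_LOG = """\
2026-03-02T09:00:40Z host=ws-17 technique=T1059.001 rule="Suspicious encoded PowerShell"
2026-03-02T09:04:05Z host=ws-17 technique=T1003.001 rule="LSASS access blocked"
2026-03-02T09:31:00Z host=fs-01 technique=T1053.005 rule="New scheduled task by non-admin"
2026-03-02T11:00:00Z host=ws-17 technique=T1059.001 rule="Suspicious encoded PowerShell"
"""


def parse_log(text):
    """Turn 'TS key=value key="quoted value"' lines into dicts with a datetime 'ts'."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = shlex.split(line)  # shlex keeps quoted values intact
        row = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
        for field in fields:
            key, _, value = field.partition("=")
            row[key] = value
        rows.append(row)
    return rows


def gap_analysis(red_rows, blue_rows, window=timedelta(minutes=30)):
    """Classify each red execution as prevented, detected or missed.

    An execution counts as detected only if an alert for the same host and
    technique fires within `window` after it; a later alert (the 11:00 one
    above) is not credited, so detection latency is part of the result.
    """
    results = []
    for red in red_rows:
        candidates = [
            blue for blue in blue_rows
            if blue["host"] == red["host"]
            and blue["technique"] == red["technique"]
            and red["ts"] <= blue["ts"] <= red["ts"] + window
        ]
        first = min(candidates, key=lambda b: b["ts"]) if candidates else None
        if red["outcome"] == "blocked":
            status = "prevented"      # control stopped it, with or without an alert
        elif first is not None:
            status = "detected"       # ran, but blue saw it in time
        else:
            status = "missed"         # ran and nobody noticed: the gap
        results.append({
            "technique": red["technique"],
            "host": red["host"],
            "status": status,
            "latency_s": int((first["ts"] - red["ts"]).total_seconds()) if first else None,
            "rule": first["rule"] if first else None,
        })
    return results


def summarize(results):
    """Group technique IDs by status; the 'missed' list is the detection backlog."""
    by_status = {"prevented": [], "detected": [], "missed": []}
    for res in results:
        by_status[res["status"]].append(res["technique"])
    return by_status


if __name__ == "__main__":
    findings = gap_analysis(parse_log(RED_LOG), parse_log(BLUE_LOG))
    for f in findings:
        lat = f"{f['latency_s']}s via {f['rule']!r}" if f["rule"] else "no alert"
        print(f"{f['technique']:10} {f['host']:6} {f['status']:9} {lat}")
    print("gaps to close:", summarize(findings)["missed"])
```

Run as a script it prints one line per executed technique; the “missed” list (here the SMB lateral movement and the DNS exfiltration) is the detection backlog the blue side takes away from the exercise. The window parameter encodes the rule both sides agree on before the engagement, that a late or unrelated alert is not credited; the 11:00 alert is in the sample precisely to show that the matching is on execution, not merely on technique ID.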
5.6 The chronological summary
Cinema-trope hardening (first block of the timeline):

- 1900s: Western trope pre-cinema (stage Westerns, pulp fiction); no consistent film coding yet.
- 1920s: Tom Mix; the silent-era cliché is dominant; the white-hat brand hardens.
- 1930s: B-Western golden age; the coding hardens further, including the Hopalong Cassidy inversion (1935).
- 1940s: Saturday-matinee convention; enters the audience-expectation set.
- 1950s: Convention enters cultural memory; already parody-ready.

Migration into security vocabulary (second block):

- 1970s: *Jargon File* hacker-vs-cracker distinction (Raymond).
- 1980s: Trade press uses “good guys” / “bad guys” and “ethical hackers” vs. “crackers”.
- Early 1990s: “white hat” / “black hat” in trade press (security columns) ~1993–95; OED first citation 1981; InfoWeek, Wired.
- 1997: Black Hat Briefings founded by Jeff Moss (Las Vegas, Jul 7–10, 1997).
- 1998: L0pht Senate testimony solidifies the grey-hat category in industry vocabulary.
- 2000s: Grey hat in routine use; red/blue team mainstream in the pentest industry; war-gaming red/blue formalization.

Expansion to the seven-color taxonomy (third block):

- 2005: First Microsoft BlueHat conference (Redmond, 2005).
- Early 2010s: Green hat emerges in learner-community vocabulary (Reddit, Stack Exchange).
- ~2013–15: Purple team emerges in industry vocabulary (Mandiant, FireEye, CrowdStrike).
- 2016: SANS SEC599 Purple Team Operations launched.
- ~2015 onward: Seven-color taxonomy in CompTIA / EC-Council / SANS training materials.

Figure 5.4 — The chronological expansion of the hat taxonomy from cinema cliché to seven-color professional vocabulary. The first block traces the cinema-trope hardening (gradual, with no single-film origin). The second block traces the migration into security vocabulary and the cementing of “black hat” by the conference. The third block traces the expansion to five additional colors through different cultural sources — military doctrine (red/blue), vendor program (Microsoft BlueHat), learner-community emergence (green), and major-firm trade-press / curriculum (purple). The step from the first block to the second is the cinema-to-security migration; the entries in the third block are the parallel inflection events in the modern taxonomy’s elaboration.
6. The two-axis problem
The single most important conceptual point in this volume — the one that the seven hat volumes (6–12) all depend on — is that the modern color vocabulary is doing two unrelated jobs at the same time, and the field routinely conflates them because all the colors share the word hat. This section names the two axes, maps each color to both, identifies where the conflation is sharpest, and points forward to where each color gets its own full treatment.
6.1 The two axes named
- Axis 1: Ethical stance / motivation / legality. White (authorized, constructive). Black (unauthorized, criminal or destructive). Grey (unauthorized, constructive). Green (newcomer; pre-operational). This is the original hat axis — the one that came from the Western cinema trope by way of trade-press migration. It describes what the operator is trying to do and on which side of the law they’re doing it.
- Axis 2: Engagement role. Red (offensive operator; adversary emulator). Blue (defensive operator; SOC / IR / threat-hunting). Purple (collaborative integration of red and blue). This is the team-color axis — the one that came from military war-gaming doctrine and migrated into computer security through DoD network red-teaming in the 1990s. It describes what role the operator is playing during a structured engagement, not their broader ethical stance.
These two axes are orthogonal. A person can be at any combination — a white-hat red-teamer (authorized adversary emulator; the dominant industry role for offensive security consultants in 2026), a white-hat blue-teamer (in-house SOC analyst), a white-hat purple-teamer (collaborative-engagement operator), a black-hat red-acting actor (a criminal operator running adversary-emulation tooling for non-emulated purposes — at which point the engagement role is mostly a description of technique, not authorization), and so on. The combinations are why §6.5’s table is two-dimensional.
6.2 Why the conflation happens
Three pressures keep the two axes mashed together in casual usage:
- Shared color-naming vocabulary. Red, blue, purple all read as colors-of-hats. White, black, grey, green also read as colors-of-hats. The field naturally treats all seven as members of the same family of terms, even though they come from different lineages and describe different things.
- Shared overall cultural register. The hacking-culture broad register — Las Vegas conferences, lockpick villages, BSides, CTFs, the trade press, vendor marketing — uses all seven colors interchangeably. The institutional separation between “the ethical-stance hats” (the Western-trope lineage) and “the engagement-role colors” (the military lineage) is not visible at the cultural surface.
- Some terms genuinely span both axes. A red-teamer is, in essentially every legitimate engagement, a white-hat operator. A blue-teamer is, by employment construction, white-hat. A purple-teamer is white-hat on both sides simultaneously. So in modal usage, the engagement-role colors imply white-hat ethical stance, and the conflation is harmless. It becomes a problem at the edges — the older “red hat” vigilante sense (§6.4), the rare “blue-hat insider threat” framing (a black-hat actor inside a blue-team role), the question of whether a purple-team practice in an adversarial-disclosure context (researcher and vendor working together against the vendor’s stated wishes) is still purple in a meaningful sense.
6.3 The two axes summarized
The two-axis summary. Hats answer who. Team colors answer what role this person is playing right now. A white-hat red-teamer is an authorized adversary emulator. A white-hat blue-teamer is a defender. A black-hat actor mimicking a red-team operator is a criminal. The hat is your ethical stance; the team color is your engagement role this week. When the field says “red hat” without context, you have to ask: do they mean the engagement role or the older vigilante framing? (Usually it’s the engagement role; sometimes it’s neither, and the speaker means the OS distribution.) Most working practitioners do not know the two axes are distinct; the most useful thing this volume can do is name the split.
6.4 The “red hat” double meaning specifically
The single sharpest case of the two-axis confusion is red hat. The term denotes at least three things in casual usage:
- Engagement-role meaning. “I am a red-teamer” / “I do red-team work” — authorized adversary emulation. This is the dominant modern usage and the meaning Vol 11 treats as the primary spine.
- Older vigilante meaning. “Red hat” in some 1990s and early-2000s trade-press usage meant the vigilante — an unauthorized actor attacking other unauthorized actors (or otherwise “fighting back”). The framing is essentially dead in 2026 professional vocabulary but the term appears in older texts and an occasional non-expert source. The Eric S. Raymond Jargon File never adopted “red hat” in this sense; the framing was always trade-press popular rather than community-internal29.
- Linux distribution. Red Hat Inc. (the corporate parent of Red Hat Enterprise Linux, founded 1993; acquired by IBM 2019 for $34 billion) is unrelated to either security-hat meaning; the name was chosen by founder Marc Ewing because he wore a red lacrosse cap at Carnegie Mellon30. The brand is so dominant in Linux-enterprise contexts that “I work at Red Hat” almost always means the corporation; the security-context “red hat” almost never overlaps with the OS-context “Red Hat.”
Vol 11 leads with the engagement-role meaning, treats the vigilante meaning as a historical artifact in §3, and notes the OS overlap as a glossary item.
6.5 The seven-hats two-axis mapping table
The full table — the load-bearing artifact of this section. Every hat is mapped on both axes, with the conflation point named explicitly:
| Color | Axis 1 — Ethical stance | Axis 2 — Engagement role | Where the conflation is sharpest | Forward-reference |
|---|---|---|---|---|
| White | Authorized / constructive. The default ethical model for paid security work — written scope, signed contract, defined targets. | None inherent. A white-hat operator typically plays either red, blue, or purple in any given engagement. | None — white hat is unambiguously an Axis-1 term. | Vol 6 |
| Black | Unauthorized / criminal. Fraud, extortion, espionage, sabotage. | None inherent. A black-hat actor’s behavior may mimic any engagement role (a criminal running adversary-emulation tooling is still a criminal), but they aren’t on a “team” in the engagement-role sense. | “Insider threat” framing — a black-hat actor occupying a blue-team role. Vol 7 (black hat) covers insider threat as adversary; Vol 10 (blue hat, defender) covers insider-threat detection. | Vol 7 |
| Grey | Unauthorized / constructive. Independent vulnerability research, full-disclosure activism. Legal status is unauthorized; intent is constructive. | None inherent. Grey-hat work is by definition outside the engagement-role structure (there’s no contract under which the role is defined). | Coordinated-disclosure programs (HackerOne, Bugcrowd, vendor VDPs) move grey-hat work into authorized white-hat work — the boundary is fluid. Vol 8 §5 treats this. | Vol 8 |
| Green | Newcomer / pre-operational. Legal as long as practice stays in sanctioned environments (CTF, lab, bug-bounty scope). | None inherent — green hat is definitionally pre-engagement. | The boundary between green and white is fuzzy; there’s no certification ceremony for “operational.” Vol 9 §4 treats this. | Vol 9 |
| Blue | Implied white-hat (by employment construction). | Defender. SOC, IR, threat-hunting, detection engineering. | Two live meanings: blue-team defender vs. Microsoft BlueHat program. Vol 10 §3 treats the disambiguation. | Vol 10 |
| Red | Implied white-hat (in any legitimate engagement). Historical vigilante sense is unauthorized — but largely dead vocabulary. | Offensive operator. Adversary emulator. Authorized by construction. | Three meanings: engagement-role red-team (dominant), vigilante (legacy / fringe), Red Hat Linux distribution (unrelated). Vol 11 §3 treats the disambiguation. | Vol 11 |
| Purple | Implied white-hat (both sides authorized). | Collaborative integration of red and blue. A practice more than a role. | Practice vs. person — purple team is the engagement mode; purple hat is the practitioner. Trade press uses both interchangeably. Vol 12 §2 treats this. | Vol 12 |
Table 5.5 — The seven-color taxonomy mapped on both axes simultaneously. The Axis-1 column reads as the original ethical-stance hat metaphor (Western lineage). The Axis-2 column reads as the engagement-role team-color overlay (military lineage). The “conflation” column names where casual usage routinely confuses the two and forwards the disambiguation to the relevant hat volume. This is the master reference for every hat volume’s §3 (“definition”) and §4 (“placement on the spectrum”). The forward-references in the last column are the Vol 6–12 anchors that will resolve once those volumes are authored.
6.6 What each hat is not — disambiguation table
The dual of the mapping table — what each hat does not mean, to head off common confusions:
| Color | What it is NOT |
|---|---|
| White hat | NOT a specific certification (OSCP, CEH, etc. are credentialing artifacts, not hat assignments). NOT a guarantee of competence (authorization is necessary but not sufficient). NOT exclusive to penetration testing (in-house security, bug-bounty work, research, all fall under the white-hat banner if authorized). |
| Black hat | NOT the same as the Black Hat conference (the conference is named after the metaphor; the attendees are mostly white-hat). NOT necessarily skilled (the threat-actor population includes many low-skill operators leveraging mass tooling). NOT necessarily individual (organized criminal enterprises, nation-state units, and ransomware-as-a-service affiliate networks are all institutionally black-hat). |
| Grey hat | NOT a license to operate without authorization “as long as intent is good” — the unauthorized-access offences under the CFAA / CMA do not recognize good intent as a defense. NOT the same as bug-bounty work (which is authorized by program scope). NOT the same as a white-hat researcher with a vendor-coordinated-disclosure relationship. |
| Green hat | NOT script-kiddie (which is a derogatory term implying low-skill unauthorized operation; green hat presumes the operator is staying in sanctioned learning environments). NOT a junior pentester (a junior consultant under a senior’s supervision is a white-hat — the engagement is authorized). |
| Blue hat | NOT exclusively SOC analysts (incident response, threat hunting, detection engineering, security engineering, and security architecture all sit on the blue side). NOT a passive role (modern blue-team work includes active deception, adversary engagement, and proactive threat hunting). |
| Red hat | NOT the Linux distribution (Red Hat Inc.). NOT the vigilante framing in modern usage (largely dead). NOT necessarily senior (the engagement-role applies regardless of the operator’s experience level). |
| Purple hat | NOT a third role in addition to red and blue (it’s the integration of the two, not an alternative to them). NOT exclusively for mature SecOps shops (purple-team practices scale; a small org can run a one-day purple exercise as effectively as a large org can run a continuous program). |
Table 5.6 — Disambiguation: what each hat is NOT. The dual of Table 5.5. Each row clarifies a common confusion that the casual usage produces. Vols 6–12 expand each row at full depth in the corresponding volume’s §3 (definition) and §4 (placement on the spectrum).
6.7 Microsoft BlueHat vs. blue-team disambiguation
The one disambiguation that needs its own table, because the conflation is the sharpest single instance of the two-axis problem in the modern taxonomy:
| Attribute | Blue-team defender (engagement-role) | Microsoft BlueHat (vendor program) |
|---|---|---|
| Origin | Military war-gaming doctrine (§5.2) | Microsoft 2005 internal conference (Redmond) |
| Role | Defender — SOC, IR, threat hunting, detection engineering | Invited external researcher, working collaboratively with Microsoft engineering |
| Authorization model | Employed by the organization being defended | Invited by Microsoft to present / collaborate on Microsoft products |
| Closest white-hat analog | In-house security operations | Coordinated-disclosure researcher; vendor-relationship penetration tester |
| Where you see the term | Job titles (“Blue Team Lead”), SANS GIAC family curriculum, vendor product positioning, conference tracks at Black Hat / DEF CON / BSides | Microsoft documentation, BlueHat conference programming, MSRC engagement, Microsoft security blog |
| Posture | Defensive — incident response, detection, hunting | Offensive research presented to the defending vendor; closer to white-hat research |
| Disambiguation cue | “I do blue-team work” / “I’m on the blue side” / “I work in our SOC” | “I’m presenting at BlueHat” / “We submitted a paper to BlueHat” / “Microsoft BlueHat invited us” |
Table 5.7 — Microsoft BlueHat vs. blue-team disambiguation. The two senses of “blue hat” describe entirely different roles, and the conflation has been a recurring source of confusion in trade-press coverage since the Microsoft program began in 2005. Vol 10 §3 treats this disambiguation in the blue-hat volume; Vol 19 (legal line) treats the Microsoft program’s coordinated-disclosure context.
7. Criticisms of the metaphor and the “is it still useful?” debate
The hat metaphor has had thirty years of professional use. By 2026 it is load-bearing — it is the vocabulary the field uses to talk about itself, in conference programming, in job titles, in curriculum design, in trade-press coverage, in casual shop talk. It is also subject to legitimate, well-articulated criticism from multiple directions, and parts of it have been deliberately moved out of formal vendor and standards-body vocabulary in the early 2020s. This section names the criticism honestly, documents the formal industry guidance that has emerged in response, and arrives at the working-practitioner position: the vocabulary is still in use because it’s still useful, but with awareness of its limits and care in specific domains.
7.1 The four principal criticisms
(1) The binary ethical reading flattens a richer landscape. Real practitioners don’t fit cleanly into white-or-black. Independent vulnerability researchers operating outside coordinated-disclosure channels but for constructive ends are the canonical grey-hat case (Vol 8). Journalists and academic researchers doing security-relevant work under fair-use and academic-freedom defenses occupy a similar grey region. Civil-society organizations — Citizen Lab, the EFF, Access Now’s Digital Security Helpline — do work that is unambiguously beneficial and sometimes legally fraught (forensic analysis of state-deployed spyware on activists’ phones, for instance). Whistleblower and activist disclosures of security failures are another such case. None of these fit cleanly into white-or-black-with-grey-as-fudge-factor. The binary is a starting point, not a complete taxonomy.
(2) The engagement-role / ethical-stance conflation (§6) invites mismatched reasoning. When the same word hat is used for both axes, casual practitioners reason about the team colors as if they carried ethical-stance meaning, or vice versa. The “red hat vigilante” framing (§6.4) is the canonical case of the conflation producing bad reasoning — calling someone “a red hat” suggests engagement-role offensive authorization, when the historical sense was unauthorized vigilantism. Vol 11 has to spend a chapter on this disambiguation in 2026 because the conflation has been allowed to fester for two decades.
(3) The racial reading of “black = bad, white = good” has drawn legitimate criticism. The metaphor’s color binary was inherited from a cinema-genre era in which the racial reading of bright = virtuous, dark = evil was unexamined; in the modern professional vocabulary it remains, and the parallel to broader cultural-language concerns about color-coded moral assignments is legitimate. The criticism is not that working practitioners are personally invoking the racial parallel when they say “black-hat hacker”; it is that the field’s vocabulary inherits a connotation that the field has not explicitly examined, and that there are professional contexts where retaining the binary is unnecessary. Microsoft, Google, the IETF, and the UK NCSC have all published formal guidance on inclusive-language usage in security and infrastructure contexts; the relevant moves are documented in §7.2.
(4) The metaphor obscures more than it reveals in some modern contexts. The 2020s threat landscape — ransomware-as-a-service, initial-access-broker pipelines, nation-state-aligned criminal groups, AI-generated phishing-at-scale (see Vol 17) — has structural features that the seven-color taxonomy describes poorly. Calling a sophisticated APT group “black-hat” is technically correct but conveys little of the operational structure (the IAB-affiliate-operator-launderer pipeline catalogued in Vol 4 §6); calling a 14-year-old running a downloaded LOLBin script the same word obscures the fact that the two threats are operating at radically different competence and scale. The hat metaphor was developed in a world where individual operators were the load-bearing actor type; in the 2026 world they often aren’t.
7.2 The industry guidance moves of the 2020s
Major industry actors have published formal guidance on inclusive-language usage that addresses parts of the hat-metaphor critique. The guidance does not call for abandoning the hat metaphor; it does call for care, especially in the team-naming and infrastructure-vocabulary domains.
Industry-guidance summary (2020–2026). The major actors that have published inclusive-language guidance applicable to security vocabulary:
- UK NCSC (National Cyber Security Centre), 2020. Published “Terminology — it’s not black and white” (April 2020) — guidance for security professionals on moving away from binary color-coded language in protocol and security contexts. NCSC continues to use “red team / blue team” professionally as terms-of-art with established meaning, while flagging binary “blacklist / whitelist” usage as deprecated in favor of “allowlist / blocklist” or “denylist.” The NCSC framing is targeted disuse — not blanket replacement of all color metaphors31.
- IETF ecosystem — IAB and IESG inclusive-language statements, May 2021. The IAB (Internet Architecture Board) published its “IAB Statement on Inclusive Language in IAB Stream Documents” in May 2021; the IESG (Internet Engineering Steering Group) followed with its “IESG Statement on Inclusive Language” on May 11, 2021. These statements — not a single RFC — are the canonical IETF-ecosystem references on inclusive language in protocol specifications. Both call out “master/slave” and “blacklist/whitelist” as the canonical deprecated terms and propose “allowlist/blocklist” and “primary/secondary” alternatives. Both also point to NIST IR 8366 (“Guidance for NIST Staff on Using Inclusive Language in Documentary Standards”) and the draft-knodel-terminology Internet-Draft series (Mallory Knodel et al.) as supporting references. No RFC number encodes this guidance; it lives in the IAB and IESG statements plus the Knodel Internet-Draft series32.
- Microsoft, internal style-guide guidance (continuous, 2020–present). The Microsoft Style Guide deprecates “blacklist/whitelist” in favor of “allowlist/blocklist”; the BlueHat program retains its name (the program is named, not a generic role-descriptor). Microsoft’s red-team and blue-team naming for internal security functions continues, with the engagement-role meaning intact33.
- Google security organization, internal guidance (continuous, 2020–present). Google’s published security guidance follows a similar pattern — deprecate “blacklist/whitelist” in product and documentation contexts; retain red-team / blue-team as terms-of-art for engagement roles34.
The pattern across all four is consistent: target the specific binary color-coded vocabulary where alternatives exist and are non-disruptive (blacklist becomes blocklist or denylist, whitelist becomes allowlist); retain the team-color naming where it is a load-bearing term of art with no clean alternative (red team / blue team / purple team are still standard); be cautious about the hat-color metaphor in formal and external-facing writing, while continuing to use it in shop talk. No major actor is calling for retiring the seven-color taxonomy wholesale; several are calling for retiring its specific binary-encoded sub-vocabulary (blacklist/whitelist) where convenient alternatives exist.
7.3 The academic-critique perspective
The academic security-studies and hacker-culture-studies literature has periodically returned to the hat metaphor and adjacent vocabulary. Phil Lapsley’s Exploding the Phone (2013)35 is the canonical reconstruction of phreaking-era hacker culture and predates the modern color taxonomy; Gabriella Coleman’s Coding Freedom: The Ethics and Aesthetics of Hacking (2012) and Hacker, Hoaxer, Whistleblower, Spy (2014) treat the hacker self-identification register at depth without leaning heavily on the color metaphor36. The general academic position is that the color metaphor is descriptively useful but theoretically thin — it does not bear much analytic weight in serious scholarship. The hat metaphor is fine for trade-press and field self-description; for academic work, more precise category-language is preferred.
The history-of-computing literature has been more skeptical. Several historians have observed that the binary white/black framing imports cultural baggage from a cinema-genre era and obscures the actual diversity of motivations in the early phreaking and BBS-era communities (Vol 2 §3, Vol 3 §6). The argument is not that the field should abandon the metaphor; it is that historians and journalists writing for general audiences should be aware that the seven-color taxonomy is an industry self-description, not a settled analytic framework. This volume agrees with that framing — it is what §1 means by “archaeological description, not taxonomy advocacy.”
7.4 Where this volume comes down
The working position the rest of the series adopts:
- The hat vocabulary is in use because it’s load-bearing. Conference programming, job titles, curriculum design, trade-press coverage, and casual shop talk all use the seven colors. Replacing them at industry scale is not on the immediate horizon and is not what this volume advocates.
- The two-axis disambiguation (§6) matters. Calling out the ethical-stance vs. engagement-role split is the most useful thing the volume can do; Vols 6–12 each carry the disambiguation forward into their own §3 and §4.
- The criticism is legitimate and should be acknowledged honestly. §7.1’s four critiques are real. The industry-guidance moves in §7.2 reflect serious deliberation, not surface-level performance. A volume that pretended the criticism didn’t exist would be a worse reference than one that acknowledges it.
- Specific deprecated sub-vocabulary should be used carefully. Blacklist / whitelist should yield to blocklist / allowlist in new writing — this is the industry consensus by 2026, and there is no defensible reason not to follow it. The seven hat colors themselves remain in routine use, with care in the team-naming domain.
- Team-color naming retains its term-of-art meaning. Red team, blue team, purple team are not going to be renamed; they have institutional infrastructure (SANS curriculum, MITRE ATT&CK, certifications) that depends on the term-of-art usage. The engagement-role axis stays put.
7.5 Criticisms and industry responses — summary table
| Criticism | Response of industry actors |
|---|---|
| Binary ethical reading is too flat | Acknowledged; the seven-color taxonomy was the field’s own response (grey, green, etc.) but is still incomplete. Working practitioners supplement with concept-level language (“CVD-program researcher,” “in-house red-teamer”) when precision matters. |
| Engagement-role / ethical-stance conflation | Not directly addressed by any industry guidance; the two-axis disambiguation is mostly carried by individual practitioners and education curricula (this volume’s §6 is one such treatment). |
| Racial reading of black/white binary | UK NCSC 2020, IAB and IESG inclusive-language statements (May 2021), Microsoft and Google style-guide guidance — all deprecate the binary color sub-vocabulary (blacklist/whitelist) in favor of allowlist/blocklist where alternatives are clean. Hat-color metaphor itself retained but used with care in formal writing. |
| Hat metaphor obscures structural features of modern threats | Acknowledged in trade-press and academic literature; the supplementary taxonomies (MITRE ATT&CK, the kill-chain model, the CTI groups/operators/affiliates structure) carry the operational-detail load that the hat metaphor doesn’t. |
Table 5.8 — Criticisms of the hat metaphor and the corresponding industry responses by 2026. The pattern: the metaphor itself is retained, with care; specific binary sub-vocabulary (blacklist/whitelist) is being deprecated in formal contexts; the two-axis problem is not addressed by industry guidance and is mostly carried by practitioner-level disambiguation work.
Forward-reference callout: where each criticism is treated in the hat volumes. The hat volumes (6–12) each open with a “placement on the spectrum” section (their respective §3 and §4) that revisits these critiques in the context of the specific color. White hat (Vol 6) treats criticism (1) — what falls outside the white-hat box in practice. Grey hat (Vol 8) treats criticism (1) head-on — the grey category is what the binary doesn’t cover. Red hat (Vol 11) treats criticism (2) — the engagement-role/ethical-stance conflation is sharpest in the red-hat case. Vol 19 (legal line & ethics) is the synthesis volume where the broader inclusive-language guidance and the legal-ethics implications are revisited together.
8. The master taxonomy diagram
The centerpiece visual for the entire deep dive. Every later hat volume returns to this diagram, and every reference cluster section uses it as the orienting map. The diagram has two panels — both drawn horizontally for compactness, but representing orthogonal axes in meaning: Axis 1 (ethical stance, top panel) runs from unauthorized to authorized; Axis 2 (engagement role, bottom panel) runs across offensive, collaborative, and defensive. A third panel below makes the orthogonality explicit with worked combinations. The team colors are overlaid as the offensive / defensive / collaborative-integration zones.
```text
┌──────────────────────────────────────────────────────────────────────────────┐
│                                                                              │
│  AXIS 1 — Ethical stance / motivation / legality                             │
│  (the original Western-trope hat axis)                                       │
│                                                                              │
│  ◄── unauthorized ────────────────────────────────────────── authorized ──►  │
│      illegal                     ambiguous                          legal    │
│                                                                              │
│  ┌──────────┐    ┌─────────────┐    ┌──────────┐    ┌──────────────┐         │
│  │  BLACK   │    │    GREY     │    │  GREEN   │    │    WHITE     │         │
│  │ criminal │    │  unauth /   │    │newcomer; │    │ authorized;  │         │
│  │ intruder,│    │constructive;│    │pre-ops * │    │  pentester,  │         │
│  │extortion,│    │  research,  │    │(not yet  │    │  in-house,   │         │
│  │espionage,│    │ disclosure, │    │  placed  │    │  bug-bounty  │         │
│  │ sabotage │    │  activism   │    │on axis)  │    │              │         │
│  └──────────┘    └─────────────┘    └──────────┘    └──────────────┘         │
│     Vol 7             Vol 8            Vol 9             Vol 6               │
│                                                                              │
│  * Green is shown in sequence for visual order but is pre-operational —      │
│    the green-hat is choosing which placement to occupy, not yet there.       │
│                                                                              │
│  Lineage: Western cinema cliché (1900s–1940s) ──► trade-press migration      │
│  (~1993–95) ──► Black Hat Briefings 1997 ──► seven-color taxonomy in         │
│  curriculum (~2015 onward)                                                   │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│                                                                              │
│  AXIS 2 — Engagement role                                                    │
│  (the team-color overlay, from U.S. military war-gaming doctrine)            │
│                                                                              │
│  ◄── offensive ──────────────── collaborative ─────────────── defensive ──►  │
│                                                                              │
│  ┌──────────┐    ┌────────────────────────────┐    ┌──────────────┐          │
│  │   RED    │    │           PURPLE           │    │     BLUE     │          │
│  │offensive │◄───┤ collaborative red-and-     ├───►│  defender;   │          │
│  │operator; │    │ blue work; real-time       │    │   SOC, IR,   │          │
│  │adversary │    │ integration; shared        │    │    threat    │          │
│  │emulation;│    │ visibility                 │    │   hunting,   │          │
│  │TTPs;     │    │ (a practice, not a         │    │  detection   │          │
│  │ATT&CK    │    │ 3rd role)                  │    │     eng.     │          │
│  └──────────┘    └────────────────────────────┘    └──────────────┘          │
│     Vol 11                   Vol 12                     Vol 10               │
│                                                                              │
│  Note: "blue hat" has two live meanings — see Vol 10 §3 disambiguation       │
│  (blue-team defender vs. Microsoft BlueHat invited-researcher program).      │
│  The older "red hat = vigilante" sense is a historical artifact — Vol 11 §3. │
│                                                                              │
│  Lineage: U.S. military war-gaming (1960s) ──► DoD network red-teaming       │
│  (1990s, SAIC) ──► commercial pentest consultancies (~2005) ──► purple       │
│  emerging (~2013–15) ──► SANS SEC599 (2016)                                  │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
┌──────────────────────────────────────────────────────────────────────────────┐
│                                                                              │
│  THE TWO AXES ARE ORTHOGONAL                                                 │
│                                                                              │
│  A person occupies one position on each axis simultaneously:                 │
│                                                                              │
│    • white-hat + red-team → authorized adversary emulator                    │
│    • white-hat + blue-team → in-house defender                               │
│    • white-hat + purple-team → collaborative-engagement operator             │
│    • grey-hat + (no role) → independent researcher, no engagement scope      │
│    • black-hat + red-style technique → still criminal                        │
│    • green-hat + (no role) → pre-engagement-role entirely                    │
│                                                                              │
│  The hat = your ethical stance (Axis 1).                                     │
│  The color = your engagement role this week (Axis 2).                        │
│                                                                              │
└──────────────────────────────────────────────────────────────────────────────┘
```
Figure 5.5 — The master taxonomy diagram. The centerpiece visual for the entire deep dive. Axis 1 (top panel) traces the four ethical-stance hats from black through grey, green, and white — the original Western-trope-derived hat metaphor. Axis 2 (middle panel) traces the three engagement-role team colors from red (offensive) through purple (collaborative integration) to blue (defensive) — the military-war-gaming-derived overlay. The bottom panel names the orthogonality: a person occupies one position on each axis simultaneously, and a hat-volume reader should think of any given practitioner’s full description as a pair (ethical-stance, engagement-role) rather than a single color. Every later volume in this series cross-references Figure 5.5 — Vols 6–12 in their §3 and §4; Vols 13–17 in their tradecraft-walkthroughs whenever an operator’s posture matters; Vols 18–19 in the careers and legal-line synthesis; Vol 20 in the laminate-ready cheatsheet rendering of the same content. The forward-reference Vol numbers on the right side of each panel are the canonical pointers.
The diagram is also the artifact that the deep dive’s cross-tool deep dives will most often link into. Other Hack Tools deep dives — WiFi Pineapple, HackRF One, Flipper Zero, Ducky Script, Proxmark3 — will reach into the vol05-the-master-taxonomy-diagram anchor when they need to disambiguate “is this tool a black-hat tool?” (answer: no, tools are not ethical-stance-coded; their operators are). The diagram supplies the explicit two-axis disambiguation that the question demands.
8.1 How to read the diagram in practice
A worked example. Consider a working security consultant at a pentest consultancy (one of the second-generation firms catalogued in Vol 4 §2.2). On a given Monday morning, that consultant is on an authorized red-team engagement against a Fortune-500 retailer. Their position on Axis 1 is white (authorized; written engagement scope; signed contract). Their position on Axis 2 is red (offensive adversary-emulation). The full description is “white-hat red-teamer” — and Figure 5.5 makes the two pieces visible separately.
On the following Wednesday, the same consultant is presenting research findings at a SANS purple-team training course as a guest instructor. Their position on Axis 1 remains white. Their position on Axis 2 is now purple — they are demonstrating collaborative red-and-blue work in the training context. The consultant has not changed hats in the ethical-stance sense; they have changed engagement roles for the week.
On the following Saturday, the same consultant publishes a vulnerability disclosure on their personal blog about a security issue they found in a piece of open-source software during their hobby tinkering, without prior coordination with the project maintainers. Their position on Axis 1 has moved to grey (unauthorized but constructive). Their position on Axis 2 has effectively dissolved (independent disclosure is not an engagement role). The same person, three days later, has moved one full position on Axis 1 — and the two-axis framework continues to describe their work precisely.
That descriptive precision is the entire point of the diagram. The seven-color taxonomy, read as a flat list, would force the consultant into one box and miss the structural change between Monday’s white-hat red-team work, Wednesday’s white-hat purple-team teaching, and Saturday’s grey-hat independent disclosure. The two-axis framing captures it natively.
9. Cheatsheet updates
One-liners destined for Vol 20’s cheatsheet. The hat-metaphor cheatsheet section is one of the highest-value field-card entries — a reader on a bench or in a meeting room needs the two-axis disambiguation accessible at a glance:
- The Western-trope origin is gradual, not single-film. The hat-color convention solidified across the 1900s–1940s B-Western era — Tom Mix silent-era brand hardening, Hopalong Cassidy 1935 deliberate inversion, Saturday-matinee golden age. The Great Train Robbery (1903) is widely cited as origin but its hat coding was not consistent. Treat single-film origin stories with skepticism.
- “Black hat” was cemented by Jeff Moss’s 1997 conference. Black Hat Briefings I, July 7–10, 1997, Aladdin Hotel, Las Vegas. The conference name took the trade-press shorthand and institutionalized it; “Black Hat content” came to mean offensive research disclosed at the conference, regardless of presenter identity. The accompanying DEF CON (founded 1993) supplied the underground-culture half.
- The two axes: ethical-stance hats vs. engagement-role colors. Hats (white/black/grey/green) describe who and what side of the law. Team colors (red/blue/purple) describe what role this person is playing during a structured engagement. The two axes are orthogonal — a person can be at any combination. The hat is your ethical stance; the team color is your engagement role this week.
- “Red team” is military, not Western. Red team / blue team trace to U.S. military war-gaming doctrine (Cold War-era; CIA Bay of Pigs retrospective sometimes cited but hard to primary-source; SAIC DoD network-red-teaming 1990s). Different lineage than the Western-trope hat colors despite shared color-naming.
- “Blue hat” has two live meanings. (1) Blue-team defender — SOC, IR, threat-hunting. (2) Microsoft BlueHat program — invited external researcher; conference began 2005 in Redmond. The two senses describe entirely different roles. Disambiguate from context.
- Purple team is a practice; purple hat is a person. Purple team is the engagement mode (collaborative red-and-blue, real-time integration, shared visibility); purple hat is the practitioner who works in or leads such engagements. Trade press uses both terms interchangeably; engineer-grade reading distinguishes them.
- The four principal criticisms of the hat metaphor. (1) Binary ethical reading flattens a richer landscape. (2) Engagement-role / ethical-stance conflation invites mismatched reasoning. (3) Racial reading of black/white binary has drawn legitimate criticism. (4) Metaphor obscures structural features of modern threats (RaaS pipelines, IAB networks, AI-scaled phishing). The 2020s industry response deprecates specific binary sub-vocabulary (blacklist/whitelist → blocklist/allowlist) while retaining the hat and team-color terms-of-art.
- The OED first-citation for “white hat” in security context is 1981. Normalized in trade-press by ~1993–1996. Routine professional vocabulary by Black Hat 1997. Seven-color modern taxonomy crystallizes in curriculum materials by ~2015 onward.
- Grey-hat-as-recognized-category dates to L0pht 1998. The May 19, 1998 Senate Committee on Governmental Affairs testimony by the seven L0pht testifiers (Oblivion, Kingpin, Mudge, Space Rogue, Stefan Von Neumann, John Tan, Weld Pond) is the inflection event that solidified grey-hat as a third category in industry vocabulary.
10. Resources
Western-cinema scholarship.
- Buscombe, Edward. The BFI Companion to the Western. André Deutsch / British Film Institute, 1988³⁷. The canonical reference for Western-film convention history; catalogues the hat-color visual coding as established by the B-Western era while cautioning against single-film origin attributions.
- Stanfield, Peter. Hollywood, Westerns, and the 1930s: The Lost Trail. University of Exeter Press, 2001³⁸. Academic treatment of the 1930s B-Western era, treating the visual conventions of singing-cowboy and Saturday-matinee productions as one of several clusters of low-cost iconographic shortcuts.
Security-conference founding sources.
- Black Hat Briefings — official history page archive³⁹. Documents the 1997 founding by Jeff Moss, the 2005 CMP Media acquisition, the international expansion to Asia / Europe / Middle East, and the program-track structure.
- DEF CON — history page (defcon.org/html/links/dc-about.html) and Vol 3 §9.3 of this series. DEF CON 1 (1993) approximately 100 attendees; DEF CON 31 (2023) exceeded 30,000.
Microsoft BlueHat program documentation.
- Microsoft Security Response Center (MSRC) — BlueHat program pages⁴⁰. Documents the 2005 founding of the BlueHat conference at Microsoft Redmond, the regional editions (Israel, Shanghai, others), and the BlueHat Prize (first awarded 2012).
SANS Purple Team Operations curriculum.
- SANS SEC599: Defeating Advanced Adversaries — Purple Team Operations⁴¹. Course launched 2016; covers integrated red-and-blue exercise methodology, MITRE ATT&CK technique mapping, and detection-engineering iteration. The cementing curriculum for “purple team” as a recognized practice mode.
L0pht Senate testimony (May 19, 1998).
- U.S. Senate Committee on Governmental Affairs hearing transcript, “Weak Computer Security in Government: Is the Public at Risk?”, May 19, 1998⁴². Testimony by Brian Oblivion, Kingpin (Joe Grand), Mudge (Peiter Zatko), Space Rogue (Cris Thomas), Stefan Von Neumann, John Tan, and Weld Pond (Chris Wysopal), appearing under their hacker handles. The inflection event that solidified grey-hat as a recognized third category.
Inclusive-language industry guidance.
- UK NCSC, “Terminology — it’s not black and white” (April 2020)⁴³. NCSC’s guidance on moving away from binary color-coded protocol vocabulary (blacklist/whitelist → blocklist/allowlist), while retaining red team / blue team as established terms-of-art.
- IAB Statement on Inclusive Language in IAB Stream Documents (iab.org, May 2021)⁴⁴. The IAB’s formal statement on replacing deprecated terminology in IETF and IAB stream documents; canonical IETF-ecosystem reference for inclusive language in protocol specifications alongside the IESG Statement on Inclusive Language (ietf.org, May 11, 2021). Both statements reference NIST IR 8366 and the draft-knodel-terminology Internet-Draft series by Mallory Knodel et al. as supporting materials. Note on literature imprecision: security sources occasionally cite an IETF RFC number in this context; those citations are misattributions to unrelated networking standards⁴⁵.
- Microsoft Writing Style Guide — inclusive-language section (continuous, 2020–present).
- Google security organization, internal guidance (continuous, 2020–present). Published in selected blog posts and developer guidance.
Academic / hacker-culture scholarship.
- Lapsley, Phil. Exploding the Phone: The Untold Story of the Teenagers and Outlaws Who Hacked Ma Bell. Grove Press, 2013⁴⁶. The canonical reconstruction of phreaking-era hacker culture; the deep-source historical work that Vol 2 of this series leans on. Predates the modern color taxonomy and provides the vocabulary archaeology for the era before the hat metaphor.
- Coleman, Gabriella. Coding Freedom: The Ethics and Aesthetics of Hacking. Princeton University Press, 2012⁴⁷. Anthropological treatment of free-software-developer culture; treats hacker self-identification register at depth without leaning on the color metaphor.
- Coleman, Gabriella. Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous. Verso, 2014⁴⁸. Ethnographic study of Anonymous; treats the modern hacker-activist identity formation in a way that explicitly sidesteps the seven-color taxonomy.
Series infrastructure.
- Vol 1 §3 and §4 of this series — the original hat-spectrum table and the two-axis framing that this volume deepened.
- Vols 6–12 of this series (planned) — one volume per hat, each opening with a “definition” and “placement on the spectrum” section that cross-references back to Figure 5.5.
- Vol 21 of this series (planned) — the canonical anchor index, including a top-level anchor at this volume’s master-taxonomy diagram in §8.
- The Hack Tools deep-dive protocol and the Hack Tools legal/ethics baseline — project-wide context.
This is Volume 5 of a ~21-volume series. Next: Vol 6 opens the hat-volumes cluster (Vols 6–12) — White Hat — covering the authorized security researcher / penetration tester role at full depth: definition, history of the profession, daily routine of a working consultant or in-house security engineer, the full toolkit (Burp, the Nessus/ZAP family, OWASP, Metasploit, the SDR and HID tools where relevant), how people actually get hired into the role, and which famous figures shaped the modern white-hat craft.
Footnotes
- Black Hat Briefings, founded 1997 by Jeff Moss (online handle: The Dark Tangent), as the corporate-aligned commercial counterpart to DEF CON (which Moss founded in 1993). First conference held July 7–10, 1997, at the Aladdin Hotel in Las Vegas. Acquired by CMP Media in 2005, subsequently UBM and now Informa. Has expanded to regional editions in Asia, Europe, and the Middle East. The conference’s longevity and institutional weight are the largest single reason “black hat” cemented as professional security vocabulary; see §4 for full treatment.
- Edwin S. Porter’s The Great Train Robbery (Edison Manufacturing Co., 1903) is widely cited in popular security-history accounts as the originating film for the white-hat / black-hat visual convention. The standard claim does not survive examination — The Great Train Robbery’s outlaws and lawmen wear a mix of hats and head coverings, and the 12-minute film’s monochrome rendering does not enforce a consistent visual binary. The convention developed later and across multiple sources rather than from any single landmark production. See §2.2 for the actual lineage; Buscombe (1988) is the canonical reference cautioning against single-film origin attributions.
- The silent era is conventionally bracketed by The Great Train Robbery (1903) at the beginning and The Jazz Singer (1927) at the end; Warner Bros’ Jazz Singer (released October 6, 1927) was the first feature-length film to include synchronized sound dialogue, though shorter sound experiments preceded it. Silent productions continued into the early 1930s before the industry fully transitioned to sound.
- Eastman Kodak introduced panchromatic black-and-white film stock for motion-picture use in 1922, replacing orthochromatic stock (which was insensitive to red wavelengths and rendered red costume and makeup as nearly-black on screen). Panchromatic stock dramatically improved tonal range; among other effects, it made nuanced costume-color choices more legible on screen and is part of the technical context for the B-Western era’s visual conventions (§2.2).
- The pulp-Western fiction tradition — Buffalo Bill’s Wild West Show (1883–1913), the Beadle and Adams dime novels (1860s–1900s), the Wild West Weekly and Western Story Magazine pulps of the 1900s–1950s — predates film and supplies much of the iconographic vocabulary (the white-hatted hero, the black-hatted desperado, the lawman’s badge as visual cue) that the silent-era and B-Western film industries inherited. See Christine Bold’s The Frontier Club (2013) for the cross-medium scholarly treatment.
- Edison Manufacturing Co.’s The Great Train Robbery (1903), restored copies available via the Library of Congress National Film Registry, contains no consistent hat-color hero/villain coding. The outlaws wear a variety of hat styles; the posse (which arrives in the final third) is also variously hatted. The film is correctly cited as a landmark in Western narrative convention (chase, ambush, robbery, comeuppance) but not in the wardrobe-color convention.
- Tom Mix (1880–1940), American silent-era and early-sound Western film star. Star of approximately 290 silent and sound Western films, principally for Selig Polyscope (1909–1917) and Fox Film Corporation (1917–1928), with a smaller body of FBO and Universal sound-era work. Mix’s costuming evolved over the 1910s and hardened by the 1920s into a recognizable iconography: white or light-colored ten-gallon hat, ornate Western-cut shirts, decorated gunbelt. The “good guy in the white hat” was effectively Mix’s personal brand for two decades and seeded the broader visual convention.
- William Boyd as Hopalong Cassidy starred in 66 films released between 1935 (Hop-Along Cassidy) and 1948 (the final theatrical features), in addition to the subsequent television series (NBC, 1949–1952). The character had originated in Clarence Mulford’s pulp-fiction novels and stories starting in 1904. Boyd’s screen Cassidy wore all-black throughout the series — black hat, black shirt, black trousers, white horse named Topper — as a deliberate signature choice. The fact that the wardrobe inversion was a recognizable trademark by 1935 establishes that the white-hat-good-guy convention was already strong enough to be inverted as a brand differentiator.
- Buscombe, Edward, ed. The BFI Companion to the Western. André Deutsch / British Film Institute, 1988. The canonical scholarly reference work on Western-film conventions; catalogues the hat-color hero/villain coding as established by the B-Western era of the 1930s–1940s. The companion’s entries on costume, color-coding, and the iconography of B-Westerns explicitly caution against single-film origin attributions for genre conventions, treating them as gradual emergent properties of production constraints and audience-expectation conditioning.
- Stanfield, Peter. Hollywood, Westerns, and the 1930s: The Lost Trail. University of Exeter Press, 2001. Academic treatment of the 1930s B-Western era — the singing-cowboy and Saturday-matinee subgenres — and the cultural and economic conditions that shaped them. Treats visual conventions (hat-color coding included) as one of a cluster of low-cost iconographic shortcuts produced by tight budgets and child-audience-focused marketing, without single-source attribution.
- The phrase “white hat” / “black hat” in computing-security contexts appears in InformationWeek, Network World, Computer Security Journal, and SC Magazine trade-press articles by approximately 1993, and is normalized by 1995–1996. The exact first-publication date is genuinely difficult to pin down — trade-press archives of the early 1990s are not uniformly digitized or searchable, and informal vocabulary typically circulates for years in newsgroup and verbal usage before printed appearance. A primary-source-clean first citation is not, as far as the author has been able to verify, established in the literature.
- The Oxford English Dictionary online edition dates the first usage of “white hat” in the broader “good guy” / hero sense (drawing on the Western-film convention) to a 1981 entry. The dictionary’s first-citation for “white hat” in specifically computing-security contexts is later. Note that OED first-citations are themselves not always primary-sourced and reflect the dictionary’s scanning of available archival sources rather than exhaustive coverage.
- The relevant Usenet newsgroups — alt.security (founded 1988), sci.crypt (1991), comp.security.unix (1990s), alt.2600 (1991) — contain informal references to “white hat” / “black hat” through the early-to-mid 1990s, searchable via Google Groups (which captures the bulk of the public Usenet archive) and the Internet Archive’s Usenet collections. None of the references constitute a clean first-citation; the usage was informal and emergent.
- Wired magazine’s coverage of the security industry in 1995–1996 includes feature articles that use “white hat” and “black hat” in approximately their modern senses. The exact first-issue appearance is difficult to pin from current archive access; the relevant point for this volume is that the term had crossed from trade-press into general-readership technology-magazine coverage by approximately 1995, which is the watershed in popular awareness of the hat-color vocabulary in security contexts.
- Raymond, Eric S., editor. The New Hacker’s Dictionary. MIT Press, 1991; second edition 1993; third edition 1996. The print form of The Jargon File, the long-running collaborative document of hacker community vocabulary, dating in some form to MIT/Stanford/CMU circulation as early as 1975 (the “Greg Christopher” and Raphael Finkel versions). Raymond’s 1991+ editions maintained the hacker vs. cracker distinction as a normative position; the position never won mainstream usage but is a useful cultural-history artifact for understanding why the hat-color shorthand was needed at all — cracker did not stick, and the hat colors filled the descriptive gap.
- Jeff Moss (online handle: The Dark Tangent; born 1975) is the founder of both DEF CON (1993) and Black Hat Briefings (1997). Has served on the U.S. Department of Homeland Security Advisory Council (2009–2012) and ICANN Board of Directors. The two-conference structure he established in 1997 — Black Hat Wednesday/Thursday + DEF CON Friday/Saturday/Sunday, in adjacent Las Vegas venues — has held with minor variation for nearly three decades and is the structural reason the third week of August is the security industry’s most institutionally-dense conference week.
- The first Black Hat Briefings (July 7–10, 1997, Aladdin Hotel, Las Vegas) drew approximately 400 attendees. The specific figure is reported in subsequent Black Hat retrospectives and interviews with Moss, including the official Black Hat history pages. The first-conference roster of speakers included Mudge (Peiter Zatko) of L0pht, Dominique Brezinski, and a small additional cohort of offensive-research presenters; the audience composition was predominantly corporate security teams, government, and the press.
- Jeff Moss has discussed the deliberate choice of the “Black Hat” name in subsequent interviews and conference retrospectives, framing it as both descriptive (the content is offensive research) and provocative (the name reuses the trade-press shorthand of “black hat” as a moral term). The dual register — named after the bad guys, attended by the good guys — is the productive ambiguity that allowed the conference name to become a stable industry-vocabulary anchor over the subsequent two decades.
- Black Hat Briefings was acquired by CMP Media in November 2005; CMP Media was subsequently rolled into United Business Media (UBM), and Black Hat is currently operated by Informa Tech (Informa plc) following Informa’s 2018 acquisition of UBM. The conference’s institutional ownership over its lifetime has therefore traced: Moss/Pearl Harbor Productions (1997–2005) → CMP Media (2005–2010) → UBM (2010–2018) → Informa Tech (2018–present).
- The L0pht testimony before the U.S. Senate Committee on Governmental Affairs took place on May 19, 1998, as part of the hearing “Weak Computer Security in Government: Is the Public at Risk?”. The seven testifiers — Brian Oblivion, Kingpin (Joe Grand), Mudge (Peiter Zatko), Space Rogue (Cris Thomas), Stefan Von Neumann, John Tan, and Weld Pond (Chris Wysopal) — appeared under their hacker handles, with the committee accepting handles in lieu of legal names. The testimony documented systematic vulnerabilities in commercial and government computer systems, including the claim (subsequently widely repeated and lightly disputed) that the L0pht could “make the internet unusable for the entire nation” in 30 minutes. Vol 3 §9.2 of this series treats the testimony at full depth; this volume reuses the canonical roster.
- The trade-press coverage of the L0pht in the 1998–1999 period — Wired, Computer Security Journal, Computerworld, InformationWeek, 2600 — used “grey hat” (or “gray hat”) as a descriptor for the L0pht’s independent-research posture, distinguishing it from both authorized white-hat consulting and criminal black-hat intrusion. The term was not invented by L0pht coverage but was solidified in the broader vocabulary by the press attention given to the Senate testimony.
- The U.S. military’s use of red/blue color-coding for adversary/home roles in war-gaming exercises is conventionally dated to the Cold War era (1950s–1980s) and is widely repeated in security literature, though specific first-citations are difficult to pin down. The convention pre-dated dedicated security war-gaming exercises and was inherited from broader military planning and intelligence-analysis usage. The CIA’s adversarial-analysis discipline (“Team A / Team B” exercises, of which the most famous public example is the 1976 Team B re-analysis of Soviet strategic intentions) used colored or named teams as a routine practice element.
- The 1961 Bay of Pigs after-action review — the U.S. government’s internal post-mortem of the failed CIA-organized invasion of Cuba — is sometimes cited in security-literature secondary sources as an early documented use of red/blue framing for adversarial analysis. The specific attribution to that document is hard to primary-source from accessible declassified records; the conservative reading is that red/blue role-naming in U.S. military and intelligence-community planning was well-established by the early 1960s and that the Bay of Pigs review was one of many such uses rather than a clean origin point.
- Science Applications International Corporation (SAIC) is widely credited in security-literature secondary sources with formalizing red-team practices in U.S. Department of Defense network-security contexts in the early-to-mid 1990s. Specific primary-source citations are limited by the classified or unpublished nature of much of the relevant contracting work; the general framing is well-supported in industry retrospectives and is consistent with the subsequent commercial-pentest red-team adoption in the early 2000s.
- CompTIA’s Security+ and PenTest+ curricula, EC-Council’s Certified Ethical Hacker (CEH) materials, and similar entry-level security training programs began including the “green hat” / newcomer category in their hat-color glossaries by approximately 2015. The term emerged from informal learner-community usage (Reddit r/AskNetsec and r/HowToHack, Stack Exchange Security, TryHackMe and HackTheBox forums) through the early 2010s before being codified in curriculum materials.
- Microsoft’s BlueHat Security Briefings were established in 2005 as a regular internal Microsoft event at Redmond, bringing external security researchers into Microsoft to present current research directly to product engineering teams. The program has since expanded to regional editions (BlueHat Israel; BlueHat Shanghai; others on irregular schedules), and the broader BlueHat program now includes the BlueHat Prize (a security-research prize program first awarded 2012) and a range of MSRC-managed external-researcher engagement activities. The conference is the most visible artifact of the program but is one element of a multi-decade external-researcher-collaboration discipline.
- The phrase “purple team” in approximately the modern sense — collaborative red-and-blue work, real-time integration, shared visibility — appears in security trade-press and major-firm threat-intelligence coverage from approximately 2013–2015. FireEye/Mandiant, CrowdStrike, and other major-firm threat-intelligence teams used the term in published 2014 coverage. The exact first-publication date is difficult to pin; the term was percolating in industry vocabulary for several years before SANS’s 2016 SEC599 launch.
- SANS Institute’s SEC599 course, “Defeating Advanced Adversaries — Purple Team Operations” (formerly subtitled “Implementing Kill Chain Defenses”), was launched in 2016 by Erik Van Buggenhout and Stephen Sims. The course covers integrated red-and-blue exercise methodology, MITRE ATT&CK technique mapping to detection-engineering iteration, and the broader purple-team-as-practice discipline. SANS’s adoption of the term and the course’s broad uptake across SOC and red-team practitioners through the late 2010s is the cementing event for “purple team” as a recognized practice mode in mainstream security curriculum.
-
The “red hat = vigilante” framing — describing an unauthorized actor attacking other unauthorized actors, or “fighting back” against perceived bad actors — appears in occasional 1990s and early-2000s trade-press usage but never stabilized in either community-internal or mainstream professional vocabulary. The framing is largely dead in 2026 usage; the engagement-role “red team” meaning is dominant. The vigilante framing matters historically because it is sometimes invoked in older texts and by non-expert sources, and a reader encountering “red hat” in an older context should be prepared to disambiguate. ↩
-
Red Hat Inc., the commercial Linux distribution and enterprise-software company, was founded in 1993 by Marc Ewing and Bob Young, with subsequent corporate development through the 1990s and 2000s, including the 1999 IPO and the 2019 acquisition by IBM for $34 billion. The “Red Hat” name was chosen by Ewing because he wore a red lacrosse cap at Carnegie Mellon University; the brand is unrelated to either the engagement-role or the vigilante security-hat senses. The naming collision is a recurring source of confusion in casual usage and a glossary entry in Vol 11. ↩
-
UK NCSC (National Cyber Security Centre), “Terminology — it’s not black and white,” April 2020. The NCSC’s guidance on inclusive-language usage in security and infrastructure contexts; recommends deprecating binary color-coded vocabulary (blacklist/whitelist → blocklist/allowlist) while retaining red team / blue team as established terms-of-art. NCSC has continued to apply this guidance in its own publications and engagement materials. ↩
-
IAB Statement on Inclusive Language in IAB Stream Documents (iab.org, May 2021); IESG Statement on Inclusive Language (ietf.org, May 11, 2021). These are the canonical IETF-ecosystem references on inclusive language in protocol specifications — not a single RFC. Both statements reference NIST IR 8366 (“Guidance for NIST Staff on Using Inclusive Language in Documentary Standards,” NIST Internal Report) and the draft-knodel-terminology Internet-Draft series (Mallory Knodel, Niels ten Oever et al.) as supporting references. Security trade-press occasionally cites an IETF RFC number in inclusive-language discussions; those citations are consistently misattributed — the authoritative inclusive-language references are the IAB and IESG statements and the Knodel Internet-Draft series, none of which are numbered RFCs. ↩
-
Microsoft Writing Style Guide, inclusive-language section (continuous, 2020–present). The Microsoft Style Guide deprecates “blacklist/whitelist” in favor of “allowlist/blocklist” in product and documentation contexts. The Microsoft BlueHat program retains its name (it is a named program, not a generic role-descriptor). Microsoft’s internal red-team and blue-team naming for security functions continues with the engagement-role meaning intact. The pattern is consistent with the broader industry guidance documented in §7.2. ↩
-
Google’s published security guidance and developer documentation, continuous (2020–present). Google’s security organization follows a similar inclusive-language pattern to Microsoft and NCSC — deprecate binary color sub-vocabulary (blacklist/whitelist) where convenient alternatives exist; retain red-team / blue-team as established engagement-role terminology. Published in selected security-blog posts and developer-documentation style updates rather than as a single formal guidance document. ↩
-
Lapsley, Phil. Exploding the Phone: The Untold Story of the Teenagers and Outlaws Who Hacked Ma Bell. Grove Press, 2013. The canonical reconstruction of the phone-phreaking-era hacker culture (1950s–1980s), drawing on extensive primary-source interviews and archival research. Predates the modern color taxonomy and provides the vocabulary archaeology for the era before the hat metaphor entered security usage. Vol 2 of this series leans on Lapsley as a primary source. ↩
-
Coleman, Gabriella. Two key works for this volume’s purposes: Coding Freedom: The Ethics and Aesthetics of Hacking (Princeton University Press, 2012), an anthropological treatment of free-software-developer culture; and Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous (Verso, 2014), an ethnographic study of the Anonymous activist-hacker formation. Both treat the hacker self-identification register at depth without leaning heavily on the color-hat taxonomy, supplying useful academic-cultural-studies framing for the metaphor’s place in actual community self-description (where the colors matter much less than the popular and trade-press registers suggest). ↩
-
As 9 above. Available via institutional library access; not widely available in print today; subsequent printings have been by Bloomsbury / BFI Publishing. The companion remains the canonical scholarly reference for Western-film conventions and is the primary citation for §2.2’s claim that the hat-color convention is gradual rather than single-film-origin. ↩
-
As 10 above. Stanfield’s broader bibliography on Western-film history includes additional volumes on the early-1930s Western and singing-cowboy subgenres; Lost Trail is the most direct fit for §2.2’s narrative. ↩
-
Black Hat’s official history pages (blackhat.com/html/about-us.html and similar archived versions via the Internet Archive’s Wayback Machine) document the 1997 founding, the 2005 CMP Media acquisition, and the program-track evolution. The Wayback Machine snapshots from 1998 and 1999 are particularly useful for confirming the early-conference attendee figures and speaker rosters. ↩
-
Microsoft Security Response Center (MSRC), BlueHat program documentation (msrc.microsoft.com/blog/category/bluehat/ and similar). Documents the 2005 founding of the BlueHat conference at Microsoft Redmond, the regional editions, the BlueHat Prize (first awarded 2012, $250,000 grand prize for novel mitigation research), and the broader MSRC-managed external-researcher engagement activities. ↩
-
As 28 above. The SANS Institute course catalog (sans.org/cyber-security-courses/) maintains current course descriptions and curriculum mapping for SEC599 and related courses (SEC560: Network Penetration Testing and Ethical Hacking; SEC542: Web App Penetration Testing; etc.). The SEC599 course outline serves as one of the more detailed publicly-available reference documents for the purple-team-operations curriculum. ↩
-
U.S. Senate Committee on Governmental Affairs hearing, “Weak Computer Security in Government: Is the Public at Risk?”, May 19, 1998. Hearing transcripts archived via the U.S. Government Publishing Office and available through congressional-records research databases. Vol 3 §9.2 of this series treats the testimony at full depth; the canonical seven-testifier roster (Oblivion, Kingpin, Mudge, Space Rogue, Stefan Von Neumann, John Tan, Weld Pond) is reused throughout this series. ↩
-
UK NCSC, “Terminology — it’s not black and white,” April 30, 2020 (ncsc.gov.uk/blog-post/terminology-its-not-black-and-white). The blog post articulates NCSC’s reasoning for deprecating specific binary color-coded vocabulary while retaining red team / blue team as established terms-of-art. ↩
-
As 32 above. IAB Statement: iab.org/documents/correspondence-reports-documents/2021-2/iab-statement-on-inclusive-language-in-iab-stream-documents/ (May 2021). IESG Statement: ietf.org/about/groups/iesg/statements/on-inclusive-language/ (May 11, 2021). NIST IR 8366: doi.org/10.6028/NIST.IR.8366. draft-knodel-terminology Internet-Draft history: datatracker.ietf.org/doc/draft-knodel-terminology/. These four references together constitute the canonical IETF-ecosystem treatment of inclusive terminology in protocol specifications. ↩
-
The literature on inclusive language in IETF and security contexts is not always precise. The correct canonical references are: (1) the IAB Statement on Inclusive Language in IAB Stream Documents (iab.org, May 2021); (2) the IESG Statement on Inclusive Language (ietf.org, May 11, 2021); (3) the draft-knodel-terminology Internet-Draft series by Mallory Knodel et al. (proposed, not finalized as an RFC); and (4) NIST IR 8366, the NIST internal report that both statements point to. Security trade-press references that cite numbered RFCs in inclusive-language discussions are consistently citing IoT/networking RFCs that have nothing to do with inclusive language — both of the commonly-cited RFC numbers in this area are misattributions. This volume’s §7.2 cites the IAB and IESG statements as the correct canonical IETF-ecosystem references. ↩
-
As 35 above. Available in trade paperback and hardcover from Grove Press; the audiobook edition is also widely available. The book is the most cited source for phreaking-era history in this series. ↩
-
As 36 above (first work). Coding Freedom: The Ethics and Aesthetics of Hacking (Princeton University Press, 2012) is freely available under a Creative Commons license at gabriellacoleman.org/coding-freedom; the print edition is widely available. Coleman’s anthropological method — embedded ethnography of the Debian free-software-developer community over multiple years — produces a register of hacker self-identification quite different from the trade-press color-hat shorthand. ↩
-
As 36 above (second work). Hacker, Hoaxer, Whistleblower, Spy: The Many Faces of Anonymous (Verso, 2014) treats the formation of the Anonymous activist-hacker identity in a way that explicitly sidesteps the seven-color taxonomy and supplies a useful alternative analytic vocabulary for the politicized-hacking practitioner type that the hat metaphor describes poorly. ↩