‘Military-grade security’ is a category error.

‘Military-grade security’ is a category error. It often means rugged hardware, not resilient controls. Think Rite in the Rain notebooks: great in mud and rain, irrelevant to tokens, misconfig, and attackers. Ask: which standard, what scope, what evidence?

‘Military-grade security’ is a category error. I read this in an article and it made me think.

When people (usually sales or marketing) say it, they want you to hear: strong, serious, dependable. What it often means is: built for a different environment, with a different definition of success.

The military buys for a mission. Sometimes that mission is harsh weather, mud, salt water, vibration, careless handling, and the certainty that things will be lost, stolen, or destroyed. If you have ever used Rite in the Rain notebooks, you have seen what that looks like when it is done well. You can write in rain, in grime, and even after the notebook has been submerged. That is ‘military-grade’ in the literal sense: it survives field conditions.

But none of that is what most organisations mean when they say ‘security’.

Security is not about surviving a helicopter ride. It is about surviving people. Adversaries. Mistakes. Misconfigurations. Stolen credentials. Privilege escalation. Quiet lateral movement. Slow data exfiltration. Ransomware that spreads faster than your incident response process.

So ‘military-grade security’ usually signals the wrong axis of quality. It is ruggedness theatre. It borrows authority from somewhere else.

If you want a phrase that does real work, replace it with three questions:

  • Which standard? Name it. Not ‘best practice’, not ‘bank-level’, not ‘enterprise-ready’. A real standard, with a scope.
  • What scope? Whole product or one feature? Default config or a hardened deployment that nobody actually runs?
  • Where is the evidence? Independent audit, test results, documented controls, public incident learnings, a track record of fixes.

Marketing wants you to trust the adjective. Practitioners need to trust the mechanism.

Rite in the Rain earns its claim because the failure mode is obvious: you drop it in water and you keep writing. Security claims should be just as testable. If they are not, ‘military-grade’ is not reassurance. It is fog.