Fat Isn’t Evil: It’s Essential

Picking up from where we left off last week — we’ve already dismantled the myths around protein and carbohydrates, now it’s time to put the final macronutrient into proper context.

In Week 3, we covered nutrient timing and why eating with intention matters. In Week 4, we cleared the air around carbs, showing they’re a necessary tool for fueling performance, not something to fear.

This week, we’re doing the same with fat, one of the most demonized and misunderstood components of the human diet.

Why This Matters:

Most people trying to ‘eat healthy’ unknowingly sabotage their energy, focus, and results by fearing fat. Understanding the truth lets you make smarter, less stressful choices in and out of the gym.

The Problem: Fat Got Blamed for What Sugar (and Sedentary Living) Did

The war on fat started in the 1970s and 80s, pushing people toward fat-free everything, from cookies to frozen dinners. What happened next?
• Obesity skyrocketed.
• Type 2 diabetes surged.
• People got sicker, not healthier.

Why? Because removing fat didn’t remove the problem. It just made food more processed, more sugary, and less satisfying.

Question:

Ever skip the avocado on your salad because you thought it was ‘too fattening’, then ended up hungry an hour later? Now, you’re beginning to pick up what I’m puttin’ down.

What Fat Actually Does in the Body

Fat isn’t the enemy. It’s a required nutrient for:
• Hormone production (testosterone, estrogen, cortisol)
• Brain health and cognition
• Joint lubrication and recovery
• Fat-soluble vitamin absorption (A, D, E, and K)
• Cellular structure (yes, your cells are literally built from it)

But here’s the key: fat is fuel for low-intensity output and recovery, not high-performance explosive training. That’s where carbs step in.

Quick Fat Facts:

• Unsaturated fats (olive oil, nuts, avocado, fatty fish) support heart and brain health.

• Saturated fats (animal fats, butter, coconut oil) are fine in moderation, especially from whole foods.

• Trans fats (partially hydrogenated oils) are in a different league; avoid them entirely. They wreak havoc on cholesterol and inflammation.

You need both fat and carbs, but at the right doses for the right goals.

Data Point:

Fat slows gastric emptying, helping you feel fuller for longer—a secret weapon against late-night snacking (British Journal of Nutrition, 2021).

Why “Healthy Fats” Doesn’t Mean “Unlimited Fats”

Yes, olive oil, avocado, nuts, and salmon are great, but overconsumption is still overconsumption.

Fat is energy-dense.
• 1 gram of fat = 9 calories
• That’s more than double protein or carbs (4 calories per gram)

So while you need it, you don’t need as much as you might think, especially if you’re already fueling with protein and carbs.

Most Common Fat Mistake:

Dousing salads, veggies, or “healthy” bowls with extra oil or nuts. Even good fats add up fast, so measure, don’t guess.

What This Looks Like in Practice

Swap:

Instead of fat-free salad dressing (loaded with sugar), use olive oil and vinegar for flavor, better absorption of nutrients, and longer-lasting energy.

Here’s how to build smart, balanced fat intake into your day:

• Add a thumb-sized portion of fat to your main meals (nuts, oil, nut butter, avocado)
• Don’t dump oil or butter onto every dish “for health”; it adds up fast
• Keep fats lighter pre-workout, so digestion doesn’t slow you down
• Post-workout, prioritize protein + carbs, not a heavy fat load
• Evening meals can include more fats to help slow digestion and promote satiety

You don’t need to avoid fat, you need to respect it.

Visual Analogy:

Think of fat as the steady-burning logs on a campfire versus using pine needles: the dry pine needles can get the fire going, but don’t last. The logs are for warmth that lasts all night.

Now that we’ve set the record straight, here’s how to use fat like an anti-hero: deliberately, strategically, and never just because the label says “healthy.”

Action Challenge

For the next 3 days:
• Track how much fat you’re eating (rough estimate is fine)
• Identify where it’s coming from (meals vs snacks vs sauces/oils)
• Adjust one meal per day to intentionally include a measured fat source (e.g., 1 tbsp olive oil, 1/4 avocado, or 10 almonds)

You’ll start to see how easily fat sneaks in and how powerful it can be when used deliberately.

Coach’s Corner

• Fat is a recovery nutrient, not a performance one.
• Don’t go to war with it, just don’t treat it like a free-for-all either.
• Balance is your ally. Fat has its place, use it like a tool, not a reward.

Suggested Reading

“Deep Nutrition” by Dr. Cate Shanahan
A sharp breakdown of how traditional diets used fats well, and how we can reclaim that without getting lost in the noise.

Real-World Headline:

In 2024, a major study published in JAMA found that replacing just 5% of calories from saturated to unsaturated fat was associated with a significant reduction in cardiovascular risk. (Source: JAMA, April 2024)

Science Insight:

Regular consumption of omega-3 fatty acids (found in fatty fish, chia, and flaxseed) is associated with improved heart health and reduced inflammation, according to the American Heart Association (2023).

Quick Fact:

Contrary to old myths, moderate whole-egg consumption does not increase heart disease risk for most people (Harvard School of Public Health, 2022).

Key Takeaway: Your hormones, brain, and cells are built from fats. Don’t fear them, but definitely manage them.

Key Anti-Hero Move: Use fat on your terms, not the food industry’s. Portion is power.

Empowerment Challenge:

What’s one fat source you’ll add back this week? Try it, track it, and notice the difference. Anti-heroes don’t just read, they act.

What’s Coming Next

You’ve now got a full picture of the big three macros, but how do you put them together? In Week 6, we’ll map out what a real-world performance meal looks like, and how to adjust it for your goals, whether that’s training, leaning out, or staying sharp at work.

In Defense of Carbs: Energy, Recovery, and the Science You Need

Most people fear carbs because they’ve been sold the idea that carbs equal fat gain. But for anyone who trains, thinks deeply, or recovers with intent, carbs aren’t optional; they’re essential.

This isn’t about eating gummy bears or Pop-Tarts and calling it “fuel.” It’s about understanding the physiological role of carbohydrates and using them to enhance output, mood, muscle retention, and recovery.

Let’s break it down.

1. Carbs = Performance

Glycogen (stored carbs) is your muscle’s preferred fuel during strength training, sparring, sprints, or any high-output effort. Without enough:

  • Strength drops
  • Endurance tanks
  • Motor control falters

Carbs refill that tank. Fewer reps and less intensity? That’s not a motivation problem; it might be a glycogen one. There’s a term known as “bonking” in a workout. To “bonk” in a workout is to reach the functional depletion of glycogen, brought on by exercise. In other words, it’s the condition in which your muscles run out of fuel, with profound effects on performance and well-being. And how do you avoid it? Adequate carbohydrate fueling for your level of performance.

Science Sidebar: When you eat carbs, insulin helps shuttle glucose into muscle cells to refill glycogen. This is why carbs matter most around activity, not when you’re sedentary. Research shows that athletes and active individuals who time carbs around exercise have better performance and recovery (Burke et al., 2011).

2. Carbs = Cognitive Clarity

Your brain runs on glucose. Low-carb fog is real. It shows up in several ways, such as decision fatigue, irritability, difficulty focusing, and a short attention span. Yes, ketones can serve as a backup fuel, but they’re not the most efficient during high-stress or high-focus days.

Carbs sharpen cognition, boost mood, and reduce stress response.

3. Carbs = Recovery and Muscle Retention

Carbs after training:

  • Restore depleted glycogen
  • Support protein synthesis
  • Lower post-training cortisol

They’re also “protein-sparing,” meaning your body doesn’t need to break down muscle for energy.

4. Carbs = Hormonal Stability

Low-carb diets for too long can suppress:

  • Thyroid output (especially T3)
  • Leptin (your satiety and metabolic rate signal)
  • Sleep quality and parasympathetic recovery

Especially for athletes, hard trainers, or people under high stress, this is a deal-breaker.

5. Carbs = Better Sleep

Moderate carbs in the evening:

  • Support serotonin → melatonin conversion
  • Lower cortisol
  • Help shift the body into parasympathetic mode.

Sleep: Carbs help lower cortisol levels and promote relaxation. Carbs also help raise serotonin, a neurotransmitter that supports relaxation and sleep. It’s one reason why a small carb snack before bed can improve sleep quality for some people. This is why low-carb diets can sometimes disrupt sleep.

Pro tip: Avoid eating after 8:00 PM. If you must have something, keep it light and digestible:

  • 1 banana
  • 1 scoop whey
  • 1 Fairlife 26g protein shake
  • Optional: 1 tbsp PB2

That’s ~350 kcal – just enough to support recovery without interrupting your sleep cycle.

The Real Issue Isn’t Carbs, It’s Unstructured Eating

People don’t “gain fat” from potatoes. They gain fat from:

  • Chronic snacking
  • Emotional eating
  • Under-fueling during the day and overeating at night

Carbs are fine; reactivity and randomness aren’t.

Coach’s Notes: Carb needs vary from person to person; listen to your body and adjust based on your activity, stress, and recovery.

  • Start with structure, not restriction.
  • Place carbs around output: morning, post-training, early dinner.
  • Observe how your sleep and recovery improve when you fuel with intention.

As silly as it may sound, a palm-sized portion of rice, potatoes, or fruit is a good place to start if you don’t want to count grams. Use your hand as a guide for portions.

Bonus tip: Carbs that are high in fiber, like fruit, potatoes, and whole grains, not only support performance, but also feed your gut microbiome, helping with digestion and immunity. And just in case you need a reminder, any fruit or vegetable is a carbohydrate source. Some are better than others, but the key is to eat the ones you like vs. trying to force yourself to eat anything you don’t like.

Suggested Reading:

Good Calories, Bad Calories – Gary Taubes
A well-researched, critical look at nutritional dogma and food myths, especially around carbs and fat.

Myth: Carbs make you fat. Truth: Excess calories, not carbs, drive weight gain.

Carbs don’t kill gains; they help sustain them. Used wisely, they improve output, cognition, mood, sleep, and recovery. However, as with any caloric intake, excess leads to consuming more calories than you burn, i.e., a caloric surplus = “weight gain.”

Action Challenge:

Track your carb intake for 3 days, but not just the grams. Track when and why you ate when you did:

  • Was it training-related?
  • Emotional?
  • Habitual?
  • Based on energy need?

Awareness creates clarity, and clarity can help drive consistency.

Next Week: You’ve dialed in protein and carbs. Now we’ll cover the most misunderstood macronutrient of all: fats.

How to use them for satiety, hormones, and cognitive support without overdoing it.

Does Nutrient Timing Matter? Yes, But Not the Way You Think

Stop obsessing over windows. Start building systems.

If you train hard, care about body composition, and want real-world energy, you’ve probably heard people say:

“You have to eat protein within 30 minutes of lifting.”
“Don’t eat carbs after 8 PM.”
“Fasting boosts growth hormone, just train fasted.”
“Breakfast is optional if your willpower is high enough.”

None of these is completely wrong, but none is 100% valid or effective for everyone, so don’t waste any mental space on them; focus on what’s been proven to work over decades.

Let’s cut through the BS.

The Truth About Nutrient Timing

Nutrient timing can matter, but it’s not the magic some claim, and it’s not completely useless like others claim.

It doesn’t override your daily totals. But it does influence:

  • How well you train.
  • How fast you recover.
  • How consistent your energy, mood, and hunger are.

Here’s the simplified hierarchy:

  1. Daily intake = most important
  2. Meal timing = performance lever
  3. Meal composition = precision tool
  4. Supplement timing = tiny bonus

Myth: If you miss the post-workout window, your workout is wasted.
Fact: Muscle protein synthesis remains elevated for hours; what matters most is your overall daily intake and rhythm.

Science Sidebar: Why does timing matter? Protein synthesis is elevated for several hours after training, so spacing protein throughout the day maximizes muscle repair. Carbohydrates around workouts help refill glycogen and lower stress hormones like cortisol.

What You Need to Know

1. Protein Timing

Protein intake is about distribution, not hitting a “window.”

Aim for:

  • 25–40g of protein per meal
  • Every 3–5 hours
  • Starting within 1–2 hours of waking
  • Ending within 2 hours post-training

Even distribution improves muscle protein synthesis, recovery, and satiety. Research shows that even protein distribution (every 3–5 hours) is linked to greater muscle protein synthesis and recovery (Areta et al., 2013).

2. Carbohydrate Timing

Carbs are fuel, especially around training.

Pre-workout: 30–60g (1–2 hours prior)
Post-workout: 30–60g + protein (within 1–2 hours)

This replenishes glycogen, blunts cortisol, and enhances recovery.
It’s not “dirty.” It’s just useful.

3. Fat Timing

Fat slows digestion. That’s helpful during the day but not ideal around training.

Keep fat moderate pre-workout. Go higher-fat during lower-carb meals later in the day.

Fat: It’s less about timing, more about portion. Eating a high-fat meal before training can slow digestion and make some people feel sluggish. Experiment with your pre-workout meals to find what feels best.

Generally: moderate fat at main meals, lower fat pre/post-workout.

Example Timing Strategy (Strength Training Day)

When I started having a balanced meal within 90 minutes of training, my recovery and afternoon energy noticeably improved.

  • 8:00 AM: 3 eggs, oats, berries (protein + carbs + fat)
  • 12:00 PM: Chicken, veggies, avocado (protein + carbs + fat)
  • 3:00 PM: Pre-workout shake: 1 scoop whey + 50g carbs from a fruit source
  • 5:00 PM: Train
  • 6:30 PM: Post-workout, beef and sweet potato + Kerrygold butter (protein + carbs + fat)
  • 7:30/8:00 PM: Greek yogurt + whey or casein and a handful of nuts

Total protein: ~180-200g
Balanced carbs, front-loaded around training
Fats used to stabilize energy later

Action Challenge:

Pick one meal to move closer to your training time and one post-workout meal to optimize.

Your goal:

  • Protein: 30g
  • Carbs: 30–50g
  • Minimal fat
  • Eaten within 1–2 hours of finishing your workout

Coach’s Corner:

  • Don’t try to “hack” your metabolism with clever meal timing.
  • Build rhythm that supports your output.
  • Use timing to reduce stress, not increase it.

Suggested Reading:

“Nutrient Timing: The Future of Sports Nutrition” by Ivy & Portman
A classic foundation on how timing influences performance and recovery. A bit dated, but still useful.

Key Takeaway:

Nutrient timing isn’t magic; it’s just another way to support what matters most: consistency and recovery.

Timing isn’t a rulebook. It’s a framework. Daily totals matter most, but if you train hard, timing helps you show up stronger, recover faster, and stay more consistent.

Next Week: The Carbohydrate Question

Once your daily intake is dialed in and you start thinking about timing, the next question always comes up:

“Do carbs still matter? Or should I be avoiding them?”

That’s where we’re headed next. In Week 4, we’ll break down the truth about carbs. Not hype. Not fear. Just what they actually do, and how to use them to train, recover, and function better in daily life.

Zen and the Art of AWS Security Domain 4: Identity and Access Management | Controlling Access Without Losing Control

There is a principle taught early in martial disciplines:

“Position determines outcome long before the strike is thrown or submission is attempted.”

Identity and Access Management (IAM) is that principle made concrete in AWS.

Most breaches do not begin with sophisticated exploits. They begin with credentials that worked exactly as designed.

An over-permissive role. A forgotten trust relationship. A policy that was “temporary” and became permanent. For example, the 2019 Capital One breach was enabled by overly permissive roles and misconfigured permissions, allowing an attacker to move laterally and access sensitive data.

This is why Domain 4 carries the highest exam weight. Not because IAM is complicated, but because everything else depends on it.

If identity boundaries fail, encryption doesn’t matter. If access is wrong, detection only tells you what already happened. If trust is misplaced, infrastructure becomes irrelevant.

IAM is not about users. It’s about control.

And control, done well, is quiet.

1. AWS’s Philosophy of Identity

AWS operates on a core assumption:

Every request is an identity problem before it is a security problem.

There is no implicit trust. There is no “inside the network.”
There is only:

• Who is making the request
• What they are allowed to do
• Under what conditions

IAM exists to answer those questions every single time, without exception. The exam tests whether you understand this philosophy, not whether you can recite practice exam answers.

2. The IAM Mental Model (This Wins Exams)

Think of IAM as four concentric controls, not a flat permission system:

  1. Authentication — Who are you?
  2. Authorization — What are you allowed to do?
  3. Boundaries — What can never be exceeded?
  4. Conditions — Under what circumstances is access allowed?

If you read exam questions through this lens, the “best” answer becomes obvious.

3. Core IAM Building Blocks (Exam-Critical)

IAM Users and Legacy by Design

IAM users represent long-lived human identities.

AWS exam posture:
• Avoid when possible
• Prefer federation
• If used → MFA required

Exam takeaway: If the question involves humans, AWS prefers federated access, not IAM users.

IAM Roles Are The Center of Gravity

Roles are temporary, assumable identities.

They are used for:
• AWS services accessing AWS services
• Cross-account access
• Federated users
• Least-privilege design

Roles eliminate long-lived credentials.

Exam mental model: If access is temporary, automated, or cross-account → IAM Role.

Policies — Permissions, Not People

Policies define what can be done.

Three types matter on the exam:
• Identity-based policies
• Resource-based policies
• Permission boundaries

AWS evaluates permissions as:

Explicit deny → Allow → Default deny

No exceptions.

Exam trap: More permissions is never the right answer. More precise permissions always are.

Permission Boundaries: Where’s the Ceiling?

Boundaries define the maximum possible permissions, regardless of attached policies.

Used heavily in:
• Delegated administration
• CI/CD pipelines
• Guardrails for developers

Exam mental model: If the question mentions “limit what a role could ever do” → Permission Boundary.

Service Control Policies (SCPs): The Absolute Wall

SCPs operate at the AWS Organizations level.

They do not grant access. They only restrict.

If an SCP denies an action, nothing below it can override that denial.

Exam mental model: If the question involves organizational guardrails → SCPs.
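The evaluation order above, and the ceiling that permission boundaries and SCPs place on it, shown as an added example (not code from the original post or from AWS). It is a simplified single-account model; `evaluate`, the sample policies, and the account ID are constructed for illustration.

```python
"""Simplified model of IAM policy evaluation for one principal in one account.

Not modelled: resource-based and session policies, Condition blocks,
NotAction/NotResource, and the per-level SCP hierarchy of AWS Organizations.
"""
from fnmatch import fnmatchcase


def as_list(value):
    return value if isinstance(value, list) else [value]


def statement_matches(statement, action, resource):
    """True when the statement's Action and Resource patterns cover the request."""
    # IAM action names are case-insensitive; '*' and '?' act as wildcards.
    action_hit = any(fnmatchcase(action.lower(), pattern.lower())
                     for pattern in as_list(statement["Action"]))
    resource_hit = any(fnmatchcase(resource, pattern)
                       for pattern in as_list(statement["Resource"]))
    return action_hit and resource_hit


def matching_effects(policies, action, resource):
    """Effects ('Allow'/'Deny') of every statement that matches the request."""
    return {statement["Effect"]
            for policy in policies
            for statement in as_list(policy["Statement"])
            if statement_matches(statement, action, resource)}


def evaluate(action, resource, identity_policies, boundary=None, scps=None):
    """Return (decision, reason) for one request."""
    layers = [("SCP", scps),
              ("permission boundary", [boundary] if boundary else None),
              ("identity policy", identity_policies)]
    present = [(name, policies) for name, policies in layers if policies is not None]

    # Step 1: an explicit Deny in any layer ends evaluation.
    for name, policies in present:
        if "Deny" in matching_effects(policies, action, resource):
            return "Deny", f"explicit deny in {name}"

    # Step 2: every layer that exists must contain a matching Allow.
    # SCPs and boundaries grant nothing themselves; they only cap the result.
    for name, policies in present:
        if "Allow" not in matching_effects(policies, action, resource):
            return "Deny", f"default deny: no allow in {name}"

    return "Allow", "allowed by every layer"


# Constructed sample policies (not taken from any real account).
ADMIN_IDENTITY = [{"Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}]
DEV_BOUNDARY = {"Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "dynamodb:*"], "Resource": "*"}]}
ORG_SCPS = [{"Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "cloudtrail:StopLogging", "Resource": "*"}]}]

if __name__ == "__main__":
    requests = [
        ("s3:GetObject", "arn:aws:s3:::app-bucket/report.csv"),
        ("iam:CreateUser", "arn:aws:iam::111111111111:user/new"),
        ("cloudtrail:StopLogging",
         "arn:aws:cloudtrail:eu-west-1:111111111111:trail/main"),
    ]
    for action, resource in requests:
        print(action, evaluate(action, resource, ADMIN_IDENTITY, DEV_BOUNDARY, ORG_SCPS))
```

Even with an administrator-style identity policy attached, the boundary blocks `iam:CreateUser` and the SCP blocks `cloudtrail:StopLogging`; only the S3 read passes all three layers.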

4. Federation: AWS’s Preferred Human Access Model

AWS strongly prefers identity federation:

• SAML 2.0
• OIDC
• IAM Identity Center (SSO)

Benefits:
• Centralized identity lifecycle
• No long-lived AWS credentials
• Enforced MFA
• Conditional access

Exam signal phrases:
• “Corporate directory”
• “Single sign-on”
• “Temporary access”
• “Centralized identity”

All roads lead to federation + roles.

5. Conditions: Context Is Control

IAM Conditions are where AWS becomes surgical.

Common exam-tested conditions:
• Source IP
• MFA present
• Time of day
• AWS service
• Resource tags
• Requested region

Conditions turn identity into context-aware control.

Exam takeaway: If the question asks for fine-grained control without complexity, the answer is conditions.
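How conditions such as MFA present, source IP, and requested region are matched against a request, as an added example (not from the original post or AWS's own code). It models a subset of condition operators and shows why a `Deny` written with `Bool` on `aws:MultiFactorAuthPresent` does not cover requests where that key is absent, while `BoolIfExists` does; the CIDR ranges, regions, and request contexts are constructed.

```python
"""Evaluate IAM Condition blocks against a request context (simplified)."""
import ipaddress


def as_list(value):
    return value if isinstance(value, list) else [value]


def bool_equals(actual, wanted):
    return str(actual).lower() == str(wanted).lower()


def string_equals(actual, wanted):
    return actual == wanted


def ip_in_cidr(actual, cidr):
    return ipaddress.ip_address(actual) in ipaddress.ip_network(cidr)


# operator name -> (matcher, negated); a subset of IAM's condition operators
OPERATORS = {
    "Bool": (bool_equals, False),
    "StringEquals": (string_equals, False),
    "StringNotEquals": (string_equals, True),
    "IpAddress": (ip_in_cidr, False),
    "NotIpAddress": (ip_in_cidr, True),
}


def condition_matches(condition, context):
    """True when every operator/key pair in the Condition block is satisfied."""
    for operator, keys in condition.items():
        if_exists = operator.endswith("IfExists")
        base = operator[:-len("IfExists")] if if_exists else operator
        matcher, negated = OPERATORS[base]
        for key, wanted in keys.items():
            if key not in context:
                # Absent key: a positive operator fails; a negated operator
                # or an ...IfExists variant is treated as satisfied.
                if negated or if_exists:
                    continue
                return False
            hit = any(matcher(context[key], value) for value in as_list(wanted))
            if hit == negated:  # positive needs a hit, negated needs none
                return False
    return True


def deny_applies(statement, context):
    """True when a Deny statement's conditions hold for this request."""
    return statement["Effect"] == "Deny" and condition_matches(
        statement.get("Condition", {}), context)


def deny(condition):
    return {"Effect": "Deny", "Action": "*", "Resource": "*", "Condition": condition}


# Constructed guardrail statements.
WEAK_MFA_DENY = deny({"Bool": {"aws:MultiFactorAuthPresent": "false"}})
STRICT_MFA_DENY = deny({"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}})
OFF_NETWORK_DENY = deny(
    {"NotIpAddress": {"aws:SourceIp": ["203.0.113.0/24", "192.0.2.0/24"]}})
REGION_DENY = deny(
    {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}})

# Constructed request contexts.
MFA_SESSION = {"aws:MultiFactorAuthPresent": "true",
               "aws:SourceIp": "203.0.113.10", "aws:RequestedRegion": "eu-west-1"}
NO_MFA_SESSION = {"aws:MultiFactorAuthPresent": "false",
                  "aws:SourceIp": "198.51.100.7", "aws:RequestedRegion": "us-east-1"}
# Long-term access key: the MFA key is not in the request context at all.
ACCESS_KEY = {"aws:SourceIp": "203.0.113.10", "aws:RequestedRegion": "eu-west-1"}

if __name__ == "__main__":
    for name, ctx in [("mfa", MFA_SESSION), ("no-mfa", NO_MFA_SESSION),
                      ("access-key", ACCESS_KEY)]:
        print(name, "weak:", deny_applies(WEAK_MFA_DENY, ctx),
              "strict:", deny_applies(STRICT_MFA_DENY, ctx))
```

When reviewing MFA guardrails, check which operator the `Deny` uses: the `Bool` form lets the access-key request through, which is the gap the `BoolIfExists` form closes.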

6. Cross-Account Access (High-Frequency Exam Topic)

AWS expects you to design for multiple accounts.

Correct pattern:
• Role in target account
• Trust policy allows the source account
• Least-privilege permissions
• Optional external ID (third-party access)

Never share credentials across accounts.

Exam mental model: Cross-account always equals assume role, never IAM users.
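A review check for the cross-account pattern above, as an added example (not from the original post): it audits a role's trust policy for wildcard principals, accounts outside a known list, and third-party principals that lack an `sts:ExternalId` condition. The account IDs, role names, and finding labels are constructed, and only `StringEquals` conditions on `sts:AssumeRole` statements are inspected.

```python
"""Audit role trust policies for the cross-account pattern (simplified)."""
import re

PRINCIPAL_ARN = re.compile(r"arn:aws:iam::(\d{12}):(?:root|role/.+|user/.+)")


def as_list(value):
    return value if isinstance(value, list) else [value]


def aws_principals(statement):
    """Return (account_ids, wildcard) for the AWS principals of a statement."""
    principal = statement.get("Principal", {})
    if principal == "*":
        return set(), True
    accounts, wildcard = set(), False
    for value in as_list(principal.get("AWS", [])):
        arn = PRINCIPAL_ARN.fullmatch(value)
        if value == "*":
            wildcard = True
        elif re.fullmatch(r"\d{12}", value):   # bare account ID form
            accounts.add(value)
        elif arn:
            accounts.add(arn.group(1))
    return accounts, wildcard


def audit_trust_policy(policy, own_accounts, third_party_accounts):
    """Return a list of findings for the sts:AssumeRole statements in a trust policy."""
    findings = []
    for statement in as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(statement.get("Action", [])):
            continue
        accounts, wildcard = aws_principals(statement)
        condition = statement.get("Condition", {})
        has_external_id = "sts:ExternalId" in condition.get("StringEquals", {})
        if wildcard:
            findings.append("wildcard-principal")
        for account in sorted(accounts):
            if account in third_party_accounts:
                # Third-party access should be pinned with an external ID.
                if not has_external_id:
                    findings.append(f"third-party-without-external-id:{account}")
            elif account not in own_accounts:
                findings.append(f"unknown-account:{account}")
    return findings


def trust(principal, condition=None):
    """Build a constructed one-statement trust policy."""
    statement = {"Effect": "Allow", "Action": "sts:AssumeRole", "Principal": principal}
    if condition:
        statement["Condition"] = condition
    return {"Version": "2012-10-17", "Statement": [statement]}


# Constructed inventory: our own accounts and an approved vendor account.
OWN = {"111111111111"}
VENDORS = {"222222222222"}

INTERNAL_OK = trust({"AWS": "arn:aws:iam::111111111111:role/ci-deployer"})
VENDOR_BAD = trust({"AWS": "arn:aws:iam::222222222222:root"})
VENDOR_OK = trust({"AWS": "arn:aws:iam::222222222222:root"},
                  {"StringEquals": {"sts:ExternalId": "constructed-external-id"}})
ANYONE = trust({"AWS": "*"})
STRANGER = trust({"AWS": "999999999999"})

if __name__ == "__main__":
    for name, policy in [("internal", INTERNAL_OK), ("vendor-bad", VENDOR_BAD),
                         ("vendor-ok", VENDOR_OK), ("anyone", ANYONE),
                         ("stranger", STRANGER)]:
        print(name, audit_trust_policy(policy, OWN, VENDORS))
```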

7. Detection & IAM (Where Domains Interlock)

IAM does not exist in isolation.

Best-practice IAM designs integrate with:
• CloudTrail (every API call)
• Access Analyzer (policy exposure)
• GuardDuty (anomalous behavior)

Exam insight: Strong IAM assumes monitoring, not trust.

8. The Human Parallel: Trust Without Naivety

In martial training, trust is earned through repetition, not assumption.

You trust:
• Position
• Distance
• Timing

Not hope. Hope is not a strategy. IAM operates the same way.

Social engineering succeeds when identity systems assume intent. AWS IAM succeeds because it assumes nothing.

Every action is verified.
Every permission is scoped.
Every boundary is enforced.
Every one is checked and then double-checked.

9. Exam Patterns That Matter

If you remember nothing else, remember this:

Humans → Federation
Services → Roles
Limits → Boundaries / SCPs
Temporary → AssumeRole
Fine control → Conditions
Cross-account → Trust policies

AWS rewards restraint.

NIST CSF and CIS Controls both emphasize least privilege, role-based access, and periodic permission review as foundational security practices.

10. Closing: The Quiet Discipline of Identity

IAM is not exciting.
It doesn’t feel dynamic.
It doesn’t make dashboards light up.

But it is the decisive domain.

When identity is right:
• Breaches are smaller
• Incidents are quieter
• Recovery is faster
• Governance becomes natural

On the exam and in the real world, IAM rewards deliberate action, not aggressive decision-making. Security without pessimism continues here. Not by adding power but by placing it exactly where it belongs.

In AWS, as in martial arts, the quietest sentinel is often the hardest to defeat.

The Art of Cyberwar | Part XIII | The Use of Spies

The principles:

“Knowledge of the enemy’s dispositions can only be obtained from other men.”

“However, spies cannot be usefully employed without a certain intuitive sagacity.”

“Be subtle and use your spies for every kind of business.”

“Hence, it is only the enlightened ruler and the wise general who will use the highest intelligence of the army for purposes of spying, and thereby they achieve great results.”

The Quiet After the Fire

After the smoke clears, the last weapon isn’t destruction; it’s knowledge. Sun Tzu closes his book here, not with conquest, but with insight. The general who knows through others, he says, wins without fighting. The one who fights without knowing spends blood buying what wisdom could have earned.

In modern form, intelligence replaces escalation. Information, verified and interpreted, is the ultimate force multiplier.

The Five Spies

Sun Tzu’s framework remains elegant and practical. He identifies five types of spies, each still alive and well in today’s cyber and geopolitical landscape.

  1. Local spies – insiders, collaborators, citizens.
    • Modern analogue: human intelligence, insider threat programs, whistleblowers, or local analysts embedded in culture.
    • Lesson: you can’t know an environment without someone who breathes its air.
  2. Inward spies – the enemy’s own people who provide insight.
    • Modern analogue: defectors, double agents, internal whistleblowers, or compromised insiders in adversary organizations.
    • In cyber: infiltration of adversary forums, threat actor telemetry, or behavioral analysis of attacker TTPs.
  3. Converted spies – enemy agents who have been turned.
    • Modern analogue: captured malware turned into indicators, enemy disinformation repurposed for exposure.
    • Intelligence and counterintelligence merge – data becomes self-revealing.
  4. Doomed spies – agents sent with false information, knowing they will be sacrificed.
    • Modern analogue: honeypots, decoy networks, misinformation campaigns used to draw out adversaries.
    • Lesson: deception has cost; calculate it.
  5. Surviving spies – those who return with verified knowledge.
    • Modern analogue: analysts who gather, vet, and integrate multiple data sources to produce actual intelligence.
    • Lesson: data isn’t knowledge until it’s interpreted and fed back into strategy.

The five together form a complete intelligence loop: gather, plant, deceive, sacrifice, verify.
Today, we refer to this as the intelligence cycle.

Information as the New Espionage

We live in an age where everything and everyone collects or steals your data. Apps harvest movement. Sensors record temperature and tone. Governments build databases so vast they blur into prophecy.

But the principle hasn’t changed: intelligence is not about having information – it’s about understanding what matters and when.

A terabyte of telemetry means nothing without discernment. One well-placed attacker can outperform a thousand firewalls.

Foreign Policy and the Failure of Insight

Throughout the 20th century, U.S. foreign policy often suffered from an abundance of information but a lack of ability to interpret the intelligence it had gathered.

  • Pearl Harbor: a multitude of signals existed, but interpretation failed.
  • Vietnam: metrics replaced meaning – body counts masquerading as progress.
  • Iraq WMDs: intelligence distorted to paint a specific picture rather than inform decision-making.
  • Afghanistan: decades of data existed without a clear endgame; the war destroyed thousands of American lives and wasted trillions of taxpayers’ dollars.

Each case proves Sun Tzu’s point: “If you know neither the enemy nor yourself, you will succumb in every battle.”

Intelligence was there, but self-awareness wasn’t. Knowing isn’t only about them; it’s about seeing what you refuse to see in yourself.

Cyber Intelligence: Seeing Without Touching

In cybersecurity, the “spies” are telemetry, sensors, analysts, and sometimes friendly adversaries.
Every alert, log, and anomaly is a scout’s report. But like all intelligence, its value depends on interpretation.

  • Local spies: internal logs and behavior analytics.
  • Inward spies: penetration testing, red-team operations, insider threat programs.
  • Converted spies: captured malware and attacker infrastructure repurposed for defense.
  • Doomed spies: honeypots, deception networks, and fake data seeds.
  • Surviving spies: analysts, threat-hunters, and intel-sharing alliances.

The objective is clarity without exposure, to see everything while remaining unseen. Fire consumes, intelligence illuminates.

The Moral Dimension of Knowing

Intelligence work carries moral weight. Spies, human or digital, trade in trust. Sun Tzu demands that the general handle them with the highest regard: reward them generously, guard them carefully, and never waste them carelessly.

The ethical parallel today is privacy. The line between intelligence and intrusion is measured in intent and restraint. Knowledge gathered without purpose is voyeurism. Knowledge used without reflection is manipulation.

Sun Tzu’s ideal: learn enough to prevent war, not to justify one.

Strategic Lessons for Leaders

  1. Listen to your scouts.
    Truth often arrives quietly, wrapped in discomfort. Leaders who dismiss dissent lose foresight.
  2. Reward information honestly.
    Transparency and gratitude feed the flow of truth; fear and ego choke it.
  3. Centralize interpretation, not collection.
    Many sensors, one mind – unified analysis, decentralized data.
  4. Balance secrecy with accountability.
    Intelligence held too tightly becomes blindness.
  5. Use information to avoid fire.
    The goal of knowledge is to make destruction unnecessary.

From Fire to Silence

The transition from Attack by Fire to Use of Spies is the book’s moral hinge. After escalation comes discernment; after destruction, discipline.

Sun Tzu understood what modern states and corporations often forget: Force is crude, information is subtle – and subtlety wins the wars that power cannot.

In cybersecurity, this is the move from reaction to anticipation. In foreign policy, it’s the evolution from aggression to diplomacy. In leadership, it’s the shift from command to comprehension.

The best security posture isn’t dominance – it’s awareness. The most powerful army is one that rarely fights.

Epilogue — The Quiet Art

The Art of War ends not with blood or banners, but with silence, a stillness that comes from mastery.

True security, like true wisdom, is invisible.
It doesn’t announce itself.
It doesn’t need to.

When you know yourself and your adversary, every threat is already half-dissolved. When you act only when necessary, victory becomes maintenance rather than spectacle. And when you can learn from what moves unseen, you stop fighting the same battles over and over again.

As Operation Aurora, a sophisticated cyber espionage campaign that quietly infiltrated major tech companies, proved, the side with better intelligence rarely needs to escalate; quiet knowledge can outmaneuver brute force.

That is the final lesson of Sun Tzu, and of cyberwar:
Not destruction, but understanding.
Not conquest, but control of your own attention.
Not escalation, but insight.

Not noise, but silence.

The art is not in the fight, but in the knowing. Return always to the principle: “Knowledge of the enemy’s dispositions can only be obtained from other men.”

And, in the end, mastery is realizing you rarely need to fight at all.

How Much Protein Do You Actually Need?

Forget hype. Here’s what science and results actually say.

Protein is the most misunderstood macronutrient in nutrition. It’s essential for more than just muscles or fitness; protein underpins your energy, brain function, and long-term health.
Most people fall into one of two groups:

  • Under-eaters, living off snacks, smoothies, and “light” meals.
  • Over-obsessors, hitting 300 grams a day and still thinking it’s not enough.

Both miss the point.

The goal isn’t to chase numbers; it’s to consistently eat enough to support muscle, recovery, cognition, and metabolic health.

Let’s walk through what actually matters and help you stop guessing.

The Real Job of Protein

Protein isn’t a magic fat burner. It’s not a cheat code. It’s a raw material, and your body needs it daily for:

  • Muscle repair and growth
  • Tendon and ligament recovery
  • Immune system function
  • Neurotransmitter production
  • Skin, hair, and tissue health

No fad diet, cleanse, or cutting phase changes that. Protein is required every day, not just “on training days.”

Think of protein as the bricks and mTOR as the foreman. Without enough bricks, the foreman can’t build or repair anything.

Trust “The Science”: Protein activates a pathway called mTOR, which acts as your body’s ‘growth command center.’ When you eat enough protein, mTOR signals your cells to repair, build muscle, and recover efficiently. Skimp on protein, and that signal never fires at full strength.

Multiple studies show that eating 25–40g of protein per meal maximizes muscle protein synthesis in adults (Morton et al., 2018). People who consistently meet their protein needs tend to retain more muscle as they age and recover faster from injuries.

Myth-busting:

Myth: “Too much protein will damage your kidneys.”

Reality: For healthy people, there’s no evidence that moderate-to-high protein intake harms kidney health. (See: National Kidney Foundation, 2017)

How Much Protein You Actually Need

Here’s what current science says, without the influencer fluff:

  • Sedentary: 0.6 – 0.8 g/lb
  • General Training: 0.8 – 1.0 g/lb
  • Strength / Hypertrophy: 1.0 – 1.2 g/lb
  • Cutting / Deficit: 1.2 – 1.4 g/lb

All ranges above are based on your target body weight, not your current weight, and definitely not your high school dream-physique weight. If you’re 180-200 pounds and lifting 3–5x/week, your target likely falls around 180–200g/day — not 300g+ and not 80g from “lean” meals and vibes. Now, depending on how much intensity you’re cranking up, you’ll have an additional need for carbohydrates, not protein.

Practical Ways to Hit Your Target

Protein isn’t just chicken breast and powder. Here’s what works for me and examples of how I actually hit my numbers every day without burning out:

Solid protein sources (per serving):

  • Chicken, turkey, smoked salmon, tuna, shrimp, beef, eggs
  • Greek yogurt, cottage cheese
  • Whey, casein, or egg white protein (smartly used, not overused)
  • Protein-forward meal replacements (e.g., a “complete” protein shake, a FairLife, RX bars, jerky only when needed/planned)

Underrated strategies:

  • Aim for 25–50g of protein per meal, instead of grazing on 10g snacks. A palm-sized portion of chicken, tofu, or fish is usually around 25g of protein—use your hand as a guide if you don’t want to count.
  • Don’t rely on just dinner to “catch up”
  • Use high-protein staples to plug into busy days (e.g. 8 oz chicken = ~50g, two scoops whey = 21-25g, ½ cup of yogurt + ½ cup of cottage cheese + 1 cup of fruit of your choice)

You don’t need a perfect plan. You need a repeatable system. A “protein-first” mindset simplifies the rest of your day.

Week Two Action Challenge:

Pick 3 protein staples that match your schedule and eat them for the next 3 days.

  • These should give you 30–40g per meal.
  • Rotate them between breakfast, lunch, dinner, or post-training
  • Make it frictionless, not fancy.

The goal: clarity, consistency, and a structure that supports your real life.

Protein isn’t just for athletes; it’s for everyone who wants to stay strong, energized, and resilient for life. Just like with your habits, it’s about building a system that makes the right choice automatic.

Coach’s Corner:

  • Protein is the most forgiving macro, but only if you get enough.
  • Hit your baseline. Track it once, then automate it.
  • Build around meals, not snacks.

Suggested Reading:

“The Protein Book” by Lyle McDonald
Dense, thorough, science-backed, and extremely useful for athletes or serious lifters.

Key Takeaway:

Protein isn’t about hitting a magic number; it’s about consistently meeting your needs so you can reach your life and training goals, whatever those are.

Once you get it right, energy balance improves, recovery speeds up, and hunger stabilizes.

Everything else becomes easier.

That’s all for this week. Let me know if this helps!

Zen and the Art of AWS Security Domain 3: Infrastructure Security | Choosing and Holding the Right Ground

There’s an old principle in strategy that applies as cleanly to cloud architecture as it does to combat: “The battle is often decided before the first move is made.”

In AWS, that decision is infrastructure security. Not firewalls alone. Not encryption alone. Not identity alone.

Infrastructure security is about where you place systems, how they connect, and what paths are intentionally left open, or closed, long before an attacker arrives.

If Detection is awareness, and Incident Response is discipline, then Infrastructure Security is terrain. And AWS cares deeply about terrain.

1. AWS’s Philosophy of Infrastructure Security

AWS assumes three things that shape every exam question in this domain:

  1. Networks are software-defined, not physical perimeters
  2. Segmentation beats fortification
  3. Blast radius matters more than absolute prevention

This is why AWS infrastructure security is built around:

  • isolation
  • segmentation
  • least connectivity
  • explicit network paths
  • and controlled exposure

If an answer choice tries to “lock everything down globally,” it’s usually wrong. AWS prefers intentional exposure over accidental openness.

2. The Core Infrastructure Security Pillars

Infrastructure security questions almost always reduce to one (or more) of these pillars:

  1. Network isolation
  2. Traffic control
  3. Private connectivity
  4. Service exposure boundaries
  5. DDoS resilience

If you can identify which pillar is being tested, the correct answer becomes obvious.

3. VPC Design: Isolation Is the Default

At the heart of AWS infrastructure security is the VPC.

Exam truth: If a resource doesn’t need to be public, it shouldn’t be.

High-yield concepts:

  • Private subnets for most workloads
  • Public subnets only for controlled ingress/egress
  • NAT Gateways for outbound-only access
  • No direct internet exposure—ever—unless required

Exam mental model: Public access is a deliberate exception, not the baseline.

4. Security Groups vs. NACLs – This Still Trips People Up

AWS loves testing this distinction.

Security Groups

  • Stateful
  • Instance-level
  • Allow rules only
  • Primary enforcement point

Network ACLs

  • Stateless
  • Subnet-level
  • Allow and deny rules
  • Coarse-grained control

Exam shortcut: If the question is about precise control, use Security Groups. If it’s about broad subnet filtering, use NACLs. If both appear as options, AWS usually wants Security Groups.
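The stateful/stateless difference is easiest to see on return traffic. The following is an added example, not AWS code: a simplified model of both filters in which the class names, rule tuples and sample addresses are all constructed for illustration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

    def reply(self):
        """The return packet of this flow (addresses and ports swapped)."""
        return Packet(self.dst, self.dport, self.src, self.sport)


def _covers(cidr, lo, hi, peer, port):
    return ip_address(peer) in ip_network(cidr) and lo <= port <= hi


@dataclass
class SecurityGroup:
    """Simplified model: stateful, allow rules only, each (cidr, from_port, to_port)."""
    ingress: list
    egress: list = field(default_factory=list)
    tracked: set = field(default_factory=set)

    def inbound(self, p):
        if p.reply() in self.tracked:          # reply to a flow the instance opened
            return True
        if any(_covers(c, lo, hi, p.src, p.dport) for c, lo, hi in self.ingress):
            self.tracked.add(p)                # remember the flow so its reply passes
            return True
        return False                           # nothing matched: there is no deny rule to write

    def outbound(self, p):
        if p.reply() in self.tracked:          # reply to an inbound flow that was allowed
            return True
        if any(_covers(c, lo, hi, p.dst, p.dport) for c, lo, hi in self.egress):
            self.tracked.add(p)
            return True
        return False


@dataclass
class NetworkAcl:
    """Simplified model: stateless, rules are (rule_no, cidr, from_port, to_port, action)."""
    inbound_rules: list
    outbound_rules: list = field(default_factory=list)

    @staticmethod
    def _evaluate(rules, peer, port):
        for _, cidr, lo, hi, action in sorted(rules, key=lambda r: r[0]):
            if _covers(cidr, lo, hi, peer, port):
                return action == "allow"       # lowest-numbered matching rule decides
        return False                           # implicit deny when no rule matches

    def inbound(self, p):
        return self._evaluate(self.inbound_rules, p.src, p.dport)

    def outbound(self, p):
        return self._evaluate(self.outbound_rules, p.dst, p.dport)


def round_trip(fw, request):
    """Return (request_allowed, reply_allowed) for one client request."""
    req_ok = fw.inbound(request)
    return req_ok, req_ok and fw.outbound(request.reply())


def demo():
    # Constructed traffic: a client in a documentation range calling HTTPS on a web host.
    req = Packet("203.0.113.10", 50000, "10.0.1.5", 443)
    https_in = (100, "0.0.0.0/0", 443, 443, "allow")
    ephemeral_out = (100, "0.0.0.0/0", 1024, 65535, "allow")
    block_range = (90, "203.0.113.0/24", 0, 65535, "deny")
    return {
        "sg_ingress_only": round_trip(SecurityGroup(ingress=[("0.0.0.0/0", 443, 443)]), req),
        "nacl_inbound_only": round_trip(NetworkAcl([https_in]), req),
        "nacl_with_return_rule": round_trip(NetworkAcl([https_in], [ephemeral_out]), req),
        "nacl_deny_before_allow": round_trip(NetworkAcl([block_range, https_in], [ephemeral_out]), req),
    }


if __name__ == "__main__":
    for name, (request_ok, reply_ok) in demo().items():
        print(f"{name}: request={request_ok} reply={reply_ok}")
```

The security group answers the client with an ingress rule alone, while the NACL drops the reply until an outbound rule for the client's ephemeral port exists; the last case is the explicit deny that a security group cannot express.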

5. Controlling Traffic Paths, Not Just Blocking Traffic

Infrastructure security isn’t just about denial; it’s about routing intentionally.

Key services:

  • VPC Route Tables
  • Internet Gateways
  • NAT Gateways
  • VPC Endpoints (Gateway & Interface)

High-yield exam concept:

If AWS services should be accessed without traversing the internet, the answer is almost always: VPC Endpoints

This shows up constantly for:

  • S3
  • DynamoDB
  • KMS
  • Secrets Manager
  • Systems Manager

Mental model: Private traffic beats filtered public traffic every time.
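One way to audit the paths described in sections 3 and 5 is to read them straight out of the route tables. This is an added example, not code from AWS or from this series; the sample data is constructed in the shape of `aws ec2 describe-route-tables` output, and every ID in it is made up.

```python
DEFAULT_ROUTES = {"0.0.0.0/0", "::/0"}
LOCAL = {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}

# Constructed sample; IDs are placeholders, not real resources.
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-web", "Associations": [{"Main": False, "SubnetId": "subnet-web"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0example"}]},
    {"RouteTableId": "rtb-app", "Associations": [{"Main": False, "SubnetId": "subnet-app"}],
     "Routes": [LOCAL, {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0example"}]},
    {"RouteTableId": "rtb-db", "Associations": [{"Main": False, "SubnetId": "subnet-db"}],
     "Routes": [LOCAL, {"DestinationPrefixListId": "pl-0s3example", "GatewayId": "vpce-0example"}]},
]


def exposure(table):
    """Classify a route table by where its default route points."""
    kinds = set()
    for route in table["Routes"]:
        dest = route.get("DestinationCidrBlock") or route.get("DestinationIpv6CidrBlock")
        if dest not in DEFAULT_ROUTES:
            continue
        if route.get("GatewayId", "").startswith("igw-"):
            kinds.add("public")
        elif route.get("NatGatewayId") or route.get("EgressOnlyInternetGatewayId"):
            kinds.add("outbound-only")
        else:
            kinds.add("routed-elsewhere")      # e.g. transit gateway or appliance
    for kind in ("public", "outbound-only", "routed-elsewhere"):
        if kind in kinds:
            return kind
    return "isolated"                          # no default route at all


def gateway_endpoint_routes(table):
    """Prefix lists routed to a gateway endpoint (S3, DynamoDB).

    Interface endpoints (KMS, Secrets Manager, Systems Manager) are network
    interfaces, not routes, so they never appear here.
    """
    return [r["DestinationPrefixListId"] for r in table["Routes"]
            if r.get("DestinationPrefixListId") and r.get("GatewayId", "").startswith("vpce-")]


def audit(tables):
    """Return {subnet or main-table label: exposure, endpoints, findings}."""
    report = {}
    for table in tables:
        kind = exposure(table)
        endpoints = gateway_endpoint_routes(table)
        for assoc in table.get("Associations", []):
            findings = []
            if assoc.get("Main"):
                label = f"main:{table['RouteTableId']}"
                if kind == "public":
                    findings.append("main route table has an internet route: subnets "
                                    "without an explicit association become public")
            elif assoc.get("SubnetId"):
                label = assoc["SubnetId"]
            else:
                continue                       # edge (gateway) association, not a subnet
            if kind == "public":
                findings.append("default route to an internet gateway: confirm this "
                                "is a deliberate exception")
            if kind == "outbound-only" and not endpoints:
                findings.append("no gateway endpoint route: S3/DynamoDB traffic "
                                "leaves through the NAT gateway")
            report[label] = {"exposure": kind, "gateway_endpoints": endpoints,
                             "findings": findings}
    return report


if __name__ == "__main__":
    for label, row in audit(ROUTE_TABLES).items():
        print(label, row["exposure"], row["gateway_endpoints"], row["findings"])
```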

6. Load Balancing and Exposure Control

AWS does not expect you to expose instances directly.

Instead:

  • ALB for HTTP/HTTPS
  • NLB for high-performance TCP/UDP
  • Internal load balancers for private services

Exam rule:
If traffic needs inspection or TLS termination → ALB
If performance and static IPs matter → NLB

Direct instance exposure is almost always a wrong answer.

7. DDoS Protection: Built-In, Not Bolted On

AWS assumes you will be targeted.

Infrastructure security includes:

  • AWS Shield Standard (always on)
  • AWS Shield Advanced (for high-risk workloads)
  • CloudFront + WAF for edge protection

Exam pattern: If the question involves:

  • volumetric attacks
  • Layer 7 threats
  • global availability

The answer usually includes:
CloudFront
AWS WAF
Shield

Defense through scale is a core AWS advantage.

8. The Exam Patterns That Matter

Pattern #1 Reduce Blast Radius

Choose:

  • smaller subnets
  • separate VPCs
  • multiple accounts

Over:

  • one massive flat network

Pattern #2 Prefer Private Connectivity

VPC endpoints beat:

  • public endpoints
  • IP whitelisting
  • internet gateways

Pattern #3 Use Managed Services When Possible

AWS prefers:

  • managed load balancers
  • managed DDoS protection
  • managed routing

Less custom = less risk.

9. The Martial Parallel: Choosing the Ground

In strategy, you don’t fight everywhere.

You choose:

  • narrow paths
  • defensible positions
  • terrain that limits your opponent’s options

Infrastructure security does the same thing. A flat network invites chaos. A segmented network channels behavior. Attackers aren’t always stopped; they’re contained. And containment wins.

For example, a major breach in 2019 exploited a flat network without segmentation, allowing attackers to move laterally across dozens of workloads. Had strict subnetting and NACLs been in place, the impact would have been far smaller.

10. Closing: Architecture Is the First Defense

Infrastructure security is quiet.

When it’s done right:

  • nothing dramatic happens
  • nothing breaks
  • nothing escalates

But when it’s wrong, no amount of detection or response can save you.

AWS rewards architects who:

  • think in boundaries
  • design for failure
  • assume compromise
  • and limit consequences

CIS Control 13 and NIST CSF both emphasize network segmentation and limiting exposure as foundational security practices.

A frequent pitfall is relying solely on Security Groups for segmentation, especially in environments with compliance or subnet-level boundary requirements, and overlooking the value of NACLs for coarse-grained, subnet-level protection. In layered security, redundancy is a strength. And with the VPC Reachability Analyzer, AWS now makes it easier than ever to verify and audit your network paths.

As AWS’s Well-Architected Framework advises: “Apply security at all layers.” These principles echo patterns seen in AWS re:Invent security keynotes and in major cloud breach postmortems.

Security without pessimism continues here.

Not by building walls everywhere but by choosing the right ground and holding it calmly.

In AWS, as in strategy, victory belongs to those who shape the ground before the battle begins.

Remember, cloud security evolves quickly; architects who regularly review new AWS features and industry breach lessons maintain the sharpest edge. But for the exam, stay focused on what’s covered in the content outline provided by AWS for the exam. After you pass, you can ad lib. Until then, stay focused on the material that AWS expressly states is covered on the exam.

The Art of CyberWar | Part XII | Attack by Fire

The Principle: When you use fire to attack, you must be prepared for the wind.
— Sun Tzu

The Nature of Fire

Fire is decisive. It consumes, clears, and purifies, but it also spreads beyond intention. Sun Tzu treats fire as both a weapon and a warning. It can destroy an enemy’s stores, flush troops from cover, and sow panic, but he cautions that those who ignite must control the wind, or the flame will turn back.

In today’s language: escalation is easy, judicious control is hard.

Fire is unbridled energy without patience. It is force unbound. And every era finds its own version of it.

The Five Fires

Sun Tzu names five types of fire attack, each with a direct modern analogue:

  1. Burning soldiers in their camp – Disrupting people directly.
    • In cyber: targeting individual accounts, identity systems, or human processes.
    • In policy: attacking morale or legitimacy through propaganda or sanctions that hit civilians.
  2. Burning stores – Destroying logistics.
    • In cyber: supply-chain attacks, ransomware on infrastructure.
    • In statecraft: economic blockades or precision strikes on fuel, transport, or data centers.
  3. Burning baggage trains – Breaking the flow of resources.
    • In the cloud: DDoS, bandwidth throttling, or disrupting APIs that feed dependent systems.
    • In foreign policy: disrupting trade routes or financial systems to strangle supply.
  4. Burning arsenals and magazines – Targeting capability itself. A modern example: the 2014 Sony Pictures hack, in which wiper malware destroyed not only data but also the ability to operate, crippling the company’s digital arsenal and serving as a stark warning about escalation risk. Another hallmark example: Stuxnet (2010), which physically crippled Iranian centrifuges, showing that digital “fire” can leap into the physical world.
    • In digital: destroying code repositories, zero-day leaks, and wiper malware.
    • In war: targeting industrial bases, weapons stockpiles, or satellite networks.
  5. Burning the enemy’s army – Direct annihilation.
    • The catastrophic option, physical or digital scorched earth.

Each carries the same risk Sun Tzu warned of: heat spreads.

America’s Century of Fire
Throughout the 20th century, U.S. foreign policy repeatedly learned and forgot this lesson.

  • WWII: strategic firebombing of Tokyo and Dresden, the atomic bombings of Hiroshima and Nagasaki, tactically decisive, highly questionable morally.
  • Vietnam: napalm, Agent Orange – the war’s imagery consumed America’s moral capital as surely as the jungle burned. Devastating to the local population and our own troops.
  • Desert Storm & Shock and Awe: firepower became performance, televised precision, hiding the longer political firestorm and over-commitment of our resources to highly specious ends.
  • Sanctions & Cyber: modern equivalents – economic or informational fire meant to distract, mislead, or coerce without bullets, still spreading collateral damage.

Each use of fire achieved an objective, yet each left embers that smoldered for decades.

Sun Tzu would call that victory without wisdom.

Digital Flame

In cyberspace, fire is code that destroys. The world learned this with Stuxnet, NotPetya, WannaCry, and countless destructive campaigns. They burned quietly, jumped borders, and torched billions in collateral damage. WannaCry (2017) swept the globe in hours, crippling hospitals, shipping, and businesses—making clear that digital fires can cause humanitarian consequences.

Cloud fire spreads faster than any fuel; a single misconfigured credential can ignite an entire ecosystem. Because dependencies are invisible, contagion is immediate. A wiper designed for one network cripples dozens more; an exploit posted online becomes a global inferno in hours.

Fire is the easiest attack to ignite and the hardest to contain.

Rules for Using Fire

Sun Tzu’s cautions translate cleanly:

  1. Control the wind. Understand the environment – network topology, public opinion, and global law. Fire turns on those who don’t map their dependencies. NotPetya (2017) began as a targeted disruption but, due to dependencies and lack of containment, rapidly spread worldwide, demonstrating why “controlling the wind” remains critical in cyber conflict.
  2. Use the right conditions. Don’t ignite in drought. If tension is already high, socially and economically, the situation will escalate.
  3. Prepare relief efforts. Have recovery plans before striking. Burn only what you can rebuild. After World War II, the Marshall Plan rebuilt war-torn Europe, demonstrating that post-conflict relief shapes both legitimacy and future stability. In 2021, the Colonial Pipeline ransomware attack forced the rapid restoration of critical infrastructure; companies with effective recovery plans minimized chaos and reputational fallout.
  4. Know the cost of smoke. Collateral damage is visibility: reputational, legal, and diplomatic.
  5. Do not rely on fire to win the war. Fire wins battles but breeds resistance.

In short: destruction without reconstruction is self-immolation.

Morale, Leadership, and Control

A general’s job isn’t only to unleash power; it’s to sustain the will that wields it.
Fire exhausts armies. Soldiers fighting amid smoke need clear purpose, rations, and rest.

Sun Tzu demands that the commander ensure his troops are fed, disciplined, and respected so that they fight even in dire moments.

In modern organizations, the same holds: leaders who push teams through endless “incident fire drills” without rest destroy readiness. Respect sustains endurance.

Discipline without compassion breeds burnout; compassion without standards breeds chaos. Balance is command.

Deception, Propaganda, and Manufactured Heat

Every effective campaign uses perception. Propaganda creates the illusion of fire where there is none, or conceals weakness behind the smoke of strength. The ancient principle survives in every medium: shape belief, shape behavior.

  • States convince citizens of a constant threat: “War is peace. Freedom is slavery. Ignorance is strength,” and the historical manipulation line, “Who controls the past controls the future: who controls the present controls the past.”
  • Companies market vulnerability to sell security.
  • Attackers simulate breaches to force reactions.

Fire doesn’t only burn, it solidifies and blinds. The wise strategist uses deception to conserve energy, not to irreparably manipulate trust.

Never lose sight of this: truth is a finite resource. Burn it, and nothing grows afterward.

Fight Only When Necessary

War, Sun Tzu reminds us, is terrible. Mr. Lee added, “It is well that war is so terrible, or we should grow too fond of it.” That’s the heart of this chapter: the seduction of power. Fire feels decisive, satisfying, purgative. That’s why restraint is the highest discipline.

In cybersecurity, it means choosing containment over retaliation. In policy, it means diplomacy before bombing. In leadership, it implies correction before firing squads of blame.

Every unnecessary blaze consumes future strength.

Calculation Before Ignition

Fire is the last stage of calculation, not the first. The general who wins has already counted everything: fuel, wind, timing, morale, and escape.

In modern form:

  • Map dependencies before deploying destructive countermeasures.
  • Assess public and legal consequences.
  • Coordinate allies and containment plans.
  • Pre-position humanitarian or restoration resources.

Fire launched without calculation simply becomes arson.

Cybersecurity Playbooks for Fire Scenarios

1. Contain Destructive Malware (Wiper Fire)

  • Disconnect affected systems immediately.
  • Activate offline backups; rebuild from clean images.
  • Communicate fast; silence breeds rumor.
  • Forensics after containment, not before.

2. Respond to Supply-Chain Fire

  • Freeze code releases; verify signatures.
  • Segregate affected components; rotate secrets.
  • Coordinate public disclosure and patch windows.

3. Counter Disinformation Blaze

  • Pre-draft communications for false narratives.
  • Verify sources, issue simple factual statements.
  • Avoid panic amplification; don’t fuel the fire.

4. Plan for Strategic Retaliation

  • Establish legal oversight for counter-operations.
  • Define thresholds: attribution confidence, proportionality, and reversibility.
  • Keep diplomatic channels open even during the heat.

Fire is part of war, but the goal is to end fires faster than they spread.

Ethics and Aftermath

Fire makes headlines; rebuilding never does. Yet the moral credit of a nation, or a company, depends on what follows destruction: relief, restitution, and transparency, turning survival into legitimacy. The Marshall Plan after WWII showed that true victory is measured by the ability to restore and build anew, not just destroy. Sun Tzu closes this chapter by warning that a commander who burns recklessly endangers his own state.

That warning scales perfectly to global networks: a destructive exploit today may torch tomorrow’s allies.

Bridge to Chapter XIII | The Use of Spies

Once the fire burns out, what remains is smoke, which conceals movement. Which leads us back to our opening principle: “When you use fire to attack, you must be prepared for the wind.” Next: how to “see without burning” or, the art of intelligence, deception, and misdirection on the modern battlefield. (Think Operation Fortitude, the WWII deception that enabled D-Day by fooling the enemy without a shot being fired.) Sun Tzu ends his book not with force but with intelligence. He knew that knowledge prevents the need for fire in the first place.

“After the flames, gather information from the ashes.” The next and final lesson, The Use of Spies, is about seeing without burning, learning through observation, infiltration, and trust. Fire wins battles; intelligence prevents wars.

Zen and the Art of AWS Security Domain 2 | Incident Response | Moving Decisively Without Panic

There’s another saying in martial arts that belongs here:

“Precision is the byproduct of preparation.”

Most people imagine incident response as chaos, alarms blaring, dashboards lighting up, people scrambling to “do something.”
AWS sees it differently.

In AWS, incident response is not about reacting fast. It’s about responding correctly because the thinking has already been done.

This is why Incident Response is Domain 2 on the AWS Security Specialty exam.
Detection tells you something happened. Incident response determines whether that moment becomes a lesson…or a catastrophe.

If Detection is awareness, Incident Response is discipline.

1. AWS’s Philosophy of Incident Response

AWS assumes something most organizations don’t like to admit:

You will be breached.

Not because you failed, but because distributed systems, human behavior, and adversaries guarantee it eventually.

So AWS builds incident response around four principles:

  1. Prepare before you need to respond
  2. Automate wherever possible
  3. Contain first, investigate second
  4. Preserve evidence at all times

Case in Point: In 2020, an AWS customer discovered malware on an EC2 instance. Rather than terminating the instance immediately, they isolated it and used AWS Systems Manager to collect forensic data and take a snapshot for later analysis. This preserved critical evidence, helped identify the attack vector, and enabled a safe recovery. This demonstrates why AWS incident response stresses containment and evidence preservation over knee-jerk actions.

The exam does not reward heroics. It rewards process.

If an answer involves “quickly log in and manually fix things,” it’s usually wrong.

AWS prefers:

  • playbooks
  • isolation
  • snapshots
  • automation
  • reversible actions

Calm beats clever. Repeatable beats reactive.

2. The Incident Response Lifecycle (AWS’s Mental Model)

Every AWS incident response scenario maps to this flow:

  1. Detect
  2. Contain
  3. Investigate
  4. Eradicate
  5. Recover
  6. Improve

The exam often hides this structure inside long scenarios. Your job is to recognize which phase you’re in.

Most trick questions exist because candidates skip straight to step 4.

AWS almost never does.

3. High-Value AWS Services for Incident Response

This is not a list of tools; it’s a map of intent.

AWS Systems Manager | The Hands

Used for:

  • isolating EC2 instances
  • running commands safely
  • patching during response
  • gathering forensic data

Exam model:
If you need controlled access without SSH → Systems Manager.

Exam pattern callout: If the question asks about controlled access to EC2 without SSH or managing instances at scale, think Systems Manager.

One-line summary: Systems Manager gives you safe, auditable access, even when credentials are compromised.

AWS Lambda | The Reflex

Used for:

  • automated containment
  • GuardDuty-triggered responses
  • account-level actions

Exam model:
If the response must be immediate and automated → Lambda.

Exam pattern callout: If the scenario mentions automated containment or event-driven response, Lambda is your go-to.

One-line summary: Lambda lets you respond at machine speed, eliminating delays that attackers exploit.

Amazon S3 (with versioning & immutability) | The Evidence Locker

Used for:

  • forensic artifacts
  • logs
  • snapshots

Exam model:
If evidence integrity matters → S3 + versioning + encryption.

Exam pattern callout: If evidence integrity or chain of custody is a concern, S3 with versioning and encryption is the answer.

One-line summary: S3 is your evidence locker, versioned, encrypted, and built for forensic preservation.

EC2 Snapshots & AMIs | The Time Machine

Used for:

  • forensic analysis
  • rollback
  • investigation without touching live systems

Exam model:
If the instance is compromised → snapshot first, analyze later.

AWS IAM | The Circuit Breaker

Used for:

  • disabling credentials
  • rotating keys
  • applying SCPs during containment

Exam model:
If credentials may be compromised → reduce blast radius immediately.

Security Hub | The Command Table

Used for:

  • tracking response status
  • correlating findings
  • documenting remediation

Exam model:
Security Hub doesn’t respond; it coordinates.

Exam pattern callout: If the question asks about centralizing findings, orchestrating response, or tracking incident status, Security Hub is the answer.

One-line summary: Security Hub coordinates your response—ensuring nothing slips through the cracks.

4. Exam Patterns That Matter (This Is Where Points Are Won)

Pattern #1 | Containment Always Comes First

If the question asks:

“What should you do first?”

The answer is almost never “analyze.”

It’s:

  • isolate the resource
  • revoke credentials
  • stop data exfiltration

Pattern #2 | Do Not Destroy Evidence

Deleting instances, logs, or resources is almost always wrong.

AWS prefers:

  • snapshots
  • copies
  • forensic isolation

Pattern #3 | Automation > Manual Actions

If you see:

  • repeated incidents
  • time-sensitive threats
  • scale mentioned

Choose:
Event-driven automation
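Patterns #1 to #3 can be combined in a single Lambda function triggered by a GuardDuty finding. The sketch below is an added example, not AWS's or this series' own playbook; the quarantine security group ID is a placeholder, the `ir:` tag names are assumptions, and the EC2 client is passed in so the logic can be exercised with a stub.

```python
QUARANTINE_SG = "sg-0quarantineEXAMPLE"  # placeholder: a pre-created group with no rules


def instance_id_from_finding(event):
    """Pull the EC2 instance ID out of a GuardDuty finding delivered by EventBridge."""
    resource = event.get("detail", {}).get("resource", {})
    return resource.get("instanceDetails", {}).get("instanceId")


def contain_instance(ec2, instance_id, finding_id, quarantine_sg=QUARANTINE_SG):
    """Contain first, then preserve evidence. Never stops or terminates the instance."""
    inst = ec2.describe_instances(InstanceIds=[instance_id])["Reservations"][0]["Instances"][0]
    enis = {n["NetworkInterfaceId"]: [g["GroupId"] for g in n["Groups"]]
            for n in inst.get("NetworkInterfaces", [])}
    to_isolate = {eni: sgs for eni, sgs in enis.items() if sgs != [quarantine_sg]}
    if not to_isolate:
        # Repeat finding for a host already in quarantine: leave the rollback tags alone.
        return {"action": "already-contained", "instance": instance_id, "snapshots": []}

    # 1. Contain: move every interface, not only the primary one, to the quarantine
    #    group, and record the original groups so the step is reversible.
    #    Connections the old groups were already tracking can persist until they
    #    time out; a subnet-level NACL deny is the stateless complement.
    for eni, original in to_isolate.items():
        ec2.modify_network_interface_attribute(NetworkInterfaceId=eni, Groups=[quarantine_sg])
        ec2.create_tags(Resources=[eni],
                        Tags=[{"Key": "ir:original-sgs", "Value": " ".join(original)}])

    # 2. Preserve: snapshot each EBS volume. Snapshots capture disk only, so the
    #    instance is left running for memory collection (e.g. through Systems Manager).
    tags = [{"Key": "ir:finding", "Value": finding_id},
            {"Key": "ir:instance", "Value": instance_id}]
    snapshots = []
    for mapping in inst.get("BlockDeviceMappings", []):
        if "Ebs" not in mapping:
            continue
        snap = ec2.create_snapshot(
            VolumeId=mapping["Ebs"]["VolumeId"],
            Description=f"IR evidence for {finding_id} ({instance_id})",
            TagSpecifications=[{"ResourceType": "snapshot", "Tags": tags}],
        )
        snapshots.append(snap["SnapshotId"])

    # 3. Guard the evidence against a well-meaning "just delete it".
    ec2.modify_instance_attribute(InstanceId=instance_id, DisableApiTermination={"Value": True})
    ec2.create_tags(Resources=[instance_id],
                    Tags=tags + [{"Key": "ir:status", "Value": "quarantined"}])
    return {"action": "contained", "instance": instance_id,
            "rollback": to_isolate, "snapshots": snapshots}


def lambda_handler(event, context):
    import boto3  # imported here so contain_instance can be tested without AWS access
    instance_id = instance_id_from_finding(event)
    if not instance_id:
        return {"action": "none", "reason": "finding does not reference an EC2 instance"}
    finding_id = event.get("detail", {}).get("id", "unknown")
    return contain_instance(boto3.client("ec2"), instance_id, finding_id)
```

The function's role needs only the five EC2 actions it calls, which keeps the responder itself inside Pattern #4.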

Pattern #4 | Least Privilege During Chaos

AWS exams love scenarios where responders accidentally make things worse.

Correct answers:

  • temporary roles
  • scoped permissions
  • reversible actions

5. The Human Factor: Panic Is the Real Vulnerability

Incident response fails more often due to psychology than tooling.

Attackers rely on:

  • urgency
  • fear
  • confusion
  • authority pressure

This is social engineering at scale.

Historically, the same dynamics show up in crisis response:

  • rushed decisions
  • overcorrections
  • irreversible actions taken “just in case”

AWS incident response philosophy actively resists this.

Preparedness replaces adrenaline.
Playbooks replace improvisation.

In martial terms:
You don’t speed up, you slow down.

And paradoxically, that’s what makes you faster.

6. The Martial Parallel: Calm Is a Weapon

In training, you learn this early:

If your breath is shallow, your vision narrows.
If your vision narrows, you miss openings.
If you miss openings, you cannot be counter-offensive, and you get hit.

Incident response is the same.

Detection creates awareness.
Response tests composure.

Your tools don’t save you.
Your preparation does.

7. Closing: Responding Without Becoming the Incident

AWS does not reward panic. The exam doesn’t either.

Domain 2 is about proving you can:

  • think in sequences
  • protect evidence
  • contain damage
  • recover deliberately
  • and learn without blame

Security without pessimism continues here.

Not with fear.
Not with force.

But with prepared calm.

Detection lets you see the punch coming. Incident response determines whether you step aside…or swing wildly, only making it worse.

AWS incident response is about calm, not heroics. Playbooks, automation, and containment turn chaos into clarity. That’s how you turn a breach into a lesson, not a catastrophe. Preparation and composure, not improvisation, win the day in the cloud.

The Art of Cyberwar | Part XI | The Nine Situations

The principles: Begin by seizing something which your opponent holds dear; then he will be amenable to your will.

…Concentrate your energy and hoard your strength.

The principle on which to manage an army is to set up one standard of courage which all must reach.

Whoever is first in the field and awaits the coming of the enemy will be fresh for the fight. Sun Tzu

Context and Purpose
Sun Tzu’s Nine Situations maps the kinds of ground and circumstance a commander can face – from favorable positions to trap-laden ground. Each situation demands a different posture: sometimes you press; sometimes you withdraw; sometimes you wait. The lesson is tactical discrimination: don’t treat every fight the same.

In the modern world, those “situations” are organizational states: besieged systems, fleeting windows of access, deep entrenchment, overextended operations. Knowing which box you’re in changes everything you do next.

Leadership and Morale: The Human Center
Before tactics, a note about people. Sun Tzu insists that a general must know his soldiers. That’s not a platitude; it’s an operational fact.

  • Morale is intelligence: exhausted teams miss indicators, fail to follow playbooks, and make desperate mistakes.
  • Leadership is maintenance: rotating shifts, realistic on-call expectations, paid recovery time after incidents, and clear chains of command preserve discipline.
  • Respect plus standards: treat your people with dignity and hold them to standards. Leniency breeds sloppiness; cruelty breeds silence. Both are fatal.

A leader who ignores morale loses the fight long before the enemy arrives. That’s as true for an infantry company as for an incident response roster.

Deception and Perception Management
Sun Tzu: All war is based on deception. In practice, that means shaping what the opponent and the population believe.

  • Information operations: propaganda, curated narratives, and coordinated messaging have always been instruments of power. Orwell’s line, “We have always been at war with Eastasia,” is a cautionary parable about manufactured consensus.
  • Modern analogue: in cyber, deception shows up as honeypots, false telemetry, and misinformation campaigns; in statecraft, as narratives that create vulnerability or strength where none objectively exists.
  • Ethical frame: defenders use deception for detection and deception to raise the cost for attackers (e.g., canary tokens). Democracies must guard against the weaponization of truth at home; businesses must avoid misleading stakeholders.

Deception works because humans fill gaps with a story. Control the story; you alter the field.

Fight Only When Necessary
Sun Tzu and Mr. Lee agree: war is terrible; fight sparingly. The principle is simple: act only when the expected gain exceeds the cost.

  • Cost-calculation is non-negotiable: time, attention, capital, reputational risk.
  • In cyber: a public takedown, a disclosure, or active defense escalation must be measured against downtime, legal exposure, and adversary escalation risk.
  • In policy: interventions must have clear exit conditions and sustained domestic support. If you cannot sustain it, don’t start it.

Discipline supersedes impulse.

“If the Enemy Leaves a Door Open, Rush In” to Follow the Energy
Sun Tzu’s pragmatic injunction to exploit openings is simple: when an opponent’s guard falls, capitalize immediately. In fighting, it’s like watching for your opponent to drop their hands or go for a spinning attack; in security, it’s a window of opportunity for decisive action.

  • Cyber example (defense): detect a lateral movement attempt and immediately isolate the segment, block the credential, and pivot forensic capture. The quicker the isolation, the smaller the blast radius.
  • Cyber example (offense/emulation): when a red-team discovers a misconfiguration, follow the chain-of-trust to map further exposures before the window closes.
  • Business/policy: when a competitor shows strategic weakness (supply disruption, PR crisis), acting quickly with a measured offer can consolidate position. But always have your logistics in place; quick gains that can’t be held are hollow.

Following the energy multiplies the effect, but only if you’ve done the work beforehand to sustain the ground you’ve gained.

The Nine Situations, Condensed & Modernized:

  1. Dispersive ground – you’re among your people; maintain cohesion.
    Cyber: internal incidents; prioritize comms and transparent leadership. (e.g., during the 2021 Log4Shell crisis, organizations that communicated quickly and openly with their teams contained risk more effectively.)
  2. Facile ground – easy ground, many exits; avoid traps of complacency.
    Cyber: dev/test environments misused as production; lock and audit.
  3. Contentious ground – disputed control.
    Cyber: contested supply chains; prioritize integrity of build pipelines.
  4. Open ground – mobility advantage.
    Cyber: cloud-native agility; move quickly, but instrument heavily. (e.g., when a vulnerability like Heartbleed emerges, organizations that can rapidly update and redeploy cloud resources while monitoring all endpoints gain a decisive edge.)
  5. Intersecting ground – convergence of routes/partners.
    Cyber: shared services; segregate trust boundaries and enforce SLAs.
  6. Serious ground – stakes are high; commit only with full readiness.
    Cyber: critical infrastructure; assume regulation and public scrutiny.
  7. Difficult ground – constrained movement.
    Cyber: legacy stacks; carve out compensating controls and minimize exposure.
  8. Hemmed-in ground (trapped) – the enemy can encircle.
    Cyber: breached islands due to vendor lock-in; prepare out-of-band recovery. (e.g., during the NotPetya outbreak, companies with alternate vendors or recovery paths minimized downtime, while others suffered prolonged outages.)
  9. Desperate ground – fight with everything; no other option.
    Cyber: blind-fire incident with full emergency playbook; declare crisis, invoke war-room, use all hands.

Each situation requires a plan in advance, not improvisation in the heat of chaos. For those new to Sun Tzu: dispersive ground means your own territory, open ground is the public cloud, and hemmed-in ground is where your options are tightly constrained.

Prescriptive Playbooks (Operational Guide)
Below are short playbooks, or practical checklists, you can paste into an incident binder.

A. Besieged System (Hemmed-in/Trapped Ground)

  • Isolate affected segments (network ACLs, VLANs).
  • Enable out-of-band admin (jump boxes, console access).
  • Invoke containment RTO/RPO playbook.
  • Engage legal & communications.
  • Stand up a dedicated recovery team; rotate shifts.
  • After action: root cause, patch, and inventory third parties.

B. Fleeting Access (Open/Facile Ground)

  • Capture forensic snapshot immediately (memory, session tokens).
  • Harvest IOCs and block the indicators at the perimeter.
  • Perform rapid threat hunting to identify lateral movement.
  • Patch, vault credentials, and revoke tokens.
  • Debrief and harden the vector.

C. Retreat & Reconstitute (Dispersive/Retreat Scenario)

  • Execute planned fallback to secondary infrastructure.
  • Verify backups and boot from immutable images.
  • Communicate to stakeholders with controlled cadence.
  • Rebuild in a clean environment; stage verification before full restore.

D. Stronghold Defense (Steep/High Ground/Serious Ground)

  • Minimize human access; require jump hosts & MFA.
  • Use immutable logging to secure audit trails.
  • Periodic red-team tests; continuous monitoring.
  • Harden supply lines: vendor SLAs, redundancy, and a tested DR plan.

E. Rapid Exploitation (If a Door Opens)

  • Pre-authorize small rapid-response teams for exploitation windows.
  • Legal/ethics checklist signed off on in advance.
  • Capture intelligence, seal pivot paths, and convert to defense artifacts (detections, blocks).

Each playbook starts with people: assign roles, cap on-duty hours, and rehearse quarterly.

Final Thought: Calculation, Culture, and the Necessity of Restraint
Sun Tzu’s closing insistence, calculate before battle, remains the core discipline. The leader who wins has already counted costs, supply, morale, and terrain. The one who loses discovers those facts mid-fight.

That brings us back to the principles that opened this chapter:

  • Seize what the opponent holds dear: not for theater, but to create leverage and force predictable reactions.
  • Concentrate energy and hoard strength: preserve focus, avoid waste, and don’t spend force just to feel decisive.
  • Set one standard of courage: culture must hold under pressure, or your best playbooks become paper.
  • Be first in the field and wait: preparedness buys calm, and calm buys time – it’s the rarest advantage in crisis.

In cyber and statecraft, the rule remains unchanged: prepare, preserve people, exploit opportunities, deceive judiciously, and fight only when victory is likely and sustainable. As Robert E. Lee warned, “It is well that war is so terrible, otherwise we should grow too fond of it.” So only fight when you have no other option. When you do fight, move decisively, use the force necessary to end the threat, and leave no doubt in your opponent’s mind so they will never make that mistake again.