The Art of Cyberwar | Part VII | Maneuvering

Chapter VII’s artwork conveys the essence of Sun Tzu’s Maneuvering with clarity and grandeur. A lone commander surveys a vast, unfolding landscape of troops in motion, symbolizing disciplined rhythm rather than frantic pace. The terrain’s natural flow mirrors the movement of cloud-age systems, and the light breaking across the valley evokes strategic awareness dawning before action. It is a rare blend of historical resonance and modern metaphor, a visual philosophy.

Movement After Position

The Principle: “We may take it then that an army without its baggage-train is lost; without provisions it is lost; without bases of supply it is lost.” — Sun Tzu

The Art of Coordinated Movement

A cybersecurity team detects a breach at 2 AM. They have the skills, the tools, and the authority to act. But without coordination, that capability becomes chaos: analysts duplicating work, containment efforts conflicting, and communication breaking down. By dawn, the advantage is gone.

In February 1943, American forces faced German tanks at Kasserine Pass in North Africa. They had the weapons, the numbers, the training. What they lacked was coordination between units and effective air-ground communication. The result? The first major American defeat of WWII was not due to a lack of capability, but to failure to maneuver as a unified force.

Fifteen months later, those same American forces learned the lesson. On June 6, 1944, D-Day coordinated 12 nations, over 7,000 vessels, and 160,000 troops across five beaches in a single operation. Not because they suddenly acquired better weapons, but because they mastered maneuvering. Kasserine Pass taught them that capability without coordination is chaos. Normandy proved that coordination transforms capability into victory.

Eighty years later, the battlefield is digital, but the lesson remains the same.

Sun Tzu called this the difference between movement and maneuvering.

Maneuvering is the discipline of transforming positional advantage into progress without depleting resources. Though movement may appear straightforward (advance, pivot, respond), it demands careful coordination. Without coordination, movement breeds confusion and disorder, undermining any initial advantage.

In Brazilian Jiu-Jitsu, there’s a fundamental principle: position before submission. A novice rushes for the choke. A master secures the proper position, seeks control, applies the proper pressure, isolates the arm, and then the finish is there for the taking. The submission becomes inevitable because the position made it so.

Maneuvering works the same way: structured movement from an established position. Not frenetic action. Coordinated, calculated movement in advance.

Whether in military operations, government, or cybersecurity, the true challenge lies in maintaining momentum while preserving balance. Effective teams favor structured, intentional movement, not just speed.

This is the heart of maneuvering: composure, intent, and clarity. Act from principle, not anxiety.

The Maneuvering Decision Matrix

Sun Tzu understood that effective maneuvering requires reading the moment, knowing when to accelerate, when to pause, and when to let the environment dictate pace.

Modern leaders need the same discernment:

When to Accelerate:

  • The advantage is clear and actionable.
  • Resources are sufficient.
  • Team alignment is strong.
  • Opponent is vulnerable.

When to Pause:

  • Visibility is degraded.
  • Fatigue is setting in across the team.
  • Purpose has become uncertain.
  • Information remains incomplete.

When to Let Environment Dictate:

  • The opponent is making mistakes.
  • Terrain is shifting faster than you can control.
  • Patience offers a strategic advantage.
  • Reactive movement would expose weakness.

This isn’t indecision. It’s tactical discipline. The fighter who controls tempo controls the outcome.

Tempo and Terrain

In both war and cybersecurity, timing determines outcomes more than sheer speed. When to act matters more than how quickly you act.

Sun Tzu cautioned that armies advancing too rapidly become fatigued, while those moving too slowly forfeit initiative. Balance requires understanding rhythm, discerning when to accelerate, when to pause, and when to let the environment set the pace.

Today, that terrain is digital.

The modern battlefield consists of networks, cloud environments, and global systems. Effective cybersecurity professionals study the digital landscape to move with intent, not to avoid movement altogether.

In the cloud era, terrain isn’t geography, it’s architecture.

Latency, visibility, and complexity shape what’s possible. The most secure organizations extend beyond perimeter defense by developing a comprehensive understanding of their operational landscape. They design systems where quick tactical movements don’t create strategic vulnerabilities.

The Cyber Battlefield: Coordination Over Chaos

In cybersecurity, effective maneuvering means more than quick patching or immediate responses. It requires aligning teams, especially during high-pressure situations.

  • Incident response represents maneuvering under pressure: containment, communication, and recovery.
  • Threat intelligence involves maneuvering through uncertainty—transforming fragmented information into actionable insights without prematurely acting on incomplete data.
  • Automation functions as the logistical backbone, the supply chain supporting frontline operations. When automation fails, even highly skilled analysts face burnout.

Many security operations centers (SOCs) miss this point. Constant urgency and nonstop action may seem productive, but endless motion risks exhaustion and reduced effectiveness.

Authentic maneuvering is characterized by calm, control, deliberation, and focus.

  • Wing Chun’s centerline theory offers a simple, direct, economical model. SOC analysts don’t need fifty tools—they need the right three, automated properly, with clear escalation paths. Economy of force.
  • The central point: when your playbook drives decisions, you maneuver. When alerts drive decisions, you react.

Cloud Mobility: The Terrain in Flux

The shift to cloud computing redefined what “maneuvering” means. In the old world, servers stayed put. Now, data, workloads, and identities move across providers, borders, and legal frameworks.

In this environment, organizational strength comes not from rigidly restricting movement, but from orchestrating secure and transparent operations.

Cloud maneuvering looks like:

  • Workloads shifting across regions without breaking compliance
  • Data flowing securely through APIs without leaving blind spots
  • Teams pivoting incident response playbooks across hybrid environments in real time

Cloud environments reward planning for motion. Organizations win by designing for agile, secure movement, not by resisting change.

In 2023, a Fortune 500 company’s cloud migration stalled not because of technical limitations, but because their security team designed for a static perimeter. When workloads needed to shift regions for compliance, every move required manual review.

Organizations that assume static conditions are at a disadvantage.

This aligns with the martial principle of flow: Rigid fighters break. Rigid systems break faster.

Foreign Policy and the Cost of Motion

Nations, too, confuse movement with progress. America’s 20th-century record is full of lessons in tempo and fatigue.

But no example better illustrates the danger of resource-driven maneuvering than what led to the attack on Pearl Harbor.

The Pearl Harbor Lesson: When Resources Force Your Hand

Japan’s attack wasn’t born from ambition, it was forced by logistics. The U.S., Britain, and the Dutch enforced the ABCD embargo, cutting off:

  • Oil
  • Rice
  • Steel
  • Rubber
  • Machine parts

Japan imported 90% of its oil. Cut off from fuel, it faced two choices: fight or run out of energy and food entirely.

Sun Tzu wrote: “Throw your men into death ground, and they will fight.”

Japan was placed on death ground by resource denial. Their maneuver, the attack itself, was coordinated brilliantly. Six aircraft carriers, 353 aircraft, precise timing across multiple strike waves.

Tactically, it was masterful.

But strategically? Admiral Yamamoto knew: “I fear all we have done is awaken a sleeping giant.”

A lingering question remains: was America truly sleeping? WWI had concluded only 20 years earlier. Before WWII, WWI was considered the deadliest war in human history, earning the moniker “The Great War” for its immense scale and death toll of approximately 20 million lives. Its unprecedented destruction set it apart from previous conflicts. So, America was hardly asleep. Back to Pearl Harbor.

The lesson isn’t about the attack’s execution. It’s about what happens when maneuvering is dictated by desperation rather than position. When resources force your hand, even perfect coordination can’t save you.

Sun Tzu’s calculus applies: survival-driven movement, no matter how well-executed, is still reactive. And reactive maneuvering rarely wins wars.

The United States later encountered similar challenges in Vietnam, Iraq, and Afghanistan, where rapid action outpaced strategic learning. Momentum itself became a compelling but hazardous force.

Diplomacy is maneuvering in another realm.

In contrast, contemporary policy frequently equates reaction with strategy, prompting responses to every crisis even when restraint or delay might prove more advantageous.

Sun Tzu’s wisdom cuts through centuries: “If you know neither the terrain nor the season, you march to fatigue, not to victory.”

The Logistics of Cyber Power

For cybersecurity professionals, logistics consists not of physical supplies, but of bandwidth, personnel, and operational clarity.

Sustained operations aren’t feasible if systems are overburdened, personnel remain on constant alert, and every issue is treated as critical.

Good logistics in cyberspace means disciplined prioritization:

  • Which assets are mission-critical?
  • Which alerts deserve escalation?
  • What response cadence prevents burnout?

Sun Tzu would call this “feeding the army.” In today’s language, it’s resource stewardship.

An effective CISO ensures security professionals maintain resilience and don’t become exhausted before adversaries lose their resolve.

The data shows progress. Organizations took an average of 241 days to identify and contain breaches in 2025, down from 287 days in 2021. Not because threats got easier, but because purple-teamers got better at coordinated response. They learned to maneuver.

Maneuvering the Human Factor

The most challenging aspect of coordination isn’t the technical infrastructure; it’s the human element. While individuals contribute creativity, they also introduce unpredictability.

The numbers confirm what practitioners already know: 88% of cybersecurity breaches are caused by human error. Not zero-days. Not sophisticated malware. Human mistakes. The technology isn’t the weak link—the coordination of people using that technology is.

Sun Tzu understood morale as a weapon system. He coordinated hearts and minds before he coordinated units.

The same applies to martial arts and security culture.

  • In Muay Thai, they call it ring generalship, the fighter who controls space controls pace. The same applies to security teams. Leaders who set tempo, who decide when to press and when to absorb pressure, create the conditions for team effectiveness.
  • The most effective cybersecurity teams operate like jazz ensembles, distributed but synchronized. Training, communication, and trust are the modern equivalents of morale.

This is modern maneuvering: achieving precision in movement without relying solely on hierarchical control.

The Risk of Endless Marching

Sun Tzu cautioned that armies remaining in the field for extended periods experience internal decline. This phenomenon appears today as burnout, alert fatigue, and continuous red team exercises that fail to produce lasting improvements.

Organizations that never rest eventually turn on themselves. This applies equally to companies and nations.

Movement should support strategic objectives, not substitute for them. Effective leadership requires recognizing when to pause, regroup, and restore organizational strength.

Without periodic rest, strength deteriorates into strain, and resilience devolves into attrition.

The Bridge to Variation

The final lesson of maneuvering emphasizes humility: movement does not constitute mastery; it serves as its test.

Any army, individual, or system that acquires the ability to move must subsequently develop adaptability: the capacity to alter rhythm, diversify tactics, and confound adversaries who anticipate predictability.

Leading us back to the initial principle: “We may take it then that an army without its baggage-train is lost; without provisions it is lost; without bases of supply it is lost.”

Maneuvering determines survival. Variation determines victory.

But first, you must learn to move without falling apart. Master coordination before you attempt improvisation. Secure your supply lines before you advance.

Because, as Sun Tzu understood, an army that moves with discipline can adapt. An army that moves with chaos can only collapse. The next chapter explores variation, but only those who’ve mastered maneuvering will recognize when to use it.

Meal Prep for Real Life: How to Cook Once, Eat All Week

Meal prep isn’t just for the ultra-disciplined or Insta-famous. Sure, you’ve seen those photos: Tupperware lined up like soldiers, meals color-coded, macros counted. But let’s be real, that’s not most people’s life.

What if you could meal prep without spending eight hours every Sunday or needing a second fridge? Real meal prep isn’t about perfection; it’s about persistence and readiness. It’s about building a system that fits your training, work, and flexibility needs. When you fuel your life with intention, everything else sharpens into place.

Step One: Choose Your “Prep Style”

There are three main approaches to meal prep, and the one that’s best for you depends on your schedule and personality:

  1. Batch Prep (Traditional): Make full meals ahead of time. Roast a tray of chicken thighs, cook up a pot of rice, and steam some broccoli. Stack them, label them, done. Good for those who like structure and predictability.
  2. Buffet Prep (Modular): Prep components instead of full meals. Think proteins (ground beef, eggs), starches (sweet potatoes, oats), and fats (olive oil, avocado). Mix and match daily based on cravings or training demands.
  3. Half-Prep (Hybrid): Prep only the time-consuming tasks, like chopping vegetables or marinating proteins, so cooking during the week is more efficient but still flexible.

Step Two: Focus on Your Macro Anchors

Every meal should hit three pillars:

  • Protein: This is your building block. Prep double what you think you need. Think grilled chicken, grass-fed, slow-cooked pork shoulder, hard-boiled eggs, and Greek yogurt.
  • Smart Carbs: These are your fuel tanks. Rotate between your favorite veggies, white rice, potatoes, and fruit. Make them in bulk and store flat in zip-top bags to save space.
  • Healthy Fats: Olive oil, nuts, avocado, seeds. Never forget flavor is fuel, too. Keep these on hand for fast drizzles or topping swaps.

Make meals that tick the macro boxes without requiring a calculator. Example?

  • Ground turkey (who doesn’t love leftovers?) + sautéed kale + roasted sweet potato + a sprinkle of feta and olive oil.
  • Scrambled eggs + pepper and onions + chopped spinach + avocado.

Easily repeatable, nourishing, and delicious.

Step Three: Make Friends with Your Freezer

Your freezer isn’t just for waffles and ice cream. It’s your long-term meal prep MVP. Here’s how to make it work for you:

  • Buy bulk frozen vegetables and fruits.
  • Freeze leftover portions of chili, stew, or curry in single-serve containers.
  • Portion “smoothie” bags with fruits, nut butters, and protein powder. Blend them up and freeze them ahead of time – easy-peasy.
  • Store cooked rice or roasted veggies flat in freezer bags for quick reheats.

Pro tip: Label and date everything. No mystery meals!

Step Four: Build In the “Rescue Meals”

Life happens. You’ll miss a prep day, forget your lunch, or get stuck in traffic. That’s when “rescue meals” save the day:

  • Package tuna or salmon + cucumber and tomato slices + olive oil
  • Grilled steak + half a sweet potato with a dash of cinnamon + two slices of crispy bacon.
  • Hard-boiled eggs + fruit of your choice + handful of almonds

Not fancy. But fast, macro-friendly, and better than skipping meals or panic-ordering pizza.

Step Five: Keep it Repeatable

The secret to success isn’t variety, it’s consistency. Most people thrive on 2-3 breakfast options, 3-4 go-to lunches, and 4-5 dinner templates. Boring? Maybe. But boring builds bodies. Save your culinary creativity for the weekends if that’s your thing.

Meal prep isn’t about being a hero. It’s about staying disciplined and staying in the fight.

The win is showing up to train with fuel already in the tank. The win is making your life easier, one container at a time. Prep is something to be proud of and it’s a version of self-respect you can see every day.

Pick your style and start prepping, your future self will thank you.

Security Without the Skepticism: Password Managers – Modern-Day Trust Issues in a Zero-Trust World


Trusting the One Tool to Rule Them All

Cybersecurity presents a paradox: we are taught to be wary of everyone online, yet we’re expected to trust one application with all our passwords.

That’s a BIG ask.

Password managers claim to offer both convenience and security. They eliminate the need for sticky notes, memory tricks, and risky repeated logins. Yet, handing over the credentials to your digital life may feel risky, as if you’re leaving your house key under someone else’s doormat.

Even people who are good with technology feel this hesitation. Trusting one place with everything can seem like putting all your eggs in one basket.

How Password Managers Actually Work

At their best, password managers create a secure vault for your passwords. This vault is protected by a master password that only you know.

They use zero-knowledge encryption, so even the company that stores your vault cannot see your data.

That’s how it’s supposed to work. In reality, people hesitate because of things like:

  • High-profile breaches (e.g., LastPass, 2022)
  • Syncing fears (“What if my vault gets intercepted?”)
  • Human error (“What if I forget my master password?”)

Even though the underlying technology is strong, public trust wavers each time a major breach is reported. People remember negative headlines more than encryption details.
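
The zero-knowledge vault model described in this section, as an added sketch (not code from the original post or from any particular password manager): the key is derived from the master password on the client, and the provider only ever holds the salt, nonce, ciphertext and tag. The function names, the scrypt settings, the `demo-vault-v1` label and the sample entries are assumptions made for illustration.

```javascript
// Added illustration: client-side ("zero-knowledge") vault encryption with Node's built-in crypto.
const crypto = require('crypto');

// Assumed scrypt cost settings; real products pick their own KDF and parameters.
const KDF_PARAMS = { N: 2 ** 14, r: 8, p: 1, maxmem: 64 * 1024 * 1024 };
const FORMAT = 'demo-vault-v1'; // hypothetical format label, authenticated as AAD

// Constructed sample data, not real credentials.
const SAMPLE_MASTER = 'sample master passphrase';
const SAMPLE_ENTRIES = [
  { site: 'mail.example', user: 'alice', password: 'constructed-sample-pw-1' },
];

// Stretch the master password into a 256-bit key. This runs only on the client.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword.normalize('NFKC'), salt, 32, KDF_PARAMS);
}

// Encrypt the vault locally. The returned record is everything the provider stores.
function sealVault(masterPassword, entries) {
  const salt = crypto.randomBytes(16);  // fresh per seal, not secret
  const nonce = crypto.randomBytes(12); // fresh per seal, never reused with a key
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(Buffer.from(FORMAT));
  const ciphertext = Buffer.concat([
    cipher.update(JSON.stringify(entries), 'utf8'),
    cipher.final(),
  ]);
  return {
    format: FORMAT,
    salt: salt.toString('base64'),
    nonce: nonce.toString('base64'),
    ciphertext: ciphertext.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt on the client. Returns null when the password is wrong or the
// stored record was modified, because the GCM tag no longer verifies.
function openVault(masterPassword, record) {
  try {
    const key = deriveKey(masterPassword, Buffer.from(record.salt, 'base64'));
    const decipher = crypto.createDecipheriv(
      'aes-256-gcm', key, Buffer.from(record.nonce, 'base64'));
    decipher.setAAD(Buffer.from(record.format));
    decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
    const plaintext = Buffer.concat([
      decipher.update(Buffer.from(record.ciphertext, 'base64')),
      decipher.final(), // throws if authentication fails
    ]);
    return JSON.parse(plaintext.toString('utf8'));
  } catch (err) {
    return null;
  }
}

// Simulate a record altered in storage or in transit: flip one ciphertext bit.
function tamper(record) {
  const ct = Buffer.from(record.ciphertext, 'base64');
  ct[0] ^= 0x01;
  return { ...record, ciphertext: ct.toString('base64') };
}

// What the provider (or someone who breaches it) sees, and what each party can do with it.
const stored = sealVault(SAMPLE_MASTER, SAMPLE_ENTRIES);
console.log('provider stores:', Object.keys(stored).join(', '));
console.log('owner opens vault:', openVault(SAMPLE_MASTER, stored) !== null);
console.log('wrong password opens vault:', openVault('guess123', stored) !== null);
console.log('tampered record opens vault:', openVault(SAMPLE_MASTER, tamper(stored)) !== null);
```

In this sketch there is no recovery path: without the master password `openVault` can never succeed, which is the trade-off behind the "what if I forget my master password?" worry listed above.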

Control vs. Convenience

Using a password manager isn’t just a technical choice; it’s also a psychological one.

Humans like to be in control, especially when it comes to security. We equate manual effort with safety. Typing passwords ourselves feels safer than letting software do it, even when we know the software is objectively smarter than we are.

However, for many, convenience ultimately prevails: after trying a password manager, the newfound ease often surpasses early distrust.

This dynamic shows that modern security requires balance: people want independence, but security improves with some delegation to trusted tools.

When Trust Breaks Down

No password manager is immune to risk, but relying on weaker alternatives such as reused passwords or predictable patterns leaves you even more vulnerable. Minimizing trust is about minimizing risk, not eliminating it.

If a vault provider is breached, attackers still face encryption. But if you reuse one password across five sites, there’s no barrier at all.

So, it’s less about trusting the tool absolutely, and more about managing where that trust sits:

  • Choose providers with open security audits.
  • Enable MFA on your vault.
  • Keep the master password offline, not saved, not synced.

The core issue isn’t the tool itself, but the risk of blind faith. Sometimes, people subconsciously seek blind faith from such tools.

Zero-Trust Starts with You

Zero-trust isn’t just a corporate buzzword; it’s a mindset. Assume every system can fail. Build layers so failures aren’t fatal.

For password managers, apply zero-trust this way:

  • Separate critical credentials (server logins, service accounts, etc.) from general logins.
  • Regularly export and back up encrypted copies to an offline location.
  • Keep MFA active everywhere.

Aim for persistence and resilience, not perfection.

Culture Over Blame

We often criticize people for using sticky notes, but we don’t always show them better ways.

Security maturity grows when using a password manager feels normal, not nerdy. Encourage colleagues and family to use them and to question them. Healthy skepticism keeps systems honest.

A culture of curiosity always beats compliance.

Final Thought

Zero-trust is about choosing where to place your trust, not avoiding it altogether. Good judgment is at the heart of modern security.

Password managers aren’t a magic fix. They’re just one important layer of security, and they work well if you stay alert.

In the end, good security comes from making careful, informed choices about trust, not just believing in technology without question.

That’s not being skeptical, that’s working to overcome modern-day trust issues in a zero-trust world.

The Art of Cyberwar | Part VI | Weak Points and Strong


The principle:
“So in war, the way is to avoid what is strong and to strike at what is weak.”

Strength and Weakness Are Temporary

Sun Tzu emphasized that strength and weakness are dynamic rather than static. Although this principle may seem self-evident, it is often overlooked in practice. Many individuals disregard straightforward strategies, mistakenly believing that complexity is required. This oversight often leads to the violation of previous strategic principles or “lessons learned”, indicating a lack of genuine understanding.

It is essential to recognize that what appears robust today may become fragile in the future, while seemingly vulnerable elements can become decisive with time and increased awareness.

Power, whether military or digital, shifts with context.

The critical factor is not the quantity of resources, but the ability to perceive the entire operational landscape. Vulnerabilities arise not only from an adversary’s strengths, but also from areas where situational awareness is lacking and the speed at which adaptation occurs when new realities emerge.

In contemporary contexts, both nations and security architects often neglect this fundamental principle. There is a tendency to focus on constructing increasingly formidable defenses rather than developing adaptive strategies. Regardless of the scale of these defenses, adversaries require only minor vulnerabilities to compromise their effectiveness. Always remember, your adversaries only need to find a tiny leak in the walls to bring the entire system down.

Predictability: The Modern Weakness

Even the most secure fortresses eventually become familiar terrain for attackers. Cyber adversaries do not rely on brute force; instead, they employ strategic analysis. They examine organizational habits and exploit vulnerabilities such as unpatched servers, unmanaged privileged or service accounts, unchanged passwords, and the susceptibility of executives to social engineering.

Their success depends not on force, but on the predictability of organizational behaviors.

Nations exhibit similar vulnerabilities. Bureaucratic routines solidify into doctrine, which can devolve into dogma. Adversaries exploit these predictable patterns, waiting for repetition before executing successful attacks.

Historical events, such as the Pearl Harbor attack, the September 11 attacks, the Gulf of Tonkin incident, and numerous cyber intrusions, demonstrate that deficiencies in critical thinking, complacency, rigidity, and hubris significantly increase the likelihood of successful surprise attacks.

When Comfort Masquerades as Strength

Many organizations and governments allocate excessive resources to familiar areas, fostering a false sense of security. This environment allows risks to proliferate unnoticed, undermining overall resilience.

Cybersecurity teams often spend millions fortifying infrastructure while leaving users untrained.

Organizations frequently monitor technical metrics while neglecting human behavior. The most significant vulnerabilities often arise from areas presumed to be under adequate management.

System failures are typically attributable not to insufficient funding, but to misaligned priorities.

This pattern is evident at the national level as well. Large militaries and substantial budgets often obscure underlying fragilities, including slow adaptation, reliance on outdated assumptions, unstable alliances, and insufficient strategic foresight regarding emerging forms of conflict.

Historical Lessons of Misguided Strength

The First World War began with nations convinced that industrial might and rigid plans guaranteed victory. Those plans dissolved within months under the weight of modern weapons and static thinking.

During the Vietnam War, a major power misinterpreted its capacity for endurance as a guarantee of superiority. The Viet Cong’s guerrilla tactics transformed conventional advantages into significant liabilities.

Even the rapid success of Operation Desert Storm fostered complacency. Efficiency was mistaken for enduring security, and the perceived triumph was erroneously interpreted as evidence of invincibility.

Each era reaffirms the principle that the most conspicuous assets are not necessarily the most powerful.

Flexibility as True Power

Sun Tzu’s insight was to conceptualize power as dynamic movement. He advocated that a general should emulate water, seeking the path of least resistance and adapting to the terrain.

Within the cyber domain, the operational landscape evolves rapidly, with new threats, actors, and vulnerabilities emerging on a continual basis.

In this context, strength is defined by agility:

  • Rotate keys and credentials regularly.
  • Automate but verify.
  • Decentralize authority so teams can act without waiting for hierarchy.

The most effective defenders are those who demonstrate the greatest adaptability, learning and evolving more rapidly than adversaries can adjust their tactics.


Lao Tzu’s Echo

Lao Tzu put it simply:

“Water overcomes the stone not by strength, but by persistence.”

Endurance surpasses dominance. Properly understood, flexibility is not a sign of weakness but of resilience, characterized by the capacity to absorb disruption and recover to an original state.

In the digital context, resilience is reflected in recovery planning, redundancy, and organizational culture. The true measure of strength is not the infrequency of failure, but the speed of recovery following a compromise.


Turning Weakness Into Insight

All systems possess inherent flaws. Denial of these vulnerabilities allows them to remain concealed until a crisis occurs. Proactive defenders employ audits, red-team exercises, and transparent communication to identify weaknesses at an early stage.

Transparency transforms potential liabilities into opportunities for organizational learning.

Nations could use the same humility.

Public acknowledgment of mistakes enhances credibility, whereas concealment increases risk. The most resilient governments are not those without flaws, but those capable of adapting transparently before their constituents.

From Awareness to Action

Identifying vulnerabilities constitutes only part of the challenge; addressing them effectively demands both discipline and restraint.

In cybersecurity, this approach entails prioritizing remediation over self-congratulation, thorough preparation prior to disclosure, and critical evaluation before taking action.

In policy contexts, this requires deliberate prioritization, engaging only in actions where the anticipated outcomes justify the associated costs.

Misapplied strength can become a source of vulnerability, whereas a thorough understanding of weaknesses can provide strategic foresight.

The Next Step: The Flow of Force

Sun Tzu ends this chapter with motion: the strong shifting to the weak, the weak transforming to the strong.

He implies that awareness must evolve into timing. The wise general aligns his force with the moment, not against it. As he puts it: “All men can see the tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.”

This concept serves as a transition to the subsequent lesson, which focuses on the dynamics of energy in motion and the strategic management of power with balance and rhythm.

We’ve learned where to stand. Next, we’ll learn how to move. As Master Tzu concludes Chapter VI:

Military tactics are like unto water; for water in its natural course runs away from high places and hastens downwards. Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions.

Leading us directly back to this lesson’s seemingly simple principle: “So in war, the way is to avoid what is strong and to strike at what is weak.”

Feast Like a Pro: Gratitude, Gains & Turkey Day Tactics

The table is set. The family is gathered. That golden bird’s resting for its moment of glory. And you? You’re not just another guest, you’re the standard‑bearer. Training hard doesn’t hibernate because of a holiday. Neither does integrity, nor does your plate.

If you’ve spent years training in the trenches, on the mats, under the barbell, through years of high-demand cycles, you know one thing: what you do in ordinary weeks sets up your success in the extraordinary ones. Thanksgiving falls in the extraordinary category, but it doesn’t need to wreck your rhythm. It can elevate it.

Why Thanksgiving can work to your advantage

Many of those holiday staples are good food choices: turkey provides lean protein, sweet potatoes offer fiber and micronutrients, and greens contribute volume and nutrient density.

The catch isn’t the food, it’s the habits before and after that singular day that matter far more.

Let’s keep the feast, skip the fallout.

Three rules to guide you at the table

  1. Start Strong
    Don’t arrive famished. Your engine shouldn’t be at the red‑line before the first bite. A balanced breakfast, eggs and veggies, cottage cheese and berries, or Greek yogurt and nuts, all keep hunger in check and your nervous system grounded. Research confirms that skipping breakfast often triggers overeating and leaves you feeling exhausted.
  2. Always Balance Your Plate
    Picture any other day’s nutrition: lean protein to anchor (such as turkey, beef, or ham), colorful vegetables or salad for volume, and limited starchy sides unless your training week demands them. Watch the gravy and sauces, those are where the hidden (and delicious) calories hide.
  3. Mind the Velocity
    Feasting is a moment. Not a month. At the end of the meal, don’t fear choosing to eat something you love: pie, sides, or other family favorites. But just enjoy semi-reasonable portions. Experts show that a single large meal won’t derail you long‑term. So, don’t live in fear of enjoying yourself. Your habits of hard training and clean eating will remain just as they were the day before Thanksgiving. Finish the meal with water, a walk, or even a short mobility circuit. Movement after eating boosts digestion and circulation, and helps you avoid the all‑too‑familiar food coma. But don’t be weird about it!

A bit of real-life experience:

I’ve seen high-level athletes treat Turkey Day like a dead zone. They think “holiday = derail.” Instead, I coach it like any other session: first of all, your habits and discipline got you here. After that, it’s just preparation, execution, and recovery. You arrive with your baseline, you feast with intention, you leave the table with your standards intact. That same mindset built you under the barbell and in the academy; it works here, too.

This week’s actionable plan

  • Open your day with intention: Have a solid breakfast, something you’d have on a heavy training day.
  • Scan the table before loading your plate: protein first, then vegetables, and then one or two sides you love.
  • Pick one indulgence: It’s OK. But make it a choice, not a subconscious default.
  • Finish strong with movement: a 15–20 minute walk, foam roll, or light mobility work post-meal. But again, don’t be weird about it. Don’t be “that guy.”
  • Back to normal tomorrow: One meal doesn’t define you. Your pattern does.

Ultimately, it isn’t about perfection. It’s about being present with your family and friends. Celebrating with those you care about, giving thanks, and still showing up for your future self, too.

Training, eating, and living at a high level don’t pause for holidays; they simply work in harmony with them.

Security Without Pessimism: The Forgotten Factor – Physical Security in a Digital World

The Door We Forgot to Lock

We’ve built firewalls as strong as fortresses.
Encrypted everything that moves.
Multi-factored ourselves into oblivion.

And then someone leaves their laptop open at a coffee shop. Or walks away from a conference table with a session still active. Or prints sensitive data and tosses it in the trash can.

This is the paradox of modern security: we protect our digital data but overlook simple, everyday risks. Physical security is still important. We just don’t talk about it as much anymore.

What “Digital-Only” Security Misses

When we hear “security breach,” we usually think of hackers or malware. However, physical security mistakes can cause real harm, sometimes even faster than a cyberattack.

Here’s what slips through:

  • Leaving devices unattended: logged in, open, and easy for someone to take.
  • Shoulder surfing: someone quietly reading your screen over your shoulder on a plane or in a shared workspace.
  • Lost or stolen hardware: phones, drives, or tablets that still have cached credentials.
  • Shared spaces: whiteboards covered with client data or passwords written down temporarily.

The problem isn’t that we don’t know better; it’s just habit. We secure our digital accounts but often leave physical spaces unprotected.

Out of Sight, Out of Mind

People react most to what they can see, like a phishing email or a warning message on their screen.

But physical threats often go unnoticed because they seem so normal.

Most people don’t worry when someone glances at their laptop screen in an airport lounge or when they leave their badge on the desk. This is called familiarity fatigue. When something becomes routine, we stop seeing it as a risk.

Attackers rely on this kind of oversight.

Where Security Actually Breaks

Physical security mistakes don’t look dramatic. They just look like everyday life.

  • Leaving a laptop open during lunch.
  • Traveling with client data on a USB.
  • Propping open a badge-secured door “for convenience.”

These actions aren’t intentional; they’re simply small mistakes. Each one seems minor, but together they add up. Because these mistakes happen in everyday situations, they rarely make the news.

But in many breach reports, these are often the first step.

Practical Habits That Actually Stick

You don’t need to completely change your security setup. You just need to be more aware of your surroundings.

Here’s what helps:

  • Lock your screens, not just the doors. Even if you step away for a few seconds, lock it.
  • Be alert in public places. If you’re working remotely, try to sit with your back to a wall.
  • Don’t leave devices unattended. Treat your laptop and phone like your passport; always keep them with you.
  • A clean desk helps you stay focused. Don’t leave sensitive notes on sticky pads.
  • Practice badge discipline. It’s not paranoia; it’s protocol.

Security isn’t just about policies. It’s about your daily habits and routines.

The Quiet Kind of Accountability – Always Culture Over Blame

Physical security isn’t exciting, so people often overlook it. But teams that pay attention to it usually do better than those that don’t.

Instead of blaming people, make good security habits normal:

  • Make “lock check” part of stand-ups.
  • Reward awareness, not just detection.
  • Model the habits yourself.

It’s not about being paranoid. It’s about being aware, knowing your surroundings, what’s open, and who might be watching.

Final Thought

Digital security protects your entire network infrastructure, but physical security protects what’s happening right now. Password managers, firewalls, and multi-factor authentication don’t help if someone takes a device that’s still logged in. So pay attention to your surroundings. Sometimes, the real threat isn’t in your inbox, it’s right next to you.

This isn’t about creating fear. It’s about being more mindful of your daily habits and routines.

The Art of Cyberwar, Part V | Energy | The Use of Force

The principles:
In all fighting, the direct method may be used for joining battle, but indirect methods will be needed in order to secure victory.

Indirect tactics, efficiently applied, are inexhaustible as Heaven and Earth, unending as the flow of rivers and streams; like the sun and moon, they end only to begin anew; like the four seasons, they pass away to return once more.

The Power of Controlled Motion

Sun Tzu’s fifth chapter deals with energy, not as brute strength, but as direct application of force.

He warned that a commander must know when to cultivate and store power and when to release it. Misapplied energy burns itself out. However, when energy is focused, it bends the world to its will.

It’s an idea that translates effortlessly to today’s digital battlefield. Nations, like networks, often fail not because of a lack of capability, but because of a lack of control.

True mastery isn’t in how much force you can deploy. It’s in knowing how little you need to. It’s akin to the idea that, sure, you can kill a fly with a hammer, but is it the most effective tool at your disposal?

The Cost of Unchecked Energy

American diplomatic and military history is full of examples of lawmakers mistaking our capacity for clarity.

In Korea, overwhelming U.S. power pushed back North Korean forces, only to overextend toward China’s border and trigger an entirely new front. And thus, we have burdened ourselves with maintaining the “38th parallel” ever since.

In Vietnam, energy became inertia, force applied endlessly without definition, draining political and moral capital alike. If only the “peacemakers” at the Treaty of Versailles had let Ho Chi Minh deliver his speech on the Rights of Man, perhaps there would have been no quagmire in Southeast Asia to begin with. A guerrilla war that would take nearly 60,000 American lives and lead to what became known as the “Vietnam Syndrome.”

In Iraq, “shock and awe” demonstrated that a singular “tactical victory” can be swift, while a strategic victory remains elusive. Notwithstanding the entire list of false pretenses that led to the invasion of Iraq to begin with.

Each conflict began with a belief in momentum and ended with war fatigue. Demonstrating once again, force without direction always collapses under its own weight.

The lesson isn’t that force is wrong; it’s that force, when misapplied and unguided, becomes self-consuming. Power is not infinite. Neither is attention, money, or public trust.

The Cyber Equivalent: Sprawl and Burnout

Organizations repeat these same mistakes in digital form.

A breach occurs, and the reflex is to rush to acquire new tools, policies, and budgets, thereby triggering a cyberwar “surge.”

New dashboards, new alert monitoring, and new vendors lead to a surge in activity, while clarity plummets.

This is cyber energy without strategy, effort disconnected from insight.

As Sun Tzu also said: “Amid the turmoil and tumult of battle, there may be seeming disorder and yet no real disorder at all; amid confusion and chaos, your array may be without head or tail, yet it will be proof against defeat.”

Teams exhaust themselves chasing incidents instead of patterns. Leaders demand constant escalation, not realizing that perpetual crisis is its own vulnerability.

The result mirrors the national trap: motion is mistaken for genuine progress. The ability to endure is mistaken for endurance.

Energy as Rhythm, Not Frenzy

Sun Tzu described two forms of force:

  • Normal energy — the steady discipline that sustains the fight.
  • Extraordinary energy — the precise, unexpected burst that wins it.

In cybersecurity, the equivalent is security posture and precision in the application of policies.

Normal energy is the quiet work of patching, monitoring, and awareness training. Extraordinary energy is the calm, swift, and accurate incident response that turns chaos into closure.

Both are needed. But one cannot exist without the other. A team that never rests has no energy left to strike when it matters most.

It’s the same in martial arts.

In Wing Chun:
Normal energy = quality structure and energy sensitivity.
Extraordinary energy = the skill to deliver a singular, intercepting strike that ends the exchange.

Muay Thai:
Normal energy = footwork, guard, pacing.
Extraordinary energy = the slashing elbow, a stabbing teep, or perfectly placed knee.

BJJ:
Normal training energy = position, pressure, framing.
Extraordinary training energy = the ability to feel a submission open up the moment the opponent makes a mistake. In Mandarin, this is an old idea called Wu Wei, or effortless action. Meaning, I don’t present the opportunity to attack; the enemy presents it to me, like water finding a leak in the dam.

A security team that never rests has no energy left for anything extraordinary.

Good CISOs, like good generals, good fighters, and good grapplers, understand rhythm. They know when to conserve strength so that action, when it comes, is clean and effective.

As Master Tzu also knew, “When he utilises combined energy, his fighting men become as it were like unto rolling logs or stones.” Leading to, … “the energy developed by good fighting men is as the momentum of a round stone rolled down a mountain thousands of feet in height.” So important is the subject of energy.

Diplomacy and the Misuse of Force

In diplomacy, the same physics apply. The U.S. has often wielded immense power but uneven patience.

Moments like the Marshall Plan and the Cuban Missile Crisis demonstrated the value of precision, employing limited force, clear objectives, and a proportional response.

But elsewhere, the misapplication of force became diplomatic impotence on full display. Prolonged occupations and open-ended interventions constantly drain strategic reserves of will and trust.

Every drone strike, every unconstitutional data collection program, every new cyber warfare doctrine carries a similar risk: that power’s convenience will overshadow its consequence.

The Taoist counterpoint from Lao Tzu still resonates to this day:

“He who knows when to stop never finds himself in trouble.”

Knowing when not to act is the highest use of force. It’s the difference between control and compulsion.

The Lesson for Cyber Strategy

A strong digital defense isn’t constant action, it’s intelligent action.

Practical translation:

  • Automate the repeatable.
  • Escalate only with context.
  • Protect attention as aggressively as data.
  • Reserve extraordinary effort for extraordinary situations.

Energy mismanaged becomes sprawl. Energy focused becomes resilience.

It’s never the size of the arsenal. It’s the precision of the response.

Momentum and the Myth of Constant Action

Modern life rewards constant motion: refresh, respond, reply.
In cybersecurity and foreign policy alike, stillness feels dangerous to the untrained mind.

But strategy lives in the pause between movements. Quality fighting skills are always more effective when you can strike on the half-beat, a fundamental separator on the mats, and on digital and physical battlefields.

Force has a short half-life. When it’s used endlessly, it decays quickly and fades into the ether. When it’s reserved for the right moment, it changes everything.

A breach contained quietly is often a bigger victory than a public takedown.
A crisis de-escalated without violence often preserves more stability than any show of strength.

Knowing When to “Flow With the Go”

As one of the greatest living legends in Brazilian Jiu-Jitsu, Rickson Gracie once said, “In Jiu Jitsu we flow with the go.”

Meaning:

  • don’t fight force with tension
  • stay aware but not trapped by focus
  • stay smooth and adaptive
  • flow with the opponent’s energy
  • let well-trained instinct and structure guide you

That metaphor fits the digital era perfectly. The best blue or purple teamers, like the best leaders, don’t fight the current; they learn to read it and swim with it, not against it.

Lao Tzu would say that “the soft overcomes the hard,” not through weakness but adaptability. Force channeled through awareness is stronger than force spent in anger.

In warfare and cybersecurity alike, energy is a currency. Spend it recklessly and you’ll be empty when it matters. Spend it wisely and you’ll be leading on the battlefield.

Final Reflection

Knowing how to use force is knowing its limits.
Sun Tzu and Lao Tzu shared the same truth from opposite angles:
Power must be balanced by patience.
Energy must be stored as much as it is spent.

History punishes those who forget this. So does network and security architecture.

The art isn’t in using force; it’s in knowing when the situation calls for little, none, or overwhelming force.

That’s not mysticism. That’s strategic maintenance. And it’s as accurate in security architecture as it is on the battlefield.

All of these lessons point us directly back to our opening principles: “In all fighting, the direct method may be used for joining battle, but indirect methods will be needed to secure victory.” And, “Indirect tactics, efficiently applied, are inexhaustible as Heaven and Earth, unending as the flow of rivers and streams; like the sun and moon, they end only to begin anew; like the four seasons, they pass away to return once more.”

The wise strategist learns to move the same way.

Fuel to Perform: The Athlete’s Edge in Everyday Eating

If you show up on the mats, under the barbell, or work hard to refine your gymnastic skills with any kind of serious intent, you’re not just training. You’re preparing and refining, often asking your body to do more than the day before. In our world, what you eat becomes the difference between a “good session” and a “great session,” and between strategic recovery and systemic breakdown. It’s the small details that separate showing up from showing out!

Let’s skip the noise and get tactical: how do semi-competitive athletes or serious recreational competitors fuel performance when life’s messy—work, travel, kids, and tired mornings? Let’s make it real.

The Big Picture

Research shows nutrient timing matters, especially around workouts. The ISSN says that the “purposeful ingestion of nutrients at various times throughout the day” supports strength, power, body composition, and performance.

But for your average serious athlete? The “anabolic window” isn’t a specific, narrow window where you must cram in a meal. That “window” is basically as wide as a garage door. You don’t need perfect timing; it’s about being prepared at the right time.

Three Fuel Strategies That Work

1. Pre-training Anchor Meal
Eat something 60-90 minutes before your session: a moderate amount of carbs, lean protein, and a lighter amount of fat. Example: oatmeal with banana + a scoop of whey or Greek yogurt. Why? You’re topping off glycogen and priming your engine. If you train early and can’t eat, choose a liquid option: an easy-to-digest protein and carb-balanced smoothie.

2. In-Training Mini Feeding (When It’s Longer or More Intense)
If your session lasts more than 60 minutes or you’re doing back-to-back days, plan a quick carb hit mid-session (30–60g) and hydrate thoroughly. Why? To prevent an energy crash during your training and help protect your neurologic control.

3. Post-Training Recovery Meal
Hit carbs + protein within 1–2 hours after intense work. Aim for a carb-to-protein ratio of roughly 3:1 to 4:1. Why? To replenish muscle glycogen, repair muscle, and prepare for your next session. Example: 4-6oz chicken breast, 1/2 sweet potato, 1 cup of roasted veggies drizzled with garlic-infused olive oil + 1 banana + 1 tbsp peanut butter.

How to adjust for workload (without going neurotic)

• Light day/skill day: Reduce carbs by ~20–30% and keep protein moderate.
• Heavy day/max effort session: Increase carbs by 10–20%, keep protein steady.
• Rest day: Keep protein consistent, reduce carbs/fats based on hunger, not fear.

You don’t need daily macro spreadsheets. Just know your baseline, use a fuel strategy, and build awareness. This gets easier each week and with every rep.

Notes from the Field

I’ve watched CrossFit athletes and tactical team members burn themselves out because they consistently skipped their pre-session carbs or failed to track and meet their protein intake for 2 or 3 consecutive days. When your training really matters, you have to treat eating like it’s a part-time job. I’ve run a meal prep business, coached fighters, been a fighter, and lived and trained overseas. I know that life because I’ve lived and breathed it for years. Fueling with purpose is fundamental.

Super Simple Action Steps You Can Take This Week

Pick one heavy training day and one rest/light day. Write down your usual food. For the heavy day, increase pre- and post-training carbs. On a rest day, maintain a steady protein intake and reduce carbohydrates by approximately 20%. Have a pre-workout anchor meal 60 minutes before a session. Note your energy, focus, and performance.

Log your post-training recovery meal within 2 hours after a session—get your carb and protein hit. Track how you feel the next day.

The key takeaways: Fuel consistently, match carbs to your workload, prioritize recovery, and make eating part of your training routine.

Train. Eat. Recover. Repeat.

If you’re training to lead from the front, fuel like someone already ahead of the pack.

Security Without the Pessimism: Phishing 2.0 – How Smart People Still Get Hooked

When Experience Becomes the Blind Spot

You’ve been in tech long enough to spot the obvious scams. They have bad grammar, sketchy links, and the “urgent” password resets that scream, “It’s a trap.”

Modern phishing is designed for experienced professionals, people just like you.

The senior engineer who knows better.
The manager who moves fast.
The admin juggling too many tabs.

Phishing 2.0 targets the confident, not the naive.

Because overconfidence, that quiet, “I’d never fall for that,” is exactly what gets exploited.

How Phishing Evolved While We Were Busy

Old-school phishing was obvious: typos, weird logos, fake banks. Now? It’s clean, professional, and personalized.

Attackers scrape LinkedIn, GitHub, and Slack leaks, as well as any other platform where they can learn who you are and how you communicate. Then they build emails that sound right.

“Following up on that architecture review.”
“Can you sign off on the AWS access request?”

No panic. No red flags. Just believable context. Phishing’s power now lies in familiarity, not just deception.

The Psychology And Why Smart People Click Anyway

It’s not ignorance. It’s pattern recognition. Your brain runs on shortcuts. You see what fits your norm and fill in the rest. “This feels familiar, so it’s safe.”

Layer on fatigue, distraction, or context switching, and even the most security-conscious person can click the wrong thing.

Attackers don’t need to outsmart you; they just need to catch you mid-scroll.

The Real Tricks: How Phishers Use Your Own Systems Against You

Phishing 2.0 thrives inside your workflow:

  • Cloud notifications: “New file shared with you.”
  • Team apps: Slack, Notion, or Asana lookalikes.
  • Vendor portals and HR systems: identical clones.
  • QR codes: the new “scan to verify” scam.

Attackers don’t mimic strangers anymore; they mimic your routine.

The antidote, and our greatest protection, is patience.

Forget fear. Focus on tempo.

Build a habit of thinking first, then reacting. Believe me, I know it sounds elementary and maybe even silly, but people do it every day. It reminds me of the old saying from the range: “ready, fire, aim” versus “ready, aim, fire.” People are often too quick to react without pausing to think first.

That moment of pause between seeing and clicking is what saves the enterprise. So, always:

  • Hover first. Always.
  • Verify context: Does it match your current workflow?
  • Cross-check by text or chat before responding.
  • Trust your instinct; hesitation usually means something’s off.

Security isn’t about paranoia. It’s about building patience as your strongest defense.

Culture Over Blame

Curiosity beats compliance. Blaming users for falling for a phishing attempt isn’t awareness training or good security; it’s just scapegoating. People click because they’re human, not because they don’t care.

If your environment rewards speed over care, mistakes are inevitable. Instead of punishment, build openness to conversation. A strong security culture treats “I think I clicked something bad” as a start, not a sin.

Curiosity beats complacency every time.

Final Thought

Phishing 2.0 isn’t just a tech problem; it’s a problem of pace. Attackers take advantage of our work tempo. The faster we move, the easier it is to miss what matters.

The best security upgrade?

Breathe. Scan well. Challenge every unfamiliar link or request. Pause before you click, verify before you act, and encourage your team to do the same.

That’s not being cynical or pessimistic.
That’s the difference: real security means trained, patient awareness every day.