High-intensity training is humbling. Fatigue strips away polish and shows where your skills really break down. As the old saying goes, “the iron never lies,” and neither does the clock. Chaos reveals the gaps.
We like to think we’re smooth and calm under pressure, until that pressure arrives. The same principle applies whether you’re under a heavy barbell, in the final round of a sparring session, or defending a network: stress exposes your true level of expertise.
In a breach, system failure, or when your team runs on caffeine and instinct, you see what you practiced well and where things collapse.
Here’s why training under ideal conditions often lets us down, and why we must look beyond comfort:
How to Train for Chaos * Red-team drills. Simulate unexpected, worst-case attacks, not the ones you anticipate. * Tabletop exercises. Practice response under a running clock; short timeframes sharpen decisions. * Fatigue training. Follow the playbook while tired, short-staffed, or distracted because reality won’t wait or be kind.
Training in perfect conditions makes you comfortable, but it doesn’t make you stronger. You build real resilience when things get tough and you keep going anyway. Always strive to step out of your comfort zone.
The goal isn’t perfection but adapting to exposure, building composure, and staying focused when plans collapse.
The Martial Parallel
Sparring isn’t about perfect technique; it’s about applying skills under unpredictable pressure. You rarely win every round, but you improve because chaos clarifies. If you win every round, find new partners! Progress demands resistance.
In cybersecurity, the same holds true. Incidents are sparring. They test you, which can be painful, but they can also be educational. You learn to breathe, recognize patterns more quickly, react decisively, and stay calm when alarms go off.
Real strength isn’t proven in stillness; it’s proven in motion. Resilience is forged where control slips away.
Progress isn’t linear. Martial artists learn this the hard way. One day you nail a three punch combo finished with a clavicle crushing elbow; the next, you stumble over the same movement combination you were hitting regularly just a couple days before. Some weeks, you level up quickly, while others days you’ll hit stumbling blocks. Always approach your wins and losses with the same humility.
Cybersecurity follows the same rhythm. Just as martial artists face setbacks, security professionals experience their own ups and downs. You patch systems, close vulnerabilities, and tighten configurations. Then a new zero-day vulnerability emerges, or an audit reveals previously unaddressed blind spots. It feels like sliding backward.
That slide isn’t a failure, it’s where progress truly forms.
The Myth of Linear Progress
We often imagine progress as, although slow, always moving upward. Reality is less predictable.
Perfection Bias We assume improvement should always feel smooth. However, mastery, in both martial arts and cybersecurity, is a jagged path. The dips are where the depth develops.
The Comparison Trap We see others’ highlight reels, the black belt breaking boards, or the company posting its “zero vulnerabilities” report, and mistake it for constant progress. Behind every clean result lies a mess of mistakes, patches, and failed tests.
Forgetting That Setbacks Build Strength Regression often signals deeper adaptation in progress. In training, it’s when you refine mechanics. In security, it’s when you reinforce foundations.
Why Steps Back Matter
Plateaus and regressions aren’t detours; they’re checkpoints. They test persistence. Anyone can stay motivated when everything goes as planned; resilience forms when it doesn’t.
They reveal gaps in fundamentals. A failed pen test or misconfigured IAM or conditional access policy highlights what needs real attention. They build humility and precision. Overconfidence blinds; setbacks sharpen focus.
On the mats and in the SOC, mastery isn’t about avoiding mistakes, it’s about learning faster from them.
The Cybersecurity Parallel
You don’t know what you don’t know so every incident teaches you something you didn’t know you needed to learn. Every vulnerability scan reveals details you may have overlooked. It isn’t failure. It’s your system adapting, like a martial artist’s mind & body.
A martial artist doesn’t quit after a rough sparring session. They analyze what went wrong, refine their techniques, and return smarter & stronger. Security teams should do the same. A missed vulnerability isn’t a defeat; it’s a mirror. It can show you where your technique slipped & where to tighten your counter-offensive skills.
From the Mats to the Data Center
Both disciplines thrive on discipline, reflection, and repitition:
Training drills = Routine audits. Each repetition builds muscle memory for fighters and for security teams.
Pad work and shadow boxing = Playbooks and runbooks. Practicing in controlled settings builds confidence under pressure.
Sparring = Incident Response sims. You can’t simulate chaos perfectly, but you can train to be calm, and respond correctly, in chaos. That’s why you just keep training and doing reps over and over because each time your partner responds differently but you’re learning to respond with the correct technique every time.
Every repetition, every submission attempt, every punch, every kick, or incident response builds competence and confidence. Every CVE update, OWASP update or vulnerability scan creates visibility and awareness.
The Real Skill of a Black Belt: The Ability to Adapt and Overcome
In martial arts, the belt color doesn’t make you untouchable; it signifies you’ve learned and adapted more than others. In cybersecurity, it’s the same. The strongest organizations aren’t flawless; they’re mobile, agile and when necessary, hostile.
Adaptation beats perfection. Reflection beats reaction. Resilience beats your comfort zone. So the next time your scan lights up with new vulnerabilities or your red team exposes a blind spot, don’t get discouraged. It’s just another training session.
Final Thought
Progress, whether in close range combat or in your code, isn’t about avoiding setbacks. It’s about showing up again after them. The real win isn’t being unbreakable, it’s being unshakable.
Keep patching. Keep learning. Keep moving. Progress isn’t linear, but staying adaptive always drives you forward. Or, as it was once famously said, “Be water my friend.”
There’s a moment most people don’t talk about when they post their certifications, it’s that part where you stare at the screen, waiting for the result to load, rehearsing how you’ll feel either way.
That was me, after months of studying, rewrites, retakes, and nights when the last thing I wanted to see was another port, protocol, or payload.
I’d already passed the CompTIA trifecta, A+, Network+, Security+, and each one felt like a step forward. But PenTest+ was different. It wasn’t just about memorization. It forced me to think like an adversary, to build a structured approach out of controlled chaos. It was humbling.
There were setbacks. Long hours after long workdays. Missed weekends. That quiet voice that says, maybe this one’s just too much right now.
But that’s where persistence replaces motivation. I tell my students and training partners the same thing I remind myself: motivation gets you started, discipline keeps you moving.
When that “Pass” finally appeared on the screen, it wasn’t triumph, it was relief. And gratitude. Because every failed scan, every misconfigured lab, every late-night tracing network maps, they built the competence that makes the win real.
The truth is, no certification on its own changes who you are. The process does. The grind does. The decision to sit back down after the first, second, or third setback does.
In cybersecurity, as in martial arts, you don’t earn a belt to prove you’re done. You earn it because you’ve decided you’re not done yet.
And that lesson, more than any flag on a résumé, is what makes the next challenge possible.
Role-Based Access Control (RBAC): Ensure that only authorized personnel have access to sensitive data. Assign permissions based on roles and responsibilities.
Multi-Factor Authentication (MFA): Require MFA for accessing sensitive systems and data to add an extra layer of security.
2. Regular Security Training and Awareness
Staff Training: Conduct regular cybersecurity training sessions for teachers, administrators, and support staff to recognize phishing attempts, social engineering, and other common threats.
Student Awareness: Educate students about safe online behaviors, the importance of password security, and how to avoid suspicious links and downloads.
3. Use Strong Password Policies
Complex Passwords: Enforce the use of strong, complex passwords that include a mix of letters, numbers, and special characters.
Password Management: Encourage the use of password managers to help staff and students manage their passwords securely.
4. Network Security
Firewalls: Deploy firewalls to protect the school’s network from unauthorized access and malicious traffic.
Intrusion Detection and Prevention Systems (IDPS): Implement IDPS to monitor and respond to potential threats in real time.
Segmentation: Segment the network to limit access to sensitive data and reduce the attack surface.
5. Data Encryption
Encryption at Rest and in Transit: Ensure that all sensitive data is encrypted both when stored and when transmitted over the network.
Secure Communication Channels: Use secure protocols like HTTPS, SSL/TLS, and VPNs for remote access and data transfer.
6. Regular Updates and Patch Management
Software Updates: Keep all software, including operating systems, applications, and security tools, up to date with the latest patches and security fixes.
Automated Patch Management: Use automated tools to manage and apply patches consistently and promptly.
7. Regular Backups and Disaster Recovery Planning
Data Backups: Perform regular backups of critical data and store them securely offsite or in the cloud.
Disaster Recovery Plan: Develop and regularly test a disaster recovery plan to ensure quick recovery from data breaches, ransomware attacks, or other disruptions.
8. Endpoint Security
Antivirus and Anti-Malware: Install and maintain up-to-date antivirus and anti-malware solutions on all devices.
Mobile Device Management (MDM): Use MDM solutions to manage and secure mobile devices used by students and staff.
9. Application Security
Secure Software Development: Ensure that applications developed or used by the school follow secure coding practices and are regularly tested for vulnerabilities.
Third-Party Applications: Vet and monitor third-party applications for security compliance before integrating them into the school’s IT environment.
10. Physical Security
Secure Access to Facilities: Implement physical security controls like locks, access badges, and surveillance cameras to protect areas where sensitive data is stored.
Device Management: Ensure that devices such as laptops, tablets, and USB drives are securely stored and tracked.
11. Incident Response and Management
Incident Response Plan: Develop and maintain a comprehensive incident response plan outlining steps to take in the event of a data breach or security incident.
Regular Drills: Conduct regular incident response drills to ensure that staff are prepared to handle security incidents effectively.
12. Compliance and Auditing
Regulatory Compliance: Ensure compliance with relevant regulations such as FERPA (Family Educational Rights and Privacy Act) and COPPA (Children’s Online Privacy Protection Act).
Regular Audits: Conduct regular security audits and assessments to identify and address vulnerabilities and ensure ongoing compliance with security policies.
Discovery and fingerprinting are where recon stops being guesswork and starts being a map. Over the next few weeks I’ll dig into Nmap and other recon tools — for now, here’s a compact, practical list of Nmap switches worth committing to memory for pentesting exams and real-world ops. Don’t just memorize the letters — learn the purpose and the use case.
Quick legal note: Only scan systems you own or have explicit permission to test. Unauthorized scanning can be illegal and definitely burns bridges.
Basic target input / listing
nmap -iL targets.txt Scan targets from a file. Use when you have a long list to automate.
nmap -iR 100 Scan 100 random hosts. Good for practice/learning about global scanning patterns in a lab.
nmap 192.168.1.10 -sL List-only — no probes. Use to verify target resolution without touching ports.
Host discovery vs port scan
nmap 192.168.1.1/24 -sn Ping/host discovery only (no port scan). Fast way to find live hosts on a subnet.
nmap 192.168.1.1-5 -Pn Skip host discovery (treat hosts as up). Useful when ICMP/ARP are blocked but you still want to try ports.
Port specification
nmap 192.168.1.1 -p 21 Scan a single port (FTP, in this example).
nmap 192.168.1.1 -p 21-100 Scan a specific port range. Use when you want targeted scanning (faster than full 65k).
nmap 192.168.1.1 -O Remote OS detection (TCP/IP stack fingerprinting). Useful when you need OS-level attack vectors.
nmap 192.168.1.1 -A Aggressive: OS detection + version detection + scripts + traceroute. Good for a quick, deep look — loud and obvious on the network.
Timing / IDS evasion
Timing templates adjust scan speed and stealth. Choose based on network reliability and detection risk.
-T0Paranoid — ultra-slow. Used to evade IDS or noisy logging systems.
-T1Sneaky — very slow.
-T2Polite — slows scans to reduce bandwidth/impact on target.
-T3Normal — default.
-T4Aggressive — faster, assumes stable network.
-T5Insane — very fast; only on extremely reliable links or internal lab networks.
Stealth check in an IDS lab: nmap -T1 -sV <host> → slow timing to reduce IDS noise.
Full noisy recon in a lab environment: nmap -A -T4 <target> → quick comprehensive view.
Closing — don’t memorize blindly
The exam question isn’t “what flag is X” — it’s “which flag solves this problem.” Memorize the purpose and practice applying them in labs. Over the coming weeks I’ll publish deeper examples for each of these switches, show script usage, and map Nmap output to real exploitation workflows.
Well, well, well, the world has changed a lot since my last post. Definitely have a lot of irons in the fire as the old saying goes. Currently working on the PenTest+ certification from CompTIA. I’ll be following that up with the CEH exam. Between those two certs I’ll be working on and getting the ISACA’s Cybersecurity Audit Certificate. 2024 is shaping up to be another great year!
A1. Incline curls 10, 10, 10, 10 – :03 second lowering/eccentric load; rest 0 A2. Seated hammer curls 20, 20, 20, 20; rest 0 A3. Standard EZ bar curl 20, 20, 20, 20; rest 2mins B1. Bench dips 20 x 3; rest 0 B2. Banded press downs 20, 20, 20; rest 0 – pause for two deep nasal breaths at the top of every 5th rep B3. Triceps push-ups max effort/push to failure; rest 2mins C1. EZ bar close grip curls 15, 15, 15; rest 0 – try to stay at the same weight for all 3 movements C2. EZ bar drag curls 15, 15, 15; rest 0 C3. EZ bar overhead triceps exts. 20, 20, 20; rest 1 + 7 n 7 for 7 7 Hang power cleans & push press 7 walk out burpees without the pushup
On Monday I accepted an offer to begin teaching, part-time, for Chegg/Thinkful.com in their Cyber Security program. I’m really looking forward to helping the next wave of cyber sec professionals. It’ll be another great way to help keep up with current trends, continue to reinforce the fundamentals, and also share past and present experiences with a wide swath of new IT pros. Who knows, before long I just might be able to start posting videos of training and teaching again.
Current affairs:
The bravest are surely those who have the clearest vision of what is before them, glory and danger alike, and yet notwithstanding, go out to meet it.
When I first wrote this, I wasn’t chasing promotions or algorithms. I was just trying to keep showing up to train, to learn, to get a little better each day. Back then, “rep after rep” was more than a training mantra. It was a way to stay grounded when progress felt invisible.
The hardest part wasn’t physical. It was the repetition, the daily grind that felt endless. Whether I was refining form under the barbell or troubleshooting code that refused to run, the challenge was the same: staying patient when nothing seemed to move forward.
Some days you make the lift. Some days the lift makes you. But the point is always to come back tomorrow.
At some point, I stopped expecting each session, physical or mental, to feel like a breakthrough. The breakthrough was the habit itself. The more I showed up, the more the process began to reveal patterns: what worked, what didn’t, and how small adjustments compound over time.
In strength and in cybersecurity, consistency is the quiet multiplier. Each drill, each review, each run-through, one more rep toward mastery.
That same mindset carries through everything I do now — training teams, hardening systems, or writing content. I don’t chase perfect outcomes anymore. I look for steady iterations. A little tighter form. A cleaner line of code. A stronger policy.
That’s how resilience is built, not simply through intensity, but through consistency.
Progress doesn’t shout. It stacks. And one day, you realize the work that used to test you has become the warm-up.
Training for the day:
7 mins of:
7 Banded Sumos
7 Banded bodyweight squats w/moderate band
7 Calf raises
+
A. Back Squat 10, 10,10,10; rest 2/2:30 – 10 RM-ish
B1. Heels elevated air squats x 10 x 3; rest :10
B2. RDL w/an empty bar, sweep away — lumbar focus x 15 x 3; rest 1
C. SL RDL stability, unloaded x 10 x 3; — 5 per leg; rest 1
+
10min alt EMOM:
20 Step-ups – 10 per
15 push-ups
Martial skill work — 5 x 5 min rounds of Z2-Z4 striking, upper push/pull bodyweight movements in trapping/grappling range, and take down defense/sprawling/working underhook escapes et cetera.
Today in my world of Linux and pentesting I worked on building out an Active Directory Lab and worked on the initial attack vectors when attacking an AD based system. Things like LLMNR Poisoning, Capturing NTLMv2 Hashes with Responder, Password Cracking with Hashcat, LLMNR Poisoning Defense, SMB Relay Attacks, Discovering Hosts with SMB Signing Disabled, Start SMB Relay Attack Defenses, & Gaining Shell Access.
Training: A1. Seated Arnold rotations x 20, 20, 20; rest :30 A2. Banded triceps press down 20, 20, 20; rest 1 B1. SA DB row x 10-12 reps x 3; @31X1 on the first 5 reps rest :10 secs b/t arms B2. Snatch grip BTN press w/an empty bar x 15 x 3; rest 1 C1. Assisted pullups using barbell and feet in pullup cage x 6-8 x 3; rest :0 C2. DB push press 15, 15, 15; rest 1 D1. DB shrugs 30, 30, 30, 30; rest :30 D2. Banded upright row 25, 25, 25, 25; rest 90
5 sets of :30secs of work/:30 secs of rest :30secs KBS – 2pd. :30secs rest :30 secs pushups :30secs rest :30 secs DB RDL – 55/h :30secs rest :30secs 24” box step-ups :30secs rest
Today’s professional training covered Linux User Accounts and Groups along with Managing File Ownership and Permission. Then in network penetration we covered privilege using Sudo + about hour of training over at tryhackme.
Warm-up – 10 mins of: 5 air squats 10 banded shoulder pass-throughs 15 banded good mornings 30 Shoulder ROT/stability – 10 to horizontally to the chest, 10 semi-vertically front/down to clavicles, 10 BTN, then…
7 sets of: 6 goblet reverse lunges per leg 3 goblet step-ups per leg 3 goblet squats 6 SA KB Press per arm 6 SA KB Row per arm 6 SA KB Swing per arm
Martial skill work
45 mins of JKD and Wing Chun striking + short-range kicking and counter wrestling
Today’s studies included: Linux: working toward mastery of the CLI & searching and extracting data from files and archiving. I also focused my practical network penetration testing studies to privilege escalation in a Linux environment.
Matt Shannon, Security Pro 