Zen and the Art of AWS Security Domain 6: Security Foundations and Governance | Holding the Line Without Rigidity


“When the structure is sound, movement becomes effortless.”

Most people expect security foundations and governance to be boring. Policy documents. Checklists. Frameworks. Meetings.

AWS, and seasoned security architects, know better.

Security Foundations and Governance are not about control. They are about alignment.

They are what allow everything else, detection, response, infrastructure, identity, and data protection, to function without friction. This is why Domain 6 exists. And why it quietly determines whether every other domain succeeds or fails.

1. What AWS Means by “Security Foundations”


AWS does not treat security foundations as a product or a service. They treat them as operating conditions.

Security foundations answer questions like:
• Who is responsible for what?
• How are decisions made?
• How do we know when something is “secure enough”?
• How do we scale security without slowing delivery?

In AWS terms, foundations are built on:

• Shared Responsibility
• Well-Architected principles
• Standardized controls
• Continuous improvement
• Clear ownership

If those are missing, everything else becomes reactive.

Key Takeaway: On the exam and in real life, assume security foundations are always present, not optional. If a question describes a scenario with ambiguous responsibility, pause and seek alignment before acting.

2. The Shared Responsibility Model: The First Gate

Every AWS security exam, especially the Security Specialty, tests one thing relentlessly: Do you understand what AWS secures…and what you must secure yourself?

    AWS is responsible for:

    • Physical data centers
    • Underlying hardware
    • The cloud infrastructure itself

    You are responsible for:

    • Identity and access
    • Network controls
    • Data protection
    • OS and application security
    • Configuration

    Governance begins the moment you clearly accept that responsibility.

    Most real-world failures, and many exam traps, happen when responsibility is blurred.

    3. Governance Is How You Scale Trust

    Governance is not about saying “no.” It’s about creating guardrails so teams can move quickly without breaking things.

      AWS governance relies on:

      • AWS Organizations
      • Service Control Policies (SCPs)
      • Account separation
      • Tagging standards
      • Centralized logging and monitoring
      • Defined escalation paths

      Exam cue: If AWS wants you to prevent risky behavior without managing individual permissions, the answer is almost always SCPs.

      Governance operates above IAM, not instead of it.

      4. Well-Architected Security Pillar: The Quiet Backbone

      The AWS Well-Architected Framework is foundational to this domain.

        The Security Pillar emphasizes:

        • Strong identity foundations
        • Traceability
        • Infrastructure protection
        • Data protection
        • Incident response

        You’ve already studied all of these.

        Domain 6 exists to show how they fit together.

        AWS wants you to think:

        • Holistically
        • Long-term
        • With trade-offs in mind

        On the exam, this shows up as:

        • “Which solution is the most scalable?”
        • “Which approach reduces operational overhead?”
        • “Which option aligns with AWS best practices?”

        Governance favors simplicity, repeatability, and clarity.

        5. Policies, Standards, and Automation

        In AWS, policy without automation is aspirational. Automation without policy is dangerous.

          Strong governance includes:

          • Infrastructure as Code (CloudFormation, Terraform)
          • Automated security checks
          • Preventive controls (SCPs, Config rules)
          • Detective controls (GuardDuty, Security Hub)
          • Corrective actions (Lambda-based remediation)

          Exam cue: If the question says “ensure compliance continuously”, the answer involves automation, not manual review. Governance is what turns security into a system, not an ongoing project.

          Top 3 Exam Gotchas: Domain 6

          1. Over-relying on IAM and neglecting the power of Service Control Policies (SCPs) for organization-wide governance.
          2. Focusing on manual reviews instead of leveraging automation for continuous compliance.
          3. Choosing the most restrictive answer on the exam rather than the one that balances security, cost, and operational impact.

          Key Takeaway: The “safe” answer is not always the correct one—look for governance and automation at scale.

          6. Risk Management: Choosing, Not Eliminating

          AWS does not expect you to eliminate all risk.

          They expect you to:

          • Identify it
          • Understand it
          • Accept, mitigate, or transfer it intentionally

          This is why governance includes:

          • Risk registers
          • Compliance mappings
          • Business context
          • Cost-awareness

          On the exam:

          The “best” answer is rarely the most restrictive one. It is the one that balances security, cost, and operational impact.

          Scenario Example: Rapid Growth, Real Governance

          In 2024, a fintech company went from 10 to 60 AWS accounts in under six months. Security needed to prevent resource creation outside of approved regions and enable GuardDuty everywhere automatically.

          Best Approach: The team used AWS Organizations to apply SCPs for region lockdown, combined with automated account bootstrapping scripts that enabled GuardDuty by default. This solution leveraged automation and organizational guardrails—demonstrating mature, real-world AWS security thinking.

          Key Takeaway: AWS rewards answers that use policy-driven, automated, and scalable solutions, exactly as in this scenario.
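The region-lockdown guardrail from this scenario, and the earlier point that governance operates above IAM, as an added example (not code from the original article or from AWS). The approved regions, the short list of exempted global services, and the GuardDuty protection statement are assumptions, and the evaluator is a simplified model of policy evaluation that assumes the default FullAWSAccess SCP stays attached.

```python
import json
from fnmatch import fnmatchcase

# Assumption: the organization approves only these two regions.
APPROVED_REGIONS = ["eu-west-1", "eu-central-1"]

# Global services are served from a single region, so a region lockdown
# exempts them via NotAction. Short illustrative subset, not a complete list.
GLOBAL_SERVICE_ACTIONS = ["iam:*", "organizations:*", "route53:*",
                          "cloudfront:*", "support:*"]

SCP = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Deny everything except global services outside approved regions.
            "Sid": "DenyOutsideApprovedRegions",
            "Effect": "Deny",
            "NotAction": GLOBAL_SERVICE_ACTIONS,
            "Resource": "*",
            "Condition": {
                "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}
            },
        },
        {   # Assumption: keep bootstrapped GuardDuty detectors from being removed.
            "Sid": "ProtectGuardDuty",
            "Effect": "Deny",
            "Action": ["guardduty:DeleteDetector",
                       "guardduty:DisassociateFromAdministratorAccount"],
            "Resource": "*",
        },
    ],
}


def _matches(action, patterns):
    """Case-insensitive wildcard match of an action against policy patterns."""
    a = action.lower()
    return any(fnmatchcase(a, p.lower()) for p in patterns)


def scp_deny_sid(scp, action, region):
    """Return the Sid of the first Deny statement that applies, else None.

    Simplified: handles Action/NotAction and the StringNotEquals condition
    on aws:RequestedRegion, which is all this SCP uses.
    """
    for stmt in scp["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if "Action" in stmt:
            in_scope = _matches(action, stmt["Action"])
        else:
            in_scope = not _matches(action, stmt.get("NotAction", []))
        if not in_scope:
            continue
        allowed = (stmt.get("Condition", {})
                       .get("StringNotEquals", {})
                       .get("aws:RequestedRegion"))
        if allowed is not None and region in allowed:
            continue  # condition not met: request is in an approved region
        return stmt["Sid"]
    return None


def decide(iam_allowed, scp, action, region):
    """An SCP deny always wins; otherwise IAM must still grant the action."""
    sid = scp_deny_sid(scp, action, region)
    if sid:
        return f"Deny (SCP {sid})"
    if not _matches(action, iam_allowed):
        return "Deny (no IAM allow)"  # an SCP never grants permissions
    return "Allow"


# Constructed sample requests: (principal's IAM allows, action, region).
SAMPLE_REQUESTS = [
    (["*"], "ec2:RunInstances", "eu-west-1"),
    (["*"], "ec2:RunInstances", "ap-southeast-2"),
    (["*"], "iam:CreateRole", "us-east-1"),
    (["*"], "guardduty:DeleteDetector", "eu-west-1"),
    (["s3:*"], "ec2:RunInstances", "eu-west-1"),
]

if __name__ == "__main__":
    print(json.dumps(SCP, indent=2))
    for iam, action, region in SAMPLE_REQUESTS:
        print(f"{action:32} {region:16} iam={iam} -> "
              f"{decide(iam, SCP, action, region)}")
```

Even an account administrator with a full IAM allow is stopped by the SCP outside the approved regions, while a principal whose IAM policy lacks the action is denied inside them.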

          7. The Martial Parallel: Structure Enables Freedom

          In martial arts, beginners see rules as limitations.

            Advanced practitioners see them as:

            • Stability
            • Efficiency
            • Freedom under pressure and much more

            A strong stance doesn’t restrict movement; it enables it. Security foundations work the same way.

            When governance is clear:

            • Teams move faster
            • Incidents resolve cleaner
            • Mistakes are contained
            • Learning compounds

            When governance is weak:

            • Everything feels urgent
            • Security becomes adversarial
            • Teams work around controls instead of with them

            8. Exam Patterns for Domain 6

            Here’s how AWS tests this domain:

            Account-level controls → AWS Organizations + SCPs
            Preventing risky actions globally → SCPs
            Balancing speed and security → Guardrails, not micromanagement
            Scaling security → Automation and standardization
            Aligning with best practices → Well-Architected Framework

            If the question asks:

            “Which solution is easiest to manage at scale?”

            Exam cue: Choose the centralized, automated, policy-driven option.

            Final Capstone: The Six Domains as One System

            Let’s put it all together.

            Domain 1 — Detection
            See clearly. You can’t secure what you can’t observe.
            Detection creates awareness and prevents surprise.

            Domain 2 — Incident Response
            Move decisively without panic. Preparation and clarity turn chaos into choreography.

            Domain 3 — Infrastructure Security
            Shape the terrain. Segmentation, isolation, and least exposure reduce blast radius before attacks happen.

            Domain 4 — Identity and Access Management
            Decide who can act. Identity is the new perimeter. Precision here determines everything else.

            Domain 5 — Data Protection
            Guard what truly matters. Encryption, key management, and lifecycle controls protect the mission itself.

            Domain 6 — Security Foundations and Governance
            Hold the line without rigidity. Governance aligns people, process, and technology into a system that scales.

            The Quiet Truth at the Center of AWS Security

            AWS security is not about fear.
            It is not about heroics.
            It is not about locking everything down.

            It is about clarity, balance, and intention.

            The exam rewards those who:
            • Pause before reacting
            • Think in systems, not silos
            • Choose scalable solutions
            • Respect trade-offs
            • Trust structure over force

            That’s Zen. That’s architectural mastery. You’re ready.

            When you sit for the exam, remember:
            Awareness first.
            Structure second.
            Action last.

            Everything else follows naturally.

            Verification & Citations Framework | “Leave No Doubt”

            Primary AWS Sources to Reference:

            • AWS Shared Responsibility Model
            • AWS Well-Architected Framework (Security Pillar)
            • AWS Organizations Documentation
            • Service Control Policies (SCPs)
            • AWS Security Best Practices Whitepaper
            • AWS Security Specialty Exam Guide (Domain 6)

            Verification Boxes (Suggested Placement):

            • After Shared Responsibility section
            • After SCPs / Governance section
            • After Well-Architected references

            Quick Reference Checklist: Domain 6 – Security Foundations & Governance

            Key Takeaways (Scan before the exam!)

            – Shared Responsibility Model: Always clarify what AWS secures vs. what you control.

            – Use AWS Organizations and SCPs for policy-driven, organization-wide governance.

            – Automate compliance: favor Infrastructure as Code, automated checks, and auto-enablement of detective/preventive controls.

            – Lean on the AWS Well-Architected Framework for best-practice alignment.

            – Favor scalable, centralized, and policy-driven solutions in exam scenarios.

            – Always check the latest AWS documentation—services and features evolve quickly.

            Final Tip: For scenario-based questions, ask: “Is this solution scalable, automated, and centralized?” If so, it’s likely the best choice.

            Change Awareness Note:

            AWS governance services evolve regularly. Always validate SCP behavior, Organizations features, and Well-Architected guidance against current AWS documentation. For the latest on each topic, see:

            Shared Responsibility Model

            AWS Well-Architected Framework

            AWS Organizations

            Service Control Policies

            AWS Security Best Practices

            Security Specialty Exam Guide

            The Art of Cyberwar | Part XIII | The Use of Spies

            The principles:

            “Knowledge of the enemy’s dispositions can only be obtained from other men.”

            “However, spies cannot be usefully employed without a certain intuitive sagacity.”

            “Be subtle and use your spies for every kind of business.”

            “Hence, it is only the enlightened ruler and the wise general who will use the highest intelligence of the army for purposes of spying, and thereby they achieve great results.”

            The Quiet After the Fire

            After the smoke clears, the last weapon isn’t destruction; it’s knowledge. Sun Tzu closes his book here, not with conquest, but with insight. The general who knows through others, he says, wins without fighting. The one who fights without knowing spends blood buying what wisdom could have earned.

            In modern form, intelligence replaces escalation. Information, verified and interpreted, is the ultimate force multiplier.

            The Five Spies

            Sun Tzu’s framework remains elegant and practical. He identifies five types of spies, each still alive and well in today’s cyber and geopolitical landscape.

            1. Local spies – insiders, collaborators, citizens.
              • Modern analogue: human intelligence, insider threat programs, whistleblowers, or local analysts embedded in culture.
              • Lesson: you can’t know an environment without someone who breathes its air.
            2. Inward spies – the enemy’s own people who provide insight.
              • Modern analogue: defectors, double agents, internal whistleblowers, or compromised insiders in adversary organizations.
              • In cyber: infiltration of adversary forums, threat actor telemetry, or behavioral analysis of attacker TTPs.
            3. Converted spies – enemy agents who have been turned.
              • Modern analogue: captured malware turned into indicators, enemy disinformation repurposed for exposure.
              • Intelligence and counterintelligence merge – data becomes self-revealing.
            4. Doomed spies – agents sent with false information, knowing they will be sacrificed.
              • Modern analogue: honeypots, decoy networks, misinformation campaigns used to draw out adversaries.
              • Lesson: deception has cost; calculate it.
            5. Surviving spies – those who return with verified knowledge.
              • Modern analogue: analysts who gather, vet, and integrate multiple data sources to produce actual intelligence.
              • Lesson: data isn’t knowledge until it’s interpreted and fed back into strategy.

            The five together form a complete intelligence loop: gather, plant, deceive, sacrifice, verify.
            Today, we refer to this as the intelligence cycle.

            Information as the New Espionage

            We live in an age where everything and everyone collects or steals your data. Apps harvest movement. Sensors record temperature and tone. Governments build databases so vast they blur into prophecy.

            But the principle hasn’t changed: intelligence is not about having information – it’s about understanding what matters and when.

            A terabyte of telemetry means nothing without discernment. One well-placed attacker can outperform a thousand firewalls.

            Foreign Policy and the Failure of Insight

            Throughout the 20th century, U.S. foreign policy often suffered from an abundance of information but an inability to interpret the intelligence it had gathered.

            • Pearl Harbor: a multitude of signals existed, but interpretation failed.
            • Vietnam: metrics replaced meaning – body counts masquerading as progress.
            • Iraq WMDs: intelligence distorted to paint a specific picture rather than inform decision-making.
            • Afghanistan: decades of data existed without a clear endgame; the war destroyed thousands of American lives and wasted trillions of taxpayers’ dollars.

            Each case proves Sun Tzu’s point: “If you know neither the enemy nor yourself, you will succumb in every battle.”

            Intelligence was there, but self-awareness wasn’t. Knowing isn’t only about them; it’s about seeing what you refuse to see in yourself.

            Cyber Intelligence: Seeing Without Touching

            In cybersecurity, the “spies” are telemetry, sensors, analysts, and sometimes friendly adversaries.
            Every alert, log, and anomaly is a scout’s report. But like all intelligence, its value depends on interpretation.

            • Local spies: internal logs and behavior analytics.
            • Inward spies: penetration testing, red-team operations, insider threat programs.
            • Converted spies: captured malware and attacker infrastructure repurposed for defense.
            • Doomed spies: honeypots, deception networks, and fake data seeds.
            • Surviving spies: analysts, threat-hunters, and intel-sharing alliances.

            The objective is clarity without exposure, to see everything while remaining unseen. Fire consumes, intelligence illuminates.

            The Moral Dimension of Knowing

            Intelligence work carries moral weight. Spies, human or digital, trade in trust. Sun Tzu demands that the general handle them with the highest regard: reward them generously, guard them carefully, and never waste them carelessly.

            The ethical parallel today is privacy. The line between intelligence and intrusion is measured in intent and restraint. Knowledge gathered without purpose is voyeurism. Knowledge used without reflection is manipulation.

            Sun Tzu’s ideal: learn enough to prevent war, not to justify one.

            Strategic Lessons for Leaders

            1. Listen to your scouts.
              Truth often arrives quietly, wrapped in discomfort. Leaders who dismiss dissent lose foresight.
            2. Reward information honestly.
              Transparency and gratitude feed the flow of truth; fear and ego choke it.
            3. Centralize interpretation, not collection.
              Many sensors, one mind – unified analysis, decentralized data.
            4. Balance secrecy with accountability.
              Intelligence held too tightly becomes blindness.
            5. Use information to avoid fire.
              The goal of knowledge is to make destruction unnecessary.

            From Fire to Silence

            The transition from Attack by Fire to Use of Spies is the book’s moral hinge. After escalation comes discernment; after destruction, discipline.

            Sun Tzu understood what modern states and corporations often forget: Force is crude, information is subtle – and subtlety wins the wars that power cannot.

            In cybersecurity, this is the move from reaction to anticipation. In foreign policy, it’s the evolution from aggression to diplomacy. In leadership, it’s the shift from command to comprehension.

            The best security posture isn’t dominance – it’s awareness. The most powerful army is one that rarely fights.

            Epilogue — The Quiet Art

            The Art of War ends not with blood or banners, but with silence, a stillness that comes from mastery.

            True security, like true wisdom, is invisible.
            It doesn’t announce itself.
            It doesn’t need to.

            When you know yourself and your adversary, every threat is already half-dissolved. When you act only when necessary, victory becomes maintenance rather than spectacle. And when you can learn from what moves unseen, you stop fighting the same battles over and over again.

            As Operation Aurora, a sophisticated cyber espionage campaign that quietly infiltrated major tech companies, proved, the side with better intelligence rarely needs to escalate; quiet knowledge can outmaneuver brute force.

            That’s the art of cyberwar.

            That is the final lesson of Sun Tzu, and of cyberwar:
            Not destruction, but understanding.
            Not conquest, but control of your own attention.
            Not escalation, but insight.

            Not noise, but silence.

            The art is not in the fight, but in the knowing. Return always to the principle: “Knowledge of the enemy’s dispositions can only be obtained from other men.”

            And, in the end, mastery is realizing you rarely need to fight at all.

            The Art of CyberWar | Part XII | Attack by Fire

            The Principle: When you use fire to attack, you must be prepared for the wind.
            — Sun Tzu

            The Nature of Fire

            Fire is decisive. It consumes, clears, and purifies, but it also spreads beyond intention. Sun Tzu treats fire as both a weapon and a warning. It can destroy an enemy’s stores, flush troops from cover, and sow panic, but he cautions that those who ignite must control the wind, or the flame will turn back.

            In today’s language: escalation is easy, judicious control is hard.

            Fire is unbridled energy without patience. It is force unbound. And every era finds its own version of it.

            The Five Fires

            Sun Tzu names five types of fire attack, each with a direct modern analogue:

            1. Burning soldiers in their camp – Disrupting people directly.
              • In cyber: targeting individual accounts, identity systems, or human processes.
              • In policy: attacking morale or legitimacy through propaganda or sanctions that hit civilians.
            2. Burning stores – Destroying logistics.
              • In cyber: supply-chain attacks, ransomware on infrastructure.
              • In statecraft: economic blockades or precision strikes on fuel, transport, or data centers.
            3. Burning baggage trains – Breaking the flow of resources.
              • In the cloud: DDoS, bandwidth throttling, or disrupting APIs that feed dependent systems.
              • In foreign policy: disrupting trade routes or financial systems to strangle supply.
            4. Burning arsenals and magazines – Targeting capability itself. A modern example: the 2014 Sony Pictures hack, in which wiper malware destroyed not only data but also the ability to operate, crippling the company’s digital arsenal and serving as a stark warning about escalation risk. Another hallmark example: Stuxnet (2010), which physically crippled Iranian centrifuges, showing that digital “fire” can leap into the physical world.
              • In digital: destroying code repositories, zero-day leaks, and wiper malware.
              • In war: targeting industrial bases, weapons stockpiles, or satellite networks.
            5. Burning the enemy’s army – Direct annihilation.
              • The catastrophic option, physical or digital scorched earth.

            Each carries the same risk Sun Tzu warned of: heat spreads.

            America’s Century of Fire
            Throughout the 20th century, U.S. foreign policy repeatedly learned and forgot this lesson.

            • WWII: strategic firebombing of Tokyo and Dresden, the atomic bombings of Hiroshima and Nagasaki, tactically decisive, highly questionable morally.
            • Vietnam: napalm, Agent Orange – the war’s imagery consumed America’s moral capital as surely as the jungle burned. Devastating to the local population and our own troops.
            • Desert Storm & Shock and Awe: firepower became performance, televised precision, hiding the longer political firestorm and over-commitment of our resources to highly specious ends.
            • Sanctions & Cyber: modern equivalents – economic or informational fire meant to distract, mislead, or coerce without bullets, still spreading collateral damage.

            Each use of fire achieved an objective, yet each left embers that smoldered for decades.

            Sun Tzu would call that victory without wisdom.

            Digital Flame

            In cyberspace, fire is code that destroys. The world learned this with Stuxnet, NotPetya, WannaCry, and countless destructive campaigns. They burned quietly, jumped borders, and torched billions in collateral damage. WannaCry (2017) swept the globe in hours, crippling hospitals, shipping, and businesses—making clear that digital fires can cause humanitarian consequences.

            Cloud fire spreads faster than any fuel; a single misconfigured credential can ignite an entire ecosystem. Because dependencies are invisible, contagion is immediate. A wiper designed for one network cripples dozens more; an exploit posted online becomes a global inferno in hours.

            Fire is the easiest attack to ignite and the hardest to contain.

            Rules for Using Fire

            Sun Tzu’s cautions translate cleanly:

            1. Control the wind. Understand the environment – network topology, public opinion, and global law. Fire turns on those who don’t map their dependencies. NotPetya (2017) began as a targeted disruption but, due to dependencies and lack of containment, rapidly spread worldwide, demonstrating why “controlling the wind” remains critical in cyber conflict.
            2. Use the right conditions. Don’t ignite in drought. If tension is already high, socially and economically, the situation will escalate.
            3. Prepare relief efforts. Have recovery plans before striking. Burn only what you can rebuild. After World War II, the Marshall Plan rebuilt war-torn Europe, demonstrating that post-conflict relief shapes both legitimacy and future stability. In 2021, the Colonial Pipeline ransomware attack forced the rapid restoration of critical infrastructure; companies with effective recovery plans minimized chaos and reputational fallout.
            4. Know the cost of smoke. Collateral damage is visibility: reputational, legal, and diplomatic.
            5. Do not rely on fire to win the war. Fire wins battles but breeds resistance.

            In short: destruction without reconstruction is self-immolation.

            Morale, Leadership, and Control

            A general’s job isn’t only to unleash power; it’s to sustain the will that wields it.
            Fire exhausts armies. Soldiers fighting amid smoke need clear purpose, rations, and rest.

            Sun Tzu demands that the commander ensure his troops are fed, disciplined, and respected so that they fight even in dire moments.

            In modern organizations, the same holds: leaders who push teams through endless “incident fire drills” without rest destroy readiness. Respect sustains endurance.

            Discipline without compassion breeds burnout; compassion without standards breeds chaos. Balance is command.

            Deception, Propaganda, and Manufactured Heat

            Every effective campaign uses perception. Propaganda creates the illusion of fire where there is none, or conceals weakness behind the smoke of strength. The ancient principle survives in every medium: shape belief, shape behavior.

            • States convince citizens of a constant threat: “War is peace. Freedom is slavery. Ignorance is strength,” and the historical manipulation line, “Who controls the past controls the future: who controls the present controls the past.”
            • Companies market vulnerability to sell security.
            • Attackers simulate breaches to force reactions.

            Fire doesn’t only burn, it solidifies and blinds. The wise strategist uses deception to conserve energy, not to irreparably manipulate trust.

            Never lose sight of this: truth is a finite resource. Burn it, and nothing grows afterward.

            Fight Only When Necessary

            War, Sun Tzu reminds us, is terrible. Mr. Lee added, “It is well that war is so terrible, or we should grow too fond of it.” That’s the heart of this chapter: the seduction of power. Fire feels decisive, satisfying, purgative. That’s why restraint is the highest discipline.

            In cybersecurity, it means choosing containment over retaliation. In policy, it means diplomacy before bombing. In leadership, it implies correction before firing squads of blame.

            Every unnecessary blaze consumes future strength.

            Calculation Before Ignition

            Fire is the last stage of calculation, not the first. The general who wins has already counted everything: fuel, wind, timing, morale, and escape.

            In modern form:

            • Map dependencies before deploying destructive countermeasures.
            • Assess public and legal consequences.
            • Coordinate allies and containment plans.
            • Pre-position humanitarian or restoration resources.

            Fire launched without calculation simply becomes arson.

            Cybersecurity Playbooks for Fire Scenarios

            1. Contain Destructive Malware (Wiper Fire)

            • Disconnect affected systems immediately.
            • Activate offline backups; rebuild from clean images.
            • Communicate fast, silence breeds rumor.
            • Forensics after containment, not before.

            2. Respond to Supply-Chain Fire

            • Freeze code releases; verify signatures.
            • Segregate affected components; rotate secrets.
            • Coordinate public disclosure and patch windows.

            3. Counter Disinformation Blaze

            • Pre-draft communications for false narratives.
            • Verify sources, issue simple factual statements.
            • Avoid panic amplification, don’t fuel the fire.

            4. Plan for Strategic Retaliation

            • Establish legal oversight for counter-operations.
            • Define thresholds: attribution confidence, proportionality, and reversibility.
            • Keep diplomatic channels open even during the heat.

            Fire is part of war, but the goal is to end fires faster than they spread.

            Ethics and Aftermath

            Fire makes headlines; rebuilding never does. Yet the moral credit of a nation, or a company, depends on what follows destruction, relief, restitution, and transparency, turning survival into legitimacy. The Marshall Plan after WWII showed that true victory is measured by the ability to restore and build anew, not just destroy. Sun Tzu closes this chapter by warning that a commander who burns recklessly endangers his own state.

            That warning scales perfectly to global networks: a destructive exploit today may torch tomorrow’s allies.

            Bridge to Chapter XIII | The Use of Spies

            Once the fire burns out, what remains is smoke, which conceals movement. Which leads us back to our opening principle: “When you use fire to attack, you must be prepared for the wind.” Next: how to “see without burning” or, the art of intelligence, deception, and misdirection on the modern battlefield. (Think Operation Fortitude, the WWII deception that enabled D-Day by fooling the enemy without a shot being fired.) Sun Tzu ends his book not with force but with intelligence. He knew that knowledge prevents the need for fire in the first place.

            “After the flames, gather information from the ashes.” The next and final lesson, The Use of Spies, is about seeing without burning, learning through observation, infiltration, and trust. Fire wins battles; intelligence prevents wars.

            The Art of Cyberwar | Part XI | The Nine Situations

            The principles: Begin by seizing something which your opponent holds dear; then he will be amenable to your will.

            …Concentrate your energy and hoard your strength.

            The principle on which to manage an army is to set up one standard of courage which all must reach.

            Whoever is first in the field and awaits the coming of the enemy will be fresh for the fight.
            – Sun Tzu

            Context and Purpose
            Sun Tzu’s Nine Situations maps the kinds of ground and circumstance a commander can face – from favorable positions to trap-laden ground. Each situation demands a different posture: sometimes you press; sometimes you withdraw; sometimes you wait. The lesson is tactical discrimination: don’t treat every fight the same.

            In the modern world, those “situations” are organizational states: besieged systems, fleeting windows of access, deep entrenchment, overextended operations. Knowing which box you’re in changes everything you do next.

            Leadership and Morale: The Human Center
            Before tactics, a note about people. Sun Tzu insists that a general must know his soldiers. That’s not a platitude; it’s an operational fact.

            • Morale is intelligence: exhausted teams miss indicators, fail to follow playbooks, and make desperate mistakes.
            • Leadership is maintenance: rotating shifts, realistic on-call expectations, paid recovery time after incidents, and clear chains of command preserve discipline.
            • Respect plus standards: treat your people with dignity and hold them to standards. Leniency breeds sloppiness; cruelty breeds silence. Both are fatal.

            A leader who ignores morale loses the fight long before the enemy arrives. That’s as true for an infantry company as for an incident response roster.

            Deception and Perception Management
            Sun Tzu: All war is based on deception. In practice, that means shaping what the opponent and the population believe.

            • Information operations: propaganda, curated narratives, and coordinated messaging have always been instruments of power. Orwell’s line, “We have always been at war with Eastasia,” is a cautionary parable about manufactured consensus.
            • Modern analogue: in cyber, deception shows up as honeypots, false telemetry, and misinformation campaigns; in statecraft, as narratives that create vulnerability or strength where none objectively exists.
            • Ethical frame: defenders use deception for detection and to raise the cost for attackers (e.g., canary tokens). Democracies must guard against the weaponization of truth at home; businesses must avoid misleading stakeholders.

            Deception works because humans fill gaps with a story. Control the story; you alter the field.

            Fight Only When Necessary
            Sun Tzu and Mr. Lee agree: war is terrible; fight sparingly. The principle is simple: act only when the expected gain exceeds the cost.

            • Cost-calculation is non-negotiable: time, attention, capital, reputational risk.
            • In cyber: a public takedown, a disclosure, or active defense escalation must be measured against downtime, legal exposure, and adversary escalation risk.
            • In policy: interventions must have clear exit conditions and sustained domestic support. If you cannot sustain it, don’t start it.

            Discipline supersedes impulse.

            “If the Enemy Leaves a Door Open, Rush In” to Follow the Energy
            Sun Tzu’s pragmatic injunction to exploit openings is simple: when an opponent’s guard falls, capitalize immediately. In fighting, it’s like watching for your opponent to drop their hands or go for a spinning attack; in security, it’s a window of opportunity for decisive action.

            • Cyber example (defense): detect a lateral movement attempt and immediately isolate the segment, block the credential, and pivot forensic capture. The quicker the isolation, the smaller the blast radius.
            • Cyber example (offense/emulation): when a red-team discovers a misconfiguration, follow the chain-of-trust to map further exposures before the window closes.
            • Business/policy: when a competitor shows strategic weakness (supply disruption, PR crisis), acting quickly with a measured offer can consolidate position. But always have your logistics in place; quick gains that can’t be held are hollow.

            Following the energy multiplies the effect, but only if you’ve done the work beforehand to sustain the ground you’ve gained.

            The Nine Situations, Condensed & Modernized:

            1. Dispersive ground – you’re among your people; maintain cohesion.
              Cyber: internal incidents; prioritize comms and transparent leadership. (e.g., during the 2021 Log4Shell crisis, organizations that communicated quickly and openly with their teams contained risk more effectively.)
            2. Facile ground – easy ground, many exits; avoid traps of complacency.
              Cyber: dev/test environments misused as production; lock and audit.
            3. Contentious ground – disputed control.
              Cyber: contested supply chains; prioritize integrity of build pipelines.
            4. Open ground – mobility advantage.
              Cyber: cloud-native agility, move quickly, but instrument heavily. (Example: When a vulnerability like Heartbleed emerges, organizations that can rapidly update and redeploy cloud resources while monitoring all endpoints gain a decisive edge.)
            5. Intersecting ground – convergence of routes/partners.
              Cyber: shared services; segregate trust boundaries and enforce SLAs.
            6. Serious ground – stakes are high; commit only with full readiness.
              Cyber: critical infrastructure; assume regulation and public scrutiny.
            7. Difficult ground – constrained movement.
              Cyber: legacy stacks; carve out compensating controls and minimize exposure.
            8. Hemmed-in ground (trapped) – the enemy can encircle.
              Cyber: breached islands due to vendor lock-in; prepare out-of-band recovery. (e.g., during the NotPetya outbreak, companies with alternate vendors or recovery paths minimized downtime, while others suffered prolonged outages.)
            9. Desperate ground – fight with everything; no other option.
              Cyber: blind-fire incident with full emergency playbook; declare crisis, invoke war-room, use all hands.

            Each situation requires a plan in advance, not improvisation in the heat of chaos. For those new to Sun Tzu: dispersive ground means your own territory, open ground is the public cloud, and hemmed-in ground is where your options are tightly constrained.

            Prescriptive Playbooks (Operational Guide)
            Below are short playbooks, or practical checklists, you can paste into an incident binder.

            A. Besieged System (Hemmed-in/Trapped Ground)

            • Isolate affected segments (network ACLs, VLANs).
            • Enable out-of-band admin (jump boxes, console access).
            • Invoke containment RTO/RPO playbook.
            • Engage legal & communications.
            • Stand up a dedicated recovery team; rotate shifts.
            • After action: root cause, patch, and inventory third parties.

            B. Fleeting Access (Open/Facile Ground)

            • Capture forensic snapshot immediately (memory, session tokens).
            • Harvest IOCs; block indicators at the perimeter.
            • Perform rapid threat hunting to see lateral movements.
            • Patch/vault credentials, revoke tokens.
            • Debrief and harden the vector.

            C. Retreat & Reconstitute (Dispersive/Retreat Scenario)

            • Execute planned fallback to secondary infrastructure.
            • Verify backups and boot from immutable images.
            • Communicate to stakeholders with controlled cadence.
            • Rebuild in clean environment; stage verification before full restore.

            D. Stronghold Defense (Steep/High Ground/Serious Ground)

            • Minimize human access; require jump hosts & MFA.
            • Immutable logging to secure audit trails.
            • Periodic red-team tests; continuous monitoring.
            • Harden supply lines: vendor SLAs, redundancy, and a tested DR plan.

            E. Rapid Exploitation (If a Door Opens)

            • Pre-authorize small rapid-response teams for exploitation windows.
            • Legal/ethics checklist signed off on in advance.
            • Capture intelligence, seal pivot paths, and convert to defense artifacts (detections, blocks).

            Each playbook starts with people: assign roles, cap on-duty hours, and rehearse quarterly.

            Final Thought: Calculation, Culture, and the Necessity of Restraint
            Sun Tzu’s closing insistence, calculate before battle, remains the core discipline. The leader who wins has already counted costs, supply, morale, and terrain. The one who loses discovers those facts mid-fight.

            That brings us back to the principles that opened this chapter:

            • Seize what the opponent holds dear: not for theater, but to create leverage and force predictable reactions.
            • Concentrate energy and hoard strength: preserve focus, avoid waste, and don’t spend force just to feel decisive.
            • Set one standard of courage: culture must hold under pressure, or your best playbooks become paper.
            • Be first in the field and wait: preparedness buys calm, and calm buys time – it’s the rarest advantage in crisis.

            In cyber and statecraft, the rule remains unchanged: prepare, preserve people, exploit opportunities, deceive judiciously, and fight only when victory is likely and sustainable. As Robert E. Lee warned, “It is well that war is so terrible, otherwise we should grow too fond of it.” So only fight when you have no other option. When you do fight, move decisively, use the force necessary to end the threat, and leave no doubt in your opponent’s mind so they will never make that mistake again.

            The Art of Cyberwar | Part X | Terrain

            The principles:

            “The natural formation of the country is the soldier’s best ally; make use of it to your advantage.”

            “When the general is weak and without authority; when his orders are not clear and distinct; when there are no fixed duties assigned to officers and men, and the ranks are formed in a slovenly haphazard manner, the result is utter disorganization.”

            “The general who advances without coveting fame and retreats without fearing disgrace, whose only thought is to protect his country and do good service for his sovereign, is the jewel of the kingdom.” Sun Tzu

            Ground First

            Sun Tzu makes a simple demand: know the ground on which you stand.

            The proper ground turns disadvantage into leverage. The wrong ground turns strength into exposure. Terrain is not merely soil; it is topology, logistics, law, culture, and architecture. In the modern world, it includes cloud regions, compliance borders, identity planes, and network topology. Choose well, and the fight often narrows into something you can actually win.

            This is not an abstract chapter. It’s a practical one.

            If you’ve ever seen a breach unfold, you’ve witnessed terrain deciding outcomes in real time: attackers rarely “win” because they are stronger; they win because they enter through easy ground, move through poorly observed corridors, and reach valuable systems before defenders can orient.

            The defender’s job is to resist: to shape the ground so the adversary’s best options become expensive, loud, or impossible.

            Types of Terrain – What They Feel Like, What They Demand

            Sun Tzu names a wide variety of ground. In practice, the terrain we face, militarily, digitally, and politically, collapses into recurring patterns: open, narrow, steep, encircled, and expansive.

            Each demands a distinct strategy. Each punishes a different kind of arrogance.

            Open Ground – Fast, visible, unforgiving

            Open ground is where you can be seen.

            In war, it is flat land with no cover: movement is easy, concealment is costly, and discipline decides whether speed becomes an advantage or panic. Detection and clean maneuvering are important because contact is constant.

            In cybersecurity, open ground is your public-facing surface area: internet-exposed services, public APIs, external portals, and remote access entry points. This is not where you want complexity. You want ruthless simplicity, fewer doors, fewer endpoints, fewer exceptions, paired with strong telemetry. Frameworks like the CIS Controls and NIST CSF explicitly prioritize inventorying and minimizing public-facing assets—making clarity and control here a universal best practice.

            Open ground is also where deception works best. Decoys, false signals, and baited paths can pull an enemy out of position. In cyber, honeypots and canary tokens do the same: they invite movement into visibility and turn curiosity into evidence.

            Real-world case: In 2021, the Microsoft Exchange Server vulnerabilities (ProxyLogon) exposed thousands of organizations’ email systems to the internet. Attackers rapidly exploited unpatched, public-facing assets—demonstrating why CIS Controls and NIST CSF stress the importance of inventory and minimizing the external attack surface.

            Open ground isn’t “unsafe.” It’s honest. It shows you what you built.

            Narrow Ground – Chokepoints, bridges, legacy stacks

            Narrow ground is where everything funnels.

            In military history, chokepoints decide battles because geometry becomes force. A smaller army can hold a larger one, not by being stronger, but by limiting the enemy’s options. Just think of the legendary last stand of Leonidas and the Battle of Thermopylae.

            In cyber and cloud, narrow ground is often the infrastructure everyone relies on and no one wants to touch: legacy integrations, VPN tunnels, identity gateways, brittle on-prem choke points, systems tied to modern workflows by thread and habit. They become bridges. Bridges become targets.

            If you harden one thing this quarter, harden your chokepoints. Segment around them. Add compensating controls. Increase logging where applicable. Treat narrow terrain as sacred because when it fails, everything behind it is exposed. The MITRE ATT&CK framework’s focus on lateral movement and privilege escalation highlights why chokepoints must be secured and closely monitored.

            Mini-case: The 2021 Colonial Pipeline ransomware attack targeted a single VPN account—an overlooked chokepoint with no multi-factor authentication. This breach underscores the criticality of securing and monitoring privileged access pathways.

            Martial principles show up cleanly here. Wing Chun teaches that in close range, cutting angles and superior structure become everything. Trapping is about denying your opponent options. Narrow terrain does the same: it constrains movement and penalizes sloppy positioning.

            Steep Ground – Visibility and defensibility, limited mobility

            Steep ground is an advantage you must maintain.

            High ground offers visibility and defensive leverage, but you don’t sprint on it. Movement becomes deliberate. Once you lose it, regaining it costs more than taking it did.

            In cyber/cloud terms, the “steep ground” is where you place your crown jewels: production enclaves, privileged access vaults, critical logging pipelines, backup infrastructure, and identity governance, zones with strict access controls, immutable logs, and minimal pathways. NIST Special Publication 800-53 and CIS Controls both emphasize layered defenses and strong separation for critical assets, reinforcing the need for deliberate, hardened environments.

            These environments should feel “steep” to anyone moving through them, including your own staff. That friction is the point. Steep terrain ensures enforcement of control.

            Industry example: Major cloud providers routinely isolate customer data and management functions in highly restricted “steep ground” zones, applying controls from NIST SP 800-53 and CIS to prevent lateral movement and ensure containment if a breach occurs.

            In Jiu Jitsu, this is akin to mount or back control: you don’t rush to snatch up a submission. You stabilize, isolate, and apply pressure through position and then finish. The defender who gets impatient on steep ground usually falls off it.

            Encircled Ground – When you risk being surrounded

            Encircled terrain is where isolation becomes lethal.

            In war, encirclement breaks supply lines, erodes morale, and forces rash decisions. In cyber, encirclement often begins as “convenience” and ends as captivity: vendor dependencies, brittle third-party integrations, shadow IT no one owns, “critical” workflows held together by one person’s tribal knowledge.

            The danger is that encirclement rarely feels dramatic at first. It feels normal until you need to restore. Until a vendor is down. Until the contract becomes leverage. Until the only admin is on PTO and the incident is already in motion.

            Encircled ground demands exits: recovery paths, out-of-band access, air-gapped backups, and playbooks that restore connectivity without improvisation. CIS Control 11 and the NIST CSF Recovery Function both emphasize the importance of tested backup and recovery plans, as reliance on a single vendor or system is a strategic vulnerability.

            Recent headline: In the wake of the 2022 Okta breach, organizations that relied exclusively on one identity provider faced business continuity risks. Those with tested out-of-band recovery and contractual exit clauses, as recommended by CIS and NIST, were able to restore operations more quickly.

            If you don’t have those, you don’t have resilience. You have hope.

            Expansive Ground – Flat, wide, tempting for overreach

            Expansive terrain invites ambition. It also hides risk.

            Movement feels easy because there’s “room,” but oversight drops as the supply lines lengthen. This is how empires, and cloud estates, collapse: not from one failure, but from accumulated, ungoverned territory.

            In cyber, expansive ground is sprawl: dozens of cloud accounts, multiple providers, endless permissions, duplicated tools, integrations stacked on integrations. Sprawl isn’t evil. It’s simply unmanaged terrain.

            Expansive ground demands scalable governance: infrastructure-as-code policies, automated compliance, continuous asset inventory, and hard limits on “just one more integration.” Otherwise, you end up “owning” too many things to defend any of them properly. Both NIST CSF and the CIS Controls call for continuous asset management and automated enforcement to keep sprawl in check.

            This is where adversaries thrive, inside your noise.

            Example: Several high-profile breaches, including Capital One (2019), were linked to sprawling cloud environments where asset management and policy enforcement lagged behind rapid deployment. This highlights why NIST CSF and CIS Controls call for continuous inventory and automated governance.

            Choosing the Ground – Offense Through Selection

            A leader’s first tactical choice is where to fight. Good generals choose terrain that favors their force and punishes the enemy’s approach. That’s a decision, not a reflex.

            In cybersecurity, this is how you win before the breach: place valuable services behind hardened, observable layers and force attackers into monitored choke points. Make lateral movement steep. Make privilege escalation loud. Make time and friction the price of progress.

            In cloud architecture, this means trust zones and least-privilege boundaries that govern movement, much as terrain shapes an army’s movement. If an adversary wants access, they must climb and be exposed while doing it.

            In foreign policy, it means choosing diplomatic and economic levers rather than landing zones that stretch logistics and public support. Sometimes the “terrain” is public will. Sometimes it’s alliance cohesion. Sometimes it’s your economy. Burn those, and you’ve lost the campaign even if you win the first clash.

            Choosing ground is an active defense. It doesn’t surrender initiative; it shapes the enemy’s options.

            This is where martial deception becomes a strategy. A feint isn’t a lie, it’s an invitation. In Wing Chun, you draw the reach, trap the limb, clear the line, and strike at the same time. In Muay Thai, you show the jab to invite a teep to sweep the leg. In Jiu Jitsu, you offer the submission attempt you’re prepared to counter. Terrain selection works the same way: you present what looks like access, but what you built is a corridor of control.
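
            A design-time check for the chokepoint idea in this section, as an added example that is not from the original article: given a map of who can reach what, it reports any route from the internet to a crown-jewel system that bypasses every monitored chokepoint. The node names, edges, and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (an assumption, not from the article).
# A directed edge A -> B means "A can initiate access to B".
EDGES = {
    "internet": ["public-api", "vpn-gateway"],
    "public-api": ["app-tier"],
    "vpn-gateway": ["jump-host"],
    "app-tier": ["identity-gateway", "legacy-batch"],
    "jump-host": ["identity-gateway"],
    "identity-gateway": ["prod-db", "backup-vault"],
    "legacy-batch": ["prod-db"],  # old integration that skips the gateway
}
MONITORED_CHOKEPOINTS = {"identity-gateway"}   # audited, logged, MFA-enforced
CROWN_JEWELS = {"prod-db", "backup-vault"}     # the "steep ground"


def unmonitored_path(edges, source, target, chokepoints):
    """Return the shortest path from source to target that touches no
    monitored chokepoint, or None if every route is forced through one."""
    if source in chokepoints or target in chokepoints:
        return None
    parent = {source: None}          # doubles as the visited set (handles cycles)
    queue = deque([source])
    while queue:
        node = queue.popleft()
        if node == target:
            path = []
            while node is not None:  # walk parents back to the source
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in edges.get(node, ()):
            # Removing chokepoints from the graph leaves only unobserved routes.
            if nxt in chokepoints or nxt in parent:
                continue
            parent[nxt] = node
            queue.append(nxt)
    return None


def audit_terrain(edges, source, crown_jewels, chokepoints):
    """Map each crown jewel to a bypass path (a finding) or None (funnelled)."""
    return {
        jewel: unmonitored_path(edges, source, jewel, chokepoints)
        for jewel in sorted(crown_jewels)
    }


def without_edge(edges, src, dst):
    """Copy of the topology with one access path removed (the remediation)."""
    return {
        node: [n for n in targets if not (node == src and n == dst)]
        for node, targets in edges.items()
    }


if __name__ == "__main__":
    for jewel, path in audit_terrain(
        EDGES, "internet", CROWN_JEWELS, MONITORED_CHOKEPOINTS
    ).items():
        if path:
            print(f"FINDING {jewel}: bypass route {' -> '.join(path)}")
        else:
            print(f"OK      {jewel}: every route crosses a monitored chokepoint")
```

            Run against a real inventory, the edges would come from security group rules, IAM trust policies, and peering or VPN definitions; each finding is a corridor to close or to instrument.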

            Leadership, Discipline, and Knowing Your Soldiers

            Sun Tzu insists a general must know his troops. That’s leadership in a sentence.

            A leader’s indecision, ego, or poor communication is as lethal as bad geography. Poor leaders over-commit, under-communicate, or ignore warnings. They treat friction as disobedience and clarity as optional. That is how organizations drift into the “slovenly haphazard” disorder Sun Tzu warns about: plenty of tools, no coherence.

            Discipline matters. Soldiers and engineers, treated with respect but held to standards, perform under pressure. Leniency breeds sloppiness; cruelty breeds silence. Both are operational risks.

            Know your teams: strengths, fatigue thresholds, and tempo. Rotate duty. Limit emergency hours. Maintain training. In cloud and cyber, this includes on-call limits, respect for sleep, post-incident retrospectives, and psychological safety to report near-misses before they become incidents.

            Morale shows up earlier than metrics. Leaders build the culture that sustains long campaigns.

            Calculation Before Battle – The Work of Winning

            Sun Tzu elevates calculation above impulse: the commander who measures many variables before engagement usually wins; the one who does not, loses.

            This calculation is methodical: map terrain, count supplies (capacity), estimate enemy options, and plan contingencies.

            In cyber, that means knowing your attack surface, understanding threat actor patterns, identifying likely pivot points, and building tested response runbooks. Rehearse, not because you expect a breach, but because you refuse to improvise under duress.

            In the cloud, this entails calculating blast radius, recovery objectives, and the cost of complexity relative to the cost of resilience. It also means choosing fewer tools and mastering them, because every new platform is a new terrain you must defend.

            In policy, it means calculating costs in treasure, trust, and time. Private-sector analogs are attention, capital, and brand.

            Winning is the product of preparation. You cannot improvise a viable posture in a crisis.

            Specific Strategies by Terrain – Practical Moves

            • Open ground: prioritize speed and detection; keep public assets to a minimum; deploy decoys and canaries; monitor aggressively. (CIS Controls 1, 7; NIST CSF Identify & Protect).
            • Narrow ground: enforce access controls and logging; funnel traffic through audited gateways; validate identity aggressively. (MITRE ATT&CK, NIST CSF Detect)
            • Steep ground: design immutable environments and strict separation; place critical controls in high-ground enclaves with minimal human pathways. (NIST SP 800-53, CIS Control 13)
            • Encircled ground: ensure out-of-band recovery, air-gapped backups, manual admin paths; maintain contractual exit clauses with vendors. (NIST CSF Recovery, CIS Control 11)
            • Expansive ground: prune and consolidate; adopt infrastructure-as-code policies and automated compliance; set hard limits on new integrations. (CIS Control 1, NIST CSF Asset Management)

            Every choice reduces the opponent’s options and preserves the defender’s leverage. In practice, aligning terrain strategies with proven frameworks isn’t bureaucracy; it’s how you translate doctrine into daily operations.

            Parallels: Rome, Corporations, and Nations

            Rome didn’t fail because it was weak; it failed because it could no longer pay for its expansion. The pattern repeats: a leader mistakes reach for control, stretches supply lines, and forgets the home base.

            In business, over-expansion without integration kills cash flow and culture. In policy, interventions without sustainable objectives are hollow support. In cyber, growth without governance turns territory into liability.

            The remedy is the same: select advantageous ground, keep logistics tight, and honor the limits of what you can sustain.

            Closing: Ground, People, Calculation

            Terrain teaches humility. It forces honesty about supply lines, political will, and human limits. Leaders must select ground that fits their forces, know their people well enough to deploy them without breaking them, and calculate relentlessly before contact. The best strategy isn’t the loudest; it’s the one most rigorously mapped to the ground and standards that define your domain.

            Sun Tzu’s point is blunt: the general who prepares wins because he has already made many small victories before the first clash. The rest simply discover, too late, what the ground beneath them already knew.

            The Next Step: Situations Reveal the Ground

            Sun Tzu ends this chapter the way a good fighter ends an exchange: not with noise, but with control.

            Terrain is not merely where you fight; it is what the fight allows. It determines which tactics are available, which movements are costly, and which victories are possible without incurring blood, bandwidth, or morale costs. The wise commander doesn’t “try harder” on bad ground. He changes the angle, changes the conditions, and shapes the enemy’s options.

            Muay Thai does it with ring craft: take space, cut off exits, force exchanges where your strikes land cleanly. Jiu Jitsu does it with position, then control, then submission, and sometimes with a ruthless setup: allowing the opponent to chase the submission you expected, only to counter when they overextend.

            Terrain works the same way. Choose it well, and you’re not only defending but shaping the enemy’s approach until their “attack” becomes the opening you built the environment to reveal.

            That leads us directly back to the principles that opened this chapter:

            “The natural formation of the country is the soldier’s best ally; make use of it to your advantage.” Because once you understand the ground, you stop fighting the fight the enemy wants, and start forcing the battle they cannot win.

            And when leadership is weak, orders are unclear, and duties are unfixed, the result is exactly what Sun Tzu promised: utter disorganization, not because the enemy was brilliant, but because the ground exposed what was already unstable.

            The highest standard remains unchanged: the general who advances without vanity and retreats without fear, whose only thought is to protect his people and do good service, is the jewel of the kingdom.

            Bridge to Part XI – The Nine Situations

            Terrain teaches you what is possible. The Nine Situations teaches you what to do when possibility collapses into reality, when you’re advancing, retreating, encircled, trapped, deep in enemy ground, or approaching decisive contact.

            It is a doctrine of movement under pressure: acting in accordance with circumstances without losing coherence.

            You’ve learned how to read the ground.
            Next, you’ll learn how to fight on it.

            Security Without the Pessimism | Capstone: The Human Architecture of Resilience

            There’s a moment in every incident, and in every life, when things go sideways.
            An urgent alert comes in at 2 a.m.
            The phone buzzes with something you didn’t want to see.
            The room suddenly feels smaller.
            Your pulse skyrockets ahead of your ability to reason.

            That’s the pivot point.

            Not the breach, not the threat actor, not the malware strain. The moment your mind decides whether to rush, freeze, or breathe.

            And if the past two decades in cybersecurity have taught us anything, it’s this: The most overlooked control isn’t technical at all — it’s the ability to think clearly under pressure.

            You can build the best firewall on earth, layer your identity stack, and lock down every endpoint within reach. But if the wrong person panics at the wrong moment? Your architecture won’t crumble, but your response will.

            And the irony is that the same pattern shows up everywhere.
            In the gym.
            In martial arts.
            In American foreign policy across multiple generations.
            In corporate culture.
            In our personal lives.

            Technology changes. Tools evolve.
            But human behavior remains the battlefield.

            This capstone is about that battlefield, the one beneath all the dashboards and diagrams.
            The human architecture of resilience.

            Not fear.
            Not pessimism.
            Not endless warnings.
            Just clarity, culture, awareness, and depth.

            I. The Calm Before the Click: Thinking Clearly Under Pressure

            Cybersecurity professionals often discuss “root cause.”
            The CVE.
            The misconfig.
            The missing patch.
            The malicious link.

            But if you trace incidents far enough back, you rarely find a purely technical failure.
            You find someone who was tired.
            Someone who rushed.
            Someone overloaded with tasks, tabs, or alerts.
            Someone who clicked before the mind caught up.

            Attackers have known this longer than we have.
            Social engineering is, at its core, the psychological equivalent of an ambush.
            It doesn’t rely on brilliance — it relies on rhythm.
            Interrupt someone’s rhythm, and you can make them do almost anything.

            History played the same game long before phishing emails existed.

            During WWI, the U.S. population had no appetite for a European conflict until the Committee on Public Information mastered message engineering on a national scale.

            During Vietnam, selective narratives were used to anchor the Gulf of Tonkin resolution, one of the clearest examples of how urgency overrides discernment.

            After 9/11, emotional exhaustion and fear gave the green light to decisions that would shape two decades of conflict, including the push toward Iraq in 2003 on intelligence the government already knew was questionable at best.

            The pattern is timeless: pressure → perception drops → people accept what they would normally question.

            In cybersecurity, that’s the moment a breach begins. Not when the payload deploys, but the moment someone stops breathing long enough to see clearly.

            Martial arts teach this early: when your structure collapses, so does your mind. The fight is rarely won by the strongest, but by the one who stays calm.

            Cybersecurity isn’t so different. We need quieter minds, not louder alarms. Consider the Apollo 13 mission: when an oxygen tank exploded in space, it wasn’t advanced technology alone that saved the crew—it was the unwavering composure, clear communication, and problem-solving focus of both astronauts and mission control. Their story remains a testament to the power of preparation, training, and the human spirit under pressure.

            Psychological research supports this need for balance: the Yerkes-Dodson Law demonstrates that while a certain level of stress can sharpen performance, too much leads to mistakes and paralysis. It’s not the loudest alarms or the highest stress that produce the best outcomes, but the ability to operate with steady focus under pressure.

            II. Security Isn’t a Toolset. It’s a Culture.

            This is the part vendors never put in their brochures.
            Tools matter, of course they do, but they’re not the foundation.
            If a team’s culture is fractured, fearful, or fatigued, the best tool becomes another dashboard no one trusts.

            A culture of security is built on three traits: Curiosity. Communication. Psychological safety.

            Curiosity is the click buffer. It’s the pause before the action. It’s the “does this feel right?” instinct that catches what technology misses.

            Communication is the force multiplier. If people don’t feel comfortable asking questions, you don’t have a security program; you have a façade. The worst breaches happen in organizations where employees believe that reporting something suspicious will get them punished.

            Psychological safety is the foundation beneath it all. You cannot build defense through fear.
            If people feel judged, they go silent. And silence is where threat actors win.

            Across American history, the same dynamic appears at scale. Governments that relied on controlling the narrative rather than fostering transparency created long-term instability.
            Nations that punished dissent instead of listening to it made poorer decisions, walked into unnecessary conflicts, or ignored early warnings because no one felt safe raising them.

            In cybersecurity, the equivalent is leadership that says: “If you click a bad link, come to us immediately. You’re part of the solution, not the problem.”

            Culture isn’t a policy. Culture is what happens when no one is watching.

            III. The Invisible Threat: Complacency

            Complacency is the enemy that feels like a friend. It arrives quietly. It shows up after long stretches of “nothing happened.” It hides behind phrases like:

            • “We’ve never had an incident.”
            • “We’ve always done it this way.”
            • “Our tools would catch that.”

            Every major breach you can name—SolarWinds, Equifax, Colonial Pipeline—roots itself in complacency somewhere: A missed update. An over-trusted vendor. An assumption that the environment was safer than it actually was. The 2013 Target data breach is a sobering example: multiple security alarms were triggered, but critical warnings were overlooked amidst noise and unclear processes. The failure wasn’t just technical—it was cultural and human. True resilience is built not on more tools, but on clear communication, shared responsibility, and organizational discipline.

            There’s a parallel here, too, in public psychology. Before WWI, the U.S. believed oceans protected it.

            Before the Vietnam War, we believed that superior technology guaranteed strategic clarity.
            Before 9/11, we believed asymmetrical warfare couldn’t reach our shores.
            Before the Iraq invasion, many believed intelligence agencies couldn’t be wrong.

            Every time, familiarity dulled skepticism. Certainty replaced awareness.

            Threat actors exploit the same weakness in cybersecurity: When we stop questioning our own assumptions, we hand them the keys.

            But the solution isn’t paranoia. It’s presence—the discipline to stay aware without fear, engaged without burning out, and to use quiet periods to strengthen fundamentals rather than relax them.

            Martial artists call this “maintaining the white belt mentality.” It’s the idea that no matter how skilled you become, your awareness must remain humble. The strike you don’t see coming isn’t the strongest; it’s the one you assumed wouldn’t land.

            IV. Defense in Depth Begins With Humans in Depth

            Defense in depth is usually presented as a diagram: Layers. Controls. Policies. Logging. Detection.

            But the deepest layer is always the human beings behind the console.

            Humans who communicate clearly under pressure.
            Humans who don’t panic.
            Humans who collaborate instead of silo.
            Humans who maintain integrity even when no one is watching.

            You can’t automate those traits.
            You can only cultivate them.

            A resilient team has depth:
            Depth of character.
            Depth of discipline.
            Depth of humility.
            Depth of trust.

            Leadership plays a massive role here.
            A leader who panics creates a cascading failure.
            A leader who hides incidents creates blind spots.
            A leader who blames creates avoidance.

            But a leader who stays calm?
            A leader who listens?
            A leader who respects the intelligence of their team?

            That kind of leadership becomes its own security layer, the kind attackers can’t penetrate.

            Martial philosophy applies here beautifully:
            The master doesn’t fight everything.
            The master knows when not to fight.
            The master conserves energy, maintains structure, and remains sufficiently present to move precisely when needed.

            That’s cybersecurity at its best. Not a flurry of tools or panic-driven responses. But steady awareness, grounded action, and a team that trusts itself. The response to the Stuxnet worm demonstrated the power of multidisciplinary collaboration: security researchers, government agencies, and private-sector teams worked together to analyze, share intelligence, and adapt rapidly. Their coordinated effort underscores that no single individual or technology has all the answers—resilience is a collective achievement.

            V. The Four Pillars of Real Resilience

            Looking back across this entire series, four fundamentals keep appearing.

            1. Calm

            The ability to breathe before acting. Security begins in the mind, not the machine.

            2. Culture

            Tools help. Culture protects. Culture catches what software can’t.

            3. Awareness

            Not paranoia, presence. The discipline to question, verify, and stay awake to the world around you.

            4. Depth

            Technical depth is valuable. Human depth is irreplaceable. Depth fuels resilience in every domain: networks, clouds, teams, and nations.

            These aren’t pessimistic ideas. These are empowering ideas. They’re principles that make security feel less like fear and more like clarity.

            Threat actors depend on confusion. They depend on fatigue. They depend on people who doubt their instincts.

            A calm mind. A strong culture. A present awareness. A deep team.

            That’s how you win. Not loudly, but with consistency.

            VI. Final Thought: Security Is a Human Practice Before It’s a Technical One

            If there’s a thesis to Security Without the Pessimism, it’s this: Security isn’t something we bolt onto systems. It’s something we build into ourselves.

            The work isn’t glamorous or cinematic. It’s often quiet, slow, and unrecognized. But it matters, because every decision and moment of awareness contributes to something bigger than any one of us, a culture of resilience.

            So here’s the takeaway: You don’t need pessimism to stay secure. You just need presence. You need clarity and people who care enough to pause, communicate, and stay humble.

            That’s the foundation of a safer digital world, built one calm, aware, disciplined human at a time.

            The Art of Cyberwar | Part IX | The Army on the March

            “The Army on the March” — Illustrated for The Art of Cyberwar, Part IX. This artwork evokes the visual language of classical Chinese scroll painting, capturing the essence of Sun Tzu’s Chapter IX with striking thematic fidelity. The scene unfolds in layers across a sweeping golden landscape: tightly ordered battalions march along mountain paths, supply barges cross a winding river, and distant formations assemble beneath the rising sun. Each element reflects the logistical burden, psychological tension, and environmental dependence that define an army deep into foreign territory.
At the foreground, a lone commander on horseback surveys the terrain, flanked by advisors whose varied stances suggest counsel, observation, and caution. His elevated vantage mirrors Sun Tzu’s emphasis on awareness — the practice of reading fatigue, momentum, and environmental signals before they harden into irreversible consequences. The river crossing, perilous and slow, symbolizes the fragility of overextension; the distant city, shimmering beyond the horizon, represents both ambition and the looming threat of exhaustion.
The overall composition blends serenity with strain, grandeur with vulnerability. In doing so, it transforms ancient military wisdom into a timeless reminder for modern strategists: every march requires vigilance, and every expansion carries its cost.

            The Principle:

            “When you leave your own country behind, and take your army across neighboring territory, you find yourself in a position of dependence on others. There you must watch for signs of strain.” — Sun Tzu

            The Signs Before the Fall

            Sun Tzu’s ninth chapter is about perception.

            Here he shifts from action to awareness. It’s about how a commander reads fatigue, imbalance, and internal decay before they destroy an army from within.

            This is not simply a lesson in combat; more importantly, it’s a lesson in foresight. This is a crucial distinction that often separates a near-flawless victory from a crushing defeat.

            Because every empire, every enterprise, every cyber defense effort eventually faces the same drift:

            • expansion that outruns understanding
            • momentum that hides exhaustion
            • ambition that blinds leadership
            • reach that exceeds resources

            Armies break this way.
            Companies implode this way.
            Nations lose coherence this way.

            In martial arts, this is the moment a fighter looks powerful but their footwork is misaligned: the subtle tell in a hand movement, the delayed return to guard, or the half-beat of hesitation that usually precedes success but this time leads to being hit.

            Sun Tzu teaches us: if you can’t read the signs, you can’t survive the march.

            Overreach: The Eternal Temptation

            History loves proving this point.

            Rome’s legions stretched from Britain to Mesopotamia until Rome could no longer feed its own frontiers. Britain built an empire “over all seas,” only to watch its overstretched supply lines rot from within.

            The United States, victorious after World War II, constructed a global presence so vast that presence itself began replacing purpose.

            Sun Tzu warned: The longer the march, the more fragile the army becomes.

            Modern America has been marching for generations, militarily, economically, digitally, and each expansion has carried both pride and price.

            Corporations experience the same decay. Cloud ecosystems suffer it even faster. What begins as strength (scale, reach, integration) becomes fragility when maintenance exceeds cost tolerance.

            In martial arts, overreach is the fighter who throws too many power shots, chasing a knockout rather than reading the opponent. They exhaust themselves long before the opponent is even breathing heavily.

            Strength without pacing is just a longer route to collapse.

            The Weight of Infinite Reach

            In cybersecurity, overreach becomes complexity collapse.

            Each new department adopts a new tool. Each executive demands a new dashboard. Each vendor promises a universal cure.

            Suddenly:

            • no one sees the whole system
            • logs pile up unread
            • alerts become background noise
            • integrations multiply into untraceable webs
            • dependencies form faster than they can be understood

            What once felt powerful becomes paralyzing.

            Foreign policy suffers the same rhythm on a grander scale.

            WWI.
            WWII.
            The Cold War.
            Korea.
            Vietnam.
            Bosnia.
            Iraq.
            Afghanistan.

            Each began with a clean, confident objective. Most devolved into attrition, mission creep, and moral fatigue. It can confidently be argued that mission creep began with WWI, but that’s a conversation for another time.

            Sun Tzu would summarize it simply: When the troops are weary and the purpose uncertain, the general has already lost.

            In BJJ, this is the fighter who scrambles nonstop, burning energy on transitions without securing position. Sometimes they don’t even need to scramble or change position, but they haven’t trained long enough to know that.

            In boxing, it’s the puncher throwing combinations without footwork. The fighter simply stands in place, wondering why his punches never land.

            In Kali, it’s the practitioner who commits too aggressively, losing awareness of angles and openings.

            The march becomes too long.
            The lines become too thin.
            And collapse becomes inevitable.

            Business: The Corporate Empire Syndrome

            Businesses suffer the same fate as empires.

            Growth attracts attention. Attention fuels pressure to expand. Expansion becomes compulsive.

            Suddenly, the company is chasing:

            • ten markets
            • ten products
            • ten strategies
            • ten “high-priority” initiatives

            Each of these demands its own “army.”

            The parallels to national instability are perfect:

            • Expansion without integration.
            • Strategy scaling faster than understanding.
            • Leaders mistaking size for stability.

            Eventually, the weight becomes unsustainable.

            The company can no longer “feed the army.”
            Costs rise.
            Culture cracks.
            Purpose fades.

            What killed Rome wasn’t the final battle; it was the slow erosion of balance across its territory.

            Most businesses die the same way, and so do most digital ecosystems.

            In Wing Chun, this is the collapse of structure, the moment you can see a fighter trying to do too much, forgetting the centerline, being everywhere except where they need to be.

            Overreach is always invisible until it isn’t.

            The Modern March: Cyber Empires and Digital Fatigue

            Our networks are the new empires.

            Every integration is a border.
            Every API is a supply line.
            Every vendor is an ally whose failure becomes your crisis, and you can never plan for when that crisis comes.

            Cloud architecture multiplied this exponentially.

            Organizations now live everywhere and nowhere at once.

            Sun Tzu’s image of an army dependent on supply lines maps perfectly to modern digital infrastructure:

            • Multi-cloud systems
            • SaaS sprawl
            • CI/CD pipelines with invisible dependencies
            • Third-party integrations with inherited vulnerabilities

            When visibility fades, risk multiplies. When dependencies become opaque, consequences become catastrophic.

            A company that cannot trace its supply chain of code is like an army that has lost its map.

            One outage.
            One breach.
            One geopolitical tremor.

            And the entire formation can buckle.

            We call this “scalability.”
            Sun Tzu would call it: Marching too far from home.

            Reading the Dust Clouds

            Sun Tzu taught his officers to read subtle signs:

            • dust patterns revealing troop movement
            • birds startled into flight
            • soldiers’ voices around the fire
            • the speed of camp construction
            • the tone of marching feet

            Modern versions of those signs are just as revealing:

            • Escalating ‘critical’ alerts no one addresses
            • Morale fading under constant pressure
            • Defensive posture maintained through inertia
            • Strategies repeated because they worked once, not because they work now
            • Partners showing hesitation before they show defection

            In WWI, the Lusitania offered one of the clearest “dust clouds” in modern history.

            Germany declared unrestricted submarine warfare. British intelligence knew passenger liners were targets. The Lusitania was warned. The U.S. was warned. Even the ship’s cargo, which included munitions, made it a predictable target.

            Yet the warnings were dismissed.
            The signs were clear.
            The perception failed.

            And America’s reaction, too, was predictable: a “neutral nation” was pushed closer to war by an entirely foreseeable tragedy. Some might argue that certain American politicians sought to force the U.S. into the war. Again, that’s a discussion for another time.

            Sun Tzu’s maxim remains timeless: The first to lose perception always loses position.

            The Cost of Endless Motion

            Overextension rarely appears dramatic at first.

            It looks like success:

            • revenue rising
            • troops advancing
            • dashboards expanding
            • integrations multiplying

            Then the consequences arise:

            • fatigue
            • erosion
            • misalignment
            • burnout
            • doubt

            You begin fighting just to justify how far you’ve marched.

            In cybersecurity, this is the company chasing every vulnerability without fixing its architecture.

            In foreign policy, it’s the nation fighting endless “small wars” that collectively cost more than stability ever would.

            In boxing, it’s the fighter who keeps moving forward until they walk into exhaustion, not a punch.

            In Kali, it’s the flow practitioner who adds complexity until their movement becomes noise rather than intent.

            Sun Tzu warned: An army that has marched a thousand li must rest before battle.

            Modern systems rarely rest. We only measure uptime, not wisdom.

            Restraint as Renewal

            The answer isn’t retreat; it’s an informed, measured rhythm.

            Knowing when to:

            • advance
            • consolidate
            • recover
            • regroup
            • reconsider the terrain

            Strategic restraint is not weakness. It is self-preservation.

            Rome could have lasted longer by fortifying fewer borders. Corporations could thrive longer by protecting focus instead of chasing scale. Nations could endure longer by strengthening their homeland defenses before ever wasting a single dime projecting power abroad.

            Sun Tzu’s art was never about conquest. It was about sustainability.

            Victory without stability is just defeat on layaway.

            Awareness in Motion

            Awareness is the antidote to overreach.

            It requires honest measurement:

            • what’s working
            • what’s weakening
            • what’s cracking
            • what’s already lost

            It requires humility: no army, business, or nation can move indefinitely without rest.

            In cybersecurity, awareness is visibility.
            In leadership, it’s listening.
            In foreign policy, it’s simply remembering.

            Awareness doesn’t stop momentum. It calibrates it.

            It’s the half-beat between breaths that keeps the system alive.

            Bridge to Chapter X | Terrain

            Sun Tzu ends this chapter by looking outward again.

            Once you’ve learned to read fatigue, imbalance, and decay within, the next step is to read the environment beyond.

            The internal determines how you survive the external.

            Which returns us to the opening principle: When you leave your own country behind…you find yourself in a position of dependence on others.

            An army on the march teaches us to see ourselves. Chapter X, Terrain, teaches us to read the world:

            • its obstacles
            • its openings
            • its deception
            • its opportunities
            • its traps

            Awareness of self means little without awareness of landscape. That’s where the next battle begins.

            The Art of Cyberwar | Part VIII | Variation in Tactics

            The principle: “There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard.” — Sun Tzu

            Adaptation Over Assumption

            In Maneuvering, we learned the art of movement and how to turn posture into progress. Now Sun Tzu takes the next step: variation.

            Variation is the discipline of adaptation. Not improvisation for its own sake. It’s controlled flexibility and fluidity, the kind that keeps a force alive while in motion.

            Sun Tzu’s warning is ruthless: Predictability is the slow death of strategy. Every organization that wins too long risks repeating itself.

            Every CISO, every architect, every nation-state faces the same danger: When your patterns stabilize, your adversary’s job gets easier.

            Attackers study rhythm.
            They hunt repetition.
            They exploit formula.

            What you repeat becomes your weakness.

            Static Defenses, Dynamic Threats

            In cybersecurity, repetition feels like discipline:

            • the same checklists
            • the same daily, weekly or quarterly assessments
            • the same scanning cadence
            • the same unchanged playbooks

            It feels stable, but it’s stagnation dressed as process.

            Meanwhile attackers evolve hourly.

            Their payloads morph.
            Their lures update.
            Their timing adapts to human fatigue cycles.

            They don’t overpower blue teamers; they systematically outlearn them.

            Sun Tzu’s guidance, “alter your plans according to circumstances,” isn’t merely poetic.

            It’s operational doctrine. Security isn’t a system. Security is a cycle.

            • Every breach teaches.
            • Every false alarm reveals.
            • Every routine day hides patterns waiting to be broken.

            The teams that adapt fastest aren’t the biggest.

            They’re the most fluid and adaptable.

            Variation is awareness in motion.

            Red Teams, Blue Teams, and the Dance of Adaptation

            Variation is the heartbeat of adversarial testing. Red teams live in uncertainty: improvisation, deception, broken rhythm. Blue teams train in structure: detection, containment, resilience.

            A mature organization doesn’t let them exist as siloed tribes. It merges them into purple teaming, where the creativity of offense and the rigor of defense evolve together.

            • Red exposes blind spots.
            • Blue turns discovery into discipline.
            • Together they adapt.

            This is the martial logic of sparring:

            • Wing Chun’s angle changes, where the same attack comes from different entries rather than simply along straight lines.
            • Muay Thai’s broken rhythm, where timing destroys expectation.
            • BJJ’s transition → position → submission sequence, where variation becomes game, set, match.

            Each engagement becomes rehearsal for reality. You’re not preparing for yesterday’s threat. You’re learning from tomorrow’s rehearsal. That’s Sun Tzu’s Variation: adaptation as preparation.

            Cloud Security: Adaptation as Architecture

            Cloud environments shift constantly:

            • APIs update
            • services deprecate
            • compliance rules revise
            • identity models evolve
            • integrations multiply

            Static thinking is fatal in a fluid system. Cloud security is variation embodied.

            Infrastructure-as-code lets architecture evolve at speed. Automation turns intent into consistent action, but without visibility, variation becomes drift.

            Sun Tzu’s metaphor of water fits perfectly: Water adapts to its container yet always seeks its level.

            Cloud engineers do the same:

            • change with the environment, without losing alignment
            • allow flexibility, without losing control
            • evolve configurations, without losing accountability

            Adaptation is necessary. Principles are non-negotiable.

            Foreign Policy and the Trap of Predictability

            Nations decay when their doctrine ossifies.

            The American foreign policy establishment has fallen into this trap over and over again:

            • Cold War containment repeated even after the context changed.
            • Counterinsurgency tactics applied to environments that defied them.
            • Interventions driven by reflex rather than awareness.

            Vietnam: A doctrine built for conventional warfare in Europe applied to guerrilla conflict in jungle terrain. The U.S. measured success through body counts and attrition, while the enemy measured it through will and time. Same playbook, wrong war. Predictable escalation met adaptive resistance.

            Afghanistan: Twenty years of rotating commanders, each bringing their own tactical variation, but all operating under the same strategic assumption—that nation-building through military presence could succeed where it had failed for empires before. The tactics changed every 18 months with each new general. The doctrine never did. The enemy simply waited.

            Iraq 2003: Intelligence assumptions treated as certainties. A swift conventional victory followed by the assumption that democratic institutions could be installed through force. When insurgency emerged, the U.S. applied a counterinsurgency doctrine designed for different conflicts. By the time adaptation occurred (the Surge), years of predictable responses had already created the conditions for ISIS.

            But perhaps the most revealing pattern is the rhetorical one: every emerging threat becomes “the new Hitler,” every conflict the next World War II.

            • Saddam Hussein was Hitler.
            • Gaddafi was Hitler.
            • Milosevic was Hitler.
            • Assad was Hitler.

            The framing never changes. The enemy is always “being Chamberlain in 1939” and being “appeasers of Hitler.” The infantile argument is always to stave off the newest existential threat to humanity. This isn’t strategy; it’s intellectual predictability masquerading as moral rectitude, always sticking by the banal cliché “never again,” whether it really applies or not.

            World War II was a unique conflict: a mechanized, industrial-scale war between nation-states with clear battle lines, total mobilization, and, foolishly, unconditional surrender as the objective. Applying that framework to insurgencies, civil wars, and regional conflicts doesn’t just fail tactically, it reveals a dangerous inability to see the situation as it actually is.

            The Hitler analogy serves a purpose: it short-circuits debate, frames inaction as appeasement, and makes intervention seem inevitable. But it’s also the ultimate form of strategic predictability. When every threat is Hitler, every response becomes World War II, and variation dies.

            Variation in statecraft means reading each situation fresh, not recycling last decade’s doctrine into a new century, and certainly not recycling a doctrine from 80 years ago. In each case, tactical adjustments happened but strategic doctrine remained rigid. That’s the opposite of Sun Tzu’s teaching: vary tactics, never principles. These conflicts varied neither.

            The Global War on Terror: The Ultimate Failure of Variation

            And then there’s the final, most damning example of strategic predictability: Ahmed al-Sharaa, originally known as Abu Mohammed al-Jolani, who once led al-Qaeda’s Al-Nusra Front or Jabhat al-Nusra in Syria and spent years detained by U.S. forces as a terrorist in Iraq, was welcomed to the White House in November 2025 by President Trump.

            He once had a $10 million U.S. bounty on his head. He founded al-Nusra Front, al-Qaeda’s Syrian branch. Now he’s a partner in the Global War on Terror.

            This isn’t adaptation. This is strategic incoherence dressed as pragmatism.

            Twenty-four years after 9/11, after trillions spent, after Afghanistan and Iraq, after “we don’t negotiate with terrorists” became doctrine, the United States now supports the former head of the very organization we invaded multiple countries to destroy.

            The justification? He helps combat ISIS. The same ISIS that emerged from the predictable chaos of the Iraq War. The same conflict where al-Sharaa himself fought as a leading al-Qaeda member against U.S. forces.

            This is what happens when doctrine ossifies while reality shifts. When every threat is framed through the same lens (“the new Hitler”), when every intervention follows the same playbook, when strategic thinking atrophies into bureaucratic reflex, you end up shaking hands with yesterday’s enemy because you can’t recognize that your framework has failed.

            Sun Tzu’s warning rings clear: predictability invites exploitation. The GWOT’s predictable responses (invasion, occupation, counterinsurgency, withdrawal) created a cycle that adversaries learned to exploit.

            They adapted. We repeated.

            And now, the former al-Qaeda commander who once fought U.S. forces receives a hero’s welcome at the seat of American power. Not because the threat changed. Because we ran out of variations on the same failed strategy.

            Predictability in diplomacy invites miscalculation.
            Predictability in force posture invites escalation.
            Predictability in cyber deterrence invites probing.

            As another example, at the extreme end of predictability lies Pearl Harbor.

            Japan didn’t strike out of pure ambition; it struck because the U.S. cut off:

            • 90% of its oil
            • vital steel
            • food
            • rubber
            • machinery
            • industrial materials

            A nation deprived of resources enters what Sun Tzu called death ground, the place where maneuver becomes inevitable.

            • Predictable embargo.
            • Predictable deterioration.
            • Predictable desperation.
            • Predictable strike.

            Sun Tzu understood the principle: the more rigid your doctrine, the more your opponent will shift. Nations, like networks, must evolve, or decay through repetition.

            Variation Without Confusion

            Adaptability is not inconsistency. Sun Tzu warned that blind variation, change for its own sake, creates disorder.

            The rule is simple: Vary your tactics. Never vary your principles.

            In cybersecurity, the principles are visibility, trust, and accountability.
            In cloud architecture, they are governance and clarity.
            In foreign policy, they are restraint and realism.

            Change how you respond.
            Never change why you respond.

            That’s how variation becomes strength rather than noise.

            Modern Lessons in Motion

            Across every domain, the real art lies in learning faster than you decay:

            • In cybersecurity, adapt playbooks to every alert, not just every quarter.
            • In cloud, treat configuration as a living organism, not a static diagram.
            • In diplomacy, update doctrine before circumstances force your hand.

            Predictability invites attack.
            Curiosity creates resilience.

            Sun Tzu didn’t worship flexibility. He prized awareness in motion, responsiveness guided by principle.

            That is how you survive modern complexity: move → learn → realign → repeat.

            That’s variation.

            From Variation to Awareness

            Variation teaches movement. The next lesson teaches perception.

            In Chapter IX, The Army on the March, Sun Tzu turns to the signals that guide a force in motion: how to read the terrain, sense morale, detect fatigue, and recognize when momentum turns into danger.

            If Variation in Tactics is about adapting to survive, The Army on the March is about understanding the signs that tell you whether your adaptation is working.

            Bringing us full circle to our opening principle: “There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard.”

            In our next installment, we’ll discuss perception and reality in networks, in nations, in martial skill, and most critically, in ourselves.

            The Art of Cyberwar | Part VII | Maneuvering

            Chapter VII’s artwork conveys the essence of Sun Tzu’s Maneuvering with clarity and grandeur. A lone commander surveys a vast, unfolding landscape of troops in motion, symbolizing disciplined rhythm rather than frantic pace. The terrain’s natural flow mirrors the movement of cloud-age systems, and the light breaking across the valley evokes strategic awareness dawning before action. It is a rare blend of historical resonance and modern metaphor, a visual philosophy.

            Movement After Position

            The Principle: “We may take it then that an army without its baggage-train is lost; without provisions it is lost; without bases of supply it is lost.” — Sun Tzu

            The Art of Coordinated Movement

            A cybersecurity team detects a breach at 2 AM. They have the skills, the tools, and the authority to act. But without coordination, that capability becomes chaos: analysts duplicating work, containment efforts conflicting, and communication breaking down. By dawn, the advantage is gone.

            In February 1943, American forces faced German tanks at Kasserine Pass in North Africa. They had the weapons, the numbers, the training. What they lacked was coordination between units and effective air-ground communication. The result? The first major American defeat of WWII was not due to a lack of capability, but to failure to maneuver as a unified force.

            Fifteen months later, those same American forces learned the lesson. On June 6, 1944, D-Day coordinated 12 nations, over 7,000 vessels, and 160,000 troops across five beaches in a single operation. Not because they suddenly acquired better weapons, but because they mastered maneuvering. Kasserine Pass taught them that capability without coordination is chaos. Normandy proved that coordination transforms capability into victory.

            Eighty years later, the battlefield is digital, but the lesson remains the same.

            Sun Tzu called this the difference between movement and maneuvering.

            Maneuvering is the discipline of transforming positional advantage into progress without depleting resources. Though movement may appear straightforward (advance, pivot, respond), it demands careful coordination. Without coordination, movement breeds confusion and disorder, undermining any initial advantage.

            In Brazilian Jiu-Jitsu, there’s a fundamental principle: position before submission. A novice rushes for the choke. A master secures the proper position, seeks control, applies the proper pressure, isolates the arm, and then the finish is there for the taking. The submission becomes inevitable because the position made it so.

            Maneuvering works the same way: structured movement from an established position. Not frenetic action. Coordinated, calculated movement in advance.

            Whether in military operations, government, or cybersecurity, the true challenge lies in maintaining momentum while preserving balance. Effective teams favor structured, intentional movement, not just speed.

            This is the heart of maneuvering: composure, intent, and clarity. Act from principle, not anxiety.

            The Maneuvering Decision Matrix

            Sun Tzu understood that effective maneuvering requires reading the moment, knowing when to accelerate, when to pause, and when to let the environment dictate pace.

            Modern leaders need the same discernment:

            When to Accelerate:

            • The advantage is clear and actionable.
            • Resources are sufficient.
            • Team alignment is strong.
            • The opponent is vulnerable.

            When to Pause:

            • Visibility is degraded.
            • Fatigue is setting in across the team.
            • Purpose has become uncertain.
            • Information remains incomplete.

            When to Let Environment Dictate:

            • The opponent is making mistakes.
            • Terrain is shifting faster than you can control.
            • Patience offers a strategic advantage.
            • Reactive movement would expose weakness.

            This isn’t indecision. It’s tactical discipline. The fighter who controls tempo controls the outcome.

            Tempo and Terrain

            In both war and cybersecurity, timing determines outcomes more than sheer speed. When to act matters more than how quickly you act.

            Sun Tzu cautioned that armies advancing too rapidly become fatigued, while those moving too slowly forfeit initiative. Balance requires understanding rhythm, discerning when to accelerate, when to pause, and when to let the environment set the pace.

            Today, that terrain is digital.

            The modern battlefield consists of networks, cloud environments, and global systems. Effective cybersecurity professionals study the digital landscape to move with intent, not to avoid movement altogether.

            In the cloud era, terrain isn’t geography, it’s architecture.

            Latency, visibility, and complexity shape what’s possible. The most secure organizations extend beyond perimeter defense by developing a comprehensive understanding of their operational landscape. They design systems where quick tactical movements don’t create strategic vulnerabilities.

            The Cyber Battlefield: Coordination Over Chaos

            In cybersecurity, effective maneuvering means more than quick patching or immediate responses. It requires aligning teams, especially during high-pressure situations.

            • Incident response represents maneuvering under pressure: containment, communication, and recovery.
            • Threat intelligence involves maneuvering through uncertainty—transforming fragmented information into actionable insights without prematurely acting on incomplete data.
            • Automation functions as the logistical backbone, the supply chain supporting frontline operations. When automation fails, even highly skilled analysts face burnout.

            Many security operations centers (SOCs) miss this point. Constant urgency and nonstop action may seem productive, but endless motion risks exhaustion and reduced effectiveness.

            Authentic maneuvering is characterized by calm, control, deliberation, and focus.

            • Wing Chun’s centerline theory offers a simple, direct, economical model. SOC analysts don’t need fifty tools—they need the right three, automated properly, with clear escalation paths. Economy of force.
            • The central point: when your playbook drives decisions, you maneuver. When alerts drive decisions, you react.

            Cloud Mobility: The Terrain in Flux

            The shift to cloud computing redefined what “maneuvering” means. In the old world, servers stayed put. Now, data, workloads, and identities move across providers, borders, and legal frameworks.

            In this environment, organizational strength comes not from rigidly restricting movement, but from orchestrating secure and transparent operations.

            Cloud maneuvering looks like:

            • Workloads shifting across regions without breaking compliance
            • Data flowing securely through APIs without leaving blind spots
            • Teams pivoting incident response playbooks across hybrid environments in real time

            Cloud environments reward planning for motion. Organizations win by designing for agile, secure movement, not by resisting change.

            In 2023, a Fortune 500 company’s cloud migration stalled not because of technical limitations, but because their security team designed for a static perimeter. When workloads needed to shift regions for compliance, every move required manual review.

            Organizations that assume static conditions are at a disadvantage.

            This aligns with the martial principle of flow: Rigid fighters break. Rigid systems break faster.

            Foreign Policy and the Cost of Motion

            Nations, too, confuse movement with progress. America’s 20th-century record is full of lessons in tempo and fatigue.

            But no example better illustrates the danger of resource-driven maneuvering than what led to the attack on Pearl Harbor.

            The Pearl Harbor Lesson: When Resources Force Your Hand

            Japan’s attack wasn’t born from ambition, it was forced by logistics. The U.S., Britain, and the Dutch enforced the ABCD embargo, cutting off:

            • Oil
            • Rice
            • Steel
            • Rubber
            • Machine parts

            Japan imported 90% of its oil. Cut off from fuel, it faced two choices: fight or run out of energy and food entirely.

            Sun Tzu wrote: “Throw your men into death ground, and they will fight.”

            Japan was placed on death ground by resource denial. Their maneuver, the attack itself, was coordinated brilliantly. Six aircraft carriers, 353 aircraft, precise timing across multiple strike waves.

            Tactically, it was masterful.

            But strategically? Admiral Yamamoto knew: “I fear all we have done is awaken a sleeping giant.”

            A lingering question remains: was America truly sleeping? WWI had concluded only 20 years earlier. Before WWII, WWI was considered the deadliest war in human history, earning the moniker “The Great War” for its immense scale and death toll of approximately 20 million lives. Its unprecedented destruction set it apart from previous conflicts. So, America was hardly asleep. Back to Pearl Harbor.

            The lesson isn’t about the attack’s execution. It’s about what happens when maneuvering is dictated by desperation rather than position. When resources force your hand, even perfect coordination can’t save you.

            Sun Tzu’s calculus applies: survival-driven movement, no matter how well-executed, is still reactive. And reactive maneuvering rarely wins wars.

            The United States later encountered similar challenges in Vietnam, Iraq, and Afghanistan, where rapid action outpaced strategic learning. Momentum itself became a compelling but hazardous force.

            Diplomacy is maneuvering in another realm.

            In contrast, contemporary policy frequently equates reaction with strategy, prompting responses to every crisis even when restraint or delay might prove more advantageous.

            Sun Tzu’s wisdom cuts through centuries: “If you know neither the terrain nor the season, you march to fatigue, not to victory.”

            The Logistics of Cyber Power

            For cybersecurity professionals, logistics consists not of physical supplies, but of bandwidth, personnel, and operational clarity.

            Sustained operations aren’t feasible if systems are overburdened, personnel remain on constant alert, and every issue is treated as critical.

            Good logistics in cyberspace means disciplined prioritization:

            • Which assets are mission-critical?
            • Which alerts deserve escalation?
            • What response cadence prevents burnout?

            Sun Tzu would call this “feeding the army.” In today’s language, it’s resource stewardship.

            An effective CISO ensures security professionals maintain resilience and don’t become exhausted before adversaries lose their resolve.

            The data shows progress. Organizations took an average of 241 days to identify and contain breaches in 2025, down from 287 days in 2021. Not because threats got easier, but because purple-teamers got better at coordinated response. They learned to maneuver.

            Maneuvering the Human Factor

            The most challenging aspect of coordination isn’t the technical infrastructure; it’s the human element. While individuals contribute creativity, they also introduce unpredictability.

            The numbers confirm what practitioners already know: 88% of cybersecurity breaches are caused by human error. Not zero-days. Not sophisticated malware. Human mistakes. The technology isn’t the weak link—the coordination of people using that technology is.

            Sun Tzu understood morale as a weapon system. He coordinated hearts and minds before he coordinated units.

            The same applies to martial arts and security culture.

            • In Muay Thai, they call it ring generalship, the fighter who controls space controls pace. The same applies to security teams. Leaders who set tempo, who decide when to press and when to absorb pressure, create the conditions for team effectiveness.
            • The most effective cybersecurity teams operate like jazz ensembles, distributed but synchronized. Training, communication, and trust are the modern equivalents of morale.

            This is modern maneuvering: achieving precision in movement without relying solely on hierarchical control.

            The Risk of Endless Marching

            Sun Tzu cautioned that armies remaining in the field for extended periods experience internal decline. This phenomenon appears today as burnout, alert fatigue, and continuous red team exercises that fail to produce lasting improvements.

            Organizations that never rest eventually turn on themselves. This applies equally to companies and nations.

            Movement should support strategic objectives, not substitute for them. Effective leadership requires recognizing when to pause, regroup, and restore organizational strength.

            Without periodic rest, strength deteriorates into strain, and resilience devolves into attrition.

            The Bridge to Variation

            The final lesson of maneuvering emphasizes humility: movement does not constitute mastery; it serves as its test.

            Any army, individual, or system that acquires the ability to move must subsequently develop adaptability: the capacity to alter rhythm, diversify tactics, and confound adversaries who anticipate predictability.

            Leading us back to the initial principle: “We may take it then that an army without its baggage-train is lost; without provisions it is lost; without bases of supply it is lost.”

            Maneuvering determines survival. Variation determines victory.

            But first, you must learn to move without falling apart. Master coordination before you attempt improvisation. Secure your supply lines before you advance.

            Because, as Sun Tzu understood, an army that moves with discipline can adapt. An army that moves with chaos can only collapse. The next chapter explores variation, but only those who’ve mastered maneuvering will recognize when to use it.

            The Art of Cyberwar | Part VI | Weak Points and Strong

            The principle:
            “So in war, the way is to avoid what is strong and to strike at what is weak.”

            Strength and Weakness Are Temporary

            Sun Tzu emphasized that strength and weakness are dynamic rather than static. Although this principle may seem self-evident, it is often overlooked in practice. Many individuals disregard straightforward strategies, mistakenly believing that complexity is required. This oversight often leads to the violation of previous strategic principles or “lessons learned”, indicating a lack of genuine understanding.

            It is essential to recognize that what appears robust today may become fragile in the future, while seemingly vulnerable elements can become decisive with time and increased awareness.

            Power, whether military or digital, shifts with context.

            The critical factor is not the quantity of resources, but the ability to perceive the entire operational landscape. Vulnerabilities arise not only from an adversary’s strengths, but also from areas where situational awareness is lacking and the speed at which adaptation occurs when new realities emerge.

            In contemporary contexts, both nations and security architects often neglect this fundamental principle. There is a tendency to focus on constructing increasingly formidable defenses rather than developing adaptive strategies. Regardless of the scale of these defenses, adversaries require only minor vulnerabilities to compromise their effectiveness. Always remember, your adversaries only need to find a tiny leak in the walls to bring the entire system down.

            Predictability: The Modern Weakness

            Even the most secure fortresses eventually become familiar terrain for attackers. Cyber adversaries do not rely on brute force; instead, they employ strategic analysis. They examine organizational habits and exploit vulnerabilities such as unpatched servers, unmanaged privileged or service accounts, unchanged passwords, and the susceptibility of executives to social engineering.

            Their success depends not on force, but on the predictability of organizational behaviors.

            Nations exhibit similar vulnerabilities. Bureaucratic routines solidify into doctrine, which can devolve into dogma. Adversaries exploit these predictable patterns, waiting for repetition before executing successful attacks.

            Historical events, such as the Pearl Harbor attack, the September 11 attacks, the Gulf of Tonkin incident, and numerous cyber intrusions, demonstrate that deficiencies in critical thinking, complacency, rigidity, and hubris significantly increase the likelihood of successful surprise attacks.

            When Comfort Masquerades as Strength

            Many organizations and governments allocate excessive resources to familiar areas, fostering a false sense of security. This environment allows risks to proliferate unnoticed, undermining overall resilience.

            Cybersecurity teams often spend millions fortifying infrastructure while leaving users untrained.

            Organizations frequently monitor technical metrics while neglecting human behavior. The most significant vulnerabilities often arise from areas presumed to be under adequate management.

            System failures are typically attributable not to insufficient funding, but to misaligned priorities.

            This pattern is evident at the national level as well. Large militaries and substantial budgets often obscure underlying fragilities, including slow adaptation, reliance on outdated assumptions, unstable alliances, and insufficient strategic foresight regarding emerging forms of conflict.

            Historical Lessons of Misguided Strength

            The First World War began with nations convinced that industrial might and rigid plans guaranteed victory. Those plans dissolved within months under the weight of modern weapons and static thinking.

            During the Vietnam War, a major power misinterpreted its capacity for endurance as a guarantee of superiority. The Viet Cong’s guerrilla tactics transformed conventional advantages into significant liabilities.

            Even the rapid success of Operation Desert Storm fostered complacency. Efficiency was mistaken for enduring security, and the perceived triumph was erroneously interpreted as evidence of invincibility.

            Each era reaffirms the principle that the most conspicuous assets are not necessarily the most powerful.

            Flexibility as True Power

            Sun Tzu’s insight was to conceptualize power as dynamic movement. He advocated that a general should emulate water, seeking the path of least resistance and adapting to the terrain.

            Within the cyber domain, the operational landscape evolves rapidly, with new threats, actors, and vulnerabilities emerging on a continual basis.

            In this context, strength is defined by agility:

            • Rotate keys and credentials regularly.
            • Automate but verify.
            • Decentralize authority so teams can act without waiting for hierarchy.

            The most effective defenders are those who demonstrate the greatest adaptability, learning and evolving more rapidly than adversaries can adjust their tactics.


            Lao Tzu’s Echo

            Lao Tzu put it simply:

            “Water overcomes the stone not by strength, but by persistence.”

            Endurance surpasses dominance. Properly understood, flexibility is not a sign of weakness but of resilience, characterized by the capacity to absorb disruption and recover to an original state.

            In the digital context, resilience is reflected in recovery planning, redundancy, and organizational culture. The true measure of strength is not the infrequency of failure, but the speed of recovery following a compromise.


            Turning Weakness Into Insight

            All systems possess inherent flaws. Denial of these vulnerabilities allows them to remain concealed until a crisis occurs. Proactive defenders employ audits, red-team exercises, and transparent communication to identify weaknesses at an early stage.

            Transparency transforms potential liabilities into opportunities for organizational learning.

            Nations could use the same humility.

            Public acknowledgment of mistakes enhances credibility, whereas concealment increases risk. The most resilient governments are not those without flaws, but those capable of adapting transparently before their constituents.

            From Awareness to Action

            Identifying vulnerabilities constitutes only part of the challenge; addressing them effectively demands both discipline and restraint.

            In cybersecurity, this approach entails prioritizing remediation over self-congratulation, thorough preparation prior to disclosure, and critical evaluation before taking action.

            In policy contexts, this requires deliberate prioritization, engaging only in actions where the anticipated outcomes justify the associated costs.
            Misapplied strength can become a source of vulnerability, whereas a thorough understanding of weaknesses can provide strategic foresight.

            The Next Step: The Flow of Force

            Sun Tzu ends this chapter with motion: the strong shifting to the weak, the weak transforming to the strong.

            He implies that awareness must evolve into timing. The wise general aligns his force with the moment, not against it. As he puts it: “All men can see the tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.”

            This concept serves as a transition to the subsequent lesson, which focuses on the dynamics of energy in motion and the strategic management of power with balance and rhythm.

            We’ve learned where to stand. Next, we’ll learn how to move. As Master Tzu concludes Chapter VI:

            Military tactics are like unto water; for water in its natural course runs away from high places and hastens downwards. Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions.

            Leading us directly back to this lesson’s seemingly simple principle: “So in war, the way is to avoid what is strong and to strike at what is weak.”