Zen and the Art of AWS Security Domain 6: Security Foundations and Governance | Holding the Line Without Rigidity


“When the structure is sound, movement becomes effortless.”

Most people expect security foundations and governance to be boring. Policy documents. Checklists. Frameworks. Meetings.

AWS, and seasoned security architects, know better.

Security Foundations and Governance are not about control. They are about alignment.

They are what allow everything else (detection, response, infrastructure, identity, and data protection) to function without friction. This is why Domain 6 exists, and why it quietly determines whether every other domain succeeds or fails.

1. What AWS Means by “Security Foundations”


AWS does not treat security foundations as a product or a service. They treat them as operating conditions.

Security foundations answer questions like:
• Who is responsible for what?
• How are decisions made?
• How do we know when something is “secure enough”?
• How do we scale security without slowing delivery?

In AWS terms, foundations are built on:

• Shared Responsibility
• Well-Architected principles
• Standardized controls
• Continuous improvement
• Clear ownership

If those are missing, everything else becomes reactive.

Key Takeaway: On the exam and in real life, assume security foundations are always present, not optional. If a question describes a scenario with ambiguous responsibility, pause and seek alignment before acting.

2. The Shared Responsibility Model: The First Gate

Every AWS security exam, especially the Security Specialty, tests one thing relentlessly: Do you understand what AWS secures…and what you must secure yourself?

    AWS is responsible for:

    • Physical data centers
    • Underlying hardware
    • The cloud infrastructure itself

    You are responsible for:

    • Identity and access
    • Network controls
    • Data protection
    • OS and application security
    • Configuration

    Governance begins the moment you clearly accept that responsibility.

    Most real-world failures, and many exam traps, happen when responsibility is blurred.

    3. Governance Is How You Scale Trust

    Governance is not about saying “no.” It’s about creating guardrails so teams can move quickly without breaking things.

      AWS governance relies on:

      • AWS Organizations
      • Service Control Policies (SCPs)
      • Account separation
      • Tagging standards
      • Centralized logging and monitoring
      • Defined escalation paths

      Exam cue: If AWS wants you to prevent risky behavior without managing individual permissions, the answer is almost always SCPs.

      Governance operates above IAM, not instead of it.

      4. Well-Architected Security Pillar: The Quiet Backbone

      The AWS Well-Architected Framework is foundational to this domain.

        The Security Pillar emphasizes:

        • Strong identity foundations
        • Traceability
        • Infrastructure protection
        • Data protection
        • Incident response

        You’ve already studied all of these.

        Domain 6 exists to show how they fit together.

        AWS wants you to think:

        • Holistically
        • Long-term
        • With trade-offs in mind

        On the exam, this shows up as:

        • “Which solution is the most scalable?”
        • “Which approach reduces operational overhead?”
        • “Which option aligns with AWS best practices?”

        Governance favors simplicity, repeatability, and clarity.

        5. Policies, Standards, and Automation

        In AWS, policy without automation is aspirational. Automation without policy is dangerous.

          Strong governance includes:

          • Infrastructure as Code (CloudFormation, Terraform)
          • Automated security checks
          • Preventive controls (SCPs, Config rules)
          • Detective controls (GuardDuty, Security Hub)
          • Corrective actions (Lambda-based remediation)

Exam cue: If the question says, “ensure compliance continuously”, the answer involves automation, not manual review. Governance is what turns security into a system, not an ongoing project.

          Top 3 Exam Gotchas: Domain 6

1. Over-relying on IAM and neglecting the power of Service Control Policies (SCPs) for organization-wide governance.
2. Focusing on manual reviews instead of leveraging automation for continuous compliance.
3. Choosing the most restrictive answer on the exam rather than the one that balances security, cost, and operational impact.

Key Takeaway: The “safe” answer is not always the correct one—look for governance and automation at scale.

          6. Risk Management: Choosing, Not Eliminating

          AWS does not expect you to eliminate all risk.

          They expect you to:

          • Identify it
          • Understand it
          • Accept, mitigate, or transfer it intentionally

          This is why governance includes:

          • Risk registers
          • Compliance mappings
          • Business context
          • Cost-awareness

          On the exam:

          The “best” answer is rarely the most restrictive one. It is the one that balances security, cost, and operational impact.

          Scenario Example: Rapid Growth, Real Governance

          In 2024, a fintech company went from 10 to 60 AWS accounts in under six months. Security needed to prevent resource creation outside of approved regions and enable GuardDuty everywhere automatically.

          Best Approach: The team used AWS Organizations to apply SCPs for region lockdown, combined with automated account bootstrapping scripts that enabled GuardDuty by default. This solution leveraged automation and organizational guardrails—demonstrating mature, real-world AWS security thinking.
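As an added example (not code from the original article or from the company it describes), here is a constructed region-lockdown SCP of the kind this scenario and the preventive-controls list above describe, together with a small Python evaluator that shows which API calls it blocks. The approved-region list, the carved-out global services and the sample requests are assumptions, and the evaluator models only the StringEquals/StringNotEquals operators this policy uses.

```python
"""Region-lockdown SCP plus a minimal evaluator of its deny logic (constructed example)."""
import fnmatch
import json
from typing import Dict, List, Optional, Tuple

# Assumed approved regions for the organization.
APPROVED_REGIONS = ["us-east-1", "us-west-2"]

# Constructed SCP modelled on the common "deny everything outside approved
# regions" pattern. Global services have no region, so they are carved out
# with NotAction; without that, the policy would block IAM, Organizations
# and STS and break the tooling that manages the organization.
REGION_LOCKDOWN_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "DenyOutsideApprovedRegions",
        "Effect": "Deny",
        "NotAction": [
            "iam:*", "organizations:*", "sts:*", "support:*",
            "cloudfront:*", "route53:*", "budgets:*", "health:*",
        ],
        "Resource": "*",
        "Condition": {
            "StringNotEquals": {"aws:RequestedRegion": APPROVED_REGIONS}
        },
    }],
})


def _as_list(value) -> List[str]:
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _statement_covers(stmt: dict, action: str) -> bool:
    """Does the statement's Action/NotAction element cover this action?"""
    if "Action" in stmt:
        return any(_action_matches(p, action) for p in _as_list(stmt["Action"]))
    # NotAction: the statement covers everything *except* the listed patterns.
    return not any(_action_matches(p, action) for p in _as_list(stmt["NotAction"]))


def _condition_holds(cond: dict, context: dict) -> bool:
    """Evaluate the operators used by this policy; others are out of scope."""
    for operator, pairs in cond.items():
        for key, expected in pairs.items():
            expected_values = _as_list(expected)
            actual = context.get(key)  # None when the key is absent from the request
            if operator == "StringEquals" and actual not in expected_values:
                return False
            # Negated operators match when the key is absent, as in IAM.
            if operator == "StringNotEquals" and actual in expected_values:
                return False
            if operator not in ("StringEquals", "StringNotEquals"):
                raise NotImplementedError(f"condition operator {operator} not modelled")
    return True


def scp_denies(policy_json: str, action: str, region: Optional[str]) -> bool:
    """True if the SCP explicitly denies `action` requested in `region`.

    SCPs never grant anything: a request that passes here still needs an
    IAM allow in the member account. Global-service calls carry no
    aws:RequestedRegion, which is why region may be None.
    """
    policy = json.loads(policy_json)
    context = {} if region is None else {"aws:RequestedRegion": region}
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        if not _statement_covers(stmt, action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        return True
    return False


def audit(policy_json: str, requests: List[Tuple[str, Optional[str]]]) -> Dict[Tuple[str, Optional[str]], str]:
    """Return a DENY/PASS verdict for each (action, region) request."""
    return {(a, r): ("DENY" if scp_denies(policy_json, a, r) else "PASS") for a, r in requests}


# Constructed sample requests, roughly what a freshly bootstrapped account might issue.
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("ec2:RunInstances", "us-east-1"),
    ("ec2:RunInstances", "eu-west-1"),
    ("s3:CreateBucket", "ap-southeast-1"),
    ("iam:CreateRole", None),
    ("guardduty:CreateDetector", "us-west-2"),
]

if __name__ == "__main__":
    for (action, region), verdict in audit(REGION_LOCKDOWN_SCP, SAMPLE_REQUESTS).items():
        print(f"{verdict:4} {action:28} {region or '(global)'}")
```

SCPs apply only to member accounts, never the management account, and the AWS reference version of this policy also exempts designated administrator roles via an aws:PrincipalARN condition, which is worth keeping so the lockdown cannot lock out the team that manages it.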

          Key Takeaway: AWS rewards answers that use policy-driven, automated, and scalable solutions, exactly as in this scenario.

          7. The Martial Parallel: Structure Enables Freedom

          In martial arts, beginners see rules as limitations.

            Advanced practitioners see them as:

            • Stability
            • Efficiency
            • Freedom under pressure and much more

            A strong stance doesn’t restrict movement; it enables it. Security foundations work the same way.

            When governance is clear:

            • Teams move faster
• Incidents resolve more cleanly
            • Mistakes are contained
            • Learning compounds

            When governance is weak:

            • Everything feels urgent
            • Security becomes adversarial
            • Teams work around controls instead of with them

            8. Exam Patterns for Domain 6

            Here’s how AWS tests this domain:

            Account-level controls → AWS Organizations + SCPs
            Preventing risky actions globally → SCPs
            Balancing speed and security → Guardrails, not micromanagement
            Scaling security → Automation and standardization
            Aligning with best practices → Well-Architected Framework

            If the question asks:

            “Which solution is easiest to manage at scale?”

            Exam cue: Choose the centralized, automated, policy-driven option.

            Final Capstone: The Six Domains as One System

            Let’s put it all together.

            Domain 1 — Detection
            See clearly. You can’t secure what you can’t observe.
            Detection creates awareness and prevents surprise.

            Domain 2 — Incident Response
            Move decisively without panic. Preparation and clarity turn chaos into choreography.

            Domain 3 — Infrastructure Security
            Shape the terrain. Segmentation, isolation, and least exposure reduce blast radius before attacks happen.

            Domain 4 — Identity and Access Management
            Decide who can act. Identity is the new perimeter. Precision here determines everything else.

            Domain 5 — Data Protection
            Guard what truly matters. Encryption, key management, and lifecycle controls protect the mission itself.

            Domain 6 — Security Foundations and Governance
            Hold the line without rigidity. Governance aligns people, process, and technology into a system that scales.

            The Quiet Truth at the Center of AWS Security

            AWS security is not about fear.
            It is not about heroics.
            It is not about locking everything down.

            It is about clarity, balance, and intention.

            The exam rewards those who:
            • Pause before reacting
            • Think in systems, not silos
            • Choose scalable solutions
            • Respect trade-offs
            • Trust structure over force

            That’s Zen. That’s architectural mastery. You’re ready.

            When you sit for the exam, remember:
            Awareness first.
            Structure second.
            Action last.

            Everything else follows naturally.

            Verification & Citations Framework | “Leave No Doubt”

            Primary AWS Sources to Reference:

            • AWS Shared Responsibility Model
            • AWS Well-Architected Framework (Security Pillar)
            • AWS Organizations Documentation
            • Service Control Policies (SCPs)
            • AWS Security Best Practices Whitepaper
            • AWS Security Specialty Exam Guide (Domain 6)

            Verification Boxes (Suggested Placement):

            • After Shared Responsibility section
            • After SCPs / Governance section
            • After Well-Architected references

            Quick Reference Checklist: Domain 6 – Security Foundations & Governance

            Key Takeaways (Scan before the exam!)

            – Shared Responsibility Model: Always clarify what AWS secures vs. what you control.

            – Use AWS Organizations and SCPs for policy-driven, organization-wide governance.

            – Automate compliance: favor Infrastructure as Code, automated checks, and auto-enablement of detective/preventive controls.

– Lean on the AWS Well-Architected Framework for best-practice alignment.

– Favor scalable, centralized, and policy-driven solutions in exam scenarios.

– Always check the latest AWS documentation—services and features evolve quickly.

            Final Tip: For scenario-based questions, ask: “Is this solution scalable, automated, and centralized?” If so, it’s likely the best choice.

            Change Awareness Note:

            AWS governance services evolve regularly. Always validate SCP behavior, Organizations features, and Well-Architected guidance against current AWS documentation. For the latest on each topic, see:

            Shared Responsibility Model

            AWS Well-Architected Framework

            AWS Organizations

            Service Control Policies

            AWS Security Best Practices

            Security Specialty Exam Guide

            In Defense of Carbs: Energy, Recovery, and the Science You Need

            Most people fear carbs because they’ve been sold the idea that carbs equal fat gain. But for anyone who trains, thinks deeply, or recovers with intent, carbs aren’t optional; they’re essential.

            This isn’t about eating gummy bears or Pop-Tarts and calling it “fuel.” It’s about understanding the physiological role of carbohydrates and using them to enhance output, mood, muscle retention, and recovery.

            Let’s break it down.

            1. Carbs = Performance

            Glycogen (stored carbs) is your muscle’s preferred fuel during strength training, sparring, sprints, or any high-output effort. Without enough:

            • Strength drops
            • Endurance tanks
            • Motor control falters

            Carbs refill that tank. Fewer reps and less intensity? That’s not a motivation problem; it might be a glycogen one. There’s a term known as “bonking” in a workout. To “bonk” in a workout is to reach the functional depletion of glycogen, brought on by exercise. In other words, it’s the condition in which your muscles run out of fuel, with profound effects on performance and well-being. And how do you avoid it? Adequate carbohydrate fueling for your level of performance.

            Science Sidebar: When you eat carbs, insulin helps shuttle glucose into muscle cells to refill glycogen. This is why carbs matter most around activity, not when you’re sedentary. Research shows that athletes and active individuals who time carbs around exercise have better performance and recovery (Burke et al., 2011).

            2. Carbs = Cognitive Clarity

            Your brain runs on glucose. Low-carb fog is real. It shows up in several ways, such as decision fatigue, irritability, difficulty focusing, and a short attention span. Yes, ketones can serve as a backup fuel, but they’re not the most efficient during high-stress or high-focus days.

            Carbs sharpen cognition, boost mood, and reduce stress response.

            3. Carbs = Recovery and Muscle Retention

            Carbs after training:

            • Restore depleted glycogen
            • Support protein synthesis
            • Lower post-training cortisol

            They’re also “protein-sparing,” meaning your body doesn’t need to break down muscle for energy.

            4. Carbs = Hormonal Stability

            Low-carb diets for too long can suppress:

            • Thyroid output (especially T3)
            • Leptin (your satiety and metabolic rate signal)
            • Sleep quality and parasympathetic recovery

            Especially for athletes, hard trainers, or people under high stress, this is a deal-breaker.

            5. Carbs = Better Sleep

            Moderate carbs in the evening:

            • Support serotonin → melatonin conversion
            • Lower cortisol
            • Help shift the body into parasympathetic mode.

            Sleep: Carbs help lower cortisol levels and promote relaxation. Carbs also help raise serotonin, a neurotransmitter that supports relaxation and sleep. It’s one reason why a small carb snack before bed can improve sleep quality for some people. This is why low-carb diets can sometimes disrupt sleep.

            Pro tip: Avoid eating after 8:00 PM. If you must have something, keep it light and digestible:

            • 1 banana
            • 1 scoop whey
            • 1 Fairlife 26g protein shake
            • Optional: 1 tbsp PB2

            That’s ~350 kcal – just enough to support recovery without interrupting your sleep cycle.

            The Real Issue Isn’t Carbs, It’s Unstructured Eating

            People don’t “gain fat” from potatoes. They gain fat from:

            • Chronic snacking
            • Emotional eating
            • Under-fueling during the day and overeating at night

            Carbs are fine; reactivity and randomness aren’t.

            Coach’s Notes: Carb needs vary from person to person; listen to your body and adjust based on your activity, stress, and recovery.

            • Start with structure, not restriction.
            • Place carbs around output: morning, post-training, early dinner.
            • Observe how your sleep and recovery improve when you fuel with intention.

            As silly as it may sound, a palm-sized portion of rice, potatoes, or fruit is a good place to start if you don’t want to count grams. Use your hand as a guide for portions.

            Bonus tip: Carbs that are high in fiber, like fruit, potatoes, and whole grains, not only support performance, but also feed your gut microbiome, helping with digestion and immunity. And just in case you need a reminder, any fruit or vegetable is a carbohydrate source. Some are better than others, but the key is to eat the ones you like vs. trying to force yourself to eat anything you don’t like.

            Suggested Reading:

            Good Calories, Bad Calories – Gary Taubes
            A well-researched, critical look at nutritional dogma and food myths, especially around carbs and fat.

            Myth: Carbs make you fat. Truth: Excess calories, not carbs, drive weight gain.

            Carbs don’t kill gains; they help sustain them. Used wisely, they improve output, cognition, mood, sleep, and recovery. However, as with any caloric intake, excess leads to consuming more calories than you burn, i.e., a caloric surplus = “weight gain.”

            Action Challenge:

            Track your carb intake for 3 days, but not just the grams. Track when and why you ate when you did:

            • Was it training-related?
            • Emotional?
            • Habitual?
            • Based on energy need?

            Awareness creates clarity, and clarity can help drive consistency.

            Next Week: You’ve dialed in protein and carbs. Now we’ll cover the most misunderstood macronutrient of all: fats.

            How to use them for satiety, hormones, and cognitive support without overdoing it.

            Does Nutrient Timing Matter? Yes, But Not the Way You Think

            Stop obsessing over windows. Start building systems.

            If you train hard, care about body composition, and want real-world energy, you’ve probably heard people say:

            “You have to eat protein within 30 minutes of lifting.”
            “Don’t eat carbs after 8 PM.”
            “Fasting boosts growth hormone, just train fasted.”
            “Breakfast is optional if your willpower is high enough.”

            None of this is completely wrong, but none of them is 100% valid or effective for all, so don’t waste any mental space on them and focus on what’s been proven to work over decades.

            Let’s cut through the BS.

            The Truth About Nutrient Timing

            Nutrient timing can matter, but it’s not the magic some claim, and it’s not completely useless like others claim.

            It doesn’t override your daily totals. But it does influence:

            • How well you train.
            • How fast you recover.
• How consistent your energy, mood, and hunger are.

            Here’s the simplified hierarchy:

            1. Daily intake = most important
            2. Meal timing = performance lever
            3. Meal composition = precision tool
            4. Supplement timing = tiny bonus

            Myth: If you miss the post-workout window, your workout is wasted.
            Fact: Muscle protein synthesis remains elevated for hours; what matters most is your overall daily intake and rhythm.

            Science Sidebar: Why does timing matter? Protein synthesis is elevated for several hours after training, so spacing protein throughout the day maximizes muscle repair. Carbohydrates around workouts help refill glycogen and lower stress hormones like cortisol.

            What You Need to Know

            1. Protein Timing

            Protein intake is about distribution, not hitting a “window.”

            Aim for:

            • 25–40g of protein per meal
            • Every 3–5 hours
            • Starting within 1–2 hours of waking
            • Ending within 2 hours post-training

            Even distribution improves muscle protein synthesis, recovery, and satiety. Research shows that even protein distribution (every 3–5 hours) is linked to greater muscle protein synthesis and recovery (Areta et al., 2013).

            2. Carbohydrate Timing

            Carbs are fuel, especially around training.

            Pre-workout: 30–60g (1–2 hours prior)
            Post-workout: 30–60g + protein (within 1–2 hours)

            This replenishes glycogen, blunts cortisol, and enhances recovery.
            It’s not “dirty.” It’s just useful.

            3. Fat Timing

            Fat slows digestion. That’s helpful during the day but not ideal around training.

            Keep fat moderate pre-workout. Go higher-fat during lower-carb meals later in the day.

            Fat: It’s less about timing, more about portion. Eating a high-fat meal before training can slow digestion and make some people feel sluggish. Experiment with your pre-workout meals to find what feels best.

            Generally: moderate fat at main meals, lower fat pre/post-workout.

            Example Timing Strategy (Strength Training Day)

            When I started having a balanced meal within 90 minutes of training, my recovery and afternoon energy noticeably improved.

            • 8:00 AM: 3 eggs, oats, berries (protein + carbs + fat)
            • 12:00 PM: Chicken, veggies, avocado (protein + carbs + fat)
            • 3:00 PM: Pre-workout shake 1 scoop whey + 50g carbs from a fruit source
            • 5:00 PM: Train
• 6:30 PM: Post-workout, beef and sweet potato + Kerrygold butter (protein + carbs + fat)
• 7:30–8:00 PM: Greek yogurt + whey or casein and a handful of nuts

            Total protein: ~180-200g
            Balanced carbs, front-loaded around training
            Fats used to stabilize energy later

            Action Challenge:

            Pick one meal to move closer to your training time and one post-workout meal to optimize.

            Your goal:

            • Protein: 30g
            • Carbs: 30–50g
            • Minimal fat
            • Eaten within 1–2 hours of finishing your workout

            Coach’s Corner:

            • Don’t try to “hack” your metabolism with clever meal timing.
            • Build rhythm that supports your output.
            • Use timing to reduce stress, not increase it.

            Suggested Reading:

“Nutrient Timing: The Future of Sports Nutrition” by Ivy & Portman
            A classic foundation on how timing influences performance and recovery. A bit dated, but still useful.

            Key Takeaway:

            Nutrient timing isn’t magic; it’s just another way to support what matters most: consistency and recovery.

            Timing isn’t a rulebook. It’s a framework. Daily totals matter most, but if you train hard, timing helps you show up stronger, recover faster, and stay more consistent.

            Next Week: The Carbohydrate Question

            Once your daily intake is dialed in and you start thinking about timing, the next question always comes up:

            “Do carbs still matter? Or should I be avoiding them?”

            That’s where we’re headed next. In Week 4, we’ll break down the truth about carbs. Not hype. Not fear. Just what they actually do, and how to use them to train, recover, and function better in daily life.

            The Art of Cyberwar | Part XIII | The Use of Spies

            The principles:

            “Knowledge of the enemy’s dispositions can only be obtained from other men.”

            “However, spies cannot be usefully employed without a certain intuitive sagacity.”

            “Be subtle and use your spies for every kind of business.”

            “Hence, it is only the enlightened ruler and the wise general who will use the highest intelligence of the army for purposes of spying, and thereby they achieve great results.”

            The Quiet After the Fire

            After the smoke clears, the last weapon isn’t destruction; it’s knowledge. Sun Tzu closes his book here, not with conquest, but with insight. The general who knows through others, he says, wins without fighting. The one who fights without knowing spends blood buying what wisdom could have earned.

            In modern form, intelligence replaces escalation. Information, verified and interpreted, is the ultimate force multiplier.

            The Five Spies

            Sun Tzu’s framework remains elegant and practical. He identifies five types of spies, each still alive and well in today’s cyber and geopolitical landscape.

1. Local spies – insiders, collaborators, citizens.
              • Modern analogue: human intelligence, insider threat programs, whistleblowers, or local analysts embedded in culture.
              • Lesson: you can’t know an environment without someone who breathes its air.
            2. Inward spies – the enemy’s own people who provide insight.
              • Modern analogue: defectors, double agents, internal whistleblowers, or compromised insiders in adversary organizations.
              • In cyber: infiltration of adversary forums, threat actor telemetry, or behavioral analysis of attacker TTPs.
            3. Converted spies – enemy agents who have been turned.
              • Modern analogue: captured malware turned into indicators, enemy disinformation repurposed for exposure.
              • Intelligence and counterintelligence merge – data becomes self-revealing.
            4. Doomed spies – agents sent with false information, knowing they will be sacrificed.
              • Modern analogue: honeypots, decoy networks, misinformation campaigns used to draw out adversaries.
              • Lesson: deception has cost; calculate it.
            5. Surviving spies – those who return with verified knowledge.
              • Modern analogue: analysts who gather, vet, and integrate multiple data sources to produce actual intelligence.
              • Lesson: data isn’t knowledge until it’s interpreted and fed back into strategy.

            The five together form a complete intelligence loop: gather, plant, deceive, sacrifice, verify.
            Today, we refer to this as the intelligence cycle.

            Information as the New Espionage

            We live in an age where everything and everyone collects or steals your data. Apps harvest movement. Sensors record temperature and tone. Governments build databases so vast they blur into prophecy.

            But the principle hasn’t changed: intelligence is not about having information – it’s about understanding what matters and when.

            A terabyte of telemetry means nothing without discernment. One well-placed attacker can outperform a thousand firewalls.

            Foreign Policy and the Failure of Insight

            Throughout the 20th century, U.S. foreign policy often suffered from information abundance but a lack of the ability to interpret the intelligence it had gathered.

            • Pearl Harbor: a multitude of signals existed, but interpretation failed.
            • Vietnam: metrics replaced meaning – body counts masquerading as progress.
            • Iraq WMDs: intelligence distorted to paint a specific picture rather than inform decision-making.
• Afghanistan: decades of data existed without a clear endgame; the war cost thousands of American lives and trillions of taxpayers’ dollars.

            Each case proves Sun Tzu’s point: “If you know neither the enemy nor yourself, you will succumb in every battle.”

            Intelligence was there, but self-awareness wasn’t. Knowing isn’t only about them; it’s about seeing what you refuse to see in yourself.

            Cyber Intelligence: Seeing Without Touching

            In cybersecurity, the “spies” are telemetry, sensors, analysts, and sometimes friendly adversaries.
            Every alert, log, and anomaly is a scout’s report. But like all intelligence, its value depends on interpretation.

            • Local spies: internal logs and behavior analytics.
            • Inward spies: penetration testing, red-team operations, insider threat programs.
            • Converted spies: captured malware and attacker infrastructure repurposed for defense.
            • Doomed spies: honeypots, deception networks, and fake data seeds.
            • Surviving spies: analysts, threat-hunters, and intel-sharing alliances.

            The objective is clarity without exposure, to see everything while remaining unseen. Fire consumes, intelligence illuminates.

            The Moral Dimension of Knowing

            Intelligence work carries moral weight. Spies, human or digital, trade in trust. Sun Tzu demands that the general handle them with the highest regard: reward them generously, guard them carefully, and never waste them carelessly.

            The ethical parallel today is privacy. The line between intelligence and intrusion is measured in intent and restraint. Knowledge gathered without purpose is voyeurism. Knowledge used without reflection is manipulation.

            Sun Tzu’s ideal: learn enough to prevent war, not to justify one.

            Strategic Lessons for Leaders

            1. Listen to your scouts.
              Truth often arrives quietly, wrapped in discomfort. Leaders who dismiss dissent lose foresight.
            2. Reward information honestly.
              Transparency and gratitude feed the flow of truth; fear and ego choke it.
            3. Centralize interpretation, not collection.
              Many sensors, one mind – unified analysis, decentralized data.
            4. Balance secrecy with accountability.
              Intelligence held too tightly becomes blindness.
            5. Use information to avoid fire.
              The goal of knowledge is to make destruction unnecessary.

            From Fire to Silence

            The transition from Attack by Fire to Use of Spies is the book’s moral hinge. After escalation comes discernment; after destruction, discipline.

            Sun Tzu understood what modern states and corporations often forget: Force is crude, information is subtle – and subtlety wins the wars that power cannot.

            In cybersecurity, this is the move from reaction to anticipation. In foreign policy, it’s the evolution from aggression to diplomacy. In leadership, it’s the shift from command to comprehension.

            The best security posture isn’t dominance – it’s awareness. The most powerful army is one that rarely fights.

            Epilogue — The Quiet Art

            The Art of War ends not with blood or banners, but with silence, a stillness that comes from mastery.

            True security, like true wisdom, is invisible.
            It doesn’t announce itself.
            It doesn’t need to.

            When you know yourself and your adversary, every threat is already half-dissolved. When you act only when necessary, victory becomes maintenance rather than spectacle. And when you can learn from what moves unseen, you stop fighting the same battles over and over again.

As Operation Aurora, a sophisticated cyber espionage campaign that quietly infiltrated major tech companies, proved, the side with better intelligence rarely needs to escalate; quiet knowledge can outmaneuver brute force.

            That’s the art of cyberwar – when you know yourself and your adversary, every threat is already half-dissolved. When you act only when necessary, victory becomes maintenance rather than spectacle. And when you can learn from what moves unseen, you stop fighting the same battles over and over again.

            That is the final lesson of Sun Tzu, and of cyberwar:
            Not destruction, but understanding.
            Not conquest, but control of your own attention.
            Not escalation, but insight.

            Not noise, but silence.

            The art is not in the fight, but in the knowing. Return always to the principle: “Knowledge of the enemy’s dispositions can only be obtained from other men.”

            And, in the end, mastery is realizing you rarely need to fight at all.

            The Art of Cyberwar | Part X | Terrain

            The principles:

            “The natural formation of the country is the soldier’s best ally; make use of it to your advantage.”

            “When the general is weak and without authority; when his orders are not clear and distinct; when there are no fixed duties assigned to officers and men, and the ranks are formed in a slovenly haphazard manner, the result is utter disorganization.”

            “The general who advances without coveting fame and retreats without fearing disgrace, whose only thought is to protect his country and do good service for his sovereign, is the jewel of the kingdom.” Sun Tzu

            Ground First

            Sun Tzu makes a simple demand: know the ground on which you stand.

            The proper ground turns disadvantage into leverage. The wrong ground turns strength into exposure. Terrain is not merely soil; it is topology, logistics, law, culture, and architecture. In the modern world, it includes cloud regions, compliance borders, identity planes, and network topology. Choose well, and the fight often narrows into something you can actually win.

            This is not an abstract chapter. It’s a practical one.

            If you’ve ever seen a breach unfold, you’ve witnessed terrain deciding outcomes in real time: attackers rarely “win” because they are stronger; they win because they enter through easy ground, move through poorly observed corridors, and reach valuable systems before defenders can orient.

            The defender’s job is not merely to resist. It is to shape the ground so that the adversary’s best options become expensive, loud, or impossible.

            Types of Terrain – What They Feel Like, What They Demand

            Sun Tzu names a wide variety of ground. In practice, the terrain we face, militarily, digitally, and politically, collapses into recurring patterns: open, narrow, steep, encircled, and expansive.

            Each demands a distinct strategy. Each punishes a different kind of arrogance.

            Open Ground – Fast, visible, unforgiving

            Open ground is where you can be seen.

            In war, it is flat land with no cover: movement is easy, concealment is costly, and discipline decides whether speed becomes an advantage or panic. Detection and clean maneuvering are important because contact is constant.

            In cybersecurity, open ground is your public-facing surface area: internet-exposed services, public APIs, external portals, and remote access entry points. This is not where you want complexity. You want ruthless simplicity, fewer doors, fewer endpoints, fewer exceptions, paired with strong telemetry. Frameworks like the CIS Controls and NIST CSF explicitly prioritize inventorying and minimizing public-facing assets—making clarity and control here a universal best practice.

            Open ground is also where deception works best. Decoys, false signals, and baited paths can pull an enemy out of position. In cyber, honeypots and canary tokens do the same: they invite movement into visibility and turn curiosity into evidence.
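As an added illustration (not code from the original post), the following Python detector shows how canaries on open ground turn curiosity into evidence: it parses combined-format web access logs, flags any request for a decoy path that no legitimate page links to, and groups the hits by source. The decoy paths, log lines and IP addresses are constructed for the example.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Hypothetical canary paths and the place each decoy was planted. They are never
# linked from real pages, so a request for one is evidence of probing, not noise.
CANARY_PATHS: Dict[str, str] = {
    "/backup/db-export-2023.sql": "decoy listed in a robots.txt Disallow line",
    "/admin-legacy/": "decoy admin path left in a stale HTML comment",
    "/api/v0/keys": "decoy endpoint referenced in an old JS bundle",
}

# Combined log format, as written by Apache httpd or nginx by default.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def canonical(target: str) -> str:
    """Strip query string and fragment, lowercase, drop a trailing slash, so that
    /Admin-Legacy/?debug=1 and /admin-legacy match the same canary."""
    path = target.split("?", 1)[0].split("#", 1)[0].lower()
    return path.rstrip("/") or "/"


# Canaries keyed by their canonical form, built once at import time.
CANARIES: Dict[str, str] = {canonical(p): why for p, why in CANARY_PATHS.items()}


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None for a malformed line
    (a detector must skip garbage, not crash on it)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = canonical(rec["target"])
    return rec


def detect_canary_hits(lines: List[str]) -> List[dict]:
    """Every request for a canary path is a hit. The response status is recorded
    but does not matter: a 404 on a decoy is still someone asking for it."""
    hits = []
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if rec is None:
            continue
        why = CANARIES.get(rec["path"])
        if why is None:
            continue
        hits.append({
            "ip": rec["ip"], "ts": rec["ts"], "path": rec["path"],
            "status": int(rec["status"]), "ua": rec["ua"], "why": why,
        })
    return hits


def summarize_by_source(hits: List[dict]) -> Dict[str, dict]:
    """Group hits per source address: how many decoys it touched, which ones,
    and when it was first seen, which is what an analyst wants in the alert."""
    summary = defaultdict(lambda: {"count": 0, "paths": set(), "first_seen": None})
    for h in hits:
        s = summary[h["ip"]]
        s["count"] += 1
        s["paths"].add(h["path"])
        if s["first_seen"] is None:
            s["first_seen"] = h["ts"]
    return dict(summary)


# Constructed sample log: ordinary traffic, one scanner walking robots.txt into
# two decoys, a malformed line, and a single probe of the decoy API endpoint.
SAMPLE_LOG = [
    '198.51.100.23 - - [10/Oct/2025:02:14:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [10/Oct/2025:02:14:03 +0000] "GET /static/app.js HTTP/1.1" 200 88120 "https://shop.example/" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2025:02:15:40 +0000] "GET /robots.txt HTTP/1.1" 200 240 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2025:02:15:41 +0000] "GET /backup/db-export-2023.sql HTTP/1.1" 404 153 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2025:02:15:42 +0000] "GET /Admin-Legacy/?debug=1 HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    'garbage line that does not parse',
    '192.0.2.88 - - [10/Oct/2025:03:02:10 +0000] "POST /api/v0/keys HTTP/1.1" 404 153 "-" "curl/8.4.0"',
]

if __name__ == "__main__":
    for ip, s in summarize_by_source(detect_canary_hits(SAMPLE_LOG)).items():
        print(f"ALERT {ip}: {s['count']} canary hit(s), first {s['first_seen']}, "
              f"paths={sorted(s['paths'])}")
```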

            Real-world case: In 2021, the Microsoft Exchange Server vulnerabilities (ProxyLogon) exposed thousands of organizations’ email systems to the internet. Attackers rapidly exploited unpatched, public-facing assets—demonstrating why CIS Controls and NIST CSF stress the importance of inventory and minimizing the external attack surface.

            Open ground isn’t “unsafe.” It’s honest. It shows you what you built.

            Narrow Ground – Chokepoints, bridges, legacy stacks

            Narrow ground is where everything funnels.

            In military history, chokepoints decide battles because geometry becomes force. A smaller army can hold a larger one, not by being stronger, but by limiting the enemy’s options. Just think of the legendary last stand of Leonidas and the Battle of Thermopylae.

            In cyber and cloud, narrow ground is often the infrastructure everyone relies on and no one wants to touch: legacy integrations, VPN tunnels, identity gateways, brittle on-prem choke points, systems tied to modern workflows by thread and habit. They become bridges. Bridges become targets.

            If you harden one thing this quarter, harden your chokepoints and segment around them. Add compensating controls. Increase logging where applicable. Treat narrow terrain as sacred, because when it fails, everything behind it is exposed. The MITRE ATT&CK framework’s focus on lateral movement and privilege escalation highlights why chokepoints must be secured and closely monitored.

            Mini-case: The 2021 Colonial Pipeline ransomware attack targeted a single VPN account—an overlooked chokepoint with no multi-factor authentication. This breach underscores the criticality of securing and monitoring privileged access pathways.

            Martial principles show up cleanly here. Wing Chun teaches that in close range, cutting angles and superior structure become everything. Trapping is about denying your opponent options. Narrow terrain does the same: it constrains movement and penalizes sloppy positioning.

            Steep Ground – Visibility and defensibility, limited mobility

            Steep ground is an advantage you must maintain.

            High ground offers visibility and defensive leverage, but you don’t sprint on it. Movement becomes deliberate. Once you lose it, regaining it costs more than taking it did.

            In cyber/cloud terms, the “steep ground” is where you place your crown jewels: production enclaves, privileged access vaults, critical logging pipelines, backup infrastructure, and identity governance. These are zones with strict access controls, immutable logs, and minimal pathways. NIST Special Publication 800-53 and CIS Controls both emphasize layered defenses and strong separation for critical assets, reinforcing the need for deliberate, hardened environments.

            These environments should feel “steep” to anyone moving through them, including your own staff. That friction is the point. Steep terrain ensures enforcement of control.

            Industry example: Major cloud providers routinely isolate customer data and management functions in highly restricted “steep ground” zones, applying controls from NIST SP 800-53 and CIS to prevent lateral movement and ensure containment if a breach occurs.

            In Jiu Jitsu, this is akin to mount or back control: you don’t rush to snatch up a submission. You stabilize, isolate, and apply pressure through position and then finish. The defender who gets impatient on steep ground usually falls off it.

            Encircled Ground – When you risk being surrounded

            Encircled terrain is where isolation becomes lethal.

            In war, encirclement breaks supply lines, erodes morale, and forces rash decisions. In cyber, encirclement often begins as “convenience” and ends as captivity: vendor dependencies, brittle third-party integrations, shadow IT no one owns, “critical” workflows held together by one person’s tribal knowledge.

            The danger is that encirclement rarely feels dramatic at first. It feels normal until you need to restore. Until a vendor is down. Until the contract becomes leverage. Until the only admin is on PTO and the incident is already in motion.

            Encircled ground demands exits: recovery paths, out-of-band access, air-gapped backups, and playbooks that restore connectivity without improvisation. CIS Control 11 and the NIST CSF Recovery Function both emphasize the importance of tested backup and recovery plans, as reliance on a single vendor or system is a strategic vulnerability.

            Recent headline: In the wake of the 2022 Okta breach, organizations that relied exclusively on one identity provider faced business continuity risks. Those with tested out-of-band recovery and contractual exit clauses, as recommended by CIS and NIST, were able to restore operations more quickly.

            If you don’t have those, you don’t have resilience. You have hope.

            Expansive Ground – Flat, wide, tempting for overreach

            Expansive terrain invites ambition. It also hides risk.

            Movement feels easy because there’s “room,” but oversight drops as the supply lines lengthen. This is how empires, and cloud estates, collapse: not from one failure, but from accumulated, ungoverned territory.

            In cyber, expansive ground is sprawl: dozens of cloud accounts, multiple providers, endless permissions, duplicated tools, integrations stacked on integrations. Sprawl isn’t evil. It’s simply unmanaged terrain.

            Expansive ground demands scalable governance: infrastructure-as-code policies, automated compliance, continuous asset inventory, and hard limits on “just one more integration.” Otherwise, you end up “owning” too many things to defend any of them properly. Both NIST CSF and the CIS Controls call for continuous asset management and automated enforcement to keep sprawl in check.

            This is where adversaries thrive, inside your noise.

            Example: Several high-profile breaches, including Capital One (2019), were linked to sprawling cloud environments where asset management and policy enforcement lagged behind rapid deployment. This highlights why NIST CSF and CIS Controls call for continuous inventory and automated governance.

            Choosing the Ground – Offense Through Selection

            A leader’s first tactical choice is where to fight. Good generals choose terrain that favors their force and punishes the enemy’s approach. That’s a decision, not a reflex.

            In cybersecurity, this is how you win before the breach: place valuable services behind hardened, observable layers and force attackers into monitored choke points. Make lateral movement steep. Make privilege escalation loud. Make time and friction the price of progress.

            In cloud architecture, it refers to trust zones and least-privilege boundaries that govern movement, much as terrain shapes an army’s movement. If an adversary wants access, they must climb and be exposed while doing it.

            In foreign policy, it means choosing diplomatic and economic levers rather than landing zones that stretch logistics and public support. Sometimes the “terrain” is public will. Sometimes it’s alliance cohesion. Sometimes it’s your economy. Burn those, and you’ve lost the campaign even if you win the first clash.

            Choosing ground is an active defense. It doesn’t surrender initiative; it shapes the enemy’s options.

            This is where martial deception becomes a strategy. A feint isn’t a lie, it’s an invitation. In Wing Chun, you draw the reach, trap the limb, clear the line, and strike at the same time. In Muay Thai, you show the jab to invite a teep to sweep the leg. In Jiu Jitsu, you offer the submission attempt you’re prepared to counter. Terrain selection works the same way: you present what looks like access, but what you built is a corridor of control.

            Leadership, Discipline, and Knowing Your Soldiers

            Sun Tzu insists a general must know his troops. That’s leadership in a sentence.

            A leader’s indecision, ego, or poor communication is as lethal as bad geography. Poor leaders over-commit, under-communicate, or ignore warnings. They treat friction as disobedience and clarity as optional. That is how organizations drift into the “slovenly haphazard” disorder Sun Tzu warns about: plenty of tools, no coherence.

            Discipline matters. Soldiers and engineers, treated with respect but held to standards, perform under pressure. Leniency breeds sloppiness; cruelty breeds silence. Both are operational risks.

            Know your teams: strengths, fatigue thresholds, and tempo. Rotate duty. Limit emergency hours. Maintain training. In cloud and cyber, this includes on-call limits, respect for sleep, post-incident retrospectives, and psychological safety to report near-misses before they become incidents.

            Morale shows up earlier than metrics. Leaders build the culture that sustains long campaigns.

            Calculation Before Battle – The Work of Winning

            Sun Tzu elevates calculation above impulse: the commander who measures many variables before engagement usually wins; the one who does not, loses.

            This calculation is methodical: map terrain, count supplies (capacity), estimate enemy options, and plan contingencies.

            In cyber, that means knowing your attack surface, understanding threat actor patterns, identifying likely pivot points, and building tested response runbooks. Rehearse, not because you expect a breach, but because you refuse to improvise under duress.

            In the cloud, this entails calculating blast radius, recovery objectives, and the cost of complexity relative to the cost of resilience. It also means choosing fewer tools and mastering them, because every new platform is a new terrain you must defend.

            In policy, it means calculating costs in treasure, trust, and time. Private-sector analogs are attention, capital, and brand.

            Winning is the product of preparation. You cannot improvise a viable posture in a crisis.

            Specific Strategies by Terrain – Practical Moves

            • Open ground: prioritize speed and detection; keep public assets to a minimum; deploy decoys and canaries; monitor aggressively. (CIS Controls 1, 7; NIST CSF Identify & Protect)
            • Narrow ground: enforce access controls and logging; funnel traffic through audited gateways; validate identity aggressively. (MITRE ATT&CK; NIST CSF Detect)
            • Steep ground: design immutable environments and strict separation; place critical controls in high-ground enclaves with minimal human pathways. (NIST SP 800-53; CIS Control 13)
            • Encircled ground: ensure out-of-band recovery, air-gapped backups, and manual admin paths; maintain contractual exit clauses with vendors. (NIST CSF Recover; CIS Control 11)
            • Expansive ground: prune and consolidate; adopt infrastructure-as-code policies and automated compliance; set hard limits on new integrations. (CIS Control 1; NIST CSF Asset Management)

            Every choice reduces the opponent’s options and preserves the defender’s leverage. In practice, aligning terrain strategies with proven frameworks isn’t bureaucracy; it’s how you translate doctrine into daily operations.

            Parallels: Rome, Corporations, and Nations

            Rome didn’t fail because it was weak; it failed because it could no longer pay for its expansion. The pattern repeats: a leader mistakes reach for control, stretches supply lines, and forgets the home base.

            In business, over-expansion without integration kills cash flow and culture. In policy, interventions without sustainable objectives are hollow support. In cyber, growth without governance turns territory into liability.

            The remedy is the same: select advantageous ground, keep logistics tight, and honor the limits of what you can sustain.

            Closing: Ground, People, Calculation

            Terrain teaches humility. It forces honesty about supply lines, political will, and human limits. Leaders must select ground that fits their forces, know their people well enough to deploy them without breaking them, and calculate relentlessly before contact. The best strategy isn’t the loudest; it’s the one most rigorously mapped to the ground and standards that define your domain.

            Sun Tzu’s point is blunt: the general who prepares wins because he has already made many small victories before the first clash. The rest simply discover, too late, what the ground beneath them already knew.

            The Next Step: Situations Reveal the Ground

            Sun Tzu ends this chapter the way a good fighter ends an exchange: not with noise, but with control.

            Terrain is not merely where you fight; it is what the fight allows. It determines which tactics are available, which movements are costly, and which victories are possible without incurring blood, bandwidth, or morale costs. The wise commander doesn’t “try harder” on bad ground. He changes the angle, changes the conditions, and shapes the enemy’s options.

            Muay Thai does it with ring craft: take space, cut off exits, force exchanges where your strikes land cleanly. Jiu Jitsu does it with position, then control, then submission, and sometimes with a ruthless setup: allowing the opponent to chase the submission you expected, only to counter when they overextend.

            Terrain works the same way. Choose it well, and you’re not only defending but shaping the enemy’s approach until their “attack” becomes the opening you built the environment to reveal.

            That leads us directly back to the principles that opened this chapter:

            “The natural formation of the country is the soldier’s best ally; make use of it to your advantage.” Because once you understand the ground, you stop fighting the fight the enemy wants, and start forcing the battle they cannot win.

            And when leadership is weak, orders are unclear, and duties are unfixed, the result is exactly what Sun Tzu promised: utter disorganization, not because the enemy was brilliant, but because the ground exposed what was already unstable.

            The highest standard remains unchanged: the general who advances without vanity and retreats without fear, whose only thought is to protect his people and do good service, is the jewel of the kingdom.

            Bridge to Part XI – The Nine Situations

            Terrain teaches you what is possible. The Nine Situations teaches you what to do when possibility collapses into reality, when you’re advancing, retreating, encircled, trapped, deep in enemy ground, or approaching decisive contact.

            It is a doctrine of movement under pressure: acting in accordance with circumstances without losing coherence.

            You’ve learned how to read the ground.
            Next, you’ll learn how to fight on it.

            The Art of Cyberwar | Part VII | Maneuvering

            Chapter VII’s artwork conveys the essence of Sun Tzu’s Maneuvering with clarity and grandeur. A lone commander surveys a vast, unfolding landscape of troops in motion, symbolizing disciplined rhythm rather than frantic pace. The terrain’s natural flow mirrors the movement of cloud-age systems, and the light breaking across the valley evokes strategic awareness dawning before action. It is a rare blend of historical resonance and modern metaphor, a visual philosophy.

            Movement After Position

            The Principle: “We may take it then that an army without its baggage-train is lost; without provisions it is lost; without bases of supply it is lost.” — Sun Tzu

            The Art of Coordinated Movement

            A cybersecurity team detects a breach at 2 AM. They have the skills, the tools, and the authority to act. But without coordination, that capability becomes chaos: analysts duplicating work, containment efforts conflicting, communication breaking down. By dawn, the advantage is gone.

            In February 1943, American forces faced German tanks at Kasserine Pass in North Africa. They had the weapons, the numbers, the training. What they lacked was coordination between units and effective air-ground communication. The result? The first major American defeat of WWII was not due to a lack of capability, but to failure to maneuver as a unified force.

            Fifteen months later, those same American forces learned the lesson. On June 6, 1944, D-Day coordinated 12 nations, over 7,000 vessels, and 160,000 troops across five beaches in a single operation. Not because they suddenly acquired better weapons, but because they mastered maneuvering. Kasserine Pass taught them that capability without coordination is chaos. Normandy proved that coordination transforms capability into victory.

            Eighty years later, the battlefield is digital, but the lesson remains the same.

            Sun Tzu called this the difference between movement and maneuvering.

            Maneuvering is the discipline of transforming positional advantage into progress without depleting resources. Though movement may appear straightforward (advance, pivot, respond), it demands careful coordination. Without coordination, movement breeds confusion and disorder, undermining any initial advantage.

            In Brazilian Jiu-Jitsu, there’s a fundamental principle: position before submission. A novice rushes for the choke. A master secures the proper position, seeks control, applies the proper pressure, isolates the arm, and then the finish is there for the taking. The submission becomes inevitable because the position made it so.

            Maneuvering works the same way: structured movement from an established position. Not frenetic action. Coordinated, calculated movement in advance.

            Whether in military operations, government, or cybersecurity, the true challenge lies in maintaining momentum while preserving balance. Effective teams favor structured, intentional movement, not just speed.

            This is the heart of maneuvering: composure, intent, and clarity. Act from principle, not anxiety.

            The Maneuvering Decision Matrix

            Sun Tzu understood that effective maneuvering requires reading the moment, knowing when to accelerate, when to pause, and when to let the environment dictate pace.

            Modern leaders need the same discernment:

            When to Accelerate:

            • The advantage is clear and actionable.
            • Resources are sufficient.
            • Team alignment is strong.
            • The opponent is vulnerable.

            When to Pause:

            • Visibility is degraded.
            • Fatigue is setting in across the team.
            • Purpose has become uncertain.
            • Information remains incomplete.

            When to Let the Environment Dictate:

            • The opponent is making mistakes.
            • Terrain is shifting faster than you can control.
            • Patience offers a strategic advantage.
            • Reactive movement would expose weakness.

            This isn’t indecision. It’s tactical discipline. The fighter who controls tempo controls the outcome.

            Tempo and Terrain

            In both war and cybersecurity, timing determines outcomes more than sheer speed. When to act matters more than how quickly you act.

            Sun Tzu cautioned that armies advancing too rapidly become fatigued, while those moving too slowly forfeit initiative. Balance requires understanding rhythm, discerning when to accelerate, when to pause, and when to let the environment set the pace.

            Today, that terrain is digital.

            The modern battlefield consists of networks, cloud environments, and global systems. Effective cybersecurity professionals study the digital landscape to move with intent, not to avoid movement altogether.

            In the cloud era, terrain isn’t geography, it’s architecture.

            Latency, visibility, and complexity shape what’s possible. The most secure organizations extend beyond perimeter defense by developing a comprehensive understanding of their operational landscape. They design systems where quick tactical movements don’t create strategic vulnerabilities.

            The Cyber Battlefield: Coordination Over Chaos

            In cybersecurity, effective maneuvering means more than quick patching or immediate responses. It requires aligning teams, especially during high-pressure situations.

            • Incident response represents maneuvering under pressure: containment, communication, and recovery.
            • Threat intelligence involves maneuvering through uncertainty—transforming fragmented information into actionable insights without prematurely acting on incomplete data.
            • Automation functions as the logistical backbone, the supply chain supporting frontline operations. When automation fails, even highly skilled analysts face burnout.

            Many security operations centers (SOCs) miss this point. Constant urgency and nonstop action may seem productive, but endless motion risks exhaustion and reduced effectiveness.

            Authentic maneuvering is characterized by calm, control, deliberation, and focus.

            • Wing Chun’s centerline theory offers a simple, direct, economical model. SOC analysts don’t need fifty tools—they need the right three, automated properly, with clear escalation paths. Economy of force.
            • The central point: when your playbook drives decisions, you maneuver. When alerts drive decisions, you react.

            Cloud Mobility: The Terrain in Flux

            The shift to cloud computing redefined what “maneuvering” means. In the old world, servers stayed put. Now, data, workloads, and identities move across providers, borders, and legal frameworks.

            In this environment, organizational strength comes not from rigidly restricting movement, but from orchestrating secure and transparent operations.

            Cloud maneuvering looks like:

            • Workloads shifting across regions without breaking compliance
            • Data flowing securely through APIs without leaving blind spots
            • Teams pivoting incident response playbooks across hybrid environments in real time

            Cloud environments reward planning for motion. Organizations win by designing for agile, secure movement, not by resisting change.

            In 2023, a Fortune 500 company’s cloud migration stalled not because of technical limitations, but because their security team designed for a static perimeter. When workloads needed to shift regions for compliance, every move required manual review.

            Organizations that assume static conditions are at a disadvantage.

            This aligns with the martial principle of flow: rigid fighters break. Rigid systems break faster.

            Foreign Policy and the Cost of Motion

            Nations, too, confuse movement with progress. America’s 20th-century record is full of lessons in tempo and fatigue.

            But no example better illustrates the danger of resource-driven maneuvering than what led to the attack on Pearl Harbor.

            The Pearl Harbor Lesson: When Resources Force Your Hand

            Japan’s attack wasn’t born from ambition; it was forced by logistics. The U.S., Britain, and the Dutch enforced the ABCD embargo, cutting off:

            • Oil
            • Rice
            • Steel
            • Rubber
            • Machine parts

            Japan imported 90% of its oil. Cut off from fuel, it faced two choices: fight or run out of energy and food entirely.

            Sun Tzu wrote: “Throw your men into death ground, and they will fight.”

            Japan was placed on death ground by resource denial. Their maneuver, the attack itself, was coordinated brilliantly. Six aircraft carriers, 353 aircraft, precise timing across multiple strike waves.

            Tactically, it was masterful.

            But strategically? Admiral Yamamoto knew: “I fear all we have done is awaken a sleeping giant.”

            A lingering question remains: was America truly sleeping? WWI had concluded only 20 years earlier. Before WWII, WWI was considered the deadliest war in human history, earning the moniker “The Great War” for its immense scale and death toll of approximately 20 million lives. Its unprecedented destruction set it apart from previous conflicts. So, America was hardly asleep. Back to Pearl Harbor.

            The lesson isn’t about the attack’s execution. It’s about what happens when maneuvering is dictated by desperation rather than position. When resources force your hand, even perfect coordination can’t save you.

            Sun Tzu’s calculus applies: survival-driven movement, no matter how well-executed, is still reactive. And reactive maneuvering rarely wins wars.

            The United States later encountered similar challenges in Vietnam, Iraq, and Afghanistan, where rapid action outpaced strategic learning. Momentum itself became a compelling but hazardous force.

            Diplomacy is maneuvering in another realm.

            In contrast, contemporary policy frequently equates reaction with strategy, prompting responses to every crisis even when restraint or delay might prove more advantageous.

            Sun Tzu’s wisdom cuts through centuries: “If you know neither the terrain nor the season, you march to fatigue, not to victory.”

            The Logistics of Cyber Power

            For cybersecurity professionals, logistics consists not of physical supplies, but of bandwidth, personnel, and operational clarity.

            Sustained operations aren’t feasible if systems are overburdened, personnel remain on constant alert, and every issue is treated as critical.

            Good logistics in cyberspace means disciplined prioritization:

            • Which assets are mission-critical?
            • Which alerts deserve escalation?
            • What response cadence prevents burnout?

            Sun Tzu would call this “feeding the army.” In today’s language, it’s resource stewardship.

            An effective CISO ensures security professionals maintain resilience and don’t become exhausted before adversaries lose their resolve.

            The data shows progress. Organizations took an average of 241 days to identify and contain breaches in 2025, down from 287 days in 2021. Not because threats got easier, but because purple-teamers got better at coordinated response. They learned to maneuver.

            Maneuvering the Human Factor

            The most challenging aspect of coordination isn’t the technical infrastructure; it’s the human element. While individuals contribute creativity, they also introduce unpredictability.

            The numbers confirm what practitioners already know: 88% of cybersecurity breaches are caused by human error. Not zero-days. Not sophisticated malware. Human mistakes. The technology isn’t the weak link—the coordination of people using that technology is.

            Sun Tzu understood morale as a weapon system. He coordinated hearts and minds before he coordinated units.

            The same applies to martial arts and security culture.

            • In Muay Thai, they call it ring generalship: the fighter who controls space controls pace. The same applies to security teams. Leaders who set tempo, who decide when to press and when to absorb pressure, create the conditions for team effectiveness.
            • The most effective cybersecurity teams operate like jazz ensembles, distributed but synchronized. Training, communication, and trust are the modern equivalents of morale.

            This is modern maneuvering: achieving precision in movement without relying solely on hierarchical control.

            The Risk of Endless Marching

            Sun Tzu cautioned that armies remaining in the field for extended periods experience internal decline. This phenomenon appears today as burnout, alert fatigue, and continuous red team exercises that fail to produce lasting improvements.

            Organizations that never rest eventually turn on themselves. This applies equally to companies and nations.

            Movement should support strategic objectives, not substitute for them. Effective leadership requires recognizing when to pause, regroup, and restore organizational strength.

            Without periodic rest, strength deteriorates into strain, and resilience devolves into attrition.

            The Bridge to Variation

            The final lesson of maneuvering emphasizes humility: movement does not constitute mastery; it serves as its test.

            Any army, individual, or system that acquires the ability to move must subsequently develop adaptability: the capacity to alter rhythm, diversify tactics, and confound adversaries who anticipate predictability.

            Leading us back to the initial principle: “We may take it then that an army without its baggage-train is lost; without provisions it is lost; without bases of supply it is lost.”

            Maneuvering determines survival. Variation determines victory.

            But first, you must learn to move without falling apart. Master coordination before you attempt improvisation. Secure your supply lines before you advance.

            Because, as Sun Tzu understood, an army that moves with discipline can adapt. An army that moves with chaos can only collapse. The next chapter explores variation, but only those who’ve mastered maneuvering will recognize when to use it.

            The Art of Cyberwar | Part VI | Weak Points and Strong

            Matt Shannon, The Art of Cyberwar, Chapter VI: Weak Points and Strong

            The principle:
            “So in war, the way is to avoid what is strong and to strike at what is weak.”

            Strength and Weakness Are Temporary

            Sun Tzu emphasized that strength and weakness are dynamic rather than static. Although this principle may seem self-evident, it is often overlooked in practice. Many individuals disregard straightforward strategies, mistakenly believing that complexity is required. This oversight often leads to the violation of previous strategic principles or “lessons learned”, indicating a lack of genuine understanding.

            It is essential to recognize that what appears robust today may become fragile in the future, while seemingly vulnerable elements can become decisive with time and increased awareness.

            Power, whether military or digital, shifts with context.

            The critical factor is not the quantity of resources, but the ability to perceive the entire operational landscape. Vulnerabilities arise not only from an adversary’s strengths, but also from gaps in situational awareness and from how slowly adaptation occurs when new realities emerge.

            In contemporary contexts, both nations and security architects often neglect this fundamental principle. There is a tendency to focus on constructing increasingly formidable defenses rather than developing adaptive strategies. Regardless of the scale of these defenses, adversaries require only minor vulnerabilities to compromise their effectiveness. Always remember, your adversaries only need to find a tiny leak in the walls to bring the entire system down.

            Predictability: The Modern Weakness

            Even the most secure fortresses eventually become familiar terrain for attackers. Cyber adversaries do not rely on brute force; instead, they employ strategic analysis. They examine organizational habits and exploit vulnerabilities such as unpatched servers, unmanaged privileged or service accounts, unchanged passwords, and the susceptibility of executives to social engineering.

            Their success depends not on force, but on the predictability of organizational behaviors.

            Nations exhibit similar vulnerabilities. Bureaucratic routines solidify into doctrine, which can devolve into dogma. Adversaries exploit these predictable patterns, waiting for repetition before executing successful attacks.

            Historical events, such as the Pearl Harbor attack, the September 11 attacks, the Gulf of Tonkin incident, and numerous cyber intrusions, demonstrate that deficiencies in critical thinking, complacency, rigidity, and hubris significantly increase the likelihood of successful surprise attacks.

            When Comfort Masquerades as Strength

            Many organizations and governments allocate excessive resources to familiar areas, fostering a false sense of security. This environment allows risks to proliferate unnoticed, undermining overall resilience.

            Cybersecurity teams often spend millions fortifying infrastructure while leaving users untrained.

            Organizations frequently monitor technical metrics while neglecting human behavior. The most significant vulnerabilities often arise from areas presumed to be under adequate management.

            System failures are typically attributable not to insufficient funding, but to misaligned priorities.

            This pattern is evident at the national level as well. Large militaries and substantial budgets often obscure underlying fragilities, including slow adaptation, reliance on outdated assumptions, unstable alliances, and insufficient strategic foresight regarding emerging forms of conflict.

            Historical Lessons of Misguided Strength

            The First World War began with nations convinced that industrial might and rigid plans guaranteed victory. Those plans dissolved within months under the weight of modern weapons and static thinking.

            During the Vietnam War, a major power misinterpreted its capacity for endurance as a guarantee of superiority. The Viet Cong’s guerrilla tactics transformed conventional advantages into significant liabilities.

            Even the rapid success of Operation Desert Storm fostered complacency. Efficiency was mistaken for enduring security, and the perceived triumph was erroneously interpreted as evidence of invincibility.

            Each era reaffirms the principle that the most conspicuous assets are not necessarily the most powerful.

            Flexibility as True Power

            Sun Tzu’s insight was to conceptualize power as dynamic movement. He advocated that a general should emulate water, seeking the path of least resistance and adapting to the terrain.

            Within the cyber domain, the operational landscape evolves rapidly, with new threats, actors, and vulnerabilities emerging on a continual basis.

            In this context, strength is defined by agility:

            • Rotate keys and credentials regularly.
            • Automate but verify.
            • Decentralize authority so teams can act without waiting for hierarchy.

            The most effective defenders are those who demonstrate the greatest adaptability, learning and evolving more rapidly than adversaries can adjust their tactics.


            Lao Tzu’s Echo

            Lao Tzu put it simply:

            “Water overcomes the stone not by strength, but by persistence.”

            Endurance surpasses dominance. Properly understood, flexibility is not a sign of weakness but of resilience, characterized by the capacity to absorb disruption and recover to an original state.

            In the digital context, resilience is reflected in recovery planning, redundancy, and organizational culture. The true measure of strength is not the infrequency of failure, but the speed of recovery following a compromise.


            Turning Weakness Into Insight

            All systems possess inherent flaws. Denial of these vulnerabilities allows them to remain concealed until a crisis occurs. Proactive defenders employ audits, red-team exercises, and transparent communication to identify weaknesses at an early stage.

            Transparency transforms potential liabilities into opportunities for organizational learning.

            Nations could use the same humility.

            Public acknowledgment of mistakes enhances credibility, whereas concealment increases risk. The most resilient governments are not those without flaws, but those capable of adapting transparently before their constituents.

            From Awareness to Action

            Identifying vulnerabilities constitutes only part of the challenge; addressing them effectively demands both discipline and restraint.

            In cybersecurity, this approach entails prioritizing remediation over self-congratulation, thorough preparation prior to disclosure, and critical evaluation before taking action.

            In policy contexts, this requires deliberate prioritization, engaging only in actions where the anticipated outcomes justify the associated costs.

            Misapplied strength can become a source of vulnerability, whereas a thorough understanding of weaknesses can provide strategic foresight.

            The Next Step: The Flow of Force

            Sun Tzu ends this chapter with motion: the strong shifting to the weak, the weak transforming to the strong.

            He implies that awareness must evolve into timing. The wise general aligns his force with the moment, not against it. As he put it, “All men can see the tactics whereby I conquer, but what none can see is the strategy out of which victory is evolved.”

            This concept serves as a transition to the subsequent lesson, which focuses on the dynamics of energy in motion and the strategic management of power with balance and rhythm.

            We’ve learned where to stand. Next, we’ll learn how to move. As Master Tzu concludes Chapter VI:

            Military tactics are like unto water; for water in its natural course runs away from high places and hastens downwards. Water shapes its course according to the nature of the ground over which it flows; the soldier works out his victory in relation to the foe whom he is facing. Therefore, just as water retains no constant shape, so in warfare there are no constant conditions.

            Leading us directly back to this lesson’s seemingly simple principle: “So in war, the way is to avoid what is strong and to strike at what is weak.”

            The Art of Cyberwar, Part V | Energy | The Use of Force

            The principles:
            In all fighting, the direct method may be used for joining battle, but indirect methods will be needed in order to secure victory.

            Indirect tactics, efficiently applied, are inexhaustible as Heaven and Earth, unending as the flow of rivers and streams; like the sun and moon, they end only to begin anew; like the four seasons, they pass away to return once more.

            The Power of Controlled Motion

            Sun Tzu’s fifth chapter deals with energy, not as brute strength, but as direct application of force.

            He warned that a commander must know when to cultivate and store power and when to release it. Misapplied energy burns itself out. When energy is focused, however, it bends the world to its will.

            It’s an idea that translates effortlessly to today’s digital battlefield. Nations, like networks, often fail not because of a lack of capability, but because of a lack of control.

            True mastery isn’t in how much force you can deploy. It’s in knowing how little you need to. It’s akin to the idea that, sure, you can kill a fly with a hammer, but is it the most effective tool at your disposal?

            The Cost of Unchecked Energy

            American diplomatic and military history is full of examples of lawmakers mistaking capacity for clarity.

            In Korea, overwhelming U.S. power pushed back North Korean forces, only to overextend toward China’s border and trigger an entirely new front. And thus, we have burdened ourselves with maintaining the “38th parallel” ever since.

            In Vietnam, energy became inertia: force applied endlessly without definition, draining political and moral capital alike. If only the “peacemakers” at the Treaty of Versailles had let Ho Chi Minh deliver his speech on the Rights of Man, perhaps there would have been no quagmire in Southeast Asia to begin with, no guerrilla war that would take nearly 60,000 American lives and lead to what became known as the “Vietnam Syndrome.”

            In Iraq, “shock and awe” demonstrated that a singular “tactical victory” can be swift while a strategic victory remains elusive, and that is setting aside the entire list of false pretenses that led to the invasion of Iraq to begin with.

            Each conflict began with a belief in momentum and ended with war fatigue, demonstrating once again that force without direction collapses under its own weight.

            The lesson isn’t that force is wrong; it’s that force, when misapplied and unguided, becomes self-consuming. Power is not infinite. Neither is attention, money, or public trust.

            The Cyber Equivalent: Sprawl and Burnout

            Organizations repeat these same mistakes in digital form.

            A breach occurs, and the reflex is to rush to acquire new tools, policies, and budgets, thereby triggering a cyberwar “surge.”

            New dashboards, new alert monitoring, and new vendors lead to a surge in activity, while clarity plummets.

            This is cyber energy without strategy, effort disconnected from insight.

            As Sun Tzu also said: Amid the turmoil and tumult of battle, there may be seeming disorder and yet no real disorder at all; amid confusion and chaos, your array may be without head or tail, yet it will be proof against defeat.

            Teams exhaust themselves chasing incidents instead of patterns. Leaders demand constant escalation, not realizing that perpetual crisis is its own vulnerability.

            The result mirrors the national trap: motion is mistaken for genuine progress. The ability to endure is mistaken for endurance.

            Energy as Rhythm, Not Frenzy

            Sun Tzu described two forms of force:

            • Normal energy — the steady discipline that sustains the fight.
            • Extraordinary energy — the precise, unexpected burst that wins it.

            In cybersecurity, the equivalent is security posture and precision in the application of policies.

            Normal energy is the quiet work of patching, monitoring, and awareness training. Extraordinary energy is the calm, swift, and accurate incident response that turns chaos into closure.

            Both are needed. But one cannot exist without the other. A team that never rests has no energy left to strike when it matters most.

            It’s the same in martial arts.

            In Wing Chun:
            Normal energy = quality structure and energy sensitivity.
            Extraordinary energy = the skill to deliver a singular, intercepting strike that ends the exchange.

            Muay Thai:
            Normal energy = footwork, guard, pacing.
            Extraordinary energy = the slashing elbow, a stabbing teep, or perfectly placed knee.

            BJJ:
            Normal training energy = position, pressure, framing.
            Extraordinary training energy = the ability to sense a submission the moment the opponent’s mistake presents it. Or, in Mandarin, it’s an old idea called Wu Wei, or effortless action. Meaning, I don’t manufacture the opportunity to attack; the enemy presents it to me, like water finding a leak in the dam.

            A Security Team that never rests has no energy left for anything extraordinary.

            Good CISOs, like good generals, good fighters, and good grapplers, understand rhythm. They know when to conserve strength so that action, when it comes, is clean and effective.

            As Master Tzu also knew, “When he utilises combined energy, his fighting men become as it were like unto rolling logs or stones.” And further: “the energy developed by good fighting men is as the momentum of a round stone rolled down a mountain thousands of feet in height. So important is the subject of energy.”

            Diplomacy and the Misuse of Force

            In diplomacy, the same physics apply. The U.S. has often wielded immense power but uneven patience.

            Moments like the Marshall Plan and the Cuban Missile Crisis demonstrated the value of precision, employing limited force, clear objectives, and a proportional response.

            But elsewhere, the misapplication of force became diplomatic impotence on full display. Prolonged occupations and open-ended interventions constantly drain strategic reserves of will and trust.

            Every drone strike, every unconstitutional data collection program, every new cyber warfare doctrine carries a similar risk: that power’s convenience will overshadow its consequence.

            The Taoist counterpoint from Lao Tzu still resonates to this day:

            “He who knows when to stop never finds himself in trouble.”

            Knowing when not to act is the highest use of force. It’s the difference between control and compulsion.

            The Lesson for Cyber Strategy

            A strong digital defense isn’t constant action, it’s intelligent action.

            Practical translation:

            • Automate the repeatable.
            • Escalate only with context.
            • Protect attention as aggressively as data.
            • Reserve extraordinary effort for extraordinary situations.

            Energy mismanaged becomes sprawl. Energy focused becomes resilience.

            It’s never the size of the arsenal. It’s the precision of the response.

            Momentum and the Myth of Constant Action

            Modern life rewards constant motion: refresh, respond, reply.
            In cybersecurity and foreign policy alike, stillness feels dangerous to the untrained mind.

            But strategy lives in the pause between movements. Quality fighting skills are always more effective when you can strike on the half-beat, a fundamental separator on the mats, and on digital and physical battlefields.

            Force has a short half-life. When it’s used endlessly, it decays quickly and fades into the ether. When it’s reserved for the right moment, it changes everything.

            A breach contained quietly is often a bigger victory than a public takedown.
            A crisis de-escalated without violence often preserves more stability than any show of strength.

            Knowing When to “Flow With the Go”

            As Rickson Gracie, one of the greatest living legends in Brazilian Jiu-Jitsu, once said, “In Jiu Jitsu we flow with the go.”

            Meaning:

            • don’t fight force with tension
            • stay aware but not trapped by focus
            • stay smooth and adaptive
            • flow with the opponent’s energy
            • let well-trained instinct and structure guide you

            That metaphor fits the digital era perfectly. The best blue or purple teamers, like the best leaders, don’t fight the current; they learn to read it and swim with it, not against it.

            Lao Tzu would say that “the soft overcomes the hard,” not through weakness but adaptability. Force channeled through awareness is stronger than force spent in anger.

            In warfare and cybersecurity alike, energy is a currency. Spend it recklessly and you’ll be empty when it matters. Spend it wisely and you’ll be leading on the battlefield.

            Final Reflection

            Knowing how to use force is knowing its limits.
            Sun Tzu and Lao Tzu shared the same truth from opposite angles:
            Power must be balanced by patience.
            Energy must be stored as much as it is spent.

            History punishes those who forget this. So does network and security architecture.

            The art isn’t in using force; it’s in knowing when the situation calls for little, none, or overwhelming force.

            That’s not mysticism. That’s strategic maintenance. And it’s as accurate in security architecture as it is on the battlefield.

            All of these lessons point us directly back to our opening principles: “In all fighting, the direct method may be used for joining battle, but indirect methods will be needed to secure victory.” And, “Indirect tactics, efficiently applied, are inexhaustible as Heaven and Earth, unending as the flow of rivers and streams; like the sun and moon, they end only to begin anew; like the four seasons, they pass away to return once more.”

            The wise strategist learns to move the same way.

            The Art of Cyberwar | Part IV | Tactical Dispositions

            The Principles:
            “The good fighters of old first put themselves beyond the possibility of defeat, and then waited for an opportunity of defeating the enemy.”

            “Thus it is that in war the victorious strategist only seeks battle after the victory has been secured, whereas he who is destined to be defeated, first fights, and afterwards looks for victory.” —Sun Tzu

            Every data breach, foreign conflict, and policy error typically originates from an action taken without adequate prior positioning.

            There is a common tendency to conflate activity with progress. Sun Tzu recognized that true invincibility is rooted in defense, while the opportunity for victory depends on the adversary.

            In contemporary terms, this concept is referred to as defensive posture: the disciplined practice of preparation prior to visibility.

            Defensive Positions

            Effective cybersecurity teams secure their positions well in advance of any actual test. They maintain comprehensive awareness of data locations, access privileges, and the criticality of various systems. Such teams implement patches discreetly, monitor systems consistently, and design infrastructures to recover from failures rather than assuming failures will not occur.

            That’s tactical disposition:

            • Enforcing least privilege to build resilience.
            • Applying timely patching to keep critical systems protected.
            • Building backups as integrated mechanisms for redundancy and recovery.
            • Running tabletop exercises to rehearse scenarios that organizations hope never occur.

            This often-invisible work may appear inconsequential until it proves essential in critical moments.

            When Nations Forget the Same Lesson

            Historical evidence indicates that both nations and organizations seldom pause sufficiently to engage in strategic reflection.

            Nations often amass extensive arsenals, initiate large-scale programs, and extend supply lines to project strength. However, when strength is dispersed excessively, it transforms into fragility, a phenomenon known as overreach. Overreach fundamentally undermines resilience.

            The United States has frequently responded to perceived threats with disproportionate measures, conflating activity with effective strategy and reallocating resources without a long-term perspective. Engagements in wars and alliances often occur more rapidly than preparations for their potential consequences.

            The consequences include wasted resources, public fatigue, and strategic exhaustion. All of which contribute to diminished geopolitical and geostrategic self-awareness.

            According to Sun Tzu, achieving invincibility does not involve amassing weapons, engaging in unnecessary interventions, or imposing ineffective sanctions. Instead, it requires constructing economic, digital, and diplomatic systems capable of absorbing shocks while maintaining integrity. A resilient nation need not swing at every shadow.

            Resource Stewardship

            Cybersecurity is frequently perceived as a process of continual escalation, characterized by the addition of more tools, dashboards, and alerts.

            However, each new platform introduces additional complexity, which in turn creates new potential attack surfaces.

            Effective security practices may require declining adoption of the latest technologies and decommissioning unnecessary systems to simplify complex environments.

            As Bruce Lee once said, “I fear not the man who has practiced 10,000 kicks once, but I fear the man who has practiced one kick 10,000 times.”

            Simplifying operations enables organizations to concentrate on mastering essential tools, particularly when resources are limited. The principles of simplicity, directness, and economy of motion are fundamental to effective practice.

            Our government should also learn to exercise the same restraint. Faithful stewardship isn’t constant investment in everything; it’s a deliberate focus on what matters most.

            This approach exemplifies strategic minimalism, which emphasizes the optimal utilization of public resources and, ultimately, enriches us all by conserving precious and limited resources.

            Similarly, America’s original foreign policy was articulated by John Quincy Adams on July 4th, 1821:

            [America]…goes not abroad, in search of monsters to destroy. She is the well-wisher to the freedom and independence of all.

            She is the champion and vindicator only of her own.

            She will commend the general cause by the countenance of her voice, and the benignant sympathy of her example.

            She well knows that by once enlisting under other banners than her own, were they even the banners of foreign independence,

            She would involve herself beyond the power of extrication, in all the wars of interest and intrigue, of individual avarice, envy, and ambition, which assume the colors and usurp the standard of freedom.

            The fundamental maxims of her policy would insensibly change from liberty to force…
            She might become the dictatress of the world. She would be no longer the ruler of her own spirit…

            [America’s] glory is not dominion, but liberty. Her march is the march of the mind. She has a spear and a shield: but the motto upon her shield is, Freedom, Independence, Peace. This has been her Declaration: this has been, as far as her necessary intercourse with the rest of mankind would permit, her practice.

            This practical wisdom may appear boring. However, organizations and governments alike must identify their assets, maintain them, and protect only what can be effectively defended. Continuous review, revision, and updates are fundamental.

            The Cost of Perpetual Readiness

            Sun Tzu cautioned that armies maintained in the field for extended periods deplete their own strength. Contemporary parallels include budgets exhausted by perpetual emergencies and professionals experiencing burnout due to continuous false positives.

            The solution lies in cultivating a well-developed security posture rather than succumbing to ongoing panic and overreaction.

            Organizations should prepare comprehensively, rest intentionally, and engage only when strategically necessary.

            This sequence, prioritizing defense before offense and clarity before action, establishes the resilience that many organizations seek.

            Learning From Tactical Blindness

            Security breaches frequently result from overlooked fundamentals, such as unpatched systems, insufficiently trained users, and unreviewed alerts.

            Similarly, the escalation of wars or crises is often attributable to unexamined assumptions.
            Both scenarios arise from neglecting the primary principle of tactical disposition: understanding one’s position before determining a course of action.

            Modern Application

            • In cybersecurity: organizations should implement defense-in-depth strategies, automate routine checks, and prioritize cultivating awareness rather than fear, emphasizing culture over blame.
            • In governance: it is essential to align objectives with available capacity, critically assess the true cost of each commitment, and recognize that restraint can be the most strategic option.

            This parallel represents a recurring pattern rather than a mere metaphor.

            Practitioner’s Questions To Ask Yourself:

            1. Am I defending by hope instead of design?
            2. Which tools add noise without adding clarity?
            3. What assumptions have gone unchallenged for too long?
            4. Where has “doing more” replaced “preparing better”?

            Final Reflection

            While invincibility is not the explicit objective, it is often the understated result of an effective security architecture. Complete protection cannot be guaranteed, but a resilient posture can be built through patience and persistence. Although this approach may lack glamour, in the ongoing struggle to maintain tactical disposition, it remains essential.

            Sun Tzu’s good fighter was never reckless, never idle. He shaped his defenses so well that the enemy’s attacks lost meaning.

            Nations and security architects should adopt similar practices. Consistently apply the principles of tactical disposition, exercise prudent stewardship of public resources, and cultivate strength, resilience, and wisdom.

            The objective is not to engage in conflict frequently, but only when absolutely necessary, which makes it essential to fully understand and apply this story’s principles:

            “The good fighters of old first put themselves beyond the possibility of defeat, and then waited for an opportunity of defeating the enemy.”

            “Thus it is that in war the victorious strategist only seeks battle after the victory has been secured, whereas he who is destined to be defeated, first fights, and afterwards looks for victory.”

            Multi-Factor Authentication: Boring, Annoying, Essential

            In cybersecurity, we get excited about new technologies like AI, zero trust, and quantum encryption. But ask any practitioner what quietly stops the most breaches day to day, and the answer is still MFA.

            Multi-Factor Authentication may not be exciting. It can slow people down and sometimes feels awkward. Even so, it remains one of the best ways to stop credential theft, which is the most common way attackers get into any network.

            Why MFA Matters

            • Passwords are weak. People reuse them across accounts, attackers buy them on the dark web, and “123456” still shows up in breach data.
            • Phishing is effective. Users still click links and enter credentials. MFA blocks stolen passwords from being enough.
            • Attacks are automated. Bots hammer login pages at scale. MFA breaks that automation by forcing a second factor.

            Despite everything we know, MFA is still the easiest and most effective step in cyber defense. It often makes the difference between stopping an incident and having to respond to one.

            The Pushback Problem

            When we first rolled out MFA in our district, the resistance was loud.

            “It’s annoying.”
            “It slows us down.”
            “We don’t have time for that.”
            “Why do I need this if I’m just checking email?”

            At first, security changes can feel like a big hassle for everyone, whether you’re a teacher, technician, or leader. But a few seconds of extra effort can save us from days or even weeks of problems.

            To make sure everyone accepted MFA, we took our time and built support step by step:

            • Continuous staff education. Regular updates explained the “why” behind MFA, not just the “how.”
            • Knowledge-base articles gave our help desk a clear playbook, no scrambling when someone was locked out or confused.
            • Anticipating questions became part of the rollout strategy. From custodians logging into shared workstations to the superintendent approving district-wide communications, everyone got personalized guidance.

            We kept the message clear: MFA is not a burden. It’s part of how we protect our entire staff and precious student PII and PHI. We always have to remain FERPA, COPPA, CIPA, and PPRA compliant.

            Over time, the complaints faded. Now, using MFA is second nature. It’s simply part of our routine.

            The Fix

            • Enforce MFA on all critical systems.
            • Use phishing-resistant methods (authenticator apps, hardware keys), with SMS only as a worst-case fallback.
            • Train users that a few extra seconds of friction is the cost of resilience.

            The Parallel

            Using MFA is similar to wrapping your hands before boxing. It might seem tedious when you’re just getting started, but it protects you. If you skip it once, you might be fine, but skip it again, and you risk real trouble.

            Security, like weightlifting, CrossFit, martial arts, or meal prep, works best when the basics become instinct.

            Again, MFA is boring. But it’s also one of the most powerful shields you have.