Tag: Sun Tzu

The Art of Cyberwar | Part X | Terrain

The principles:

“The natural formation of the country is the soldier’s best ally; make use of it to your advantage.”

“When the general is weak and without authority; when his orders are not clear and distinct; when there are no fixed duties assigned to officers and men, and the ranks are formed in a slovenly haphazard manner, the result is utter disorganization.”

“The general who advances without coveting fame and retreats without fearing disgrace, whose only thought is to protect his country and do good service for his sovereign, is the jewel of the kingdom.” Sun Tzu

Ground First

Sun Tzu makes a simple demand: know the ground on which you stand.

The proper ground turns disadvantage into leverage. The wrong ground turns strength into exposure. Terrain is not merely soil; it is topology, logistics, law, culture, and architecture. In the modern world, it includes cloud regions, compliance borders, identity planes, and network topology. Choose well, and the fight often narrows into something you can actually win.

This is not an abstract chapter. It’s a practical one.

If you’ve ever seen a breach unfold, you’ve witnessed terrain deciding outcomes in real time: attackers rarely “win” because they are stronger; they win because they enter through easy ground, move through poorly observed corridors, and reach valuable systems before defenders can orient.

The defender’s job is to resist. It is to shape the ground, so the adversary’s best options become expensive, loud, or impossible.

Types of Terrain – What They Feel Like, What They Demand

Sun Tzu names a wide variety of ground. In practice, the terrain we face, militarily, digitally, and politically, collapses into recurring patterns: open, narrow, steep, encircled, and expansive.

Each demands a distinct strategy. Each punishes a different kind of arrogance.

Open Ground – Fast, visible, unforgiving

Open ground is where you can be seen.

In war, it is flat land with no cover: movement is easy, concealment is costly, and discipline decides whether speed becomes an advantage or panic. Detection and clean maneuvering are important because contact is constant.

In cybersecurity, open ground is your public-facing surface area: internet-exposed services, public APIs, external portals, and remote access entry points. This is not where you want complexity. You want ruthless simplicity, fewer doors, fewer endpoints, fewer exceptions, paired with strong telemetry. Frameworks like the CIS Controls and NIST CSF explicitly prioritize inventorying and minimizing public-facing assets—making clarity and control here a universal best practice.

Open ground is also where deception works best. Decoys, false signals, and baited paths can pull an enemy out of position. In cyber, honeypots and canary tokens do the same: they invite movement into visibility and turn curiosity into evidence.

Real-world case: In 2021, the Microsoft Exchange Server vulnerabilities (ProxyLogon) exposed thousands of organizations’ email systems to the internet. Attackers rapidly exploited unpatched, public-facing assets—demonstrating why CIS Controls and NIST CSF stress the importance of inventory and minimizing the external attack surface.

Open ground isn’t “unsafe.” It’s honest. It shows you what you built.

Narrow Ground – Chokepoints, bridges, legacy stacks

Narrow ground is where everything funnels.

In military history, chokepoints decide battles because geometry becomes force. A smaller army can hold a larger one, not by being stronger, but by limiting the enemy’s options. Just think of the legendary last stand of Leonidas and the Battle of Thermopylae.

In cyber and cloud, narrow ground is often the infrastructure everyone relies on and no one wants to touch: legacy integrations, VPN tunnels, identity gateways, brittle on-prem choke points, systems tied to modern workflows by thread and habit. They become bridges. Bridges become targets.

If you harden one thing this quarter, harden your chokepoints, segment around them. Add compensating controls. Increase logging where applicable. Treat narrow terrain as sacred because when it fails, everything behind it is exposed. The MITRE ATT&CK framework’s focus on lateral movement and privilege escalation highlights why chokepoints must be secured and closely monitored.

Mini-case: The 2021 Colonial Pipeline ransomware attack targeted a single VPN account—an overlooked chokepoint with no multi-factor authentication. This breach underscores the criticality of securing and monitoring privileged access pathways.

Martial principles show up cleanly here. Wing Chun teaches that in close range, cutting angles and superior structure become everything. Trapping is about denying your opponent options. Narrow terrain does the same: it constrains movement and penalizes sloppy positioning.

Steep Ground – Visibility and defensibility, limited mobility

Steep ground is an advantage you must maintain.

High ground offers visibility and defensive leverage, but you don’t sprint on it. Movement becomes deliberate. Once you lose it, regaining it costs more than taking it did.

In cyber/cloud terms, the “steep ground” is where you place your crown jewels: production enclaves, privileged access vaults, critical logging pipelines, backup infrastructure, and identity governance, zones with strict access controls, immutable logs, and minimal pathways. NIST Special Publication 800-53 and CIS Controls both emphasize layered defenses and strong separation for critical assets, reinforcing the need for deliberate, hardened environments.

These environments should feel “steep” to anyone moving through them, including your own staff. That friction is the point. Steep terrain ensures enforcement of control.

Industry example: Major cloud providers routinely isolate customer data and management functions in highly restricted “steep ground” zones, applying controls from NIST SP 800-53 and CIS to prevent lateral movement and ensure containment if a breach occurs.

In Jiu Jitsu, this is akin to mount or back control: you don’t rush to snatch up a submission. You stabilize, isolate, and apply pressure through position and then finish. The defender who gets impatient on steep ground usually falls off it.

Encircled Ground – When you risk being surrounded

Encircled terrain is where isolation becomes lethal.

In war, encirclement breaks supply lines, erodes morale, and forces rash decisions. In cyber, encirclement often begins as “convenience” and ends as captivity: vendor dependencies, brittle third-party integrations, shadow IT no one owns, “critical” workflows held together by one person’s tribal knowledge.

The danger is that encirclement rarely feels dramatic at first. It feels normal until you need to restore. Until a vendor is down. Until the contract becomes leverage. Until the only admin is on PTO and the incident is already in motion.

Encircled ground demands exits: recovery paths, out-of-band access, air-gapped backups, and playbooks that restore connectivity without improvisation. CIS Control 11 and the NIST CSF Recovery Function both emphasize the importance of tested backup and recovery plans, as reliance on a single vendor or system is a strategic vulnerability.

Recent headline: In the wake of the 2022 Okta breach, organizations that relied exclusively on one identity provider faced business continuity risks. Those with tested out-of-band recovery and contractual exit clauses, as recommended by CIS and NIST, were able to restore operations more quickly.

If you don’t have those, you don’t have resilience. You have hope.

Expansive Ground – Flat, wide, tempting for overreach

Expansive terrain invites ambition. It also hides risk.

Movement feels easy because there’s “room,” but oversight drops as the supply lines lengthen. This is how empires, and cloud estates, collapse: not from one failure, but from accumulated, ungoverned territory.

In cyber, expansive ground is sprawl: dozens of cloud accounts, multiple providers, endless permissions, duplicated tools, integrations stacked on integrations. Sprawl isn’t evil. It’s simply unmanaged terrain.

Expansive ground demands scalable governance: infrastructure-as-code policies, automated compliance, continuous asset inventory, and hard limits on “just one more integration.” Otherwise, you end up “owning” too many things to defend any of them properly. Both NIST CSF and the CIS Controls call for continuous asset management and automated enforcement to keep sprawl in check.

This is where adversaries thrive, inside your noise.

Example: Several high-profile breaches, including Capital One (2019), were linked to sprawling cloud environments where asset management and policy enforcement lagged behind rapid deployment. This highlights why NIST CSF and CIS Controls call for continuous inventory and automated governance.

Choosing the Ground – Offense Through Selection

A leader’s first tactical choice is where to fight. Good generals choose terrain that favors their force and punishes the enemy’s approach. That’s a decision, not a reflex.

In cybersecurity, this is how you win before the breach: place valuable services behind hardened, observable layers and force attackers into monitored choke points. Make lateral movement steep. Make privilege escalation loud. Make time and friction the price of progress.

In cloud architecture, it refers to trust zones and least-privilege boundaries that govern movement, much as terrain shapes an army’s movement. If an adversary wants access, they must climb and be exposed while doing it.

In foreign policy, it means choosing diplomatic and economic levers rather than landing zones that stretch logistics and public support. Sometimes the “terrain” is public will. Sometimes it’s alliance cohesion. Sometimes it’s your economy. Burn those, and you’ve lost the campaign even if you win the first clash.

Choosing ground is an active defense. It doesn’t surrender initiative; it shapes the enemy’s options.

This is where martial deception becomes a strategy. A feint isn’t a lie, it’s an invitation. In Wing Chun, you draw the reach, trap the limb, clear the line, and strike at the same time. In Muay Thai, you show the jab to invite a teep to sweep the leg. In Jiu Jitsu, you offer the submission attempt you’re prepared to counter. Terrain selection works the same way: you present what looks like access, but what you built is a corridor of control.

Leadership, Discipline, and Knowing Your Soldiers

Sun Tzu insists a general must know his troops. That’s leadership in a sentence.

A leader’s indecision, ego, or poor communication is as lethal as bad geography. Poor leaders over-commit, under-communicate, or ignore warnings. They treat friction as disobedience and clarity as optional. That is how organizations drift into the “slovenly haphazard” disorder Sun Tzu warns about: plenty of tools, no coherence.

Discipline matters. Soldiers and engineers, treated with respect but held to standards, perform under pressure. Leniency breeds sloppiness; cruelty breeds silence. Both are operational risks.

Know your teams: strengths, fatigue thresholds, and tempo. Rotate duty. Limit emergency hours. Maintain training. In cloud and cyber, this includes on-call limits, respect for sleep, post-incident retrospectives, and psychological safety to report near-misses before they become incidents.

Morale shows up earlier than metrics. Leaders build the culture that sustains long campaigns.

Calculation Before Battle – The Work of Winning

Sun Tzu elevates calculation above impulse: the commander who measures many variables before engagement usually wins; the one who does not, loses.

This calculation is methodical: map terrain, count supplies (capacity), estimate enemy options, and plan contingencies.

In cyber, that means knowing your attack surface, understanding threat actor patterns, identifying likely pivot points, and building tested response runbooks. Rehearse, not because you expect a breach, but because you refuse to improvise under duress.

In the cloud, this entails calculating blast radius, recovery objectives, and the cost of complexity relative to the cost of resilience. It also means choosing fewer tools and mastering them, because every new platform is a new terrain you must defend.

In policy, it means calculating costs in treasure, trust, and time. Private-sector analogs are attention, capital, and brand.

Winning is the product of preparation. You cannot improvise a viable posture in a crisis.

Specific Strategies by Terrain – Practical Moves

  • Open ground: prioritize speed and detection; keep public assets to a minimum; deploy decoys and canaries; monitor aggressively. (CIS Controls 1, 7; NIST CSF Identify & Protect).
  • Narrow ground: enforce access controls and logging; funnel traffic through audited gateways; validate identity aggressively. (MITRE ATT&CK, NIST CSF Detect)
  • Steep ground: design immutable environments and strict separation; place critical controls in high-ground enclaves with minimal human pathways. (NIST SP 800-53, CIS Control 13)
  • Encircled ground: ensure out-of-band recovery, air-gapped backups, manual admin paths; maintain contractual exit clauses with vendors. (NIST CSF Recovery, CIS Control 11)
  • Expansive ground: prune and consolidate; adopt infrastructure-as-code policies and automated compliance; set hard limits on new integrations. (CIS Control 1, NIST CSF Asset Management)

Every choice reduces the opponent’s options and preserves the defender’s leverage. In practice, aligning terrain strategies with proven frameworks isn’t bureaucracy; it’s how you translate doctrine into daily operations.

Parallels: Rome, Corporations, and Nations

Rome didn’t fail because it was weak; it failed because it could no longer pay for its expansion. The pattern repeats: a leader mistakes reach for control, stretches supply lines, and forgets the home base.

In business, over-expansion without integration kills cash flow and culture. In policy, interventions without sustainable objectives are hollow support. In cyber, growth without governance turns territory into liability.

The remedy is the same: select advantageous ground, keep logistics tight, and honor the limits of what you can sustain.

Closing: Ground, People, Calculation

Terrain teaches humility. It forces honesty about supply lines, political will, and human limits. Leaders must select ground that fits their forces, know their people well enough to deploy them without breaking them, and calculate relentlessly before contact. The best strategy isn’t the loudest; it’s the one most rigorously mapped to the ground and standards that define your domain.

Sun Tzu’s point is blunt: the general who prepares wins because he has already made many small victories before the first clash. The rest simply discover, too late, what the ground beneath them already knew.

The Next Step: Situations Reveal the Ground

Sun Tzu ends this chapter the way a good fighter ends an exchange: not with noise, but with control.

Terrain is not merely where you fight; it is what the fight allows. It determines which tactics are available, which movements are costly, and which victories are possible without incurring blood, bandwidth, or morale costs. The wise commander doesn’t “try harder” on bad ground. He changes the angle, changes the conditions, and shapes the enemy’s options.

Muay Thai does it with ring craft: take space, cut off exits, force exchanges where your strikes land cleanly. Jiu Jitsu does it with: position, then control, then submission, and sometimes with a ruthless setup: allowing the opponent to chase the submission you expected, only to counter when they overextend.

Terrain works the same way. Choose it well, and you’re not only defending but shaping the enemy’s approach until their “attack” becomes the opening you built the environment to reveal.

That leads us directly back to the principles that opened this chapter:

“The natural formation of the country is the soldier’s best ally; make use of it to your advantage.” Because once you understand the ground, you stop fighting the fight the enemy wants, and start forcing the battle they cannot win.

And when leadership is weak, orders are unclear, and duties are unfixed, the result is exactly what Sun Tzu promised: utter disorganization, not because the enemy was brilliant, but because the ground exposed what was already unstable.

The highest standard remains unchanged: the general who advances without vanity and retreats without fear, whose only thought is to protect his people and do good service, is the jewel of the kingdom.

Bridge to Part XI – The Nine Situations

Terrain teaches you what is possible. The Nine Situations teaches you what to do when possibility collapses into reality, when you’re advancing, retreating, encircled, trapped, deep in enemy ground, or approaching decisive contact.

It is a doctrine of movement under pressure: acting in accordance with circumstances without losing coherence.

You’ve learned how to read the ground.
Next, you’ll learn how to fight on it.

The Art of Cyberwar | Part IX | The Army on the March

“The Army on the March” — Illustrated for The Art of Cyberwar, Part IX. This artwork evokes the visual language of classical Chinese scroll painting, capturing the essence of Sun Tzu’s Chapter IX with striking thematic fidelity. The scene unfolds in layers across a sweeping golden landscape: tightly ordered battalions march along mountain paths, supply barges cross a winding river, and distant formations assemble beneath the rising sun. Each element reflects the logistical burden, psychological tension, and environmental dependence that define an army deep into foreign territory. At the foreground, a lone commander on horseback surveys the terrain, flanked by advisors whose varied stances suggest counsel, observation, and caution. His elevated vantage mirrors Sun Tzu’s emphasis on awareness — the practice of reading fatigue, momentum, and environmental signals before they harden into irreversible consequences. The river crossing, perilous and slow, symbolizes the fragility of overextension; the distant city, shimmering beyond the horizon, represents both ambition and the looming threat of exhaustion. The overall composition blends serenity with strain, grandeur with vulnerability. In doing so, it transforms ancient military wisdom into a timeless reminder for modern strategists: every march requires vigilance, and every expansion carries its cost.

The Principle:

“When you leave your own country behind, and take your army across neighboring territory, you find yourself in a position of dependence on others. There you must watch for signs of strain.”— Sun Tzu

The Signs Before the Fall

Sun Tzu’s ninth chapter is about perception.

Here he shifts from action to awareness. It’s about how a commander reads fatigue, imbalance, and internal decay before they destroy an army from within.

This is not simply a lesson in combat, but more importantly, it’s a lesson in foresight. This is a crucial distinction that often separates a near-flawless victory from a crushing defeat.

Because every empire, every enterprise, every cyber defense effort eventually faces the same drift:

  • expansion that outruns understanding
  • momentum that hides exhaustion
  • ambition that blinds leadership
  • reach that exceeds resources

Armies break this way.
Companies implode this way.
Nations lose coherence this way.

In martial arts, this is the moment a fighter looks powerful, but their footwork is mis-aligned, the subtle tell of hand movement, the delayed return to guard, or the half-beat of hesitation that usually precedes success but this time leads to being hit.

Sun Tzu teaches us: if you can’t read the signs, you can’t survive the march.

Overreach: The Eternal Temptation

History loves proving this point.

Rome’s legions stretched from Britain to Mesopotamia until it could no longer feed its own frontiers. Britain built an empire “over all seas,” only to watch its overstretched supply lines rot from within.

The United States, victorious after World War II, constructed a global presence so vast that presence itself began replacing purpose.

Sun Tzu warned: The longer the march, the more fragile the army becomes.

Modern America has been marching for generations, militarily, economically, digitally, and each expansion has carried both pride and price.

Corporations experience the same decay. Cloud ecosystems suffer it even faster. What begins as strength, scale, reach, integration, becomes fragility when maintenance exceeds cost-tolerance.

In martial arts, overreach is the fighter who throws too many power shots, chasing a knockout rather than reading the opponent. They exhaust themselves long before the opponent is even breathing heavily.

Strength without pacing is just a longer route to collapse.

The Weight of Infinite Reach

In cybersecurity, overreach becomes complexity collapse.

Each new department adopts a new tool. Each executive demands a new dashboard. Each vendor promises a universal cure.

Suddenly:

  • no one sees the whole system
  • logs pile up unread
  • alerts become background noise
  • integrations multiply into untraceable webs
  • dependencies form faster than they can be understood

What once felt powerful becomes paralyzing.

Foreign policy suffers the same rhythm on a grander scale.

WWI.
WWII.
The Cold War.
Korea.
Vietnam.
Bosnia
Iraq.
Afghanistan.

Each began with a clean, confident objective. Most devolved into attrition, mission creep, and moral fatigue. It can confidently be argued that mission creep began with WWI, but that’s a conversation for another time.

Sun Tzu would summarize it simply: When the troops are weary and the purpose uncertain, the general has already lost.

In BJJ, this is the fighter who scrambles nonstop, burning energy on transitions without securing position. Sometimes, not even needing to scramble or change position, but hasn’t trained long enough to even know that.

In boxing, it’s the puncher throwing combinations without footwork. The fighter simply stands in place, wondering why his punches never land.

In Kali, it’s the practitioner who commits too aggressively, losing awareness of angles and openings.

The march becomes too long.
The lines become too thin.
And collapse becomes inevitable.

Business: The Corporate Empire Syndrome

Businesses suffer the same fate as empires.

Growth attracts attention. Attention fuels pressure to expand. Expansion becomes compulsive.

Suddenly, the company is chasing:

  • ten markets
  • ten products
  • ten strategies
  • ten “high-priority” initiatives

Each of these demanding its own “army.”

The parallels to national instability are perfect:

  • Expansion without integration
  • Strategy scaling faster than understanding.
  • Leaders mistaking size for stability.

Eventually, the weight becomes unsustainable.

The company can no longer “feed the army.”
Costs rise.
Culture cracks.
Purpose fades.

What killed Rome wasn’t the final battle; it was the slow erosion of balance across its territory.

Most businesses die the same way, and so do most digital ecosystems.

In Wing Chun, this is the collapse of structure, the moment you can see a fighter trying to do too much, forgetting the centerline, being everywhere except where they need to be.

Overreach is always invisible until it isn’t.

The Modern March: Cyber Empires and Digital Fatigue

Our networks are the new empires.

Every integration is a border.
Every API is a supply line.
Every vendor is an ally whose failure becomes your crisis, and you can never plan for when that crisis comes.

Cloud architecture multiplied this exponentially.

Organizations now live everywhere and nowhere at once.

Sun Tzu’s image of an army dependent on supply lines maps perfectly to modern digital infrastructure:

  • Multi-cloud systems
  • SaaS sprawl
  • CI/CD pipelines with invisible dependencies
  • Third-party integrations with inherited vulnerabilities

When visibility fades, risk multiplies. When dependencies become opaque, consequences become catastrophic.

A company that cannot trace its supply chain of code is like an army that has lost its map.

One outage.
One breach.
One geopolitical tremor.

And the entire formation can buckle.

We call this “scalability.”
Sun Tzu would call it: Marching too far from home.

Reading the Dust Clouds

Sun Tzu taught his officers to read subtle signs:

  • dust patterns revealing troop movement
  • birds startled into flight
  • soldiers’ voices around the fire
  • the speed of camp construction
  • the tone of marching feet

Modern versions of those signs are just as revealing:

  • Escalating ‘critical’ alerts no one addresses
  • Morale fading under constant pressure
  • Defensive posture maintained through inertia
  • Strategies repeated because they worked once, not because they work now
  • Partners showing hesitation before they show defection

In WWI, the Lusitania offered one of the clearest “dust clouds” in modern history.

Germany declared unrestricted submarine warfare. British intelligence knew passenger liners were targets. The Lusitania was warned. The U.S. was warned. Even the ship’s cargo, which included munitions, made it a predictable target.

Yet the warnings were dismissed.
The signs were clear.
The perception failed.

And America’s reaction, too, was predictable; a “neutral nation” was pushed closer to war by a tragedy entirely foreseeable. Some might argue that certain American politicians sought to force the US into the war. Again, that’s a discussion for another time.

Sun Tzu’s maxim remains timeless: The first to lose perception always loses position.

The Cost of Endless Motion

Overextension rarely appears dramatic at first.

It looks like success:

  • revenue rising
  • troops advancing
  • dashboards expanding
  • integrations multiplying

Then the consequences arise:

  • fatigue
  • erosion
  • misalignment
  • burnout
  • doubt

You begin fighting just to justify how far you’ve marched.

In cybersecurity, this is the company chasing every vulnerability without fixing their architecture.

In foreign policy, it’s the nation fighting endless “small wars” that collectively cost more than stability ever would.

In boxing, it’s the fighter who keeps moving forward until they walk into exhaustion, not a punch.

In Kali, it’s the flow practitioner who adds complexity until their movement becomes noise rather than intent.

Sun Tzu warned: An army that has marched a thousand li must rest before battle.

Modern systems rarely rest. We only measure uptime, not wisdom.

Restraint as Renewal

The answer isn’t retreat, it’s an informed, measured rhythm.

Knowing when to:

  • advance
  • consolidate
  • recover
  • regroup
  • reconsider the terrain

Strategic restraint is not weakness. It is self-preservation.

Rome could have lasted longer by fortifying fewer borders. Corporations could thrive longer by protecting focus instead of chasing scale. Nations could endure longer by strengthening their homeland defenses before ever wasting a single dime projecting power abroad.

Sun Tzu’s art was never about conquest. It was about sustainability.

Victory without stability is just defeat on layaway.

Awareness in Motion

Awareness is the antidote to overreach.

It requires honest measurement:

  • what’s working
  • what’s weakening
  • what’s cracking
  • what’s already lost

It requires humility: no army, business, or nation can move indefinitely without rest.

In cybersecurity, awareness is visibility.
In leadership, it’s listening.
In foreign policy, it’s simply remembering.

Awareness doesn’t stop momentum. It calibrates it.

It’s the half-beat between breaths that keeps the system alive.

Bridge to Chapter X | Terrain

Sun Tzu ends this chapter by looking outward again.

Once you’ve learned to read fatigue, imbalance, and decay within, the next step is to read the environment beyond.

The internal determines how you survive the external.

Which returns us to the opening principle: When you leave your own country behind…you find yourself in a position of dependence on others.

An army on the march teaches us to see ourselves. Chapter X Terrain teaches us to read the world:

  • its obstacles
  • its openings
  • its deception
  • its opportunities
  • its traps

Awareness of self means little without awareness of landscape. That’s where the next battle begins.

The Art of Cyberwar | Part VIII | Variation in Tactics

The principle: “There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard.” — Sun Tzu

Adaptation Over Assumption

In Maneuvering, we learned the art of movement and how to turn posture into progress. Now Sun Tzu takes the next step: variation.

Variation is the discipline of adaptation. Not improvisation for its own sake. It’s controlled flexibility and fluidity; the kind that keeps a force alive while in motion.

Sun Tzu’s warning is ruthless: Predictability is the slow death of strategy. Every organization that wins too long risks repeating itself.

Every CISO, every architect, every nation-state faces the same danger: When your patterns stabilize, your adversary’s job gets easier.

Attackers study rhythm.
They hunt repetition.
They exploit formula.

What you repeat becomes your weakness.

Static Defenses, Dynamic Threats

In cybersecurity, repetition feels like discipline:

  • the same checklists
  • the same daily, weekly or quarterly assessments
  • the same scanning cadence
  • the same unchanged playbooks

It feels stable but it’s stagnation dressed as process.

Meanwhile attackers evolve hourly.

Their payloads morph.
Their lures update.
Their timing adapts to human fatigue cycles.

They don’t overpower blue teamers; they systematically outlearn them.

Sun Tzu’s guidance, “alter your plans according to circumstances,” isn’t merely poetic.

It’s operational doctrine. Security isn’t a system. Security is a cycle.

  • Every breach teaches.
  • Every false alarm reveals.
  • Every routine day hides patterns waiting to be broken.

The teams that adapt fastest aren’t the biggest.

They’re the most fluid and adaptable.

Variation is awareness in motion.

Red Teams, Blue Teams, and the Dance of Adaptation

Variation is the heartbeat of adversarial testing. Red teams live in uncertainty: improvisation, deception, broken rhythm. Blue teams train in structure: detection, containment, resilience.

A mature organization doesn’t let them exist as siloed tribes. It merges them into purple teaming, where the creativity of offense and the rigor of defense evolve together.

  • Red exposes blind spots.
  • Blue turns discovery into discipline.
  • Together they adapt.

This is the martial logic of sparring:

  • Wing Chun’s angle changes, where the same attack comes from different entries vs simply straight lines.
  • Muay Thai’s broken rhythm, where timing destroys expectation.
  • BJJ’s transition → position → submission sequence, where variation becomes game, set, match.

Each engagement becomes rehearsal for reality. You’re not preparing for yesterday’s threat. You’re learning from tomorrow’s rehearsal. That’s Sun Tzu’s Variation: adaptation as preparation.

Cloud Security: Adaptation as Architecture

Cloud environments shift constantly:

  • APIs update
  • services deprecate
  • compliance rules revise
  • identity models evolve
  • integrations multiply

Static thinking is fatal in a fluid system. Cloud security is variation embodied.

Infrastructure-as-code lets architecture evolve at speed. Automation turns intent into consistent action, but without visibility, variation becomes drift.

Sun Tzu’s metaphor of water fits perfectly: Water adapts to its container yet always seeks its level.

Cloud engineers do the same:

  • change with the environment, without losing alignment
  • allow flexibility, without losing control
  • evolve configurations, without losing accountability

Adaptation is necessary. Principles are non-negotiable.

Foreign Policy and the Trap of Predictability

Nations decay when their doctrine ossifies.

The American foreign policy establishment has often fallen into this trap over and over again:

  • Cold War containment repeated even after the context changed.
  • counterinsurgency tactics applied to environments that defied them
  • interventions driven by reflex rather than awareness

Vietnam: A doctrine built for conventional warfare in Europe applied to guerrilla conflict in jungle terrain. The U.S. measured success through body counts and attrition, while the enemy measured it through will and time. Same playbook, wrong war. Predictable escalation met adaptive resistance.

Afghanistan: Twenty years of rotating commanders, each bringing their own tactical variation, but all operating under the same strategic assumption—that nation-building through military presence could succeed where it had failed for empires before. The tactics changed every 18 months with each new general. The doctrine never did. The enemy simply waited.

Iraq 2003: Intelligence assumptions treated as certainties. A swift conventional victory followed by the assumption that democratic institutions could be installed through force. When insurgency emerged, the U.S. applied a counterinsurgency doctrine designed for different conflicts. By the time adaptation occurred (the Surge), years of predictable responses had already created the conditions for ISIS.

But perhaps the most revealing pattern is the rhetorical one: every emerging threat becomes “the new Hitler,” every conflict the next World War II.

  • Saddam Hussein was Hitler.
  • Gaddafi was Hitler.
  • Milosevic was Hitler.
  • Assad was Hitler.

The framing never changes. The enemy is always being Chamberlain in 1939 and being “appeasers of Hitler.” The infantile argument is always to stave off the newest existential threat to humanity. This isn’t strategy, it’s intellectual predictability masquerading as moral rectitude and always sticking by the banal cliche “never again,” whether is really applies or not.

World War II was a unique conflict: a mechanized, industrial-scale war between nation-states with clear battle lines, total mobilization, and, foolishly, unconditional surrender as the objective. Applying that framework to insurgencies, civil wars, and regional conflicts doesn’t just fail tactically, it reveals a dangerous inability to see the situation as it actually is.

The Hitler analogy serves a purpose: it short-circuits debate, frames inaction as appeasement, and makes intervention seem inevitable. But it’s also the ultimate form of strategic predictability. When every threat is Hitler, every response becomes World War II, and variation dies.

Variation in statecraft means reading each situation fresh, not recycling last decade’s doctrine into a new century, and certainly not recycling a doctrine from 80 years ago. In each case, tactical adjustments happened but strategic doctrine remained rigid. That’s the opposite of Sun Tzu’s teaching: vary tactics, never principles. These conflicts varied neither.

The Global War on Terror: The Ultimate Failure of Variation

And then there’s the final, most damning example of strategic predictability: Ahmed al-Sharaa, originally known as Abu Mohammed al-Jolani, who once led al-Qaeda’s Al-Nusra Front or Jabhat al-Nusra in Syria and spent years detained by U.S. forces as a terrorist in Iraq, was welcomed to the White House in November 2025 by President Trump.

He once had a $10 million U.S. bounty on his head. He founded al-Nusra Front, al-Qaeda’s Syrian branch. Now he’s a partner in the Global War on Terror.

This isn’t adaptation. This is strategic incoherence dressed as pragmatism.

Twenty-four years after 9/11, after trillions spent, after Afghanistan and Iraq, after “we don’t negotiate with terrorists” became doctrine, the United States now supports the former head of the very organization we invaded multiple countries to destroy.

The justification? He helps combat ISIS. The same ISIS that emerged from the predictable chaos of the Iraq War. The same conflict where al-Sharaa himself fought as a leading al-Qaeda member against U.S. forces.

This is what happens when doctrine ossifies while reality shifts. When every threat is framed through the same lens (“the new Hitler”), when every intervention follows the same playbook, when strategic thinking atrophies into bureaucratic reflex you end up shaking hands with yesterday’s enemy because you can’t recognize that your framework has failed.

Sun Tzu’s warning rings clear: predictability invites exploitation. The GWOT’s predictable responses—invasion, occupation, counterinsurgency, withdrawal created a cycle that adversaries learned to exploit.

They adapted. We repeated.

And now, the former al-Qaeda commander who once fought U.S. forces receives a hero’s welcome at the seat of American power. Not because the threat changed. Because we ran out of variations on the same failed strategy.

Predictability in diplomacy invites miscalculation.
Predictability in force posture invites escalation.
Predictability in cyber deterrence invites probing.

Again, as an example, at the extreme end of predictability lies Pearl Harbor.

Japan didn’t strike out of pure ambition; it struck because the U.S. cut off:

  • 90% of its oil
  • vital steel
  • food
  • rubber
  • machinery
  • industrial materials

A nation deprived of resources enters what Sun Tzu called death ground, the place where maneuver becomes inevitable.

  • Predictable embargo.
  • Predictable deterioration.
  • Predictable desperation.
  • Predictable strike.

Sun Tzu understood the principle: the more rigid your doctrine, the more your opponent will shift. Nations, like networks, must evolve, or decay through repetition.

Variation Without Confusion

Adaptability is not inconsistent. Sun Tzu warned that blind variation, change for its own sake,
creates disorder.

The rule is simple: Vary your tactics. Never vary your principles.

In cybersecurity, the principles are visibility, trust, and accountability.
In cloud architecture, they are governance and clarity.
In foreign policy, they are restraint and realism.

Change how you respond.
Never change why you respond.

That’s how variation becomes strength rather than noise.

Modern Lessons in Motion

Across every domain, the real art lies in learning faster than you decay:

  • In cybersecurity, adapt playbooks to every alert, not just every quarter.
  • In cloud: treat configuration as a living organism, not a static diagram.
  • In diplomacy: update doctrine before circumstances force your hand.

Predictability invites attack.
Curiosity creates resilience.

Sun Tzu didn’t worship flexibility. He prized awareness in motion, responsiveness guided by principle.

That is how you survive modern complexity: move → learn → realign → repeat.

That’s variation.

From Variation to Awareness

Variation teaches movement. The next lesson teaches perception.

In Chapter IX, The Army on the March, Sun Tzu turns to the signals that guide a force in motion,  how to read the terrain, sense morale, detect fatigue, and recognize when momentum turns into danger.

If Variation in Tactics is about adapting to survive, The Army on the March is about understanding the signs that tell you whether your adaptation is working.

Bringing us full circle to our opening principle: “There are not more than five musical notes, yet the combinations of these five give rise to more melodies than can ever be heard.”

In our next installment, we’ll discuss perception and reality in networks, in nations, in martial skill, and most critically, in ourselves.

The Art of Cyberwar | Part II | Let Your Great Object Be Victory

The principles:
“In war, let your great object be victory, not lengthy campaigns”…because “There is no instance of a country having benefited from prolonged warfare.”
— Sun Tzu, The Art of War, Chapter II

The Art of Cyberwar -- Part II -- Be Wary of Lengthy Campaigns

Historical precedent demonstrates that nations failing to adapt are often used as cautionary examples. Despite significant resources, the United States has not yet overcome this strategic challenge.

From Vietnam to Afghanistan, the United States has exemplified Sun Tzu’s warning by conflating endurance with strength and persistence with strategy. When military presence supersedes the objective of victory, campaigns extend beyond their intended purpose, resulting in significant human and material costs.

The Illusion of Victory

Following President George H. W. Bush’s declaration on March 1, 1991, that the United States had overcome the ‘Vietnam syndrome,’ national sentiment was celebratory. The Gulf War was conducted rapidly and with precision, widely broadcast as evidence of renewed national confidence. The conclusion of the Cold War was perceived as a triumph for democratic governance.

However, this perceived redemption represented a recurrence of previous strategic errors. The primary lesson of Vietnam—the futility of engaging in conflict without a defined objective—remained unheeded. Demonstrating rapid military success led to neglect of the risks associated with protracted engagements lacking clear victory conditions or exit strategies.

In subsequent decades, this hubris manifested in new conflicts. The invasions of Iraq and Afghanistan were initially framed as missions of defense and liberation, but evolved into prolonged operations characterized by strategic inertia. Between January 1968 and January 2022, the United States expended approximately $41 trillion on regime-change wars, supporting unstable governments, and reconstructing nations without explicit local consent.

When the conflict concluded in Kabul in August 2021, the resulting images closely resembled those from Saigon in 1975: helicopters evacuating personnel, abandonment of allied partners, and governmental collapse returning control to the previously ousted regime.

Two wars. Two generations. One unlearned truth:

“Contributing to maintain an army at a distance
causes the people to be impoverished.”

The resulting impoverishment extended beyond material losses to include diminished clarity, discipline, and strategic purpose.

The Cost of Long Wars

Sun Tzu recognized that prolonged conflict leads to internal deterioration. Geographic and temporal distance not only depletes resources but also impairs strategic perception.

Extended campaigns obscure strategic objectives and make it difficult to define victory when mere survival becomes the primary focus.

This confusion often results in a detrimental shift from strategic planning to operational maintenance.

The Cyber Parallel

A similar pattern is evident in contemporary cybersecurity. Prolonged defensive operations manifest as alert fatigue, excessive expenditures, and staff burnout. Continuous patching, monitoring, and incident response create an environment of persistent engagement. While terminology evolves, the underlying strategic mindset remains unchanged.

Cybersecurity teams often become engaged in repetitive activities, addressing recurring issues through marginally varied approaches without achieving lasting resolution.

This situation represents the cybersecurity equivalent of protracted military engagements, often referred to as ‘forever wars.’ Effective leaders, including Chief Information Security Officers (CISOs), recognize the importance of strategic restraint.

It is neither feasible nor advisable to attempt to defend all assets indiscriminately. The primary objective is not comprehensive awareness but rather targeted precision.

Security efforts should prioritize critical assets and aim to resolve threats efficiently rather than sustain ongoing conflict.

“The leader of armies is the arbiter of the people’s fate.”

Within organizational contexts, this leadership role may be assumed by a security architect, team leader, or any individual responsible for directing security resources. The fundamental responsibility remains the protection of the enterprise.

Victory Over Attrition

The primary cost of protracted conflicts, whether conventional or digital, is cumulative exhaustion. Achieving victory requires recognizing the appropriate moment to cease operations, consolidate gains, conduct assessments, and facilitate recovery.

Regardless of the domain, whether physical or digital, conflicts that lack a definitive conclusion cannot be considered genuine victories.

Once again, highlighting the timeless nature and importance of imbibing this story’s principles: “In war, let your great object be victory, not lengthy campaigns…”
because “There is no instance of a country having benefited from prolonged warfare.

The Art of Cyberwar | Part I | The Illusion of Truth

The principle:
All warfare is based on deception. —Sun Tzu

In warfare, there’s a certain irony in how often truth becomes a casualty before the first shot is ever fired. As an American, that line from The Art of War has always carried extra weight. Our history is full of moments when deception wasn’t just a tactic on the battlefield; it was the spark that lit the fuse.

From the smoke and mirrors of the Spanish-American War to the Gulf of Tonkin and the blurred motives of the Gulf Wars and the Global War on Terrorism, we’ve seen how perception shapes permission. Wars don’t always start because one side is stronger; they start because one story feels true enough to believe.

And since “All warfare is based on deception,” Sun Tzu went on to say:

When you’re able to attack, you must appear unable. When using our forces, we must seem inactive. When we are near, we must make the enemy believe we are far away. When we’re far away, we must make him believe we are nearby.

We must hold out bait to entice the enemy and then crush him. If he is superior in strength, evade him. If your opponent is overconfident in nature, seek to provoke him. Pretend to be weak, so that he may grow arrogant and attack when he otherwise wouldn’t. Attack him where he is unprepared, appear where you are not expected. If he is trying to take rest and recover, give him no rest. If his forces are united, divide them.

The general who loses a battle has made only a few calculations beforehand. Thus, many calculations lead to victory, and making only a few calculations ensures defeat. By paying attention to these points, I can foresee who is likely to win or lose.

Deception as Strategy

The principles articulated by Sun Tzu extend beyond the battlefield to broader strategic contexts. His observations highlight the value of misdirection for leaders and strategists. The objective is not to create disorder, but to control perception and attention. In both conventional warfare and digital security, success frequently depends on understanding the adversary’s perception of reality. This principle underpins the effectiveness and prevalence of social engineering tactics.

Contemporary deception strategies have shifted focus from traditional military maneuvers to achieving information dominance. Modern tools include manipulated narratives, deepfakes, phishing campaigns, propaganda, and misinformation. These methods target cognitive processes rather than physical harm. Once individuals accept misinformation as truth, further manipulation becomes significantly easier. The Committee on Public Information, the United States’ World War I propaganda agency, exemplifies institutionalized information control.

Cybersecurity’s Ethical Deception

In cybersecurity, deception is employed with the intent to enhance defense mechanisms. Techniques such as honeypots attract attackers, sandbox environments facilitate malware analysis, and red team exercises simulate adversarial tactics to maintain robust security postures.

In this context, deception functions as a defensive measure rather than an offensive tool. It is utilized to identify vulnerabilities rather than to exploit them. The underlying principle that can mislead a nation may, when applied ethically, serve to protect it. The distinction lies in the intent: defense and awareness as opposed to manipulation and illusion.

Both approaches depend on psychological insight and require strategic foresight. However, only defensive deception is fundamentally grounded in ethical integrity.

The Martial Mirror

Martial artists understand deception in its purest, most physical form. A feint isn’t a lie, it’s a question. In Wing Chun, they’re called “asking hands.” You draw your opponent’s attention, focus and/or movement one way to reveal where they’re vulnerable. The best fighters aren’t those who hide, but those who read intent faster than it’s shown. It’s why attacks on the halfbeat are so effective. But, that’s a lesson for another time.

Cybersecurity employs similar principles. Confrontation is not always optimal; instead, threats are redirected, absorbed, or neutralized preemptively. The discipline emphasizes anticipating patterns before they fully emerge, rather than merely reacting. This approach is often described as the art of fighting without fighting.

The Modern Maxim

“Deception reveals more than it hides, it shows what we most want others to believe.”

In this context, each act of deception simultaneously reveals underlying motives, strategies, and tactics.

For those responsible for safeguarding systems, individuals, or factual accuracy, the task often begins where clarity diminishes. The primary challenge is not to eliminate deception entirely, but to recognize and understand it without compromising ethical standards.

The initial action in any conflict, whether digital, physical, or psychological, is seldom a direct attack; it is often the creation of a narrative to tell. The essential responsibility is to accurately identify threats based on objective analysis, rather than relying solely on presented information. Illustrating the everlasting importance of learning the principle of this story: All warfare is based on deception.