Security’s Absurd Cycle

As we focus on building, enhancing, and applying lessons learned from the services we provide at Black Arrows, I can't help but realize a simple thing: security moves in cycles, and the difficulty stays constant; only the reasons change.

In the beginning, security was difficult because humans are fundamentally flawed. It wasn't about the cryptography being hard; it was about a person making a mistake, clicking something stupid, or just having a momentary lack of attention to detail. The job of information security was primarily to engineer simple, understandable defenses around the inherent fallibility of the user. For years, the community worked diligently behind the scenes, building solid foundations and trying to reduce the surface area that human nature could expose.

We succeeded, in a way. The obvious doors were bolted shut, the simple phishing emails became slightly less effective, and we achieved a baseline of safety. But the success brought a different kind of difficulty, a new, self-imposed complexity that makes the old problems look trivial.

Security is now an incredibly complex mess, and not because the math got harder. It’s complex because of the sheer volume of bullshit we’ve integrated into our environments. Every new problem has been met with a wave of vendors offering solutions we didn't know we needed. These tools often solve nothing substantive, yet they demand resources, create mountains of noise, and, worst of all, introduce new, unexpected attack surfaces. The industry has traded simple, hard-to-solve human problems for a complicated, expensive, and opaque universe of vendor-driven complexity.

The technology itself, which should be bending to make our lives easier and simpler, is becoming more convoluted by the minute. Everything is layered, abstracted, and constantly changing, leaving security professionals chasing ghosts in systems built not for elegance, but for expediency and profit. The hardest part of the job today isn't protecting against the human element, but protecting the systems from the systems themselves. The cycle never ends, but the effort required to stay safe keeps climbing into the absurd.

This endless, exhausting cycle of chasing complexity suggests we've lost the thread. The only way to regain our strength, resiliency, and sanity isn't to buy the next black box solution, but to brutally pare back. We must embrace Security Brutalism, a philosophy that demands we strip away the abstraction, eliminate the unnecessary tools, and focus only on the fundamentals that genuinely mitigate risk. Let's build defenses that are simple, visible, and enduring, even if they aren't pretty, allowing us to spend less time managing vendor spreadsheets and more time engineering truly secure systems.