Modern Adversary

The Danger of Defending Yesterday

Sept 2021

Back in 2013 I wrote: "Security should not be a reaction to events. It should be proactive. The red team mindset builds this approach. It means thinking like an attacker, identifying what could be exploited, and staying several steps ahead. It means planning, preparing, and implementing detection and deception strategies before the first alert fires. This mindset makes future attacks harder to execute and less damaging when they come."

Yes. However... Let's go deeper into this.

Modern systems fail in familiar ways, but they are broken in unfamiliar ones. The difference matters. We have built a technology world that rewards optimization, speed, and comfort, while quietly penalizing the act of asking what could hurt us. Not what is likely, not what is trending, but what is possible. In security we like to talk about risk, but too often we mean cataloged risk, audited risk, risk that fits neatly into a spreadsheet. The real danger usually lives outside that frame, in places we have not named yet and therefore have not defended against.

One of my all time heroes in the world of red teaming said: "Entrenched social systems are incentivized to hold contrarian perspectives at bay. Regrettably, the defenses that preserve the status quo often fail against novel threats and hazards." (one of the Red Team Journal laws). That line lands hard because it is not just about security programs or governments. It applies to companies, cultures, and individuals. Anything stable enough to last will eventually resist the ideas most likely to save it. The immune system protects the body, but it can also reject the transplant that keeps it alive.

One of the reasons I delved deep into the world of adversarial simulation and how bad actors think is because I wanted to understand why humans were and are notoriously bad at preparing for failures they can’t yet imagine. We reason from precedent, not possibility, and mistake the absence of known threats for safety. When something has no name, no story, and no historical analogue, it rarely gets stress tested, red teamed, or taken seriously. Thinking two or three moves ahead is an attempt to outrun that cognitive lag, forcing scenarios into existence before they arrive unannounced, fully formed, and already too late to stop.

Security just makes this failure mode easier to see. Breaches rarely succeed because defenses are absent. They succeed because defenses are optimized for yesterday’s attacker. We build controls around compliance checklists, past incidents, and vendor promises, then act surprised when an adversary steps sideways instead of forward. The attacker does not care how much effort went into the plan. They only care where it breaks. This same pattern shows up in business continuity, personal resilience, and even relationships. We prepare for the problems we recognize and are blindsided by the ones we quietly assumed would never happen.

Thinking about what can hurt us is uncomfortable because it threatens the story we tell ourselves about control. It requires entertaining ideas that feel pessimistic or disloyal to the system we are part of. Yet this discomfort is the price of durability. Red teaming is not about paranoia. It is about respect for reality and an admission that complexity always leaks. The goal is not to predict the future perfectly, but to widen the set of futures we are capable of surviving.

Civilization evolved faster than cognition; we’re running modern worlds on ancient firmware. Five thousand plus years of known civilization on, our greatest limitation isn’t technology, it’s the imagination beaten into shape by a world that no longer exists. If we want secure systems, resilient organizations, and lives that do not shatter at the first unexpected impact, we have to make room for uncomfortable questions. What could hurt us if someone wanted it to. What breaks if assumptions fail. What happens when the thing we never planned for finally shows up. That mindset is not optional anymore. It is the cost of operating in a world that no longer forgives surprise.