Last October, I wrote an essay making the case for the absolute cybersecurity first principle.

The First Principle of Cybersecurity

One of my readers, Adrian Sanabria, who just happens to be a friend of mine and a member of the Cybersecurity Canon Committee to boot, asked me this question,

How do you connect the actions you take to the probability of an incident/breach?” How do you know that the thing you just did moved the needle?

He asked if I had other essays that explained this. It turns out that I do.

Inside Out Forecasts

If you haven’t read that one yet, go ahead. I’ll wait [Jeopardy Music plays in the background].

Adrian is likely scratching his head about this line from my essay:

We can tell the boss that because we invested X amount of dollars on a new security tool or a new security function, we reduced the probability of an adversary group damaging the business from 20 percent to 15 percent.

How do we know that the initial 20 percent is accurate? How do we know, with any precision, that we reduced that probability down to 15 percent because we deployed some new security tool? I want to be completely transparent about this. You can’t. There is no way to know these answers for sure.

My best friend, Steve Winterfeld, has a standard answer when his nieces ask questions like, “Why is the sky blue?” He says, “There is no way to know that.” You have to stay on your toes when you’re one of Steve’s nieces. It’s a misinformation environment.

It turns out though, he’s right. With most things, there is no easy answer available. There is no actuarial table stored in the bowels of the U.S. Government’s Bureau of Labor Statistics that will spit out the number with the five nines of precision that we all want. It doesn’t exist.

Probabilities are Messy

And I sense your frustration. That’s not a satisfactory answer. We don’t like that response. We just want to count all of the things, do some simple math, and be done with it; like find the number of bad things that have happened and divide that by the number of all bad things that could happen. We expect an exact number because, you know, it’s math. Truth be told, if we had it our way, we wouldn’t use probabilities at all. They are all so … messy.

But in the real world, we can’t count everything. Reality is messy. It rarely gives us clean yes-or-no answers or exact percentages of risk reduction. I’m reminded of a Neal Stephenson quote from his novel “Seveneves.” The moon has exploded (for reasons) and a (Doob) character is trying to calculate the orbital paths of millions of pieces of moon debris circling the earth.

“It is a statistical problem,” Doob said. “[On day one] it stopped being a Newtonian mechanics problem and turned into statistics. It has been statistics ever since.

— Stephenson, Neal. Seveneves (p. 423). William Morrow. Kindle Edition.

Doob can’t know the exact path of every orbital rock with absolute certainty. There are too many constantly changing variables that influence the outcome. What he can do is make a highly informed estimate because he’s an expert. He’s an astronomer, a television science communicator, and someone deeply familiar with orbital mechanics. He also relies on modeling software built by other experts who specialize in simulating objects in space. So no, he doesn’t know the answer with five nines of precision, but he has a strong estimate, one he is 90% confident in, and one he is confident enough to use for decision-making.

Substitute Doob for Any Infosec Professional

Who does Doob sound like to you? Well, let me be presumptuous and suggest that he is similar to all the infosec professionals on the planet with more than five years of experience under their belts. Just like Doob, they have seen some things. They are perfectly capable of estimating the risk reduction to the enterprise after the deployment of some new security tool. What they likely don’t know is how to do it because, you know, math is involved, and specifically messy probabilities. But it’s not that hard. There’s really no math involved at all; just a different way to think about the issue than the way we are used to. Even a no-math CISO like me can do it. We all have to learn how to think in terms of a range of possibilities.

Statisticians have been doing these calculations for a long time. I first heard about them reading two Cybersecurity Canon Hall of Fame books written on the subject.

• Measuring and Managing Information Risk: A FAIR Approach by Jack Freund, Jack Jones

• How to Measure Anything in Cybersecurity Risk by Douglas Hubbard and Richard Seiersen

But the the clearest explanation I’ve come across is from a new book published in 2026 by Tony Martin-Vegue: From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification. Tony says that to establish this range of possibilities, to get a 90% confidence interval, we need to establish something called Percentile Values. The experts, let’s say your SOC team, must estimate three numbers

• P5: The Lower Bound (the lower 5th percentile). The team is 95% sure that this is the lowest value the real answer can be.

• P95: The Upper Bound (the upper 95th percentile.) The team is 95% sure that this is the highest value the real answer can be.

• P50: The Midpoint of the team’s belief. This is what the SOC experts think is probably the typical value (the median if you want to throw some math at it).

The interval from P5 to P95 contains the central 90% of the uncertainty range.”

When we told the boss that we’ve reduced the probability of an adversary group damaging the business from 20 percent to 15 percent because of a new tool deployment, what we really should have said is that we’ve reduced that percentage to between 13 to 17 percent with the most likely number being 15%.

Takeaway

With a nod to Steve’s nieces, I hope I clarified Adrian’s questions. Doob could not tell you exactly where every piece of moon debris would land. But he could tell you enough to make a decision. That is the standard we should hold ourselves to in cybersecurity risk: not certainty, but informed, calibrated, expert estimation expressed as a range. The expertise already lives inside your organization. We just have to refocus our experts on a different way to think about the problem.

Source

Rick Howard, 2025. The First Principle of Cybersecurity [Essay]. First Principles Newsletter - Substack, URL: https://diffuser.substack.com/p/the-first-principle-of-cybersecurity

References

Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [2018 Cybersecurity Canon Hall of Fame Book].

• Canon Review

• Amazon Affiliate Link

• Goodreads Summary

• Author Interview

Jack Freund, Jack Jones, 2014. Measuring and Managing Information Risk: A FAIR Approach [2017 Canon Hall of Fame Book].

• Goodreads Summary

• Canon Review

• Author Interview

• Buy at Amazon

Neal Stephenson (Author), Robinette Kowal (Narrator) and Will Damon (Narrator), 2015. Seveneves [Book]. Goodreads, URL: https://www.goodreads.com/book/show/22816087-seveneves

Philip E. Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [2023 Canon Hall of Fame Book]. Goodreads, URL: https://www.goodreads.com/book/show/23995360-superforecasting

• Goodreads Summary

• Canon Review

• Amazon Afiliate Link

• Author Video Interview

• Author Podcast Interview:

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book].

• CyberCanon URL: https://cybercanon.org/cybersecurity-first-principles-a-reboot-of-strategy-and-tactics/

• Goodreads URL: https://www.goodreads.com/book/show/75671183-cybersecurity-first-principles

• Buy URL: https://amzn.to/4mI7QMU

Tony Martin-Vegue, 2026. From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification [2026 Canon Hall of Fame Nominated]. Goodreads, URL: https://www.goodreads.com/book/show/243058626-from-heatmaps-to-histograms?

The second rule of Dungeon Crawler Carl is that every problem Carl solves creates a worse problem. The first rule is that Carl will always try to solve the problem anyway. There is no third rule.

I finished the first book in the six-book series and immediately started this one.

The premise continues to be ridiculous: An alien corporation, Borant, destroys every human-made structure on Earth and repurposes the debris into an 18-level underground dungeon that spans the globe. Roughly 13 million humans (crawlers) survive and find their way into the dungeon’s first level; conscripted into a world-wide D&D game broadcast across the galaxy for alien entertainment. It’s The Hunger Games crossed with The Running Man crossed with World of Warcraft.

In book 2, The Royal Court of Princess Donut consists of

• Donut

• Carl (Still without long pants).

• Mongo the Velociraptor

• Mordecai (Donut’s manager)

• Katia Grim (a doppelganger separated from her “Brynhild’s Daughters” team)

The team stumbles into two quests and Carl learns something new about the game mechanics. He realizes that his team can do more than fight and kill mobs (monsters). They can also manipulate the system. The dungeon’s entertainment machinery has talk shows and non-player character (NPC) Elite Dramas (fully scripted, separately produced shows running inside the dungeon with its own writers, producers, and contractual obligations). It reminds me a bit of the HBO TV show Westworld. Savvy crawlers can threaten popular story arcs and bargain with the people producing the shows. Carl struck a deal with the Circus Quest writing team through Zev (a Borant PR manager for popular crawlers) where he would get to live and give them a better ending to their story.

By the end of the book, the Royal Court of Princess Donut has survived an eight-day floor timer, completed two quests, solved a murder mystery, saved thousands of NPCs and dozens of crawlers from a city-destroying explosion, and are in the top 10 of the crawler leaderboard. Carl and Donut have active bounties on their heads, and Carl is carrying an unstable super-weapon he can never safely use or discard. The Skull Empire is actively hostile to the group following Carl’s inflammatory political statements on a talk show, and Carl has a binding future commitment to appear on the “Vengeance of the Daughter” Elite Drama on Floor 6.

Carl's negotiated solution reversed a planned story arc in which the explosion was supposed to kill everyone. Because the team was so successful, the game’s AI driven loot system authorized the delivery of 83 Celestial boxes to all surviving crawlers involved, which would have bankrupted Borant (already strapped for cash.) Borant chose to use its contracted once-per-season veto to strip the team of their rightfully earned rewards. Call me crazy, but I’m thinking that the impact of Carl’s script change will come back to bite him in future books.

At the beginning of Book 2, there were ~3 million humans (crawlers) alive in the dungeon. By the end though, the dungeon has caused brutal attrition; somewhere below 600,000. Despite that one stark fact, the book is still funny, well written, and well acted. I’m totally enjoying myself.

Book three (The Dungeon Anarchist’s Cookbook (2021), here I come.

Source

Matt Dinniman, 2021. Carl’s Doomsday Scenario (Book 2) [Book]. Goodreads, URL: https://www.goodreads.com/book/show/212393364-carl-s-doomsday-scenario

References

Matt Dinniman (Author), Jeff Hays (Narrator), 2021. Dungeon Crawler Carl [Audio Book]. Soundbooth Theater - Audible, URL: <https://www.audible.com/pd/Dungeon-Crawler-Carl-Audiobook/B08V8B2CGV

Rick Howard, 2026. Dungeon Crawler Carl [Book Review]. First Principles Newsletter (Substack), URL: https://diffuser.substack.com/p/book-review-dungeon-crawler-carl

For the U.S. Memorial Day, officially the last Monday in May, I’m re-publishing my essay from last year that marked the holiday. Since then, the U.S. government has conducted one military operation and is in the middle of another in which armed forces personnel were either killed or injured:

• Operation Absolute Resolve (0 killed; roughly 6–7 wounded/injured): A successful mission in January 2026 to capture President Nicolás Maduro and his wife, Cilia Flores, in Venezuela.

• Operation Epic Fury (13 killed and 381 wounded so far). An ongoing mission that started on February 28, 2026 targeting Iranian leaders and defensive systems.

Most American citizens don’t really acknowledge the distinction between Veterans Day and Memorial day. Don’t get me wrong. We appreciate the two, three-day weekends, by attending parades, firing up the backyard grille for burgers and hotdogs, and maybe tipping our baseball caps to the veterans in the vicinity. This is all well and good.

But Veterans Day is a holiday that celebrates American military personnel. Memorial Day honors the fallen soldier. As author Tamra Bolton says,

“This is the day we pay homage to all those who didn’t come home. [Memorial Day] is not Veterans Day, it’s not a celebration, it is a day of solemn contemplation over the cost of freedom.”

A Memorial Day History

It all began almost immediately after the American Civil War (1861 to 1865). When the Confederate Army of Northern Virginia surrendered to General Grant at the Appomattox Court House in south-central Virginia, over six hundred thousand soldiers had perished; both from the Confederate and from the Union sides; at least two percent of the American population at the time; more lives than any conflict in U.S. history.

Just a month later, thousands of freed Black Americans in the ruined city of Charleston, South Carolina, commemorated a mass grave of union soldiers buried in an abandoned racecourse. 3,000 schoolchildren carrying roses, and hundreds of women carrying flower baskets with wreaths and crosses, sang the old Union marching song “John Brown’s Body” which is more famously known today as the “Battle Hymn of the Republic.”

Paul Robeson sings John Brown’s Body

By May the next year, 1866, according to Livia Albeck-Ripka of the NYTs, citizens of Waterloo, N.Y., “decorated their streets with flags at half-staff, draped with evergreens and mourning black.” The US Federal government, a century later, declared this commemoration as the official first Memorial Day.

That same year in Columbus, Mississippi, “women placed flowers on the graves of both Confederate and Union soldiers.” Just two years later, General John A. Logan, the commander in chief of the Grand Army of the Republic, a veteran of eight major civil war campaigns, established a national holiday with his signed general order number 11 saying,

“Their soldier-lives were the reveille of freedom to a race in chains, and their deaths, the tattoo of rebellious tyranny in arms.”

According to the USO (The United Service Organizations), on that date in May of 1868, “over 5,000 first-ever National Decoration Day participants decorated the graves of the 20,000 Union and Confederate soldiers buried at Arlington National Cemetery in Virginia.”

By the late 1800s, cities and communities across the United States began to observe the day and several states declared it a legal holiday. According to the New York Times, most referred to the day as “Decoration Day.” But as the country got involved in other wars (the Spanish-American War, World War 1, World War 2, the Korean war, and the Vietnam War), “Americans began referring to the observance as “Memorial Day,” not just to remember Civil War deaths, but to honor the American fallen from all wars.

In 1967, the U.S. Congress formally changed “Decoration Day” to “Memorial Day” and, in 1971, decreed that the holiday would land on the last Monday of May to ensure a three day weekend for federal workers.

Veteran Celebrations vs Memorials

But for me, it’s one thing to be a veteran of the US Armed Forces; a true and noble calling if there ever was one. It’s quite another thing though, to lay down your life in the name of a bigger idea; that all people are created equal, that they are endowed by their Creator with certain unalienable rights, that among these are Life, Liberty and the pursuit of Happiness. And, that to secure these rights, men and women must be ready to stand in the breach to protect them.

I’m reminded of President Franklin D. Roosevelt’s Bill of Rights proclamation in 1941:

“Those who have long enjoyed such privileges as we enjoy, forget in time, that men have died to win them.”

Or Winston Churchill’s WWII speech on the BBC about his citizen’s response in the Battle of Britain.

“Never in the field of human conflict, was so much owed, by so many, to so few.”

Or General George S. Patton’s hot take in 1945:

“It is foolish and wrong to mourn the men who died. Rather we should thank God such men [and women] lived.”

In President Lincoln’s condolence letter to Mrs. Bixby in Boston (She had lost five sons in the war), he succinctly expressed the country’s thoughts about our nation’s fallen sons and daughters:

“I feel how weak and fruitless must be any words of mine which should attempt to beguile you from the grief of a loss so overwhelming. But I cannot refrain from tendering to you the consolation that may be found in the thanks of the Republic they died to save. I pray that our Heavenly Father may assuage the anguish of your bereavement, and leave you only the cherished memory of the loved and lost, and the solemn pride that must be yours, to have laid so costly a sacrifice upon the altar of Freedom.

“… to have laid so costly a sacrifice upon the altar of Freedom.” That’s why we recognize Memorial Day.

And if you want to bring a tear to your idea, watch the scene from the movie, “Saving Private Ryan” where General George Marshall reads the letter. It gets me every time.

Saving Private Ryan Clip

Many years ago, when I was in the U.S. Army, I was stationed at the Pentagon. My unit visited Arlington Cemetery, the cemetery where the country buries its veterans, the home of the Tomb of the Unknown Soldier. I was so moved by the experience that I wrote an essay about it. It’s called “Reborn at Arlington.”

Dramatization

At my last job, I worked at a small startup cybersecurity podcasting company called N2K. We dramatized the below essay with music and sound. I’m very proud of it. Take a listen if you get the chance.

Reborn at Arlington: An Essay

1,500 US Army soldiers stood on the misty parade field at Fort Meyer waiting for the sun to rise. The leadership had scheduled another morale building (yet mandated) “fun run” where once a quarter, the entire unit comes together to do PT (Physical Training) in a show of ésprit de corps and unit cohesion. Since we were all stationed at the Pentagon, many of us had been in the Army for a while. We were a little broken down in the body department and had seen our fair share of these types of events. There we were, at the twilight of our careers, huddled in small groups during the dawn of one more PT morning.

Of course, there was the usual grumbling between the older soldiers asking one another if we were motivated yet, and if we had a cup of ésprit de corps to spare. But there was a sprinkling of young soldiers among us too, and their shiny new faces kept us old timers from getting too cynical and fussy.

As the sun poked up above the horizon, the Army’s Command Sergeant Major called the gaggle to attention and the formation began to run. The Non-Commissioned Officers (NCOs) led the assemblage in rousing voice and extolled the virtues of Granny, My Girl, and the C-130. Below the roar of the singing, just in the background, you could hear the footsteps of the 1500 strong pounding the pavement in syncopated rhythm.

The formation crested the hill overlooking Arlington Cemetery and the vista of Washington DC opened up before us. The Army Colors, at the front of the formation, started their descent towards the Cemetery just as the rising sun reached the top of the Washington Monument several miles distant. And still the singing and the pounding drove the formation as it snaked down the hill towards the front gates.

As the colors passed into the Cemetery, like a line of dominoes falling, the singing faded away. One platoon after the other fell silent in mute honor of our fallen comrades-in-arms laid to rest in the National Cemetery. As the voices muted, the only sound you could hear was the constant beat, beat, beat of the run and the Army colors whipping in the slight breeze. Nobody spoke except for the occasional NCO keeping everybody in step with a steady, but quiet, 1 - 2 - 3 - 4, 1 -2 - 3 - 4. It was serene. It was sublime.

Midway through the run, the Command Sergeant Major called the formation to a halt and commanded us to execute a right-face towards the middle of the cemetery. The morning sun had burned off the last vestiges of mist from the manicured lawns. The breeze trickled through the formation’s silence and the Army Colors at the front. And then we all heard it; that mournful sound of a single bugler playing Taps. He began low at first; almost whispering the sound through the horn. But slowly, his crescendo wrapped the listener into a cocoon of sadness, memory, and gratitude about the lives that could have been, or that was. On that misty morning, young and old soldiers alike shed mutual tears as the bugler played on.

When it was done and the silence greeted the end of the song, a chill went down my back. It occurred to me that we were not merely taking a morning jog anymore. We were actually passing in review. These fallen soldiers, some of whom had given the ultimate sacrifice for their country, and others who were prepared to do so, were watching us and sizing us up. I hoped that we could pass muster. I had this great desire to let them all know that we had the guide-on now and it was in good hands. We would not let them down.

I stood a little taller then. My old muscles didn’t ache so much. As we began to run home, the burden was a little lighter. As 1500 boarded the buses to head back to the Pentagon, I realized that this old soldier was less cynical today; less worn for wear. Although I may not have the shiny face of one of those new soldiers, I was reborn this morning. Together, both old and young, we will carry on.

References

Abraham Lincoln, 1863. The Gettysburg Address [Speech]. Abraham Lincoln Online. URL https://www.abrahamlincolnonline.org/lincoln/speeches/gettysburg.htm

Amanda Onion, Original 2009, Updated 2023. Memorial Day 2022: Facts, Meaning & Traditions [Essay]. HISTORY. URL https://www.history.com/topics/holidays/memorial-day-history

Bob Zeller, 2022. How Many Died in the American Civil War? [Essay]. HISTORY. URL https://www.history.com/news/american-civil-war-deaths

Brent Hugh, 2021. A Brief History of “John Brown’s Body” [Essay]. Digital History. URL https://www.digitalhistory.uh.edu/active_learning/explorations/brown/music1.cfm

JOHN LOGAN, 1868. Logan’s Order Mandating Memorial Day [Order]. John A. Logan College. URL https://www.jalc.edu/admissions/logans-order-mandating-memorial-day/

Livia Albeck-Ripka, 2023. A Brief History of Memorial Day [Essay]. The New York Times. URL https://www.nytimes.com/article/memorial-day-history.html

Michael Burlingame, 1995. New Light on the Bixby Letter [Analysis]. Journal of the Abraham Lincoln Association. URL https://quod.lib.umich.edu/j/jala/2629860.0016.107/--new-light-on-the-bixby-letter?rgn=main;view=fulltext

Morgan Phillips, 2026. Seven US service members injured in Venezuela raid to capture Maduro, official says [News]. Fox News, URL: https://www.foxnews.com/politics/seven-us-service-members-injured-venezuela-raid-capture-maduro-official-says

Rick Howard, 2024. Memorial Day special. [Podcast]. The CyberWire. URL https://drive.google.com/file/d/1NKZr4k2H3goJ98NzXwFpu6fyvz3xA3QM/view?usp=sharing

Ryan C. Berg, Mark Cancian, Joseph S. Bermudez Jr., Jennifer Jun, Henry Ziemer, Chris H. Park, 2026. Imagery from Venezuela Shows a Surgical Strike, Not Shock and Awe [Analysis]. Center for Strategic and International Studies (CSIS), URL: https://www.csis.org/analysis/imagery-venezuela-shows-surgical-strike-not-shock-and-awe

Staff, n.d. Letter to Mrs. Bixby [Letter]. Abraham Lincoln Online: Speeches. and Writings. URL https://www.abrahamlincolnonline.org/lincoln/speeches/bixby.htm

Staff, 2020. A Brief Biography of General John A. Logan [Biography]. John A. Logan College. URL https://www.jalc.edu/admissions/a-brief-biography-of-general-john-a-logan/

Staff, 2024. Civil War Timeline [WWW Document], American Battlefield Trust. URL https://www.battlefields.org/learn/articles/day-civil-war

Staff, 2026. Pentagon data: 13 US troops killed, 346 wounded in Operation Epic Fury [News]. Military Times, URL: https://www.militarytimes.com/news/your-military/2026/04/08/pentagon-data-13-us-troops-killed-346-wounded-in-operation-epic-fury/

Thomas Jefferson, 1776. Declaration of Independence: [Transcription]. National Archives. URL https://www.archives.gov/founding-docs/declaration-transcript

Paul Robeson, 2021. John Brown’s Body [Song]. YouTube. URL

General George Marshall, 2014. President Lincoln’s Letter to Mrs Bixby [Movie Clip - Saving Private Ryan]. YouTube. URL

Recommended for D&D fans.
Recommended for Hunger Games fans.
Recommended for lovers of great voice acting talent.

I just finished The Count of Monte Cristo. It was great but long; 60 hours in audio format. I needed a palate cleanser. I’ve been eyeing Dungeon Crawler Carl for a while now and thought it would be the perfect antidote to the sprawling French soap opera with a gazillion characters and set in the times of Napoleon.

I am an old Dungeons and Dragons (D&D) guy from way back. I played in college (early 1980s), joined an adult game in the mid 1990s, and then taught my son in the mid 2000s. Over the past decade, my son has surpassed the master by running his own D&D games at the local comic book store for pay (Dream Job).

Dungeon Crawler Carl is the first book in Matt Dinniman’s series. It is narrated by Jeff Hays who is an amazing actor. The audiobook feels like a full cast. In reality, it’s almost entirely performed by Hays. Incredible.

The premise is ridiculous and exquisite. An alien corporation, Borant, destroys every human-made structure on Earth, repurposing the debris into an 18-level underground dungeon spanning the globe. Out of the ~8 billion people living on earth before the attack, roughly 13 million survive after and find their way to one of 150,000 dungeon entrances. By entering, they are forced into a lethal, world-wide D&D game designed for alien entertainment and broadcast across the galaxy. It’s The Hunger Games crossed with The Running Man crossed with World of Warcraft.

Carl and his girlfriend’s cat, Princess Donut the Queen Anne Chonk, enter the dungeon and begin their descent. They survive by Carl’s common sense and Princess Donut’s personality. They gain experience, levels, and attract followers by killing monsters (mobs) with style.

And it’s funny (if you don’t count the slaughter of every human on the planet minus 13 million). Carl even has a catch phrase: “God Dammit Donut!”

As of this writing, there are six books in the series:

• Dungeon Crawler Carl (2021)

• Carl’s Doomsday Scenario (2021)

• The Dungeon Anarchist’s Cookbook (2021)

• The Gate of the Feral Gods (2022)

• The Butcher’s Masquerade (2022)

• The Eye of the Bedlam Bride (2023)

In this first book, the story follows a classic three act structure:

• Act 1: World destruction + forced entry

• Act 2: Learn rules + survive chaos

• Act 3: Exploit system + gain influence

And they get a baby velociraptor named Mongo, because, of course they do.

At the end, Carl and Donut (and Mongo) are ready to descend to the 3d level to choose their race and class. Carl has progressed to a Level 13 human and Donut has made it to a level 14 sapient cat. The human race survivor count has collapsed to 600,000.

Bottom line: I really like these characters. I can’t wait to read the second book. If you’re a D&D fan from somewhere back in the day, or are currently slashing your way through D&D campaigns with vigor, you will appreciate all of the D&D references. If you’re a newbie to the genre, the voice talent and expert storytelling will hook you. Yes, it’s a dumb premise but it’s told with style and skill. And the voice acting is fantastic.

Source

Matt Dinniman (Author), Jeff Hays (Narrator), 2021. Dungeon Crawler Carl [Audio Book]. Soundbooth Theater - Audible, URL: https://www.audible.com/pd/Dungeon-Crawler-Carl-Audiobook/B08V8B2CGV

References

Alexandre Dumas (Author), Robin Buss (Translator), Bill Homewood (Narrator), 1844. The Count of Monte Cristo [Book]. Narrated by Bill Homewood. Goodreads. URL https://www.goodreads.com/book/show/7126.The_Count_of_Monte_Cristo

Rick Howard, 2026. Wait and Hope: The Count of Monte Cristo [Book Review]. First Principles Newsletter Substack, URL: https://diffuser.substack.com/p/wait-and-hope

Staff, 2021. Dungeon Crawler Carl Wiki [Wiki]. Fandom, URL: https://dungeon-crawler-carl.fandom.com/wiki/Dungeon_Crawler_Carl_Wiki

I’ve been a fan of the MITRE ATT&CK framework for over a decade now. At a high level, it’s essentially an open-source intelligence report that captures the Tactics, Techniques, and Procedures (TTPs) of cyber adversary campaigns across the Intrusion Kill Chain. It is a structured knowledge base and taxonomy of observed adversary behavior built from public reporting and real-world observations. ATT&CK began with an APT-heavy focus, but today it tracks a broad set of publicly reported adversary activity clusters, including state-sponsored, criminal, and hybrid operations. It has become the industry’s de facto standard for representing and sharing adversary playbook intelligence.

This intelligence artifact, the framework, helps network defenders pursue their Threat-Led Defense prevention strategy. I called it something else in my book. I called it the Intrusion Kill Chain Prevention strategy.

Cybersecurity First Principles Book

In a previous essay (Source: The Kill Chain Rises from the Dead), I made the case that the number of unique adversary campaigns running on the internet on any given day is between 1,000 and 1,500. Unique, in this case, means that the sequence of intrusion kill chain steps is so different that it can’t be confused with another campaign’s sequence. Some campaigns use the same TTPs, sure, but in general, individual campaigns are singular.

What Does Threat-Led Defense Mean?

The main idea behind Threat-Led Defense (Intrusion Kill Chain Prevention) is to place obstacles in the way of every move that the adversary makes. To do that, network defenders deploy as many prevention controls as possible for every tool in their security stack and maps those controls to the campaign’s known TTPs. This strategy targets known adversary behavior specifically. That makes it a more active strategy, a more Spy vs Spy strategy, a strategy that engages with the adversary, like two boxers in a ring.

Contrast that to the Zero Trust strategy where network defenders deploy generic controls that might prevent any adversary from being successful. It’s passive, like putting a lock on your backyard fence gate to prevent thieves from getting in. You’re not reacting to what the bad guy is actually doing. You’re just ensuring that it’s not easy to break in. If you were reacting to what the bad guy was doing, you might grab a baseball bat from your daughter’s closet when you hear that noise in the middle of the night, head out to the backyard, and provide some disincentive for whomever is out there. That’s the difference. Threat-Led Defense is an active strategy and Zero Trust is passive.

How Do You Measure the Success of Your Threat-Led Defense Strategy?

Let’s say you’re an advocate of the Threat-Led Defense strategy and you have spent the last year deploying controls to your security stack toolset that map to the TTPs of the ATT&CK framework. How do you know how well you’re doing? Are any of your ATT&CK-mapped controls producing signal? It turns out that this is a far more complicated task than it sounds, really hard to deploy, and expensive to maintain. Here’s why.

If you’re a mid-sized to Fortune 500 company, the number of security stack tools that you manage is anywhere from 45 to 76 (Source: Organizations Now Have an Average 76 Security Tools to Manage). How do you know the configuration status of each of those tools in reference to the ATT&CK framework? A more pertinent question is this: are any of those ATT&CK-mapped controls actually seeing activity?

My colleague, María Luisa Redondo Velázquez (TK Elevator’s Global CISO), posted an essay on LinkedIn a couple of weeks ago about an open source effort to automate a dashboard for that very purpose. It’s called the MITRE ATT&CK Coverage Dashboard built by Chris Stelzer (Source: MITRE ATT&CK Coverage). It’s an automated, agentic workflow that produces a MITRE ATT&CK coverage assessment of your Microsoft Sentinel and Defender XDR environment in roughly 10 minutes, for about 15 cents in API costs.

It pulls categories of evidence from your environment like every ATT&CK-tagged analytic rule, every ATT&CK alert that fired in the last 30 days, the list of all Microsoft ATT&CK mappings from the Center for Threat-Informed Defense (CTID), and a bunch of other things in order to build the dashboard. The result if something like this:

So Close - But There Are Problems

This dashboard is enticing and it’s better than anything I’ve seen that tries to capture how protected you are in regard to MITRE ATT&CK. Particularly interesting to me is the “Combined Tactic Coverage (Rule-Based + Platform) section; a snapshot of how your Microsoft products are protecting your environment across the kill chain.

But there are problems with the chart too. Just in terms of “Chartology,” Chris uses a lot of colors and “scores” to indicate status but there is no explanation on the chart about what those colors or scores mean. If you’re an Edward Tufte fan, you will know what I mean.

More importantly, the chart doesn’t explain the nuance. For example, in the top-left-hand corner, the section called “MITRE Coverage Score,” the percentage in this example is only 45.1%. At first glance, that number might be alarmingly low. Contoso is only protected from 45% of the known ATT&CK Techniques. In reality, the Tactics and Techniques from the ATT&CK TTP triad aren’t normally granular enough to build a security control from. They are kind of high-order taxonomy categories. You typically don’t get the granularity you need to build a control until you collect the actual Procedures that the bad guys used in the campaign. A 45% score may or may not be good. Without knowing the denominator, the control quality, the enabled-vs-available distinction, and whether the mapped techniques matter to your threat model, the percentage is mostly decorative.

The last big problem with this chart is that it is focused on the wrong indicator: the Tactics and Techniques categories with no relation to any adversary campaign. For example, in the “Threat Scenario Gaps (SOC Optimization) section, you see “Credential Exploitation” counted 23 times. That sounds alarming, but is that 23 times from the same adversary campaign or is that 23 times from 23 different campaigns? The distinction matters.

What I Really Want to See

The first principle of the Threat-Led Defense strategy is not protecting yourself from every known TTP in MITRE ATT&CK with no relation to the adversary campaign. Achieving that is a tactical pursuit; a by-product of implementing the strategy. The first principle of the Threat-Led Defense strategy is deciding the probability that a specific adversary campaign is pointed at your environment.

For example, if Wicked Spider uses 100 total Procedures in its adversary campaign against Fortune 500 financials, and your security stack controls only fire on one of those Procedures, then the chances that Wicked Spider is in your network is small. But, if your security stack controls fire on 80 out of the 100 Procedures, then it’s likely that Wicked Spider is in your network.

What I want to see in my dashboard is simple. I want to see a matrix of adversary campaigns across the kill chain. In the first column, I want to list all 1500 adversary campaigns. In the second column, I want to list the number of security stack controls we have deployed against each adversary campaign and how many have fired in the last 30 days.

In the next 16 columns, I want to see ATT&CK’s kill chain phases (Recon, Resource Development, Delivery, Initial Access, Execution, Installation, Persistence, Privilege Escalation, Defense Evasion, Command and Control, Credential Access, Discovery, Lateral Movement, Collection, Exfiltration, and Impact), the number of controls we have deployed for each phase, and most importantly, how many controls have fired for each in the last 30 days. It should look something like this:

If you look at the Equation Group at the bottom of the chart, only one control has fired in the last 30 days. Whatever is going on there, it’s probably not the Equation Group.

By contrast, look at the DarkSide group at the top of the chart. 20 of our deployed controls have fired in the last 30 days. That’s a strong indicator that DarkSide is in our network. If that’s the case, it makes me wonder about the other 75 controls that aren’t firing. Either they are not very good controls to detect DarkSide activity or DarkSide has completely changed its attack campaign. Regardless, did I mention that DarkSide is in your network? It might be time to crank up the crisis response team.

Takeaway

ATT&CK coverage dashboards should move beyond aggregate tactic/technique coverage and support campaign-level investigative hypotheses: which adversary playbooks are we instrumented against, which procedure-level signals have fired recently, how unique are those signals, and what should the SOC investigate first?

MITRE ATT&CK coverage dashboards that measure the easy thing, how many TTPs your tools claim to cover, are useful. That’s not the same as knowing which adversary campaigns you are actually prepared to stop or which ones may already be knocking around your environment. The real question isn’t “What percentage of ATT&CK do we cover?” The real question is: “Which adversary playbooks are pointed at us, where are our controls deployed, and what evidence has fired recently?”

Source

María Luisa Redondo Velázquez, 2026. Measuring real MITRE ATT&CK coverage [Analysis]. LinkedIn, URL: https://www.linkedin.com/posts/marialuisaredondo_microsoftsecurity-defenderxdr-microsoftsentinel-share-7447744567044546560-v8Ub

Resources

Chris Stelzer, 2026. MITRE ATT&CK Coverage [Example Report]. SCStelz security-investigator - GitHub, URL: https://github.com/SCStelz/security-investigator/blob/main/reports/sentinel/mitre_coverage_example_report_2026040522_144021.md

Chris Stelzer, 2025. Security Investigation Automation System [Code Repository]. SCStelz security-investigator - GitHub, URL: https://github.com/SCStelz/security-investigator

Edward R. Tufte, 1990. Envisioning Information [Book]. Goodreads, URL: https://www.goodreads.com/book/show/17745.Envisioning_Information

Edward R. Tufte, 1997. Visual Explanations: Images and Quantities, Evidence and Narrative [Book]. Goodreads, URL: https://www.goodreads.com/book/show/17746.Visual_Explanations

Edward R. Tufte, 2006. Beautiful Evidence [Book]. Goodreads, URL: https://www.goodreads.com/book/show/17743.Beautiful_Evidence

Edward R. Tufte, 2020. Seeing with Fresh Eyes: Meaning, Space, Data, Truth [Book]. Goodreads, URL: https://www.goodreads.com/book/show/55610573-seeing-with-fresh-eyes

Phil Muncaster, 2021. Organizations Now Have an Average 76 Security Tools to Manage [Website Article]. Infosecurity Magazine, URL: https://www.infosecurity-magazine.com/news/organizations-76-security-tools/

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [A 2026 Canon Hall of Fame Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1

Rick Howard, 2026. The Kill Chain Rises from the Dead [Explainer]. Rick’s First Principles Newsletter (Substack), URL: https://diffuser.substack.com/p/the-kill-chain-rises-from-the-dead

Rick Howard, 2025. The Next Evolution for the Intrusion Kill Chain Prevention Strategy [Explainer]. Rick’s First Principles Newsletter (Substack), URL: https://diffuser.substack.com/p/the-next-evolution-for-the-intrusion

Staff, 2026. Mappings Explorer [Platform Controls Wiki]. Center for Threat-Informed Defense, URL: https://center-for-threat-informed-defense.github.io/mappings-explorer/

Staff, 2026. Chris Stelzer Returns! Sentinel + XDR + MCP Server! (Episode 287) [Video]. The “AI” Security Insights Show - YouTube, URL:

Like every good zombie in my favorite horror movies, intrusion kill chain prevention refuses to die.

In April, MITRE released ATT&CK v19. If one of your infosec strategies is Threat Led Defense (Intrusion Kill Chain Prevention) and your intelligence team is collecting and transforming raw information into intelligence products using some variation of the Diamond Model, then you’re probably already paying attention to this release.

In a previous essay, I explained how the Lockheed Martin Kill Chain paper, the Department of Defense Diamond Model paper, the MITRE ATT&CK framework, and Tidal Cyber’s Threat Led Defense are all related (See Sources: The Next Evolution for the Intrusion Kill Chain Prevention Strategy). Pertinent to this essay is that the ATT&CK framework is the industry’s free, open source, de facto standard for representing and sharing adversary playbook intelligence and MITRE just gave it an upgrade.

Their intelligence analysts have been releasing an upgrade roughly twice a year since version 1 in 2013 (See infographic at the bottom). In this latest version, arguably the most significant change is to the Defense Evasion tactic. Before I dive into the details of that, let me refresh you on the key components of the ATT&CK taxonomy.

The MITRE ATT&CK Taxonomy

Campaigns

When a hacker group conducts a coordinated operation against a set of victims in pursuit of a specific objective, MITRE ATT&CK calls that effort a campaign. A campaign is a coherent series of intrusion activities that occur over a defined period of time and share common objectives, infrastructure, or tradecraft.

The operational steps used during a campaign often resemble the phases described in the Lockheed Martin Cyber Kill Chain model: reconnaissance, initial access, execution, persistence, lateral movement, and actions on objectives.

A hacker group may reuse elements of a campaign against multiple victims while adapting tactics, techniques, infrastructure, and malware as the operation evolves.

Intrusion Sets

An intrusion set is the long-lived adversary organization or operational team responsible for conducting one or more campaigns over time. Cyber threat intelligence analysts assign names to these intrusion sets in order to track their behavior, infrastructure, and historical operations.

Examples include:

• Charming Kitten: Iranian espionage-focused threat actor.

• Wizard Spider: Criminal syndicate associated with Ryuk and TrickBot operations.

• Volt Typhoon: Chinese attacks targeting critical infrastructure.

An intrusion set may conduct multiple campaigns with different objectives, victims, and operational playbooks.

For example, MITRE ATT&CK associates multiple campaigns with Charming Kitten, including:

• Newscaster Campaign: Long-term social engineering and credential theft.

• COVID/Medical Research Targeting: Espionage against healthcare and research organizations.

• Recruiting-lure operations similar to “Operation Dream Job”: Human targeting and malware delivery.

In short, a campaign is a specific operation. An intrusion set is the adversary organization conducting multiple campaigns over time.

Tactics:

Each campaign or intrusion set will have multiple steps that the hacker group must execute. Broadly speaking, this is the hacker group’s intent at each phase of the intrusion kill chain.

Techniques

For each tactic, there are one or more general-purpose methods hacker groups use to pursue the tactic.

Sub-Techniques:

For each technique, there are one or more variants hacker groups use.

Procedures:

For each technique or sub-technique, intelligence analysts collect the actual observed hacker behavior on the victim’s systems.

Example

• Campaign: KV Botnet Activity

• Intrusion Set: Volt Typhoon

• Kill Chain Phase: Actions on Objectives

• Tactic: Defense Evasion

• Technique: Command and Scripting Interpreter (T1059)

• Sub-technique: PowerShell (T1059.001)

• Procedure: Used native PowerShell commands and WMI to avoid dropping malware and blend into administrator activity

How Many Attack Campaigns in the World?

Specifically, at any given moment, how many distinct operational campaigns are simultaneously active across the internet?” The MITRE ATT&CK framework can’t answer that question. It’s not a live operational intelligence platform. It’s a curated historical knowledge base with manually modeled adversary behavior based on published reporting. It does not maintain real-time campaign counts, active operation telemetry, or continuously updated operational status. To find the number, we’re going to have to do some Fermi estimating.

The MITRE ATT&CK framework tracks roughly 190 different intrusion sets. Let’s assume that most have at least one campaign running at any given time and some might have two or three.

My best-order-of-magnitude estimate, based on the ATT&CK database, is that the range of active operational hacker campaigns running on the internet on any given day is between 500 and 1,000.

But, ATT&CK mostly tracks nation state activity with a handful of impactful cyber crime campaigns. If you include other security vendor’s estimates, like Microsoft , there are roughly 300 other unique cyber crime or hacktivist intrusion sets that run one or more campaigns. Combining the two, I will adjust my estimate upward. My new range is between 1,000 and 1,500 unique attack campaigns that are running on the internet for any given day.

That Seems Small

When asked the question, most infosec professionals think that range is too small. They usually estimate that the number has to be in the hundreds of thousands if not in the millions. The confusion stems from conflating the number of ongoing campaigns vs the number of targeted victims engaged in those campaigns.

Once a hacker team crafts a playbook that works in the wild, they don’t change it for every targeted victim. They just keep running the same playbook against multiple victims until some network defender forces them to stop. That means that the number of attacks in the wild could well be north of 100,000 if not a million. That’s why the problem feels so daunting.

But the actual number of distinct adversary playbooks running at any given moment, the playbook that we have to defend against, is only between 1,000 and 1,500. That’s the reason that threat led defense (intrusion kill chain prevention) is so compelling. It gives the network defender the advantage.

Threat Led Defense Gives the Defender the Advantage

Since there are only 1,500 adversary playbooks, it’s possible that we could deploy detection and prevention controls for every phase of the kill chain mapped to every tool in our security stack. These controls would be specific for every hacker campaign based on known TTPs.

Mature intrusion sets (like APT29, APT28, the Lazarus Group, and the Sandworm Team) contain between 20 and 60 steps (techniques) in their attack campaign. That means they have to string together a lot of things in order to complete their mission.

The beauty of the intrusion kill chain strategy (threat led defense) is that the network defender only has to prevent one of those techniques to defeat the attack; to break the attack chain. That’s what we mean with the phrase “The Kill Chain.” There are many places along the attack chain where the network defender can kill the attack. Even if the hacker group finds a work-around to our defensive measure at step 29, our prevention controls for steps 30-60 will kill the attack.

Hard to Do

In theory, this is a great approach. In practice though, it turns out that this is really hard to implement. It’s also quite expensive. Only large organizations with big intelligence teams and lots of money can afford it.

And, until recently, creating detection and prevention controls for every tool in your security stack mapped to MITRE’s TTPs hasn’t been that easy. Tactics, techniques, and sub-techniques are too generic in most cases to develop a meaningful prevention control. I mean, what firewall rule do you write to handle the following?

• Tactic: Defense Evasion

• Technique: Command and Scripting Interpreter (T1059)

• Sub-technique: PowerShell (T1059.001)

Those are just framing categories. What network defenders need are details on procedures, the third leg of the MITRE TTP triad.

Hope: Intrusion Kill Chain Prevention Strategy Rising from the Grave

Until recently, the MITRE ATT&CK framework has been light on documented procedures. It has been tough to get them from public reporting. They exist, but they are rare.

Last year, Tidal Cyber (a startup I advise), pointed their large language model at public intelligence reports looking for procedures. They have been wildly successful. In a short amount of time, they have collected some 20,000 procedure examples and shared them with the community via the ATT&CK framework and their own platform. It’s a game changer.

But, converting public reporting intelligence reports into prevention controls has, up until now, been mostly manual. Automating that task has always been in the “too hard to do” bucket. Network defenders were always afraid that they might break some material business process as a secondary effect. That means that transforming these relatively new 20,000 procedure examples into prevention controls are out of reach for most organizations. They don’t have the resources to manually go through the list.

Counterintuitively, the hope comes with Anthropic’s release of Mythos a few weeks ago; the AI tool designed to automatically discover software vulnerabilities and write exploit code to leverage them. Boards and infosec professionals have started to realize that automating responses to new threats like emerging exploit code might add enterprise risk by sometimes breaking things, but it may be the only way to prevent a catastrophic cyber event in the future. It’s the same idea for automating prevention control deployments based on procedures.

And, by the way, using AI tools goes both ways. If hackers can use AI to rapidly develop new exploit code, network defenders can use those same tools to automate their defensive response.

A year ago, if asked, I would have told you that threat led defense, the intrusion kill chain prevention strategy from my Cybersecurity First Principles book, is a failed strategy for most organizations.

First Principles Book

If you’re a Fortune 500 company, you can afford it. But the strategy is out of reach for most organizations. It’s the right idea but is too hard to implement. It can’t be a first principle strategy if it doesn’t apply to everybody.

Today though, with the advent of Tidal Cyber’s ability to automatically cull meaningful procedures from public intelligence reporting, and Mythos showing business leadership that reactive automation is the way to go, the strategy has gained new energy.

And that’s why I’m excited about the ATT&CK ver 19. It demonstrates that the strategy is evolving, changing as we learn how to do it better. In version 19, MITRE has decided to split the Defense Evasion tactic.

The Defense Evasion Split

According to MITRE’s Allison Henao and Alice Koeninger, the Defense Evasion tactic had become a placeholder.

With over 40 techniques under a single umbrella, Defense Evasion became something of a catch-all. A behavior landed there if it was evasion-adjacent, regardless of what the adversary was actually doing.

These techniques went back and forth between hacker groups trying to hide their presence (stealth) by making everything look normal and hacker groups actively taking over infrastructure so that they won’t get noticed (Impair Defenses). Clearly, those two sets of activities are not the same and require different responses.

To address the problem, MITRE has effectively retired the Defense Evasion tactic and replaced it with two separate tactics: Stealth and Impair Defenses.

Take away

I used to think intrusion kill chain prevention was strategically correct but operationally unrealistic. The theory was elegant. The implementation was brutal. Too much manual effort. Too much intelligence work. Too much tuning. Too many opportunities to break production systems. But AI changes the economics. Suddenly, collecting procedures at scale is possible. Mapping them to controls is possible. Automating defensive response is becoming possible. We may finally be approaching the moment where defenders can fight at machine speed without completely surrendering control to the machines. That’s why ATT&CK v19 matters. It’s not just another framework update. It’s evidence that the defensive model itself is evolving.

Note on the Infographic: This is my best guess reading through the MITRE documentation. If there are errors, that’s on me. If you find any, let me know. MITRE didn’t start officially versioning the framework until 2018. Prior, they just added new features to the website. I tried to capture the significant changes since the beginning.

Source

Amy L. Robertson, 2026. ATT&CK v19: The Defense Evasion Split, ICS Sub-Techniques, New AI & Social Engineering Coverage, and Detection Strategies for Mobile [Explainer]. MITRE ATT&CK® on Medium, URL: https://medium.com/mitre-attack/attack-v19-ff329cb65d66

References

Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, Cody B. Thomas, 2018. MITRE ATT&CKTM: Design and Philosophy [Paper]. MITRE. URL https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf

Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [Paper]. Lockheed Martin Corporation. URL https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, 2026. Magic Quadrant for Cyberthreat Intelligence Technologies [Report]. Gartner, URL: https://www.gartner.com/doc/reprints?id=1-2NB75Z8E&ct=260505&st=sb

Lauren Lusty, Allison Henao, Alice Koeninger, 2026. Defense Evasion Split: A Tale of Two Tactics [Explainer]. MITRE ATT&CK® on Medium, URL: https://medium.com/mitre-attack/defense-evasion-split-5d533545fa32

Rick Howard, 2022. Kill chain trifecta: Lockheed Martin, ATT&CK, and Diamond. [Analysis]. The CyberWire. URL https://thecyberwire.com/podcasts/cso-perspectives/72/notes

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [A 2026 Canon Hall of Fame Book]. Amazon. URL https://www.amazon.com/Cybersecurity-First-Principles-Strategy-Tactics-ebook/dp/B0C35HQFC3/ref=sr_1_1

Rick Howard, Blake Strom, 2023. MITRE ATT&CK Framework [Podcast]. The CyberWire. URL https://thecyberwire.com/podcasts/daily-podcast/1968/transcript

Rick Howard, 2025. The Next Evolution for the Intrusion Kill Chain Prevention Strategy [Explainer]. Rick’s First Principles Newsletter (Substack), URL: https://diffuser.substack.com/p/the-next-evolution-for-the-intrusion

Sergio Caltagirone, Andrew Pendergast, Christopher Betz, 2011. The Diamond Model of Intrusion Analysis. Center for Cyber Threat Intelligence and Threat Research [Paper]. https://www.activeresponse.org/. URL https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

Staff, 2024. Microsoft Digital Defense Report 2024 [Open Source Intelligence Report]. Microsoft Security Insider, URL: https://www.microsoft.com/en-us/security/security-insider/threat-landscape/microsoft-digital-defense-report-2024

Staff, 28 April 2026. Updates: MITRE ATT&CK 19 [Announcement]. MITRE ATT&CK, URL: https://attack.mitre.org/resources/updates/

I’ll start with the verdict: the Cybersecurity Canon Committee got this one exactly right. Code Girls: The Untold Story of the American Women Code Breakers Who Helped Win World War II absolutely belongs in the Hall of Fame, and I wholeheartedly endorse its induction.

If you think the history of cryptology in World War II begins and ends at Bletchley Park and Alan Turing, this book will correct that assumption fast. Mundy pulls back the curtain on a parallel American effort. They ran it at scale, under extreme secrecy, and it was largely powered by women. These exceptional cryptanalysts performed the bulk of the operational code breaking that helped win the war. This isn’t just a recovery of forgotten history; it’s a recalibration of where the real work got done.

I’ve been a fan-boy to the WWII code breaking efforts at Bletchley Park for many years now. Alan Turing is a personal computer science hero of mine. I first heard about his Enigma-busting exploits against German codes in my favorite hacker novel of all time, 1999’s Cryptonomicon, written by the Cybersecurity Canon Lifetime Achievement author, Neal Stephenson. Of course, the excellent 2014 movie The Imitation Game with Benedict Cumberbatch playing Turing is one of my favorites.

Sometimes it’s the people no one imagines anything of who do the things that no one can imagine. - The Imitation Game

It turns out that an entire group of other people that no one imagined anything of were doing similar work in the United States. I always knew that there were like-minded efforts going on in the Pacific Theater. I heard rumors of the Americans breaking various codes, like the team working for William Friedman that solved the Japanese Purple code, and the efforts of Joe Rochefort breaking the JN-25 code that led to victory at the Battle of Midway. But I never found any books that told that story. Well, now I have. “Code Girls” by Liza Mundy is a treasure.

We learn from Mundy that cryptography is the art and science of code making, cryptanalysis is the discipline of code breaking, and cryptology captures both skill sets. Mundy describes Code Girls who operated primarily as cryptanalysts.

The remarkable characteristic about the “Code Girls” story is that despite the heroic efforts of Friedman and Rochefort, the day-to-day work of deciphering Japanese and other nations’ codes during WWII was largely done by American women, civilians at first and then in collaboration with the newly formed WAVES (Women Accepted for Volunteer Emergency Service in The United States Naval Reserve) and the WAACs (Women’s Army Auxiliary Corps) that came into service in 1942.

While military and civilian men mostly got the credit, it was these formidable women who ran the show. And their efforts were so secretive, that many went to their grave without telling their loved ones what they did during the war. Family and friends thought that the “Code Girls” just did administrative work.

Mundy is able to tell the stories of some 20+ women, what they did with their cryptanalyst efforts, and how they lived their lives. Let me just highlight six of the superstars.

The Women

Agnes Meyer Driscoll:

• One of the great cryptanalysts of all time.

• Made major breakthroughs against Japanese naval cryptosystems in the 1920/30s.

• Cursed like a sailor (Similar to Admiral Grace Hopper).

• She was known for saying that any man-made code could be broken by a woman.

  • Note: Sounds like a similar line from “The Return of the King” movie.

    • Witch-king: “No man can kill me” ‘

    • Éowyn: “I am no man,” before striking him down.

• Early work on Japanese naval codes was foundational to later team-based successes against JN-25.

• Mentored and influenced a generation of Navy cryptanalysts, many of whom later received the credit.

• Learned how the Japanese disguised their fleet code, using a method called “superencipherment,” that involves both a code and a cipher.

• In 1937, she suffered a car crash that broke her leg badly, as well as both jaws. It took her a year to recover, and in some ways she never did. Many people felt her personality changed following her ordeal.

• In 1940, the Navy took her off JN-25 and assigned her to an independent U.S. solution of Enigma, but her efforts lagged behind the more advanced British program.

• After the war, the Navy revered her work yet marginalized her role and didn’t seem to know what to do with her.

Elizebeth Smith Friedman

• Was part of the early Riverbank Laboratories effort that helped establish modern U.S. cryptanalysis.

• Broke rumrunner codes during Prohibition for the U.S. Coast Guard that resulted in successful prosecutions. In court, she testified as an expert witness.

• Married to William Friedman, the man who supervised the breaking of the Purple Code. Mundy makes a strong case that Elizabeth may have been the more naturally gifted early cryptanalyst and likely influenced William Friedman’s development.

• Variously employed by the Justice and Treasury Departments, the Customs Bureau, the Coast Guard, and other agencies

Genevieve Grotjan

• In September 1940, played the key role in identifying the pattern that enabled the U.S. to break the Japanese Purple code (Codename: Magic) that enabled sustained insight into Japanese diplomatic communications throughout much of the war.

Ann Caracristi

• A problem-solving prodigy, intellectually ferocious, Annie worked twelve-hour shifts, day after day.

• As a 23-year-old, became the head of an Army research unit.

• One of only a few superstars who were asked to stay on after the war.

• Matched wits against Japanese code makers, solving message addresses and enabling military intelligence to develop “order of battle” showing the location of Japanese troops.

• Broke the Japanese Army address code system and excavated code groups revealing the place names of where Japanese Army units were located.

• She had this mesmerizing thing she could do, flipping a pencil between her fingers and never dropping it (Like Boris Grishenko, played by Alan Cumming, in the James Bond movie GoldenEye.

Wilma Berryman, later Wilma Davis

• Helped Ann Caracristi break the Japanese Army address code system.

Fran Steen, Later Suddeth Josephson

• Helped break the inter-island cipher JN-25 code (Code name: Pretty Weather) that facilitated the assassination of General Yamamoto.

The Codes

• JN-20: A lower-level naval cipher system; regional/logistical communications. Cracking aided in the naval battle at Midway.

• JN-25: Primary an imperial Japanese Navy operational code; strategic, fleet-level, war-winning intelligence; Cracking led to assassination of General Yamamoto.

• 2468: Water transport code. Cracking led to revealed supply chains and vulnerabilities.

• 2345: Weapons logistics. Cracking exposed the Japanese Army’s logistics backbone.

• 3366: – Aviation code: Cracking led to aircraft movement and support

• 5678: High-volume, widely used Japanese Army communications system, Cracking helped pattern recognition to increase confidence.

• 6666: Isolated or cut-off Japanese forces (late war). Cracking led to insight into degraded, fragmented command structures.

• 6789: Promotions/transfers. Cracking led to an understanding of unit structure; specifically leadership changes

• 7777: A theater-level Japanese Army communications system, associated with regions like the Southwest Pacific. Cracking led to understanding regional priorities, command relationships, and coordination between units in a specific battle space.

I have two minor nitpicks about the book. The first is that Mundy tells a scattered story. If the reader wants to hear about the extraordinary accomplishments of, say, Ann Caracristi, there is not one place to look. You have to pick it up in fragments as you read the book. I found that to be frustrating. Second, Mundy devotes significant space to the personal and social lives of the Code Girls; their friendships, relationships, and life transitions alongside the war. That context will resonate with many readers and adds human depth to the story. For my purposes, though, I would have preferred more emphasis on the technical details and operational impact of their cryptanalytic work.

Those two minor complaints aside, I want to give a full throated endorsement for the Canon’s induction of this book’s into the Cybersecurity Canon Hall of Fame. It’s not just as a compelling history, but as a corrective to the way we tell the story of cybersecurity’s origins. The lesson is straightforward: the foundation of modern cryptanalysis was not built by a handful of famous men. It was scaled, operationalized, and sustained by thousands of disciplined analysts, many of them women, working in obscurity. If your mental model of the field still centers on lone geniuses, this book forces an update. The Code Girls weren’t an exception to the rule. They were the rule.

Source

Liza Mundy (Author), Erin Bennett (Narrator) 2017. Code Girls: The Untold Story of the American Women Code Breakers Who Helped Win World War II [2021 Canon Hall of Fame Book]. Goodreads, URL: https://www.goodreads.com/book/show/34184307-code-girls

• Canon Review URL: https://cybercanon.org/code-girls/

References

Ashley Bennett, 2018. Cypher [Game Walkthrough Guide]. The Walkthrough King, URL: https://www.walkthroughking.com/text/cypher.aspx

Neal Stephenson, 1999. Cryptonomicon [2019 Canon Lifetime Achievement Author]. Goodreads, URL: https://www.goodreads.com/book/show/816.Cryptonomicon

• Canon URL: https://cybercanon.org/cryptonomicon/

Heather Antoinetti, 2026. “Code Girls” Example of Fragmentation during WWII is the same one stalling your AI strategy today. [Essay]. LinkedIn, URL: https://www.linkedin.com/posts/hantoinetti_womenshistorymonth-aiadoption-leadership-share-7444396839564382209-HMgq/

Heather Antoinetti, 2026. The Women Who Broke Codes and the System That Slowed Them Down [Essay]. The Ah-Ha Moment, URL: https://ah-ha.ai/the-ah-ha-moment/the-women-who-broke-codes-and-the-system-that-slowed-them-down

Morten Tyldum (Director), Graham Moore (Writer), Benedict Cumberbatch (Actor), Keira Knightley (Actor), and Matthew Goode (Actor), 2014. The Imitation Game [Movie]. Letterboxd, URL: https://letterboxd.com/film/the-imitation-game/

Benedict Cumberbatch (Actor), Keira Knightley (Actor), Michael Gathright (YouTube Content Producer), 2016. Imitation Game no one can imagine [Video]. YouTube, URL:

I’m working on my Cybersecurity Canon review of Tony Martin-Vegue’s 2026 book, From Heatmaps to Histograms. In the prologue, Tony says this:

You won’t find the answers to cyber risk quantification inside the cybersecurity industry, not in the books, frameworks, or certifications. That’s where the myths are born: that quant is impossible, that you need mountains of perfect data, that it’s too complicated to be worth it.

I’ve been trying to convey that exact sentiment for about five years now. When I’m writing and speaking to groups, I usually say this immediately after.

We are wrong of course.

Tony’s book is excellent. You should read it.

Source

Tony Martin-Vegue, 2026. From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification [Book]. Goodreads. URL https://www.goodreads.com/book/show/243058626-from-heatmaps-to-histograms

Right now, boards are approving millions in cybersecurity spend every year without knowing if it actually reduces risk.

I run a small consulting service called First Principles Consulting where I advise clients on cybersecurity strategies that buy down business risk.

First Principles Consulting

Last week, I briefed the board of a large organization in terms of revenue. The board secretary asked me to talk about my book and how it applies to board oversight.

First Principles Book

Further, she wanted me to give an overview of the Mythos platform and recommend how the board should think about this latest cybersecurity threat. I had 20 minutes.

Here is what I presented

Let’s be a Bit Controversial

Business leaders and board members let security pros like me get away with Fear Uncertainty and Doubt briefings for three decades. I call them FUD Briefings

I’ve been in the cybersecurity field for over 30 years. I’ve spent gazillions of dollars pursuing the accepted industry best practices of the day just like everybody else. But about 10 years ago, I had to admit that I really couldn’t tell my organizational leaders whether or not I had actually improved our defenses in some meaningful way; that what I was doing actually helped the business by improving its risk posture.

Oh, I collected the technical metrics by counting all the security things. I produced big and scary looking heat maps to justify additional funding for the next perceived threat. And The Heat Map slowly became the industry standard for conveying cyber risk to leadership.

But, I mean, just look at that chart. Those are adjectives, feelings. They don’t represent facts about the business. And if the “critical” label in the top right corner wasn’t scary enough, we color coded it red just to make sure you didn’t miss the point.

How do you make resource decisions based on feelings? It’s like saying we should buy the next firewall because they’re fluffy. That doesn’t make any sense

When my peers and I get together behind closed doors, you know, at the bars, on the side streets near the conferences we were all attending, we unabashedly call the Heat Map the FUD briefing.

Looking back over my career, I’m a bit ashamed that I did that; that we all did that; that board members and senior staff let us get away with it. More importantly, I’m embarrassed that, back in the mid-1990s, just after we invented the CISO job, my peers and I somehow convinced business leaders and board members that cybersecurity risk was special; different than all the other risks that the business had to deal with.

We said that cyber risk was so distinctive that it required special handling compared to all the other business risks like strategic, financial, operational, etc; that cybersecurity risk was so technical and scary, that it couldn’t be thought of in the same business risk terms.

We were wrong, of course.

But we made business leaders believe it and, by the way, business leaders let us get away with it.

A Reboot of Cybersecurity Strategy

Don’t get me wrong. The cybersecurity people-process-technology triad did improve. We got better at what we were doing. We just never stopped to consider if we were going in the right direction in the first place. Most of us couldn’t even articulate a direction at all other than we need more stuff, and we absolutely couldn’t tie our efforts back to measuring business risk.

It occurred to me that what we needed was to wipe the table clean. Get rid of all of our assumptions about what works and what doesn’t. Eliminate all the frameworks and compliance standards and start from scratch. This, of course, got me to thinking about the idea of first principles.

I looked at the historical big thinkers, the philosophers, like Aristotle and Descartes. Descartes, perhaps the GOAT of first principle thinking with his

Cogito Ergo Sum - I think, therefore I am.

I looked at the mathematicians like Whitehead and Russell who reinvented the language of math from the ground up when they realized that you could get two absolutely correct answers to the same problem using the existing set of math rules. It took them 80 pages to prove that 1 + 1 = 2. And in my favorite footnote of all time, the authors said, and I quote,

The above proposition is occasionally useful.

Who knew that math nerds could be funny?

I even looked at Elon Musk and how he solved the problem of reusable spacecraft. He didn’t look at what NASA did in the 1960s and took the next step. Instead, he threw everything out and started from scratch with first principles

These big thinkers, and many, many more, tackled gigantic complex problems by reducing them to first principles first, and then reasoning outward from there.

First Principles are atomic. They are the foundation for everything that follows. They are the absolute “What” regarding the thing we are trying to achieve reduced to their essential essence. Once you find them you can’t break them down any further

Cogito Ergo Sum- I think therefore I am.

Which made me wonder, what is the absolute cybersecurity first principle?

The Absolute Cybersecurity First Principle

I won’t bore you with the many iterations I went through, but three years ago, I published a book where I made the case for what I believe is the absolute cybersecurity first principle. Here’s it is:

That’s it.

It seems simple. It’s no longer than a Twitter line. But in practice, it’s quite complex. It’s actually three things.

1. Reducing the probability.

2. Worry about material business impacts only.

3. Forecast within the current business cycle.

In order to reduce the probability, you have to calculate the current probability. As an industry, we’re really quite bad at this. Most of us avoid the question because calculating it seems hard. There’s math involved, and probabilities. Because of that, we think we need five nines of precision and accuracy. Most of my peers think that this kind of quantitative analysis is impossible in the cybersecurity space.

So we punt and give business leaders qualitative analysis in the form of heatmaps. And by the way, there are reams of scientific papers that have proved, over and over again, that heat maps are just bad science when it comes to conveying risk to senior leaders (See the Hubbard and Seiersen 2018 Cybersecurity Canon Hall of Fame Book, How to Measure Anything in Cybersecurity Risk or my summary of it in the Resources section below).

The thing is, you don’t need that kind of detail; that five nines of detail. You’re looking to make business decisions to buy down risk. What you need is good-enough precision and accuracy, ballpark precision and accuracy, in the same order-of-magnitude precision and accuracy, so that a business leader can make a decision about whether to buy the new firewall or not, whether to hire that new SOC analyst, or whether to implement that new access management policy.

Calculating that probability can be done and I talk about how to do it in my book. And this is what it might look like for this large company.

This is a first draft Loss Exceedance Curve that forecasts the probabilities of dollar loss thresholds over the next year. This is an outside in forecast, meaning, that it doesn’t take into consideration any of the generic company’s deployed defensive measures. This forecast only considers the general case. What is the probability of a material loss to any institution of the same size and vertical in terms of revenue. If we factored in their deployed infosec program, these numbers would most likely be two to three points lower.

For example, in this outside-in-analysis, the probability that this generic company might lose a million dollars in the next business cycle is 6%. The chances that it will lose more than $100 million is just .65 percent. That brown dot represents the generic company’s material loss threshold. I made an assumption that any loss less than 2 Million would hurt but it wouldn’t be material to the business. But anything greater would be. The probability of that event is just 5.54 percent.

Here’s my point: wouldn’t you rather see a loss exceedance curve, built on concrete business data and explicit ranges of uncertainty, that estimates the probability of a material loss within the next year to the right order of magnitude, rather than qualitative Heat Maps and their fluffy adjectives?

The bottom line is this: If we can’t estimate the probability of loss, then every cybersecurity investment is effectively a guess based on feelings and fear. We can do better than that and I believe boards can provide the guidance to get us there.

First Principle Takeaway

Thinking in terms of first principles reduces cybersecurity to its essence: What is the probability of a material cyber event in the next business cycle. This focuses the entire activity towards business goals. It gives senior leaders and board members a path to weigh cyber risk against all the other business risks and to evaluate if the spend is worth the investment. First principles turn cybersecurity from a cost center into a capital allocation problem. Once you define probability, materiality, and time, every dollar you spend can be evaluated against how much risk it actually removes.

Mythos: Vulnerability Discovery and the Burglar Metaphor.

Recently, Anthropic, one of the big AI companies, announced a new product, Mythos, and it’s restricted access program, Project Glasswing. Security professionals have been reacting to Mythos the way the world reacted to ChatGPT in 2022; stunned by what it can do and uncertain about what comes next.”

Mythos is Anthropic’s highly capable AI model designed for cybersecurity tasks, especially vulnerability discovery and exploit code development. Because of the potential danger, Project Glasswing is Anthropic’s program to only allow access to a small selection of vendors and infrastructure operators. Mythos isn’t available to the public. In order to understand the significance of this new development though, I like to use a metaphor to explain the difference between software vulnerabilities and exploit code.

Think about securing your house from intruders. Nobody’s house is burglar proof. You lock your doors and windows, you subscribe to a security monitoring company, and you have two big dogs that mostly sleep in the living room but you claim that they’re your watchdogs. But, there are weaknesses.

You chose cheap locks, and sometimes, you forget to lock the windows when you go to bed. You put the dogs in the Kennel at night. Nothing bad has happened yet. You just know that there are certain vulnerabilities in your system.

The same is true for software. Developers sometimes write code that has inherent vulnerabilities built in. They either made mistakes when they were writing it or they didn’t follow the standard rules designed to prevent such things. Hackers, in contrast, write exploit code designed to leverage a specific software vulnerability.

In our house metaphor, a burglar walks up to the ground floor window in the middle of the night, notices that you forgot to lock the window, opens the window, and climbs into the house. The burglar has exploited the vulnerability. When hackers launch an exploit at a piece of software, they are looking to climb in a software window; to gain access to a system on the victim’s network. There is an entire portion of the cybersecurity industry dedicated to finding software vulnerabilities and getting them patched as quickly as possible so that hackers can’t do this.

Why is Mythos Significant

Before Mythos, the process of building reliable exploit code was extremely manual and expensive. Governments would pay anywhere from tens of thousands to over a million dollars for reliable exploit code, depending on the target (Source: Perlroth). It’s the reason that hackers only use exploit code in less than 20% of their attack campaigns (Source: 2025 Verizon DBIR). Most hackers can’t afford to pay for the exploit code development or don’t have the skill to build the exploit code themselves. Besides, there are far easier ways to gain access to a system then running expensive exploit code.

The reason that everybody is talking about mythos is because, among other things, it has greatly reduced the cost of developing exploit code. In the same way that large language models like ChatGPT, Claude, and Gemini are significant in the way those models can summarize large quantities of text relatively quickly, Mythos can scan software repositories, identify potential software vulnerabilities, and write exploit code that leverages those vulnerabilities in a fraction of the time our previous manual process required.

Restricting access to Mythos through Project Glasswing buys time, but not much. The underlying capability, scanning code for vulnerabilities and generating exploit code, already exists across competing AI systems. None of them have a purpose-built tool like Mythos yet. They will. And adversary nation-states like China and Russia almost certainly have this capability already. They're just not publishing press releases about it.

I have an old friend of mine who still works in the NSA. This past weekend, we met for breakfast with a bunch of old Army guys and Mythos was the conversation topic. We asked him if the NSA already had this capability. He just smiled and wouldn’t confirm one way or the other. He gave nothing away but I would bet $100 of my own money that the U.S. already has this capability and has for some time.

The Mythos Impact Minus the FUD

The impact is that, in the near future, the percentage of attack campaigns that use exploit code will start to go up; way past the 20% I quoted before, because the cost just dropped through the floor.

All of this sounds alarming, even FUD-Like, but in reality, the only thing that is significantly changing will be the volume of attack campaigns that use exploit code to compromise victims. It’s not a panic moment. It is a logical progression. Every infosec team of any size already runs some form of vulnerability management. The trick today is to scale those programs using the same technology; to discover new vulnerabilities quickly, and patch them before attackers can exploit them. The appropriate response is to focus on your own vulnerability management program to ensure that it can operate at greater speed and scale.

This generic company already has a process to identify and patch vulnerabilities. The question is whether those processes are fast enough in an environment where attackers may also be accelerating. This is where investments in automation, prioritization, and process efficiency become directly tied to reducing risk.

Last Thoughts

For the past 30 years, cybersecurity improved tactically but fallen short strategically. Security professionals, like me, made a bad assumption in the early days that cybersecurity risk was somehow technical and scary that it was different than all the other business risks. What still surprises me is that nobody called us on it sooner. In hindsight, they should have made us demonstrate how our efforts across the people-process-technology triad improved the risk posture of the business. Three decades later, we are all just now coming to the conclusion that we were wrong.

For the board, everything discussed in this essay reduces to one question: What is the probability of a material cyber event in the next year. Every cybersecurity dollar the board approves should demonstrably reduce the probability of a material loss within a defined time horizon. That’s first principle thinking.

New technologies like Mythos don't change the principle and don't require us to rebuild our programs from scratch. Mythos will make us to refocus our tactics. We will need to change our reaction velocity. If we’ve grounded our cybersecurity strategies in first principles though, they will hold. The adjustment is at the tactical level, operating at greater speeds, and ensuring our defenses keep pace with the evolving threat.

Resources

C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup, 2025. Data Breach Investigations Report [Report]. Verizon Business, URL: https://www.verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf

Gadi Evron, Rich Mogull, Robert T. Lee, Jen Easterly, Bruce Schneier, Chris Inglis, Phil Venables, Heather Adkins, Rob Joyce, Sounil Yu, Jim Reavis, Katie Moussouris, John N. Stewart, Maxim Kovalsky, Dave Lewis, Joshua Saxe, John Yeoh, Ramy Houssaini, 2026. The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program [White paper]. Cloud Security Alliance Lab Space, URL: https://labs.cloudsecurityalliance.org/mythos-ciso/

Helen Patton, Rick Howard, Larry Pesce n.d. This Is How They Tell Me the World Ends [Book Review]. Cybersecurity Canon Project. URL https://cybercanon.org/this-is-how-they-tell-me-the-world-ends/

Nicole Perlroth, 2021. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race [Book]. Goodreads. URL https://www.goodreads.com/book/show/49247043-this-is-how-they-tell-me-the-world-ends

Rick Howard, First Principles Consulting [Company Page]. Cybersecurity First Principles, URL: https://cybersecurityfirstprinciples.com/

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]. Amazon, URL: https://amzn.to/4mI7QMU

Rick Howard, 2023. Research on Why the Heat Maps are Poor Vehicles for Conveying Risk [Book Appendix]. The CyberWire, URL: https://www.n2k.com/cybersecurityfirstprinciplesbook

Staff, 7 April 2026. Project Glasswing [Announcement]. Anthropic, URL: https://www.anthropic.com/project/glasswing

Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [2018 Cybersecurity Canon Hall of Fame Book].

• Canon Review: https://cybercanon.org/how-to-measure-anything-in-cybersecurity-risk/

• Goodreads: https://www.goodreads.com/book/show/26518108-how-to-measure-anything-in-cybersecurity-risk

• Canon Interview:

If you have been putting off The Count of Monte Cristo because of its length, I am here to tell you that you are right to be scared and wrong to keep waiting.

Alexandre Dumas is an author I feel like I have always known about but have never read. His most popular novels (The Three Musketeers, The Man in the Iron Mask, and The Count of Monte Cristo) have well over 100 screen adaptations combined if you count silent films, TV movies, series, miniseries, and international productions. But I have never read any of the books. Over the New Years holiday, one our close family friends said that she was reading it and loving it, so I thought I would give it a try.

I’m glad that I did because it is an entertaining and complex soap-opera-revenge-story set in and around Italy and France just before and after the French defeated Napoleon at the Battle of Waterloo in 1815. But it is long; 60 hours of audio long. It took me three months to get through it. And there are a bazillion characters to keep track of. And as good as Dumas is, I had trouble keeping everybody straight.

The setup is relatively simple, but the execution of it is complex. A young Edmond Dantès is sabotaged by three colleagues and one magistrate over the jealousy of his fiancee, the envy of his promising naval career, indifference, and political self-preservation. His enemies frame him for a crime he didn't commit and send him to prison forever. While in prison, he meets an older-man-father-figure who teaches him various languages, math, philosophy, and the analytical framework that lets Dantès understand the conspiracy. Just before their get-away, the old man dies but not before he reveals the location of his secret treasure. Heartbroken, Edmond escapes anyway, recovers the treasure, and takes another 10 years planning his revenge. He shows up in Rome and in Italy as the Count of Monte Cristo, maybe the most wealthy person on the planet, and starts to pull the strings of his revenge plan on his four targets.

• The Count disgraces Fernand Mondego so badly that Mondego commits suicide.

• He exposes Gérard de Villefort’s hypocrisy to the world. The impact is that Villefort loses his family and goes insane.

• He gives Gaspard Caderousse a chance to reform but Caderousse can’t stay on that path. He dies as a direct consequence of returning to crime.

• He financially ruins Baron Danglars by preying on his greed. Danglars becomes a pauper but, at the end of the book and with a feeling of remorse, the Count spares his life.

Dantès carries out most of his revenge, but when innocent people suffer, he recognizes he’s gone too far. He spares Danglars, abandons further vengeance, and turns toward mercy rather than trying to justify his role as divine justice.

And I will say, Dumas sticks the landing. All of those bazillion characters I was talking about have a satisfying arc. And the resolution to it all is hopeful. The Count abandons the role of avenging angel, acknowledges he is not God and cannot perfectly administer justice, and in the final pages, delivers his final philosophy: wait and hope (“attendre et espérer).

But let me address the book’s length. Newspapers paid Dumas primarily through serialization contracts. Payment scaled with output volume, not literary minimalism. Expansive plots and large casts sustained serialization. The system rewarded length and continuity, so verbosity had economic upside. Dumas wasn’t counting words but he was absolutely operating in a system where more content = more money.

Dumas was one of the first “industrial-scale” novelists in history. He ran his writing career like a production company. He worked with collaborators, like Auguste Maquet, who would draft outlines, build historical scaffolding, and sometimes produce early versions of chapters. Dumas would then rewrite heavily, add dialogue, pacing, and injected iconic flair that made these kinds of books popular. He essentially built a content pipeline, 150 years before Hollywood writers’ rooms or modern media franchises.

He made enormous money but spent it faster than it was coming in. He built the extravagant Château de Monte-Cristo outside Paris, hosted constant parties, funded friends, and lived big. He was in perpetual debt and eventually exiled himself to Belgium to avoid creditors. He orchestrated numerous affairs and begat several children. He was financially reckless, socially dominant, politically engaged, and personally chaotic. And that combination is exactly why his books feel so alive. To adapt Thoreau’s Walden,

He lived deep and sucked out all the marrow of life.”

And by the way, the man could write.

Source

Alexandre Dumas (Author), Robin Buss (Translator), Bill Homewood (Narrator), 1844. The Count of Monte Cristo [Book]. Narrated by Bill Homewood. Goodreads. URL https://www.goodreads.com/book/show/7126.The_Count_of_Monte_Cristo

References

Kevin Reynolds (Director), 2002. The Count of Monte Cristo [Movie]. Letterboxd, URL: https://letterboxd.com/film/the-count-of-monte-cristo-2002/

KimMiE, 2025. The Count of Monte Cristo by Alexandre Dumas [Book Review]. Cannonball Read, URL: https://cannonballread.com/2025/04/the-count-of-monte-cristo-kimmie/

Other Books by Alexandre Dumas

Alexandre Dumas, 1844. The Three Musketeers [Book]. Goodreads, URL: https://www.goodreads.com/book/show/7190.The_Three_Musketeers

Alexandre Dumas, 1847. The Man in the Iron Mask [Book]. Goodreads, URL: https://www.goodreads.com/book/show/54499.The_Man_in_the_Iron_Mask

What if I told you the hunt for Satoshi Nakamoto is actually a masterclass in cyber risk forecasting?

The week, two New York Times journalists claimed to have solved one of the greatest internet mysteries of the past 20 years. They argue that the man behind the pseudonym of Satoshi Nakamoto, the creator of Bitcoin, is none other than Adam Back, a British cryptographer, inventor of Hashcash, CEO of Blockstream, and early cypherpunk enthusiast. Internet sleuths have had Mr. Back on a list of possibles for years, but with the NYTs analysis, he just became the frontrunner. One of the journalists, John Carreyrou, claims that he is between 99.5% and 100% confident about his forecast.

The reason this story caught my eye is that, to reach their conclusion, the journalists followed a loose Bayesian methodology, applied some basic Superforecasting techniques, and liberally leveraged a collection of Fermi Estimates to eliminate a field of over 1,000 suspects down to one name. And if this sounds familiar, it should. That collection of methods is identical to the methods I advocate for calculating cyber risk in my book, Cybersecurity First Principles.

Book

I think this Bitcoin case study is an illustrative example of how to apply that reasoning to another field.

Satoshi Nakamoto History

For those living under a rock for the past 20 years, Satoshi is the author pseudonym behind the famous 2008 paper, Bitcoin: A Peer-to-Peer Electronic Cash System, the paper that jump-started the entire cryptocurrency phenomenon. As Carreyrou put it, Satoshi

… revolutionized finance, spawned a $2.4 trillion industry and amassed one of the world’s biggest fortunes in one stroke of staggering genius.

But no one identified the real identity behind the pseudonym for two decades.

The Main Method: Stylometry

One technique that Carreyrou and his colleague, Dylan Freedman, used to narrow their search is called stylometry. Stylometry is the quantitative analysis of writing style to identify or compare authors. It treats writing as data, not prose, and assumes that every writer has unconscious writing patterns that investigators can use like a fingerprint. They look for things like:

• frequency of common words (“the,” “and,” “of”)

• sentence length and structure

• punctuation habits

• spelling preferences (e.g., “color” vs “colour”)

• function-word usage (the most important signal)

The technique started back in the 1850s but didn’t gain mathematical rigor until the 1960s. Frederick Mosteller and David L. Wallace published Inference in an Authorship Problem where they applied Bayesian statistics to discovering authorship of several essays in The Federalist Papers. Researchers argued over Federalist Nos. 49–58 and Nos. 62–63 as to whether Alexander Hamilton or James Madison wrote them. After their analysis, Mosteller and Wallace claimed that all of them were most likely written by Madison. Because of this work, historians now attribute authorship as follows:

• Alexander Hamilton: 51 essays

• James Madison: 29 essays

• John Jay: 5 essays

The bottom line is that stylometry measures those patterns statistically and compares them across texts.

Carreyrou and Freedman hired a Stylometry expert to go through reams of published papers, email, and chat room logs, recently released during discovery in a lawsuit that identified another individual as Satoshi Nakamoto. The expert did the analysis twice, but each time he said the evidence was inconclusive about naming Adam Back. Back’s writing style was too similar to other suspects.

Fermi Estimates to the Rescue

Carreyrou went back to the drawing board and took a deep dive into the material again. If he made some assumptions, could he reduce the suspect pool down to one man?

This is a textbook example of Fermi estimates. Take a large and narly complex problem, make some back-of-the-envelope estimates, and reduce the problem space until you find a ballpark answer. Carreyrou compiled a list of 42 pieces of evidence, call them connection quirks, like observations on calendar timelines and writing tics, that he applied to the suspect list. He talks about each in his article but I have summarized them here:

42 Pieces of Evidence

Of the 42, perhaps eight of them are strong signal indicators while the others are weaker. Over 15 of them are mostly noise. Here are the strongest indicators:

• 20: Awareness of Hashcash and b-money

• 22: Timeline

• 24: Hacked email

• 31: Writing Tics - sociolinguistic variation

• 32: “Web Money” and “proof-of-work”

• 33: “partial pre-image”

• 34: “burning the money”

• 35: Assumption List

In his article, Carreyrou talks about reducing the suspect list each time he applied one of those criteria. They started with over a thousand suspects.

• He reduced the pool to just over 600 by eliminating candidates who never discussed digital money.

• He reduced the list to 521 by correlating use of synonym-less words shared with Satoshi.

• He reduced the list to 325 by comparing Satoshi’s grammatical hyphenation errors.

• He narrowed the list further to 114 by grouping posters who sometimes confused “it’s” with “its” or vice versa.

• He reduced the list to 56 by screening for those who finished some sentences with “also” like Satoshi.

• He shrank the list down to 20 by selecting posters who wrote “bug fix” as two words and “halfway” and “downside” as one word.

• He got the list down to eight by eliminating posters who, unlike Satoshi, correctly hyphenated the compound adjectives “noun-based” and “file-sharing” but did not hyphenate the compound noun “double spending.”

• Finally, when he compared the remaining eight suspects who alternated between using “e-mail” and “email,” “e-cash” and “electronic cash,” “cheque” and “check” and the British and American forms of the word “optimize” like Satoshi did, only one name popped out as matching all of that criteria: Adam Back.

Not a Slam Dunk

Clearly this isn’t as rigorous as a formal Stylometry assessment like Mosteller and Wallace’s. Carreyrou’s claim that he is 99.9% confident with the answer is suspect. It’s extremely high and isn’t represented as a range.

My own Superforecasting range is relatively lower. On the skeptical side, I weigh the stylometry inconclusiveness and Back’s direct correspondence with Satoshi more heavily. On the optimistic side, I weigh the British language clues, the Hashcash/cypherpunk lineage, and Carreyrou’s Fermi estimates more heavily.

In either case, Adam Back is the clear front-runner.

If you put a gun to my head and made me bet which person is the most likely suspect behind the Satoshi Nakamoto alias, I would put my money on Adam Back.

Take Away

If you follow internet lore, the hunt for Satoshi Nakamoto is irresistible. Who wouldn’t want to uncover the man behind Bitcoin?

But the larger point for me is how John Carreyrou applied a disciplined way of thinking to produce a high-confidence estimate. He used Superforecasting techniques, a little bit of Bayesian reasoning, and Fermi estimation to reduce massive uncertainty into a tractable forecasting problem. That’s the same playbook we should be using in cybersecurity. We rarely get perfect data. We rarely get certainty. But we can systematically make good-enough cybersecurity forecasts, using these same procedures, that are in the right order of magnitude so that we can make resource decisions. This case study is about Bitcoin, but it’s also about how to think clearly when there is no data.

Source

John Carreyrou With Dylan Freedman, 2026. My Quest to Solve Bitcoin’s Great Mystery [Analysis]. The New York Times, URL: https://www.nytimes.com/2026/04/08/business/bitcoin-satoshi-nakamoto-identity-adam-back.html

References

Alexander Hamilton, John Jay, James Madison, 1788. The Federalist Papers [Analysis]. Project Gutenberg. URL https://www.gutenberg.org/cache/epub/18/pg18-images.html

Cullen Hoback (Writer, Director), 2024. Money Electric: The Bitcoin Mystery [Documentary]. HBO - IMDb, URL: https://www.imdb.com/title/tt33600145/?ref_=vp_close

Frederick Mosteller, David L. Wallace, 1963. Inference in an Authorship Problem [Journal]. Journal of the American Statistical Association, URL: https://ptrckprry.com/course/ssd/reading/Most63.pdf

John Carreyrou, 2026. Who Is Satoshi Nakamoto, the Creator of Bitcoin? This Investigation May Have the Answer [Podcast]. The New York Times, URL: https://www.nytimes.com/2026/04/09/podcasts/the-daily/satoshi-nakamoto-bitcoin-creator.html

John Carreyrou, Natalie Kitroeff, 2026. Who Is Satoshi Nakamoto? [Podcast Transcript]. The New York Times, URL: https://www.nytimes.com/2026/04/09/podcasts/the-daily/satoshi-nakamoto-bitcoin-creator.html

Kevin Roose, Casey Newton, 2024. A Flood of A.I. Slop + Searching for Satoshi + the Hot Mess Express Returns [Podcast]. Podcast Addict, URL: https://podcastaddict.com/hard-fork/episode/184042839

Nathaniel Popper, 2015. Decoding the Enigma of Satoshi Nakamoto and the Birth of Bitcoin [Analysis]. The New York Times, URL: https://www.nytimes.com/2015/05/17/business/decoding-the-enigma-of-satoshi-nakamoto-and-the-birth-of-bitcoin.html

Philip Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [2023 Canon Hall of Fame Book]. Cybersecurity Canon Project. URL: https://cybercanon.org/superforecasting-the-art-and-science-of-prediction/

Rick Howard, Andy Greenberg, 2022. Andy Greenberg Interview: Tracers in the Dark. [Podcast]. The CyberWire, URL: https://thecyberwire.com/podcasts/cso-perspectives/95/transcript

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]. Cybersecurity Canon Project, URL: https://cybercanon.org/cybersecurity-first-principles-a-reboot-of-strategy-and-tactics/

Rick Howard and Brandon Karpf, 2026. First Principles Risk Forecasting Workshop [Online Workshop]. Learning First Principles, URL: https://learnfirstprinciples.com/

Rick Howard (Editor), 2026. Satoshi Evidence from Carreyrou NYT Article [Summary]. Google Docs, URL: https://docs.google.com/document/d/1E02rgDkP7-VuTkgoLq26vbs9VkhrGulLFz9-lm1REOI/edit?tab=t.0#heading=h.q3tjfl1vsi12

Satoshi Nakamoto, 2008. Bitcoin: A Peer-to-Peer Electronic Cash System [Historic and Important Paper]. Bitcoin. URL https://bitcoin.org/bitcoin.pdf

Sharon McGrayne, 2011. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [2024 Canon Niche Nominated]. Cybersecurity Canon Project, URL: https://cybercanon.org/the-theory-that-would-not-die-how-bayes-rule-cracked-the-enigma-code-hunted-down-russian-submarines-and-emerged-triumphant-from-two-centuries-of-controversy/

Staff, NA. cryptoanarchy.wiki - Cypherpunks Mailing List Archive [Wiki]. cryptoanarchy.wiki, URL: https://mailing-list-archive.cryptoanarchy.wiki/

Thomas Bayes, 1763. An Essay towards solving a Problem in the Doctrine of Chances [journal]. Philosophical Transactions of the Royal Society of London, URL: https://royalsocietypublishing.org/doi/epdf/10.1098/rstl.1763.0053

Will Stephenson, 2025. The Mysterious Mr. Nakamoto [Book Review]. The New York Times, URL: https://www.nytimes.com/2025/03/29/books/review/benjamin-wallace-the-mysterious-mr-nakamoto.html

Natalie Kitroeff, John Carreyrou, Adam Back, 2026. Unmasking the Creator of Bitcoin [Video]. New York Times Podcasts - YouTube, URL:

Barely Sociable, 2020. Bitcoin - Unmasking Satoshi Nakamoto [Video]. YouTube, URL:

My generation worries about self-aware AI, like the Terminator from the movies, but the real threat doesn’t need consciousness at all.

I’ve been thinking about this in conjunction with one of my favorite novels: Daemon by Daniel Suarez. He and his wife self-published it back in 2006. First, it’s a ripping near-future techno-thriller that should have been made into a movie by now. Come on Netflix, this is the perfect two-season story for a network like yours. The book is a Cybersecurity Canon Niche Book and I wrote the review back in 2015. But as modern AI systems get more and more impressive, I’ve been in awe about how closely the author, Daniel Suarez, described where we are today some two decades ago.

Daemon Canon Book Review

AGI - The Singularity - The Terminator

The main bad guy is a post-AGI piece of software called The Daemon; named after those little Unix daemons that pop up, perform a task, and then disappear.

AGI stands for Artificial General Intelligence. It’s an AI research milestone where AI systems become better than all humans at all tasks; not just some humans and some tasks, but all of them.

When Daniel Suarez wrote it, and even when I read it a decade later, most people had never heard of AGI. The AI research community had been discussing the concept for years. Ben Goertzel’s 2006 book Artificial General Intelligence helped formalize the term. But for the general public, “AI” still meant something closer to the 1984 Terminator movie, where an AI system suddenly becomes self-aware and decides to wipe out humanity.

I want to distinguish the term “AGI” from from the phrase “The Singularity” which happens later on the AI research milestone timeline. Ray Kurzweil popularized the concept in his 2005 book The Singularity Is Near. It’s the milestone when AGI systems have been recursively self improving themselves so fast that humans can’t comprehend or control.

The Book’s Story

That’s where Suarez sets the story. Matthew Sobol is a wealthy owner of a “World of Warcraft (WOW)” type of video game called The Citadel. In the real world, back in 2006, WOW dominated the MMO (Massively Multiplayer Online) market with as many as 7 million subscribers. In the book, The Citadel is similar.

Sobol is a systems thinker but he sees existing institutions (corporate, legal, economic) as corrupt, fragile, and misaligned. He builds an alternative system, the Daemon, first using the Citadel as an AGI prototype, but eventually moving the prototype out into the real world to compete with and replace existing corrupt structures.

The Daemon uses coercion, violence, and manipulation to subordinate individuals to system-level outcomes. It embeds itself across global networks. It recruits people and systems, manipulates financial systems, and orchestrates real-world events through automated triggers. It operates like a distributed control system by leveraging surveillance, gaming mechanics, and incentives to build a decentralized organization that challenges governments and corporations. As law enforcement and security experts scramble to understand the threat, they discover the system is not just malicious. It’s adaptive, resilient, and guided by a coherent ideology.

All of this kicks off after Sobol dies at the beginning of the book. When Sobol finds out that he is dying from terminal brain cancer, he uses that time to design, test, and deploy the Daemon. The reader experiences what may be considered to be a post-apocalyptic, good-guy-vs-bad-guy story. But, even with all of the violence and damage to institutions worldwide, Suarez implies that there will be benefits too:

• Reduced corporate and institutional corruption: The Daemon bypasses traditional power structures (banks, corporations, governments) and enforces transparent, rule-based interactions.

• Efficient resource allocation: Labor is matched to problems in near real-time.

• Alternative economic system: Think cryptocurrencies before it became a thing. The Daemon builds a parallel economy that operates outside state control.

• Individual Empowerment: Skills and competence matter more than credentials.

• Local Community Restoration: Encourages localized production and self-sufficiency.

• Security through automation: The Daemon enforces rules consistently. The system deters crime through predictable, automated consequences.

• Incentives Alignment: Participants are incentivized to cooperate, contribute and follow system rules.

But every “benefit” comes with a tradeoff:

• Coercion replaces consent.

• Algorithmic control replaces human judgment.

• Violence is used to enforce compliance.

The bottom line is that a system that fixes real problems can still be dangerous if it removes human agency.

Forecasting the AGI Timeline

The Daemon isn’t the Terminator. It’s not self-aware. In fact, Suarez said he intentionally tried to tell a story that wasn’t Terminator-like. The Daemon operates autonomously and irreversibly on its own following the goals set by Sobol; just like giving Claude Work a goal to solve some problem today, but at a global scale.

I’ve been vibe coding with Chat GPT to write simple helper apps for about six months. And I’ve just recently dipped my toe into Claude Code. Because of that experience, and my general observation regarding the rapid improvement of AI systems in general, I’m starting to think the claims about imminent Artificial General Intelligence (AGI) may be justified. All the AI companies’ marketing teams think the industry might reach that milestone before 2030. Until just recently, I’ve been skeptical of that marketing hype. Still, it is possible. Putting my Superforecaster hat on, my first cut at estimating the probability of reaching the AGI research milestone is this:

• ~20% chance by 2030

• ~50% chance by 2040

• ~70%+ by 2050

Now, that’s a giant SWAG (Swinging-Wild-Ass-Guess) but I have more confidence in that forecast than I do the AI marketing teams’ forecast.

Once we reach the AGI milestone though, whenever that happens, there will be a Post-AGI ramp where systems start improving themselves and capability begins to exceed human level expertise and control. At some point, we will reach the singularity. I have this nagging feeling though that because of the AGI system’s property of exponential improvement, the Post-AGI ramp might be very short. This is the setting of Suarez’s book.

Take Away

The novel explores how software can enforce rules, coordinate behavior, and outmaneuver traditional institutions. At its core, Daemon argues that autonomous code, once unleashed at scale, can become a governing force that blurs the line between tool and actor in modern society. At first glance, the reader might think this is one bad way it could go in a Post-AGI world. But in Suarez’s sequel, Freedom, he implies that this new way might be a better way and the only way to get there is to reboot society with violence and automation. The jury is out on that premise. Only you can be the judge.

Still, the book is a lot of fun and on that criteria alone, it’s worth the read. But it’s also one of those books that you think about long after you’ve read it. I’ve been doing it for over a decade and I’m still seeing things I didn’t notice when I first read it.

Source

Daniel Suarez, 2006. Daemon [2015 Canon Niche Nominated Book]. Goodreads, URL: https://www.goodreads.com/book/show/6665847-daemon

References

Ben Goertzel, 2006. Artificial General Intelligence [Book]. Goodreads, URL: https://www.goodreads.com/book/show/1651355.Artificial_General_Intelligence

Brandon Karpf, Rick Howard, 2026. First Principles Risk Forecasting: The missing implementation chapter for quantitative risk forecasting [Workshop Tools] URL: https://learnfirstprinciples.com/

Daniel Suarez, 2010. Freedom™ (Daemon, #2) [2015 Canon Niche Nominated Book]. Goodreads, URL: https://www.goodreads.com/book/show/8488830-freedom

James Cameron (Director), Linda Hamilton (Actor), Arnold Schwarzenegger (Actor), Michael Biehn (Actor), 1984. The Terminator [Movie]. Letterboxd, URL: https://letterboxd.com/film/the-terminator/

Matteo Wong and Lila Shroff, 2026. Silicon Valley Is in a Frenzy Over Bots That Build Themselves [Analysis]. The Atlantic, URL: https://www.theatlantic.com/technology/2026/04/ai-industry-self-improving-bots/686686/

Ray Kurzweil, 2005. The Singularity is Near: When Humans Transcend Biology [Book]. Goodreads, URL: https://www.goodreads.com/book/show/83518.The_Singularity_is_Near

Rick Howard, 2015. Daemon and Freedom [2015 Canon Niche Nominated Book Review]. CyberCanon, URL: https://cybercanon.org/daemon-and-freedom/

Rick Howard, 2025. Vibe Coding a Bayesian Thought Experiment [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/vibe-coding-a-bayesian-thought-experiment

Thomas Bayes, 1763. An Essay towards solving a Problem in the Doctrine of Chances [Journal]. Philosophical Transactions of the Royal Society of London, URL: https://royalsocietypublishing.org/doi/epdf/10.1098/rstl.1763.0053

Tyler DFC, 2010. Don’t Be A Cog in the Wheel [Book Review]. Pajiba, URL: https://www.pajiba.com/book_reviews/book-review-daemon-by-daniel-suarez.php

Zoey Yang, 2024. Daemon: A Tech Thriller That Deserves to Hit the Screen(Score: 4.1/5) [Book Review]. Medium, URL: https://medium.com/@PurrCoderHickory/daemon-a-tech-thriller-that-deserves-to-hit-the-screen-4dabdb78d4b3

Daniel Suarez, 2009. Daniel Suarez, author of Daemon [Video]. YouTube, URL:

Gregory Warner, 2025. The Last Invention, EP 1: Ready or Not [Podcast]. Longview - YouTube. URL

Hot Take

This book is likely the first public account of a cyber espionage campaign, orchestrated by the Russians in the late 1980s, leveraging German hacker mercenaries, to infiltrate U.S. academic institutions as a pathway into U.S. government systems. It’s the book that launched many a cybersecurity career for practitioners of a certain age (Read that as “old as dirt.”)

That said, I think it might be time to move this classic from the must-read pile to the historical-archive pile.

My History

I first read this book back in 1989 when I was in grad school. The U.S. Army sent me to the Naval Postgraduate School to get educated on how to become an Army automator. Read that last sentence again and you will get the flavor of Army thinking at the time (Navy school → Army Automator. Hey, don’t ask me. I just worked there.)

Instead of working on my graduate thesis (which I was far behind on), I devoured this book over a weekend. It was a revelation. For me, and many of my peers both in the service and out, this book created the path to a cybersecurity profession. It showed that cybersecurity could be a career.

For the next 30 years

Stoll’s book was the first thing I handed to newbies when they came to work for me. I recommended it whenever anybody asked me how to break into the field. It was one of the first books I reviewed when I started the Cybersecurity Canon Project many years ago.

My 2013 Canon Review

And it was one of the first books that the Cybersecurity Canon committee inducted into the Hall of Fame back in 2016 along with Kim Zetter’s Countdown to Zero Day and Brian Krebs’ Spam Nation.

But, a couple of weeks ago, the Cybersecurity Canon Project and the Cyber Guild selected this book for our joint quarterly discussion. This group of about 30 northern virginia-cybersecurity-nerds meets regularly to talk about Canon Hall of Fame titles. I’m the facilitator, but I was a bit concerned. After all, the book is nearly 40 years old. I wondered whether it would still resonate. Would younger readers still see it as an inspiration even though it takes place in a world where

• Nobody had direct Internet access at home.

• CompuServe was a primary gateway to being online.

• AOL didn’t become a thing until 1993.

• The web browser didn’t exist either.

• NCSA Mosaic didn’t show up until 1993.

• Cell phones were the size of bowling balls.

• Most home computers ran DOS on IBM PCs (or clones).

• Macs were for the cool kids, but they were niche.

• Unix powered the serious university and government computers, but those systems were far removed from anything ordinary users ever experienced.

Still, Dr. Stoll did invent incident response. Despite the new tooling available today, his method is largely unchanged. And we still haven’t solved the problem of information sharing with the government (something that Stoll complained about for the entire book). And the weakness that the German hackers leveraged across the U.S. networks was the inability of users to pick good passwords. Remarkably, this remains a problem some 60 years after Dr. Fernando Corbató introduced computer passwords at MIT.

The question is, do those facts make the book a must-read in 2026?

I don’t think so.

My First Love

Stoll’s “Cuckoo’s Egg” was my first love in the technology space. And it’s tough to let go of something that powerful. The thing that sealed the deal for me, the thing that cemented my love affair with it, was after I finished the book. I immediately wrote a gushing email to the author proclaiming that the book completely changed my view of the world. Back then, email was so new that authors put their real email addresses into their books. Dr. Stoll answered me in 15 minutes. That was it. I was hooked.

But, as much as I hate to admit it, even with an incipient love letter chain started, I think it’s time to make a clean break. Like the Ariana Grande song says: “thank you, next.” Cuckoo’s Egg shaped how I see the world. But after 40 years, it’s time to move on.

Source

Clifford Stoll, 1989. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage [2016 Canon Hall of Fame Book].

• Goodreads. URL https://www.goodreads.com/book/show/18154.The_Cuckoo_s_Egg

• Cybersecurity Canon Review: https://cybercanon.org/the-cuckoos-egg/

• Buy URL: https://amzn.to/3JWAhsb

• Buy URL: https://bookshop.org/a/119420/9781416507789

Reference

Brian Krebs, 2014. Spam Nation: The Inside Story of Organized Cybercrime — from Global Epidemic to Your Front Door [2016 Canon Hall of Fame Book].

• Goodreads URL: https://www.goodreads.com/book/show/18509663-spam-nation

• Canon URL: https://cybercanon.org/spam-nation/

• Buy URL: https://amzn.to/4o0m5wz

Clifford Stoll, 1988. STALKING THE WILY HACKER [Journal Article]. COMMUNICATION OF THE ACM, vol. 31. No. 5. URL http://pdf.textfiles.com/academics/wilyhacker.pdf

Clifford Stoll, 1996. Second Thoughts on the Information Highway [Presentation]. C-SPAN. URL https://www.c-span.org/program/public-affairs-event/second-thoughts-on-the-information-highway/132866

Clifford Stoll, 1999. High Tech Heretic [Book Discussion. C-SPAN. URL https://www.c-span.org/program/book-tv/high-tech-heretic/133700

Clifford Stoll, Brian Lamb, 1996. Cuckoo’s Egg Discussion [Author Interview]. C-SPAN. URL https://www.c-span.org/program/public-affairs-event/second-thoughts-on-the-information-highway/132866

Clifford Stoll, 2008. Clifford Stoll: Astronomer, educator, skeptic [Bio]. TED Talks. URL https://www.ted.com/speakers/clifford_stoll

Clifford Stoll, 2008. The call to learn [Ted Talk]. TED. URL https://www.ted.com/talks/clifford_stoll_the_call_to_learn

Clifford Stoll, n.d. Acme Klein Bottle [Company Web Page]. URL https://www.kleinbottle.com/

Clifford Stoll, n.d. Why read The Cuckoo’s Egg? [Book Explainer]. Book DNA. URL https://bookdna.com/book/the-cuckoos-egg

David Kahn, 1967. The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet [Book]. Goodreads. URL https://www.goodreads.com/book/show/29608.The_Codebreakers

James Bamford, 1982. The Puzzle Palace: Inside the National Security Agency, America’s Most Secret Intelligence Organization [Book]. Goodreads. URL https://www.goodreads.com/book/show/804860.The_Puzzle_Palace

John Markoff, 1989. West Germans Raid Spy Ring That Violated U.S. Computers [News]. The New York Times. URL https://www.nytimes.com/1989/03/03/world/west-germans-raid-spy-ring-that-violated-us-computers.html

Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon [2016 Canon Hall of Fame Book].

• Goodreads URL: https://www.goodreads.com/book/show/18465875-countdown-to-zero-day

• Canon Review URL: https://cybercanon.org/countdown-to-zero-day-stuxnet-and-the-launch-of-the-worlds-first-digital-weapon/

• Amazon Buy URL: https://amzn.to/3JVc99m

Staff, n.d. GNU Emacs [Product Page. GNU Project. URL https://www.gnu.org/software/emacs/

Staff, n.d. The 1988 Morris worm, the internet’s first cyberattack [History]. Lawrence Livermore National Laboratory. URL https://st.llnl.gov/news/look-back/1988-morris-worm-internets-first-cyberattack

William E. Burrows, 1986. Deep Black: Space Espionage and National Security [Book]. Goodreads. URL https://www.goodreads.com/book/show/887319.Deep_Black

Ariana Grande, 2018. thank u, next (Official Video) [Music Video] YouTube

Cliff Stoll, 2013. The KGB, the Computer, and Me. [WWW Document]. NOVA - YouTube. URL

Clifford Stoll, 2017. Secrets to measuring a piece of paper [Explainer]. Numberphile - YouTube. URL

Cliff Stoll, 2017. (Still) Stalking the Wily Hacker [Keynote]. SANS Digital Forensics and Incident Response CTI Summit - YouTube, URL:

I’m conducting a two-hour hands on risk forecasting workshop with my colleague Brandon Karpf today. If you’re in town, come on by. I would love to see.

But if you can’t make that, I’m doing a book signing for my Cybersecurity First Principles book over at the book store immediately after.

See you there!

RSAC 2026 is occurring March 23-26! Here is your one-stop shop for RSAC sessions or activities with ties to the Cybersecurity Canon!

The sections below include Book Signings, Canon Author and Committee Member Speaking sessions, Birds of a Feather sessions, and even representation at College Day.

Book Signings: Opportunities with Authors of Hall of Fame/Nominated

Author: Ross Haleliuk

• Book: Cyber for Builders, Hall of Fame Nominee

• When: Tuesday, Mar 24 at 11 AM PDT (after Ross’ speaking session)

• Where: RSAC Bookstore

Author: Helen Patton

• 2025 Hall of Fame winner for Navigating the Cybersecurity Career Path

• Book: Switching to Cyber: The Mid-Career Guide to Launching a Cybersecurity Career

• When: Tue 3/24 at 1pm

• Where: RSAC bookstore

Author: Rick Howard (Me)

• Book: Cybersecurity First Principles: A Reboot of Strategy and Tactics, 2026 Hall of Fame Winner

• When: Tuesday 3/24 at 3:45pm

• Where: RSAC bookstore

Author: Cassie Crossley

• Book: Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware

• When: Thursday, Mar 26 1:00 - 1:45 PM PDT

• Where: RSAC bookstore

CyberCanon’s Hall of Fame Authors and Committee Member’s Sessions

MONDAY

Author: Caroline Wong

• Books: Security Metrics: A Beginner’s Guide, Hall of Fame Nominee

• Session 1:The Foundations of AI

• When: Monday, Mar 23 8:30 AM - 9:20 AM PDT

CyberCanon Committee Member: Adrian Sanabria

• Session: A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency

• When: Monday, Mar 23 9:40 AM - 10:30 AM PDT

Author: Nicole Perlroth

• Author of To Catch a Thief: China’s Rise to Cyber Supremacy and Hall of Fame book: This Is How They Tell Me The World Ends

• Session 1: Resilient Infrastructure as National Defense: The Digital Front Line

• When: Monday, Mar 23 9:40 AM - 10:30 AM PDT

CCC Member & Author: Cassie Crossley

• Author of Software Supply Chain Security

• Session: Panel: Preparing for the EU Cyber Resilience Act

• When: Monday, Mar 23 1:00 - 1:45 PM PDT

Canon Committee Member: Meghan Jacquot

• Session: Belonging in Cyber: Building a Trusted Community

• When: Monday, Mar 23 1:10 PM - 2:00 PM PDT

Author: Roger Grimes

• Author of Hall of Fame Nominee book: Preparing for the Day When Quantum Computing Breaks Today’s Crypto

• Session: Who Would Fall for That? Foundations of Avoiding Scary Scams

• When: Monday, Mar 23 2:20 PM - 3:10 PM PDT

TUESDAY

Author: Ross Haleliuk

• Author of HoF Nominee “Cyber for Builders”

• Session: Inside the Network Live: Winning as an Incumbent in the Age of AI

• When: Tuesday, Mar 24 9:40 AM - 10:30 AM PDT

Author: George Kurtz

• Co-author of Hall of Fame book Hacking Exposed with Stuart McClure, Joel Scambray

• Session 1: The Crash Test is Over: New Standards of Command for AI Safety

• When: Tuesday, Mar 24 10:50 AM - 11:10 AM PDT

Author: Rick Howard (Me)

• Presenting with Brandon Karpf

• Session: LAB2-T09 - First Principles Risk Forecasting: From Theory to Practice

• When: Tuesday, Mar 24 1:15 PM - 3:15 PM PDT

WEDNESDAY

Author: Sounil Yu

• Author of: Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape

• Session: When Dollars Don’t Make Sense: Rethinking Cyber Risk Quantification

• When: Wednesday, Mar 25 9:40 AM - 10:30 AM PDT

Author: Rock Lambros

• Book: The CISO Evolution: Business Knowledge for Cybersecurity Executives with Matthew Sharp)

• Session: The Unsolvable Problem: Right to Erasure and Irreversible Nature of LLMs

• When: Wednesday, Mar 25 9:40 AM - 10:30 AM PDT

CCC member & Author: Cassie Crossley

• Author of Software Supply Chain Security

• Session: Panel: Supply Chain Under Siege: Strategic Defense in a Regulated World

• When: Wednesday, Mar 25 1:15 - 2:05 PM PDT

Author: Brian Krebs

• Author of Hall of Fame book: Spam Nation

• Session: From Infiltration to Disruption: Taking on the Russian Cyber Mob

• When: Wednesday, Mar 25 1:15 PM - 2:05 PM PDT

Canon Co-Founder and Author: Helen Patton

• Author of the 2025 Hall of Fame winner, Navigating the Cybersecurity Career Path, and also author of Switching to Cyber: The Mid-Career Guide to Launching a Cybersecurity Career

• Session: Beyond Jericho: Salvaging Zero Trust from Buzzword Bingo

• When: Wednesday, Mar 25 1:15 PM - 2:05 PM PDT

Author: Caroline Wong

• Author of Hall of Fame Nominee book: Security Metrics: A Beginner’s Guide

• Session 2: The Fundamentals Forum: Let’s Get Back to Basics

• When: Wednesday, Mar 25 2:25 PM - 3:15 PM PDT

Author: Bruce Schneier

• Lifetime Achievement Author of Secrets and Lies, Data and Goliath, and Click Here to Kill Everybody

• Session: Integrous System Design

• When: Wednesday, Mar 25 2:25 PM - 3:15 PM PDT

THURSDAY

Author: Nicole Perlroth

• Author of To Catch a Thief: China’s Rise to Cyber Supremacy and Hall of Fame book: This Is How They Tell Me The World Ends

• Session 2: The Cyber Threat Landscape: Year in Review, Future in Focus

• When: Thursday, Mar 26 8:30 AM - 9:20 AM PDT

Author: George Kurtz

• Co-author of Hall of Fame book Hacking Exposed with Stuart McClure, Joel Scambray

• Session 2: Hacking Exposed

• When: Thursday, Mar 26 10:50 AM - 11:40 AM PDT

Bird of Feather sessions

Author: Kelly Shortridge

• BoF Topic: Adapting to the Unknown: Resilience Engineering in a Time of Chaos

• Book: Security Chaos Engineering: Sustaining Resilience in Software and Systems, 2026 Hall of Fame Winner

• When: Monday, Mar 23 1:10 PM - 2:00 PM PDT

CCC Member & Author: Cassie Crossley

• BoF Topic: Exploitable or Not? CRA-Ready Product Security Triage for CVEs

• Cassie is the author of Software Supply Chain Security

• When: Thursday, Mar 26 1:00 - 2:20 PM PDT

Other

College day: Meghan Jacquot of the CyberCanon Committee is volunteering at College Day to help give feedback to college students on their resumes

Next week I’ll be at the RSA Conference in San Francisco wearing a few different hats.

Cybersecurity Canon – I’ll be recruiting new volunteers and committee members, talking with vendors about partnerships, and spending some time at the conference bookstore concierge desk.

First Principles Consulting – I’m meeting with clients and Substack readers, and hopefully connecting with a few new ones.

Author – I’ll also be running a hands-on risk forecasting workshop based on Cybersecurity First Principles and doing a book signing at the conference bookstore.

RSA week tends to fill up fast, but if you’re attending and want to grab a coffee, I’d love to meet. My calendar is already getting tight, but if we can find an opening, let’s make it happen.

Schedule a meeting at RSA

Here is my schedule as it stands now:

Cybersecurity Canon Committee Breakfast

When: Tuesday, Mar 24, 7AM

Where: Mel’s Drive-In, 801 Mission St, San Francisco, CA 94103, USA

Who’s Invited: All Committee and staff

Book Signing:

Author: Rick Howard
Book: Cybersecurity First Principles: A Reboot of Strategy and Tactics

When: Tuesday 3/24 at 3:45pm
Where: RSAC bookstore

Workshop:

Session: LAB2-T09 - First Principles Risk Forecasting: From Theory to Practice

When: Tuesday, Mar 24 1:15 PM - 3:15 PM PDT

Cybersecurity Canon Book Store Concierge Desk

When: Tuesday and Wednesday, Mar 24 and 25th, 2-4 PM

Where: RSA Book Store at Moscone Center

Since the start of the year, I’ve been working my way toward this essay. If you run a Substack called Rick’s First Principles and you’ve spent an entire career in cybersecurity, sooner or later you have to answer the obvious question: what is the actual first principle of cybersecurity?

I wrote three essays to prep the ground.

• The first explains why first-principle thinking matters at all (First Principle Thinking).

• The second looks at who else has tried to define cybersecurity first principles (Prior Research on Cybersecurity First Principles).

• The third examines what most security professionals claim the first principle is and why those answers fall short (The Cybersecurity Ballot: Meet the Perennial Candidates).

The main lesson from the Perennial Candidates essay is that the usual answers miss the mark. They are either too simple or too tactical. They focus on technical activities: preventing exploits, blocking malware, detecting and removing attacker tools, following compliance checklists, or meeting legal requirements. All of those things matter. But none of them explain the real purpose of a security program. When you read these candidates, the reaction is immediate: Yes, that’s useful, but what about everything else? Each one addresses a narrow slice of the problem. None of them describes the whole mission in terms that senior leadership can understand.

There’s another issue. These candidates are binary tasks. Either you complete them or you don’t. There’s no middle ground.

With that groundwork in place, it’s time to put a stake in the ground and describe what I believe the true cybersecurity first principle is.

Think in Terms of Probabilities

Instead of a binary metric, we should be thinking in terms of a sliding scale, something like a probability. We need to build a program that matches leadership’s risk appetite toward the business. Our first principle program should drive us closer to reducing the probability of a cyber adversary damaging the business. That gives us some planning room. For example, we can tell the boss that because we invested X amount of dollars on a new security tool or a new security function, we reduced the probability of an adversary group damaging the business from 20 percent to 15 percent. When we present the infosec program in that manner, then leadership can evaluate whether the spend for the project was worth the effort.

And if it does happen, an adversary successfully steals our intellectual property or encrypts our data, the infosec program is not an instant failure. We didn’t tell the boss that we would stop all adversary campaigns. We told them that we would reduce the probability of a successful one.

That’s getting closer to our absolute first principle. It’s no longer a binary question because we couched it in terms of probabilities for the leadership to consider. But it’s still missing something. It’s still too broad and will cause us to spend resources on things that aren’t important.

Think in Terms of Materiality

What’s missing is a discussion of materiality. Face it, not everything on your network is essential. If the bad guys compromise Luigi’s laptop and steal the menu for the lunch special in the company cafeteria, maybe we don’t need to call in the FBI for that one. You might be a little embarrassed, but the exfiltration of the lunch menu to the APT’s command-and-control server in Tajikistan will not cause the company much heartburn. So, why then would we spend a lot of resources trying to protect it?

I don’t know about you, but the volume of resources that I typically get to spend on cybersecurity has never been infinite. If you try to spread that volume thinly over everything, you run out of resources before you run out of things to do anyway. The projects that you did funnel money to are likely not funded completely enough to solve the entire problem. That’s like trying to feed a platoon of neighborhood teenagers with one spoonful of Jif peanut butter (extra crunchy of course). Nobody is going to be satisfied at the conclusion of that exercise. The clear answer is to focus only on what is material to the business. Everything else is nice to have.

Public Company Materiality

If you’re a public company, Supreme Court Justice Thurgood Marshall crafted the landmark judicial definition of materiality in 1976. He wrote in the TSC Industries vs Northway case that a fact is “material” if there is

... a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote … [or] ... a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Phew! That is a mouthful. Let me restate that in English. For a public company in the United States, “materiality” is any event that significantly impacts share value.

That seems straightforward enough until you view it through the lens of cybersecurity. Except for some obvious significant public cyber attacks, like the 2017 Russian NotPetya campaign where the total estimated damage worldwide was north of $10 billion, network defenders have struggled with articulating materiality. Historically, public companies have never really addressed cybersecurity material risk in their earnings calls; at least, not as a matter of course. Business leaders and infosec professionals haven’t had the language to bridge the gap between typical business materiality issues, like mergers and acquisitions, and the infosec professional’s favorite tool to convey cybersecurity risk, the heat map.

That started to change in 2023. The U.S. Securities and Exchange Commission, the SEC, approved a new rule for all public companies: Leadership must report material cyber events within four business days. All of a sudden, cybersecurity materiality became a real thing that security practitioners in public companies needed to worry about. Every public company CISO worth their salt made a beeline to the CFO’s office in order to come to some understanding about how they were going to define cybersecurity materiality going forward.

But hold the phone. In a landmark decision in 2024, the US Supreme Court reversed its 1984 ruling in the case of Chevron v. the Natural Resources Defense Council, better known as the Chevron doctrine, that allowed federal agencies, like the SEC, to enforce their own rules in lieu of specific laws passed by Congress. Chief Justice John Roberts called the Chevron doctrine “fundamentally misguided.”

And with President Trump releasing the hounds in 2025 to eliminate US government inefficiency in big government institutions, like the SEC, who knows if the SEC will even be around in a couple of years. All of this introduces a period of uncertainty for the enforcement of the SEC’s cybersecurity reporting rule in public companies. The SEC rule doesn’t go away, but now, public companies have a legal path for noncompliance.

What a mess.

Materiality for Everybody

Despite the SEC Rule then, materiality is still an essential concept. But we still haven’t answered the question: what is it?

If you take any three random people walking down the hallway at your headquarters building and lock them in a room with a white board for an hour, they could probably come up with hundreds of potential risks to the business or to some government mission. Some risks would be more likely than others and some would have more impact than others, but the list would be long. If you then brought the senior leaders of the organization into the room, they would most likely extend the list by some meaningful number.

But let me be blunt. A material issue is a potential company killer, organization killer, or mission killer. If you’re trying to prioritize the team’s future work, dividing the potential risks into mission Killers and everything else is a useful exercise. It tends to focus the leadership.

When the REvil hacker gang launched a ransomware attack against Travelex on New Year’s Eve in 2020, the company quickly had to fall into administration. It became insolvent and was unable to pay its debts. That’s a company killer.

In 2014, the Deep Panda Chinese hacker group stole the personnel files of every US government employee past and present from the US Office of Personnel Management (OPM). This is perhaps the most impactful cyber espionage campaign known to the public against any country. One of OPM’s primary missions was to protect the government’s personnel files. OPM completely failed to protect its only material asset: the employee background database

In the U.S. government, that’s not just a list of names and social security numbers. That’s a list of everything you have ever done for the past decade; where you lived, who your neighbors were, who your relatives are and where they lived, every crime you’ve ever committed, and every vice you’ve ever had (drugs, prostitution, etc). Deep Panda vacuumed it all up into the Chinese intelligence machine.

That’s a mission killer.

Since none of us has an infinite supply of resources in the people-process-technology triad, it makes sense to completely focus our first principle strategies to protect the material things in our environments and not get distracted by all the other things.

And, I hear what you’re saying. There are plenty of potential risks that fall short of the company-organization-mission killer paradigm that would still be significantly painful; that would cause serious disruption to current planning and progress. You could make the case that some of these risks might be material too. Fair enough. But let’s start with the company-organization-mission killers first and work back from there. Those are absolutely material.

Back in 1999, the SEC said that a good rule of thumb is 5% of revenue as a starting place for a material number. In 2025 I heard Richard Seiersen, Canon Hall of Fame author for “How to Measure Everything in Cybersecurity Risk” said at a risk forecasting workshop that a good material number to consider is whatever insurance coverage you have plus whatever cash on-hand is available.

The thing is, what’s material and what isn’t is different for every organization. It depends on factors such as risk tolerance, organizational size, and whether the organization is commercial, academic, or governmental. It also changes over time. What’s material for a startup today won’t be what’s material when the startup becomes a Silicon Valley tech giant down the road.

Think in Terms of a Limited Timespan

So far then, we have “reducing the probability of a material cyber event” shaping up as our ultimate first cybersecurity principle, but it’s still missing something; it’s still not precise enough. With what we have right now, we would be calculating probabilities of material cyber events indefinitely into the future.

Calculating the probability of material impact to an organization any time in the future (say the next 100 years) is a lot different than calculating the probability over the next year. Will cyber adversaries successfully breach our digital environments sometime in the future? That’s likely if the question is open-ended like that, if there’s no end date. But, will they have success in the next year? That probability likely will drop off precipitously if you time bound the question. It also has the added benefit of giving senior leadership something to focus on. Instead of using fear, uncertainty, and doubt (FUD) to get your infosec program funded, as in, “OMG, this is a really scary thing and I need a gazillion dollars to fix it.” It’s just another risk in the set of hundreds that the boss has to deal with. Let’s not try to boil the ocean here. Let’s timebound our risk calculations to some meaningful but short timeframe in the future. It can be three years, one year, six months; whatever is meaningful to the business.

Drum Roll Please: The Cybersecurity First Principle

We have all the preliminaries covered. It’s time for me to reveal what I think is the absolute cybersecurity first principle; our initial building block, the atomic element, that we will base the entire infosec program on. Remember, it must address three things: probability, materiality, and time.

Here is my proposal:

That’s it. Nothing else matters. This simple statement is atomic. You don’t read it and say to yourself, “I like it but there are three other things I have to do too.” Compared to the other first principle candidates discussed earlier, it states precisely and clearly what we are trying to accomplish. And it doesn’t matter what kind of organization you are: Public Company, Private Company, Government organization, or Academic institution.

This has the same feel as the core statements produced by other first-principles thinkers (like Euclid, Descartes, even Musk) when they stripped problems down to their fundamentals (see the earlier essay on first-principles thinking). It doesn’t rely on precedent (how things were done before), analogy (this looks like X), authority (what experts, standards, or competitors say), or incrementalism (tweaking the current system). It captures the essential objective. It also gives you a practical test for every security decision. If you’re spending resources on the people-process-technology triad that don’t reduce the probability of a material cyber event, you’re wasting resources.

Takeaway

In these last four essays, I assumed you weren’t familiar with the idea of first principles. I explained what they are and told the stories of some of the big thinkers in human history (such as Euclid, Aristotle, Descartes, Whitehead & Russell, and Elon Musk) who have used them to solve some of the thorniest problems known to humankind. I then noted that although in the early digital age, many big thinker computer scientists, such as James Anderson, Willis Ware, Bell and LaPadula, Saltzer and Schroeder, Dr. Fred Cohen, and Donn Parker, tried to find the edges of what cybersecurity meant but didn’t quite get there. The closest they came was something called the CIA triad, which is not really a first principle idea at all. I then made the case that other cybersecurity first principle candidates don’t really meet the bill either. Efficient patching, malware prevention, rapid detection and eradication, framework checklists like NIST or ISO, and even compliance law all fall short of what a first principle is supposed to be. They’re all good tactics that we might find useful, but they are not a coherent first principle strategy.

I then made my case for what I claim is the absolute cybersecurity first principle:

“Reduce the probability of a material cyber event over the next business cycle.”

There you have it. I’ve been thinking, debating, and writing about this idea for almost a decade, and it has gone through many versions. But I think this current iteration is as close as I’ve ever been to clearly stating what it is we are all trying to accomplish with our infosec programs.

That begs the question, what’s next? If reducing the probability of a material a cyber event is the thing we are trying to do, what are the follow-on first principle building blocks that we will install that will help us do that? Just like Whitehead and Russell, what are the essential concepts that will allow us to uniquely prove the equivalent of 1 + 1 = 2 in our network defender world?

In future essays, I will cover follow on strategies and tactics that logically follow from this first principle. Stay tuned.

Source

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]

• Canon Review URL

• Amazon Buy URL

• Goodreads URL

Resources

Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [2018 Canon Hall of Fame Book].

• Canon Review URL

• Amazon Buy URL

• Goodreads URL

MATTHEW DALY, 2024. Supreme Court Chevron decision: What it means for federal regulations [Explainer]. AP News. URL https://apnews.com/article/supreme-court-chevron-regulations-environment-4ae73d5a79cabadff4da8f7e16669929

Rick Howard, 2022. Cyber sand table series: OPM. [Podcast]. The CyberWire - CSO Perspectives Podcast. URL https://thecyberwire.com/stories/d0d8b9995bd84c389112385dd95ec4ee/cyber-sand-table-series-opm

Staff, 1999. SEC Staff Accounting Bulletin No. 99: Materiality [Bulletin]. SECURITIES AND EXCHANGE COMMISSION. URL https://www.sec.gov/interps/account/sab99.htm

Staff, 2020. Ransomware vicitim Travelex forced into bankruptcy [News]. Security Magazine. URL https://www.securitymagazine.com/articles/93062-ransomware-vicitim-travelex-forced-into-bankruptcy

The U.S. Supremet Court, 2023. 22-451 Loper Bright Enterprises v. Raimondo (Chevron Doctrine) [Ruling]. Supreme Court of the United States. URL https://www.supremecourt.gov/opinions/23pdf/22-451_7m58.pdf

U.S. Securities and Exchange Commission, 2023. Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure [SEC Ruling] Securities Act Release No. 33‑11216, Exchange Act Release No. 34‑97989, 88 Fed. Reg. 51,896. URL https://www.sec.gov/files/rules/final/2023/33-11216.pdf

We’ve spent three decades refining tactics but we still haven’t agreed on the fundamental rule that governs all of it.

I’ve been thinking about first principles and what might be the cybersecurity first principle for over a decade. Three years ago, I even published a book about the topic.

Cybersecurity First Principles

Since then, I’ve been tightening my thinking. I haven’t changed my mind on the core concepts of the book. I’ve just gotten better at explaining them. To that end, I’ve published two essays refining my ideas:

• First Principle Thinking

• Prior Research on Cybersecurity First Principles

I’m slowly working my way towards discussing what I think the absolute cybersecurity first principle is. But before I get there, it’s worth examining the best-practice strategies most of us have relied on for the past 30 years. These are the leading candidates for the title. They deserve scrutiny before any final claim is made.

The Candidate List

When I ask security professionals what they think is the atomic cybersecurity first principle, they usually respond with one or more items in a set of traditional cybersecurity best practices. Things like

• The CIA Triad

• Vulnerability Management

• Malware Prevention

• Incident Response

• Frameworks

• Compliance

But according to Caroline Wong, author of the Cybersecurity Canon Hall of Fame book Security Metrics: A Beginner’s Guide, the phrase “best practice” is misapplied by most network defenders.

A best practice should refer to an approach or methodology that is understood to be more effective at delivering a particular outcome than any other technique when applied in a particular situation.

She says that many accepted cybersecurity best practices, although good ideas, have not delivered on those outcomes.

I concur with Caroline. In my own career, I’ve built information security programs around these same best practices too. But after 30 years in the field, I have to admit something: I can’t say with any confidence that one best practice is substantially better than some other one. The general theme to all of them is that they all contribute value. But none of them, by themselves, are sufficient as the foundational principle on which to build an entire infosec program. Let’s take each one in turn.

The CIA Triad

The CIA acronym stands for Confidentiality, Integrity, and Availability and the CIA Triad is a general-purpose defensive model intended to apply across all contexts and threat types. But it says nothing about how adversaries actually operate. It doesn’t account for adversary tactics, techniques, or procedures. It doesn’t incorporate the behavior of the roughly 500 adversary campaigns active on the internet at any given time. If a strategy ignores how real attackers behave, how can it be the atomic first principle? The CIA Triad is not bad per se; it’s just not complete.

One thing to note: As of this writing, I estimate that the actual number of active adversary campaigns is between 250 and 700 depending on who is counting. I use the Tydal Cyber platform and the MITRE ATT&CK Framework to get my range (Links in the Resource Section below).

Also, last year, I wrote a three-part series that explores the history, limitations, and potential replacements for the CIA Triad (Links in the Resource Section below).

Vulnerability Management

Vulnerability Management is similar. First, it’s a never-ending task. “I’ve patched all of our vulnerabilities” said nobody ever. More importantly, exploitation of vulnerabilities isn’t the biggest problem infosec practitioners face. The 2025 Verizon Data Breach Investigations Report (DBIR) notes that hackers use vulnerability exploitation as an initial access vector only 20% of the time. If patching is your first principle, what about the other 80% of attacks?

Preventing Malware

The equivalent argument applies to Preventing Malware. The same DBIR says hackers deploy malware in only 45% of breaches. If anti-malware is your first principle, what are you doing about the other 55% of attacks?

Incident Response

Incident response as a formal discipline emerged in the late 1980s. You could argue that Cliff Stoll pioneered the practical model when he tracked East German hackers working on behalf of Soviet intelligence; a story he documented in the Cybersecurity Canon Hall of Fame book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. But sometime in the 2010s, the infosec community started to pursue the idea that cyber defense is too hard and therefore should be abandoned in favor of incident response; abandon prevention mechanisms in favor of early detection mechanisms and efficient eradication systems. It turns out that this is also too hard to do mostly because it’s expensive. Small-to-medium-sized organizations can’t really afford to do it so they don’t. A true first principle must be universally applicable and not reserved for those with the largest budgets.

Frameworks

It’s tough to find a hard number, but there are likely dozens of cybersecurity frameworks globally; maybe as high as 50, depending on how you define “framework.” The number varies because there are many different kinds:

• Governance Frameworks: Like ISACA’s COBIT; Control Objectives for Information and Related Technologies.

• Control Catalogs: Like the NIST Special Publication 800-53 (Revision 5): Security and Privacy Controls for Information Systems and Organizations.

• Maturity Models: Like the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC).

• Regulatory Schemas: Like the European Union’s General Data Protection Regulation (GDPR).

• Sector-Specific Standards: Like the North American Electric Reliability Corporation’s NERC Critical Infrastructure Protection Standards (NERC CIP)

• Regional Data Protection Regimes: Like the California Consumer Privacy Act (CCPA).

• Tickets to Ride (Compliance to gain access): Like the U.S. General Services Administration (GSA) Federal Risk and Authorization Management Program (FedRAMP).

From the very beginning, many security practitioners understood compliance regulations for what they are: attempts to establish baseline parameters of security and privacy programs. These same security practitioners view them as necessary evils to prevent fines (GDPR, for example) or as the price of doing business (FEDRAMP, for example). But they don’t view them as essential to protecting their organizations on the Internet. You have to follow them because they are requirements for some business need, but most don’t consider them fundamental to their security program and therefore can’t be the basis for any cybersecurity first principle program. Besides, for some organizations, it’s just easier to pay fines if they get caught as a cost of doing business. That doesn’t seem like a cybersecurity first principle.

Takeaway

The uncomfortable truth is this: cybersecurity doesn’t suffer from a lack of tools. It suffers from a lack of clarity. We keep refining mechanisms without agreeing on purpose. If these traditional best practices aren’t first principles, then we’ve been building programs on secondary assumptions for 30 years. That has consequences.

A first principle must be universal, irreducible, and explanatory. None of these candidates meet that bar. They are useful. They are necessary. But they are derivative.

So the real question isn’t which best practice should win the election. The real question is: what is the governing law of cybersecurity?

That’s where we go next.

References

Caroline Wong, 2011. Security Metrics, A Beginner’s Guide [Cybersecurity Canon Hall of Fame Book].

• Goodreads URL https://www.goodreads.com/book/show/13654596-security-metrics-a-beginner-s-guide

• Canon Review: https://cybercanon.org/security-metrics-a-beginners-guide/

• Amazon Link: https://amzn.to/47FT1FA

Rick Howard, 2025. Part I: Is the CIA Triad Dead?: Why has the CIA Triad Endured? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/is-the-cia-triad-dead

Rick Howard, 2025. Part II: Is the CIA Triad Dead? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/is-the-cia-triad-dead-63c

Rick Howard, 2025. Part III: Is the CIA Triad Dead? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/part-iii-is-the-cia-triad-dead

Rick Howard, 2026. First Principle Thinking [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/first-principle-thinking

Rick Howard, 2026. Prior Research on Cybersecurity First Principles [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/prior-research-on-cybersecurity-first

Staff, n.d. Tidal Cyber [Dashboard]. Community Edition. URL https://app.tidalcyber.com/

Staff, n.d. MITRE ATT&CK Framework [Wiki]. Mitre. URL https://attack.mitre.org/

Robert Duvall passed away this week. He has been one of my favorite actors for as long as I can remember. The tributes I’ve read mostly highlight the performances he is best known for: The Godfather I & II, where he brings calm intelligence to a world of chaos and violence; Tender Mercies, which earned him the Academy Award for Best Actor; and Apocalypse Now, with the unforgettable line, “I love the smell of napalm in the morning.”

But none of those are even in my top three.

Lonesome Dove

I first noticed Mr. Duvall when he starred in my dad’s favorite western, Lonesome Dove, in 1989. The series is set just after the Civil War, during the height of the great cattle drives from Texas to Montana. Duvall plays Captain Augustus “Gus” McCrae, a retired Texas Ranger and arguably one of the most charismatic characters ever to appear in a western. He knows the West is not a myth; hell, he helped tame it. Yet he still believes in love, beauty, conversation, good whiskey, and loyal friendship. And by god, Duvall plays the hell out of that character; probably gave the defining performance of his career in my humble opinion, Tender Mercies notwithstanding. And I’m pretty sure that my dad wanted to be Gus when he grew up. Now that I think about it, so do I.

To Kill a Mockingbird

But that’s not my favorite performance of his. It ranks only third on my list. The second best is Duvall’s turn as Boo Radley, early in his career, in 1962’s To Kill a Mockingbird. He has one line and is in the movie for only minutes right at the end. But wow, what an impact. His character looms in the background throughout the movie, never seen, just talked about, as the neighborhood boogeyman that the children fear. Then, after he saves Scout and Jem from a brutal attack, he steps out of the shadows. He is pale, quiet, shy, almost fragile; not a monster at all; just a gentle, wounded man. In that final scene, without theatrics and almost without words, Duvall lets the humanity pour through. The myth collapses. What remains is quiet goodness. I have watched that end-scene over a dozen times. It always brings tears to my eyes. Gregory Peck gets all the praise for his portrayal of Atticus Finch in this movie; a shiny heroic beacon in the dark of always doing the right thing. Duvall comes in at the end of the movie, playing a man that nobody knows, and brings the message home that anybody can do the right thing too.

Secondhand Lions

But my favorite Duvall performance comes out of a little seen movie called Secondhand Lions. He plays Hub McCann, a retired, rumored-to-be-legendary adventurer who lives out his final years on a dilapidated Texas farm with his brother Garth (played by Michael Caine). Duvall gives a monologue about the meaning of life that is so powerful, so raw, that my wife and I rewatch the movie at least once a year. He’s an old timer and sleepwalks in the middle of the night; dreaming about his lost true love. When his nephew asks him about it, he delivers these lines:

A man should believe in those things, because those are the things worth believing in.

I know that Tim McCanlies wrote the script and directed the movie, so he gets credit for the sentiment, but man, Duvall delivers it. An actor of a lesser caliber would have just made those lines sappy and unbelievable.

Take Away

Robert Duvall could play the mythic adventurer, the invisible protector, the weary consigliere, the broken singer, or the mad colonel and make each one feel completely real. He was that good of an actor. But what binds my three favorite performances together is that he made me believe that I was watching a man of real substance. Whether he was Gus McCrae laughing at death, Boo Radley standing silently in a doorway, or Hub McCann insisting that some things are worth believing in even when the world tells you otherwise, Duvall gave me examples of men that I could use as a north star in my own life’s journey. I will be forever grateful for that.

Thank you Mr. Duvall and Godspeed on your next journey.

References

Robert Duvall and Haley Joel Osment. 2003. The Speech: Secondhand Lions. [Movie Clip] Youtube. URL:

@tomalexander85, 2026. Robert Duvall’s Film Debut [Movie Clip]. YouTube. URL

Staff, 2024. Lonesome Dove | The Final Goodbye [Movie Clip]. FETV - YouTube. URL

Bruce Beresford (Director), Robert Duvall (Actor), 1983. Tender Mercies [Movie]. Letterboxd. URL https://letterboxd.com/film/tender-mercies/

Francis Ford Coppola (Direcetor), Robert Duvall (Actor), 1972. The Godfather [Movie]. Letterboxd. URL https://letterboxd.com/film/the-godfather/

Francis Ford Coppola (Director), Robert Duvall (Actor), 1974. The Godfather Part II [Movie]. Letterboxd. URL https://letterboxd.com/film/the-godfather-part-ii/

Francis Ford Coppola (Director), Robert Duvall (Actor), 1979. Apocalypse Now [Movie]. Letterboxd. URL https://letterboxd.com/film/apocalypse-now/

Lewis John Carlino (Director), Robert Duvall (Actor), 1979. The Great Santini [Movie]. Letterboxd. URL https://letterboxd.com/film/the-great-santini/

Robert Mulligan (Director), Robert Duvall (Actor), Gregory Peck (Actor), 1962. To Kill a Mockingbird [Movie]. Letterboxd. URL https://letterboxd.com/film/to-kill-a-mockingbird/

Simon Wincer (Director), Larry McMurtry (Writer), William D. Wittliff (Writer), Robert Duvall (Actor), Tommy Lee Jones (Actor), 1989. Lonesome Dove [TV Mini-Series]. IMDb. URL https://www.imdb.com/title/tt0096639/

Staff, 2026. Films starring Robert Duvall [List]. Letterboxd. URL https://letterboxd.com/actor/robert-duvall/

Tim McCanlies (Writer and Director), Robert Duvall (Actor), Sir Michael Caine (Actor), 2003. Secondhand Lions [Movie]. Letterboxd. URL https://letterboxd.com/film/secondhand-lions/

Staff, 2018. Top 10 Robert Duvall Roles [Video]. WatchMojo - YouTube. URL

As the United States continues its descent into chaos and anarchy, I’ve been soothing my soul watching movies where the protagonists exude character; a trait that our country’s leadership seems to be in short supply. Movies like

• Superman, when Lois says, “You trust everyone and think everyone you’ve ever met is beautiful.” And Superman says “Well, maybe that’s the new punk rock.”

• The American President, when Michael Douglas, speaking to the press, says “And I can tell you without hesitation that being President of this country is entirely about Character.”

• Lincoln: The entire damn movie

But the movie that really moved me lately was A Bridge of Spies, written by Joel and Ethan Coen and directed by Steven Spielberg. It stars Tom Hanks playing an insurance lawyer who the courts appoint to defend a suspected Russian Spy. The CIA wants Hanks to tell them what his client is saying, violating client-attorney privilege. Hanks take umbrage with the suggestion and explains in simple terms, what it means to be an American. Hanks says,

“Your Agent Hoffman right? German Extraction?

My names Donovan, Irish, both sides, mother and father.

I’m Irish, your German, but what makes us both Americans?

Just one thing. One … One, One.

The rule book. We call it the Constitution.

And we agree to the rules. And that’s what makes us Americans.

It’s all that makes us Americans.

Well, when you put it like that, being an American is pretty simple. It’s not about the color of your skin or where you came from. It’s not about your assigned race or ethnic ancestry. If your an American citizen, the thing that connects you to all the other American citizens is the law, the set of rules embodied in the U.S. Constitution and philosophically grounded in the Declaration of Independence.

We hold these truths to be self-evident, that all men are created equal.

Or, if you want a more folksy version of that idea, how about the song lyrics from In America by The Charlie Daniels Band:

From The Sound up in Long Island

Out to San Francisco Bay

And everything that’s in between them is our own

And we may have done a little bit

Of fighting among ourselves

But you outside people best leave us alone

‘Cause we’ll all stick together

And you can take that to the bank

That’s the cowboys and the hippies

And the rebels and the yanks

You just go and lay your hand

On a Pittsburgh Steelers fan

And I think you’re gonna finally understand

I fear we’ve forgotten that sentiment.

If America is a contract, then breaking the rules doesn’t just break laws. It breaks the country.

References

Willoughby Alley, 2016. What Makes Us Americans [WWW Document]. Bridge Of Spies Clip - YouTube. URL

Steven Spielberg (Director), Tom Hanks (Actor), 2015. Bridge of Spies [Movie]. Letterboxd. URL https://letterboxd.com/film/bridge-of-spies/

Rob Reiner (Director), Aaron Sorkin (Writer), Michael Douglas (Actor), 1995. The American President [Movie]. Letterboxd. URL https://letterboxd.com/film/the-american-president/

Lee Hoedl, 2020. The American President - The Final Speech [Movie Clip]. YouTube. URL

Staff, 1776. Declaration of Independence: A Transcription [Founding Document]. National Archives. URL https://www.archives.gov/founding-docs/declaration-transcript

Staff, 1787. The Constitution of the United States: A Transcription [WWW Document]. National Archives. URL https://www.archives.gov/founding-docs/constitution-transcript (accessed 2.15.26).

Charlie Daniels, 2001. In America - The Charlie Daniels Band  [Music Video]. YouTube. URL

JayAye, 2025. Maybe that’s the Real Punk Rock [Movie Clip]. Superman 2025 - YouTube. URL

James Gunn (Writer and Director, David Corenswet (Actor), Rachel Brosnahan (Actor), 2025. Superman [Movie]. Letterboxd. URL https://letterboxd.com/film/superman-2025/