The Art of War (Part 3)

Hi!

The Art of War by Sun Tzu is surprisingly well-suited to cybersecurity, not because networks resemble battlefields literally, but because the underlying logic of conflict, deception, and asymmetric advantage maps cleanly onto modern digital environments. In a previous article, I indicated that cybersecurity principles could be applied to the concepts discussed in the 13 chapters.

Let’s first look at one possible interpretation of them.

  1. Laying Plans (The Assessment)
  • Application: Threat Intelligence. Before securing a network, you must assess your assets (data value) and your adversaries (threat levels) ;
  • Example: A company realizes it holds critical health data. It assesses that its adversary is not a lone hacker but a state-sponsored group. It adapts its defense accordingly.
  2. Waging War (The Challenge)
  • Application: Resource Management & Security ROI. Security budgets are limited. Aim for efficiency rather than an accumulation of tools ;
  • Example: Instead of buying dozens of redundant security tools, an SME invests in employee training (the weakest link) and immutable backups, minimizing the cost of a potential ransomware attack.
  3. Attack by Stratagem (Offensive Strategy)
  • Application: Reducing the Attack Surface. The best defense is to offer no target ;
  • Example: A company disables all unused ports and services on its servers. By leaving no “doors” open, it wins the battle without ever having to repel a hacker.
  4. Tactical Dispositions
  • Application: Defense in Depth. Build a robust architecture that makes intrusion extremely costly for the attacker ;
  • Example: Implementing a system where, even if an attacker gains network access (the perimeter), they remain blocked by strong encryption and network segmentation.
  5. Energy (The Use of Force)
  • Application: Security Orchestration. Use automation tools (SOAR) to react instantly and “flow” over the attack like a wave ;
  • Example: A SIEM detects an anomaly and automatically isolates the compromised machine from the rest of the network, stopping the attacker before they can move laterally.
  6. Weak Points and Strong
  • Application: Vulnerability Management. Targeting unpatched flaws (the void) or reinforcing your own “voids” ;
  • Example: A Red Team bypasses a robust firewall (the strong) and targets a misconfigured privilege on a minor user account (the weak).
  7. Maneuvering (Direct Combat)
  • Application: Incident Response Management. Knowing when to react and when to observe to avoid being distracted by false flags ;
  • Example: A SOC analyst identifies a minor DDoS attack (a diversion) and realizes it is a maneuver to keep them busy while a more discreet intrusion occurs on another segment.
  8. Variation in Tactics (Adaptation)
  • Application: Agility against Emerging Threats. Do not remain stuck with obsolete security policies ;
  • Example: Facing a new “Zero-Day” vulnerability, the security team suspends ongoing projects to apply emergency patches, adapting to the current reality.
  9. The Army on the March
  • Application: Monitoring and Logging. Observing the early warning signs of an attack ;
  • Example: An unusual spike in outbound traffic to an unknown IP at 3:00 AM is interpreted as a sign of data exfiltration, allowing for intervention before the theft is complete.
  10. Terrain (Classification of Ground)
  • Application: Secure Network Architecture. Understanding your infrastructure ;
  • Example: Placing critical servers in an isolated VLAN, restricted geographically and logically, turning the “terrain” into a maze with no exit for the attacker.
  11. The Nine Situations (The Nine Zones)
  • Application: Crisis Management (Death Ground). When the system is compromised, extreme reaction is required ;
  • Example: During a ransomware infection, the company cuts all internet access and disconnects backup servers, accepting a service interruption to “kill” the attack at the root.
  12. The Attack by Fire
  • Application: Active Countermeasures. Using the attacker’s tools against them ;
  • Example: Using “Honeypots”—fake vulnerable servers—to lure hackers, trap them, and analyze their methods to strengthen the real defense.
  13. The Use of Spies
  • Application: External Threat Intelligence ;
  • Example: Using Dark Web monitoring services to detect if company credentials are for sale. This information allows for password resets before a hacker even attempts an intrusion.
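Item 9 above (The Army on the March) treats an off-hours spike in outbound traffic to an unknown IP as an early sign of exfiltration. The Python below is an added example, not code from the original article: it builds a per-host baseline from business-hours traffic, flags off-hours hours whose outbound volume exceeds that baseline, and raises the severity when a destination in that hour is outside an allow-list. The hostnames, IPs, byte counts, the allow-list, the off-hours window and the three-sigma threshold are all constructed assumptions.

```python
"""Added example (not from the original article): flag off-hours outbound
traffic spikes, with higher severity when the destination is not on the
allow-list. This is the early warning sign item 9 ("The Army on the March")
describes.

Flow records, the allow-list, the off-hours window and the threshold are
constructed assumptions; a real deployment would read NetFlow or firewall
logs and tune the baseline per host.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed allow-list of destinations the organisation expects traffic to.
KNOWN_GOOD = {"203.0.113.5", "203.0.113.9"}
# Hours (local time) treated as off-hours: 00:00-05:59.
OFF_HOURS = range(0, 6)

# Constructed sample flows: (timestamp, source host, destination IP, bytes out).
FLOWS = [
    ("2024-03-10T09:15:00", "ws-17", "203.0.113.5", 120_000),
    ("2024-03-10T10:40:00", "ws-17", "203.0.113.9", 95_000),
    ("2024-03-10T11:05:00", "ws-17", "203.0.113.5", 110_000),
    ("2024-03-10T14:30:00", "ws-17", "203.0.113.9", 130_000),
    ("2024-03-10T16:10:00", "ws-17", "203.0.113.5", 100_000),
    ("2024-03-10T09:00:00", "srv-db", "203.0.113.9", 2_000_000),
    ("2024-03-10T13:00:00", "srv-db", "203.0.113.9", 2_100_000),
    ("2024-03-10T17:00:00", "srv-db", "203.0.113.9", 1_900_000),
    # Nightly backup to an allow-listed host, larger than usual: worth a look.
    ("2024-03-11T01:15:00", "srv-db", "203.0.113.9", 3_000_000),
    # Night traffic within the host's baseline: this rule stays quiet, even for
    # the unknown destination (an allow-list-only rule would be a separate detection).
    ("2024-03-11T02:10:00", "srv-db", "203.0.113.9", 2_050_000),
    ("2024-03-11T03:30:00", "srv-db", "198.51.100.77", 2_000_000),
    # The 3 AM spike from a workstation to an unknown IP described in the article.
    ("2024-03-11T03:02:00", "ws-17", "198.51.100.77", 4_800_000_000),
]


def hourly_totals(flows):
    """Bytes out and destination set per (host, hour-start)."""
    totals = defaultdict(int)
    dests = defaultdict(set)
    for ts, host, dst, nbytes in flows:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        totals[(host, hour)] += nbytes
        dests[(host, hour)].add(dst)
    return totals, dests


def baselines(totals):
    """Per-host limit: mean + 3 sigma of business-hours hourly volume.
    A host never seen in business hours gets no baseline, so any off-hours
    traffic from it alerts."""
    samples = defaultdict(list)
    for (host, hour), nbytes in totals.items():
        if hour.hour not in OFF_HOURS:
            samples[host].append(nbytes)
    return {host: mean(v) + 3 * pstdev(v) for host, v in samples.items()}


def detect_offhours_spikes(flows):
    """Alerts for off-hours hours whose volume exceeds the host's baseline;
    destinations outside KNOWN_GOOD raise the severity to high."""
    totals, dests = hourly_totals(flows)
    limits = baselines(totals)
    alerts = []
    for (host, hour), nbytes in sorted(totals.items()):
        if hour.hour not in OFF_HOURS or nbytes <= limits.get(host, 0):
            continue
        unknown = dests[(host, hour)] - KNOWN_GOOD
        alerts.append({
            "host": host,
            "hour": hour.isoformat(),
            "bytes": nbytes,
            "unknown_destinations": sorted(unknown),
            "severity": "high" if unknown else "medium",
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_offhours_spikes(FLOWS):
        print(alert)
```

Running it yields two alerts: a medium one for the oversized but allow-listed backup, and a high one for the workstation sending gigabytes to an unknown address at 03:00. Requiring both a volume anomaly and an unknown destination for the high severity is the design choice that keeps routine nightly jobs from paging the on-call analyst.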

Now, in light of the principles laid out in the strategy manual, let’s examine how to improve our defensive posture.

“Know your enemy and know yourself”

In cyber terms, this is threat intelligence plus asset visibility.

  • Know yourself: maintain accurate inventories of systems, software, and exposures (attack surface management) ;
  • Know your enemy: track adversary tactics (e.g., MITRE ATT&CK techniques), campaigns, and capabilities ;
  • Example: Organizations that skip one side of this equation either overreact blindly or underestimate risk.

“All warfare is based on deception”

Cybersecurity is full of deception—on both sides.

  • Attackers: phishing, spoofing, obfuscation, polymorphic malware ;
  • Defenders: honeypots, deception grids, fake credentials ;
  • Example: A honeypot mimics a vulnerable server to lure attackers—pure Sun Tzu thinking.

“The supreme art of war is to subdue the enemy without fighting”

This aligns with prevention and deterrence.

  • Strong authentication (MFA), patching, and hardening reduce the chance of attack success ;
  • Legal, economic, and reputational deterrence also play a role (e.g., attribution, sanctions).

The best cyber battle is the one that never happens.

“Speed is the essence of war”

Speed matters in detection and response:

  • Mean Time To Detect (MTTD) ;
  • Mean Time To Respond (MTTR).

Modern SOCs aim to:

  • Detect intrusions in minutes, not months ;
  • Automate responses (SOAR platforms).
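As an added example that is not from the original post, here is how MTTD and MTTR can be computed from incident records and checked against targets. The incident data, field names and target values are constructed. The median is reported beside the mean by design: a single long-dwell incident, of the kind APTs produce, drags the mean far above what a typical detection looks like, and an open incident must be left out of MTTR rather than counted as zero.

```python
"""Added example (not from the original post): compute Mean Time To Detect
and Mean Time To Respond from incident records and compare them with targets.

Incident records, field names and targets are constructed for illustration.
"""
from datetime import datetime
from statistics import mean, median

# Constructed incident records with UTC ISO-8601 timestamps.
# "contained" is None while the incident is still open.
INCIDENTS = [
    {"id": "INC-1", "first_activity": "2024-05-01T08:00:00",
     "detected": "2024-05-01T08:12:00", "contained": "2024-05-01T09:00:00"},
    {"id": "INC-2", "first_activity": "2024-05-03T22:30:00",
     "detected": "2024-05-04T06:45:00", "contained": "2024-05-04T07:30:00"},
    # A long-dwell intrusion found weeks after initial access, still being contained.
    {"id": "INC-3", "first_activity": "2024-04-20T10:00:00",
     "detected": "2024-05-10T10:00:00", "contained": None},
]

# Constructed targets in minutes: detect within an hour, contain within four.
TARGETS = {"mttd": 60, "mttr": 240}


def minutes_between(start, end):
    """Elapsed minutes between two ISO-8601 timestamps."""
    delta = datetime.fromisoformat(end) - datetime.fromisoformat(start)
    return delta.total_seconds() / 60


def response_metrics(incidents):
    """MTTD over all incidents; MTTR only over contained ones.
    The median sits beside the mean so one long-dwell case cannot hide
    how the typical incident is handled."""
    detect = [minutes_between(i["first_activity"], i["detected"]) for i in incidents]
    respond = [minutes_between(i["detected"], i["contained"])
               for i in incidents if i["contained"] is not None]
    return {
        "mttd": mean(detect),
        "mttd_median": median(detect),
        "mttr": mean(respond) if respond else None,
        "mttr_median": median(respond) if respond else None,
        "open_incidents": [i["id"] for i in incidents if i["contained"] is None],
    }


def breached_targets(metrics, targets=TARGETS):
    """Names of the metrics that exceed their target."""
    return [name for name, limit in targets.items()
            if metrics[name] is not None and metrics[name] > limit]


if __name__ == "__main__":
    m = response_metrics(INCIDENTS)
    for key, value in m.items():
        print(f"{key}: {value}")
    print("breached:", breached_targets(m))
```

With the constructed data the mean MTTD is over 9,700 minutes while the median is 495, which is exactly the gap a month-long dwell creates; MTTR stays within target because the open incident is excluded until it is actually contained.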

“Attack where he is unprepared”

This is exactly how cyberattacks work:

  • Zero-day vulnerabilities ;
  • Misconfigurations (cloud buckets, exposed APIs) ;
  • Human weaknesses (social engineering) ;
  • Attackers rarely break strong defenses—they go around them.

“He who is prudent and lies in wait… will be victorious”

Persistence and patience:

  • Advanced Persistent Threats (APTs) often dwell undetected for months ;
  • Defenders must assume breach and monitor continuously.

“In the midst of chaos, there is also opportunity”

Cyber incidents create secondary risks:

  • During a ransomware attack, attackers may exfiltrate data unnoticed ;
  • During crisis response, defenders may overlook lateral movement ;
  • Chaos benefits the prepared attacker.

Terrain and positioning → Network architecture

Sun Tzu emphasized terrain; in cyber this becomes:

  • Network segmentation
  • Zero Trust architecture
  • Identity boundaries

Good “terrain”:

  • Limits attacker movement ;
  • Forces exposure at detection points.

Leadership and discipline → Security culture

Sun Tzu stressed command structure and discipline:

  • Security policies must be enforced, not just written ;
  • Training reduces human error (phishing resilience).

Intelligence and espionage

Sun Tzu dedicated a full chapter to spies.

Modern equivalent:

  • Threat intelligence feeds ;
  • Red teaming / penetration testing ;
  • Bug bounty programs.

To conclude (Sun Tzu vs Modern Cyber Doctrine)

Compared to Carl von Clausewitz:

  • Sun Tzu → indirect, asymmetric, deception-driven → closer to cyber reality ;
  • Clausewitz → decisive battles, force concentration → less directly applicable.

Cybersecurity is:

  • Persistent - no clear “battle” ;
  • Asymmetric - small actors can have large impact ;
  • Deception heavy.

That’s why Sun Tzu resonates more strongly in cyber contexts.

Limits of applying Sun Tzu

It’s not a perfect fit:

  • Cybersecurity is also engineering, not just strategy ;
  • Requires technical controls, not only philosophy ;
  • Legal and compliance constraints matter (GDPR, etc.).

The Art of War provides a strategic mindset for cybersecurity:

  • Think asymmetrically ;
  • Assume deception ;
  • Prioritize intelligence ;
  • Win before the fight starts.

But it needs to be paired with modern frameworks (Zero Trust, NIST, MITRE ATT&CK) to be operationally useful.

Cheers.