The attacker's mindset is systems thinking
Attackers don't break rules; they discover that the rules compose differently than the designers believed.
Useful to others as-is. Tested ideas, working code, real findings.
Security people love the phrase “think like an attacker,” but rarely unpack it. Here’s my working definition: an attacker is someone who reads a system as it is, not as it was intended.
Designers think in features. Attackers think in interactions between features. Almost every interesting vulnerability lives in the seam between two components that are each individually correct:
- The parser is fine. The renderer is fine. The parser’s output fed to the renderer is the bug.
- The IAM policy is fine. The default service role is fine. Together they’re a privilege escalation. See cloud-iam-blast-radius.
- The model follows instructions. The document contains instructions. Now the document is the operator. See prompt-injection-is-untrusted-input.
This is just Donella Meadows with a hoodie on. Systems thinking says behavior emerges from structure, not from the intentions of the parts. Offense is the empirical branch of that claim.
The practical loop
1. Build the designer’s mental model of the system.
2. Build a second model from the actual artifacts: code, configs, network behavior.
3. Attack the difference between the two models.
CTFs are a gym for step 3 (ctf-field-notes-web), because puzzle authors deliberately hide a gap between appearance and structure.
Two ways I actually work this loop: fuzzing automates step 3 by mutating inputs until the gap between the two models shows up as a crash or a wrong answer; threat modeling runs the loop in reverse, mapping a system’s seams on purpose before someone else does.
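The loop, carried out on the role-chaining seam from the list above, as an added example that is not code from the original note. The role names, the trust-policy shape and the policies themselves are constructed for illustration and do not follow any real cloud provider's schema: model 1 is the designer's intent, model 2 is rebuilt from the artifacts, and the attack is a diff of what each model says is reachable.

```python
"""Attack the difference between two models of the same system.

Added example, not from the original note. The designer model, the trust
policies and the role names are all constructed for illustration; the policy
format is a hypothetical stand-in for cloud IAM trust relationships.
"""
from collections import deque

# Model 1: the designer's mental model. Each role is a tier, and the design
# doc says nothing below prod-admin can reach prod-admin.
DESIGNER_MODEL = {
    "dev": {"ci"},          # developers can trigger CI
    "ci": {"deploy"},       # CI can assume the deploy role
    "deploy": set(),        # deploy pushes artifacts and stops there
    "prod-admin": set(),    # humans with MFA only, per the design doc
}

# Model 2 input: the actual artifacts (constructed trust policies). Each one
# is individually defensible; their composition is the bug.
TRUST_POLICIES = [
    {"role": "ci", "trusted_principals": ["dev"]},
    {"role": "deploy", "trusted_principals": ["ci"]},
    # Added during an incident so deploy could roll prod back. Never removed.
    {"role": "prod-admin", "trusted_principals": ["deploy"]},
    # The default service role: trusts every role in the account.
    {"role": "default-svc", "trusted_principals": ["*"]},
    # And prod-admin trusts the default service role, because "it's internal".
    {"role": "prod-admin", "trusted_principals": ["default-svc"]},
]


def build_artifact_model(policies, all_roles):
    """Rebuild the reachability graph from what the policies actually say.

    An edge a -> b means principal a can assume role b. A wildcard principal
    expands to every role in the account except the role itself.
    """
    graph = {role: set() for role in all_roles}
    for policy in policies:
        for principal in policy["trusted_principals"]:
            sources = all_roles if principal == "*" else [principal]
            for src in sources:
                if src != policy["role"]:
                    graph.setdefault(src, set()).add(policy["role"])
    return graph


def reachable(graph, start):
    """Transitive closure from one principal (BFS), excluding the start."""
    seen, queue = {start}, deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in graph.get(cur, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    seen.discard(start)
    return seen


def shortest_path(graph, start, goal):
    """Fewest-hop assume chain from start to goal, or None if unreachable."""
    parents, queue = {start: None}, deque([start])
    while queue:
        cur = queue.popleft()
        if cur == goal:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parents[cur]
            return path[::-1]
        for nxt in graph.get(cur, ()):
            if nxt not in parents:
                parents[nxt] = cur
                queue.append(nxt)
    return None


def find_seams(designer, artifact):
    """Step 3: everything the artifacts reach that the designer's model does not."""
    seams = {}
    for start in designer:
        extra = reachable(artifact, start) - reachable(designer, start)
        if extra:
            seams[start] = sorted(extra)
    return seams


ALL_ROLES = set(DESIGNER_MODEL) | {p["role"] for p in TRUST_POLICIES}
ARTIFACT_MODEL = build_artifact_model(TRUST_POLICIES, ALL_ROLES)
SEAMS = find_seams(DESIGNER_MODEL, ARTIFACT_MODEL)

if __name__ == "__main__":
    for start, extra in SEAMS.items():
        print(f"{start}: artifacts reach {extra} beyond the design")
    print("shortest dev -> prod-admin chain:",
          " -> ".join(shortest_path(ARTIFACT_MODEL, "dev", "prod-admin")))
```

The designer's model never mentions `default-svc` at all, which is the point: the shortest chain from `dev` to `prod-admin` runs through a role the design doc does not know exists, while the "obvious" three-hop chain through `ci` and `deploy` is only the second-best route. Swap in real policies and a real role inventory and the same diff is a blast-radius check.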
The kindest thing about this mindset: it transfers. Markets, incentives, organizations: anything with rules has seams. That’s half of why I keep poking at quant ideas.
Paths that lead here
- The ADHD-HTB playbook: hacking the brain that hacks the box · Ten friction-bypassing study methods for grinding HackTheBox with an ADHD brain, plus the two of them I turned into real tools: a Swipe-to-Pwn Anki deck and an htb-operator shell.
- Cloud IAM: measure blast radius, not policy count · The security of a cloud account isn't the sum of its policies; it's the reachability graph they create.
- CTF field notes: the web category · A running log of web challenges: patterns that repeat, traps I fell into, and the meta-skill CTFs are secretly teaching.
- Fuzzing is evolution with a weird fitness function · Bridging theoretical biology and systems security in a way that isn't just a superficial metaphor.
- From Paladins to Rivals: Why Hero Shooters Are So Stupidly Fun · I started with Paladins, not Overwatch. A love letter to hero shooters like Marvel Rivals and Overwatch, and why their living game of rock-paper-scissors, with tanks, DPS, supports, and ultimates, is so stupidly fun.
- The Diamond Lock: Writing Notes a Future Robot Can't Read · Quantum computers will slice through today's internet locks like a laser through glass. Inside the race to build math even a future super-machine can't crack: public-key crypto, Shor's algorithm, and the diamond lock.
- Prompt injection is an untrusted-input problem wearing a new costume · We've spent thirty years learning to separate code from data. LLMs gleefully merge them again.
- Threat-modeling this garden · Eating my own dog food: a security person's website should survive its own methodology.
- You will never know enough, and that's the job · Imposter syndrome in security isn't a character flaw; it's an accurate readout of an unbounded field, misfiled as a personal deficiency. The fix is a traversal strategy, not more knowledge.
Where this note points
- Cloud IAM: measure blast radius, not policy count · The security of a cloud account isn't the sum of its policies; it's the reachability graph they create.
- Prompt injection is an untrusted-input problem wearing a new costume · We've spent thirty years learning to separate code from data. LLMs gleefully merge them again.
- CTF field notes: the web category · A running log of web challenges: patterns that repeat, traps I fell into, and the meta-skill CTFs are secretly teaching.
- Fuzzing is evolution with a weird fitness function · Bridging theoretical biology and systems security in a way that isn't just a superficial metaphor.
- Threat-modeling this garden · Eating my own dog food: a security person's website should survive its own methodology.
- Kelly criterion for bug hunting? · A half-formed hunch: allocating research time across targets is a bankroll problem, and Kelly might be the right lens.
More from these beds
- AI Slop and the Quiet Cost of Foraging · Maggie Appleton calls it jetspraying the web with AI slop. Here is why that cheap flood is so exhausting, told through Information Foraging Theory, and why your tiredness is a rational response, not a personal failing.
- The Dead Internet and Your Pattern-Hungry Brain · That creeping sense that the internet is mostly bots talking to bots has a name. Here is why the feeling is partly real, partly a trick your own mind plays, and what apophenia and the illusory truth effect are doing to you while you scroll.
- Explaining Without the Lecture · I got called a bad explainer, and I think I earned it. The fix isn't reading minds. It's the curse of knowledge, Grice's maxim of quantity, and treating an explanation like a game of catch instead of a monologue.