Adversary Axioms

Julian Cohen
2 min readJul 8, 2019


The new principles of cybersecurity.



Adversaries of all kinds — criminal enterprises, intelligence agencies, and lone wolves — have political, financial, and technical constraints just like conventional organizations have.

“Attackers are resource constrained” Dino A. Dai Zovi (source)

“Attackers have bosses and budgets” Phil Venables (source)

Operational Requirements

Adversaries determine the least costly and most valuable attacks based their operational requirements, which may include:

  • The number of targets they have
  • The complexity of their targets
  • Their required success rate
  • Their required speed of conversion


Adversaries want their attacks to be reusable and low-overhead.

Repeatability: The capability to change the target and have the attack still work with the same success rate.

Scalability: The capability to launch the attack against multiple targets with minimal cost per additional target.

Adversaries build repeatable and scalable playbooks that meet their operations requirements, so they can launch attacks efficiently against their targets.


Adversaries have many targets. Adversaries are opportunistic. Even targeted and sophisticated adversaries go after many targets to increase the likelihood that their repeatable and scalable playbooks will satisfy their operational requirements.


Adversaries try to minimize the cost of an attack or a playbook by taking into account cost factors like expertise, time, money, and politics and success factors like target ubiquity, probability, reliability, and access.

Rational adversaries will use the most cost-effective playbooks that allow them to meet their operational requirements.

Offensive Experience

Experience being an adversary is necessary to accurately understand different adversaries and defend against them.


Understanding levels of adversary sophistication and targeting is necessary to accurately understand different adversaries and defend against them.


We must use data to understand adversaries and constantly reevaluate our threat intelligence. We must collect data from breaches and indictments and analyze data from threat intelligence reports and news articles.

Threat Intelligence

Data feeds and indicators of compromise are not threat intelligence. Actionable information about tactics, procedures, motivation, resourcing, and strategies is threat intelligence.

Threat intelligence organizations are responsible for collecting raw data and understanding adversaries and distilling that data into meaningful intelligence for defense teams.

Testers are not Adversaries

Adversaries are not testers. They have different goals, different constraints, and different tactics. Using a tester to discover vulnerabilities a different kind of adversary would discover or use is pointless.

This article is part 1 in my series on building security programs with adversary intelligence. Part 2 is Adversary-Based Threat Modeling and part 3 is Adversary-Based Risk Analysis.



Julian Cohen

Risk philosopher. CISO. Team and program builder. Ex-vulnerability researcher. Ex-CTF organizer and competitor.