Not all threats matters equally, and not all vulnerabilities hold the same relevance, unless analyzed through the lens of the attacker’s profile.
Adversary profiling allows us to optimize defense in multiple areas. But before profiling attackers, it’s essential to understand how attractive our business is to them. I call this: the logic of Value.
Defending like an Adversary Attacks
The logic of Value puts us ahead of our adversaries from the very beginning, allowing us to distinguish between seemingly similar likelihoods, reveal a hidden relevance, and uncover a hierarchy within the attack surface that would otherwise remain invisible.
By introducing this logic, we move beyond evaluating threats along a single axis. Instead, we shift to a multidimensional model—one that connects likelihood with attacker intent, business sensitivity, and operational impact.
Understanding our organization from both the attacker's and defender's perspective, guided by the potential financial gain the company represents, and securing our resources arranged in layers of priority. It reflects a holistic conception guided by the reason behind the attraction.
Additionally, the type of business, industry, and sector are key factors in inferring what skills and tools attackers may have, what techniques they typically use, and which assets or processes they aim to compromise.
In this way, if we take a lateral approach, we can think of the company’s characteristics as defining the threat, its level of sophistication, and the techniques, tactics and procedures used.
Every organization has a unique combination of data, systems, and processes that may attract different types of attackers. Without this understanding, we might fail to recognize the exploitation paths into our business—whether for one goal or another. We may overlook our hotspots, fail or delay to apply security controls that protect our most critical assets.
Scenarios
Each company operates within a context that defines its exposure to attacks. A financial institution with millions of customer records will be a very different target than a startup developing software.
The first thing we must understand is which elements of the organization represent real value to attackers. It’s not just about digital assets but the business logic of the company within its industry, the data it handles, and the relationships it maintains with other entities. For example, a company that provides essential services may be a high-value target for actors seeking to disrupt a supply chain.
Although not every company holds strategic information or financially valuable data, every company has something to protect: its reputation. In many cases, the true impact of a cyberattack doesn't stem from the direct loss of data or money but from the consequences it generates in market perception, customer trust, and the legal implications of a data breach.
For an attacker, there is no need to sell the data on the black market: it’s enough to threaten publication to extort payment.
For this reason, the cyberattack in such a scenario is fleeting—the true objective is reputation—and the technique used to extract economic return is extortion. Reputational damage can translate into millions in losses due to consumer distrust or a drop in the company’s market value. In this sense, the security breach is just the lever, and at the same time, the pressure point and bargaining chip is the company itself.
Shifting the angle of observation
When it comes to defense, having priorities is as important as moving away from the fiction of imaginary enemies and theoretical attacks to focus on real threats. By using the logic of value, we can make those threats tangible and predictable.
We can introduce a parallel dimension to threat prioritization—one that sees business logic as a predictor of attack patterns. Abraham Wald arrived at a similar kind of insight through the concept of survivorship bias, where strategic understanding emerged by shifting the angle of observation. There, the key insight came not from what was hit; here, it comes from what we are.
Understanding which attacks will be more probable and frequent—which are likely to occur sooner than others, what areas of our surface will be more actively targeted, which threats will be more common, how these attacks might evolve or chain together, and how our own systems may be exploited—given our systems, processes, and market position, allows us to stay one step ahead in defending our infrastructure. That lead can be translated into time—and that time can be used to deepen our defenses against advanced and other threats.
Through this approach, we gain a view that encompasses the full range of potential threats, while operating with a customized model tailored to the unique needs of our organization. It strengthens our specific weaknesses, adds real threat awareness, and the path itself leads to a more efficient use of time—allowing us to turn that time into strategic advantage, defend more effectively, and stay ahead of our adversaries while keeping our systems secure.
Top comments (0)