BRT Card 20 (“Diced Onion”): Don’t overlook the effects of systemic weaknesses when analyzing a system. Your layered security might not be as layered as you think.
BRT Card 19 (“Glitch”): Don’t ignore that tiny pause telling you something isn’t quite right. Your mind will tell you it’s nothing and offer you a facile explanation. Stop and think. Twice.
BRT Card 18 (“Elephant”): For everything you think you see clearly, someone else sees it differently (but just as “clearly”). Remember the proverb of the blind men and the elephant?
BRT Card 17 (“Ctrl + Shift”): Those who understand the system best own the system. Hint: They may not be the system owners.
BRT Card 16 (“Possibilities”): Most days, overlooked possibilities sit in the corner, quiet and ignored. Now and then, one jumps up and scares the living hell out of us.
BRT Card 15 (“Complacency”): When things go well, complacency winks at our egos and laughs at our concerns. When things go wrong, it just shrugs and walks away.
BRT Card 14 (“Uncertainty”): Persistent, ambient uncertainty is like too much alcohol. It reduces our awareness without letting us in on the joke.
BRT Card 13 (“Complexity”): It’s a truism that we live in an increasingly complex world. It’s also a truism that we invoke truisms when we don’t know what else to do.
BRT Card 12 (“Chaos”): We do our best to make sense out of non-sense. Sometimes it almost seems to work. But it might only be chance.
BRT Card 11 (“Shortsighted”): Beware the all-too-common tendency to leap at the shiny new capability, leaving someone else to clean up the unintended but predictable consequences downstream. This often seems to be a peculiarly American ailment.
BRT Card 10 (“Kronos”): The system you designed and built yesterday is not the same system you manage today, nor is it the same system you’ll fix tomorrow. Don’t let static names and labels fool you.
BRT Card 09 (“Mixup”): The view inside differs from the view outside, just as the view before differs from the view after. Somehow we always manage to forget and mix these things up.
BRT Card 08 (“Hammer”): The linear, cause-and-effect style of thinking that works so well with mechanical assemblies often fails dramatically when applied to systems. It’s like trying to defrag a hard drive with a hammer.
BRT Card 07 (“Sphinx”): No red team will unveil every possible source of risk. Some events simply can’t be imagined before they happen. The best red teams respect the wicked riddles inherent in human error, interactive complexity, and emergent surprise.
BRT Card 06 (“Lear’s Fool”): Data-driven rationality risks silencing the modern court’s intuitive countervoice. To paraphrase Asimov, “That fool ain’t no fool.”
BRT Card 05 (“Turnabout”): Why should we expect our opponent’s decisions to be more rational and coherent than our own? How quickly we forget how arbitrary, emotional, and unpredictable we ourselves can be.
BRT Card 04 (“BIOS”): Among your most dangerous assumptions are those that “boot up” before you start red teaming. Many of them are cultural, and they stealthily shape not just your thinking, but also your thinking about your thinking.
BRT Card 03 (“Mash”): Life is a mash of chance, luck, synchronicity, and ambiguity from which we confidently extract a cohesive narrative. It tastes great, and yes, it’s only too easy!
BRT Card 02 (“Games”): Security from the attacker’s perspective isn’t a game of chess, a game of Go, or a game of poker. Does a game without rules even have a name? Is it even a game?
BRT Card 01 (“The Duel”): While it’s easy to envision yourself engaged in a duel with your opponent (à la Clausewitz), few situations in the modern world resemble the classic duel. Be careful; your “duel” might be over before it starts.