
4 Cyber Tactics Straight Out of the Sporting Playbook

Sports teams know how to balance offense and defense, but does your cybersecurity strategy?

Perspective

Almost all the great sports franchises of the past have recognized the importance of blending defense and attack — sometimes making in-game adjustments on the fly. However, in cybersecurity and other IT disciplines, most teams adopt a default mode of working that tends to favor a proactive or reactive approach. This is often referred to as a “security stance” and (unlike sports) tends to change very little over time.

Is the business world missing a trick by failing to reinvent its approach to IT, ops, and security? Are enterprises too reluctant to deploy new approaches? What can we learn from the sporting world that can help us, as cyber professionals, stay ahead of the game?

Strategy requires thought, tactics require observation.

Max Euwe, World Chess Champion

Moneyball (Baseball)

Data and statistics-driven approach to assembling a winning team on a budget

Arguably the most effective and influential strategy in sports, Moneyball (or sabermetrics) has been adopted by multiple teams since the Oakland A’s successfully employed it during the 2002 MLB draft.

In cyber terms, you can become a true Moneyball enterprise by getting a grip on your IT inventory — focusing on the “what,” not the “who.” Mean time to resolve (MTTR) is a good metric to use when it comes to patching, but you can extend this to breach scenarios, too. For example, measure the average time it takes for you to get out of the war room and free up senior or exec-level involvement. Having access to real-time data across your inventory can also rapidly improve decision-making by your big-time players.

Gegenpress (Soccer)

A tactic in which a team, after losing possession of the ball, immediately attempts to win back possession rather than falling back to regroup

This German word literally means “counter-pressing” and has become the most successful tactic in modern-day soccer, with the likes of Jurgen Klopp (Liverpool) and Pep Guardiola (Manchester City) adopting its key principle — turning defense into attack at speed.

The “gegenpressing” philosophy equally applies to the cybersecurity world when you look at things from the opponent’s perspective. The common question you would ask is, “What do we look like to an attacker?” Add to that, “What do you look like to an end user, a customer, or a third party?”

Other ways to deal with the counter-press include looking at your data hygiene — using impact analysis to measure the lateral movement of threats and the overall blast radius. Some orgs will also adopt risk scores for vendors and look at software APIs to identify expired certificates and tokens.

Zone blitz (Football)

When the defense blitzes a linebacker and then drops a defensive lineman into pass coverage — designed to confuse the quarterback

In recent years, the growth of DDoS attacks and phishing scams has hit the corporate world hard. The sheer volume of threats organizations face today is tantamount to a blitzkrieg, which literally means a “lightning war.” The obvious analogy here is the zone blitz in football, which is designed to overwhelm and disrupt.

InfoSec professionals can easily neutralize the zone blitz in several ways. One is to deploy canary tokens (“canaries”) as a honeypot or diversion technique. Another is to run regular red team exercises to test security controls and processes, alongside pen tests to review code and APIs. Over time, red teams should mature into more of a specialist consulting team focused on adversarial threat assessments.

I’m a boxer who believes that the object of the sport is to hit and not get hit.

Floyd Mayweather Jr., Boxer

Princeton Offense (Basketball)

A tactic characterized by quick passing, constant mobility, and player positioning away from the basket

This lesser-known B-ball tactic was introduced by the head coach of Princeton, Pete Carril, who won 13 Ivy League championships employing the system up until the 90s. The hallmark of the offense is the backdoor pass, where a player on the wing slashes toward the basket for a simple, unopposed layup.

Preparedness and agility are the perfect antidote to the Princeton Offense, which means testing everything and understanding how you would behave in a crisis. All processes (no matter how robust) will eventually fail, so you need to be smart and prudent about deploying your resources effectively. If you’re always defending with your top-level talent, the long-term effect will be fatiguing and counterproductive.


Sporting strategies, tactics, and metaphors like these are commonly used in the business world because they help high-performance individuals visualize the field of play and work toward victory.

What’s your future game plan for cybersecurity? Do you have a playbook that blends defense and offense? Join the discussion on our social feeds on LinkedIn and X.

Tanium Staff

Tanium’s village of experts co-writes as Tanium Staff, sharing their lens on security, IT operations, and other relevant topics across the business and cybersphere.
