< BACK_TO_INDEX
[Career]2023.08.11 // 2 MIN READ

What's Actually in My Security Backpack

People ask what tools I use day to day, expecting a product list. The tools matter less than knowing which one to reach for, so here's what's actually in rotation, skill by skill.

Risk assessment

Every prioritization decision starts here — what's the actual impact if this specific thing gets exploited, not the theoretical worst case. I lean on NIST and ISO 27001 as a baseline framework, but the useful part is a script that turns a threat model into a scored list instead of a gut-feel ranking:

# quick risk score: likelihood (1-5) x impact (1-5), sorted descending
awk -F',' '{print $1, $2*$3}' risks.csv | sort -k2 -nr

Crude, but it forces the conversation to happen in numbers instead of vibes.

Networking

Wireshark and nmap for anything I can't explain from the logs alone, plus whatever network monitoring tooling is already in place for the environment — the value isn't the specific tool, it's a script that pulls the actual traffic statistics instead of eyeballing a dashboard. If I can't trace a request from client to server and back, I don't actually understand the system I'm supposed to be securing.

CLI fluency across OSes

Bash, PowerShell, and enough of each OS's native tooling to pull logs and check configuration without needing a GUI. This is the difference between debugging an incident in five minutes and waiting on someone else's screen share.

Automation

If I do something by hand twice, the third time is a script. Python and PowerShell cover almost everything — provisioning, patch verification, log extraction. The value isn't the time saved, it's that a script does the same thing every time, and a tired human at 2am does not.

Incident response

A playbook you've actually rehearsed beats one you wrote once and filed away. Identify, contain, eradicate, recover — the framework is standard, the value is in having run it enough times that nobody's improvising the first step during a live incident. Forensics tooling and a script for pulling incident data fast are the difference between reconstructing a timeline in an hour versus a day, and that gap matters more than people expect until they're the one living it.

The two skills that aren't tools

Curiosity — understanding how a system actually works, not just what it's supposed to do, is what catches the misconfiguration nobody documented. And understanding how people actually behave around security controls, because the best policy in the world gets worked around if it doesn't match how people actually do their jobs.

None of this is a product recommendation. It's the actual order of operations I reach for when something's broken and I don't yet know why.