How Attackers Think Differently from Defenders

3 hours · Module 0 · Free
What you already know

You've investigated incidents and seen attacker behavior in telemetry. You know attackers don't follow playbooks the way defenders do. This section names five specific cognitive differences between offensive and defensive thinking and turns each one into a practical tool you can use during live investigations to predict attacker decisions from partial evidence.

Scenario

Two analysts look at the same C2 beacon on an endpoint. The first asks: what process spawned it, what's the hash, is it known malware? The second asks: why did the attacker choose this endpoint, what's their objective, and what will they do in the next two hours? The first analyst contains the endpoint. The second analyst predicts the lateral movement path and blocks it before it happens. Same evidence. Different framing. Different outcome.

Difference 1: Controls vs gaps

Defenders inventory what they have. Attackers inventory what's missing.

When a security team assesses their posture, they list controls: MFA is deployed, EDR is on every endpoint, Sentinel ingests these log sources, Conditional Access policies enforce these requirements. The assessment answers "what protection do we have?" The implicit assumption is that more controls means more security.

An attacker assessing the same environment asks the inverse question: what protection is missing, misconfigured, or bypassable? MFA is deployed, but does it protect against token theft? EDR is installed, but does it detect process injection via direct syscalls? Sentinel ingests Windows Security events, but does it ingest Sysmon? The attacker is looking for the seams between controls, not the controls themselves.

Consider Scattered Spider, the cybercriminal group responsible for the Spring 2025 attacks on Marks & Spencer, Co-op, and Harrods. They didn't try to bypass MFA through technical exploits. They called help desks and convinced support staff to reset MFA registrations. The control (MFA) was deployed. The gap (help desk verification procedures) was not covered. Scattered Spider's operational success came from identifying the gap that the defender's control inventory never measured.

The practical implication during an active investigation: stop asking "how did they get past our controls?" and start asking "which gap in our controls is this attacker using?" The first question is backward-looking. The second tells you where the attacker will move next.

Difference 2: Alerts vs objectives

Defenders react to what the SIEM surfaces. Attackers plan toward what they need to achieve.

The SOC analyst's day is structured around the alert queue. Events arrive, get triaged, get investigated, get closed. The analyst is reactive by design. The SIEM decides what deserves attention and in what order.

The attacker's day is structured around an objective. Get domain admin credentials. Access the finance share. Deploy ransomware across the hypervisor layer. Exfiltrate the customer database. Everything the attacker does serves the objective. If a technique is blocked, they switch techniques. If a tool is detected, they switch tools. The objective doesn't change, only the path to it.

CrowdStrike's 2025 observations of Scattered Spider illustrate this. When Microsoft deployed additional protections against legacy MFA bypass methods, the group didn't stop. They shifted to voice phishing against help desk staff, targeting Entra ID, SSO, and VDI accounts directly. When endpoint detection improved, they pivoted to deploying rogue virtual machines inside VMware vSphere environments where EDR agents weren't installed. The objective (data theft and extortion) remained constant across every tactical adaptation.

During an investigation, switching to the attacker's objective-driven perspective lets you ask a more useful question: "Given what this attacker has done so far, what's their likely objective, and what do they need to do next to achieve it?" That question predicts the next move. "What alert should I triage next?" does not.

FIVE COGNITIVE DIFFERENCES: DEFENDER vs ATTACKER

DEFENDER FRAME                               ATTACKER FRAME
1. Controls: "What do we have?"              1. Gaps: "What's missing?"
2. Alerts: "What fired?"                     2. Objectives: "What do I need?"
3. Events: "What happened?"                  3. Decisions: "What do I do next?"
4. Compliance: "Do we meet the standard?"    4. Constraints: "What limits my options?"
5. Categories: "What technique is this?"     5. Paths: "What does this enable next?"

Figure 0.2 — The five cognitive differences. Defenders think in controls, alerts, events, compliance, and categories. Attackers think in gaps, objectives, decisions, constraints, and paths. The defender who adopts the attacker's frame predicts instead of reconstructs.

Difference 3: Events vs decisions

Defenders reconstruct what happened from logs. Attackers make forward-looking decisions in real time.

Investigations are retrospective by nature. You read events that already occurred, build a timeline, and identify what the attacker did. The timeline is accurate but it's always behind. You're reading history while the attacker writes the next chapter.

The attacker is making decisions: "I've compromised this workstation. I have local admin. I can see the domain controller on the network. Do I dump LSASS now or wait until after business hours when fewer analysts are watching? Do I move laterally via RDP or WinRM? Do I target the file server first or go straight for the DC?"

Every decision is shaped by what the attacker has observed: what security tools they've encountered, how the network is segmented, what credentials they've collected, how much time they believe they have before detection. If you understand the decision logic, you can read the events in your timeline and predict the next decision.

The Marks & Spencer attack demonstrates this. Scattered Spider gained initial access through social engineering, then made a deliberate decision to pivot from the compromised Active Directory environment to VMware vCenter. That decision wasn't random. They chose the hypervisor layer because EDR agents don't run on ESXi hosts, because ransomware deployed from the hypervisor encrypts every virtual machine simultaneously, and because backup infrastructure is often managed through the same vSphere environment. Each decision in the chain was shaped by the attacker's understanding of the defensive architecture.

Difference 4: Compliance vs constraints

Defenders benchmark against standards. Attackers work within operational limits.

The defender's world is organized around compliance: ISO 27001 controls, CIS benchmarks, framework requirements. The question is "do we meet the standard?"

The attacker's world is organized around constraints: budget, time, tooling capability, risk of detection. A ransomware crew operating on a 72-hour timeline makes different decisions from a state-sponsored group with six months of patience. A lone operator using open-source tools makes different decisions from a team with custom implants and zero-day exploits.

Constraints shape technique selection in predictable ways. A budget-limited operator reuses publicly available toolkits because developing custom implants requires expertise and time they don't have. A time-pressured operator skips slow credential harvesting methods like Kerberoasting and reaches for LSASS dumping because the results are immediate. A detection-aware operator avoids noisy tools like PsExec and chooses WMI or DCOM for lateral movement because those protocols generate less conspicuous telemetry.

Understanding the attacker's constraints is directly actionable during triage. Noisy, fast-moving activity using commodity tools like Mimikatz, PsExec, and batch scripts signals a ransomware operator under time pressure. Expect rapid lateral movement and prepare for ransomware deployment. Slow, careful activity with custom tooling and long sleep intervals signals a patient adversary. Expect persistence mechanisms in unusual locations and prepare for data exfiltration over weeks.

M-Trends 2026 data confirms this distinction. The espionage category had a median dwell time of 122 days, while ransomware operations compressed initial access to handoff into 22 seconds. The constraint profile tells you which type of campaign you're facing, and that classification determines your containment strategy.

Difference 5: Categories vs paths

Defenders classify events by type. Attackers chain techniques by path.

When a defender sees an event, the first instinct is to categorize it: what ATT&CK technique? What tactic? What severity? Categorization is useful for metrics and reporting, but it treats each event as a member of a class rather than a step in a sequence.

When an attacker runs a technique, they're thinking about the path: "I used this technique to get this result, which enables this next technique, which gets me closer to this objective." The technique is a means, not an end.

Defenders who think in paths instead of categories detect campaigns. Instead of logging "we detected a T1003.001 credential dump," the analyst thinks "credential dump is the third step in an access chain. What were steps one and two, and what's step four?" That reframing connects the event to the campaign and predicts the next move.

The ATT&CK heatmap that creates false confidence

Organizations that track ATT&CK coverage as a heatmap of detected techniques can mark 70% coverage and feel protected. But coverage is measured by category, not by path. If you detect T1003.001 (credential dump) and T1021.001 (RDP lateral movement) independently, both cells are green. That doesn't mean you detect the path between them: credential dump followed by RDP lateral movement within 90 minutes to a high-value server. Campaign detection requires path-level correlation, not category-level checkbox coverage.

The perspective switching method

Three steps you can apply during any active investigation to shift from reconstruction to prediction.

Step 1: Reframe the event as a decision. Replace "the attacker used T1003.001" with "the attacker needed credentials and chose LSASS dumping because it produces plaintext credentials immediately, unlike Kerberoasting which requires offline cracking time." The reason reveals the operational logic behind the technique selection.

Step 2: Identify the constraint profile. Is the attacker moving fast and noisy, or slow and careful? Fast and noisy signals a time-pressured operator, likely ransomware. Slow and quiet signals patience, likely espionage or persistent access. The constraint profile predicts the attacker's next priority and the tempo of your response.

Step 3: Predict the next step. Given the objective and the constraints, what does the attacker need next? Credentials lead to movement targets. Movement leads to persistence or objective access. Persistence leads to data staging. Data staging leads to exfiltration. Pre-position your detection or containment at the predicted step before the attacker reaches it.

Analyst Decision

Event: T1003.001 LSASS credential dump detected on DESKTOP-NGE042 at 09:14. Process: rundll32.exe with comsvcs.dll MiniDump.

Decision Reframe: Attacker needs credentials for lateral movement. Chose LSASS dump (immediate plaintext) over Kerberoasting (offline cracking delay). Signals urgency: they want to move quickly.

Constraint Profile: Fast technique choice (LSASS over Kerberoast), commodity method (comsvcs.dll, not custom tooling). Profile: time-pressured, likely ransomware or smash-and-grab.

Predicted Next Step: Lateral movement within 1-2 hours using harvested credentials. Target: high-value server (DC, file server, or backup infrastructure). Protocol: RDP or WinRM (commodity operators favor these).

Pre-positioned Response: Monitor authentication from t.ashworth to Tier 0/Tier 1 systems. Alert on new RDP/WinRM sessions to DC or backup servers. Prepare session revocation and account disable if lateral movement confirmed.

The analyst decision above demonstrates the perspective switch applied to a single event. The defender framing would have been "LSASS dump detected, contain the endpoint." The attacker framing produces a prediction that enables proactive containment of the next phase before it executes.
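The path-level correlation called for under the ATT&CK heatmap and the pre-positioned response in the Analyst Decision above, as an added Python example that is not part of the original course material. It runs over constructed telemetry (every host other than DESKTOP-NGE042, the date, the tiering and the second account are assumed) and surfaces the credential-dump-to-lateral-movement chain that two independently green heatmap cells would miss.

```python
from datetime import datetime, timedelta

# Constructed sample telemetry modelled on the Analyst Decision above; every
# host other than DESKTOP-NGE042, the date, and the tiering are assumed.
EVENTS = [
    {"ts": "2025-05-01T09:14", "host": "DESKTOP-NGE042", "user": "t.ashworth",
     "technique": "T1003.001", "src": None},              # LSASS dump via comsvcs.dll MiniDump
    {"ts": "2025-05-01T09:50", "host": "FS01", "user": "j.doe",
     "technique": "T1021.001", "src": "DESKTOP-ACCT7"},   # unrelated RDP by another user
    {"ts": "2025-05-01T10:31", "host": "DC01", "user": "t.ashworth",
     "technique": "T1021.001", "src": "DESKTOP-NGE042"},  # RDP to the DC, 77 minutes later
    {"ts": "2025-05-01T13:00", "host": "BACKUP01", "user": "t.ashworth",
     "technique": "T1021.006", "src": "DESKTOP-NGE042"},  # WinRM, but outside the 90-minute window
]

TIER = {"DC01": "Tier 0", "BACKUP01": "Tier 1", "FS01": "Tier 1"}  # assumed high-value hosts
MOVEMENT = {"T1021.001": "RDP", "T1021.006": "WinRM"}
CRED_DUMP = "T1003.001"


def parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M")


def heatmap_view(events):
    """Category view: the technique cells that would turn green on an ATT&CK heatmap."""
    return sorted({e["technique"] for e in events})


def find_access_chains(events, window_minutes=90):
    """Path view: a credential dump followed within the window by RDP or WinRM to a
    tiered host, linked to the dump by the same account or the same source host."""
    ordered = sorted(events, key=lambda e: e["ts"])  # ISO timestamps sort lexically
    chains = []
    for i, dump in enumerate(ordered):
        if dump["technique"] != CRED_DUMP:
            continue
        t0 = parse(dump["ts"])
        for move in ordered[i + 1:]:
            delta = parse(move["ts"]) - t0
            if delta > timedelta(minutes=window_minutes):
                break  # events are sorted, so nothing later can be in the window
            linked = move["user"] == dump["user"] or move["src"] == dump["host"]
            if move["technique"] in MOVEMENT and move["host"] in TIER and linked:
                chains.append({"dump_host": dump["host"], "user": move["user"],
                               "target": move["host"], "tier": TIER[move["host"]],
                               "protocol": MOVEMENT[move["technique"]],
                               "minutes": int(delta.total_seconds() // 60)})
    return chains
```

heatmap_view(EVENTS) reports both T1003.001 and T1021.001 as covered, while find_access_chains(EVENTS) is what actually surfaces the DESKTOP-NGE042 to DC01 chain at 77 minutes and drops it if the window is narrowed to 60.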

Why this matters for your investigations

The five differences are not theoretical. Each one translates into a question you can ask during any active investigation:

Controls vs gaps: "Which gap is this attacker using, and what other gaps connect to it?"
Alerts vs objectives: "What's the likely objective, and what does the attacker need next to reach it?"
Events vs decisions: "Why did the attacker choose this technique over alternatives? What does the choice tell me about their constraints?"
Compliance vs constraints: "Is this a time-pressured operator or a patient one? What does that predict about their next move?"
Categories vs paths: "If this event is step three in a chain, what were steps one and two?"

Every module in this course teaches you to answer these questions with increasing precision. By M9, you'll read a set of alerts and recognize the operational pattern connecting them, because you understand the decision logic that produced them. The shift starts here, with these five differences, and deepens every time you apply them to live evidence.

Offensive Operations Principle

Defenders think in controls, alerts, events, compliance, and categories. Attackers think in gaps, objectives, decisions, constraints, and paths. The cognitive shift is not about learning to hack. It is about learning to read partial evidence and recognize the operational logic that connects it. That recognition turns reactive triage into predictive defense.

Next
Section 0.3: The Pyramid of Pain. You've seen the five cognitive differences. Section 0.3 connects them to David Bianco's Pyramid of Pain, the framework that explains why detecting operational patterns (the attacker's expensive-to-change behaviors) produces more durable value than detecting indicators (the attacker's cheap-to-change artifacts).