Most of the infosec world loves to parrot the cliché: “Think like a hacker.”
But let’s be honest – most don’t. Heck, most don’t even think like adversaries.

What we usually end up with is people running tools that promise to “think like a hacker” or “stop hackers” while nobody actually stops to ask what either of those things means.


Hacker ≠ Adversary

Hackers, in the original sense, are people who twist a system to do something it was never designed to do. The motivation isn’t always money, fame, or chaos. Often, it’s plain curiosity.

Adversaries, on the other hand, don’t care about curiosity. They have objectives, budgets, timelines, and reporting managers. They’re not bending systems to explore; they’re bending systems to deliver.

“Hackers twist systems to learn. Adversaries twist systems to win.”

It’s like the difference between me wanting to power my servers with solar energy (hacker mindset) and me figuring out how to redirect solar power in an enemy region to cause a blackout (adversary role). Both involve playing with the system, but the intent is miles apart.


Hacker is a Mindset. Adversary is a Role.

This is the core mistake the industry keeps making. Hacker is not a job title, it’s a way of looking at the world. Adversary is a role someone plays to achieve a mission.

A hacker can put on the adversary hat if they want. But not every adversary has the hacker mindset – many just follow playbooks or orders.

“Following orders is the one thing hackers despise. Following orders is the one thing adversaries depend on.”

This is why red teams sometimes disappoint: you can staff them with highly skilled operators who simulate adversaries, but if they don’t carry the hacker mindset, their attacks never stretch beyond the playbook.


A Personal Note

And let me be clear – I wasn’t throwing the “hacker” word around casually for myself either. For the first few years of my life in infosec, I didn’t feel worthy of the moniker. At one point, I won a CTF at Nullcon and got a jersey with “HACKER” printed across the back. You’d think I’d wear it everywhere, right? Nope. It sat in my closet. I hadn’t proven to myself that I deserved the word.

Because here’s the thing:

“Hacker is not a title you give yourself. It’s something the world eventually recognizes you for – sometimes long before you do.”


The Anonymous Problem

Groups like Anonymous or LulzSec were often labeled as “hacker collectives.” But in truth, most of their operations were adversarial campaigns – planned, targeted, disruptive. The hacker branding made for good marketing, but the Guy Fawkes mask was more cosplay than culture. Misguided people joined thinking they were part of hacker culture, yet in reality they were just extra hands running tools while someone else drove the adversarial playbook.

“Anonymous wasn’t hacker culture. It was adversary culture wearing a hacker mask – literally.”


Tolerance and Hijack

Hacker culture prided itself on openness, decentralization, and tolerance. Anyone could join.

The problem with being endlessly tolerant is you eventually get hijacked by the intolerant. With no central figure, decentralized systems are easy to capture by central-ish entities. We’ve seen it happen repeatedly.

But here’s the irony: this failure is also a shield. The loud imposters burn in the spotlight, while the real hackers remain in the shadows, tinkering away quietly.

“The louder the cosplay, the deeper the shadows for real curiosity.”


Bug Bounties, MITRE, and Reality

Here’s another key distinction:

  • Hackers love idiosyncrasies. They stumble onto quirks, weird states, and strange system behaviors.
  • Adversaries couldn’t care less about quirks. They’ll phish you, bribe you, or smash their way in if needed. They care about outcomes, not elegance.

That’s why frameworks like MITRE ATT&CK make so much sense for defense. They catalog adversary behaviors, not hacker curiosities. Real-world defenders aren’t dealing with someone who’s tinkering for fun; they’re facing someone with a job to get done.

And it’s also why bug bounties aren’t the same as adversary simulation. Bug bounty programs are valuable, but they are intentionally scoped around the hacker mindset of exploration. They encourage curiosity inside controlled boundaries, which is fine for safety and predictability. Adversarial linkages (chaining bugs into campaigns, mixing technical with social pressure, or stepping outside the target application) are out of scope, and for good reason. No one wants to risk a situation where employees or their families are harmed just so someone can claim a payout.

Bug hunters may apply hacker creativity, but they are not asked to (and should not) simulate the ruthless persistence of a true adversary. That gap explains why organizations sometimes get breached even after generous bounty payouts.

“Hackers get distracted by idiosyncrasies. Adversaries get paid to ignore them.”


What Infosec Really Needs

So what does infosec actually need? Not another poster saying “Think like a hacker.”

What we need is both:

  • Hacker mindset for creativity, unpredictability, and system-bending insight.
  • Adversary roleplay for realism, persistence, and outcome-driven attack chains.

You need both. One without the other is either too whimsical or too mechanical. And remember, the end goal is simple: make the system more secure against attacks than it was before. If your security bar isn’t raised, the whole effort is little more than a shenanigan.


Closing Reflection

Raising the bar is always a moving target – adversaries adapt, tactics evolve, and the outcome is never perfect security but relative resilience.

The industry keeps confusing hackers and adversaries because they sometimes overlap. But the distinction matters.

Hackers bend rules for curiosity. Adversaries bend rules for outcomes. Sometimes they’re the same person, but not always.

“Security teams that only think like hackers prepare for curiosities. Security teams that only think like adversaries prepare for missions. Security teams that think like both might actually stand a chance.”

And at the end of the day, all of this only matters if the bar for security is raised. Perfect security is a myth, but raising the bar is about resilience – making it harder, costlier, and riskier for the next attacker than it was before. If your systems aren’t harder to break into tomorrow than they were yesterday, then everything else is just theatrics. And remember, an adversary that thinks like a hacker is the proverbial Baba Yaga, the nightmare we need to be prepared for.


That’s the balance the industry rarely talks about. Hacker is a mindset. Adversary is a role. If we forget the difference, we end up fighting shadows and missing the real battles happening right in front of us.



