The Discipline of Reality
“Change your attitude. Unfuck your head. Make an honest, unsentimental accounting of your present condition. Prepare to be disappointed. Define what you want instead, clearly. By clear I mean precise, and feasible. An unrealistic objective is sure to sabotage the process. Hit the books. Try and err. Inquire. Risk. Mimic. Insist. Resist.” - Mark Twight
Security Brutalism begins exactly where Mark Twight points: with unsentimental honesty. Not where your program is supposed to be. Not where the roadmap says it will be. Where it actually is. What is deployed. What is broken. What is exposed. What still works under pressure.
Most security programs fail before attackers ever show up because they are built on comfort instead of truth. They protect narratives, tooling decisions, and sunk cost. They avoid precise questions because precise answers are inconvenient. Brutalist Security rejects that. It forces an accounting of the program's real condition and prepares to be disappointed by what it finds.
From there, clarity matters. Not ambitions. Not slogans. Feasible, testable objectives tied to real systems and real threats. You do not "become resilient". You make specific changes that reduce attacker movement, reduce blast radius, and increase survival time. Anything else is self-deception.
Then comes the work. Study the environment. Break your own assumptions. Try controls and watch them fail. Ask better questions. Copy what demonstrably holds up under stress. Insist on evidence. Resist complexity, theater, and tool accumulation.
Security Brutalism is not a mindset exercise. It is disciplined confrontation with reality, followed by deliberate construction of systems that still function when optimism is gone and the breach has already happened.