The Stoic Security Engineer, What Epictetus Can Teach Us About Cybersecurity
Ancient Stoic wisdom meets modern cybersecurity. Epictetus's 2,000-year-old teachings on control, preparation, and resilience offer surprisingly practical guidance for security professionals navigating a landscape of inevitable breaches and constant threats.
When Epictetus, the ancient Stoic philosopher, taught his students in Roman Greece around 100 CE, he couldn’t have imagined ransomware, zero-days, or data breaches. Yet his teachings offer surprisingly practical wisdom for modern cybersecurity professionals navigating a landscape of constant threats and inevitable compromises.
The Dichotomy of Control: Your Security Perimeter Starts in Your Mind
Epictetus’s foundational teaching was deceptively simple:
“Some things are up to us and some are not up to us.”
Wisdom lies in recognizing the difference and focusing our energy accordingly. As he put it in the Enchiridion,
“Our opinions are up to us, and our impulses, desires, aversions—in short, whatever is our own doing.”
In cybersecurity, this distinction is transformative. You cannot control whether sophisticated nation-state actors will target your organization. You cannot control whether a critical zero-day vulnerability will be discovered in software you depend on. You cannot control whether an employee will click a phishing link despite your best training efforts.
What you can control is your response. You can control your patch management processes. You can control your incident response planning. You can control the architecture of your systems to limit blast radius. You can control your investment in detection and monitoring.
Too many security teams burn out obsessing over threats they cannot prevent. The Stoic approach suggests a different path: rigorously prepare what’s within your power, then accept that breaches and incidents will occur despite your best efforts. This isn’t defeatism—it’s the foundation of resilience.
Assume Breach: The Stoic Approach to Trust
Modern security frameworks increasingly embrace the principle of “assume breach”—the idea that you should architect systems assuming attackers will penetrate your defenses. This allows you to focus on limiting damage, detecting intrusions quickly, and recovering effectively.
Epictetus would recognize this immediately. He taught:
“Don’t hope that events will turn out the way you want, welcome events in whichever way they happen: this is the path to peace.”
Being shocked by a security incident, he might argue, is like being shocked that attackers exist.
When a security team operates with assumed breach, they’re not being pessimistic—they’re being realistic. They implement zero-trust architectures. They segment networks. They maintain offline backups. They practice incident response regularly. They’ve mentally rehearsed the breach before it happens, so when it does, they respond with clarity rather than panic.
This is the cybersecurity equivalent of what Stoics called premeditatio malorum—the premeditation of evils. By visualizing worst-case scenarios in advance, you rob them of their power to overwhelm you.
Red Teams and Negative Visualization
Epictetus encouraged his students to regularly imagine losing what they valued most, not to make themselves miserable, but to prepare mentally and appreciate what they had while they had it.
In cybersecurity, we’ve formalized this practice: penetration tests that hunt for exploitable weaknesses in our own systems before real adversaries find them, and red team exercises that emulate a realistic adversary end to end to test whether our detection and response capabilities actually work. In both cases we deliberately imagine our defenses failing, and then check what happens when they do.
Organizations that skip this practice, that avoid imagining how they might be compromised, are like Stoics who refuse to contemplate adversity. When the inevitable breach occurs, they’re unprepared, disoriented, and overwhelmed.
The best security programs treat red teaming not as an uncomfortable audit requirement but as essential training for resilience. Each simulated attack is an opportunity to strengthen your mental and technical readiness for the real thing.
Discipline as Daily Practice
Epictetus taught that philosophy wasn’t about memorizing clever arguments; it was about training yourself through daily practice until wise action became natural.
“If you didn’t learn these things in order to demonstrate them in practice, what did you learn them for?”
he asked his students. He compared philosophical training to athletic preparation: constant repetition until excellence becomes habitual.
Security teams understand this intuitively. You cannot secure an organization through policy documents alone. Security requires habit: developers habitually reviewing code for vulnerabilities, employees habitually verifying unusual requests, operations teams habitually checking logs and alerts.
The organizations with the strongest security posture are those where good practices have become reflexive through consistent repetition. Tabletop exercises. Phishing simulations. Regular patch cycles. These aren’t bureaucratic boxes to check; they’re the daily training that makes security automatic.
Accepting What We Cannot Know
One of the most challenging aspects of cybersecurity is operating under fundamental uncertainty. You can never know for certain whether you’ve been compromised. You can never know all the vulnerabilities in your systems. You can never know what novel attack techniques adversaries are developing.
Epictetus taught that demanding certainty about uncertain things is a path to misery. The wise person accepts the limits of human knowledge and acts as reasonably as possible given what can be known.
For security professionals, this means embracing risk management rather than demanding impossible guarantees. It means being comfortable saying “we’ve reduced the risk to an acceptable level” rather than “we’ve eliminated all risk.” It means acknowledging that even with sophisticated monitoring, some attacker activity may go undetected.
This acceptance of uncertainty isn’t resignation; it’s maturity. It allows security teams to make pragmatic, risk-based decisions rather than being paralyzed by the impossibility of perfect security.
The Stoic Response to Incidents
When a security incident occurs, two responses are common: panic and blame. Neither is productive.
Epictetus taught:
“It’s not things that upset us, but our judgments about things.”
A breach is neither inherently catastrophic nor trivial; what matters is how we respond. He also reminded his students that
“Circumstances don’t make the man, they only reveal him to himself.”
The Stoic incident responder stays calm, focuses on containment and recovery, and treats the incident as an opportunity to strengthen defenses. They don’t waste energy on recrimination or self-flagellation. They ask: What can we learn? What’s within our power to improve?
This doesn’t mean ignoring accountability or avoiding hard questions about what went wrong. It means approaching post-incident analysis the way a blameless post-incident review does: with the goal of finding the systemic gaps and becoming more resilient, rather than finding someone to punish.
Conclusion: Building Resilient Security Through Ancient Wisdom
Epictetus taught in a world of plague, war, slavery, and political upheaval. His students faced genuine, existential threats. His philosophy wasn’t abstract theorizing; it was a practical toolkit for maintaining clarity and effectiveness in the face of adversity. As he instructed:
“Make the best use of what is in your power, and take the rest as it happens.”
Modern security professionals face different threats, but the underlying challenge is the same: how do you maintain effectiveness and sanity in an environment of constant danger and inevitable setbacks?
The Stoic answer is: Focus on what you control. Prepare for what you cannot prevent. Practice constantly. Accept uncertainty. Respond to incidents with clarity rather than panic.
These aren’t just philosophical niceties; they’re the foundations of sustainable, effective security programs. The security practitioner who embraces these principles won’t prevent every breach, but they’ll build organizations that can withstand attacks, learn from incidents, and grow stronger through adversity.
In other words, they’ll build security programs that are genuinely resilient, not because they never fail, but because they know how to fail well.
As Epictetus might have put it: you cannot control whether attackers will come, but you can control whether you’ll be ready when they do.