From Framing Risks to Framing Scenes

Seeing the world through someone else’s lens

For those not local to Glasgow, you may have missed a recent talk I gave on the crossover between photography and security, exploring how principles from one discipline can meaningfully inform the other and how key concepts are really useful and similar. This blog post will try to highlight the crossover, the takeaways and interesting points, plus showcase some pics I've taken. If you like what you see, more can be found over on my photos blog.

Knightswood, Glasgow

Note: where possible, I'll link or detail where photos have been taken if you want to go to similar places.

It is a bit of an unconventional post for once, not overly technical but something that will hopefully make sense to a lot of people, not just the highly technical focused audience. Hopefully it resonates with a few people and hammers home that having something that stimulates the creative side of the brain will help you solve problems regardless of what side of the fence you sit on in security or what hat you don.

Pick a Hobby that Gets you AFK

The first point supports the crossover but also makes another really important point: it’s about choosing a hobby that takes you away from the keyboard and away from your desk. It can be anything, really, but I’ve found it incredibly important. Over my career, I’ve learned the value of two things: personal time and hobbies. Both should give you something to think about and pull you out of the chair and away from your desk.

For years in my early career my primary hobby was karate. I hold a shodan (1st Degree Black Belt) in karate; it was lots of fun and I mostly trained to keep myself sane, but also for the social element of things. It got me away from my computer and out and moving.

Andy back in 2010, performing tameshiwari (board breaking) with a Gyaku Zuki (reverse punch)

In addition, when walking back from training I'd always have some form of camera on me, be it a smartphone or sometimes just a point and shoot, and got into taking photos of things. Hunting through my archives, the earliest photos I've got are from 2011, but I'm sure I took pics before then too. This one was shot from the back of a train looking out onto sunset.

Sunset over London

As I've progressed my career in security, my photography has also progressed. I've learnt the tools of the trade and the things I enjoy photographing most. For anyone who keeps up with the stuff I dump on the internet, it's mostly really dark moody shots or candid portraits with a peppering of landscape shots.

One of the really great things about working in the industry so long is the ability to afford nice toys too. I still use a smartphone but I have invested over the years in two really nice cameras which I can almost always be found with, floating around taking pics of things. They are:

  • Leica Q2
  • Sony Alpha 7 IV

Doing photography, however, does not require an expensive camera, and a lot can be drawn from learning the basics, just as you would when performing security, hacking et al. Having a basic Linux Virtual Machine and learning your first command line args, or playing about with SSH or whatever takes your fancy, is how you can start on anything.

Learn Your Tools

A camera is just a tool. It doesn’t create the moment for you, you do. The same applies in security. A laptop, a scanner, a proxy, a SIEM, a firewall: none of these mean anything without the person and the brain behind them. Your skill comes from understanding how the tool works, where it breaks, and where its limits are.

In photography, the difference between a snapshot and a shot that lands comes from knowing how your camera behaves in different light, how your lens renders depth, how your sensor reacts to contrast. You learn what to push and what to compensate for.

Security is no different. Tools don’t make you good; they amplify what you already know and demonstrate your ability to adapt. Knowing how to use them is one thing, but knowing where they fall short is where the real capability appears. That’s where insight happens. That’s where you start spotting gaps in controls, misconfigurations, weak assumptions, or places where everyone else just accepted the default.

The camera and the keyboard are just tools. The craft comes from the intent behind them.

Every Frame Tells a Story

Glasgow University & Kothel, Crow Road (My favourite coffee shop)

In photography, composition (rule of thirds, leading lines, negative space) isn’t just about "being artistic". A lot of it is about decision making and framing, which are two concepts closely tied to security and the approach to things. You don’t include every leaf in the frame; you choose what matters and zoom into the important parts.

Dukes Pass, Scotland

The same can be said for risk and target prioritisation. During a pentest, red team or audit, clients can have hundreds of findings or attack paths and you can’t choose them all or equally fix them all (at once). You need to "frame" the top ones that have the largest impact or are the most attainable. Think of it like framing an Amanita muscaria (thanks F1nux for the correction!) in the forest, not the entire woods.

Amanita muscaria - Taken just off Dukes Pass in Scotland

Adaptability

Some photographers hate bad weather, be it grey skies, rain or just dreich undertones. But I thrive on it. Overcast skies? Use a reflector. Sudden rain? Capture the drops and reflect the light off of shiny surfaces. Adaptability isn’t a "nice-to-have"; sometimes it is the only way to chase the shot and re-frame the angles and re-approach the scenario.

Great Western Road on a dark autumnal wet night in Glasgow

Red teaming is 90% adaptability and the rest is planning for that adaptability. Set yourself up for the worst case scenario and assume that Plan A and Plan B and possibly even Plan C will fail. So having considerations for changing your angle, your approach and thinking is key. It is equally important in the world of blue: where the adversary changes their path, you need to be ready to respond. Plans fail: firewalls get updated, users change passwords, SOC teams detect you. You need to "change your angle" like a photographer adjusting to light.

Here is an example of the same day, same bridge but taken from two different angles (both from a DJI Air2S, I'm tall but I'm not a giant!). The difference in perspective gives two completely different photos.

Glen Coe, Scotland

Learn on Your Feet - Capture the Moment

Portraits of my friends, mostly shot at DEF CON

Portraits are one of my favourite types of shot to take but they are inevitably very hard to do too. Capturing the moment and learning the angles and your tradecraft are very important.

In portrait photography, the compelling part of the image isn’t just the face, important as it is, but the small cues: posture, micro-expressions, where the subject’s eyes sit, the environment around them. The real story is in the subtle details most people overlook. The three portraits above are moments captured at the right time: from left to right, capturing a smile and a flick of the hair, through to the correct lighting for Salem's glorious beard from the right angle, and finally Squ33ks' laughter and the glint of a smile behind her hand.

In contrast, security follows a similar flow. The risk isn’t usually in the loud, flashing alert or the blatant path an attacker might take. The real risks lie in the quiet behaviours, the weak assumptions, the small misconfigurations and the “that’s probably fine” decisions. The most important thing that I do when I do red teaming is challenge assumptions and often chain what others would classify as null point for smaller findings to create more impactful chains and paths. The real story is in the subtle details most people overlook.

In both cases, the story is in the subtle details; train your eye to capture them.

Storytelling

The first shot is of the absent ear in Merchant City, Glasgow. The second is Crow Road, Glasgow outside SoHo and the last is the RAI Amsterdam Convention Centre on a foggy wet night in November 2024.

Arguably, everything we do in security involves storytelling. The key is speaking in the language your audience understands and bringing everyone with you. One of the biggest lessons I’ve learned in my career is to talk to the right audience in the right way: learn to speak both nerd and suit, and everything else tends to fall into place. The way you frame a point matters. There is a big difference between talking about MS08-067-netapi, and explaining the financial, operational, and strategic risks that come from running legacy systems and the opportunities it creates for an attacker.

DUDS Vintage Clothing, Great Western Road, Glasgow

The photo above is capturing light shining through the darkness and I loved the way that the light illuminated an otherwise very dark street, similarly just down the road there was another shot I took of a heater lighting up the darkness:

Naked Soup, Glasgow

The same applies to photography. Understanding your audience and guiding them toward what you want them to notice is part of the craft. A technically good photo isn’t enough on its own (well, it can be sometimes). However, without context, the viewer may miss the point entirely; a photo without a caption is just a pretty picture.

Patience

Bonn, Germany - taken by my mum while on tour round Europe

Sometimes you wait for hours for the right shot; other times, the moment simply walks into frame. Patience and reconnaissance are just as important in security. Knowing what you’re looking at, understanding what you’re looking for, and resisting the urge to rush are key. The operators who take their time, who observe first and move later, are the ones who stay quiet, remain under the radar, and evade defences effectively.

Victoria Park, Glasgow

This shot, for example, took ages to get right. I must have stood for easily 20 minutes trying to get someone to walk in the middle of the frame to see the leaves and the trees framing his walk. This gentleman was unaware he was the main character in my shot, and it was very much worth it. The number of people who apologised for "getting in the way" was fun too; little did they know I was waiting for the perfect shot.

The old cliché, “the quieter you are, the more you can hear,” applies just as well to photography. The calmer and more patient you are, the better the shot becomes. Slowing down gives you space to see what’s actually in front of you: not just what you expect to see but what you want to fall into your frame and down your viewfinder.

Attention To Detail

Finally, probably the most important takeaway from both taking photos and doing security: attention to detail. In photography, the details matter. A stray reflection, a slight tilt in the horizon, a distracting background element: these can change the entire feel of an image. The difference between a good shot and a great one often lies in noticing and correcting what others overlook.

Rhoderick Dhu, Glasgow - after Hack Thursday

Sometimes when taking photos we don't want the whole shot, just the smaller details:

I was aiming to capture the reflection of blue and red against the glass, which isn't as clear in the first shot but when cropped in it flows nicely with the correct things in focus.

Glengoyne, Glasgow

When talking about attention to detail, security is no different. Small things matter: a misconfigured permission, an unmonitored service account, a default credential left untouched. These are all things that catch my eye and are often the cracks attackers exploit. The real skill is developing the eye to see what shouldn’t be there and what doesn’t quite fit.

Seeing Security Through Another Lens

Go and find something that gets you away from the screen. It doesn’t have to be photography; it could be martial arts, tabletop nights with friends, music, pottery, painting, walking, knitting, anything that lets your mind breathe. Creativity and clarity grow in the gaps, not the grind. What they also do is serve a purpose: to help you solve problems. How many times have you been hitting your head against a problem and gone away to do something else and suddenly thought "aha! that's the solution I was looking for or the idea I wanted!"?

Photography and security seem like very different worlds on the surface: one creative, one technical; one emotional, one analytical. But the longer I’ve spent doing both, the more I’ve realised they rely on the same fundamentals: patience, observation, adaptability, framing, and attention to detail. After all, hacking is both an art and a science. It's not just tied to 'red teaming'; hacking is making something do something it's not meant to. It's a frame of mind and a frame of reference that can be applied to lots of different things.

Whether you’re lining up a shot or picking apart a network, the skill isn’t just in what you do; it’s in what you notice. It’s the ability to slow down long enough to see what others miss. To choose what matters and leave out what doesn’t. To wait for the right moment rather than forcing the wrong one. To tell the story in a way your audience can actually hear.

If there’s a takeaway here, it’s that having a creative outlet isn’t a distraction from security work; it’s a force multiplier for it. The more you train your eye, the more you train your mind, and your approach changes over time. Stepping away from the keyboard is not only a healthy thing to do but it is often the thing that helps you come back with clarity.

If you enjoyed the photos here, I share more over on my photo blog. If this resonated, I’d love to hear your perspective and if you’ve found your own “second craft” that helps you think differently.

Arts District, Las Vegas - Andy with his Leica being a tourist