// Comparison

Cyberjutsu vs The Hacker and the State: Which Should You Read?

Two cybersecurity books on Strategy, compared honestly: who each is for, what each does best, and which to read first.

Beginner

3/52021

Cybersecurity for the Modern Ninja

Ben McCarty

Ben McCarty maps declassified medieval ninja scrolls onto modern adversary tradecraft. More analogy-driven than technical, useful for security-program framing.

Beginner

5/52020

The Hacker and the State

Cyber Attacks and the New Normal of Geopolitics

Ben Buchanan

Ben Buchanan's argument that state-on-state cyber operations are not deterrence-shaped (like nuclear) but signaling-shaped: countries use cyber to shape the environment, not to threaten escalation. Builds the case from declassified incidents.

Read this if

Security program managers and CISOs looking for non-technical framing for executive conversations. McCarty's analogies between feudal-Japan ninja tradecraft and modern adversary behaviour are unusual but practical for anchoring strategic discussions.

Anyone trying to think clearly about state-sponsored cyber: policy staff, threat-intel analysts, journalists, and security leaders who have to brief on "the cyber threat" without resorting to vendor decks. The single best academic-grade synthesis of the last twenty years of state cyber operations.

Skip this if

Practitioners wanting technical depth or hands-on guidance. The book is metaphor-driven and conceptual; engineers and analysts will find the depth thin.

Readers wanting forensic detail on specific operations. Buchanan synthesizes; for the procedural blow-by-blow on Stuxnet, NotPetya, or the SolarWinds incident, go to Zetter, Greenberg, and the post-incident reports respectively.

Key takeaways

The ninja-vs-modern-adversary analogies hold up surprisingly well, particularly around deception, patience, and information operations.
The framing is most useful when explaining adversary thinking to non-technical executives; the chapters on deception and counter-intelligence are the strongest.
Treat the book as strategy-and-vocabulary scaffolding, not as technical training; its value is in framing decisions, not making them.

Cyber is poorly modeled by deterrence theory: states use it constantly, below the threshold of war, to shape the environment rather than to threaten escalation.
The signaling/shaping distinction (espionage, sabotage, destabilization, election interference) is the right taxonomy for analyzing modern campaigns and is the book's most reused contribution.
Attribution and accountability remain genuinely hard, and that asymmetry is itself a structural feature of cyber statecraft, not a temporary condition awaiting better tools.

How they compare

We rate The Hacker and the State higher (5/5 against 3/5 for Cyberjutsu). For most readers, that means The Hacker and the State is the primary pick and Cyberjutsu is a useful follow-up.

Both books target beginner-level readers, so the choice is about topic, not difficulty.

Cyberjutsu and The Hacker and the State both cover Strategy, Narrative, so reading them in sequence reinforces the same material from different angles.

Keep reading

Cyberjutsu

→ Alternatives to Cyberjutsu → What to read after Cyberjutsu