Cyber Shelf

// Comparison

Cyberstructure vs The Practice of Network Security Monitoring: Which Should You Read?

Two cybersecurity books on Networking, compared honestly: who each is for, what each does best, and which to read first.

Intermediate
4/52018
Cyberstructure

L'Internet, un espace politique

Stéphane Bortzmeyer

An engineer's lucid account of how the Internet actually works — and why its technical architecture is a political space that shapes human rights — by a DNS specialist at AFNIC.

Intermediate
5/52013
The Practice of Network Security Monitoring

Understanding Incident Detection and Response

Richard Bejtlich

Richard Bejtlich's NSM playbook: how to deploy collection sensors, validate that you actually see what you think you see, and build detection workflows around open-source tools.

Read this if

Technically curious readers, policy people and engineers who want to understand the link between Internet plumbing (DNS, routing, protocols) and politics: privacy, censorship, surveillance, freedom. Won the FIC Cyber Book Prize 2019.
Every SOC analyst and detection engineer. Bejtlich's foundational text on NSM: collect-everything, alert-on-narrow, investigate-broadly. Defines the vocabulary the modern detection field still uses.

Skip this if

Readers after a security how-to or a pure tech manual. The book is about the politics embedded in infrastructure, not about attacking or defending systems.
Readers wanting current SIEM tooling specifics. The book pre-dates EDR-as-default and modern cloud-native telemetry; the principles transfer, the tooling specifics don't.

Key takeaways

  • Rare book that explains Internet infrastructure precisely and draws out its political consequences without hand-waving on either side.
  • Bortzmeyer is a working DNS/networks engineer, so the technical descriptions are accurate, not journalistic approximations.
  • Reframes privacy and freedom as design choices baked into protocols — essential context for anyone in security or policy.
  • Detection without prevention is a strategic choice, not a fallback; Bejtlich was years ahead in arguing the case and the book remains the clearest argument.
  • The four data types (full content, session, transactional, statistical) are still the right framework for thinking about detection coverage.
  • Most SOC failures are organizational and procedural, not tooling; the book's chapters on workflows, runbooks, and analyst growth are still the best in print.

How they compare

We rate The Practice of Network Security Monitoring higher (5/5 against 4/5 for Cyberstructure). For most readers, that means The Practice of Network Security Monitoring is the primary pick and Cyberstructure is a useful follow-up.

Both books target intermediate-level readers, so the choice is about topic, not difficulty.

Cyberstructure and The Practice of Network Security Monitoring both cover Networking, so reading them in sequence reinforces the same material from different angles.

Keep reading

Cyberstructure

Alternatives to CyberstructureWhat to read after Cyberstructure

The Practice of Network Security Monitoring

Alternatives to The Practice of Network Security MonitoringWhat to read after The Practice of Network Security Monitoring

Related topics

Networking