Learning from hackers: Curiosity as a force for progress

On the LEAP blog this month, we’re exploring the intersection between tech innovation and cybersecurity. We’ve often left the cybersecurity chat up to our colleagues at Black Hat MEA (find their blog here – it’s full of interviews with cybersecurity leaders from around the world). But we want to turn our attention to security for a while, because tech and cybersecurity are inextricably interlinked; and tech can’t have a positive impact if it isn’t safe. 

In cybersecurity, curiosity is a survival skill. In one interview with BHMEA, Jason Lau (CISO at Crypto.com) compared it to strategy games:

“The cybersecurity field shares many parallels to the game of chess…it’s important to learn and evolve regardless of the outcome.” 

That mindset (learn, adapt, evolve) is exactly what separates resilient defenders from vulnerable ones. 

In another interview, Lance James (Founder and CEO at Unit 221B) said: “I strive to empathise with our adversaries.” By trying to see the world through an attacker’s eyes, learning about their motivations and adapting accordingly, defenders anticipate moves that can’t be spotted through automation alone.

Attackers are weaponising curiosity

A new report on distributed denial-of-service (DDoS) attacks in the financial sector, produced by FS-ISAC and Akamai, makes it clear that today’s adversaries are getting curious (and serious) about ways they can exploit attack opportunities for bigger gains and a wider impact. Not long ago, DDoS attacks were dismissed as background noise; but now they’ve evolved into precision campaigns. Instead of being just floods of traffic, they’re used as methodical probes, multi-vector assaults, and adaptive strategies.

In 2024, threat actors increasingly used reconnaissance to map financial institutions’ defences before launching multi-vector campaigns. As the report explains: “The most effective DDoS campaigns…were characterised by strategic reconnaissance and agile execution rather than simple volume.”

Effectively, that’s curiosity weaponised. Attackers are constantly asking: what if we try this angle? What happens if we adapt in real time? And they’re leveraging resources like DDoS-for-hire platforms and VM-based botnets to execute campaigns that bypass traditional defences.

The hacker mindset on both sides 

If attackers are curious, defenders must be more so. The FS-ISAC DDoS Maturity Model highlights the difference between organisations that are stuck in reactive mode, and those that adopt adaptive strategies. At the lowest level, businesses underestimate the threat entirely, have no inventory of APIs, and lack even basic firewalls – making them easy prey. At the top level, adaptive organisations achieve “real-time, dynamic response capability” and leverage peer collaboration through networks like FS-ISAC.

And that is curiosity institutionalised. Those adaptive organisations can map assets continuously, run red-team drills, monitor anomalies, and ask new questions before attackers do.

The leading minds in cybersecurity all value curiosity as a critical quality for success and endurance in the field. When the team at BHMEA asked Dr. Srijith Nair (CISO at Careem) what first sparked his interest in security, he said: “I remember being fascinated by the cat-and-mouse nature of cybersecurity.” And when asked how he stays ahead of the curve, he said he approaches new developments with a beginner’s mindset and open curiosity. 

Cyber thrives on the same exploratory drive that fuels attackers – testing boundaries, seeing how systems respond, and turning missteps into insights.

Curiosity also feeds on context. The FS-ISAC report notes that geopolitical tensions have become catalysts for targeted DDoS waves, with the return of ‘hacktivism’ around the world: campaigns that explore leverage points and ways to amplify political messages through digital disruption.

Building resilience through digital exploration 

Across the tech industry, we need to remember that the hacker mindset isn’t inherently malicious. When channelled into innovation and defence, it’s a force for growth and change. 

Lau reminded us that “understanding human behaviour is crucial for anticipating and mitigating cybersecurity threats.” And James said: “It’s easy to disassociate while on a computer, forgetting that it’s not just bits and bytes, but people’s lives at stake.” 

This human curiosity – asking questions about motives, patterns, and vulnerabilities – is the same quality the FS-ISAC urges institutions to embed at scale. Their proactive recommendations include anomaly detection, upstream provider reviews, geo-IP filtering, and constant playbook testing. Each is a structured way to ask ‘what if?’ before attackers force the question. 

Curiosity is a collective discipline 

At Black Hat MEA, the hacker mindset is celebrated not for its destructiveness, but for its creativity. And at LEAP, curiosity drives breakthroughs across tech verticals. Whether you’re designing a new app or defending a payment gateway from a DDoS swarm, curiosity is the engine of progress.

The adversary is curious. The defender must be more so. And when we cultivate that mindset across our teams, our companies, and our industries, we transform cybersecurity from a scramble into a strategy; and into an opportunity to build resilience that lasts.
