OpSec for Adults: Graduated Resilience Under Observation

Operations security as graduated resilience under observation. A practical floor: civilian baseline anchored on the EFF curriculum, plus a public-figure layer for the crypto archetype with the Lazarus threat model. Pair with the companion piece on what running really costs in 2026.

OpSec is graduated resilience under observation. “Under observation” is the constant: you cannot opt out at the bottom of the list. “Graduated” is the discipline: match your posture to your exposure. Most breaches in 2026 are a posture-exposure gap, not a math problem. This piece is the floor and the climb. The third layer (the gray man, running from a state actor) is where graduation runs out, and gets its own companion piece.

1. Cold open

April 2026. An employee at a small AI startup wants to grind levels in Roblox without grinding. He finds an auto-farming script. He runs it on his work laptop.

The script works. It also carries the Llama infostealer. Llama harvests every cookie, every saved password, every OAuth token sitting in Chrome’s vault, and ships the lot to a stranger.

One of those tokens belongs to a Vercel employee. Months earlier, that employee had granted the same AI startup access to their Vercel Enterprise Google Workspace. They had clicked “Allow all.” Nobody flagged it at the time.

Within hours, the attacker is inside Vercel. Customer database credentials. Cloud keys. Source-control tokens. The platform that runs a meaningful slice of the modern web is, briefly, unzipped.

The data is on offer at two million dollars.

No zero-day. No exotic exploit. A Roblox cheat. A click nobody read. An OAuth token wandering in the dark.

This is what most modern breaches actually look like.

2. Define OpSec

Operations security. The military invented the term. The modern discipline is narrower and more honest: graduated resilience under observation.

“Under observation” is the constant. Ad networks, payment networks, your phone, your phone’s apps, your apps’ SDK vendors, your employer, government databases that have inhaled all of the above, and a long tail of people who would prefer you did not see them watching. There is no opt-out at the bottom of that list.

“Graduated” is the discipline. Match your posture to your exposure. A civilian needs less than a public figure. A public figure needs less than a target. Most people are short of where their actual exposure warrants. Closing that gap is the work.

The Roblox cheat. The “Allow all” click. The OAuth token that wandered. Most breaches in 2026 are a posture-exposure gap. Not a math problem.

3. Layer 1: Civilian baseline

The floor for anyone with a job, money, or a phone. If you have an inbox someone could sell, a wallet, or a job that hands you keys to a system, you live here. Layer 1 is the level of resilience that matches the baseline observation surface every adult is already inside.

The full curriculum already exists. The EFF Surveillance Self-Defense team built it: the Journalist on the Move playlist. It says journalist on the tin, but the threat model is drawn broadly enough that almost every civilian belongs in it. If you read nothing else here, read those modules. The top three are also the top three for everyone.

  1. Strong passwords (and passkeys where supported). A password manager (1Password, Bitwarden). A hardware key (YubiKey) on the accounts that matter. Migrate to passkeys for sites that support them. Stop reusing.
  2. Keep your data safe. Disk encryption (FileVault on macOS, BitLocker on Windows). Encrypted backups. 3-2-1 rule.
  3. Communicate carefully. Default to Signal. Treat SMS like a postcard. Treat Gmail subject lines like postcards too.

Beyond the top three, a representative tactical floor: hardware-key 2FA on the accounts that matter, a carrier port-out PIN to defeat SIM swap, email segmentation (recovery vs daily vs public), browser hygiene (uBlock Origin, container tabs, profiles), network-level DNS blocking (NextDNS, Pi-hole), data-broker opt-outs (Optery, DeleteMe, or the manual workbook), EXIF off, location off on social. Boring. Effective.

Three moves most people miss. None is technical, none is expensive, and the gap between “yes I know about this” and “I have it wired” is where most Layer 1 failures actually live.

Sane phone settings. Stolen Device Protection on iPhone (or its Android equivalent). Lock-screen notification redaction. Screen-lock timeout short. Your phone is the master key to most of the rest of the floor. Do not leave it on factory defaults.

Password manager and MFA everywhere. The manager is the easy half. The hard half is MFA on every account that still matters, including the long tail of forgotten signups still sitting on SMS or no 2FA at all. Find them. Migrate them. The accounts you forgot about are the accounts the attacker found.

Carrier SIM-swap port-out PIN, paired with no-SMS-2FA on the accounts that matter. Five minutes on the phone with the carrier raises the bar against port-out attacks. It does not eliminate them, because customer-support reps still get social-engineered around the PIN. The fix is two-part: set the PIN, and move SMS-based 2FA to TOTP (the 6-digit codes from an authenticator app) or a hardware key on every account where takeover would hurt. (Soft foreshadow: this is also the most common opening move in a drained-wallet story. We will get there in Layer 2.)
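One way to find the long tail of forgotten signups the paragraph above describes, as an added example that is not part of the original post: a script that reads a password-manager export and lists accounts that share a password, accounts with no TOTP secret stored, and short passwords. The sample input is constructed in the shape of a Bitwarden JSON export (an assumption about that format; only `items[].name` and `items[].login` are read), and the 12-character minimum is an assumed local policy.

```python
import json
from collections import defaultdict

# Constructed sample shaped like a Bitwarden JSON export (assumption about the
# format: only items[].name and items[].login.{password,totp} are read).
SAMPLE_EXPORT = json.dumps({"items": [
    {"name": "bank", "login": {"username": "me", "password": "Tr0ub4dor&3-stables",
                               "totp": "otpauth://totp/bank?secret=JBSWY3DPEHPK3PXP"}},
    {"name": "old-forum", "login": {"username": "me", "password": "hunter2", "totp": None}},
    {"name": "webmail", "login": {"username": "me@example.com", "password": "hunter2",
                                  "totp": None}},
    {"name": "exchange", "login": {"username": "me", "password": "correct horse battery staple",
                                   "totp": None}},
    {"name": "a secure note", "type": 2},  # no login block: skipped by the audit
]})

MIN_LENGTH = 12  # assumed local policy, not a Bitwarden setting

def audit_vault(export_json: str) -> dict:
    """Return the three lists Layer 1 cares about: groups of accounts sharing a
    password, logins with no TOTP secret stored, and short passwords. The report
    holds account names only, never the passwords, so it is safe to read off a
    screen. 'No TOTP stored' is a to-check list: the account may still be covered
    by a hardware key or an authenticator app outside the vault."""
    items = json.loads(export_json).get("items", [])
    by_password = defaultdict(list)
    no_totp, short = [], []
    for item in items:
        login = item.get("login") or {}
        password = login.get("password")
        if not password:
            continue  # notes, cards, identities, or logins without a password
        name = item.get("name", "<unnamed>")
        by_password[password].append(name)
        if not login.get("totp"):
            no_totp.append(name)
        if len(password) < MIN_LENGTH:
            short.append(name)
    reused = sorted(names for names in by_password.values() if len(names) > 1)
    return {"reused": reused, "no_totp": no_totp, "short": short}

if __name__ == "__main__":
    report = audit_vault(SAMPLE_EXPORT)
    for group in report["reused"]:
        print("same password shared by:", ", ".join(group))
    print("no TOTP stored:", ", ".join(report["no_totp"]))
    print("shorter than %d chars:" % MIN_LENGTH, ", ".join(report["short"]))
```

Run it locally against a fresh export and delete the export file afterwards; the export is plaintext and is exactly what an infostealer like the one in the cold open is after.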

Nobody ships a perfect Layer 1. Pick one of the three above this week. The discipline is movement, not arrival.

4. Layer 2: Public figure (the crypto archetype)

The threat model shifts. At Layer 1 the adversary is opportunistic. They want any inbox, any drained card, any account that gets them somewhere. At Layer 2 you are the somewhere. You have a name in TechCrunch, a wallet on a dashboard, a face on a podcast clip, an address on a cap table. The adversary is not casting a net. They are looking for you.

If you live in the crypto ecosystem in 2026, the picture is loud. Risky Bulletin reports North Korean operations stole $577 million in crypto so far this year, accounting for roughly 76 percent of all crypto theft in 2026. Cumulative since 2017: over $6 billion. Empire (May 4) covered the KelpDAO $290M exploit with the protocol CEO saying out loud that “FTX would have looked small in comparison.” The characterization of the adversary, again from Empire:

“This isn’t somebody downloaded a fake Zoom thing and stole a private key. These are multi-month, sometimes multi-year compromises. You have an entire country where the top computer-science graduates are being put into a government department whose mandate is to steal money from crypto protocols. They’re treating this like a business.”

From the Empire podcast, May 4, 2026 (Stani Kulechov and Mike Silagadze on the KelpDAO exploit).

That is the threat model. A nation-state-grade adversary with time, talent, and a quota. They are usually not coming for your personal wallet; they are coming for the protocol or exchange you can give them access to, and you are the path. If you are a founder, a key engineer, a holder, or married to one, the observation surface includes them. Your phone is part of their attack surface. Your kids’ Instagram is part of their attack surface. Your bookkeeper’s email is part of their attack surface.

The tactical floor at Layer 2:

  • Audit yourself first. Before the bullets below, run an OSINT pass on your own name. Property records, voter rolls, court filings, professional licenses, marriage records, business registrations. Until you know what is searchable, you do not know which of the rest is urgent.
  • Ownership through layers. Property, vehicles, and material crypto holdings under an LLC or trust. Your name not on the title.
  • Mailing addresses that are not your address. Virtual mailbox (iPostal1, Travelers Mail, Earth Class Mail) for postal mail; aliases for deliveries. The CMRA / non-CMRA distinction matters at this tier and is its own rabbit hole; Bazzell’s Extreme Privacy Vol 2 has the chapter.
  • Forwarded numbers. MySudo, Google Voice for non-sensitive lines. Your real number does not go on KYC forms that do not need it.
  • Hardware wallets, multisig, geographic shard distribution. No screenshot of a seed. No iCloud backup of a seed. Two-of-three with a coordinator that is not your daily laptop.
  • Dedicated travel hardware. Burner laptop, travel router, Mullvad or Tailscale. Do not bring the daily driver across borders if you can avoid it.
  • Smart-home airgap. No Alexa where you discuss money. No queryable cloud archive of your front door.
  • Visitor protocol. Friends and family do not geotag photos at your house. House rules.
  • Executive protection. Once you cross the upper tier (multi-million-dollar visible exposure, kidnapping-tier risk), this stops being a blog-post topic. Talk to a real consultant.

Order of operations: audit first, then ownership and addresses, then numbers and hardware. You cannot fix what you cannot see.
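To make the two-of-three property behind "geographic shard distribution" concrete, an added example that is not part of the original post: a teaching-grade Shamir secret sharing of a seed over GF(2^8), the field SLIP-0039 uses (this code is not SLIP-0039-compatible, the seed is constructed, and a hardware wallet's own backup scheme should be used in practice). Any two of the three shares recover the seed; one share on its own yields random bytes, which is the property that lets each shard sit in a different place.

```python
import secrets
# Teaching implementation of Shamir secret sharing over GF(2^8) (the field
# SLIP-0039 uses); illustrative only, not SLIP-0039-compatible.

def gf_mul(a, b):  # multiply in GF(2^8) modulo the AES polynomial 0x11B
    p = 0
    for _ in range(8):
        if b & 1:
            p ^= a
        carry = a & 0x80
        a = (a << 1) & 0xFF
        if carry:
            a ^= 0x1B
        b >>= 1
    return p

def gf_inv(a):
    r = 1
    for _ in range(254):  # a^254 == a^-1 for nonzero a in a 256-element field
        r = gf_mul(r, a)
    return r

def split_secret(secret, threshold, count):
    """Return `count` (x, bytes) shares; any `threshold` of them recover secret."""
    shares = [(x, bytearray()) for x in range(1, count + 1)]
    for byte in secret:
        # random polynomial of degree threshold-1 with the byte as constant term
        coeffs = [byte] + [secrets.randbelow(256) for _ in range(threshold - 1)]
        for x, buf in shares:
            y = 0
            for c in reversed(coeffs):  # Horner evaluation at x
                y = gf_mul(y, x) ^ c
            buf.append(y)
    return [(x, bytes(buf)) for x, buf in shares]

def combine_shares(shares):
    """Lagrange-interpolate each byte at x=0; too few shares give garbage, not an error."""
    xs = [x for x, _ in shares]
    out = bytearray()
    for i in range(len(shares[0][1])):
        acc = 0
        for j, (xj, yj) in enumerate(shares):
            num = den = 1
            for m, xm in enumerate(xs):
                if m != j:  # L_j(0) = prod x_m / (x_m - x_j); subtraction is xor
                    num, den = gf_mul(num, xm), gf_mul(den, xm ^ xj)
            acc ^= gf_mul(yj[i], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)
```

A holder of a single shard learns nothing, and the scheme does not tell a holder whether they have enough shards, so the threshold and the shard locations still have to be written down somewhere safe.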

Honesty beat. Even at this layer, the system has gotchas you did not think about. Closed Network Privacy Podcast (April 2026) flagged that decrypted Signal text persists in the iOS notification database for 30 days. Even if you delete the message in Signal. Even if disappearing messages are on. Even if Signal is uninstalled. The FBI has recovered “deleted” messages this way without breaking the encryption. End-to-end encrypted messaging fails at the OS layer. Layer 2 is humbling.

The affirmative defense for the actual Layer 2 individual-targeting threat (zero-click spyware delivered via iMessage or WhatsApp) is Apple’s Lockdown Mode, with GrapheneOS as the Android equivalent. Citizen Lab and Apple both publicly report zero successful mercenary-spyware compromises of a Lockdown-Mode-enabled device. The workflow cost is real (no link previews, fewer attachments, JIT JavaScript off in Safari). At this layer, the cost is part of the price.

The point of all of this is not to become a spy. The point is to graduate your resilience to your actual exposure, which is higher than you think and rising. The bullet list above is what the climb looks like.

5. The canon

If you actually want to go deep, the canon is Michael Bazzell. Extreme Privacy (Vol 1, 2, 3) is the reference text for how to graduate from Layer 1 through most of Layer 2. The IntelTechniques workbooks turn data-broker opt-out from a sentence into a checklist that actually finishes. The Privacy, Security & OSINT podcast is where the field stays current. Read him as the authority you are pointing toward, not someone you are competing with.

6. There is a third layer

Below this one is a third layer. It is where graduated resilience runs out. The romance of disappearing from a state actor is real, and almost no one can afford the price. If you want to see what running actually costs in 2026 (every Flock camera, every Schengen border database, every IMSI catcher, every gait-recognition sweep), the companion piece walks one Gray Man scene through the surveillance overlay it would face today.

7. Close

Privacy is not a destination. It is a posture. You graduate it as your exposure changes. Most readers should live at Layer 1.5: Layer 1, plus one or two specific Layer 2 items chosen for your threat profile (the audit if you have material in your name; a virtual mailbox if your address is in too many places; hardware-wallet hygiene if you hold real crypto). Pick what your exposure actually demands. Not paranoid, not naive, calibrated. The discipline is noticing when your exposure rises and updating your posture before someone else updates it for you. This is not about hiding; it is about maintaining the agency to choose what you reveal.