Dylan Shroll

The Artistry of Adaptation: What Jazz Taught Me About Cybersecurity

Jazz and cybersecurity share an essential core — improvisation, deep listening, collaboration, and the courage to adapt when the chart goes out the window.

  • cybersecurity
  • jazz
  • culture
  • incident-response
  • leadership

I was 17 years old when I first heard In a Sentimental Mood, recorded by Duke Ellington and John Coltrane. All at once, I was transported — not into a physical space, but into a mode of being with the music, cocreating the moment with Duke and ‘Trane. I was living on couches in the Drake Neighborhood of Des Moines, Iowa in the 2010’s. A far cry from Rudy Van Gelder’s studio in New Jersey in 1962. I was separate from them in time and space, but still they were present with me. They demonstrated a dynamic collaboration and an unyielding freedom that I aspire to.

Jazz is more than a genre of music — it’s a living, breathing artistic movement deeply rooted in the lived experiences of African American communities. Born from resilience, creativity, and cultural expression, jazz embodies improvisation, adaptability, and dynamic collaboration. At its heart, jazz captures the necessity of responding intuitively to ever-changing conditions, reflecting the realities of those who created it. Similarly, cybersecurity requires us to navigate uncertainty and continuously adapt to emerging threats. Just as jazz musicians improvise and innovate in real time, cybersecurity professionals must be ready to pivot and dynamically respond to unforeseen challenges, reinforcing that both disciplines share an essential core: the artistry of adaptation.

Timing: The Rhythm Underneath Everything

The first lesson we can learn from Jazz greats is the importance of timing. Whether it is knowing when and how to fill space as a percussionist or devising cadences and schemes of detection for the systems you are charged with protecting, there are huge parallels between the two disciplines. It’s important not just to understand the rhythm of the ‘song’ you’re playing, but to feel the interplay of each competing track and player. In that way you can orchestrate your own activities to be in accord with the whole performance. It doesn’t matter if you’re a forensic analyst looking to understand the activities of an adversary in a system, or a red team operator looking to optimize your attack schedule, or even a trombone player performing in front of a sold-out crowd at Nocé in downtown Des Moines, it all comes down to timing.

In cybersecurity, timing is the silent variable that separates a near-miss from a catastrophe. Consider the SolarWinds SUNBURST campaign: Russian state-sponsored attackers spent months — from September 2019 through February 2020 — carefully injecting test code, then trojanized updates, into the Orion platform before roughly 18,000 customers ever downloaded the compromised software. Their patience was a kind of dark musicianship, a deliberate exploitation of tempo. And the defenders? They had to find their own rhythm in response: FireEye’s discovery in December 2020 triggered a cascading tempo shift where CISA issued emergency directives, the National Security Council convened, and organizations worldwide scrambled to contain the damage — all within days. The cadence of detection, the tempo of response, the rest between actions — these are the measures of our song.

Paying Attention: Deep Listening as a Security Practice

There is a concept in jazz called “deep listening” — the practice of tuning your whole self into the music happening around you, not just hearing the notes but feeling the spaces between them. A drummer listening for the bassist’s walk. A pianist sensing a soloist’s phrasing so she can comp underneath them like a river supporting a boat. It’s an awareness that goes beyond the surface, into the texture and intention of every sound in the room.

A Security Operations Center runs on that same kind of awareness. Analysts sit in front of screens the way a musician sits in front of a bandstand — not passively watching, but actively sensing. They’re listening to the network: the hum of normal traffic, the subtle dissonance of an anomalous DNS query, the faint cymbal-crash of a lateral movement attempt. Situational awareness in cybersecurity is deep listening by another name. It’s the difference between an analyst who sees a log entry and one who feels the shape of the threat it implies.

And just as a jazz musician learns to bring the drums to the foreground while letting the horns recede — a kind of selective listening — a seasoned SOC analyst learns to filter the noise. Alert fatigue is the cybersecurity equivalent of a room so loud you can’t hear the melody. The best analysts, like the best musicians, develop an ear for what matters: that one note that’s slightly flat, that one connection to a command-and-control server that doesn’t belong. Threat intelligence feeds become like the sheet music that gives context to the improvisation — they don’t tell you exactly what’s going to happen, but they orient your listening so you know where to pay attention.

Collaboration and Communication: Playing as an Ensemble

No jazz combo worth its salt is a collection of soloists taking turns. The magic happens in the interplay — the way a rhythm section breathes together, the way a trumpet player and a saxophonist trade fours like two friends finishing each other’s sentences. Jazz musicians communicate through musical cues, eye contact, a nod of the head, a raised horn. It’s a language built on trust and responsiveness, refined through countless hours of playing together.

Incident response teams work the same way, or at least the good ones do. When a breach unfolds, a team doesn’t have the luxury of long meetings and carefully worded memos. They’re improvising in real time — the forensic analyst calling out indicators of compromise like a bassist laying down the changes, the incident commander directing the response like a bandleader cueing a key change. Information has to flow with the fluidity of a jazz standard: everyone needs to know the form, everyone needs to trust that their teammates are hearing the same thing.

During the SolarWinds response, the Cyber Unified Coordination Group brought together CISA, the FBI, the Office of the Director of National Intelligence, and the NSA — each organization a different instrument in the ensemble. Their coordination had to be tight enough to be useful and loose enough to be adaptive. That’s the tension at the heart of any great jazz performance: structure and freedom, held in balance like a chord suspended in midair. The organizations that handle incidents well are the ones that have rehearsed together — run tabletop exercises, built shared language, developed the kind of nonverbal communication that only comes from time spent in the same room (or the same Slack channel) under pressure.

Improvisation and Adaptation: When the Chart Goes Out the Window

Here’s the thing about jazz that separates it from most other musical traditions: the chart is a suggestion. The head — that opening melody — gives you a harmonic framework, a set of changes to navigate. But the soul of the performance lives in what the musicians do with those changes. Charlie Parker and Dizzy Gillespie didn’t invent bebop by following the rules of swing — they invented it by hearing the constraints and choosing to play through them, creating something faster, denser, more intellectually demanding. Bebop was, as much as anything, a declaration of creative sovereignty by young Black musicians who were tired of their art being flattened into dance music.

Cybersecurity demands that same creative audacity. Every threat actor who crosses your perimeter is, in a sense, a musician playing a tune you haven’t heard before. Your playbooks are your charts — they’ll get you through the first chorus. But the moment an adversary does something unexpected — pivots from one technique to another, uses a zero-day you didn’t see coming, chains vulnerabilities in a way no one’s documented — you’re improvising. And the quality of your improvisation depends on the same thing it depends on in jazz: how deeply you’ve internalized the fundamentals.

Parker didn’t improvise out of ignorance — he improvised out of mastery. He knew the harmonic structures so intimately that he could depart from them and return at will, like a river that leaves its banks in spring and always finds its way home. The best incident responders I’ve worked with are the same way. They’ve studied the MITRE ATT&CK framework like a musician studies scales. They’ve practiced in labs and exercises until the fundamentals are muscle memory. And when the moment comes — when the adversary plays a phrase nobody anticipated — they can hear it, adapt, and respond in kind. Not because they’re following a script, but because they’ve built the musical vocabulary to compose one on the fly.

Pivoting and Resilience: Turning a Wrong Note into a Solo

Miles Davis is often credited with the advice: “Do not fear mistakes. There are none.” Whether he said it exactly that way or not, the philosophy is pure jazz. In a live performance, a wrong note isn’t a failure — it’s an invitation. A skilled musician takes the note that shouldn’t have been played and leans into it, turns it into a departure point for something unexpected, something that might end up being the most memorable moment of the set. The audience never knows the difference, because the musician’s response transforms the error into intention.

Security teams face this reality constantly. A detection rule fires on a false positive, burning hours of investigation — but in the process, the analyst discovers an unpatched system nobody knew was exposed. A phishing campaign bypasses the email gateway, and the response reveals a gap in user awareness training that, once filled, prevents a far more damaging attack months later. A perimeter control that once seemed adequate is tested and found wanting — so the team pivots, moving from a castle-and-moat mentality toward a zero trust architecture that treats every connection as potentially hostile.

Resilience, in jazz and in cybersecurity, isn’t about never hitting the wrong note. It’s about what you do after. It’s the ability to take what happened — the breach, the missed alert, the strategy that didn’t hold — and fold it into something stronger. Post-incident reviews are our after-set conversations, the moments where the band gathers backstage and asks: what worked? Where did we lose the groove? And most importantly: what did we learn that we can carry into the next performance?

Dynamism and Continuous Learning: The Genre That Refused to Stand Still

Jazz has never been content to stay in one place. From the collective improvisation of early New Orleans jazz, to the danceable precision of the swing era, to the angular velocity of bebop, to the cool restraint of Miles Davis’s nonet sessions, to the electric fusion of Herbie Hancock and Weather Report, to the neo-soul inflections of Robert Glasper and Kamasi Washington — jazz evolves because its practitioners refuse to stop learning. Every new generation absorbs what came before and asks: what else is possible? The evolution isn’t a rejection of the tradition. It’s a deepening of it.

Cybersecurity follows the same arc. We began with perimeter defenses — firewalls and intrusion detection systems standing like castle walls, assuming everything inside was trustworthy and everything outside was suspect. That was our swing era: structured, orderly, effective for its time. But the threat landscape evolved, and so did we. Cloud adoption, remote work, and increasingly sophisticated adversaries forced the industry into its own bebop moment — a fundamental rethinking of the assumptions underlying the whole endeavor. Zero trust architecture didn’t emerge because someone got bored with firewalls; it emerged because the old model couldn’t keep up with the complexity of the modern network, just as bebop emerged because the constraints of big-band swing couldn’t contain the creative ambitions of a new generation of musicians.

Continuous learning is the thread that connects every era of jazz and every evolution in cybersecurity. A musician who stopped listening in 1945 would be lost in a John Coltrane performance by 1965. A security professional who stopped learning after earning their first certification would be equally lost in a modern cloud-native threat landscape. The tooling changes — from SIEM platforms to AI-driven anomaly detection, from manual log review to autonomous SOC operations. The adversaries evolve — from script kiddies to nation-state actors with thousand-person teams. The only constant is the need to keep learning, keep adapting, keep listening for the next phrase in a song that never quite resolves.

Coda: The Song That Never Ends

Jazz teaches us that mastery isn’t a destination — it’s a way of being in the world. Duke Ellington didn’t stop composing when he reached fame; he kept pushing, kept exploring, kept listening to the musicians around him and finding new harmonies in old forms. John Coltrane practiced for hours every day, even at the peak of his career, because he understood that the music always had more to teach him.

Cybersecurity asks the same of us. Not just technical proficiency, but a posture of openness — a willingness to be surprised, to improvise, to collaborate with the people next to us on the bandstand. It asks for timing and deep listening, for the courage to pivot when the old strategy isn’t working, and for the humility to know that no matter how much we’ve learned, the song is still unfolding.

I think about that 17-year-old kid on a couch in the Drake Neighborhood, hearing Duke and ‘Trane for the first time, and I recognize the same feeling I get when a complex incident comes together — when the team finds its groove, when the detection fires at just the right moment, when the response flows like a well-rehearsed standard played by musicians who trust each other completely. It’s the artistry of adaptation. And it’s a song worth playing for the rest of our careers.