Magic taught me to think in curves before cards
Building a Magic: The Gathering deck is a probability-modelling exercise that looks suspiciously like designing a detection architecture.
When I started playing Magic I thought it was about finding the most broken cards and shoving them into a deck. After a few tournaments you discover the game is something else: managing mana curves, land ratios, response windows and exit plans for when the first line falls.
A rule that stuck with me
A deck is not measured by its strongest card. It is measured by the probability that you draw the right card on the right turn.
I first heard it from a Modern player. It is the same sentence I have since repeated dozens of times reviewing Sigma rules: a detection is not measured by how flashy it is against the attack-of-the-month — it is measured by the probability that it fires at the right time, without burying the SOC in false positives.
Curves, not cards
When you build a serious deck you start with the curve — the mana cost distribution. You set the curve first and then fill it with cards that respect it. If a card is brutal but breaks the curve, out it goes.
In security it works the same way: you set kill-chain coverage first (reconnaissance, execution, persistence, lateral movement, exfil) and then fill it with detections that respect that coverage. If a rule is brilliant but only covers what you already had covered, out it goes.
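The curve-first approach above, as an added example that is not part of the original post: a greedy fill that sets a target number of detections per kill-chain stage and keeps a candidate rule only if it fills a stage still below target. The rule names, precision estimates, target curve and the greedy ordering are all constructed assumptions for illustration.

```python
from collections import Counter

# Kill-chain stages named in the post, used as plain labels.
STAGES = ["reconnaissance", "execution", "persistence",
          "lateral_movement", "exfiltration"]

def build_stack(candidates, target):
    """Fill the target curve; cut rules that only re-cover full stages."""
    curve = Counter({s: 0 for s in STAGES})
    kept, cut = [], []
    # Consider the most precise rules first (fewest false positives).
    for rule in sorted(candidates, key=lambda r: -r["precision"]):
        fills = [s for s in rule["stages"] if curve[s] < target.get(s, 0)]
        if fills:
            kept.append(rule["name"])
            for s in rule["stages"]:
                curve[s] += 1
        else:
            cut.append(rule["name"])  # strong rule, but it breaks the curve
    gaps = [s for s in STAGES if curve[s] < target.get(s, 0)]
    return kept, cut, dict(curve), gaps

# Constructed inventory: names and precision values are hypothetical.
CANDIDATES = [
    {"name": "encoded_powershell", "stages": ["execution"], "precision": 0.90},
    {"name": "attack_of_the_month", "stages": ["execution"], "precision": 0.95},
    {"name": "office_spawns_shell", "stages": ["execution"], "precision": 0.85},
    {"name": "new_run_key", "stages": ["persistence"], "precision": 0.80},
    {"name": "remote_service_create",
     "stages": ["lateral_movement", "persistence"], "precision": 0.70},
    {"name": "large_outbound_upload", "stages": ["exfiltration"], "precision": 0.60},
]
# Constructed target curve: minimum detections wanted per stage.
TARGET = {"reconnaissance": 1, "execution": 2, "persistence": 1,
          "lateral_movement": 1, "exfiltration": 1}

if __name__ == "__main__":
    kept, cut, curve, gaps = build_stack(CANDIDATES, TARGET)
    print("kept :", kept)
    print("cut  :", cut)
    print("curve:", curve)
    print("gaps :", gaps)
```

The rule that gets cut has a higher precision than three of the rules that stay, and the stage with no candidate at all shows up as a gap rather than being hidden by a crowded execution stage.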
Things that do not appear in the manuals
- The sideboard matters more than the mainboard. In Magic you tune the deck between games. In security you tune the posture between incidents.
- The metagame outranks the deck. No point running the same deck all year if the meta has shifted. No point hunting the same TTPs if the actors have pivoted.
- Bad cards in the wrong deck are brilliant cards in the right one. Same goes for Sigma rules a team discards because they do not fit their pipeline — they may be gold somewhere else.
In the end
Magic taught me to think in distributions, not in moves. That is exactly what I do when designing a detection stack: I do not measure it by the flashiest rule, I measure it by its aggregate shape.