Assume Breach.

A security operating philosophy that designs controls, monitoring, and architecture around the premise that an adversary is already inside the environment, prioritizing detection, containment, and recovery alongside (not instead of) prevention. It belongs to the Defense & Operations category of cybersecurity.

A security operating philosophy that designs controls, monitoring, and architecture around the premise that an adversary is already inside the environment, prioritizing detection, containment, and recovery alongside (not instead of) prevention.

Assume Breach is a security operating philosophy popularized by Microsoft in the mid-2010s and now the default posture of mature programs and zero-trust architectures. Rather than treating prevention as the primary defense and detection as a backstop, an assume-breach program designs the environment as if the adversary has already gained a foothold and asks how detection, containment, recovery, and limiting blast-radius will hold up. Concretely this drives: network microsegmentation so lateral movement is constrained, identity-centric architecture (every request authenticated and authorized), endpoint detection and response everywhere, centralized logging with retention long enough for true-detection of slow campaigns, regular red-team and purple-team exercises against the live environment (not just labs), automated containment playbooks (isolate host, rotate keys, kill session), and recovery rehearsals (immutable backups, alternative paths to keep the business running). Assume Breach is a foundational principle of NIST 800-207 Zero Trust, the U.S. DoD Zero Trust Strategy, the U.K. NCSC Cyber Assessment Framework, and most modern security programs.

Defences for Assume Breach typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: Breach-tolerant security, Compromise-tolerant design.