Defense in Depth
What is Defense in Depth?
Defense in Depth
Security strategy that layers independent controls so that if any single control fails, others continue to prevent, detect, or contain an attack.
Defense in depth, originally a military doctrine, applies multiple, diverse, and partially redundant controls across people, processes, and technology. Typical layers include perimeter (firewall, WAF, DDoS mitigation), network (segmentation, IDS/IPS), endpoint (EDR, hardening), application (input validation, CSP, SAST/DAST), identity (MFA, least privilege), data (encryption, DLP), monitoring (SIEM, SOC), and recovery (backups, IR). The premise is that no single control is perfect; layering raises attacker cost and increases the chance that one layer catches an intrusion that bypassed the others. Layers only deliver this benefit when they are genuinely independent: two controls that both rely on the same identity provider, the same admin credentials, or the same vendor cloud fall together when that shared dependency is compromised, so a layer inventory should be checked for hidden single points of failure. Defense in depth complements zero trust, which questions implicit trust between layers, and aligns with frameworks like NIST CSF and ISO/IEC 27001.
● Examples
- 01
A user opens a phishing link: secure email gateway, browser SmartScreen, EDR, FIDO2 MFA, least privilege, and SIEM alerting each provide a separate line of defense.
- 02
Multiple backup tiers (snapshot, offline copy, immutable WORM) survive ransomware that defeats live systems.
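The independence caveat from the definition above can be checked mechanically. The following is an added example (not code from the original page): it models the controls from Example 01 and the backup tiers from Example 02 as a small inventory, records what each control silently depends on, and reports which attack stages are left with no working layer when a given dependency is compromised. All control, dependency and stage names are constructed for illustration; in a real estate they would come from your asset and control inventory.

```python
"""Dependency check for a layered control set (constructed example)."""
from typing import Dict, Iterable, List, Set, Tuple

# Constructed inventory: control -> the things it relies on to keep working.
# Names are illustrative assumptions, not a description of any real environment.
CONTROLS: Dict[str, Set[str]] = {
    "email_gateway":       {"mail_vendor"},
    "browser_smartscreen": {"browser"},
    "edr":                 {"edr_agent", "edr_cloud"},
    "fido2_mfa":           {"idp"},              # enforced by the identity provider
    "least_privilege":     {"idp"},              # role assignments live in the same IdP
    "siem_alerting":       {"log_pipeline", "soc_analysts"},
    "offline_backup":      {"backup_vault"},
    "immutable_snapshot":  {"storage_platform"},
}

# Attack stages, each listing the layers meant to stop or catch it.
STAGES: List[Tuple[str, List[str]]] = [
    ("delivery",  ["email_gateway"]),
    ("execution", ["browser_smartscreen", "edr"]),
    ("access",    ["fido2_mfa", "least_privilege"]),
    ("detection", ["siem_alerting"]),
    ("recovery",  ["offline_backup", "immutable_snapshot"]),
]


def shared_dependencies(controls: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Dependencies that two or more controls rely on: hidden single points of failure."""
    users: Dict[str, Set[str]] = {}
    for control, deps in controls.items():
        for dep in deps:
            users.setdefault(dep, set()).add(control)
    return {dep: ctrls for dep, ctrls in users.items() if len(ctrls) > 1}


def surviving_controls(controls: Dict[str, Set[str]], failed: Iterable[str]) -> Set[str]:
    """Controls that still function when every dependency in `failed` is compromised."""
    failed_set = set(failed)
    return {c for c, deps in controls.items() if not (deps & failed_set)}


def uncovered_stages(controls: Dict[str, Set[str]],
                     stages: List[Tuple[str, List[str]]],
                     failed: Iterable[str]) -> List[str]:
    """Stages left with no working control after the given dependency failures."""
    alive = surviving_controls(controls, failed)
    return [name for name, layer in stages if not any(c in alive for c in layer)]


if __name__ == "__main__":
    for dep, ctrls in shared_dependencies(CONTROLS).items():
        print(f"shared dependency {dep!r} underpins: {sorted(ctrls)}")
    for failure in ({"idp"}, {"browser"}, {"browser", "edr_cloud"}):
        gaps = uncovered_stages(CONTROLS, STAGES, failure)
        print(f"if {sorted(failure)} fails -> stages with no layer left: {gaps or 'none'}")
```

In this constructed inventory the identity provider is a shared dependency: MFA and least privilege both depend on it, so an IdP compromise removes the whole "access" stage even though two controls are listed there. The "execution" stage survives a browser failure because EDR does not share the browser's dependency, which is what independent layering should look like.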
● Frequently asked questions
What is Defense in Depth?
Security strategy that layers independent controls so that if any single control fails, others continue to prevent, detect, or contain an attack. It belongs to the Compliance & Frameworks category of cybersecurity.
How does Defense in Depth work?
It stacks diverse controls across people, processes, and technology (perimeter, network, endpoint, application, identity, data, monitoring, and recovery) so that an attacker must defeat several unrelated mechanisms in sequence, and a bypass of any one layer is still likely to be prevented, detected, or contained by another. The layers must not share a common failure mode, otherwise one compromise removes several of them at once.
How do you implement Defense in Depth?
Map your controls to each stage an attacker must pass through, check that controls protecting the same stage do not depend on the same component or credential, and verify in exercises that each layer still works when the layers in front of it have been bypassed.
● Related terms
- compliance
CIA Triad
Foundational information-security model that groups objectives into Confidentiality, Integrity, and Availability.
- identity-access
Principle of Least Privilege
A security principle that grants every user, process, or service only the minimum privileges strictly required to perform its function, and no more.
- compliance
Risk Management
The coordinated process of identifying, analyzing, evaluating, treating, monitoring, and communicating risks to keep them within an organization's defined tolerance.
- compliance
NIST Cybersecurity Framework
A voluntary risk-based framework published by the U.S. National Institute of Standards and Technology that organizes cybersecurity outcomes into six core functions.