Quiz Entry - updated: 2026.07.14
Explain Microsoft's vulnerability mitigation strategy and its four tactics.
Four layered tactics in priority order — Eliminate, Break, Contain, Limit — because each layer assumes the previous one will eventually fail.
The goal: "make vulnerabilities difficult and costly to find, exploit, and leverage."
Four tactics (in priority order):
| Priority | Tactic | Examples |
|---|---|---|
| 1st | Eliminate vulnerabilities | SAST/DAST, code review, memory-safe languages |
| 2nd | Break exploitation | ASLR, Same-Origin Policy, Secure/HttpOnly cookies |
| 3rd | Contain damage | App containers, virtualization, sandboxing, least privilege |
| 4th | Limit time window | Mature detection & response, rapid patching |
Why all four matter (defense in depth):
- You can't eliminate all bugs (tactic 1 fails)
- Some exploits bypass protections (tactic 2 fails)
- Sandboxes can be escaped (tactic 3 fails)
- Detection isn't instant (tactic 4 buys time)
Mnemonic: "EBCL" = "Every Bug Creates Liability" — Eliminate → Break → Contain → Limit