Quiz Entry - updated: 2026.07.14
What is Defense in Depth ("layered security")?
The idea that no single security control is sufficient — protect each asset with multiple, independent layers, so that if one fails the others still hold.
A typical onion looks like:
| Layer | What it protects against | Examples |
|---|---|---|
| Perimeter Security | Bulk unwanted traffic | Firewall, edge router, WAF |
| Network Security | Lateral movement, MITM | Segmentation, VLANs, IDS/IPS |
| Endpoint Security | Compromised devices | EDR, disk encryption, OS hardening |
| Application Security | App-level bugs | Secure coding, auth, input validation |
| Data Security | Theft of the data itself | Encryption at rest, access controls |
| Critical Assets | The thing you actually care about | Strict need-to-know, audit logging |
Why layered? Every individual control has a non-zero failure rate (zero-days, misconfigurations, insider mistakes, supply-chain compromises). Stacked controls multiply the attacker's work — they don't just have to find one bug, they have to defeat the whole stack.
Tip: The classic question to ask of any design — "if this control fails, what catches the attacker next?" If the answer is "nothing", you don't have defense in depth.