1. The SOC & security operations

The Security Operations Centre (SOC) is the team and tooling responsible for continuous monitoring, detection, and response. It is conventionally organised in tiers — triage analysts, incident responders, and threat hunters — supported by automation. A useful mental model is the OODA loop (Observe, Orient, Decide, Act): defence is a tempo contest, and the side that cycles faster wins. Much of the AI disruption discussed later is, in essence, a change in tempo.

2. Detection & monitoring

Detection rests on collecting and correlating telemetry from across the estate:

  • SIEM (Security Information and Event Management) — centralises logs and applies correlation rules to surface suspicious patterns.
  • EDR / XDR (Endpoint / Extended Detection and Response) — deep visibility into endpoint behaviour, able to detect and roll back malicious activity.
  • NDR (Network Detection and Response) — anomaly detection on network traffic.
  • Threat intelligence — feeds of known-malicious indicators (IOCs) and adversary TTPs, mapped to MITRE ATT&CK.

Two metrics dominate: MTTD (mean time to detect) and MTTR (mean time to respond). Detection engineering increasingly uses machine learning for anomaly detection — valuable but prone to false positives, which create alert fatigue. The hard problem is signal-to-noise, not data volume.

3. Incident response

When prevention and detection give way to a confirmed compromise, structured incident response (IR) contains the damage. The NIST SP 800-61 lifecycle[17] defines four phases:

Phase                                   | Objective
1. Preparation                          | Tools, playbooks, and training before an incident
2. Detection & analysis                 | Confirm, scope, and triage the incident
3. Containment, eradication & recovery  | Stop spread, remove the threat, restore service
4. Post-incident activity               | Lessons learned; feed back into preparation

A mature programme rehearses this through tabletop exercises and maintains tested, offline backups — the single most reliable defence against ransomware. Resilience — the ability to keep operating and recover — is now treated as co-equal with prevention.

4. Zero-trust architecture

The traditional model trusted anything inside the network perimeter — a fatal assumption once an attacker gets a foothold. Zero trust[12], formalised in NIST SP 800-207, inverts it. Its tenets:

  • Never trust, always verify — authenticate and authorise every request, regardless of origin.
  • Least-privilege access — grant the minimum rights, just in time.
  • Assume breach — segment aggressively to limit blast radius and inspect continuously.

In practice this means strong identity (phishing-resistant MFA), device posture checks, micro-segmentation, and policy enforced per-request rather than per-network-zone. Zero trust is the architectural answer to the lateral-movement stage of the attack lifecycle.

5. Hardening & the supply chain

Hardening reduces the attack surface before an attacker arrives: disable unused services, apply secure configuration baselines (e.g., CIS Benchmarks), enforce patching, and adopt memory-safe languages for new code.

The frontier of defensive concern is the software supply chain. The SolarWinds (2020) and Log4Shell (2021) incidents showed that compromising a widely used component cascades to thousands of downstream victims. Responses include:

  • SBOM (Software Bill of Materials) — a manifest of every component in a product, enabling rapid impact assessment when a new vulnerability lands.
  • Artifact signing & provenance — frameworks like SLSA and Sigstore that verify what was built, from what, by whom.
  • Dependency scanning — continuous checking of third-party libraries against known CVEs.

6. Vulnerability management

Vulnerability management is the continuous cycle of discovering, prioritising, remediating, and verifying weaknesses. Because organisations face far more vulnerabilities than they can fix at once, prioritisation is everything — combining CVSS severity with exploit-availability signals such as CISA’s Known Exploited Vulnerabilities catalogue and the EPSS exploit-prediction score.
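The sketch below is an added example, not part of the original page. It ranks a backlog by combining the three signals named above and compares the result with a CVSS-only ordering under a fixed remediation capacity. The tier policy, the EPSS threshold, the `Finding` type and the CVE identifiers are constructed assumptions.

```python
from dataclasses import dataclass

EPSS_HIGH = 0.10  # assumed cut-off for "likely to be exploited"
CVSS_HIGH = 7.0   # CVSS "High" severity band starts at 7.0

@dataclass(frozen=True)
class Finding:
    cve: str
    cvss: float    # CVSS base score, 0.0-10.0
    epss: float    # EPSS probability, 0.0-1.0
    in_kev: bool   # listed in the CISA KEV catalogue

def tier(f):
    """Assumed policy: known exploitation outranks any predicted score."""
    if f.in_kev:
        return 1
    if f.epss >= EPSS_HIGH and f.cvss >= CVSS_HIGH:
        return 2
    if f.epss >= EPSS_HIGH or f.cvss >= CVSS_HIGH:
        return 3
    return 4

def prioritise(findings):
    # Within a tier, exploit likelihood breaks ties before severity.
    return sorted(findings, key=lambda f: (tier(f), -f.epss, -f.cvss, f.cve))

def cvss_only(findings):
    return sorted(findings, key=lambda f: (-f.cvss, f.cve))

def missed_kev(findings, capacity):
    """KEV-listed CVEs a CVSS-only queue leaves unfixed at this capacity."""
    fixed = {f.cve for f in cvss_only(findings)[:capacity]}
    return [f.cve for f in findings if f.in_kev and f.cve not in fixed]

# Constructed backlog; identifiers and scores are placeholders.
SAMPLE = [
    Finding("CVE-0000-0001", 9.8, 0.002, False),
    Finding("CVE-0000-0002", 7.5, 0.940, True),
    Finding("CVE-0000-0003", 8.8, 0.310, False),
    Finding("CVE-0000-0004", 5.3, 0.450, False),
    Finding("CVE-0000-0005", 6.1, 0.004, False),
    Finding("CVE-0000-0006", 9.1, 0.020, True),
]

if __name__ == "__main__":
    for f in prioritise(SAMPLE):
        print(f"P{tier(f)} {f.cve} cvss={f.cvss} epss={f.epss} kev={f.in_kev}")
    print("KEV items missed by CVSS-only top 3:", missed_kev(SAMPLE, 3))
```

With capacity for three fixes, the CVSS-only queue spends a slot on a 9.8 with negligible exploit likelihood and leaves a KEV-listed 7.5 open.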

The defining tension is the patch gap: the time between a fix being available and being deployed everywhere. Defenders want this short; attackers race to exploit N-days before it closes. This is precisely the gap that AI-scale vulnerability discovery is now reshaping from both directions — finding bugs faster for defenders to fix, and faster for attackers to weaponise. That collision is the subject of the next page.