Skip to content

Explain defense in depth and give a concrete example of applying it.

Short answer

Defense in depth means layering multiple independent security controls so that if one fails, others still protect the asset. No single control is assumed perfect, so you stack preventive, detective, and responsive measures across the network, host, application, and data layers.

Defense in depth is the recognition that every control eventually fails or gets bypassed, so security should never rest on a single point. Instead you layer independent controls so an attacker has to defeat several of them in sequence to reach what matters.

Why one layer is never enough

A firewall can be misconfigured. A patch can be missed. A user can be phished. If your entire posture depends on one control, that control becomes a single point of failure — and attackers are very good at finding the one thing you assumed was solid. Layering buys you resilience and time: even a partial breach gets contained or detected before it becomes total.

A concrete example

Consider protecting a customer database:

  • Perimeter: a firewall and WAF filter inbound traffic.
  • Network: segmentation isolates the database subnet so a compromised web server can't reach it freely.
  • Host: the database server is hardened, patched, and runs endpoint detection.
  • Application: input validation and parameterized queries block SQL injection.
  • Identity: least-privilege accounts and MFA limit who can touch the data.
  • Data: the records are encrypted at rest, so a stolen disk image is useless.
  • Detective + responsive: logging, alerting, and backups catch and recover from what slips through.

An attacker who beats the firewall still faces segmentation, then host hardening, then access controls, then encryption.

The subtle point

Layers must be independent. Two controls that share the same weakness (say, both trusting the same SSO token) collapse together and don't actually add depth.

What interviewers look for

A good answer states the principle — assume any control can fail — and then demonstrates it with concrete layers spanning network, host, app, identity, and data, ideally noting that the layers should fail independently.

Likely follow-ups

  • How does defense in depth differ from zero trust?
  • Give an example of a detective control versus a preventive control.
  • What is the risk of redundant controls that aren't truly independent?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.