
Defense In Depth

Prime #
786
Origin domain
Military Strategic Studies
Subdomain
layered protection → Military Strategic Studies
Aliases
Layered Defense, Defense in Depth Strategy

Core Idea

Defense in depth is the structural pattern in which a system places multiple independent protective layers between a threat and the asset to be defended, so that compromising any single layer does not compromise the whole. Each layer absorbs some attempts, slows others, and yields visible failures that the next layer can act on; only a correlated breach across all layers produces total loss. The defining structural claim is that the security a system actually has is governed not by the strength of its strongest barrier but by the number of barriers and the independence of their failure modes — the answer to the question "how many independent failures must occur for the asset to be lost?"

Several structural commitments organise the pattern. There is an asset to be protected against a directed threat. There are multiple barriers placed in series between threat and asset, each with a non-trivial per-attempt failure probability. There is an independence-of-failure-modes assumption across barriers — the load-bearing assumption, because if layers are independent the total breach probability is roughly the product of the per-layer probabilities and gains compound, whereas if layers share a failure mode — same vendor, same credential, same human operator, same physical site — independence collapses and the depth is illusory. Total compromise requires a path through all barriers, so failure analysis traces aligned holes rather than a single break. And the marginal layer is evaluated by its independent contribution to residual risk, not by its individual strength: adding a layer is worth it only when its independent failure rate is well below the current residual. The prime thereby converts a vague "security posture" into an explicit model with an interrogable independence assumption at its centre.

How would you explain it like I'm…

Wall Behind A Wall

Imagine guarding a treasure with a fence, then a locked door behind it, then a guard dog behind that. If a robber sneaks past the fence, the door still stops them. You stay safe not because any one thing is unbeatable, but because they'd have to beat ALL of them — and each one is different.

Many Separate Barriers

Defense in depth means putting several SEPARATE barriers between a threat and the thing you're protecting, so that getting past one doesn't mean getting past all. Each layer stops some attempts, slows others, and shows you when it's been broken so the next layer can react. The big idea is that your real safety doesn't come from your single strongest wall — it comes from how MANY barriers there are and how DIFFERENTLY they can fail. That difference matters most: if all your layers can be broken the same way — same password, same person in charge, same weak spot — then they're really just one layer wearing many hats, and the 'depth' is fake. The key question is: how many separate failures must happen before the treasure is lost?

Independent Layers Of Defense

Defense in depth is the pattern in which a system places MULTIPLE INDEPENDENT protective layers between a threat and the asset, so that compromising any single layer doesn't compromise the whole. Each layer absorbs some attempts, slows others, and yields visible failures the next layer can act on; only a correlated breach across all layers produces total loss. The defining claim is that the security a system actually has is governed not by the strength of its strongest barrier but by the NUMBER of barriers and the INDEPENDENCE of their failure modes — the answer to 'how many independent failures must occur for the asset to be lost?' Independence is the load-bearing assumption: if layers are truly independent, the total breach probability is roughly the PRODUCT of the per-layer probabilities, so gains compound; but if layers share a failure mode — same vendor, same credential, same operator, same site — independence collapses and the depth is illusory. Total compromise requires a path through all barriers, so failure analysis traces ALIGNED holes rather than a single break, and a marginal layer is worth adding only when its independent failure rate is well below the current residual risk.

 


Structural Signature

the asset under directed threat · the multiple barriers placed in series · the per-layer failure probability · the independence-of-failure-modes assumption · the all-layers path required for total compromise · the marginal-layer-by-independent-contribution rule

A protective arrangement exhibits the defense-in-depth pattern when each of the following holds:

  • An asset and a directed threat. Something of value must be protected against an adversary or hazard that aims at it.
  • Barriers in series. Multiple protective layers are placed between threat and asset, each absorbing some attempts, slowing others, and yielding visible failures the next layer can act on.
  • Non-trivial per-layer failure probability. Each barrier is assumed imperfect, with a meaningful chance of being breached on any given attempt; no single layer is relied on as heroic.
  • The independence-of-failure-modes assumption. The load-bearing condition: if layers fail for unrelated reasons, total breach probability is roughly the product of the per-layer probabilities and gains compound; if they share a failure mode (same vendor, credential, operator, site), independence collapses and the depth is illusory.
  • An all-layers path for total loss. Total compromise requires a path through every barrier, so failure analysis traces aligned holes (the Swiss-cheese reconstruction) rather than a single break.
  • The marginal-layer rule. A new layer is justified only when its independent failure rate sits well below the current residual risk — sizing investment by independent contribution, not individual strength.

The components compose one interrogable question — how many independent failures must occur for the asset to be lost? — and the pattern is doctrinally bound to defense and safety: it presupposes a threat, a defender, and an asset, importing that adversarial-safety frame wherever it travels.

What It Is Not

  • Not containment. containment (the nearest neighbour) confines a hazard within a boundary so it cannot spread; defense in depth stacks multiple independent barriers in series so that only a correlated breach across all yields total loss. Containment is one boundary holding; defense in depth is the compounding arithmetic of many.
  • Not mere redundancy. Plain redundancy duplicates components for reliability; defense in depth specifically layers barriers for failure absorption under attack, with independence of failure modes load-bearing. Three same-vendor firewalls behind one credential are redundancy that looks like depth but constitutes one layer.
  • Not escape prevention at a single boundary. escape_and_leakage names a quantity exiting one barrier; defense in depth concerns how many independent barriers must all fail for loss — a count-and-independence property, not a single-boundary seal.
  • Not failure-mode cataloguing. failure_mode_and_effects_analysis_fmea enumerates and ranks failure modes; defense in depth is the architecture whose guarantee is the product of independent per-layer failure probabilities. FMEA finds the modes; depth structures the barriers against them.
  • Not systemic risk. systemic_risk is the risk of correlated cascade across a whole system; defense in depth is a defensive architecture whose own failure mode is correlated breach — it is a response to, not an instance of, systemic correlation.
  • Common misclassification. Counting layers as if they multiply when shared causes make them one. The security a system has is the number of independent failures required, not the number of barriers on the diagram; any shared person, vendor, credential, or environmental condition touching two layers collapses the independence the arithmetic depends on.

Broad Use

In cybersecurity, the pattern stacks perimeter firewalls, network segmentation, host hardening, encryption, monitoring, and least-privilege identity so that a phished credential does not reach the database. In safety engineering and nuclear power, it stacks fuel cladding, primary cooling, containment vessel, reactor building, and emergency siting — the "Swiss-cheese model" of accident causation. In public health, it stacks vaccination, hygiene, ventilation, testing, isolation, and treatment so that no single failure produces an outbreak. In military fortification, it stacks outer wall, ditch, inner wall, and keep, or forward screen, main line of resistance, and reserve. In aviation safety, it stacks pilot, copilot, autopilot, air traffic control, structural redundancy, and regulation. And in financial controls, it stacks separation of duties, approval limits, audit trails, reconciliation, and external audit. Across all of these the structural claim is identical: the protective property is a function of layer count and failure-mode independence, not of any single layer's heroics, and the recurring lesson — read most vividly in accident postmortems — is that the layers were quietly made dependent, correlated by a shared procedure, vendor, or operator, and so behaved as one layer when it mattered.

Clarity

Defense in depth names a specific structural choice that is easy to confuse with mere redundancy or with single-point hardening. Its clarifying force is to shift the operative question from "how strong is the barrier?" to "how many independent failures must occur for the asset to be lost?" That number — not the strength of any one layer — is the security property the system actually has, and surfacing it converts an intuitive sense of safety into an auditable quantity.

The frame also clarifies the difference between apparent and real depth. Three firewalls from the same vendor, configured by the same operator, behind the same credential, look like three layers but constitute one, because their failure modes are correlated. Naming the independence assumption explicitly is what lets a designer ask the disqualifying question — "what common cause could take out two layers at once?" — and discover that the depth is overstated before an incident discovers it for them. Clarity here is the discipline of treating every claim of depth as a claim about independence, and treating any shared person, vendor, document, or environmental condition that touches more than one layer as evidence that the depth is less than it appears.

Manages Complexity

Defense in depth lets a designer accept that any one layer will be imperfect and still bound the system's failure probability. Each layer can be reasoned about and improved locally, while the overall guarantee depends only on layer count and the independence of failure modes, not on a heroic single barrier. This decomposition is the central complexity-management move: it decouples local layer design from the global guarantee, so that improving the database encryption and improving the network segmentation can proceed independently while their joint contribution to residual risk follows a simple compounding rule.

The compression extends to failure analysis. Instead of asking, after an incident, "which barrier was weak?", the frame asks "which holes lined up?" — reconstructing the breach as a path through aligned gaps rather than a single break. This Swiss-cheese diagnosis turns a sprawling, blame-seeking postmortem into a structured search for the correlated failure that let a path open through all layers at once. And it gives a clean stopping rule for investment: add a marginal layer only when its independent failure rate is well below the current residual, which bounds the otherwise-open question of "how much defence is enough" by tying it to the compounding arithmetic rather than to intuition.

Abstract Reasoning

The key abstraction is the probability of correlated breach across layers. If layers are independent, total breach probability is approximately the product of per-layer breach probabilities, and gains compound multiplicatively; if layers share a failure mode, independence collapses and the depth is illusory. This single abstraction supports the prime's most important inference: that a system's protection can be quantitatively strong yet practically fragile if its layers are secretly correlated, and that the right object of attention is therefore the independence structure, not the individual strengths.

The reasoning supports a recurring move — audit for shared failure modes — that applies as readily to a reactor as to a software deployment: ask what common cause could take out two layers at once, and treat any such cause as a collapse of the depth. It supports varying the layer kind, since independence is more credible when layers are qualitatively different (technical plus procedural plus physical) than when three layers of the same kind are stacked. And it supports the marginal-layer calculus, which prevents both under-investment (a single heroic barrier) and over-investment (redundant layers that share a failure mode and add no independent contribution). A reasoner equipped with this prime treats every layered defence as a claim about an independence assumption to be interrogated, and treats correlation between layers as the silent failure that turns apparent depth into a single point of failure.

Knowledge Transfer

The pattern carries interventions, not just vocabulary, and the portable procedure is to enumerate the layers, model total compromise as a path through all of them, audit aggressively for shared failure modes, and size each marginal layer by its independent contribution to residual risk. Each domain fills the slots with its own barriers while the independence logic holds.

The question "what is the common cause that could take out two layers at once?" applies as well to a reactor as to a cloud deployment, and answering it is the central transfer: the nuclear engineer auditing whether a single procedure disables multiple safety systems and the security architect auditing whether a single credential reaches multiple tiers are running the identical analysis. Varying the layer kind transfers as a general independence-strengthening move — qualitatively different layers fail for different reasons, so a defence mixing technical, procedural, and physical barriers is more credibly independent than one stacking three barriers of the same type. Measuring breach as a path through layers rather than a perimeter break transfers as a postmortem discipline: the Swiss-cheese reconstruction works in aviation, medicine, finance, and software alike, because in each the breach is a sequence of aligned holes rather than a single failure. And trading depth for cost transfers as the marginal-layer rule, which bounds defensive investment in any substrate.

The transfer is real but the prime grades as framed, because the pattern is doctrinally bound to defense and safety practices. It presupposes a directed threat, a defender, and an asset worth protecting; it imports the defender-versus-threat adversarial frame and an evaluative concern with safety wherever it travels, and its institutional vocabulary — barriers, breach, containment, posture — stays close to the surface even outside its origin fields. What ports cleanly is the structural arithmetic of independent layers and the central interrogable assumption — independence of failure modes — together with the audit-for-common-cause discipline that follows from it. What does not port is any application stripped of the threat-and-asset framing, where there is nothing to defend and no adversary to defend against; in such settings the layered structure may persist as redundancy, but defense in depth specifically denotes layering for failure absorption under attack, with the independence property load-bearing.

Examples

Formal/abstract

The probability arithmetic of layered protection is the prime's formal core, and the nuclear-reactor containment stack is its canonical worked instance. The asset is the radioactive core inventory; the directed threat is a release of that inventory to the environment. The barriers in series are the fuel cladding, the primary cooling system, the reactor pressure vessel, the containment building, and the emergency siting/exclusion zone — each with a non-trivial per-attempt failure probability \(p_i\). The load-bearing condition is independence: if the barriers fail for unrelated reasons, the probability of total release is the product \(\prod_i p_i\), so five layers each with a 1-in-100 failure chance give a 1-in-\(10^{10}\) joint breach — gains compound multiplicatively. The all-layers-path requirement is the Swiss-cheese reconstruction: total loss requires a hole through every slice, aligned. The marginal-layer rule is exact — adding a sixth barrier is worth it only if its independent failure rate sits well below the current residual \(\prod_i p_i\). And the prime's central interrogable question — how many independent failures must occur for the asset to be lost? — is answered by the count of slices, provided independence holds. The diagnostic the prime sharpens is the collapse of that assumption: if a single shared cause (a common power supply, a single operator procedure, a common-mode seismic event) can disable two barriers at once, their failures are correlated, the product rule no longer applies, and the apparent five-layer depth is really fewer. The intervention follows directly — audit for shared failure modes and vary the layer kind (technical, procedural, physical) so the layers fail for genuinely different reasons.

Mapped back: The reactor containment stack instantiates every commitment — asset under threat, barriers in series, per-layer failure probability, the load-bearing independence assumption, the all-layers path, the marginal-layer rule — and shows the prime's arithmetic: protection compounds multiplicatively only to the extent failure modes are independent.
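As an added worked equation (not part of the original page), using the page's \(p_i\) and an assumed single common cause of probability \(q\) that defeats every layer at once, the collapse of the product rule has a closed form:

\[
P(\text{total loss}) \;=\; q \;+\; (1-q)\prod_{i=1}^{n} p_i \;\;\ge\; q ,
\]

so the residual is bounded below by \(q\) however large \(n\) becomes. With \(q = 0.02\) and the five \(p_i = 10^{-2}\) layers above, the product term is \(0.98 \times 10^{-10}\) and the actual residual is essentially \(0.02\), not \(10^{-10}\). A sixth layer that shares the same cause multiplies only the already-negligible product term, so the ratio of new residual to old tends to \(1\). A sixth layer with independent failure rate \(p_6\) that the common cause cannot reach multiplies both terms,

\[
P' \;=\; q\,p_6 \;+\; (1-q)\,p_6\prod_{i=1}^{5} p_i \;=\; p_6\,P ,
\]

which is the marginal-layer rule in closed form: an independent layer contributes the factor \(p_6\), and a correlated layer contributes a factor of almost exactly one.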

Applied/industry

The identical structure, importing its adversarial-safety frame, governs cybersecurity architecture and aviation safety — two domains where the recurring lesson is correlated failure masquerading as depth. In an enterprise security stack, the asset is a sensitive database and the threat is an attacker; the barriers in series are perimeter firewalls, network segmentation, host hardening, encryption, monitoring, and least-privilege identity, so that a single phished credential does not reach the data. The prime's clarifying question shifts the design conversation from "how strong is our firewall?" to "how many independent failures must occur for the database to be lost?" — and the central audit is the disqualifying question: three firewalls from the same vendor, configured by the same operator, behind the same single-sign-on credential look like three layers but constitute one, because their failure modes are correlated. Real depth comes from varying the layer kind — a technical control plus a procedural control plus a physical control fail for different reasons — and the postmortem discipline is the Swiss-cheese reconstruction: after a breach, ask which holes lined up, not which single barrier was weak. Aviation safety is the same skeleton in a non-cyber substrate: the asset is the flight's safe outcome, and the layers are pilot, copilot, autopilot, air-traffic control, structural redundancy, and regulation. Accident investigation is explicitly a Swiss-cheese analysis — a crash is a path through aligned gaps in multiple layers, and the most instructive finding is usually that the layers were quietly made dependent (a single fatigued crew, a single ambiguous procedure touching pilot and controller, a single weather condition defeating multiple safeguards), collapsing independence exactly when it was needed. In both, the marginal-layer rule bounds investment: add a layer only when its independent contribution sits below the current residual risk.

Mapped back: Security stacks and aviation safety systems are defense in depth in cyber and transport substrates: barriers in series whose protection depends on failure-mode independence, audited for shared causes, reconstructed after failure as aligned holes — the same arithmetic and the same correlated-failure pathology the reactor case makes formal.

Structural Tensions

T1 — Apparent Depth versus Failure-Mode Independence (measurement). The whole arithmetic — total breach probability as the product of per-layer probabilities — holds only under independence, yet layer count is what is visible and independence is what is hidden. The failure mode is counting layers as if they multiply when shared causes (same vendor, credential, operator, site) make them one: three firewalls behind one sign-on look like depth and constitute a single point. Diagnostic: for every pair of layers, ask what common cause could breach both; the security a system has is the number of independent failures required, not the number of barriers drawn on the diagram.

T2 — Layer Count versus Marginal Independent Contribution (scalar). More layers feel safer, but a layer's worth is its independent failure rate relative to the current residual — a layer correlated with an existing one adds cost and complexity with no protective gain. The failure mode is over-investment: stacking redundant same-kind barriers that share a failure mode, mistaking visible thoroughness for actual depth. Diagnostic: justify each marginal layer by its independent contribution below the current residual risk, not by its individual strength or by the comfort of having "another layer"; a correlated layer is decorative.
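The arithmetic of the formal example, the three-firewalls case from the applied example, and the T1 pairwise audit and T2 marginal-layer test above, as one added Python example (constructed for this page; it is not the page's own code nor any project's). The layer names, the per-layer breach probability of 0.05 and the two common-cause probabilities (a phished SSO admin credential at 0.02, a vendor-wide zero-day at 0.01) are assumed illustrative numbers, not measured rates:

```python
"""Common-cause model of a layered defence.

Added example for this page (not the page's own code). Layer names, per-layer
breach probabilities and common-cause probabilities below are constructed for
illustration; real values would come from a threat model, not from this file.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class Layer:
    name: str
    p_breach: float                          # independent per-attempt breach probability
    causes: FrozenSet[str] = frozenset()     # common causes that defeat this layer outright


def naive_breach_probability(layers: List[Layer]) -> float:
    """Product rule: correct only if the layers fail for unrelated reasons."""
    p = 1.0
    for layer in layers:
        p *= layer.p_breach
    return p


def breach_probability(layers: List[Layer], causes: Dict[str, float]) -> float:
    """Exact P(every layer breached) under a common-cause model.

    Each cause occurs independently with probability causes[name]; when it occurs
    it breaches every layer tagged with it. Layers not covered by an active cause
    must still be breached on their own. All 2**k cause outcomes are enumerated
    (k is small in any real audit).
    """
    unknown = {c for layer in layers for c in layer.causes} - set(causes)
    if unknown:
        raise ValueError(f"layers reference causes with no probability: {sorted(unknown)}")
    names = sorted(causes)
    total = 0.0
    for k in range(len(names) + 1):
        for active in combinations(names, k):
            active_set = set(active)
            weight = 1.0                      # probability of exactly this cause outcome
            for c in names:
                weight *= causes[c] if c in active_set else 1.0 - causes[c]
            residual = 1.0                    # layers the active causes do not reach
            for layer in layers:
                if not (layer.causes & active_set):
                    residual *= layer.p_breach
            total += weight * residual
    return total


def shared_cause_audit(layers: List[Layer]) -> List[Tuple[str, str, List[str]]]:
    """T1 diagnostic: for every pair of layers, which common cause could breach both?"""
    findings = []
    for a, b in combinations(layers, 2):
        shared = a.causes & b.causes
        if shared:
            findings.append((a.name, b.name, sorted(shared)))
    return findings


def effective_depth(layers: List[Layer]) -> int:
    """Independent failures required for loss: layers linked by a shared cause count as one."""
    parent = {layer.name: layer.name for layer in layers}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b, _ in shared_cause_audit(layers):
        parent[find(a)] = find(b)
    return len({find(layer.name) for layer in layers})


def marginal_ratio(layers: List[Layer], causes: Dict[str, float], new_layer: Layer) -> float:
    """T2 diagnostic: residual after adding new_layer divided by residual before.

    An independent layer returns its own p_breach; a layer that only repeats an
    existing common cause returns a value near 1.0 (decorative).
    """
    return breach_probability(layers + [new_layer], causes) / breach_probability(layers, causes)


# Constructed common causes: a phished SSO admin credential and a vendor-wide zero-day.
CAUSES = {"sso-admin-credential": 0.02, "vendor-a-zero-day": 0.01}
SHARED = frozenset(CAUSES)

# Apparent depth: three same-vendor firewalls administered through one SSO credential.
THREE_FIREWALLS = [Layer(f"fw-{i}", 0.05, SHARED) for i in (1, 2, 3)]

# Real depth: the same per-layer strength, but qualitatively different layers.
VARIED_STACK = [
    Layer("perimeter-firewall", 0.05, SHARED),
    Layer("network-segmentation", 0.05),   # different vendor, separate admin path
    Layer("db-encryption", 0.05),          # key held in an HSM, no SSO involvement
]

if __name__ == "__main__":
    for label, stack in (("three firewalls", THREE_FIREWALLS), ("varied stack", VARIED_STACK)):
        print(f"{label}: naive={naive_breach_probability(stack):.3e} "
              f"actual={breach_probability(stack, CAUSES):.3e} "
              f"effective depth={effective_depth(stack)} shared={shared_cause_audit(stack)}")
    fw4 = Layer("fw-4", 0.05, SHARED)
    print(f"fourth firewall ratio={marginal_ratio(THREE_FIREWALLS, CAUSES, fw4):.4f}")
    print(f"independent layer ratio={marginal_ratio(THREE_FIREWALLS, CAUSES, Layer('hsm', 0.05)):.4f}")
```

Run as written, the three same-vendor firewalls come out at a residual of about 0.03 against a naive product of 1.25e-4, with an effective depth of 1, while the varied stack of identical per-layer strength stays within a factor of two of the product rule at depth 3. A fourth firewall behind the same SSO credential moves the residual by under half a percent; an independent layer of the same strength cuts it by exactly its own breach probability. The audit output is the list of layer pairs and the cause that links them, which is the question T1 tells the designer to ask of every pair.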

T3 — Defense in Depth versus Single-Point Hardening (sign/direction). The prime trades layer count against barrier strength, and the two strategies pull opposite ways: depth accepts weak imperfect layers and relies on multiplication, hardening pours resources into one heroic barrier. The failure mode is mixing the philosophies incoherently — under-building each layer because "there are others" while also not making any single layer strong, ending with neither real depth nor real hardening. Diagnostic: ask whether the design's guarantee rests on count-times-independence or on one barrier's strength; a layered defence whose layers are each individually relied upon has quietly reverted to single-point hardening with extra steps.

T4 — Series Barriers versus Added Complexity (coupling). Each layer absorbs attacks but also adds operational surface — more components to configure, monitor, and keep independent — and that added complexity can itself create the shared failure mode (a common management plane, a single orchestration tool) that collapses independence. The failure mode is depth that defeats itself: the very machinery added to coordinate many layers becomes the common cause across them. Diagnostic: ask whether the infrastructure managing the layers is itself a layer-spanning dependency; defence that adds a unifying control plane to many barriers may have built the correlated-breach path it was meant to prevent.

T5 — Layered Absorption versus Brittle Latency (temporal). Layers are valued for absorbing and slowing attacks so the next layer can act — but that benefit assumes detection-and-response operates within the time a breach takes to traverse the stack. The failure mode is treating layers as static walls while ignoring response latency: if an attacker pivots through aligned holes faster than the defender aggregates a response, the layers fall in sequence and depth provides no time advantage. Diagnostic: compare the time to traverse the layers against the time to detect and respond; depth that yields visible failures the next layer cannot act on in time is depth in name only, and the load-bearing variable becomes response latency, not layer count.

T6 — Defense Frame versus Mere Redundancy (scopal, framed-prime honesty). Defense in depth is doctrinally bound to threat-and-asset framing — layering specifically for failure absorption under attack, with independence load-bearing. Stripped of an adversary, the same layered structure is just redundancy. The failure mode is over-applying the adversarial frame where there is no directed threat (calling ordinary redundancy "defense in depth" and importing audit-for-attacker disciplines that do not fit), or under-applying it where a real adversary actively seeks correlated breaches that random-failure redundancy analysis misses. Diagnostic: ask whether a directed adversary is steering toward the shared failure mode; under attack, independence must be defended against intelligent correlation, which redundancy-for-reliability does not address.

Structural–Framed Character

Defense in depth sits on the framed side of the structural–framed spectrum, with an aggregate of 0.6. There is a real structural arithmetic at its core — the probability of total compromise as the product of independent per-layer breach probabilities, with failure-mode independence as the load-bearing, interrogable assumption — and that arithmetic ports cleanly to nuclear safety, public health, aviation, and financial controls. But the pattern is doctrinally bound to defense and safety practices, and the criteria lean far enough toward framed to place it past the middle.

Institutional origin is the strongest driver at 1.0: the prime is born of military fortification and safety engineering, and its institutional vocabulary — barriers, breach, posture, containment — stays close to the surface wherever it travels, so its instances outside the origin fields are recognisable translations of a defensive doctrine. The remaining diagnostics sit at 0.5 and pull the same way. Evaluative weight is mild: the frame carries a safety-oriented concern (a "breach" is bad, an "asset" is to be protected), a partial normative load. Human-practice binding is 0.5: the threat-defender-asset framing presupposes a directed adversary and something worth protecting, yet the underlying independence arithmetic also governs purely physical safety stacks (reactor containment vessels failing for unrelated reasons), which is what holds the binding at partial rather than full. Vocabulary travels halfway — the layered-independence structure ports but the barrier/breach/posture lexicon follows it. And import-versus-recognize is 0.5: invoking the prime imports the adversarial-safety frame as much as it recognises a layered structure already present, and stripped of an adversary the same structure is merely redundancy. The structural arithmetic of independent layers is genuine and interrogable — which keeps this from the far framed end — but the threat-and-asset doctrine is heavy enough to place it at 0.6, and the prose label of "framed" matches the frontmatter.

Substrate Independence

Defense in Depth is a moderately substrate-independent prime — composite 3 / 5 on the substrate-independence scale. The pattern — stack multiple independent protective layers so that the failure of any one does not breach the whole — does port across cybersecurity, nuclear-reactor safety, public-health containment, military fortification, aviation safety systems, and layered financial controls (domain breadth 4), and the transfer is concrete and documented in each safety-engineering tradition (transfer evidence 4). What pins it to the middle is that the pattern carries an adversarial-and-safety framing throughout: it presupposes a threat to be resisted and a designer arranging layers against it, so every instance is a human-engineered protective architecture rather than a medium-neutral relation (structural abstraction 3). The strong, documented transfer lifts it to a 3, but the inherited safety frame holds it there.

  • Composite substrate independence — 3 / 5
  • Domain breadth — 4 / 5
  • Structural abstraction — 3 / 5
  • Transfer evidence — 4 / 5

Relationships to Other Primes


Parents (1) — more general patterns this builds on

  • Defense In Depth is a kind of Redundancy (typical)

    Defense in depth specializes redundancy: it layers barriers FOR FAILURE ABSORPTION UNDER ATTACK, with INDEPENDENCE OF FAILURE MODES load-bearing and an optimizing adversary seeking the correlated breach. Plain redundancy duplicates for reliability against RANDOM failure. The file: 'defense in depth specifically denotes layering for failure absorption under attack' — the adversarial specialization of stacked-multiples.

Path to root: Defense In Depth → Redundancy → Self Checking

Neighborhood in Abstraction Space

Defense In Depth sits among the more crowded primes in the catalog (16th percentile for distinctiveness): several abstractions describe nearly the same structure, so a description that fits it will tend to fit its neighbors too — transporting it usually means disambiguating within this family rather than landing on it exactly.

Family — Boundaries, Containment & Isolation (12 primes)

Nearest neighbors

Computed from structural-signature embeddings · 2026-06-14

Not to Be Confused With

The closest confusion is with containment, the prime's nearest embedding neighbour, because both place barriers between a hazard and the wider world and both speak of breach and protection. But they name structurally different protective ideas. Containment is about one boundary holding — confining a hazard (a leak, a fire, an infection, a fault) within an enclosure so it cannot spread, and the protective property is the integrity of that single boundary. Defense in depth is about many barriers in series — stacking multiple independent layers so that compromising any one does not compromise the whole, and the protective property is the count of independent failures required for total loss, roughly the product of per-layer breach probabilities. The crucial difference is the load-bearing role of independence: containment cares whether the boundary holds, while defense in depth cares whether the layers fail for unrelated reasons, because that independence is what makes the gains compound multiplicatively. A single containment vessel is not defense in depth; five containment vessels whose failure modes are correlated (a common seismic event, a shared power supply) are not defense in depth either, despite looking like five layers — the depth is illusory exactly when independence collapses. The confusion is dangerous because it hides the disqualifying question defense in depth demands: "what common cause could take out two barriers at once?" A practitioner thinking in containment terms audits whether each boundary holds; a practitioner thinking in defense-in-depth terms audits whether the boundaries fail independently — and only the second catches the correlated-breach pathology that turns apparent depth into a single point of failure.

A second, subtler confusion — the prime's framed-honesty boundary — is with plain redundancy. Both stack multiples of a protective element, and stripped of an adversary they can look identical. The distinction is the purpose and the threat model. Redundancy duplicates components for reliability against random failure — spare tyres, backup servers, RAID disks — and its analysis asks whether enough copies survive independent random faults. Defense in depth layers barriers for failure absorption under directed attack, where an intelligent adversary actively seeks the correlated breach that random-failure analysis never models. The same three-firewall stack is redundancy when the threat is random component failure and defense in depth when the threat is an attacker steering toward a shared credential. The confusion cuts both ways and both ways are costly: calling ordinary redundancy "defense in depth" imports audit-for-attacker disciplines that do not fit a no-adversary setting, while treating a genuine defensive architecture as mere redundancy ignores that an intelligent adversary will manufacture the correlation that random-failure redundancy assumes away. Defense in depth's signature concern — independence defended against intelligent correlation — is precisely what redundancy-for-reliability does not address.

For the practitioner the three primes answer different questions. Does one boundary confine the hazard (containment — check boundary integrity)? Do enough copies survive random failure (redundancy — check independent fault tolerance)? Or must many barriers, failing for genuinely unrelated reasons, all be breached by a directed adversary for loss (defense in depth — audit for shared failure modes and intelligent correlation)? Mistaking which is in play leaves the correlated-breach path unexamined, or imports adversarial auditing where no adversary exists.

Solution Archetypes

No catalogued solution archetypes reference this prime yet.