A single control that 'prevents X' is a single point of failure. Defence in depth stacks controls so any one failing still leaves N-1 in place: kernel hardening, container isolation, network segmentation, audit logging, EDR, monitoring. The art is choosing controls whose failure modes are uncorrelated so an attacker can't bypass them with one trick.
An example stack against unauthorised file read: filesystem permissions (DAC), capabilities/SELinux (MAC), seccomp (syscall filter), audit log (post-hoc detection), EDR (behavioural). One CVE rarely breaks all five.
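As an added example (not part of the original lesson), the sketch below reports which of these layers currently stand between one process and one file, working from host state a defender can collect. The function names, the sample `/proc/<pid>/status` excerpt, the SELinux context and the `auditctl -l` line are constructed assumptions. It splits capabilities from SELinux and leaves EDR out because an agent's coverage is not visible from these sources.

```python
import re

CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH = 1, 2  # bit numbers from linux/capability.h

# Constructed sample: /proc/<pid>/status excerpt for a www-data worker.
SAMPLE_STATUS = ("Name:\tworker\nUid:\t33\t33\t33\t33\nGid:\t33\t33\t33\t33\n"
                 "Groups:\t33\nCapEff:\t0000000000000400\nSeccomp:\t0\n")
SAMPLE_AUDIT = "-w /etc/shadow -p r -k shadow-read\n"  # constructed `auditctl -l` output

def status_fields(text):
    """Parse 'Key:<tab>value' lines of /proc/<pid>/status into a dict."""
    return dict(l.split(":\t", 1) for l in text.splitlines() if ":\t" in l)

def dac_denies_read(f, mode, owner, group):
    """Classic owner/group/other check against the process's effective ids."""
    euid = int(f["Uid"].split()[1])
    gids = {int(f["Gid"].split()[1])} | {int(g) for g in f.get("Groups", "").split()}
    if euid == owner:
        return not mode & 0o400
    if group in gids:
        return not mode & 0o040
    return not mode & 0o004

def layers(status, mode, owner, group, enforce, context, audit_rules, path):
    """Return {layer: True if that layer currently stands between process and path}."""
    f = status_fields(status)
    bypass = int(f["CapEff"], 16) & (1 << CAP_DAC_OVERRIDE | 1 << CAP_DAC_READ_SEARCH)
    watch = re.compile(r"^-w\s+%s\s+-p\s+\S*r" % re.escape(path), re.M)
    return {
        "dac": dac_denies_read(f, mode, owner, group),
        # Either capability lets the process ignore the DAC result above.
        "capabilities": not bypass,
        # Heuristic: enforcing mode and a confined domain (not unconfined_t).
        "mac": enforce.strip() == "1" and context.split(":")[2] != "unconfined_t",
        # 1 = strict, 2 = filter; whether the filter covers open/openat is not visible here.
        "seccomp": f["Seccomp"].strip() in ("1", "2"),
        "audit": bool(watch.search(audit_rules)),
    }

def gaps(report):
    """Names of the layers that are absent for this process and path."""
    return sorted(name for name, present in report.items() if not present)

if __name__ == "__main__":
    r = layers(SAMPLE_STATUS, 0o640, 0, 42, "1", "system_u:system_r:httpd_t:s0",
               SAMPLE_AUDIT, "/etc/shadow")
    print(r, "gaps:", gaps(r))
```

The DAC and capabilities rows are correlated: a process holding `CAP_DAC_OVERRIDE` makes the permission bits irrelevant, which is why the report scores them separately.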
Use these three prompts in order. Each builds on the one before.
In one paragraph, explain defence in depth.
Walk me through five orthogonal controls against a single attack class.
When does adding another defence-in-depth layer become net-negative (operationally too expensive)?