Security Brutalism
Mar 2025 - Updated Apr 2025
We live in an increasingly complex and noisy tech world, and organizations often get bogged down in a proliferation of security tools and overly complicated strategies. Security Brutalism offers a contrasting philosophy: a return to the fundamental principles of security, prioritizing robust core controls, transparency and openness, and functional efficiency over complexity. This approach aims to build a resilient and understandable security foundation that effectively mitigates key risks without the unnecessary overhead and opacity that can plague modern security programs.
To strengthen and simplify security, we should adopt a brutalist approach—one that prioritizes raw functionality, structural honesty, and directness over unnecessary complexity or obscured processes. This means embracing systems that are clear in purpose, resilient by design, and grounded in the fundamental capabilities of the technologies they rely on.
This concept draws from brutalist architecture and web design, both of which favor unembellished, utilitarian structures that reveal rather than conceal their underlying materials and construction. Central to this philosophy is the principle of truth to materials—the idea that a system should express its true nature, not hide behind decorative abstractions.
Security Brutalism helps focus on what truly matters and ensures everyone understands the "why" behind the security measures, leading to a stronger security culture and a more defensible organization.
Security Brutalism is all about establishing baselines, looking for anomalies, and having a plan (more here).
In short: What you see is what's enforced; what breaks doesn't collapse the system; and what remains is strong and recoverable.
The Why Behind Security Brutalism
I’ve been in the security field for over 20 years, working across nearly every aspect of it. However, in the past decade, I’ve seen how security has become flooded with vendors offering random solutions, each claiming to solve problems we didn’t even know we had. Meanwhile, regulations continue to pile on new requirements, only adding to the complexity. This has made it increasingly difficult to prioritize what actually needs attention, especially when it comes to identifying the real gaps and issues that need fixing.
We’re facing a growing need for resources, yet budgets keep shrinking. Alerts are flooding our monitoring systems, but we have no clear understanding of their root causes. New controls are being implemented, but they often fail when put to the test. And the people who should be benefiting from security still don’t fully understand it.
This is the reason behind Security Brutalism. It's a return to a no-nonsense, transparent, and robust approach to security, prioritizing effectiveness, simplicity, clarity, and resilience over superficial aesthetics. My goal was to develop a security program centered around simplicity and strong fundamental protections. Similar to its architectural style counterpart, it focuses on a raw, functional, unadorned, and genuinely straightforward approach to security.
Security Brutalism Principles
- Expose the Mechanics: Make how security works transparent to users and stakeholders.
- Enforce Functionality Over Frictionless Experience: Favor transparency and user control over aesthetics — rough edges are fine if it means security is clear and uncompromised.
- Simplify to the Core: Remove anything that isn’t essential, auditable, or explainable.
A Program
A Security Brutalism program should focus on:
Transparent and Minimalist Security Design
- No unnecessary complexity—security measures should be clear, direct, and understandable.
- Systems should expose their security mechanisms explicitly, rather than hiding them behind abstracted layers.
- Open-source, auditable security models over proprietary black-box solutions.
Resilient, No-Nonsense Infrastructure
- Redundancy and robustness over sleekness; favoring simple, hardened systems over fragile, interdependent components.
- Use of lower-level security controls, such as hardware-based security and strict access controls, rather than relying exclusively on security software and patches.
- Prioritize default security over user convenience: strict authentication, logging, and monitoring as foundational principles.
Function Over Form
- Security interfaces should be utilitarian, terse, information-dense, and highly functional, akin to command line tools or text-based dashboards rather than polished graphical UIs.
- No unnecessary distractions; just raw, clear data representation.
Self-Contained Security Units
- Architectural brutalism often features monolithic, self-reliant structures, which in security means containerized applications and strict network segmentation.
- It also means a minimized attack surface, achieved by stripping unnecessary features: "if it’s not essential, it should be removed."
Hard But Effective Access Controls
- Uncompromising password policies, multi-factor authentication (MFA), and least-privilege access.
- Clear audit trails and forensic logging. If something happens, it should be instantly traceable.
Raw Exposure Threat Intelligence
- Systems should not obscure their security status. Real-time threat intelligence feeds, system logs, and alerts should be openly visible to security teams.
- Aggressive intrusion detection with loud, unmissable alerts rather than subtle warnings.
A Brutalist Approach To Incident Response
- Incident response is strict, pre-planned, and executed with precision. No hesitation or reliance on reactive, ad-hoc solutions.
- Harsh containment measures. For example: automatic isolation of compromised systems and immediate credential revocation.
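The three things the post keeps returning to (a baseline, an anomaly check against it, and a plan that is executed without hesitation) can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the Security Brutalism site or its runbook. The log format, the rule thresholds, the response plan and the log lines are all constructed for illustration. The point is the brutalist one: every alert states the exact rule and values that fired it, and every response step is looked up from a plan written down before the incident, so there is nothing to reverse-engineer when someone asks "why did the system isolate that host?"

```python
"""Baselines, anomaly checks and a pre-planned response, written so that
every decision the code makes is visible in its output.

Added example for this post (not code from the Security Brutalism site).
The log format, thresholds, response plan and log lines are assumptions
chosen for illustration.
"""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# Assumed line format: "<timestamp> <ok|fail> user=<name> src=<ip> host=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>ok|fail) user=(?P<user>\S+) "
    r"src=(?P<src>\S+) host=(?P<host>\S+)$"
)

# Constructed log lines from a known-good period; they define "normal".
BASELINE_LOG = """\
2025-03-01T08:02:11Z ok user=alice src=10.0.1.20 host=web-01
2025-03-01T08:05:42Z ok user=alice src=10.0.1.20 host=web-01
2025-03-01T09:11:03Z ok user=bob src=10.0.2.7 host=db-01
2025-03-01T17:40:19Z ok user=bob src=10.0.2.7 host=db-01
2025-03-02T08:00:55Z ok user=alice src=10.0.1.21 host=web-01
"""

# Constructed log lines from the period under watch.
LIVE_LOG = """\
2025-03-03T08:01:00Z ok user=alice src=10.0.1.20 host=web-01
2025-03-03T03:14:07Z fail user=bob src=203.0.113.9 host=db-01
2025-03-03T03:14:09Z fail user=bob src=203.0.113.9 host=db-01
2025-03-03T03:14:12Z fail user=bob src=203.0.113.9 host=db-01
2025-03-03T03:14:20Z ok user=bob src=203.0.113.9 host=db-01
"""

# The plan is written before anything happens: rule code -> (action, which
# field of the alert is the target). Nothing is decided ad hoc at alert time.
RESPONSE_PLAN = {
    "unknown_source": [("revoke_sessions", "user")],
    "failed_threshold": [("block_source", "src")],
    "success_after_failures": [("revoke_credentials", "user"), ("isolate_host", "host")],
}


@dataclass
class Alert:
    ts: str
    user: str
    src: str
    host: str
    reasons: list  # (rule_code, human-readable explanation) pairs


def parse(log: str) -> list[dict]:
    """Parse log text; a line that does not match is an error, not a silent drop."""
    events = []
    for lineno, line in enumerate(log.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"line {lineno} does not match expected format: {line!r}")
        events.append(m.groupdict())
    return events


def build_baseline(events: list[dict]) -> dict[str, set[str]]:
    """Baseline = the set of source addresses each user has logged in from."""
    known: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["result"] == "ok":
            known[e["user"]].add(e["src"])
    return dict(known)


def detect(events: list[dict], baseline: dict[str, set[str]], max_fail: int = 3) -> list[Alert]:
    """Check each event against the baseline and two fixed thresholds.
    Every alert carries the exact rule and the values that fired it."""
    alerts = []
    fails: Counter = Counter()  # (user, src) -> consecutive failures
    for e in events:
        user, src, key = e["user"], e["src"], (e["user"], e["src"])
        reasons = []
        if src not in baseline.get(user, set()):
            reasons.append(("unknown_source", f"{src} is not a baseline source for {user}"))
        if e["result"] == "fail":
            fails[key] += 1
            if fails[key] >= max_fail:
                reasons.append(("failed_threshold",
                                f"{fails[key]} consecutive failures for {user} from {src}"))
        else:
            if fails[key] >= max_fail:
                reasons.append(("success_after_failures",
                                f"login succeeded after {fails[key]} failures for {user} from {src}"))
            fails[key] = 0  # a success closes the failure streak
        if reasons:
            alerts.append(Alert(e["ts"], user, src, e["host"], reasons))
    return alerts


def respond(alert: Alert) -> list[tuple[str, str]]:
    """Map an alert to its pre-planned actions (deduplicated, plan order kept)."""
    actions: list[tuple[str, str]] = []
    for code, _ in alert.reasons:
        for action, target_field in RESPONSE_PLAN[code]:
            step = (action, getattr(alert, target_field))
            if step not in actions:
                actions.append(step)
    return actions


def analyze(baseline_log: str = BASELINE_LOG, live_log: str = LIVE_LOG, max_fail: int = 3) -> list[Alert]:
    """Baseline from the known-good log, then check the live log against it."""
    return detect(parse(live_log), build_baseline(parse(baseline_log)), max_fail)


if __name__ == "__main__":
    for a in analyze():
        print(f"ALERT {a.ts} user={a.user} src={a.src} host={a.host}")
        for code, why in a.reasons:
            print(f"  rule={code}: {why}")
        for action, target in respond(a):
            print(f"  action={action} target={target}")
```

Run as a script, it prints one loud, self-explaining block per alert: the four events for `bob` from the never-seen address 203.0.113.9 each trip the baseline rule, the third failure trips the threshold rule, and the success that follows trips the harshest plan entry (credential revocation plus host isolation). The whole ruleset is three `if` statements and a dictionary, which is the design choice: it can be read, audited and argued about by anyone on the team, which a tuned scoring model cannot.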
To Close
A brutalist approach to security may feel austere—even unforgiving at times—but it’s also highly effective. Prioritizing simplicity, transparency, and resilience over elegance and convenience creates a sturdier, more reliable foundation for managing risk. Rather than smoothing over complexity with decorative abstractions, Security Brutalism embraces clarity and function, favoring systems and controls that are direct, enforceable, and built to endure.
Note: This post lives on the Security Brutalism website. There is now also a runbook that provides a high-level, simplified guide for security teams and executives to begin implementing a Security Brutalism approach.