The Basics: A Brutalist Security Program Stripped to the Essentials

Here's the most minimal security program you can run, and you can use it as a tool to evaluate your current posture, find missing fundamentals, simplify a setup that has grown too complex, or build a foundation from scratch.

Start by minimizing the attack surface. Keep a full asset inventory, remove anything unnecessary, and harden what remains; the less there is to attack, the less you have to defend.

Identity and access management comes next. Default to no access and grant it only when needed and only in the amount needed, lock down admin accounts, and enforce zero trust with network segmentation. Trust nothing by default, since least privilege limits the damage any single compromise can cause.

Data security follows from there. Classify sensitive data, encrypt it, and control who can reach it, and make sure backups are tested, protected, and actually restorable when you need them. Data is usually the real target, so it needs protection that matches that role.

Patch and vulnerability management has to run constantly. Scan often, patch fast, and eliminate unsupported software, because known bugs give attackers easy wins you can avoid simply by staying current.

Incident response rounds out the operational side. Keep the plan simple and practice it, and make sure the team knows how to detect, contain, and recover, since an attack will happen eventually and preparation beats scrambling in the moment.

None of this holds without continuous assessment. Scan, test, clean up, and recheck on a regular schedule, remove what's no longer needed, and keep adapting, because security functions as an ongoing process rather than something you finish once and leave alone.

Strip the system down, lock down what remains, test it often, and trust nothing. That's the Brutalist approach: simple, strong, and built to survive contact with reality.


Note: Originally posted in the Security Brutalist blog.