Nick, 4 min read

Stop Building Taller Walls

Tags: active-defence, defence-in-depth, strategy, maturity, threat-detection

History is unkind to those who focus too much on their perimeter defences. We wrote about this recently in the context of the Trivy supply chain compromise. If all your defences face outward, an attack that starts inside has nothing to fight.

So, what does the alternative look like?

Defending inside your environment

In 2011 the US Department of Defense published its Strategy for Operating in Cyberspace and gave us the first formal definition of active cyber defence: "synchronized, real-time capability to discover, detect, analyze, and mitigate threats and vulnerabilities." The strategy described a shift away from static network defence toward something that operates at network speed, using sensors, software and intelligence to detect and stop malicious activity before it can cause damage. It acknowledged that intrusions won't always be stopped at the boundary, and called for advanced sensors to detect, discover, map and mitigate threats that make it inside your own environment.

That definition gave us a useful starting point. But the term has been misunderstood ever since, often reduced to "hacking back." This is an unhelpful distraction. Active defence's defining characteristic is written on the tin: it's defensive. It means imposing costs on attackers in your own environment, against threats that are already inside or attempting to get in.

The nuance of what active defence looks like in practice is better captured by work like MITRE Engage, which provides a detailed framework for adversary engagement, denial and deception operations, or by Heckman et al.'s Cyber Denial, Deception and Counter Deception, which lays out the tactical and operational detail of how denial and deception techniques are planned and executed. Neither of these talks about hacking back. They talk about channeling attackers into monitored environments, planting deceptive artifacts that reveal attacker intent, creating detection opportunities that don't depend on distinguishing malicious activity from background noise, and using the attacker's own behaviour against them.

Active defence may be a relatively new concept in cyber. But as a strategy, it was perfected about seven hundred years ago.

Beaumaris

[Image: Aerial view of Beaumaris Castle showing concentric defensive walls and the kill zones between inner and outer rings]

This is Beaumaris Castle on Anglesey, built from 1295 as part of Edward I's conquest of north Wales. Its designer, James of St George, created what UNESCO considers one of the finest examples of military architecture in Europe. And it is, essentially, a physical implementation of active defence.

Multiple rings of walls, each inner ring higher than, and overlooking, the one outside it. If an attacking force breached the outer wall, they hadn't won anything. The defenders on the inner wall threatened anyone caught between the rings, and the whole structure was designed to channel attackers into prepared ground where defensive capabilities were concentrated. If that sounds like MITRE Engage's concept of adversary engagement, that's because it is. The tactics are the same. Only the medium has changed.

Beaumaris wasn't passive. It wasn't built to absorb hits. It was built to impose cost. Every metre of progress made things worse for the attacker. The defenders didn't just detect the breach. They anticipated it and used the attacker's own momentum against them.

The organisations spending differently

Here's my theory, and I'll admit it's not fully backed by data yet, but from what I've seen I believe it: you can gauge the cyber maturity of an organisation by looking at what proportion of their security budget is invested in cyber defence capabilities focused inside their environment, not just at the perimeter.

The organisations that have been through a serious incident, or watched their peers go through one, are spending differently. Deception technology is growing at 12.6% CAGR and it's on track to more than double by 2033. Gartner projects that 60% of enterprises pursuing zero trust will be using microsegmentation by the end of this year, up from less than 5% in 2023. These aren't niche categories any more. This is where the smart money is going.

What these organisations have in common is that they're building active defence into their environments. Internal detection that watches east-west traffic, not just north-south. Deception that only triggers when something is moving laterally where it shouldn't be. Hunt teams actively looking for signs of attacker presence. Segmentation that creates internal chokepoints, the digital equivalent of channeling the attacker between Beaumaris's walls.

This isn't just about surviving a breach. It's about imposing cost on the attacker. Deception that wastes their time and burns their tools against fake targets. Tripwires that force them to reveal themselves the moment they move. Environments designed so that an attacker can't operate without generating signals they can't suppress. There's a difference between "we can take a hit" and "hitting us will cost you." One is attrition, the other changes the economics of attacking you in the first place.
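To make the tripwire idea concrete, here is a small detector written for this post as an added example (it is not code from the original article or from any deception product). It runs over constructed log lines and fires on any touch of a decoy credential, decoy host or honeyfile, plus any east-west flow that falls outside a segmentation allowlist. The decoy inventory, the key=value log format and the zone map are all made-up assumptions; a real deployment would pull them from its deception platform and asset inventory. The point it demonstrates is the one MITRE Engage makes: a decoy that nobody should ever use legitimately needs no baseline, so the very first attempt is a high-fidelity alert, whereas a conventional failed-login threshold on the same data has nothing to say yet.

```python
"""Tripwire and chokepoint detection over constructed log lines.

Added example, not from the original post. Every identifier below
(decoy users, decoy host, honeyfile path, zones, log format) is an
assumption made up for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Hypothetical decoy inventory. None of these should ever be touched
# legitimately, so any interaction is a signal with no baseline to learn.
DECOY_USERS = {"svc_backup_legacy", "sqladmin_old"}
DECOY_HOSTS = {ipaddress.ip_address("10.0.9.250")}      # fake file server
DECOY_PATHS = {"/srv/finance/payroll_2019.xlsx"}         # honeyfile

# Hypothetical segmentation policy: which zone pairs may talk, on which ports.
ZONES = {
    "workstations": ipaddress.ip_network("10.0.1.0/24"),
    "servers": ipaddress.ip_network("10.0.9.0/24"),
}
ALLOWED_EAST_WEST = {("workstations", "servers"): {443}}  # SMB/RDP not allowed

# Constructed sample events (not real logs). Line 1-2 are ordinary traffic,
# 3 uses a decoy credential, 4 hits the decoy host over SMB, 5 opens the honeyfile.
SAMPLE_LOG = [
    "ts=2026-03-02T09:14:02Z type=auth user=alice src=10.0.1.23 dst=10.0.9.10 dport=443 result=success",
    "ts=2026-03-02T09:14:40Z type=auth user=alice src=10.0.1.23 dst=10.0.9.10 dport=443 result=failure",
    "ts=2026-03-02T11:02:17Z type=auth user=svc_backup_legacy src=10.0.1.23 dst=10.0.9.10 dport=443 result=failure",
    "ts=2026-03-02T11:03:05Z type=flow src=10.0.1.23 dst=10.0.9.250 dport=445",
    "ts=2026-03-02T11:05:51Z type=file user=alice path=/srv/finance/payroll_2019.xlsx",
]


@dataclass
class Alert:
    kind: str
    detail: str
    line: str


def parse(line: str) -> dict:
    """Parse one constructed key=value event line into a dict."""
    return dict(field.split("=", 1) for field in line.split())


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(line: str) -> list:
    """Return every alert a single event raises (possibly several)."""
    ev = parse(line)
    alerts = []
    # Tripwires: any interaction with a decoy fires, whatever the outcome.
    if ev.get("user") in DECOY_USERS:
        alerts.append(Alert("decoy_credential", f"{ev['user']} used from {ev.get('src')}", line))
    if ev.get("dst") and ipaddress.ip_address(ev["dst"]) in DECOY_HOSTS:
        alerts.append(Alert("decoy_host", f"{ev.get('src')} reached decoy {ev['dst']}", line))
    if ev.get("path") in DECOY_PATHS:
        alerts.append(Alert("honeyfile", f"{ev.get('user')} opened {ev['path']}", line))
    # Internal chokepoint: an east-west flow outside the segmentation allowlist.
    if ev.get("src") and ev.get("dst"):
        pair = (zone_of(ev["src"]), zone_of(ev["dst"]))
        port = int(ev.get("dport", 0))
        if pair[0] != pair[1] and port not in ALLOWED_EAST_WEST.get(pair, set()):
            alerts.append(Alert("segmentation_violation", f"{pair[0]}->{pair[1]} on port {port}", line))
    return alerts


def run(lines) -> list:
    """Evaluate every line and flatten the alerts, preserving log order."""
    return [a for line in lines for a in evaluate(line)]


def failed_login_threshold(lines, threshold: int = 5) -> dict:
    """The conventional noisy rule, for contrast: users with >= threshold failures."""
    counts = {}
    for line in lines:
        ev = parse(line)
        if ev.get("type") == "auth" and ev.get("result") == "failure":
            counts[ev["user"]] = counts.get(ev["user"], 0) + 1
    return {u: c for u, c in counts.items() if c >= threshold}


if __name__ == "__main__":
    for alert in run(SAMPLE_LOG):
        print(f"[{alert.kind}] {alert.detail}")
    print("threshold rule fired on:", failed_login_threshold(SAMPLE_LOG) or "nobody")
```

On the constructed sample the threshold rule stays silent (one failure each for alice and the decoy account), while the tripwires raise four alerts from three events, with the SMB connection to the decoy server tripping both the decoy-host rule and the segmentation chokepoint. That is the "can't operate without generating signals" property in miniature: the attacker has to guess which accounts, hosts and files are real, and every wrong guess is a detection.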

Different money, not more money

Active defence doesn't necessarily require more money. It requires different money. Shifting even 15-20% of an existing cyber defence budget away from yet another perimeter tool and toward internal detection and cost imposition changes the equation. The SANS survey found only 5% of organisations expect a significant increase in their detection and response budgets, so the money for active defence is coming from reallocation, not growth. But the organisations making that shift are the ones setting the pace.

The organisations that weather this stuff aren't the ones with the tallest perimeter. They're the ones that prepared the ground behind it: the ones who work to prevent the breach but also expect it, and make it something the attacker comes to regret.

The question isn't whether someone will get past your perimeter. That's already been answered. The question is what it costs them when they do.