Operating under the assumption that breach is inevitable, and designing your architecture so it doesn't matter.
Breach assumption is the operating principle that your organization has already been compromised, or will be. It is not pessimism — it is architectural realism. Within the Empty Fortress doctrine, breach assumption shifts the design question from "how do we prevent all breaches" to "when the breach happens, what do they find?"
Organizations that invest exclusively in prevention create a brittle security posture. They optimize for keeping attackers out and underinvest in detection, containment, and recovery. When the perimeter inevitably fails — and it will — they have no second line of defense. The mean time to detect a breach is still measured in months across most industries. Prevention-only architectures are why.
Assuming breach changes four things. Detection becomes continuous, not periodic — you hunt for indicators of compromise in real time because you believe they are already there. Containment is pre-planned — segmentation, kill switches, and isolation runbooks exist before they are needed. Data exposure is minimized by design — Empty Fortress principles ensure that a breach finds as little valuable data as possible. Recovery is rehearsed — tabletop exercises, backup restoration drills, and communication plans are tested regularly, not filed away.
Run threat hunts quarterly, not just after alerts. Maintain an incident response retainer so you are not searching for help during a crisis. Implement canary tokens and honeypots to detect lateral movement. Log everything and retain logs in an immutable store the attacker cannot reach. Test your backups by actually restoring from them.
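As an added illustration of the canary-token practice above (example code, not CDA's own), a small detector that flags any authentication attempt against decoy identities in a constructed log. The decoy usernames, hostname, log format and addresses are all assumptions invented for this example.

```python
import re

# Constructed decoy identities: seeded into password stores, config files and
# wikis so an intruder can find them, but never provisioned for real use.
CANARY_USERS = {"svc-backup-legacy", "oracle_dba_ro"}
CANARY_HOSTS = {"fileshare-fin02"}

# Constructed log format: "<ts> <target_host> auth <ACCEPT|REJECT> user=<u> from=<ip>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth (?P<result>ACCEPT|REJECT) "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)

def detect_canary_hits(lines):
    """Return one alert dict per log line that touches a canary identity.
    Rejected attempts alert too: a canary has no legitimate traffic at all."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a real pipeline would count these separately
        f = m.groupdict()
        if f["user"] in CANARY_USERS:
            f["canary"] = "user"
        elif f["host"] in CANARY_HOSTS:
            f["canary"] = "host"
        else:
            continue
        alerts.append(f)
    return alerts

def sources_to_isolate(alerts):
    """Distinct source addresses that tripped a canary: the first targets
    for the pre-planned containment runbook."""
    return sorted({a["src"] for a in alerts})

# Constructed sample log: normal traffic plus two canary touches from one source.
SAMPLE_LOG = [
    "2024-05-01T09:00:01Z app-prod-01 auth ACCEPT user=alice from=10.0.1.20",
    "2024-05-01T09:00:07Z app-prod-01 auth REJECT user=svc-backup-legacy from=10.0.3.44",
    "2024-05-01T09:00:09Z fileshare-fin02 auth ACCEPT user=bob from=10.0.3.44",
    "2024-05-01T09:00:12Z app-prod-02 auth ACCEPT user=carol from=10.0.1.21",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    hits = detect_canary_hits(SAMPLE_LOG)
    for a in hits:
        print(f"ALERT canary {a['canary']}: {a['user']}@{a['host']} from {a['src']} ({a['result']})")
    print("isolate first:", sources_to_isolate(hits))
```

Because the decoys carry no legitimate traffic, every hit is actionable without tuning, which is what makes canaries a cheap, high-fidelity lateral-movement signal.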
When you combine breach assumption with Empty Fortress, the calculus changes dramatically. The attacker breaches your perimeter and finds encrypted data they cannot read, minimized data stores with little of value, compartmentalized systems that resist lateral movement, and detection systems that identified them before they found anything worth taking.
Assume you are already breached and design accordingly. Shift investment from prevention-only to detection, containment, and recovery. Empty Fortress makes breach assumption survivable by ensuring there is nothing worth finding.
Written by CDA Editorial