Continue your mission
Before firewalls, before encryption, before SIEM platforms and zero-trust architectures, medieval engineers solved the same problem that modern security teams face every day: how do you protect the most valuable thing you have when determined adversaries will never stop looking for a way in?
# The PDM Through History: How Medieval Castles Mirrored Cybersecurity
Before firewalls, before encryption, before SIEM platforms and zero-trust architectures, medieval engineers solved the same problem that modern security teams face every day: how do you protect the most valuable thing you have when determined adversaries will never stop looking for a way in?
The answer, developed across six centuries of European and Crusader-era fortress construction, was a layered, concentric defense system. No single wall was expected to stop a determined attacker. No single gate was the last line. Each layer assumed the one before it might eventually fail, and prepared accordingly. The innermost stronghold was designed to hold even if every outer defense had been breached.
This is not a metaphor borrowed to make cybersecurity more interesting. It is structural convergence. The engineers who built Krak des Chevaliers in Syria, Caernarfon Castle in Wales, and the Theodosian Walls of Constantinople were solving, in stone and mortar, precisely the architecture that the Planetary Defense Model (PDM) encodes for the digital environment. Six concentric layers, each with a distinct defensive function, each dependent on the others, all protecting a core that cannot afford to fall.
The PDM organizes all of cybersecurity into six domains ordered from innermost to outermost: DPS (Data Protection and Sovereignty), VSD (Vulnerability and Surface Defense), SPH (Security Posture and Hygiene), IAT (Identity Access and Trust), TID (Threat Intelligence and Defense), and RGA (Risk Governance and Assurance). Understanding what each domain does, and why all six must operate simultaneously, is considerably easier when you can walk the walls.
The keep, or donjon, was the innermost stronghold of a medieval castle. It was built last, reinforced most heavily, and designed to be the final defensible position when all outer defenses had failed. The lord's treasury, the sealed food stores, the most sensitive correspondence, and the most valuable hostages were held in the keep. If the outer walls fell, the garrison retreated here. If the attacker reached the keep, the game was effectively over.
DPS (Data Protection and Sovereignty) is the keep of the Planetary Defense Model. This domain covers encryption at rest and in transit, data loss prevention, data classification, data governance, and sovereign data handling. If an attacker reaches this layer, they have reached the thing you are protecting: the data itself.
The Sovereign Data Protocol (SDP) governs this domain. Its tagline: "Your data lives where you decide. Period." Just as a medieval lord did not leave the crown jewels in the bailey courtyard, an organization under SDP does not leave its most sensitive data in unencrypted databases, unclassified storage buckets, or systems with permissive access controls.
The Tower of London is the most instructive example. Built from 1066 onward, the White Tower at its center was never primarily a military fortification. It was a statement of absolute sovereignty. The Jewel House, where the Crown Jewels are stored, is the inner keep of the inner keep: layered vaulting, weight-bearing stone walls, and modern physical access controls stacked on centuries of defensive intent. That is DPS thinking.
Krak des Chevaliers, the Crusader fortress in modern Syria, is the best-preserved example of 12th-century surface reduction thinking. Its designers built concentric curtain walls with overlapping fields of fire, a deep moat on the most vulnerable approach, and carefully controlled entry points that forced approaching forces into killing grounds. The goal was not to make the castle impenetrable. The goal was to make every potential approach either impossible or catastrophically costly.
VSD (Vulnerability and Surface Defense) operates on the same logic. Every exposed service, unpatched system, and misconfigured API is a gap in this layer. Every gap the attacker cannot see, cannot reach, or cannot exploit without being detected is a reduction in the effective attack surface. The Continuous Surface Reduction (CSR) methodology governs this domain: "Every surface you expose is a surface we eliminate."
The moat is attack surface management. The curtain wall is the external perimeter, patched and hardened. The overlapping towers that allow defenders to fire along the wall face, rather than just outward, are vulnerability management and penetration testing: scanning the perimeter not just from outside but from angles that match how an attacker actually moves.
Medieval fortress designers understood something that modern vulnerability programs often miss: a strong wall with a weak gate is weaker than a slightly lower wall with no gates at all. Attack surface reduction is not about strength. It is about count. Fewer exposed surfaces means fewer variables to defend.
A castle without a garrison is a pile of expensive stone that anyone can walk into. The moat, the walls, the gatehouse, and the towers are all inert without the operational discipline of daily maintenance and patrol. Medieval garrisons ran on precise routines: wall walks at scheduled intervals, gate inspections at dawn and dusk, nightly rotation of the watch, weekly inspection of siege equipment, and quarterly assessments of food and water stores.
When that routine broke down, castles fell. In 1204, Constantinople's Theodosian Walls, which had held for 800 years against every external assault, were breached by the Fourth Crusade through a single section that the garrison had neglected to properly repair and staff. Eight centuries of engineering, defeated by a lapse in maintenance discipline.
SPH (Security Posture and Hygiene) is the garrison routine. This domain covers endpoint security, patch management, configuration management, asset inventory, system hardening, and baseline enforcement. The Autonomous Posture Command (APC) methodology governs it: "Your posture adapts. Your hygiene never sleeps."
The connection to the Theodosian Walls is not decorative. The most sophisticated firewall configuration degrades if patches are not applied. The most carefully designed network architecture becomes traversable if endpoint hygiene lapses. Terrain that is maintained is difficult to cross. Terrain that is neglected becomes the path of least resistance.
Caernarfon Castle in Wales, built by Edward I between 1283 and 1330, has one of the most sophisticated gatehouse systems of the medieval era. Entry required passing through multiple portcullises, a series of right-angle turns that prevented a charging force from maintaining momentum, murder holes in the ceiling for dropping projectiles, and a separate mechanism for each gate that required distinct authorization to operate. Every person entering Caernarfon was identified, challenged, and verified at multiple points before reaching the interior.
IAT (Identity Access and Trust) is the gatehouse. This domain governs who and what is allowed to operate within the environment: identity and access management, multi-factor authentication, privileged access management, zero trust architecture, and session controls. The Zero Possession Architecture (ZPA) methodology governs it: "Trust nothing. Possess nothing. Verify everything."
The portcullis is multi-factor authentication. The right-angle turns in the gatehouse passage are the principle of least privilege, ensuring that even someone who passes the first gate cannot proceed directly to the keep. The murder holes are anomaly detection: passive surveillance of everyone who has passed the first challenge, watching for behavior that does not match a legitimate visitor's profile.
Medieval castle designers understood that identity verification is not a single event. It is continuous challenge at every point of transition. ZPA encodes the same principle: a valid credential at the perimeter does not grant access to the core. Every movement inward requires re-verification.
The most expensive real estate on any medieval castle was the top of the tallest tower. That height was not aesthetic. It was operational. A watchtower at 80 feet of elevation could see an approaching column of soldiers at 15 to 20 miles on flat terrain. That is four to six hours of warning time, given medieval marching rates. The difference between a garrison that knew an attack was coming and one that did not was the difference between a prepared defense and a rout.
Castles in contested territory extended this intelligence network outward through scouts, paid informants in nearby towns, and signal networks using fire beacons that could relay a warning across the country in hours. Richard the Lionheart's Chateau Gaillard in Normandy was positioned to give visual line-of-sight to warning positions along the Seine River, providing advance intelligence of any French river assault.
TID (Threat Intelligence and Defense) is the watchtower and the scout network. This domain covers security operations centers, SIEM platforms, threat hunting, threat intelligence feeds, managed detection and response, and behavioral analytics. The Predictive Defense Intelligence (PDI) methodology governs it: "See the threat before it sees you."
A SOC without threat intelligence feeds is a garrison watching the immediate walls. A SOC with active threat intelligence, adversary tracking, and behavioral analytics is the full watchtower network: it sees the threat before the threat reaches the curtain wall. The medieval garrison that sent scouts beyond the moat rather than waiting to observe attackers at the gate had a decisive advantage. PDI operates on the same logic.
No castle operated in isolation. Every castle was part of a feudal governance structure that determined how resources were allocated, which alliances were maintained, what the rules of conduct were in times of conflict, and who bore accountability when defenses failed. The lord's council, meeting in the great hall, made decisions that no individual garrison commander could make alone: when to negotiate, when to fight, how to distribute the harvest between troops and peasants, and what treaties with neighboring lords would extend the effective defensive perimeter.
When governance failed, castles fell to internal fracture rather than external assault. The Wars of the Roses depopulated the English castle system through governance collapse, not military defeat.
RGA (Risk Governance and Assurance) is the lord's council. This domain covers risk assessment, compliance frameworks, audit, policy management, security awareness training, third-party risk management, business continuity, and board reporting. The Perpetual Compliance Assurance (PCA) methodology governs it: "Compliance is not an event. It is a state."
The feudal alliance system is third-party risk management. The treaty that granted a neighboring lord passage through your lands in exchange for military support is a vendor risk agreement. The garrison's code of conduct is the security awareness program. The lord's obligation to account to the king for the castle's state of readiness is the board reporting function. RGA does not stop attacks directly, but an organization without governance cannot sustain any inner layer over time.
The medieval castle analogy matters for a concrete reason: it breaks the mental model that most organizations apply to cybersecurity, which is perimeter-first thinking.
Perimeter-first thinking says: if we build the wall high enough, nothing gets in. Every medieval military engineer who survived a siege knew this was wrong. The question was never whether the outer wall would hold forever. The question was whether the inner layers could sustain defense while the outer layers absorbed the attack, and whether the garrison had enough warning, resource, and intelligence to manage a response.
Modern organizations fail by treating cybersecurity as a perimeter problem when it is a depth problem. They invest heavily in firewalls and endpoint detection while leaving their data unclassified, their identities under-governed, and their patch cycles months behind. They have a strong curtain wall and a keep with an unlocked door.
The PDM makes this imbalance visible through The Shield diagnostic: six concentric rings, each representing a domain. When CDA assesses a client, red segments reveal where the walls are thin. The most common finding is outside-in imbalance: strong outer layers, degraded inner ones. That is exactly the failure pattern that brought down Château Gaillard in 1204, when Philip II of France found not a breach in the walls but a forgotten drainage channel into the inner ward.
No single layer of a medieval castle was the defense. All layers operated simultaneously, each one buying time for the next, each one reducing the attacker's options. The PDM encodes this principle for the digital environment: defense runs deep, or it does not run at all.
CDA's Planetary Defense Model was not named after a castle. It was named after a planet: the most complete natural system of concentric protection in observable physics. But the structural parallel to medieval castle design is not accidental. Both emerge from the same first-principles analysis of what layered defense actually requires.
The critical distinction CDA draws from this history is that the layers are concentric, not sequential. A medieval garrison did not first perfect the outer wall and then begin building the keep. All layers were constructed simultaneously, and all required continuous maintenance. The PCA methodology governing RGA makes this explicit: compliance is not a phase you complete before moving to operations. It is a state you maintain at the same time as everything else.
For organizations assessing their own posture, The Shield serves the same function the watchtower served for a medieval castellan: a single diagnostic view that reveals which segments of the defense are degraded and which are holding. A CISO presenting The Shield to a board is doing what the lord's council did, translating operational reality into governance-level decisions about resource allocation and risk tolerance.
The VSD domain, governed by CSR, maps most directly to the castle design principle of attack surface reduction. Every mission in the VSD campaign category is an act of medieval-style surface engineering: close the drainage channels, repair the wall sections, eliminate the approach routes that an attacker could exploit. The tagline, "Every surface you expose is a surface we eliminate," could have been the motto of the engineers at Krak des Chevaliers.
CDA Theater missions that address topics covered in this article.
The Enigma machine was an electro-mechanical cipher device used primarily by Nazi Germany during World War II to encrypt military communications.
On November 2, 1988, a Cornell University graduate student named Robert Tappan Morris released a self-replicating computer program onto the ARPANET, the research network that would become the public internet.
Malware is any software designed to disrupt, damage, or gain unauthorized access to a computer system.
Written by Evan Morgan
Found an issue? Help improve this article.