The Laws of Security Brutalism
A Security Brutalism approach demands simple and raw laws because it prioritizes clarity, directness, and unambiguous enforcement over nuance and flexibility. In high-risk or high-stakes environments, overly complex or interpretive rules can lead to inconsistencies, loopholes, and human error—weaknesses that attackers often exploit. Relying on foundational truths, a brutalist approach removes ambiguity, ensures predictability, and reinforces a culture of discipline and zero tolerance for fluff. These uncompromising laws serve as the backbone for a defense posture that values strength, transparency, and resilience above all.
Allow me to present, then, a set of straightforward laws for initiating a brutalist approach to security.
The Laws
- If it’s not being used, it’s an attack surface.
- Every dependency is a liability.
- Elegant diagrams lie.
- Complexity is camouflage for failure.
- No consequences, no control.
- If it needs training, it failed.
- The attacker doesn’t care about your backlog.
- Every exception becomes the new standard.
- A good policy is one sentence long.
- If you can’t break it, you can’t defend it.
- Every dashboard lies. Trust the logs.
- MFA is the seatbelt. The car still crashes.
- What you expose, they will exploit.
- Security at rest is security asleep.
- Trust is a vulnerability.
- No one reads your risk register.
The Defining Law: Use It or Remove It
If it’s not being used, it’s an attack surface.
This is the first and defining law of Security Brutalism. It’s not a suggestion. It’s a demand.
Security teams waste time protecting what no one needs. Unused endpoints, stale integrations, orphaned services, zombie identities—each one adds surface, complexity, and risk. They multiply quietly, ignored by product and protected by inertia.
Security Brutalism doesn’t accept that. It refuses to defend what shouldn’t exist.
If something isn't actively serving the business, it shouldn't be hardened—it should be removed. You don't need more controls. You need less surface. You need subtraction.
Security isn’t about visibility. It’s about clarity. And clarity starts with deletion.
Brutalist Security doesn’t layer on tools to manage the mess. It clears the debris first. What's left should be simple, strong, and worth defending.
This isn’t minimalism for aesthetics. It's minimalism for survival.
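As an added illustration of the defining law (not code from the original post), the audit below checks an asset inventory of endpoints, integrations, services and identities against activity logs and flags anything unused in the window for removal rather than hardening; the inventory, log records and timestamps are constructed sample data, and "shadow" assets (in the logs but not in the inventory) are reported as well.

```python
"""Use-it-or-remove-it audit over constructed inventory and activity data."""
from datetime import datetime, timedelta, timezone

# Constructed inventory: asset id -> kind (assumed labels, not from any real system)
INVENTORY = {
    "api/v1/export": "endpoint",
    "api/v2/legacy-sync": "endpoint",
    "slack-webhook-old": "integration",
    "report-worker": "service",
    "svc_backup_2019": "identity",
    "alice": "identity",
}

# Constructed activity records: (ISO 8601 timestamp, asset id observed in logs)
ACTIVITY = [
    ("2024-05-01T09:12:00Z", "api/v1/export"),
    ("2024-05-02T11:00:00Z", "alice"),
    ("2024-02-10T03:30:00Z", "svc_backup_2019"),  # zombie identity: last used months ago
    ("2024-05-03T08:00:00Z", "report-worker"),
    ("2024-05-04T06:00:00Z", "cron-runner"),      # in the logs but not in the inventory
]

NOW = datetime(2024, 5, 5, tzinfo=timezone.utc)  # constructed audit time

def last_seen(activity):
    """Map each asset id to the most recent timestamp at which it appeared."""
    seen = {}
    for ts, asset in activity:
        t = datetime.fromisoformat(ts.replace("Z", "+00:00"))
        if asset not in seen or t > seen[asset]:
            seen[asset] = t
    return seen

def removal_candidates(inventory, activity, now, window_days=30):
    """Return {asset: reason} for inventoried assets with no activity inside the window.
    Never observed -> 'orphaned'; observed only before the window -> 'stale'."""
    seen = last_seen(activity)
    cutoff = now - timedelta(days=window_days)
    out = {}
    for asset, kind in sorted(inventory.items()):
        t = seen.get(asset)
        if t is None:
            out[asset] = f"orphaned {kind}: never observed"
        elif t < cutoff:
            out[asset] = f"stale {kind}: last used {t.date()}"
    return out

def shadow_assets(inventory, activity):
    """Assets that appear in the logs but are missing from the inventory: surface nobody owns."""
    return sorted({asset for _, asset in activity if asset not in inventory})

if __name__ == "__main__":
    for asset, reason in removal_candidates(INVENTORY, ACTIVITY, NOW).items():
        print(f"REMOVE {asset}: {reason}")
    for asset in shadow_assets(INVENTORY, ACTIVITY):
        print(f"UNINVENTORIED {asset}: in use but not tracked")
```

Every asset the audit names is a removal decision, not a ticket to add controls; the window length is a policy choice and is the one knob worth keeping.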