THE SECURITY BRUTALIST

Security Brutalism Risk Method V2

In the original Security Brutalism Risk Method, we showed how an intentionally blunt, fast, and brutally honest approach to assessing risk enables teams to measure risk quickly and effectively. The method prioritizes clear visibility, decisive action, and explicitly owning assumptions.

After putting the method into practice for a while, it became clear that a few enhancements were needed. This is Version 2 of the Security Brutalist Risk Method. It keeps all of the original steps, expands them into a more structured template, formalizes the "Risk Brief" and scorecard language, and adds an optional short section on tracking metrics over time, for stakeholders who need that additional information to make decisions.

In short: the original is a practice. Version 2 is a practice plus a starting pattern for documentation and team scaling.

Why This Method

Instead of defining risk as a score computed in a vacuum, or as security theater, this method focuses on business impact, acknowledges and documents assumptions intentionally, and forces decisions that reduce real exposure.

Here we go, the Security Brutalism Risk Method v2 (SBRM2).

Philosophy and Principles

The original philosophy remains: be blunt. Be fast. Be directionally correct. Make risk visible, even if it’s ugly. Together with this, here are the guiding principles:

SBRM2 Process (Complete in ~15 Minutes)

1. Trigger (2 min)

Identify the reason for the risk check: is it an incident spike? New feature? Audit finding? Third-party change? Other?

Once that's done, record "Trigger" + "Why now?"

2. Brutalist Snapshot (3 min)

Create a raw snapshot:

| Field | Brutalist Input |
| --- | --- |
| Asset at Risk | What we're protecting |
| Threat Actor/Vector | Who/what could damage it |
| Likelihood | High/Med/Low (gut estimate) |
| Impact | Business effect ("revenue loss," "brand damage") |
| Detection Weakness | How easy is detection now? |
| Existing Controls | List them bluntly |

Use simple language; no probabilities or formulas.

3. Brutalist Risk Scorecard (3 min)

Populate a one-slide scorecard with the fields used in the worked example below:

| Field | Brutalist Input |
| --- | --- |
| Risk Statement | One sentence: who could do what to which asset, and why it matters |
| Likelihood | High/Med/Low, revised from the snapshot now that the threat is written down |
| Impact | High/Med/Low |
| Speed to Damage | How fast the attacker gets value after the first foothold |
| Detection Today | How likely it is that we notice, and how soon |
| Controls in Place | None / Partial / Adequate, with the gap named |
| Brutal Truth | The one-line honest summary nobody wants to say out loud |

4. Rapid Verdict (5 min)

Decide triage urgency:

| Category | What It Means | Brutalist Call |
| --- | --- | --- |
| Now | Immediate action required | Fix before further damage |
| Next | High priority next sprint | Address within cycle |
| Watchlist | Lower priority | Monitor, reassess |

Then assign owner and target deadline.

5. Brutalist Brief (2 min)

Send a plain-text update (no slide decks) to stakeholders containing the review, the impact, and the overall verdict. Example:

Risk Review: Customer S3 bucket publicly accessible; no MFA; attackers scanning today.
Impact: High reputational + compliance risk.
Verdict: Now -> Lock down permissions by EOD.

Optional: Brutalist Risk Metrics

In some cases, the brief may need to be accompanied by metrics that certain stakeholders require to make decisions. Here are a few meaningful indicators tied to risk exposure:

These are not compliance counts; they measure actual risk visibility and response data.

Brutalist Mantra

As you go through the risk assessment, remember: perfect is the enemy of secure.

"Expose risk. Act fast. Communicate plainly. Reduce exposure now."

Example: Exposed Internal Admin API

Step 1: Trigger

Trigger: Multiple failed authentication attempts detected against an internal admin API over the last 24 hours.
Why now: The API was recently refactored and moved behind a new load balancer. Monitoring rules were not updated.

Step 2: Brutalist Snapshot

Asset at Risk: Internal Admin API used to manage customer account states (suspensions, resets).
Threat Actor / Vector: External attacker scanning cloud IP ranges; attempting credential stuffing against the admin endpoint.
Likelihood: Medium — endpoint is reachable and being probed, but requires authentication.
Impact: High — unauthorized access allows account manipulation and potential data exposure.
Detection Weakness: Alerts only trigger after multiple failed attempts; no alerting on successful admin access.
Existing Controls: Authentication on the endpoint; alerting on repeated failed attempts only; an IP allowlist that has not been reviewed since the move behind the new load balancer.

Step 3: Brutalist Risk Scorecard

Risk Statement: An external attacker could gain unauthorized access to the admin API and manipulate customer accounts without immediate detection.
Likelihood: High (revised up from the snapshot's Medium: the endpoint is being actively probed today, and credential stuffing only needs one reused password)
Impact: High
Speed to Damage: Minutes — a single successful login allows immediate changes.
Detection Today: Weak — successful access may go unnoticed for hours.
Controls in Place: Partial — authentication exists, but network exposure and monitoring gaps remain.
Brutal Truth: If credentials are guessed or reused, the attacker wins quickly and quietly.

Step 4: Rapid Verdict

Verdict: NOW
Why: Active probing is already happening. High-impact actions available post-auth. Detection is insufficient for admin access.
Owner: Platform Security Team
Target Deadline: End of day tomorrow

Step 5: Brutalist Brief (What Gets Shared)

Risk Review: Internal admin API is externally reachable and currently being probed. Authentication exists, but monitoring and network restrictions are weak.
Impact: High - unauthorized access enables customer account manipulation and potential data exposure.
Decision: NOW - restrict network access and improve detection immediately.
Action: Lock admin API behind VPN / private network. Add alerting on all successful admin access. Review and tighten IP allowlist.
Deadline: Tomorrow EOD
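The detection gap in the snapshot above is that alerts fire only on repeated failures and never on successful admin access, and the Step 5 action is to alert on every successful admin call and tighten the IP allowlist. The following is an added example, not code from the original post: it runs those two rules over a few constructed log lines. The log format, field names, the allowlist range, the `/admin/` path prefix and the failure threshold are all assumptions made for this illustration, not a real product's schema.

```python
"""
Added example for the SBRM2 admin-API case (not from the original post).

Rules implemented over constructed sample log lines:
  1. every successful admin-API call raises an alert; if the source IP is
     outside the allowlist it is CRITICAL, otherwise INFO (an audit trail);
  2. a burst of failed admin authentications from one source inside a
     sliding window raises a HIGH alert, then re-arms.

Log format, allowlist, prefix and thresholds are assumptions for the example.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<timestamp> <src_ip> <path> <status> <user>".
# Real load-balancer or API-gateway logs will differ in shape and fields.
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 /admin/accounts/reset 401 -
2024-05-01T10:00:02Z 203.0.113.7 /admin/accounts/reset 401 -
2024-05-01T10:00:03Z 203.0.113.7 /admin/accounts/reset 401 -
2024-05-01T10:00:04Z 203.0.113.7 /admin/accounts/reset 401 -
2024-05-01T10:00:05Z 203.0.113.7 /admin/accounts/reset 401 -
2024-05-01T10:00:06Z 203.0.113.7 /admin/accounts/suspend 200 ops-svc
2024-05-01T10:05:00Z 10.20.0.15 /admin/accounts/suspend 200 alice
2024-05-01T10:06:00Z 10.20.0.15 /api/v1/health 200 -
2024-05-01T11:00:00Z 198.51.100.9 /admin/login 401 -
"""

ADMIN_PREFIX = "/admin/"                                   # assumed admin route prefix
ALLOWLIST = [ipaddress.ip_network("10.20.0.0/16")]         # assumed VPN / private range
FAILED_THRESHOLD = 5                                       # failures from one source ...
FAILED_WINDOW = timedelta(minutes=1)                       # ... within this window


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: ipaddress.IPv4Address | ipaddress.IPv6Address
    path: str
    status: int
    user: str


def parse_log(text: str) -> list[Event]:
    """Parse the constructed space-separated format into Event records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, path, status, user = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")),
                            ipaddress.ip_address(src), path, int(status), user))
    return events


def in_allowlist(ip) -> bool:
    return any(ip in net for net in ALLOWLIST)


def detect(events: list[Event]) -> list[tuple[str, str]]:
    """Return (severity, message) alerts for the two admin-API rules."""
    alerts: list[tuple[str, str]] = []
    failures: dict = defaultdict(list)  # src -> timestamps of recent failed admin auth

    for e in sorted(events, key=lambda x: x.ts):
        if not e.path.startswith(ADMIN_PREFIX):
            continue  # non-admin traffic is out of scope for these rules

        if e.status == 200:
            # Rule 1: successful admin access is always visible; off-allowlist is critical.
            sev = "INFO" if in_allowlist(e.src) else "CRITICAL"
            alerts.append((sev, f"successful admin access {e.path} by {e.user} from {e.src}"))
        elif e.status in (401, 403):
            # Rule 2: sliding-window burst of failures per source; reset after alerting.
            recent = [t for t in failures[e.src] if e.ts - t <= FAILED_WINDOW]
            recent.append(e.ts)
            if len(recent) >= FAILED_THRESHOLD:
                alerts.append(("HIGH", f"{len(recent)} failed admin auth attempts "
                                       f"from {e.src} within {FAILED_WINDOW}"))
                recent = []
            failures[e.src] = recent
    return alerts


if __name__ == "__main__":
    for severity, message in detect(parse_log(SAMPLE_LOG)):
        print(f"[{severity}] {message}")
```

On the sample input the burst from 203.0.113.7 fires a HIGH alert on the fifth failure, the 200 that follows from the same off-allowlist address fires CRITICAL (exactly the "wins quickly and quietly" case the scorecard describes), and alice's access from the private range is logged as INFO so successful admin activity is never silent. The single failure from 198.51.100.9 produces nothing, which is the point of the window: noise is tolerated, bursts and successes are not.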



Here's a template (markdown) you can download and use: SBRM2.md