The Security Brutalist Checker Tool
The Security Brutalist Checker tool is a simple, checkbox-based assessment built around the minimal and essential controls defined in The Basics: A Brutalist Security Program Stripped to the Essentials. It offers a clear way to evaluate the current state of security from a Security Brutalism perspective, focusing on whether the foundational controls are truly in place.
Refer to it as a guide for aligning work with core security principles. While the areas, controls, and expected outcomes may not align perfectly with every organization, their purpose is to drive attention toward core security fundamentals that are often overlooked or neglected.
The Score
For each of the nine areas you record one of three results: "Implemented", "Partially Implemented", or "Not Implemented". Score two points for each area implemented, one point for each area partially implemented, and zero for each area not implemented. The maximum score is 18 points:
- 15–18 (green): Basics covered.
- 9–14 (yellow): Some basics in place, needs work.
- 0–8 (red): Lacking core security hygiene.
Checking the Boxes
This is a reality checklist, not a maturity model. If something isn’t enforced, tested, and measurable, it doesn’t count. Check a box only if the control is real, consistently enforced, and hardened. If it’s aspirational, informal, or applied inconsistently, consider it "not implemented."
Be brutal. Be honest. Be secure.
When using the tool, mark a control as implemented only if it is:
- Actively in use.
- Enforced by configuration or automation (a written policy alone is not enough; there has to be a mechanism that enforces it).
- Regularly reviewed and hardened.
What Each Section Means
Each section defines an expected outcome—there is no room for interpretation. A control is either fully implemented as described, or it is not. The following outlines the required state for each control or fundamental. Partial, informal, or inconsistent implementations do not meet the standard and must not be marked as complete.
1. Minimize Attack Surface
Goal: Reduce what can be attacked and harden what remains.
- Keep a full asset inventory: All devices, services, applications, and cloud resources are known, documented, and regularly updated.
- Remove anything unnecessary: No unused apps, open ports, dev environments, or legacy tools left active.
- Harden what remains: Baseline configurations (e.g. CIS benchmarks) are enforced. Defaults are changed, unnecessary features disabled.
2. Strong Identity & Access Management
Goal: Control who can access what, and limit the blast radius.
- Default to no access: Users and systems start with zero permissions; access must be explicitly granted.
- Grant only needed access: All access is least privilege, time-limited when possible, and tightly scoped.
- Lock down admin accounts: Admins use separate accounts, MFA is enforced, and all admin actions are logged.
- Use zero trust & segmentation: Systems validate trust continuously. Networks and services are segmented to block lateral movement.
3. Data Security
Goal: Protect the actual target — your data.
- Classify, encrypt, and control access: Sensitive data is labeled, encrypted in transit and at rest, and access is tightly controlled.
- Test, protect, and restore backups: Backups are encrypted, stored securely, and restored regularly in real tests.
4. Patch & Vulnerability Management
Goal: Close the doors attackers use.
- Scan constantly: Automated tools scan infrastructure, containers, apps, and endpoints continuously for known issues.
- Patch fast: High-risk vulnerabilities are patched within days — not weeks or months.
- Eliminate unsupported software: No end-of-life or unpatchable systems are in use — they’re upgraded or removed.
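The "patch fast" item only counts if it is measurable. The following is an added example, not code from the Security Brutalist Checker, that turns a scanner export into that measurement: it parses a constructed CSV of findings (the host names and finding IDs are placeholders, not real vulnerabilities), applies an assumed SLA of seven days for critical and high severity, and lists every open finding that has exceeded it. The seven-day figure is an assumption standing in for the page's "days, not weeks or months".

```python
import csv
import io
from datetime import date

# Assumed SLA in days per severity. The page says "days, not weeks or months";
# 7 days for critical and high is an assumption chosen for this example.
SLA_DAYS = {"critical": 7, "high": 7}

# Constructed scanner export for illustration. Hosts and IDs are placeholders,
# not real systems or real vulnerability identifiers.
FINDINGS_CSV = """host,id,severity,first_seen,fixed
web-01,F-1,critical,2024-05-01,2024-05-04
web-01,F-2,high,2024-05-02,
db-01,F-3,high,2024-05-25,
db-01,F-4,medium,2024-04-01,
"""


def _as_date(value):
    """Accept either a date or an ISO 'YYYY-MM-DD' string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def parse_findings(text):
    """Parse the CSV export into dicts with real date objects (fixed may be None)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["first_seen"] = _as_date(row["first_seen"])
        row["fixed"] = _as_date(row["fixed"]) if row["fixed"] else None
        rows.append(row)
    return rows


def open_overdue(findings, today):
    """Return (host, id, age_in_days) for open findings older than their SLA.

    Severities without an SLA entry (e.g. medium) are ignored here; the control
    is about high-risk issues. Fixed findings are not counted as open.
    """
    today = _as_date(today)
    overdue = []
    for f in findings:
        limit = SLA_DAYS.get(f["severity"].lower())
        if limit is None or f["fixed"] is not None:
            continue
        age = (today - f["first_seen"]).days
        if age > limit:
            overdue.append((f["host"], f["id"], age))
    return overdue


def control_state(findings, today):
    """Map the result onto the checker's states. Following the page's rule that
    a control either holds or it does not, any overdue high-risk finding means
    'Not Implemented'."""
    return "Implemented" if not open_overdue(findings, today) else "Not Implemented"


if __name__ == "__main__":
    findings = parse_findings(FINDINGS_CSV)
    for item in open_overdue(findings, "2024-05-30"):
        print("OVERDUE: host=%s id=%s age=%d days" % item)
    print(control_state(findings, "2024-05-30"))
```

Run against the constructed data as of 2024-05-30, F-2 (open for 28 days) is reported as overdue, F-3 (5 days old) is within the SLA, F-1 was fixed in time and F-4 has no SLA, so the control is marked "Not Implemented". Feeding the script your real scanner export gives the same yes-or-no answer the checklist asks for.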
5. Incident Response
Goal: Be ready when things go wrong — because they will.
- Have a simple, practiced plan: You have a written incident response plan that’s been used in drills.
- Know how to detect, contain, recover: Detection tools, alerting, and response roles are well-defined. Recovery is documented and tested.
6. Continuous Assessment
Goal: Stay sharp, adapt fast, and remove risk over time.
- Regularly scan and test: You do internal and external scans, plus penetration testing or red teaming.
- Remove what’s no longer needed: Unused accounts, systems, rules, and software are removed quickly — not just ignored.
- Continuous improvement: Lessons from audits, tests, and incidents are turned into concrete improvements.
7. Cloud Security
Goal: Harden your cloud use like you would your infrastructure.
- Least privilege & IAM controls: Roles, policies, and permissions are tightly scoped. No wildcard permissions or default admins.
- Encrypt data in transit & at rest: Encryption is enforced across all services — S3, RDS, GCS, etc. TLS is standard.
- Logging & monitoring in place: CloudTrail, CloudWatch, GuardDuty, or equivalent are configured and alerting works.
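"No wildcard permissions" is easy to assert and easy to get wrong, because IAM policies hide wildcards in several places. Below is an added example, not the checker's own code, that inspects AWS IAM policy documents for overly broad Allow statements: a full `*` or `service:*` in Action, a `*` Resource, and `NotAction`/`NotResource` in an Allow statement (which grant everything except what is listed). Deny statements are skipped because a broad Deny narrows access. The three policy documents are constructed for illustration; the bucket name and ARNs are made up.

```python
import json

# Constructed sample policies for illustration. Bucket name and ARNs are made up.
OVERLY_BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["s3:GetObject"],
         "Resource": "arn:aws:s3:::example-bucket/*"},
    ],
}

SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["s3:GetObject", "s3:ListBucket"],
         "Resource": ["arn:aws:s3:::example-bucket",
                      "arn:aws:s3:::example-bucket/*"]},
        # A broad Deny narrows access rather than widening it: not a finding.
        {"Effect": "Deny", "Action": "*", "Resource": "*"},
    ],
}

# Statement given as a single object (IAM allows this) using NotAction:
# "everything except IAM" is still a wildcard grant.
NOT_ACTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
}


def _as_list(value):
    """Statement, Action, Resource and their Not* forms may be a string or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def find_wildcard_grants(policy):
    """Return (statement_index, field, value) findings for overly broad Allow statements.

    Flags: Action "*" or "service:*"; any NotAction/NotResource in an Allow
    statement (grants everything not listed); Resource "*". Partial resource
    patterns such as "arn:aws:s3:::example-bucket/*" are considered scoped.
    """
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            if action == "*" or action.endswith(":*"):
                findings.append((i, "Action", action))
        for field in ("NotAction", "NotResource"):
            for value in _as_list(stmt.get(field)):
                findings.append((i, field, value))
        for resource in _as_list(stmt.get("Resource")):
            if resource == "*":
                findings.append((i, "Resource", resource))
    return findings


def policy_passes(policy):
    """The checklist's test for this control: no wildcard grants at all."""
    return not find_wildcard_grants(policy)


def load_policy(text):
    """Policies are normally exported as JSON (e.g. from the CLI); parse one."""
    return json.loads(text)


if __name__ == "__main__":
    for name, pol in (("broad", OVERLY_BROAD_POLICY), ("scoped", SCOPED_POLICY),
                      ("not-action", NOT_ACTION_POLICY)):
        print(name, "passes" if policy_passes(pol) else "FAILS", find_wildcard_grants(pol))
```

On the constructed input the first and third policies fail (full `*` action, `*` resource, and the `NotAction` grant), while the scoped policy passes even though it contains a `Deny *`. Pointing `load_policy` at the JSON of every customer-managed and inline policy in an account turns the "no wildcard permissions" line into something you can actually enforce in a pipeline.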
8. Email Security
Goal: Stop the most common attack vector: phishing.
- Use SPF, DKIM, DMARC: All email domains are authenticated, and DMARC enforcement is at least in quarantine mode.
- Filter or quarantine suspicious email: Suspicious attachments and links are filtered, sandboxed, or held for review.
- Train users to spot phishing: Training is regular, realistic, and reinforced with phishing simulations.
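"DMARC enforcement is at least in quarantine mode" can be verified from two DNS TXT records per domain. The following is an added example, not part of the Security Brutalist Checker, that parses a DMARC record and an SPF record and maps the result onto the checker's three states. The records are constructed for illustration (example.com, example.net and example.org are reserved names, and the IP range is a documentation prefix); in practice they would be fetched with a DNS resolver rather than read from a dict. DKIM is not checked here because it requires knowing the selector in use.

```python
import re

# Constructed DNS TXT records for illustration; in a real check these would be
# looked up with a resolver. example.* are reserved names, 192.0.2.0/24 is a
# documentation prefix.
RECORDS = {
    "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    "_dmarc.example.net": "v=DMARC1; p=quarantine; pct=100; sp=reject; rua=mailto:dmarc@example.net",
    "_dmarc.example.org": "v=DMARC1; p=reject; pct=25",
    "example.com": "v=spf1 include:_spf.example.com ~all",
    "example.net": "v=spf1 ip4:192.0.2.0/24 -all",
    "example.org": "v=spf1 mx +all",
}

# An SPF "all" mechanism with its optional qualifier (+, -, ~ or ?).
SPF_ALL = re.compile(r"^([+\-~?])?all$", re.IGNORECASE)


def parse_dmarc(txt):
    """Split a DMARC record ('tag=value; tag=value') into a lower-cased tag dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforced(txt):
    """True only for v=DMARC1 with p=quarantine or p=reject applied to 100% of mail.

    pct defaults to 100; a lower pct applies the policy to only a sample of
    failing messages, so it is treated as not enforced. p=none is monitoring only.
    """
    if txt is None:
        return False
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return False
    if tags.get("p", "none").lower() not in ("quarantine", "reject"):
        return False
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        return False
    return pct == 100


def spf_enforced(txt):
    """True if the SPF record ends in fail (-all) or softfail (~all).

    +all lets anyone send as the domain, ?all is neutral, and a record with no
    "all" mechanism is implicitly neutral; all three are treated as not enforced.
    """
    if txt is None:
        return False
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return False
    for term in terms[1:]:
        m = SPF_ALL.match(term)
        if m:
            return (m.group(1) or "+") in ("-", "~")
    return False


def assess_domain(domain, records=RECORDS):
    """Map SPF and DMARC results onto the checker's three states."""
    dmarc = dmarc_enforced(records.get("_dmarc." + domain))
    spf = spf_enforced(records.get(domain))
    if dmarc and spf:
        return "Implemented"
    if dmarc or spf:
        return "Partially Implemented"
    return "Not Implemented"


if __name__ == "__main__":
    for d in ("example.com", "example.net", "example.org", "example.edu"):
        print(d, assess_domain(d))
```

Against the constructed records, example.net is the only domain that fully passes; example.com has SPF but a monitoring-only DMARC policy, and example.org fails both because `pct=25` only quarantines a sample and `+all` authorises any sender. Note that an SPF `~all` softfail is accepted here because DMARC treats anything other than a pass as failing alignment; if you want the stricter reading, narrow `spf_enforced` to `-all`.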
9. Security Education & Awareness
Goal: Make security culture real, not just training slides.
- Frequent, realistic training: Training is relevant to actual risks. People know what’s expected, not just generic advice.
- Phishing simulations used: Simulations are regular and reported — people learn through doing.
- No-blame reporting culture: Users feel safe reporting mistakes, phishing clicks, or suspicious activity without punishment.
Next
Go to the Security Brutalist Checker tool and assess your current posture.