A Brutalist Security Maturity Checklist
The Brutalist Security Maturity Checklist is practical, unapologetic, and focused on core resilience. It is divided into four tiers of maturity, each grounded in real control impact, not security theater. It can be used as a scorecard for executive reporting or for internal program benchmarking.
Note: this list is not exhaustive; it is an example.
Legend: X = Not yet started, P = In progress, I = Implemented
Tier 0: Security Theater (Baseline Risk)
Things look secure, but they’re not.
Control | Brutalist Standard | Status |
---|---|---|
MFA | Not enforced universally | X |
Identity and Access | Admin access is not audited or limited | X |
Cloud | No asset inventory; unknown exposure | X |
Code Security | Secrets sometimes hardcoded in repos | X |
Logging | Logging is partial or decentralized | X |
Patching | Ad hoc, non-automated patching | X |
Monitoring | No alerting or triage process | X |
Incident Response | No tested IR plan | X |
Tier 1: Foundations in Place
The building has walls. Still vulnerable, but finally taking shape.
Control | Brutalist Standard | Status |
---|---|---|
MFA | Enforced for all users, no exceptions | I / P |
Identity and Access | Least privilege by role, unused accounts auto-expire | I / P |
Cloud | Asset inventory auto-populated; no public S3 buckets | I / P |
Code Security | Secrets scanning in CI/CD, enforced checks | I / P |
Infra as Code | Baseline configs codified, peer reviewed | I / P |
Logging | Centralized log storage, 7+ day retention | I / P |
Monitoring | Critical alerts go to humans; false-positive tuning started | I / P |
Patching | Mostly automated patching, some exceptions | I / P |
Incident Response | IR plan exists, team roles assigned | I / P |
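The Tier 1 "Secrets scanning in CI/CD, enforced checks" row is the kind of control that is easy to claim and hard to verify, so here is an added example of what an enforced check looks like. It is not code from the checklist's author; the detector patterns, the placeholder allowlist, the `# secrets-scan: allow` suppression marker and the sample repository contents are all constructed for illustration, and a real pipeline would normally use a maintained scanner rather than these few regexes.

```python
import re
from dataclasses import dataclass

# Assumed detector rules (not from the checklist). The AWS rule keys on the well-known
# "AKIA" access-key-ID prefix; the generic rule catches a credential-looking name assigned
# a quoted literal; the third catches PEM private-key headers committed by accident.
SECRET_PATTERNS = {
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "generic-credential": re.compile(
        r"(?i)(password|passwd|secret|api[_-]?key|token)\s*[:=]\s*['\"]([^'\"]{8,})['\"]"
    ),
    "private-key-block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
}

# Literal values that are clearly placeholders, so example configs do not block the build.
PLACEHOLDER_VALUES = {"changeme", "<redacted>", "example", "xxxxxxxx"}

# Hypothetical inline suppression marker; it must be visible in code review to be used.
ALLOW_MARKER = "# secrets-scan: allow"


@dataclass(frozen=True)
class Finding:
    path: str
    line_no: int
    rule: str


def scan_file(path: str, text: str) -> list[Finding]:
    """Run every rule over every line of one file and return the findings."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if ALLOW_MARKER in line:
            continue
        for rule, pattern in SECRET_PATTERNS.items():
            match = pattern.search(line)
            if not match:
                continue
            if rule == "generic-credential" and match.group(2).lower() in PLACEHOLDER_VALUES:
                continue
            findings.append(Finding(path, line_no, rule))
    return findings


def scan_repo(files: dict[str, str]) -> list[Finding]:
    """Scan a mapping of path -> file contents (what a CI step would read from the checkout)."""
    findings = []
    for path, text in files.items():
        findings.extend(scan_file(path, text))
    return findings


def ci_gate(files: dict[str, str]) -> int:
    """Return the exit code the CI step should use: 0 when clean, 1 when anything was found.
    A non-zero exit is what makes the check 'enforced' rather than advisory."""
    findings = scan_repo(files)
    for f in findings:
        print(f"{f.path}:{f.line_no}: {f.rule}")
    return 1 if findings else 0


# Constructed sample repository (no real credentials; the key ID is a made-up pattern match).
SAMPLE_REPO = {
    "config/settings.py": (
        'DB_HOST = "db.internal"\n'
        'DB_PASSWORD = "hunter2hunter2"\n'   # hardcoded literal -> finding
        'ADMIN_TOKEN = "changeme"\n'         # placeholder -> ignored
    ),
    "deploy/env.example": "AWS_ACCESS_KEY_ID=AKIA000000000EXAMPLE\n",   # constructed -> finding
    "keys/id_rsa": "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, no key material)\n",
    "src/app.py": 'import os\nAPI_KEY = os.environ["API_KEY"]\n',      # read from env -> clean
}

if __name__ == "__main__":
    raise SystemExit(ci_gate(SAMPLE_REPO))
```

Wiring `ci_gate` into the pipeline as a required step, with the exit code honoured, is what moves the row from P to I; the allowlist and suppression marker exist so the check can be strict without being routed around.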
Tier 2: Brutalist Core
Security is rigid, minimal, and effective. Controls are unforgiving but functional.
Control | Brutalist Standard | Status |
---|---|---|
MFA | Required for all internal systems (SSH, Git, etc.) | I |
Identity and Access | All permissions reviewed quarterly; role-based access only | I |
Build Pipelines | CI/CD fully automated; production access via automation only | I |
Secrets in Code | Centralized secret management (e.g., Vault/KMS); no plaintext anywhere | I |
Security Testing | Static and dynamic scans on every build; fail the pipeline on findings | I |
Logging | Immutable logs (WORM); tamper detection alerts enabled | I |
Monitoring | Logs + endpoint detection feeding into SIEM with real-time response | I |
Patching | Automated patching | I |
Incident Response and Drills | Quarterly incident simulations; lessons documented | I |
Tier 3: Ruthless Simplicity + Continuous Verification
Core controls and processes are automated. Security is boring! And that’s the point.
Control | Brutalist Standard | Status |
---|---|---|
Access Reviews | Continuous access validation (Just-in-Time provisioning) | I / P |
Configuration Drift | Daily drift detection + rollback automation | I / P |
Continuous Monitoring | Behavioral analytics + anomaly detection enabled | I / P |
Zero Trust | Full Zero Trust posture across cloud and internal services | I / P |
Chaos Engineering | Simulated attacks regularly run (insider, supply chain, lateral movement) | I / P |
Metrics | Security scorecard shared monthly with leadership (MFA % use, open risks, mean time to detect/respond) | I / P |
AI Use | AI-assisted threat hunting or behavioral analytics (Wait... What?) | I / P |
Supply Chain Security | SBOM maintained; dependencies scanned at ingest & build | I / P |
Final Maturity Outcome
This is it!
Tier | Description | Security Culture |
---|---|---|
Tier 0 | Superficial security; breach is inevitable | Firefighting |
Tier 1 | Security has a seat at the table | Growing Awareness |
Tier 2 | Defensible architecture, audit-ready | Intentional Discipline |
Tier 3 | Resilient, automated, and provable | Security-First DNA |
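The introduction says the checklist can serve as a scorecard, and the Tier 3 Metrics row calls for sharing one with leadership, so here is an added example of turning the tables above into numbers. It is not the author's tooling: the snapshot text, the status weights (X = 0, P = 0.5, I = 1) and the rule that a tier counts as achieved only when every control in it and in every lower tier is Implemented are all assumptions made for this example; Tier 0 rows describe the failure baseline and are not counted toward progress.

```python
import re

# Constructed scorecard snapshot in the checklist's own "Control | Standard | Status" layout,
# using the legend's statuses (X = not yet started, P = in progress, I = implemented).
SNAPSHOT = """
Tier 1: Foundations in Place
Control | Brutalist Standard | Status |
---|---|---|
MFA | Enforced for all users, no exceptions | I |
Identity and Access | Least privilege by role, unused accounts auto-expire | I |
Cloud | Asset inventory auto-populated; no public S3 buckets | I |
Code Security | Secrets scanning in CI/CD, enforced checks | I |
Logging | Centralized log storage, 7+ day retention | I |
Tier 2: Brutalist Core
Control | Brutalist Standard | Status |
---|---|---|
MFA | Required for all internal systems (SSH, Git, etc.) | I |
Secrets in Code | Centralized secret management; no plaintext anywhere | P |
Logging | Immutable logs (WORM); tamper detection alerts enabled | I |
Tier 3: Ruthless Simplicity + Continuous Verification
Control | Brutalist Standard | Status |
---|---|---|
Configuration Drift | Daily drift detection + rollback automation | X |
Supply Chain Security | SBOM maintained; dependencies scanned at ingest & build | P |
"""

TIER_HEADER = re.compile(r"^Tier (\d+)")
STATUS_WEIGHT = {"X": 0.0, "P": 0.5, "I": 1.0}   # assumed weights, not from the page


def parse_snapshot(text: str) -> dict[int, list[tuple[str, str, str]]]:
    """Return {tier: [(control, standard, status), ...]} from the pipe-delimited tables."""
    tiers, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = TIER_HEADER.match(line)
        if header:
            current = int(header.group(1))
            tiers[current] = []
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if current is None or len(cells) != 3:
            continue
        # Skip the column-header row and the markdown separator row.
        if cells[0] == "Control" or all(not c.strip("-") for c in cells):
            continue
        control, standard, status = cells
        if status not in STATUS_WEIGHT:
            raise ValueError(f"unknown status {status!r} for control {control!r}")
        tiers[current].append((control, standard, status))
    return tiers


def tier_completion(rows: list[tuple[str, str, str]]) -> float:
    """Weighted share of a tier's controls that are done; an empty tier scores 0."""
    return sum(STATUS_WEIGHT[s] for _, _, s in rows) / len(rows) if rows else 0.0


def achieved_tier(tiers: dict[int, list[tuple[str, str, str]]]) -> int:
    """Highest tier T such that every control in tiers 1..T is Implemented (assumed rule).
    Tier 0 is the baseline-risk description and is deliberately ignored."""
    achieved = 0
    for t in sorted(t for t in tiers if t >= 1):
        if t != achieved + 1 or not all(s == "I" for _, _, s in tiers[t]):
            break
        achieved = t
    return achieved


def scorecard(text: str) -> dict:
    """Build the executive-reporting view: achieved tier, per-tier completion, open items."""
    tiers = parse_snapshot(text)
    return {
        "achieved_tier": achieved_tier(tiers),
        "completion": {t: round(tier_completion(rows), 2) for t, rows in tiers.items()},
        "open_controls": [(t, c) for t, rows in tiers.items() for c, _, s in rows if s != "I"],
    }


if __name__ == "__main__":
    for key, value in scorecard(SNAPSHOT).items():
        print(f"{key}: {value}")
```

Because the parser reads the same pipe-delimited layout as the tables on this page, a team can keep the checklist itself as the source of truth and regenerate the scorecard from it rather than maintaining a second spreadsheet.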