You can't choose the right control until you understand what it's supposed to do. Controls fall into five functional categories: preventive, detective, corrective, deterrent, and compensating. Real-world security strategies blend multiple categories to create defence in depth.
Preventive controls block an attack from succeeding. Firewalls, encryption, access badges, and input validation are all preventive. The idea is to eliminate or reduce a vulnerability so the threat can't exploit it.
Detective controls identify an attack that has already occurred (or is in progress). Log monitoring, SIEM alerts, CCTV, and intrusion detection systems fall here. Their effectiveness depends on coverage and timely human review.
```bash
# Simulated SIEM alert for multiple failed logins
# $(NF-3) is the source address in lines of the form
# "... Failed password for <user> from <ip> port <port> ssh2"
grep "Failed password" /var/log/auth.log | awk '{print $(NF-3)}' | sort | uniq -c | sort -nr | head -5
```

Corrective controls limit damage and return systems to a known good state. Examples: restoring from backups, patching a vulnerability after an exploit, or isolating an infected machine. Incident response plans are the procedural corrective control.
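The same detective check as a small script, added here as an illustration and not part of the original lesson: it parses a handful of constructed `auth.log` lines (sample data, not from a real host), counts failed SSH logins per source address, and raises an alert only once a threshold is crossed. The `threshold` parameter and the `SAMPLE_AUTH_LOG` text are assumptions of this example; tuning that threshold is exactly the "coverage and timely review" trade-off the paragraph above describes.

```python
import re
from collections import Counter

# Constructed sample auth.log lines (documentation addresses, not real traffic).
SAMPLE_AUTH_LOG = """\
Mar  3 09:12:01 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  3 09:12:03 web01 sshd[2231]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  3 09:12:05 web01 sshd[2235]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  3 09:12:07 web01 sshd[2237]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2
Mar  3 09:12:09 web01 sshd[2239]: Failed password for alice from 198.51.100.4 port 40102 ssh2
Mar  3 09:12:11 web01 sshd[2241]: Failed password for invalid user test from 203.0.113.7 port 51025 ssh2
"""

# Matches both "Failed password for <user>" and "Failed password for invalid user <user>".
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def count_failed_logins(log_text):
    """Count failed-password events per source IP (the detective control's raw signal)."""
    counts = Counter()
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            counts[m.group("ip")] += 1
    return counts


def failed_login_alerts(log_text, threshold=3):
    """Return [(ip, count), ...] for sources at or above the threshold, busiest first.

    `threshold` is an assumed tuning value: too low floods reviewers with noise,
    too high lets a slow brute-force attempt sit unnoticed.
    """
    counts = count_failed_logins(log_text)
    hits = [(ip, n) for ip, n in counts.items() if n >= threshold]
    return sorted(hits, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    for ip, n in failed_login_alerts(SAMPLE_AUTH_LOG):
        print(f"ALERT: {n} failed logins from {ip}")
```

On the sample above only `203.0.113.7` (four failures) crosses the default threshold; the single failure from `198.51.100.4` is counted but not alerted. Note that this script, like the `grep` pipeline, only identifies the activity: acting on the alert (blocking the source, isolating a host) belongs to the preventive and corrective categories.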
Deterrent controls discourage attackers by increasing perceived risk (warning banners, security guard presence). Compensating controls are used when the primary control isn't feasible, e.g., using network segmentation when you can't patch a legacy system.
| Category | Objective | Example |
|---|---|---|
| Preventive | Block | MFA |
| Detective | Identify | HIDS alerts |
| Corrective | Recover | Restore from backup |
| Deterrent | Discourage | Legal warning banners |
| Compensating | Substitute | Isolated VLAN for unpatched server |
A single technology often spans multiple categories: a next-gen firewall can be preventive (blocking malware) and detective (logging threats). Design with categories, not just products.
⚠️ Over-reliance on detective controls means you're always reacting. Aim for a strong preventive baseline.