Medieval Castle Architects Invented Cybersecurity 800 Years Ago. Is Your Business Using Their Playbook?
Thought Leadership Defense in Depth
April 2026  ·  8 min read

Moats. Drawbridges. Portcullises. Murder holes. The architects of medieval castles invented layered defense-in-depth centuries before the first computer existed — and the principles they built in stone map almost perfectly to the security posture every small business needs today.


In the 13th century, the architects of Caernarfon Castle in Wales planned the King's Gate to require any visitor to cross two drawbridges, pass through five heavy doors, and pass under six portcullises — with murder holes in the ceiling and arrow slits on both walls the entire way. Though the gatehouse was never fully completed as originally designed, the intention was unambiguous: an attacker who breached the outer moat still faced the gatehouse. An attacker who forced the gatehouse still faced the portcullis. An attacker who bypassed the portcullis still faced scalding water from above and archers on both sides. Reaching the inner keep required surviving every single one of these layers — consecutively, under fire, with no cover.

Medieval military architects didn't call it "defense-in-depth." They didn't have a term for it at all. They just understood something intuitively that took modern cybersecurity decades to formally articulate: a single line of defense, no matter how strong, will eventually be breached. The only reliable protection is layers — each one independent, each one capable of stopping an attacker even if everything before it has failed.

Now consider the typical small business security posture in 2026: a firewall on the perimeter, antivirus on the endpoints, and the assumption that if those two things are in place, the castle is secure. That's the 9th century equivalent of a wooden palisade and a prayer. The medieval architects would be horrified.

"Nothing was made by chance. When visiting a castle, consider why this wall or tower was built where it stands or how it used the landscape as part of its defenses." — Every element served a purpose. Every layer was deliberate. The same should be true of your security architecture.

The castle as a security architecture lesson

Walk through the defensive layers of a medieval castle from the outside in — and the modern cybersecurity parallel at each layer becomes unmistakable.

🌊

Layer 1 — The Moat

First line of defense. Stops attackers before they reach the walls.

Castle: A deep ditch — typically 30–60 feet wide and up to 15 feet deep — surrounding the entire castle, often filled with water. The moat prevented attackers from using battering rams, siege towers, or tunneling beneath the walls. It forced any attacker to slow down and become exposed to defensive fire before they ever reached the walls themselves.

Modern equivalent: Your external attack surface assessment. Before an attacker can reach your systems, do you know what's visible from the outside? Exposed ports, discoverable admin pages, publicly indexed sensitive files, misconfigured DNS records. The moat is knowing your perimeter — because you can't defend what you can't see.
🪵

Layer 2 — The Drawbridge

Controlled access. Raised the moment danger appears.

Castle: The drawbridge spanned the moat and could be raised in seconds when danger was detected — removing the only safe crossing and forcing any attacker into the water. It wasn't permanently down or permanently up. It was controlled access: open to those with legitimate business, closed instantly to everyone else.

Modern equivalent: Firewall rules, VPN access controls, and network segmentation. Your most sensitive systems should require explicit access, not be open by default. The drawbridge principle: default to closed, open deliberately. Not everything should be accessible from everywhere.
🏰

Layer 3 — The Curtain Wall

The primary perimeter. Thick, high, and built to absorb punishment.

Castle: The outer curtain wall — often 30+ feet high and over two meters thick — was the castle's primary defensive perimeter. It wasn't designed to stop every attack forever; it was designed to slow attackers long enough for defenders to respond. The wall at Caerphilly Castle was built to a depth that made battering rams completely ineffective.

Modern equivalent: Your patched, hardened perimeter: up-to-date software, closed unnecessary ports, SSL/TLS properly configured, email authentication records (SPF, DKIM, DMARC) in place. The curtain wall is your maintained, monitored surface — not impenetrable, but strong enough to make attacks expensive and detectable.
⛩️

Layer 4 — The Gatehouse & Portcullis

Authentication under pressure. The last check before entry.

Castle: The gatehouse was the most fortified structure in the castle — intentionally so, because the entrance was also the most vulnerable point. The portcullis could be dropped instantly to seal the gate, trapping attackers in the passageway. Caernarfon's King's Gate had six separate portcullises. An attacker who forced one still faced five more.

Modern equivalent: Multi-factor authentication on every login — especially email, admin accounts, and remote access. MFA is your portcullis: even if an attacker has a valid password (forced the first gate), they still can't pass. Six portcullises at Caernarfon. You need at minimum one — and most SMBs still don't have it.
☠️

Layer 5 — The Murder Holes

Active detection. What happens when someone gets through anyway.

Castle: Murder holes (machicolations) were openings in gatehouse ceilings through which defenders could drop rocks, scalding water, or burning sand on attackers who had already breached the outer defenses. Castle designers planned for breaches. They didn't assume the walls would hold forever. They built active countermeasures for the moment they didn't.

Modern equivalent: Intrusion detection, security monitoring, and incident response planning. Assume breach — plan for what happens when an attacker gets through your perimeter. Endpoint detection, log monitoring, and anomaly alerting are your murder holes: active countermeasures that operate after the initial defenses have been bypassed.
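What "log monitoring" looks like in practice for the gate described above: the failures that precede a forced login are the signal. The script below is an added example, not code from the original post or from Veriti Spottr; it runs over constructed sshd-style auth log lines and raises one alert when an address reaches a burst of failed logins, and a higher-value alert when the same address then succeeds inside the window, which is the moment the portcullis has been forced and the murder holes need to act.

```python
"""Detect a brute-force burst and a failure-then-success pattern in auth log
lines, the 'murder holes' layer. Added example, not from the original post;
the log lines are constructed sshd-style samples."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")

# Constructed sample: five failures in ten seconds, then a success from the same address
SAMPLE_LOG = """\
Mar 14 02:11:05 gw sshd[812]: Failed password for invalid user admin from 203.0.113.9 port 4021 ssh2
Mar 14 02:11:07 gw sshd[812]: Failed password for invalid user test from 203.0.113.9 port 4022 ssh2
Mar 14 02:11:09 gw sshd[815]: Failed password for root from 203.0.113.9 port 4023 ssh2
Mar 14 02:11:12 gw sshd[816]: Failed password for alice from 203.0.113.9 port 4024 ssh2
Mar 14 02:11:15 gw sshd[817]: Failed password for alice from 203.0.113.9 port 4025 ssh2
Mar 14 02:11:40 gw sshd[819]: Accepted password for alice from 203.0.113.9 port 4026 ssh2
Mar 14 02:30:00 gw sshd[901]: Failed password for bob from 198.51.100.4 port 5100 ssh2
Mar 14 09:00:00 gw sshd[950]: Accepted password for bob from 198.51.100.4 port 5101 ssh2
"""

def parse(log_text, year=2026):
    """Yield (timestamp, result, user, ip); lines that do not match are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["result"], m["user"], m["ip"]

def detect(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return (kind, ip, user, time) alerts: 'brute_force' when an address reaches
    `threshold` failures inside `window`, 'success_after_burst' when that address
    then logs in successfully within `window` (the pattern that means the gate was forced)."""
    alerts = []
    failures = defaultdict(list)   # ip -> timestamps of recent failed logins
    burst_at = {}                  # ip -> time the failure burst was last observed
    for ts, result, user, ip in parse(log_text):
        if result == "Failed":
            recent = [t for t in failures[ip] if ts - t <= window] + [ts]
            failures[ip] = recent
            if len(recent) >= threshold:
                if ip not in burst_at:
                    alerts.append(("brute_force", ip, user, ts))
                burst_at[ip] = ts
        elif ip in burst_at and ts - burst_at[ip] <= window:
            alerts.append(("success_after_burst", ip, user, ts))
    return alerts
```

On the sample, `detect(SAMPLE_LOG)` returns two alerts for 203.0.113.9 and nothing for bob's single failure hours before his normal login, which is the difference between a noisy rule and one an SMB can actually act on.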
🗼

Layer 6 — The Inner Keep

The crown jewels. Your most protected, most restricted asset.

Castle: The keep was the innermost stronghold — the last resort and the most hardened structure in the castle. It housed the lord, the treasury, and the most valuable assets. Access was strictly controlled; even within the castle, not everyone could enter the keep. Spiral staircases were deliberately narrow to slow any attacker who made it this far.

Modern equivalent: Least-privilege access controls and data segmentation. Your most sensitive data — financial records, client contracts, employee information — should be accessible only to those who need it. An attacker who breaches your perimeter shouldn't automatically reach everything. Segment, restrict, and protect the crown jewels separately.

The weakness that brought down every castle

Here's what medieval military history teaches that the cybersecurity world keeps relearning: almost no castle fell to a direct frontal assault on its defenses. The fortifications worked. What failed, repeatedly, was something else entirely.

1. Trickery at the gate

Pontefract Castle fell when attackers disguised themselves as bed-collectors to gain legitimate entry. The defenses were irrelevant — the drawbridge was lowered for them willingly. Modern equivalent: phishing and social engineering. Your portcullis doesn't help if your employee opens the gate.

2. The insider threat

Throughout castle history, gates were opened from the inside by traitors or coerced guards. All external fortification is useless if someone with legitimate access acts against you. Modern equivalent: compromised employee credentials, malicious insiders, or accounts that weren't disabled when an employee left.

3. The unguarded postern gate

Many castles had small secondary entrances — postern gates — used for discreet movement. These were less defended than the main gatehouse and frequently exploited. Modern equivalent: forgotten admin accounts, unused open ports, shadow IT tools that create access paths nobody is monitoring.

4. Siege and attrition

When direct assault failed, attackers simply waited — cutting off supply lines, starving the garrison, waiting for desperation. Modern equivalent: ransomware. Encrypt the data, cut off access, wait for the business to become desperate enough to pay. The castle that didn't prepare for a long siege lost to one.

Every one of these failure modes has a direct modern counterpart — and every one is exploited against SMBs today. The castles that survived weren't the ones with the thickest walls. They were the ones that planned for all four failure modes, not just the frontal assault.

The castle your business needs to build

Defense-in-depth isn't a complicated concept. Medieval architects who had never heard the term built it instinctively because they understood the stakes. When a castle fell, people died. When a business suffers a significant breach, the consequences are existential in a different but equally real way — customers lost, data exposed, operations paralyzed, reputation gone.

The six-layer castle maps directly to a defensible SMB security posture:

  • Moat: Know your external attack surface continuously — not annually
  • Drawbridge: Default-deny access controls with explicit allow rules
  • Curtain wall: Patched systems, closed ports, hardened email authentication
  • Portcullis: MFA on every account that matters
  • Murder holes: Monitoring, detection, and an incident response plan
  • Inner keep: Segment your most sensitive data behind the strictest access controls

Most SMBs have layer three — the curtain wall — and call it done. The medieval architects would recognize that immediately: a single wall, no moat, no portcullis, no inner keep, and no plan for when the wall fails. That's not a castle. That's a target.

Platforms like Veriti Spottr are built to give you the moat — the continuous, outside-in view of your attack surface that tells you what's visible, what's exposed, and what needs to be fixed before someone uses it as the entry point. You can't build the other layers until you know what your perimeter looks like. That's where the castle starts.

The final stone

The architects of Caernarfon, Caerphilly, and Beaumaris didn't build their castles hoping no one would attack them. They built them assuming attack was inevitable and designing every layer to make it as costly as possible. They planned for the frontal assault and for the spy at the gate and for the unguarded postern and for the long siege.

Eight hundred years later, the threat model has changed. The attackers are bots and criminal syndicates and nation-state actors rather than knights and siege engines. But the logic of layered defense hasn't changed at all.

Build your moat. Raise your drawbridge. Man your murder holes. And know exactly what your walls look like — from the outside — before anyone else does.

Start with the moat — know your external attack surface before attackers do. Veriti Spottr's beta is free.

Veriti Spottr Team  ·  AI-powered cyber risk clarity for SMBs  ·  veritispottr.com
