In a perfect world, you’d have enough time and resources to address every vulnerability and exposure. You could carefully implement tailored remediations that address specific security gaps. Patches would have little to no impact on operations.
In reality, your team is inundated with an endless stream of exposure findings. Vulnerabilities, misconfigurations, and exposures quickly pile up to the thousands. Even worse, these findings are scattered across disparate tools: vulnerability management (VM) and cloud, data, and application security posture management (CSPM, DSPM, and ASPM) solutions, just to name a few.
With limited security team resources and bandwidth, addressing each finding one by one is practically impossible. Some patches could create even more issues and risk severely disrupting the business. Findings fatigue bogs your team down and diminishes its capacity to effectively respond when it actually matters.
Sound familiar? If so, take a step back and consider all the layers of protections throughout your systems and infrastructure. This unified view can help you realize that you actually already have relevant security measures in place for many findings. While they may work differently than suggested remediations, they still provide adequate protections from potential exploits.
The above scenario illustrates the concept of compensating controls for exposure management in action. Keep reading to dig into what they are, how they relate to other key security concepts, and how to think about compensating controls for your organization’s security programs, with a range of illustrative examples.
What Are Compensating Controls for Exposure Management?
Compensating controls for exposure management are alternative measures used to address an exposure when the “primary” control is not feasible, practical, or cost-effective.
Solid foundational knowledge of security controls and defense in depth helps in understanding how compensating controls work. Seasoned practitioners, feel free to skip to the next section.
A Refresher on Security Controls
Security controls are safeguards that protect the confidentiality, integrity, and availability of an organization’s systems and information. These measures prevent, detect, and counteract threats to mitigate risks to essential operations and assets (e.g. physical property, devices, applications, databases with sensitive information, etc.).
While there are a few authoritative resources on security controls (e.g. NIST SP 800-53 and CIS Controls), you can bucket them into 3 categories:
Prevention, Detection, and Corrective Controls
Prevention controls are proactive safeguards that stop incidents from occurring by eliminating exposures before an adversary can exploit them. There is a wide variety of subcategories within prevention controls. Those that tend to get the most emphasis include configuration management controls (e.g. templates for secure defaults, removal or disablement of unnecessary services) that reduce attack surfaces and harden systems; access controls (e.g. IAM, MFA, RBAC) that determine who can access what; data protection controls (e.g. encryption, digital signatures) that protect data from unauthorized access; network-level controls (e.g. firewalls, segmentation processes) that limit traffic to authorized uses; and application-level controls (e.g. API endpoint protections, input validation processes) that block exploits and abuses of business applications.
Detection controls are reactive measures that identify, log, and alert on activity that may indicate a security incident has happened. Detection controls also have a variety of subcategories across system monitoring, auditing, logging, threat detection, alerting, and more. They are generally implemented by SIEM, IDS, EDR, UEBA, FIM, and related technologies.
Corrective controls are measures that guide incident response, enable remediation, mitigate damages, and facilitate restoration and recovery. Examples of corrective controls include patch management processes, incident response playbooks, automatic lockouts, and network quarantine mechanisms. They’re facilitated by a range of tools including firewalls, antivirus, SOAR, EDR, DFIR, and several other adjacent technologies.
These 3 broad categories of security controls provide different layers of protection that reinforce each other to safeguard your organization.
What Is Defense In Depth?
“Defense in depth” is the practice of combining overlapping layers of protections across the above control categories. Multiple security measures make it much more difficult for adversaries to achieve their goal. If one control fails, several others still stand in between the attacker and their target.
A castle is a classic analogy. Outer walls resemble firewalls, while moats resemble network segmentation. Guards are a basic form of access control, checking who comes and goes. Watchmen monitor activity near the outer walls and report their findings, similar to SIEMs and EDRs. A garrison of soldiers is ready to push back enemies who succeed in breaching the walls, similar to incident responders during a cyber attack. In the aftermath of a siege, stewards rebuild gates, repair walls, and add new fortifications while helping restore the armory, similar to remediation and recovery efforts.
Savvy adversaries can overcome these controls in isolation. Imagine a spy trying to steal a rival kingdom’s war plans, disguised as a merchant. After manipulating the guards to enter the castle, he’d still need to get to the keep, access the war council’s chambers, find the plans, document the intel, then escape, evading security measures at every step. That’s the essence of defense in depth: several layers of protections that work together to systemically reduce risk and thwart attackers’ efforts.
In cybersecurity, prevention controls are the first line of defense that stop threats before any harm is done. Detection controls provide the next line of defense, identifying the nature of the threat and triggering appropriate responses. Corrective controls are the final fail-safe measures that contain breaches, limit damage, and restore systems to their pre-breach state.
Compensating Controls for “Defense in Breadth”
Defense in depth sets the standard for systemically reducing risk, but the strategy has a key drawback. It’s often not practical to implement. This is where compensating controls for exposure management shine. They provide sufficient protections when the theoretical “ideal” of defense in depth’s diversity of controls isn’t feasible.
Let’s revisit our castle analogy: what happens when heavy storms damage a large section of the outer walls, but the masons are already reinforcing doors in the keep? The moat just beyond the outer wall is still there preventing easy penetration. Watchmen and rangers could also be deployed with more frequent patrols near the damaged area.
But what if a sudden illness overcomes many of the watchmen, or an extended drought dries up the moat? The castle’s archers are still placed at the battlements just inside the moat to protect the inner walls. Rangers could extend their surveillance, and messengers could tell nearby villages to light beacon fires if they see enemy activity.
You still need to eventually repair the castle walls (and maybe pray for rain while you’re at it!). Fortunately, the presence of the other measures means those fixes don’t need to happen right now. Making optimal tradeoff decisions and tactical adjustments requires clear visibility into the status of all the various layers of defenses, knowledge of available resources and surrounding conditions, and alignment with the kingdom’s key priorities. And it’s really no different for cybersecurity practitioners and leadership.
Defense in Depth vs. Breadth
Think back to the introduction: maintaining defense in depth with immediate, targeted remediations only happens in theory. In reality, compensating controls save the day by providing adequate protections from exposures when multiple layers of defenses aren’t feasible. They ensure you’re covered in practical scenarios where time is of the essence, manpower is limited, and budgets are constrained. Clear visibility into how security controls compensate for each other helps answer “am I protected from active threats relevant to my organization? How might those protections hold up? And if they don’t, what’s the backup plan?”
So if defense in depth means multiple layers of overlapping security controls that always work as expected, we can call a realistic strategy built around compensating controls “defense in breadth.”
Compensating Controls for Exposure Management in Action: Sample Scenarios
Now let’s dig into some real-world examples of compensating controls to see this “defense in breadth” concept in action.
Legacy Application Lacking MFA
Legacy, custom applications built in-house still exist in many organizations, especially for HR and finance. You know the saying: if it ain’t broke, don’t fix it. But these applications often don’t support multi-factor authentication due to outdated protocols, incompatibility with current authentication libraries, or limitations in their code base.
In the absence of MFA, a range of compensating controls can be deployed to mitigate risk. You could configure the application to only be accessible through a company-hosted VPN and enhance the application’s password policy to require high-complexity, frequently-rotated passwords. These prevention controls compensate for the lack of MFA by limiting potential paths to unauthorized access.
Detection controls can also compensate for this gap. A targeted set of detection rules can be deployed into the organization’s SIEM to identify potential identity-based attacks scoped to the relevant infrastructure, with targeted runbooks that ensure swift response workflows should a threat arise.
Insecure Protocols Running on Endpoints
Insecure, outdated protocols like SMBv1, Telnet, and older versions of FTP persist in many enterprise environments, often to support fragile integrations with legacy systems or custom tools. Most vulnerability management platforms would tell you to block their usage, either directly at the endpoint or on the network. These two approaches compensate for each other: blocking at the endpoint relies on EDR, while blocking on the network relies on IPS, and either one covers for the absence of the other.
Unfortunately, stopping their use altogether can break critical business processes that aren’t easily rewritten or replaced. When these insecure protocols can’t be eliminated outright, network access control lists can tightly restrict which systems can communicate over the protocol, limiting its use to known, trusted paths. Host-based monitoring tools can be configured to detect and alert on protocol usage, providing visibility without disrupting operations.
Detection-based compensating controls could also add valuable coverage. SIEM rules can flag unusual use of legacy protocols, especially outside of business hours or from unexpected systems. These signals, paired with predefined response procedures, help reduce the window of exploitability until a long-term fix becomes viable.
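The detection logic described above, written out as an added example that is not part of the original article or any vendor product. It assumes a hypothetical flow log format (`ts=... src=... dst=... proto=...`), a constructed inventory of the only source/destination pairs approved to keep using each legacy protocol, and a business-hours window of 08:00 to 17:59, Monday through Friday; all addresses and records are constructed for illustration.

```python
"""Flag legacy-protocol traffic that is off the approved paths or outside business hours."""
from dataclasses import dataclass, field
from datetime import datetime

# Constructed inventory (hypothetical addresses): legacy protocols that cannot yet be
# disabled, and the only (src, dst, proto) triples approved to keep using them.
LEGACY_PROTOCOLS = {"smbv1", "telnet", "ftp"}
APPROVED_PATHS = {
    ("10.20.1.15", "10.20.5.40", "smbv1"),   # legacy HR file-share integration
    ("10.20.1.16", "10.20.7.12", "telnet"),  # maintenance console on an old controller
}
BUSINESS_HOURS = range(8, 18)  # 08:00-17:59 local time, Monday-Friday


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    proto: str


@dataclass
class Alert:
    flow: Flow
    reasons: list = field(default_factory=list)


def parse_flow(line: str) -> Flow:
    """Parse one constructed 'key=value' flow record into a Flow."""
    fields = dict(part.split("=", 1) for part in line.split())
    return Flow(
        ts=datetime.fromisoformat(fields["ts"]),
        src=fields["src"],
        dst=fields["dst"],
        proto=fields["proto"].lower(),
    )


def evaluate(flow: Flow) -> list:
    """Return the reasons a flow should alert; an empty list means benign."""
    if flow.proto not in LEGACY_PROTOCOLS:
        return []  # only legacy protocols are in scope for this rule
    reasons = []
    if (flow.src, flow.dst, flow.proto) not in APPROVED_PATHS:
        reasons.append("unapproved path")
    off_hours = flow.ts.weekday() >= 5 or flow.ts.hour not in BUSINESS_HOURS
    if off_hours:
        reasons.append("outside business hours")
    return reasons


def detect(lines) -> list:
    """Run the rule over raw log lines and collect the alerts."""
    alerts = []
    for line in lines:
        flow = parse_flow(line)
        reasons = evaluate(flow)
        if reasons:
            alerts.append(Alert(flow=flow, reasons=reasons))
    return alerts


# Constructed sample records. 2024-03-04 is a Monday; 2024-03-09 is a Saturday.
SAMPLE_LOG = [
    "ts=2024-03-04T10:15:00 src=10.20.1.15 dst=10.20.5.40 proto=smbv1",  # approved, in hours
    "ts=2024-03-04T02:30:00 src=10.20.1.15 dst=10.20.5.40 proto=smbv1",  # approved, 02:30
    "ts=2024-03-04T11:00:00 src=10.20.3.77 dst=10.20.5.40 proto=smbv1",  # unexpected source
    "ts=2024-03-09T14:00:00 src=10.20.1.16 dst=10.20.7.12 proto=telnet", # approved, Saturday
    "ts=2024-03-04T12:00:00 src=10.20.3.77 dst=10.20.5.40 proto=https",  # not a legacy protocol
    "ts=2024-03-04T03:00:00 src=10.20.9.9 dst=10.20.7.12 proto=ftp",     # both conditions
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        f = alert.flow
        print(f"{f.ts} {f.src}->{f.dst} {f.proto}: {', '.join(alert.reasons)}")
```

The approved-path set is the piece worth maintaining carefully: it is the same list of "known, trusted paths" the network access control lists encode, so keeping the two in sync lets the detection rule confirm the preventive control is holding rather than duplicating it.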
Web Application Vulnerabilities
Not every web application vulnerability can be patched immediately, especially in large environments with limited engineering bandwidth, complex deployment pipelines, and change management gates. In many cases, a well-tuned Web Application Firewall (WAF) serves as a critical compensating control by blocking known exploit patterns at the edge.
The options for compensating controls don’t stop there. Runtime Application Self-Protection (RASP) can be used within the application itself to enforce security policies and detect malicious behavior in real time. Additionally, reinforcing input validation and output encoding can reduce exploitability even if the vulnerable function is still present in the code.
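Input validation and output encoding as compensating controls, shown as an added example that is not code from the original article. It assumes a hypothetical search page that echoes the user's query and sorts by a caller-supplied column; the unvalidated function is the shape of the code that leaves the exposure in place, and the hardened one adds an allowlist for the sort column, a character-class check on the query, and HTML encoding of everything echoed back, so the encoding still protects the page if the validation pattern is later relaxed.

```python
"""Hypothetical search-results rendering: unvalidated version beside a hardened one."""
import html
import re

# Allowlist for the sort parameter: anything else is rejected rather than echoed.
ALLOWED_SORT_COLUMNS = {"name", "date", "size"}
# Conservative character class for a free-text query (letters, digits, space and
# a few punctuation marks, 1-64 characters); constructed for this example.
QUERY_PATTERN = re.compile(r"^[\w .,'-]{1,64}$")


class ValidationError(ValueError):
    """Raised when a request parameter fails validation."""


def render_results_unvalidated(query: str, sort: str) -> str:
    """Echoes both parameters straight into HTML with no checks or encoding."""
    return f"<p>Results for {query}, sorted by {sort}</p>"


def validate_sort(sort: str) -> str:
    """Accept only a known column name (allowlist validation)."""
    if sort not in ALLOWED_SORT_COLUMNS:
        raise ValidationError("unsupported sort column")
    return sort


def validate_query(query: str) -> str:
    """Accept only queries made of expected characters."""
    if not QUERY_PATTERN.fullmatch(query):
        raise ValidationError("query contains unexpected characters")
    return query


def render_results_hardened(query: str, sort: str) -> str:
    """Validate first, then HTML-encode anything echoed back to the browser."""
    q = validate_query(query)
    s = validate_sort(sort)
    # quote=True also encodes ' and " so the value is safe inside attributes too.
    return f"<p>Results for {html.escape(q, quote=True)}, sorted by {html.escape(s)}</p>"


def is_accepted_request(query: str, sort: str) -> bool:
    """True if the hardened path would serve this request, False if it rejects it."""
    try:
        render_results_hardened(query, sort)
        return True
    except ValidationError:
        return False


if __name__ == "__main__":
    print(render_results_hardened("O'Brien", "name"))
    print(is_accepted_request("<b>bold</b>", "name"))   # False: rejected by validation
    print(is_accepted_request("O'Brien", "owner"))      # False: column not in allowlist
```

The two layers are deliberately redundant: validation rejects the markup characters outright, and encoding handles the characters validation still lets through (the apostrophe in `O'Brien` is rendered as `&#x27;`), which is what makes the control hold even when the underlying vulnerable function has not yet been changed.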
From a detection perspective, signals from the WAF and application logs can be fed into a SIEM or analytics platform to monitor attempted exploits. When tied to alert thresholds and SOAR workflows, this creates a layered defense posture that mitigates risk even before a full code-level patch can be deployed.
Endpoint Firewall Reconfiguration
In some cases, patches for known vulnerabilities can’t be applied without first adjusting local endpoint firewall configurations. Unfortunately, these changes could disrupt other dependent systems or expose devices in unintended ways. When endpoint firewalls can’t be reconfigured immediately, cloud-native firewalls often take over as the first line of defense.
As a compensating control, traffic to the vulnerable endpoints can be tightly filtered upstream at the cloud perimeter, ensuring that only specific, trusted sources are allowed to connect. In parallel, host-based intrusion prevention systems (HIPS) can be deployed to inspect runtime behavior and block known exploit attempts at the process level.
Detection controls further bolster this setup. EDR agents or network detection tools can alert security teams when anomalous connections or access attempts are made to the protected endpoints. Combined with tailored alerting logic and rapid containment playbooks, these layers buy time while the underlying firewall configuration issues are addressed.
–
In all the above examples, a phased, layered approach is the best path. Observe user activity related to the exposure, educate relevant stakeholders about risks and alternatives, and gradually restrict usage through policy or technical constraints.
Layered Defenses, Real-World Execution with Compensating Controls for Exposure Management
Security teams strive for ideal, layered defense architectures. In the real world, legacy systems, integration complexity, and competing business priorities often make defense in depth infeasible. That’s where compensating controls for exposure management can introduce a “defense in breadth” paradigm to manage risk with flexibility, precision, and context. Compensating controls enable creative, risk-aware strategies that replicate the intent of missing controls without disrupting the business.
Whether it’s restricting access to endpoints that use insecure protocols or pairing runtime protections with WAFs to cover application vulnerabilities, compensating controls allow organizations to preserve continuity while maintaining strong security posture.
The key is to implement layers of prevention, detection, and response in ways that reduce risk despite technical limitations. When guided by real-world constraints and threat modeling, compensating controls aren’t just acceptable. They’re the smartest path to effective, resilient exposure management.
