Layered defense, also called defense in depth, is a security strategy that uses multiple types of security controls so that if an adversary bypasses one control, another still protects the data or system or limits the damage.
Layered defense is just another name for defense in depth. The idea is simple: don't bet everything on one lock. You stack multiple security controls so an attacker has to get through several barriers instead of one.
The CED (AP Cybersecurity 2.1.G) spells out why this works. Different threats need different defenses, so layering lets an organization match the right control to each kind of attack. It also builds resilience. If an adversary slips past one control, like a firewall, the next layer (say, database encryption or multi-factor authentication) can still block access or shrink the damage. Layers can sit across policy, network, device, and data, which is exactly the framing AP uses to test the concept.
This term lives in Unit 2: Securing Spaces, topic 2.1 Cyber Foundations, and it directly answers learning objective AP Cybersecurity 2.1.G: explain why a defense-in-depth strategy is necessary to optimally protect an organization. It's the payoff concept of the whole risk discussion. You learn about adversaries (2.1.B), attack phases (2.1.C), risk (2.1.D), and individual security controls (2.1.F), and layered defense is the strategy that ties them together. The big idea: no single control is enough, so you build redundancy on purpose.
Defense in Depth (Unit 2)
These are literally the same thing. EK 2.1.G.1 says a defense-in-depth strategy is a layered defense, so if you see either term on the exam, treat them as interchangeable.
Security Controls (Unit 2)
A layered defense is built out of security controls (2.1.F). Layered defense is the strategy; controls like firewalls, encryption, and MFA are the individual bricks that make up each layer.
Phases of a Cyberattack (Unit 2)
Attacks unfold in phases like initial access, lateral movement, and taking action (2.1.C). Layered defense gives you a chance to catch an adversary at each phase, so one missed layer doesn't mean automatic compromise.
Risk Mitigation (Unit 2)
Mitigation (2.1.E) means adding controls to reduce likelihood or impact. Layered defense is mitigation taken seriously, since stacking controls lowers the odds an attack succeeds and limits the harm if it does.
Multiple-choice questions test whether you can recognize a layered defense in action. A classic stem describes an organization putting controls across policy, network, device, and data layers and asks which term names that multi-layer approach (answer: layered defense or defense in depth). Another common version lists firewalls at the perimeter, encryption on databases, MFA for users, and endpoint detection on devices, then asks what happens when an attacker breaches one layer. The point you must make: another control still protects the data or limits the damage. No released FRQ has used the exact term, but the concept supports any free-response answer about why one control isn't enough and how layering builds resilience.
Risk mitigation (2.1.E) is one of four ways to manage risk (avoid, transfer, mitigate, accept), and it means adding controls to reduce likelihood or impact. Layered defense is a specific way to do mitigation well, by stacking multiple controls. Mitigation is the broader strategy; layered defense is the multi-control tactic that carries it out.
Layered defense and defense in depth are the same concept, so treat the two terms as interchangeable on the exam.
The core idea is redundancy: if an attacker bypasses one security control, another layer still protects the data or limits the damage (EK 2.1.G.3).
Layering works because different threats need different controls, letting you match the right defense to each type of attack (EK 2.1.G.2).
Layers typically span policy, network, device, and data, which is the framing AP questions use.
This concept answers learning objective AP Cybersecurity 2.1.G in Unit 2, and it's the strategy that ties together adversaries, attack phases, and individual controls.
Layered defense is a security strategy that uses multiple types of security controls so that if one control fails, another still protects your data or limits the damage. It's also called defense in depth and is tested under learning objective AP Cybersecurity 2.1.G in Unit 2.
Yes. EK 2.1.G.1 states directly that a defense-in-depth strategy is a layered defense, so the two terms mean the same thing and either can show up on the exam.
Risk mitigation is the general strategy of adding controls to reduce a risk's likelihood or impact, and it's one of four risk-management options (avoid, transfer, mitigate, accept). Layered defense is a specific way to mitigate by stacking multiple controls, so it's a tactic that lives inside mitigation.
Because every control can eventually be bypassed. Layered defense builds resilience so that when an adversary gets past one layer, like a firewall, another layer such as encryption or multi-factor authentication can still stop them or reduce the harm (EK 2.1.G.3).
An organization using firewalls at the network perimeter, encryption on sensitive databases, multi-factor authentication for user access, and endpoint detection software on all devices. That spread of controls across network, data, and device layers is exactly what AP means by layered defense.