Practical security architecture reference — from core fundamentals to cloud security, with interview prep for architect roles.
- Beginners breaking into security who want to understand how systems are secured at an architectural level
- Mid-level engineers preparing for security architect interviews or transitioning into architecture roles
- Anyone who needs a quick, opinionated reference on security architecture decisions
- Learning path: Start with Fundamentals, then move to Cloud, then Frameworks
- Interview prep: Jump straight to Interview Prep for questions, scenarios, and whiteboard exercises
- On the job: Grab a Template for your next security review or threat model
Core security architecture concepts every practitioner needs to know.
| Topic | Description |
|---|---|
| Defense in Depth | Layered security controls — why one wall isn't enough |
| Zero Trust | Never trust, always verify — architecture and implementation |
| Least Privilege | Minimum access, maximum security |
| Threat Modeling | Finding what can go wrong before it does |
| Secure SDLC | Building security into the development lifecycle |
| Identity & Access Management | Authentication, authorization, and identity architecture |
| Network Security Architecture | Segmentation, firewalls, and network design |
| Data Protection | Encryption, classification, and data lifecycle |
| Logging & Monitoring | Visibility, detection, and audit trails |
| Incident Response Architecture | Designing systems that support fast response |
| API Security | Securing APIs — OWASP Top 10, gateways, and authentication patterns |
| Security Automation & Orchestration | SOAR, IaC security, CI/CD pipelines, and detection-as-code |
| Vendor Risk Management | Third-party risk lifecycle — assess, contract, monitor |
| Security Policy Development | Policy hierarchy, governance, and writing enforceable policies |
Security architecture in cloud environments — AWS, Azure, and GCP patterns.
| Topic | Description |
|---|---|
| Shared Responsibility Model | Who secures what in cloud environments |
| Cloud Identity & IAM | Identity federation, roles, and cloud-native IAM |
| Network Segmentation in Cloud | VPCs, security groups, and micro-segmentation |
| Secure Cloud Storage | Object storage, encryption, and access policies |
| Container & Serverless Security | Securing modern compute patterns |
| Cloud Logging & SIEM | Centralized logging and detection in the cloud |
| Multi-Cloud Considerations | Architecture decisions across cloud providers |
Industry frameworks and how they map to real architecture decisions.
| Topic | Description |
|---|---|
| NIST CSF | The Cybersecurity Framework — Identify, Protect, Detect, Respond, Recover |
| CIS Controls | Prioritized security actions that work |
| MITRE ATT&CK | Adversary tactics and techniques — the defender's playbook |
| Zero Trust Architecture (NIST 800-207) | The formal ZTA reference architecture |
| ISO 27001 / 27002 | International ISMS standard — certification, controls, and PDCA |
Fork these and use them on the job.
| Template | Use Case |
|---|---|
| Threat Model Template | Structured threat modeling for any system |
| Security Architecture Review | Checklist for reviewing system designs |
| Risk Assessment Template | Lightweight risk assessment framework |
| Cloud Security Checklist | Pre-deployment cloud security validation |
Found an error? Have a better way to explain something? PRs welcome.
MIT — use it, fork it, learn from it.