Open Sourcing the Peak Defence Method: Transforming Security Management

Why we're open sourcing our security methodology to help organizations build more effective, resilient security programs across all maturity levels.

Roman Jasins

Enhancing Security Through Knowledge Sharing

You can skip directly to the Peak Defence Method, or keep reading to learn why we’re open sourcing our security methodology.

The Growing Gap Between Security Investment and Outcomes

Despite record spending on tools and technologies, many organizations still struggle to build effective security management programs. The troubling reality is that the gap between security investment and actual outcomes continues to widen—and for good reason.

Security isn’t just about technology. It never has been.

Most security failures don’t stem from a lack of tools; they come from fundamental disconnects in how security is managed:

  • Security teams operate in isolation from the rest of the organization
  • Programs focus on prevention while neglecting resilience and recovery
  • Work expands indefinitely without clear boundaries or completion criteria
  • Security requirements arrive too late in development and business processes
  • Cross-functional dependencies create bottlenecks and implementation failures

At Peak Defence, we’ve spent a long time developing, testing, and refining a methodology that addresses these challenges. Our approach integrates people, process, and technology in a framework that scales from startups to enterprises, providing clear guidance while adapting to organizational context.

Today, we’re taking a step that might seem counterintuitive for a security company: we’re open sourcing our entire methodology.

Why Open Source Our “Secret Sauce”?

The decision to open source our methodology wasn’t an obvious one. We’ve invested countless hours refining our approach, testing it with organizations of all sizes, and learning from both successes and failures.

But the answer to “why share it?” is profoundly simple: security works better when knowledge is shared, not hoarded.

We believe that improving the security posture of organizations worldwide serves a greater purpose than maintaining proprietary methods. By making our methodology accessible to everyone, we aim to:

  1. Elevate the entire industry’s approach to security management
  2. Reduce unnecessary duplication of effort as organizations reinvent similar wheels
  3. Create a community of practice that continuously improves our collective capabilities
  4. Make effective security accessible to organizations of all sizes, not just those with massive budgets

As threats continue to evolve and resources remain constrained, we can’t afford to keep effective security approaches locked away. The challenges we face demand collaborative solutions.

The Peak Defence Method: A Meaningful Approach to Security

Our methodology addresses the fundamental disconnect between security investment and outcomes by providing a comprehensive framework built on these core principles:

  1. Prioritizes by risk - focusing security efforts on what matters most using practical risk assessment techniques
  2. Balances resilience with prevention - designing security that adapts to inevitable failures
  3. Decentralizes execution with clear guardrails - empowering teams while maintaining direction
  4. Creates visible progress and value - delivering concrete security improvements that business leaders can see
  5. Establishes time-bounded security work - preventing endless projects through deliberate scoping

The foundation of this approach is what we call the Four Horizons Framework—a structured way to connect security strategy with daily execution:

The Four Horizons Framework

Our framework spans multiple time horizons, ensuring both strategic vision and practical execution:

Lifetime Horizon (Years) - Security principles and architecture that guide long-term decisions:

  • Enterprise security vision and principles
  • Core risk tolerance framework
  • Long-term security capability planning
  • Cross-functional security operating model

Yearly Horizon (12 Months) - Structured security program with clear objectives:

  • Annual risk assessment and prioritization
  • Major security capability initiatives
  • Resource allocation and planning
  • Compliance roadmap and governance

Quarterly Horizon (3 Months) - Breaking down annual goals into achievable projects:

  • Shaped security initiatives with clear appetites
  • Security portfolio management
  • Progress measurement and adaptation
  • Cross-functional delivery coordination

Cycle Horizon (6 Weeks + Cool-down) - Converting projects into executable work:

  • Time-bounded security implementation cycles
  • Team autonomy with clear boundaries
  • Visible progress tracking and completion
  • Built-in reflection and improvement

This structure creates a virtuous cycle where strategic direction guides tactical execution, and implementation learnings inform future strategy.

Cross-Functional Security Integration

One of the most distinctive aspects of our methodology is how it addresses security as an inherently cross-functional capability rather than a siloed technical function.

Traditional approaches treat security as something applied to the business from the outside. The Peak Defence Method integrates security across organizational functions:

  • Product/Engineering: Security patterns that enable rather than block development
  • Operations: Resilience capabilities that span prevention, detection, and recovery
  • Legal/Compliance: Risk-informed frameworks that satisfy regulations without checkbox thinking
  • Business Units: Security enablement that aligns with business objectives and constraints

By providing function-specific guidance and creating clear interfaces between security and other domains, we transform security from a barrier to an enabler of business success.

A Methodology That Grows With You

Organizations at different maturity levels have fundamentally different security needs. A startup of 20 people can’t implement security the same way as a global enterprise of 20,000—and shouldn’t try to.

Our methodology addresses this reality through a progressive disclosure approach with three distinct maturity levels:

Level 1: Startup Foundation (5-50 employees)

For startups and small organizations, we focus on:

  • Essential security controls with maximum impact
  • Simple processes with minimal overhead
  • Direct collaboration across the entire team
  • Practical guidance that balances security with agility

Example: Our startup-level guidance for incident response provides a simple one-page playbook that any team member can follow, focusing on the critical first steps rather than comprehensive procedures.

Level 2: Scale-up Enhancement (50-500 employees)

As organizations grow, we provide:

  • Structured security programs with dedicated resources
  • Balanced processes that scale without bureaucracy
  • Security champions network across departments
  • Specialized guidance for different functions

Example: Our scale-up approach to access management includes role-based templates, departmental integration guides, and automation patterns that maintain security while supporting organizational growth.

Level 3: Enterprise Optimization (500+ employees)

For large organizations, we offer:

  • Comprehensive security architecture and governance
  • Enterprise integration across business units
  • Specialized security functions with clear interfaces
  • Advanced resilience and adaptation capabilities

Example: Our enterprise-level risk management framework includes business capability mapping, cross-functional governance structures, and specialized risk assessment methodologies for different organizational contexts.

By providing right-sized guidance for each maturity level, we ensure organizations can implement effective security appropriate to their size and complexity—and evolve their approach as they grow.

What You’ll Find in the Open Source Methodology

Our comprehensive playbook includes practical guidance you can implement today:

Core Methodology Chapters

  1. Core Principles: The philosophical foundation of resilience-oriented security
  2. Planning Horizons: How to organize security work across different timescales
  3. Shaping Security Work: Defining security initiatives at the right level of abstraction
  4. Security Roles and Responsibilities: Building effective security teams and governance

Why Now?

The timing of this decision isn’t random. We’re at an inflection point in cybersecurity where:

  1. AI is transforming the security landscape, creating both opportunities and challenges
  2. Resource constraints are intensifying, forcing teams to do more with less
  3. Threat actors are becoming increasingly sophisticated, requiring more intelligent defensive approaches
  4. Cross-functional security has become essential, as security touches every aspect of business

By open sourcing our methodology now, we aim to help organizations navigate these challenges with approaches proven to work in real-world environments.

What This Means for Our Business

Some might wonder how open sourcing our methodology aligns with our business interests. We see it as perfectly aligned with our values and business model for several reasons:

  1. We believe in our technology. While our methodology provides the framework, our Wingman platform offers the most efficient implementation of these principles.

  2. We’re playing the long game. By helping elevate industry practices, we’re creating an ecosystem where our approach to security management becomes the standard.

  3. We practice radical transparency. This move aligns with our core value of openness and our belief that security thrives in the light, not in the shadows.

  4. Our professional CISO services complement the methodology. Organizations that want expert guidance implementing these principles can still engage with our professional services team.

In essence, we’re making a bet that by empowering the entire community with better security approaches, we’ll build a stronger foundation for our business and the industry as a whole.

Join Us in Transforming Security Management

The open source Peak Defence Method represents just the beginning of a journey. The real transformation happens when organizations make these principles their own, adapting them to their unique contexts and needs.

How to Get Started

  1. Access the Peak Defence Method: Visit peakdefence.com/resources/method to access the complete methodology
  2. Implement the Approach: Start with the assessment framework to identify your first improvement areas
  3. Contribute Your Experience: Share your adaptations and insights to help evolve the methodology at github.com/peakdefence/method

For Different Roles

  • Security Leaders: Use the methodology to structure your security program and communicate value
  • Technology Leaders: Leverage cross-functional guidance to integrate security into technology processes
  • Business Executives: Understand how security capabilities support business objectives
  • Practitioners: Implement practical security improvements using proven approaches

Looking Forward

This is just the beginning of our open source journey. In the coming months, we’ll be:

  • Publishing case studies of real-world implementations
  • Expanding function-specific guidance based on community feedback
  • Building additional tools and templates for methodology implementation

Security has always been a collective challenge requiring collective solutions. By open sourcing our methodology, we’re taking a meaningful step toward a future where effective security management is accessible to all organizations, not just those with the largest budgets or most sophisticated teams.

Because ultimately, we believe that security isn’t just what we do—it’s what we enable others to do. And that’s a mission worth sharing openly.

Peak Defence exists to transform how organizations manage security through the perfect integration of People, Process, and Technology. Our AI-native Wingman platform and expert professional services help organizations build more resilient, effective security programs in an increasingly complex threat landscape.