Defense in depth is best described as:

Study for the DSAC-11 Annex C Test with real-time quizzes and multiple-choice questions. Each question offers hints and explanations to enhance your preparedness. Boost your confidence and ensure success in your DSAC-11 Annex C exam!

Multiple Choice

Defense in depth is best described as:

Explanation:
Defense in depth means building multiple overlapping protection layers so that if one layer is breached, others still protect the asset. This approach spreads risk across people, processes, and technology, and across different parts of the system—perimeter defenses, internal segmentation, access controls, monitoring, backups, and incident response. By not relying on a single control, it mitigates issues like misconfigurations, zero-days, and insider threats, and reduces the chance that a single mistake leads to a complete breach. For example, even with a strong firewall, if phishing compromises credentials, actions like network segmentation, MFA, and continuous monitoring can limit access and detect the intrusion. The other concepts fall short because a single firewall is just one layer and can be bypassed; focusing only on technical controls ignores policies and user behavior; and security by obscurity relies on secrecy rather than resilience and is not a robust strategy.

