What Can We Learn About Cyber Security From The Romans?
A Strategic OSINT and Cybercrime Framework for Modern Digital Defence
Paul Wright, Neal Ysart & Paul Jackson
7/14/2025, 12 min read


INTRODUCTION
The military strategies of the Roman Empire, developed nearly 3,000 years ago, provide profound insights for contemporary cybersecurity challenges. As organisations grapple with escalating cyber threats, with cybercrime costs projected to reach $10.5 trillion annually by 2025 and the global average price of a data breach reaching $4.88 million in 2024, Roman military doctrine offers a strategic framework that modern enterprises could benefit from emulating.
This analysis examines two fundamental approaches to cybersecurity through the lens of Roman military strategy: Compliance-Based Security (analogous to Hadrian's Wall) and Threat-Based Security (modelled after Roman Castra). By integrating Open-Source Intelligence (OSINT) and cybercrime analysis methodologies, organisations can develop a comprehensive defensive strategy that helps address both opportunistic and advanced persistent threats.
THE MODERN BATTLEFIELD
Contemporary organisations face an unprecedented cyber threat landscape. Government statistics indicate that 22% of businesses and 14% of charities experienced cybercrime in the last 12 months, with this figure rising to 45% among medium-sized companies. These statistics underscore the critical need for robust, adaptive defence strategies that can counter both automated attacks and sophisticated threat actors.
The Roman Empire's approach to territorial defence offers a compelling parallel to modern cybersecurity challenges. Just as Rome confronted barbarian tribes, betrayal from within, and organised military campaigns, today's organisations must defend against script kiddies, insider threats, and Advanced Persistent Threat (APT) groups operating from the dark web.
COMPLIANCE-BASED SECURITY: THE HADRIAN'S WALL APPROACH
Historical Context
Hadrian's Wall, constructed between AD 122 and 128, stretched 84 miles across northern England, representing one of the most ambitious perimeter defence projects in history. This massive fortification was designed to separate the civilised Roman territories from the "barbarian" lands beyond.
MODERN PARALLELS
Contemporary compliance-based security mirrors Hadrian's Wall philosophy through:
Perimeter Defence Models: Traditional firewall architectures that attempt to create clear boundaries between trusted and untrusted networks
Regulatory Compliance: Adherence to standards such as PCI DSS, ISO 27001, SOC 2, and GDPR
Baseline Security Controls: Uniform security policies applied across the entire IT estate
Critical Limitations
The fundamental weakness of perimeter-based defence becomes evident when examining both historical and contemporary examples; just as Hadrian's Wall was breached during the Great Conspiracy of AD 367, modern perimeter defences face similar vulnerabilities from zero-day exploits that bypass sophisticated firewalls, social engineering attacks that circumvent technical controls entirely, and insider threats operating from within the trusted perimeter.
Resource intensity presents another critical challenge that has affected both Roman and modern defensive strategies. The wall necessitated substantial resources, including round-the-clock staffing of 16 principal forts and 80 milecastles, ongoing repairs due to adverse weather and enemy action, and static resource allocation that could not adapt to evolving threat landscapes. Modern compliance programmes encounter similar resource challenges, including continuous patching and configuration management across diverse IT environments, audit overheads that consume significant bandwidth from security teams, and a technology debt arising from the maintenance of legacy systems to meet compliance requirements.
The static nature of perimeter defence also creates long-term strategic vulnerabilities that have proved fatal to both Roman and contemporary security models. Historical records indicate that Hadrian's Wall became less effective as enemy tactics evolved to exploit specific weaknesses, political priorities shifted resources to other frontiers, and the quality of the garrison declined due to recruitment challenges. Contemporary compliance-based security suffers from identical issues: threats evolve faster than compliance frameworks can be updated, business requirements often conflict with rigid security baselines, and a shortage of skilled professionals compromises the quality of security implementations.
THREAT-BASED SECURITY: THE CASTRA MODEL
Strategic Deployment
Rather than relying solely on perimeter defence, Rome deployed Castra (military camps) strategically throughout the empire. The network of roads, including the “Via Praetoria” and “Via Decumana,” was designed for efficient travel and connected key areas, allowing easy access across the site.
Roman military strategy demonstrated a sophisticated understanding of risk-based resource allocation. Commanders deployed their most experienced legions to confront the most significant threats, while auxiliary forces managed routine security in pacified regions, and mobile reserves could swiftly reinforce vulnerable areas. Each castra developed threat-specific countermeasures tailored to local adversaries, incorporating various fortification designs based on anticipated attack methods, specialised training for regional threat patterns, and intelligence networks that provided early warnings of enemy movements. Unlike Hadrian's Wall, the castra system provided genuine defence in depth through forward outposts for early threat detection, primary fortifications capable of withstanding sieges, and fallback positions that enabled strategic withdrawal and counterattack.
Modern Implementation
Contemporary threat-based security adopts similar principles, starting with the identification of critical assets: organisations must recognise their crown jewels, including repositories of intellectual property, customer databases, financial systems, payment processing, and industrial control systems in manufacturing environments. Threat intelligence is then integrated from multiple sources. OSINT helps to identify connections between criminals and other actors, monitor social media for indicators of insider threats, consult public data breach databases for compromised credentials, explore technical forums where attack techniques are discussed, and analyse geopolitical context to understand the motivations of APT groups.
Dark Web Intelligence (DARKINT) sheds light on potential threats by assisting investigators in monitoring hacker forums, marketplaces, and other dark web hubs for illicit activity. Organisations would be advised to observe cybercriminal marketplaces for stolen corporate data systematically, Ransomware-as-a-Service (RaaS) platforms targeting their industry, exploit trading forums for zero-day vulnerabilities, and credential trading sites for compromised employee accounts. Commercial threat intelligence enhances this intelligence through APT group tracking and attribution analysis, malware family analysis, IOC feeds, industry-specific threat reports from security vendors, as well as government advisories and threat bulletins.
Adaptive response capabilities are the operational core of threat-based security, necessitating dynamic response mechanisms such as threat hunting teams that proactively seek indicators of compromise, incident response playbooks tailored for specific attack scenarios, deception technologies that create honeypots and honeynets, and User and Entity Behaviour Analytics (UEBA) to detect anomalies.


OSINT AND CYBERCRIME INTEGRATION
Strategic Intelligence Collection
Modern organisations should consider establishing comprehensive intelligence programmes that integrate multiple disciplines through OSINT methodology, adhering to trusted frameworks. This methodology requires defining requirements to identify the threats most relevant to your organisation, planning collections to determine which sources provide pertinent intelligence, evaluating sources to assess their reliability and timeliness, analysing and synthesising information to understand implications for security posture, and disseminating intelligence to share with relevant stakeholders.
Understanding cybercriminal ecosystems requires a thorough analysis of the economic motivations driving various threat actor groups, their technical capabilities, preferred attack methods, and the organisational structures within cybercriminal enterprises. Furthermore, it entails examining the supply chains for malware and exploits, laundering services, and the geopolitical factors influencing cybercriminal safe havens. This cybercrime analysis offers the contextual understanding vital for effectively anticipating and countering emerging threats.
Dark Web Monitoring Implementation
Organisations should establish systematic dark web monitoring programmes through a comprehensive technical infrastructure that provides audit capabilities for dark web forums, marketplaces, and encrypted chat services, alerting organisations to potential security breaches and data exposures. This infrastructure requires access to the Tor network with appropriate operational security, automated collection tools for scalable monitoring, translation capabilities for non-English underground forums, and data analysis platforms for pattern recognition and correlation.
Effective monitoring programmes should concentrate on company-specific mentions in cybercriminal discussions, threats within the industry sector, targeted campaigns, sales of employee credentials, exposure of personal information, theft of intellectual property, and industrial espionage activities, as well as compromises of third-party suppliers that could impact your organisation. This systematic approach to monitoring facilitates the early detection of threats before they escalate into active attacks against organisational assets.
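The intelligence cycle described under Strategic Intelligence Collection and the monitoring focus areas above, worked through as an added Python example (not the authors' tooling): constructed forum posts are classified against assumed intelligence requirements for a fictional "Acme Bank", prioritised by an assumed source reliability grade and timeliness, and routed to assumed stakeholder teams for dissemination.

```python
import re
from dataclasses import dataclass
# Intelligence requirements for a fictional organisation (assumed values).
REQUIREMENTS = {
    "org_names": ["acme bank", "acmebank"],
    "email_domains": ["acmebank.example"],
    "suppliers": ["northwind payroll", "contoso cloud"],
    "industry_terms": ["swift", "core banking", "trading platform"],
}
# Source evaluation: reliability grade A (reliable) to F (cannot be judged),
# mapped to a weight; an assumed scale modelled on the Admiralty system.
SOURCE_RELIABILITY = {"A": 1.0, "B": 0.8, "C": 0.6, "D": 0.4, "E": 0.2, "F": 0.3}
# Impact per finding category and the stakeholder it is disseminated to (assumed).
IMPACT = {"credential_sale": 0.9, "data_exposure": 0.9, "supplier_compromise": 0.7,
          "industry_targeting": 0.5, "company_mention": 0.3}
ROUTING = {
    "credential_sale": "IAM team: reset affected accounts, check MFA coverage",
    "data_exposure": "Privacy and legal: assess PII exposure and notification duty",
    "supplier_compromise": "Third-party risk: verify with supplier, review its access",
    "industry_targeting": "Threat hunting: map the TTPs, review detections",
    "company_mention": "SOC: watch and correlate with other indicators",
}

@dataclass
class Post:
    source: str
    reliability: str   # A..F grade assigned during source evaluation
    age_days: int      # used for timeliness
    text: str

EMAIL_RE = re.compile(r"[\w.+-]+@([\w-]+\.[\w.-]+)")
SALE_WORDS = ("selling", "for sale", "dump", "combo", "logs")
DATA_WORDS = ("customer records", "pii", "database")

def classify(post: Post) -> list[str]:
    """Map one collected post onto the programme's monitoring categories."""
    t = post.text.lower()
    has_org = any(n in t for n in REQUIREMENTS["org_names"])
    domains = {m.group(1).lower() for m in EMAIL_RE.finditer(post.text)}
    cats = []
    if domains & set(REQUIREMENTS["email_domains"]) and any(w in t for w in SALE_WORDS):
        cats.append("credential_sale")
    if any(s in t for s in REQUIREMENTS["suppliers"]):
        cats.append("supplier_compromise")
    if has_org and any(w in t for w in DATA_WORDS):
        cats.append("data_exposure")
    if any(k in t for k in REQUIREMENTS["industry_terms"]):
        cats.append("industry_targeting")
    if not cats and has_org:
        cats.append("company_mention")
    return cats

def priority(post: Post, category: str) -> float:
    """Impact x source reliability x timeliness, in the range 0..1."""
    timeliness = max(0.2, 1.0 - post.age_days / 30)   # decays over a month
    return round(IMPACT[category] * SOURCE_RELIABILITY[post.reliability] * timeliness, 2)

def triage(posts: list[Post]) -> list[tuple[str, float, str, str]]:
    """Analyse every post; return (category, priority, source, route), highest first."""
    findings = [(c, priority(p, c), p.source, ROUTING[c])
                for p in posts for c in classify(p)]
    return sorted(findings, key=lambda f: f[1], reverse=True)

# Constructed sample collection: fictional forum posts, not real data.
SAMPLE_POSTS = [
    Post("forum-x", "B", 1, "Selling 300 combo logs incl. j.doe@acmebank.example, fresh"),
    Post("market-y", "C", 10, "Northwind Payroll breach: client list dump available"),
    Post("chat-z", "E", 2, "anyone got access to a swift gateway at a UK bank?"),
    Post("forum-x", "B", 40, "Acme Bank hiring security people again lol"),
]

if __name__ == "__main__":
    for cat, prio, src, route in triage(SAMPLE_POSTS):
        print(f"{prio:.2f} {cat:<20} {src:<9} -> {route}")
```

A stale post from a well-graded source still ranks below a fresh credential sale, which is the point of weighting by timeliness as well as reliability.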
THE BLENDED DEFENCE STRATEGY
Learning from Roman Success
Rome's military success derived from combining static defences with mobile response capabilities. The empire's longevity (nearly 1,500 years) demonstrates the effectiveness of this integrated approach.
Modern Implementation Framework
The first layer of baseline security establishes fundamental controls across the entire IT estate through asset inventory and classification to understand what requires protection, management of vulnerabilities with risk-based prioritisation, standardisation of access controls with identity and access management (IAM), security awareness training for all staff members, and incident response procedures with clear escalation pathways. This foundational layer mirrors Hadrian's Wall by providing consistent protection across the entire organisational perimeter.
The second layer of targeted protection focuses advanced security measures on critical assets and high-risk scenarios through enhanced threat detection utilising machine learning and behavioural analysis, threat hunting programmes with dedicated security analysts, red team exercises simulating advanced persistent threats, executive protection programmes for high-value targets, and supply chain security assessment and monitoring. This layer embodies the castra model by concentrating sophisticated defences where they matter most.
The third layer of intelligence-driven security integrates threat intelligence to inform both defensive layers through regular threat landscape analysis, attack scenario modelling based on current threat intelligence, Indicator of Compromise (IOC) feeds integrated into security tools, threat actor profiling for attribution and prediction, and geopolitical risk assessment for contextual understanding. This intelligence layer provides the situational awareness that enables both baseline and targeted defences to adapt dynamically to evolving threats.
Resource Optimisation
Following the Roman model of efficient resource allocation can help organisations achieve cost-effective baseline security through automated security controls, which reduce manual overhead. Additionally, they can leverage cloud-native security services for scalability and cost efficiency, risk-based asset classification to prevent over-protecting low-value systems, and standardised security architectures that minimise complexity and maintenance costs. This approach ensures that foundational security measures remain sustainable and scalable as organisations expand.
Typically, organisations shape their technology investment strategies to allocate resources where they deliver the most significant security value, prioritising the protection of critical assets. They tend to direct a larger share of security investment toward these areas, utilise threat intelligence platforms to provide actionable insights, implement security orchestration tools for rapid incident response, and harness advanced analytics for pattern recognition and prediction. This targeted approach mirrors the Roman deployment of veteran legions to the most critical frontier positions while maintaining adequate security across the broader empire.
MODERN THREAT LANDSCAPE ANALYSIS
Cybercrime Economics and Attack Evolution
Understanding the economic drivers of cybercrime provides critical insights for defensive planning. The ransomware ecosystem is exhibiting increasing sophistication, with the average total cost of a ransomware breach reaching £5.13 million, representing a 13% rise from 2022. This meteoric growth is explained by several factors, including the professionalisation of ransomware operations, the emergence of Ransomware-as-a-Service platforms that lower barriers to entry, numerous cryptocurrency payment systems that facilitate anonymous transactions, and perverse incentives created by insurance payouts that inadvertently fund criminal enterprises.
The dark web is home to sophisticated marketplaces where a range of stolen data can be traded. Personally Identifiable Information (PII) can sell for $1-$50 per record. Credit card data commands prices that vary by card type and validity. Corporate credentials command premium prices for privileged accounts, and intellectual property is often sold through specialised brokers. Understanding these economic dynamics helps organisations prioritise their defensive investments and anticipate which of their assets are most likely to be targeted.
Traditional attack vectors remain consistently relevant, as phishing attacks continue to account for the majority of initial compromises. Unpatched vulnerabilities present reliable attack surfaces, weak passwords and credential reuse facilitate account takeovers, and removable media still pose risks associated with insider threats. Nevertheless, emerging attack methods highlight criminal innovation through supply chain compromises targeting software vendors and service providers, cloud misconfigurations that expose sensitive data and systems, the exploitation of IoT devices that create new attack surfaces, and AI-powered attacks that automate social engineering and evasion techniques.
LESSONS FROM HISTORY AND MODERN EXAMPLES
The Fall of Constantinople (1453)
The Theodosian Walls were built during the reign of Theodosius II to protect the capital of the Byzantine Empire, Constantinople, enabling the city to remain impregnable to enemy attack for 800 years.
However, the Empire's reliance on these walls ultimately failed when:
New technology (cannons) rendered traditional fortifications obsolete
Static defences couldn't adapt to evolving siege tactics
Resource constraints prevented adequate manning of the walls
Internal politics compromised the defence coordination
Modern Parallel
Organisations relying solely on perimeter security face similar risks from advanced persistent threats that utilise zero-day exploits and social engineering.
Estonia's Cyber Defence Model: A Contemporary Success
Following the 2007 cyberattacks, Estonia implemented a blended approach combining:
National baseline security standards for critical infrastructure
Threat intelligence sharing between the government and the private sector
Rapid response capabilities through the Cyber Emergency Response Team
International cooperation through NATO's Cooperative Cyber Defence Centre of Excellence
This model demonstrates the successful integration of compliance-based and threat-based approaches at a national level.
Financial Services Sector: A Corporate Example
Leading banks have successfully implemented Roman-inspired security models:
Baseline controls ensuring regulatory compliance (PCI DSS, Basel III)
Targeted protection for high-value systems (SWIFT networks, trading platforms)
Threat intelligence programmes monitoring cybercriminal forums for industry-specific threats
Adaptive responses, including threat hunting and red team exercises
FUTURE CONSIDERATIONS AND EMERGING THREATS
Technological Evolution
Quantum computing potentially renders current encryption methods obsolete
Artificial intelligence both enhances defences and enables new attack methods
5G and IoT expansion creates new attack surfaces
Cloud computing shifts security boundaries and responsibility models
Geopolitical Factors
Nation-state actors are increasingly targeting private sector organisations
Cyber warfare is blurring the lines between criminal and military activities
Regulatory divergence creates compliance challenges for multinational organisations
Supply chain nationalism and geopolitics are having a significant impact on technology choices and security relationships
Evolving Criminal Ecosystem
Cybercrime-as-a-Service further lowers barriers to entry and reduces risks for the criminal
Cryptocurrency evolution enables new payment and laundering methods
Dark web maturation is creating more sophisticated criminal marketplaces
AI-powered attacks are automating and scaling traditional attack methods
RECOMMENDATIONS AND BEST PRACTICES
Strategic Recommendations
Adopt a Blended Approach: Combine compliance-based baseline security with targeted protection based on threat intelligence.
What did the Romans do? They typically deployed a standard formation but would deploy auxiliaries or cavalry in response to particular threats.
Invest in Intelligence: Develop comprehensive threat intelligence capabilities, including OSINT and dark web monitoring.
What did the Romans do? When planning major campaigns, they deployed reconnaissance resources, sending scouts ahead to gather information about enemy positions, terrain and numbers.
Focus on Critical Assets: Prioritise security investments based on business risk rather than technical vulnerability.
What did the Romans do? Major walls, such as Hadrian's Wall or the Theodosian Walls in Constantinople, demonstrated a defensive focus on critical assets.
Develop Adaptive Capabilities: Create security programmes that can evolve alongside the changing threat landscape.
What did the Romans do? After suffering a number of defeats in battles against Hannibal, during the Second Punic War, the Romans learned the lessons, adapted their strategy and were ultimately the victors by the end of the war.
Integrate Business and Security: Ensure security decisions are informed by business context and risk tolerance.
What did the Romans do? Military campaigns were planned with the Empire’s economic interests, political alliances, and long-term stability in mind.
IMPLEMENTATION OF BEST PRACTICES
Governance and Strategy
Executive sponsorship for cybersecurity initiatives at the board level
Risk-based decision-making aligning security investments with business priorities
Cross-functional collaboration between IT, security, legal, and business units
Regular strategy reviews, adapting to the changing threat landscape and business requirements
Technical Implementation
Defence in depth architectures provide multiple layers of protection
Zero trust principles: never trust, always verify access requests
Automation and orchestration reduce response times and human error
Continuous monitoring provides real-time visibility into security posture
Organisational Capabilities
Security culture development, making security everyone's responsibility
Skills development, investing in staff training and professional development
Incident response readiness, regular testing and updating of response procedures
Knowledge sharing, participating in industry information sharing programmes
CONCLUSION
The Roman Empire's approach to territorial defence offers timeless lessons for modern cybersecurity challenges. By understanding the strengths and limitations of both compliance-based (Hadrian's Wall) and threat-based (Castra) security models, organisations can develop comprehensive defence strategies that address the full spectrum of cyber threats.
The integration of open-source intelligence and cybercrime analysis methodologies provides the situational awareness necessary to anticipate and counter emerging threats. Just as Roman commanders combined static fortifications with mobile legions, modern security leaders must blend baseline security controls with adaptive threat response capabilities.
The stakes have never been higher. With cybercrime costs projected to reach $10.5 trillion annually in 2025, organisations cannot afford to rely on outdated security models. The Roman military's long-term success over more than a millennium demonstrates the effectiveness of integrated, intelligence-driven defence strategies.
As the scholar Vegetius wrote: "Si vis pacem, para bellum" - If you want peace, prepare for war. In the digital age, this wisdom remains as relevant as ever. Organisations that adopt the strategic principles demonstrated by Rome's military success will be best positioned to defend against tomorrow's cyber threats.
The choice is clear: continue building digital Hadrian's Walls that will inevitably be breached, or adopt the proven Roman model of integrated, intelligence-driven defence that has already demonstrated it can stand the test of time.
Authored by: The Coalition of Cyber Investigators
Paul Wright (United Kingdom) & Neal Ysart (Philippines)
With contributions from guest author Paul Jackson, CEO of Theos Cyber, a leading cybersecurity provider in the Asia-Pacific region.
©2025 The Coalition of Cyber Investigators. All rights reserved.
The Coalition of Cyber Investigators is a collaboration between
Paul Wright (United Kingdom) - Experienced Cybercrime, Intelligence (OSINT & HUMINT) and Digital Forensics Investigator;
Neal Ysart (Philippines) - Elite Investigator & Strategic Risk Advisor, Ex-Big 4 Forensic Leader; and
Lajos Antal (Hungary) - Highly Experienced Cyber Forensics, Investigations and Cybercrime Expert.
The Coalition unites leading experts to deliver cutting edge research, OSINT, Investigations & Cybercrime Advisory Services worldwide.
Our two co-founders, Paul Wright and Neal Ysart, offer over 80 years of combined professional experience. Their careers span law enforcement, cyber investigations, open source intelligence, risk management, and strategic risk advisory roles across multiple continents.
They have been instrumental in setting formative legal precedents and stated cases in cybercrime investigations, as well as contributing to the development of globally accepted guidance and standards for handling digital evidence.
Their leadership and expertise form the foundation of the Coalition’s commitment to excellence and ethical practice.
Alongside them, Lajos Antal, a founding member of our Boiler Room Investment Fraud Practice, brings deep expertise in cybercrime investigations, digital forensics and cyber response, further strengthening our team’s capabilities and reach.
The Coalition of Cyber Investigators, with decades of hands-on experience in cyber investigations and OSINT, is uniquely positioned to support organisations facing complex or high-risk investigations. Our team’s expertise is not just theoretical - it’s built on years of real-world investigations, a deep understanding of the dynamic nature of digital intelligence, and a commitment to the highest evidential standards.