Gyala cited by Gartner as a Sample Vendor in the “Hype Cycle for CPS Security” Report. Read

What the roman Agger can teach us about cybersecurity

Defense is not the wall. It is the system

Do you know what the Agger was? It is a Latin term that can be translated as embankment or rampart. But it was much more than an earthen embankment.
It was part of a far more sophisticated defensive system: a ditch excavated in front of it, the raised earth forming a barrier, a palisade of sharpened stakes, watchtowers, controlled entry points, and, above all, a carefully planned deployment of troops.

.

Contrary to what we might imagine, the Agger was not designed to prevent an attack in absolute terms. That was never its objective.

Its purpose was to slow down the advancing enemy, expose them, and force them to move through the routes the Romans had chosen. It was designed to transform an attack into something observable and controllable.

Within this approach lies the first lesson that, even today, we still struggle to understand in the cybersecurity world: ancient strategists had already grasped the importance of gaining time and visibility as part of a defensive strategy.

Even Rome never relied on an impenetrable perimeter. Instead, the Romans built around that perimeter a system specifically designed to make attacks emerge.

When reading the accounts of Caesar’s military campaigns, this approach appears repeatedly. Fortified camps were built every single day, even in territories that appeared completely secure.
This was the consequence of another remarkable Roman insight: they knew they could not prevent every attack, but they also knew that when an attack came, they had to be prepared to manage it.

And this brings us to the second essential element: the troops.

The legions did not stand passively behind the Agger, waiting for something to happen. Instead, they were trained to respond in a coordinated manner, organized into autonomous yet interconnected units capable of adapting rapidly to changing circumstances.
Every soldier knew exactly what to do, but more importantly, every unit knew how to operate alongside—and in coordination with—the others.

There were sentries maintaining constant surveillance, signaling systems capable of transmitting information rapidly, and a continuous ability to redeploy forces wherever pressure was increasing.

The structure existed to buy time.
Control resided in the ability to deliver an immediate, context-aware response.
Defense, therefore, was not the barrier itself—it was the ability to use it.

At this point, the parallel with cybersecurity becomes inevitable.

Today, we continue to build security as though a stronger wall were enough. We reinforce the perimeter, add more controls, and segment networks. All of these measures are correct. All of them are necessary. Yet they are often driven by an implicit assumption: if we can prevent attackers from getting in, then the problem has been solved.

Reality tells us otherwise.
Exceptions, successful infiltrations, and ultimately cyberattacks demonstrate that this approach is no longer sufficient.

In IT environments—and even more so in OT environments—the perimeter is no longer something stable. It is distributed, dynamic, and continuously crossed by data flows that cannot simply be interrupted. Believing that we can permanently “keep attackers out” is no longer realistic.
Believing that we can permanently “keep attackers out” is no longer realistic.

More importantly, we should recognize that this is not where the outcome of an attack is ultimately determined.

The Romans never asked themselves whether someone would reach the ditch, nor whether they would manage to cross it.
They took that for granted. Their attention was focused on what would happen afterwards: how much time they could gain, how quickly they could determine where the threat was coming from, and how effectively they could respond.

They had already embraced a mindset that many organizations today still fail to adopt.

The objective was not to prevent intrusion at all costs.
The objective was to maintain control.

This requires a fundamental shift in perspective. It means accepting that an attacker may succeed in gaining access and designing systems that do more than simply withstand an attack—they must be capable of observing, interpreting, and reacting. It means shifting the value from the structure itself to its behavior.

In other words, it means moving from static defense to orchestrated defense.

This is precisely the approach that becomes critical in IT/OT environments. In these contexts, the “wall” is often fragile—or simply nonexistent—and the only way to maintain control is to know what is happening while it is happening.

Perhaps this is the lesson worth carrying forward from history: the real issue is not merely whether an attacker breaches the perimeter, but what happens during the minutes that follow. In this respect, we are often less prepared than the Romans themselves.

If we look at cybersecurity through this lens, the objective is no longer to build increasingly thicker defenses, but to design systems capable of observing, interpreting, and reacting while an attack is in progress.

Detecting an anomaly is no longer sufficient. It must be understood within its operational context, events must be correlated, and responses must be executed in a manner consistent with the service being protected—in real time.

This is precisely the paradigm embodied by Gyala’s Agger.

  • It is an architecture that moves beyond the traditional model of centralized, sequential security by introducing an approach in which:
  • Detection is behavioral, built upon a dynamic understanding of the infrastructure and its operational states.
  • Correlation of IT, OT, and network events transforms isolated signals into actionable operational context for decision-making.
  • Reaction is automated and distributed, executed directly on the endpoints and systems involved without relying on human intervention or escalation workflows.
  • Visibility is end-to-end, extending even across hybrid environments and legacy systems, where the perimeter is, by definition, incomplete.
  • Reaction policies can be customized at the individual endpoint level, ensuring that each endpoint responds using the approach best suited to its specific operational context.

In this model, defense is no longer a single point of control—it becomes a property of the entire system.

Just as with the Roman Agger, the true value does not lie in preventing entry. It lies in knowing what is happening while it is happening, and in already possessing the capability to respond.
Today, we call this cyber resilience.