Most security stacks are built inside out.
Somebody gets hit with ransomware, so they buy EDR. Then a phishing campaign slips through, so they add email security. Then compliance comes knocking, so they bolt on a SIEM. Every tool is a reaction to the last thing that went wrong.
There's a better way to build this. Start with what matters most, then layer up based on where the business actually is. Not where the last breach scared them into being.
A few years ago, we co-authored a whitepaper with Huntress called "The MSP Cybersecurity Journey" that mapped security maturity across four levels. It's desperately overdue for an update so we won’t link it here (we know, we know), but the core framework still holds up. We used it as the skeleton for this guide. Consider this the 2026 version of that thinking, with actual tool guidance bolted on.
This guide lays out the complete security stack, layer by layer, in the order you should actually deploy each one. Whether you're an MSP building stacks for clients, an IT admin trying to prioritize your budget, or an enterprise team rationalizing your toolset, this is the deployment order that makes everything else work better.
Not every organization needs every layer on this list. A 10-person bakery has different needs than a 200-person law firm. That's why we map everything to maturity levels:
If you're an MSP, the first thing you should do with any client is figure out where they sit across these levels. Then use this guide to build their path forward. Don't sell a SIEM to a client who doesn't even have MFA yet.
Deploy at: Level 1 (every organization needs this)
This is your foundation. Every other layer in this guide builds on top of it.
DNS filtering works by intercepting DNS queries and blocking resolution to known-malicious, suspicious, or policy-violating domains. A user clicks a phishing link. The DNS query fires. Your DNS filter blocks it before the browser ever loads the page. No connection established. No payload delivered. No damage done.
That's why 80% of threats can be stopped at the DNS layer before they reach anything else.
It's also the only layer that protects every device on the network without requiring an agent on each one. IoT devices, guest Wi-Fi, that smart TV in the conference room, the HVAC controller nobody thinks about. EDR can't touch those. DNS filtering covers all of them.
And it deploys in minutes. Change your DNS settings, install a roaming client for off-network devices, and you're live. No hardware. No professional services engagement.
This is where we live. DNSFilter is AI-powered content and threat filtering built for MSPs from day one. We block threats an average of 10 days faster than traditional threat feeds because our ML models process over 200 billion DNS queries daily and detect malicious domains by behavior patterns, not static blocklists.
Multi-tenant dashboard. Roaming clients for off-network protection. PSA integrations. Transparent pricing. 53% of our customers deploy in a single day.
That's not marketing copy. That's the pitch because it's what actually happens.
Let's be real. If your DNS isn't filtered, everything downstream is working harder than it has to. Your email security is processing phishing that should've been blocked at resolution. Your EDR is scanning malware that never should've been downloaded. Your SIEM is logging events that didn't need to happen.
Start here. Everything else gets easier.
Deploy at: Level 1-2
As many as 95% of cyberattacks start with phishing. DNS filtering catches a massive chunk of that by blocking the domains those phishing emails link to. But you still need email-specific protection for the stuff that doesn't rely on a malicious URL. Business email compromise. Impersonation attacks. Weaponized attachments.
This is your phishing prevention software layer.
In 2026, AI-generated phishing is faster, more targeted, and more convincing than anything we've seen. The days of spotting phishing by bad grammar are over. You need behavioral AI that analyzes sender patterns, email context, and user relationships.
Here's what most email security guides miss. DNS filtering and email security aren't separate categories. They're two halves of the same phishing prevention strategy. DNS blocks the domains. Email security blocks the messages. Together, you're catching phishing at both the network layer and the application layer.
If you only have budget for one, start with DNS. It covers phishing, malware delivery, and content filtering in a single tool. Then add email security as budget allows.
Deploy at: Basic AV at Level 1, full EDR at Level 2
Endpoint protection is where most people think the security stack starts. It shouldn't be. By the time malware hits an endpoint, your DNS filter and email security have already failed to stop it. EDR is your third line of defense, not your first.
That said, you absolutely need it. Polymorphic malware is using large language models to rewrite its own code now. There's been 140% growth in newly weaponized domains. Signature-based antivirus alone is not going to cut it.
This is your malware prevention software layer. And at Level 2 and above, you need real EDR with behavioral analysis, threat hunting, and automated response.
At Level 1, basic antivirus is fine. Get something on every endpoint. At Level 2, upgrade to full EDR with behavioral detection and response. At Level 3, you're looking at XDR that correlates endpoint data with network and email telemetry.
Deploy at: MFA at Level 1, full IAM at Level 2-3
Identity is the new perimeter. When AI makes impersonation trivial and credentials are the most common attack vector, controlling who can access what is no longer a nice-to-have.
MFA should be in place at Level 1. Full stop. If your client has no MFA, that's the first thing you fix. Not next quarter. Not after the EDR rollout. Now.
From there, password management and least-privilege access policies round out the identity layer.
Any MFA is better than no MFA. If budget is tight, use the free tier of whatever authenticator app your email platform supports. The specific tool matters less than the fact that it's deployed and enforced across every user.
Deploy at: Basic backup at Level 1, immutable BDR at Level 2
Backup isn't prevention. It's your insurance policy when prevention fails.
Here's the ransomware prevention angle nobody talks about. DNS filtering prevents ransomware by blocking the command-and-control domains that ransomware needs to communicate with. It blocks the malicious domains that deliver the payload in the first place. So your first layer of ransomware prevention tools is actually your DNS filter.
But when ransomware does get through (and eventually, somewhere, it will), immutable backups are the difference between paying a ransom and restoring operations in hours.
At Level 1, you need backups. Period. Even if it's basic cloud backup of critical files. At Level 2, move to immutable, image-based BDR with tested recovery procedures and documented RTOs. At Level 3, recovery is part of your incident response plan and regularly exercised.
Deploy at: Basic awareness at Level 1, ongoing program at Level 2
You can deploy every tool on this list and one employee clicking the wrong link can still compromise everything.
Security awareness training is the human layer of your stack. Phishing simulations, role-based education, compliance training, and a culture that rewards reporting suspicious activity instead of punishing mistakes.
In 2026, training platforms are using AI to personalize content based on user behavior. Someone who fails a phishing simulation gets more frequent, targeted training. Someone who consistently catches them gets different content. It's not one-size-fits-all anymore.
That old Huntress whitepaper we keep referencing made an important point about training. At Level 0, businesses don't think cybersecurity affects them. At Level 1, they do basic awareness. At Level 2, training is role-based and periodic. At Level 3, it's tied to business objectives with tested effectiveness. That was true when we wrote it and it's true now.
Most clients are somewhere between Level 0 and Level 1 on training. Start simple. Get a phishing simulation running. Build from there.
Deploy at: Level 3 only (requires dedicated resources)
SIEM is the capstone of a mature security program. It correlates data from every other layer (DNS logs, email events, endpoint telemetry, identity logs, backup alerts) into a single pane of glass for real-time monitoring and incident response.
It's also the layer most commonly deployed too early.
A SIEM without the foundational layers feeding it useful data is just expensive noise. If your client doesn't have DNS filtering, email security, EDR, and MFA in place, a SIEM is going to drown you in alerts with no context. Get the foundation right first.
Most SMBs and many mid-market organizations don't need a full SIEM. If you have DNS filtering, email security, EDR, and MFA all properly configured and logging, you have solid visibility already. SIEM is for when you need to correlate across all of those sources and you have the team to act on what it finds.
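As an added illustration of that correlation (example code, not taken from any SIEM product), the rule below chains an email delivery, the matching DNS lookup, and a later endpoint alert into one finding. The events, field names, and the assumption that DNS logs carry a user identity are all constructed.

```python
from datetime import datetime, timedelta

# Constructed sample events, one list per layer, already normalized to dicts.
EMAIL = [
    {"ts": "2026-01-12T09:00:05", "user": "alice", "url_domain": "login.phish.example"},
    {"ts": "2026-01-12T09:02:00", "user": "bob", "url_domain": "invoice.bad.test"},
]
DNS = [
    {"ts": "2026-01-12T09:01:10", "user": "alice", "host": "WS-01",
     "qname": "login.phish.example", "action": "blocked"},
    {"ts": "2026-01-12T09:03:30", "user": "bob", "host": "WS-02",
     "qname": "invoice.bad.test", "action": "allowed"},
    {"ts": "2026-01-12T09:04:00", "user": "carol", "host": "WS-03",
     "qname": "www.example.org", "action": "allowed"},
]
EDR = [
    {"ts": "2026-01-12T09:05:45", "host": "WS-02", "alert": "suspicious child process"},
]
WINDOW = timedelta(minutes=15)

def _t(event):
    return datetime.fromisoformat(event["ts"])

def correlate(email, dns, edr, window=WINDOW):
    """Chain email delivery -> DNS lookup -> endpoint alert into one finding per click."""
    findings = []
    for mail in email:
        for q in dns:
            same_click = (q["user"] == mail["user"] and q["qname"] == mail["url_domain"]
                          and timedelta(0) <= _t(q) - _t(mail) <= window)
            if not same_click:
                continue
            if q["action"] == "blocked":
                severity = "low"  # the DNS layer stopped it; follow up with training
            else:
                hit = any(a["host"] == q["host"] and timedelta(0) <= _t(a) - _t(q) <= window
                          for a in edr)
                severity = "critical" if hit else "medium"
            findings.append({"user": mail["user"], "host": q["host"],
                             "domain": q["qname"], "severity": severity})
    return findings
```

Remove any one feed and the rule degrades: without the email events there is nothing to tie a DNS lookup to a delivered message, and without EDR an allowed click can only ever rate "medium".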
If you're an MSP and your client isn't at Level 3, your time is better spent maturing their foundational layers.
Here's how it all maps together:
If you read this entire guide and you're wondering what to do first, here's your answer.
Start with DNS.
It takes minutes to deploy. It covers phishing prevention, malware prevention, and content filtering in one tool. It protects every device on the network including the ones that can't run an agent. It's required for compliance. And it makes every other layer in your stack more effective by filtering out the noise before it reaches them.
Request a demo and see how much of your threat landscape disappears at the DNS layer.
Now go build your stack. From the outside in.