Enterprise Cloud Security and Governance

Fifth layer – response layer

This is the layer where all the monitoring-related activities happen.

For example, someone logging in to a database server in the middle of the night is definitely a suspicious activity. If rules are written to alert on this kind of predefined or correlation-based activity, then it is possible to prevent the attacker from doing any harm.

The tools that are part of this layer are generally SIEM systems.
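
The rule described above, sketched as an added example that is not from the book and is not any SIEM product's rule syntax: a predefined check flags successful logins to database servers outside business hours, and a correlation check raises the severity when the same source failed several times just before succeeding. The sshd-style log lines, host names, business-hours window and thresholds are all constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events (syslog-style sshd lines); hosts, users and IPs are made up.
SAMPLE_LOG = """\
2024-03-11T10:15:02 db01 sshd[811]: Accepted password for dba_alice from 10.0.4.21 port 50112 ssh2
2024-03-12T02:41:10 db01 sshd[902]: Failed password for dba_alice from 10.0.9.77 port 41822 ssh2
2024-03-12T02:41:19 db01 sshd[902]: Failed password for dba_alice from 10.0.9.77 port 41822 ssh2
2024-03-12T02:41:31 db01 sshd[902]: Failed password for dba_alice from 10.0.9.77 port 41822 ssh2
2024-03-12T02:42:05 db01 sshd[903]: Accepted password for dba_alice from 10.0.9.77 port 41830 ssh2
2024-03-12T03:05:44 web01 sshd[120]: Accepted publickey for deploy from 10.0.4.30 port 60222 ssh2
2024-03-12T23:30:00 db02 sshd[455]: Accepted publickey for dba_bob from 10.0.4.22 port 50990 ssh2
"""

DB_HOSTS = {"db01", "db02"}          # assumed asset tag: database servers
BUSINESS_HOURS = range(7, 20)        # assumed policy: 07:00-19:59 local time
FAIL_THRESHOLD = 3                   # assumed correlation threshold
FAIL_WINDOW = timedelta(minutes=5)   # assumed correlation window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ "
    r"for (?P<user>\S+) from (?P<src>\S+) port \d+")

def detect(log_text):
    """Return alerts for logins to database hosts outside business hours."""
    alerts, failures = [], {}        # failures: (host, src) -> [timestamps]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["host"] not in DB_HOSTS:
            continue                 # unparsed line or host out of scope
        ts = datetime.fromisoformat(m["ts"])
        key = (m["host"], m["src"])
        if m["result"] == "Failed":
            failures.setdefault(key, []).append(ts)
            continue
        if ts.hour in BUSINESS_HOURS:
            continue                 # predefined rule: only off-hours logins alert
        # Correlation rule: same source failed repeatedly just before succeeding.
        recent = [t for t in failures.get(key, []) if ts - t <= FAIL_WINDOW]
        severity = "high" if len(recent) >= FAIL_THRESHOLD else "medium"
        alerts.append({"time": m["ts"], "host": m["host"], "user": m["user"],
                       "src": m["src"], "failed_before": len(recent),
                       "severity": severity})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The daytime login to db01 and the night-time login to web01 produce no alert; only the two off-hours database logins do, and only the one preceded by repeated failures is rated high.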